
How to get the peer certificate(s) in PEM format


Iñaki Baz Castillo

Feb 16, 2012, 11:53:12 AM
Hi, after the SSL/TLS handshake from a client I want to get the
client's certificate(s) in PEM format (so I get a string I can print
somewhere).

So I do:

X509 *client_cert;
if ((client_cert = SSL_get_peer_certificate(ssl))) {
    /* print the certificate in PEM format */
}

Now my question is: how can I get the PEM string of the client's certificate(s)?

Thanks a lot.

--
Iñaki Baz Castillo
<i...@aliax.net>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Iñaki Baz Castillo

Feb 16, 2012, 12:11:14 PM
2012/2/16 Iñaki Baz Castillo <i...@aliax.net>:
> Hi, after the SSL/TLS handshake from a client I want to get the
> client's certificate(s) in PEM format (so I get a string I can print
> somewhere).
>
> So I do:
>
>  X509 *client_cert;
>  if ((client_cert = SSL_get_peer_certificate(ssl))) {
>    # Printf got cert in PEM format
>  }
>
> Now my question is: how can I get the PEM string of the client's certificate(s)?

It's solved, sorry: PEM_write_X509()

Jakob Bohm

Feb 16, 2012, 12:13:12 PM
On 2/16/2012 5:53 PM, Iñaki Baz Castillo wrote:
> Hi, after the SSL/TLS handshake from a client I want to get the
> client's certificate(s) in PEM format (so I get a string I can print
> somewhere).
>
> So I do:
>
> X509 *client_cert;
> if ((client_cert = SSL_get_peer_certificate(ssl))) {
> # Printf got cert in PEM format
> }
>
> Now my question is: how can I get the PEM string of the client's certificate(s)?
>
> Thanks a lot.
>

I think the PEM formatting (a line with dashes, the
Base64 lines and another line with dashes) is currently
tied to writing and reading files via the BIO layer.

So you would have to set up a "memory" BIO handle, then
tell the X509 routines to save the certificate in PEM
format to your memory BIO handle.

Of course if you just want to print it to stdout or
another real file handle, you could just use a BIO
pointing to that file handle.

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Iñaki Baz Castillo

Feb 16, 2012, 12:20:41 PM
2012/2/16 Jakob Bohm <jb-op...@wisemo.com>:
> I think the PEM formatting (a line with dashes, the
> Base64 lines and another line with dashes) is currently
> tied to writing and reading files via the BIO layer.
>
> So you would have to set up a "memory" BIO handle, then
> tell the X509 routines to save the certificate in PEM
> format to your memory BIO handle.
>
> Of cause if you just want to print it to stdout or
> another real file handle, you could just use a BIO
> pointing to that file handle.

Thanks, indeed what I need is to store the PEM format in a C string,
so I expect that I need to know the length of the resulting PEM format
in order to malloc for the char pointer.

I will check the memory BIO handle.

Thanks a lot.

--
Iñaki Baz Castillo
<i...@aliax.net>

robe...@mail.uni-paderborn.de

Feb 16, 2012, 12:01:20 PM
Well, I think the certificate is coded in base64. So write it to a file, run
openssl base64 -d -in file -out newfile
and read the newfile in. Or start parsing it and pipe the output to
your application.



Zitat von Iñaki Baz Castillo <i...@aliax.net>:

> Hi, after the SSL/TLS handshake from a client I want to get the
> client's certificate(s) in PEM format (so I get a string I can print
> somewhere).
>
> So I do:
>
> X509 *client_cert;
> if ((client_cert = SSL_get_peer_certificate(ssl))) {
> # Printf got cert in PEM format
> }
>
> Now my question is: how can I get the PEM string of the client's
> certificate(s)?
>

Iñaki Baz Castillo

Feb 16, 2012, 12:38:14 PM
2012/2/16 <robe...@mail.uni-paderborn.de>:
> well, I think the certificate is coded in base64. so write it to file, run
> openssl base64 -d -in file -out newfile
> and read the newfile in. or start parsing it an pipe the output to your
> application.

Well, this is to run within a server application, so I cannot write to
a file nor use openssl on the command line :)

However I've already got it:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/pem.h>

X509 *client_X509;
char client_PEM_string[10*1024];
size_t client_PEM_string_len = sizeof(client_PEM_string);
BIO *bio;
int res;

if ((client_X509 = SSL_get_peer_certificate(ctx))) {   /* ctx is the connection's SSL * */
    bio = BIO_new(BIO_s_mem());
    res = PEM_write_bio_X509(bio, client_X509);          /* 1 on success */
    /* read at most len-1 bytes so the terminator below stays in bounds */
    res = BIO_read(bio, client_PEM_string, (int)client_PEM_string_len - 1);
    if (res < 0)
        res = 0;
    client_PEM_string[res] = '\0';
    BIO_free(bio);                                       /* done with the memory BIO */
    X509_free(client_X509);                              /* drop the reference we were given */
    printf("CERT:\n%s\n", client_PEM_string);
}

Iñaki Baz Castillo

Feb 16, 2012, 2:39:44 PM
2012/2/16 Iñaki Baz Castillo <i...@aliax.net>:
> However I've already got it:
>
>    X509 *client_X509;
>    unsigned char client_PEM_string[10*1024];
>    size_t client_PEM_string_len = sizeof(client_PEM_string);
>    BIO *bio;
>    int res;
>
>    if ((client_X509 = SSL_get_peer_certificate(ctx))) {
>          bio = BIO_new (BIO_s_mem());
>          res = PEM_write_bio_X509(bio, client_X509);
>          res = BIO_read(bio, client_PEM_string, (int)client_PEM_string_len);
>          client_PEM_string[res]='\0';
>          X509_free(client_X509);
>          printf("CERT:\n%s\n", client_PEM_string);
> }

Now I've realized that in case the client presents a chain of public
certificates (rather than a single certificate) the function
SSL_get_peer_certificate (or maybe the functions PEM_write_bio_X509 or
BIO_read) just takes the first certificate in the chain.

How could I get all the certificates in the chain together? I've found:

STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);

but I don't find the STACK_OF(X509) definition so I don't know what it is.

Thanks for any help.

Iñaki Baz Castillo

Feb 16, 2012, 2:53:05 PM
2012/2/16 Iñaki Baz Castillo <i...@aliax.net>:
> Now I've realized that in case the client presents a chain of public
> certificates (rather than a single certificate) the function
> SSL_get_peer_certificate (or maybe the functions PEM_write_bio_X509 or
> BIO_read) just takes the first certificate in the chain.
>
> How could I get all the certificates in the chain together? I've found:
>
>  STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
>
> but I don't find the STACK_OF(X509) definition so I don't know what it is.
>
> Thanks for any help.

As far as I can see, SSL_get_peer_cert_chain(ssl) never returns NULL,
regardless of whether the client presented a single certificate, a certificate +
chain of certificates, or no certificate at all. Am I missing something?
SSL_get_peer_cert(ssl) does return NULL in case of no client
certificate.

Thanks a lot.

Iñaki Baz Castillo

Feb 16, 2012, 3:34:26 PM
2012/2/16 Iñaki Baz Castillo <i...@aliax.net>:
> As far as I see, SSL_get_peer_cert_chain(ssl) does never return NULL,
> regardless the client presented a single certificate, a certificate +
> chain of certificates, or no certificate at all. Am I miss something?
> SSL_get_peer_cert(ssl) does return NULL in case of no client's
> certificate.

The doc about SSL_get_peer_cert_chain(ssl) must be wrong, sure:


-------------------
RETURN VALUES

The following return values can occur:

NULL
No certificate was presented by the peer or no connection was
established or the certificate chain is no longer available when a
session is reused.

Pointer to a STACKOF(X509)
The return value points to the certificate chain presented by the peer.
-------------------


That's not true. Regardless of whether there is a peer certificate or not, and
regardless of whether there is a peer chain of certificates or not, the function
returns a pointer to STACK_OF(X509) (rather than STACKOF). Then I can
do sk_X509_num(sk) to get the number of certs in the chain, which can
be zero.

Iñaki Baz Castillo

Feb 16, 2012, 4:15:50 PM
2012/2/16 Iñaki Baz Castillo <i...@aliax.net>:
> That's not true. Regardless there is peer certificate or not, and
> regardless there is peer chain of certificates or not, the function
> returns a pointer to STACK_OF(X509)  (rather than STACKOF). Then I can
> do sk_X509_num(sk) to get the numbers of certs in the chain, which can
> be zero.

What is happening with the documentation of the OpenSSL project???

I've found what I was looking for via Google in other projects' source
code, for example mentions of sk_X509_num() and sk_X509_value().

How is it possible that those functions are not documented in the OpenSSL
documentation? Don't get me wrong, but this is a bit annoying.