Moparisthebest wrote:
> I went ahead and implemented Patrick's suggestions, the patch is attached and also pushed to my github here:
> https://github.com/moparisthebest/curl/commit/004d731d5e86d899baf78ece56e9bba2b0c30d3b

- "stripped_pem[pem_len + 1] = '\0';" off by one. Should be "stripped_pem[pem_len] = '\0';" In all cases, terminating the string in the caller would be better since it'll avoid initial copying.
- Scanning from the beginning for the -----END line can be replaced by a scan from begin pos: it'll be faster and guarantee the result is greater than begin_pos.
- Beware: armor lines may also be terminated with \r\n. And they should be either at start of data or after a \n.
- Security, security: since you do not scan the file by chunks, you should keep a reasonable limit to its size (maybe something like 1M... just a suggestion).

> I've also seen BEGIN RSA PUBLIC KEY and BEGIN DSA PUBLIC KEY, maybe there is one for ECDSA keys too?

Yes, these armors exist: the encapsulated data contains the numeric part of a key, without the encryption type OID. The armor is then specialized to specify the encryption type info. If you also want to process these, you'll have to rebuild the private key ASN.1 structure yourself... I think this will drive us in a very far and complicated country... And curl is not an SSL backend ;-)

For info, I've found this page:
http://stackoverflow.com/questions/5355046/where-is-the-pem-file-format-specified

Hint: to determine the ASN.1 structure specific to each armor when lacking doc I search such a PEM file and use:

openssl asn1parse -in <thepemfile>

And start reverse engineering on it :-( RFCs may also help you.

Cheers,
Patrick

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
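The four review points above (correct NUL termination, scanning for END only after BEGIN, accepting "\r\n" and requiring armor lines at start of data or after "\n", and a size cap) combined in one armor-stripping routine. This is an added illustration, not the patch under review and not curl code; `pem_body`, `armor_at` and the 1 MiB `PEM_MAX_SIZE` are assumed names and values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PEM_MAX_SIZE (1024 * 1024)   /* refuse to scan anything larger than 1 MiB (assumed limit) */

/* Does the armor line `tag` start at data[pos], with pos at the start of the
   buffer or immediately after a '\n'? Returns the tag length, or 0 if not. */
static size_t armor_at(const char *data, size_t len, size_t pos, const char *tag)
{
    size_t n = strlen(tag);
    if(pos && data[pos - 1] != '\n')
        return 0;
    return (pos + n <= len && !memcmp(data + pos, tag, n)) ? n : 0;
}

/* Copy the text between "-----BEGIN <label>-----" and "-----END <label>-----"
   into a malloc'ed, NUL-terminated string. Returns NULL on any failure. */
char *pem_body(const char *data, size_t len, const char *label)
{
    char begin[80], end[80], *out;
    size_t i, n = 0, start, stop;
    if(len > PEM_MAX_SIZE || strlen(label) > 60) return NULL;
    snprintf(begin, sizeof(begin), "-----BEGIN %s-----", label);
    snprintf(end, sizeof(end), "-----END %s-----", label);

    for(i = 0; i < len && !(n = armor_at(data, len, i, begin)); i++)
        ;
    if(i == len) return NULL;
    start = i + n;
    /* the BEGIN line may end in "\n" or "\r\n" */
    if(start < len && data[start] == '\r') start++;
    if(start < len && data[start] == '\n') start++;

    /* scan for END only from the end of BEGIN, so it can never precede it */
    for(i = start; i < len && !armor_at(data, len, i, end); i++)
        ;
    if(i == len) return NULL;
    stop = i;
    /* drop the terminator of the last body line ("\n" or "\r\n") */
    if(stop > start && data[stop - 1] == '\n') stop--;
    if(stop > start && data[stop - 1] == '\r') stop--;

    out = malloc(stop - start + 1);
    if(!out) return NULL;
    memcpy(out, data + start, stop - start);
    out[stop - start] = '\0';   /* index == length, not length + 1 */
    return out;
}
```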
