Thank you for the quick response. This forum has superb turn around and I
read the
policies and it clearly says no thank you responses and so on to comment if
the information was
received and chewed. So I try to avoid this.
Now let me reply to the response and try to get the final answer:
-Code is presented without error recovery such as checking the file point
for nil
as to be clear to what is being executed. Sure there is plenty of code with
error recovery
in the actual test case. Also buffers are used of large size to to simply be
used to
verify that the operation was complete. Sure the RSA_size and blocksize will
be exact in
real operating code but no reason to have more code to sort through in a
POST than necessary to
outline a skeleton of operations. There is no random code from internet,
just excerpts taken from
the test case to test the API and verify correctness. All I see on the
internet or anywhere
else are man pages and so writing a flow of code to see how operations are
performed
is a starting procedure and benefits all to see in a forum.
My Situation:
Put simply I want to make sure the public key is only in the certficate I
hand out; hence
why I did not use the public/private key pair PEM in sample code to verify
that I only have the
pubic key in a file in the test skeleton code.
So in summary I currently have the
following right now but this can be fixed.
openssl genrsa -out test.pem 2048
openssl rsa -in test.pem -pubout -out testpublic.pem
openssl req -new -key testpublic.pem -inform pem -X509 -days 3650 -out
testpublic.cert
It should be this below and only the public key will be in the X509.
openssl genrsa -out test.pem 2048
openssl req -new -key test.pem -inform pem -X509 -days 3650 -out
testpublic.cert
Right now I use PEMs and an RSA *rsa structure to encrypt/decrypt
PEM_read_RSAPrivateKey(fp,&rsapriv,NULL,NULL);
PEM_read_RSA_PUBKEY(fp,&rsapub,NULL,NULL);
RSA_public_encrypt(strlen((char
*)name)+1,name,to,rsapub,RSA_PKCS1_OAEP_PADDING);
RSA_private_decrypt(128,to,result,rsapriv,RSA_PKCS1_OAEP_PADDING);
and can use this to get the X509 object I created.
X509 *cert=PEM_read_X509(fp,NULL,NULL,NULL);
Your saying I could use this EVP high level API function to get the public
key out of
the cert I created.
EVP_PKEY *evp = X509_get_pubkey(x509);
and of course I could use this too to verify that the X509 is good.
X509_verify(x509, X509_get_pubkey(x509));
but the X509_get_pubkey(x509) returns a EVP_KEY structure
and it is not clear to me what the corresponding API function for
RSA_public_encrypt(...,RSA_PKCS1_OAEP_PADDING);
would be. Basically I have a large file and only want to encrypt some
areas of the file as the file should not be in the clear that could
simply be copied and sent around. You have to have the infrastructure
to view it that being the public key and something to read and display
the file. The file does have a signature to verify trust and thats
good but clearly there is some data we do not want to have open. It is
really a level of obscuration is this aspect.
Clearly there should be a simple step solution to load a pubkey (X509) and
use to decipher. Using the PEMs it is clear and very clear as to the
structure saying RSA *rsa.
The knowledge I draw from is O'Reilly "OpenSSL" and clearly has
examples using the RSA structure and some other chapters on using random
numbers and
EVP for enveloping which is what I not want to do.
Our major trust point is the signature of the file (ECC) but we do want to
encrypt some areas of the file as to obscurate and not have
information in the clear for this custom system. No need to encrypt
the whole large file just some sensitive areas that require need to
know privileges.
I assume the best way to hand out the public key is the X509 cert I created,
if you have better recommendations they are most welcome. Then I need
the public key to decipher to chunks of data from the document that has a
signature.
redpath wrote:
>
> Bare with me on this .
>
>
> Self-signed public Key Certificate (give out your public key)
> ======================
> To give out my public key, I need to be put it into a certificate with
> my name, and signed by my own private key etc.. This process is call
> generating a self-signed public key certificate. OpenSSL can do this
> in a single command
> "openssl req -new -x509"
>
> as shown in the following command window session:
> test.pem contains both public and private RSA keys, so here is the process
>
> So create an RSA key pair called test.pem
> openssl genrsa -out test.pem 2048
> Extract the public key only
> openssl rsa -in test.pem -pubout -out testpublic.pem
>
> Then create a certificate
> openssl req -new -key testpublic.pem -inform pem -x509 -days 3650 -out
> testpublic.cert
> openssl x509 -in testpublic.cert -noout -text
>
> I can then use the function to open this X509 Certficate.
> fp = fopen("testpublic.cert","rb");
> X509 *cert=PEM_read_X509(fp,NULL,NULL,NULL);
>
> So now I have test.pem (RSA keys) testpublic.pem (public key) and
> testpublic.cert (x509 cert with piublic key).
>
> Below is code that uses the PEMs directly.
>
> FILE *fp = fopen("test.pem","rb");
> RSA *rsapriv=NULL;
> rsapriv= PEM_read_RSAPrivateKey(fp,&rsapriv,NULL,NULL);
> fclose(fp);
>
> fp = fopen("testpublic.pem","rb");
> RSA *rsapub=NULL;
> rsapub= PEM_read_RSA_PUBKEY(fp,&rsapub,NULL,NULL);
> fclose(fp);
>
> unsigned char *name= (unsigned char *)"richard redpath";
> unsigned char to[1024];
> int blocksize= RSA_size(rsapub)-41;
> printf("curious Blocksize is %d\n",blocksize);
> int rc= RSA_public_encrypt(strlen((char
> *)name)+1,name,to,rsapub,RSA_PKCS1_OAEP_PADDING);
> if (rc!=(-1))
> printf("Encrypt %d bytes returned\n",rc);
>
> unsigned char result[1024];
> rc= RSA_private_decrypt(128,to,result,rsapriv,RSA_PKCS1_OAEP_PADDING);
> printf("Decrypt rc=%d \n",rc);
> printf("result is [%s]\n",result);
>
> The question I have is that I want to hand out my X509 Public key and have
> code that can use it to decpher. I can use this function to open the
> certificate
>
> fp = fopen("testpublic.cert","rb");
> X509 *cert=PEM_read_X509(fp,NULL,NULL,NULL);
> if (cert!=NULL)
> printf("CERT is good***\n");
>
> But how can I get the Public key from this x509? So I can use
> decryption of data? In this example I use the public key PEM directly
> and thats what I should not hand out.
>
> I am not that familiar with all API functions in openssl and how to get
> artifacts
> to use them. This below is simply open the pubic key file and use it.
>
>
> fp = fopen("testpublic.pem","rb");
> RSA *rsapub=NULL;
> rsapub= PEM_read_RSA_PUBKEY(fp,&rsapub,NULL,NULL);
> fclose(fp);
>
> unsigned char result[1024];
> rc= RSA_private_decrypt(128,to,result,rsapriv,RSA_PKCS1_OAEP_PADDING);
> printf("Decrypt rc=%d \n",rc);
> printf("result is [%s]\n",result);
>
> The reason I need the public key is that I don't encrypt a chunk of
> data as would be in a PKCS7 but I have some data encrypted and other data
> not
> encrypted sort of interlaced lets say.
>
>
--
View this message in context:
http://old.nabble.com/How-to-use-X509-public-key-tp34415232p34418185.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
