> From: owner-openssl-us...@openssl.org On Behalf Of sudeepta
> Sent: Monday, 16 March, 2009 08:00

> I am writing a server application which is supposed to use
> certificates/keys in DER format only. In my code, I am using the
> following functions for loading the server certificate and its
> private key respectively.
>
> SSL_CTX_use_certificate_file(pSSLCtx,"server.cer",SSL_FILETYPE_ASN1) and
> SSL_CTX_use_PrivateKey_file(pSSLCtx,"key.cer",SSL_FILETYPE_ASN1)
>

Others have answered about this part.

> The root CA file for the client certificate is also in DER format (i.e.
> rootCA.cer). I am having trouble loading this certificate for client
> verification. I initially tried using the following function :
> SSL_CTX_load_verify_locations()
> But it seems it is only applicable for PEM formats only.
>

Apparently it is indeed.

> Is there any other function which uses ASN1/DER format? Or do I have to
> convert the root CA file into PEM format before using?
>

There doesn't appear to be any similar SSL-level wrapping.
SSL_CTX_load_verify_locations just calls X509_STORE_load_locations
to put the cert(s) from the file, and/or the dirname(s?) (only)
from the path, in X509_LOOKUP object(s) under the X509_STORE object
pointed to by SSL_CTX->cert_store, which is used for verification.

If your root is (or roots are) static, I think you can do
the equivalent 'by hand'; either get the pointer from
SSL_CTX_get_cert_store, and add a LOOKUP_file into which
your cert(s) are loaded; or create an X509_STORE with
a loaded LOOKUP_file, and SSL_CTX_set_cert_store it (threadsafe?).

If you want the (dynamic) search-in-dir behavior of CA_path,
it appears you can do the same thing with a LOOKUP_hash_dir,
but I didn't trace it fully; this area is complicated.
And the distributed c_rehash wouldn't set up a hashdir
for DER files, so you'll need to modify or replace that.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
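
The conversion route raised in the question (turning rootCA.cer into PEM so that SSL_CTX_load_verify_locations can read it) amounts to base64-encoding the DER bytes, 64 characters per line, between BEGIN/END CERTIFICATE lines. The following is an added example, not part of the original thread and not OpenSSL code; the function name `der_to_pem_cert` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wrap DER certificate bytes in PEM armor: base64 text, 64 characters per
 * line, between BEGIN/END CERTIFICATE lines. Returns the number of
 * characters written (excluding the NUL), or 0 on bad arguments or when
 * the output buffer is too small. Hypothetical helper, not an OpenSSL API. */
size_t der_to_pem_cert(const unsigned char *der, size_t der_len,
                       char *out, size_t out_cap)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static const char head[] = "-----BEGIN CERTIFICATE-----\n";
    static const char tail[] = "-----END CERTIFICATE-----\n";
    size_t b64_len = ((der_len + 2) / 3) * 4;   /* padded base64 length */
    size_t lines = (b64_len + 63) / 64;         /* one '\n' per text line */
    size_t need = strlen(head) + b64_len + lines + strlen(tail) + 1;
    size_t o, i, col = 0;

    if (der == NULL || out == NULL || der_len == 0 || out_cap < need)
        return 0;
    memcpy(out, head, strlen(head));
    o = strlen(head);
    for (i = 0; i < der_len; i += 3) {
        size_t n = der_len - i < 3 ? der_len - i : 3;  /* bytes in group */
        unsigned long v = (unsigned long)der[i] << 16;
        if (n > 1) v |= (unsigned long)der[i + 1] << 8;
        if (n > 2) v |= der[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = n > 1 ? b64[(v >> 6) & 63] : '=';
        out[o++] = n > 2 ? b64[v & 63] : '=';
        col += 4;
        if (col == 64) { out[o++] = '\n'; col = 0; }   /* wrap at 64 */
    }
    if (col != 0) out[o++] = '\n';                     /* end short line */
    memcpy(out + o, tail, strlen(tail) + 1);           /* copies the NUL */
    return o + strlen(tail);
}

int main(void)
{
    /* Constructed sample: a 5-byte DER SEQUENCE, not a real certificate. */
    const unsigned char der[] = {0x30, 0x03, 0x02, 0x01, 0x05};
    char pem[128];
    if (der_to_pem_cert(der, sizeof der, pem, sizeof pem) == 0) return 1;
    fputs(pem, stdout);
    return 0;
}
```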