Topic: Which APIs used for parse x509 PEM format certificate?

Hi,
I want to parse a user certificate (x509 PEM format) and retrieve the public key and issuer information from this certificate.
Could you please help me confirm which APIs are used for this requirement?

I found there is a function named "ParseCert", but it seems to be used only for DER format and single-key cert files.

     Thank you in advance!


2 (edited by cxdinter 2016-08-24 19:51:37)

Re: Which APIs used for parse x509 PEM format certificate?

Hi,
Sorry, I found these APIs are all in the ssl.c file, but most of them are not implemented.
Is there any plan to implement these functions? Or are there any other similar functions that can replace them?

Like:
   PEM_read_bio_WOLFSSL_X509
   wolfSSL_EVP_PKEY_get1_RSA
   wolfSSL_EVP_PKEY_get1_EC_KEY


Re: Which APIs used for parse x509 PEM format certificate?

Hi, I found some functions in asn.c and ssl.c. If I call the functions below sequentially, can I parse a PEM format certificate?

PemToDer()
InitDecodedCert()
ParseCert() /* get a result based on DecodedCert structure data */


Re: Which APIs used for parse x509 PEM format certificate?

Hi,

I just created an example of reading a DER-formatted certificate then extracting the public key and subject name information using wolfSSL.  The example requires wolfSSL to be compiled with the OpenSSL compatibility layer for access to some functions (--enable-opensslextra, or -DOPENSSL_EXTRA).

The example is currently in the following pull request.  I will update this link when the PR gets pulled into the "wolfssl-examples" repository:

https://github.com/wolfSSL/wolfssl-examples/pull/24

For a PEM formatted certificate, you will first need to read the file in and convert it to DER format using wolfSSL_CertPemToDer().

Best Regards,
Chris
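
The PEM-to-DER step discussed in this thread, as an added illustration that is not part of any post and is not wolfSSL's code: a PEM certificate is the DER encoding, base64-encoded between BEGIN/END markers, which is why a DER parser cannot be fed PEM directly. The names `pem_cert_to_der`, `b64_val` and `SAMPLE_PEM` are hypothetical and the sample is constructed; with wolfSSL, the conversion is done by the library function named in the reply above.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: PEM armor around the 5-byte DER SEQUENCE { INTEGER 5 }; not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";

/* Map one base64 character to its 6-bit value, or -1 if it is not base64. */
static int b64_val(char c)
{
    static const char T[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = (c != '\0') ? strchr(T, c) : NULL;
    return q ? (int)(q - T) : -1;
}

/* Decode the first PEM certificate in `pem` into `der` (capacity `cap`).
 * Returns the DER length, or -1 on missing markers, invalid base64,
 * insufficient space, or output that does not start with a SEQUENCE tag. */
int pem_cert_to_der(const char *pem, unsigned char *der, size_t cap)
{
    static const char BEGIN[] = "-----BEGIN CERTIFICATE-----";
    static const char END[]   = "-----END CERTIFICATE-----";
    const char *p = strstr(pem, BEGIN), *end;
    unsigned long acc = 0;   /* bit accumulator; only the low bits are read */
    int bits = 0, pad = 0;
    size_t n = 0;

    if (p == NULL) return -1;
    p += sizeof(BEGIN) - 1;
    end = strstr(p, END);
    if (end == NULL) return -1;

    for (; p < end; p++) {
        int v;
        if (*p == '\r' || *p == '\n' || *p == ' ' || *p == '\t') continue;
        if (*p == '=') { pad++; continue; }
        v = b64_val(*p);
        if (v < 0 || pad > 0) return -1;   /* junk, or data after padding */
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;       /* never write past the caller's buffer */
            der[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    if (pad > 2 || n == 0 || der[0] != 0x30) return -1;   /* DER certificates start with SEQUENCE (0x30) */
    return (int)n;
}
```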

Re: Which APIs used for parse x509 PEM format certificate?

Hi Chris,
Thanks for your support. Your example is really helpful for me.
I have another question about the Certificate Signing Request (CSR) during TLS communication. After I call wc_MakeCertReq() to generate the CSR, can I call wc_SignCert() to sign this DER certificate myself, and then call wc_DerToPem() to generate a PEM format certificate? Like the sequence below, is it correct?


wc_InitCert()
wc_MakeCertReq() /*here generate CSR and generate a DER buffer*/
wc_SignCert() /*Sign DER Certificate*/
wc_DerToPem() /*use this function to generate PEM format certificate, if needed*/


Re: Which APIs used for parse x509 PEM format certificate?

Hi,

That is correct. The CSR must be signed with the applicant's private key, which is why the wc_SignCert() function is used. Since most CAs would expect a PEM-formatted CSR, wc_DerToPem() is used to convert the DER encoded CSR to a PEM formatted one.

Best Regards,
Chris

Re: Which APIs used for parse x509 PEM format certificate?

Hi Chris,

Thanks for your confirmation.

My last question about this topic:
If I want to verify a sub-certificate with the Root CA certificate, is there any function that can take these two certificates as input directly and return a success or fail status? Or must I first retrieve the root public key from the Root CA certificate and then use it to verify the sub-certificate?
