wpa_supplicant and blobs

Branko Subasic branko.subasic at axis.com
Fri Sep 8 03:05:01 EDT 2006


On Thu, 2006-09-07 at 17:47 -0400, Bryan Kadzban wrote:
> Branko Subasic wrote:
> > On Thu, 2006-09-07 at 12:45 -0400, Bryan Kadzban wrote:
> > 
> >> # For the cert:
> >> openssl x509 -in certfile.pem -inform PEM -outform DER -out certfile.der
> >> 
> > 
> > It's an application on an embedded platform. The OpenSSL apps are not
> > present, only the lib is. And the app must be able to handle PEM as
> > well.
> 
> Well, I was thinking pull the cert off the embedded platform and put it
> onto a real computer, run the conversion, then somehow get the converted
> DER-format data back onto the embedded platform.  (I mean, you got the
> PEM data over there and into a blob somehow; it should be possible to do
> the same with DER data.)

I'd prefer that too, but that's not my decision, unfortunately.

> > If the private key is encrypted, i.e. passphrase protected, then I
> > would have to decrypt it first.
> 
> Yes, but only once, instead of every time the supplicant tries to read
> the blob.  (I still think you can have DER-encoded passphrase-protected
> private keys, though.  In that case, it would work to just base64-decode
> the PEM file's contents.)
> 
> > One reason why I chose this approach is because most of this is
> > already done by the wpa_supplicant.
> > 
> > The other reason is that I think it would be nice if blobs are
> > handled analogous to files.
> 
> True.  I was just wondering if another way of looking at the problem
> might give you another solution.  :-)

Thanks for the input.
I was actually considering doing the conversion just as you proposed,
but I changed my mind mostly because I think that files and blobs should
be handled the same way. And because it might possibly help others. 

> > Assuming that the changes themselves are OK, of course ;-)
> 
> They look decent to me -- but I've never done any OpenSSL programming,
> either, so my opinion should carry *very* little weight.  ;-)

Hmm...I found a little bug in there. The private key passphrase must
also be handed over when calling PEM_read_bio_PrivateKey().


/Branko
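
Added example, not code from this thread or from wpa_supplicant: the base64-decode route from PEM to DER discussed above, for a blob held in memory. It reports the traditional OpenSSL encrypted key format separately, because there the `Proc-Type`/`DEK-Info` headers mean the base64 payload is ciphertext rather than DER. The function and enum names are hypothetical and both sample blobs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names; both sample blobs are constructed for this example. */
enum pem_kind { PEM_INVALID, PEM_PLAIN, PEM_LEGACY_ENCRYPTED };
static const char SAMPLE_CERT[] = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
    "-----END CERTIFICATE-----\n";   /* body is DER 30 03 02 01 05, not a real cert */
static const char SAMPLE_LEGACY_KEY[] = "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n"
    "MAMCAQU=\n-----END RSA PRIVATE KEY-----\n";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Base64-decode the first PEM block in `pem` into out[0..cap). */
enum pem_kind pem_blob_to_der(const char *pem, unsigned char *out,
                              size_t cap, size_t *out_len)
{
    const char *p = strstr(pem, "-----BEGIN ");
    const char *end = p ? strstr(p, "-----END ") : NULL;
    unsigned acc = 0, bits = 0;
    *out_len = 0;
    if (!p || !end || !(p = strchr(p, '\n')) || p > end) return PEM_INVALID;
    /* RFC 1421 headers: the payload is ciphertext, not DER. */
    if (strncmp(p + 1, "Proc-Type: 4,ENCRYPTED", 22) == 0)
        return PEM_LEGACY_ENCRYPTED;
    for (; p < end; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) continue;                      /* newlines, '=' padding */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits < 8) continue;
        if (*out_len == cap) return PEM_INVALID;  /* output buffer too small */
        bits -= 8;
        out[(*out_len)++] = (unsigned char)(acc >> bits);
    }
    return PEM_PLAIN;
}

int main(void)
{
    unsigned char der[16];
    size_t n;
    return pem_blob_to_der(SAMPLE_CERT, der, sizeof der, &n) != PEM_PLAIN;
}
```

A blob reported as `PEM_LEGACY_ENCRYPTED` still has to go through a PEM reader that is given the passphrase before any DER can be produced.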


