Software makes me sad sometimes.
Q: My application has a command-line option to use an SSL client certificate. What is the OpenSSL function to load and use the certificate from a file?
A: Well, we make this lots of fun for you — it would be boring if there was just one function which you could pass the filename to. You have to write 230 lines of code like this instead.... First you have to check for yourself what type of file it is — is it a PKCS#12 file, is it a PEM file with a key in it, or is it a TPM key 'blob'?
No, there's no function which determines that for you — you have to do it yourself. And depending on the answer, you have to do three entirely different things to load the key.
To make things even more fun, those three file types have wildly different ways to handle their passphrase/PIN:
-
For a PEM file, you can't tell OpenSSL the passphrase in
advance —
if the user gave it on the command line, you have to manually
override the user interface function that OpenSSL will
call, and make
your replacement function return the pre-set passphrase.
Or if you
do ask the user, you've got no way to easily tell
whether the user
got the passphrase wrong; if they get it wrong (and type
4 or more
characters) then the 'load key' function will fail and
you have to
compare against a special error code, which may differ
from version
to version of OpenSSL because it has internal function
names. Just
for variety, if the user enters a wrong passphrase with
fewer than
4 characters, they'll get no feedback and will
just be
asked again immediately.
- For a PKCS#12 file, it's the other way round — you
have to give
the passphrase in advance, so you have to ask the user for it
yourself. Even if the file isn't actually encrypted —
because you
don't know that yet.
- For a TPM key it's a bit saner — you can either set the PIN in advance or otherwise OpenSSL will ask the user for it if necessary. But you do have to jump through various other hoops to use the TPM 'engine', instead of just pointing OpenSSL at the file and having everything handled for you.
Excuse me while I bash my head against a brick wall for a while...
And no, the answer is not "don't use OpenSSL then".
At least, not until one of the potential replacements actually starts to catch up with the features I need — support for using a TPM for certificates, and DTLS support.