#63 Set Cert + Key from string failing

[Szakmári László]

Hi,
I don't know, if this is a bug, but searched 40 hours long to find a solution for help / an example without success:

Can not "load" cert + key from string.
If I set:

HTTP.Sock.SSL.CertificateFile := 'signed.cer';
HTTP.Sock.SSL.PrivateKeyFile  := 'myPrivate.key'; 

everything works fine. :-)

But if I copy the text from inside these file to my .pas

const
  c_cer ='-----BEGIN CERTIFICATE-----'#10+
  'MIIG4DCCBMi....'#10+
  ...
  HTTP.Sock.SSL.Certificate := c_cer;
  ...

it does not connect to the server. ("tag error").
Also tried to "cut off" the '----begin ... end-----' parts, no success.

I'm using the latest Trunc version R260.
Opened a FreePascal topic too, but nobody could answer it to me:
https://forum.lazarus.freepascal.org/index.php/topic,59289

Please HELP to solve this urgently! :-(
(We are forced to send reports to our government, and the deadline is near.)

[Szakmári László]

Sent 333.33 CZK donation to compensate a few minutes of your time to look into this.
(Sorry could not send more, but I'm a simple programmer working alone from Budapest.)

[Geby]

What SSL plugin class are you using?

[Szakmári László]

latest OpenSSL (3.0.2)
Binary downloaded from here

[Geby]

Well, but what plugin you have compiled with Synapse? ssl_openssl or ssl_openssl11, or some else?

[Szakmári László]

Oh, sorry, I didn't know there are more of them...
uses ssl_openssl;
Is that wrong? It seems it loads libcrypto-3.dll and libssl-3.dll well.

[Szakmári László]

To be more precise: I've forgot about ssl_openssl11, because it seemed it is not updated to work with OpenSSL3.x, so I had to close that option out.
(I had to think a few moments to realize that. It was a month ago and I've red sooooo many things about SSL and things like that, it mixed all up a bit.)

[Geby]

ssl_openssl11 is not adapted for 3.0 yet. I must do it soon.

However your problem is very simple! Look at comments on the begin of ssl_openssl.pas where are written acceptable certificate formats:

• for files are accepted "text based PEM" or "binary based DER" formats.
• for reading from the memory is accepted "binary based DER" only.

... and you are trying to read PEM. So, try to convert your PEM certificate to DER format first (how to read here: https://www.entrust.com/knowledgebase/ssl/how-do-i-convert-my-pem-certificate-to-a-der-certificate-format)

Please, let me know if it working fine now, thanks!

[Szakmári László]

Thank you very much for the hint!!!

Of course it would have been nice, if your code would:

1. auto-recognise if it has '-----' inside it,
2. and if yes, would try to analyse if it's PKCS#8 (containing: _BEGIN_PRIVATE_KEY )
3. or PKCS#1 (containing: _BEGIN_RSA_PRIVATE_KEY)
4. and auto-convert it.

uses basenenc, fppem, ...

  HTTP.Sock.SSL.PrivateKey  := basenenc.GetRawStringFromBytes(fppem.PemToDER( priv_key_string , _BEGIN_PRIVATE_KEY, _END_PRIVATE_KEY ));
  HTTP.Sock.SSL.Certificate := basenenc.GetRawStringFromBytes(fppem.PemToDER( cert_string     , _BEGIN_PRIVATE_KEY, _END_PRIVATE_KEY ));

[joe pasquariello]

you could just say thank you! the software and supportfrom geby has been incredible.

[Szakmári László]

OFF:

Sorry, my bad,
Of course I wanted to thank :-)

I've just clicked the Send button accidentally too soon after Copy-paste.
(Phone rang and did not check my post again.)
I do appreciate the great work you are doing with this component!
I only tried to suggest a possible enhancement (with too raw sentences).

The main part of my prev. msg. is the CODE !!! because there is nowhere to find it, and wanted to share.

I've just tested it and it works great this way.
(I guess not too many of us know about these magic functions, hidden inside these basenenc + fppem units under FreePascal.)