RE: TimeStamping
Not really, I'm searching for a kind of patch that I will use with OpenSSL.

Michiels Olivier

-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: mardi 27 février 2001 17:33
To: [EMAIL PROTECTED]
Subject: Re: TimeStamping

Is www.time.gov good enough?

--Greg Stark ([EMAIL PROTECTED])

----- Original Message -----
From: "Olivier Michiels" [EMAIL PROTECTED]
To: "Openssl-Dev (E-mail)" [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 10:21 AM
Subject: TimeStamping

Hi, does somebody have an implementation of TimeStamping?

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Memory leak in SSL_CTX_new ?
Hi

I'm *suffering* from the same memory leak. Bodo mentioned that a reference is kept in a global variable, but as I saw, it is x509_store_ctx_method, declared as a static variable in x509_vfy.c. Is there a way to access it? Or to tell OpenSSL to free it? Am I missing something? The allocation occurs between MemCheck_off() and MemCheck_on(), so it could *escape* OpenSSL's memory leak, can't it?

Please help
Dror

I've been doing some memory leak checking on an OpenSSL app and discovered that a memory leak occurs in SSL_CTX_new(). Stack trace is below. The SSL_get_ex_data_X509_STORE_CTX_idx() function is used to check for an error but internally allocates resources which SSL_CTX_free() does not free up.

True, this however is not a true memory leak because the reference to the memory blocks is kept in a global variable. This is memory used for assigning at run-time an index value used for certain internal structures.
Re: ca Problems
Dr S N Henson wrote:

> Can you give some more information about what you've actually modified?

I have scheduled submission with Bodo by the end of this week as he is very busy at the moment...

> Or is it possible to get this behaviour with the standard 'ca' utility? If so, how?

Yes, it happens when the DN order is like this:

    [EMAIL PROTECTED], CN=Mad Max, OU=myOu, O=org, C=IT

While if I have a DN like this:

    C=IT, O=org, OU=myOU, CN=Mad Max, [EMAIL PROTECTED]

I get a valid email in the subjectAltName. It seems like it is tied to the ext adding code, but I am not sure...

Wait... I have tried some other DNs and it seems that if I put the Email=... at the end of the DN all goes well, otherwise the subjectAltName extension is empty.

The same seems to happen to the Issuer Alternative Name too, but more tests are needed.

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Re: ca Problems - subject and issuer AltName
Massimiliano Pala wrote:

> The same seems to happen to the Issuer Alternative Name too, but more tests are needed.

I have tested it, and it seems like I already said: if the Email field is at the end of the name (Issuer/subject) the altName extension is correctly filled, otherwise it gets an EMPTY value.

Let me know if you want me to fix it or if you are taking the task...

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
New ca.c req.c Patches
Hi,

I am sending in the patches (for Bodo: I know it was due at the end of the week, but I will re-send them - as many wrote in asking for the patches I am sending them to the lists too).

To use the patch, put the madwolf.patch into the openssl-SNAP-20010228 dir and type:

    $ patch -p0 < madwolf.patch

If all goes well you should have the new versions of the two files. Now some explanation:

req.c
=====

o Fixed some lacking "usage" messages (passin, subject):

    -subject       output the request's subject
    -passin        private key password source

o Added some new switches:

    -batch         do not ask anything during request generation
    -subj arg      use the passed subject in new request generation
    -modsubj arg   modify request's subject to arg

* The -batch switch will not prompt for any information during new request generation, so default values will be used.

* The -subj switch allows subject name specification during new request generation. The subject name format is:

    "CN=Some Name, OU=myOU, C=IT"
  or
    "CN=Some Name/OU=myOU/C=IT"

  Both will be correctly parsed. The order will be preserved in the request's subject. All known NIDs are allowed, unknown ones will be ignored.

* The -modsubj switch allows modifying a request's subject after its creation - the request will no longer be valid when verifying it - I really am not sure about its usability; anyway it just required a few code lines to be added.

ca.c
====

o Added one new switch:

    -subj arg - Use arg instead of request's subject

* The -subj switch allows the subject name arg to be used instead of the request's subject name. Useful when issuing certificates with a modified subject (by an RA operator) without requiring the user to submit again for a certificate because of errors in the subject. This is useful for IE/Server requests. The subject's format is the same as the one reported for the new -subj switch of req.

Hope this will help in CA management.

C'you,
Massimiliano Pala ([EMAIL PROTECTED])

--- apps/ca.c Thu Feb 22 16:00:08 2001 +++ apps/ca-openca.cThu Mar 1 10:59:05 2001 
@@ -183,6 +183,7 @@ " -batch - Don't ask questions\n", " -msie_hack - msie modifications to handle all those universal strings\n", " -revoke file- Revoke a certificate (given in file)\n", +" -subj arg - Use arg instead of request's subject\n", " -extensions .. - Extension section (override value in config file)\n", " -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", 
@@ -208,24 +209,25 @@ static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, - BIGNUM *serial, char *startdate,char *enddate, int days, - int batch, char *ext_sect, LHASH *conf,int verbose); + BIGNUM *serial, char *subj, char *startdate,char *enddate, + int days, int batch, char *ext_sect, LHASH *conf,int verbose); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *startdate, + TXT_DB *db, BIGNUM *serial, char *subj, char *startdate, char *enddate, int days, int batch, char *ext_sect, LHASH *conf,int verbose); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, -TXT_DB *db, BIGNUM *serial,char *startdate, +TXT_DB *db, BIGNUM *serial,char *subj, char *startdate, char *enddate, int days, char *ext_sect,LHASH *conf, int verbose); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, + STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *conf); +static X509_NAME *do_subject( char *subject ); static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); static int get_certificate_status(const char *ser_status, TXT_DB *db); static int do_updatedb(TXT_DB *db); @@ -280,6 +282,7 @@ char *serialfile=NULL; char *extensions=NULL; char *extfile=NULL; + char *subj=NULL; char *crl_ext=NULL; int rev_type = REV_NONE; char *rev_arg = NULL; @@ -343,6 +346,12 @@
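Review bot: the help line added in the usage hunk (@@ -183,6 +183,7 @@), " -subj arg - Use arg instead of request's subject", does not say what form arg takes or that the subject the requester signed is replaced in the issued certificate. Suggest naming the accepted format in the usage text, for example "CN=Some Name, OU=myOU, C=IT", so an operator does not have to read the source to learn that both ',' and '/' separate components.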
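Review bot: in the prototype hunk (@@ -208,24 +209,25 @@), "char *subj" is inserted between "BIGNUM *serial" and "char *startdate" in certify(), certify_cert(), certify_spkac() and do_body(), so it now sits directly beside two other "char *" parameters and a call that passes subj and startdate in swapped order compiles without a warning. Suggest declaring it "const char *subj" (nothing in the visible lines needs to modify it) and checking every call site by hand. The new "static X509_NAME *do_subject( char *subject );" should carry a comment saying who frees the returned X509_NAME and what it returns when the string cannot be parsed; a NULL that quietly falls back to the request's own subject would undo the operator's override. The spaces inside its parentheses also differ from the surrounding prototypes.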
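The subject string format described in the message above ("CN=Some Name, OU=myOU, C=IT" or "CN=Some Name/OU=myOU/C=IT", order preserved, unknown types ignored), as an added example that is not code from the patch or from OpenSSL. The names parse_subject, struct rdn and the KNOWN table are hypothetical; it goes beyond the message by reporting how many components were dropped and by rejecting a component with no '=', which is what a value containing a separator turns into.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of short names (assumption); OpenSSL uses its object table. */
static const char *KNOWN[] = { "C", "ST", "L", "O", "OU", "CN", "Email" };
struct rdn { char type[16]; char value[64]; };

static int is_known(const char *t) {
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (strcmp(KNOWN[i], t) == 0) return 1;
    return 0;
}

/* Copy [b, e) into dst with spaces trimmed; -1 if empty or too long. */
static int copy_trim(char *dst, size_t cap, const char *b, const char *e) {
    while (b < e && *b == ' ') b++;
    while (e > b && e[-1] == ' ') e--;
    if (e == b || (size_t)(e - b) >= cap) return -1;
    memcpy(dst, b, (size_t)(e - b));
    dst[e - b] = '\0';
    return 0;
}

/* Parse "T=V, T=V" or "T=V/T=V" in input order. Returns the number of
 * entries stored, or -1 on malformed input. Unknown types are dropped,
 * as the message describes, but counted in *skipped for the caller. */
int parse_subject(const char *s, struct rdn *out, int max, int *skipped) {
    int n = 0;
    *skipped = 0;
    while (*s) {
        size_t len = strcspn(s, ",/");
        const char *end = s + len;
        const char *eq = memchr(s, '=', len);
        struct rdn r;
        if (!eq || copy_trim(r.type, sizeof r.type, s, eq) ||
            copy_trim(r.value, sizeof r.value, eq + 1, end))
            return -1;          /* e.g. the " Inc." left by "O=Acme, Inc." */
        if (!is_known(r.type)) (*skipped)++;
        else if (n == max) return -1;
        else out[n++] = r;
        s = *end ? end + 1 : end;
    }
    return n;
}

int main(void) {
    struct rdn r[8]; int skipped, n = parse_subject("CN=Some Name/OU=myOU/C=IT", r, 8, &skipped);
    for (int i = 0; i < n; i++) printf("%s = %s\n", r[i].type, r[i].value);
    return 0;
}
```

A CA front end would normally refuse to issue when skipped is non-zero or the result is -1, rather than signing a subject that differs from what the operator typed.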
Re: ca Problems - subject and issuer AltName
I've checked in a fix for this. Patch is:

diff -cr -x CVS openssl/crypto/x509v3/v3_alt.c ossl/crypto/x509v3/v3_alt.c *** openssl/crypto/x509v3/v3_alt.c Fri Feb 23 03:16:08 2001 --- ossl/crypto/x509v3/v3_alt.c Thu Mar 1 13:07:30 2001 *** *** 318,324 /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, !NID_pkcs9_emailAddress, i)) 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) { --- 318,324 /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, !NID_pkcs9_emailAddress, i)) = 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) {

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
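Review bot: this fix needs a regression case alongside it, because the changed line in the 318,324 hunk differs from the old one only in the comparison against 0 applied to the X509_NAME_get_index_by_NID() result (the operator is partly lost in this archive copy; the new line ends in "= 0)"), and that is easy to get wrong again. Index 0 is a valid entry position and the function returns a negative value when nothing further matches, so a short comment on the loop saying so, plus a test that builds the altName from names with the e-mail entry first, in the middle and last, would pin the behaviour reported earlier in this thread. The visible context also stops at "if(!email || !(gen = GENERAL_NAME_new())) {", so it is worth confirming that email is freed on the path where GENERAL_NAME_new() fails.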
Re: ca Problems - subject and issuer AltName
Dr S N Henson wrote:

> I've checked in a fix for this. Patch is: [...]
> Steve.

Thanks. I will re-send my patches to Bodo at the end of the week as he said.

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Session reuse on client side when the session runs SSLv2 fails
The following sequence of calls will fail when my_session->ssl_version == SSL2_VERSION:

    SSL_set_session(my_ssl, my_session);
    SSL_set_connect_state(my_ssl);  /* Probably not really needed, but doesn't matter */
    SSL_connect(my_ssl);            /* Returns -1 */
    ERR_print_errors(my_errbio);

The printout will be:

    28:error:140750DD:SSL routines:SSL23_CONNECT:ssl23 doing session id reuse:s23_clnt.c:132:

... or something very similar.

The reason for all this is actually that ssl23_get_method() (which is called downstream from SSL_set_session()) in s23_meth.c will return the result of SSLv23_method() when presented with SSL2_VERSION as input argument, while it will give the results from SSLv3_method() and TLSv1_method() for SSL3_VERSION and TLS1_VERSION respectively.

What happens next is that ssl23_connect() is called with an SSL in the state SSL_ST_CONNECT|SSL_ST_BEFORE. The first thing that is checked is if there's a session connected to the SSL, and if there is, the error given above is signaled.

Unless someone tells me the behavior of ssl23_get_method() is correct vis-à-vis SSLv2, I'll change it to return the result of SSLv2_method().

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: TimeStamping
In our implementation, we defined our own policy OID under our private enterprise MIB number. I've just written a small routine to verify a v12 pkix timestamp signature using openssl 0.9.6 on my WinDoze box. Thanks to Peter Sylvester for the hint on moving the content into id_data. If you want the source, let me know.

-----Original Message-----
From: Olivier Michiels [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 11:53 PM
To: '[EMAIL PROTECTED]'
Subject: RE: TimeStamping

Thanks for your help. I'm new to OpenSSL and TimeStamping. How did you define the TSAPolicyId? It's an ASN1_OBJECT, but what is the OID of this object?

Michiels Olivier

-----Original Message-----
From: Peter Sylvester [mailto:[EMAIL PROTECTED]]
Sent: mardi 27 février 2001 18:42
To: [EMAIL PROTECTED]
Subject: Re: TimeStamping

There are several ones. I have tested TSA implementations from my client and I have my own one based on OpenSSL and on the latest draft of TSP. Look at http://www.edelweb.fr/tsa.html for details.

> Hi, does somebody have an implementation of TimeStamping?