Re: Reading certificate from structure using d2i_X509??

2003-03-12 Thread Valentin Zahariev
On Tue, Mar 11, 2003 at 01:54:55PM -0800, rajagopalan ramanujam wrote:
 
 hi,
 
 I am having a problem when reading a certificate and
 private key from a memory buffer instead of a file.
 I am using d2i_X509(NULL,cert,strlen(cert)) to read
 the certificate string, which was defined in a .pem
 file. Should I use SSL_CTX_use_certificate_ASN1
 instead??? Please help me.
 
 copied from server.pem file
 unsigned char *cert = "MIIDDzCCAs2gAwIBAgICAQw==";
 unsigned char *key = "y5qH6Q0Nvb5SUcJEYY...p6==";

Incorrect. This is PEM format; d2i_* expects DER/binary input.
Use:
% openssl x509 -in server.pem -noout -C > server_cert.c
which will produce something like this:
[cut]
unsigned char XXX_certificate[1592]={
0x30,0x82,0x06,0x34,0x30,0x82,0x05,0x1C,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x0D,
[cut]

 
 here is my sample server code :
 
 void ssl_server ()
 {
   SSL_CTX *ctx;
   SSL *ssl;
   X509 *client_cert, *x509_cert, *x509_key;
   char *str;
   SSL_METHOD *meth;
   int theFd;
   fd_set theFdSet;

   /* SSL preliminaries. We keep the certificate and
      key with the context. */

   SSL_load_error_strings();
   SSLeay_add_ssl_algorithms();
   meth = SSLv23_server_method();
   ctx = SSL_CTX_new (meth);

   /* cert holds the base64 text copied from server.pem */
   x509_cert = d2i_X509(NULL,cert,strlen(cert));

   if (SSL_CTX_use_certificate(ctx,x509_cert) <= 0) {
     return;
   }

   /* key holds the base64 text copied from server.pem */
   x509_key = d2i_X509(NULL,key,sizeof(key));

   if (SSL_CTX_use_PrivateKey(ctx,x509_key) <= 0) {
     return;
   }

   if (!SSL_CTX_check_private_key(ctx)) {
     printf("Private key does not match the certificate public key\n");
     return;
   }

   .
   .
 }
 
 When calling d2i_X509 it fails for the following reason:
 IMPLEMENT_ASN1_FUNCTIONS(X509)
 ASN1_VALUE *ASN1_item_d2i(..)
 asn1_check_tlen(..)
 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
 return 0;


here is sample code:
X509 *
get_cert(void)
{
    /* XXX_certificate is the DER array generated by openssl x509 -C */
    unsigned char *der = XXX_certificate;
    X509 *crt = NULL;

    if (NULL == (crt = X509_new())) {
        /* Oops, out of memory? */
        return NULL;
    }

    /* d2i_X509 takes the address of both pointers and advances *der
       past the decoded bytes */
    return d2i_X509(&crt, &der, sizeof(XXX_certificate));
}

 
 
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

-- 
regards
Valentin Zahariev
CTO
E-CARD Ltd.

http://www.e-card.bg

PGP keyID: 0xC005C5CA 
Key fingerprint = F3 46 26 21 8F F0 5E 19  5B B3 34 08 24 9E 71 13  C0 05 C5 CA
http://certs.e-card.bg:11371/pks/lookup?op=get&search=0xC005C5CA
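As an added example, not from this thread: a pure-Python mirror of the check that fails in the question above. d2i_X509 hands the buffer to asn1_check_tlen, which expects the outer SEQUENCE tag 0x30 followed by a DER length; the base64 text copied from server.pem starts with 'M' (0x4D), hence ASN1_R_WRONG_TAG. DER_SAMPLE and PEM_SAMPLE are constructed, and pem_to_der, check_tlen and describe are hypothetical helper names, not OpenSSL functions.

```python
import base64
import re

# Constructed sample: a tiny DER SEQUENCE (not a real certificate) and the same
# bytes wrapped in PEM armor, the way server.pem wraps the real certificate.
DER_SAMPLE = bytes([0x30, 0x06, 0x02, 0x01, 0x0C, 0x02, 0x01, 0x07])
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")

# Hypothetical helper: strip the PEM armor and base64-decode to DER. This is
# the step PEM_read_bio_X509 performs before it calls d2i_X509 internally.
def pem_to_der(pem: bytes) -> bytes:
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if m is None:
        raise ValueError("not PEM")
    return base64.b64decode(b"".join(m.group(1).split()))

# Hypothetical mirror of asn1_check_tlen: check the outer tag and that the
# encoded length fits in the buffer. Returns (header_len, content_len).
def check_tlen(buf: bytes, expected_tag: int = 0x30) -> tuple:
    if len(buf) < 2:
        raise ValueError("too short")
    if buf[0] != expected_tag:
        raise ValueError("wrong tag: 0x%02x (ASN1_R_WRONG_TAG)" % buf[0])
    first = buf[1]
    if first < 0x80:                       # short form: length in one byte
        hdr, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length > len(buf):
        raise ValueError("too long")
    return hdr, length

def describe(buf: bytes) -> str:
    """'ok' when d2i_X509 would get past the outer header, else the reason."""
    try:
        check_tlen(buf)
        return "ok"
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print("PEM text    :", describe(PEM_SAMPLE))              # wrong tag: 0x2d
    print("base64 body :", describe(b"MIIDDzCCAs2g"))          # wrong tag: 0x4d
    print("decoded DER :", describe(pem_to_der(PEM_SAMPLE)))  # ok
```

The header bytes shown in the reply, 0x30 0x82 0x06 0x34, decode to a 4-byte header plus 1588 content bytes, which is exactly the XXX_certificate[1592] array size.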




Re: Unable to find an RSAREF shared library (librsaref.so)

2002-04-18 Thread Valentin Zahariev

On Thu, Apr 18, 2002 at 06:15:11AM -0400, Dirk van der Giesen wrote:
 I'm working on a FreeBSD version 4.0.
 If I look up where openssl.cnf is located I find these two builds:


By default, the OpenSSL configuration file is located in /etc/ssl.
BTW, you should upgrade your system to FreeBSD 4.5-STABLE.
 
 /usr/local/ssl/openssl.cnf
 /usr/src/crypto/openssl/apps/openssl.cnf
 
 The first one is probably the one I built myself before I knew
 openssl was built with FreeBSD, which
 I presume is the second one.

/usr/src is the FreeBSD base and kernel source directory.


 
 What I try to do is generate a private key and then a certificate
 signing request.
 
 I do this as suggested by the Thawte guide:
 Securing Your Apache Web Server with a Thawte Digital Certificate.
 
 I go to /usr/src/crypto/openssl/


STOP!
NOT HERE, this is the system source; you'll lose all your files when
updating the sources.

 
 This directory looks like this:
 
 CHANGES         Makefile.org    config      include       ssl
 CHANGES.SSLeay  Makefile.ssl    crypto      mt            test
 Configure       NEWS            demos       openssl.doxy  times
 FREEBSD-Xlist   README          dep         perl          tools
 INSTALL         apps            doc         private.key   util
 LICENSE         bugs            e_os.h      rsaref
 Makefile        certs           e_os2.h     shlib
 
 I go into the certs directory because I think this is a nice place to
 keep my certificates and all.
 In here I do (without encryption):
 openssl genrsa -out www.domain.com.key 1024
 
 which seems to work nicely and generates my www.domain.com.key file.
 
 The next step should create a CSR that has the same modulus as the private
 key:
 openssl req -new -key www.domain.com.key -out www.domain.com.csr
 
 First, when I do just the above, it has problems not being able to find
 the config file.
 
 Using configuration from /etc/ssl/openssl.cnf

Heh, you see, /usr/bin/openssl is using /etc/ssl/openssl.cnf.
This is the openssl from the base system.

 Unable to load config info
 unable to find 'distinguished_name' in config
 problems making Certificate Request
 
 The first thing that strikes me is that it's looking for a config
 file in a place where it has never been built.
 I mean, I didn't do it and neither did FreeBSD, and I certainly never
 deleted a build.
 
 But what I try then, not knowing too much about this system and all,
 is the following.
 I try to make openssl use the config file that, I think, belongs to the
 build I'm using:
 
 openssl req -new -key www.domain.com.key -out www.domain.com.csr -config ../apps/openssl.cnf
 
 Then I get to fill out some info, and after that I get this error:
 
 ** RSAPrivateEncrypt: Unable to find an RSAREF shared library (librsaref.so).
 ** Install the /usr/ports/security/rsaref port or package and run this
 ** program again. See Chapter 6.5 in the FreeBSD Handbook, located at
 ** http://www.freebsd.org/handbook/openssl.html, for more information.

Upgrade :)

 63721:error:0D064077:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_object.c:104:
 63721:error:0D064077:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_object.c:104:
 63721:error:0D072006:asn1 encoding routines:ASN1_sign:bad get asn1 object call:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_sign.c:126:
 
 
 In not so many words, I have posted this problem before and people
 start asking me questions like why do you want to use this
 and you shouldn't use that and so on.
 
 I really don't do things on purpose. I just try to follow guidelines
 like those of Thawte, Verisign,
 or even those on the OpenSSL site.
 
 I hope that anyone who can see through what's going on right here is
 willing to explain to me in some detail what to do
 to get further in the process of generating the appropriate files to
 secure some info being sent to my server back and forth.
 
 Sincerely,
 
 Dirk van der Giesen
 

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xC005C5CA 
Key fingerprint = F3 46 26 21 8F F0 5E 19  5B B3 34 08 24 9E 71 13  C0 05 C5 CA
http://certs.e-card.bg:11371/pks/lookup?op=get&search=0xC005C5CA





Re: self-signed certificate for virtual webserver

2001-11-11 Thread Valentin Zahariev

On Fri, Nov 09, 2001 at 03:17:39PM +0100, Jakub Jermar wrote:
 Hi, I am trying to generate a self-signed certificate for one of my
 virtual webservers.
 The problem is that no matter what I enter as CN when asked by the
 second command below,
 the certificate is not created for the hostname I want
 (admin.frakira.cz), but for lexus.frakira.cz, which is the machine's
 name. These are the commands I used (I followed the man page):
 
 # openssl genrsa -out /etc/ssl/private/admin.frakira.cz.key 1024
 # openssl req -new -key /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/private/admin.frakira.cz.csr
 # openssl x509 -req -days 365 -in /etc/ssl/private/admin.frakira.cz.csr -signkey /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/admin.frakira.cz.crt
 
 When I enter the last one, everything looks OK ... it outputs something
 about the signature being ok and the DN, which is - as of this moment
 - exactly what I want. But when I try to open https://admin.frakira.cz,
 it complains about the certificate belonging to lexus.frakira.cz...
 (Yes, I did restart apache).
 
 So, how do I arrange that the certificate belongs to admin.frakira.cz
 and is signed by lexus.frakira.cz?
 
 Please reply directly to my email, since the list seems to be so
 slow in subscribing me that I could miss your reply on the list.
 
 Thank you in advance,
 Jakub Jermar
 

I did some checks, e.g.:
curly@FaiLurE:ttyp6 curly $ dnsip lexus.frakira.cz
217.11.254.38 217.11.254.38
curly@FaiLurE:ttyp6 curly $ dnsip admin.frakira.cz
217.11.254.38 217.11.254.38

I see, they are at the same IP - gotcha :)
Read carefully about certificates and virtual hosting in the apache/mod_ssl documentation.
On the same IP/port you can have only 1 cert.
Apache gives you a warning about that: certificate for  overlapping
certificate for  - check your apache logs.
You must use a different IP and/or port for virtualhosts if you want different
certificates for each virtual host.

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8





Re: SHA1

2001-11-11 Thread Valentin Zahariev

On Sun, Nov 11, 2001 at 10:08:16AM -0500, Rich Salz wrote:
  $ echo password |openssl dgst -sha1 -binary| openssl base64
 
 You've got a newline there; try
   echo 'password' | tr -d '\012' | openssl dgst 

Use echo with the -n option;
-n means no newline:

echo -n password |openssl dgst -sha1 -binary| openssl base64

 -- 
 Zolera Systems, Securing web services (XML, SOAP, Signatures,
 Encryption)
 http://www.zolera.com
 

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8





Re: Time Diff?

2001-09-14 Thread Valentin Zahariev

On Fri, Sep 14, 2001 at 11:03:20AM +0200, Averroes wrote:
 Hi all,
 
 Perhaps someone noticed this:
 
 When I create a certificate there is a difference
 between the system (OS) time and the creation time of the certificate.
 Approximately one hour.
 
 
 certificate info:
 Validity
 Not Before: Sep 14 09:57:24 2001 GMT
 Not After : Sep 13 09:57:24 2006 GMT
 
 and immediately after signing:
 Fri Sep 14 10:58:32 BST 2001

Timezone?
GMT and BST?

 
 Any ideas?
 
 Regards
 
 -- 
 # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
 # Averroes A. Aysha
 # Think Linux, Think Slackware!
 # Network Security Auditor (NSA)
 # e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
 # http://www.keyserver.net/en/
 # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
 

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint =  5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8
