date:20011223

X509_REQ weird behavior

2001-12-23 Thread Michael Pogrebisky


Hi all,

Recently I needed to perform the following task: given a certificate request
(PKCS10 structure), make another one, with just a different public key.
So, I've written the following piece of code to do this:

// Declarations
EVP_PKEY pkey;
FILE* infile, *outfile;

// Opening the input and output files
...
// Creating the public key
...

// Read the PKCS10
X509_REQ* req = PEM_read_X509_REQ(infile, NULL, NULL, NULL);

// Set certificate request public key
if(!X509_REQ_set_pubkey(req, pkey))
return -1;

// Sign upon the request
if(!X509_REQ_sign(req, pkey, EVP_sha1()))
return -1;

// Write the new certificate into the output file
if(!PEM_write_X509_REQ(outfile, req))
return -1;

Everything worked as expected (no errors were reported). However, looking at
the output file after the execution, I discovered the request I got was the
same as the input one!
I took me several hours (and drove me crazy!) to find the catch. I needed to
clear the cached values in the req_info structure, as follows:

req-req_info-asn1 = NULL;
req-req_info-length = 0;

Well, now it works. But I think the behavior described above is buggy.
Can someone, please, fix it in the future releases of OpenSSL?
Thanks,

Michael Pogrebisky,
Software developer at Mercury Interactive Inc., Israel.
---
Work phone: +972-(0)3-5399258
Home phone: +972-(0)3-9610824
Mobile phone:   +972-(0)54-497123
Work fax:   +972-(0)3-5331617
E-mail: [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[STATUS] OpenSSL (Sun 23-Dec-2001)

2001-12-23 Thread OpenSSL Project



  OpenSSL STATUS   Last modified at
  __   $Date: 2001/12/21 03:23:15 $

  DEVELOPMENT STATE

o  OpenSSL 0.9.7:  Under development...
o  OpenSSL 0.9.6c: Released on December  21st, 2001
o  OpenSSL 0.9.6b: Released on July   9th, 2001
o  OpenSSL 0.9.6a: Released on April  5th, 2001
o  OpenSSL 0.9.6:  Released on September 24th, 2000
o  OpenSSL 0.9.5a: Released on April  1st, 2000
o  OpenSSL 0.9.5:  Released on February  28th, 2000
o  OpenSSL 0.9.4:  Released on August09th, 1999
o  OpenSSL 0.9.3a: Released on May   29th, 1999
o  OpenSSL 0.9.3:  Released on May   25th, 1999
o  OpenSSL 0.9.2b: Released on March 22th, 1999
o  OpenSSL 0.9.1c: Released on December  23th, 1998

  RELEASE SHOWSTOPPERS

o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
  - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc

  AVAILABLE PATCHES

o 

  IN PROGRESS

o Steve is currently working on (in no particular order):
ASN1 code redesign, butchery, replacement.
OCSP
EVP cipher enhancement.
Enhanced certificate chain verification.
Private key, certificate and CRL API and implementation.
Developing and bugfixing PKCS#7 (S/MIME code).
Various X509 issues: character sets, certificate request extensions.
o Geoff and Richard are currently working on:
ENGINE (the new code that gives hardware support among others).
o Richard is currently working on:
UI (User Interface)
UTIL (a new set of library functions to support some higher level
  functionality that is currently missing).
Shared library support for VMS.
Kerberos 5 authentication
Constification
OCSP

  NEEDS PATCH

o  All 'openssl' subprograms taking '-des' and '-des3' options should
   include AES support (0.9.7-dev)

o  'openssl speed' should include AES support (0.9.7-dev)

o  apps/ca.c: Sign the certificate? - n creates empty certificate file

o  OpenSSL_0_9_6-stable:
   #include openssl/e_os.h in exported header files is illegal since
   e_os.h is suitable only for library-internal use.

o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
   or an error is reported

o  OpenSSL STATUS is never up-to-date.

  OPEN ISSUES

o  The Makefile hierarchy and build mechanism is still not a round thing:

   1. The config vs. Configure scripts
  It's the same nasty situation as for Apache with APACI vs.
  src/Configure. It confuses.
  Suggestion: Merge Configure and config into a single configure
  script with a Autoconf style interface ;-) and remove
  Configure and config. Or even let us use GNU Autoconf
  itself. Then we can avoid a lot of those platform checks
  which are currently in Configure.

o  Support for Shared Libraries has to be added at least
   for the major Unix platforms. The details we can rip from the stuff
   Ralf has done for the Apache src/Configure script. Ben wants the
   solution to be really simple.

   Status: Ralf will look how we can easily incorporate the
   compiler PIC and linker DSO flags from Apache
   into the OpenSSL Configure script.

   Ulf: +1 for using GNU autoconf and libtool (but not automake,
which apparently is not flexible enough to generate
libcrypto)


o  The perl/ stuff needs a major overhaul. Currently it's
   totally obsolete. Either we clean it up and enhance it to be up-to-date
   with the C code or we also could replace it with the really nice
   Net::SSLeay package we can find under
   http://www.neuronio.pt/SSLeay.pm.html.  Ralf uses this package for a
   longer time and it works fine and is a nice Perl module. Best would be
   to convince the author to work for the OpenSSL project and create a
   Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
   us.

   Status: Ralf thinks we should both contact the author of Net::SSLeay
   and look how much effort it is to bring Eric's perl/ stuff up
   to date.
   Paul +1

  WISHES

o  SRP in TLS.
   [wished by:
Dj [EMAIL PROTECTED], Tom Wu [EMAIL PROTECTED],
Tom Holroyd [EMAIL PROTECTED]]

   See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
   as well as http://www-cs-students.stanford.edu/~tjw/srp/.

   Tom Holroyd tells us there is a SRP patch for OpenSSH at
   http://members.tripod.com/professor_tom/archives/, that could
   be useful.
__
OpenSSL Project

[PATCH] aes integration (2nd try)

2001-12-23 Thread Stephen Sprunk


Okay, here's my first stab at some improvements to AES integration.

.  apps/openssl speed now supports aes options, works just like des.
.  improved efficiency of EVP calling AES
.  substantial AES API cleanup

Coming soon:

.  128-bit CFB and OFB modes
.  Support in more apps/openssl programs
.  MMX ASM code

I'll leave renaming rijndael.h and crypto/rijndael/ to someone with
more CVS skill :)

cvs diff -Nu is at:
http://defiant.dfw.nostrum.com/~sprunk/aes.diff.bz2

S

-- 
Stephen Sprunk  So long as they don't get violent, I want to
CCIE #3723 let everyone say what they wish, for I myself have
K5SSSalways said exactly what pleased me.  --Albert Einstein
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

X509_REQ weird behavior

[STATUS] OpenSSL (Sun 23-Dec-2001)

[PATCH] aes integration (2nd try)

3 matches

Site Navigation

Mail list logo

Footer information