[openssl-users] OCSP verification issue

2016-08-18 Thread Peter Bowen
I recently ran into a bug with verification of OCSP responses that appears to 
be in all versions of OpenSSL (including current 1.1.0 builds).

RFC 6960 and its predecessor 2560 allow that the response may be signed by the 
key for "the CA who issued the certificate in question" (section 2.2).  In this 
case it should not be necessary to include any certs in the basicResponse, as 
the signature can be validated using the public key used to validate the 
certificate whose status is being checked.

While this is contemplated by the RFCs, OpenSSL fails in certain cases if no 
certificates are provided in the response. If there are at least two 
intermediate CAs in the certificate chain between a trust anchor and end entity 
certificate, then OCSP_basic_verify will return a certificate verify error.

The code below reproduces the failure and demonstrates that reducing the path 
length from anchor to end entity certificate resolves the issue as does adding 
a certificate from the trust anchor to the first CA to the response.

I think the correct behaviour would be to check if the issuer of the 
certificate matches the signer of the OCSP response and, if so, simply skip the 
X509_verify_cert check.

Thanks,
Peter

#!/usr/bin/env ruby
# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

require 'openssl'
require 'base64'
require 'open3'

# Ruby has no to_text method for OCSP responses, so shell out
def ocsp_to_text(ocsp_der)
  # Figure out if our base64 uses -D or -d to decode
  %x/echo | base64 -D/
  if $? == 0
    dparam="-D"
  else
    dparam="-d"
  end

  out = ""
  Open3::popen2("/bin/bash -t") do |i, o, t|
    i.puts("openssl ocsp -noverify -text -respin <(echo #{Base64.strict_encode64(ocsp_der)} | base64 #{dparam})")
    o.each{|l|out += l}
  end
  out
end

# Set up Names and Keys for all the certs
nodes = {
  :root => {
    :name => OpenSSL::X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
      ["O", "Beyond Hypersecure Inc", OpenSSL::ASN1::PRINTABLESTRING],
      ["CN", "Beyond Hypersecure Root CA", OpenSSL::ASN1::PRINTABLESTRING]]),
    :key => OpenSSL::PKey::RSA.new(2048)
  },
  :ca1 => {
    :name => OpenSSL::X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
      ["O", "Beyond Hypersecure Inc", OpenSSL::ASN1::PRINTABLESTRING],
      ["CN", "Beyond Hypersecure Partner CA", OpenSSL::ASN1::PRINTABLESTRING]]),
    :key => OpenSSL::PKey::RSA.new(2048)
  },
  :ca2 => {
    :name => OpenSSL::X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
      ["O", "HyperCyberHost LLC", OpenSSL::ASN1::PRINTABLESTRING],
      ["CN", "HyperCyberHost Server CA", OpenSSL::ASN1::PRINTABLESTRING]]),
    :key => OpenSSL::PKey::RSA.new(2048)
  },
  :ee => {
    :name => OpenSSL::X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
      ["CN", "localdemo.sslmap.com", OpenSSL::ASN1::PRINTABLESTRING]]),
    :key => OpenSSL::PKey::RSA.new(2048),
    :sans => "DNS:localdemo.sslmap.com"
  }
}

# Generate all the certs
root_cert = OpenSSL::X509::Certificate.new
root_cert.version = 0x2
root_cert.serial = 0x0
root_cert.not_before = Time.new(2004,01,01,00,00,01)
root_cert.not_after =  Time.new(2028,12,31,23,59,59)
root_cert.subject = nodes[:root][:name]
root_cert.issuer = root_cert.subject
root_cert.public_key = nodes[:root][:key]
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = root_cert
ef.issuer_certificate = root_cert
root_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
root_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
root_cert.add_extension(ef.create_extension("keyUsage","digitalSignature, keyCertSign, cRLSign", true))
root_cert.sign(nodes[:root][:key], OpenSSL::Digest::SHA256.new)

puts root_cert.to_text
puts root_cert.to_pem

ca1_cert = OpenSSL::X509::Certificate.new
ca1_cert.version = 0x2
ca1_cert.serial = 0xa
ca1_cert.not_before = Time.new(2011,01,01,00,00,01)
ca1_cert.not_after =  Time.new(2020,12,31,23,59,59)
ca1_cert.subject = nodes[:ca1][:name] 
ca1_cert.issuer = root_cert.subject
ca1_cert.public_key = nodes[:ca1][:key]
ef = OpenSSL::X509::ExtensionFactory.new
ef.config = OpenSSL::Config.parse('
[polsect]
policyIdentifier = 2.5.29.32.0
CPS.1="http://beyondhypersecure.example.com/cps"
')
ef.subject_certificate = ca1_cert
ef.issuer_certificate = root_cert
ca1_cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
ca1_cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
ca1_cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
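
The check proposed in the message above (accept the response when its signer is the issuer of the certificate being checked) can be approximated by the calling application. The following is an added example, not code from the original post or from OpenSSL: it validates the end-entity chain first, then verifies the certificate-less response against that issuer with OCSP::TRUSTOTHER. The helper names (make_cert, build_response, issuer_signed_ocsp_ok?, demo) and the "Example" PKI are constructed for illustration.

```ruby
require 'openssl'

# Constructed test PKI for this example: root -> ca1 -> ca2 -> ee.
def make_cert(cn, key, issuer_cert, issuer_key, serial, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", is_ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Issuer-signed response with no embedded certificates (RFC 6960 section 2.2).
def build_response(cid, signer_cert, signer_key)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, -300, 3600, [])
  basic.sign(signer_cert, signer_key, [], OpenSSL::OCSP::NOCERTS, OpenSSL::Digest.new("SHA256"))
end

def issuer_signed_ocsp_ok?(basic, ee, untrusted, store)
  # 1. Validate the EE chain as usual; this establishes trust in the issuer.
  return false unless store.verify(ee, untrusted)
  issuer = store.chain[1]
  # 2. The response must be about this certificate.
  cid = OpenSSL::OCSP::CertificateId.new(ee, issuer)
  return false unless basic.status.any? { |entry| entry[0].cmp(cid) }
  # 3. TRUSTOTHER accepts a signer found in the supplied list without building
  #    a second chain for it; the response signature is still checked.
  basic.verify([issuer], OpenSSL::X509::Store.new, OpenSSL::OCSP::TRUSTOTHER)
end

def demo
  k = Hash.new { |h, name| h[name] = OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Example Root", k[:root], nil, k[:root], 1, true)
  ca1 = make_cert("Example CA1", k[:ca1], root, k[:root], 2, true)
  ca2 = make_cert("Example CA2", k[:ca2], ca1, k[:ca1], 3, true)
  ee = make_cert("ee.example", k[:ee], ca2, k[:ca2], 4, false)
  store = OpenSSL::X509::Store.new.add_cert(root)
  cid = OpenSSL::OCSP::CertificateId.new(ee, ca2)
  # Constructed negative case: same responder name as ca2 but a different key.
  rogue = make_cert("Example CA2", k[:rogue], nil, k[:rogue], 5, true)
  { good: issuer_signed_ocsp_ok?(build_response(cid, ca2, k[:ca2]), ee, [ca1, ca2], store),
    forged: issuer_signed_ocsp_ok?(build_response(cid, rogue, k[:rogue]), ee, [ca1, ca2], store) }
end
```

Calling demo returns a hash with the result for each case. The function only establishes that the response is authentic; the status value and the thisUpdate/nextUpdate window still have to be checked by the caller.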

[openssl-users] _armv7_tick undefined instruction error

2016-08-18 Thread Lee Rock
Hi, all:
When I specify "user_debug=31" in the kernel cmdline, I get an undefined
instruction error.
I figured out that the PC pointed at "mrc p15,0,r0,c9,c13,0". I know this
instruction is used to get the CPU tick. Unless PMUSERENR (Performance Monitors
User Enable Register) is set, this instruction is not allowed to execute in
user mode.
I wonder why openssl uses this instruction in user mode, as PMUSERENR is
not set by default.
BTW, my architecture is ARM v7, kernel is 3.18, openssl 1.0.1.

BR
Rock Lee
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Using Openssl for eCOS platform

2016-08-18 Thread ssk1506
Hi Jay,

Thanks for your reply.

Our requirement is as follows

1. Only using openssl for authentication and a key wrap algorithm.  No
encryption is needed.
2. For the MAC algorithm, we need to use M_SHA1 / M_SHA256
For the key wrap algo, we need to use AES 128 or AES 256 algo.

Following are the steps we followed

1. As we have an eCOS platform, we just integrated the openssl files (1.0.1g)
and added them to our makefile to build them (only .c and .h files)
2. In our application we call the openssl functions for the above two functions
from openssl.

 Key wrap algorithm to decrypt the session key which is received from
the master.  AES_set_decrypt_key, AES_unwrap_key

 MAC algo to generate a MAC value for a message (HMAC(), EVP_sha1(),
EVP_sha256())

3. But during the linking stage we are getting errors such as "undefined
reference to a function".
   Example:
   
openssl/openssl101g/crypto/engine/tb_rand.o(.text.ENGINE_get_default_RAND+0x8):
In function `ENGINE_get_default_RAND': undefined reference to
`engine_table_select'

4. Not able to figure out if there is any common settings file (to configure
openssl) so that we can enable/disable some features and services.

We tried doing the method as you had suggested.  But it seems that there is
not much effect for the declaration of eCos

Request to please let us know what mistake we are making, or whether we have
missed out any configuration.

Regards,

SSK




From: Jay Foster-2 [via OpenSSL] [mailto:ml-node+s6102n67903...@n7.nabble.com]
Sent: 17 August 2016 07:53 PM
To: Sunil Kerur 
Subject: Re: Using Openssl for eCOS platform

I have used the following snippet (along with some others) in the e_os.h header 
file:
# if defined(__ECOS)
#  define __INITIAL_POINTER_SIZE 0
#  define GETPID_IS_MEANINGLESS
#  define NO_CHMOD
#  define NO_SYSLOG
#  define HAVE_LONG_LONG 1
#  define HAVE_LONG_DOUBLE 1
#  define OPENSSL_THREADS
#  undef DEVRANDOM_EGD
# endif
The GETPID_IS_MEANINGLESS might work for you.

Jay

On 8/17/2016 2:55 AM, Devadas kk wrote:
Hi,
 The best way to do this is to modify the e_os.h header file.
 This file has to do with OS specific changes.

 Something like

 #ifdef ECOS
 #define getpid ecos_task_id_fn
 #endif

 ecos_task_id_fn is a placeholder, find out the actual function name to get the
process ID.
 GetThreadID is the function in NETWARE.
Regards,
Devadas

On Wed, Aug 17, 2016 at 10:28 AM, ssk1506 <[hidden email]> wrote:
Hi,
I am using openssl on an eCOS platform. I need only the secure
authentication (no encryption needed). I integrated the openssl source code
with my application. When I try to build, I am getting some linking errors:
undefined reference to 'getpid'
undefined reference to 'RANDpoll'
I am trying to find how to enable or disable the macros (switches to enable or
disable a feature/service). But it seems that openssl.conf is generated from
some utility program and from a file opensslconf.h.in.
Please can anyone suggest how to configure it?
Regards, SSK
