Hi,
You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk
is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.
Cheers,
-Dave
> On Nov 22, 2017, at 06:58, Dirk Menstermann wrote:
> Hi,
>
> can anybody share example code
> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null();
> sk_DIST_POINT_push (distPoints, distPoint);
> X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0,
> distPoints);
> X509_add_ext (cert, ext, -1);
> X509_EXTENSION_free (ext);
>
> The extension wi
Hi Marcus,
Try giving -CAfile a concatenated file with both CA certificates inside.
hulk:/tmp $ cat DSS* > chain.pem
hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq
-CAfile chain.pem
Verification: OK
Cheers,
-Dave
> On Nov 14, 2017, at 02:30, Marcus Lundblad
> X509_ATTRIBUTE *attr;
> while ((attr = sk_X509_ATTRIBUTE_pop(attrs)) != NULL) {
> X509_ATTRIBUTE_free(attr);
> }
> sk_X509_ATTRIBUTE_free(attrs);
>
> Looks working.
>
> Regards,
> Libor
>
>
> On 2017-11-15 15:31, Dave Coombs wrote:
>
>> Hel
Hello,
You can do something like the following.
First make a type corresponding to a stack of x509 attributes:
typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE;
DECLARE_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE);
Then make an asn1 template that specifies how the stack should be
>> It would be nice, though, if the API provided a way to get the signer's
>> certificate. There is OCSP_resp_get0_signature(), but that only returns the
>> bit string. Comparable functions in other modules (eg:
>> X509_get0_signature(), X509_REQ_get0_signature(), X509_CRL_get0_signature(),
Hello,
I was fiddling around with OpenSSL 1.1.0 this past weekend, because One Day
We'll Need To Upgrade (tm), and ran into the following.
We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 / 1.0.2 to
confirm that the signature on an ocsp response is correct. This is a macro in
>> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and
>> NULL for X509_STORE *st since it won't be used, then I think I should get
>> the desired result, yes, at the cost of ocsp_find_signer(single-entry certs)
>> and the internal creation/destruction of an unused
Hi Matt, thanks for your response.
>> Is the correct solution to use OCSP_basic_verify(), which feels like
>> overkill for my needs (the code in question is *part of* our own
>> path-validation routine), or might there be some other way?
>
> Can you use OCSP_basic_verify() passing in
> Thank you Matt!,
> yes it is odd, the component in C# is from a third party and we don't know C#, we think
> that for a moment we could replace that using openssl command line.
>
> Could you show me how to pass a key to the openssl?
To use a specific key instead of deriving it from a passphrase, use -K
Hello,
This is just a guess, but try AES_set_decrypt_key() before trying to unwrap?
-Dave
> On Jan 4, 2018, at 13:08, InMotion Man wrote:
>
> Hello all,
> I'm having trouble using the AES_unwrap_key function. I have tried different
> things but it always returns 0 and
Hi,
Wikipedia has some information.
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
What is produced by "dgst -sha" is what the above link is calling SHA-0
(originally just called SHA).
All the best,
-Dave
> On Dec 25, 2017, at 22:44, Swapnil Deshpande
Hello,
Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your
X509 *cc_cert -- you don't need to (and probably shouldn't) free it.
Cheers,
-Dave
> On Jan 2, 2018, at 19:38, Karl Denninger wrote:
>
> Assume the following code snippet:
>
> const
> The observation is correct, but the conclusion is wrong.
> The object is reference counted, and X509_free() is needed
> to avoid a leak (when the store is freed along with the
> context).
My apologies -- I assumed based on its name that X509_OBJECT_up_ref_count was
upping the refcount on the
Yeah, it looks like the signature is just wrong. Even setting aside the
question of padding, I used rsautl -verify -raw on the signature using the
CSR's public key, and I would expect to see a pair of sequence tags (0x30) with
sensible lengths somewhere inside, and I don't.
hulk:/tmp $
Hi,
You can use i2a_ASN1_INTEGER() to print an ASN1_INTEGER to a BIO.
-Dave
> On Oct 16, 2018, at 05:37, Opa114 wrote:
>
> Hi there,
>
> I have to print out some data, which is an ASN1_BIT_STRING and an
> ASN1_INTEGER with BIO_printf. For GENERAL_NAME for example there is a predefined
>
, as far as I know.
-Dave
> On Oct 16, 2018, at 10:32, Opa114 wrote:
>
> Hi,
>
> thanks for this - what about the ASN1_BIT_STRING? Is there such a predefined
> function?
>
> From: openssl-users <mailto:openssl-users-boun...@openssl.org>> on behalf of Dave Coo
Hello,
That syntax looks correct, yes. It belongs in the [section] name you are
passing to the "-extensions" argument on the "openssl ca" command when issuing
the certificate.
I hope this helps.
-Dave
> On Oct 2, 2018, at 05:47, DUPALUT, Benjamin wrote:
>
> Hello,
>
> Does anyone,
> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote:
>
> For my testing I want to explore the behaviors of policies, policy
> constraints, and policy mappings. I have figured out how to request and
> issue certs with custom policy OIDs, but I haven't yet seen a method of
> granting an
Hi,
> if (!digest)
> {
> static int
> supported_nids[] = {NID_sha256, NID_sha384, NID_sha512, 0};
> *nids =
>
> This makes sense - however there don’t appear to be any APIs in openssl that
> allow you to manipulate a X509_REQ_INFO structure. I can create it, and
> encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or
> friends) to populate the structure. X509_REQ_INFO itself is opaque.
Hi,
They're macros, defined in SKM_DEFINE_STACK_OF() in safestack.h. If you
DEFINE_STACK_OF(Foo), you'll automatically end up with a sk_Foo_num() macro.
Cheers,
-Dave
> On Nov 13, 2019, at 12:20, Jason Schultz wrote:
>
> Hello-
>
> I am updating my Linux application from using OpenSSL
Hi,
I could be wrong, but I think the problem may be that [Cert_policy_server] has
a policyIdentifier with two values. Try something like:
[server_cert]
certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server
[Cert_policy_server]
policyIdentifier = GroupeSTIAssurance
Is there a chance you're compiling using the 1.0.2 headers but linking
against 1.1.1?
-D.
On Fri, 2021-04-09 at 20:48 +, Robert Smith via openssl-users
wrote:
> Unfortunately I am unable to link:
>
> ../bin/arm_release/libAppcrypt.a(Certificate.o): In function
>
Hello,
I have in my possession some smartcards whose pkcs15 objects contain
incorrectly structured DER encodings, and I need to get these cards
working in my card management tool. I've made structs corresponding to
the relevant parts of pkcs15 using openssl's ASN1 module, but naturally
the
25 matches