Re: [openssl-users] Regarding SSL_VERIFY_PEER

2017-05-03 Thread john gloster
Hi Viktor and Michael,

Thanks for your respective responses.

I need to make sure the following validation happens:

   - subject field in one certificate matches the issuer field in the
   subsequent certificate
   - no duplicate certificate in the chain
   - basicConstraints: for a CA certificate, CA must be set to TRUE
   - pathLenConstraint: checking as per RFC 5280; I also want to check that
   no CA with pathLen set to 0 is the issuer of another CA certificate
   - validity period check
   - revocation status check
   - keyUsage: e.g. to make sure the keyCertSign indicator is set for the CA
   certificates in the chain
   - criticality check
   - signature validation



As per RFC 5280, subjectKeyIdentifier and authorityKeyIdentifier matching is
not required to be done by the application (section 4.2.1.2):

"Applications are not required to verify that key identifiers match when
performing certification path validation."

Is it possible to let me know which of the bulleted items are validated at
the OpenSSL level? We are using 1.0.2k.

This would save me time debugging.

Thanks,

John

On Wed, May 3, 2017 at 9:57 PM, Michael Wojcik <
michael.woj...@microfocus.com> wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> > Of Viktor Dukhovni
> > Sent: Wednesday, May 03, 2017 06:40
> >
> > For the full verification process see:
> >
> > https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208
>
> I haven't looked at x509_vfy.c in 1.1.0, but in the 1.0.x code it's fairly
> involved. When I implemented custom chain validation for a product, I
> stepped through the code under the debugger for a handful of different
> cases, to get a better idea of what it was doing. I recommend the exercise
> for anyone who wants to intervene in OpenSSL's chain validation.
>
> My custom validation code uses the OpenSSL validation callback, making
> some additional checks and allowing some exceptions, based on application
> configuration. I assume John is doing something similar, and not trying to
> implement chain validation from scratch. I definitely wouldn't recommend
> that, given the Byzantine complexity of X.509v3 PKI, unless you really must
> (e.g. because you want a non-hierarchical PKI topology).
>
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
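The structural checks in John's list, run over a model of a chain as an added example. This is not code from the thread and not OpenSSL's own verifier: each certificate is a small constructed dict (the field names, the sample chains, the serial numbers and the dates are this example's own assumptions), so the RFC 5280 subject/issuer, duplicate, basicConstraints, pathLenConstraint, validity and keyCertSign checks can be exercised offline. In real code these fields would come from the X509 objects OpenSSL hands to the verify callback; signature and revocation checks need key material and are left out of the model.

```python
"""RFC 5280-style structural checks over a leaf-first certificate chain (added example)."""
from datetime import datetime, timezone


def _cert(subject, issuer, serial, ca, path_len, key_usage, years=(2016, 2036)):
    """Build a constructed certificate descriptor; the shape is this example's own."""
    return {
        "subject": subject, "issuer": issuer, "serial": serial,
        "ca": ca, "path_len": path_len, "key_usage": set(key_usage),
        "not_before": datetime(years[0], 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(years[1], 1, 1, tzinfo=timezone.utc),
    }


# Constructed sample chain, leaf first, as a TLS Certificate message carries it.
GOOD_CHAIN = [
    _cert("CN=www.example.test", "CN=Example Issuing CA", 3, False, None, {"digitalSignature"}),
    _cert("CN=Example Issuing CA", "CN=Example Root CA", 2, True, 0, {"keyCertSign", "cRLSign"}),
    _cert("CN=Example Root CA", "CN=Example Root CA", 1, True, 1, {"keyCertSign", "cRLSign"}),
]

# Same root, but the pathLen-0 issuing CA has signed another CA (RFC 5280 6.1.4 (l) violation).
BAD_PATHLEN_CHAIN = [
    _cert("CN=www.example.test", "CN=Example Sub-sub CA", 4, False, None, {"digitalSignature"}),
    _cert("CN=Example Sub-sub CA", "CN=Example Issuing CA", 3, True, None, {"keyCertSign"}),
    GOOD_CHAIN[1],
    GOOD_CHAIN[2],
]

NOW = datetime(2017, 5, 3, tzinfo=timezone.utc)      # constructed "current time"
LATER = datetime(2040, 1, 1, tzinfo=timezone.utc)    # after every sample cert has expired


def check_chain(chain, now):
    """Return the problems found in a leaf-first chain; an empty list means all checks passed."""
    if not chain:
        return ["empty chain"]
    problems = []

    seen = set()
    for cert in chain:
        key = (cert["issuer"], cert["serial"])      # issuer + serial uniquely names a certificate
        if key in seen:
            problems.append(f"duplicate certificate {cert['subject']}")
        seen.add(key)
        if not (cert["not_before"] <= now <= cert["not_after"]):
            problems.append(f"{cert['subject']} is outside its validity period")

    # Each certificate must be issued by the next one, which must be a CA allowed to sign certs.
    for child, issuer in zip(chain, chain[1:]):
        if child["issuer"] != issuer["subject"]:
            problems.append(f"issuer of {child['subject']} is not {issuer['subject']}")
        if not issuer["ca"]:
            problems.append(f"{issuer['subject']} is not a CA (basicConstraints cA is FALSE)")
        if "keyCertSign" not in issuer["key_usage"]:
            problems.append(f"{issuer['subject']} lacks keyCertSign")

    root = chain[-1]
    if root["subject"] != root["issuer"]:
        problems.append("chain does not end in a self-signed root")

    # RFC 5280 6.1.4 (l)/(m), walking from the root towards the leaf. The trust anchor is not
    # part of the path proper, so its own pathLenConstraint is applied as an initial limit
    # (RFC 5280 6.2 permits this); each non-self-issued intermediate then consumes one step
    # and may tighten the limit further.
    path = list(reversed(chain[:-1]))                # certificates below the anchor, root side first
    max_path_length = len(path)
    if root["path_len"] is not None:
        max_path_length = min(max_path_length, root["path_len"])
    for cert in path[:-1]:                           # every certificate except the leaf
        if cert["subject"] != cert["issuer"]:        # self-issued certs do not count
            if max_path_length <= 0:
                problems.append(f"{cert['subject']} exceeds pathLenConstraint of its issuer")
            max_path_length -= 1
        if cert["path_len"] is not None and cert["path_len"] < max_path_length:
            max_path_length = cert["path_len"]
    return problems


if __name__ == "__main__":
    print("good chain:", check_chain(GOOD_CHAIN, NOW))
    print("bad pathlen chain:", check_chain(BAD_PATHLEN_CHAIN, NOW))
```

For comparison with the question asked above: in OpenSSL 1.0.2, X509_verify_cert() itself performs the signature, validity, basicConstraints cA, pathLenConstraint and keyCertSign checks (the latter three in check_chain_extensions() via X509_check_ca()) and rejects unhandled critical extensions unless X509_V_FLAG_IGNORE_CRITICAL is set; CRL-based revocation checking only happens when X509_V_FLAG_CRL_CHECK is enabled, and OCSP is not done by the verifier at all. Subject/issuer linkage is established while the chain is built rather than as a separate check.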


[openssl-users] Regarding SSL_VERIFY_PEER

2017-05-03 Thread john gloster
Hi,

I needed to validate different extensions of each of the Issuer certificate
in the chain.

Snippet from https://linux.die.net/man/3/ssl_set_verify:

"The certificate chain is checked starting with the deepest nesting level
(the root CA certificate) and worked upward to the peer's certificate. At
each level signatures and issuer attributes are checked. "

When we say "issuer attributes", could someone let me know what different
things in the CA certificate are validated?


Thanks in advance.

John.


[openssl-users] SSL_VERIFY_PEER

2017-05-02 Thread john gloster
Hi,

I needed to validate different extensions of each of the Issuer certificate
in the chain.

Snippet from https://linux.die.net/man/3/ssl_set_verify:

"The certificate chain is checked starting with the deepest nesting level
(the root CA certificate) and worked upward to the peer's certificate. At
each level signatures and issuer attributes are checked. "

When we say "issuer attributes", could someone let me know what different
things in the CA certificate are validated?


Thanks in advance.

John.


[openssl-users] OCSP.

2017-04-12 Thread john gloster
Could anyone point me to some OCSP samples?
I need to check whether a CA certificate is still active.

Thanks.


[openssl-users] CA validation.

2017-04-12 Thread john gloster
Hi,

Does X509_verify_cert() check the KeyUsage extension?

Is there any API to check whether the CA certificate is properly used based
on the criticality specified in the certificate?

[Eg. CRL signing, Key Cert signing etc.]


Thanks.


[openssl-users] Certificate path validation.

2017-03-29 Thread john gloster
Is there any API to retrieve the values of the BasicConstraints extension of
a certificate?

I need to find out whether it is a CA certificate and what its path length
constraint is.

Could someone please provide me with sample code?

Thanks.
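What the BasicConstraints values actually look like on the wire, as an added example that is neither from the thread nor from OpenSSL (in OpenSSL the same information is exposed through X509_check_ca() and the cached ex_pathlen field). RFC 5280 4.2.1.9 defines BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }; the decoder below takes the raw extnValue octets and returns the cA flag and the path length, rejecting malformed encodings and a pathLenConstraint on a non-CA certificate, which 4.2.1.9 forbids. The three sample encodings are constructed for this example, not taken from any real certificate.

```python
"""Decode a DER-encoded X.509 basicConstraints extension value (added example)."""

TAG_BOOLEAN, TAG_INTEGER, TAG_SEQUENCE = 0x01, 0x02, 0x30


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the TLV at pos; handles short and long lengths."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("TLV value runs past end of data")
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(extn_value):
    """Return (ca, path_len); path_len is None when pathLenConstraint is absent."""
    tag, body, end = _read_tlv(extn_value, 0)
    if tag != TAG_SEQUENCE or end != len(extn_value):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0           # cA DEFAULT FALSE when the BOOLEAN is omitted
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("BOOLEAN must be a single 0x00 or 0xFF byte in DER")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == TAG_INTEGER:
        _, val, pos = _read_tlv(body, pos)
        if not val or (val[0] & 0x80):           # two's complement sign bit set => negative
            raise ValueError("pathLenConstraint must be a non-negative INTEGER")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("trailing bytes inside basicConstraints")
    if path_len is not None and not ca:
        # RFC 5280 4.2.1.9: pathLenConstraint must not be present unless cA is asserted.
        raise ValueError("pathLenConstraint present on a non-CA certificate")
    return ca, path_len


def is_malformed(extn_value):
    """True when the decoder rejects the encoding; handy for the test cases below."""
    try:
        parse_basic_constraints(extn_value)
        return False
    except ValueError:
        return True


# Constructed sample encodings (hex), not taken from any real certificate.
CA_PATHLEN_0 = bytes.fromhex("30060101ff020100")   # SEQUENCE { cA TRUE, pathLenConstraint 0 }
CA_NO_PATHLEN = bytes.fromhex("30030101ff")        # SEQUENCE { cA TRUE }
END_ENTITY = bytes.fromhex("3000")                 # SEQUENCE { }  -> cA defaults to FALSE
TRUNCATED = bytes.fromhex("30040101ff02")          # INTEGER header cut off
PATHLEN_ON_NON_CA = bytes.fromhex("3003020100")    # SEQUENCE { pathLenConstraint 0 } without cA

if __name__ == "__main__":
    for name, enc in [("CA, pathlen 0", CA_PATHLEN_0), ("CA, no pathlen", CA_NO_PATHLEN),
                      ("end entity", END_ENTITY)]:
        print(name, "->", parse_basic_constraints(enc))
```

A CA certificate with pathLenConstraint 0 decodes to (True, 0): it may issue end-entity certificates but no further CA certificates, which is exactly the case the pathLen check in the first message of this thread is meant to catch.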


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread john gloster
Thanks Viktor.

Could you explain the reason in below cases? These are in cases when we use
both the APIs as mentioned above.

cert_file : Server's certificate
chain_file: Complete certificate chain, starting with the server's certificate,
followed by the intermediate CA certificate and ending with the Root CA certificate


Scenario 1 - Failing case

SSL_CTX_use_certificate_file() : Loaded cert_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, only Server's certificate and
Root CA certificate were presented in the CERTIFICATE message of the
handshake; intermediate CA certificates were missing.

Scenario 2 - Successful case

SSL_CTX_use_certificate_file() : Loaded chain_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, complete certificate chain was
presented in the CERTIFICATE message of the handshake.
On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

> On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:
>
> > Can we use both the following APIs in the same application to load
> > certificate to the SSL context?
> >
> > SSL_CTX_use_certificate_file()
> > SSL_CTX_use_certificate_chain_file()
>
> For any given certificate chain use either one or the other, but
> in many cases SSL_CTX_use_certificate_chain_file() is the more
> convenient choice.
>
> > If we can how to use them?
>
> ERR_clear_error();
> if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>     /* Handle error */
> }
> if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>     /* Handle error */
> }
> if (!SSL_CTX_check_private_key(ctx)) {
>     /* Handle error */
> }
> /* Success */
>
> See the SSL_CTX_use_certificate(3) manpage for a more detailed
> description.
>
> --
> Viktor.
>


[openssl-users] Load secrets to context.

2016-07-27 Thread john gloster
Hi,

Can we use both the following APIs in the same application to load
certificate to the SSL context?

SSL_CTX_use_certificate_file()
SSL_CTX_use_certificate_chain_file()

If we can, how do we use them?

Thanks in advance.