Tried to contact Jim Ramsay offline but ran into a very vicious spam killer which seemed to be broken when I followed his directions for bypassing it.
I am interested in hearing from people doing peer to peer communications (like email) using certificates from a non-trivial certificate heirarchy (e.g., one containing "intermediate certificates" between the root and end-user certificates). My immediate interest is how to load multiple certificates into the various web browsers, but I would be grateful for any and all pointers to information and/or the people who are working out how to do this in a compatable cross-platform manner. [EMAIL PROTECTED] "Dr. Stephen Henson" wrote: > > On Thu, Mar 13, 2003, Jim Ramsay wrote: > > > I ran into a small snag using OpenSSL for email encrypting, > > whether I use it from inside mutt or standalone. > > > > I received a signed email from my test account (using a free > > thawte email cert). I saved the corresponding cert in the place > > necessary for mutt to use it for encryption. Mutt simply throws > > the signature through "openssl pkcs7 -print_certs" and throws the > > resulting certificate chain into `openssl x509 -hash -noout`.0 . > > I am able to use this cert without any problems to encrypt back > > to the sender, and can decrypt it there. Looking at the > > resulting certificate, the order in the file is as follows: > > > > (1) The signer cert (Signed by (3) ) > > (2) The CA root cert (Self-signed) > > (3) An intermediate cert (Signed by (2) ) > > > > I received email from someone else, signed using a > > digsigtrust.org certificate. I added it in the same way, but the > > recipient is not able to decrypt email from me encrypted with > > this certificate. I looked at the actual cert file, and this is > > how it is arranged: > > > > (1) An intermediate cert (Signed by (2) ) > > (2) The CA root cert (Self-signed) > > (3) An intermediate cert (Signed by (1) ) > > (4) The signer cert (Signed by (3) ) > > > > So it turns out email I thought I was encrypting with (4) was > > actually being encrypted with (1). Of course the recipient could > > not decrypt. > > > > Is there an easy way, besides editing the certs by hand, to > > separate out: > > a - the signer's cert alone (depth 0 in the chain) > > b - the root ca cert > > c - All other intermediate certs > > > > Also, is this a borked setup on the other person's machine that > > their certificate comes out upside-down like that? > > > > I have tested with (ugh) Outlook Express also, and this > > upside-down certificate is properly used (Outlook separates out > > the a, b, and c parts properly). > > > > The order is effectively arbitrary [1]. > > However there is additional information in the PKCS#7 structure which allows > the signer certificate to be located (its issuer name and serial number). The > OpenSSL 'smime' utility can be used to extract the signer's certificate from > arbitrarily ordered certificates using the -signer option with -verify. So if > you do: > > openssl smime -verify -in whatever.email -signer signerout.pem ... > > it should work. Note this will *write* the signers certificate(s) to > signerout.pem. > > [1] Well I'm simplifying a bit here. For the technically minded or just > curious there are two encoding schemes which may be used. The certificates are > in a SET OF structure which can be encoded using DER or BER. > > For DER the certificates are sorted in lexical order that is comparing the > binary data: the way stuff is encoded effectively means that the smallest will > appear first with this option and largest last. > > For BER the DER rules *may* be applied or any old order used. > > OpenSSL effectively uses the BER version when encoding for various reasons[2]. > > [2] These are a bit complex and not really relevant to this issue. > > Steve. > -- > Dr Stephen N. Henson. > Core developer of the OpenSSL project: http://www.openssl.org/ > Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ > Email: [EMAIL PROTECTED], PGP key: via homepage. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Charles B. (Ben) Cranston mailto:[EMAIL PROTECTED] http://www.wam.umd.edu/~zben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
