Eric Meyer <[EMAIL PROTECTED]> wrote:----------------------------------------------------------
Hi Eric ....
Yes, You are right, the openssl documents are not well detailed and, in some cases, out-to-date; also sometimes, ,just like you, I feel a little confused an desperate but this makes you self learning about the library (crypto lib,in my particular case).
So, I recommends you some really useful links:
So, I recommends you some really useful links:
http://www.columbia.edu/~ariel/ssleay/ <- the base library, I think
http://www2.psy.uq.edu.au/~ftp/Crypto/ <- some FAQ's
http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html <-Programmer reference
And of course this mailing list ......
There are some recommendations and security standars to verify a CSR, to create and sign a new certificate, you must read them and select the proper according to your needs and/or to your system or organization policies.
Follows my certification process protocol:
X509 *x=NULL, *xreq=NULL, **b=NULL;
X509_REQ *req=NULL, **sr=NULL;
ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;
BIO *in=NULL, *incer=NULL, *buf=NULL;
X509_REQ *req=NULL, **sr=NULL;
ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;
BIO *in=NULL, *incer=NULL, *buf=NULL;
- Receive the CSR (in my case by socket connection) or read this from a file.
- Decode the CSR:
buf = BIO_new (BIO_s_mem());
in = BIO_new_mem_buf(mensaje, strlen(mensaje));
req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL);
req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL);
- Retrieve and Decode the signer cert:
incer = BIO_new_mem_buf(cert, strlen((const char*)cert));
x = PEM_read_bio_X509(incer, b, NULL, NULL);
x = PEM_read_bio_X509(incer, b, NULL, NULL);
- verify the CSR with the signer pubkey:
if (X509_REQ_verify (req, X509_get_pubkey(x)) != 1)
{
// Error code
{
// Error code
}
- Create and fill the new cert:
xreq = X509_new();
X509_set_version(xreq,VERSION);
ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);
X509_gmtime_adj(X509_get_notBefore(xreq),0);
X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS);
X509_set_issuer_name(xreq,"CA_subject");
ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);
X509_gmtime_adj(X509_get_notBefore(xreq),0);
X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS);
X509_set_issuer_name(xreq,"CA_subject");
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC,"The ORG", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC,"The ORG", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0);
// The client public key
X509_set_pubkey(xreq, X509_REQ_get_pubkey(req));
// X509v3 Extensions
res=add_ext(xac, xreq, NID_basic_constraints, "your options");
res=add_ext(xac, xreq, NID_key_usage, "your options key usage");
res=add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");
res=add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");
res=add_ext(xac, xreq, NID_authority_key_identifier, "your choice");
res=add_ext(xac, xreq, NID_issuer_alt_name, "some stuff ");
res=add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");
res=add_ext(xac, xreq, NID_netscape_comment, "some stuff");
res=add_ext(xac, xreq, NID_basic_constraints, "your options");
res=add_ext(xac, xreq, NID_key_usage, "your options key usage");
res=add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");
res=add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");
res=add_ext(xac, xreq, NID_authority_key_identifier, "your choice");
res=add_ext(xac, xreq, NID_issuer_alt_name, "some stuff ");
res=add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");
res=add_ext(xac, xreq, NID_netscape_comment, "some stuff");
/ / signing the new cert
X509_sign (xreq, dec_key_ac, EVP_sha1());
X509_sign (xreq, dec_key_ac, EVP_sha1());
// write out in some format (PEM or DER)
res = PEM_write_bio_X509(buf, xreq);
This is a wide vision of my CertSign protocol, there are some things that are not mentioned here like the CDP (CRL Distribution Point), a suitable guideline is the PKI Forum and the IETF PKI Work group.
Hope this helps
Best regards
Zainos
Do You Yahoo!?
Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.