Pre Master Secret Regarding

2010-04-03 Thread Aravinda babu
Hi all,


During the SSL/TLS handshake, a pre-master secret is sent from the client to the
server by encrypting it with the server's public key. From that,
both client and server derive the master secret and finally one symmetric key. My
doubt is, why can't both use the pre-master secret itself as the symmetric key?

Thanks in advance,

Aravind.
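An added example, not from this thread, of the derivation the question is about, written in Go with only the standard library (Go's crypto/hmac stands in for OpenSSL's internals here). It implements the TLS 1.2 PRF of RFC 5246 and carries out the two steps the handshake performs: the pre-master secret together with both hello randoms produces the 48-byte master secret, and the master secret is then expanded into separate MAC keys, encryption keys and IVs for each direction. This is why the pre-master secret is not used as the key directly: it is a raw value of whatever shape the key exchange produced (for RSA, 48 bytes that begin with the protocol version; for Diffie-Hellman, a group element), it is not bound to this handshake's randoms, and a session needs several independent keys rather than one. The secret and random values in `main` are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// pHash is P_SHA256 from RFC 5246 section 5: HMAC-SHA256 iterated until at
// least n bytes have been produced, then truncated to n.
func pHash(secret, seed []byte, n int) []byte {
	var out []byte
	a := seed // A(0) = seed
	for len(out) < n {
		mac := hmac.New(sha256.New, secret)
		mac.Write(a)
		a = mac.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		mac = hmac.New(sha256.New, secret)
		mac.Write(a)
		mac.Write(seed)
		out = append(out, mac.Sum(nil)...) // HMAC(secret, A(i) + seed)
	}
	return out[:n]
}

// prf is the TLS 1.2 PRF: P_SHA256(secret, label + seed).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	return pHash(secret, append([]byte(label), seed...), n)
}

// MasterSecret derives the 48-byte master secret (RFC 5246 section 8.1):
// PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random).
func MasterSecret(preMaster, clientRandom, serverRandom []byte) []byte {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	return prf(preMaster, "master secret", seed, 48)
}

// Keys holds the per-direction key material cut from the key block.
type Keys struct {
	ClientMAC, ServerMAC, ClientKey, ServerKey, ClientIV, ServerIV []byte
}

// KeyBlock expands the master secret (RFC 5246 section 6.3). Note that the
// seed order is server random first here, the reverse of MasterSecret.
func KeyBlock(master, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) Keys {
	seed := append(append([]byte{}, serverRandom...), clientRandom...)
	kb := prf(master, "key expansion", seed, 2*(macLen+keyLen+ivLen))
	next := func(n int) []byte { b := kb[:n]; kb = kb[n:]; return b }
	return Keys{
		ClientMAC: next(macLen), ServerMAC: next(macLen),
		ClientKey: next(keyLen), ServerKey: next(keyLen),
		ClientIV: next(ivLen), ServerIV: next(ivLen),
	}
}

func main() {
	// Constructed values: a 48-byte RSA-style pre-master secret whose first two
	// bytes are the client version (0x03 0x03 = TLS 1.2), and two 32-byte randoms.
	preMaster := append([]byte{0x03, 0x03}, bytes.Repeat([]byte{0x11}, 46)...)
	clientRandom := bytes.Repeat([]byte{0x22}, 32)
	serverRandom := bytes.Repeat([]byte{0x33}, 32)

	ms := MasterSecret(preMaster, clientRandom, serverRandom)
	fmt.Println("master secret:", hex.EncodeToString(ms))

	// Same pre-master secret, different server random: a different master
	// secret, which is what ties the session keys to this particular handshake.
	ms2 := MasterSecret(preMaster, clientRandom, bytes.Repeat([]byte{0x44}, 32))
	fmt.Println("same pre-master, new randoms -> same master secret?", bytes.Equal(ms, ms2))

	// AES-128-CBC with HMAC-SHA256: 32-byte MAC keys, 16-byte keys and IVs.
	k := KeyBlock(ms, clientRandom, serverRandom, 32, 16, 16)
	fmt.Println("client write key:", hex.EncodeToString(k.ClientKey))
	fmt.Println("server write key:", hex.EncodeToString(k.ServerKey))
}
```

Run it with `go run`; the printed client and server write keys differ, and the same pre-master secret gives a different master secret as soon as either random changes.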


Re: OpenSSL API which build the chain from a peer certificate

2008-11-07 Thread Aravinda babu
Hi all,

First of all, thanks for all of your suggestions and information. I got a
clear idea of how to do the required thing.
I forgot to mention one thing.

We are making one library for certificate management which will be used by
different applications. In that library we have one API which will verify the
certificate given as input parameter. So I don't have any SSL context or SSL
STORE context with me. The application just passes one certificate as an X509 * and
I have to verify that certificate. I think you got my point. My library
doesn't have any touch with the SSL session etc.

Now to verify that certificate I have to prepare a certificate chain from
the application-supplied certificate. Is it possible to do this?

Thanks once again to all,

Cheers,
Aravind.

On Thu, Nov 6, 2008 at 8:21 PM, Patrick Patterson [EMAIL PROTECTED] wrote:

 Hi Aravind:

 On November 6, 2008 01:51:20 am Aravinda babu wrote:
  Hi all,
 
  Is there any OpenSSL API which will prepare the certificate chain from the
  peer certificate given as input? I have only the peer certificate. I
  have to build the cert chain from this.
 
 This was already answered yesterday - the answer is: If you want to use raw
 OpenSSL, then it can be done in the _verify() callbacks. There are many
 examples out there that may give you an idea of how to do this.

 There are also other libraries and systems that already have this work done
 for you, and you just have to call that library's callback in the appropriate
 place in your code (usually in the set verify callback section).

 Please take a look at the messages from yesterday. Is there a single API call
 that will do this? - no. And depending on what you mean by prepare a
 certificate chain, you will have different requirements. If you want to do
 full Path Discovery and Validation (build the certification chain back to a
 pre-established trust anchor, using certificates that you may or may not
 already have, and verify and validate each link in that chain using the
 algorithms from PKIX) then something like the Pathfinder callback (I won't
 link to it again, please check the previous post) is what you want. If you
 only want to check the signatures and perform some cursory checks, then the
 existing OpenSSL APIs have this covered. If you want to know how to write
 that code, then I would suggest picking up the O'Reilly OpenSSL book, or
 looking at the code in the OpenSSL source tree - there are many examples in
 there already that may do what you want.

 Or, you could hire someone to do the integration for you. :)

 Have fun.

 --
 Patrick Patterson
 President and Chief PKI Architect,
 Carillon Information Security Inc.
 http://www.carillon.ca
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]



Re: Preparing a certificate chain from the peer certificate during HTTPS

2008-11-05 Thread Aravinda babu
Hi all,

Eagerly waiting for the response.

Thanks in advance,
Aravind.

On Tue, Nov 4, 2008 at 6:21 PM, Aravinda babu [EMAIL PROTECTED] wrote:

 Hi all,

 During HTTPS connection establishment the server sends its certificate to
 the client for verification.
 Now I want to prepare a certificate chain from this certificate which I got
 from the server.

 I downloaded the CA bundle from the Mozilla website. Now I have to prepare the
 cert chain from the peer certificate using this CA bundle. Please tell me how
 to do this?

 My idea is I will take the issuer of the peer cert and check the CA
 bundle for the certificate whose subject field matches it. Am I right?

 But when I browsed https://www.paypal.com, I got the peer certificate
 whose issuer is

 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
 https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation
 SSL SGC CA


 But I didn't find any root CA in the CA bundle with respect to the above
 issuer. How do I prepare a chain in this type of case? The same happened
 when I browsed https://www.citibank.co.in, https://www.axisbank.co.in etc.

 Sorry for the long mail.

 Thanks in advance,
 Aravind.



OpenSSL API which build the chain from a peer certificate

2008-11-05 Thread Aravinda babu
Hi all,

Is there any OpenSSL API which will prepare the certificate chain from the
peer certificate given as input? I have only the peer certificate. I
have to build the cert chain from this.

Thanks in advance,
Aravind.


Preparing a certificate chain from the peer certificate during HTTPS

2008-11-04 Thread Aravinda babu
Hi all,

During HTTPS connection establishment the server sends its certificate to the client
for verification.
Now I want to prepare a certificate chain from this certificate which I got
from the server.

I downloaded the CA bundle from the Mozilla website. Now I have to prepare the
cert chain from the peer certificate using this CA bundle. Please tell me how
to do this?

My idea is I will take the issuer of the peer cert and check the CA
bundle for the certificate whose subject field matches it. Am I right?

But when I browsed https://www.paypal.com, I got the peer certificate
whose issuer is

/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation
SSL SGC CA


But I didn't find any root CA in the CA bundle with respect to the above issuer.
How do I prepare a chain in this type of case? The same happened when I
browsed https://www.citibank.co.in, https://www.axisbank.co.in etc.

Sorry for the long mail.

Thanks in advance,
Aravind.


Peer Certificate Verification API

2008-11-03 Thread Aravinda babu
Hi all,

Normally, during HTTPS connection establishment the peer server presents its
certificate to the client. I want to know how OpenSSL checks this certificate.
I want to know the exact API which does this so that I can check the code
of that API. Please tell me the related things regarding this (meaning how the
client checks the digital signature of the peer certificate etc.).

Thanks in advance,
Aravind.


OPENSSL_ITEM regarding

2008-10-21 Thread Aravinda babu
Hi all,

Can I get some information on how to use the OPENSSL_ITEM structure? I found the
structure definition in crypto.h as follows:

typedef struct openssl_item_st
{
    int code;
    void *value;           /* Not used for flag attributes */
    size_t value_size;     /* Max size of value for output, length for input */
    size_t *value_length;  /* Returned length of value for output */
} OPENSSL_ITEM;


But I didn't find anything related to how to use this structure. Is there
any example program using this structure? I am a bit confused
about value_size and value_length.

Thanks in advance,

Waiting for your reply,
Aravind.


Re: Getting the peer certificate in a memory buffer

2008-10-20 Thread Aravinda babu
Hi Douglas,

Is this the right way to get the peer certificate in a data buffer?

STACK_OF(X509) *sk;
int ii = 0, noOfCerts = 0;
X509 *certs[15];
unsigned char *intFmtOfCerts[15];
int len[15];

sk = SSL_get_peer_cert_chain(connssl->handle); /* NULL if there is no peer chain */
noOfCerts = sk ? sk_X509_num(sk) : 0;
if (noOfCerts > 15)
    noOfCerts = 15;                             /* the fixed arrays hold at most 15 */

for (ii = 0; ii < noOfCerts; ii++)
{
    unsigned char *p;

    certs[ii] = sk_X509_value(sk, ii);          /* borrowed reference, do not free */
    len[ii] = i2d_X509(certs[ii], NULL);        /* first call: DER length only */
    if (len[ii] < 0)
        break;                                  /* encoding error */
    intFmtOfCerts[ii] = (unsigned char *) malloc(len[ii]);
    if (intFmtOfCerts[ii] == NULL)
        break;
    p = intFmtOfCerts[ii];                      /* i2d_X509 advances the pointer it is
                                                   given, so pass a copy, not the buffer */
    len[ii] = i2d_X509(certs[ii], &p);          /* second call: write the DER bytes */
}

Thanks,
Aravind.

On Fri, Oct 17, 2008 at 8:26 PM, Douglas E. Engert [EMAIL PROTECTED] wrote:



 Aravinda babu wrote:

 Hi all,

 I am new to OpenSSL. I want to get the peer certificate in a memory buffer.

 If I use SSL_get_peer_certificate I can get it in an X509 structure.
 But I want the peer certificate as a data buffer (unsigned char *).


 Then what are you going to do with it?
 Write to a file or memory?
 Do you want der or pem encoding?

bp = BIO_new(BIO_s_mem());    /* To memory */
  or
bp = BIO_new(BIO_s_file());   /* to a file */
fp = fopen(filename, "w");
BIO_set_fp(bp, fp, BIO_NOCLOSE);

peer = s->session->peer;

i2d_X509_bio(bp, peer);       /* as der */
  or
PEM_write_bio_X509(bp, peer); /* as pem */




 Is there any API for this ??

 Thanks in advance,
 Aravind.


 --

  Douglas E. Engert  [EMAIL PROTECTED]
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   [EMAIL PROTECTED]



Getting the peer certificate in a memory buffer

2008-10-17 Thread Aravinda babu
Hi all,

I am new to OpenSSL. I want to get the peer certificate in a memory buffer.

If I use SSL_get_peer_certificate I can get it in an X509 structure.
But I want the peer certificate as a data buffer (unsigned char *).

Is there any API for this ??

Thanks in advance,
Aravind.