Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-20 Thread Jan Just Keijser via RT
Hi Richard,

On 20/07/16 17:14, Richard Levitte via RT wrote:
> On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
>> I guess having a more restrictive accessor that only sets the
>> EXFLAG_PROXY bit could work. I suggested the more general solution of
>> having set/clear accessors for arbitrary flags since it was - well
>> more
>> general.
> So let me ask this in a different manner, does OpenSSL 1.1 still not set the
> EXFLAG_PROXY flag correctly? In what situations does that happen? That may be
> worth a bug report of its own.
>
This ties into my earlier question and example of verifying proxy 
certificates. What if I want to explicitly *set* the EXFLAG_PROXY for a 
stack of certificates? How would I do that? How can I ensure that 
OpenSSL 1.1 will automagically trigger this flag for me? Is there a 
'get_*' function to determine which flags were set during certificate 
verification?

thanks for any pointers or advice,

JJK / Jan Just Keijser



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4617] openssl Issue/Bug

2016-07-19 Thread Jan Just Keijser via RT
Hi Harold,

On 18/07/16 21:31, Lapprich, Harold via RT wrote:
> JJK,
>
> Thanks for the quick response, it is really appreciated. Can I ask where you 
> picked up the syntax for this command line (familiar with the various shells 
> and /dev/null but couldn't put this together)?
This is off-topic for this list, but I cannot email you directly. You 
could try reading up at
   http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-3.html

or any other hit that comes up when searching for "linux shell stderr 
redirect"

HTH,

JJK

> -----Original Message-----
> From: Jan Just Keijser via RT [mailto:r...@openssl.org]
> Sent: Monday, July 18, 2016 2:26 PM
> To: Lapprich, Harold (GE Aviation, US)
> Cc: openssl-dev@openssl.org
> Subject: EXT: Re: [openssl-dev] [openssl.org #4617] openssl Issue/Bug
>
> Hi,
>
> On 18/07/16 18:39, Lapprich, Harold via RT wrote:
>> To Whom It May Concern,
>>
>> openssl version -a:
>>
>>   OpenSSL 1.0.2a 19 Mar 2015
>>
>> built on: reproducible build, date unspecified
>>
>> platform: linux-ppc
>>
>> options:  bn(64,32) rc4(ptr,char) des(idx,risc1,16,long) blowfish(idx)
>>
>> compiler:
>> /home/devadmin/buildserver/staging/build-output/c919/trunk-iop/host/us
>> r/bin/ccache
>> /home/devadmin/buildserver/staging/build-output/c919/trunk-iop/host/us
>> r/bin/powerpc-e500v2-linux-uclibc-gcc -I. -I.. -I../include  -fPIC
>> -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT
>> -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -D_LARGEFILE_SOURCE
>> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -mcpu=8540 -pipe -O2
>> -Wall -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
>> -DAES_ASM -DVPAES_ASM
>>
>> OPENSSLDIR: "/etc/ssl"
>>
>>
>>
>>   OS Name, Version, Hardware platform:
>>
>> uname -a
>>
>> Linux ahmu-iop-devel 3.10.76 #1 SMP PREEMPT Fri Jul 8 11:18:12 EDT
>> 2016 ppc GNU/Linux
>>
>>
>>
>>
>> Using 'openssl' in a Linux design and since it is a command line application 
>> it is always outputting content to the screen, for example:
>>
>>
>> openssl req -new -x509 -nodes -days 365 -subj
>> "/C=US/ST=Ohio/L=Cincinnati/O=www.ge.com/OU=AHMU-UNIT/CN=AHMU-UNIT"
>> -keyout start -out start
>>
>> Generating a 2048 bit RSA private key
>>
>> ..
>> ...+++
>>
>> .+++
>>
>> writing new private key to 'start'
>>
>> -
>>
>>
>> Trying to find a way to prevent the output being output to 'stdout' but have 
>> not found a parameter (can redirect to a file but  the .+ characters are 
>> still written to the console).
>>
>>
>> There either has to be a missed parameter or bug exist?
>>
> This is not a bug or lacking feature.
> The + characters are written to stderr, so if you use
> openssl .> stdout 2> stderr
> the characters disappear (into the file 'stderr'; use '2> /dev/null' to send 
> them straight to bit-heaven).  This depends slightly on the shell you use, 
> BTW. The above syntax is for bash/zsh/ksh; for csh/tcsh a different syntax 
> applies.
>
> HTH,
>
> JJK
>
>


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4617


Re: [openssl-dev] [openssl.org #4617] openssl Issue/Bug

2016-07-18 Thread Jan Just Keijser via RT
Hi,

On 18/07/16 18:39, Lapprich, Harold via RT wrote:
> To Whom It May Concern,
>
> openssl version -a:
>
>  OpenSSL 1.0.2a 19 Mar 2015
>
> built on: reproducible build, date unspecified
>
> platform: linux-ppc
>
> options:  bn(64,32) rc4(ptr,char) des(idx,risc1,16,long) blowfish(idx)
>
> compiler: 
> /home/devadmin/buildserver/staging/build-output/c919/trunk-iop/host/usr/bin/ccache
>  
> /home/devadmin/buildserver/staging/build-output/c919/trunk-iop/host/usr/bin/powerpc-e500v2-linux-uclibc-gcc
>  -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB 
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN 
> -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -mcpu=8540 
> -pipe -O2  -Wall -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
> -DAES_ASM -DVPAES_ASM
>
> OPENSSLDIR: "/etc/ssl"
>
>
>
>  OS Name, Version, Hardware platform:
>
> uname -a
>
> Linux ahmu-iop-devel 3.10.76 #1 SMP PREEMPT Fri Jul 8 11:18:12 EDT 2016 ppc 
> GNU/Linux
>
>
>
>
> Using 'openssl' in a Linux design and since it is a command line application 
> it is always outputting content to the screen, for example:
>
>
> openssl req -new -x509 -nodes -days 365 -subj 
> "/C=US/ST=Ohio/L=Cincinnati/O=www.ge.com/OU=AHMU-UNIT/CN=AHMU-UNIT" -keyout 
> start -out start
>
> Generating a 2048 bit RSA private key
>
> .+++
>
> .+++
>
> writing new private key to 'start'
>
> -
>
>
> Trying to find a way to prevent the output being output to 'stdout' but have 
> not found a parameter (can redirect to a file but  the .+ characters are 
> still written to the console).
>
>
> There either has to be a missed parameter or bug exist?
>
This is not a bug or lacking feature.
The + characters are written to stderr, so if you use
   openssl .> stdout 2> stderr
the characters disappear (into the file 'stderr'; use '2> /dev/null' to 
send them straight to bit-heaven).  This depends slightly on the shell 
you use, BTW. The above syntax is for bash/zsh/ksh; for csh/tcsh a 
different syntax applies.

HTH,

JJK


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4617
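An added example, not from the thread: the poster's `openssl req` invocation with the progress output handled the way a practitioner would want, rather than with a bare `2> /dev/null`. `WORKDIR`, the file names and the function names are assumptions of this example; the `-subj` value is the poster's. It keeps the key and the certificate in separate files (the original writes both into `start`), creates the key under `umask 077` because `-nodes` leaves it unencrypted, and captures stderr to a file that is shown only when openssl fails, so silencing the "...+++" noise does not also hide a real error.

```sh
#!/bin/sh
# Added example (not code from the thread). Generate a self-signed cert the
# way the original report does, but without the "...+++" progress output on
# the console. openssl writes that progress and "writing new private key"
# to stderr, so only stderr needs redirecting; the files are still written.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumed location for this example
KEYFILE="$WORKDIR/ahmu.key"
CERTFILE="$WORKDIR/ahmu.crt"
ERRLOG="$WORKDIR/req.stderr"

# Create key + cert quietly. stderr goes to a file instead of /dev/null so that
# a genuine failure (bad -subj, unwritable path, ...) is still reported.
# -nodes writes the private key unencrypted, hence umask 077 (key ends up 0600).
make_quiet_selfsigned() {
    (
        umask 077
        openssl req -new -x509 -nodes -days 365 \
            -subj "/C=US/ST=Ohio/L=Cincinnati/O=www.ge.com/OU=AHMU-UNIT/CN=AHMU-UNIT" \
            -keyout "$KEYFILE" -out "$CERTFILE" 2>"$ERRLOG"
    ) || {
        echo "openssl req failed:" >&2
        cat "$ERRLOG" >&2
        return 1
    }
}

# Subject of the certificate just written; proves the redirect did not
# swallow the real output (the certificate itself goes to -out, not stdout).
cert_subject() {
    openssl x509 -in "$CERTFILE" -noout -subject
}

# Bytes that openssl sends to stderr when nothing is redirected: this is the
# "noise" from the report. 2>&1 >/dev/null routes stderr into the pipe and
# discards stdout (order matters: redirections apply left to right).
stderr_bytes_without_redirect() {
    (
        umask 077
        openssl req -new -x509 -nodes -days 365 -subj "/CN=noise-check" \
            -keyout "$WORKDIR/noise.key" -out "$WORKDIR/noise.crt" 2>&1 >/dev/null
    ) | wc -c | tr -d ' '
}

# Permission bits of the key file, to confirm umask did its job.
key_mode() {
    ls -l "$KEYFILE" | cut -c1-10
}
```

Run `make_quiet_selfsigned && cert_subject` to see only the subject line; `stderr_bytes_without_redirect` shows how much the unredirected command would have printed. The syntax is POSIX sh/bash; csh and tcsh spell the redirections differently, as the reply notes.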


Re: [openssl-dev] [openssl.org #4529] Output of -hash option incompatible 64-bit Linux vs 32-bit Linux

2016-05-03 Thread Jan Just Keijser via RT
Withers John Z via RT wrote:
> To whom it may concern,
>
> I have built OpenSSL 1.0.1s for 64-bit and 32-bit version of RHEL5.11.  The 
> reasons for this are long and involve my employer, so I would detail them in 
> this message.
>
> I successfully built and deployed to a 64-bit RHEL 5.11 server (using a local 
> installation path) and was able to configure the issuer certificate cache for 
> my applications.  I built a separate package for 32-bit RHEL 5.11 (again, 
> using a local installation path).  After installation, I observed that the 
> -hash option of the openssl command (and hence the c_rehash utility) computed 
> incorrect subject hashes for the issuer certificates in the cache.  Identical 
> certificates from the 64-bit installation were installed but the hash values 
> were different.  Tracing the operation of the s_client module with strace 
> indicated that the hash values computed internally matched the hash values 
> produced on the 64-bit system.  I replicated the symbolic links for the 
> issuer certificates from the 64-bit system to the 32-bit system and the 
> certificates presented by the remote server for my application were verified.
>
>   

FWIW: I've downloaded and built openssl-1.0.1s on my EL 5.11 box in both 
32bit and 64bit mode (I needed to hack ./Configure for that, BTW).  The 
resulting
  openssl x509 -hash
command prints out the exact same hash for both the 32bit and 64bit 
versions.

HTH,

JJK / Jan Just Keijser
Nikhef
Amsterdam



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4529


Re: [openssl-dev] [openssl.org #3843] OpenSSL 1.0.1* and below: incorrect use of _lrotl()

2015-05-27 Thread Jan Just Keijser via RT
Hi,

r...@openssl.org via RT wrote:
 And linux-x86_64 won't work here, since it uses some instructions not 
 supported by MIC. 
 
 But all x86_64 modules feature run-time switch, when processor
 capabilities are detected [with cpuid] and code that can't be executed
 on any particular processor won't execute. Or do you mean that fails to
 *compile* it with -mmic? Or do you mean that cpuid doesn't work on mic?
 But I recall that there is cpuid...
   
 It fails to compile with -mmic:
 x86_64cpuid.s:165: Error: `pxor' is not supported on `k1om'
 

 I see, thanks. In other words, as it turns out my suggestion about
 run-time switch does not apply in this case, because minimum of SSE2 is
 actually *assumed* for x86_64 platform. And this doesn't hold true for
 Knights Corner. But it does hold true for Knights Landing, doesn't it? I
 see no point in attempting to accommodate assembler support for Knights
 Corner (too rare processor) and would appreciate if you could confirm if
 following works with 1.0.2:

 ./Configure linux-x86_64-icc no-asm -mmic

 BTW, _lrotl fix is applied to 1.0.1, but not earlier versions, which are
 open for security fixes only.

   
I can confirm that a clean build of openssl 1.0.2a using the above 
./Configure line works for me. The resulting binary runs without issues.

JJK




Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Jan Just Keijser via RT
Hi Richard,

On 15/07/14 10:56, Richard Levitte via RT wrote:
 I do like the idea, and definitely see the need for this.
 A nit pick, though '-valid' as a option name is a bit confusing, I'd
 personally expect it to take a full blown time argument -- something like
 DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
 that. That or actually have '-valid' take the full blown argument (thereby
 replacing '-days' in the long run).

Thanks for picking this up; the name '-valid' as well as the format 
HH:MM came from the Globus Toolkit 'grid-proxy-init' command, which 
uses the same syntax. I agree that the name might be a bit confusing. If 
I understand you correctly you're suggesting to use
   -valid DDD-HH:MM
(I'm using '-valid' here for lack of a better name right now) where 
anything before the hyphen is the number of days, and anything after it 
is the time in HH:MM format? It should be possible to specify HH > 24, 
and we could also support MM > 60 (e.g. -valid 0-0:1440 == -valid 0-24:00 
== -valid 1-0:00 == -days 1)

but then the syntax
   -valid 0-24:00
seems confusing as well ...  or we could use logic as follows:

if arg contains hyphen then anything before it is #days, anything after 
it is time in HH:MM format
if arg contains no hyphen and no colon then it's the number of days
if arg contains no hyphen but it does contain a colon then #days = 0 and 
the entire argument is a time in HH:MM format


suggestions?

JJK / Jan Just Keijser
Nikhef
Amsterdam


 On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
 Hi,

 attached is a minor patch to apps/x509.c. The patch allows the user to
 specify the validity of a certificate in hours and minutes (next to
 days). This is esp useful when creating grid/RFC3820 proxies which
 typically have a duration of 12 hours.

 regards,

 JJK / Jan Just Keijser


 

 --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.0 +0200
 +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
 @@ -128,6 +128,7 @@
  -addreject arg - reject certificate for a given purpose\n,
  -setalias arg - set certificate alias\n,
  -days arg - How long till expiry of a signed certificate -
 def 30 days\n,
 + -valid HH:MM - How long till expiry of a signed certificate\n,
  -checkend arg - check whether the cert expires in the next arg
 seconds\n,
  exit 1 if so, 0 if not\n,
  -signkey arg - self sign cert with arg\n,
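Review bot: the new help line `-valid HH:MM - How long till expiry of a signed certificate` leaves out two things a user needs: that `-valid` takes precedence over `-days` when both are given (the later `if (minutes == 0)` hunk only falls back to `-days` when `-valid` is absent), and that MM is not limited to 0-59 (the parser accepts `0:90`). State both, and consider spelling out that the argument is hours:minutes so it reads like the `-days arg` line above it.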
 @@ -154,12 +155,12 @@
 };

 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
 EVP_MD *digest,
 +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
 const EVP_MD *digest,
 CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
 *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 - char *serial, int create ,int days, int clrext,
 + char *serial, int create ,int minutes, int clrext,
 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
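Review bot: the `days` parameter of sign() is renamed to `minutes` in the prototype here, but the visible hunks only convert the notAfter computation inside x509_certify(); the corresponding change in sign()'s body is not shown in this patch. Make sure sign() no longer hands the value to X509_time_adj_ex() as a day count, otherwise a self-signed certificate (`-signkey`) would be valid for `minutes` days rather than minutes.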
 @@ -194,7 +195,7 @@
 int ocsp_uri=0;
 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 int C=0;
 - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
 + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
 int pprint = 0;
 const char **pp;
 X509_STORE *ctx=NULL;
 @@ -292,6 +293,26 @@
 goto bad;
 }
 }
 + else if (strcmp(*argv,-valid) == 0)
 + {
 + if (--argc  1) goto bad;
 +
 + char *delim = strchr(*(++argv), ':');
 + if (delim)
 + {
 + *delim = '\0';
 + delim++;
 + minutes = atoi( delim );
 + }
 + int hours = atoi( *argv );
 + minutes = 60 * hours + minutes;
 +
 + if (minutes == 0)
 + {
 + BIO_printf(STDout,bad -valid specification\n);
 + goto bad;
 + }
 + }
 else if (strcmp(*argv,-passin) == 0)
 {
 if (--argc  1) goto bad;
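Review bot: the `-valid` parser accepts bad input silently. `atoi()` returns 0 on junk, so `-valid 12x` becomes 12 hours, `-valid x` is rejected only because the total happens to be 0, and `-valid -5:00` produces negative minutes that pass the `if (minutes == 0)` check and give a notAfter before notBefore. Parse with `strtol()` and an end-pointer check, and reject `minutes <= 0` rather than `== 0`. Also, `char *delim` and `int hours` are declared after statements, which the rest of this C89-style file avoids; move them to the top of the block.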
 @@ -511,6 +532,10 @@
 goto end;
 }

 + if (minutes == 0)
 + {
 + minutes = 24*60*days;
 + }
 if (!X509_STORE_set_default_paths(ctx))
 {
 ERR_print_errors(bio_err);
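Review bot: `if (minutes == 0) minutes = 24*60*days;` makes `-valid` win over `-days` without any diagnostic when a user passes both; print a warning to bio_err in that case, or reject the combination. Using 0 as the "not given" sentinel also means a later change that allows `-valid 0:00` (the parser currently forbids it) would silently re-enable the `-days` default, so a separate `valid_given` flag is clearer.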
 @@ -964,7 +989,7 @@
 }

 assert(need_rand);
 - if (!sign(x,Upkey,days,clrext,digest,
 + if (!sign(x,Upkey,minutes,clrext,digest,
 extconf, extsect)) goto end;
 }
 else if (CA_flag == i)
 @@ -982,7 +1007,7 @@
 assert(need_rand);
 if (!x509_certify(ctx,CAfile,digest,x,xca,
 CApkey, sigopts,
 - CAserial,CA_createserial,days, clrext,
 + CAserial,CA_createserial,minutes, clrext,
 extconf, extsect, sno))
 goto end;
 }
 @@ -1148,7 +1173,7 @@
 X509 *x, X509 *xca, EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 char *serialfile, int create,
 - int days, int clrext, CONF *conf, char *section,
 + int minutes, int clrext, CONF *conf, char *section,
 ASN1_INTEGER *sno)
 {
 int ret=0;
 @@ -1191,7 +1216,7 @@
 goto end;

 /* hardwired expired */
 - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
 + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
 goto end;

 if 
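Review bot: `X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes)` folds the whole validity into a seconds offset held in a `long`. On 32-bit platforms that overflows at 2^31-1 seconds, i.e. above roughly 24855 days (68 years), so a long-lived test CA (`-days 36500`) now wraps and gets a notAfter in the past. The replaced `X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL)` avoided this by keeping days and seconds apart; keep that split, e.g. `X509_time_adj_ex(X509_get_notAfter(x), minutes / (24*60), (long)(minutes % (24*60)) * 60, NULL)`.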

Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Jan Just Keijser via RT
On 15/07/14 15:20, Daniel Kahn Gillmor wrote:
 On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
 The Globus syntax is strange. :)

 We should support the ISO date/time standard, and use that throughout and 
 not invent yet another syntax, or yet another flag.  It's fairly simple to 
 parse, and handles timezones, relative times, date/time mixing, and so on.  
 The XML XSD spec, for example, has a reasonable explanation.
 Agreed here.  also, the presence of a hyphen in a time marker is too
 easily misunderstood as a minus sign.

 If we're talking about the duration of a certificate, we could use
 something like the ISO-8601 duration syntax:

https://en.wikipedia.org/wiki/ISO-8601#Durations

 e.g. PT1800S is 1800 seconds


I like the idea, but I won't have time to rewrite the patch right now. 
Implementing full ISO 8601 timestamps will take some effort. I'd also 
propose to rename '-valid' to '-duration' .
I'll get back on this in mid August.

cheers,

JJK / Jan Just Keijser
Nikhef
Amsterdam


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
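As an added example (not code from the thread or from OpenSSL), here is a small Python parser for the validity spellings discussed in this thread: the `DDD-HH:MM` / `HH:MM` / plain-days logic laid out in the reply to Richard, and the ISO 8601 duration form (`PT1800S`) proposed in the exchange above. It returns the validity in seconds, computes notAfter from notBefore, and rejects zero or negative validity, the case the posted `-valid` parser only partly catches. The function names and the 32-bit `long` check are assumptions of this example; the check is there because the posted patch hands the validity to `X509_gmtime_adj()` as `(long)60*minutes`.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not OpenSSL code. Accepts the validity spellings discussed in
# the thread and returns seconds:
#   "30"          plain number of days (the existing -days semantics)
#   "12:00"       HH:MM, days = 0 (the posted -valid patch)
#   "1-0:00"      DDD-HH:MM (the syntax proposed in the follow-up)
#   "PT1800S"     ISO 8601 duration, PnDTnHnMnS subset (the suggested alternative)
# HH may exceed 24 and MM may exceed 59, as the thread proposes.

_NUM = re.compile(r"[0-9]+")
_HHMM = re.compile(r"([0-9]+):([0-9]+)")
_ISO = re.compile(r"P(?:([0-9]+)D)?(?:T(?:([0-9]+)H)?(?:([0-9]+)M)?(?:([0-9]+)S)?)?")

# 2^31 - 1: the largest seconds offset a 32-bit C long can hold (assumption of
# this example: the patch passes the whole validity as one long to
# X509_gmtime_adj(), so anything larger must be split into days + seconds).
LONG32_MAX = 2**31 - 1


def _hhmm(text: str) -> int:
    """Minutes in an HH:MM string; raises ValueError on anything else."""
    m = _HHMM.fullmatch(text)
    if m is None:
        raise ValueError(f"expected HH:MM, got {text!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_validity(arg: str) -> int:
    """Return the validity period in whole seconds (always > 0)."""
    if arg.startswith("P"):
        m = _ISO.fullmatch(arg)
        if m is None:
            raise ValueError(f"bad ISO 8601 duration {arg!r}")
        d, h, mi, s = (int(g) if g else 0 for g in m.groups())
        secs = ((d * 24 + h) * 60 + mi) * 60 + s
    elif "-" in arg:
        # DDD-HH:MM: everything before the hyphen is days, after it HH:MM.
        days_s, hhmm = arg.split("-", 1)
        if _NUM.fullmatch(days_s) is None:
            raise ValueError(f"bad day count in {arg!r}")
        secs = (int(days_s) * 24 * 60 + _hhmm(hhmm)) * 60
    elif ":" in arg:
        secs = _hhmm(arg) * 60
    elif _NUM.fullmatch(arg):
        secs = int(arg) * 24 * 60 * 60
    else:
        raise ValueError(f"bad validity {arg!r}")
    if secs <= 0:
        # Catches "0", "0:00", "P0D", "PT" and similar: a zero validity would
        # yield a certificate that is already expired at issuance.
        raise ValueError(f"validity must be positive, got {arg!r}")
    return secs


def fits_long32(secs: int) -> bool:
    """True if the offset can be handed to a 32-bit long without wrapping."""
    return secs <= LONG32_MAX


def not_after(not_before: datetime, arg: str) -> datetime:
    """Compute notAfter from notBefore and a validity argument."""
    return not_before + timedelta(seconds=parse_validity(arg))


if __name__ == "__main__":
    start = datetime(2014, 7, 15, 12, 0, tzinfo=timezone.utc)  # constructed
    for spec in ("12:00", "1-0:00", "0-24:00", "0-0:1440", "30", "PT1800S", "P1DT12H"):
        end = not_after(start, spec)
        print(f"{spec:>9} -> {parse_validity(spec):>8d}s, "
              f"notAfter {end:%b %d %H:%M:%S %Y} GMT")
```

The three hyphen/colon rules follow the decision table in the earlier reply verbatim; the ISO 8601 branch covers only the day-and-time components, since a calendar-month or year component has no fixed length in seconds and would need a date-aware calculation rather than a plain offset.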


[openssl.org #3451] patch for x509.c

2014-07-13 Thread Jan Just Keijser via RT
Hi,

attached is a minor patch to apps/x509.c. The patch allows the user to 
specify the validity of a certificate in hours and minutes (next to 
days). This is esp useful when creating grid/RFC3820 proxies which 
typically have a duration of 12 hours.

regards,

JJK / Jan Just Keijser




--- openssl-1.0.1c/apps/x509.c  2011-10-10 01:13:46.0 +0200
+++ openssl-1.0.1c-jjk/apps/x509.c  2012-08-09 09:17:37.783134860 +0200
@@ -128,6 +128,7 @@
  -addreject arg  - reject certificate for a given purpose\n,
  -setalias arg   - set certificate alias\n,
  -days arg   - How long till expiry of a signed certificate - def 30 
days\n,
+ -valid HH:MM- How long till expiry of a signed certificate\n,
  -checkend arg   - check whether the cert expires in the next arg seconds\n,
exit 1 if so, 0 if not\n,
  -signkey arg- self sign cert with arg\n,
@@ -154,12 +155,12 @@
 };
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD 
*digest,
+static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext, const EVP_MD 
*digest,
CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
-char *serial, int create ,int days, int clrext,
+char *serial, int create ,int minutes, int clrext,
 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
@@ -194,7 +195,7 @@
int ocsp_uri=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
-   int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+   int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
int pprint = 0;
const char **pp;
X509_STORE *ctx=NULL;
@@ -292,6 +293,26 @@
goto bad;
}
}
+   else if (strcmp(*argv,-valid) == 0)
+   {
+   if (--argc  1) goto bad;
+
+   char *delim = strchr(*(++argv), ':');
+   if (delim)
+   {
+   *delim = '\0';
+   delim++;
+   minutes = atoi( delim );
+   }
+   int hours = atoi( *argv );
+   minutes = 60 * hours + minutes;
+
+   if (minutes == 0)
+   {
+   BIO_printf(STDout,bad -valid specification\n);
+   goto bad;
+   }
+   }
else if (strcmp(*argv,-passin) == 0)
{
if (--argc  1) goto bad;
@@ -511,6 +532,10 @@
goto end;
}
 
+   if (minutes == 0)
+   {
+   minutes = 24*60*days;
+   }
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
@@ -964,7 +989,7 @@
}
 
assert(need_rand);
-   if (!sign(x,Upkey,days,clrext,digest,
+   if (!sign(x,Upkey,minutes,clrext,digest,
 extconf, extsect)) goto end;
}
else if (CA_flag == i)
@@ -982,7 +1007,7 @@
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, sigopts,
-   CAserial,CA_createserial,days, clrext,
+   CAserial,CA_createserial,minutes, 
clrext,
extconf, extsect, sno))
goto end;
}
@@ -1148,7 +1173,7 @@
X509 *x, X509 *xca, EVP_PKEY *pkey,
STACK_OF(OPENSSL_STRING) *sigopts,
char *serialfile, int create,
-   int days, int clrext, CONF *conf, char *section,
+   int minutes, int clrext, CONF *conf, char *section,
ASN1_INTEGER *sno)
{
int ret=0;
@@ -1191,7 +1216,7 @@
goto end;
 
/* hardwired expired */
-   if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
+   if