Too Long !!!

2001-09-04 Thread wong . nyook . yeen 



hi ... has anyone try to generate their Private Key using this command openssl
genrsa -rand /dev/urandom -out domain.key 1024 ???

i'm trying this and it already took 5 days ...

any comment r welcome 

Regards,
Wong Nyook Yeen
Email : [EMAIL PROTECTED]
Tel no : 03 - 2018228 ext. 1031


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

non blocking

2001-09-04 Thread Rama krishna Prasad Chunduru 

Hi all,
  I am writing one  server program which accepts the connections from clients 
and process the connections. I am using openssl-0.9.6b version. 
I am crating one socket with non blocking mode and bounded to the SSL port 
with any ipaddress. i am listening on that socket to serve the client 
connections. My question is when i am trying to browse the server, the server 
is accepting the connection but SSL_accept is failing( non blocking) with 
return value as -1. I done SSL_get_error on the return value it shows 2.  i 
am unable to find the reason.
Any Help is appreciated.
From
RKP

-- 
Rama Krishna Prasad  Chunduru
Software engineer
Intoto Software(I) Pvt Ltd
Kharkhana
Secundrabad 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

libcrypto.so.2 libssl.so.2

2001-09-04 Thread Ola Persson 

Hi I have a question which I haven't been able to answer myself,

I tried to update my current Kde 2.1 to Kde 2.2 and then kdebase-2.2-3 asks 
for libcrypto.so.2  libssl.so.2 which I have been able to locate in 
openssl-0.9.6b-6.i386.rpm. The problem is that I have a newer (I think, 
becouse when trying install 0.9.6b-6 it says it is older than current) 
version of opensll namely openssl-0.9.6-9. In openssl-0.9.6-9 I can't locate 
libcrypto.so.2  libssl.so.2.
If I remember correctly openssl-0.9.6-9 is an update from RH.
Currently using RH 7.1 kernelversion 2.4.

How do I install libcrypto.so.2   libssl.so.2 so that RPM understands that 
they are there?

With regards
//Ola P. O.

_
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

detecting and removing memory leaks using openssl supported apis...

2001-09-04 Thread Aslam 

Hi,

Can any one of u guys tell me how to use the memory check support thing of
Openssl..
Following code does output the memory leaks, but how to read the output and
narrow the cause of memory leak..

Code:

void Openssl_Init()
{
OpenSSL_add_all_algorithms();

CRYPTO_malloc_debug_init();
CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

g_pBioStdOut = BIO_new(BIO_s_file());
BIO_set_fp(g_pBioStdOut, stdout, BIO_NOCLOSE);
BIO_printf(g_pBioStdOut, OpenSSL Application Starting.\n);

//g_fp = fopen(d:\\work\\MemoryLeaks.txt, w);
}


void Openssl_Exit()
{
BIO_printf(g_pBioStdOut, OpenSSL Application Exiting.\n);
BIO_printf(g_pBioStdOut, \n\n);
BIO_free(g_pBioStdOut);

CRYPTO_mem_leaks_fp(stderr);
//CRYPTO_mem_leaks_fp(fp);
ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup(); 

if(g_fp)
fclose(g_fp);
}

Output:

[11:21:51]   245 file=.\crypto\err\err.c, line=696, thread=480, number=332,
addr
ess=00D0B830
[11:21:51]   248 file=.\crypto\lhash\lhash.c, line=193, thread=480,
number=12, a
ddress=00D0BC10
[11:21:51]   246 file=.\crypto\lhash\lhash.c, line=119, thread=480,
number=96, a
ddress=00D0B9E0
[11:21:51]   247 file=.\crypto\lhash\lhash.c, line=121, thread=480,
number=64, a
ddress=00D0BB08
504 bytes leaked in 4 chunks

Question: How to read this and figure out where excatly is the memory leak
??

Thanks
Aslam
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

pod2man.pl-related compilation error. Help!

2001-09-04 Thread Chris Scott 

I wrote about this a few days ago and have not yet been able to solve it;
I'd appreciate anybody's input...

See http://marc.theaimsgroup.com/?l=openssl-usersm=99922122232541w=2 for
details.

Thanks!

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: non blocking

2001-09-04 Thread Lutz Jaenicke 

On Tue, Sep 04, 2001 at 12:09:16PM +0530, Rama krishna Prasad Chunduru wrote:
 I am crating one socket with non blocking mode and bounded to the SSL port 
 with any ipaddress. i am listening on that socket to serve the client 
 connections. My question is when i am trying to browse the server, the server 
 is accepting the connection but SSL_accept is failing( non blocking) with 
 return value as -1. I done SSL_get_error on the return value it shows 2.  i 
 am unable to find the reason.

2 = SSL_ERROR_WANT_READ

man SSL_get_error !

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Too Long !!!

2001-09-04 Thread Lutz Jaenicke 

On Mon, Sep 03, 2001 at 01:21:33PM +1000, [EMAIL PROTECTED] wrote:
 hi ... has anyone try to generate their Private Key using this command openssl
 genrsa -rand /dev/urandom -out domain.key 1024 ???

Yes. In the past we have seen several similar reports.

Solution: do not specify /dev/urandom with -rand. genrsa will try to read
from /dev/urandom until the end of the file is reached. /dev/urandom has
no end, so you are hanging in an infinite loop.
/dev/urandom is automatically queried by OpenSSL, you can omit the -rand
option if you have /dev/urandom.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Too Long !!!

2001-09-04 Thread Ryan Hurst 

My Guess is its just sitting there reading your /dev/urandom (aka sounds
like a blocking/non-blocking issue), even on a 386 it should not take more
than a minute or so to generate the key. Take a look at the FAQ for
information on gathering entropy.

Ryan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] 
Sent: Sunday, September 02, 2001 8:22 PM
To: [EMAIL PROTECTED]
Subject: Too Long !!!



hi ... has anyone try to generate their Private Key using this command
openssl
genrsa -rand /dev/urandom -out domain.key 1024 ???

i'm trying this and it already took 5 days ...

any comment r welcome 

Regards,
Wong Nyook Yeen
Email : [EMAIL PROTECTED]
Tel no : 03 - 2018228 ext. 1031


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Completion Notification

2001-09-04 Thread Nebi Musa 




I am a C++ Programmer developing a 
program that combines OpenSSL
and I/O Completion Ports using WinSock 
2.2. 

I would like to know whether the 
SSL_write() and SSL_read() send
completion notification to the I/O 
Completion Port mechanism.

Further more, I would like to know if I 
set SSL_set_fd() to a NonBlocking SOCKET,
will the calls to SSL_write() and 
SSL_read() will return immedietly or will they 
return only upon success or 
failiur.

Thanks,

shep

Re: question on DSA_verify vs EVP_VerifyFinal

2001-09-04 Thread Mark W. Webb 

On Saturday 01 September 2001 07:49 am, you wrote:

Thanks for getting back to me.

What you are saying makes sense, I just do not know why EVP_VerifyFinal 
passes a signature coming from Java, and DSA_verify fails it?  There must be 
some difference between the two.



 Mark W. Webb wrote:
  I have two programs that sign information.  One written in C, and one in
  Java.  The signature is verified on another program written in C.  The C
  based apps are using openssl 0.9.6a.  The Java program is using standard
  JDK functions.  The signature that is created by the C based app is
  verified using DSA_verify.  This seems to be working fine.  The signature
  that is created by the Java app is verified using the EVP_VerifyFinal
  function.  If I use the DSA_verify function on the Java created
  signature, it fails.  I  use openssl command line args to have openssl
  verify a signature placed in a file created by Java.  Here is the command
  line argument:
 
  openssl dgst -dss1 -verify PEM Pub key -signature DSA Signature
  created by java datafile
 
  is tracing through the code, I found that this command line argument
  depends on  to work.
 
  My question is, how come I need 2 different functions to verify
  signatures that originate from the same private key?
 
  Note : The Java app uses a PKCS8 form of the private key and the C app
  uses a DER form of the private key.

 This should be in openssl-users...

 Anyway. EVP_Verify*() digests data and then verifies the signature using
 the digest and the relevant public key algorithm. They are high level
 functions in that all you need to do to use a different algorithm is
 change the parameters.

 DSA_verify on the other hand is a lower level function that will only
 work with DSA. Also it doesn't do the digesting itself you have to pass
 it the digest rather than the data to be digested.

 Steve.

-- 
Mark Webb
Software Engineer
Dolphin Technology
1300B Floyd Ave
Rome, NY 13440

Phone: (315) 334-4892 x222
Fax: (315) 339-4846
Email: [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Completion notification

2001-09-04 Thread Nebi Musa 



I am a C++ Programmer developing a 
program that combines OpenSSL
and I/O Completion Ports using WinSock 
2.2. 

I would like to know whether the 
SSL_write() and SSL_read() send
completion notification to the I/O 
Completion Port mechanism.

Further more, I would like to know if I 
set SSL_set_fd() to a NonBlocking SOCKET,
will the calls to SSL_write() and 
SSL_read() will return immedietly or will they 
return only upon success or 
failiur.

Thanks,

shep

Errors with CRL.

2001-09-04 Thread Eldi Espinosa (InfoSpace Inc) 
Title: Errors with CRL.





I just installed openssl and I created a RSA cert. I'm trying to use CRL to check issuer info, last update etc as this information is going to be important for audit but when i try to use it it just gives me an error.

this is my command line:
openssl crl -in test.pem -text


And this is the error message:
unable to load CRL
1340:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib
.c:662:Expecting: X509 CRL


Please help


Thanks


Eldi

RE: Errors with CRL.

2001-09-04 Thread Ryan Hurst 
Title: Errors with CRL.









What CA generated the CRL? Are you sure it
is in PEM? Does it have the PEM armor (- BEGIN...,  END)?



Ryan



-Original Message-
From: Eldi Espinosa (InfoSpace
Inc) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 04, 2001
1:01 PM
To: '[EMAIL PROTECTED]'
Subject: Errors with CRL.



I just installed openssl and I created a RSA cert.
I'm trying to use CRL to check issuer info, last update etc as this information
is going to be important for audit but when i try to use it it just gives me an
error.

this is my command line: 
openssl
crl -in test.pem -text 

And this is the error message: 
unable
to load CRL 
1340:error:0906D06C:PEM
routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib 
.c:662:Expecting:
X509 CRL 

Please help 

Thanks 

Eldi

SSL without certificate

2001-09-04 Thread Ding Yiqiang 



Hi,

Is it possible to build an SSL server without 
server certificate, so that an encrypted SSL connection can be created without 
any certificate? Thanks in advance.

Yiqiang

Re:

2001-09-04 Thread Gregory Stark 

From the BIO_f_cipher() man page:

BIO_flush() on an encryption BIO that is being written through is used to
signal that no more data is to be encrypted: this is used to flush and
possibly pad the final block through the BIO.
.
...
.
NOTES
When encrypting BIO_flush() must be called to flush the final block through
the BIO. If it is not then the final block will fail a subsequent decrypt

==
Greg Stark
[EMAIL PROTECTED]
==

- Original Message -
From: Shaheed Bacchus [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 04, 2001 4:55 PM
Subject: Re:


 hello,
 i am trying to write a piece of code that will take an unsigned char*
 (called Data) and 3DES encode it and then store it in another
 unsigned char *.  at the bottom of this message are two code
 snippets, #1 writes the encrypted data to a file BIO while #2
 writes it to a mem BIO.  #1 appears to work perfectly, if i use
 the openssl des3 command with the appropiate flags and key
 i can decrypt the file that was written.  #2 does not work, the
 encrypted data produced is always shorter than the data
 produced by #1 and i cannot decrypt it.  any ideas on why
 #2 will not work?

 code snippet #1:
 
 const EVP_CIPHER *cipher=NULL;
 unsigned char *SaltPtr=NULL;
 unsigned char Salt[PKCS5_SALT_LEN];
 unsigned char Key[24], MD[MD5_DIGEST_LENGTH];
 BIO *OutData, *EncBio=NULL;
 BUF_MEM *OutDataBuf=NULL;
 static const char magic[]=Salted__;
 int DataLen=0;

 OpenSSL_add_all_algorithms();
 cipher = EVP_get_cipherbyname(des3);
 OutData = BIO_new(BIO_s_file());
 if (BIO_write_filename(OutData, mytest.des) = 0)
 {
printf(Error with BIO_write\n);
 goto end;
  }
 if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN)  0)
 {
printf(Error with RAND_pseudo_bytes\n);
return (1);
 }
 if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1)
 || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) !=
  PKCS5_SALT_LEN))
 {
printf(Error writing salt\n);
goto end;
 }
 SaltPtr = Salt;
 EVP_BytesToKey(cipher, EVP_md5(), SaltPtr,
   (unsigned char *) Passwd,
strlen(Passwd), 1, Key, MD);
 if (!(EncBio=BIO_new(BIO_f_cipher(
  goto end;
 BIO_set_cipher(EncBio, cipher, Key, MD, 1);
 if (EncBio)
 {
   OutData = BIO_push(EncBio, OutData);
 }
 if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data))
 {
printf(Error writing Data\n);
 goto end;
  }
  -

 code snippet #2:
 --
 const EVP_CIPHER *cipher=NULL;
 unsigned char *SaltPtr=NULL;
 unsigned char Salt[PKCS5_SALT_LEN];
 unsigned char Key[24], MD[MD5_DIGEST_LENGTH];
 BIO *OutData, *EncBio=NULL;
 BUF_MEM *OutDataBuf=NULL;
 static const char magic[]=Salted__;
 int DataLen=0, ret=0;

 OpenSSL_add_all_algorithms();
 cipher = EVP_get_cipherbyname(des3);
 OutData = BIO_new(BIO_s_mem());
  if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN)  0)
 {
printf(Error with RAND_pseudo_bytes \n);
 return (1);
  }

 if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) ||
 (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) !=
 PKCS5_SALT_LEN))
 {
  printf(Error writing salt\n);
   goto end;
  }
  EVP_BytesToKey(cipher, EVP_md5(), SaltPtr,
(unsigned char *) Passwd,
strlen(Passwd), 1, Key, MD);
  if (!(EncBio=BIO_new(BIO_f_cipher(
goto end;
  BIO_set_cipher(EncBio, cipher, Key, MD, 1);
   if (EncBio)
 {
   OutData = BIO_push(EncBio, OutData);
 }
 if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data))
 {
   printf(Error writing Data\n);
goto end;
 }
 BIO_get_mem_ptr(OutData, OutDataBuf);
 DataLen = OutDataBuf-length;
 OutBuf = OutDataBuf-data;


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

No Subject

2001-09-04 Thread ÍôÑó 

   HI, I am a green hand in SSL programming.
If I have got a certificate with the postfix
of .pem or .cer, how can I get the subject ,
public key and other related infomation  from the
file?  I mean what kind of functions I should 
employ?
thank you.
   




___IP¿¨¡¢ÉÏÍø¿¨Á½ÕÛÊ·Å«±È¡¢À¯±ÊСÐÂÈ«¼Ò¸£»ªÓïÅÅÐаñ°ä½±µäÀñ¼ÓÈëÊéÓÑ»á»ñ¾«ÃÀÀñÆ·

Re:

2001-09-04 Thread Shaheed Bacchus 

thank you very much, you nailed it on the head.

Gregory Stark wrote:

 From the BIO_f_cipher() man page:

 BIO_flush() on an encryption BIO that is being written through is used to
 signal that no more data is to be encrypted: this is used to flush and
 possibly pad the final block through the BIO.
 .
 ...
 .
 NOTES
 When encrypting BIO_flush() must be called to flush the final block through
 the BIO. If it is not then the final block will fail a subsequent decrypt

 ==
 Greg Stark
 [EMAIL PROTECTED]
 ==

 - Original Message -
 From: Shaheed Bacchus [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Tuesday, September 04, 2001 4:55 PM
 Subject: Re:

  hello,
  i am trying to write a piece of code that will take an unsigned char*
  (called Data) and 3DES encode it and then store it in another
  unsigned char *.  at the bottom of this message are two code
  snippets, #1 writes the encrypted data to a file BIO while #2
  writes it to a mem BIO.  #1 appears to work perfectly, if i use
  the openssl des3 command with the appropiate flags and key
  i can decrypt the file that was written.  #2 does not work, the
  encrypted data produced is always shorter than the data
  produced by #1 and i cannot decrypt it.  any ideas on why
  #2 will not work?
 
  code snippet #1:
  
  const EVP_CIPHER *cipher=NULL;
  unsigned char *SaltPtr=NULL;
  unsigned char Salt[PKCS5_SALT_LEN];
  unsigned char Key[24], MD[MD5_DIGEST_LENGTH];
  BIO *OutData, *EncBio=NULL;
  BUF_MEM *OutDataBuf=NULL;
  static const char magic[]=Salted__;
  int DataLen=0;
 
  OpenSSL_add_all_algorithms();
  cipher = EVP_get_cipherbyname(des3);
  OutData = BIO_new(BIO_s_file());
  if (BIO_write_filename(OutData, mytest.des) = 0)
  {
 printf(Error with BIO_write\n);
  goto end;
   }
  if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN)  0)
  {
 printf(Error with RAND_pseudo_bytes\n);
 return (1);
  }
  if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1)
  || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) !=
   PKCS5_SALT_LEN))
  {
 printf(Error writing salt\n);
 goto end;
  }
  SaltPtr = Salt;
  EVP_BytesToKey(cipher, EVP_md5(), SaltPtr,
(unsigned char *) Passwd,
 strlen(Passwd), 1, Key, MD);
  if (!(EncBio=BIO_new(BIO_f_cipher(
   goto end;
  BIO_set_cipher(EncBio, cipher, Key, MD, 1);
  if (EncBio)
  {
OutData = BIO_push(EncBio, OutData);
  }
  if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data))
  {
 printf(Error writing Data\n);
  goto end;
   }
   -
 
  code snippet #2:
  --
  const EVP_CIPHER *cipher=NULL;
  unsigned char *SaltPtr=NULL;
  unsigned char Salt[PKCS5_SALT_LEN];
  unsigned char Key[24], MD[MD5_DIGEST_LENGTH];
  BIO *OutData, *EncBio=NULL;
  BUF_MEM *OutDataBuf=NULL;
  static const char magic[]=Salted__;
  int DataLen=0, ret=0;
 
  OpenSSL_add_all_algorithms();
  cipher = EVP_get_cipherbyname(des3);
  OutData = BIO_new(BIO_s_mem());
   if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN)  0)
  {
 printf(Error with RAND_pseudo_bytes \n);
  return (1);
   }
 
  if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) ||
  (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) !=
  PKCS5_SALT_LEN))
  {
   printf(Error writing salt\n);
goto end;
   }
   EVP_BytesToKey(cipher, EVP_md5(), SaltPtr,
 (unsigned char *) Passwd,
 strlen(Passwd), 1, Key, MD);
   if (!(EncBio=BIO_new(BIO_f_cipher(
 goto end;
   BIO_set_cipher(EncBio, cipher, Key, MD, 1);
if (EncBio)
  {
OutData = BIO_push(EncBio, OutData);
  }
  if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data))
  {
printf(Error writing Data\n);
 goto end;
  }
  BIO_get_mem_ptr(OutData, OutDataBuf);
  DataLen = OutDataBuf-length;
  OutBuf = OutDataBuf-data;
 
 
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]
 

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]

RE: Too Long !!!

2001-09-04 Thread Himanshu Soni 

Have you tried the genrsa and dsaparam followed by a gendsa command?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Monday, September 03, 2001 5:55 PM
To: [EMAIL PROTECTED]
Subject: RE: Too Long !!!




so ... have anyone try to create a private key using openssl command ... pls
show me the way ...

Regards,
Wong Nyook Yeen
Email : [EMAIL PROTECTED]
Tel no : 03 - 2018228 ext. 1031



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

doubt regarding X509_verify_cert

2001-09-04 Thread jyothi 



Hi all,

I have a doubt regarding the x509_verify_cert().  When we have a TRUSTED
certificate with the authority-key-identifier extension, and when we are
trying to verify a SELF certificate using the function X509_verify_cert(),
the verification is failing.

Upon a deeper look into the function, the function is failing as follows...

When we call the X509_verify_cert() with the CTX,
Before calling this function we are initializing the CTX-cert with the
self-certificate, and we are adding the trusted-certificates in X509_STORE
using the function X509_STORE_add_cert().

In the X509_verify_cert()
1. checks whether CTX-cert (self-certificate) is self-signed certificate or
not by PUSHing the certificates into a chain.
2. It is looking for Trusted certificates whose subject name is same as the
Issuer Name of CTX-cert(ie., self-certificate) and pushing the certificates
into the chain in the CTX. Now we are checking the Trusted certificates are
Self-signed or not by calling the function X509_check_issued( ).
3. We are passing the subject and issuer certificates the same Trusted
Certificate.  In this function we are checking the Serial Number of the
Issuer certificate with the Serial number in the extension Authorithy Key
Identifier of the Subject Certificate.
Here we are facing problem.  The problem is ASN1_INTEGER_cmp( ) is failing.

The QUESTION is whether the Serial Number in the Trusted Certificate should
be SAME as the Serial Number in the Authority Key Identifier extension?

If the two need not be the same then we feel that there is a bug in the
X509_check_issued ( ) function as we are using it to verify whether the
certificate is self-signed or not.

I would be thankful for any help regarding this question..

Regards
Suram



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Simple question

2001-09-04 Thread ET Tan 

Hi all,

How do I serialize an RSA private key into DER?

I tried by using the i2d_RSAPrivateKey(...) but it crashed.

My code snippet:

---
RSA *rsa = RSA_generate_key(1024, 0x10001, NULL, NULL);

unsigned char der[1]; // ought to be enough?

i2d_RSAPrivateKey(rsa, (unsigned char**)der); // crashes here
---

Thanks

ET.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]