Extensions for IP Addresses and AS Identifiers
Hi! I would like to know if this is supported with OpenSSL: http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-00.txt
I would suppose that I can use the configuration file section and use a hardcoded DER representation... Is this guess correct? Is there any other less ugly way?
Thanks for any help
-- Tiago Antao - RIPE NCC
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Validity period of certificates
You mean how to create a certificate using openssl?

-Original Message-
From: Radboud Platvoet
Sent: 02 October 2002 13:52
Subject: RE: Validity period of certificates

In order for me to use these macros, I first need to load an X509 structure with my certificate (located in a .pem file). Does anybody know how to do this?
Thanks, Radboud

On Friday, September 27, 2002 10:27 PM, Vijo Cherian wrote:
X509_get_notBefore() and X509_get_notAfter() are your friends. Make sure you don't use that key/cert in any production systems.
vijo.

On Fri, Sep 27, 2002 at 03:39:07PM +0200, Radboud Platvoet wrote:
Thanks guys, that works great. However, I would really like to do it with a call from my C code and not in the shell.
-Radboud

On Friday, September 27, 2002 3:04 PM, Michiels Olivier wrote:
Hi, take the BEGIN CERTIFICATE to END CERTIFICATE part, put it in a file, then do: openssl x509 -in yourfile -text. You will see the start and the end date at the beginning of the response. Hope this helps,
Michiels Olivier

Radboud Platvoet wrote:
Hi everyone, I would like to know if there is a way to find out for what period a certificate is valid (i.e. the start and end date).
This is the certificate from which I would like to determine the validity period: [PEM private key and certificate omitted]
Any help is greatly appreciated!
Thanks, Radboud
Loading a certificate from file into an X509 struct
Hi everyone,
I would like to load a certificate from file into an X509 struct without too much hassle. (I found something for which I have specific questions below, but if you know another way, then please tell me that as well.)
I found the PEM_read_X509 macro and figured that it might do for me what I want. I just have some trouble figuring the parameters out. This is the definition (after you resolve the macro):

    X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);

These I figured out:
- fp is most likely an open file pointer to the certificate file.
- x is most likely a double pointer to an X509 struct.
But what is a pem_password_cb and what do I do with it? It is defined as:

    typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);

And what is this void *u at the end supposed to do?? Any help, or even better: an example, would be greatly appreciated!!
Thanks, Radboud
RE: Validity period of certificates
No. I have a certificate file. It is on disk. I want to determine the validity period of it. In order to do so, I first need to load the certificate FROM file INTO an X509 structure (defined in X509.h of the OpenSSL source code).
-Radboud

-Original Message-
From: Jose Correia (J)
Sent: Wednesday, October 02, 2002 1:59 PM
Subject: RE: Validity period of certificates

You mean how to create a certificate using openssl?
Re: Windows, MS VC++, MFC and OpenSSL
Date sent: Wed, 02 Oct 2002 11:26:19 +0200
From: Michael Voucko
Organization: Fillmore Labs GmbH
Subject: Re: Windows, MS VC++, MFC and OpenSSL

Yes it is possible, and in fact very easy. And it works quite well.
Ken

Radboud Platvoet wrote:
Hi everyone, does anyone know if it is possible to use the MFC CAsyncSocket class as a base for an OpenSSL connection? The CAsyncSocket class has many nice features such as OnReceive, OnClose, OnAccept and OnConnect events which I use extensively in my programs that use unsecure connections. I would like to be able to use the same features for my secure connections.

Check out the current "maximum block size in SSL_write()" thread, it might give you a clue what to expect.
-- Michael

Support, InterSoft International, Inc.
http://www.securenetterm.com
Re: Loading a certificate from file into an X509 struct
Radboud Platvoet wrote:
[...] But what is a pem_password_cb and what do I do with it? [...] And what is this void *u at the end supposed to do?? Any help, or even better: an example, would be greatly appreciated!!

man pem

Regards, Nils
RE: Windows, MS VC++, MFC and OpenSSL
Cool! Thanks!
- Radboud

On Wednesday, October 02, 2002 2:39 PM, Kenneth R. Robinette wrote:
Yes it is possible, and in fact very easy. And it works quite well.
Ken
RE: Windows, MS VC++, MFC and OpenSSL
Use the Detach class member; it will give you a normal socket.
Riaan

-Original Message-
From: Radboud Platvoet
Sent: Wednesday, October 02, 2002 11:19 AM
Subject: Windows, MS VC++, MFC and OpenSSL

Hi everyone, does anyone know if it is possible to use the MFC CAsyncSocket class as a base for an OpenSSL connection? The CAsyncSocket class has many nice features such as OnReceive, OnClose, OnAccept and OnConnect events which I use extensively in my programs that use unsecure connections. I would like to be able to use the same features for my secure connections.
Thanks, Radboud
RE: Loading a certificate from file into an X509 struct
I am sure that works on a Unix machine, but unfortunately I am on Windows. Could you maybe copy and paste the output of man pem in an email?
Thanks, Radboud

PS: I am sure that the documentation for OpenSSL on Unix machines is adequate, however on Windows machines, with the lack of a working 'man' command and no help files available, it is quite impossible to make heads or tails out of it. Most of the time I need to get into the source code to figure out how it works!!

-Original Message-
From: Nils Larsch
Sent: Wednesday, October 02, 2002 2:46 PM
Subject: Re: Loading a certificate from file into an X509 struct

Radboud Platvoet wrote:
[...] But what is a pem_password_cb and what do I do with it? [...] And what is this void *u at the end supposed to do?? Any help, or even better: an example, would be greatly appreciated!!

man pem
Regards, Nils
Signature and ENGINE
Hi everybody, I'm curious to know how I can sign something using an ENGINE. When I'm looking in the x509.c code, I see the setup_engine function but the variable 'e' is not used in the rest of the code; is that normal? Why initialize an ENGINE and not use it?
Thanks, Michiels Olivier
My own ENGINE for NFast
Hi, I'm writing my own NFast ENGINE because the chil interface does not provide me enough functionality. Right now I have implemented the two functions hwnfast_load_privkey and hwnfast_load_pubkey. I can load keys with those functions but I don't know how to fill the EVP_PKEY data structure. The reference to my private key is a pointer to an NFast specific structure (M_KeyID) and the public key is in a buffer. I've looked at the code of the hw_ncipher but I think I can't use it like that. The keys are stored this way: I have two files (hash, blob) that contain the private key protected by a logical token, and the public key is stored in a pem file. My question is, how do I create the two EVP_PKEYs in my implementation?
Thanks, Michiels Olivier
Re: Signature and ENGINE
In message [EMAIL PROTECTED] on Wed, 02 Oct 2002 15:27:57 +0200, Michiels Olivier said:
I'm curious to know how I can sign something using an ENGINE. When I'm looking in the x509.c code, I see the setup_engine function but the variable 'e' is not used in the rest of the code; is that normal? Why initialize an ENGINE and not use it?

When you initialize an engine, it hooks in its own routines for the asymmetric and symmetric algorithms it has available. After that, whenever you do an operation that uses one of those algorithms, the encryption/decryption (/signing/verification) calls are redirected to the engine you selected, and thereby to your hardware. There's nothing explicit for you to do there...

-- Richard Levitte, Member of the OpenSSL development team: http://www.openssl.org/
Re: Loading a certificate from file into an X509 struct
On Wed, Oct 02, 2002 at 03:13:55PM +0200, Radboud Platvoet wrote:
I am sure that works on a Unix machine, but unfortunately I am on Windows. Could you maybe copy and paste the output of man pem in an email? [...] Most of the time I need to get into the source code to figure out how it works!!

Well, the manpages appear to be on the openssl.org website, so: http://www.openssl.org/docs/crypto/pem.html

And the callback I should imagine is for reading the password from the user if required, and u will be a pointer to pass to the callback function, like practically all C callbacks. (Don't you just long for Perl-style closures sometimes?)

SRH
-- Steve Haslam, Reading, UK, Debian GNU/Linux Maintainer
Re: Loading a certificate from file into an X509 struct
On Wednesday, 2 October 2002 15:13, Radboud Platvoet wrote:
I am sure that works on a Unix machine, but unfortunately I am on Windows. Could you maybe copy and paste the output of man pem in an email?

See: http://www.openssl.org/docs/crypto/pem.html or use the pod2html command.
Regards, Nils
csr generating automatically
Hi! How could I generate a csr from a batch file without human interaction? I use the openssl command line. If it is possible, which is the batch file format? If I use openssl req -new -key a.key -out a.csr then I have to fill in the name, etc., and it is not good for me, because I would call this command from another program.
thanks: Peter
Re: Apache 2.0.39 + ssl + ldap with client certificate authentication
Hi Jose, would you please outline how exactly one could use this patch? What kind of LDAP lookup works best with X509_NAME_oneline()-style names? Should the LDAP tree be somewhat special?
Thank you and sorry for off-topic,
Vadim

On Wed, Oct 02, 2002 at 08:50:36AM +0200, Jose Correia (J) wrote:
Hi Sarah, take a look at http://authzldap.othello.ch/index.html. I've used it successfully.
Cheers, Jose

-Original Message-
From: Sarath Chandra M
Sent: 29 September 2002 11:17
Subject: Apache 2.0.39 + ssl + ldap with client certificate authentication

Dear group, has anybody tried doing ldap client certificate authentication for an apache 2.0.39 ssl server? Our environment is: RedHat linux 7.1 kernel 2.4.x, apache 2.0.39 (inc. mod_ssl), openssl-engine-0.9.6g, openldap (on a different redhat linux server). The apache website has a verisign server certificate, a self-signed CA certificate and all clients have certificates in the ldap server signed by this CA. When clients present their certificate to browse the Apache secure site, Apache should check the existence of their certificate in the LDAP server and also the validity of the contents of the certificate presented. Kindly provide some direction to any solution or resources related to this issue. Any help would be highly appreciated.
TIA, Sarath
Netscape Enterprise 3.6
Hi everyone, my company is planning to move to apache; right now we are running netscape enterprise 3.6. I need to be able to migrate the certs from the netscape db to pem format. The db are not just in a pkcs format. So far I have been able to extract the private keys using the instructions found here: http://www.drh-consultancy.demon.co.uk/nskey.html. I have used openssl s_client -host -showcerts to get the cert info, however this did not seem to get all the info I need (Mozilla said the cert had an unknown issuer). We are using verisign certs. We tried to have them reissue, but they want the price of a new cert to do that. So assuming I have the private key converted to pem format, how do I get the cert out of a netscape db? Can I not get this over a network connection (like I tried with openssl s_client) since the certificate is presented to the client? Any info would be greatly appreciated, thank you in advance.
Ryan
How to set a CRLNumber extension in CRL
Dear all,
I want to know the way to implement setting the CRLNumber extension in a CRL using openssl-0.9.7 beta 3. In the crypto/x509v3 directory, there is a file v3_int.c. In this source code, the X509V3_EXT_METHOD is already defined. First I think that I should add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER in the structure, since the s2i_ASN1_INTEGER code is also defined in v3_utl.c.

    59 #include <stdio.h>
    60 #include "cryptlib.h"
    61 #include <openssl/x509v3.h>
    62
    63 X509V3_EXT_METHOD v3_crl_num = {
    64     NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
    65     0,0,0,0,
    66     (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
    67     0,
    68     0,0,0,0, NULL};
    69

In line 67, I will add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER. In the CRLNumber extension, the ASN.1 in RFC 3280 says:

    CRLNumber ::= INTEGER (0..MAX)

Then I should define the ASN1 macro, but now I do not know how to define the ASN1 macro to define the ASN.1. Looking at some other examples, if you have a sequence tag, the macro will start like:

    ASN1_SEQUENCE() ... ASN1_SEQUENCE_END()

However the CRLNumber is just INTEGER. I simply want to know which macro to use, or any pointer to take a look at. I would very much appreciate it if you could give me some suggestion.
Sincerely,
-Kiyoshi
Kiyoshi Watanabe
RE: Apache 2.0.39 + ssl + ldap with client certificate authentication
On Wed, 2 Oct 2002, Sarath Chandra M wrote:
Dear Jose, I had looked at the site you mentioned. But my problem is in applying the patch (http://authzldap.othello.ch/modssl-patch.html) to mod_ssl as said in the installation page of the same site. If you could tell me how to apply this patch, then I can go ahead and try.

I'm right now working on a new release of the module that is supposed to support apache2; hopefully I'll get that out of the door today or tomorrow.

With kind regards,
Andreas Mueller
-- Dr. Andreas Mueller, Consulting and Development, CH-8852 Altendorf, Switzerland
Seeding the OpenSSL PRNG on Windows
Can anyone suggest how I would seed the OpenSSL PRNG on Windows? I guess on Unix systems I can use /dev/random. But is there an equivalent on Windows? Note that the OpenSSL application I'm writing is a server application, so it is likely that it will run on a box with little or no UI interaction. So I don't want to use something that depends on user clicks or whatever to build entropy. Can anybody suggest a good source of entropy on Windows, and how to use it from a C/C++ program?
Thanks, Ed
Re: How to set a CRLNumber extension in CRL
On Thu, Oct 03, 2002, Kiyoshi WATANABE wrote:
Dear all, I want to know the way to implement setting the CRLNumber extension in a CRL using openssl-0.9.7 beta 3.

The extension is already supported, but not in the 'ca' application which generates CRLs.

In the crypto/x509v3 directory, there is a file v3_int.c. In this source code, the X509V3_EXT_METHOD is already defined. First I think that I should add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER in the structure, since the s2i_ASN1_INTEGER code is also defined in v3_utl.c. [...] In line 67, I will add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER. In the CRLNumber extension, the ASN.1 in RFC 3280 says: CRLNumber ::= INTEGER (0..MAX). Then I should define the ASN1 macro, but now I do not know how to define the ASN1 macro to define the ASN.1. Looking at some other examples, if you have a sequence tag, the macro will start like: ASN1_SEQUENCE() ... ASN1_SEQUENCE_END(). However the CRLNumber is just INTEGER. I simply want to know which macro to use, or any pointer to take a look at.

It's already in there: ASN1_ITEM_ref(ASN1_INTEGER). What you cannot currently do, as I mentioned, is add this extension using the 'ca' application. There isn't an s2i_ASN1_INTEGER in the structure for a reason: this is to stop the extension being used in config files. Config files are fine for the static extensions whose value will be the same, however CRLNumber has to increase with each new CRL issued. If you could add CRLNumber from a config file this may well result in distinct CRLs having the same number, which is a bad thing(tm).

What is really needed is to handle CRLNumber as a special case, for example via a file which is treated in a similar way to the serial number and updated with each CRL issued.

Steve.
-- Dr. Stephen Henson, OpenSSL Project http://www.openssl.org/~steve/
Re: OCSP Segmentation fault
On Wed, Oct 02, 2002, David Sloat wrote:
Hi, I've implemented a trimmed down version of the ocsp application (apps/ocsp.c) and when I execute the code, I get a segmentation fault while trying to free the OCSP_* structures. I've changed the order of the OCSP_*_free calls, but it always seg faults on one of them. The free calls in particular are the ones at the very end of the function, which represents the successful case. Usually the second free call in the list is the one to seg fault. I noticed someone had a similar issue a few months back, but I was unable to send an email to that person to see if there was any resolution to the problem (title of message thread: OCSP memory leaks). Attached is the code sample...

Some of the newer functions in OpenSSL follow a naming convention. When you have a function like foo_get0_bar() or foo_add1_bar(), the '0' and the '1' indicate how the added or obtained structure behaves. In the '0' case the structure added or obtained will be freed when the parent structure is freed and so it should *not* be freed itself: otherwise the same thing may be freed twice, typically resulting in segmentation violations. In the '1' case the structure should be freed as well as the parent.

So in your example the function OCSP_request_add0_id actually swallows the passed cert id, so you should not free up the certid later: it will be automatically freed up when the request is freed.

Steve.
-- Dr. Stephen Henson, OpenSSL Project http://www.openssl.org/~steve/
Re: How to set a CRLNumber extension in CRL
Dear Steve,
Thank you for your comment. I understand the usage of this extension and fully agree with you.
Best Regards,
-Kiyoshi
Kiyoshi Watanabe