Re: Annoying Garbage characters in OIDs

2005-08-02 Thread Dr. Stephen Henson
On Tue, Aug 02, 2005, Johnny Gonzalez wrote:

   
   Número de serie = 9
   
   1.3.6.1.4.1.4710.1.3.2 = 1  ---The 2 first characters are garbage
   
   1.3.6.1.4.1.4710.1.3.1 = 1  ---The 2 first characters are garbage
   
   STREET = cra 23  ---The 2 first characters are garbage
   
   CN = Prueba 1 cert
   
   OU = Internet
   
   O = Ubiquando
   
   L = Bogota
   
   S = Cundinamarca
   
   What should I do to avoid these annoying characters in the value of my special
   OIDs??
   
   Am I doing something wrong when I add the OIDs?
   
  
  Looks more like you are having a problem with
  Windows...
  
  What it is doing when it finds an OID it doesn't
  recognize is to dump the
  whole encoded component in the manner you describe.
  
  So what you really need to do if you need this to
  display on Windows is to use
  OIDs that it does recognize. 
  
 How can I do that? I mean, our certification politics
 require that our certificates have those 3 OIDs, so
 following your suggestions, how could I use other OIDs
 that windows can recognize?
 
 I thought the problem was the way I register the OIDs
 in openssl to add them to the certificates. What do
 you think? Is there another way to register the OIDs
 in openssl different from what I did?
 

No it isn't OpenSSL. OpenSSL is outputting the correct data, it's just that
whatever Windows program you are using doesn't recognize the OIDs and has a
policy to just dump out the value without interpreting it at all, which isn't
very friendly.

In your example ^S^A1 is the DER representation of a PRINTABLESTRING of one
octet in length which is the character '1'.

What Windows program produces that output and what version of Windows is it?
When I display a certificate using the certificate wizard dialog box it looks
fine even if it has OIDs it doesn't recognize.

BTW if you are going to use international characters (basically anything
larger than 127) you'd better set string_mask=utf8only in the openssl.cnf
file. If you also use the -utf8 input option the terminal *must* send
characters in UTF8 format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Non-std attributes in certificate requests

2005-08-02 Thread Dr. Stephen Henson
On Tue, Aug 02, 2005, Philipp Gühring wrote:

 Hi,
 
 How can I include arbitrary binary data in a certificate request with OpenSSL?
 
 Currently, I am trying it the following way:
 
 [ new_oids ]
 qcsr=1.3.6.1.4.1.18506.1.1
 
 [ req_attributes ]
 qcsr = Qualified Public Key Signature
 qcsr_default=DER:3CB63813C2F6468422BE2A07A1115D218D8b
 
 Do you notice the small b at the end?
 
 If it were encoded binary correctly, all hex-characters would be uppercase or 
 lowercase together.
 
 But the result is still mixed-case:
 
 1.3.6.1.4.1.18506.1.1:DER:3CB63813C2F6468422BE2A07A1115D218D8b
 
 Could it be that OpenSSL can only encode arbitrary data in x.509 
 certificates, 
 but not in certificate requests?
 

Nope :-)

OpenSSL can include arbitrary data in *extensions* in certificates. Similarly
you can also do that in *extensions* in certificate requests.

What you have above is an attribute in a certificate request the contents of
which are assumed to be an ASCII (well normally ASCII) string. You get a
similar result if you tried to put DER in a certificate DN component.

If you do put arbitrary unstructured data in a certificate or request that's
likely to choke some ASN1 parsers. A better way is to enclose that data in an
OCTET STRING (or whatever is appropriate) using the OpenSSL 0.9.8 mini-ASN1
compiler.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


openssl 0.9.7a problem with EVP_PKEY loading.

2005-08-02 Thread Chevalier, Victor T.
I am having trouble with openssl 0.9.7a.  I can't use a newer version
cause I am using standard redhat.

I am trying to load a private key into an EVP_PKEY using either a fp or
a BIO.

So far neither have worked.

Here's a quick example of what I'm testing.

#include <iostream>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
using std::cout;
using std::endl;

EVP_PKEY *pkey = NULL;
BIO *in = NULL;

in = BIO_new(BIO_s_file());            /* file-backed BIO */
BIO_read_filename(in, "mykey.pem");    /* open the PEM key file for reading */
pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);   /* no passphrase callback */
if (!pkey)
{
  cout << "error pkey not loading." << endl;
}
EVP_PKEY_free(pkey);   /* harmless when pkey is NULL */
BIO_free(in);


Can someone explain why it keeps telling me error pkey not loading!!!  I
have tried this with the FILE *fp method as well.  Is there something
else I need to do, cause this is confounding me.

Thanks.
Victor


Re: openssl 0.9.7a problem with EVP_PKEY loading.

2005-08-02 Thread Thomas J. Hruska

Chevalier, Victor T. wrote:

I am having trouble with openssl 0.9.7a.  I can't use a newer version
cause I am using standard redhat.

I am trying to load a private key into an EVP_PKEY using either a fp or
a BIO.

So far neither have worked.

Here's a quick example of what I'm testing.

#include <iostream>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
using std::cout;
using std::endl;

EVP_PKEY *pkey = NULL;
BIO *in = NULL;

in = BIO_new(BIO_s_file());            /* file-backed BIO */
BIO_read_filename(in, "mykey.pem");    /* open the PEM key file for reading */
pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);   /* no passphrase callback */
if (!pkey)
{
  cout << "error pkey not loading." << endl;
}
EVP_PKEY_free(pkey);   /* harmless when pkey is NULL */
BIO_free(in);


Can someone explain why it keeps telling me error pkey not loading!!!  I
have tried this with the FILE *fp method as well.  Is there something
else I need to do, cause this is confounding me.

Thanks.
Victor


Are you sure none of the previous functions are failing?
Have you called the appropriate OpenSSL initialization calls?
Have you obtained the actual error message using standard OpenSSL error 
handlers?


I would try answering those questions in that order.  You are making a 
lot of assumptions that everything is OK right up to reading in the 
private key.  Your approach to use BIOs is the right one.  FILE pointers 
make your application non-portable.



--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!


Re: openssl 0.9.7a problem with EVP_PKEY loading.

2005-08-02 Thread Dr. Stephen Henson
On Tue, Aug 02, 2005, Chevalier, Victor T. wrote:

 
 Can someone explain why it keeps telling me error pkey not loading!!!  I
 have tried this with the FILE *fp method as well.  Is there something
 else I need to do, cause this is confounding me.
 

How about reading the FAQ?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Simple X509_CERT_AUX an key_id question

2005-08-02 Thread Frédéric Donnat
Hi all,

In crypto/x509/x509.h header I can see the following:

typedef struct x509_cert_aux_st
{
STACK_OF(ASN1_OBJECT) *trust;   /* trusted uses */
STACK_OF(ASN1_OBJECT) *reject;  /* rejected uses */
ASN1_UTF8STRING *alias; /* friendly name */
ASN1_OCTET_STRING *keyid;   /* key id of private key */
STACK_OF(X509_ALGOR) *other;/* other unspecified info */
} X509_CERT_AUX;

and in crypto/pkcs12/p12_crt.c file I read:
in function PKCS12 *PKCS12_create ( .EVP_PKEY *pkey, X509 *cert...) {
...
if (pkey && cert)
{
if(!X509_check_private_key(cert, pkey))
return NULL;
X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
}

if (cert)
{
bag = PKCS12_add_cert(&bags, cert);
if(name && !PKCS12_add_friendlyname(bag, name, -1))
goto err;
if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
goto err;
}
}
...
}


So I understand that the key id is a hash of the X.509 cert and it is not 
something related to the private key (except that the cert includes the 
exponent and the modulus of the private key).

If I did not make a mistake, the X509_digest is just ASN1_digest of an ASN1 
conversion of the X509 cert.

Is there a way to get (or compute) this value from my private key?

Maybe I missed something ... ;(
Is there another part of the code where a hash of the private key is put in the 
key_id?

Could someone put some light on this??

Thanks in advance,
regards,


Fred


Re: Non-std attributes in certificate requests

2005-08-02 Thread Philipp Gühring
Hi,

 OpenSSL can include arbitrary data in *extensions* in certificates.
 Similarly you can also do that in *extensions* in certificate requests.

I tried to put it into extensions before, without luck.

 What you have above is an attribute in a certificate request the contents
 of which are assumed to be an ASCII (well normally ASCII) string. You get a
 similar result if you tried to but DER in a certificate DN component.

Ok. Accepted

 If you do put arbitrary unstructured data in a certificate or request
 that's likely to choke some ASN1 parsers. A better way is to enclose that
 data in an OCTET STRING (or whatever is appropriate) using the OpenSSL
 0.9.8 mini-ASN1 compiler.

Yes, OCTET STRING would be also fine.

I just need an efficient method to encode binary data into a certificate 
request extension, which the CA has to extract and ignore afterwards. 
(It is meta-information for the CA, and does not go into the certificate)

Could you give me a short configuration example how I can put my binary data 
through hex encoding (or something else) into an Octet String typed extension 
into a certificate request?

(The examples and documentation I could find only covers the certificates, not 
the requests)

Regards,
Philipp Gühring



Re: Non-std attributes in certificate requests

2005-08-02 Thread Dr. Stephen Henson
On Tue, Aug 02, 2005, Philipp Gühring wrote:
 
 I just need an efficient method to encode binary data into a certificate 
 request extension, which the CA has to extract and ignore afterwards. 
 (It is meta-information for the CA, and does not go into the certificate)
 
 Could you give me a short configuration example how I can put my binary data 
 through hex encoding (or something else) into an Octet String typed extension 
 into a certificate request?
 
 (The examples and documentation I could find only covers the certificates, 
 not 
 the requests)
 

The configuration file syntax is identical. In the distributed openssl.cnf
file there's a line commented out with req_extensions on it. If you add
something like:

req_extensions = v3_req

[v3_req]

1.2.3.4 = ASN1:FORMAT:HEX,OCT:abcdef

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
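Two points in this thread come down to the same DER detail: the "garbage" ^S^A in front of the '1' in the first message is a PrintableString tag (0x13) and a length byte (0x01), and the ASN1:FORMAT:HEX,OCT:abcdef line in Steve's last reply produces an OCTET STRING whose encoding is 04 03 ab cd ef. The block below is an added example, not code from the thread or from OpenSSL; it is a stdlib-only DER tag/length/value encoder and decoder (primitive, definite-length elements only, which covers both values here). The byte strings GARBAGE_VALUE and OCTET_STRING_VALUE are constructed from the values quoted on this page.

```python
# Added example (not from the thread): minimal DER TLV encoder/decoder used to
# show (a) what the viewer dumped as ^S^A1 and (b) what the config line
# 1.2.3.4 = ASN1:FORMAT:HEX,OCT:abcdef puts into a request extension.
# Handles single-byte tags and definite lengths only; no indefinite length.

TAG_NAMES = {
    0x04: "OCTET STRING",
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x16: "IA5String",
}

def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one primitive DER element: tag, minimal definite length, contents."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb    # long form: 0x8N + N length bytes
    return bytes([tag]) + length + value

def decode_tlv(data: bytes):
    """Decode one DER element; returns (tag, contents, bytes_consumed).

    Rejects truncated input and non-minimal lengths, which is the kind of
    input that chokes ASN.1 parsers when raw, unstructured bytes are stored."""
    if len(data) < 2:
        raise ValueError("truncated DER: need at least tag and length")
    tag = data[0]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    first = data[1]
    if first < 0x80:
        n, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or len(data) < 2 + nbytes:
            raise ValueError("bad long-form length")
        n = int.from_bytes(data[2:2 + nbytes], "big")
        hdr = 2 + nbytes
        if n < 0x80 or (nbytes > 1 and data[2] == 0):
            raise ValueError("non-minimal length encoding is not valid DER")
    if len(data) < hdr + n:
        raise ValueError("truncated DER: length exceeds available data")
    return tag, data[hdr:hdr + n], hdr + n

def describe(data: bytes) -> str:
    """Render one element the way a DER-aware certificate viewer would."""
    tag, contents, _ = decode_tlv(data)
    name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
    if tag in (0x13, 0x16):
        return "%s %r" % (name, contents.decode("ascii"))
    if tag == 0x0C:
        return "%s %r" % (name, contents.decode("utf-8"))
    return "%s %s" % (name, contents.hex())

# (a) First message: ^S is 0x13 (PrintableString tag), ^A is 0x01 (length),
#     then the single character '1'.  Constructed from the bytes Steve names.
GARBAGE_VALUE = b"\x13\x011"

# (b) Last message: OCT:abcdef wraps the three bytes ab cd ef in an OCTET
#     STRING, so the extension value on the wire is 04 03 ab cd ef.
OCTET_STRING_VALUE = encode_tlv(0x04, bytes.fromhex("abcdef"))

if __name__ == "__main__":
    print(describe(GARBAGE_VALUE))        # PrintableString '1'
    print(OCTET_STRING_VALUE.hex())       # 0403abcdef
    print(describe(OCTET_STRING_VALUE))   # OCTET STRING abcdef
```

The decoder deliberately rejects truncated and non-minimally encoded lengths rather than guessing, which is the behaviour you want from anything that parses attribute or extension values it did not produce itself.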