Re: Annoying Garbage characters in OIDs
On Tue, Aug 02, 2005, Johnny Gonzalez wrote:

> > Número de serie = 9
> > 1.3.6.1.4.1.4710.1.3.2 = 1   ---The 2 first characters are garbage
> > 1.3.6.1.4.1.4710.1.3.1 = 1   ---The 2 first characters are garbage
> > STREET = cra 23              ---The 2 first characters are garbage
> > CN = Prueba 1 cert
> > OU = Internet
> > O = Ubiquando
> > L = Bogota
> > S = Cundinamarca
> >
> > What should I do to avoid these annoying characters in the value of my
> > special OIDs?? Am I doing something wrong when I add the OIDs?
>
> > Looks more like you are having a problem with Windows... What it is doing
> > when it finds an OID it doesn't recognize is to dump the whole encoded
> > component in the manner you describe. So what you really need to do if you
> > need this to display on Windows is to use OIDs that it does recognize.
>
> How can I do that? I mean, our certification policies require that our
> certificates have those 3 OIDs, so following your suggestions, how could I
> use other OIDs that Windows can recognize?
>
> I thought the problem was the way I register the OIDs in OpenSSL to add them
> to the certificates. What do you think? Is there another way to register the
> OIDs in OpenSSL different from what I did?

No, it isn't OpenSSL. OpenSSL is outputting the correct data; it's just that whatever Windows program you are using doesn't recognize the OIDs and has a policy to just dump out the value without interpreting it at all, which isn't very friendly.

In your example ^S^A1 is the DER representation of a PRINTABLESTRING of one octet in length which is the character '1'.

What Windows program produces that output and what version of Windows is it? When I display a certificate using the certificate wizard dialog box it looks fine even if it has OIDs it doesn't recognize.

BTW if you are going to use international characters (basically anything larger than 127) you'd better set string_mask=utf8only in the openssl.cnf file. If you also use the -utf8 input option the terminal *must* send characters in UTF8 format.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Non-std attributes in certificate requests
On Tue, Aug 02, 2005, Philipp Gühring wrote:

> Hi,
>
> How can I include arbitrary binary data in a certificate request with
> OpenSSL?
>
> Currently, I am trying it the following way:
>
>     [ new_oids ]
>     qcsr=1.3.6.1.4.1.18506.1.1
>
>     [ req_attributes ]
>     qcsr = Qualified Public Key Signature
>     qcsr_default=DER:3CB63813C2F6468422BE2A07A1115D218D8b
>
> Do you notice the small b at the end? If it were encoded binary correctly,
> all hex characters would be uppercase or lowercase together. But the result
> is still mixed-case:
>
>     1.3.6.1.4.1.18506.1.1:DER:3CB63813C2F6468422BE2A07A1115D218D8b
>
> Could it be that OpenSSL can only encode arbitrary data in X.509
> certificates, but not in certificate requests?

Nope :-)

OpenSSL can include arbitrary data in *extensions* in certificates. Similarly you can also do that in *extensions* in certificate requests.

What you have above is an attribute in a certificate request the contents of which are assumed to be an ASCII (well, normally ASCII) string. You get a similar result if you tried to put DER in a certificate DN component.

If you do put arbitrary unstructured data in a certificate or request that's likely to choke some ASN1 parsers. A better way is to enclose that data in an OCTET STRING (or whatever is appropriate) using the OpenSSL 0.9.8 mini-ASN1 compiler.

Steve.
-- 
Dr Stephen N. Henson.
openssl 0.9.7a problem with EVP_PKEY loading.
I am having trouble with openssl 0.9.7a. I can't use a newer version because I am using standard Red Hat. I am trying to load a private key into an EVP_PKEY using either a fp or a BIO. So far neither has worked. Here's a quick example of what I'm testing.

    #include <iostream>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/pem.h>

    EVP_PKEY *pkey = NULL;
    BIO *in = NULL;

    in = BIO_new(BIO_s_file());
    BIO_read_filename(in, "mykey.pem");        /* return value not checked */
    pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
    if (!pkey) {
        std::cout << "error pkey not loading." << std::endl;
    }
    EVP_PKEY_free(pkey);
    BIO_free(in);

Can someone explain why it keeps telling me "error pkey not loading"!!! I have tried this with the FILE *fp method as well. Is there something else I need to do, because this is confounding me.

Thanks.

Victor
Re: openssl 0.9.7a problem with EVP_PKEY loading.
Chevalier, Victor T. wrote:

> I am having trouble with openssl 0.9.7a. I can't use a newer version because
> I am using standard Red Hat. I am trying to load a private key into an
> EVP_PKEY using either a fp or a BIO. So far neither has worked. Here's a
> quick example of what I'm testing.
>
>     #include <iostream>
>     #include <openssl/bio.h>
>     #include <openssl/evp.h>
>     #include <openssl/pem.h>
>
>     EVP_PKEY *pkey = NULL;
>     BIO *in = NULL;
>
>     in = BIO_new(BIO_s_file());
>     BIO_read_filename(in, "mykey.pem");        /* return value not checked */
>     pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
>     if (!pkey) {
>         std::cout << "error pkey not loading." << std::endl;
>     }
>     EVP_PKEY_free(pkey);
>     BIO_free(in);
>
> Can someone explain why it keeps telling me "error pkey not loading"!!! I
> have tried this with the FILE *fp method as well. Is there something else I
> need to do, because this is confounding me.
>
> Thanks.
>
> Victor

Are you sure none of the previous functions are failing? Have you called the appropriate OpenSSL initialization calls? Have you obtained the actual error message using standard OpenSSL error handlers?

I would try answering those questions in that order. You are making a lot of assumptions that everything is OK right up to reading in the private key.

Your approach to use BIOs is the right one. FILE pointers make your application non-portable.

-- 
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!
Re: openssl 0.9.7a problem with EVP_PKEY loading.
On Tue, Aug 02, 2005, Chevalier, Victor T. wrote:

> Can someone explain why it keeps telling me "error pkey not loading"!!! I
> have tried this with the FILE *fp method as well. Is there something else I
> need to do, because this is confounding me.

How about reading the FAQ?

Steve.
-- 
Dr Stephen N. Henson.
Simple X509_CERT_AUX and key_id question
Hi all,

In the crypto/x509/x509.h header I can see the following:

    typedef struct x509_cert_aux_st {
        STACK_OF(ASN1_OBJECT) *trust;   /* trusted uses */
        STACK_OF(ASN1_OBJECT) *reject;  /* rejected uses */
        ASN1_UTF8STRING *alias;         /* friendly name */
        ASN1_OCTET_STRING *keyid;       /* key id of private key */
        STACK_OF(X509_ALGOR) *other;    /* other unspecified info */
    } X509_CERT_AUX;

and in the crypto/pkcs12/p12_crt.c file I read, in function PKCS12_create:

    PKCS12 *PKCS12_create(..., EVP_PKEY *pkey, X509 *cert, ...)
    {
        ...
        if (pkey && cert) {
            if (!X509_check_private_key(cert, pkey))
                return NULL;
            X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
        }
        if (cert) {
            bag = PKCS12_add_cert(bags, cert);
            if (name && !PKCS12_add_friendlyname(bag, name, -1))
                goto err;
            if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
                goto err;
        }
        ...
    }

So I understand that the key id is a hash of the X.509 cert and it is not something related to the private key (except that the cert includes the exponent and the modulus of the private key). If I did not make a mistake, X509_digest is just ASN1_digest of an ASN1 conversion of the X509 cert.

Is there a way to get (or compute) this value from my private key? Maybe I missed something ... ;( Is there another part of the code where a hash of the private key is put in the key_id?

Could someone put some light on this??

Thanks in advance,
regards,
Fred
Re: Non-std attributes in certificate requests
Hi,

> OpenSSL can include arbitrary data in *extensions* in certificates.
> Similarly you can also do that in *extensions* in certificate requests.

I tried to put it into extensions before, without luck.

> What you have above is an attribute in a certificate request the contents
> of which are assumed to be an ASCII (well, normally ASCII) string. You get
> a similar result if you tried to put DER in a certificate DN component.

Ok. Accepted.

> If you do put arbitrary unstructured data in a certificate or request
> that's likely to choke some ASN1 parsers. A better way is to enclose that
> data in an OCTET STRING (or whatever is appropriate) using the OpenSSL
> 0.9.8 mini-ASN1 compiler.

Yes, OCTET STRING would also be fine. I just need an efficient method to encode binary data into a certificate request extension, which the CA has to extract and ignore afterwards. (It is meta-information for the CA, and does not go into the certificate.)

Could you give me a short configuration example of how I can put my binary data through hex encoding (or something else) into an OCTET STRING typed extension in a certificate request? (The examples and documentation I could find only cover the certificates, not the requests.)

Regards,
Philipp Gühring
Re: Non-std attributes in certificate requests
On Tue, Aug 02, 2005, Philipp Gühring wrote:

> I just need an efficient method to encode binary data into a certificate
> request extension, which the CA has to extract and ignore afterwards. (It
> is meta-information for the CA, and does not go into the certificate.)
>
> Could you give me a short configuration example of how I can put my binary
> data through hex encoding (or something else) into an OCTET STRING typed
> extension in a certificate request? (The examples and documentation I could
> find only cover the certificates, not the requests.)

The configuration file syntax is identical. In the distributed openssl.cnf file there's a line commented out with req_extensions on it. If you add something like:

    req_extensions = v3_req

    [v3_req]
    1.2.3.4 = ASN1:FORMAT:HEX,OCT:abcdef

Steve.
-- 
Dr Stephen N. Henson.
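The two DER details discussed in this thread and in the "garbage characters" thread above (the ^S^A1 dump being a PRINTABLESTRING tag, length and value, and ASN1:FORMAT:HEX,OCT:abcdef producing an OCTET STRING) can be checked with a small TLV encoder/decoder. This is an added example, not code from OpenSSL or from either poster; the byte strings are constructed, and the decoder also rejects the truncated and non-minimal lengths that a DER parser must refuse.

```python
# Added example (not OpenSSL code): minimal DER TLV encode/decode for the
# PRINTABLESTRING and OCTET STRING cases on this page. Inputs are constructed.

PRINTABLESTRING, OCTET_STRING = 0x13, 0x04   # universal tag numbers
TAG_NAMES = {PRINTABLESTRING: "PRINTABLESTRING", OCTET_STRING: "OCTET STRING"}

def der_encode(tag: int, value: bytes) -> bytes:
    """One TLV: short-form length below 128 bytes, minimal long form above."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_decode(data: bytes) -> tuple:
    """Return (tag, value, rest); rejects truncated or non-minimal lengths."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, first = data[0], data[1]
    if first < 0x80:
        n, pos = first, 2
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or len(data) < 2 + k:
            raise ValueError("bad length octets")
        n, pos = int.from_bytes(data[2:2 + k], "big"), 2 + k
        if n < 0x80 or data[2] == 0:            # DER demands the shortest form
            raise ValueError("non-minimal length encoding")
    if len(data) < pos + n:
        raise ValueError("truncated value")
    return tag, data[pos:pos + n], data[pos + n:]

def is_valid_der(data: bytes) -> bool:
    """True when data is exactly one well-formed TLV with nothing trailing."""
    try:
        return der_decode(data)[2] == b""
    except ValueError:
        return False

def explain_windows_dump(raw: bytes) -> str:
    """Name the tag and decode the value that the viewer dumped verbatim."""
    tag, value, _ = der_decode(raw)
    return f"{TAG_NAMES.get(tag, hex(tag))} len={len(value)} value={value!r}"

def req_extension_value(hexstr: str) -> bytes:
    """Bytes that ASN1:FORMAT:HEX,OCT:<hexstr> yields: an OCTET STRING TLV."""
    return der_encode(OCTET_STRING, bytes.fromhex(hexstr))
```

Feeding the ^S^A1 bytes (0x13 0x01 0x31) to explain_windows_dump shows the tag and length octets that the Windows viewer printed as control characters; req_extension_value("abcdef") gives the 04 03 ab cd ef that a CA would have to unwrap.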