RE: Signature validation in certificates
Thanks Dominique. I guess the openssl verify does these steps to actually verify if an incoming server certificate compares to a root certificate. Regards Geetha -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dominique Lohez Sent: Wednesday, July 09, 2008 7:33 PM To: openssl-users@openssl.org Subject: Re: Signature validation in certificates The signature checkingwork like this The SIGNER ( CA or SERVER ) build a digest with an appropriate algorithm then he encrypt the digest with its private key Within the certificate you know the digest algorithm so you can build this digest and then you decrypt thi sdsignature with the public key of the signer , this must be identical to the digest I hope this helps Dominique LOHEZ Geetha_Priya a écrit : I have read numerous certification related docs. Being new to this technology I don't find any material detailing the manual certificate validation [even the faq on the same heading ] specially verifying key part. I also went through verify.c in openssl but key verification is lost amongst the APIs. Here is my understanding on certificate validation A root certificate [signed by CA] comprises of version, serial num, issuer and subject details, public key algorithm details and a signature which is hash of the rest of cert details further encrypted using private key. This root cert is installed by browsers automatically. The web servers have their certificates signed by these CA. When a https site id accessed , the server sends a server certificate that contains most of the above details (except for changed subject name/validity etc.)along with the signature and a RSA public key Now for certificate validation: First we verify the credentials of issuer/common name etc.. that is clear to me Second step is to match the signature which I find a lil confusing Here do you use public key to decrypt the signature portion of your root certificate and compare it with, the decrypted portion of server certificate (decrypted with public key that appears in server certificate). Does this sound right? The root certificate has public key and signature and so does the server certificate. Please clarify as I am manually trying to verify certificates. Any other C files within openssl which talks the details about signature validation. Thanks for your help Regards Geetha DISCLAIMER: This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] DISCLAIMER: This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL link problem (MacOSX 10.4 - 10.5)
Good day! I'm developing an application for MacOSX and want to use the OpenSSL library (latest one - 0.9.8h) in it. My application has MacOSX 10.4 as minimal target OS, but I'm developing on 10.5 (gcc 4.0) While I was compiling the OpenSSL library, I had to change the CFLAG value for darwin-i386-cc configuration by adding -mmacosx-version-min=10.4 parameter. The compilation was OK, but I failed to link my application with libcrypto.a -- the linker failed to find several symbols: Undefined symbols: _fputs$UNIX2003, referenced from: _write_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _chmod$UNIX2003, referenced from: _RAND_write_file in libcrypto.a(randfile.o) The problem was caused by Crypto library defining macros _POSIX_C_SOURCE (/crypto/ui/ui_openssl.c:125) and _XOPEN_SOURCE (/crypto/rand/randfile.c:60). These macros control the Unix2003 conformance introduced in MacOSX 10.5 (more about it on http://developer.apple.com/releasenotes/Darwin/SymbolVariantsRelNotes/index. html). Of course, if I comment the definitions of macros mentioned above, everything works fine. But maybe this way I lose some functionality? Can anyone tell me how to handle this issue correctly? Best Regards, Igor Lorents __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OpenSSL link problem (MacOSX 10.4 - 10.5)
Good day! I'm developing an application for MacOSX and want to use the OpenSSL library (latest one - 0.9.8h) in it. My application has MacOSX 10.4 as minimal target OS, but I'm developing on 10.5 (gcc 4.0) While I was compiling the OpenSSL library, I had to change the CFLAG value for darwin-i386-cc configuration by adding -mmacosx-version-min=10.4 parameter. The compilation was OK, but I failed to link my application with libcrypto.a -- the linker failed to find several symbols: Undefined symbols: _fputs$UNIX2003, referenced from: _write_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _read_string in libcrypto.a(ui_openssl.o) _chmod$UNIX2003, referenced from: _RAND_write_file in libcrypto.a(randfile.o) The problem was caused by Crypto library defining macros _POSIX_C_SOURCE (/crypto/ui/ui_openssl.c:125) and _XOPEN_SOURCE (/crypto/rand/randfile.c:60). These macros control the Unix2003 conformance introduced in MacOSX 10.5 (more about it on http://developer.apple.com/releasenotes/Darwin/SymbolVariantsRelNotes/index. html). Of course, if I comment the definitions of macros mentioned above, everything works fine. But maybe this way I lose some functionality? Can anyone tell me how to handle this issue correctly? Best Regards, Igor Lorents __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
templates and cert chain validity
Hi there,
I'm just about verification of certs. Since X509v3 there are many
extensions with their own types. Some of them are known to the current
implementation, many aren't.
To implement a validity checking which is aware of different models
shell as of RFC 3280 or chain as af ISIS-MTT.
There are some OIDs that should be used to determine which model should
be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)
which comes with this type:
ValidityModel::= SEQUENCE
{
validityModelIdOBJECT IDENTIFIER
validityModelInfo ANY DEFINED BY validityModelId OPTIONAL
}
Sinse the extension ID (validityModelID) is known, only the Info has to
be coded. I tried:
typedef struct X509ValidityModelInfo_st {
ASN1_OBJECT *info;
} X509VALIDITYMODELINFO;
DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
together with
ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
} ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
and using it with following code
int validityModelIsChain(X509 *_cert)
{
int iRet = 0;
int nid = OBJ_txt2nid(id-validityModel);
X509 *cert = X509_dup(_cert); // local copy
int index = X509_get_ext_by_NID(cert, nid, -1);
X509_EXTENSION *ext = X509_get_ext(cert, index);
if (ext)
{
ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
X509VALIDITYMODELINFO *mi = 0;
d2i_X509VALIDITYMODELINFO(mi, (const unsigned char **)os-data,
os-length);
if (mi mi-info)
{
char buf[60];
nid = OBJ_obj2nid(mi-info);
OBJ_obj2txt(buf, sizeof(buf), mi-info, 0);
printf(ValidityModel: %s\n, buf);
iRet = 1;
}
// X509VALIDITYMODELINFO_free(mi); // bad?
}
// X509_EXTENSION_free(ext); // bad, double-release!
X509_free(cert); // neccessary, else leak, but fails
return iRet;
}
I'm missing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?
==
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs span of life.
Downwards the chain each cert should become valid while the issuers
cert is valid.
I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.
Is there any function to do a comparation of two ASN_TIME values
correctly though different formats and timezones may be in use?
Any hints?
TIA
--
Christian Weber
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
PKCS12_parse Issue?
Hello all,
I'm trying to run a loop to parse the same p12 multple times to take some
metrics. However, after the loop completes twice succesfully, PKCS12_parse
fails. Any suggestions as to why this is happening?
-Chris
while(count 0){
/* Parse the PKCS #12 file with password */
ca = (STACK_OF(X509) *)NULL;
if (!PKCS12_parse(p12, password, pkey, cert, ca))
{
printf(Error parsing file\n);
return -3;
}
/* Find PKey */
if ( (EVP_PKEY *)NULL == pkey ){
//printf(No private key!\n);
}
else{
//printf(Private key found!\n);
}
/* Find Cert */
if ( (X509 *)NULL == cert ){
//printf(No X509!\n);
}
else{
//printf(X509 found!\n);
}
/* Find CA */
if ( (STACK_OF(X509) *)NULL == ca ){
//printf(No CA!\n);
}
else{
//printf(CA found!\n);
}
count--;
EVP_PKEY_free(pkey);
X509_free(cert);
sk_X509_pop_free(ca, X509_free);
}//end while
Errors while building OpenSSL in Windows
I am trying to do a default build of OpenSSL on Windows. The compiler does not like building with ASM files and complains the following: ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj .\crypto\sha\asm\s1_win32.asm Assembling: .\crypto\sha\asm\s1_win32.asm Microsoft (R) Macro Assembler Version 8.00.50727.762 Copyright (C) Microsoft Corporation. All rights reserved. .\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error : integer NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 8\VC\bin\ml.EXE' : return code '0x1' Stop. This problem seems to be a known issue. http://marc.info/?l=openssl-devm=121204499318732w=1 I tried both the solutions mentioned but to no avail. Any other suggestions? Cheers, Simon M
Re: Errors while building OpenSSL in Windows
Hi, This error have been already reported. Check the following link : http://www.mail-archive.com/[EMAIL PROTECTED]/msg24173.html I'm not sure if my fix have been put into cvs. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On Thu, July 10, 2008 10:50 pm, Panthers Rock wrote: I am trying to do a default build of OpenSSL on Windows. The compiler does not like building with ASM files and complains the following: ml /Cp /coff /c /Cx /Focrypto\sha\asm\s1_win32.obj .\crypto\sha\asm\s1_win32.asm Assembling: .\crypto\sha\asm\s1_win32.asm Microsoft (R) Macro Assembler Version 8.00.50727.762 Copyright (C) Microsoft Corporation. All rights reserved. .\crypto\sha\asm\s1_win32.asm(13) : error A2008: syntax error : integer NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 8\VC\bin\ml.EXE' : return code '0x1' Stop. This problem seems to be a known issue. http://marc.info/?l=openssl-devm=121204499318732w=1 I tried both the solutions mentioned but to no avail. Any other suggestions? Cheers, Simon M __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
BN_is_prime_fasttest_ex() goes into an infinite loop because of witness()'s return value
Hello! We've been successfully using openssl for a while on various platforms, but now have a problem with FreeBSD sparc 64. in BN_is_prime_fasttest_ex() calls witness(), which always returns 1 at the line line of the function, and that causes BN_is_prime_fasttest_ex() to go into an infinite loop. We're using gcc version 3.4.6 [FreeBSD] 20060305 configured with: FreeBSD/sparc64 system compiler; thread model: posix. OpenSSL 0.9.7e-p1 25 Oct 2004 Thank you! Yuliya
BN_is_prime_fasttest_ex() goes into an infinite loop because of witness()'s return value
Hello! We've been successfully using openssl for a while on various platforms, but now have a problem with FreeBSD sparc 64. in BN_is_prime_fasttest_ex() calls witness(), which always returns 1 at the line line of the function, and that causes BN_is_prime_fasttest_ex() to go into an infinite loop. We're using gcc version 3.4.6 [FreeBSD] 20060305 configured with: FreeBSD/sparc64 system compiler; thread model: posix. OpenSSL 0.9.7e-p1 25 Oct 2004 Thank you! Yuliya
Re: PKCS12_parse Issue?
On Thu, Jul 10, 2008, Christopher Ivory wrote:
Hello all,
I'm trying to run a loop to parse the same p12 multple times to take some
metrics. However, after the loop completes twice succesfully, PKCS12_parse
fails. Any suggestions as to why this is happening?
-Chris
while(count 0){
/* Parse the PKCS #12 file with password */
ca = (STACK_OF(X509) *)NULL;
if (!PKCS12_parse(p12, password, pkey, cert, ca))
{
printf(Error parsing file\n);
return -3;
}
/* Find PKey */
if ( (EVP_PKEY *)NULL == pkey ){
//printf(No private key!\n);
}
else{
//printf(Private key found!\n);
}
/* Find Cert */
if ( (X509 *)NULL == cert ){
//printf(No X509!\n);
}
else{
//printf(X509 found!\n);
}
/* Find CA */
if ( (STACK_OF(X509) *)NULL == ca ){
//printf(No CA!\n);
}
else{
//printf(CA found!\n);
}
count--;
EVP_PKEY_free(pkey);
X509_free(cert);
sk_X509_pop_free(ca, X509_free);
}//end while
Try the FAQ for details of how to get a more meaningful error code.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
x509 bug? unable to load certificate
Hi, I tried using both the Win32 v0.9.8g and v0.9.8h (along with Shining Light's Visual C++ 2008 Redistributable install) binaries, to no avail. Here's the problem: openssl x509 -inform DER -in smime.p7s -text unable to load certificate 1036:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294: 1036:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_CINF 1036:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=cert_inf o, Type=X509 This failure occurs for all 3 .p7s (detached signature) files I've tried, 2 issued by the US Government, and 1 by Verisign. On the other hand, the following works for all 3 files: openssl pkcs7 -print_certs -inform DER -in smime.p7s -text A bug in x509 or something else? Any workarounds? My intent is to use x509 to reformat one of the certs/pkcs7, so that an email program can better ingest it. Regards, Frank J. Iannarilli [EMAIL PROTECTED] Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA www.aerodyne.com/cosr/cosr.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Website correction request: only subscribers can post to openssl-users
Hi, On the following page: http://www.openssl.org/support/ it declares that anybody can post to the openssl-users. But evidently (from my experience), that's not true; only subscribers can. Unfortunately, browsing the website doesn't unambiguously indicate whom I should notify about this. So this post is the next best thing, I hope. HTHs, Frank J. Iannarilli [EMAIL PROTECTED] Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA www.aerodyne.com/cosr/cosr.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: x509 bug? unable to load certificate
Frank J. Iannarilli wrote: Hi, I tried using both the Win32 v0.9.8g and v0.9.8h (along with Shining Light's Visual C++ 2008 Redistributable install) binaries, to no avail. Here's the problem: openssl x509 -inform DER -in smime.p7s -text unable to load certificate 1036:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294: 1036:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_CINF 1036:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=cert_inf o, Type=X509 This failure occurs for all 3 .p7s (detached signature) files I've tried, 2 issued by the US Government, and 1 by Verisign. On the other hand, the following works for all 3 files: openssl pkcs7 -print_certs -inform DER -in smime.p7s -text A bug in x509 or something else? Any workarounds? My intent is to use x509 to reformat one of the certs/pkcs7, so that an email program can better ingest it. Regards, Frank J. Iannarilli [EMAIL PROTECTED] Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA www.aerodyne.com/cosr/cosr.html Your problem appears to be that you are attempting to use PKCS#7 S/MIME signed _signatures_ as DER _certificates_. Two very different file formats, which is what the ASN.1 routines are complaining about. In other words, you are using OpenSSL incorrectly. It has nothing to do with what version you have installed. What the correct command line is, I have no idea - I don't fiddle with S/MIME. Side note: The VC++ 2008 Redistributable installer is _Microsoft_'s. I don't see how you could mistake the name Microsoft for Shining Light Productions - it is plastered all over their website. I merely provide a link to the _Microsoft_ website that has the download for the _Microsoft_ VC++ 2008 Redistributable installer for the sake of convenience (and to head off the deluge of complaints from clueless souls about OpenSSL not working). Separating the VC++ redistributable from the main installer is beginning to look like a bad idea... People apparently don't bother reading or understanding (or some combination of both). -- Thomas Hruska Shining Light Productions Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL. http://www.slproweb.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Regenerating a p7s file?
Hi, Thanks to Thomas Hruska, responding to my previous post, for straightening out my newbie understanding. Let me try to reframe my how-to question. I have an S/MIME signed_signature .p7s file, that contains certificates. From using: openssl pkcs7 -print_certs -inform DER -in smime.p7s -text I can see that there are *two* certificates pertaining to the signer (CN: common name entity), each with a different serial number. I want to regenerate this .p7s file, omitting one of the two certificates. Or more generally, to modify one of the certificate entries, e.g. to add the Subject Alternative Name field. I've programmed ASM, C, C++, .dlls, so generally know my way around code, but have no experience with crypto infrastructure. I'd appreciate anyone's suggestion for the appropriate sequence of openssl incantations to achieve my objective. Thanks, Frank Frank J. Iannarilli [EMAIL PROTECTED] Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA www.aerodyne.com/cosr/cosr.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
