Re: Checking certificate chain

2010-10-27 Thread Bruce Stephens
Plot Lost  writes:

[...]

> For this particular project I'm required to check each step
> individually, not the entire chain at once.

That's what verifying the chain does (see the implementation of
X509_verify_cert()).  You could add a callback using
X509_STORE_CTX_set_verify_cb().  That doesn't seem to have a separate
manpage but reading the manpage for SSL_CTX_set_verify() should explain
it.  (SSL_CTX_set_verify() just sets the callback in X509_STORE_CTX.)

> How can I get verify_cert to say that the server cert is ok according
> to the inter cert, regardless of any other cert that may be needed to
> complete the chain. (The code will then go on to check inter against
> root, or against another inter etc as needed assuming each step is
> completed ok)

Presuming using X509_verify_cert() and a callback really isn't suitable,
you can use X509_check_issued() to see if one certificate issued another
and check the signature by getting the public key (X509_get_pubkey())
and verifying using X509_verify().  Or something like that; really it
seems safer to me to use X509_verify_cert().

There are checks that have to be performed in context which
X509_verify_cert() does (path constraints, policy constraints, etc.),
and it seems easy to skip a few if you're not careful.  (See section 6
of RFC 5280.)
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: How can I load a PEM key stored in a string instead from a file?

2010-10-27 Thread Michael S. Zick
On Tue October 26 2010, Leandro Santiago wrote:
> Sorry. I don't understand everything. Do you have any code example?
> I've tried to read the source code of these functions, but
> PEM_read_PrivateKey is a macro (and I hate read big macros) :-(
> 

gcc -E ... >output.txt
is your answer to that complaint.

Mike
> 2010/10/26 Wim Lewis :
> > PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an 
> > arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which 
> > knows how to read a private key blob specifically).
> >
> > PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and 
> > calls PEM_ASN1_read_bio(). If you want, you can instead create a BIO from 
> > your string using something like BIO_new_mem_buf() and call 
> > PEM_ASN1_read_bio() yourself. (A BIO is an openssl object that's like a 
> > more general-purpose FILE*.)
> >
> > BTW, if your keys are stored in a database, there's probably no need for 
> > them to be PEM-encoded; you can save a bit of space and time by storing 
> > them in DER format and calling d2i_PrivateKey() directly. (PEM format is 
> > more or less just base64-encoded DER.) There's a FAQ entry on this:
> >    http://www.openssl.org/support/faq.html#PROG3


Re: Checking certificate chain

2010-10-27 Thread Martin Kaiser
Hi,

Thus wrote Plot Lost (plot.l...@gmail.com):

> > Stick them in an X509_STORE_CTX and call X509_verify_cert().  See
> > apps/verify.c for an example.

> I'm using verify_cert, and whilst that works to allow me to check that
> inter_cert is ok according to root_cert (result = 1) I can't check
> that server_cert is ok according to inter_cert (that gets result =0,
> error 'unable to get issuer certificate')

> For this particular project I'm required to check each step
> individually, not the entire chain at once.

> How can I get verify_cert to say that the server cert is ok according
> to the inter cert, regardless of any other cert that may be needed to
> complete the chain. (The code will then go on to check inter against
> root, or against another inter etc as needed assuming each step is
> completed ok)

you could define a callback function for the verification by using

X509_STORE_set_verify_cb_func(store, myCallback);

myCallback has the following parameters

int myCallback(int ok, X509_STORE_CTX *ctx)

When you call X509_verify_cert(), OpenSSL will call your callback
function after each verification step.

Inside the callback function, you can call

X509_STORE_CTX_get_current_cert(ctx)

to get the certificate that's currently being verified, the ok parameter
will give you OpenSSL's verification status.

Maybe this helps,

   Martin


Re: Checking certificate chain

2010-10-27 Thread Plot Lost
>> Hi, I'm trying to figure out how to check a certificate is valid
>> according to a chain of certificates.
>>
>> There are 3 certs in all, and they are all held as X509 data in memory, e.g.
>>
>> X509 *server_cert;
>> X509 *inter_cert;
>> X509 *root_cert;
>>
>> How can I check that 'server_cert' is authenticated by 'inter_cert',
>> and that in turn is authenticated by 'root_cert' ?
>
> Stick them in an X509_STORE_CTX and call X509_verify_cert().  See
> apps/verify.c for an example.
>

I'm using verify_cert, and whilst that works to allow me to check that
inter_cert is ok according to root_cert (result = 1) I can't check
that server_cert is ok according to inter_cert (that gets result =0,
error 'unable to get issuer certificate')

For this particular project I'm required to check each step
individually, not the entire chain at once.

How can I get verify_cert to say that the server cert is ok according
to the inter cert, regardless of any other cert that may be needed to
complete the chain. (The code will then go on to check inter against
root, or against another inter etc as needed assuming each step is
completed ok)


Re: Checking certificate chain

2010-10-27 Thread Bruce Stephens
Plot Lost  writes:

> Hi, I'm trying to figure out how to check a certificate is valid
> according to a chain of certificates.
>
> There are 3 certs in all, and they are all held as X509 data in memory, e.g.
>
> X509 *server_cert;
> X509 *inter_cert;
> X509 *root_cert;
>
> How can I check that 'server_cert' is authenticated by 'inter_cert',
> and that in turn is authenticated by 'root_cert' ?

Stick them in an X509_STORE_CTX and call X509_verify_cert().  See
apps/verify.c for an example.

[...]



Re: Adding Hash to Application : Static Build - OpenSSL With FIPS

2010-10-27 Thread rajesh kumar
Hi Jeff,

First of all, a big thanks for the reply.

I am trying to build it on Windows using VS2005.

As suggested by Dr. Stephen and others on OpenSSL threads, I have built the
FIPS 1.2 module and then linked it against the OpenSSL 0.9.8l build to get a
FIPS-capable OpenSSL:

- cd C:\OPENSSL_BUILD\openssl-fips-1.2
- ms\do_fips no-asm - this builds the FIPS module
- cd C:\OPENSSL_BUILD\openssl-0.9.8l
- perl Configure VC-WIN32 fips --with-fipslibdir="C:\OPENSSL_BUILD\openssl-fips-1.2\out32dll"
- nmake -f ms\nt.mak - to build static OpenSSL

First I would like to know if the steps and procedure I followed to
build OpenSSL with FIPS are correct.

Can you please help me here?


>> 5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could
>> not bind to the requested symbol
(1) What symbol is fipslink.pl trying to locate?

5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the requested symbol name:.\crypto\dso\dso_win32.c:288:symname(FINGERPRINT_premain)

It shows the error with symname FINGERPRINT_premain; this is when I try
to call fipslink.pl to add the hash to my application.


Thanks,

Rajesh.




On Wed, Oct 27, 2010 at 1:18 PM, Jeffrey Walton  wrote:

> Hi Rajesh,
>
> I've had success with integrity checking using MACs and signatures for
> both PE/PE+ and Elf32/64 executables and dynamic libraries on their
> respective platforms (not limited to a OpenSSL dll). If I recall,
> OpenSSL is only trying to embed a MAC.
>
> >> 5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could
> >> not bind to the requested symbol
> (1) What symbol is fipslink.pl trying to locate?
>
> (2) How is fipslink.pl trying to locate it? Is it through MinGW and nm
> (or other command); or is it using the Windows DebugHelp library?
>
> (3) Is the symbol present in the module? If using MinGW, try "nm -D".
> If using a Microsoft compatible tool, use a visual tool such as
> PEBrowse, or a command line tool such as dumpbin.
>
> Jeff
>
> On Wed, Oct 27, 2010 at 2:07 AM, rajesh kumar 
> wrote:
> > sorry to repost it ... sorry if it's annoying anyone..
> > has anyone faced with same issues ... really need of help here ...
> > Thanks,
> > Rajesh.
> >
> > On Tue, Oct 26, 2010 at 3:54 PM, rajesh kumar 
> > wrote:
> >>
> >> Hi All,
> >> According to UserGuide i am trying to add hash to my Project DLL as i am
> >> linking the OpenSSL Lib statically.
> >> While calling fipslink.pl i do see following link errors..
> >>
> >> Dump from the command prompt ...
> >> TSPFIPS>nmake -f Add_FipsHash_TSP.mak
> >> Microsoft (R) Program Maintenance Utility Version 8.00.50727.42
> >> Copyright (C) Microsoft Corporation.  All rights reserved.
> >> Building CiscoTSP with Hash for Self Test
> >> SET FIPS_LINK=link
> >> SET FIPS_CC=cl
> >> SET FIPS_CC_ARGS=/Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3
> >> /WX /Gs
> >> 0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL
> >> -DWIN32_LEAN_AND_MEAN
> >>  -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE
> >> -D_CRT_NONSTDC_NO_DEPRECATE /
> >> Fdout32 -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5
> >> -DOPENSSL_NO_MD
> >> C2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG
> >> -DOPENSSL_NO_KRB5 -D
> >> OPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE /Zl  -c
> >> SET
> >> FIPS_PREMAIN_SRC=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o
> >> penssl-fips-1.2\out32\fips_premain.c
> >> SET
> >> PREMAIN_DSO_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\op
> >> enssl-fips-1.2\out32\fips_premain_dso.exe
> >> SET
> >> PREMAIN_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o
> >> penssl-fips-1.2\out32\fips_standalone_sha1.exe
> >> SET
> >> FIPS_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\open
> >> ssl-fips-1.2\out32\fips_standalone_sha1.exe
> >> SET
> >> O_FIPSCANISTER=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\ope
> >> nssl-fips-1.2\out32\fipscanister.lib
> >> SET FIPS_TARGET="..\Win32\ReleaseMinDependency\CiscoTSP.dll"
> >> SET
> >> FIPSLIB_D=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\openssl-
> >> fips-1.2\out32
> >> perl fipslink.pl /nologo /opt:ref /machine:x86
> /subsystem:console
> >> /dll /
> >> NOENTRY msvcrt.lib /NODEFAULTLIB:nochkclr.obj
> >> /INCLUDE:__dllmaincrtstar...@12 /m
> >> ap /out:"..\Win32\ReleaseMinDependency\CiscoTSP.dll"
> >> @C:\DOCUME~1\drajesh\LOCALS
> >> ~1\Temp\nm4A1.tmp
> >> Integrity check OK
> >> cl /Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy
> >> /nologo -DOP
> >> ENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL -DWIN32_LEAN_AND_MEAN -DL_ENDIAN
> >> -DDSO_WIN3
> >> 2 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32
> >> -DOPENSSL_NO_C
> >> AMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2
> >> -DOPENSSL_NO_CMS -D
> >> OPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS
> >> -DOPENSSL
> >> _NO_DYNAMIC_ENGINE /Zl  -c
> >> C:\OpenSSL-work\OpenSSL_Downloa

Checking certificate chain

2010-10-27 Thread Plot Lost
Hi, I'm trying to figure out how to check a certificate is valid
according to a chain of certificates.

There are 3 certs in all, and they are all held as X509 data in memory, e.g.

X509 *server_cert;
X509 *inter_cert;
X509 *root_cert;

How can I check that 'server_cert' is authenticated by 'inter_cert',
and that in turn is authenticated by 'root_cert' ?

Also, can this be extended to more than one inter_cert if needed?

This is not running as a client/server, so no SSL or CTX structures
allocated, just the X509 data.

Thanks for any help on this.


Re: Adding Hash to Application : Static Build - OpenSSL With FIPS

2010-10-27 Thread Jeffrey Walton
Hi Rajesh,

I've had success with integrity checking using MACs and signatures for
both PE/PE+ and Elf32/64 executables and dynamic libraries on their
respective platforms (not limited to a OpenSSL dll). If I recall,
OpenSSL is only trying to embed a MAC.

>> 5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could
>> not bind to the requested symbol
(1) What symbol is fipslink.pl trying to locate?

(2) How is fipslink.pl trying to locate it? Is it through MinGW and nm
(or other command); or is it using the Windows DebugHelp library?

(3) Is the symbol present in the module? If using MinGW, try "nm -D".
If using a Microsoft compatible tool, use a visual tool such as
PEBrowse, or a command line tool such as dumpbin.

Jeff

On Wed, Oct 27, 2010 at 2:07 AM, rajesh kumar  wrote:
> sorry to repost it ... sorry if it's annoying anyone..
> has anyone faced with same issues ... really need of help here ...
> Thanks,
> Rajesh.
>
> On Tue, Oct 26, 2010 at 3:54 PM, rajesh kumar 
> wrote:
>>
>> Hi All,
>> According to UserGuide i am trying to add hash to my Project DLL as i am
>> linking the OpenSSL Lib statically.
>> While calling fipslink.pl i do see following link errors..
>>
>> Dump from the command prompt ...
>> TSPFIPS>nmake -f Add_FipsHash_TSP.mak
>> Microsoft (R) Program Maintenance Utility Version 8.00.50727.42
>> Copyright (C) Microsoft Corporation.  All rights reserved.
>> Building CiscoTSP with Hash for Self Test
>>         SET FIPS_LINK=link
>>         SET FIPS_CC=cl
>>         SET FIPS_CC_ARGS=/Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3
>> /WX /Gs
>> 0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL
>> -DWIN32_LEAN_AND_MEAN
>>  -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE
>> -D_CRT_NONSTDC_NO_DEPRECATE /
>> Fdout32 -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5
>> -DOPENSSL_NO_MD
>> C2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG
>> -DOPENSSL_NO_KRB5 -D
>> OPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE /Zl  -c
>>         SET
>> FIPS_PREMAIN_SRC=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o
>> penssl-fips-1.2\out32\fips_premain.c
>>         SET
>> PREMAIN_DSO_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\op
>> enssl-fips-1.2\out32\fips_premain_dso.exe
>>         SET
>> PREMAIN_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o
>> penssl-fips-1.2\out32\fips_standalone_sha1.exe
>>         SET
>> FIPS_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\open
>> ssl-fips-1.2\out32\fips_standalone_sha1.exe
>>         SET
>> O_FIPSCANISTER=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\ope
>> nssl-fips-1.2\out32\fipscanister.lib
>>         SET FIPS_TARGET="..\Win32\ReleaseMinDependency\CiscoTSP.dll"
>>         SET
>> FIPSLIB_D=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\openssl-
>> fips-1.2\out32
>>         perl fipslink.pl /nologo /opt:ref /machine:x86 /subsystem:console
>> /dll /
>> NOENTRY msvcrt.lib /NODEFAULTLIB:nochkclr.obj
>> /INCLUDE:__dllmaincrtstar...@12 /m
>> ap /out:"..\Win32\ReleaseMinDependency\CiscoTSP.dll"
>> @C:\DOCUME~1\drajesh\LOCALS
>> ~1\Temp\nm4A1.tmp
>> Integrity check OK
>> cl /Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy
>> /nologo -DOP
>> ENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL -DWIN32_LEAN_AND_MEAN -DL_ENDIAN
>> -DDSO_WIN3
>> 2 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32
>> -DOPENSSL_NO_C
>> AMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2
>> -DOPENSSL_NO_CMS -D
>> OPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS
>> -DOPENSSL
>> _NO_DYNAMIC_ENGINE /Zl  -c
>> C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\ope
>> nssl-fips-1.2\out32/fips_premain.c
>> fips_premain.c
>> link /nologo /opt:ref /machine:x86 /subsystem:console /dll /NOENTRY
>> msvcrt.lib /
>> NODEFAULTLIB:nochkclr.obj /INCLUDE:__dllmaincrtstar...@12 /map
>> /out:..\Win32\Rel
>> easeMinDependency\CiscoTSP.dll
>> @C:\DOCUME~1\drajesh\LOCALS~1\Temp\nm4A1.tmp
>>
>> C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\openssl-fips-1.2\out32\fips_pr
>> emain_dso.exe "..\Win32\ReleaseMinDependency\TSP.dll"
>> 5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to
>> the r
>> equested symbol
>> name:.\crypto\dso\dso_win32.c:288:symname(FINGERPRINT_premain)
>> 5292:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to
>> the req
>> uested symbol name:.\crypto\dso\dso_lib.c:294:
>> Get hash failure at fipslink.pl line 48.
>> NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x1'
>>
> >> Can someone tell me if I am missing anything?
>> Thanks,
>> Rajesh.
>