Change Issued By

2011-11-18 Thread Keshav Nair

Hello,
OK, now it's plain and simple: I have generated an OpenSSL 
certificate with PHP, but when I view it, it shows me the same 
"issued by" and "issued to". How do I change the "issued by" things? Now I know 
that we need to add a CA while signing the certificate from 
openssl_csr_sign(), like


openssl_csr_sign ( mixed $csr , mixed $cacert , mixed $priv_key , int $days [, 
array $configargs [, int $serial = 0 ]] )

where $cacert is the CA certificate, and provide a CA certificate in 
it, but when I do that it doesn't make any changes. My main guess is that I 
have to edit the openssl.cnf, but I don't get where to edit to get 
this result. Can you please tell me how to change the issuer, because I have a 
project and I would like to implement OpenSSL in it, and its users can use it to 
create certificates, and all the certificates they create will be issued by us 
as the issuer.

Thank you
Keshav Nair
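The mechanism behind this question, as an added example that is not part of the original post: a certificate's issuer field is simply the subject of the CA whose private key signed it, so a certificate shows the same "issued by" and "issued to" whenever it is signed with its own key. To get a different issuer, the CSR has to be signed with the CA certificate *and* the CA's private key, which is exactly what the $cacert and $priv_key arguments of openssl_csr_sign() correspond to. The script below does the same operation with the openssl command line; all keys, certificates and names are throwaway test material generated by the script itself.

```shell
#!/bin/sh
# Added example (not from the original post): show that the issuer of a
# certificate is the subject of the CA that signed it. All material is
# generated here on the fly in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA: a key and a self-signed certificate. This one is the only cert
#    where issuer == subject by design.
make_ca() {   # make_ca <CA common name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/O=Example Org/CN=$1" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. A user creates a key and a CSR. The CA key never leaves the CA side;
#    the user only submits the CSR.
make_csr() {  # make_csr <name> <CN>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 3. The CA signs the CSR with its own certificate and its own private key.
#    PHP equivalent: openssl_csr_sign($csr, $cacert, $ca_priv_key, $days).
#    Passing the user's key here instead of the CA key yields a self-signed
#    cert again. Prints the path of the new certificate.
sign_csr() {  # sign_csr <name> <days>
    openssl x509 -req -in "$WORK/$1.csr" -days "$2" -sha256 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
    printf '%s\n' "$WORK/$1.pem"
}

# Read back the issuer / subject DN of a certificate (same output format for
# both, so they can be compared as strings).
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Chain check: succeeds only if the certificate was really signed by our CA.
verify_against_ca() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }
```

Serial numbers must be unique per issuer (here -CAcreateserial keeps a counter file next to the CA); in the PHP API that is the $serial argument, which the caller has to manage. The CA private key belongs on the server side of such a project only, never in anything handed to the users who submit CSRs.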

understanding fipsld usage

2011-11-18 Thread Kevin Fowler
Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore Tutorial, looked through this users
group, and read anything else I could find - so I'm not being lazy,
although my questions may be pedestrian... Please correct any
misunderstandings along the way.

I understand that when fipscanister.o is built, its SHA1 digest is
calculated and saved. Then when an application links to
fipscanister.o, fipsld is used, which checks that the SHA1 is correct,
and then calculates the digest for the application and rebuilds it
with that digest embedded. Then, when the application is run and calls
FIPS_mode_set(), the digest is calculated and checked against the
embedded value.

I think that openssl itself is an example of an application built with
the fipscanister.o, is that correct?

When OpenSSL is built, it produces, among other things, the
libcrypto.a static library, which contains what was sequestered in
fipscanister.o. Is that correct?

Now I have a big application to build, and it will have the
FIPS-capable OpenSSL in it. When I do the build, I think the
instructions say that the SHA1 digest has to be re-calculated on this
application, and that value embedded where the previous standalone
value was. Is that correct?

Is my application pulling in the FIPS stuff by linking in the libcrypto.a?

If my application is just too large and complex, do I pretty much need
to go with the shared library, and avoid the part where the digest is
recalculated/re-embedded in the application itself?

Thanks
Kevin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
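A build fragment illustrating the link step the post describes, added here as an example; it is not from the original post or from the FIPS User Guide. The install prefixes FIPSDIR and OPENSSLDIR, the target name myapp and the source file main.c are assumptions to be adjusted to the local tree.

```makefile
# Added example (not from the original post): link an application through
# fipsld so that the digest of fipscanister.o is checked at link time and
# the application's own in-core digest is computed and embedded.
# FIPSDIR / OPENSSLDIR are assumed install locations; adjust as needed.
FIPSDIR    ?= /usr/local/ssl/fips-2.0
OPENSSLDIR ?= /usr/local/ssl

# fipsld is a wrapper script around the real compiler/linker. It runs the
# compiler named in FIPSLD_CC and looks for fipscanister.o,
# fipscanister.o.sha1 and fips_premain.c under FIPSLIBDIR.
FIPSLD := $(FIPSDIR)/bin/fipsld
export FIPSLD_CC  := gcc
export FIPSLIBDIR := $(FIPSDIR)/lib/

CFLAGS  := -I$(OPENSSLDIR)/include
LDFLAGS := -L$(OPENSSLDIR)/lib
LDLIBS  := -lcrypto -ldl

OBJS := main.o

# Ordinary compiles use $(CC); only the final link goes through fipsld.
# The digest fipsld embeds here is the value FIPS_mode_set() recomputes and
# compares at run time, so the executable must not be modified afterwards.
myapp: $(OBJS)
	$(FIPSLD) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS)

%.o: %.c
	$(CC) $(CFLAGS) -c -o $@ $<

.PHONY: clean
clean:
	$(RM) myapp $(OBJS)
```

The same effect is obtained on an existing build system by overriding the linker on the command line, e.g. make CC=$(FIPSDIR)/bin/fipsld FIPSLD_CC=gcc, which is why fipsld accepts the normal compiler driver arguments.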


RE: How to do generate PKCS#7 to embedded system

2011-11-18 Thread Dave Thompson
Correcting myself for the record: 

> From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
> Sent: Thursday, 17 November, 2011 18:53

> [snip] As I said, I don't believe any openssl commandline 
> function will create a 'degenerate' (cert-only) PKCS#7, which 
> is a signeddata with zero signerinfos (and zero digestalgs), 
> omitted or dummy content, and your cert(s). You could:
 
Looking for something else, I discovered that commandline 
'crl2pkcs7 -nocrl -certfile' (obviously :-?) does do this. 

> - (probably) write a tiny program using the PKCS7_* API; 
> on a quick scan it looks like you can just create a 
> (inner) PKCS7 and _set0_other(data,empty octet string), then a 
> (outer) PKCS7 and _set_type(,signed) and _set_content(,thatdata)
> and _add_cert and write it out, but I haven't tested.
 
and I was off some here. The outer PKCS7 needs to have type signed 
and also version, and *point to* a PKCS7_SIGNED whose 'contents' 
are the inner data, but are apparently preallocated and only 
need to be set to omitted data (although I bet empty would work).
And it's _add_certificate, or inline, which crl2p7.c does instead.

[snip other options, still correct but less important]


RE: PKCS7 parse

2011-11-18 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Anamitra Dutta Majumdar
> Sent: Thursday, 17 November, 2011 19:44

> There is a requirement to process a pkcs7 bag of certificate chain.
> Is there an OpenSSL API to parse the certificates in a PKCS7 
> bag and get each of the certificates in the bag as Base64 encoded string.
 
See src/pkcs7.c, which is (already) a commandline utility 
to read signeddata or signenvdata PKCS7 from a file, 
extract the certs and/or CRLs, and write them to files.

You can convert each in-memory cert to base64 by i2d_X509_bio 
on a BIO_f_base64 over BIO_s_{mem,file,fp} as needed. 
Or i2d_X509 to memory and run through EVP_EncodeBlock.

But if you really want PEM, which is base64 with linebreaks 
and labels, just use PEM_write_bio_X509 or PEM_write_X509. 


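The two PKCS#7 threads above, the degenerate cert-only bag from the "How to do generate PKCS#7" reply and the extraction to PEM from the "PKCS7 parse" reply, as one added command-line example that is not part of either post. It builds a cert-only SignedData with crl2pkcs7 -nocrl -certfile, shows via asn1parse that the SignerInfos SET is empty, and pulls the certificates back out as PEM with openssl pkcs7 -print_certs, the CLI counterpart of parsing the PKCS7 and calling PEM_write_bio_X509 on each cert. The test certificates are generated by the script and are constructed input only.

```shell
#!/bin/sh
# Added example (not from the original posts): create a 'degenerate'
# cert-only PKCS#7, inspect its structure, and extract the certs as PEM.
# All certificates are throwaway material generated in a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a self-signed certificate with the given CN.
mk_cert() {  # mk_cert <name> <CN>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Wrap one or more PEM certificates into a SignedData with no SignerInfos:
# -nocrl means no CRL input, each -certfile contributes its certificates.
# Prints the path of the PKCS#7 written (PEM, label "PKCS7").
make_degenerate_p7() {  # make_degenerate_p7 <out.p7b> <cert.pem>...
    out=$1; shift
    args=""
    for c in "$@"; do args="$args -certfile $c"; done
    # $args is intentionally unquoted: it is a list of flag/path pairs and
    # the paths come from mktemp, so they contain no whitespace.
    # shellcheck disable=SC2086
    openssl crl2pkcs7 -nocrl $args -out "$out"
    printf '%s\n' "$out"
}

# Structural check: the last element of SignedData is the SignerInfos SET.
# For a degenerate bag it is an empty constructed SET (length 0).
signerinfos_empty() {  # signerinfos_empty <p7.pem>
    openssl asn1parse -in "$1" | tail -n 1 | grep -q 'l= *0 cons: SET'
}

# Extract every certificate from the bag as PEM (subject=/issuer= comment
# lines plus "-----BEGIN CERTIFICATE-----" blocks). Prints the cert count.
extract_certs_pem() {  # extract_certs_pem <p7.pem> <out.pem>
    openssl pkcs7 -in "$1" -print_certs -out "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}
```

Because the bag carries no signature, its contents are not authenticated by anything inside it; whatever consumes such a PKCS#7 (an embedded device loading a trust store, for instance) still has to validate the certificates it finds against its own anchors rather than trusting them for having arrived in a SignedData wrapper.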