Format error in certificate´s notAfter field
Hi, I´m trying to connect to my vpn server, using tunnelblick, but thinking this is a openssl stuff... may be I am wrong. When connecting I got (XX is a placeholder) : 2020-12-22 17:32:49.423703 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=es, L=P, O=XX, CN=XX, emailAddress=XX, serial=17702460327850242852 I have checked this: https://mta.openssl.org/pipermail/openssl-users/2019-March/010018.html , but seems to be something different. When checking UTC field for server CA cert, I got: % openssl asn1parse -in ca.crt | grep UTC 207:d=3 hl=2 l= 13 prim: UTCTIME :170908154452Z 222:d=3 hl=2 l= 13 prim: UTCTIME :360718151218Z Why 'format error in certicate´s notAfter field' error? thx --
Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?
In openssl 1.1.1, I see that this bn_mod_exp function is called from "rsa_ossl_public_decrypt" : 566 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 567rsa->_method_mod_n)) { 568 goto err; 569 } so we are doing "f^(rsa->e)mod(rsa->n)" , this result is being filled in ret (a BIGNUM* type). This 'ret' variable is not a part of the RSA structure . So I think we need look for any bignum "BN" set functions(if available) to modify the BIGNUM structure attributes like 'd' array,top & dmax values , ..as this ret variable isn't the part of RSA structure (yet) when the bn_mod_exp is called. Checkout this function "rsa_ossl_public_decrypt" for more details. Hope that clarifies the scenario . Please let me know if you have any questions. Thanks, Prudvi. On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote: > > > > Hello all, > > > > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( > bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code > snippet of custom bn_mod_exp function: > > -- > > if(rr->d) > > { > > OPENSSL_free(rr->d); > > } > > rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > > rr->top = m->top; > > rr->dmax = m->top; > > rr->neg = 0; > > > > publicKeyData.operandALength = a->top * sizeof(BN_ULONG); > > publicKeyData.operandA = ( System::BYTE * )( a->d ); > > publicKeyData.operandBLength = p->top * sizeof(BN_ULONG); > > publicKeyData.operandB = ( System::BYTE * )( p->d ); > > publicKeyData.modulusLength = m->top * sizeof(BN_ULONG); > > publicKeyData.modulus = ( System::BYTE * )( m->d ); > > > > publicKeyData.resultLength = m->top * sizeof(BN_ULONG); > > publicKeyData.result = ( System::BYTE * )( rr->d ); > > > > calculate ( publicKeyData );< Bytes in "rr->d" buffer. > > -- > > I found a few 'get' functions (no set functions though) like -- > bn_get_top , bn_get_dmax. These are in "bn_intern.c" , not in "bn_lib.c" > (or BN API). > >OPENSSL_free(rr->d) > >rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > > rr->top = m->top; > > rr->dmax = m->top; > > rr->neg = 0 > > > > As forward declarations are no longer allowed in openssl 1.1.1 , how to > replicate above operations in openssl 1.1.1 ? > > Are there any Set functions for set, dmax , d values (allocate memory > for rr->d) . ?! > > Please help me on this!! > > > > Thanks, > > Prudvi. > > > > IIUC, this is just a side effect of not being able to access the RSA > structure directly like in openssl 1.0.2 days. > The function RSA_set0_key() will allow you to set D, and there are > routines for other portions of the struct as well. > When the structure went opaque, getter and setters we're added for > your use, see: > - https://www.openssl.org/docs/man1.1.1/man3/RSA_set0_key.html > > If you need to keep backwards compat with 1.0.2, you can define those > getter/setter functions when building with 1.0.2 in your source > code. However, it's strongly recommended to not be using 1.0.2. > > Bill >
Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?
On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote: > > Hello all, > > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( > bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code > snippet of custom bn_mod_exp function: > -- > if(rr->d) > { > OPENSSL_free(rr->d); > } > rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > rr->top = m->top; > rr->dmax = m->top; > rr->neg = 0; > > publicKeyData.operandALength = a->top * sizeof(BN_ULONG); > publicKeyData.operandA = ( System::BYTE * )( a->d ); > publicKeyData.operandBLength = p->top * sizeof(BN_ULONG); > publicKeyData.operandB = ( System::BYTE * )( p->d ); > publicKeyData.modulusLength = m->top * sizeof(BN_ULONG); > publicKeyData.modulus = ( System::BYTE * )( m->d ); > > publicKeyData.resultLength = m->top * sizeof(BN_ULONG); > publicKeyData.result = ( System::BYTE * )( rr->d ); > > calculate ( publicKeyData );< "rr->d" buffer. > -- > I found a few 'get' functions (no set functions though) like -- bn_get_top > , bn_get_dmax. These are in "bn_intern.c" , not in "bn_lib.c" (or BN API). >OPENSSL_free(rr->d) >rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > rr->top = m->top; > rr->dmax = m->top; > rr->neg = 0 > > As forward declarations are no longer allowed in openssl 1.1.1 , how to > replicate above operations in openssl 1.1.1 ? > Are there any Set functions for set, dmax , d values (allocate memory for > rr->d) . ?! > Please help me on this!! > > Thanks, > Prudvi. > IIUC, this is just a side effect of not being able to access the RSA structure directly like in openssl 1.0.2 days. The function RSA_set0_key() will allow you to set D, and there are routines for other portions of the struct as well. When the structure went opaque, getter and setters we're added for your use, see: - https://www.openssl.org/docs/man1.1.1/man3/RSA_set0_key.html If you need to keep backwards compat with 1.0.2, you can define those getter/setter functions when building with 1.0.2 in your source code. However, it's strongly recommended to not be using 1.0.2. Bill
How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?
Hello all, We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code snippet of custom bn_mod_exp function: -- if(rr->d) { OPENSSL_free(rr->d); } rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); rr->top = m->top; rr->dmax = m->top; rr->neg = 0; publicKeyData.operandALength = a->top * sizeof(BN_ULONG); publicKeyData.operandA = ( System::BYTE * )( a->d ); publicKeyData.operandBLength = p->top * sizeof(BN_ULONG); publicKeyData.operandB = ( System::BYTE * )( p->d ); publicKeyData.modulusLength = m->top * sizeof(BN_ULONG); publicKeyData.modulus = ( System::BYTE * )( m->d ); publicKeyData.resultLength = m->top * sizeof(BN_ULONG); publicKeyData.result = ( System::BYTE * )( rr->d ); calculate ( publicKeyData );d) rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); rr->top = m->top; rr->dmax = m->top; rr->neg = 0 As forward declarations are no longer allowed in openssl 1.1.1 , how to replicate above operations in openssl 1.1.1 ? Are there any Set functions for set, dmax , d values (allocate memory for rr->d) . ?! Please help me on this!! Thanks, Prudvi.