Format error in certificate's notAfter field

2020-12-22 Thread Raúl Uría Elices
Hi,

I'm trying to connect to my VPN server, using Tunnelblick, but I'm thinking
this is OpenSSL stuff... maybe I am wrong.


When connecting I got (XX is a placeholder):

2020-12-22 17:32:49.423703 VERIFY ERROR: depth=0, error=format error in
certificate's notAfter field: C=es, L=P, O=XX, CN=XX,
emailAddress=XX, serial=17702460327850242852

I have checked this:
https://mta.openssl.org/pipermail/openssl-users/2019-March/010018.html,
but it seems to be something different.

When checking the UTC field for the server CA cert, I got:

% openssl asn1parse -in ca.crt  | grep UTC
  207:d=3  hl=2 l=  13 prim: UTCTIME   :170908154452Z
  222:d=3  hl=2 l=  13 prim: UTCTIME   :360718151218Z

Why the 'format error in certificate's notAfter field' error?


thx

-- 
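The log line reports the error at depth=0, which is the peer's own certificate, while the asn1parse output above comes from ca.crt; both CA values are in the 13-character UTCTime form that RFC 5280 requires. As an added example (not part of the original post and not OpenSSL's code), this stand-alone C check classifies a time string against the two fixed RFC 5280 forms, so the same test can be applied to the times asn1parse prints for the depth=0 certificate; the non-conforming sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum time_kind { TIME_BAD = 0, TIME_UTC = 1, TIME_GENERALIZED = 2 };

/* Value of two ASCII digits (caller has already checked they are digits). */
static int two(const char *s) { return (s[0] - '0') * 10 + (s[1] - '0'); }

/* Classify a certificate time string against the fixed RFC 5280 forms:
 * UTCTime YYMMDDHHMMSSZ (13 chars) or GeneralizedTime YYYYMMDDHHMMSSZ (15). */
enum time_kind rfc5280_time_kind(const char *s)
{
    size_t n = strlen(s), i;
    const char *f;

    if (n != 13 && n != 15)          /* rejects seconds-less and offset forms */
        return TIME_BAD;
    if (s[n - 1] != 'Z')             /* must be Zulu time, not +hhmm */
        return TIME_BAD;
    for (i = 0; i + 1 < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return TIME_BAD;
    f = s + (n == 13 ? 2 : 4);       /* skip the year digits */
    if (two(f) < 1 || two(f) > 12 || two(f + 2) < 1 || two(f + 2) > 31 ||
        two(f + 4) > 23 || two(f + 6) > 59 || two(f + 8) > 59)
        return TIME_BAD;
    return n == 13 ? TIME_UTC : TIME_GENERALIZED;
}

/* UTCTime has a two-digit year: RFC 5280 reads 00-49 as 20YY, 50-99 as 19YY. */
int utctime_full_year(const char *s)
{
    int yy = two(s);
    return yy < 50 ? 2000 + yy : 1900 + yy;
}

int main(void)
{
    /* First two values are from the asn1parse output; the rest are constructed. */
    const char *samples[] = { "170908154452Z", "360718151218Z", "3607181512Z",
                              "360718151218+0000", "20360718151218Z" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s -> %d\n", samples[i], rfc5280_time_kind(samples[i]));
    return 0;
}
```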

 



Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

2020-12-22 Thread prudvi raj
In openssl 1.1.1,
I see that this bn_mod_exp function is called from "rsa_ossl_public_decrypt":

    if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
                               rsa->_method_mod_n)) {
        goto err;
    }

So we are doing "f^(rsa->e) mod (rsa->n)", and this result is being filled in
ret (a BIGNUM* type).
This 'ret' variable is not a part of the RSA structure. So I think we need
to look for any bignum "BN" set functions (if available) to modify the BIGNUM
structure attributes like the 'd' array, top & dmax values, as this ret
variable isn't part of the RSA structure (yet) when bn_mod_exp is
called.

Check out this function "rsa_ossl_public_decrypt" for more details.

Hope that clarifies the scenario.
Please let me know if you have any questions.

Thanks,
Prudvi.

On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote:
> >
> > Hello all,
> >
> > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .(
> > bn_mod_exp).  I am trying to rewrite that logic for openssl 1.1.1. Code
> > snippet of custom bn_mod_exp function:
> > --
> > if(rr->d)
> > {
> > OPENSSL_free(rr->d);
> > }
> > rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
> > rr->top = m->top;
> > rr->dmax = m->top;
> > rr->neg = 0;
> >
> > publicKeyData.operandALength = a->top * sizeof(BN_ULONG);
> > publicKeyData.operandA = ( System::BYTE * )( a->d );
> > publicKeyData.operandBLength = p->top * sizeof(BN_ULONG);
> > publicKeyData.operandB = ( System::BYTE * )( p->d );
> > publicKeyData.modulusLength = m->top * sizeof(BN_ULONG);
> > publicKeyData.modulus = ( System::BYTE * )( m->d );
> >
> > publicKeyData.resultLength = m->top * sizeof(BN_ULONG);
> > publicKeyData.result = ( System::BYTE * )( rr->d );
> >
> > calculate ( publicKeyData );< Bytes in "rr->d" buffer.
> > --
> >  I found  a few 'get' functions (no set functions though) like --
> > bn_get_top , bn_get_dmax. These are in "bn_intern.c" , not in "bn_lib.c"
> > (or BN API).
> > OPENSSL_free(rr->d)
> > rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
> > rr->top = m->top;
> > rr->dmax = m->top;
> > rr->neg = 0
> >
> > As forward declarations are no longer allowed in openssl 1.1.1 , how to
> > replicate above operations in openssl 1.1.1 ?
> > Are there any Set functions for set, dmax , d values (allocate memory
> > for rr->d) . ?!
> > Please help me on this!!
> >
> > Thanks,
> > Prudvi.
> >
>
> IIUC, this is just a side effect of not being able to access the RSA
> structure directly like in openssl 1.0.2 days.
> The function RSA_set0_key() will allow you to set D, and there are
> routines for other portions of the struct as well.
> When the structure went opaque, getters and setters were added for
> your use, see:
>   - https://www.openssl.org/docs/man1.1.1/man3/RSA_set0_key.html
>
> If you need to keep backwards compat with 1.0.2, you can define those
> getter/setter functions when building with 1.0.2 in your source
> code. However, it's strongly recommended to not be using 1.0.2.
>
> Bill
>


Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

2020-12-22 Thread William Roberts
On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote:
>
> Hello all,
>
> We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( 
> bn_mod_exp).  I am trying to rewrite that logic for openssl 1.1.1. Code 
> snippet of custom bn_mod_exp function:
> --
> if(rr->d)
> {
> OPENSSL_free(rr->d);
> }
> rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
> rr->top = m->top;
> rr->dmax = m->top;
> rr->neg = 0;
>
> publicKeyData.operandALength = a->top * sizeof(BN_ULONG);
> publicKeyData.operandA = ( System::BYTE * )( a->d );
> publicKeyData.operandBLength = p->top * sizeof(BN_ULONG);
> publicKeyData.operandB = ( System::BYTE * )( p->d );
> publicKeyData.modulusLength = m->top * sizeof(BN_ULONG);
> publicKeyData.modulus = ( System::BYTE * )( m->d );
>
> publicKeyData.resultLength = m->top * sizeof(BN_ULONG);
> publicKeyData.result = ( System::BYTE * )( rr->d );
>
> calculate ( publicKeyData );< "rr->d" buffer.
> --
>  I found  a few 'get' functions (no set functions though) like -- bn_get_top 
> , bn_get_dmax. These are in "bn_intern.c" , not in "bn_lib.c" (or BN API).
> OPENSSL_free(rr->d)
> rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
> rr->top = m->top;
> rr->dmax = m->top;
> rr->neg = 0
>
> As forward declarations are no longer allowed in openssl 1.1.1 , how to 
> replicate above operations in openssl 1.1.1 ?
> Are there any Set functions for set, dmax , d values (allocate memory for 
> rr->d) . ?!
> Please help me on this!!
>
> Thanks,
> Prudvi.
>

IIUC, this is just a side effect of not being able to access the RSA
structure directly like in openssl 1.0.2 days.
The function RSA_set0_key() will allow you to set D, and there are
routines for other portions of the struct as well.
When the structure went opaque, getters and setters were added for
your use, see:
  - https://www.openssl.org/docs/man1.1.1/man3/RSA_set0_key.html

If you need to keep backwards compat with 1.0.2, you can define those
getter/setter functions when building with 1.0.2 in your source
code. However, it's strongly recommended to not be using 1.0.2.

Bill


How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

2020-12-22 Thread prudvi raj
Hello all,

We use a hardware accelerator to calculate BIGNUM rr = a^p mod m
(bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code
snippet of custom bn_mod_exp function:
--
if(rr->d)
{
OPENSSL_free(rr->d);
}
rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
rr->top = m->top;
rr->dmax = m->top;
rr->neg = 0;

publicKeyData.operandALength = a->top * sizeof(BN_ULONG);
publicKeyData.operandA = ( System::BYTE * )( a->d );
publicKeyData.operandBLength = p->top * sizeof(BN_ULONG);
publicKeyData.operandB = ( System::BYTE * )( p->d );
publicKeyData.modulusLength = m->top * sizeof(BN_ULONG);
publicKeyData.modulus = ( System::BYTE * )( m->d );

publicKeyData.resultLength = m->top * sizeof(BN_ULONG);
publicKeyData.result = ( System::BYTE * )( rr->d );

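calculate ( publicKeyData );< Bytes in "rr->d" buffer.
--
I found a few 'get' functions (no set functions though) like bn_get_top,
bn_get_dmax. These are in "bn_intern.c", not in "bn_lib.c" (or BN API).

OPENSSL_free(rr->d)
rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) );
rr->top = m->top;
rr->dmax = m->top;
rr->neg = 0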

As forward declarations are no longer allowed in openssl 1.1.1, how to
replicate the above operations in openssl 1.1.1?
Are there any Set functions for set, dmax, d values (allocate memory for
rr->d)?!
Please help me on this!!

Thanks,
Prudvi.