openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Aleksey Sanin

I ran into an invalid CA certificate (X509_V_ERR_INVALID_CA) error when I
was trying to verify third level certificates with OpenSSL 0.9.8. It seems
that the code in the check_chain_extensions() function in the
crypto/x509/x509_vfy.c file assumes that either the certificate must be
directly signed by a CA certificate or it must have the EXFLAG_PROXY flag
(see the code around lines 504-520 and the must_be_ca flag processing
above). Note that second level certificates are verified correctly and the
same third level certificates verified just fine with OpenSSL 0.9.6/0.9.7.

I would appreciate if someone can check if this is an expected behavior
for OpenSSL (and then I will have to find a workaround) or it is a bug
(and then I'll be a happy camper waiting for next OpenSSL release).

Thank you in advance,
Aleksey Sanin





__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: openssl 0.9.8: 3rd level certificates verification problem

2005-07-08 Thread Aleksey Sanin

Thanks for quick response and explanations! You are right, the
second certificate in the chain did not have CA ext flag set and
0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem.
Very strange that I missed this till now :(

Thanks again,
Aleksey


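The rejection discussed in this thread can be reproduced with a constructed chain. The script below is an added example, not part of the original posts: it builds root -> intermediate -> leaf with the intermediate's basicConstraints set first to CA:TRUE and then to CA:FALSE, and runs `openssl verify` on each. It assumes a current openssl command-line tool; all subjects, file names and function names are constructed.

```shell
#!/bin/sh
# Added example: three-level chain where only the intermediate's CA flag varies.
set -u

# sign DIR NAME SUBJECT ISSUER EXT_SECTION SERIAL
# Creates a CSR for NAME and has ISSUER sign it with the given extension section.
sign() {
    openssl req -new -config "$1/ext.cnf" -key "$1/$2.key" -subj "/CN=$3" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -days 2 -extfile "$1/ext.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

# build_chain DIR BC
# Writes keys and certificates into DIR; BC is the intermediate's
# basicConstraints value ("CA:TRUE" or "CA:FALSE").
build_chain() {
    cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
[inter_ext]
basicConstraints = critical,$2
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    for n in root inter leaf; do
        openssl genrsa -out "$1/$n.key" 2048 2>/dev/null || return 1
    done
    # Self-signed root (constructed subject).
    openssl req -new -x509 -config "$1/ext.cnf" -extensions root_ext \
        -key "$1/root.key" -subj "/CN=Constructed Root" -days 2 \
        -out "$1/root.pem" 2>/dev/null || return 1
    sign "$1" inter "Constructed Intermediate" root inter_ext 2 || return 1
    sign "$1" leaf "Constructed Leaf" inter leaf_ext 3
}

# chain_result BC
# Prints "ok" if the leaf verifies, "invalid CA" if verification reports
# an invalid CA certificate, "other" for anything else.
chain_result() {
    d=$(mktemp -d) || return 1
    result=other
    if build_chain "$d" "$1"; then
        if out=$(openssl verify -CAfile "$d/root.pem" \
                 -untrusted "$d/inter.pem" "$d/leaf.pem" 2>&1); then
            result=ok
        else
            case $out in
                *"invalid CA certificate"*) result="invalid CA" ;;
            esac
        fi
    fi
    rm -rf "$d"
    echo "$result"
}

echo "intermediate CA:TRUE  -> $(chain_result CA:TRUE)"
echo "intermediate CA:FALSE -> $(chain_result CA:FALSE)"
```

To inspect an existing intermediate for the flag, `openssl x509 -noout -text -in cert.pem` prints the X509v3 Basic Constraints extension.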


Re: MSVC Application linked against static openssl libs is crashing

2005-06-07 Thread Aleksey Sanin

While it is pretty hard to say what exactly is the problem
in your case due to the lack of details, I would try to
guess that the likely reason is MSVC runtime incompatibility.

One of the worst surprises of Microsoft Windows is that it has
several C runtime libraries *incompatible* with each other. Thus
if you compile a library against one runtime (say, single-threaded
runtime) and then link it to an application compiled against
another runtime (say, multi-threaded dll runtime) then the
application has a very good chance of crashing as soon as it
tries to open file, free memory allocated in the library (or
vice versa), etc.

Thus, it is always a good idea to make sure that all your libraries
and application use *exactly* the same MSVC runtime. If it is not
the case, MSVC linker prints an innocent looking warning LNK4098
which is usually mistakenly ignored by most of the people.


Best,
Aleksey Sanin


Re: HMAC SHA1 source code

2003-03-17 Thread Aleksey Sanin
http://www.aleksey.com/xmlsec/bart.gif

Aleksey

Rich Salz wrote:

openssl/crypto/sha/ refers the functions: SHA1_Init(), SHA1_Update() 
SHA1_Final(), but there seems to be no reference of their definition 
in the source.


man grep

I guarantee that the functions are there.
/r$


Re: Problem with d2i_PKCS12_fp on Win32

2002-08-13 Thread Aleksey Sanin

The problem is that you have compiled your application and the OpenSSL
library using different MS C runtime libraries. There are a few possible
options on Windows (single threaded, single threaded debug, multi threaded,
multi threaded debug) and you MUST use the same libraries for both the
OpenSSL library and your application.
Otherwise, you'll have a crash on the first OpenSSL IO call.

Aleksey.


Peter Aben wrote:

 Because I have to use certificates in the PKCS#12 format, I use the 
 function d2i_PKCS12_fp() in my application.
 On UNIX, this works fine. On Windows NT4 (SP6a) the function crashes.
 I am using OpenSSL 0.9.6c at the moment.
 I have read about a similar problem in this mailing list, and there is
 advice to look at the FAQ. Unfortunately, the FAQ list on the
 openssl.org site is not accessible :(
 I would appreciate it very much if someone could give me an answer on 
 this. Is there a fix, or should I try a more recent release of OpenSSL?

 Thank you in advance!
 Peter Aben.



Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Aleksey Sanin



 The issue here is responsiveness yet maintaining stability
 and compilability in the releases.  There should only have
 been _ONE_ release, not _THREE_.

Please, raise your hands everyone who never was in the same situation!
This is the life, move forward! Now OpenSSL team has a stable release and
an experience on how to deal with such situation. Cross your fingers and
they will never do it again :)


Aleksey Sanin

BTW, thanks for creating patches and new release(s) so quickly!




Re: documentation

2002-06-16 Thread Aleksey Sanin




try 'man crypto' or http://www.openssl.org/docs/


Aleksey

Andrea Nagar wrote:

  Hi everybody,
can anyone suggest me where I can find the documentation of the openssl API.
In particular, having the digest of a document, the signature and the public
key of the signer, I need to verify the signature.
How can I do that? Any help would be really appreciated.
 
  Thanks.
Andrea Nagar
  
  





Re: 3DES decryption

2002-05-01 Thread Aleksey Sanin

Do you have any reason not to use EVP_Cipher*() functions instead of
low-level des_ecb3_encrypt()? EVP functions provide very good abstraction
layer and hide many algorithm specific details.

Aleksey Sanin.

Stella Power wrote:

hi,

I'm trying to use the crypto library to decrypt a file which has been
encrypted using triple-DES.

I have the following declarations:
char *temp;
char **elines;
des_cblock *input;

I have a function which parses the file and grabs the encrypted strings
   temp = parse_file(mapped_file);
I then set elines[i] = temp;
However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared
as des_cblock.
Is there any way of casting it, passing it, some way of passing the data
returned by the parse_file() function to des_ecb3_encrypt()?

Also, am I right in thinking that des_cblock being defined the way it is,
that you can only decrypt in batches of 8 characters??

Thanks!
Stella




Re: 3DES decryption

2002-05-01 Thread Aleksey Sanin

Well, using EVP functions is not too difficult
(http://www.openssl.org/docs/crypto/EVP_EncryptInit.html#):
1) init context
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
2) init cipher
EVP_CipherInit(&ctx, EVP_des_ede3_cbc(), key, iv, encrypt);
3) encrypt/decrypt data while available
EVP_CipherUpdate(&ctx, out, &outLen, in, inLen);
4) encrypt/decrypt the last block
EVP_CipherFinal(&ctx, out, &outLen);
5) cleanup context
EVP_CIPHER_CTX_cleanup(&ctx);

You can also take a look at test/evp_test.c file in OpenSSL package.


Aleksey Sanin.
  

Stella Power wrote:

I'm afraid that I couldn't find any examples on how to use the EVP
functions, and still do not know how I would go about implementing it.
The only restriction I have on my code is that the encrypted input file
is 3DES ECB encrypted.

Stella

On Wed, May 01, 2002 at 09:03:42AM -0700, Aleksey Sanin wrote:

Do you have any reason not to use EVP_Cipher*() functions instead of
low-level des_ecb3_encrypt()? EVP functions provide very good abstraction
layer and hide many algorithm specific details.

Aleksey Sanin.

Stella Power wrote:

hi,

I'm trying to use the crypto library to decrypt a file which has been 
encrypted using triple-DES.

I have the following declarations:
char *temp;
char **elines;
des_cblock *input;

I have a function which parses the file and grabs the encrypted strings
 temp = parse_file(mapped_file);
I then set elines[i] = temp;
However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared 
as des_cblock.
Is there any way of casting it, passing it, some way of passing the data 
returned by the parse_file() function to des_ecb3_encrypt()?

Also, am I right in thinking that des_cblock being defined the way it is , 
that you can only decrypt in batches of 8 characters??

Thanks!
Stella




Re: Please Help!!!

2002-04-23 Thread Aleksey Sanin

I've tried it on Solaris and Linux. IMHO, in both cases it is not polished
as well as it should be. Probably there exist projects where you have to
use 3.0 because of its new features. But it's not the case for me.


Aleksey.


Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700,
Aleksey Sanin [EMAIL PROTECTED] said:

aleksey> IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very
aleksey> bad experience with it in the past. If it is possible, try
aleksey> gcc 2.95.3.

Is that just on Solaris, or a recommendation to avoid gcc 3 in
general?






Re: Please Help!!!

2002-04-22 Thread Aleksey Sanin

IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very bad experience
with it in the past. If it is possible, try gcc 2.95.3.

Aleksey Sanin

Paul Mallary wrote:

I have been trying to figure this out on my own for the past day or so and
am stumped. I have installed all of the necessary stuff for openssl to
compile but I keep getting these error messages when I configure and make...
 
./Configure solaris-sparcv8-gcc shared no-threads
JUST A SECTION OF THE ./Configure
Makefile = Makefile.ssl
comp.h = ../../include/openssl/comp.h [File exists]
make[2]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto/comp'
make[1]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto'
making links in ssl...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/ssl'
Makefile = Makefile.ssl
ssl.h = ../include/openssl/ssl.h [File exists]
ssl2.h = ../include/openssl/ssl2.h [File exists]
ssl3.h = ../include/openssl/ssl3.h [File exists]
ssl23.h = ../include/openssl/ssl23.h [File exists]
tls1.h = ../include/openssl/tls1.h [File exists]
 
Then when I run make
JUST A SECTION
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/crypto'
( echo #ifndef MK1MF_BUILD; \
echo   /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */; \
echo   #define CFLAGS \gcc -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 
-fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRA
SPARC -DMD5_ASM\; \
echo   #define PLATFORM \solaris-sparcv9-gcc\; \
echo   #define DATE \`date`\; \
echo #endif ) buildinf.h
gcc -I. -I../include -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 
-fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -D
MD5_ASM   -c -o cryptlib.o cryptlib.c
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:36:27: 
iso/stdio_iso.h: No such file or directory
In file included from cryptlib.c:59:
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:194: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:229: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:230: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:236: parse error 
before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:241: parse error 
before size_t
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:250: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:252: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:276: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:285: parse error 
before '*' token
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:286: parse error 
before FILE
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:287: parse error 
before '*' token
cryptlib.c:60:20: string.h: No such file or directory
 
What is wrong with what I am doing? Any help would be a life saver!



Re: Capicom signing openssl verification

2002-04-15 Thread Aleksey Sanin



$openssl x509 -pubout ...

Aleksey.

Howard Chan wrote:

  Ivan,

  Sorry I've got a question from your question.  How do you export your
  public key from your certificate?  Would I be able to export a public key
  from a cert created and signed through OpenSSL commands?  Grateful for your
  comments!!

  Best regards,
  H. Chan

  - Original Message -
  From: "Ivan Saez" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, April 15, 2002 3:30 PM
  Subject: Capicom signing  openssl verification

    Hi,

    I can sign and verify the digital signature of a web-form with my
    private and public key using capicom but now I need to verify the
    digital signature on a Sun Solaris server with openssl 0.9.6c. I
    exported my public key and uploaded it to the Sun server. On the
    server I have my public key and the digital signed text signed with
    my private key. Then on the Sun server I do :

    openssl dgst -sha1 -binary -verify ivan_public.key -signature
    19870193.pem text

    19870193.pem is the signed web-form (signed with capicom). I believe
    the format is PKCS7. Text is the file containing the ascii text from
    the web-form. Openssl returns Verification Failure . Any idea of what
    I'm doing wrong?

    kind regards,
    Ivan






Re: Capicom signing openssl verification

2002-04-15 Thread Aleksey Sanin



Sorry, mistype

   $openssl x509 -pubkey ...

Aleksey.


Aleksey Sanin wrote:

  $openssl x509 -pubout ...

  Aleksey.

  Howard Chan wrote:

    Ivan,

    Sorry I've got a question from your question.  How do you export your
    public key from your certificate?  Would I be able to export a public
    key from a cert created and signed through OpenSSL commands?  Grateful
    for your comments!!

    Best regards,
    H. Chan

    - Original Message -
    From: "Ivan Saez" [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Sent: Monday, April 15, 2002 3:30 PM
    Subject: Capicom signing  openssl verification

      Hi,

      I can sign and verify the digital signature of a web-form with my
      private and public key using capicom but now I need to verify the
      digital signature on a Sun Solaris server with openssl 0.9.6c. I
      exported my public key and uploaded it to the Sun server. On the
      server I have my public key and the digital signed text signed with
      my private key. Then on the Sun server I do :

      openssl dgst -sha1 -binary -verify ivan_public.key -signature
      19870193.pem text

      19870193.pem is the signed web-form (signed with capicom). I believe
      the format is PKCS7. Text is the file containing the ascii text from
      the web-form. Openssl returns Verification Failure . Any idea of
      what I'm doing wrong?

      kind regards,
      Ivan
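The public-key export from the reply above, followed by a signature check with `openssl dgst -verify`, as an added example that is not part of the original thread. The key, certificate subject, file names and sample text are constructed; the signature here is the raw one written by `openssl dgst -sign`, and the digest is -sha256 where the quoted command used -sha1.

```shell
#!/bin/sh
# Added example: extract the public key from a certificate and use it to
# check a detached signature over a text file.
set -u

# verify_with DIR FILE: prints "ok" if FILE verifies against DIR/text.sig
# using the public key extracted from the certificate, otherwise "fail".
verify_with() {
    out=$(openssl dgst -sha256 -verify "$1/signer_pub.pem" \
          -signature "$1/text.sig" "$2" 2>&1) || true
    case $out in
        *"Verified OK"*) echo ok ;;
        *) echo fail ;;
    esac
}

# pubkey_verify_demo: prints two words, the result for the signed text
# and the result for a modified copy of it.
pubkey_verify_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
EOF
    # Constructed signer key and self-signed certificate.
    openssl genrsa -out "$d/signer.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$d/req.cnf" -key "$d/signer.key" \
        -subj "/CN=Constructed Signer" -days 2 -out "$d/signer.pem" \
        2>/dev/null || return 1

    # The step from the reply: export the public key from the certificate.
    openssl x509 -in "$d/signer.pem" -pubkey -noout > "$d/signer_pub.pem" \
        || return 1

    # Constructed form text, plus a copy with one field changed.
    printf 'name=Constructed&amount=10\n' > "$d/text"
    printf 'name=Constructed&amount=99\n' > "$d/tampered"
    openssl dgst -sha256 -sign "$d/signer.key" -out "$d/text.sig" "$d/text" \
        || return 1

    r1=$(verify_with "$d" "$d/text")
    r2=$(verify_with "$d" "$d/tampered")
    rm -rf "$d"
    echo "$r1 $r2"
}

echo "signed text / modified text: $(pubkey_verify_demo)"
```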
  
  
  
  
  
  


Re: Memory leak in TLS client side app

2002-04-15 Thread Aleksey Sanin

If you are using Linux I strongly recommend to try Valgrind:
http://developer.kde.org/~sewardj/
a very nice memory leaks/memory access check tool.

Aleksey




Krishnaswamy R. wrote:

Hi all,

I have written a TLS client using the OpenSSL library. It uses memory
BIOs as the input/output BIOs to the SSL connection.

The code flow of the client is as follows

* SSL_CTX_new(...)
* SSL_CTX_use_certificate_ASN1(...)
* SSL_CTX_use_RSAPrivateKey_ASN1(...)
* X509_STORE_add_cert() // To add CA cert
* other init actions

* for ever
* SSL_new(...)
* create read & write BIOs
* SSL_connect(...)
*  .
* SSL_free(...)
* wait for reconnect event
* endfor

As the above code flow shows, the client has to periodically (based
on time or event) perform a TLS handshake with a TLS server for
authentication (EAP-TLS).

When this client is run for many iterations, it leaks memory. After
tracking OpenSSL mallocs, I have found that it leaks ~ 9K. This
9K leak does not happen for every iteration, but it happens for
every n iteration. (Sometimes n is 1 or 3, it is variable ).  Soon
this leads to lack of memory because the app will be running for ever.

Any ideas on what could be causing the memory leak or tips on
how to trace back this memory leak,  is highly appreciated.

thanks,
Krishna




Re: problem

2002-04-12 Thread Aleksey Sanin

http://www.sunfreeware.com/opensshdoc.html

Aleksey

Govind Vinjamuri wrote:

on Solaris 2.6 with open ssh 3.1 p1  with openssl 9.6c. get this error

Couldn't connect to PRNGD socket /var/spool/prngd/pool: No such file
or directory
Entropy collection failed
ssh-rand-helper child produced insufficient data

Thanks in advance.





Re: SHA256/512

2002-04-11 Thread Aleksey Sanin



AFAIK, the last fix was made back in October and it addressed
an attack related to random numbers generator. I am not sure
I have any fresh insider information on the topic :)
The problem is that SHA256 and greater have become required
in other standards (XML Encryption, for example). And quick 
search showed that there is no solid open source implementation yet.


Aleksey Sanin.


Lutz Jaenicke wrote:

  On Wed, Apr 10, 2002 at 11:08:24PM -0700, Aleksey Sanin wrote:

    Just wonder why OpenSSL has no SHA256/512 support
    ("grep -i sha `find . -name "*"` | grep 256" in
    openssl-0.9.7-stable-SNAP-20020319
    returns only bunch of *_AES_256_SHA references)?
    Does there exist any reason or simply nobody had time
    (or interest) to do it?

  What is the current state?
  I checked out the NIST pages and found a draft and comments.
  One of the comments included a proposed change to the algorithm.
  Is the algorithm now really fix? I don't think it would be a good idea
  to include it before it is clear that it will stay unchanged.
  (0.9.7 is in feature freeze, so it won't be added before 0.9.8).

  Best regards,
      Lutz






Re: How can I check a signed-text

2002-04-08 Thread Aleksey Sanin

XML Signature is a quite complicated standard. You could not simply
check the signature by calculating the digest of whole XML document.
OpenSSL does not support XML DSig. Probably you want to use some
other library. For example, you can try one I wrote:

http://www.aleksey.com/xmlsec


Aleksey Sanin [EMAIL PROTECTED]
http://www.aleksey.com/xmlsec

[EMAIL PROTECTED] wrote:

Hi,

I have an XML application (works only with MSIE) which signs a html form
with the users private key.. Now  I want to verify the signaturevalue on
the server (Sun Solaris 2.8).
I've succeeded  in extracting the public key but I can't find the right
openssl (version 0.9.6c) options to check the signaturevalue.
Probably the format of the signaturevalue is wrong:

<dsig:SignatureValue>gQBugbr5aenwu01IvkMBJKsshiwrWUZ/N+gdESuXvWv2b324H7i
EZ8QOcxAhT78yS6EVtvGTcbUtHuIx99eqG01HRMavyP0P24BqvkK8nqONJY3GO3bDdLjnVxJ
1Hk4f7c6ZtXiVfnL9VlG/cl+12Wkg 8Oejq8iXsZLyL7Mpibg=
</dsig:SignatureValue>

I've been playing with openssl dgst, openssl rsautl and openssl smime
but without success.
I would appreciate it very much if someone could give me some
directions to look.

kind regards,

Ivan


Ing. Ivan Saez Scheihing , Eindhoven University of Technology
Systeemhuis/Bush   BG 3.41 tel. 040-2475044
P.O.Box 513, 5600 MB Eindhoven, The Netherlands
E-Mail: [EMAIL PROTECTED]



questions/RFEs about X509_NAME

2002-04-05 Thread Aleksey Sanin

Hi, All!

I have a few questions/RFEs to OpenSSL developers about
X509 and X509_NAME structures. I ran into some problems
when I've tried to use some low-level functions and I wonder is
it worth to patch OpenSSL instead writing custom functions
in my library. I am not absolutely sure that all my points are valid so
please correct me if I am wrong.

Thank you in advance,

Aleksey Sanin.
http://www.aleksey.com/xmlsec

Questions List:
--
1) Sorting of the X509_NAME_ENTRY elements in X509_NAME structure
(for X509 subject and issuer fields).
Right now OpenSSL reads the entries in the order they appear in the
certificate (or in the order you are adding them if you are creating cert).
I am not sure but I do not remember any order restrictions in the X509
rfc or DName RFC (http://www.ietf.org/rfc/rfc2253.txt).  And this scares
me in general because implementation relying on the order is likely to
have interop problems.
The suggestion is to sort X509_NAME_ENTRY elements after reading or
creating the cert or before using any order depending function
(hashing, comparison, search, etc.)

2) X509_NAME_ENTRY_cmp function missed
In order to do the sorting described above a new X509_NAME_ENTRY_cmp
function is required. I think it should be implemented something
like this:

int  X509_NAME_ENTRY_cmp(const X509_NAME_ENTRY **a,
                         const X509_NAME_ENTRY **b) {
   return(OBJ_cmp((*a)->object, (*b)->object));
}

3) X509_NAME_cmp function compares set field of X509_NAME
After doing sorting as described in 1) I ran into another problem:
the function X509_NAME_cmp compares set field of X509_NAME
as follows (the interesting lines are marked ):

for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
{
na=sk_X509_NAME_ENTRY_value(a->entries,i);
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
j=na->value->length-nb->value->length;
if (j) return(j);
j=memcmp(na->value->data,nb->value->data,
na->value->length);
if (j) return(j);
 j=na->set-nb->set;
 if (j) return(j);
}


AFAIK, the set field stores the X509_NAME_ENTRY position in
the list. I am not sure that comparing positions in this way is
a right thing here because we are *already* doing this by iterating
thru all X509_NAME_ENTRY entries in the X509_NAME. And of course,
this comparison fails after sorting :)
I suggest to remove these two lines marked with .







Re: certificate creation example

2002-04-02 Thread Aleksey Sanin



I hope this will help. All keys are saved w/o passphrase. Probably you
do not want to do it in production.

Aleksey Sanin.
http://www.aleksey.com/xmlsec

---
A. Create new CA
  CA.pl -newca
  cp ./demoCA/cacert.pem .
  cp ./demoCA/private/cakey.pem .
  openssl x509 -text -in cacert.pem

B. Generate RSA key and second level CA
  openssl genrsa -out ca2key.pem
  openssl req -new -key ca2key.pem -out ca2req.pem
  openssl ca -cert cacert.pem -keyfile cakey.pem \
 -out ca2cert.pem -infiles ca2req.pem
  openssl verify -CAfile cacert.pem ca2cert.pem

C. Sign DSA key with second level CA
  openssl req -new -key dsakey.pem -out dsareq.pem
  openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
 -out dsacert.pem -infiles dsareq.pem
  openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem

D. Sign RSA key with second level CA
  openssl req -new -key rsakey.pem -out rsareq.pem
  openssl ca -cert ca2cert.pem -keyfile ca2key.pem \
 -out rsacert.pem -infiles rsareq.pem
  openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem


Howard Chan wrote:

  Hello OpenSSL experts,

  I've been experimenting, or more like playing around, with Openssl on
  Linux. This is what I'm trying to do with OpenSSL :

  1. create a self-signed root CA certificate
  2. create a private key and then a certificate request
  3. use the root CA cert to sign the certificate request, thereby making
     a user certificate
  4. finally, I want to verify the cert (ie. verify -CApath ___ newcert.pem)

  I'm no expert at this, but this is what I did (so far):

  1. I used 'openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem'
     for Step 1 above.
  2. I used 'openssl req -new -key privkey.pem -out cert.csr' for Step 2
     above.

  For Step 3 above, I tried using the 'ca' command but always returned an
  error (which is attached), saying that it could not find files in the
  ./demoCA directory. So I created a /demoCA directory on my machine
  containing the CA cert and its private key and the serial and index
  files. But still, when I ran the 'ca' command the same error occurs.

  I know there's a CA.pl program which I can utilize to do the cert
  creation...but how do I use that? Do I need to compile it or anything
  before I can use that program? I'm not sure.

  So I don't know what to do for Step 3 (sign a cert request with the CA
  root cert). I'm out of ideas.

  Please enlighten me with some ideas, or correct my errors if you could.

  Thanks a lot.

  Best regards,

  H. Chan

  Using configuration from /usr/share/ssl/openssl.cnf
  ./demoCA/private/cakey.pem: No such file or directory
  trying to load CA private key
  7740:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
  7740:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
  error in ca
  
  
  
  


openssl and XML signature

2002-02-24 Thread Aleksey Sanin

Hello, List!

I am looking for an open source C/C++ implementation for recently W3C
recommended XML signature standard.  Does there exist one and if not then
will it be interesting to create one?

Thanks,

Aleksey.


