Re: Choose server certificate based on client IP address?
Jeremy Bratton wrote:
> I'm currently working on a client/server order system that uses SSL with client and server certificates. I'm using OpenSSL via Ruby. Everything has been working well, but we need to add a new trading partner to the system and they required us to get a different certificate for use only with them.
> Is it possible to use a different server certificate based on the client IP address? I am attempting to get a TCP connection, check the source IP, and then create an SSL context with the correct certificate, and establish an SSL connection using that context. It doesn't seem to be working, but I can't tell exactly what's going wrong. Is it something in my implementation or is my method completely wrong? If so, is there any way to accomplish my goal?
> I've searched the archives, but most similar cases seem to be dealing with web servers and virtual hosting where the certificate should change based on the requested host, but I need to choose the certificate based on client IP.

You should double-check if the TCP connection is initiated by the IP you expect to see. On systems with multiple (virtual) network interfaces in the same subnet (such as web servers with multiple SSL-enabled hosts, each on one IP), some applications choose an arbitrary source address when initiating outbound TCP connections.

Just my €.02,
--ck

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to delegate a next proxy by current proxy
Ian jonhson wrote:
> Did you successfully create a second delegated proxy? How to create it? Is there something wrong with my commands?

I never used the command-line tools. I did all my work with OpenSSL's C API. Sorry I can't help.

--ck
Re: How to delegate a next proxy by current proxy
Ian jonhson wrote:
> Oh... Are there any example codes for doing this job with the openssl API?

Did you actually read my former mail? You replied to it with "The book is very necessary for me." Look that mail up in your archive, it contains URLs to an example in C.

--ck
Re: X 509 Logo Extension
Fadil Sutomo wrote:
> OK. Now I have a question about OpenSSL. Does anyone of you know whether OpenSSL supports the X509 LogoType Extension? I am trying to put a logo into the certificates.

From a quick glance at RFC 3709, the LogoType extension looks to me like a normal X.509 extension with the OID 1.3.6.1.5.5.7.1.12. As you can basically add any custom extension to an X.509 certificate request via the OpenSSL C API (I don't know about the limitations of the command-line tool), I don't see why that particular extension shouldn't be supported.

Just my €.02,
--ck
Re: How to delegate a next proxy by current proxy
Ian jonhson wrote:
> Hi,
> As we know, a user-owned certificate can delegate his proxy to finish his grid task. If the application running with the user's proxy on a node needs to access a remote data node, it has to create a next-level proxy from its current proxy. How to create the next proxy? If you implement the code only with OpenSSL, what should be paid attention to? I just know that the next proxy should have a new DN attached with a serial number and a new time stamp limited by the original proxy. Could anybody give me some advice, or example code?

There's only a couple of things you need to watch:

1. Copy the CN from the old proxy and, as you said, add another DN=proxy. Some Grid components even add DN=limited proxy to denote that the proxy is supposed to be the last derivation.
2. Depending on the implementation, the serial is not important, proxies aren't revocable anyway. In Globus/gLite's GSI implementation, the serial is not checked.
3. The new proxy must not have a smaller notBefore or a larger notAfter.
4. From what I observed, key length is not important either - the new proxy can even have a bigger key length than the old one.
5. Sign the new proxy with the old one.

I used the example code from "Network Security with OpenSSL": http://www.oreilly.com/catalog/openssl/index.html
Check out the EX10-6 file from the example code tarball at http://www.opensslbook.com/NSwO-1.3.tar.gz and you're all set (with some minor modifications).

HTH,
--ck
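The five rules above carried out end to end, as an added example (my code, not from the thread or from the book's EX10-6), written against Ruby's stdlib OpenSSL bindings rather than the C API. The self-signed "old proxy", the ExampleGrid names and the 6-hour lifetime are constructed test data; the private-key guard at the top of delegate_proxy is the check that would have caught the public-only key discussed in the "Missing field" thread further down this page.

```ruby
require 'openssl'

# Stand-in for the proxy credential you already hold (constructed test data,
# not a real Grid credential): self-signed, 12-hour lifetime as in the thread.
def make_old_proxy
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = OpenSSL::X509::Name.parse('/O=ExampleGrid/OU=ExampleOU/CN=Example User/CN=proxy')
  cert.issuer  = cert.subject
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 12 * 3600
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Derive the next-level proxy from (old_cert, old_key) following the reply's
# rules: one more CN=proxy (or "limited proxy"), any serial, validity never
# wider than the old proxy's, a fresh key of any length, signed by the old key.
def delegate_proxy(old_cert, old_key, lifetime: 6 * 3600, limited: false)
  # A key object carrying only the public half cannot sign; refuse early.
  raise ArgumentError, 'old key is not private' unless old_key.private?
  raise ArgumentError, 'key does not belong to old proxy' unless old_cert.check_private_key(old_key)
  new_key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = OpenSSL::BN.rand(64)                        # rule 2: GSI does not check it
  cert.issuer  = old_cert.subject                            # issued by the old proxy
  cn = limited ? 'limited proxy' : 'proxy'                   # rule 1
  cert.subject = OpenSSL::X509::Name.new(old_cert.subject.to_a + [['CN', cn, OpenSSL::ASN1::UTF8STRING]])
  now = Time.now                                             # rule 3: stay inside the old window
  cert.not_before = [now, old_cert.not_before].max
  cert.not_after  = [now + lifetime, old_cert.not_after].min
  cert.public_key = new_key.public_key                       # rule 4: key length is free
  cert.sign(old_key, OpenSSL::Digest.new('SHA256'))          # rule 5
  [cert, new_key]
end

# What a relying party checks: signed by the old proxy, exactly one CN added,
# and the validity window contained in the old proxy's.
def valid_delegation?(new_cert, old_cert)
  new_cert.issuer == old_cert.subject &&
    new_cert.verify(old_cert.public_key) &&
    new_cert.subject.to_a.length == old_cert.subject.to_a.length + 1 &&
    new_cert.not_before >= old_cert.not_before &&
    new_cert.not_after  <= old_cert.not_after
end
```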
Extracting all extensions from a certificate
Hi,

how can I extract all extensions from a certificate into a STACK_OF(X509_EXTENSION)? For certificate requests, there is X509_REQ_get_extensions that returns this stack, but how is that done with an actual certificate?

Regards,
--ck
Re: Extracting all extensions from a certificate
Bruce Stephens wrote:
> X509_get_ext_count(), X509_get_ext(), and the usual stack macros STACK_OF(X509_EXTENSION), sk_X509_EXTENSION_push() and so on, I guess.

That does the trick. However, I'm stumped at how to convert an extension value back to a string. I call

    obj = X509_EXTENSION_get_object(ext);
    data = X509_EXTENSION_get_data(ext);

and now have both the ASN.1 structure in an ASN1_OBJECT as well as its data in an ASN1_OCTET_STRING (at least if the documentation I googled is accurate). How do I get back from the octet string to a normal ASCII string? The extension was put into the certificate with the following code:

    ASN1_OCTET_STRING *ex_oct = NULL;
    ex_oct = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(ex_oct, policy, -1);

Is there any up-to-date complete documentation available for the full function set of OpenSSL? For some of the stuff, like ASN.1 manipulation, I can't even find anything on Google...

Regards,
--ck
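The round trip this thread asks about (and the custom extension the "Missing field" post further down builds in C), as an added example that is not from the thread, using Ruby's stdlib OpenSSL bindings instead of the C API: store the extension value as DER so it can be decoded again, then walk all extensions of a certificate and recover the string. The OID (under the PEN that RFC 5612 reserves for documentation), the ExampleGrid subject and the policy string are constructed stand-ins for the poster's EXECPOLICY_OID and policy, which the thread does not give.

```ruby
require 'openssl'

# Documentation-only OID (RFC 5612 PEN 32473), standing in for EXECPOLICY_OID.
EXECPOLICY_OID = '1.3.6.1.4.1.32473.1'

# extnValue is an OCTET STRING whose contents must themselves be DER. The C
# code in the thread copies the bare C string into it with
# ASN1_OCTET_STRING_set(ex_oct, policy, -1), which readers can only hand back
# as opaque bytes; wrapping the value in an ASN.1 string type keeps it decodable.
def execpolicy_extension(policy, critical = false)
  der = OpenSSL::ASN1::IA5String.new(policy).to_der
  OpenSSL::X509::Extension.new(EXECPOLICY_OID, der, critical)
end

# Self-signed test certificate carrying the custom extension (constructed data).
def make_cert_with_policy(policy)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/O=ExampleGrid/CN=Example User/CN=proxy')
  cert.not_before = Time.now
  cert.not_after  = Time.now + 12 * 3600
  cert.public_key = key.public_key
  cert.add_extension(execpolicy_extension(policy))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The X509_get_ext_count()/X509_get_ext() loop from the reply, mapping each
# extension's OID to its decoded value.
def decode_extensions(cert)
  cert.extensions.each_with_object({}) do |ext, out|
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
    out[ext.oid] = begin
      OpenSSL::ASN1.decode(octets).value   # DER inside: IA5String -> Ruby String
    rescue OpenSSL::ASN1::ASN1Error
      octets                               # bare bytes, as the C code stored them
    end
  end
end
```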
Re: Custom certificate extensions CSR / cert creation: Missing field
Hello,

I have isolated the problem to the private key that seems to be incorrectly generated. When I take my self-created certificate and my self-created RSA key and try to convert them to PKCS#12, the following error occurs:

    [EMAIL PROTECTED] kunz]$ openssl pkcs12 -export -in testcert.pem -inkey testkey.pem -out test.p12
    Error loading private key
    22864:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
    22864:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204:
    22864:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117:
    22864:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
    22864:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291:

The portion of my C code that generates the key and adds it to the certificate request looks like this (readers of the O'Reilly OpenSSL book will find this strangely familiar):

    keypair = RSA_generate_key(1024, RSA_3, NULL, NULL);
    if (!(RSA_check_key(keypair)))
        int_error("Error with keypair!");
    pkey = EVP_PKEY_new();
    if (!(EVP_PKEY_set1_RSA(pkey, keypair)))
        int_error("Error setting key to RSA");
    if (!(req = X509_REQ_new()))
        int_error("Error creating new request");
    X509_REQ_set_pubkey(req, pkey);

After all is said and done, the private key is written to the PEM file:

    if (!(PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, 0, NULL)))
        int_error("Error writing private key");

We're not encrypting the key because the resulting proxy certificate chain is used for single-sign-on purposes in a Grid environment. We do need the key because we need to be able to delegate new proxy certificates based on the one that has just been generated. However, since the private key and certificate are basically throwaway items that are regenerated for each job submission, I feel no pain showing both to you.
Impersonate me if you want, but do it quickly ;)

[PEM-encoded certificate and RSA private key omitted]

The key is somehow wrong, but how? And why?

Regards,
--ck
Re: Custom certificate extensions CSR / cert creation: Missing field
Goetz Babin-Ebell wrote:
>> The key is somehow wrong, but how? And why?
> It contains only the public part of the key. The private part seems to get lost in between...

You are so right. In the course of my copy-and-paste work of art, I reassigned pkey with... guess what? The certificate's public key. D'oh.

Thanks a lot for pointing me in the correct direction.

Regards,
--ck
Custom certificate extensions CSR / cert creation: Missing field
Hi,

I am using the examples from the O'Reilly book "Network Security with OpenSSL" (X.509 section) to create a CSR, push a custom extension into it and sign that CSR with a given private key. This - in general - works OK, but when I want to use the resulting certificate chain (I have the signing certificate and a couple more in there) for anything secure (i.e. mutual authentication), I am greeted with failure. I wrote an extremely simple program to check what might be wrong with the certificate stack and this seems to be the problem:

    15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=d, Type=RSA
    15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:224:

I figure that there is something wrong with the way I create the ASN.1 object and push it onto the extension stack for the CSR. This looks like so in my code:

    ASN1_OBJECT *obj;
    ASN1_OCTET_STRING *ex_oct = NULL;
    X509_EXTENSION *ex_execpol = NULL;

    new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
    obj = OBJ_nid2obj(new_nid);
    if (!(ex_oct = ASN1_OCTET_STRING_new())) {
        int_error("Error creating custom ASN.1 struct");
    }
    extlist = sk_X509_EXTENSION_new_null();
    ASN1_OCTET_STRING_set(ex_oct, policy, -1);
    /* 3rd parameter is critical/noncritical */
    if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(ex_execpol, obj, 0, ex_oct))) {
        int_error("Error creating X509 extension for execpolicy");
    }
    if (!(sk_X509_EXTENSION_push(extlist, ex_execpol))) {
        int_error("Error pushing custom extension to stack");
    }
    if (!(X509_REQ_add_extensions(req, extlist))) {
        int_error("Error adding ExecPolicy to the request");
    }
    sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);

Later, I am getting the extension stack from the CSR...

    if (!(req_exts = X509_REQ_get_extensions(req)))
        int_error("Error getting the request's extensions");
    int new_nid;
    ASN1_OBJECT *obj;
    new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
    execPolicy_pos = X509v3_get_ext_by_NID(req_exts, new_nid, -1);
    execPolicy = X509v3_get_ext(req_exts, execPolicy_pos);
    fputc('\n', stdout);

...and add them to the certificate before signing:

    /* add x509v3 extensions as specified */
    X509V3_set_ctx(ctx, CAcert, cert, NULL, NULL, 0);
    for (i = 0; i < EXT_COUNT; i++) {
        X509_EXTENSION *ext;
        if (!(ext = X509V3_EXT_conf(NULL, ctx, ext_ent[i].key, ext_ent[i].value))) {
            fprintf(stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value);
            int_error("Error creating X509 extension object");
        }
        /* Mark purpose as critical */
        if (!(X509_EXTENSION_set_critical(ext, 1))) {
            fprintf(stderr, "Error setting Extension to critical: %s", ext_ent[i].key);
            int_error("Error setting Extension to critical");
        }
        if (!X509_add_ext(cert, ext, -1)) {
            fprintf(stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value);
            int_error("Error adding X509 extension to certificate");
        }
        X509_EXTENSION_free(ext);
    }
    /* add the extension in the request to the cert */
    if (!X509_add_ext(cert, execPolicy, -1))
        int_error("etc");

Is there anything I am doing horribly wrong along the way? Any pointers where the missing field could be? I guess it can only be in the custom ASN.1 structure I have created for my own extension.

Regards and thanks,
--ck
Re: Custom certificate extensions CSR / cert creation: Missing field
Dr. Stephen Henson wrote:
> Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format.

I forgot to mention that

    openssl x509 -text -noout -in mycertchain.pem

does produce valid output, and seems to disregard the error that prevents the certificate from actually being usable. To me that means that it somehow has to be syntactically correct.

I can provide you with demo credentials if that is of any help - they are set to run out after 12 hours anyway. :)

Thanks for your help,
--ck
openssl: installation fails
hi list,

on our little linux playground box (Debian, Kernel 2.2.15), openSSL locks up the machine while doing

- SNIP -
gcc -I.. -I../../include -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o md2_one.o md2_one.c
- SNAP -

i am using gcc version 2.95.2 2313 on a Cyrix 6x86 w/ apache 1.3.12 and php 4.0.0 installed... any ideas?

--ck

ps. and yes, i DID use ./Configure linux-elf!

--
http://www.de-punkt.de - Hosting made easy!
@ [EMAIL PROTECTED]
T 05241 / 23498-13
F 05241 / 23498-20
snail: Moltkestraße 25, 0 Gütersloh