RE: how do i use a CRL file to verify a certificate against?
You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root CA has been compromised, that is when you usually hit the big red panic button and shut down the shop.

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 2004 9:39 AM
To: [EMAIL PROTECTED]
Subject: how do i use a CRL file to verify a certificate against?

> I can verify a certificate against a root certificate with
>
>     openssl verify -CAfile root.ca rsacert.pem
>
> but how do I know that the certificate I try to verify has not been revoked?
>
> JonB

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
RE: how do i use a CRL file to verify a certificate against?
OK. You get the CDP from the certificate, load the CRL from the CDP, verify the CRL against the root cert (to verify that the signature matches, it has not expired, etc.), then see if the cert's number is in the CRL. Check out the book 'OpenSSL' by O'Reilly. It walks you through all that, or you can examine some of the samples that call routines like X509_verify_cert().

-----Original Message-----
From: Jon Bendtsen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 2004 9:50 AM
To: [EMAIL PROTECTED]
Subject: Re: how do i use a CRL file to verify a certificate against?

> On 21 Sep 2004, at 15:43, Lee Baydush wrote:
>
>> You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root CA has been compromised, that is when you usually hit the big red panic button and shut down the shop.
>
> No no, it's not the root CA that has been revoked, but a certificate that was signed by the root CA. I would like to know if the certificate has been revoked, and I would expect I could verify against a CRL.
>
> JonB
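The procedure Lee outlines, as an added example that is not part of the thread: a shell script that builds a scratch CA and leaf certificate with the openssl CLI, issues a CRL, and runs openssl verify -crl_check before and after revoking the leaf. It supplies the CRL locally with -CRLfile instead of fetching it from the certificate's CDP, and every name, path and value in it is made up for the demonstration.

```shell
# Added example (not from the thread): a throwaway PKI built with the openssl CLI
# so the CRL check can be exercised end to end. All names and paths are made up.
set -eu

# Build a root CA, one leaf certificate, and the bookkeeping files 'openssl ca'
# needs to revoke certificates and issue CRLs. Prints the scratch directory.
build_pki() (
    dir=$(mktemp -d) && cd "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=ExampleRoot \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null
    cat > ca.cnf <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
database = index.txt
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
    : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
    echo "$dir"
)

# Sign a CRL from the CA database; with an empty database this is an empty CRL.
issue_crl() ( cd "$1" && openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null )
# Record the leaf's serial number as revoked in the CA database.
revoke_leaf() ( cd "$1" && openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null )

# -crl_check makes 'openssl verify' reject the leaf unless it finds a CRL from the
# leaf's issuer that verifies against the chain, is inside its validity period,
# and does not list the leaf's serial number. Prints the verdict for callers.
verify_leaf() {
    if openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
           "$1/leaf.pem" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}

d=$(build_pki); issue_crl "$d"
echo "before revocation: $(verify_leaf "$d")"   # valid
revoke_leaf "$d"; issue_crl "$d"
echo "after revocation:  $(verify_leaf "$d")"   # rejected
rm -rf "$d"
```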
RE: Problems with get_notAfter
Do you know if you are trying to output to an input-only BIO? I assume you also checked that hbio != NULL and cert != NULL?

-----Original Message-----
From: Marcos Paraiso [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 20, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: Problems with get_notAfter

> Hi everybody,
>
> I'm new with OpenSSL and am having some trouble ... I'm trying to print the endDate of a certificate, using the ASN1_TIME_print function, but nothing happens. Here's an excerpt from the code:
>
>     const char *file;   /* path of the PEM file */
>     BIO *hbio;
>     X509 *cert;
>
>     hbio = BIO_new_file(file, "r");                   /* BIO opened for reading only */
>     cert = PEM_read_bio_X509(hbio, NULL, NULL, NULL);
>     ASN1_TIME_print(hbio, X509_get_notAfter(cert));   /* output goes to that same BIO */
>
> I also used the UTCTIME function, but again nothing happened... The function that prints the whole certificate works just fine, but I only need the endDate!!! Could someone PLEASE help me?!?
>
> Thanks...
>
> Marcos
Adding signature algorithm for verification
Will somebody tell me how to add an OID and corresponding verification routine to OpenSSL version 0.9.7c to verify a SHA-256 signature?

Currently I am trapping the X509_V_ERR_CERT_SIGNATURE_FAILURE and X509_V_ERR_CRL_SIGNATURE_FAILURE errors in my verify callback routine, comparing the OID in the algorithm-data section to the OID for SHA256WithRSA (1.2.840.113549.1.1.11), and if it matches, computing the SHA-256 hash myself and comparing it to the passed signature data using RSA_verify().

This works fine, but I know there has to be a more subtle way to add the OID and hash function to OpenSSL; I just cannot find any complete example or write-up anywhere. I keep finding tidbits about adding OIDs and other parts, but am not seeing how the parts all go together.
RE: Problems with get_notAfter
OK. It must be the BIO then. If you are debugging/running this in a console window, try this...

    #include <assert.h>
    #include <openssl/bio.h>
    #include <openssl/x509.h>

    BIO *bio_out;
    bio_out = BIO_new(BIO_s_file());
    assert(bio_out != NULL);
    BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);   /* wrap stdout; do not close it on free */
    ASN1_TIME_print(bio_out, X509_get_notAfter(cert));
    BIO_free_all(bio_out);

Otherwise, you can do the following to put it into a buffer and then do whatever you want with it.

    char buf[128];
    int n;
    BIO *bio_mem;
    bio_mem = BIO_new(BIO_s_mem());   /* writable memory BIO; BIO_new_mem_buf() would create a read-only one */
    assert(bio_mem != NULL);
    ASN1_TIME_print(bio_mem, X509_get_notAfter(cert));
    n = BIO_read(bio_mem, buf, sizeof(buf) - 1);   /* copy the printed text out */
    buf[n > 0 ? n : 0] = '\0';                      /* and NUL-terminate it */
    BIO_free(bio_mem);

-----Original Message-----
From: Marcos Paraiso [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 20, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Problems with get_notAfter

> Yes, I checked if the hbio and the cert were properly loaded (hbio != NULL and cert != NULL)... As I wrote before, I was able to print the full cert...
>
> Marcos
>
> --- Lee Baydush <[EMAIL PROTECTED]> wrote:
>
>> Do you know if you are trying to output to an input-only BIO? I assume you also checked that hbio != NULL and cert != NULL?