OpenSSL Compilation Issue (for -mips3)

2004-09-28 Thread sakthi.subramaniam

Hi All,

We are facing a compilation issue while building OpenSSL for -mips3 and
mcpu=r4000 for Big Endian. We are using MontaVista supplied gcc and bin
utils.

GCC Version : 2.95.3
LD Version  : 2.10.91
AR Version  : 2.10.91
RANLIB Version  : 2.10.91

The following is the error log.
Any clues in this regard will be very helpful.



make[1]: Entering directory `/home/sadashivan/openssl-0.9.7b/apps'
rm -f openssl
if [ linux-shared = hpux-shared -o linux-shared = darwin-shared
] ; then \
  tl_mips-linux-gcc -o openssl -DMONOLITH -I.. -I../include  -DDSO_DLFCN
-DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_ASM -DOPENSSL_NO_BF
-DOPENSSL_NO_CAST -DOPENSSL_NO_DH -DOPENSSL_NO_DSA -DOPENSSL_NO_MDC2
-DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_TLS1
-mips3 -mcpu=r4000 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o
gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o
dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o
s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o
ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
../libssl.a  ../libcrypto.a  ; \ else \
  LD_LIBRARY_PATH=..:$LD_LIBRARY_PATH \
  tl_mips-linux-gcc -o openssl -DMONOLITH -I.. -I../include  -DDSO_DLFCN
-DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DOPENSSL_NO_ASM -DOPENSSL_NO_BF
-DOPENSSL_NO_CAST -DOPENSSL_NO_DH -DOPENSSL_NO_DSA -DOPENSSL_NO_MDC2
-DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_TLS1
-mips3 -mcpu=r4000 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o
gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o
dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o
s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o
ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
-L.. -lssl  -L.. -lcrypto  ; \ fi
/opt/hardhat/devkit/mips/fp_be/bin/../mips-hardhat-linux/bin/ld:
openssl.o: ISA mismatch (-mips3) with previous modules (-mips1) Bad
value: failed to merge target specific data of file openssl.o
/opt/hardhat/devkit/mips/fp_be/bin/../mips-hardhat-linux/bin/ld:
verify.o: ISA mismatch (-mips3) with previous modules (-mips1) Bad
value: failed to merge target specific data of file verify.o
/opt/hardhat/devkit/mips/fp_be/bin/../mips-hardhat-linux/bin/ld:
asn1pars.o: ISA mismatch (-mips3) with previous modules (-mips1) Bad
value: failed to merge target specific data of file asn1pars.o
/opt/hardhat/devkit/mips/fp_be/bin/../mips-hardhat-linux/bin/ld: req.o:
ISA mismatch (-mips3) with previous modules (-mips1) Bad value: failed
to merge target specific data of file req.o







Confidentiality Notice

The information contained in this electronic message and any attachments to this 
message are intended
for the exclusive use of the addressee(s) and may contain confidential or privileged 
information. If
you are not the intended recipient, please notify the sender at Wipro or [EMAIL 
PROTECTED] immediately
and destroy all copies of this message and any attachments.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


How to check the cA field of basic constraints object in v3 certificates?

2004-08-11 Thread sakthi.subramaniam

 Hi ,
I have the x509 v3 certificates, I would like to validate the BASIC
CONSTRAINTS FIELD.
Using X509_get_ext_d2i I will get the BASIC_CONSTRAINTS structure if it
is present.. How to extract and validate the cA and pathLenConstraint
from the structure?
Any inputs on this?


Thanks in advance.,
Sakthi  S G






RE: Random number seed in RSA

2004-08-10 Thread sakthi.subramaniam



HI.,
You can use /dev/random as a seed generator..I believe that cygwin
has the support for /dev/random device..
For that you can use RAND_load_file("/dev/random", no_of_bytes) for
programming the seed.
or
otherwise you can use the static character buffer (rnd_seed) as a seed and
use RAND_seed(rnd_seed, sizeof rnd_seed); to program the seed. In the
second case you need to store the seed in such a way that hackers should
not break the seed..

Hope this helps..
Sakthi S G


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe smith
  Sent: Tuesday, August 10, 2004 3:21 AM
  To: [EMAIL PROTECTED]
  Subject: Random number seed in RSA
  Hi,
  I have a snippet that encrypts/decrypts using RSA.


  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <openssl/rsa.h>
  // RSATest: Program illustrating Simple RSA Encryption/Decryption
  int main()
  {
  char *plain="Sample text"; // Sample text (plain text) to Encrypt/Decrypt
  char *ciphertext;
  char *plain1;
  int enclen,i,declen;
  printf("%s\n",plain);

  // Generate RSA key
  RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
  // RSA_size() will determine how much memory must be allocated for an RSA
  // encrypted value
  ciphertext = (char *)malloc(RSA_size(rsa1));
  printf("RSA size %d",RSA_size(rsa1));

  // Release the buffer and the key
  free(ciphertext);
  RSA_free(rsa1);
  return 0;
  }

  I am using Cygwin. My question is this: Where and How do I seed the
  random number generator?
  Thanks,
  Joe
  
  
  


RE: How to convert a buffer to an intern structure???

2004-08-02 Thread sakthi.subramaniam



Hi.,
Use d2i interfaces
For any object...
OBJTYPE *d2i_OBJNAME(OBJTYPE **obj, const unsigned char **pp, long length)

for example to get RSA key from buffer

RSA *rsa;
const unsigned char *p = buf;   /* d2i advances p past the decoded data */
rsa = d2i_RSAPublicKey(NULL, &p, len);
Hope it helps..

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Roberto Zainos H
  Sent: Monday, August 02, 2004 10:21 PM
  To: [EMAIL PROTECTED]
  Subject: How to convert a buffer to an intern structure???
  Hi guys!!!
  I'm working in a Crypto-OpenSSL based Project generating and managing
  X509 cert's. I have a little problem because I'm using an Oracle DB like
  repository. The cert's are stored in PEM format in the DB
  (-BEGIN . END-), the connection between my app and the
  server is ODBC based, when I recover the cert from DB I store that
  in a buffer (char []) but I don't know how convert that buffer in an intern
  usable structure...(Maybe BIO or PEM)

  Any hint???

  Best Regards
  Zainos
  
  


BN library clarification needed!!

2004-07-26 Thread sakthi.subramaniam

I am using the BN library for generating keys. With the documents I come
to know that it is giving only big endian support.
If I use BN_bn2bin(big_rand, test_num[8]), test_num[0] - will have the
MSB and test_num[7] - will have the LSB.
Is my understanding correct?

Regards.,
Sakthi  S G






Freeing the x509 struct.

2004-07-22 Thread sakthi.subramaniam

Do we need to free the X509 structure returned by  d2i_X509() and
PEM_read_X509() functions after using it?

Sakthi  S G






RE: Checking the critical flags and Key usage extension x509v3 certs.

2004-07-21 Thread sakthi.subramaniam

For the second case it is returning 255. There was a problem in the
certificate..
Thanks for your help.

Sakthi S G

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
Stephen Henson
Sent: Tuesday, July 20, 2004 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Checking the critical flags and Key usage
extension x509v3 certs.


On Tue, Jul 20, 2004, [EMAIL PROTECTED] wrote:


 Hi.,
  In both the certificates I am getting critical flag as zero. I have
 single stepped the code X509_get_ext_d2i(). In function
 X509_EXTENSION_get_critical() the structure the value of ex->critical
 field is -1 for certificate 1. It is zero for certificate 2.


Could you post the two certificates or send them to me
privately? It sounds like either OpenSSL is messing something
up or the critical flag is incorrectly encoded.

Your results imply that #1 has an absent criticality flag
(which is interpreted as FALSE) and that #2 is present but set
to FALSE which violates DER, but is treated as FALSE. It
should be present and TRUE.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Checking the authkeyid and subkeyid!!

2004-07-21 Thread sakthi.subramaniam

Is there any function available to compare the Authority key identifier
of the certificate with the issuers subject key identifier?
Will  X509_verify_cert() do the comparison of the above?
Actually I have both the certificates in DER format.






RE: Checking the authkeyid and subkeyid!!

2004-07-21 Thread sakthi.subramaniam

Hi.,
  I had gone thro' the X509_check_issued(). With that only I have
created X509 structure for subject and issuers certificate with
d2i_X509().
But the subject->akid is NULL .

Then I called ASN1_OCTET_STRING_cmp(subject->akid->keyid,
issuer->skid); it crashes..
Is there anything I need to do for updating this akid structure?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amar Desai
Sent: Wednesday, July 21, 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: Re: Checking the authkeyid and subkeyid!!


You can use something like this...

ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid);

Look into the X509_check_issued() function and see if it
satisfies your
requirements.

Amar

[EMAIL PROTECTED] wrote:

Is there any function available to compare the Authority key identifier
of the certificate with the issuers subject key identifier? Will
X509_verify_cert() do the comparison of the above? Actually I have
both the certificates in DER format.






RE: Checking the authkeyid and subkeyid!!

2004-07-21 Thread sakthi.subramaniam

I have tried X509_get_ext_d2i
akid = X509_get_ext_d2i(dev_cert,
NID_authority_key_identifier,NULL, NULL)
This returns AUTHORITY_KEYID  structure..After that will
ASN1_OCTET_STRING_cmp() serve the purpose?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
Stephen Henson
Sent: Wednesday, July 21, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Checking the authkeyid and subkeyid!!


On Wed, Jul 21, 2004, Amar Desai wrote:

 You can use something like this...

 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid);


You also need to call X509_check_purpose(cert, -1, 0) just to
ensure the fields were filled in if you did things that way
though I'd recommend using
X509_get_ext_d2i() instead.

Also akid->keyid is an OPTIONAL field so a check should be
made to see if it is NULL first.

 Look into the X509_check_issued() function and see if it satisfies
 your
 requirements.


Yes that's probably easiest. It does some other checks too
though but if the two certificates are valid these shouldn't
cause problems.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Checking the authkeyid and subkeyid!!

2004-07-21 Thread sakthi.subramaniam

I have tried the following code..it crashes in
ASN1_OCTET_STRING_cmp()..
Any inputs??



--

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

BOOL SSL_validate_AID_SID(X509 *dev_cert, UCHAR *manu_buffer) {
    X509 *issuer_cert = NULL;
    AUTHORITY_KEYID *akid = NULL;
    ASN1_OCTET_STRING *skid = NULL;
    /* d2i_X509() takes the address of a pointer and advances it */
    const unsigned char *p = manu_buffer;

    issuer_cert = d2i_X509(NULL, &p, (long) (2048));

    akid = X509_get_ext_d2i(dev_cert,
                            NID_authority_key_identifier, NULL, NULL);
    if (!akid) {
        printf("Error: AUTORITY key IDENTIFIER is Not present");
        return 0;
    }

    skid = X509_get_ext_d2i(issuer_cert,
                            NID_subject_key_identifier, NULL, NULL);
    /* Check key ids (if present) */

    /* akid->keyid and skid are passed on without a NULL check */
    ASN1_OCTET_STRING_cmp(akid->keyid, skid);



    AUTHORITY_KEYID_free(akid);


    return 0;
}

--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
Stephen Henson
Sent: Wednesday, July 21, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Checking the authkeyid and subkeyid!!


On Wed, Jul 21, 2004, Amar Desai wrote:

 You can use something like this...

 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid);


You also need to call X509_check_purpose(cert, -1, 0) just to
ensure the fields were filled in if you did things that way
though I'd recommend using
X509_get_ext_d2i() instead.

Also akid->keyid is an OPTIONAL field so a check should be
made to see if it is NULL first.

 Look into the X509_check_issued() function and see if it satisfies
 your
 requirements.


Yes that's probably easiest. It does some other checks too
though but if the two certificates are valid these shouldn't
cause problems.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Checking the authkeyid and subkeyid!!

2004-07-21 Thread sakthi.subramaniam
I am seeing that akid->keyid as NULL always but I am sure that akid is a valid
structure.
It is a valid certificate and authority key identifier is also present, in that case I
am wondering how can I get the akid->keyid as a NULL? Do I need to call any function
to update akid structure apart from X509_get_ext_d2i()?
 
Thanks
Sakthi S G

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dr. Stephen Henson 
Sent: Wed 7/21/2004 5:51 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: Checking the authkeyid and subkeyid!!


 


RE: X.509 certificates invalid certiifcates.

2004-07-19 Thread sakthi.subramaniam

Thanks for your help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
Stephen Henson
Sent: Monday, July 19, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: X.509 certificates invalid certiifcates.


On Mon, Jul 19, 2004, Richard Levitte - VMS Whacker wrote:

 In message [EMAIL PROTECTED] on
 Mon, 19 Jul 2004 09:51:35 +0530, [EMAIL PROTECTED] said:

 sakthi.subramaniam>
 sakthi.subramaniam> Its not clear what you want to do from this 30/31
 sakthi.subramaniam> years business.
 sakthi.subramaniam> The number of years difference between Not Valid
 sakthi.subramaniam> before and Not valid after  should not exceed 30
 sakthi.subramaniam> years in the certificates..How can I check it ?

 Since you're doing this by programming:

 - You get the validity limits, using the macros X509_get_notBefore()
   and X509_get_notAfter()

 - extract the year from the limits, using the function
   ASN1_extract_year() (NOT TESTED!) below.

 - subtract one year from the other and check that it's lower than 31.



One complication is that the subtraction would need to be
decremented if one year day was before the first.

For example the difference between December 31st 2001 and
January 1st 2002 is obviously less than a year.

Timezones could also complicate matters though they are not
allowed by various specifications (including RFC3280) in
certificates. There's no legitimate reason AFAICS to have the
two dates in different timezones but depending on the OPs
reasons for wanting the check this might need to be taken into account.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
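
The year subtraction and the decrement described in the replies above can be written out as follows. This is an added example, not code from the thread or from OpenSSL: it goes beyond extracting the year by comparing the full timestamps, it works on the time values as text in the UTCTime or GeneralizedTime form a certificate carries, and the function names and sample dates are constructed for illustration. Times with a timezone offset are rejected rather than converted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct cert_time { int year, mon, day, hour, min, sec; };

/* Parse "YYMMDDHHMMSSZ" (UTCTime) or "YYYYMMDDHHMMSSZ" (GeneralizedTime).
 * Only the UTC "Z" form is accepted; offsets such as +0530 are rejected.
 * Returns 1 on success, 0 on malformed input. */
static int parse_cert_time(const char *s, struct cert_time *t)
{
    int f[7], n = 0, k;
    size_t i, len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if ((len != 13 && len != 15) || s[len - 1] != 'Z')
        return 0;
    for (i = 0; i + 1 < len; i += 2) {          /* two digits per field */
        if (!isdigit((unsigned char)s[i]) || !isdigit((unsigned char)s[i + 1]))
            return 0;
        f[n++] = (s[i] - '0') * 10 + (s[i + 1] - '0');
    }
    if (n == 6) {                               /* UTCTime: two-digit year */
        t->year = f[0] + (f[0] >= 50 ? 1900 : 2000);
        k = 1;
    } else {                                    /* GeneralizedTime: CCYY */
        t->year = f[0] * 100 + f[1];
        k = 2;
    }
    t->mon = f[k];      t->day = f[k + 1];  t->hour = f[k + 2];
    t->min = f[k + 3];  t->sec = f[k + 4];
    return t->mon >= 1 && t->mon <= 12 && t->day >= 1 && t->day <= 31 &&
           t->hour <= 23 && t->min <= 59 && t->sec <= 59;
}

/* Order two times by month, day and time of day only, ignoring the year. */
static int cmp_in_year(const struct cert_time *a, const struct cert_time *b)
{
    if (a->mon != b->mon)   return a->mon - b->mon;
    if (a->day != b->day)   return a->day - b->day;
    if (a->hour != b->hour) return a->hour - b->hour;
    if (a->min != b->min)   return a->min - b->min;
    return a->sec - b->sec;
}

/* Completed years from not_before to not_after; -1 on bad input or when
 * not_after is earlier than not_before. */
int full_years_between(const char *not_before, const char *not_after)
{
    struct cert_time nb, na;
    int years;

    if (!parse_cert_time(not_before, &nb) || !parse_cert_time(not_after, &na))
        return -1;
    years = na.year - nb.year;
    if (cmp_in_year(&na, &nb) < 0)
        years--;            /* anniversary not yet reached in the last year */
    return years < 0 ? -1 : years;
}

/* 1 if the validity period is at most max_years long, 0 if it is longer,
 * -1 on bad input. A period of exactly max_years is accepted. */
int validity_within_years(const char *not_before, const char *not_after,
                          int max_years)
{
    struct cert_time nb, na;
    int years = full_years_between(not_before, not_after);

    if (years < 0)
        return -1;
    if (years != max_years)
        return years < max_years;
    parse_cert_time(not_before, &nb);           /* already validated above */
    parse_cert_time(not_after, &na);
    return cmp_in_year(&na, &nb) == 0;
}

int main(void)
{
    /* Constructed sample dates. */
    printf("Dec 31 2001 -> Jan 1 2002: %d full years\n",
           full_years_between("011231235959Z", "020101000000Z"));
    printf("30-year cert allowed: %d\n",
           validity_within_years("040719000000Z", "340719000000Z", 30));
    printf("31-year cert allowed: %d\n",
           validity_within_years("040719000000Z", "350719000000Z", 30));
    return 0;
}
```
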


RE: X.509 certificates invalid certiifcates.

2004-07-18 Thread sakthi.subramaniam

Its not clear what you want to do from this 30/31 years business.
The number of years difference between Not Valid before and Not valid
after  should not exceed 30 years in the certificates..How can I check
it ?

Thanks
Sakthi S G

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
Stephen Henson
Sent: Sunday, July 18, 2004 2:28 AM
To: [EMAIL PROTECTED]
Subject: Re: X.509 certificates invalid certiifcates.


On Thu, Jul 15, 2004, [EMAIL PROTECTED] wrote:


 Hi.,
   I am passing the certificates which will be valid for 31 years for
 openssl routines.. but the I need to have implementation that it
 should check only for 30 years..Is there any function available?
 Currently I am calling x509_verify() for this certificate
but it says
 it is valid.How can I check all fields (country, organisation,
 locality, unit) is present in the certificate?


Its not clear what you want to do from this 30/31 years business.
X509_verify() by itself will just check the signature.
X509_verify_cert() will do a more complete chain verification
including extensions and expiry times.

As for checking for the presence of certain fields you can do
that with the X509_NAME API. You could I suppose use the x509
program and parse the textual output but that's a bit yucky.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: d2i_X509() failed.

2004-07-13 Thread sakthi.subramaniam

Hi .,
 Is it possible to have certificates in other formats like PKCS
apart from PEM/DER? In that case how can we convert the PKCS to X509
format? Is there any interface available in openssl? In what way can we
identify the format of the certificate? According to my understanding
DER and PKCS format are the same; if not, correct me.

Thanks a lot for your help.,
Sakthi S G


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakthi
Subramanian (WT01 - EMBEDDED  PRODUCT ENGINEERING SOLUTIONS)
Sent: Tuesday, July 13, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: d2i_X509() failed.


Hi.,
  I am using d2i_x509() function for converting the
certificates from DER to PEM. It is failing at file
:tasn_dec.c  function:asn1_template_ex_d2i() line number 353.
( version 0.9.7c and 0.9.7b also) The DER format buffer
contains valid certificates of 2048 bytes. At the end it has
the sequence of 0xFF  then filled with zeros.

What could be the problem for the cause of d2i_X509() failure?

Thanks and Regards.,
Sakthi  S G


RE: d2i_X509() failed.

2004-07-13 Thread sakthi.subramaniam

Hi.,
 I will be getting the certificates in a buffer in DER format.The buffer
of 2048 bytes contains the following data I am copying the initial few
bytes and then the trailing bytes.:
With the start bytes we can identify as DER format. When I pass this
buffer to d2i_X509() it fails.
-buffer contents starts here ---

- rest of buffer is filled with zeros.

If you need any other information, I can give..Is it possible to have
certificates in other formats apart from PEM/DER? If yes how can I
convert the same?
Thanks Nils for your help..
Sakthi S G



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
Sent: Tuesday, July 13, 2004 4:27 PM
To: [EMAIL PROTECTED]
Subject: Re: d2i_X509() failed.


[EMAIL PROTECTED] wrote:
 Hi .,
  Is it possible that to have certificates in other formats like PKCS
 apart from PEM/DER? In that case how can we convert the PKCS to X509
 format?Is there any interface available on openssl? What way we can
 identify the format of the certificate. According to my
understanding
 DER and PKCS format are same if not correct me.

it would be useful if you could give us an example of the data
your are trying to decode

Cheers,
Nils



RE: d2i_X509() failed.

2004-07-13 Thread sakthi.subramaniam

Attached the cert dump..
What is dumpasn1? How can I take that?

Thanks.,
Sakthi S G

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
Sent: Tuesday, July 13, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: d2i_X509() failed.


[EMAIL PROTECTED] wrote:
 Hi.,
  I will be getting the certificates in a buffer in DER format.The
 buffer of 2048 bytes contains the following data I am copying the
 initial few bytes and then the trailing bytes.: With the start bytes
 we can identify as DER format. When I pass this buffer to d2i_X509()
 it fails. -buffer contents starts here
---


0x30,0x82,0x03,0x67,0x30,0x82,0x02,0x4F,0xA0,0x03,0x02,0x01,0x02,0x02,
 0x

10,0x50,0x01,0x59,0x49,0x40,0xC2,0x76,0xB1,0x94,0x16,0x43,0xEE,
0x8B,0x44
 ,0xA0,0x

can't see something obviously wrong with this, what does
dumpasn1 say ? could you send us the whole data in an attachment ?

Cheers,
Nils
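
The buffer described in this thread is a fixed 2048-byte block holding one DER certificate followed by 0xFF bytes and zeros. As an added example (not code from the thread or from OpenSSL), the C below reads the outer tag and length octets to find how many bytes the encoding really occupies, so that this value rather than the buffer size can be used as the length; der_total_length is a hypothetical helper, and the sample buffer is constructed from the four header bytes quoted above (0x30,0x82,0x03,0x67) with filler content.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example): return the total size in bytes
 * (tag + length octets + content) of the DER element at the start of buf,
 * or 0 if the header is malformed, not minimally encoded, or the element
 * would not fit inside buf_len. */
size_t der_total_length(const unsigned char *buf, size_t buf_len)
{
    size_t hdr, content = 0, n, i;

    if (buf == NULL || buf_len < 2)
        return 0;
    if ((buf[0] & 0x1F) == 0x1F)      /* multi-byte tag numbers not handled */
        return 0;

    if (buf[1] < 0x80) {              /* short form: the octet is the length */
        content = buf[1];
        hdr = 2;
    } else {
        n = buf[1] & 0x7F;            /* long form: n length octets follow */
        if (n == 0)                   /* 0x80 is indefinite length, not DER */
            return 0;
        if (n > sizeof(size_t) || buf_len < 2 + n)
            return 0;
        if (buf[2] == 0x00)           /* leading zero octet: not minimal */
            return 0;
        for (i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        if (content < 0x80)           /* should have used the short form */
            return 0;
        hdr = 2 + n;
    }
    if (content > buf_len - hdr)      /* claimed length exceeds the buffer */
        return 0;
    return hdr + content;
}

/* Constructed sample: the 2048-byte layout described in the thread. Only the
 * four header bytes come from the post; the certificate body is filler. */
size_t demo_padded_buffer(void)
{
    unsigned char buf[2048];

    memset(buf, 0x00, sizeof buf);              /* zero-filled tail */
    buf[0] = 0x30; buf[1] = 0x82; buf[2] = 0x03; buf[3] = 0x67;
    memset(buf + 4, 0xAA, 0x0367);              /* stand-in for the body */
    memset(buf + 4 + 0x0367, 0xFF, 160);        /* run of 0xFF after it */
    return der_total_length(buf, sizeof buf);
}

int main(void)
{
    printf("encoded length: %lu of 2048 bytes\n",
           (unsigned long)demo_padded_buffer());
    return 0;
}
```
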


RE: d2i_X509() failed.

2004-07-13 Thread sakthi.subramaniam

Thanks for the link..
Did you get the dump I have sent?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
Sent: Tuesday, July 13, 2004 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: d2i_X509() failed.


[EMAIL PROTECTED] wrote:
...
 What is dumpasn1? How can I take that?

It's nice ASN.1 tool written by Peter Gutmann, see:
http://www.cs.auckland.ac.nz/~pgut001/

Nils




d2i_X509() failed.

2004-07-12 Thread sakthi.subramaniam
Hi.,
  I am using d2i_x509() function for converting the certificates from
DER to PEM.
It is failing at file :tasn_dec.c  function:asn1_template_ex_d2i() line
number 353. ( version 0.9.7c and 0.9.7b also)
The DER format buffer contains valid certificates of 2048 bytes. At the
end it has the sequence of 0xFF  then filled with zeros.

What could be the problem for the cause of d2i_X509() failure?

Thanks and Regards.,
Sakthi  S G


RE: RSA_verify() - Bad signature error

2004-07-06 Thread sakthi.subramaniam
 Before calling the RSA verify(), I have hashed the message digest got
20 bytes output.
It just works fine!!



-Original Message-
From: Sakthi Subramanian (WT01 - EMBEDDED  PRODUCT 
ENGINEERING SOLUTIONS) 
Sent: Monday, July 05, 2004 6:36 PM
To: '[EMAIL PROTECTED]'
Subject: RSA_verify() - Bad signature error


which message digest alg are you using ? In case you are
using SHA-1 the message digest should be 20 bytes long.
Sakthi yes it is SHA-1 digest. I will be getting the message
digest buffer of 128 bytes and sign buffer of 128 bytes from
the other party. Since I am getting the buffer of size 128
bytes, I presume that it is the message digest length. Is
it correct? Or How can I calculate the message digest length?



Regards.,
Sakthi  S G
_
WIPRO Technologies,
Embedded  Product Engineering Solutions,
Plot No.72, KEONICS Electronics City 
Hosur Main Road, 
Bangalore - 560 100 
Phone : 28520408 or 5122 Extn: 85115 
___
 
