Re: I could use some help

2006-09-14 Thread Joe Gluck
Pehuen, usually that part does not have to do with the CA; it has to do with the creation of the CSR (Certificate Signing Request) (unless it is a self-signed certificate like your CA itself). When creating the request for a server you should put the full domain name as the Common Name that should

Re: OPENSSL_gmtime on platforms that don't have a safe gmtime function

2006-08-12 Thread Joe Gluck
All, David came up with a solution that looks to me like something that would be really nice: he suggested that OpenSSL would allow the developer to register a callback function to do the unsafe functions. However, while he thinks OpenSSL should default to the OS 'best' function available, I am

OPENSSL_gmtime on platforms that don't have a safe gmtime function

2006-08-11 Thread Joe Gluck
The OPENSSL_gmtime in o_time.c (which gets called from other places like ASN1_UTCTIME_cmp_time_t in a_utctm.c) does not use the safe version of gmtime on lots of platforms, including: OPENSSL_SYS_WIN32, OPENSSL_SYS_OS2, __CYGWIN32__, OPENSSL_SYS_MACOSX, OPENSSL_SYS_SUNOS. This could cause problems in

Re: Convert x509 der to x509 pem

2006-04-03 Thread Joe Gluck
You should use something like this: FILE * file = NULL; X509 * cert = NULL; /* Open the DER file */ file = fopen(der_file_name, "rb"); /* load it into an X509 object */ cert = d2i_X509_fp(file, NULL); fclose(file); file = fopen(pem_file_name, "w"); /* write the X509 object to a PEM file */ int
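What PEM_write_X509 produces for the X509 object above is nothing more than the DER bytes, base64-encoded in 64-column lines between BEGIN/END CERTIFICATE markers. The following is an added example, not code from this thread or from OpenSSL: it frames a DER buffer as PEM in plain C with no OpenSSL dependency, after first checking that the buffer's outer DER header is a SEQUENCE whose definite, minimally encoded length covers exactly the input, which is a cheap sanity check to run on a file before handing it to d2i_X509. The 8-byte SEQUENCE used as input is a constructed stand-in for a certificate, not one produced by OpenSSL, and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: SEQUENCE { INTEGER 1, INTEGER 2 }.
 * Only the outer TLV matters for the framing check below. */
const unsigned char SAMPLE_DER[] = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
const size_t SAMPLE_DER_LEN = sizeof SAMPLE_DER;

/* Returns 1 if der[0..len) starts with a DER SEQUENCE header whose
 * definite, minimally encoded length covers exactly the rest of the buffer;
 * 0 otherwise (truncated file, trailing garbage, BER-style lengths). */
int der_outer_sequence_ok(const unsigned char *der, size_t len)
{
    size_t hdr, content = 0, n, i;
    if (len < 2 || der[0] != 0x30) return 0;
    if (der[1] < 0x80) {                 /* short form: one length byte */
        content = der[1];
        hdr = 2;
    } else {                             /* long form: 0x80|n, then n bytes */
        n = der[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return 0;
        for (i = 0; i < n; i++) content = (content << 8) | der[2 + i];
        if (der[2] == 0 || (n == 1 && content < 0x80)) return 0; /* not minimal */
        hdr = 2 + n;
    }
    return hdr + content == len;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Writes the PEM encoding of a DER certificate into out (capacity cap):
 * BEGIN line, base64 body wrapped at 64 columns, END line, NUL terminator.
 * Returns the number of characters written, or -1 if the DER header is
 * malformed or out is too small. */
int der_to_pem(const unsigned char *der, size_t len, char *out, size_t cap)
{
    const char *head = "-----BEGIN CERTIFICATE-----\n";
    const char *tail = "-----END CERTIFICATE-----\n";
    size_t b64len = 4 * ((len + 2) / 3);
    size_t lines = (b64len + 63) / 64;
    size_t need = strlen(head) + b64len + lines + strlen(tail) + 1;
    size_t i, col = 0, o = 0;

    if (!der_outer_sequence_ok(der, len) || cap < need) return -1;
    memcpy(out + o, head, strlen(head));
    o += strlen(head);
    for (i = 0; i < len; i += 3) {
        unsigned v = (unsigned)der[i] << 16;
        if (i + 1 < len) v |= (unsigned)der[i + 1] << 8;
        if (i + 2 < len) v |= der[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < len ? B64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < len ? B64[v & 63] : '=';
        col += 4;
        if (col == 64 || i + 3 >= len) {  /* wrap at 64 columns and at end */
            out[o++] = '\n';
            col = 0;
        }
    }
    memcpy(out + o, tail, strlen(tail));
    o += strlen(tail);
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char pem[256];
    int n = der_to_pem(SAMPLE_DER, SAMPLE_DER_LEN, pem, sizeof pem);
    if (n < 0) {
        fputs("input is not a well-formed DER SEQUENCE\n", stderr);
        return 1;
    }
    fputs(pem, stdout);
    return 0;
}
```

The header check is deliberately strict: a length that does not match the file size is the usual symptom of a truncated download or of a DER file with trailing bytes appended, and a non-minimal length byte means the input is BER rather than DER, both of which d2i_X509 would also reject.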

Small exponent in RSA public keys

2006-02-16 Thread Joe Gluck
Hi all, after reading a lot on small exponents in RSA public keys, it seems to me that the issue only exists if I am not using libraries like OpenSSL for signing, but if I use RSA_Sign or EVP_Sign they implement PKCS#1 and that solves that problem even if I sign the same plaintext e times. So if I

Adding Random bytes in DES Triple-DES?

2006-02-03 Thread Joe Gluck
Hey, if I don't feed some random bytes (as data to encrypt, not as IV) to the Triple-DES, is that a weakness? I think I should add at least 1 block size of random bytes (64 bit, 8 bytes) to make sure that one-repeated-character padding will not be added in the first block. Thanks, Joe

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-31 Thread Joe Gluck
1. I don't expect anything developed specially for me, I was just wondering if there is anyone out there that knew about a function that already exists and does it. 2. I am not designing a system to break in 10 years, I am thinking of better performance for the time until we need to find a

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-31 Thread Joe Gluck
PROTECTED] wrote: Joe Gluck wrote: 1. I don't expect anything developed specially for me, I was just wondering if there is anyone out there that knew about a function that already exists and does it. 2. I am not designing a system to break in 10 years, I am thinking of better performance

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-30 Thread Joe Gluck
I will not get certificates today for after 2045 because the certificates that I am checking are certificates that already passed a validation check and have been inserted into my cache system; therefore it is a certificate signed by our own system, which does not sign for more than 25 years. Most are

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-30 Thread Joe Gluck
of a certificate in text format, and a C function to turn that into a time_t. Will that do what you need? -Kyle H On 1/30/06, Joe Gluck [EMAIL PROTECTED] wrote: I will not get certificates today for after 2045 because the certificates that I am checking are certificates that already passed

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-29 Thread Joe Gluck
it to a number that represents 1 hour, I thought instead I can get the time and compare it to the time_t of the expiration that I already saved (maybe a year ago in the cache). Thanks Joe On 1/29/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Sat, Jan 28, 2006, Joe Gluck wrote: Any ideas

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-28 Thread Joe Gluck
something that a lot of people end up misconfiguring on their systems. On 1/27/06, Joe Gluck [EMAIL PROTECTED] wrote: Hi all, I have a certificate with dates represented as GMT time. I am trying to get those times as GMT in a time_t format, is this ok? ASN1_TIME * not_after; time_t

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-28 Thread Joe Gluck
gettimeofday)? (See first message in thread) Thanks Joe On 1/28/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Fri, Jan 27, 2006, Joe Gluck wrote: Does someone have any idea about this? It looks like it fell out through the night. The comment in there explains fairly well why

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-28 Thread Joe Gluck
. Stephen Henson [EMAIL PROTECTED] wrote: On Sat, Jan 28, 2006, Joe Gluck wrote: Thank you for all your replies but the gettimeofday I already use, but it was not what I was asking in the original message. What I asked is how can I get the ASN1_integer into a time_t to be able to compare

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-28 Thread Joe Gluck
On 1/28/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Sat, Jan 28, 2006, Joe Gluck wrote: My mistake it was ASN1_TIME that is correct. But any way, I don't see a reason why I should not be able to convert it, if I don't care for milliseconds, time_t can represent times for up

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-28 Thread Joe Gluck
own code. Read the man pages for more information on how you can exploit this feature. -Kyle H On 1/28/06, Joe Gluck [EMAIL PROTECTED] wrote: I can't change the TZ because it will affect the entire system and it is a production system running on client sites, so I can't just change

does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-27 Thread Joe Gluck
Hi all, I have a certificate with dates represented as GMT time. I am trying to get those times as GMT in a time_t format, is this ok? ASN1_TIME * not_after; time_t expire; not_after = X509_get_notAfter(cert); /* cert is an X509 object */ expire = ASN1_UTCTIME_get(not_after); will the expire hold

Re: does ASN1_UTCTIME_get() changes by local time zone settings

2006-01-27 Thread Joe Gluck
Does someone have any idea about this? It looks like it fell out through the night. On 1/27/06, Joe Gluck [EMAIL PROTECTED] wrote: Hi all, I have a certificate with dates represented as GMT time. I am trying to get those times as GMT in a time_t format, is this ok? ASN1_TIME * not_after
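Both the OPENSSL_gmtime thread above and this one come down to the same job: turning an X.509 validity time into seconds since the epoch without touching the process time zone and without the non-re-entrant gmtime(). The block below is an added example, not code from these threads or from OpenSSL. It parses the two string forms RFC 5280 allows in a certificate's notBefore/notAfter, UTCTime "YYMMDDHHMMSSZ" (with the RFC 5280 pivot that reads YY < 50 as 20YY and YY >= 50 as 19YY) and GeneralizedTime "YYYYMMDDHHMMSSZ", into a 64-bit epoch count using pure calendar arithmetic, and supplies a re-entrant gmtime replacement that writes into a caller-owned struct. The function and struct names are the example's own; it uses int64_t rather than time_t so dates past 2038 survive on platforms where time_t is 32 bits; and the sample strings are constructed, not taken from any real certificate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Broken-down UTC time filled by epoch_to_utc(): a caller-owned struct
 * instead of gmtime()'s static buffer, so it is safe across threads. */
struct utc_tm { int year, mon, day, hour, min, sec; };

/* Days from 1970-01-01 to y-m-d in the proleptic Gregorian calendar.
 * Integer arithmetic only: no TZ, no locale, no mktime(). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    int64_t era, yoe, doy, doe;
    y -= m <= 2;                               /* count the year from March */
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;                       /* year of era [0, 399] */
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Inverse of days_from_civil(). */
static void civil_from_days(int64_t z, int *y, int *m, int *d)
{
    int64_t era, doe, yoe, doy, mp;
    z += 719468;
    era = (z >= 0 ? z : z - 146096) / 146097;
    doe = z - era * 146097;
    yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    mp = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)(yoe + era * 400 + (*m <= 2));
}

static int two_digits(const char *s, int *out)
{
    if (s[0] < '0' || s[0] > '9' || s[1] < '0' || s[1] > '9') return 0;
    *out = (s[0] - '0') * 10 + (s[1] - '0');
    return 1;
}

/* Parses an X.509 validity time as RFC 5280 profiles it: UTCTime
 * "YYMMDDHHMMSSZ" (is_generalized == 0) or GeneralizedTime "YYYYMMDDHHMMSSZ"
 * (is_generalized != 0). Both are always UTC, so the result does not depend
 * on the process time zone. Returns 0 and stores seconds since the epoch in
 * *epoch, or -1 if the string is malformed. */
int x509_time_to_epoch(const char *s, int is_generalized, int64_t *epoch)
{
    int year, yy, mon, day, hh, mm, ss, y2, m2, d2;
    int64_t days;
    size_t want = is_generalized ? 15 : 13;

    if (strlen(s) != want || s[want - 1] != 'Z') return -1;
    if (is_generalized) {
        int century;
        if (!two_digits(s, &century) || !two_digits(s + 2, &yy)) return -1;
        year = century * 100 + yy;
        s += 4;
    } else {
        if (!two_digits(s, &yy)) return -1;
        year = yy >= 50 ? 1900 + yy : 2000 + yy; /* RFC 5280 4.1.2.5.1 pivot */
        s += 2;
    }
    if (!two_digits(s, &mon) || !two_digits(s + 2, &day) ||
        !two_digits(s + 4, &hh) || !two_digits(s + 6, &mm) ||
        !two_digits(s + 8, &ss))
        return -1;
    if (mon < 1 || mon > 12 || day < 1 || hh > 23 || mm > 59 || ss > 59)
        return -1;
    /* Round-trip the date so impossible days (Feb 30) are rejected. */
    days = days_from_civil(year, mon, day);
    civil_from_days(days, &y2, &m2, &d2);
    if (y2 != year || m2 != mon || d2 != day) return -1;

    *epoch = days * 86400 + hh * 3600 + mm * 60 + ss;
    return 0;
}

/* Re-entrant gmtime() replacement: splits an epoch count into UTC fields. */
void epoch_to_utc(int64_t epoch, struct utc_tm *out)
{
    int64_t days = epoch / 86400, rem = epoch % 86400;
    if (rem < 0) { rem += 86400; days--; }     /* floor division pre-1970 */
    civil_from_days(days, &out->year, &out->mon, &out->day);
    out->hour = (int)(rem / 3600);
    out->min = (int)(rem % 3600 / 60);
    out->sec = (int)(rem % 60);
}

int main(void)
{
    /* Constructed notAfter strings, not from any real certificate. */
    const char *samples[] = { "060131235959Z", "491231235959Z", "500101000000Z" };
    size_t i;
    for (i = 0; i < 3; i++) {
        int64_t t;
        struct utc_tm u;
        if (x509_time_to_epoch(samples[i], 0, &t) != 0) return 1;
        epoch_to_utc(t, &u);
        printf("%s -> %lld -> %04d-%02d-%02d %02d:%02d:%02dZ\n", samples[i],
               (long long)t, u.year, u.mon, u.day, u.hour, u.min, u.sec);
    }
    return 0;
}
```

The third sample shows the pivot that matters for long-lived CA certificates: "500101000000Z" is 1950, not 2050, so anything expiring in 2050 or later has to be encoded as GeneralizedTime, and a parser that only accepts 13-character UTCTime strings will reject it rather than silently mis-date it.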

Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
Hi, I am trying to compare two certificates by comparing their public keys. Just to give a reference I designed a certificate cache for verifying signatures (no private keys), every new certificate goes through the full verify process, check issuer path, and check signature (X509_verify()) and

Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
, (unless that hash also is done automatically when loading the cert into the X509 before calling the compare function. Thanks, Joe On 1/26/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Thu, Jan 26, 2006, Joe Gluck wrote: Hi, I am using OpenSSL and although they have the X509_cmp

Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
on it with the one already in my cache. Thanks, Joe On 1/26/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Thu, Jan 26, 2006, Joe Gluck wrote: That is good to know, and I assumed it will hash only once, but I want to skip that one time as well, and have the verification done only once

Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
: On Thu, Jan 26, 2006, Joe Gluck wrote: That is great to know because I did not know if while loading the certificate it parses the fields and hashes or just loads it. It parses most fields. The public key and extension parts aren't parsed until a call is explicitly made to parse them

Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
but those we clear anyway before decoding the base64, so after this process it is guaranteed to be the same exact PEM file. And there is only one system that will create the original PEM file so I don't think that is an issue. Joe On 1/26/06, Lev Walkin [EMAIL PROTECTED] wrote: Joe Gluck wrote

Re: Comparing certificates, with out rehashing (compare public keys - issuer and serial number)

2006-01-26 Thread Joe Gluck
I was also concerned about someone messing with the headers or any other field, but those checks I did only after the public key did not match, because if the public key matches one in the cache and the one in the cache is fully verified, then I don't care for additional checks. And if it