Re: verify certificate - not from a file
Patrick Patterson wrote:
On November 23, 2008 10:57:55 pm ThanhTrung Do wrote:
From: Itay Dagan [EMAIL PROTECTED]
Subject: verify certificate - not from a file
To: openssl-dev@openssl.org
Date: Monday, November 24, 2008, 12:37 AM
Hi Guys
I am new in openssl - so hopfully I am not bringing up an
old issue :
I am trying to verify a certificate that I am saving as
string in a random place on my PC memory.
I know that there is the
"SSL_CTX_load_verify_locations()" that verify
certificate from a file or a path.
My Q is :
Does openssl supports taking certificate not from a file or
path but from a place in the memory ?
meaning - A function that gets a char* - reads the
certificate from that location and verifying it.
appreciate your help :)
I have the same need too, highly appreciate your helps.
Something like the following should work if the certificate is in PEM format.
(note: this is example only - the below code is probably full of errors,
because I just zen'd it from memory). I'm sure that Steve or one of the other
guru's will correct any problems :)
char certbuf = "PEM-ENCODED-CERTIFICATE";
BIO *bufbio = BIO_new(BIO_s_mem());
int len = BIO_puts(bufbio , certbuf);
X509 *cert = X509_new();
PEM_read_bio_X509(bufbio, cert, NULL, NULL);
If the Cert is already in DER format, just use the d2i_X509() function to read
it into the OpenSSL internal representation.
Have fun.
As Patrick wrote you can load a certificate into X509 structure, but
after that you need to validate it with other facilities such as
functions implemented in X509_STORE set. You can find a simple code
below to load both PEM and DER certificate into a X509 structure.
int loadFromMemory(char *buf, int bufLen)
{
BIO *bp = NULL;
X509 *cert = NULL;
#define retFree(x) do { \
if(bp) \
BIO_free(bp); \
if(cert) \
X509_free(cert); \
return x; \
} while(0);
if(!buf || bufLen 1)
return 1;
bp = BIO_new(BIO_s_mem());
if(!bp)
return 2;
cert = X509_new();
if(!cert)
retFree(3);
if(!BIO_write(bp, buf, bufLen))
retFree(4);
cert = PEM_read_bio_X509(bp, NULL, NULL);
if(!cert) {
BIO_free(bp);
bp = BIO_new(BIO_s_mem());
if(!bp)
retFree(5);
if(!BIO_write(bp, (char *) buf, bufLen))
retFree(6);
cert = d2i_X509_bio(bp, NULL);
}
BIO_free(bp);
if(!cert)
retFree(7);
return 0;
}
Regards,
Shahin Khorasani
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: pubkey format
Hi, You can download simple utility to transform PKCS#1 RSA public key to opnessh public key format from here: http://www.parssign.com/openssh_pk_linux.tar.gz It is free to use and linked statically on Linux (must works on most distributions) Regards, Shahin Khorasani Dhiva wrote: openssl x509 -in sample.pem -pubkey -noout What is the format of the pubkey ? How can i convert or transform this key to ssh-rsa format? I am talking about the ssh keys that are available in authorized_keys file. Or Does openssl has any tools to manage the pubkey ? like dismantle and assemble again. thanks dhiva __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: pubkey format
Sorry, the source code is not available. but you can write a customized application (Mounir explained the format properly) - Shahin Khorasani Kyle Hamilton wrote: Can the source be made available? I would like to use it on MacOSX. -Kyle H On Fri, Dec 19, 2008 at 11:43 PM, Shahin Khorasani khoras...@amnafzar.com wrote: Hi, You can download simple utility to transform PKCS#1 RSA public key to opnessh public key format from here: http://www.parssign.com/openssh_pk_linux.tar.gz It is free to use and linked statically on Linux (must works on most distributions) Regards, Shahin Khorasani Dhiva wrote: openssl x509 -in sample.pem -pubkey -noout What is the format of the pubkey ? How can i convert or transform this key to ssh-rsa format? I am talking about the ssh keys that are available in "authorized_keys" file. Or Does openssl has any tools to manage the pubkey ? like dismantle and assemble again. thanks dhiva __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: verify certificate - not from a file
Hi Itay,
I'm just a user/fan of curl project but I did not read the api
documentation or source code.
Anyway you can get free ssl certificates from this site:
http://www.parssign.com/e-index.html and try them.
Regrads,
Shahin Khorasani
Itay Dagan wrote:
Hi Shahin
Thanks again for your advise
still have some problems to get it work with curl
when writing :
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl,CURLOPT_SSL_CTX_FUNCTION, Connector::loadFromMemory); //suppose to load the certificate
curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, TRUE);
ret = curl_easy_perform(curl);
..."
It behaves like no certificate has been uploaded to the database (looking for certificate path)
Is there another way to way to verify the certificate.
thanks :)
Itay
As Patrick wrote you can load a certificate into X509 structure, but after that you need to validate it with other facilities such as functions implemented in X509_STORE set. You can find a simple code below to load both PEM and DER certificate into a X509 structure.
intloadFromMemory(char *buf, int bufLen)
{
BIO *bp = NULL;
X509 *cert = NULL;
#define retFree(x) do { \
if(bp) \
BIO_free(bp); \
if(cert) \
X509_free(cert); \
return x; \
} while(0);
if(!buf || bufLen 1)
return 1;
bp = BIO_new(BIO_s_mem());
if(!bp)
return 2;
cert = X509_new();
if(!cert)
retFree(3);
if(!BIO_write(bp, buf, bufLen))
retFree(4);
cert = PEM_read_bio_X509(bp, NULL, NULL);
if(!cert) {
BIO_free(bp);
bp = BIO_new(BIO_s_mem());
if(!bp)
retFree(5);
if(!BIO_write(bp, (char *) buf, bufLen))
retFree(6);
cert = d2i_X509_bio(bp, NULL);
}
BIO_free(bp);
if(!cert)
retFree(7);
return 0;
}
Regards,
Shahin Khorasani
Patrick Patterson wrote:
On November 23, 2008 10:57:55 pm ThanhTrung Do wrote:
Something like the following should work if the certificate is in PEM format.
(note: this is example only - the below code is probably full of errors,
because I just zen'd it from memory). I'm sure that Steve or one of the other
guru's will correct any problems :)
char certbuf = "PEM-ENCODED-CERTIFICATE";
BIO *bufbio = BIO_new(BIO_s_mem());
int len = BIO_puts(bufbio , certbuf);
X509 *cert = X509_new();
PEM_read_bio_X509(bufbio, cert, NULL, NULL);
If the Cert is already in DER format, just use the d2i_X509() function to read
it into the OpenSSL internal representation.
Have fun.
From: Itay Dagan [EMAIL PROTECTED]
Subject: verify certificate - not from a file
To: openssl-dev@openssl.org
Date: Monday, November 24, 2008, 12:37 AM
Hi Guys
I am new in openssl - so hopfully I am not bringing up an
old issue :
I am trying to verify a certificate that I am saving as
string in a random place on my PC memory.
I know that there is the
"SSL_CTX_load_verify_locations()" that verify
certificate from a file or a path.
My Q is :
Does openssl supports taking certificate not from a file or
path but from a place in the memory ?
meaning - A function that gets a char* - reads the
certificate from that location and verifying it.
appreciate your help :)
I have the same need too, highly appreciate your helps.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: Get root certificates from System Store of Windows
try this
#include WinCrypt.h
static void ossl_x509store_add_certs_win(X509_STORE *store)
{
HCERTSTORE hStore;
PCCERT_CONTEXT pContext = NULL;
X509 *x509;
hStore = CertOpenSystemStore(0, "ROOT");
if(!hStore)
return;
while (pContext = CertEnumCertificatesInStore(hStore, pContext))
{
x509 = NULL;
x509 = d2i_X509(NULL,
pContext-pbCertEncoded, pContext-cbCertEncoded);
if (x509)
{
X509_STORE_add_cert(store, x509);
X509_free(x509);
}
}
CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
}
Shahin Khorasani
NARUSE, Yui wrote:
On Unix, we can use X509_STORE_set_default_paths(store)
to load root certificates provided by the system
But on Windows, its certificates aren't provided as a file.
So it should be required another way.
Following is a concept code (use Crypt32.dll):
#include WinCrypt.h
/* http://msdn.microsoft.com/en-us/library/aa380252(VS.85).aspx */
static void
ossl_x509store_add_certs_win(X509_STORE *store)
{
HCERTSTORE hStore;
PCCERT_CONTEXT pContext = NULL;
hStore = CertOpenSystemStore(0, "ROOT");
if(!hStore) return;
while (pContext = CertEnumCertificatesInStore(hStore, pContext)) {
BIO *in = BIO_new_mem_buf(pContext-pbCertEncoded, pContext-cbCertEncoded);
if (!in) continue;
X509 *x509 = d2i_X509_bio(in, NULL);
BIO_free(in);
if (x509) {
X509_STORE_add_cert(store, x509);
X509_free(x509);
}
}
CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
}
I want to merge this to OpenSSL, but I can't propose suitable API.
Thoughts?
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: SSL / zlib compression
Adayadil Thomas wrote: Greetings. I have an SSL session in which the client and server has negotiated for cipherSuite SSL_RSA_WITH_RC4_128_MD5 compressionMethodzlib-compression Now, is the zlib-compression applied before encryption or after ? data - zlib-compression - encryption == decrypt - zlib-inflate- data or data - encryption - zlib-compression == zlib-inflate- decrypt - data Thanks Ashley Thomas __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] Ashly look at RFC 2246 , The TLS Record Protocol part certainly u see this : optionally compresses the data, applies a MAC, encrypts, and transmits the result compression is an optional layer (i think no compression used in well-known ssl implementation) and ur question answer : zlib-compression - encryption regards __ Shahin Khorasani PKI Dept. Sharif SecureWare Co. www.parssign.com __ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Web-of-trust authentication in OpenSSL.
Dr Bob wrote: Dear OpenSSL developers, I've been developing an private peer-to-peer application based on OpenSSL (Thank you, to all the developers who have put time into OpenSSL) Initially I used X509 certificates for the authentication between peers, However I quickly realised that a hierarchical certificate structure was not ideal, and that a Web of Trust system would be required. So I've implemented an web-of-trust style authentication system inside OpenSSL. It is basically a combination of OpenPGP style certificates and SSL3/TSL1 connection After 6+ months of work, I've finished the first working prototype. and would like to share it with the OpenSSL developers of the world (and contribute back). Hence this email! So: (1) Is OpenSSL interested in including this work into the code base (provided its up-to-scratch etc...) ? (2) If so, is there anyone who could [guide/help] me to clean it up and correctly merge the code? (3) What are the procedures for doing so (I'm new around here) I haven't put the code on the website yet, (soon... there is never enough time to get everything done). but you can see it at work in my application: RetroShare available at http://www.lunamutt.com. Looking forward to any comments. Thanks. Mark. --- More information about the implementation follows. The work was done on openssl-0.9.7g, and consisted of the following modifications: (a) define a ASN1 web-of-trust certificate (a XPGP Certificate) + implement helper functions. (b) create a XPGP_method() derived from the ssl3 methods. This effectively uses the XPGP certificate instead of the X509 certificate. (all the rest is the same) (c) create a web-of-trust authentication system. Most of the implementation fits in nicely with the rest of openSSL. The most significant issues are: (1) the SSL part of OpenSSL does not allow alternative certificate types, I therefore transformed CERT into a union. (I'm all ears for alternatives) (2) The Authentication System is current rather crude and inefficient, and is not connected to the STOREs in anyway. (probably needs a redesign) (3) the Certificate Definition needs to be checked. (would like to make it compatible with GPG/OpenPGP etc) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] Dear DR Bob i installed retroshare on windows some questions : whats the gui library name why retroshare uses selfsigned pgp certificate . how can i find more people usinn this software regrads __ Shahin Khorasani PKI Dept. Sharif SecureWare Co. www.parssign.com __ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1400] spurious CRs in S/MIME clearsigned mails
Roumen Petrov wrote: Bruno Kozlowski via RT wrote: [SNIP] The resulting mailfile has mixed EOLs: Most lines end in LF, but 3 lines end in CRLF: | $ cat -A mailfile | grep \^M | Content-Type: text/plain^M$ | ^M$ | some text^M$ I think that this is correct - EOL for emails(headers, empty line, body) is CRLF, but at moment I cannot point to RFC. [SNIP] Roumen --- dear roumen the rfc you pointed them, are : rfc2045, rfc2311 , rfc3850(3854) regrads __ Shahin Khorasani PKI Dept. Sharif SecureWare Co. www.parssign.com __ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: how to generate RSA format data?
Hello hunter,
Your raw data seems to be a RSA public key modulus.
A public key in ASN.1 must have an algorithm identifier and an exponent.
Take a look at this sample:
raw data is (hexdump):
8230 2201 0d30 0906 862a 8648 0df7 0101
0501 0300 0182 000f 8230 0a01 8202 0101
d200 808c f87b cf63 7cb3 2cff 43dd 5cf5--- You just
provided this part
7def d1f5 adaa 0944 87ea f398 a654 b36d
2303 4d68 e9fa fd46 9171 0f97 2960 cd1e
6045 21aa 6986 44e2 679f 5a07 bbf9 157e
82e2 82a8 5f42 7cee 4af6 7c1a e53d 05a3
cf9a fc6a a0d9 6850 64f1 a6af f6fe c61c
f39f ba1e cb31 c734 5c2f 4937 5383 4de5
7b29 010a 2f86 41ab 00af 2ce3 3a48 3d19
41c2 3196 455d 219b d1a0 9600 a107 65a7
f195 aacd a105 3c71 fc7f 9c58 5825 6bd7
ffe7 8d47 6c3d de2a 2779 489f 2641 ed81
9f54 62e2 c4ed 893d e0bf 3678 a8c9 6573
bda9 9b1f acb1 6634 9375 48bf ef82 887c
0e08 6b68 b6f3 8170 bda0 f8a7 2e1b 023d
5309 a755 e68e e014 cffd 9610 857a 3ffb
f569 344c 7ea7 2520 d33f 0084 a9ca eaf6
028f 0103 0100
Gutman ASN1 dumper output:
0 290: SEQUENCE {
4 13: SEQUENCE {
6 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
17 0: NULL
: }
19 271: BIT STRING, encapsulates {
24 266: SEQUENCE {
28 257: INTEGER
: 00 D2 8C 80 7B F8 63 CF B3 7C FF 2C DD 43 F5 5C
: EF 7D F5 D1 AA AD 44 09 EA 87 98 F3 54 A6 6D B3
: 03 23 68 4D FA E9 46 FD 71 91 97 0F 60 29 1E CD
: 45 60 AA 21 86 69 E2 44 9F 67 07 5A F9 BB 7E 15
: E2 82 A8 82 42 5F EE 7C F6 4A 1A 7C 3D E5 A3 05
: 9A CF 6A FC D9 A0 50 68 F1 64 AF A6 FE F6 1C C6
: 9F F3 1E BA 31 CB 34 C7 2F 5C 37 49 83 53 E5 4D
: 29 7B 0A 01 86 2F AB 41 AF 00 E3 2C 48 3A 19 3D
: C2 41 96 31 5D 45 9B 21 A0 D1 00 96 07 A1 A7 65
: 95 F1 CD AA 05 A1 71 3C 7F FC 58 9C 25 58 D7 6B
: E7 FF 47 8D 3D 6C 2A DE 79 27 9F 48 41 26 81 ED
: 54 9F E2 62 ED C4 3D 89 BF E0 78 36 C9 A8 73 65
: A9 BD 1F 9B B1 AC 34 66 75 93 BF 48 82 EF 7C 88
: 08 0E 68 6B F3 B6 70 81 A0 BD A7 F8 1B 2E 3D 02
: 09 53 55 A7 8E E6 14 E0 FD CF 10 96 7A 85 FB 3F
: 69 F5 4C 34 A7 7E 20 25 3F D3 84 00 CA A9 F6 EA
: 8F
289 3: INTEGER 65537
: }
: }
: }
Regards,
Shahin Khorasani
hunter li wrote:
Hi, All,
I have the following code to generate the RSA data. But it always gives
me error:
5049:error:0906D064:lib(9):func(109):reason(100):pem_lib.c:756.
I do appreciate any suggestion!
#include stdio.h
#include stdlib.h
#include stdint.h
#include string.h
#include openssl/bio.h
#include openssl/rsa.h
#include openssl/pem.h
#include openssl/err.h
int main(void)
{
RSA *public_key;
BIO *pub_bio;
char *publicKey_test = "-BEGIN PUBLIC
KEY-\nOTJjM2I3NTJmMmZlMzhkOTZjOTI2MjIxNzc0NjllNzM\
MWExMDk5MmZkNWY3MWE0N2JlMzRhMzcxMDZkZDNkMTk\
ZTUzNDc4OTY4OWQzM2FlYWRjMmQ2NWEzNGM5NjdjYzg\
ODQzMzNhNDI4YjEyODRjZmQ0ZGNkZjVjM2UyNDU5Njk\
NzNmMDAyZGEyMjIxZGM3NGM3NjdhYzZkYWIzYjc1YmE\
MzAwZmZlNzcxZmIzMGJhZTBhMzQ4OGUxYTBhYzU0MmI\
N2EwOTVlZWIzMzg1MWMwZWM2N2YwNDMzMzE3MTdkOTU\
ZjM2ZmFlM2NiMDI3MTdhMjQxNjc3YTRkNTI4ODNhZDM\
MzQ3ODE1N2IzZDcwODk0YjVmYzI3MTI5NmU4MjViOTU\
Y2Q1NTQ3M2ZlMWY5MzgzYmZjZTkzN2YyNmRhNjliOTY\
OGE0MjA4YzBiOTU1NDAyNDM1ZTcwYjY0NDE1OTE2MmE\
YjFmNmU4ODA5YTAwMWI2N2MwNDE4NzU3NWEwMGNkN2Q\
OTU0YTcxNzkyZTJiZjlhYjcxOTk1NzdmYjc2NWI3YjQ\
OWNmOGJmYjM3MGQxNDMxZGE3OGYwMTU4ODEwY2Y5OTI\
MWUxMzAyMzUzNTFmNjUyMjU4NjkzNjM3MTU1YmUyMzU\
NTQyYjhlYTIzMzI2NTE0ZTAzOGVlZjM4ZDVjZTBmNzc=\n-END PUBLIC KEY-";
pub_bio = BIO_new_mem_buf(publicKey_test, -1);
if(pub_bio == NULL) {
ERR_print_errors_fp(stdout);
return 1;
}
public_key = PEM_read_bio_RSA_PUBKEY(pub_bio, NULL, NULL, NULL);
if(public_key == NULL) {
ERR_print_errors_fp(stdout);
}
RSA_free(public_key);
return 0;
}
Here I try to convert the following public key raw data into PEM format.
I encode the data into base64 and add"-BEGIN PUBLIC KEY-",
"END PUBLIC KEY-".
The raw data is as following 256 Bytes:
92 c3 b7 52 f2 fe 38 d9 6c 92 62 21 77 46 9e 73
1a 10 99 2f d5 f7 1a 47 be 34 a3 71 06 dd 3d 19
e5 34 78 96 89 d3 3a ea dc 2d 65 a3 4c 96 7c c8
84 33 3a 42 8b 12 84 cf d4 dc df 5c 3e 24 59 69
73 f0 02 da 22 21 dc 74 c7 67 ac 6d ab 3b 75 ba
30 0f fe 77 1f b3 0b ae 0a 34 88 e1 a0 ac 54 2b
7a 09 5e eb 33 85 1c 0e c6 7f 04 33 31 71 7d 95
f3 6f ae 3c b0 27 17 a2 41 67 7a 4d 52 88 3a d3
34 78 15 7b 3d 70 89 4b 5f c2 71 29 6e 82 5b 95
cd 55 47 3f e1 f9 38 3b fc e9 37 f2 6d a6 9b 96
8a 42 08 c0 b9 55 40 24 35 e7 0b 64 41 59 16 2a
b1 f6 e8 80 9a 00 1b 67 c0 41 87 57 5a 00 cd 7d
95 4a 71 79 2e 2b f9 ab 71 99 57 7f b7 65 b7 b4
9c f8 bf b3 70 d1 43 1d a7 8f 01 58 81 0c f9 92
1e 13 02 35 35 1f 65 22 58 69 36 37 15 5b e2 35
54 2b 8e a2 33 26 51 4e 03 8e ef 38 d5 ce 0f 77
Thank you in advance!
Hunter
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
