Re: bug in PKCS7_free ?
This is another example of the problem I highlighted a few days ago. You need to be very careful with which getter methods return a new instance (or inc the ref count), and which ones do not. Definitely not a bug but a matter of consistency.

Nils Larsch wrote:
> Alexandre Belloni wrote:
>> Hi,
>>
>> I'm trying to build a PKCS7 enveloped data (encrypted) but when I'm
>> done with the PKCS7 structure and I try to free it (calling PKCS7_free)
>> I keep getting an "access violation accessing 0xfeeefef6".
>>
>> I'm using openssl 0.9.8 under windows XP (win32).
>>
>> Code is attached.
>
> ...
>>     cert = PKCS7_cert_from_signer_info(p7, si);
>>     if (cert == NULL) {
>>         ret = -1;
>>         goto err;
>>     }
> ...
>>     if (cert != NULL)
>>         X509_free(cert);
>>     if (p7 != NULL)
>>         PKCS7_free(p7);
>
> this doesn't work as PKCS7_cert_from_signer_info doesn't increase
> the reference counter and hence you free the cert twice ...
>
> Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: bug in PKCS7_free ?
Alexandre Belloni wrote:
> Hi,
>
> I'm trying to build a PKCS7 enveloped data (encrypted) but when I'm
> done with the PKCS7 structure and I try to free it (calling PKCS7_free)
> I keep getting an "access violation accessing 0xfeeefef6".
>
> I'm using openssl 0.9.8 under windows XP (win32).
>
> Code is attached.

...
>     cert = PKCS7_cert_from_signer_info(p7, si);
>     if (cert == NULL) {
>         ret = -1;
>         goto err;
>     }
...
>     if (cert != NULL)
>         X509_free(cert);
>     if (p7 != NULL)
>         PKCS7_free(p7);

this doesn't work as PKCS7_cert_from_signer_info doesn't increase
the reference counter and hence you free the cert twice ...

Nils
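The double free diagnosed in the reply above, shown as an added example that is not part of the original thread and is not OpenSSL code. It is a constructed model: `cert_t`, `p7_t` and every function name are hypothetical stand-ins, with `p7_get_signer` given the borrowed-reference behaviour the reply attributes to `PKCS7_cert_from_signer_info`.

```c
#include <stdio.h>
/* Constructed model of the ownership bug; none of these names are OpenSSL's. */
typedef struct { int refs; } cert_t;        /* refs == 0: storage already released */
typedef struct { cert_t *signer; } p7_t;    /* the container owns one reference */
static int bad_frees;                       /* frees attempted on a dead object */
static void cert_free(cert_t *c) {
    if (c == NULL) return;
    if (c->refs == 0) { bad_frees++; return; }  /* a real heap would be corrupted here */
    c->refs--;
}
static cert_t *cert_up_ref(cert_t *c) { c->refs++; return c; }

/* Borrowed-reference getter: returns the container's pointer, count unchanged. */
static cert_t *p7_get_signer(p7_t *p) { return p->signer; }
static void p7_free(p7_t *p) { cert_free(p->signer); p->signer = NULL; }

/* Cleanup order of the posted program: free the getter result, then the container. */
int cleanup_as_posted(void) {
    cert_t c = { 1 }; p7_t p = { &c };
    bad_frees = 0;
    cert_free(p7_get_signer(&p));   /* drops the container's only reference */
    p7_free(&p);                    /* container frees the same cert again */
    return bad_frees;
}

/* Fix A: the pointer is borrowed, so only the container is freed. */
int cleanup_borrowed(void) {
    cert_t c = { 1 }; p7_t p = { &c };
    bad_frees = 0;
    (void)p7_get_signer(&p);        /* use the cert, never free it */
    p7_free(&p);
    return bad_frees;
}

/* Fix B: take an own reference when the cert must outlive the container. */
int cleanup_owned(void) {
    cert_t c = { 1 }; p7_t p = { &c };
    bad_frees = 0;
    cert_t *own = cert_up_ref(p7_get_signer(&p));   /* refs: 2 */
    p7_free(&p);                                    /* refs: 1, cert still valid */
    int alive = (c.refs == 1);
    cert_free(own);                                 /* refs: 0 */
    return alive && c.refs == 0 && bad_frees == 0;
}

int main(void) {
    printf("posted=%d borrowed=%d owned_ok=%d\n",
           cleanup_as_posted(), cleanup_borrowed(), cleanup_owned());
    return 0;
}
```

In OpenSSL 1.1.0 and later the counterpart of fix B is `X509_up_ref()`. The reported address is consistent with the diagnosis: the Windows debug heap fills freed memory with 0xFEEEFEEE, so a pointer read out of an already-freed object lands near that value.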
Re: difference between authenticode certificate and normal certificate?
On Wed, Jul 27, 2005, coco coco wrote:

> Hi,
>
> Sorry if this is a bit OT, can someone explain what is the difference
> between an MS Authenticode certificate, a normal certificate, and a
> certificate for signing Netscape object?
>
> What are the bits and bytes that are different? I can't find info
> detailed enough to give a satisfactory answer, and I don't feel
> like spending money to get an authenticode cert and a netscape
> cert just to find that out :)
>
> What's so different between authenticode certificate and netscape
> certificate that you can't use the same key and certificate to sign
> both your windows-based software and your java stuff?
>

I looked at this some time ago so this may not be up to date...

There wasn't anything special about an authenticode certificate provided you didn't set the extensions to specifically exclude the usages. So a "vanilla" CA and EE certificate are sufficient. The root CA also has to be added and trusted for code signing in the Windows certificate stores.

The certificates you get from CAs not intended for authenticode generally aren't usable, normally because the root CA isn't trusted for code signing and occasionally because the extended key usage doesn't allow it either.

Netscape object signing used to also require that the netscape certificate signing extension and its object signing bit set. If this extension was not present then it couldn't be used. I'm not sure if that's still the case since netscape certificate type is largely obsolete.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: difference between authenticode certificate and normal certificate?
> Sorry if this is a bit OT, can someone explain what is the difference
> between an MS Authenticode certificate, a normal certificate, and a
> certificate for signing Netscape object?

The values in the keyUsage and extendedKeyUsage extensions.

        /r$

--
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
difference between authenticode certificate and normal certificate?
Hi,

Sorry if this is a bit OT, can someone explain what is the difference between an MS Authenticode certificate, a normal certificate, and a certificate for signing Netscape object?

What are the bits and bytes that are different? I can't find info detailed enough to give a satisfactory answer, and I don't feel like spending money to get an authenticode cert and a netscape cert just to find that out :)

What's so different between authenticode certificate and netscape certificate that you can't use the same key and certificate to sign both your windows-based software and your java stuff?

Thanks for any information

coco
RE: Openssl for Solaris 10
Never mind, Ramon. I think openssl 0.9.8 supports Solaris 10. The problem that I had was that I did not update the gcc header file. When I installed pre-compiled gcc on the Solaris 10, there was an instruction about updating the gcc header file but I did not do that at the time. After I updated the gcc header file, both openssl 0.9.7g and 0.9.8 compiled fine. I am not sure why you got the problem; maybe library files were not in your path?

Thanks anyway.

Ryan

-----Original Message-----
From: Ramon Berger [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 26, 2005 6:06 PM
To: Ruiyuan Jiang
Subject: Re: Openssl for Solaris 10

Ruiyuan,

What error are you getting? I had a problem with 0.9.8 on Solaris 10 and 9. But I got the following information from Tim Rosmus [EMAIL PROTECTED], from this mailing list...

|# gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
|# sshconnect2.o -L. -Lopenbsd-compat/ -L/opt/ssl/lib -R/opt/ssl/lib -lssh
|# -lopenbsd-compat -lresolv -lcrypto -lrt -lz -lsocket -lnsl
|#
|# Undefined                first referenced
|#  symbol                      in file
|# dlopen                   /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#   (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlclose                  /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#   (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlsym                    /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#   (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# dlerror                  /opt/ssl/lib/libcrypto.a(dso_dlfcn.o)
|#   (symbol belongs to implicit dependency /usr/lib/libdl.so.1)
|# ld: fatal: Symbol referencing errors. No output written to ssh
|# collect2: ld returned 1 exit status
|# make: *** [ssh] Error 1
|#

Add "--with-ldflags=-ldl" to your configure run for openssh.
--
Tim Rosmus <[EMAIL PROTECTED]>
Postmaster / USENET / DNS
Northwest Nexus Inc.

> Hi, all
>
> Do openssl 0.9.7g and 0.9.8 support Solaris 10? The "config"
> command passed but "make" failed for both versions. Thanks.
>
> Ryan
Re: bug in PKCS7_free ?
Dr. Stephen Henson wrote:
> Any reason you can't use PKCS7_encrypt() instead?

Unfortunately, I got the same result using PKCS7_encrypt().

--
Alexandre Belloni
Re: bug in PKCS7_free ?
On Wed, Jul 27, 2005, Alexandre Belloni wrote:

> Hi,
>
> I'm trying to build a PKCS7 enveloped data (encrypted) but when I'm
> done with the PKCS7 structure and I try to free it (calling PKCS7_free)
> I keep getting an "access violation accessing 0xfeeefef6".
>
> I'm using openssl 0.9.8 under windows XP (win32).
>
> Code is attached.
>

Any reason you can't use PKCS7_encrypt() instead?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
bug in PKCS7_free ?
Hi,

I'm trying to build a PKCS7 enveloped data (encrypted) but when I'm done with the PKCS7 structure and I try to free it (calling PKCS7_free) I keep getting an "access violation accessing 0xfeeefef6".

I'm using openssl 0.9.8 under windows XP (win32).

Code is attached.

--
Alexandre Belloni

/* The header names of the original #include lines were lost in the archive;
   the headers below are the OpenSSL ones this code uses. */
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

int main(void)
{
    PKCS7 *p7 = NULL;
    PKCS7_SIGNER_INFO *si = NULL;
    X509 *cert = NULL;
    PKCS7 *p7c = NULL;
    BIO *p7bio = NULL;
    BIO *in = NULL;
    BIO *out = NULL;
    int ret;
    int len = 0;
    unsigned char *p7_der = NULL;
    char data[] = "123456789";
    STACK_OF(PKCS7_SIGNER_INFO) *sk;

    /* Read the signed PKCS7 structure from the PEM file "p7pem". */
    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        ret = -1;
        goto err;
    }
    if (BIO_read_filename(in, "p7pem") <= 0) {
        ret = -1;
        goto err;
    }
    p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
    if (p7 == NULL) {
        ret = -1;
        goto err;
    }

    /* Take the certificate of the first signer as the recipient. */
    sk = PKCS7_get_signer_info(p7);
    if (sk == NULL) {
        ret = -1;
        goto err;
    }
    si = sk_PKCS7_SIGNER_INFO_value(sk, 0);
    if (si == NULL) {
        ret = -1;
        goto err;
    }
    cert = PKCS7_cert_from_signer_info(p7, si);
    if (cert == NULL) {
        ret = -1;
        goto err;
    }

    /* Build the enveloped (encrypted) PKCS7 structure. */
    p7c = PKCS7_new();
    if (p7c == NULL) {
        ret = -1;
        goto err;
    }
    PKCS7_set_type(p7c, NID_pkcs7_enveloped);
    if (!PKCS7_set_cipher(p7c, EVP_des_ede3_cbc())) {
        ret = -1;
        goto err;
    }
    if (!PKCS7_add_recipient(p7c, cert)) {
        ret = -1;
        goto err;
    }
    p7bio = PKCS7_dataInit(p7c, NULL);
    if (p7bio == NULL) {
        ret = -1;
        goto err;
    }
    BIO_write(p7bio, data, sizeof(data));
    BIO_flush(p7bio);
    if (!PKCS7_dataFinal(p7c, p7bio)) {
        ret = -1;
        goto err;
    }

    /* Write the result to the PEM file "p7enc". */
    out = BIO_new(BIO_s_file());
    if (out == NULL) {
        ret = -1;
        goto err;
    }
    if (BIO_write_filename(out, "p7enc") <= 0) {
        ret = -1;
        goto err;
    }
    PEM_write_bio_PKCS7(out, p7c);
    ret = 0;

err:
    if (in != NULL)
        BIO_free_all(in);
    if (out != NULL)
        BIO_free_all(out);
    if (p7bio != NULL)
        BIO_free_all(p7bio);
    if (cert != NULL)
        X509_free(cert);
    if (p7 != NULL)
        PKCS7_free(p7);
    if (p7c != NULL)
        PKCS7_free(p7c);
    return ret;
}
Re: Openssl for Solaris 10
Ruiyuan Jiang wrote:
> Hi, all
>
> Do openssl 0.9.7g and 0.9.8 support Solaris 10? The "config"
> command passed but "make" failed for both versions. Thanks.

what's the error message ?

Nils