Re: bug in PKCS7_free ?

2005-07-28 Thread Nils Larsch

Tan Eng Ten wrote:
> This is another example of the problem I highlighted a few days ago. You
> need to be very careful with which getter methods return a new instance
> (or inc the ref count), and which ones do not.
>
> Definitely not a bug but a matter of consistency.


it's certainly a bug but it might be caused by a not so
optimal docu and naming scheme. A better name for this
function would be PKCS7_get0_cert_from_signer_info ...

Nils
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: bug in PKCS7_free ?

2005-07-28 Thread Dr. Stephen Henson
On Thu, Jul 28, 2005, Nils Larsch wrote:

> Tan Eng Ten wrote:
> > This is another example of the problem I highlighted a few days ago. You
> > need to be very careful with which getter methods return a new instance
> > (or inc the ref count), and which ones do not.
> >
> > Definitely not a bug but a matter of consistency.
>
> it's certainly a bug but it might be caused by a not so
> optimal docu and naming scheme. A better name for this
> function would be PKCS7_get0_cert_from_signer_info ...
>
Or instead of using undocumented internal structures and functions use the
documented PKCS7_get0_signers().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: PKI interoperability

2005-07-28 Thread Bernhard Froehlich

Prashant Sodhiya wrote:

> Hi All,
>
> Is there any way we can test the interoperability of SSL certificates
> with any third party vendor's certificate.


Yes.

Depending on whether you want to test another server's certificate or the
use of client certs you can use openssl s_client or openssl
s_server. See http://www.openssl.org/docs/apps/s_client.html and
http://www.openssl.org/docs/apps/s_server.html.



> Thanks and Regards,
>
> Prashant Sodhiya


Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
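The s_server/s_client check Ted points to, written out as an added example (this is not code from Ted's post or from the OpenSSL project). It creates a throw-away CA and server certificate, serves them with openssl s_server, and connects with openssl s_client twice: once trusting the issuing CA and once trusting an unrelated CA, so that the "Verify return code" the client reports shows the difference. The CA names, the CN "localhost", the file layout and port 14433 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list post or the OpenSSL project.
# Builds a throw-away CA plus server certificate, serves it with
# "openssl s_server -www", and reads the client-side verify result from
# "openssl s_client". Subject names, file names and the port are constructed.

WORK=$(mktemp -d)
PORT=14433

new_ca() {
    # $1 = CA subject CN, $2 = output prefix; self-signed, valid for one day
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

issue_server_cert() {
    # $1 = prefix of the CA that signs; writes $WORK/srv.pem for CN=localhost
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/srv.pem" 2>/dev/null
}

verify_code_against() {
    # $1 = CA file the client trusts. Prints the numeric "Verify return code"
    # s_client reports for the server's chain: 0 means the chain verified,
    # anything else is an X509 verify error (e.g. 21, unable to verify the
    # first certificate, when the trusted CA did not issue it).
    openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" \
        -key "$WORK/srv.key" -www >/dev/null 2>&1 &
    srvpid=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$1" \
        </dev/null 2>&1 || true)
    kill "$srvpid" 2>/dev/null
    wait "$srvpid" 2>/dev/null || true
    printf '%s\n' "$out" \
        | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

new_ca "Test CA" good
new_ca "Other CA" other
issue_server_cert good

echo "issuing CA trusted:   verify code $(verify_code_against "$WORK/good.pem")"
echo "unrelated CA trusted: verify code $(verify_code_against "$WORK/other.pem")"
```

To test a real third-party server instead, point s_client at its host and port with -CAfile set to the CA bundle you actually trust, and read the same "Verify return code" line; to test client certificates, add -cert and -key on the s_client side and -Verify on the s_server side.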





Re: difference between authenticode certificate and normal certificate?

2005-07-28 Thread coco coco

Thanks for replying.


From: Dr. Stephen Henson [EMAIL PROTECTED]
> I looked at this some time ago so this may not be up to date...
>
> There wasn't anything special about an authenticode certificate provided you
> didn't set the extensions to specifically exclude the usages. So a vanilla
> CA and EE certificate are sufficient. The root CA also has to be added and
> trusted for code signing in the Windows certificate stores.
>
> The certificates you get from CAs not intended for authenticode generally
> aren't usable, normally because the root CA isn't trusted for code signing and
> occasionally because the extended key usage doesn't allow it either.
>
> Netscape object signing used to also require that the netscape certificate
> signing extension and its object signing bit set. If this extension was not
> present then it couldn't be used. I'm not sure if that's still the case since
> netscape certificate type is largely obsolete.



Ok, sounds simple enough, so I create a root CA with openssl, then sign a
certificate for a fictitious user, then use that to sign an Office VBA (just
some dummy stuff, doing nothing).

After loading up my VBA, I see it has no timestamp, and according to the
msdn site, the signature is timestamped by connecting to the CA (which issued
the certificate) and getting the timestamp signed by that CA. And this is done
in the background, during code signing. I dug around, there's no other
way to do it.

Ok, it's getting interesting. Let's say I set up a TSA server (using opentsa
or something), but my certificates are created using openssl. How do I add
that information into the certificate I signed, so that during code signing,
Windows knows how to connect to my tsa server to get a timestamp?

So what is the extension that I need to put in, what information and how?

That's what I was asking, what's the difference between the code signing
cert and a plain vanilla cert?

Thanks for any hint.

coco
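The two properties Steve's quoted reply names as making a certificate usable for code signing, the extended key usage and the Netscape object-signing bit, can be set and checked with openssl alone. The following is an added example (not code from this thread, and it says nothing about the timestamp question, which the thread leaves open): it issues a plain certificate and a code-signing certificate from a throw-away CA and then checks each one for those extensions. Subject names, file names and the extension file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread or the OpenSSL project.
# Issues two end-entity certificates from a throw-away CA: a plain one and
# one carrying extendedKeyUsage codeSigning plus nsCertType objsign, then
# checks which of them is usable for code signing on those two counts.

WORK=$(mktemp -d)

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Extensions for the code-signing certificate, in the syntax read by
# "openssl x509 -extfile" (constructed for this example)
cat > "$WORK/codesign.ext" <<'EOF'
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
nsCertType = objsign
EOF

issue_cert() {
    # $1 = subject CN, $2 = output prefix, $3 = optional extension file
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    if [ -n "$3" ]; then
        openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$3" \
            -out "$WORK/$2.pem" 2>/dev/null
    else
        openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$2.pem" 2>/dev/null
    fi
}

codesigning_usable() {
    # $1 = certificate file. Returns 0 only if the certificate chains to the
    # test CA and carries both EKU "Code Signing" and Netscape "Object
    # Signing"; 1, 2 or 3 identifies which check failed.
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
        | grep -q 'Code Signing' || return 2
    printf '%s\n' "$text" | grep -A1 'Netscape Cert Type' \
        | grep -q 'Object Signing' || return 3
    return 0
}

issue_cert "Fictitious Signer" signer "$WORK/codesign.ext"
issue_cert "Plain User" plain

for c in signer plain; do
    if codesigning_usable "$WORK/$c.pem"; then
        echo "$c.pem: usable for code signing"
    else
        echo "$c.pem: not usable for code signing (check $? failed)"
    fi
done
```

Whether Windows accepts the certificate additionally depends on the root being trusted for code signing in its certificate store, which is outside what openssl can check.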



Re: difference between authenticode certificate and normal certificate?

2005-07-28 Thread Dr. Stephen Henson
On Thu, Jul 28, 2005, Dr. Stephen Henson wrote:

> On Thu, Jul 28, 2005, coco coco wrote:
>
> > Ok, sounds simple enough, so I create a root CA with openssl, then sign a
> > certificate for a fictitious user, then use that to sign an Office VBA
> > (just some dummy stuff, doing nothing).
> >
> > After loading up my VBA, I see it has no timestamp, and according to the
> > msdn site, the signature is timestamped by connecting to the CA (which
> > issued the certificate) and getting the timestamp signed by that CA. And
> > this is done in the background, during code signing. I dug around,
> > there's no other way to do it.
>
> Well when I tried the timestamp could be added by using any appropriate
> timestamping server. At the time only VeriSign's was available, there may be a
> few more now: I notice there's a Thawte timestamping CA in MSIE.
>
> The authenticode timestamping stuff at the time used a non-standard format,
> though it was documented.

Just found a link which may help:

http://www.thawte.com/support/code/msauth.html#timestamp

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: difference between authenticode certificate and normal certificate?

2005-07-28 Thread coco coco


> Just found a link which may help:
>
> http://www.thawte.com/support/code/msauth.html#timestamp



Thanks a lot. Sorry to sound like a dumbass, but how do I put that
information into the certificate when I signed it? :) I mean, how do I
specify the URL of the tsa, which extension to use?


If someone could give an ASN.1 def of a MS authenticode cert, that would 
help too.


rgds

coco



Re: difference between authenticode certificate and normal certificate?

2005-07-28 Thread Dr. Stephen Henson
On Thu, Jul 28, 2005, coco coco wrote:

> The problem is with signing Office macro, which has to use the stupid macro
> editor to do. And there is no place to insert an option for timestamping.
> All the information I get is that the editor will do it automatically, and
> somehow, that info for getting timestamp must be known to the editor, thru
> the certificate.
>
> So I'm trying to figure out how to put that info into the cert to make that
> macro editor happy.

Hmmm, I don't have access to the relevant tools for that. Do you have a sample
signed macro or certificate that includes this information?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: difference between authenticode certificate and normal certificate?

2005-07-28 Thread coco coco


> Hmmm, I don't have access to the relevant tools for that. Do you have a
> sample signed macro or certificate that includes this information?



hehe, I don't, that's why I can't figure out what to put in there. I tried
different extensions, looked up all the stuff I can use in x509v3, to no
avail. None of those works.

If I have one, I can just parse it to see what's in it. The macros I found
on the web have the same issue, no timestamp.

Anyway, I just found that CA called Ascertia which seems to offer free
certificates. I'll see if I can get a free cert for code signing, and see
what's in there.

rgds

coco
