Re: bug in PKCS7_free ?

Tan Eng Ten wrote:
> This is another example of the problem I highlighted a few days ago. You
> need to be very careful with which getter methods return a new instance
> (or inc the ref count), and which ones do not. Definitely not a bug but a
> matter of consistency.

It's certainly a bug, but it might be caused by a not-so-optimal docu and
naming scheme. A better name for this function would be
PKCS7_get0_cert_from_signer_info ...

Nils
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: bug in PKCS7_free ?

On Thu, Jul 28, 2005, Nils Larsch wrote:
> Tan Eng Ten wrote:
>> This is another example of the problem I highlighted a few days ago. You
>> need to be very careful with which getter methods return a new instance
>> (or inc the ref count), and which ones do not. Definitely not a bug but a
>> matter of consistency.
>
> It's certainly a bug, but it might be caused by a not-so-optimal docu and
> naming scheme. A better name for this function would be
> PKCS7_get0_cert_from_signer_info ...

Or instead of using undocumented internal structures and functions use the
documented PKCS7_get0_signers().

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: PKI interoperability

Prashant Sodhiya wrote:
> Hi All,
>
> Is there any way we can test the interoperability of SSL certificates
> with any third party vendor's certificate?

Yes. Depending on whether you want to test another server's certificate or
the use of client certs you can use openssl s_client or openssl s_server.
See http://www.openssl.org/docs/apps/s_client.html and
http://www.openssl.org/docs/apps/s_server.html.

> Thanks and Regards,
> Prashant Sodhiya

Hope it helps,
Ted
;)
-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Re: difference between authenticode certificate and normal certificate?

Thanks for replying.

From: Dr. Stephen Henson [EMAIL PROTECTED]
> I looked at this some time ago so this may not be up to date...
>
> There wasn't anything special about an authenticode certificate provided
> you didn't set the extensions to specifically exclude the usages. So a
> vanilla CA and EE certificate are sufficient. The root CA also has to be
> added and trusted for code signing in the Windows certificate stores.
>
> The certificates you get from CAs not intended for authenticode generally
> aren't usable, normally because the root CA isn't trusted for code signing
> and occasionally because the extended key usage doesn't allow it either.
>
> Netscape object signing used to also require that the netscape certificate
> signing extension and its object signing bit be set. If this extension was
> not present then it couldn't be used. I'm not sure if that's still the
> case since netscape certificate type is largely obsolete.

Ok, sounds simple enough, so I create a root CA with openssl, then sign a
certificate for a fictitious user, then use that to sign an Office VBA
(just some dummy stuff, doing nothing). After loading up my VBA, I see it
has no timestamp, and according to the msdn site, the signature is
timestamped by connecting to the CA (which issued the certificate) and
getting the timestamp signed by that CA. And this is done in the
background, during code signing. I dug around; there's no other way to do
it.

Ok, it's getting interesting. Let's say I set up a TSA server (using
opentsa or something), but my certificates are created using openssl. How
do I add that information into the certificate I signed, so that during
code signing, Windows knows how to connect to my TSA server to get a
timestamp? So what is the extension that I need to put in, what
information, and how?

That's what I was asking: what's the difference between the code signing
cert and a plain vanilla cert?

Thanks for any hint.

coco
Re: difference between authenticode certificate and normal certificate?

On Thu, Jul 28, 2005, coco coco wrote:
> Ok, sounds simple enough, so I create a root CA with openssl, then sign a
> certificate for a fictitious user, then use that to sign an Office VBA
> (just some dummy stuff, doing nothing). After loading up my VBA, I see it
> has no timestamp, and according to the msdn site, the signature is
> timestamped by connecting to the CA (which issued the certificate) and
> getting the timestamp signed by that CA. And this is done in the
> background, during code signing. I dug around; there's no other way to do
> it.

Well when I tried the timestamp could be added by using any appropriate
timestamping server. At the time only VeriSign's was available, there may
be a few more now: I notice there's a Thawte timestamping CA in MSIE.

The authenticode timestamping stuff at the time used a non-standard
format, though it was documented.

Just found a link which may help:
http://www.thawte.com/support/code/msauth.html#timestamp

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: difference between authenticode certificate and normal certificate?

Dr. Stephen Henson wrote:
> Just found a link which may help:
> http://www.thawte.com/support/code/msauth.html#timestamp

Thanks a lot. Sorry to sound like a dumbass, but how do I put that
information into the certificate when I sign it? :) I mean, how do I
specify the URL of the TSA, and which extension do I use? If someone could
give an ASN.1 def of an MS authenticode cert, that would help too.

rgds
coco
Re: difference between authenticode certificate and normal certificate?

On Thu, Jul 28, 2005, coco coco wrote:
> The problem is with signing an Office macro, which has to be done with
> the stupid macro editor. And there is no place to insert an option for
> timestamping. All the information I get is that the editor will do it
> automatically, and somehow, that info for getting a timestamp must be
> known to the editor, through the certificate. So I'm trying to figure out
> how to put that info into the cert to make that macro editor happy.

Hmmm, I don't have access to the relevant tools for that. Do you have a
sample signed macro or certificate that includes this information?

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: difference between authenticode certificate and normal certificate?

Dr. Stephen Henson wrote:
> Hmmm, I don't have access to the relevant tools for that. Do you have a
> sample signed macro or certificate that includes this information?

hehe, I don't, that's why I can't figure out what to put in there. I tried
different extensions, looked up all the stuff I can use in x509v3, to no
avail. None of those work. If I had one, I could just parse it to see
what's in it. The macros I found on the web have the same issue, no
timestamp.

Anyway, I just found a CA called Ascertia which seems to offer free
certificates. I'll see if I can get a free cert for code signing, and see
what's in there.

rgds
coco