Verification problem
Hello everybody Is possible to set up openssl application for verify command in order to checking all relevant CRLs in verification chain ? Because I find that the CRL checking is exercised only at the lowest level, that means 0 depth in verification level. Thanks -- View this message in context: http://www.nabble.com/Verification-problem-tf3714215.html#a10389714 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How put issuerUniqueID into certificate?
Kyle Hamilton wrote: The ITU X.509v1? The X.509v3? The Internet Public Key Infrastructure Certificate Profile? Perhaps the Attribute Certificate profile? Or the Proxy Certificate profile? Or some other profile? excerpt from the 2000 version. Since this is the one that I have online. issuerUniqueIdentifier is used to uniquely identify an issuer in case of name re-use. subjectUniqueIdentifier is used to uniquely identify a subject in case of name re-use. NOTE 3 – In situations where a distinguished name might be reassigned to a different user by the Naming Authority, CAs can use the unique identifier to distinguish between reused instances. However, if the same user is provided certificates by multiple CAs, it is recommended that the CAs coordinate on the assignment of unique identifiers as part of their user registration procedures. smime.p7s Description: S/MIME Cryptographic Signature
Custom certificate extensions CSR / cert creation: Missing field
Hi,
I am using the examples from the O'Reilly book Network Security with
OpenSSL (X.509 section) to create a CSR, push a custom extension into
it and sign that CSR with a given private key. This - in general - works
OK, but when I want to use the resulting certificate chain (I have the
signing certificate and a couple more in there) for anything secure
(i.e. mutual authentication), I am greeted with failure.
I wrote an extremely simple program to check what might be wrong with
the certificate stack and this seems to be the problem:
15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
missing:tasn_dec.c:391:Field=d, Type=RSA
15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1
lib:pem_info.c:224:
I figure that there is something wrong with the way I create the ASN.1
object and push it onto the extension stack for the CSR. This looks like
so in my code:
ASN1_OBJECT *obj;
ASN1_OCTET_STRING *ex_oct = NULL;
X509_EXTENSION *ex_execpol = NULL;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
obj = OBJ_nid2obj(new_nid);
if (!(ex_oct = ASN1_OCTET_STRING_new())) {
int_error(Error creating custom ASN.1 struct);
}
extlist = sk_X509_EXTENSION_new_null();
ASN1_OCTET_STRING_set(ex_oct,policy,-1);
if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(ex_execpol, obj, 0,
ex_oct))) { //3rd parameter is critical/noncritical
int_error(Error creating X509 extension for execpolicy);
}
if (!(sk_X509_EXTENSION_push (extlist, ex_execpol))) {
int_error(Error pushing custom extension to stack);
}
if (!(X509_REQ_add_extensions (req, extlist))) {
int_error (Error adding ExecPolicy to the request);
}
sk_X509_EXTENSION_pop_free (extlist, X509_EXTENSION_free);
}
Later, I am getting the extension stack from the CSR...
if (!(req_exts = X509_REQ_get_extensions (req)))
int_error (Error getting the request's extensions);
int new_nid;
ASN1_OBJECT *obj;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
execPolicy_pos = X509v3_get_ext_by_NID (req_exts,
new_nid, -1);
execPolicy = X509v3_get_ext (req_exts, execPolicy_pos);
fputc ('\n', stdout);
...and add them to the certificate before signing:
/* add x509v3 extensions as specified */
X509V3_set_ctx (ctx, CAcert, cert, NULL, NULL, 0);
for (i = 0; i EXT_COUNT; i++)
{
X509_EXTENSION *ext;
if (!(ext = X509V3_EXT_conf (NULL, ctx,
ext_ent[i].key, ext_ent[i].value)))
{
fprintf (stderr, Error on \%s = %s\\n,
ext_ent[i].key, ext_ent[i].value);
int_error (Error creating X509 extension object);
}
// Mark purpose as critical
if (!(X509_EXTENSION_set_critical (ext, 1))) {
fprintf(stderr, Error setting Extension to critical:
%s, ext_ent[i].key);
int_error(Error setting Extension to critical);
}
if (!X509_add_ext (cert, ext, -1))
{
fprintf (stderr, Error on \%s = %s\\n,
ext_ent[i].key, ext_ent[i].value);
int_error (Error adding X509 extension to certificate);
}
X509_EXTENSION_free (ext);
}
/* add the extension in the request to the cert */
if (!X509_add_ext (cert, execPolicy, -1))
int_error (etc);
Is there anything I am doing horribly wrong along the way? Any pointers
where the missing field could be? I guess it can only be in the custom
ASN.1 structure I have created for my own extension.
Regards and thanks,
--ck
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: mathematical entropy question on Linux (hardware rng over network)
Am Di, 8.05.2007, 21:48, schrieb Kyle Hamilton: Randomness is randomness. However, the important thing is that the randomness is not known, and the randomness cannot be retrieved. If you're worried about passing the tests on a subset of the data, take the subset that you're thinking of and run the tests on it. If it's truly random, it will pass no matter what subset you take. Yes, I will run the tests as soon as I have programmed an useful and secure way to chunk and dispatch the random data. I don't know what the characteristics of the encrypted stream would be (to an eavesdropper) if the encrypted stream is completely random. Theoretically it shouldn't make a difference, but I haven't heard of any research on the topic. (Most research attempts to apply a cryptographically-generated sequence of apparently-random bytes to an information stream, thus making the stream appear random. It / should/ just appear like any other encrypted information stream.) -Kyle H I see. So I am quite shure I will not introduce a security flaw by chunking the data stream and transmitting it over the network with ssh2. Many thanks for your thoughts ! PS: If someone has thoughts on this as well, please let me know. Sincerely, Robert __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
On Wed, May 09, 2007, Christopher Kunz wrote: I wrote an extremely simple program to check what might be wrong with the certificate stack and this seems to be the problem: 15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=d, Type=RSA 15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:224: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. If you want to create custom extensions there is a much easier way now: the mini-ASN1 compiler as mentioned in the docs. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
Dr. Stephen Henson schrieb: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. I forgot to mention that openssl x509 -text -noout -in mycertchain.pem does produce valid output, and seems to disregard the error that prevents the certificate from actually being usable. To me that means that it somehow has to be syntactically correct. I can provide you with demo credentials if that is of any help - they are set to run out after 12 hours anyway. :) Thanks for your help, --ck __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
On Wed, May 09, 2007, Christopher Kunz wrote: Dr. Stephen Henson schrieb: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. I forgot to mention that openssl x509 -text -noout -in mycertchain.pem does produce valid output, and seems to disregard the error that prevents the certificate from actually being usable. To me that means that it somehow has to be syntactically correct. I can provide you with demo credentials if that is of any help - they are set to run out after 12 hours anyway. :) Thanks for your help, What I meant was that error looks like there is a private key in the file which is causing the function PEM_read_bio_X509_INFO() to fail when it attempts to read it rather than a certificate reading error or possibly that error is from a previous function call. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Post
Samuel what does that mean... if you live in NY i'll buy you dinner On 5/9/07, Samuel Reed [EMAIL PROTECTED] wrote: Is it worth something? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Fedor Sent: Wednesday, May 09, 2007 2:52 PM To: openssl-users@openssl.org Subject: Post How can I delete any post that have my email address. [EMAIL PROTECTED] there is data that should not be out on the net __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Post
Michael Fedor wrote: Thanks do you know who the list maintainer is. I suspect that instructions for contacting the list maintainer could be had via the [EMAIL PROTECTED] email listed in the trailer appended to all emails sent via the list. Sending it a message containing a line that reads help will probably be a decent start. Often, Internet mailing lists will follow a convention of owner-listname or listname-owner for an alias by which the list maintainer can be reached. rick jones __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Post
On Wed 07-05-09 17:52, Michael Fedor wrote: How can I delete any post that have my email address. [EMAIL PROTECTED] there is data that should not be out on the net You may or may not be able to persuade the list maintainer to delete your posts, but it won't do you much good. I have my own copies of a number of things you've posted to this list, and I have no plans to delete them (nor do I plan to do anything nefarious with them). Even if I did delete the messages, I'm sure they exist on backups. And that's just me; I'm sure the same is true of however many other people subscribe to this list. And Google and other services may have cached copies of the web pages containing the list archives. If you've posted unsafe information to this list, you need to render it safe (revoke certificates, change passphrases, whatever it takes). And since you've now publicly called attention to the fact that this information is out there, I suggest you do so as soon as possible. -- Keith Thompson [EMAIL PROTECTED] San Diego Supercomputer Center http://users.sdsc.edu/~kst/ 858-822-0853 We must do something. This is something. Therefore, we must do this. -- Antony Jay and Jonathan Lynn, Yes Minister __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Post
Im cool On 5/9/07, Keith Thompson [EMAIL PROTECTED] wrote: On Wed 07-05-09 17:52, Michael Fedor wrote: How can I delete any post that have my email address. [EMAIL PROTECTED] there is data that should not be out on the net You may or may not be able to persuade the list maintainer to delete your posts, but it won't do you much good. I have my own copies of a number of things you've posted to this list, and I have no plans to delete them (nor do I plan to do anything nefarious with them). Even if I did delete the messages, I'm sure they exist on backups. And that's just me; I'm sure the same is true of however many other people subscribe to this list. And Google and other services may have cached copies of the web pages containing the list archives. If you've posted unsafe information to this list, you need to render it safe (revoke certificates, change passphrases, whatever it takes). And since you've now publicly called attention to the fact that this information is out there, I suggest you do so as soon as possible. -- Keith Thompson [EMAIL PROTECTED] San Diego Supercomputer Center http://users.sdsc.edu/~kst/ 858-822-0853 We must do something. This is something. Therefore, we must do this. -- Antony Jay and Jonathan Lynn, Yes Minister __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Post
If you're talking about the cert and session key you posted, anyone can get the cert from the server and the master key is useless. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
