Hi,
On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote:
X509v3 Extended Key Usage:
Trust Root
what is this strange?
'Trust Root' as Extended Key Usage?
__
OpenSSL Project
the ASN.1 dump of this certificate ...
0 470: SEQUENCE {
4 319: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 5: INTEGER 00 D6 2D F4 34
20 13: SEQUENCE {
22 9: OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
33 0:
It is NTP indicating that this certificate is held by a supposed trusted
root (authority).
This is NTP's way of figuring out if the certificate of the subject/issuer
should be trusted or not.
So they misuse X509 extensions for their own purposes.
This alone is not enough.
So they also implement
I'd rather not use the openssl config file, and stick with APIs.
is it really an octet string containing one ASCII character 5?
no, it was just a simple example, the real values are PRINTABLESTRING and
INTEGER.
Is that what you meant:
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
I want to thank everyone who replied for the help.
I figured out what went wrong.
Two things.
The RSA public key wasn't loaded with the correct values.
Thank you for giving a hint about that.
The second thing was the data to verify somehow included the OID of the
signature.
So the second time
How nice, they're asking for a self-signed certificate to include a
specific EKU to indicate it's a Trust Anchor, and the OID used for this
has never been allocated. Crazy.
I just looked at OpenSSL's objects.txt database, and found some OIDs
that need some change:
id-pkix-OCSP 8
Welcome to the wonderful world of NTP Autokey.
Where they misuse X509v3 extensions for their own purposes.
Nothing I can do about it. It's in the specification of that RFC (5906)
On Thu, Nov 28, 2013 at 4:14 PM, Erwann Abalea
erwann.aba...@keynectis.com wrote:
How nice, they're asking for a