Problem creating self signed certificate using -subj option

2005-08-12 Thread prakash babu

Hello All,

I am using OpenSSL 0.9.8. When creating a self signed certificate using the req command we can specify the X509 name either by using the -subj option or by prompting the user to enter the values.

i. Prompting the user to enter the values

eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -nodes
Country Name (2 letter code) [AU]:INN
string is too long, it needs to be less than 2 bytes long

Here the values entered by the user are checked with the minimum and maximum limits of each field specified in the openssl.conf file.

Reason: the req_check_len function is called to verify the field length

Flow : make_REQ( ) --- prompt_info( ) --- add_DN_object( ) --- req_check_len()

ii. -subj option

eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=IN/ST=TamilNadu/L=CBE/O=test/CN=test -nodes

Here the values entered by the user are not checked with the minimum and maximum limits of each field specified in the openssl.conf file.

Reason: the req_check_len function is not called

Flow : make_REQ( ) --- build_subject( ) --- parse_name( ) //req_check_len is not called

Is this a bug ?

Suggestion for OpenSSL 0.9.8:
The following code can be added in file apps/apps.c between lines 2135 and 2137 to check the minimum and maximum limits of each field specified in the openssl.conf file

 
2133         BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
2134         continue;
2135     }
//---
    {
        const char *longname;
        char buffer[100];
        char *p, *dn_sect;
        long n_min, n_max, j;
        long errline;
        int len_buf;
        CONF *req_conf = NULL;

        // Get the long name (e.g. "countryName") from the NID
        longname = OBJ_nid2ln(nid);

        // Load the default configuration file
        p = make_config_name();
        req_conf = NCONF_new(NULL);
        j = NCONF_load(req_conf, p, &errline);
        if (j == 0) {
            BIO_printf(bio_err, "error on line %ld of %s\n", errline, p);
            NCONF_free(req_conf);
            goto error;
        }

        dn_sect = NCONF_get_string(req_conf, "req", "distinguished_name");
        if (dn_sect == NULL) {
            BIO_printf(bio_err, "unable to find distinguished_name in config %s\n", p);
            NCONF_free(req_conf);
            goto error;
        }

        // Get the min length of the field from the config file ("<longname>_min")
        BIO_snprintf(buffer, sizeof buffer, "%s_min", longname);
        if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_min)) {
            ERR_clear_error();
            n_min = -1;
        }

        // Get the max length of the field from the config file ("<longname>_max")
        BIO_snprintf(buffer, sizeof buffer, "%s_max", longname);
        if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_max)) {
            ERR_clear_error();
            n_max = -1;
        }

        // Compare the length of the field against the allowable minimum and maximum
        len_buf = (int)strlen(ne_values[i]);
        if ((n_min > 0) && (len_buf < n_min)) {
            BIO_printf(bio_err, "%s is too short, it needs to be at least %ld bytes long\n",
                       longname, n_min);
            NCONF_free(req_conf);
            goto error;
        }
        if ((n_max >= 0) && (len_buf > n_max)) {
            BIO_printf(bio_err, "%s is too long, it needs to be less than %ld bytes long\n",
                       longname, n_max);
            NCONF_free(req_conf);
            goto error;
        }
        NCONF_free(req_conf);
    }
//---

2137     if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)ne_values[i], -1, -1, mval[i]))
2138         goto error;
2139 }

Thanks,
Prakash Babu

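The post's point is that a subject given on the command line bypasses the length checks that a prompted subject gets. The following is an added example, not code from the post or from OpenSSL: it parses a -subj style string and applies the same kind of min/max test to every component, so that a wrapper script or CA front end can reject a bad subject before it reaches req. The limits table is constructed for this example and only mirrors the `<longname>_min` / `<longname>_max` keys of a stock openssl.cnf (countryName 2/2, commonName max 64); the other numbers, and the names check_subject, subject_ok and subject_error, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limits table. Names and numbers mirror the <longname>_min /
 * <longname>_max keys of a stock openssl.cnf [req_distinguished_name] section
 * (countryName_min = 2, countryName_max = 2, commonName_max = 64); the other
 * values are assumptions for this example. -1 means "no limit". */
struct dn_limit { const char *shortname; long min; long max; };

static const struct dn_limit LIMITS[] = {
    { "C",  2,  2 }, { "ST", -1, 128 }, { "L", -1, 128 }, { "O", -1, 64 },
    { "OU", -1, 64 }, { "CN", -1, 64 }, { "emailAddress", -1, 64 },
};

static const struct dn_limit *find_limit(const char *type)
{
    size_t i;
    for (i = 0; i < sizeof LIMITS / sizeof LIMITS[0]; i++)
        if (strcmp(LIMITS[i].shortname, type) == 0)
            return &LIMITS[i];
    return NULL;
}

/* check_subject: walk a "/type=value/type=value" string and apply the min/max
 * test that the prompt path applies in req_check_len to every value.
 * Returns 0 when every field is acceptable, -1 otherwise; msg says why.
 * Empty values are skipped, as parse_name skips them ("No value provided").
 * Backslash escapes such as \/ inside a value are not handled here. */
int check_subject(const char *subj, char *msg, size_t msglen)
{
    const char *p;

    if (subj == NULL || subj[0] != '/') {
        snprintf(msg, msglen, "subject must start with '/'");
        return -1;
    }
    p = subj + 1;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        const char *eq;
        const struct dn_limit *lim;
        char type[32];
        size_t tlen;
        long vlen;

        if (end == NULL)
            end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        tlen = eq ? (size_t)(eq - p) : 0;
        if (eq == NULL || tlen == 0 || tlen >= sizeof type) {
            snprintf(msg, msglen, "malformed component \"%.*s\"", (int)(end - p), p);
            return -1;
        }
        memcpy(type, p, tlen);
        type[tlen] = '\0';
        vlen = (long)(end - eq - 1);   /* raw byte length of the value */

        lim = find_limit(type);
        if (lim == NULL) {
            snprintf(msg, msglen, "unknown attribute type %s", type);
            return -1;
        }
        if (vlen > 0 && lim->min > 0 && vlen < lim->min) {
            snprintf(msg, msglen, "%s is too short, it needs to be at least %ld bytes long",
                     type, lim->min);
            return -1;
        }
        if (vlen > 0 && lim->max >= 0 && vlen > lim->max) {
            snprintf(msg, msglen, "%s is too long, it needs to be at most %ld bytes long",
                     type, lim->max);
            return -1;
        }
        p = (*end == '/') ? end + 1 : end;
    }
    snprintf(msg, msglen, "ok");
    return 0;
}

/* Wrapper keeping the last message in a static buffer, for callers that
 * only want a yes/no answer plus the reason. */
static char last_msg[160];

int subject_ok(const char *subj)
{
    return check_subject(subj, last_msg, sizeof last_msg);
}

const char *subject_error(void)
{
    return last_msg;
}

int main(void)
{
    /* constructed inputs: the subject from the post, then two that the prompt
     * would reject but -subj passes through unchecked */
    const char *samples[] = {
        "/C=IN/ST=TamilNadu/L=CBE/O=test/CN=test",
        "/C=INN/ST=TamilNadu/L=CBE/O=test/CN=test",
        "/C=I/CN=test",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i],
               subject_ok(samples[i]) == 0 ? "ok" : subject_error());
    return 0;
}
```

The check is deliberately the same shape as the patch the post proposes (min applies only when greater than 0, max only when 0 or more), so the two paths into the certificate subject enforce one policy; the table would be read from the real configuration in anything beyond an illustration.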

question about error message: unable to write 'random state'

2005-08-12 Thread Dave Peterson
I hope this isn't a repeat of a previous posting, and apologize
if it is (I tried posting this question a couple of days ago and
think the email may not have actually been sent).  Anyway, I'm
having trouble using openssl to encrypt email messages, and would
greatly appreciate any advice anyone may have.  I'm trying to
write a PERL CGI script that uses openssl to send an encrypted
email.  The script is executing the following command, piping the
body of the message to the command's standard input:

openssl smime -subject 'subject' -encrypt /path/to/cert.pem > outfile 2>&1

Standard error is redirected to standard output for debugging.
The command's output (written to outfile) looks like this:

Subject: subject
MIME-Version: 1.0
Content-Disposition: attachment; filename=smime.p7m
Content-Type: application/x-pkcs7-mime; name=smime.p7m
Content-Transfer-Encoding: base64
unable to write 'random state'

I was reading some info about the unable to write 'random state'
message.  Apparently this indicates a problem accessing a seeding
file for random number generation.  The info I am reading says that
openssl tries to use /dev/urandom by default, and starting with version
0.9.7, tries /dev/random if /dev/urandom is unavailable.

The web server executing the CGI script is running FreeBSD 4.11-STABLE
and the version of openssl installed on the server is 0.9.7d
(17 Mar 2004).  I wrote a little CGI script that does an
ls -l /dev | grep random and the result looks like this:

crw-r--r--   1 root  wheel   2,   3 Apr 15 11:11 random
crw-r--r--   1 root  wheel   2,   4 Apr 15 11:11 urandom

As shown above, both /dev/urandom and /dev/random exist and are
world-readable.  Therefore I do not know why openssl is printing the
error message.  Does anyone know why this is happening?  Any
suggestions on how to solve this problem are greatly appreciated.
When replying, please cc [EMAIL PROTECTED]

Thanks,
Dave
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Plan for OCSP verifier to LDAP?

2005-08-12 Thread coco coco

Is there any plan to support OCSP verification over LDAP (or LDAP/s)?

OT: BTW, could anyone recommend an LDAP client library (C or C++) that works
on Windows? Preferably open source.

thanks

coco



Re: Plan for OCSP verifier to LDAP?

2005-08-12 Thread Rich Salz
> Is there any plan to support OCSP verification over LDAP (or LDAP/s)?

This question makes no sense.  OCSP and LDAP are two different protocols.
It's like saying SMTP over HTTP.
/r$

-- 
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html



Re: Newbie SSL_write question

2005-08-12 Thread Jagannadha Bhattu Gosukonda
Call ERR_clear_error() before while loop and call
ERR_get_error_line_data in a loop till it returns 0 inside
SSL_ERROR_SYSCALL case. This may give you some idea on what went
wrong.

JB

On 8/11/05, Michael [EMAIL PROTECTED] wrote:
> On 8/11/05, David Schwartz [EMAIL PROTECTED] wrote:
>
> <snip>
>
> > > My code uses blocking sockets, has the SSL_CTX
> > > SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but
> > > the socket is closed after the first 32k is sent.
> > >
> > > Why, if a message block size is 16k, does the first 32k of a message
> > > get written/read, then the socket dropped?
>
> <snip>
>
> > Give us example code or more detailed information about what you
> > mean by
> > the socket dropped and how you determined that.
> > My bet is simply that there's a bug in your code. With non-blocking
> > sockets, you have to test the return value of SSL_read and properly handle
> > partial or failed sends. You may get a failed send if there was insufficient
> > space to fit a single block of protocol data (or if protocol data was sent
> > that corresponds to zero bytes of application data!). You may get a partial
> > send.
>
> Thanks for your reply David - I think you're probably right about my code! ;-)
>
> Upon your suggestion I added some more cases to test the return code
> of ssl_write and found that I am getting a SSL_ERROR_SYSCALL after the
> first 32 bytes.
>
> Here is the code. As mentioned before, I have the SSL_CTX set with
> partial writes enabled, the main write loop is as follows (for
> clarity, I've removed all the tests of ssl_write other than those that
> get called).
>
> --start
> char error_str[BUFF_SIZE];
> char out_buf[BUFF_SIZE];
> int sent_bytes = 0;
> int offset = 0;
> int bytes_to_send = data_len;   /* length of the data in out_buf (data_len: assumed variable) */
>
> fprintf(stderr, "- Attempting to write %d bytes\n", bytes_to_send);
>
> while (bytes_to_send) {
>
>     sent_bytes = SSL_write(p_ssl, out_buf + offset, bytes_to_send);
>
>     switch (SSL_get_error(p_ssl, sent_bytes)) {
>     case SSL_ERROR_NONE:
>         bytes_to_send -= sent_bytes;
>         offset += sent_bytes;
>         fprintf(stderr, "- Written %d bytes\n", sent_bytes);
>         break;
>     case SSL_ERROR_SYSCALL:
>         /* copy the error queue text into error_str */
>         ERR_error_string_n(ERR_get_error(), error_str, sizeof error_str);
>         fprintf(stderr, "- SSL_ERROR_SYSCALL: %s\n", error_str);
>         return 0; /* exit routine */
>     default:
>         fprintf(stderr, "- SSL_write reports %d\n", sent_bytes);
>         return 0; /* exit routine */
>     }
> }
> --end--
>
> When I try and write more than 32k I get the following messages...
>
> - Attempting to write 59266 bytes
> - Written 16384 bytes
> - Written 16384 bytes
> - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0)
>
> I have SSL_load_error_strings() earlier in my code, but don't get any
> more information than this.
>
> I'm still at a loss as to what's happening here, but many thanks for
> your help in getting this far.
>
> Michael.
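A write loop of the shape JB is describing, as an added example that is not code from this thread: it resumes after partial writes, and on a SYSCALL-class failure captures errno immediately, because when the OpenSSL error queue is empty (the `error::lib(0):func(0):reason(0)` line Michael sees) errno is the only remaining clue to what the socket did. So that it runs without a TLS session, the loop goes through a small transport seam (the `transport` struct, the `IO_*` classes, `write_all`, `send_through_fake` and the `last_stop_*` accessors are all assumptions of this example) and a constructed fake peer that accepts 16 KiB per call and then resets the connection, which reproduces the trace in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Error classes the loop distinguishes. They play the role of the
 * SSL_get_error() results (SSL_ERROR_NONE, SSL_ERROR_WANT_WRITE,
 * SSL_ERROR_SYSCALL, SSL_ERROR_ZERO_RETURN, other); the values are local to
 * this example, not OpenSSL's constants. */
enum io_err { IO_NONE, IO_WANT_WRITE, IO_SYSCALL, IO_ZERO_RETURN, IO_OTHER };

/* Transport seam so the loop runs without a live TLS session: write() acts
 * like SSL_write() (bytes sent, 0 on close, -1 on error) and classify() like
 * SSL_get_error(). The int fields belong to the constructed fake only. */
typedef struct transport {
    int (*write)(struct transport *t, const unsigned char *buf, int len);
    enum io_err (*classify)(struct transport *t, int ret);
    int max_record;   /* fake: bytes accepted per call, like one 16 KiB TLS record */
    int peer_limit;   /* fake: bytes after which the peer drops the connection */
    int written;      /* fake: running total */
} transport;

/* write_all: send len bytes, resuming after partial writes (what
 * SSL_MODE_ENABLE_PARTIAL_WRITE allows). Returns bytes sent; *err is why it
 * stopped (IO_NONE when everything went) and *saved_errno is errno captured
 * right after a SYSCALL-class failure, before anything can overwrite it. */
int write_all(transport *t, const unsigned char *buf, int len,
              enum io_err *err, int *saved_errno)
{
    int offset = 0;

    *err = IO_NONE;
    *saved_errno = 0;
    while (offset < len) {
        int n;

        errno = 0;
        n = t->write(t, buf + offset, len - offset);
        switch (t->classify(t, n)) {
        case IO_NONE:
            offset += n;              /* partial write: advance and go round again */
            break;
        case IO_WANT_WRITE:
            continue;                 /* non-blocking socket not ready: retry as is */
        case IO_SYSCALL:
            /* With a real SSL the error queue may be empty here; errno is then
             * the only clue, so keep it before calling anything else, and drain
             * ERR_get_error_line_data() for whatever the queue does hold. */
            *saved_errno = errno;
            *err = IO_SYSCALL;
            return offset;
        case IO_ZERO_RETURN:
            *err = IO_ZERO_RETURN;    /* peer sent close_notify */
            return offset;
        default:
            *err = IO_OTHER;
            return offset;
        }
    }
    return offset;
}

/* Constructed fake peer: accepts at most max_record bytes per call and, once
 * peer_limit bytes are in, behaves like a reset socket (EPIPE). */
static int fake_write(transport *t, const unsigned char *buf, int len)
{
    (void)buf;
    if (t->written >= t->peer_limit) {
        errno = EPIPE;
        return -1;
    }
    if (len > t->max_record)
        len = t->max_record;
    t->written += len;
    return len;
}

static enum io_err fake_classify(transport *t, int ret)
{
    (void)t;
    return ret > 0 ? IO_NONE : IO_SYSCALL;
}

static enum io_err last_class;
static int last_errno;

/* send_through_fake: push a len-byte constructed message through write_all()
 * against a fake peer that gives up after peer_limit bytes. Returns bytes
 * sent; the stopping class and errno are kept for last_stop_*(). */
int send_through_fake(int len, int peer_limit)
{
    static unsigned char msg[65536];   /* constructed payload, contents irrelevant */
    transport t = { fake_write, fake_classify, 16384, peer_limit, 0 };

    if (len > (int)sizeof msg)
        len = (int)sizeof msg;
    return write_all(&t, msg, len, &last_class, &last_errno);
}

int last_stop_class(void) { return (int)last_class; }
int last_stop_errno(void) { return last_errno; }

int main(void)
{
    /* the message size from the thread against a peer that quits after 32 KiB */
    int sent = send_through_fake(59266, 32768);
    printf("sent %d bytes, class %d, errno %d (%s)\n", sent, last_stop_class(),
           last_stop_errno(), last_errno ? strerror(last_errno) : "none");
    return 0;
}
```

Against a real connection the seam is simply SSL_write and SSL_get_error, and the value worth logging in the SYSCALL branch is the saved errno together with whatever ERR_get_error_line_data returns, which is what separates a peer that went away from a local socket fault.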


cryptlib vs. openssl

2005-08-12 Thread Schering
Hi,

does anyone know about Peter Gutmann's cryptlib and how it compares to
openssl?

Gerd





BorlandC++ 6 compiler Options

2005-08-12 Thread Jean-Michel Lekston
Hi,

I have some problems with RSA_bio_read and BN_bn2hex
which fall in segmentation faults. I compiled openssl using standard procedure
perl Configure BC-32, do_nasm, make -f bcb.mak

It compiled well. I try some examples, it works well
except for RSA_bio_read and BN. In FAQ it is clear that compilation options are
very important particularly for bio functions so I try to set exactly same
option to my project (multithread lib) but it's hard and not as simple as
gcc and vc do. So I'm never sure it is correct, nevertheless I keep the
seg fault, and even if I compile openssl in debug mode I keep this error.

Is there anyone here to help me please?

Jean-Michel Lekston

Cogendi

Phone: +33 (1) 41 91 75 75


Re: Plan for OCSP verifier to LDAP?

2005-08-12 Thread Rich Salz
> I have a (potential) customer which has a CA configured with an OCSP
> responder that
> talks only LDAP. The IT guy wouldn't want to set up an http responder
> (don't ask reason, I can't figure that out either).

He probably means that the OCSP responder only gets certificates and CRL's
by doing LDAP queries.

> That's why I was asking if there is any plan to put in support to send
> OCSP request over LDAP.

There is no such thing.  LDAP protocol has bind, search, etc., packets.
OCSP uses HTTP POST to make a query.

Can you show me where OCSP over LDAP is documented?
/r$

-- 
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
