Customer Enterprise X.509 Extension OID Assignment
I'm not terribly familiar with OIDs in ASN.1 and the like, so I wanted to confirm that I have the correct impression here. If I were to create a custom X.509 certificate extension for use within my enterprise and with others outside who wanted to write or modify their own software to interoperate with it, I'd need to assign an OID for this extension, right? And for that, would the standard way to do this be to assign an OID underneath the one assigned to us by the IANA in their Private Enterprise Number list[1], right? (I note that [1] claims to be the SMI Network Management Private Enterprise Codes, but I gather that others use this for pretty much anything where they need a unique OID.) [1]: http://www.iana.org/assignments/enterprise-numbers cjs -- Curt Sampson c...@cynic.net +81 90 7737 2974 http://www.starling-software.com/ I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --Bjarne Stroustrup __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Customer Enterprise X.509 Extension OID Assignment
On 02/06/2012 09:41 AM, Curt Sampson wrote: If I were to create a custom X.509 certificate extension for use within my enterprise and with others outside who wanted to write or modify their own software to interoperate with it, I'd need to assign an OID for this extension, right? And for that, would the standard way to do this be to assign an OID underneath the one assigned to us by the IANA in their Private Enterprise Number list[1], right? It is one possible way, you need to find someone that owns an OID (forever) and dedicates you a number. in france, every enterprise has an oid 1.3.2.officialenterprisenumber some institution sell such numbers. (I note that [1] claims to be the SMI Network Management Private Enterprise Codes, but I gather that others use this for pretty much anything where they need a unique OID.) I'd prefer to say non-ambiguous. besides that, I would also investigate your need for a custom extension, if you use it for 'identity', then use a subjectAltname for example if you use it for some kind of attribute based authorisation, well, you are maybe overloading the certificate. Peter __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Customer Enterprise X.509 Extension OID Assignment
On 2012-02-06 10:00 +0100 (Mon), Peter Sylvester wrote: It is one possible way, you need to find someone that owns an OID (forever) and dedicates you a number. Ok; that makes it quite clear. So any OID is fine, so long as you own it. ...but I gather that others use this for pretty much anything where they need a unique OID.) I'd prefer to say non-ambiguous. Yes, that sounds more correct. besides that, I would also investigate your need for a custom extension, That's in progress. I'm not yet convinced we need one, but I wanted to know how I would go about assigning an ID should I move that direction. Thanks again for your help. cjs -- Curt Sampson c...@cynic.net +81 90 7737 2974 http://www.starling-software.com/ I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --Bjarne Stroustrup __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Customer Enterprise X.509 Extension OID Assignment
On 2/6/2012 9:41 AM, Curt Sampson wrote: I'm not terribly familiar with OIDs in ASN.1 and the like, so I wanted to confirm that I have the correct impression here. If I were to create a custom X.509 certificate extension for use within my enterprise and with others outside who wanted to write or modify their own software to interoperate with it, I'd need to assign an OID for this extension, right? And for that, would the standard way to do this be to assign an OID underneath the one assigned to us by the IANA in their Private Enterprise Number list[1], right? (I note that [1] claims to be the SMI Network Management Private Enterprise Codes, but I gather that others use this for pretty much anything where they need a unique OID.) [1]: http://www.iana.org/assignments/enterprise-numbers cjs Yes, the Enterprise numbers are the easy way of getting a unique OID number space to a company which is not one of the big special organizations (ISO, ITU, IETF etc.). For example, RSADSI (when they were still a crypto company) used their enterprise OID as a prefix for all the OIDs defined in their PKCS standards, those OIDs are now part of the derived official standards, but the rest of the RSADSI OID space remains theirs. Because only one enterprise number is allowed per company, the first thing you should do is to add a .1 or .0 for the your/their first way of assigning numbers below their enterprise OID, then increment that field when you need a new OID space for the same company. Example, RSADSI added a .1 to their enterprise OID to define the base OID for all PKCS standards, with the next element being the number of the PKCS standard, they used .2 for their hash algorithms and .3 for their encryption algorithms. Thus RSADSI.1.1.1 is PKCS#1.rsaEncryption RSADSI.2.5 is RSADSI message digest algorithm MD5 RSADIS.3.4 is RSADSI encryption algorithm RC4 etc. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Customer Enterprise X.509 Extension OID Assignment
IANA allocate Private Enterprise Numbers under iso.org.dod.internet.private.enterprise (1.3.6.1.4.1). See http://www.iana.org/assignments/enterprise-numbers. -- Christopher On 6 February 2012 20:11, Curt Sampson c...@cynic.net wrote: On 2012-02-06 10:00 +0100 (Mon), Peter Sylvester wrote: It is one possible way, you need to find someone that owns an OID (forever) and dedicates you a number. Ok; that makes it quite clear. So any OID is fine, so long as you own it. ...but I gather that others use this for pretty much anything where they need a unique OID.) I'd prefer to say non-ambiguous. Yes, that sounds more correct. besides that, I would also investigate your need for a custom extension, That's in progress. I'm not yet convinced we need one, but I wanted to know how I would go about assigning an ID should I move that direction. Thanks again for your help. cjs -- Curt Sampson c...@cynic.net +81 90 7737 2974 http://www.starling-software.com/ I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --Bjarne Stroustrup __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Christopher Vance __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Openssl as a library in iOS/Certificate Signing Request PKCS10
Hi, I would like to use openssl library in my iOS application (Objective-C) to generate certificate signing request. If I wanted to use openssl application in linux I would write something like that: openssl req -new -newkey rsa:2048 -nodes -out common_name.csr -keyout common_name.key -subj /C=pl/ST=state/L=city/O=organization/OU=department/CN=common_name However, I have to use openssl as a library. Can I ask for some hints on how to do it or what documents should I read in the first place? Do I have to separately create public/private keys and then use them to create CSR? I found out that there a few functions which are responsible for creating CSR: int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); 1. I assume that after calling PEM_write_X509_REQ_NEW(), file fp will contain csr only, like this: -BEGIN CERTIFICATE REQUEST- ... -END CERTIFICATE REQUEST- 2. is there any info on how to initialize X509_REQ object? It's a struct, that looks like this: typdef struct X509_req_st { X509_REQ_INFO* req_info; X509_ALGOR* sig_alg; ASN1_BIT_STRING* signature; int references; } X509_REQ; As I look through the dependencies, there are a lot of different classes. Do I have to initialize all of them manually or is there a better way? I would be very grateful for any help! Greetings, Kacper86 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
reference docs at old sial.org
Hi, Just wanted to let the users of openssh know that the old reference documents from sial.org, which provided a handy discussion of maintaining a certificate authority and other aspects of use of openssh, are now back online at http://novosial.org. The sial.org domain was sold several years ago and the contents replaced by the domain name reseller. Since the original author, Jeremy Mates, placed the documents in the public domain, they are available online again in one collection at this new site. cheers, Peter N. Steinmetz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Openssl as a library in iOS/Certificate Signing Request PKCS10
From: owner-openssl-us...@openssl.org On Behalf Of Kacper86 Sent: Monday, 06 February, 2012 09:49 I would like to use openssl library in my iOS application (Objective-C) to generate certificate signing request [like] openssl req -new -newkey rsa:2048 -nodes -out common_name.csr -keyout common_name.key -subj /C=pl/ST=state/L=city/O=organization/OU=department/CN=common_name [except] as a library. Can I ask for some hints on how to do it or what documents should I read in the first place? Do I have to separately create public/private keys and then use them to create CSR? You can read PKCS#10 = RFC 2986 but it doesn't say much. AFAICS OpenSSL doesn't have any man pages for REQ other than the i2d/d2i routines (which are not very interesting). http://en.wikipedia.org/wiki/Certificate_signing_request has a decent introduction, but its description of DN and CN is quite wrong. (DN is the whole sequence of fields CN Org OrgUnit etc., possibly including EmailAddress although that is now preferred in the SubjectAltName extension instead of DN. CN *for an SSL server* is normally the FQDN; in other cases it may be another name. Note that *domain* name as in FQDN != *distinguished* name as in X509CSR.) It refers to http://www.redkestrel.co.uk/Articles/CSR.html#anchor-whats-in-a-csr which expands a little, and also contains some info on keys and key generation which is not actually part of a CSR but as above is often done together with a CSR. A certreq is inherently for a specific keypair (public/private). If you already have a keypair and want to generate a CSR for it, you can do that. Since in SSL or other PKI a keypair without a cert is basically useless, usually you generate a keypair and immediately either generate a selfsigned cert, or generate a CSR and use it to get a (CA-issued) cert. Typically you would generate a (subsequent) CSR for an existing keypair only if the first CSR was bad (rejected) and needs to be corrected, or the first cert was wrong somehow and needs to be replaced. Even in these cases you might choose to discard the first keypair and generate a new one. I found out that there a few functions which are responsible for creating CSR: int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); To write a CSR to a PEM file, which may create the *file*, yes. The CSR must already be built (I would say created) in memory. There are different routines to write a DER file, but DER format is less used, especially over the web. If you are newly generating the keypair, you must also write the privatekey in a suitable location and format; otherwise any cert you obtain is useless. The publickey is contained in the CSR and (later) cert, and even if you manage to lose those, for RSA using OpenSSL's preferred (CRT) form, the publickey can be easily recovered from the privatekey. 1. I assume that after calling PEM_write_X509_REQ_NEW(), file fp will contain csr only, like this: -BEGIN CERTIFICATE REQUEST- ... -END CERTIFICATE REQUEST- The file open on fp will have the CSR written to it like that. If nothing else is written to the same file before or after calling PEM_write_, and it wasn't a nonempty existing file opened for append, then that will be the only contents. 2. is there any info on how to initialize X509_REQ object? snip As I look through the dependencies, there are a lot of different classes. Do I have to initialize all of them manually or is there a better way? You should (allocate and) initialize all the fields in req_info, also called the TBS (to be signed), then use X509_REQ_sign to add your (entity's) signature. The minimal fields in req_info are your subject name and your publickey. You can also include various attributes and extensions depending on the CA you're using and the desired contents (e.g. capabilities) of the resulting cert. apps/req.c has code to create (and write) a new CSR (with quite a few options for the contents, and optional keypair generation) or to read (and display) an existing one, or to generate a selfsigned cert from a new CSR or an existing one. If you ignore the parts about display and selfsigned, what's left is a smorgasbord for you. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: getting SSL_ERROR_ZERO_RETURN when calling operation from WSDL using axis2c
From: owner-openssl-us...@openssl.org On Behalf Of manoj dhyani Sent: Saturday, 04 February, 2012 23:59 both soapUI and client application built using axis 2c are running on the same machine, I have axis2java based client running on the same machine and works fine the request is hot very big, the webserver requires WS-Security username and password, but if you don't pass that it returns a soap fault in case of SopUI and axis2java but fails with the same error for axis2c the buffer in axis2c is null, I do see encrypted alter and connection reset after FIN I am attaching the wireashark capture both when the call is done from SoapUI and Axis2c client Okay, in the good case (SoapUI) after handshake (resulting in TLS1.0 RSA-RC4-128-SHA) we have: #17 send enc-data 559-20=539 #18,19 recv enc-data 1471-20=1451 #21 recv enc-data 69-20=49 #22 send enc-data 762-20=742 about .4sec delay to #23 ACK and another .4sec to #24,25,27,28,30,31,33,34,36 recv enc-data 12218-20=12198 539 is about right to be HTTPhdr plus a smallish request; 1451 + 49 could be a segmented response (but see next) or a response with some HTTP control like chunked encoding. 742 could be a slightly larger request and 12198 a big response (not segmented, but maybe from a different part of server). In the bad case (app+axis2) there's 4.5sec delay starting handshake which I'll hope was just debugging, then after handshake we have: #15 send enc-data 204-20=184 #16 send enc-data 22-20=2 #17 send enc-data 944-20=924 about .2sec delay maybe Nagle then recv ACK(#16) and ACK(#17) then #20 recv enc-alert with piggyback FIN (with PSH ACK) #21 send ACK(#20+FIN) not FIN (probably in stack) #22 recv RST (with ACK and good ack/seq) The server apparently dislikes your request and closes aggressively: it RSTs to your machine's ACK(FIN) even though it may still have seqctrs and (thus) endpoint block, and even though you haven't begun to FIN. This is not ideal TCP behavior, though it can be acceptable in an error case. It looks very odd that your request is sent as 184,2,924. 184 is enough for HTTPhdr but little or no request data. 2 is a very odd size to do in the middle. Total 1110 is noticeably more than 539 for first request in good case. Since you can debug, I would look at the calls to SSL_write, and verify that when concatenated they form a valid request (HTTPhdr then SOAP request body), and try to look at the calling (axis2c) code to see why it's sending in pieces like this. Though in itself legal that behavior is somewhat unusual, and might be triggering a server limitation the other case doesn't. Hope this helps. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl as a library in iOS/Certificate Signing Request PKCS10
On 2012-02-06 20:43 -0500 (Mon), Dave Thompson wrote: Even in these cases you might choose to discard the first keypair and generate a new one. Careful there; it does depend on for what you're using the keypair. For your typical TLS-enabled-web-server usage that's fine, but if you're doing something where you want to read encrypted data at a later date (e.g., S/MIME e-mail messages), tossing the keypair you need to read this these is kind of a bad idea cjs -- Curt Sampson c...@cynic.net +81 90 7737 2974 http://www.starling-software.com/ I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --Bjarne Stroustrup __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org