Re: [openssl-users] OCSP_response_status
On 05-01-16 21:23, rosect...@yahoo.com wrote: Hi, I am using OCSP_response_status(..) to check the OCSP result. My openssl is of version 1.0.1h. It is noticed that if the response has some issue, for example, the ocsp server can not be contacted and thus the request is timed out (this can be handled separately.) or if the Responder URL path is not correct, the call to OCSP_response_status(..) will generate a Segmentation fault. If you pass incorrect data to OCSP_response_status(), things may go wrong. So don't do that, then :-) Instead, the HTTP library which you use should be able to inform you if the HTTP request failed for some reason. When it does, don't call OCSP_response_status()... (also, make sure to call OCSP_basic_verify() before accepting the result of OCSP_response_status() at fact value, because the latter checks the signature while the former does not). -- Wouter Verhelst ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OCSP signature verification
Hi, (that other mail on OCSP on this list reminded me of this...) I've found the answer in the mean time by using a debugger and single-stepping through the library... On 01-12-15 14:58, Verhelst Wouter (Consultant) wrote: Hi folks, I'm trying to write an application that needs to verify the validity of data on a smartcard. That data is signed with an RSA key for which a certificate exists on the card; but if the card is stolen or lost, the certificate will be revoked, so I want to ensure that the certificate is valid. I'm doing an OCSP request to take care of that. Since OpenSSL's own OCSP_sendreq_* functions don't support HTTP proxies, I'm currently using libcurl to send the request to the OCSP endpoint. This seems to work; when I get the reply and use d2i_OCSP_RESPONSE(), then with things like OCSP_response_status() and OCSP_resp_find_status() and friends I can manage to get the status of the request and a given certificate. However, that doesn't do signature verification. I believe that I should use OCSP_basic_verify() for that, but I'm not entirely sure whether that is the case, and if so whether I would need to do some additional checks beforehand. Unfortunately, I can't find any documentation on OCSP_basic_verify(). I should note that due to the nature of my needs, I have a rather huge set of valid intermediate CAs, but a fairly limited set of root CAs that can be used for valid cards (that is, if the signature validates but it wasn't signed by any of the CAs under one of my limited set of roots, the card is a forgery and should be rejected as invalid). A few questions: - Am I right in assuming that OCSP_basic_verify will check the signature on the OCSP request? Answer: yes (verified this by modifying some data in the OCSP response data, which caused signature verification to fail) - In "OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)", I'm not entirely certain of what the "st" argument is meant to contain, and can't figure out the "certs" one. Pouring over the code, I believe the "st" argument should allow me to limit validation to my set of root certificates, but I could be mistaken. As for the "certs" one, I can't understand that one at all. The only thing I can think of is that maybe it should contain the issuer certificate that I used for the original request, but then why is it a STACK_OF(X509)* and not just an X509*? What am I missing? Answers: - The "STACK_OF(X509) *certs" argument should just be bs->certs (i.e., the certificates which were sent along with the OCSP response, and which contain all certificates required to be able to verify the signature on the response as well as its certificate chain). I assume this is done so as to retain API compatibility with other certificate verification methods (e.g., using CRLs), even though the *certs argument really is superfluous (OCSP_basic_verify could just as easily pluck those certificates out of the *bs argument). - The "X509_STORE *st" argument indeed allows me to limit the root certificates allowed for valid signatures. By not including the default certificate store, I can reject cards that are signed by a different root. -- Wouter Verhelst ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OPenssl and dependencies such as openssh
On Wed, Jan 06, 2016 at 07:33:27AM -0700, The Doctor wrote: > On Mon, Jan 04, 2016 at 07:22:04PM +, Viktor Dukhovni wrote: > > On Mon, Jan 04, 2016 at 09:08:31AM -0700, The Doctor wrote: > > > > > if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), > > > SSLeay_version(SSLEAY_VERSION))) <0) > > > > > > Could there be anything that is causing openssh not to see the new > > > openssl 1.1 > > > > The above. The SSLeay names are gone. The new way is: > > > > if ((rc = fprintf(fd ,"%08x (%s)\n", OpenSSL_version_num(), > > OpenSSL_version(OPENSSL_VERSION))) <0) > > > > I think it is likely prudent at this time to restore source- > > backwards-compatible behaviour, by adding to : > > > > #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x1010L > > # include > > # define SSLeay OpenSSL_version_num > > # define SSLeay_version OpenSSL_version > > # define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER > > # define SSLEAY_VERSION OPENSSL_VERSION > > # define SSLEAY_CFLAGS OPENSSL_CFLAGS > > # define SSLEAY_BUILT_ON OPENSSL_BUILT_ON > > # define SSLEAY_PLATFORM OPENSSL_PLATFORM > > # define SSLEAY_DIR OPENSSL_DIR > > #endif /* OPENSSL_API_COMPAT */ > > > > Users who want to make sure they are avoiding interfaces that are > > deprecated with 1.1.0 can set OPENSSL_API_COMPAT to 0x1010L or > > higher as appropriate. > > > > With all the other issues (DEPREACTED) identified, let > me test the above out. > Still a few bumps, but I recommend that this be committed to openssl 1.1 branch. > > -- > > Viktor. > > ___ > > openssl-users mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- > Member - Liberal International This is doctor@@nl2k.ab.ca Ici > doctor@@nl2k.ab.ca > God,Queen and country!Never Satan President Republic!Beware AntiChrist > rising! > http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism > Birthdate 29 Jan 1969 Redhill, Surrey, UK > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Birthdate 29 Jan 1969 Redhill, Surrey, UK ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OPenssl and dependencies such as openssh
On Mon, Jan 04, 2016 at 07:22:04PM +, Viktor Dukhovni wrote: > On Mon, Jan 04, 2016 at 09:08:31AM -0700, The Doctor wrote: > > > if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), > > SSLeay_version(SSLEAY_VERSION))) <0) > > > > Could there be anything that is causing openssh not to see the new openssl > > 1.1 > > The above. The SSLeay names are gone. The new way is: > >if ((rc = fprintf(fd ,"%08x (%s)\n", OpenSSL_version_num(), >OpenSSL_version(OPENSSL_VERSION))) <0) > > I think it is likely prudent at this time to restore source- > backwards-compatible behaviour, by adding to : > > #if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x1010L > # include > # define SSLeay OpenSSL_version_num > # define SSLeay_version OpenSSL_version > # define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER > # define SSLEAY_VERSION OPENSSL_VERSION > # define SSLEAY_CFLAGS OPENSSL_CFLAGS > # define SSLEAY_BUILT_ON OPENSSL_BUILT_ON > # define SSLEAY_PLATFORM OPENSSL_PLATFORM > # define SSLEAY_DIR OPENSSL_DIR > #endif /* OPENSSL_API_COMPAT */ > > Users who want to make sure they are avoiding interfaces that are > deprecated with 1.1.0 can set OPENSSL_API_COMPAT to 0x1010L or > higher as appropriate. > With all the other issues (DEPREACTED) identified, let me test the above out. > -- > Viktor. > ___ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Birthdate 29 Jan 1969 Redhill, Surrey, UK ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
