Question about picking PRF when storing a private key

2019-08-26 Thread Caleb An
Hi openssl team & community, When using the i2d_PKCS8PrivateKey functions to encode a private key, is there a way to also select the PBKDF2 PRF? Thanks so much! - Caleb An

Re: Add ECDSA signature R and S to X509 structure

2019-08-26 Thread William Roberts
This thread actually has some code on it for doing this: https://www.mail-archive.com/openssl-users@openssl.org/msg86672.html Bill On Mon, Aug 26, 2019 at 9:46 AM Ken Goldman wrote: > > On 8/17/2019 5:35 AM, Billy Brumley wrote: > > Hey Ken, > > > >> I have an ECDSA signature supplied to me as

Re: question about certificate verify

2019-08-26 Thread Viktor Dukhovni
On Mon, Aug 26, 2019 at 02:39:40PM +, Blumenthal, Uri - 0553 - MITLL wrote: > > To ignore expiration of only the leaf certificate, you > > need a verification callback that checks the error > > reason at depth 0 and if it is expiration, returns > > "ok = 1" anyway. > > Is there a potential

Re: Add ECDSA signature R and S to X509 structure

2019-08-26 Thread Ken Goldman
On 8/17/2019 5:35 AM, Billy Brumley wrote: Hey Ken, I have an ECDSA signature supplied to me as R and S byte arrays and lengths (from an HSM). How do I add them to the X509 structure? Is there an API, a set of calls, or do you have any hints? You might be looking for ECDSA_SIG_set0:

Re: question about certificate verify

2019-08-26 Thread Blumenthal, Uri - 0553 - MITLL
Is there a potential problem - if a certificate has multiple issues, such as bad signature and certificate expired? Would all of these conditions be reported, or only the first one detected? Regards, Uri Sent from my iPhone On Aug 26, 2019, at 10:11, Viktor Dukhovni wrote: >> On Aug 26,

Re: question about certificate verify

2019-08-26 Thread Viktor Dukhovni
> On Aug 26, 2019, at 5:24 AM, forston_...@trendmicro.com wrote: > > We check a sub-certificate with a lot of root certificates. > We don’t want to check sub-certificate’s expire time, but we want to get an > error when root certificate expired. > > I try to verify it by following option, >

question about certificate verify

2019-08-26 Thread forston_...@trendmicro.com
Hi Openssl team, I have a question about certificate verify. We check a sub-certificate with a lot of root certificates. We don't want to check sub-certificate's expire time, but we want to get an error when root certificate expired. I try to verify it by following option, X509_VERIFY_PARAM*