parsing invalid DER

Hello, I have in my possession some smartcards whose pkcs15 objects contain incorrectly structured DER encodings, and I need to get these cards working in my card management tool. I've made structs corresponding to the relevant parts of pkcs15 using openssl's ASN1 module, but naturally the

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

Is there a chance you're compiling using the 1.0.2 headers but linking against 1.1.1? -D. On Fri, 2021-04-09 at 20:48 +, Robert Smith via openssl-users wrote: > Unfortunately I am unable to link: > > ../bin/arm_release/libAppcrypt.a(Certificate.o): In function >

Re: Help with certificatePolicies section

Hi, I could be wrong, but I think the problem may be that [Cert_policy_server] has a policyIdentifier with two values. Try something like: [server_cert] certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server [Cert_policy_server] policyIdentifier = GroupeSTIAssurance

Re: sk_X509_OBJECT_num()

Hi, They're macros, defined in SKM_DEFINE_STACK_OF() in safestack.h. If you DEFINE_STACK_OF(Foo), you'll automatically end up with a sk_Foo_num() macro. Cheers, -Dave > On Nov 13, 2019, at 12:20, Jason Schultz wrote: > > Hello- > > I am updating my Linux application from using OpenSSL

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

> This makes sense - however there don’t appear to be any APIs in openssl that > allow you to manipulate a X509_REQ_INFO structure. I can create it, and > encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or > friends) to populate the structure. X509_REQ_INFO itself is opaque.

Re: [openssl-users] Engine NID_sha512

Hi, > if (!digest) > { > static int > supported_nids[] = {NID_sha256, NID_sha384, NID_sha512, 0}; > *nids = >

Re: [openssl-users] BIO_printf with ASN1_BIT_STRING and ASN1_INTEGER?

, as far as I know. -Dave > On Oct 16, 2018, at 10:32, Opa114 wrote: > > Hi, > > thanks for this - what about the ASN1_BIT_STRING? Is there such a predefined > function? > > Von: openssl-users <mailto:openssl-users-boun...@openssl.org>> im Auftrag von Dave Coo

Re: [openssl-users] BIO_printf with ASN1_BIT_STRING and ASN1_INTEGER?

Hi, You can use i2a_ASN1_INTEGER() to print an ASN1_INTEGER to a BIO. -Dave > On Oct 16, 2018, at 05:37, Opa114 wrote: > > Hi there, > > i have to print out some data, which is an ASN1_BIT_STRING and an > ASN1_INTEGER with BIO_printf. For GENERAL_NAME for example there a predefined >

Re: [openssl-users] SubjectAltName syntax in openssl.cnf

Hello, That syntax looks correct, yes. It belongs in the [section] name you are passing to the "-extensions" argument on the "openssl ca" command when issuing the certificate. I hope this helps. -Dave > On Oct 2, 2018, at 05:47, DUPALUT, Benjamin wrote: > > Hello, > > Does anyone,

Re: [openssl-users] An example issuing an intermediate CA with policy mappings?

> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote: > > For my testing I want to explore the behaviors of policies, policy > constraints, and policy mappings. I have figured out how to request and > issue certs with custom policy OIDs, but I haven't yet seen a method of > granting an

Re: [openssl-users] I need help to implement triple des algorithm with openssl

> Thank you Matt!, > yes it odd, the component in C# is from a third an we don't know C#, we think > that for a moment we could replace that using openssl command line. > > Could show me how pass a key to the openssl? To use a specific key instead of deriving it from a passphrase, use -K

Re: [openssl-users] CSR verify failure

Yeah, it looks like the signature is just wrong. Even setting aside the question of padding, I used rsautl -verify -raw on the signature using the CSR's public key, and I would expect to see a pair of sequence tags (0x30) with sensible lengths somewhere inside, and I don't. hulk:/tmp $

Re: [openssl-users] AES_unwrap_key returns 0

Hello, This is just a guess, but try AES_set_decrypt_key() before trying to unwrap? -Dave > On Jan 4, 2018, at 13:08, InMotion Man wrote: > > Hello all, > I'm having trouble using the AES_unwrap_key function. I have tried different > things but it always returns 0 and

Re: [openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

> The observation is correct, but the conclusion is wrong. > The object is reference counted, and X509_free() is needed > to avoid a leak (when the store is freed along with the > context). My apologies -- I assumed based on its name that X509_OBJECT_up_ref_count was upping the refcount on the

Re: [openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

Hello, Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your X509 *cc_cert -- you don't need to (and probably shouldn't) free it. Cheers, -Dave > On Jan 2, 2018, at 19:38, Karl Denninger wrote: > > Assume the following code snippet: > > const

Re: [openssl-users] OpenSSL SHA algorithm

Hi, Wikipedia has some information. https://en.wikipedia.org/wiki/Secure_Hash_Algorithms What is produced by "dgst -sha" is what the above link is calling SHA-0 (originally just called SHA). All the best, -Dave > On Dec 25, 2017, at 22:44, Swapnil Deshpande

Re: [openssl-users] Example code to add several CRL distribution points

> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null(); > sk_DIST_POINT_push (distPoints, distPoint); > X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0, > distPoints); > X509_add_ext (cert, ext, -1); > X509_EXTENSION_free (ext); > > The extension wi

Re: [openssl-users] Example code to add several CRL distribution points

Hi, You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs. Cheers, -Dave > On Nov 22, 2017, at 06:58, Dirk Menstermann wrote: > Hi, > > can anybody share example code

Re: [openssl-users] How to parse DER encoded x509 attributes?

gt; X509_ATTRIBUTE *attr; > while ((attr = sk_X509_ATTRIBUTE_pop(attrs)) != NULL) { > X509_ATTRIBUTE_free(attr); > } > sk_X509_ATTRIBUTE_free(attrs); > > Looks working. > > Regards, > Libor > > > On 2017-11-15 15:31, Dave Coombs wrote: > >> Hel

Re: [openssl-users] How to parse DER encoded x509 attributes?

Hello, You can do something like the following. First make a type corresponding to a stack of x509 attributes: typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE; DECLARE_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE); Then make an asn1 template that specifies how the stack should be

Re: [openssl-users] Verifying a timestamp signed using a cert issued by a sub CA (intermediate)

Hi Marcus, Try giving -CAfile a concatenated file with both CA certificates inside. hulk:/tmp $ cat DSS* > chain.pem hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile chain.pem Verification: OK Cheers, -Dave > On Nov 14, 2017, at 02:30, Marcus Lundblad

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

>> It would be nice, though, if the API provided a way to get the signer's >> certificate. There is OCSP_resp_get0_signature(), but that only returns the >> bit string. Comparable functions in other modules (eg: >> X509_get0_signature(), X509_REQ_get0_signature(), X509_CRL_get0_signature(),

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

>> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and >> NULL for X509_STORE *st since it won't be used, then I think I should get >> the desired result, yes, at the cost of ocsp_find_signer(single-entry certs) >> and the internal creation/destruction of an unused

Re: [openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Hi Matt, thanks for your response. >> Is the correct solution to use OCSP_basic_verify(), which feels like >> overkill for my needs (the code in question is *part of* our own >> path-validation routine), or might there be some other way? > > Can you use OCSP_basic_verify() passing in

[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Hello, I was fiddling around with OpenSSL 1.1.0 this past weekend, because One Day We'll Need To Upgrade (tm), and ran into the following. We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 / 1.0.2 to confirm that the signature on an ocsp response is correct. This is a macro in