Hello,
I have in my possession some smartcards whose pkcs15 objects contain
incorrectly structured DER encodings, and I need to get these cards
working in my card management tool. I've made structs corresponding to
the relevant parts of pkcs15 using openssl's ASN1 module, but naturally
the
Is there a chance you're compiling using the 1.0.2 headers but linking
against 1.1.1?
-D.
On Fri, 2021-04-09 at 20:48 +, Robert Smith via openssl-users
wrote:
> Unfortunately I am unable to link:
>
> ../bin/arm_release/libAppcrypt.a(Certificate.o): In function
>
Hi,
I could be wrong, but I think the problem may be that [Cert_policy_server] has
a policyIdentifier with two values. Try something like:
[server_cert]
certificatePolicies = ia5org, @Cert_policy_server, @Cert_other_policy_server
[Cert_policy_server]
policyIdentifier = GroupeSTIAssurance
Hi,
They're macros, defined in SKM_DEFINE_STACK_OF() in safestack.h. If you
DEFINE_STACK_OF(Foo), you'll automatically end up with a sk_Foo_num() macro.
Cheers,
-Dave
> On Nov 13, 2019, at 12:20, Jason Schultz wrote:
>
> Hello-
>
> I am updating my Linux application from using OpenSSL
> This makes sense - however there don’t appear to be any APIs in openssl that
> allow you to manipulate a X509_REQ_INFO structure. I can create it, and
> encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or
> friends) to populate the structure. X509_REQ_INFO itself is opaque.
Hi,
> if (!digest)
> {
> static int
> supported_nids[] = {NID_sha256, NID_sha384, NID_sha512, 0};
> *nids =
>
, as far as I know.
-Dave
> On Oct 16, 2018, at 10:32, Opa114 wrote:
>
> Hi,
>
> thanks for this - what about the ASN1_BIT_STRING? Is there such a predefined
> function?
>
> From: openssl-users <mailto:openssl-users-boun...@openssl.org>> on behalf of Dave Coo
Hi,
You can use i2a_ASN1_INTEGER() to print an ASN1_INTEGER to a BIO.
-Dave
> On Oct 16, 2018, at 05:37, Opa114 wrote:
>
> Hi there,
>
> I have to print out some data, which is an ASN1_BIT_STRING and an
> ASN1_INTEGER with BIO_printf. For GENERAL_NAME for example there a predefined
>
Hello,
That syntax looks correct, yes. It belongs in the [section] name you are
passing to the "-extensions" argument on the "openssl ca" command when issuing
the certificate.
I hope this helps.
-Dave
> On Oct 2, 2018, at 05:47, DUPALUT, Benjamin wrote:
>
> Hello,
>
> Does anyone,
> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote:
>
> For my testing I want to explore the behaviors of policies, policy
> constraints, and policy mappings. I have figured out how to request and
> issue certs with custom policy OIDs, but I haven't yet seen a method of
> granting an
> Thank you Matt!,
> yes it is odd, the component in C# is from a third and we don't know C#, we think
> that for a moment we could replace that using openssl command line.
>
> Could you show me how to pass a key to the openssl?
To use a specific key instead of deriving it from a passphrase, use -K
Yeah, it looks like the signature is just wrong. Even setting aside the
question of padding, I used rsautl -verify -raw on the signature using the
CSR's public key, and I would expect to see a pair of sequence tags (0x30) with
sensible lengths somewhere inside, and I don't.
hulk:/tmp $
Hello,
This is just a guess, but try AES_set_decrypt_key() before trying to unwrap?
-Dave
> On Jan 4, 2018, at 13:08, InMotion Man wrote:
>
> Hello all,
> I'm having trouble using the AES_unwrap_key function. I have tried different
> things but it always returns 0 and
> The observation is correct, but the conclusion is wrong.
> The object is reference counted, and X509_free() is needed
> to avoid a leak (when the store is freed along with the
> context).
My apologies -- I assumed based on its name that X509_OBJECT_up_ref_count was
upping the refcount on the
Hello,
Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your
X509 *cc_cert -- you don't need to (and probably shouldn't) free it.
Cheers,
-Dave
> On Jan 2, 2018, at 19:38, Karl Denninger wrote:
>
> Assume the following code snippet:
>
> const
Hi,
Wikipedia has some information.
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
What is produced by "dgst -sha" is what the above link is calling SHA-0
(originally just called SHA).
All the best,
-Dave
> On Dec 25, 2017, at 22:44, Swapnil Deshpande
> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null();
> sk_DIST_POINT_push (distPoints, distPoint);
> X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0,
> distPoints);
> X509_add_ext (cert, ext, -1);
> X509_EXTENSION_free (ext);
>
> The extension wi
Hi,
You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk
is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.
Cheers,
-Dave
> On Nov 22, 2017, at 06:58, Dirk Menstermann wrote:
> Hi,
>
> can anybody share example code
> X509_ATTRIBUTE *attr;
> while ((attr = sk_X509_ATTRIBUTE_pop(attrs)) != NULL) {
> X509_ATTRIBUTE_free(attr);
> }
> sk_X509_ATTRIBUTE_free(attrs);
>
> Looks working.
>
> Regards,
> Libor
>
>
> On 2017-11-15 15:31, Dave Coombs wrote:
>
>> Hel
Hello,
You can do something like the following.
First make a type corresponding to a stack of x509 attributes:
typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE;
DECLARE_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE);
Then make an asn1 template that specifies how the stack should be
Hi Marcus,
Try giving -CAfile a concatenated file with both CA certificates inside.
hulk:/tmp $ cat DSS* > chain.pem
hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq
-CAfile chain.pem
Verification: OK
Cheers,
-Dave
> On Nov 14, 2017, at 02:30, Marcus Lundblad
>> It would be nice, though, if the API provided a way to get the signer's
>> certificate. There is OCSP_resp_get0_signature(), but that only returns the
>> bit string. Comparable functions in other modules (eg:
>> X509_get0_signature(), X509_REQ_get0_signature(), X509_CRL_get0_signature(),
>> If I pass in a STACK_OF(X509) *certs with only the signer's cert in it, and
>> NULL for X509_STORE *st since it won't be used, then I think I should get
>> the desired result, yes, at the cost of ocsp_find_signer(single-entry certs)
>> and the internal creation/destruction of an unused
Hi Matt, thanks for your response.
>> Is the correct solution to use OCSP_basic_verify(), which feels like
>> overkill for my needs (the code in question is *part of* our own
>> path-validation routine), or might there be some other way?
>
> Can you use OCSP_basic_verify() passing in
Hello,
I was fiddling around with OpenSSL 1.1.0 this past weekend, because One Day
We'll Need To Upgrade (tm), and ran into the following.
We have some code that uses OCSP_BASICRESP_verify() with 1.0.1 / 1.0.2 to
confirm that the signature on an ocsp response is correct. This is a macro in