Re: Set Issuer
Thanks for the reply! I found the solution.

2005/7/23, Jorey Bump [EMAIL PROTECTED]:
> pana wrote:
>> I don't know how I can set the issuer value which will appear in the certificate after I signed it. Can someone help me?
>
> If you have set up your CA properly, the issuer will be set when you sign the certificate.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: [dev-crypto] Re: Use PolicyInformation class
I also tried with ASN1Sequence. The exact problem is that when the program is going to execute PolicyInformation.getInstance(), it launches an exception and terminates. Can you help me?

bye
pana

2005/7/18, David Hook [EMAIL PROTECTED]:
> Can you tell me more about the exact problem you are seeing? As far as I'm aware the PolicyInformation class is okay.
>
> One thing from the code below - a PolicyInformation extension contains an ASN.1 Sequence not a BIT STRING...
>
> Regards,
>
> David
>
> On Sat, 2005-07-16 at 15:17 +0200, pana wrote:
>> Thanks for the reply, Carlos!
>> I tried something similar, but the problem is again with the method getInstance(). The execution stops with it, there is a loop. I used the getInstance() method for other extensions and it works well. I don't know why with the PolicyInformation class I can't obtain an object in this way. I tried to create certificate policies extensions either with only one field or with the qualifiers field too. The end is the same. Any suggestion?
>>
>> 2005/7/14, Carlos Lozano [EMAIL PROTECTED]:
>>> Hi pana,
>>>
>>> I think you are experiencing a very common problem that appears when trying to read an extension value. This problem has been solved on this list other times, but referred to other extension values.
>>>
>>> The values for certificate extensions are encoded as Octet String, so for reading a real extension value (instead of the codification as octet string) using Bouncy Castle you can use the following code (I didn't test it but I think it could be useful to give an idea):
>>>
>>> X509Certificate cert; // the certificate to examine
>>> byte[] policyInformationExtensionValue = cert.getExtensionValue(/* OID For Policy Information Extension */);
>>> ASN1InputStream asn1Input = new ASN1InputStream(policyInformationExtensionValue);
>>> DEROctetString policyInformationOctetString = (DEROctetString) asn1Input.readObject();
>>> asn1Input = new ASN1InputStream(policyInformationOctetString.getOctets());
>>> PolicyInformation policyInformation = PolicyInformation.getInstance((DERBitString) asn1Input.readObject());
>>>
>>> ----- Original Message -----
>>> From: pana [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Sent: Thursday, July 14, 2005 3:46 PM
>>> Subject: [dev-crypto] Re: Use PolicyInformation class
>>>
>>> The problem is to get an instance of this class with the method PolicyInformation.getInstance(). It doesn't work well.
>>>
>>> bye
>>> pana
>>>
>>> 2005/7/13, pana [EMAIL PROTECTED]:
>>>> I need to extract the Policy Constraints extension from my x.509 v3 certificate. I used the getExtensionValue method and then I tried to create a PolicyInformation object with this data, but I can't. How can I read this extension? Can someone help me?
>>>>
>>>> thanks
>>>> pana
Re: [dev-crypto] Re: Use PolicyInformation class
That's true! When the program executes this line:

asn1Input = new ASN1InputStream(policyInformationOctetString.getOctets());

Checking in debug mode, the variables assume these values:

asn1Input= ASN1InputStream (id=74)
    END_OF_STREAM= ASN1InputStream$1 (id=75)
    eofFound= false
    in= ByteArrayInputStream (id=77)
policyInformationOctetString= DEROctetString (id=68)
    string= byte[9] (id=82)
        [0]= 48
        [1]= 7
        [2]= 48
        [3]= 5
        [4]= 6
        [5]= 3
        [6]= 42
        [7]= 4
        [8]= 5

Then the next line would be where there is .getInstance(). At this point the execution stops and the thread is forced to terminate.

bye
pana

2005/7/21, David Hook [EMAIL PROTECTED]:
> What exception is being thrown? What does the stack trace look like?
>
> It's impossible to tell what's going on from the below information.
>
> Regards,
>
> David
>
> On Thu, 2005-07-21 at 11:17 +0200, pana wrote:
>> I also tried with ASN1Sequence. The exact problem is that when the program is going to execute PolicyInformation.getInstance(), it launches an exception and terminates. Can you help me?
>>
>> bye
>> pana
>>
>> 2005/7/18, David Hook [EMAIL PROTECTED]:
>>> Can you tell me more about the exact problem you are seeing? As far as I'm aware the PolicyInformation class is okay.
>>>
>>> One thing from the code below - a PolicyInformation extension contains an ASN.1 Sequence not a BIT STRING...
>>>
>>> Regards,
>>>
>>> David
>>>
>>> On Sat, 2005-07-16 at 15:17 +0200, pana wrote:
>>>> Thanks for the reply, Carlos!
>>>> I tried something similar, but the problem is again with the method getInstance(). The execution stops with it, there is a loop. I used the getInstance() method for other extensions and it works well. I don't know why with the PolicyInformation class I can't obtain an object in this way. I tried to create certificate policies extensions either with only one field or with the qualifiers field too. The end is the same. Any suggestion?
>>>>
>>>> 2005/7/14, Carlos Lozano [EMAIL PROTECTED]:
>>>>> Hi pana,
>>>>>
>>>>> I think you are experiencing a very common problem that appears when trying to read an extension value. This problem has been solved on this list other times, but referred to other extension values.
>>>>>
>>>>> The values for certificate extensions are encoded as Octet String, so for reading a real extension value (instead of the codification as octet string) using Bouncy Castle you can use the following code (I didn't test it but I think it could be useful to give an idea):
>>>>>
>>>>> X509Certificate cert; // the certificate to examine
>>>>> byte[] policyInformationExtensionValue = cert.getExtensionValue(/* OID For Policy Information Extension */);
>>>>> ASN1InputStream asn1Input = new ASN1InputStream(policyInformationExtensionValue);
>>>>> DEROctetString policyInformationOctetString = (DEROctetString) asn1Input.readObject();
>>>>> asn1Input = new ASN1InputStream(policyInformationOctetString.getOctets());
>>>>> PolicyInformation policyInformation = PolicyInformation.getInstance((DERBitString) asn1Input.readObject());
>>>>>
>>>>> ----- Original Message -----
>>>>> From: pana [EMAIL PROTECTED]
>>>>> To: [EMAIL PROTECTED]
>>>>> Sent: Thursday, July 14, 2005 3:46 PM
>>>>> Subject: [dev-crypto] Re: Use PolicyInformation class
>>>>>
>>>>> The problem is to get an instance of this class with the method PolicyInformation.getInstance(). It doesn't work well.
>>>>>
>>>>> bye
>>>>> pana
>>>>>
>>>>> 2005/7/13, pana [EMAIL PROTECTED]:
>>>>>> I need to extract the Policy Constraints extension from my x.509 v3 certificate. I used the getExtensionValue method and then I tried to create a PolicyInformation object with this data, but I can't. How can I read this extension? Can someone help me?
>>>>>>
>>>>>> thanks
>>>>>> pana
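
The nine bytes in the debugger dump above can be decoded directly. The following is an added example, not code from any of the posts (function names are hypothetical; it handles definite lengths and single-byte tags only). It strips the OCTET STRING wrapper that Carlos describes and shows that the value is a SEQUENCE holding a SEQUENCE holding one OID, which is the layout X.509 defines for certificatePolicies (a SEQUENCE OF PolicyInformation).

```python
# Constructed from the decimal byte values in the debugger dump above.
DUMP = bytes([48, 7, 48, 5, 6, 3, 42, 4, 5])
# Constructed: the same value wrapped in an OCTET STRING, as getExtensionValue() returns it.
WRAPPED = bytes([0x04, len(DUMP)]) + DUMP

TAG_NAMES = {0x04: "OCTET STRING", 0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}


def read_tlv(data, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first  # short form
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        n = first & 0x7F  # long form: n length octets follow
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("content runs past the end of the buffer")
    return tag, data[pos:pos + length], pos + length


def unwrap_extension_value(ext_value):
    """Strip the outer OCTET STRING that wraps every extension value."""
    tag, content, end = read_tlv(ext_value, 0)
    if tag != 0x04 or end != len(ext_value):
        raise ValueError("expected exactly one OCTET STRING")
    return content


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    top = min(arcs[0] // 40, 2)  # first octet group packs the first two arcs
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])


def walk(data, depth=0):
    """Return (depth, type, detail) per element, recursing into constructed ones."""
    rows, pos = [], 0
    while pos < len(data):
        tag, content, pos = read_tlv(data, pos)
        name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
        if tag & 0x20:  # constructed encoding: content is a run of child elements
            rows.append((depth, name, "%d content bytes" % len(content)))
            rows.extend(walk(content, depth + 1))
        elif tag == 0x06:
            rows.append((depth, name, decode_oid(content)))
        else:
            rows.append((depth, name, content.hex()))
    return rows


if __name__ == "__main__":
    for depth, name, detail in walk(unwrap_extension_value(WRAPPED)):
        print("  " * depth + name + ": " + detail)
```
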
Set Issuer
Hi,
I don't know how I can set the issuer value which will appear in the certificate after I signed it. Can someone help me?

bye
pana
environment variable
Which variables do I have to set when I install openssl 0.9.8 on my Debian system? And how do I have to set them? I can't use apt because it stops at version 0.9.7 and I need to use the newer one.

bye
pana
How can I uninstall openssl?
I need to uninstall openssl 0.9.7 to install the new version 0.9.8. How can I do it? I deleted the folders ssl and openssl but it doesn't work. Any suggestion?

bye
pana
Problem to upgrade openssl
Hi,
I have installed openssl 0.9.7e but now I need to upgrade it to the newer version 0.9.8. I tried to uninstall the 0.9.7 version but I have not been able to do it. I removed the ssl folder in /usr/local (debian) and I removed the main folder openssl in my home, then I installed the 0.9.8 version, but when I check it with the openssl version command I always obtain that my openssl is 0.9.7e. How can I correctly uninstall or upgrade openssl?

thanks
pana
Re: mini-ASN.1 compiler 0.9.8-beta5
You found the error. The version used is 0.9.7e!!! Probably I did not uninstall the old version properly.

thanks
pana

2005/6/16, Richard Levitte - VMS Whacker [EMAIL PROTECTED]:
> In message [EMAIL PROTECTED] on Thu, 16 Jun 2005 11:51:57 +0200, pana [EMAIL PROTECTED] said:
>
> panasa1> The error I get when I use -genstr is:
> panasa1>
> panasa1> unknown option -genstr
> panasa1> asn1parse [options] infile
> panasa1> where options are
> panasa1>  -inform arg   input format - one of DER TXT PEM
> panasa1>  -in arg       input file
> panasa1>  -out arg      output file (output format is always DER
> panasa1>  -noout arg    don't produce any output
> panasa1>  -offset arg   offset into file
> panasa1>  -length arg   length of section in file
> panasa1>  -i            indent entries
> panasa1>  -dump         dump unknown data in hex form
> panasa1>  -dlimit arg   dump the first arg bytes of unknown data in hex form
> panasa1>  -oid file     file of extra oid definitions
> panasa1>  -strparse offset
> panasa1>                a series of these can be used to 'dig' into multiple
> panasa1>                ASN1 blob wrappings
>
> That's not 0.9.8-beta5. Try the following command:
>
> openssl version
>
> Cheers,
> Richard
>
> -----
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
>
> --
> Richard Levitte [EMAIL PROTECTED]
> http://richard.levitte.org/
>
> When I became a man I put away childish things, including
> the fear of childishness and the desire to be very grown up.
> -- C.S. Lewis
Re: mini-ASN.1 compiler 0.9.8-beta5
...now the problem is how to uninstall or upgrade openssl, because I try to do it but the version is always 0.9.7e. I simply removed the folder. Is there an uninstall function?

bye
pana

2005/6/21, pana [EMAIL PROTECTED]:
> You found the error. The version used is 0.9.7e!!! Probably I did not uninstall the old version properly.
>
> thanks
> pana
>
> 2005/6/16, Richard Levitte - VMS Whacker [EMAIL PROTECTED]:
>> In message [EMAIL PROTECTED] on Thu, 16 Jun 2005 11:51:57 +0200, pana [EMAIL PROTECTED] said:
>>
>> panasa1> The error I get when I use -genstr is:
>> panasa1>
>> panasa1> unknown option -genstr
>> panasa1> asn1parse [options] infile
>> panasa1> where options are
>> panasa1>  -inform arg   input format - one of DER TXT PEM
>> panasa1>  -in arg       input file
>> panasa1>  -out arg      output file (output format is always DER
>> panasa1>  -noout arg    don't produce any output
>> panasa1>  -offset arg   offset into file
>> panasa1>  -length arg   length of section in file
>> panasa1>  -i            indent entries
>> panasa1>  -dump         dump unknown data in hex form
>> panasa1>  -dlimit arg   dump the first arg bytes of unknown data in hex form
>> panasa1>  -oid file     file of extra oid definitions
>> panasa1>  -strparse offset
>> panasa1>                a series of these can be used to 'dig' into multiple
>> panasa1>                ASN1 blob wrappings
>>
>> That's not 0.9.8-beta5. Try the following command:
>>
>> openssl version
>>
>> Cheers,
>> Richard
Re: mini-ASN.1 compiler 0.9.8-beta5
The error I get when I use -genstr is:

unknown option -genstr
asn1parse [options] infile
where options are
 -inform arg   input format - one of DER TXT PEM
 -in arg       input file
 -out arg      output file (output format is always DER
 -noout arg    don't produce any output
 -offset arg   offset into file
 -length arg   length of section in file
 -i            indent entries
 -dump         dump unknown data in hex form
 -dlimit arg   dump the first arg bytes of unknown data in hex form
 -oid file     file of extra oid definitions
 -strparse offset
               a series of these can be used to 'dig' into multiple
               ASN1 blob wrappings

I read the openssl.txt file but when I try to create a certificate using ASN1:UTF8String:Some random data or IA5STRING:Hello World in my extension syntax in openssl.cnf I get this error:

Error Loading extension section v3_ca
4129:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown extension:v3_conf.c:128:
4129:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=extwrk, value=ASN1:UTF8String:Some random data

pana

2005/6/15, Nils Larsch [EMAIL PROTECTED]:
> pana wrote:
>> I used those commands:
>>
>> openssl asn1parse -inform TXT -in in.txt -out out.tx
>
> openssl asn1parse ... doesn't support TXT input
>
>> and
>>
>> openssl asn1parse -genstr 'UTF8:Hello World'
>
> works for me:
>
> [EMAIL PROTECTED]:~ openssl version
> OpenSSL 0.9.8-beta4-dev XX xxx
> [EMAIL PROTECTED]:~ openssl asn1parse -genstr 'UTF8:Hello World'
>     0:d=0 hl=2 l= 11 prim: UTF8STRING
>
>> Then I tried to use it in the openssl.cnf file
>>
>> myextension=IA5STRING:Hello World
>
> did you read doc/openssl.txt ? what error messages do you get ?
>
> Nils
Re: mini-ASN.1 compiler 0.9.8-beta5
I used those commands:

openssl asn1parse -inform TXT -in in.txt -out out.tx

and

openssl asn1parse -genstr 'UTF8:Hello World'

Then I tried to use it in the openssl.cnf file

myextension=IA5STRING:Hello World

Do you know where the error is?

bye
pana

2005/6/14, Nils Larsch [EMAIL PROTECTED]:
> pana wrote:
>> Hi,
>> I try to run the mini-ASN.1 compiler with several OpenSSL versions but it doesn't work. The -genstr option is always reported as unknown by the system. Where is the error? What am I missing?
>
> works for me, what did you do ?
>
> Nils
Re: mini-ASN.1 compiler 0.9.8-dev
The error also exists using the openssl 0.9.8 beta2 version. I launch the command from my home, where I've installed OpenSSL. Any suggestion?

bye
pana

2005/5/24, Dr. Stephen Henson [EMAIL PROTECTED]:
> On Tue, May 24, 2005, pana wrote:
>> I found the manual page but when I try to use the command openssl asn1parse -genstr ... the system answers me with unknown option -genstr !! How is it possible? Bad installation?
>
> Are you still calling the old version of OpenSSL? Check with:
>
> openssl version
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Re: mini-ASN.1 compiler 0.9.8-dev
I found the manual page but when I try to use the command openssl asn1parse -genstr ... the system answers me with unknown option -genstr !! How is it possible? Bad installation?

bye
pana

2005/5/20, Dr. Stephen Henson [EMAIL PROTECTED]:
> On Thu, May 19, 2005, pana wrote:
>> Hi,
>> I don't know how to use the mini-ASN.1 compiler in the openssl 0.9.8-dev version. I need to obtain DER octets to insert in my custom extensions. Their structure is very simple, I use IA5String and BMPString. For example I want something like ...=DER:00:55:00:... Can someone help me?
>
> Check out the manual pages to asn1parse (-genstr option) and ASN1_generate_nconf in 0.9.8-dev
>
> Steve.
mini-ASN.1 compiler 0.9.8-dev
Hi,
I don't know how to use the mini-ASN.1 compiler in the openssl 0.9.8-dev version. I need to obtain DER octets to insert in my custom extensions. Their structure is very simple, I use IA5String and BMPString. For example I want something like ...=DER:00:55:00:... Can someone help me?

bye
pana
DER-encoding
Hi,
how can I obtain a word in the DER-encoding form? I need it represented in octets to use it in a custom extension definition. For example: 1e:08:00:55:00:73:00:65:00:72

bye
pana
Re: DER-encoding
Very well! Thanks. Where can I find the documentation to learn how to use the mini compiler?

bye
pana

On 5/17/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Tue, May 17, 2005, pana wrote:
>> Hi,
>> how can I obtain a word in the DER-encoding form? I need it represented in octets to use it in a custom extension definition. For example: 1e:08:00:55:00:73:00:65:00:72
>
> If you are using OpenSSL 0.9.8-dev you don't need to because the mini-ASN1 compiler handles that.
>
> If you are using 0.9.7X then you can use the asn1parse utility from 0.9.8-dev to generate the extension in DER form and then hexdump it to get the encoding.
>
> Steve.
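
The octets in the question, 1e:08:00:55:00:73:00:65:00:72, are a BMPString (tag 0x1e, length 8) holding "User" as UTF-16BE. The following added example, which is not from the thread and uses hypothetical function names, builds that encoding for the string types mentioned in these posts and formats it as a colon-separated `DER:` value for openssl.cnf.

```python
# Universal tag number and Python codec for each ASN.1 string type used here.
STRING_TYPES = {
    "UTF8String": (0x0C, "utf-8"),
    "IA5String": (0x16, "ascii"),
    "BMPString": (0x1E, "utf-16-be"),
}


def der_length(n):
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_string(kind, text):
    """Return the complete tag-length-value encoding of text as the given type."""
    tag, codec = STRING_TYPES[kind]
    if kind == "BMPString" and any(ord(c) > 0xFFFF for c in text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    # Raises UnicodeEncodeError if an IA5String contains non-ASCII characters.
    content = text.encode(codec)
    return bytes([tag]) + der_length(len(content)) + content


def colon_hex(data):
    """Format bytes as lower-case hex pairs separated by colons."""
    return ":".join("%02x" % b for b in data)


def config_value(kind, text):
    """Value to place after '=' in an extension line that uses the DER: form."""
    return "DER:" + colon_hex(der_string(kind, text))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(config_value("BMPString", "User"))
    print(config_value("IA5String", "Hello World"))
```
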
Re: custom extension structure
I found OpenSSL 0.9.8-dev and I installed it, but I didn't find the new features. Could you show me a custom extension example with the same structure as nsComment? What is the correct way to define it in openssl.cnf?

pana

On 5/13/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Fri, May 13, 2005, pana wrote:
>> Thanks a lot for the reply.
>> About the 0.9.8-dev version: where can I find it? I searched for it but I have found nothing useful.
>> Instead, about the extension: I need a human readable string. I want to use this extension to insert a word (ex. a name, a work), but I need to insert it when I create the certificate. The syntax would be myextension=ASN1:UTF8String:x ? I obtain an error unknown extension name. Why?
>
> Well provided you are relying on OpenSSL for the processing you should have no problems.
>
> However you shouldn't expect other software (such as MSIE) to display the string because it doesn't understand the extension.
>
> There is already a string extension you can insert into certificates called nsComment which may suit your needs.
>
> OpenSSL 0.9.8-dev is available from ftp://ftp.openssl.org/snapshot/ with a filename of the form openssl-SNAP-date.tar.gz, for example:
>
> ftp://ftp.openssl.org/snapshot/openssl-SNAP-20050513.tar.gz
>
> Steve.
Re: custom extension structure
Thanks a lot for the reply.
About the 0.9.8-dev version: where can I find it? I searched for it but I have found nothing useful.
Instead, about the extension: I need a human readable string. I want to use this extension to insert a word (ex. a name, a work), but I need to insert it when I create the certificate. The syntax would be myextension=ASN1:UTF8String:x ? I obtain an error unknown extension name. Why?

Bye
pana

On 5/12/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Thu, May 12, 2005, pana wrote:
>> Hi All,
>> I want to add a custom extension to my certificate and I try to insert the oid in the [new_oids] section and the extension in the [v3_ca] section. That's ok. I want to define my custom extension as a string which I can write when I create the certificate. How can I do it? Do I need to write C code or do I only need to modify the openssl.cnf? I read the x509v3_config(5) manual section but I didn't find the solution. Can someone help me?
>
> Depends on what you want to do with the string.
>
> If it's a human readable string then you can use UTF8String as the string type. If it's binary data with no clear structure you can use an OCTETSTRING; if it is structured you might want something more elaborate.
>
> You can generate almost arbitrary structures using the mini-ASN1 compiler in OpenSSL 0.9.8-dev but when you want to parse, display and interpret more complex forms then you might want to add a custom extension.
>
> Steve.
custom extension structure
Hi All,
I want to add a custom extension to my certificate and I try to insert the oid in the [new_oids] section and the extension in the [v3_ca] section. That's ok. I want to define my custom extension as a string which I can write when I create the certificate. How can I do it? Do I need to write C code or do I only need to modify the openssl.cnf? I read the x509v3_config(5) manual section but I didn't find the solution. Can someone help me?

Thanks
pana
Re: A little more about custom extension
Hi,
I haven't been clear with my answer. I only asked where I have to put the code to create a custom extension. I have the code! Some help?

Thanks
PaNa
A little more about custom extension
Hi,
I found very useful information here about custom extensions, but I need a little more help. I wrote the C file to define my own extension but I don't know where to put it and how I can use it, i.e. how does openssl find it?

Thanks
pAnA