Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Jim Carroll
I was just typing a reply to your previous message asking for a bit of
clarification and this message just came through -- answered every single
one of my questions!

To answer your question about the swig changes, I was able to solve the
problem by moving your code to the top of the swig declarations file. The
M2Crypto swig declaration file uses some pretty sophisticated directives,
and I think one of them was getting in the way.  Specifically, I believe it
was a conflict with %inline %{ ... %} and the swig pre-processor.

We're using SWIG 3.0.1, and we're compiling a small list of bug fixes for
them as well (mostly with how they handle certain Microsoft-specific
extensions).  After we finish the port of M2Crypto, we'll submit to them as
well.

> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Dr. Stephen Henson
> Sent: Thursday, July 21, 2016 3:00 PM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help finding replacement for
> ASN1_seq_unpack_X509
> 
> On Thu, Jul 21, 2016, Jim Carroll wrote:
> 
> > Steve,
> >
> > I ran into problems with swig when I tried to deploy your suggestion.
> > Your solution was slick pre-processor magic and I was having difficulty
> > reversing the magic to troubleshoot swig (and I was a little shy about
> > admitting I didn't understand your suggestion).
> >
> 
> Well there are various things going on underneath which can be hard to
> follow
> if you aren't used to them. Here's a bit more detail about what is
> going on.
> 
> Initially we just include the necessary headers:
> 
> #include <openssl/x509.h>
> #include <openssl/asn1t.h>
> 
> ASN.1 encode/decode routines generally use a structure name. We have
> STACK_OF(X509) but no name for that so we can make one up which I call
> SEQ_CERT:
> 
> typedef STACK_OF(X509) SEQ_CERT;
> 
> The next bit defines an ASN.1 module structure which says the SEQ_CERT
> is
> a SEQUENCE OF X509:
> 
> ASN1_ITEM_TEMPLATE(SEQ_CERT) =
> ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
> ASN1_ITEM_TEMPLATE_END(SEQ_CERT)
> 
> Here SEQ_CERT is the structure name which that macro defines as a
> SEQUENCE OF
> X509. The "SeqCert" is just a string that is used as a name in the
> definition:
> it can be anything.
> 
> Now that's all very well but it doesn't actually define any functions.
> The bit
> that does that is this:
> 
> IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)
> 
> This implements four functions but we're only interested in the encode
> and
> decode ones which look like this:
> 
>  int i2d_SEQ_CERT(SEQ_CERT *a, unsigned char **pp);
>  SEQ_CERT *d2i_SEQ_CERT(SEQ_CERT **a, const unsigned char **pp, long length);
> 
> These behave like regular ASN.1 functions: you pass in SEQ_CERT, which
> is STACK_OF(X509), to the i2d_SEQ_CERT and it encodes the result as a
> SEQUENCE OF X509, which is the same format as the original.
> 
> Similarly you can decode using d2i_SEQ_CERT() and get back a
> STACK_OF(X509).
> 
> If you have this in a separate module you can declare the new functions
> (e.g.
> in a header file) with:
> 
> DECLARE_ASN1_FUNCTIONS(SEQ_CERT)
> 
> Hope that helps. If you have any further problems let me know.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Jim Carroll wrote:

> Steve,  
> 
> I ran into problems with swig when I tried to deploy your suggestion. Your
> solution was slick pre-processor magic and I was having difficulty
> reversing the magic to troubleshoot swig (and I was a little shy about
> admitting I didn't understand your suggestion).
> 

Well there are various things going on underneath which can be hard to follow
if you aren't used to them. Here's a bit more detail about what is going on.

Initially we just include the necessary headers:

#include <openssl/x509.h>
#include <openssl/asn1t.h>

ASN.1 encode/decode routines generally use a structure name. We have
STACK_OF(X509) but no name for that so we can make one up which I call
SEQ_CERT:

typedef STACK_OF(X509) SEQ_CERT;

The next bit defines an ASN.1 module structure which says the SEQ_CERT is
a SEQUENCE OF X509:

ASN1_ITEM_TEMPLATE(SEQ_CERT) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
ASN1_ITEM_TEMPLATE_END(SEQ_CERT)

Here SEQ_CERT is the structure name which that macro defines as a SEQUENCE OF
X509. The "SeqCert" is just a string that is used as a name in the definition:
it can be anything.

Now that's all very well but it doesn't actually define any functions. The bit
that does that is this:

IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)

This implements four functions but we're only interested in the encode and
decode ones which look like this:

 int i2d_SEQ_CERT(SEQ_CERT *a, unsigned char **pp);
 SEQ_CERT *d2i_SEQ_CERT(SEQ_CERT **a, const unsigned char **pp, long length);

These behave like regular ASN.1 functions: you pass in SEQ_CERT, which is
STACK_OF(X509), to the i2d_SEQ_CERT and it encodes the result as a SEQUENCE
OF X509, which is the same format as the original.

Similarly you can decode using d2i_SEQ_CERT() and get back a STACK_OF(X509).

If you have this in a separate module you can declare the new functions (e.g.
in a header file) with:

DECLARE_ASN1_FUNCTIONS(SEQ_CERT)

Hope that helps. If you have any further problems let me know.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Jim Carroll wrote:

> 
> I ran into problems with swig when I tried to deploy your suggestion. Your
> solution was slick pre-processor magic and I was having difficulty
> reversing the magic to troubleshoot swig (and I was a little shy about
> admitting I didn't understand your suggestion).
> 
> I've spent more time reading ASN1 headers since then, and I'm starting to
> get a glimmer of understanding of what's what. I'm now circling back to your
> solution and I think I'm getting on top of the swig issue.
> 

I'd be interested in knowing more details of the swig problems you had. If it
helps you can just include my code snippet in a separate C source file and
then just use the i2d/d2i functions in the swig wrapper itself.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Jim Carroll
Steve,  

I ran into problems with swig when I tried to deploy your suggestion. Your
solution was slick pre-processor magic and I was having difficulty
reversing the magic to troubleshoot swig (and I was a little shy about
admitting I didn't understand your suggestion).

I've spent more time reading ASN1 headers since then, and I'm starting to
get a glimmer of understanding of what's what. I'm now circling back to your
solution and I think I'm getting on top of the swig issue.

Thanks for all your help.

> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Dr. Stephen Henson
> Sent: Thursday, July 21, 2016 9:53 AM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help finding replacement for
> ASN1_seq_unpack_X509
> 
> On Wed, Jul 20, 2016, Jim Carroll wrote:
> 
> > Thanks much. I have a corollary question if you don't mind.  In OpenSSL
> > 1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER?
> >
> 
> It depends on what you mean by "to DER" and what the other end is
> expecting.
> 
> The code snippet I suggested will do that: if you call i2d_SEQ_CERT (or
> whatever you called it) that will work. That wraps the whole lot in a
> SEQUENCE header which is the same as the original. That is, it is a
> SEQUENCE OF X509.
> 
> > Would it be acceptable to just iterate the stack elements, passing each X509
> > through i2d_X509 and appending the results -- would that generate valid DER?
> > Is there a better way?
> >
> 
> It depends on what the other side expects. If you just do that and EOF
> signals the end of the last certificate you'll be fine. If you append
> additional data afterwards then you need to mark the last certificate
> somehow. The certificate sequence version prepends the data with the
> length of all the certificates so it automatically handles that.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Salz, Rich

> Actually that is including a SEQUENCE header and not just the DER blobs. So if
> the result must be compatible with the original format the snippet I
> suggested would be appropriate here.

Thanks for the correction.


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Salz, Rich wrote:

> 
> > STACK_OF(X509)* stack = sk_X509_new_null();
> > sk_X509_push(stack, cert);
> > sk_X509_push(stack, ca);
> > 
> > return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
> 
> Okay, so you're just pushing two DER-format blobs one after the other.
> Yes, what you thought to do is fine. :)

Actually that is including a SEQUENCE header and not just the DER blobs. So if
the result must be compatible with the original format the snippet I suggested
would be appropriate here.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Wed, Jul 20, 2016, Jim Carroll wrote:

> Thanks much. I have a corollary question if you don't mind.  In OpenSSL
> 1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER?
> 

It depends on what you mean by "to DER" and what the other end is expecting.

The code snippet I suggested will do that: if you call i2d_SEQ_CERT (or
whatever you called it) that will work. That wraps the whole lot in a SEQUENCE
header which is the same as the original. That is, it is a SEQUENCE OF X509.

> Would it be acceptable to just iterate the stack elements, passing each X509
> through i2d_X509 and appending the results -- would that generate valid DER?
> Is there a better way?
> 

It depends on what the other side expects. If you just do that and EOF
signals the end of the last certificate you'll be fine. If you append
additional data afterwards then you need to mark the last certificate somehow.
The certificate sequence version prepends the data with the length of all the
certificates so it automatically handles that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
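
The framing difference discussed in this thread, as an added example that is not code from the thread or from OpenSSL: dependency-free C that hand-writes the SEQUENCE header (the outer framing the thread says i2d_SEQ_CERT produces) and compares it with plain concatenation when unrelated data follows. The function names and the two five-byte stand-in "certificates" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for two i2d_X509() outputs: each is a tiny DER
 * SEQUENCE { INTEGER n }, not a real certificate. */
static const unsigned char CERT_A[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char CERT_B[] = { 0x30, 0x03, 0x02, 0x01, 0x02 };

/* Write a DER definite length: short form below 128, else minimal long form. */
static size_t der_put_len(unsigned char *out, size_t len)
{
    unsigned char tmp[sizeof(size_t)];
    size_t n = 0, i;
    if (len < 0x80) { out[0] = (unsigned char)len; return 1; }
    while (len > 0) { tmp[n++] = (unsigned char)(len & 0xff); len >>= 8; }
    out[0] = (unsigned char)(0x80 | n);
    for (i = 0; i < n; i++) out[1 + i] = tmp[n - 1 - i];
    return 1 + n;
}

/* Prefix body with a SEQUENCE header (tag 0x30). Returns total size, 0 if no room. */
size_t der_wrap_sequence(const unsigned char *body, size_t body_len,
                         unsigned char *out, size_t cap)
{
    unsigned char hdr[2 + sizeof(size_t)] = { 0x30 };
    size_t hlen = 1 + der_put_len(hdr + 1, body_len);
    if (cap < hlen || body_len > cap - hlen) return 0;
    memcpy(out, hdr, hlen);
    memcpy(out + hlen, body, body_len);
    return hlen + body_len;
}

/* Read one tag+length header. Returns the tag, or -1 on truncation, multi-byte
 * tag, indefinite or non-minimal length, or a body that overruns the buffer. */
int der_read_header(const unsigned char *p, size_t avail, size_t *hdr_len, size_t *body_len)
{
    size_t len, n, i;
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return -1;
    len = p[1];
    *hdr_len = 2;
    if (len >= 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n || p[2] == 0) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        if (len < 0x80) return -1;
        *hdr_len = 2 + n;
    }
    if (len > avail - *hdr_len) return -1;
    *body_len = len;
    return p[0];
}

/* Count back-to-back TLVs that must fill the buffer exactly; -1 if they do not. */
int der_count_elements(const unsigned char *buf, size_t len)
{
    size_t h, b;
    int count;
    for (count = 0; len > 0; count++) {
        if (der_read_header(buf, len, &h, &b) < 0) return -1;
        buf += h + b;
        len -= h + b;
    }
    return count;
}

/* SEQUENCE OF framing: returns the element count and sets *used to the size of
 * the outer TLV, so the caller knows where any following data starts. */
int der_count_in_sequence(const unsigned char *buf, size_t len, size_t *used)
{
    size_t h, b;
    if (der_read_header(buf, len, &h, &b) != 0x30) return -1;
    *used = h + b;
    return der_count_elements(buf + h, b);
}

int main(void)
{
    unsigned char cat[32], seq[32];
    size_t cat_len = sizeof(CERT_A) + sizeof(CERT_B), seq_len, used = 0;
    memcpy(cat, CERT_A, sizeof(CERT_A));      /* concatenation, as a loop */
    memcpy(cat + sizeof(CERT_A), CERT_B, sizeof(CERT_B)); /* over i2d_X509() gives */
    seq_len = der_wrap_sequence(cat, cat_len, seq, sizeof(seq) - 3);
    memcpy(cat + cat_len, "XYZ", 3);  /* unrelated data follows each encoding */
    memcpy(seq + seq_len, "XYZ", 3);
    int n = der_count_in_sequence(seq, seq_len + 3, &used);
    printf("SEQUENCE OF: %d elements, %zu trailing bytes\n", n, seq_len + 3 - used);
    printf("concatenated + trailing: %d\n", der_count_elements(cat, cat_len + 3));
    return 0;
}
```

With the wrapper, the receiver finds both elements and knows exactly where the trailing bytes begin; the concatenated form only parses when the buffer ends right after the last element.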


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Salz, Rich
> Thanks Rich!

You're welcome.  Getting M2Crypto moved to 1.1 is a *great* project.  Thanks.

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz




Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Jim Carroll
Thanks Rich!

> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich
> Sent: Thursday, July 21, 2016 8:57 AM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help finding replacement for
> ASN1_seq_unpack_X509
> 
> 
> > STACK_OF(X509)* stack = sk_X509_new_null();
> > sk_X509_push(stack, cert);
> > sk_X509_push(stack, ca);
> >
> > return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
> 
> Okay, so you're just pushing two DER-format blobs one after the other.
> Yes, what you thought to do is fine. :)


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Salz, Rich

>   STACK_OF(X509)* stack = sk_X509_new_null();
>   sk_X509_push(stack, cert);
>   sk_X509_push(stack, ca);
> 
>   return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);

Okay, so you're just pushing two DER-format blobs one after the other.
Yes, what you thought to do is fine. :)


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Jim Carroll
We are porting M2Crypto, which is a Python swig wrapper around OpenSSL. It
currently supports OpenSSL 0.9.8 and we are porting it to 1.1.0.  The 1.1.0
branch is really cool (clean, elegant code), but there were a few
refactorings that affected M2Crypto.  Most were trivial getter/setter type
changes, but a few were in the area of getting rid of some ASN1 processing
(which happens to be our weakest point of understanding).

We're left with porting the final bit -- which is related to X509 cert
handling.  Here's a sample use. The caller builds up the call with the
following 'pseudo-sequence'. get_der() is the function we are working on
finishing.

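#include <openssl/pem.h>
#include <openssl/x509.h>

/* Read one PEM certificate; returns NULL if the file cannot be opened or parsed. */
X509* load_cert_bio(const char* filename) {
    BIO* bio = BIO_new_file(filename, "r");
    X509* cert = NULL;
    if (bio != NULL) {
        cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
        BIO_free(bio);
    }
    return cert;
}

unsigned char* get_der(int* len_out) {
    X509* cert = load_cert_bio("x509.pem");
    X509* ca = load_cert_bio("ca.pem");

    STACK_OF(X509)* stack = sk_X509_new_null();
    sk_X509_push(stack, cert);
    sk_X509_push(stack, ca);

    /* 0.9.8-era macro, removed in 1.1.0: this is the call being replaced. */
    return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
}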

The ASN1_seq_pack_X509 was a macro -- and has been removed.


> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich
> Sent: Thursday, July 21, 2016 4:35 AM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help finding replacement for
> ASN1_seq_unpack_X509
> 
> > Would it be acceptable to just iterate the stack elements, passing each X509
> > through i2d_X509 and appending the results -- would that generate valid
> > DER?
> Maybe.  It depends on what the receiver is expecting.  If it's willing
> to read a set of certs until it hits EOF (or equivalent) that's fine.
> But if you're sending a SEQUENCE OF certificates then you need to wrap
> it in an ASN1/DER container. For example, Netscape Cert Sequence
> 
> Can you post a code snippet?
> 
> 

Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Salz, Rich
> Would it be acceptable to just iterate the stack elements, passing each X509
> through i2d_X509 and appending the results -- would that generate valid
> DER?

Maybe.  It depends on what the receiver is expecting.  If it's willing to read 
a set of certs until it hits EOF (or equivalent) that's fine.  But if you're 
sending a SEQUENCE OF certificates then you need to wrap it in an ASN1/DER 
container. For example, Netscape Cert Sequence

Can you post a code snippet?




Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-20 Thread Jim Carroll
Thanks much. I have a corollary question if you don't mind.  In OpenSSL
1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER?

Would it be acceptable to just iterate the stack elements, passing each X509
through i2d_X509 and appending the results -- would that generate valid DER?
Is there a better way?


> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Dr. Stephen Henson
> Sent: Tuesday, July 19, 2016 6:10 PM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Help finding replacement for
> ASN1_seq_unpack_X509
> 
> On Tue, Jul 19, 2016, Jim Carroll wrote:
> 
> > OpenSSL 1.1.0 has upgraded the safestack.h macro system, but I'm having
> > difficulty understanding the changes. I'm porting a piece of code from
> > OpenSSL 0.9.8 that uses ASN1_seq_unpack_X509. In 0.9.8, safestack.h had this
> > definition.
> >
> > #define ASN1_seq_unpack_X509(buf, len, d2i_func, free_func) \
> >     SKM_ASN1_seq_unpack(X509, (buf), (len), (d2i_func), (free_func))
> >
> > Could anyone point me in the right direction and how this needs to be
> > adapted?
> >
> >
> 
> Ah, that uses some ancient stuff which is originally from OpenSSL
> 0.9.6. For
> 1.1.0 this has changed. You need to create a typedef for a
> STACK_OF(X509) and
> then define ASN.1 functions for it for a SEQUENCE OF X509. That is a
> lot
> easier than it sounds. This should do it:
> 
> #include <openssl/x509.h>
> #include <openssl/asn1t.h>
> 
> typedef STACK_OF(X509) SEQ_CERT;
> 
> ASN1_ITEM_TEMPLATE(SEQ_CERT) =
> ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
> ASN1_ITEM_TEMPLATE_END(SEQ_CERT)
> 
> IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)
> 
> This defines a function d2i_SEQ_CERT() which replaces the original
> macro.
> 
> Note that this construct should also work in earlier versions of
> OpenSSL too
> including 0.9.8.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-19 Thread Dr. Stephen Henson
On Tue, Jul 19, 2016, Jim Carroll wrote:

> OpenSSL 1.1.0 has upgraded the safestack.h macro system, but I'm having
> difficulty understanding the changes. I'm porting a piece of code from
> OpenSSL 0.9.8 that uses ASN1_seq_unpack_X509. In 0.9.8, safestack.h had this
> definition.
> 
> #define ASN1_seq_unpack_X509(buf, len, d2i_func, free_func) \
>     SKM_ASN1_seq_unpack(X509, (buf), (len), (d2i_func), (free_func))
> 
> Could anyone point me in the right direction and how this needs to be
> adapted?
>  
> 

Ah, that uses some ancient stuff which is originally from OpenSSL 0.9.6. For
1.1.0 this has changed. You need to create a typedef for a STACK_OF(X509) and
then define ASN.1 functions for it for a SEQUENCE OF X509. That is a lot
easier than it sounds. This should do it:

#include <openssl/x509.h>
#include <openssl/asn1t.h>

typedef STACK_OF(X509) SEQ_CERT;

ASN1_ITEM_TEMPLATE(SEQ_CERT) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
ASN1_ITEM_TEMPLATE_END(SEQ_CERT)

IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)

This defines a function d2i_SEQ_CERT() which replaces the original macro.

Note that this construct should also work in earlier versions of OpenSSL too
including 0.9.8.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-19 Thread Jim Carroll
OpenSSL 1.1.0 has upgraded the safestack.h macro system, but I'm having
difficulty understanding the changes. I'm porting a piece of code from
OpenSSL 0.9.8 that uses ASN1_seq_unpack_X509. In 0.9.8, safestack.h had this
definition.

#define ASN1_seq_unpack_X509(buf, len, d2i_func, free_func) \
    SKM_ASN1_seq_unpack(X509, (buf), (len), (d2i_func), (free_func))

Could anyone point me in the right direction and how this needs to be
adapted?

 


