Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
On 08/11/2017 02:39 PM, Dr. Stephen Henson wrote: On Fri, Aug 11, 2017, Robert Moskowitz wrote: Frustrated... On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting' the

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
Frustrated... On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting' the subjectAltName section of 'man x509v3_config'. Not all forms of SAN names are supported. If you

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
On 08/11/2017 02:47 PM, Dr. Stephen Henson wrote: On Fri, Aug 11, 2017, Robert Moskowitz wrote: I would want the 'openssl req' command to prompt for hwType and hsSerialNum. At least for now. Note that you can't get the 'openssl req' command prompt for this but you can generate the

[openssl-users] Core dump on DSA_free -- libssl.so.1.0.0

2017-08-11 Thread Jason Qian via openssl-users
Thanks for the help, DSA *pDSA = d2i_DSA_PUBKEY(NULL, (const unsigned char **) , dwKeySize); bool bRet = false; if (pDSA) { bRet = DSA_verify(0, signature, 20, (BYTE *) pFile, dwSize, (DSA *) pDSA) == 1 ? true : false; DSA_free(pDSA); } Jason

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
Why thank you, Viktor. Let's see if I can get this right from RFC4108 On 08/11/2017 12:47 PM, Viktor Dukhovni wrote: On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote: In the certificate extensions section you do something like: subjectAltName =

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
Sigh. Well let's see what I can get done on this by the next IEEE802/IETF week pair. On 08/11/2017 11:56 AM, Salz, Rich wrote: What is the procedure to get it added. RFC 4108 has been around for a while, as has 802.1AR-2009. Simplest way is to (get someone to) write the code and make a

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Dr. Stephen Henson
On Fri, Aug 11, 2017, Robert Moskowitz wrote: > Frustrated... > > On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: > >>My challenge comes to subjectAltName and its subfield > >>hardwareModuleName > >>per RFC 4108. I guess I am not 'getting' the subjectAltName section of > >>'man

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Dr. Stephen Henson
On Fri, Aug 11, 2017, Robert Moskowitz wrote: > > I would want the 'openssl req' command to prompt for hwType and > hsSerialNum. At least for now. > Note that you can't get the 'openssl req' command prompt for this but you can generate the extension in an appropriate syntax: see my other

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Viktor Dukhovni
On Fri, Aug 11, 2017 at 03:29:25PM +, Salz, Rich via openssl-users wrote: > In the certificate extensions section you do something like: > subjectAltName = dns:www.example.com, IP:127.0.0.1 > and so on. The "pki.tgz" > > > And further it seems you are saying there is no support for

Re: [openssl-users] Core dump on DSA_free -- libssl.so.1.0.0

2017-08-11 Thread Salz, Rich via openssl-users
> DSA *pDSA = d2i_DSA_PUBKEY(NULL, (const unsigned char **) , dwKeySize); Where and how is pKey set? Note that the manpage says it's incremented to point *past* the object, so you need something like unsigned char data = .whatever your data source is . unsigned char *pKey

Re: [openssl-users] Core dump on DSA_free -- libssl.so.1.0.0

2017-08-11 Thread Jason Qian via openssl-users
Thanks for looking into this, void * pKey = LockResource(hHandle); The code works most of the time, only occasionally generates an exception and not sure why on DSA_free(pDSA); On Fri, Aug 11, 2017 at 2:57 PM, Salz, Rich wrote: > > DSA *pDSA = d2i_DSA_PUBKEY(NULL, (const

Re: [openssl-users] Core dump on DSA_free -- libssl.so.1.0.0

2017-08-11 Thread Salz, Rich via openssl-users
Please read what I wrote. The d2i functions *modify the pointer they are given.* You have to give them a temporary copy. -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz From: Jason Qian [mailto:jq...@tibco.com] Sent: Friday, August

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
Thanks for the response, Rich. On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote: My challenge comes to subjectAltName and its subfield hardwareModuleName per RFC 4108. I guess I am not 'getting' the subjectAltName section of 'man x509v3_config'. Not all forms of SAN names are

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Salz, Rich via openssl-users
> Given these supported names, what goes into the config file to create a SAN > without having to specify it on the command line? In the certificate extensions section you do something like: subjectAltName = dns:www.example.com, IP:127.0.0.1 and so on. The "pki.tgz" > And further it

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
On 08/11/2017 11:29 AM, Salz, Rich wrote: Given these supported names, what goes into the config file to create a SAN without having to specify it on the command line? In the certificate extensions section you do something like: subjectAltName = dns:www.example.com, IP:127.0.0.1 and

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Salz, Rich via openssl-users
> What is the procedure to get it added. RFC 4108 has been around for a while, > as has 802.1AR-2009. Simplest way is to (get someone to) write the code and make a GitHub pull request. Next way is to post a patch. Next way is to open an issue and hope someone gets around to it. > Though I

[openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Robert Moskowitz
Now that I can build a generic PKI with EDDSA, the next step is to add creation of 802.1AR iDevID certificates. I am using the current draft, sec 8, 802.1ARce-d2-2, but for this purpose it is essentially the same (but more clearly written) as sec 7, 802.1AR-2009. I start with making the following

Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Salz, Rich via openssl-users
> My challenge comes to subjectAltName and its subfield > hardwareModuleName > per RFC 4108. I guess I am not 'getting' the subjectAltName section of > 'man x509v3_config'. Not all forms of SAN names are supported. If you look in include/openssl/x509v3.h you see the following: # define