Re: Bad OIDs (was: Re: Verification of a x509 certificate signature)

2013-11-29 Thread Dr. Stephen Henson
On Thu, Nov 28, 2013, Erwann Abalea wrote: How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. I just looked at OpenSSL's objects.txt database, and found some OIDs that

Re: Verification of a x509 certificate signature

2013-11-28 Thread Walter H.
Hi, On Wed, November 27, 2013 16:02, Dereck Hurtubise wrote: X509v3 Extended Key Usage: Trust Root. What is this strange? 'Trust Root' as Extended Key Usage?

Re: Verification of a x509 certificate signature

2013-11-28 Thread Walter H.
the ASN.1 dump of this certificate ...
   0 470: SEQUENCE {
   4 319:   SEQUENCE {
   8   3:     [0] {
  10   1:       INTEGER 2
        :       }
  13   5:     INTEGER 00 D6 2D F4 34
  20  13:     SEQUENCE {
  22   9:       OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
  33   0:

Re: Verification of a x509 certificate signature

2013-11-28 Thread Dereck Hurtubise
It is NTP indicating that this certificate is held by a supposed trusted root (authority). This is NTP's way of figuring out if the certificate of the subject/issuer should be trusted or not. So they misuse X509 extensions for their own purposes. This alone is not enough. So they also implement

Re: Verification of a x509 certificate signature

2013-11-28 Thread Dereck Hurtubise
I want to thank everyone who replied for the help. I figured out what went wrong. Two things. The RSA public key wasn't loaded with the correct values. Thank you for giving a hint about that. The second thing was the data to verify somehow included the OID of the signature. So the second time

Bad OIDs (was: Re: Verification of a x509 certificate signature)

2013-11-28 Thread Erwann Abalea
How nice, they're asking for a self-signed certificate to include a specific EKU to indicate it's a Trust Anchor, and the OID used for this has never been allocated. Crazy. I just looked at OpenSSL's objects.txt database, and found some OIDs that need some change: id-pkix-OCSP 8

Re: Bad OIDs (was: Re: Verification of a x509 certificate signature)

2013-11-28 Thread Dereck Hurtubise
Welcome to the wonderful world of NTP Autokey, where they misuse X509v3 extensions for their own purposes. Nothing I can do about it. It's in the specification of that RFC (5906). On Thu, Nov 28, 2013 at 4:14 PM, Erwann Abalea erwann.aba...@keynectis.com wrote: How nice, they're asking for a

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
NID is an internal openssl implementation detail; X509 data structures have OIDs. Post the PEM of the cert. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: Verification of a x509 certificate signature

2013-11-27 Thread Dereck Hurtubise
The certificate is received in ASN.1 DER format. Not PEM. The only thing I want to do is verify the signature of the certificate, and thus verify the signature itself. It is self-signed so the public key in the certificate should be used to verify the signature, but it isn't working. Certificate:

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
The point of posting PEM is that people can cut and paste from a mail message and decode it to get the DER or whatever. (That's why PEM format was invented, to survive intact through email:) You are generating a certificate, self-signing it, and your recipient cannot verify it. Right?

RE: Verification of a x509 certificate signature

2013-11-27 Thread Dave Thompson
From: owner-openssl-users On Behalf Of Dereck Hurtubise Sent: Wednesday, November 27, 2013 04:40 I'm trying to verify an x509 certificate with a custom library (other than openssl). The reason I'm writing to this mailing list is that I can't figure out what is going wrong. The certificate is