-----BEGIN PGP SIGNED MESSAGE-----

  I have a base64 encoded file (could be a buffer if you like).

  It is in fact a raw public key that I'm importing in ca.c. (The key was
generated by a pkix-hostile program. I need to use it in another
non-certificate hostile system. I intend to sign it with a CA key. A hack,
see below)

  I know the encoding of it, etc. Rather than add code bloat I thought that I
ought to be able to just use BIO_f_base64() and BIO_push(). Is there some
kind of document that explains this stuff?  I kind of stumbled upon
BIO_FLAGS_BASE64_NO_NL while tracing through the code...

  What I'm really looking for now is a nice way to turn a DN in traditional 
printed form (in char *buf) into something that I can stick into my req
structure. I'm calling make_REQ() from req.c (which I made global rather than 
static) right now. 

  Making the req_conf a local to make_REQ() and moving it to another file
might make the most sense. 

  Is there an ungetc() equivalent?

  The base64 stuff does not seem to be willing to ignore spaces in the input
stream. The code appears as though it should, but I haven't traced through to
see what is up.

=== background

  The hack in general works.  The resulting certificate can then be fed into
racoon and I can talk RSA IPsec between NetBSD/racoon and FreeSWAN. I had to
tell racoon to not verify the certificate, otherwise it complains that the
subjectAltName is missing. I'm not sure why this is.

  (Going the other direction can be done with fswcert. The current
recommendation for making FreeSWAN talk to X.509 systems is to generate an
X.509 keypair, then extract the public and private parts and provide them to
FreeSWAN. That only works if you are in control of the FreeSWAN end and can
replace the private key.)

  The next steps for me are to stick the loading code directly into racoon,
and then to have it actually fetch the key via DNS. In the meantime, the
following works.

% cat sign-freeswan-key
#!/bin/sh

# For each hostname given on the command line: fetch its KEY RR, keep the
# base64 key material (field 7 onward), drop embedded spaces, prefix the
# FreeSWAN "0s" base64 marker, then sign the raw key with the patched CA.
for key
do
        echo -n '0s' >req/$key.rsa
        host -t key $key | cut -d' ' -f 7- | tr -d ' ' >>req/$key.rsa
        myopenssl ca -rawkey req/$key.rsa
done


% cat req/gate1.pub.sandelman.ottawa.on.ca.rsa
0sAQPVDrkcCvOI3xw7bo735f+E8dnMRvFzMQZ3Rp5FmFpsdwn1vd2WMBjvFFlb5HK/nesWURIXSGnTy2Os4VXqnsAkh61wRUMhst7DoooJMgC6drIZiAGyKb0MHjsazcxM3tRpYp9LOx9R1nPUOsp9Gd7ltCwLs8yckHlhWAx+QoDWkw==

(as generated by FreeSWAN)

and produce:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Sandelman Software Works Corporation, OU=Certs R Us, [EMAIL PROTECTED]
        Validity
            Not Before: Jan 18 22:45:50 2002 GMT
            Not After : Jan 18 22:45:50 2003 GMT
        Subject: C=CA, ST=Ontario, O=Sandelman Software Works Corporation, OU=FreeSWAN testing network, CN=gate1.pub.sandelman.ottawa.on.ca/Email=192.139.46.5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d5:0e:b9:1c:0a:f3:88:df:1c:3b:6e:8e:f7:e5:
                    ff:84:f1:d9:cc:46:f1:73:31:06:77:46:9e:45:98:
                    5a:6c:77:09:f5:bd:dd:96:30:18:ef:14:59:5b:e4:
                    72:bf:9d:eb:16:51:12:17:48:69:d3:cb:63:ac:e1:
                    55:ea:9e:c0:24:87:ad:70:45:43:21:b2:de:c3:a2:
                    8a:09:32:00:ba:76:b2:19:88:01:b2:29:bd:0c:1e:
                    3b:1a:cd:cc:4c:de:d4:69:62:9f:4b:3b:1f:51:d6:
                    73:d4:3a:ca:7d:19:de:e5:b4:2c:0b:b3:cc:9c:90:
                    79:61:58:0c:7e:42:80:d6:93
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1E:77:C1:3B:B0:A8:3F:F6:F2:24:41:14:99:39:C7:F2:D5:B6:17:EB
            X509v3 Authority Key Identifier: 
                DirName:/C=CA/ST=Ontario/L=Ottawa/O=Sandelman Software Works Corporation/OU=Certs R [EMAIL PROTECTED]
                serial:00

            X509v3 Subject Alternative Name: 
                email:192.139.46.5
            X509v3 Issuer Alternative Name: 
                <EMPTY>

    Signature Algorithm: md5WithRSAEncryption
        3c:b2:97:7f:3c:d8:51:51:24:c4:e8:23:58:29:67:f1:59:0b:
        ed:47:da:38:c1:6a:83:f1:b0:19:3c:8a:11:be:ce:99:c0:5a:
        9e:d9:78:f9:3b:f2:be:25:e0:cf:56:45:d7:41:a0:d3:1a:d5:
        d1:f2:af:5f:42:d0:5c:4d:3e:92:90:bf:00:41:81:f3:2a:c9:
        0f:dd:a6:94:6e:9d:7c:01:bd:fc:74:64:ca:fa:9e:93:14:62:
        73:75:6e:22:b1:02:03:44:61:f4:6c:43:cf:1b:6d:50:9d:3f:
        13:18:c6:fa:ab:7c:fe:9b:ae:bf:db:b7:fc:c8:d6:a2:a8:9e:
        80:97
- -----BEGIN CERTIFICATE-----
MIIEjDCCA/WgAwIBAgIBCjANBgkqhkiG9w0BAQQFADCB2jELMAkGA1UEBhMCQ0Ex
...
q3z+m66/27f8yNaiqJ6Alw==
- -----END CERTIFICATE-----


]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPEircIqHRg3pndX9AQEA1wP/cQkt4JcciUzVhtWX30AO4wjtqf3kgMeZ
l9JlQUbn4od7YfVaaDvP1sKwGyTM8RPylGf54opiBXlnZrgnCp95zntC1UfrflHr
OrKe8qJTWLWHwUR3SYoL7cFKVd5lfwptSZAsw9zawzyEIRSRRGE4Wsp5Xd4KbXEK
/3VGx6Aozhg=
=MGCV
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
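An added example, written by the editor and not taken from the post, from FreeSWAN or from OpenSSL, showing what the "0s" key above actually contains and how to get it into a form OpenSSL can consume. The decoded bytes are not a PKCS#1 RSAPublicKey DER blob but the RFC 2537 KEY RR payload (one exponent-length byte, the exponent, then the modulus), which is why d2i_RSAPublicKey() cannot read it directly. The code strips all whitespace before base64 decoding (the behaviour the poster wanted from the base64 BIO), parses the RFC 2537 layout including the three-byte exponent-length form, and re-encodes (e, n) as PKCS#1 DER. The function names are hypothetical; SAMPLE_KEY is the gate1.pub.sandelman.ottawa.on.ca key quoted in the post.

```python
import base64
import re

# Sample input copied from the post above: FreeSWAN's "0s" + base64 form of the
# RFC 2537 RSA KEY RR for gate1.pub.sandelman.ottawa.on.ca.
SAMPLE_KEY = (
    "0sAQPVDrkcCvOI3xw7bo735f+E8dnMRvFzMQZ3Rp5FmFpsdwn1vd2WMBjvFFlb5HK/"
    "nesWURIXSGnTy2Os4VXqnsAkh61wRUMhst7DoooJMgC6drIZiAGyKb0MHjsazcxM"
    "3tRpYp9LOx9R1nPUOsp9Gd7ltCwLs8yckHlhWAx+QoDWkw=="
)


def decode_freeswan_key(text):
    """Strip FreeSWAN's '0s' (base64) marker and all whitespace, then decode.

    '0s' is the ttodata() convention for base64 ('0x' would be hex). Removing
    whitespace up front avoids relying on the decoder to skip it, which is the
    problem the poster hit with the OpenSSL base64 BIO.
    """
    cleaned = re.sub(r"\s+", "", text)
    if not cleaned.startswith("0s"):
        raise ValueError("expected a FreeSWAN '0s' base64 key")
    return base64.b64decode(cleaned[2:], validate=True)


def parse_rfc2537_rsa(blob):
    """Parse an RFC 2537 RSA KEY RR payload into (e, n).

    Layout: exponent length (1 byte, or 0 followed by a 2-byte length),
    exponent, then the modulus occupying the remainder of the payload.
    """
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if len(blob) < off + elen + 1:
        raise ValueError("truncated exponent or modulus")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def _der_len(length):
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative value, with the sign-padding 0x00."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_der(e, n):
    """Encode (e, n) as PKCS#1 RSAPublicKey ::= SEQUENCE { n, e }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_len(len(body)) + body


def sample_public_key():
    """Decode and parse SAMPLE_KEY; returns (e, n)."""
    return parse_rfc2537_rsa(decode_freeswan_key(SAMPLE_KEY))


if __name__ == "__main__":
    e, n = sample_public_key()
    print("exponent:", e, "modulus bits:", n.bit_length())
    with open("gate1-pkcs1.der", "wb") as f:
        f.write(to_pkcs1_der(e, n))
```

The DER written at the end is what d2i_RSAPublicKey() expects, so the conversion replaces the "-rawkey" parsing inside the patched ca.c; the exponent 3 and the d5:0e:b9:1c... modulus from the certificate dump above fall straight out of the parse.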