Dr. Stephen Henson wrote:
On Tue, Jun 21, 2005, soukyan wrote:
Hello
I have the following code:
The variables
    X509 *cert;
and
    X509_PUBKEY *working_public_key;
are previously instantiated.
    ASN1_BIT_STRING_free(working_public_key->public_key);
    working_public_key->public_key =
        ASN1_STRING_dup(cert->cert_info->key->public_key);
    if (cert->cert_info->key->algor->parameter)
    {
        if (working_public_key->algor->parameter)
            ASN1_TYPE_free(working_public_key->algor->parameter);
        working_public_key->algor->parameter = ASN1_TYPE_new();
        ASN1_TYPE_set(working_public_key->algor->parameter,
            cert->cert_info->key->algor->parameter->type,
            (void*)(&(cert->cert_info->key->algor->parameter->value)));
    }
    else
    {
        if (OBJ_cmp(working_public_key->algor->algorithm,
                cert->cert_info->key->algor->algorithm))
        {
            ASN1_TYPE_free(working_public_key->algor->parameter);
            working_public_key->algor->parameter = NULL;
        }
    }
    ASN1_OBJECT_free(working_public_key->algor->algorithm);
    working_public_key->algor->algorithm =
        OBJ_dup(cert->cert_info->key->algor->algorithm);
    EVP_PKEY_free(working_public_key->pkey);
    working_public_key->pkey = NULL;
    X509_PUBKEY_get(working_public_key);
I do it according to RFC 3280 chapter 6.1.4 (d), (e) and (f).
If an algorithm in the certificate chain is RSA, the above code works
correctly. But if the algorithm is DSA, the application crashes
(segmentation fault) in X509_PUBKEY_get(working_public_key).
What am I doing wrong in this code?
That's horribly non-portable and depends on lots of structure internals. You
should instead use X509_verify() if you just want to verify the signature on a
certificate.
If you want to extract the public key portably from a certificate use
X509_get_pubkey().
Of course I use X509_verify() this way:
X509_verify(toBeVerifiedCert, working_public_key->pkey)
but I first have to prepare a proper EVP_PKEY, because in some
certificates the DSA parameters are not included in the certificate and
need to be inherited from a previous certificate in the path.
In such a situation the function X509_get_pubkey() isn't useful for me.
For now my application doesn't pass tests 4.1.4, 4.1.5 and 4.1.6 from
NIST Test Suite because of the above problem.
Is there a way in OpenSSL to support signature chaining?
Thanks,
Daniel
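
The working-key update from RFC 3280 6.1.4 (e) and (f) that this thread is about, as an added example that is not part of the original messages and not OpenSSL code. It is a library-independent model: the struct names, the 64-byte parameter limit and the sample chains are assumptions, and step (d), copying the key bits themselves, is left out.

```c
#include <string.h>
#define MAX_PARAMS 64
struct spki {                         /* simplified subjectPublicKeyInfo */
    const char *alg_oid;
    const unsigned char *params;      /* NULL when the certificate omits them */
    size_t params_len;
};
struct working_key {                  /* state carried along the path */
    char alg_oid[32];
    unsigned char params[MAX_PARAMS]; /* owned copy, not a pointer into a cert */
    size_t params_len;
    int has_params;
};
/* RFC 3280 6.1.4 (e) and (f). Returns 0, or -1 if a field does not fit. */
int update_working_key(struct working_key *wk, const struct spki *k)
{
    if (strlen(k->alg_oid) >= sizeof wk->alg_oid) return -1;
    if (k->params != NULL) {              /* (e) parameters present: copy them */
        if (k->params_len > MAX_PARAMS) return -1;
        memcpy(wk->params, k->params, k->params_len);
        wk->params_len = k->params_len;
        wk->has_params = 1;
    } else if (strcmp(wk->alg_oid, k->alg_oid) != 0) {
        wk->has_params = 0;               /* (e) absent, other algorithm: null */
        wk->params_len = 0;
    }                                     /* absent, same algorithm: inherit */
    strcpy(wk->alg_oid, k->alg_oid);      /* (f) only after the comparison in (e) */
    return 0;
}

/* Walk a path, first key first; returns the final has_params, or -1 on error. */
int chain_final_has_params(const struct spki *chain, size_t n)
{
    struct working_key wk = { "", {0}, 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (update_working_key(&wk, &chain[i]) != 0) return -1;
    return wk.has_params;
}
/* Constructed sample data: the parameter bytes are placeholders, not real p, q, g. */
static const unsigned char P1[] = { 0x30, 0x03, 0x02, 0x01, 0x07 };
static const struct spki inherit_chain[] = {
    { "1.2.840.10040.4.1", P1, sizeof P1 },  /* DSA with parameters */
    { "1.2.840.10040.4.1", NULL, 0 },        /* DSA, parameters omitted */
};
static const struct spki reset_chain[] = {
    { "1.2.840.10040.4.1", P1, sizeof P1 },
    { "1.2.840.113549.1.1.1", NULL, 0 },     /* RSA, parameters left out in this model */
    { "1.2.840.10040.4.1", NULL, 0 },        /* DSA again: nothing left to inherit */
};
```

On EVP_PKEY objects, OpenSSL's EVP_PKEY_missing_parameters() and EVP_PKEY_copy_parameters() provide the inherit step without reaching into structure internals.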