On Tue, Jun 21, 2005, soukyan wrote:

> Dr. Stephen Henson wrote:
> >On Tue, Jun 21, 2005, soukyan wrote:
> >
> >>Hello
> >>
> >>I have the following code:
> >>variables
> >>X509 * cert;
> >>and
> >>X509_PUBKEY * working_public_key;
> >>are previously instantiated.
> >>
> >>ASN1_BIT_STRING_free(working_public_key->public_key);
> >>working_public_key->public_key =
> >>    ASN1_STRING_dup(cert->cert_info->key->public_key);
> >>if (cert->cert_info->key->algor->parameter)
> >>{
> >>    if (working_public_key->algor->parameter)
> >>        ASN1_TYPE_free(working_public_key->algor->parameter);
> >>    working_public_key->algor->parameter = ASN1_TYPE_new();
> >>    ASN1_TYPE_set(working_public_key->algor->parameter,
> >>        cert->cert_info->key->algor->parameter->type,
> >>        (void*)(&(cert->cert_info->key->algor->parameter->value)));
> >>}
> >>else
> >>{
> >>    if (OBJ_cmp(working_public_key->algor->algorithm,
> >>        cert->cert_info->key->algor->algorithm))
> >>    {
> >>        ASN1_TYPE_free(working_public_key->algor->parameter);
> >>        working_public_key->algor->parameter = NULL;
> >>    }
> >>}
> >>ASN1_OBJECT_free(working_public_key->algor->algorithm);
> >>working_public_key->algor->algorithm =
> >>    OBJ_dup(cert->cert_info->key->algor->algorithm);
> >>EVP_PKEY_free(working_public_key->pkey);
> >>working_public_key->pkey = NULL;
> >>X509_PUBKEY_get(working_public_key);
> >>
> >>I do it according to RFC 3280 chapter 6.1.4 (d), (e) and (f).
> >>
> >>If an algorithm in the certificate chain is RSA, the above code works
> >>correctly. But if the algorithm is DSA, the application crashes
> >>(segmentation fault) in X509_PUBKEY_get(working_public_key).
> >>
> >>What am I doing wrong in this code?
> >>
> >
> >That's horribly non-portable and depends on lots of structure internals. You
> >should instead use X509_verify() if you just want to verify the signature on a
> >certificate.
> >
> >If you want to extract the public key portably from a certificate use
> >X509_get_pubkey().
> >
>
> Of course I use X509_verify() this way:
> X509_verify(toBeVerifiedCert, working_public_key->pkey)
> but I first have to prepare a proper EVP_PKEY, because in some
> certificates the DSA parameters are not included in a certificate and
> need to be inherited from a previous certificate in a path.
> In such a situation the function X509_get_pubkey() isn't useful for me.
> For now my application doesn't pass tests 4.1.4, 4.1.5 and 4.1.6 from
> NIST Test Suite because of the above problem.
>
> Is there a way in OpenSSL to support signature chaining?
>

X509_get_pubkey() is useful for those cases: it just isn't complete.

You can check to see if parameters are missing using:

EVP_PKEY_missing_parameters(key);

You can copy parameters using:

EVP_PKEY_copy_parameters(to, from);

So before you replace the working_key with a new one, check to see if the new
key has parameters; if not, copy them from the current working key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
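
The check-then-copy order from the reply above, modelled with plain C structs so it runs without OpenSSL. This is an added example, not code from the thread or from OpenSSL: struct pubkey, key_missing_parameters(), key_copy_parameters(), walk_path() and the sample values are hypothetical stand-ins for EVP_PKEY, EVP_PKEY_missing_parameters() and EVP_PKEY_copy_parameters().

```c
#include <string.h>

/* Hypothetical stand-in for the key held in an EVP_PKEY. */
struct pubkey {
    const char *alg;      /* algorithm name */
    int needs_params;     /* 1 for DSA-style keys that use domain parameters */
    const char *params;   /* NULL when the certificate omitted them */
    const char *key;      /* subject public key value */
};

/* Models EVP_PKEY_missing_parameters(): 1 if required parameters are absent. */
static int key_missing_parameters(const struct pubkey *k)
{
    return k->needs_params && k->params == NULL;
}

/* Models EVP_PKEY_copy_parameters(to, from): 1 on success, 0 on failure. */
static int key_copy_parameters(struct pubkey *to, const struct pubkey *from)
{
    if (strcmp(to->alg, from->alg) != 0 || key_missing_parameters(from))
        return 0;         /* different algorithm, or nothing to inherit */
    to->params = from->params;
    return 1;
}

/* Walks keys from trust anchor (index 0) to end entity; returns how many
 * keys were accepted. *working holds the last complete key. */
static size_t walk_path(const struct pubkey *path, size_t n, struct pubkey *working)
{
    size_t i;
    for (i = 0; i < n; i++) {
        struct pubkey next = path[i];   /* role of X509_get_pubkey() */
        /* Complete the new key BEFORE it replaces the working key. */
        if (key_missing_parameters(&next) &&
            (i == 0 || !key_copy_parameters(&next, working)))
            break;                      /* unusable key: reject the path */
        *working = next;                /* the next certificate is checked with it */
    }
    return i;
}

/* Constructed sample path: only the first DSA key carries parameters. */
static const struct pubkey sample_path[] = {
    { "DSA", 1, "p,q,g (constructed)", "anchor-key" },
    { "DSA", 1, NULL, "intermediate-key" },
    { "DSA", 1, NULL, "end-entity-key" },
};
int main(void) {
    struct pubkey w;
    return walk_path(sample_path, 3, &w) == 3 ? 0 : 1;
}
```

A path that switches algorithm before a parameterless DSA key, or that starts with one, stops at that key because there is nothing valid to inherit.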