On Thu, Dec 01, 2005 at 04:08:38PM -0500, Sean Rhea wrote:
> >Clearly OpenSSL has already verified that the client
> >has a private key that matches the public key in the certificate, or
> >else all the certificate checks are pointless.
>
> Are you SURE about that? I'm not doubting you, it's jus
Hi Fred,
These functions i2d_X509_bio and d2i_X509_bio are used for X509 certificates in DER format.
But the requirement was to read an X509 cert in PEM format from memory.
Hi Steve,
I got your point: bio = BIO_new_mem_buf(cert, -1);
will be more efficient because it avoids BIO_write by just assigning
Hi
Thanks for the reply.
I will try to implement an ASN1 module for the data. I am new to openssl and
tried to get some sample code but couldn't find any. Can you please point me
to a few sample examples of the implementation (maybe one simple and one
complex one)?
Thanks once again.
-Venkat
---
OpenSSL Gurus,
I run a local CA and I wish to use the OpenSSL certificates to cipher
the EFS ops.
To do so, I need to generate the certificates with the extended OID
1.3.6.1.4.1.311.10.3.4 (listed as msEFS in objects.h)
My certificate generation flow is:
openssl req -nodes -new
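The extension itself is the part the question above leaves open. As an added example, not from the thread, this is an OpenSSL config section that puts the msEFS extended key usage into an issued certificate; the file name efs.cnf, the section name efs_ext and the accompanying keyUsage bits are assumptions, the OID is the one from the question.

```ini
# efs.cnf -- added example, not from the thread. Section name is an assumption.
[ efs_ext ]
# Extended key usage given as the numeric OID from the question; OpenSSL's
# extendedKeyUsage also accepts the short name msEFS defined for it in objects.h.
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.4
# keyUsage bits are an assumption: EFS wraps the file key with the RSA key.
keyUsage = keyEncipherment, digitalSignature
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
```

The section is applied at signing time, not at CSR time, so the `openssl req -new` step stays as it is and the CA step names it: `openssl ca -config ca.cnf -extfile efs.cnf -extensions efs_ext -in req.pem -out cert.pem` (or `openssl x509 -req ... -extfile efs.cnf -extensions efs_ext`). Check the result with `openssl x509 -in cert.pem -noout -text` and look for the OID under X509v3 Extended Key Usage; an EKU that only appears in the CSR and not in the issued certificate is the usual reason Windows refuses to use a third-party EFS certificate.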
On Nov 30, 2005, at 10:48 PM, Victor Duchovni wrote:
Clearly OpenSSL has already verified that the client
has a private key that matches the public key in the certificate, or
else all the certificate checks are pointless.
Are you SURE about that? I'm not doubting you, it's just that
"Clearly
On Thu, Dec 01, 2005, Anil Gunturu wrote:
> Thank you for your response. I have a couple more questions:
> - If I use ENGINE_by_id("athena"), what should be the name and path of
> engine implementation.
> - I understand that ENGINE_cleanup() should be called before shutting down
> the appli
Hi,
I think you could use the i2d_X509_bio and d2i_X509_bio functions that help
with using BIO and X509 structures.
from openssl/x509.h
#define d2i_X509_bio(bp,x509) (X509 *)ASN1_d2i_bio((char *(*)())X509_new, \
(char *(*)())d2i_X509, (bp),(unsigned char **)(x509))
#define i2d_X509_bio(
Mark wrote:
Hi Bear,
As I said, just remember to use some intelligence. Verify the
issuer, be prepared for the case where a clueless CA issues the
same serial number (which is definitely an error, but how will you
handle it?), etc.
Are there any additional steps necess
Thank you for your response. I have a couple more questions:
- If I use ENGINE_by_id("athena"), what should be the name and path of the
engine implementation?
- I understand that ENGINE_cleanup() should be called before shutting down
the application, but can I call ENGINE_finish() and ENGINE_free()
Mark wrote:
> Are there any additional steps necessary to verify the issuer
> apart from the normal peer authentication and a string compare of
> the issuer name?
Just follow the certificate chain back to a trusted root. Anyone
can forge a certificate chain, but they won't be able to get back
Hi Bear,
> As I said, just remember to use some intelligence. Verify the
> issuer, be prepared for the case where a clueless CA issues the
> same serial number (which is definitely an error, but how will you
> handle it?), etc.
Are there any additional steps necessary to verify the issuer
apa
Mark wrote:
>>No hash can be guaranteed to be unique. Issuer and serial number
>>should be, but of course you need to exercise some intelligence here.
>
> In that case I'll use the Issuer and Serial number. Thanks.
As I said, just remember to use some intelligence. Verify the
issuer, be prepare
Hi Bear,
> > I noticed a function X509_subject_name_hash(). Will that
> give a unique
> > reference to a certificate? It seems to ;-)
>
> No hash can be guaranteed to be unique. Issuer and serial number
> should be, but of course you need to exercise some intelligence here.
>
> You can use
Mark wrote:
> I noticed a function X509_subject_name_hash(). Will that give a unique
> reference to a certificate? It seems to ;-)
No hash can be guaranteed to be unique. Issuer and serial number
should be, but of course you need to exercise some intelligence here.
You can use the subject hash
I've looked at that file but my understanding is still limited. There's
virtually no comments so it's hard to untangle what it is doing.
I noticed a function X509_subject_name_hash(). Will that give a unique
reference to a certificate? It seems to ;-)
There are several calls to a functi
On Thu, Dec 01, 2005, Venkata Sairam wrote:
> Hi
>
> I am trying to parse an ASN format that has the following structure.
> ASNSEQUENCE[C] = 3 elements
>   INTEGER = 0
>   SEQUENCE[C] = 2 elements
>     OBJECT ID = SHA
>     NULL = null
>   SEQUENCE[C] = 1 elements
>     SEQUENCE[C] = 2 elements
>
Hi Peter,
> Read apps/x509.c how it parses the different ways to format a subject
> and issuer.
I've looked at that file but my understanding is still limited. There's
virtually no comments so it's hard to untangle what it is doing.
I noticed a function X509_subject_name_hash(). Will that giv
On Thu, Dec 01, 2005, Rajeshwar Singh Jenwar wrote:
> extern X509 *mem2x509_pem(char *cert)
>
> {
> X509 *x509= NULL;
> BIO *bio = NULL;
> int len = -1;
> bio = BIO_new(BIO_s_mem());
> if (!bio)
> goto end;
> len = BIO_write(bio, cert, strlen(cert));
> if (len == -1)
> goto end;
>
From: "Mark" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: A Few General OpenSSL Questions...
Date: Thu, 1 Dec 2005 12:37:55 -
Hello Usman,
> > > an error. Can someone tell what do i need to do to make
> the server
> >connect
> > > wit
#include <string.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* Parse a PEM-encoded certificate held in a NUL-terminated memory buffer. */
extern X509 *mem2x509_pem(char *cert)
{
    X509 *x509 = NULL;
    BIO *bio = NULL;
    int len = -1;

    bio = BIO_new(BIO_s_mem());
    if (!bio)
        goto end;
    /* BIO_write() returns the number of bytes written, or 0 / -1 on failure. */
    len = BIO_write(bio, cert, strlen(cert));
    if (len <= 0)
        goto end;
    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
    if (!x509)
        goto end;
end:
    if (bio)
        BIO_free(bio);
    return x509;
}
Hello Usman,
> > > an error. Can someone tell what do i need to do to make
> the server
> >connect
> > > with SSL v3, or TLS ver 1
> >
> >Have you tried the SSLv23_method? it starts with a v2 Hello, then it
> >upgrades to v3 or tlsv1 ...
Try this with SSLv23_method:
/* Set any paramet
On 11/30/05, Usman Riaz <[EMAIL PROTECTED]> wrote:
> b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for
> client to connect. When the client connects (client is a FireFox browser,
> with SSLv2,3 & TLSv1 enabled), on the server side when I try to read from
> the bio (afte
etc. ==> cf apps/x509.c
I must admit to being even more confused after the all the replies
to this thread! Thanks for all the input ;-)
I
Read apps/x509.c how it parses the different ways to format a subject
and issuer.
--
To verify the signature, see http://edelpki.edelweb.fr/
Cela
Hi
I am trying to parse an ASN format that has the following structure.
ASNSEQUENCE[C] = 3 elements
  INTEGER = 0
  SEQUENCE[C] = 2 elements
    OBJECT ID = SHA
    NULL = null
  SEQUENCE[C] = 1 elements
    SEQUENCE[C] = 2 elements
      INTEGER = 1
      OCTET STRING = 20 bytes: 98:F7:6A:06:E1...
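Both the question above and Venkat's earlier request for sample code are about decoding this structure. The thread is about OpenSSL's C ASN.1 API; as an added example that is not from the thread, here is a standard-library-only Python DER encoder and walker for the same layout, so the bytes and the checks a parser needs are visible without OpenSSL. The OID value (1.3.14.3.2.26, SHA-1, for the dump's "OBJECT ID = SHA") is an assumption, and only the first five digest bytes come from the dump; the rest of the sample input is constructed.

```python
# Added example, not code from the thread: a stand-alone DER encoder/walker,
# standard library only, for the structure described in the thread.
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_NAMES = {TAG_INTEGER: "INTEGER", TAG_OCTET_STRING: "OCTET STRING",
             TAG_NULL: "NULL", TAG_OID: "OBJECT ID", TAG_SEQUENCE: "SEQUENCE"}


def tlv(tag, body):
    """DER tag-length-value: short-form length below 128, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_integer(value):
    # Non-negative only; the extra byte keeps the sign bit clear when needed (DER rule).
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:          # base-128, high bit set on all but the last byte
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        out.extend(reversed(groups))
    return tlv(TAG_OID, bytes(out))


def _read_length(buf, i, end):
    if i >= end:
        raise ValueError("truncated element")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > end:
        raise ValueError("indefinite, oversized or truncated length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _decode_oid(body):
    if not body:
        raise ValueError("empty OID")
    arcs, value, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(map(str, arcs))


def decode(buf, start=0, end=None):
    """Decode the TLVs in buf[start:end] into (name, value) nodes; a constructed
    node's value is the list of its children, a primitive's is a Python value."""
    end = len(buf) if end is None else end
    nodes, i = [], start
    while i < end:
        tag = buf[i]
        length, i = _read_length(buf, i + 1, end)
        body_end = i + length
        if body_end > end:          # never trust L further than the enclosing element
            raise ValueError("length runs past the enclosing element")
        name = TAG_NAMES.get(tag, "TAG 0x%02X" % tag)
        if tag & 0x20:              # constructed: recurse into the body
            nodes.append((name, decode(buf, i, body_end)))
        elif tag == TAG_INTEGER:
            nodes.append((name, int.from_bytes(buf[i:body_end], "big", signed=True)))
        elif tag == TAG_OID:
            nodes.append((name, _decode_oid(buf[i:body_end])))
        elif tag == TAG_NULL:
            if length:
                raise ValueError("NULL with content")
            nodes.append((name, None))
        else:
            nodes.append((name, bytes(buf[i:body_end])))
        i = body_end
    return nodes


# Constructed input matching the dump in the thread. The OID is an assumption
# (SHA-1); only the first five digest bytes are from the dump, the rest are made up.
SHA1_OID = "1.3.14.3.2.26"
DIGEST = bytes.fromhex("98f76a06e1" "00112233445566778899aabbccddee")
SAMPLE = tlv(TAG_SEQUENCE,
             encode_integer(0)
             + tlv(TAG_SEQUENCE, encode_oid(SHA1_OID) + tlv(TAG_NULL, b""))
             + tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE,
                                     encode_integer(1) + tlv(TAG_OCTET_STRING, DIGEST))))


def extract_digest(der):
    """Insist on exactly the shape in the thread and return (algorithm OID, digest).
    Anything else raises, rather than indexing blindly into whatever decoded."""
    top = decode(der)
    if len(top) != 1 or top[0][0] != "SEQUENCE" or len(top[0][1]) != 3:
        raise ValueError("expected one SEQUENCE of 3 elements")
    version, alg, outer = top[0][1]
    if version != ("INTEGER", 0):
        raise ValueError("unexpected version")
    if alg[0] != "SEQUENCE" or len(alg[1]) != 2 or alg[1][0][0] != "OBJECT ID" \
            or alg[1][1] != ("NULL", None):
        raise ValueError("malformed AlgorithmIdentifier")
    if outer[0] != "SEQUENCE" or len(outer[1]) != 1 or outer[1][0][0] != "SEQUENCE":
        raise ValueError("expected SEQUENCE of one SEQUENCE")
    inner = outer[1][0][1]
    if len(inner) != 2 or inner[0] != ("INTEGER", 1) or inner[1][0] != "OCTET STRING" \
            or len(inner[1][1]) != 20:
        raise ValueError("expected INTEGER 1 and a 20-byte OCTET STRING")
    return alg[1][0][1], inner[1][1]
```

The two checks worth carrying over to whatever C or OpenSSL code ends up doing this are the bounds test on every length (an element's body may never extend past its parent) and the shape test in extract_digest: a parser that pulls field three of field three out of an arbitrary SEQUENCE tree will happily read garbage, or crash, on input that merely starts with 0x30.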
Hi All,
> The code below gives the FIRST Common Name RDN, not the last
> one in the hierarchy
> to be tested as a servername in tls. But well, if you only have one
> occurrence of common name :-)
>
> Anyway, the WHOLE DN, i.e. all attributes together are supposed to be
> unique in a CA.
> Of
Frédéric Donnat wrote:
> be careful with some typo errors.
>
> My openssl 0.9.7e does not accept this "RSA-AES256",
It does NOT? Strange.
> but accept "RSA:AES256".
Sure, as this specifies two cipher preferences, "RSA" or "AES256"...
> Things are the same with last openssl 0.9.7i.
I'll take i
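The three spellings discussed above behave differently because of OpenSSL's cipher-string grammar: "RSA-AES256" is a single token, and no cipher suite has that name, so the whole string is rejected; "RSA:AES256" lists two independent preferences, every suite matching RSA followed by every suite matching AES256; "RSA+AES256" joins the two aliases so that a suite must match both. As an added example, not from the thread, this Python snippet shows all three through the standard ssl module, which hands the string to SSL_CTX_set_cipher_list unchanged. It assumes an OpenSSL build that still offers static-RSA AES suites at its default security level.

```python
# Added example, not from the thread: OpenSSL cipher-string "-", ":" and "+"
# seen through Python's ssl module (the string goes to SSL_CTX_set_cipher_list).
import ssl


def selected(cipher_string):
    """Return the pre-TLS-1.3 cipher names OpenSSL selects for cipher_string,
    or None when OpenSSL rejects the string ("No cipher can be selected")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites come from a separate list and are reported whatever
    # set_ciphers() was given; drop them so the result reflects only the string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def compare(*cipher_strings):
    """Map each spelling to its selection so the variants can be put side by side."""
    return {s: selected(s) for s in cipher_strings}


if __name__ == "__main__":
    for spelling, names in compare("RSA-AES256", "RSA:AES256", "RSA+AES256").items():
        print("%-12s %s" % (spelling, "rejected" if names is None else ", ".join(names)))
```

The same check can be done from the shell with `openssl ciphers -v 'RSA+AES256'`; either way, the point is to inspect the expanded list rather than trust that a string which OpenSSL accepted means what its author intended, since "RSA:AES256" silently admits every AES256 suite regardless of key exchange and every RSA suite regardless of cipher.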
Hi Goetz,
> At least my c_rehash expects CA certs to have the suffix .pem.
> And since the -CApath param needs hashes generated by c_rehash
> to find the certificates, it will fail...
>
> Fix the extension to .pem, run c_rehash and verify should
> succeed...
Thanks. That does it :-)
Cheers,