ical' flag in the call
to X509_get_ext_d2i I can ignore those usage fields that
are advisory only, and can in turn use my server certificate
to authenticate as a client.
Am I reading RFC 2459 correctly?
Is my analysis of that part of the code correct?
Is there another reason ope
Is there a way to figure out which CA the server used to validate the client
certificate?
-Fen
http://pronouns.is/fae/faer
SSL_get0_verified_chain was exactly what I needed, thanks!
-Original Message-
From: openssl-users On Behalf Of Viktor
Dukhovni
Sent: Friday, October 25, 2019 11:55 AM
To: openssl-users@openssl.org
Subject: Re: Retrieve CA for client cert from SSL*
> On Oct 25, 2019, at 5:38 PM, Jan Just
So my questions are, how do I replicate what load_key() does to populate
pkey (EVP_PKEY *)? And, are there any data functions that can be used
to replace what the BIO functions do for files?
The BIO routines work with strings as well as with files.
BIO *rbio;
rbio = BIO_new_mem_buf(str,
Does anyone know of an alternative for populating EVP_PKEY * that
emulates what load_key() does?
load_key() is complicated only because it deals with lots of types of
files and formats. Presumably you already know the format and
location of your key. Just use
pkey = PEM_read_bio_Pr
I grabbed "Network Security with OpenSSL" on Safari and have been
reading the relevant sections.
That's a useful book.
If I understand correctly, to read an
external file, decrypt it using an internal private key and write the
decrypted out to internal data, I would do:
Is your file real
Yes, my data is less than 128 bytes. I ran across that when I was
doing my original research and saw the approach you recommend for
larger files.
So for a small file, do I have the methodology correct?
Yes. Didn't try the code, but it's the right approach.
Jim
PEM_read_bio_RSAPrivateKey() returns a BIO *, not an EVP_PKEY *. So, I
am passing the wrong argument type when I call EVP_PKEY_get1_RSA().
Did I use the wrong call, or am I missing a call?
PEM_read_bio_RSAPrivateKey returns an (RSA*) and you're done.
You don't need or want the call to EVP_PKEY
I have another problem now, I want to convert a pkcs#1 to a pkcs#8 using the
openssl function. I noticed that there is a "PEM_write_PKCS8PrivateKey()",
but I believe it produces a pkcs#1 public key, so how do I get a pkcs8
public key?
pkcs8 is just for private keys. There isn't any pkcs8 p
What I am trying to accomplish is create a remote application with an
embedded private key that can securely retrieve a small block of data.
Is there somewhere a public key to go with this private key?
I assume the RSA header and footer line are unnecessary?
Bad assumption. Both are part
But what I really want is the encoded string in a char buffer.
And so I comment out 2 and use 1 instead. As it's supposed to write
the encoded string into a buffer,
but the problem here is pEncBuf is empty even though bytesWritten says it
wrote 4 bytes.
And I can't explain why it won'
And yeah even with the correct size it still doesn't work.
The BIO_new_mem_buf creates a read-only buffer.
If you want to write to memory use
bio = BIO_new(BIO_s_mem());
and use BIO_get_mem_ptr to get a pointer to the buffer.
Jim
Thanks. But it seems that I must add my custom information as
extension when the certificate is being created. Can I add to the
certificate which has already been created ?
No. Once the certificate has been signed it's done. If you want
to change anything you have to re-sign (recreate) it.
Ji
On Jul 12, 2007, at 9:29 PM, imin macho wrote:
hi...
i'm a noob in openssl.. my employee asked me to edit our c++ cert
issuer engine developed using openssl. currently the cert generated
will be valid based on the time we generate it. for example, if i
generate a cert at 13 july 2007 1:3
One other issue though the base64 encoded string contains new line
character at the end.
is there a way through the api to not include it.
It is characteristic of openssl to insert linebreaks in both base64
and PEM encodings --- and to require them when it decodes data. If
for some r
you get either of these you can retry the same operation
later.
Here's a library that demonstrates non-blocking SSL IO:
http://staff.washington.edu/fox/ezs/
Jim
__
OpenSSL Project
Date: Thu, 19 Jul 2007 16:09:59 -0400
From: Jim Marshall <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Reply-To: openssl-users@openssl.org
Subject: Re: How to prevent SSL from blocking from Network interruption
Victor Duchovni wrote:
On Thu, Jul 19, 2007 at 03:54:55PM -0400, Jim Marshall
On Jul 19, 2007, at 9:45 PM, Jim Marshall wrote:
Jim Marshall wrote:
David Schwartz wrote:
OpenSSL tries to make SSL connections act like regular TCP connections. This
is exactly what TCP does. So your application would have this exact same
problem with or without OpenSSL. As such, how can
I understand that, when encrypting, the last block has to be padded to
encrypt it and so I do, but I don't save to the encrypted file the padded
bytes, because I need the encrypted data to be the same size as the original.
You have to save the entire encrypted block. cipher_final
will tell you the length of the padded and encrypted block.
So, should I assume that encrypted buffer will always be a multiple of
block_size ...
I would say that my application can't allow that though.
Why do you care at all? Jus
One way is 'PEM_read_PrivateKey', which reads a private key (PEM in
this case) from a FILE*.
Jim
On Jul 22, 2007, at 7:55 PM, Nagendra Tomar wrote:
Hi
I would like to know if there is a libcrypto API to read a
public/private key from a keyfile and populate the RSA structure,
so th
You are in a place where theory and practice converge. The security model
assumes you don't trust a CA (in the technical sense) if you don't trust the
CA (in the normal sense). It is built around the assumption that a client's
list of trusted CAs will be intelligently managed to include only
Is it possible to use a different server certificate based on the
client IP address? I am attempting to get a TCP connection, check the
source IP, and then create an SSL context with the correct
certificate, and establish an SSL connection using that context. It
doesn't seem to be working, but I
Doesn't need a faq. The man page says the purpose of the
BIO_set_nbio_accept macro is to set blocking or non-blocking mode.
Seems like that's what it will do.
Jim
On Sep 3, 2007, at 11:31 AM, Jim Marshall wrote:
Jim Marshall wrote:
I'm looking at using non-blocking I/O in some places i
Use "BIO_set_nbio_accept" and this will work as you want it to.
Jim
Thanks for the feedback, but the BIO_set_nbio still doesn't seem to
work. Here is what I am doing. I have a function which creates the
accept BIO and calls BIO_set_nbio as follows (this is obviously
trimmed down from
So beyond the BIO_do_accept, I used the openssl client program to connect to
my server. I was expecting the above to make all the sockets non-blocking,
but when I called SSL_read in my code it seems to block for data. I tried
using the BIO_set_nbio and BIO_set_nbio_accept calls but no joy.
Is it possible to have one (self-signed) SSL certificate for a server
that is known as foo.bar.org (internal LAN name) and bar.org (FQDN on
the Internet)? A wildcard certificate doesn't seem to be a solution
since it seems to be a subdomain only solution.
Include all the names you want to
My question asked earlier and helpfully answered by Jim Fox opened a
whole can of worms for me. Googling around I found no two sites that to
my untrained eye seem to do these steps in the same way. So I borrowed a
few bits and pieces here and there and came up with these very newbie
steps
I have tried:
./config --prefix=/usr/bin --openssldir=/usr/local/openssl
make
make test
make install
This would have installed openssl into /usr/bin/lib, /usr/bin/bin,
/usr/bin/include, ...
You might have wanted "--prefix=/usr"
Jim
I have a private CA certificate created using openssl command line. The
issue is that the certificate expires on 19th Oct, 2007. The question is
that "Is it possible to extend the expiry of this certificate without
changing any other fields in the certificate?" Basically, I want to continue
usin
This was a certificate authority certificate. As such, the renewal
has to have the same key and DN as the original in order to continue
being a CA for previously signed certificates.
Jim
On Oct 17, 2007, at 5:54 PM, David Schwartz wrote:
It seems to me that the OP is indeed asking somet
I'm writing some code where I'm using the EVP encryption routines
described here:
http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
I'm trying to use AES. Is AES supported through this interface? It's
not listed in the documentation as a supported cipher.
The ciphers are all found i
call in question is:
SSL_get_peer_certificate(ssl)
I can post a larger code sample if necessary, but my question is: Is
this the right call for client authentication, or does it only work for
server authentication?
Thanks.
--
Colin Fox
anks to all who replied, especially Michael. This was
driving me crazy. :)
> --
> Michael Czapski
> Senior Consultant
> SeeBeyond Pty. Ltd.
> +61 2 9409-5403
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Colin Fox