Re: ASK: any option for CERTID in OCSP using AKID of the cert to be checked

2003-01-19 Thread Kiyoshi WATANABE

Hi, 

I thought that the two values could be the same. Both use the hash value
of the subject public key field of the issuer certificate.

RFC 2560 does not have any description of the use of the authority key
identifier. However, looking at the archives of the PKIX discussion, some
mentioned the use of the authority key identifier to avoid the hash
calculation at the client side.

Or am I misunderstanding the calculation over the two values?

#The authority key identifier has different methods of calculation, so
#it is not good to rely on the authority key identifier value only.

-Kiyoshi
Kiyoshi Watanabe



 On Sun, Jan 19, 2003, Kiyoshi WATANABE wrote:
 
  
  Dear all and developers,
  
  Is there any option to create the CertID.issuerKeyHash using the AKID of the
  cert to be checked, instead of using the issuer certificate itself, in an
  OCSP request?
  
  In addition, do you see any security concerns over this usage if being
  developed?
  
 
 The OCSP standard defines what CertID.issuerKeyHash should be, so changing that
 makes the implementation non-compliant.
 
 Updated versions of the OCSP standards are being discussed which do allow
 alternative certificate identifiers but they are still being discussed and
 OpenSSL doesn't support them yet.
 
 Steve.
 --
 Dr. Stephen Henson  [EMAIL PROTECTED]
 OpenSSL Project http://www.openssl.org/~steve/
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
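As an added example (not code from this thread or from OpenSSL): a pure-Python sketch of the two values being compared above. It builds a constructed RSA SubjectPublicKeyInfo, derives CertID.issuerKeyHash as RFC 2560 specifies (SHA-1 over the subjectPublicKey BIT STRING value) and the AKID keyIdentifier under RFC 3280 4.2.1.2 methods (1) and (2); only method (1) produces the same bytes, which is the reason the AKID alone cannot be relied on. The modulus is a constructed toy value, not a real key.

```python
import hashlib

# Added example, not code from the thread or from OpenSSL. Constructed RSA
# SubjectPublicKeyInfo; shows when AKID equals CertID.issuerKeyHash.

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def _der_read(buf, pos=0):
    """Return (tag, content, position after the TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_rsa_spki(modulus, exponent):
    """Constructed SubjectPublicKeyInfo (rsaEncryption) for a toy modulus."""
    def der_int(v):  # extra leading 0x00 keeps the INTEGER positive
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_public_key = _der(0x30, der_int(modulus) + der_int(exponent))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key))

def subject_public_key_value(spki):
    """BIT STRING value of subjectPublicKey: no tag, length or unused-bits byte."""
    _, seq, _ = _der_read(spki)
    _, _, after_alg = _der_read(seq)
    tag, bits, _ = _der_read(seq, after_alg)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]

def ocsp_issuer_key_hash(issuer_spki):
    """RFC 2560 CertID.issuerKeyHash, SHA-1 over the issuer's key value."""
    return hashlib.sha1(subject_public_key_value(issuer_spki)).digest()

def akid_key_identifier(ca_spki, method=1):
    """RFC 3280 4.2.1.2: (1) full SHA-1; (2) nibble 0100 + low 60 bits of it."""
    h = hashlib.sha1(subject_public_key_value(ca_spki)).digest()
    return h if method == 1 else bytes([0x40 | (h[12] & 0x0F)]) + h[13:]

def akid_matches_issuer_key_hash(akid, issuer_spki):
    """The client-side shortcut from the thread; valid only when this is True."""
    return akid == ocsp_issuer_key_hash(issuer_spki)
```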



Re: Problem passing BIO buffer to PKCS7_sign()

2003-01-19 Thread marcus.carey
There was no data in BIO out.

I needed to call BIO_reset() after calling PKCS7_sign().

Thanks



- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 19, 2003 5:10 AM
Subject: Re: Problem passing BIO buffer to PKCS7_sign()


 On Sat, Jan 18, 2003, marcus.carey wrote:

 
  BIO *in = BIO_new(BIO_s_mem());
  BIO *out = BIO_new(BIO_s_mem());
  char buffer[40];
  PKCS7 *pkcs7;
 
  BIO_puts(in, data);
 
  pkcs7 = PKCS7_sign(cert, pkey, chain, in, flags);
  SMIME_write_PKCS7(out, pkcs7, in, flags);
 
  BIO_read(out, buffer, sizeof(buffer));
 
  data does not appear in the S/MIME message.
 
  What's the correct method for setting up BIO buffers for S/MIME
  messages?
 
 

 What do you mean does not appear? Do you mean the data written to the BIO
 'out' doesn't contain data, or it doesn't show up in some client like Outlook
 Express?

 If you aren't using PKCS7_DETACHED for flags the data won't be visible but will
 still be encoded. If you are reading it with a client and can't see data
 then you may need PKCS7_TEXT as well.

 Steve.
 --
 Dr. Stephen Henson  [EMAIL PROTECTED]
 OpenSSL Project http://www.openssl.org/~steve/



Re: Problem passing BIO buffer to PKCS7_sign()

2003-01-19 Thread Dr. Stephen Henson
On Sun, Jan 19, 2003, marcus.carey wrote:

 There was no data in BIO out.
 
 I needed to call BIO_reset() after calling PKCS7_sign().
 

From which I deduce you are also using PKCS7_DETACHED. Yes at present you have
to call BIO_reset() to rewind the BIO to the start. This is because detached
data needs to make two passes over the signed data, one to sign it and the
other to output the data itself. If the OpenSSL code was made a little bit
cleverer only one pass would be needed which would combine the operations...

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



Proxy'ing client certs

2003-01-19 Thread Chandrasekhar R S
I have already posted the following on the list under the Proxy'ing client
certs thread.
Could not see the posting, hence re-posting.
-
My understanding had been the following:

Client           Proxy Server     --   Proxy Client        Server
produces a       consumes              presents a          can only receive
CA signed        the                   ProxyClient Cert    ProxyClient Cert
Client Cert      Client Cert

ProxyClient Cert is not the same as Client Cert.

Though the Proxy Server is in receipt of the Client Cert, it
cannot present the same in the SSL connection between
ProxyClient and Server.  The requirement is to make the Proxy
faithfully forward the Client Cert to the Server.


Vadim suggested that the CONNECT method of HTTP can be
used to set up the TCP connection first and run SSL next.  The Proxy
could then forward the SSL traffic.

It has been difficult to understand the solution.  It seems to me that
we need to set up a TCP connection via the proxy server first and add
SSL to it later.  I am not aware of how to do this.

Could someone help me further?

Namaste,
R S Chandrasekhar
[EMAIL PROTECTED]
ISD : 091-080-2051166
Telnet : 847-1166
Phone : 2052427

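The CONNECT-then-SSL sequence asked about above, as an added example (not code from the thread or from any proxy project). It implements the client's CONNECT request and the proxy's parsing of it, then shows the blind byte relay the proxy does afterwards; the TLS handshake, including the client certificate, therefore runs end to end between client and origin server and the proxy never has to re-present anything. The host name origin.example and the in-process fake proxy are constructed stand-ins.

```python
import socket, threading

def send_connect(sock, host, port):
    """Client side: request a tunnel to host:port, return the proxy's HTTP
    status. On 200 the same socket is handed to ssl wrap_socket(); the TLS
    handshake, client certificate included, then runs end to end."""
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed before answering CONNECT")
        reply += chunk
    return int(reply.split(b"\r\n", 1)[0].split()[1])

def parse_connect(request):
    """Proxy side: (host, port) from a CONNECT request line, else None."""
    try:
        method, target, version = request.split(b"\r\n", 1)[0].decode("ascii").split()
    except (UnicodeDecodeError, ValueError):
        return None
    host, sep, port = target.rpartition(":")
    if method != "CONNECT" or not version.startswith("HTTP/1.") or not sep or not port.isdigit():
        return None
    return host, int(port)

def relay(src, dst):
    """Proxy side after 200: copy bytes blindly; it never sees TLS plaintext."""
    for chunk in iter(lambda: src.recv(4096), b""):
        dst.sendall(chunk)

def demo_tunnel_setup(host="origin.example", port=443):
    """CONNECT exchange over a socketpair: one end is the client, the other a
    minimal proxy (constructed stand-in). Returns (status, parsed target)."""
    client, proxy = socket.socketpair()
    seen = {}
    def fake_proxy():
        req = b""
        while b"\r\n\r\n" not in req:
            req += proxy.recv(4096)
        seen["target"] = parse_connect(req)
        status = b"200 Connection established" if seen["target"] else b"400 Bad Request"
        proxy.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
    worker = threading.Thread(target=fake_proxy)
    with client, proxy:
        worker.start()
        code = send_connect(client, host, port)
        worker.join()
    return code, seen["target"]
```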



Re: SSL_connect problem : bad asn1 object header

2003-01-19 Thread mikecross
The problem seems to be that you use self-signed
certificates /both sides/.
There are a few possible ways to do this:
1. use a custom handler for errors in certificates in
your server:

static int SSL_verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char  buf[256];
    X509 *err_cert;
    int   err, depth;

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    err      = X509_STORE_CTX_get_error(ctx);
    depth    = X509_STORE_CTX_get_error_depth(ctx);

    buf[0] = '\0';
    if (err_cert != NULL)
        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));

    switch (err) {
    case X509_V_OK:
        return ok;                 /* nothing to handle */
    default:
        /* handle errors: log them here; returning 1 instead of ok
           overrides the verification failure for this certificate */
        fprintf(stderr, "verify error at depth %d (%s): %s\n", depth, buf,
                X509_verify_cert_error_string(err));
        return ok;
    }
}

and use

SSL_CTX_set_verify(ctx,            /* your SSL_CTX */
                   SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
                   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                   SSL_verify_callback);

2. you may use valid certificates /not expired, signed
by a trusted root, etc./; then your default handler
will report success.


--- ozan alptekin [EMAIL PROTECTED] wrote:
 
 hi,
 
 I am using openssl 0.9.6.b and trying to write a
 server-client program in which both parties should
 authenticate each other, and I am new to OpenSSL.
 
 But I have a problem during the handshake process: I
 get an SSL error: 5 : error:0005::lib(0)
 :func(0) :bad asn1 object header error when the client
 calls SSL_connect. I realized that it is related
 to the verification mode of the server or
 something with the certificates I have created. I am
 using the same self-signed CA for creating certificates
 for server and client.
 
 I have set the verification flags as
 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
 both for the client and the server.
 Using methods TLSv1_server_method for the server and
 TLSv1_client_method for the client.
 
 Thanks a lot...
 
 Ozan Alptekin
 
 
 