Hi, I'm reading the CA Certificate file using OpenSSL API's EVP_EncodeUpdate & EVP_EncodeFinal and writing the data to an out file (say .pem).
Issue: I'm able to read the CA Certificates properly except for Class 3 CA files. For Class 3 type of CA certificates, the API EVP_EncodeFinal reads the entire certificate body after reading the certificate data using EVP_EncodeUpdate, by which the certificate data is written twice to the out file.
But for other CA files, after reading the certificate data using EVP_EncodeUpdate, the left out data is fetched by EVP_EncodeFinal. Thereby the certificate data is written properly to the out file.
How am I reading the CA file?
1. Creating cert (X509 * structure) for the certificate
2. Initialize the Base64 encoder, using EVP_EncodeInit(), an encoding
context structure "bctx"
which is used during all encoding operations.
EVP_EncodeInit( &bctx );
3. DER encode the certificate
i2d_X509() encodes the structure pointed to by "cert" into DER format. If out is not NULL it writes the DER encoded data to the buffer at derTmp, and increments it to point after the data just written. If the return value is negative an error occurred, otherwise it returns the length of the encoded data.
derLen = i2d_X509( cert, &derTmp );
4. Base 64 encode the certificate DER
EVP_EncodeUpdate copies "derLen" bytes of the input string "der" into a
previously-initialized "bctx"; if any data was already stored in the "bctx",
it is base64-encoded first and the results written to "encodeBuf".
The number of bytes written to "encodeBuf" is placed in "nBytesWritten".
Note that the first time this function is called, the input string is copied into the "bctx" but since there is no input data already in "bctx", no data is base64-encoded. In effect, output is always one function call behind the input.
EVP_EncodeUpdate(&bctx, encodeBuf, &nBytesWritten, der, derLen );
5. EVP_EncodeFinal() base64-encodes the data in a previously initialized and
filled "bctx" and writes the results to "encodeBuf".
The number of bytes written is placed in "nBytesWritten".
EVP_EncodeFinal(&bctx, encodeBuf, &nBytesWritten );
What is the version of OpenSSL?
OpenSSL 0.9.7d 17 Mar 2004
What is expected?
1. Is there anything incorrect in reading the CA file, because of which I'm seeing the issue?
2. Whether Class 3 CA certificates should be handled differently? If Yes, how?
3. Is it an OpenSSL API issue? If Yes, is it fixed in any of the future releases of OpenSSL, and in which version of OpenSSL?
-Regards
Basi Reddy M
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the
property of Persistent Systems Ltd. It is intended only for the use of the
individual or entity to which it is addressed. If you are not the intended
recipient, you are not authorized to read, retain, copy, print, distribute or
use this message. If you have received this communication in error, please
notify the sender and delete all copies of this message. Persistent Systems
Ltd. does not accept any liability for virus infected mails.
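Added illustration for the thread (not the poster's code and not OpenSSL's implementation): a stand-in streaming Base64 encoder in plain C that follows the documented contract of the EVP_EncodeInit / EVP_EncodeUpdate / EVP_EncodeFinal sequence described in steps 2 to 5 (input gathered in 48-byte blocks, each emitted as one 64-character line, the final call flushing the partial block), together with the round-trip check a practitioner would run before trusting a converted .pem. The names b64_ctx, b64_update, b64_final, pem_encode and pem_roundtrip_ok are this example's own, and the sample bytes are constructed, not a real certificate. Two things the example makes visible: a DER length that is an exact multiple of 48 leaves nothing for the final call to write, and the out file must receive exactly the byte count each call reports, never the whole reused buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Stand-in for the EVP_Encode* contract, written for this example (not
 * OpenSSL's code): input is gathered in 48-byte blocks, each block becomes
 * one 64-character Base64 line plus '\n', and "final" flushes the remainder. */
typedef struct { unsigned char buf[48]; size_t num; } b64_ctx;

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes n (1..48) bytes as one padded line; returns characters written. */
static size_t b64_line(const unsigned char *in, size_t n, char *out) {
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o++] = '\n';
    return o;
}

void b64_init(b64_ctx *c) { c->num = 0; }

/* Mirrors EVP_EncodeUpdate: consumes all of in, writes only complete 48-byte
 * blocks, keeps the remainder in the context. The return value is the number
 * of bytes now valid in out; write exactly that many to the file. */
size_t b64_update(b64_ctx *c, char *out, const unsigned char *in, size_t inl) {
    size_t written = 0;
    while (inl > 0) {
        size_t take = 48 - c->num;
        if (take > inl) take = inl;
        memcpy(c->buf + c->num, in, take);
        c->num += take; in += take; inl -= take;
        if (c->num == 48) {
            written += b64_line(c->buf, 48, out + written);
            c->num = 0;
        }
    }
    return written;
}

/* Mirrors EVP_EncodeFinal: flushes the buffered remainder. For an input
 * length that is an exact multiple of 48 nothing is left and 0 is returned. */
size_t b64_final(b64_ctx *c, char *out) {
    size_t written = 0;
    if (c->num > 0) { written = b64_line(c->buf, c->num, out); c->num = 0; }
    return written;
}

/* Writes armour and body into out using only the reported byte counts. */
size_t pem_encode(const unsigned char *der, size_t derlen, char *out) {
    b64_ctx c; size_t n = 0;
    b64_init(&c);
    n += (size_t)sprintf(out + n, "-----BEGIN CERTIFICATE-----\n");
    n += b64_update(&c, out + n, der, derlen);
    n += b64_final(&c, out + n);
    n += (size_t)sprintf(out + n, "-----END CERTIFICATE-----\n");
    return n;
}

/* Decodes inlen Base64 characters (newlines skipped, '=' ends the data).
 * Returns bytes produced, or -1 on an invalid character. */
long b64_decode(const char *in, size_t inlen, unsigned char *out) {
    uint32_t acc = 0; int bits = 0; long n = 0; size_t i;
    for (i = 0; i < inlen; i++) {
        const char *p;
        if (in[i] == '\n' || in[i] == '\r') continue;
        if (in[i] == '=') break;
        p = in[i] ? strchr(B64, in[i]) : NULL;
        if (!p) return -1;
        acc = (acc << 6) | (uint32_t)(p - B64); bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return n;
}

/* Self-check for every converted file: decode the body back and compare it
 * with the DER that went in. Returns 1 only on an exact match. */
int pem_roundtrip_ok(const unsigned char *der, size_t derlen) {
    char pem[1024]; unsigned char back[512]; const char *body, *end; long got;
    if (derlen == 0 || derlen > sizeof back) return 0;
    pem_encode(der, derlen, pem);
    body = strchr(pem, '\n') + 1;            /* skip the BEGIN line */
    end = strstr(body, "-----END");
    got = b64_decode(body, (size_t)(end - body), back);
    return got == (long)derlen && memcmp(back, der, derlen) == 0;
}

/* Constructed input bytes (not a real certificate), len <= 512. */
static void sample(unsigned char *buf, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) buf[i] = (unsigned char)(0x30 + i * 7);
}

/* Byte counts the Update-style and Final-style calls report for derlen bytes. */
size_t update_bytes_for(size_t derlen) {
    b64_ctx c; unsigned char d[512]; char o[1024];
    sample(d, derlen); b64_init(&c);
    return b64_update(&c, o, d, derlen);
}
size_t final_bytes_for(size_t derlen) {
    b64_ctx c; unsigned char d[512]; char o[1024];
    sample(d, derlen); b64_init(&c); b64_update(&c, o, d, derlen);
    return b64_final(&c, o);
}
int roundtrip_ok_for(size_t derlen) {
    unsigned char d[512];
    if (derlen > sizeof d) return 0;
    sample(d, derlen);
    return pem_roundtrip_ok(d, derlen);
}

int main(void) {
    unsigned char d[100]; char pem[1024];
    sample(d, sizeof d);
    pem_encode(d, sizeof d, pem);
    fputs(pem, stdout);
    printf("update=%zu final=%zu roundtrip=%d\n",
           update_bytes_for(sizeof d), final_bytes_for(sizeof d), roundtrip_ok_for(sizeof d));
    return 0;
}
```

With the real API the same discipline applies: fwrite the nBytesWritten bytes reported by EVP_EncodeUpdate, then the nBytesWritten bytes reported by EVP_EncodeFinal, and run the decode-and-compare check against the DER buffer i2d_X509 produced; a body that decodes to more than derLen bytes shows the write path, not the certificate, is at fault.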