Hi,

Thanks for the response.

The problem I am seeing is not with the DN. From what I understand, the 
distinguished name can be any one of the fields (CN, issuer, subject) that 
come as part of the x509 certificate contents. None of these contain the ! 
character.

Let me clarify the issue a little more.

This is an SSO (single sign-on) scenario from ‘app1’ --> ‘app2’ (our application 
is ‘app2’, while ‘app1’ is an external application not in our control).

1. app1: sends a CGI POST request to app2. The POST request has the UN (username).

2. app2: does a CGI GET to receive the UN within app1’s POST request.

3. app2: has app1’s x509 certificate already stored, since it has to allow SSO 
from app1; gets the verification ctx from here.

4. app2: uses the UN (containing the ! character) to form a hashdata.

5. app2: passes hashdata to EVP_VerifyUpdate(ctx, ..).

6. app2: calls EVP_VerifyFinal; this eventually fails during the public key 
check (EVP_PKEY_verify), due to the ! character in the UN.

As you see, in app2 we do not have any control over the character string 
type of the UN.

Is there a way to fix ‘app2’ to make EVP_VerifyFinal pass? We can’t make 
changes to ‘app1’ as the application is not owned by us.
Is there any other solution you would suggest?


Thanks,
Rituparna Mitra




From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Salz, Rich
Sent: Friday, August 01, 2014 7:33 PM
To: openssl-users@openssl.org
Subject: RE: Query on X509 certificate validation- EVP_VerifyUpdate & 
EVP_VerifyFinal

You have to look at the character string type of the DN.  For example, in 
printableString the exclamation point is an illegal character.

--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz


From: Mitra, Rituparna (STSD)
Sent: Friday, August 01, 2014 7:21 PM
To: openssl-users@openssl.org
Subject: Query on X509 certificate validation- EVP_VerifyUpdate & 
EVP_VerifyFinal

Hi,

I am using “openssl-1.0.1h” to do X509 certificate validation for access 
from app1 to app2 (these are 2 separate applications).


- In app2, I have uploaded the X509 certificate generated by app1, and I am 
using the following code segment in app2 to verify the certificate (when app1 
tries to log in to app2).

- This code works fine for all user names, except usernames containing a ! 
symbol (exclamation).

         EVP_MD_CTX_init(ctx);                                /* ctx: an allocated EVP_MD_CTX */
         EVP_VerifyInit(ctx, md);                             /* md: the digest app1 signed with */
         EVP_VerifyUpdate(ctx, hashdata, strlen(hashdata));   /* feeds the raw bytes of hashdata */
         err = EVP_VerifyFinal(ctx, x509_sig, sigsize, pkey); /* 1 = valid, 0 = bad signature, -1 = error */

         where pkey = public key retrieved from the certificate,
               hashdata is a string calculated using the username as follows:
               "system_name:domain\username: ...."


- EVP_VerifyFinal() returns success with username "test".

- But using "!test" fails at EVP_VerifyFinal(), which returns an error 
value --> err = 0 (67702888)


Here ! seems to be the problem character, since nothing else is different between 
the 2 cases. I am curious to know the following:


a) Do X509 certificates treat the ! character differently?

b) Is there a way to handle usernames with a ! correctly, so that the 
certificate check passes?

c) Since hashdata is passed to EVP_VerifyUpdate(), do I need to take care 
of anything while forming “hashdata” with the username?

Any response would be greatly appreciated.

Thanks and regards,
Rituparna Mitra
