X509_CRL_dup() problem?
Hello everyone,

I am trying to add a certificate to a CRL. To do that, I use an X509 *cert and an X509_CRL *crl with this algorithm:

    X509_CRL_INFO *ci = crl->crl;   /* the CRL's X509_CRL_INFO, which the code below calls ci */
    X509_REVOKED *r = NULL;
    r = X509_REVOKED_new();
    r->serialNumber = X509_get_serialNumber(cert);
    if (!crl->crl->revoked)
        ci->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
    if (!sk_X509_REVOKED_push(ci->revoked, r))
        return false;
    ASN1_UTCTIME_set(r->revocationDate, time(NULL));
    ASN1_UTCTIME_set(crl->crl->lastUpdate, time(NULL));
    sk_X509_REVOKED_num(crl->crl->revoked);   /* here I see a value X */

After the previous code, I duplicate the X509_CRL:

    X509_CRL *xrl = X509_CRL_dup(crl);
    sk_X509_REVOKED_num(crl->crl->revoked);   /* here I see the same value X as above */
    sk_X509_REVOKED_num(xrl->crl->revoked);   /* here I see the value X-1 */

After the duplication, the added certificate has disappeared! What am I missing?

Thanks in advance, have a nice day,
pierre.

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Engine not getting registered
Hi,

I just wrote a sample engine to understand the functionality which is part of the built-in engines. To activate the engine I used the following sample code given at www.openssl.org/docs/crypto/engine.html:

    ENGINE *e;
    const char *engine_id = "ACME";
    ENGINE_load_builtin_engines();
    e = ENGINE_by_id(engine_id);
    if (!e) {
        /* the engine isn't available */
        printf("Engine not found.\n");
        return;
    }
    if (!ENGINE_init(e)) {
        /* the engine couldn't initialise, release 'e' */
        ENGINE_free(e);
        return;
    }
    if (!ENGINE_set_default_RSA(e))
        /* This should only happen when 'e' can't initialise, but the previous
         * statement suggests it did. */
        abort();
    ENGINE_set_default_DSA(e);
    ENGINE_set_default_ciphers(e);
    /* Release the functional reference from ENGINE_init() */
    ENGINE_finish(e);
    /* Release the structural reference from ENGINE_by_id() */
    ENGINE_free(e);

However, when I try the above code, I hit the line "Engine not found." Any ideas/areas specifically I should look for?

Thanks,
-Sitanshu
default maximum chain length considered too low
Dear OpenSSL developers,

Various grid projects have run into the default maximum chain length of 10 being too low. These bug reports show examples:

http://bugzilla.globus.org/globus/show_bug.cgi?id=4994
https://savannah.cern.ch/bugs/index.php?37563

The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth() allow the maximum length to be increased, but this means that every application or library around OpenSSL needs to make such calls. Why not increase the default, say, to 100 instead, as Globus did?

Thanks,
Maarten (CERN/LCG/EGEE)
x509_name_cmp for different encodings
Hi,

I had a list of CA certificates, a few with a different encoding than PRINTABLE encoding, like T61 and UTF8. I am running into the problem of not being able to verify some of the certificates issued by CA certificates in the cert store, despite the fact that they do exist in the store.

Deep analysis of the code revealed that the problem is with sorting and searching. The sorted list is not correct and hence the binary search fails. The root cause of the problem turned out to be the function X509_NAME_cmp. It appears that it doesn't implement the comparisons as specified in RFC 5280, which refers to RFC 4518 for rules to do comparison for Internationalized Names in Distinguished Names. To quote from RFC 4518:

    The lack of precise specification for character string matching has led to significant interoperability problems. When used in certificate chain validation, security vulnerabilities can arise. To address these problems, this document defines precise algorithms for preparing character strings for matching.

Is there a plan to implement RFC 4518 for comparison rules? Or are they being implemented currently? Is there a workaround to support a list of CA certificates with mixed encoding in the meantime?

Thanks,
-Dharmendra
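Editor's note: the failure described above is what happens when a name comparator looks at raw DER (tag plus content octets): "Example CA" as a PrintableString and as a UTF8String differ in their first byte, so they neither match nor sort next to each other, and a binary search over a list sorted that way misses entries. The sketch below, added here and not the poster's code nor OpenSSL's implementation, shows the shape of the fix: decode each DirectoryString value to code points, apply the RFC 5280 section 7.1 minimum (case-insensitive match, whitespace compression), which is a strict subset of the RFC 4518 preparation, and compare the prepared forms. It stands alone without OpenSSL; the case folding covers only ASCII and Latin-1 letters, T61String is read as ISO 8859-1 (the treatment OpenSSL itself applies to that type), and the sample values are constructed. Later OpenSSL releases compare a canonicalised form of the name along similar lines.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER universal tags of the DirectoryString choices handled here. */
enum { TAG_UTF8STRING = 0x0C, TAG_PRINTABLESTRING = 0x13, TAG_T61STRING = 0x14, TAG_IA5STRING = 0x16 };

/* One attribute value out of a DN: tag plus content octets. */
struct der_string { int tag; const uint8_t *data; size_t len; };

#define PREP_MAX 128 /* code points kept per value; longer values are rejected */

/* Decode one UTF-8 sequence (1 to 4 bytes); returns bytes consumed, 0 if malformed. */
static size_t utf8_decode(const uint8_t *p, size_t len, uint32_t *cp)
{
    size_t n, i;

    if (len == 0) return 0;
    if (p[0] < 0x80) { *cp = p[0]; return 1; }
    if ((p[0] & 0xE0) == 0xC0) { n = 2; *cp = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { n = 3; *cp = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { n = 4; *cp = p[0] & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (p[i] & 0x3F);
    }
    return n;
}

/* Case folding for ASCII and Latin-1 letters only, a simplification of the
 * full Unicode mapping RFC 4518 calls for (U+00D7 is the multiplication sign). */
static uint32_t fold_case(uint32_t cp)
{
    if ((cp >= 'A' && cp <= 'Z') || (cp >= 0xC0 && cp <= 0xDE && cp != 0xD7)) return cp + 0x20;
    return cp;
}

/* Prepare a value for matching: decode to code points, fold case, drop
 * leading/trailing spaces and collapse inner runs to one space (the RFC 5280
 * section 7.1 minimum). Returns the code-point count, -1 if malformed/unsupported. */
int prep_string(const struct der_string *s, uint32_t *out, size_t max)
{
    size_t i = 0, n = 0, used, pending_space = 0;
    uint32_t cp;

    while (i < s->len) {
        switch (s->tag) {
        case TAG_UTF8STRING:
            if ((used = utf8_decode(s->data + i, s->len - i, &cp)) == 0) return -1;
            break;
        case TAG_PRINTABLESTRING: case TAG_IA5STRING:
        case TAG_T61STRING: /* read as ISO 8859-1, which is how OpenSSL treats it */
            cp = s->data[i]; used = 1;
            break;
        default:
            return -1;
        }
        i += used;
        if (cp == ' ') { pending_space = n > 0; continue; } /* leading spaces vanish, others are deferred */
        if (n + pending_space >= max) return -1;
        if (pending_space) out[n++] = ' ';
        pending_space = 0;
        out[n++] = fold_case(cp);
    }
    return (int)n;
}

/* Naive comparison: tag and raw content octets, so the same text as a
 * PrintableString and as a UTF8String never matches. */
int dn_value_cmp_raw(const struct der_string *a, const struct der_string *b)
{
    int r;

    if (a->tag != b->tag) return a->tag < b->tag ? -1 : 1;
    if (a->len != b->len) return a->len < b->len ? -1 : 1;
    r = memcmp(a->data, b->data, a->len);
    return (r > 0) - (r < 0);
}

/* Comparison on prepared strings, usable as a sort/bsearch comparator for
 * well-formed values; anything that cannot be prepared is compared raw. */
int dn_value_cmp_prepped(const struct der_string *a, const struct der_string *b)
{
    uint32_t pa[PREP_MAX], pb[PREP_MAX];
    int na = prep_string(a, pa, PREP_MAX), nb = prep_string(b, pb, PREP_MAX), i, n;

    if (na < 0 || nb < 0) return dn_value_cmp_raw(a, b);
    for (i = 0, n = na < nb ? na : nb; i < n; i++)
        if (pa[i] != pb[i]) return pa[i] < pb[i] ? -1 : 1;
    return (na > nb) - (na < nb);
}

/* 1 if the value can be prepared, 0 otherwise. */
int dn_value_well_formed(const struct der_string *s)
{
    uint32_t buf[PREP_MAX];
    return prep_string(s, buf, PREP_MAX) >= 0;
}

/* Constructed samples (not from the post): one CN in several encodings. */
static const uint8_t cn_printable[]   = "Example CA";
static const uint8_t cn_utf8_caps[]   = "EXAMPLE  CA";       /* case and spacing differ */
static const uint8_t cn_utf8_umlaut[] = "Z\xC3\x9Crich CA";  /* UTF-8 U+00DC */
static const uint8_t cn_t61_umlaut[]  = "Z\xFCrich  CA";     /* Latin-1 0xFC */
static const uint8_t cn_utf8_broken[] = "\x80xample CA";     /* stray continuation byte */
const struct der_string CN_PRINTABLE   = { TAG_PRINTABLESTRING, cn_printable, sizeof cn_printable - 1 };
const struct der_string CN_UTF8_CAPS   = { TAG_UTF8STRING, cn_utf8_caps, sizeof cn_utf8_caps - 1 };
const struct der_string CN_UTF8_UMLAUT = { TAG_UTF8STRING, cn_utf8_umlaut, sizeof cn_utf8_umlaut - 1 };
const struct der_string CN_T61_UMLAUT  = { TAG_T61STRING, cn_t61_umlaut, sizeof cn_t61_umlaut - 1 };
const struct der_string CN_UTF8_BROKEN = { TAG_UTF8STRING, cn_utf8_broken, sizeof cn_utf8_broken - 1 };

int main(void)
{
    printf("raw     Printable vs UTF8:   %d\n", dn_value_cmp_raw(&CN_PRINTABLE, &CN_UTF8_CAPS));
    printf("prepped Printable vs UTF8:   %d\n", dn_value_cmp_prepped(&CN_PRINTABLE, &CN_UTF8_CAPS));
    printf("prepped UTF8 vs T61 umlaut:  %d\n", dn_value_cmp_prepped(&CN_UTF8_UMLAUT, &CN_T61_UMLAUT));
    return 0;
}
```

The point for the sorted-list problem in the post is that dn_value_cmp_prepped() is the comparator that must be used for both the sort and the search; mixing a raw comparator in one place and a normalising one in the other gives exactly the "sorted list is not correct, binary search fails" symptom. Note also the choice made for malformed input: falling back to a raw comparison keeps the ordering consistent, but a stricter policy would reject such values up front with dn_value_well_formed().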