X509_CRL_dup() problem?

2008-08-13 Thread delcour.pierre

Hello everyone,

I am trying to add a certificate to a CRL. To do that, I use an X509* cert and an
X509_CRL* crl with this algorithm:


X509_REVOKED *r = NULL;
X509_CRL_INFO *ci = crl->crl;   /* ci was used below but never declared */
r = X509_REVOKED_new();
/* copy the serial: X509_REVOKED_new() already allocated r->serialNumber,
 * and aliasing the certificate's ASN1_INTEGER would get it freed twice */
ASN1_INTEGER_free(r->serialNumber);
r->serialNumber = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
if (!crl->crl->revoked)
  ci->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
if (!sk_X509_REVOKED_push(ci->revoked, r))
  return false;
ASN1_UTCTIME_set(r->revocationDate, time(NULL));
ASN1_UTCTIME_set(crl->crl->lastUpdate, time(NULL));
sk_X509_REVOKED_num(crl->crl->revoked); // here I see a value X

After the previous code, I duplicate the X509_CRL:

X509_CRL *xrl = X509_CRL_dup(crl);
sk_X509_REVOKED_num(crl->crl->revoked); // here I see the same value X as above

sk_X509_REVOKED_num(xrl->crl->revoked); // here I see X-1

After the duplication, the added certificate has disappeared! What am I
missing?


Thanks in advance,
have a nice day,
pierre.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Engine not getting registered

2008-08-13 Thread Nanavati, Sitanshu
Hi,

I just wrote a sample engine to understand the functionality that is part of
the built-in engines. To activate the engine I used the following sample code
given at www.openssl.org/docs/crypto/engine.html

ENGINE *e;
const char *engine_id = "ACME";
ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id);
if (!e) {
    /* the engine isn't available */
    printf("Engine not found.\n");
    return;
}
if (!ENGINE_init(e)) {
    /* the engine couldn't initialise, release 'e' */
    ENGINE_free(e);
    return;
}
if (!ENGINE_set_default_RSA(e))
    /* This should only happen when 'e' can't initialise, but the
     * previous statement suggests it did. */
    abort();
ENGINE_set_default_DSA(e);
ENGINE_set_default_ciphers(e);
/* Release the functional reference from ENGINE_init() */
ENGINE_finish(e);
/* Release the structural reference from ENGINE_by_id() */
ENGINE_free(e);


However, when I try the above code, I hit the line "Engine not
found."

Any ideas/areas specifically I should look for? 

Thanks,
-Sitanshu


default maximum chain length considered too low

2008-08-13 Thread Maarten.Litmaath
Dear OpenSSL developers,
various grid projects have run into the default maximum chain length
of 10 being too low.  These bug reports show examples:

http://bugzilla.globus.org/globus/show_bug.cgi?id=4994

https://savannah.cern.ch/bugs/index.php?37563

The functions SSL_CTX_set_verify_depth() and SSL_set_verify_depth()
allow the maximum length to be increased, but this means that every
application or library around OpenSSL needs to make such calls.
Why not increase the default, say, to 100 instead, as Globus did?
Thanks,
Maarten (CERN/LCG/EGEE)



x509_name_cmp for different encodings

2008-08-13 Thread Mohan, Dharmendra
Hi,

I had a list of CA certificates, a few of them with an encoding other than
PRINTABLE, such as T61 and UTF8. I am running into the problem of not
being able to verify some of the certificates issued by CA certificates in
the cert store, despite the fact that they do exist in the store.

Deep analysis of the code revealed that the problem is with sorting and
searching. The sorted list is not correct and hence the binary search
fails. The root cause of the problem turned out to be the function
X509_NAME_cmp. It appears that it doesn't implement the comparisons as
specified in RFC5280, which refers to RFC4518 for the rules for comparing
Internationalized Names in Distinguished Names. To quote from RFC4518:

   The lack of precise specification for character string matching has
   led to significant interoperability problems.  When used in
   certificate chain validation, security vulnerabilities can arise.  To
   address these problems, this document defines precise algorithms for
   preparing character strings for matching.

Is there a plan to implement RFC4518 for comparison rules? Or are they
being implemented currently?

Is there a workaround to support a list of CA certificates with mixed
encoding in the meantime?

Thanks,
 -Dharmendra