RE: Several issues concerning ASN1 in OpenSSL
Steve wrote:

> > 2. Problem with ASN1_INTEGER_to_BN
> >
> > In OpenSSL there is the following code:
> >
> > BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai, BIGNUM *bn)
> > {
> > BIGNUM *ret;
> >
> > if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
> > ASN1err(ASN1_F_ASN1_INTEGER_TO_BN,ASN1_R_BN_LIB);
> > if(ai->type == V_ASN1_NEG_INTEGER) bn->neg = 1;
> > return(ret);
> > }
> >
> > I wonder what will happen if I write my code like this:
> >
> > BIGNUM *mybig = NULL;
> >
> > mybig = ASN1_INTEGER_to_BN(some_previously_defined_int, mybig);
> >
> > In my opinion everything will be fine up to the point where BN_bin2bn
> > fails. Now if (BN_bin2bn returns NULL) AND (some_previously_defined_int
> > happens to be negative) then SIGSEGV is on the fly. Am I right?
> >
>
> Yes that is a typo. It should change 'ret' instead of 'bn'.

I don't think that is quite enough. If BN_bin2bn returns NULL, there would
still be a problem. Rather, I think you need something like:

    if (ret && ai->type == V_ASN1_NEG_INTEGER) ret->neg = 1;

Svenning
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
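As an added example (not code from this thread or from OpenSSL), a self-contained model of the failure path discussed above: constructed stand-ins for ASN1_INTEGER, BIGNUM and BN_bin2bn with a switch that forces BN_bin2bn to fail, and the corrected ASN1_INTEGER_to_BN that sets the sign on the returned object and only on success. The struct layouts and the failure switch are assumptions made for the demonstration; only the names and the value of V_ASN1_NEG_INTEGER follow OpenSSL.

```c
/* Added example, not OpenSSL's code: constructed stand-ins for ASN1_INTEGER,
 * BIGNUM and BN_bin2bn (names mirror OpenSSL's) plus the corrected function. */
#include <stdlib.h>
#include <string.h>
#define V_ASN1_INTEGER     2
#define V_ASN1_NEG_INTEGER (V_ASN1_INTEGER | 0x100)   /* OpenSSL's value */
typedef struct { int type; int length; unsigned char *data; } ASN1_INTEGER;
typedef struct { unsigned char *d; int top; int neg; } BIGNUM;
static int bin2bn_fail = 0;   /* constructed switch: force the failure path */

/* Stand-in for BN_bin2bn: allocates when bn is NULL, returns NULL on failure. */
static BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *bn)
{
    BIGNUM *ret = bn;
    if (bin2bn_fail) return NULL;
    if (ret == NULL && (ret = calloc(1, sizeof *ret)) == NULL) return NULL;
    if ((ret->d = malloc((size_t)len + 1)) == NULL) {
        if (bn == NULL) free(ret);
        return NULL;
    }
    memcpy(ret->d, s, (size_t)len);
    ret->top = len;
    ret->neg = 0;
    return ret;
}
static void BN_free(BIGNUM *b) { if (b) { free(b->d); free(b); } }

/* Corrected conversion: the sign goes on the object actually returned, and only
 * when BN_bin2bn succeeded. The original wrote bn->neg, which dereferences NULL
 * whenever the caller lets BN_bin2bn allocate the result. */
BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn)
{
    BIGNUM *ret = BN_bin2bn(ai->data, ai->length, bn);
    if (ret != NULL && ai->type == V_ASN1_NEG_INTEGER)
        ret->neg = 1;
    return ret;
}

/* Convert a constructed -256 (magnitude 01 00, negative type) into a NULL bn,
 * optionally forcing BN_bin2bn to fail. Returns the result's sign flag (1 on
 * success) or -1 when the conversion returned NULL instead of crashing. */
int convert_negative(int force_failure)
{
    unsigned char v[] = { 0x01, 0x00 };
    ASN1_INTEGER ai = { V_ASN1_NEG_INTEGER, 2, v };
    bin2bn_fail = force_failure;
    BIGNUM *r = ASN1_INTEGER_to_BN(&ai, NULL);
    bin2bn_fail = 0;
    int neg = r ? r->neg : -1;
    BN_free(r);
    return neg;
}
```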
RE: A "-dn xxx" flag for the req command?
You wrote:

> > Has anyone added a "-dn" flag to the req command? This would make it much
> > easier to write scripts that generate lots of requests. (Okay, maybe
> > not a lot easier, since I could set up a config file that pointed to the
> > environment, and then set env-vars, but that's a little roundabout...)

And I wrote:

> Yep, I posted a patch on this list a couple of months ago.
> See http://www.mail-archive.com/openssl-dev@openssl.org/msg05728.html
>
> This adds a -subject option (to print the subject DN), and a -hash option to
> print the hash value of the DN, which could be used to construct the
> filename for the request.

Blush! In re-reading your posting I realize I didn't read it carefully enough
before replying. This of course is not what you asked for, but rather for
receiving requests via a web form or similar. So please disregard my previous
posting.

Svenning
RE: A "-dn xxx" flag for the req command?
Yep, I posted a patch on this list a couple of months ago.
See http://www.mail-archive.com/openssl-dev@openssl.org/msg05728.html

This adds a -subject option (to print the subject DN), and a -hash option to
print the hash value of the DN, which could be used to construct the filename
for the request.

Svenning

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, August 14, 2000 6:16 PM
> To: [EMAIL PROTECTED]
> Subject: A "-dn xxx" flag for the req command?
>
>
> Has anyone added a "-dn" flag to the req command? This would make it much
> easier to write scripts that generate lots of requests. (Okay, maybe
> not a lot easier, since I could set up a config file that pointed to the
> environment, and then set env-vars, but that's a little roundabout...)
> /r$
RE: Subject DN and hash output from openssl req
I'm really sorry to bother you again, but I realized that my previous patch
was a bit clumsy, mostly because it wasn't consistent with the way "openssl
x509" and "openssl crl" print the DN hash value, so it didn't fit too well
into the convention of making symlink names based on the hash (I have now
removed the leading "hash="). So I'm sending a new patch (this time against
SNAP-2623), that I hope will be more useful.

Regards,
SSS

req.c.diff
RE: Subject DN and hash output from openssl req
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Svenning Sørensen
> Sent: Friday, June 23, 2000 4:38 PM
> To: [EMAIL PROTECTED]
> Subject: Subject DN and hash output from openssl req

Argh! Having received my own mail from the list, I saw that the lines were
wrapped, so here we go again, with an attachment this time...

SSS

req.c.diff
Subject DN and hash output from openssl req
Hello,

I'm working on some scripts to enable users to request certs. For this
purpose I've made a patch to the openssl req command, which enables the
scripts to extract the subject DN and hash value (like in openssl x509
-subject -hash ...). In case this is of any interest for the public, I'm
attaching the patch below. The patch is against SNAP-2615, but I suppose it
will patch the current snapshot with a little fuzz.

Regards,
SSS

--- req.c.orig Fri Jun 23 13:13:40 2000 +++ req.c Fri Jun 23 15:26:52 2000 @@ -104,6 +104,8 @@ * -keyform- key file format. * -newkey - make a key and a request. * -modulus- print RSA modulus. + * -subject - print subject DN. + * -hash- print hash value. * -x509 - output a self signed X509 structure instead. * -asn1-kludge- output new certificate request in a format that some CA's * require. This format is wrong @@ -155,7 +157,7 @@ char *extensions = NULL; char *req_exts = NULL; EVP_CIPHER *cipher=NULL; - int modulus=0; + int modulus=0, subject=0, hash=0; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *p; @@ -310,6 +312,10 @@ newhdr=1; else if (strcmp(*argv,"-modulus") == 0) modulus=1; +else if (strcmp(*argv,"-subject") == 0) +subject=1; +else if (strcmp(*argv,"-hash") == 0) +hash=1; else if (strcmp(*argv,"-verify") == 0) verify=1; else if (strcmp(*argv,"-nodes") == 0) @@ -367,7 +373,9 @@ BIO_printf(bio_err," -text text form of request\n"); BIO_printf(bio_err," -noout do not output REQ\n"); BIO_printf(bio_err," -verifyverify signature on REQ\n"); - BIO_printf(bio_err," -modulus RSA modulus\n"); + BIO_printf(bio_err," -modulus print RSA modulus\n"); + BIO_printf(bio_err," -subject print subject DN\n"); + BIO_printf(bio_err," -hash print hash value\n"); BIO_printf(bio_err," -nodes don't encrypt the output key\n"); BIO_printf(bio_err," -key file use the private key contained in file\n"); BIO_printf(bio_err," -keyform arg key file format\n");
@@ -781,7 +789,7 @@ BIO_printf(bio_err,"verify OK\n"); } - if (noout && !text && !modulus) + if (noout && !text && !modulus && !subject && !hash) { ex=0; goto end; @@ -832,6 +840,38 @@ fprintf(stdout,"Wrong Algorithm type"); fprintf(stdout,"\n"); } + +if (subject) +{ +char sn[256] = ""; + +if (x509) + X509_NAME_oneline(X509_get_subject_name(x509ss),sn,256); +else + X509_NAME_oneline(X509_REQ_get_subject_name(req),sn,256); +if (!*sn) +{ +fprintf(stdout,"subject=unavailable\n"); +goto end; +} +fprintf(stdout,"subject=%s\n",sn); +} + +if (hash) +{ +X509_NAME *xn; + +if (x509) +xn=X509_get_subject_name(x509ss); +else +xn=X509_REQ_get_subject_name(req); +if (xn == NULL) +{ +fprintf(stdout,"hash=unavailable\n"); +goto end; +} +fprintf(stdout,"hash=%08lx\n",X509_NAME_hash(xn)); +} if (!noout && !x509) {
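Review bot: the added header comment `* -hash- print hash value.` in the @@ -104 hunk does not say what is hashed; since the option prints X509_NAME_hash of the subject DN, phrase it as "print subject DN hash" there and in the matching usage string so the output is not mistaken for a digest of the request.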
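Review bot: the @@ -367 usage hunk also rewrites the existing `-modulus` help string from "RSA modulus" to "print RSA modulus"; that is an unrelated wording change, so either leave that line alone or mention it in the patch description so reviewers don't look for a behaviour change behind it.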
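Review bot: in the `if (subject)` block of the @@ -832 hunk, `char sn[256]` makes X509_NAME_oneline truncate any subject longer than 255 bytes with no indication to the caller, and the `goto end` taken when the name is empty jumps past the `if (!noout && !x509)` output that follows, so a request with an empty subject is never written even when -noout was not given (and `ex` keeps whatever value it had); the `goto end` in the `if (hash)` block has the same effect. Consider calling X509_NAME_oneline with a NULL buffer so it allocates one of the right size (freeing it afterwards), and printing "subject=unavailable" without leaving the normal control flow. Printing `hash=%08lx` also differs from the bare value that `openssl x509 -hash` prints, which the later message in this thread addresses by dropping the prefix.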