Re: CRL in OpenSSL 0.9.6c

2002-03-09 Thread Boguslaw Brandys

Thank you.
But since I use Borland C++ Builder to compile OpenSSL, and building DLLs
with this compiler is still broken, are any DLLs of the 0.9.7 version
compiled with VC++ available for download?
Or maybe this problem is corrected in the 0.9.7 version (I wish so...)

Best Regards
Boguslaw


- Original Message -
From: "Dr S N Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 09, 2002 8:25 PM
Subject: Re: CRL in OpenSSL 0.9.6c


> Bogusław Brandys wrote:
> >
> > Hello,
> >
> > I have one question about CRL: does X509_verify_cert parse the CRL list?
> > I tried to use X509_STORE_load_locations to load a CRL file with the
> > revocation of the certificate which is used for signing. The surprise is
> > that verify is always successful, whether the certificate is marked as
> > revoked in the CRL or not.
> > Maybe I don't understand something?
> >
>
> It doesn't work because CRL checking was only added in 0.9.7.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]






Re: CRL in OpenSSL 0.9.6c

2002-03-09 Thread Dr S N Henson

Bogusław Brandys wrote:
> 
> Hello,
> 
> I have one question about CRL: does X509_verify_cert parse the CRL list?
> I tried to use X509_STORE_load_locations to load a CRL file with the revocation
> of the certificate which is used for signing. The surprise is that verify is always
> successful, whether the certificate is marked as revoked in the CRL or not.
> Maybe I don't understand something?
> 

It doesn't work because CRL checking was only added in 0.9.7.

Steve.



Revocation list usage (CRL)

2002-03-09 Thread Bogusław Brandys

hello,

I have such a code in my signing DLL:

#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* ROOT_certificate is the DER-encoded root CA hard-coded as a byte array;
   getfilepath() and fillerror() are helpers defined elsewhere in the DLL. */

int verifycert(X509 *x509)
{
    /* Return values:
        0 - certificate is VALID
       -1 - certificate is INVALID, REVOKED or EXPIRED */
    int exitcode, i;

    unsigned char *c = ROOT_certificate;

    /* decode the hard-coded root CA from DER */
    X509 *root = d2i_X509(NULL, &c, sizeof(ROOT_certificate));

    X509_STORE *store = X509_STORE_new();
    X509_STORE_CTX *store_ctx = X509_STORE_CTX_new();
    char *dir = getfilepath();

    /* trust the root CA */
    X509_STORE_add_cert(store, root);

    /* load the CRL file "root.crl" (and the lookup directory "dir") into the store */
    X509_STORE_load_locations(store, "root.crl", dir);

>  Look above! I put this in to simplify the code: root.crl is a list of
revoked certificates placed in "dir". I know that I could use PEM to load the
CRL and extract the X509_CRL from it, but this code was working really well for
my root CA when I had:

X509_STORE_load_locations(store,"root.pem",dir);

 (before that I just put the root CA into the code (hard-coded))
<-- end of comment


It seems it's not working with CRL!!!
Why??
Please give me an explanation, because I still don't know the OpenSSL
code well.


Best Regards
Boguslaw


...and below is the rest of the code if you like it ;-)


    X509_STORE_CTX_init(store_ctx, store, x509, NULL);

    i = X509_verify_cert(store_ctx);
    if (i) {
        exitcode = 0;
    } else {
        int err = X509_STORE_CTX_get_error(store_ctx);
        exitcode = -1;
        fillerror(err);   /* record the verification error for the caller */
    }
    X509_STORE_CTX_cleanup(store_ctx);
    X509_STORE_CTX_free(store_ctx);
    X509_STORE_free(store);
    X509_free(root);
    return exitcode;
}




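Steve's answer (CRL checking only arrived in 0.9.7) and the verifycert() code above come down to one point: a CRL sitting in the X509_STORE is not consulted unless CRL checking is switched on. The following is a constructed shell demo, not code from this thread, that builds a throwaway CA and a root.crl with the openssl command line (OpenSSL 1.1.1 or later assumed) and shows openssl verify accepting the revoked leaf until -crl_check, the CLI counterpart of X509_V_FLAG_CRL_CHECK, is passed.

```shell
#!/bin/sh
# Constructed demo, not from the thread: make a throwaway CA, issue a leaf,
# revoke it in root.crl, then verify the leaf through the same by-file lookup
# X509_STORE_load_locations uses, with and without CRL checking enabled.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $W
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
touch "$W/index.txt"; echo 01 > "$W/serial"

# Root CA, leaf CSR, issued leaf, revocation, and the resulting CRL.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoRootCA \
  -config "$W/ca.cnf" -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=leaf \
  -config "$W/ca.cnf" -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
openssl ca -batch -notext -days 30 -config "$W/ca.cnf" \
  -in "$W/leaf.csr" -out "$W/leaf.pem" >/dev/null 2>&1
openssl ca -config "$W/ca.cnf" -revoke "$W/leaf.pem" >/dev/null 2>&1
openssl ca -config "$W/ca.cnf" -gencrl -out "$W/root.crl" >/dev/null 2>&1
# One PEM file holding the trusted root and its CRL, as a CAfile loads both.
cat "$W/ca.pem" "$W/root.crl" > "$W/trust.pem"

# Exit status 0 = leaf accepted; $1 = extra flags for "openssl verify".
verify_leaf() {
  openssl verify $1 -CAfile "$W/trust.pem" "$W/leaf.pem" >/dev/null 2>&1
}
```

Without -crl_check the revoked leaf verifies cleanly even though root.crl is loaded; with it, verification fails with "certificate revoked".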



Re: Hard-coded trusted CA-cert

2002-03-09 Thread Boguslaw Brandys

Hello,

I'm a newbie, but now I can hard-code the root certificate. Thank you!
Still one question:


X509 *x;
..
  X509_free(x);  // do I have to call this?


Also, any example of how to read a certificate to and from a memory buffer
would be nice. ;-)

Boguslaw Brandys


- Original Message -
From: "Dilkie, Lee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert


> Dennis,
>
> This is what I did. I think I just looked into the
> SSL_CTX_load_verify_locations() function and copied what it did.
>
>
> {
>
> X509 *x=NULL;
> unsigned char* c;
>
> c = CACert;
> x = d2i_X509( NULL, &c, (long) sizeof( CACert ) );
> if( x == NULL ){
> PostErrStack( "MiSslInit(): d2i_X509(CACert) failed" );
> goto ERROR_CLEANUP;
> }
> if( !SSL_CTX_add_extra_chain_cert( sslctx, x ) ){
> PostErrStack( "MiSslInit(): SSL_CTX_add_extra_chain_cert() failed" );
> goto ERROR_CLEANUP;
> }
> }
>
> hope this helps.
>
> -lee
>
> -Original Message-
> From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: Hard-coded trusted CA-cert
>
>
> Hi everybody!
>
> I'm searching for a way of hard-coding a trusted CA certificate into a
> client executable. I have browsed the archives and the documentation,
> but I was unable to find anything useful yet.
>
> Currently, I use SSL_CTX_load_verify_locations() to load my trusted
> CA-file. In my case there will only be one trusted CA and I'd prefer not
> to load it from a file.
>
> So is there a way of declaring something like this:
>
> unsigned char CACert[]={0x30,0x82,0x02,0x6B,...}
>
> which could be generated using 'openssl x509 -C -noout -in cacert.pem'
> and feeding it to the CTX for verification?
>
> Thanks for any help!
>
> Dennis






CRL in OpenSSL 0.9.6c

2002-03-09 Thread Bogusław Brandys

Hello,

I have one question about CRL: does X509_verify_cert parse the CRL list?
I tried to use X509_STORE_load_locations to load a CRL file with the revocation
of the certificate which is used for signing. The surprise is that verify is always
successful, whether the certificate is marked as revoked in the CRL or not.
Maybe I don't understand something?

Boguslaw







Re: Creating a SSL Certificate

2002-03-09 Thread Huibert Kivits

Hi Eugenio,

Creating SSL certificates is the raison d'etre of OpenSSL. So yes, that's 
possible.

About domain names: you are confusing the domain name (like "example.com") with 
the common name (like "www.example.com"). The common name is the same as the 
name of your webserver. If you create a Certificate Signing Request, you will 
always be asked for the common name.

If you need OpenSSL just for signing one single Certificate Signing Request, 
you could as well create a self-signed certificate with IIS. That would be way 
easier. IIS undoubtedly will offer this possibility.

Best regards,

Huibert 
 

Quoting Eugenio Pacheco <[EMAIL PROTECTED]>:

> Hi,
> 
> Is it possible to create a SSL Certificate using openssl? I didn't quite
> understand what these certificates are for. Usually SSL Certificates ask
> for a domain name so it can be associated with it, and I didn't get
> anywhere asking me for a domain name. How can I create a SSL Certificate
> using openssl and install it in IIS for a website? Is it possible?
> 
> Thanks in advance.
> 
> Eugenio Pacheco
> 



Creating a SSL Certificate

2002-03-09 Thread Eugenio Pacheco

Hi,

Is it possible to create a SSL Certificate using openssl? I didn't quite
understand what these certificates are for. Usually SSL Certificates ask
for a domain name so it can be associated with it, and I didn't get
anywhere asking me for a domain name. How can I create a SSL Certificate
using openssl and install it in IIS for a website? Is it possible?

Thanks in advance.

Eugenio Pacheco




Re: Client private-key and certificate w IE Browser

2002-03-09 Thread Dr S N Henson

Amodhini U wrote:
> 
> Hi,
> 
> 
> Could you please help me?  Specifically, how can I
> import a PKCS#8 private-key into the local IE
> Browser's security database?
> (After that, importing the associated local
> certificate in .der or .cer format should be plain
> sailing.)
> 

You can't. AFAIK IE doesn't support PKCS#8.

> (I don't want to combine the local private-key and
> local certificate into a PKCS#12 object.  That would
> compromise security.)
> 

What makes you think that? PKCS#12 is the only standard way to import an
externally generated key and certificate into IE. 

In any case PKCS#12 uses PKCS#8 internally for private key storage and
encryption.

It could be argued that the need to generate and transfer a private key
externally is already reducing the security of this system. A better way
to do things is to generate the private key and certificate request on
the client using Xenroll and then just install the certificate.

Steve.



Client private-key and certificate w IE Browser

2002-03-09 Thread Amodhini U

Hi,

Using OpenSSL I've created a (RSA algorithm) Root
private-key and associated (X.509v3) Root CA
certificate.

On each user (client) (Windows) machine I've been
happily creating, again using OpenSSL, a private-key
and associated client certificate (issued by my above
Root CA in response to a CSR).  The goal is to provide
client authentication to a central secure web server.

On each client machine I was able to import the Root
CA certificate into the IE browser's security
database.

However I'm failing miserably to import the local
private-key into the local IE Browser's security
database.  (Consequently, of course, importing the
local client certificate alone into the IE Browser is
of no use at all.)

Could you please help me?  Specifically, how can I
import a PKCS#8 private-key into the local IE
Browser's security database?
(After that, importing the associated local
certificate in .der or .cer format should be plain
sailing.)

(I don't want to combine the local private-key and
local certificate into a PKCS#12 object.  That would
compromise security.)

Thank you very much, in advance

Amodhini U

[EMAIL PROTECTED]






RE: I need to know how to generate a certificate in pkcs7 format withopenSSL

2002-03-09 Thread Tom Tang

It is in the apps directory.

-Original Message-
From: GOLDING,CHARLTON (Non-HP-Corvallis,ex1)
[mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 2:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: I need to know how to generate a certificate in pkcs7
format withopenSSL


Chet Golding
Hewlett-Packard
ESDO, Operations Engineering

>-Original Message-
>From: Dr S N Henson [mailto:[EMAIL PROTECTED]] 
>Sent: Thursday, March 07, 2002 6:01 PM

Thanks, [Steve, good info!] we're on the right track now.  A few fine
details to work out but it is running.  I had a question on this following
part:

>The openssl docs describe how the certificate creation utilities work in
>some detail and there's a wrapper perl script CA.pl that calls the
>openssl utility using the most commonly used options.

I've not found a CA.pl script.  What I see in the /misc directory is a CA
script but that isn't in perl, so I wanted to check in case I'm missing
something.  Where can I find this CA.pl?
