Re: ASN1_sign, ASN1_verify
You need to set the followiong flags like for a bitstringc containing a public key: pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT; If not, the code assumes that a bitstring is in fact a named bit list and removes trailing 0s. > > Hi everybody, i have a strange behavior ... > > (while investigationg it i noticed that i2d_ASN1_BIT_STRING shorten a bit string if > there are null bytes at the end of the string which it was not doing in older > versions.) > > But that's not why i write here : > I upgraded a server application from an old ssleay version to a recent openssl one. > > And with new one, for some odd reason, when i ASN1_sign a buffer (as > ASN1_BIT_STRING), the ASN1_verify will : > * always fail if the last byte of the buffer was 0x02 > * may fail if the last byte was 0x00 > * never fail if last was 0x01 or 0x03 > > The application verifying is still using the ancien ssl lib. > > has Anyone a clue ? > Cause i am a bit confused on what's wrong. > > Francis > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
pkcs7 file in crypto/pkcs7/p7 and crypto/pkcs7/t
Hi, Can anyone tell me what file formate are the files in crypto/pkcs7/p7/ and crypto/pkcs7/t/ driectories? For the files in p7 directory, I can not load them using "openssl pkcs7" command either in der or pem form. For the most files in t directory, "openssl pkcs7 -text -noout" returns nothing. Thanks! Wu __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: crlDistributionPoints with DirName value?
Hi, > crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test > CA 2 No Liabilities How about crlDistributionPoints = @crl_dist [ crl_dist ] DirName = /C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities -Kiyoshi Kiyoshi Watanabe > and when I attempt to use openssl ca to sign the certificate I get: > > # openssl ca -in req.pem -out cert.pem > Using configuration from /usr/share/ssl/openssl.cnf > Enter PEM pass phrase: > Error Loading extension section usr_cert > 6355:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported > option:v3_alt.c:380:name=DirName > 6355:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in > extension:v3_conf.c:91:name=crlDistributionPoints, value=DirName:/C=FI/O=SSH > Communications Security Corp/CN=SSH Test CA 2 No Liabilities > > >From my reading of the source code it appears that I can only use email, > URI, DNS, RID, and IP type values for this extension. Is there some > other way to get a value of type DirName into this extension? > > Thanks very much :) > > -- > | Mike Acar | [EMAIL PROTECTED] | > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ASN1_sign, ASN1_verify
Hi everybody, i have a strange behavior ... (while investigationg it i noticed that i2d_ASN1_BIT_STRING shorten a bit string if there are null bytes at the end of the string which it was not doing in older versions.) But that's not why i write here : I upgraded a server application from an old ssleay version to a recent openssl one. And with new one, for some odd reason, when i ASN1_sign a buffer (as ASN1_BIT_STRING), the ASN1_verify will : * always fail if the last byte of the buffer was 0x02 * may fail if the last byte was 0x00 * never fail if last was 0x01 or 0x03 The application verifying is still using the ancien ssl lib. has Anyone a clue ? Cause i am a bit confused on what's wrong. Francis __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[OpenSSL Advisory] Denial of Service in ASN.1 parsing
-BEGIN PGP SIGNED MESSAGE- OpenSSL Security Advisory [4 November 2003] Denial of Service in ASN.1 parsing == Previously, OpenSSL 0.9.6k was released on the 30 September 2003 to address various ASN.1 issues. The issues were found using a test suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. Subsequent to that release, Novell Inc. carried out further testing using the NISCC suite. They discovered that there was a denial of service vulnerability in OpenSSL version 0.9.6k when running on a Windows platform. A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows this large recursion cannot be handled correctly and so the bug causes OpenSSL to crash. A remote attacker could exploit this flaw if they can send arbitrary ASN.1 sequences which would cause OpenSSL to crash. This could be performed for example by sending a client certificate to a SSL/TLS enabled server which is configured to accept them. We do not believe this issue could be exploited further than a Denial of Service attack. Patches for this issue have been created by Dr Stephen Henson ([EMAIL PROTECTED]) of the OpenSSL core team. Who is affected? - OpenSSL 0.9.6k is affected by the bug, but the denial of service does not affect all platforms. This issue does not affect OpenSSL 0.9.7. Currently only OpenSSL running on Windows platforms is known to crash. Recommendations - --- Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.6l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.6l.tar.gz [normal] MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27 o openssl-engine-0.9.6l.tar.gz [engine] MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c The checksums were calculated using the following command: openssl md5 < openssl-0.9.6l.tar.gz openssl md5 < openssl-engine-0.9.6l.tar.gz References - -- The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0851 to this issue. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851 URL for this Security Advisory: http://www.openssl.org/news/secadv_20031104.txt -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iQCVAwUBP6eVw+6tTP1JpWPZAQF2pgP8CXV6at09Nloo7Pyv40m/J3Tbuh224WLE mQ2IARAqnj+gds8MRzQnKQcWaqdnMXOu6ayAULdDZXmQVQYBMQ61lrJiVjaxonyD T8LtSb6Zg2A5ijut7Nsuw7TItOGTfqHPSOMRUwmdcsz2/IpzDPQXcIJt2WU8uHO3 zDd6ZTOpPxY= =jZd3 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
crlDistributionPoints with DirName value?
Hi, (Sorry if some of my terminology is wrong - What I understand of X.509 certs I've picked up working with OpenSSL to set up IPSec and SSL tunnels.) I've been working on getting SSH Sentinel to talk to the Linux FreeS/WAN IPSec implementation, and am at the stage where I want to get Sentinel to fetch CRLs automatically. To make a long story short, at http://pki.ssh.com:8080/enroll-ca-list.html ssh.com provides some test CAs whose certificates include crlDistributionPoints extensions of type DirName, and I infer that I must do something similar to get Sentinel to fetch the CRLs automatically (as it supports only LDAP for this). Is this possible with OpenSSL? Into the usr_cert section of openssl.cnf I've put crlDistributionPoints = DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities and when I attempt to use openssl ca to sign the certificate I get: # openssl ca -in req.pem -out cert.pem Using configuration from /usr/share/ssl/openssl.cnf Enter PEM pass phrase: Error Loading extension section usr_cert 6355:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:380:name=DirName 6355:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=crlDistributionPoints, value=DirName:/C=FI/O=SSH Communications Security Corp/CN=SSH Test CA 2 No Liabilities >From my reading of the source code it appears that I can only use email, URI, DNS, RID, and IP type values for this extension. Is there some other way to get a value of type DirName into this extension? Thanks very much :) -- | Mike Acar | [EMAIL PROTECTED] | __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
How to set Issuing Distribution Point in CRL
Dear all, I try to search documents in all OpenSSL mailing list about setting Issuing Distribution Point in CRL and I found a conversation that talk about iDP (http://marc.theaimsgroup.com/?l=openssl-users&m=105015263429749&w=2). Dr Stephen N. Henson said "iDP AFAICS doesn't need additional support but is a rather complex extension which may need 'raw' handling which is harder to do." After that I try to search method to do that, but I can not find in any documents. Thanks for advance. Thitikorn Trakoonsirisak