Re: Regd ASN1_ITEM_rptr( )

2004-09-15 Thread El hallabi-Kettani Abderrahmane

First, it's not a function, it's a macro; you'll find it in asn1/asn1.h:

#define ASN1_ITEM_rptr(ref) (ref##_it())

Normally the IMPLEMENT_ASN1_FUNCTIONS(X509) will do the trick.
Else the macro will help:

#define DECLARE_ASN1_ITEM(name) \
	OPENSSL_EXTERN const ASN1_ITEM name##_it;

Abdou,






__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: TLS application data MAC

2004-09-15 Thread Tan Eng Ten
Look at the Appendix -- Sample Code in http://www.ietf.org/rfc/rfc2104.txt

Avinash Agarwal wrote:
> Hello all,
> I'm trying to figure out how to generate the MAC for application data in TLS
> v1.
> The rfc (2246) says at § F.2 "protecting application data"
> "Outgoing data is protected with a MAC before transmission. To prevent
>    message replay or modification attacks, the MAC is computed from the
>    MAC secret, the sequence number, the message length, the message
>    contents, and two fixed character strings."
>
> What are the "two fixed character strings"?
> TIA
> Regards,
> Avinash
  



Re: Regd ASN1_ITEM_rptr( )

2004-09-15 Thread Sravan
El hallabi-Kettani Abderrahmane wrote:
> First, it's not a function, it's a macro; you'll find it in asn1/asn1.h:
>
> #define ASN1_ITEM_rptr(ref) (ref##_it())

Actually I was talking about the expansion of the macro ASN1_ITEM_rptr
itself. Say if I use IMPLEMENT_ASN1_FUNCTIONS(X509), one of the results
of its expansion will be
ASN1_item_free( (ASN1_VALUE *)a, ASN1_ITEM_rptr(X509) )
In this one ASN1_ITEM_rptr(X509) will expand to X509_it( ).
I was talking about this X509_it( ). The linker is unable to resolve
this symbol.

> Normally the IMPLEMENT_ASN1_FUNCTIONS(X509) will do the trick.
> Else the macro will help:
> #define DECLARE_ASN1_ITEM(name) \
> 	OPENSSL_EXTERN const ASN1_ITEM name##_it;

Abdou,
even the expansion of DECLARE_ASN1_ITEM( ) depends on the directive
OPENSSL_EXPORT_VAR_AS_FUNCTION (in asn1.h) and I can't understand the
purpose of using this

regards,
Sravan


Re: A little help please!!!

2004-09-15 Thread Goetz Babin-Ebell
Hello Marcos,

Marcos Paraiso wrote:
> Ok, I found out the proper command:
> gcc -o test test.c c:\mingw\lib\libeay32.a c:\mingw\lib\ssleay32.a
> This guy compiles my programs just fine...

And includes the full libeay and ssleay libs in your executable.

> If anybody knows a better way, please tell me!!!

I suggest reading the documentation for your compiler.
Try something like
gcc -o test test.c -L C:\mingw\lib -leay32 -lssleay32
(perhaps you need -llibeay32,
 the name scheme for libraries in Windows is stupid)
Bye
Goetz
--
Goetz Babin-Ebell, software designer,
TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany
Office: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
www.trustcenter.de www.betrusted.com




Re: Regd ASN1_ITEM_rptr( )

2004-09-15 Thread El hallabi-Kettani Abderrahmane
Try this: DECLARE_ASN1_FUNCTIONS(name).

DECLARE_ASN1_ITEM(name) may be used for the platforms that can't
easily handle shared global variables; they are then declared as
functions returning ASN1_ITEM pointers.
See that too:
#define DECLARE_ASN1_ITEM(name) \
const ASN1_ITEM * name##_it(void);


Abdou,








PKCS7_add_attribute

2004-09-15 Thread Antonio Ruiz Martínez
Hello!
I've been looking at the PKCS7_add_attribute function and I would like to
insert a signed PKCS7 as an attribute.

The header of the function is:
PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value);

I suppose that nid should be the NID_pkcs7_signed but I don't know which 
values should be in atrtype (may it be V_ASN1_SEQUENCE ?) and in value 
(der coding of the PKCS7? or the SEQUENCE of the PKCS7, in this case, 
how can I get the sequence from the PKCS7?).

Could you help me, please?
Regards,
Antonio.
--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
e-mail: [EMAIL PROTECTED] or arm [at] dif [dot] um [dot] es
--


Re: Regd ASN1_ITEM_rptr( )

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Sravan wrote:

> Hi,
> I have been using X509 related functions in my code and for the 
> definitions of functions like X509_free( ), I am using the macro 
> IMPLEMENT_ASN1_FUNCTIONS(X509). In that macro expansion, 
> ASN1_ITEM_rptr(X509) is used which expands to X509_it( ). I couldn't get 
> the definition of this function anywhere and so the linker is reporting 
> it as an unresolved symbol. Actually I couldn't understand the purpose
> of this ASN1_ITEM_rptr( ). Can anyone please explain me how to get 
> around this?
> 
> I am using Openssl 0.9.7b in Windows platform.
> 

What's the code that causes this error? There are some cases where you might
need to use ASN1_ITEM_rptr() directly but not many.

The reason for that macro (and some related ones) is to do with certain
platform quirks. In OpenSSL 0.9.7 and later ASN1 modules are defined in terms
of constant structures.

When an external application ASN1 module needs to reference a module inside
OpenSSL itself it has to somehow determine a pointer to the relevant structure.

On some OSes you can't easily reference a pointer to a structure in a shared
library or (in the case of Windows) you can't (or I couldn't) initialize a
structure at compile time to contain a pointer to a structure in a shared
library.

That is doing:

const SOME_STRUCT foo = {&bar,...};

where "bar" is in a shared library doesn't work.

The workaround for this is to export functions which return pointers
to the structures instead and include function pointers in the static
structure. The macros are there to allow applications to be
written which use the correct convention on all supported platforms.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
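
The convention described in the message above, reduced to a self-contained sketch. This is an added example, not OpenSSL's code and not part of the original post: every DEMO_* name is a hypothetical stand-in modelled on ASN1_ITEM_rptr and DECLARE_ASN1_ITEM, and DEMO_EXPORT_VAR_AS_FUNCTION plays the role of the OPENSSL_EXPORT_VAR_AS_FUNCTION switch mentioned in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ASN1_ITEM: a constant structure describing a type. */
typedef struct demo_item_st {
    const char *sname;
    size_t size;
} DEMO_ITEM;

/* 1 models platforms where a static initializer cannot hold the address of a
 * variable that lives in a shared library; 0 models every other platform. */
#ifndef DEMO_EXPORT_VAR_AS_FUNCTION
# define DEMO_EXPORT_VAR_AS_FUNCTION 1
#endif

#if DEMO_EXPORT_VAR_AS_FUNCTION
/* The library exports a function name##_it() that returns the pointer. */
typedef const DEMO_ITEM *DEMO_ITEM_EXP(void);
# define DEMO_DECLARE_ITEM(name) const DEMO_ITEM *name##_it(void);
# define DEMO_IMPLEMENT_ITEM(name, sz) \
    const DEMO_ITEM *name##_it(void) \
    { \
        static const DEMO_ITEM local_it = { #name, (sz) }; \
        return &local_it; \
    }
# define DEMO_ITEM_ref(name)  (name##_it)     /* value for a static initializer */
# define DEMO_ITEM_ptr(iptr)  ((iptr)())      /* stored reference -> pointer */
# define DEMO_ITEM_rptr(name) (name##_it())   /* type name -> pointer */
#else
/* The library exports the constant structure itself as name##_it. */
typedef const DEMO_ITEM DEMO_ITEM_EXP;
# define DEMO_DECLARE_ITEM(name) extern const DEMO_ITEM name##_it;
# define DEMO_IMPLEMENT_ITEM(name, sz) \
    const DEMO_ITEM name##_it = { #name, (sz) };
# define DEMO_ITEM_ref(name)  (&(name##_it))
# define DEMO_ITEM_ptr(iptr)  (iptr)
# define DEMO_ITEM_rptr(name) (&(name##_it))
#endif

/* "Library" side: declares and defines the item under the chosen convention. */
DEMO_DECLARE_ITEM(DEMO_CERT)
DEMO_IMPLEMENT_ITEM(DEMO_CERT, 128)

/* "Application" side: a static structure that refers to the library's item.
 * It is written once and compiles under either convention, because the
 * reference is stored as DEMO_ITEM_EXP * and only read through DEMO_ITEM_ptr.
 * Library and application must be built with the same setting: under one
 * convention name##_it is a function, under the other it is a variable. */
typedef struct demo_template_st {
    const char *field_name;
    DEMO_ITEM_EXP *item;
} DEMO_TEMPLATE;

static const DEMO_TEMPLATE app_template = { "cert", DEMO_ITEM_ref(DEMO_CERT) };

/* Resolve the item through the reference stored in the static structure. */
const char *template_item_name(void)
{
    return DEMO_ITEM_ptr(app_template.item)->sname;
}

/* The direct form (rptr) and the stored form (ref + ptr) name the same item. */
int rptr_matches_template(void)
{
    return DEMO_ITEM_rptr(DEMO_CERT) == DEMO_ITEM_ptr(app_template.item);
}

int main(void)
{
    printf("item via template: %s (%lu bytes)\n", template_item_name(),
           (unsigned long)DEMO_ITEM_rptr(DEMO_CERT)->size);
    printf("same pointer: %d\n", rptr_matches_template());
    return 0;
}
```

Compiling with -DDEMO_EXPORT_VAR_AS_FUNCTION=0 switches to the variable convention without touching the application side.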


Re: PKCS7_add_attribute

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:

> Hello!
> 
> I've been looking at the PKCS7_add_attribute function and I would like to
> insert a signed PKCS7 as an attribute.
> 
> The header of the function is:
> 
> PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,void 
> *value);
> 
> I suppose that nid should be the NID_pkcs7_signed but I don't know which 
> values should be in atrtype (may it be V_ASN1_SEQUENCE ?) and in value 
> (der coding of the PKCS7? or the SEQUENCE of the PKCS7, in this case, 
> how can I get the sequence from the PKCS7?).
> 
> Could you help me, please?
> Regards,
> Antonio.
> 
> 

The NID is whatever OID is defined by whatever standard defines the syntax.
If there isn't a standard you might want to create a private OID and document
its meaning somewhere.

The meaning of atrtype and value are based on the ASN1_TYPE structure. For a
sequence atrtype is indeed V_ASN1_SEQUENCE and value is an ASN1_STRING
structure containing the encoding of the SEQUENCE.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Extended key usage field

2004-09-15 Thread Pavel
According to RFC 2459:
If the Extended key usage field is flagged critical, the certificate MUST be used only 
for one of the purposes indicated.
If the extension is flagged non-critical, then it indicates the intended purpose or 
purposes of the key, and may be used in finding the correct key/certificate of an 
entity that has multiple keys/certificates. It is an advisory field and does not imply 
that usage of the key is restricted by the certification authority to the purpose 
indicated. Certificate using applications may nevertheless require that a particular 
purpose be indicated in order for the 
certificate to be acceptable to that application.
I have a certificate (generated with MS Certificate Services W2K). 
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
2c:fd:65:6e:00:00:00:00:01:79
 Signature Algorithm: sha1WithRSAEncryption
..bla-bla...
 X509v3 extensions:
  X509v3 Key Usage: critical
   Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
  X509v3 Extended Key Usage: 
   TLS Web Client Authentication
Extended key usage is not flagged as critical.
But I can't use them for smime encoding
>openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
error 26 at 0 depth lookup:unsupported certificate purpose
From man:
x509(1)
CERTIFICATE EXTENSIONS
The extended key usage extension places additional restrictions on the certificate 
uses. If this extension is present (whether critical or not) the key can only be used 
for the purposes specified.
Why? 




Re: PKCS7_add_attribute

2004-09-15 Thread Antonio Ruiz Martínez




Hello!

Dr. Stephen Henson wrote:
> On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:
>
> > Hello!
> >
> > I've been looking at the PKCS7_add_attribute function and I would like to
> > insert a signed PKCS7 as an attribute.
> >
> > The header of the function is:
> >
> > PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value);
> >
> > I suppose that nid should be the NID_pkcs7_signed but I don't know which
> > values should be in atrtype (may it be V_ASN1_SEQUENCE ?) and in value
> > (der coding of the PKCS7? or the SEQUENCE of the PKCS7, in this case,
> > how can I get the sequence from the PKCS7?).
> >
> > Could you help me, please?
> > Regards,
> > Antonio.
>
> The NID is whatever OID is defined by whatever standard defines the syntax.
> If there isn't a standard you might want to create a private OID and document
> its meaning somewhere.
>
> The meaning of atrtype and value are based on the ASN1_TYPE structure. For a
> sequence atrtype is indeed V_ASN1_SEQUENCE and value is an ASN1_STRING
> structure containing the encoding of the SEQUENCE.

Thanks for your answer, it has been very useful when I use an octet
string, but I have got a problem when I'm using a sequence.
I think I am not doing something properly because I don't get the
desired result.
I've tried the following options:

1)
ASN1_OCTET_STRING *oct=NULL;
oct=ASN1_STRING_new();
ASN1_STRING_set(oct,p7_2,lenp7_2);
where p7_2 -> coding in DER of a signed PKCS#7
PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
i2d_PKCS7 .

This way when I try to decode the result of the coding I get an error.
It seems the structure is not correct.
However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed,
V_ASN1_OCTET_STRING,(void *)oct) it works but I've an attribute which
is an octet string that contains a DER coded PKCS7 but I would like
that the attribute was directly the PKCS7

2)
p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
i2d_PKCS7 .

This way I can decode the encoded PKCS7 but the PKCS7 is not inserted
properly as an attribute.

How can I solve the problem?
Could you help me another time, please?
Thanks in advance,
Regards,
Antonio.





Unable to verify certificate

2004-09-15 Thread kevin quinn
I am trying to research an issue related to SSL - I have the following
from running openSSL :

CONNECTED(0004)
depth=0 /C=US/ST=California/L=Redwood Shores/O=Oracle 
Corporation/OU=Global IT/CN=collabsuite-mobile.oracle.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Redwood Shores/O=Oracle 
Corporation/OU=Global IT/CN=collabsuite-mobile.oracle.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Redwood Shores/O=Oracle 
Corporation/OU=Global IT/CN=collabsuite-mobile.oracle.com
verify error:num=21:unable to verify the first certificate
verify return:1

I also run a command based on OpenSSL and get the following:
CONNECTED(0004)
---
Certificate chain
0 s:/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global 
IT/CN=c
ollabsuite-mobile.oracle.com
  i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification 
Authority
---
Server certificate
subject=/C=US/ST=California/L=Redwood Shores/O=Oracle 
Corporation/OU=Global IT/C
N=collabsuite-mobile.oracle.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification 
Authority
---
No client certificate CA names sent
---
SSL handshake has read 1056 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
   Protocol  : SSLv3
   Cipher: AES256-SHA
   Session-ID: 
81CB6103DF1F9043170A50DC881724ABC013DB649073527E8292498F022B47D1
   Session-ID-ctx:
   Master-Key: 
868690A37B01B6C8D59CFDE824F43E9C7A5B87ED6EF664AB18412D98AA803A2F
3439DF99217624B8164F0EB1AF16AEE4
   Key-Arg   : None
   Start Time: 1095259701
   Timeout   : 7200 (sec)
   Verify return code: 21 (unable to verify the first certificate)

Can anyone on the forum help explain what these mean? - I am trying to
access this site via a WAP Browser using a WAP Proxy and I get the
following error  - Invalid certificate chain received

--
Best Regards,
Kevin Quinn

Email  [EMAIL PROTECTED]




Re: Extended key usage field

2004-09-15 Thread Charles B Cranston
Why questions are particularly difficult to answer.
I guess the real answer is: because the programmer who wrote the
software in question decided to program it that way.
The "critical" bit was intended to be an aid to software upgrade:
Suppose you are trying to support a mix of old and new software,
where the old software does not know about a particular extension
but the new software does.  Presumably the new software knows the
proper way to deal with the extension.  For the old software,
the critical bit provides a "hint" of what to do.  If the critical
bit is not set, the software is free to ignore the extension.
If the critical bit is set, the software should reject the certificate.
But this is only for the old software, which does not know about
the particular extension.  In the case you describe, the software
DOES know about the Extended Key Usage extension, so the critical
bit does not make any difference.
Even though the text description could be read to support your
interpretation, note the operant sentence:
"Certificate using applications may nevertheless require that
a particular purpose be indicated in order for the certificate
to be acceptable to that application."
This leaves the final decision up to the implementor, in this
case OpenSSL.  The certificate in question is marked for the
purpose of client-side authentication (I think this is right)
which means it belongs to a person and can be used by that
person to prove to a web server who he or she is, AFTER that
server has used a Server Side certificate to prove who IT is.
Sorry, I don't know enough about MS CS W2K to advise you if
it is difficult, easy, or impossible to add the additional
purpose bits at the point the certificate is generated.

> According to RFC 2459:
> If the Extended key usage field is flagged critical, the certificate
> MUST be used only for one of the purposes indicated.
> If the extension is flagged non-critical, then it indicates the
> intended purpose or purposes of the key, and may be used in finding the
> correct key/certificate of an entity that has multiple
> keys/certificates. It is an advisory field and does not imply that usage
> of the key is restricted by the certification authority to the purpose
> indicated. Certificate using applications may nevertheless require that
> a particular purpose be indicated in order for the
> certificate to be acceptable to that application.
> I have a certificate (generated with MS Certificate Services W2K).
> Certificate:
>  Data:
>  Version: 3 (0x2)
>  Serial Number:
> 2c:fd:65:6e:00:00:00:00:01:79
>  Signature Algorithm: sha1WithRSAEncryption
> ..bla-bla...
>  X509v3 extensions:
>   X509v3 Key Usage: critical
>    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>   X509v3 Extended Key Usage:
>    TLS Web Client Authentication
> Extended key usage is not flagged as critical.
> But I can't use them for smime encoding
>
>>openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
>
> error 26 at 0 depth lookup:unsupported certificate purpose
> From man:
> x509(1)
> CERTIFICATE EXTENSIONS
> The extended key usage extension places additional restrictions on
> the certificate uses. If this extension is present (whether critical or
> not) the key can only be used for the purposes specified.
> Why?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Re: Unable to verify certificate

2004-09-15 Thread Goetz Babin-Ebell
Hello Kevin,

kevin quinn wrote:
> I am trying to research an issue related to SSL - I have the following
> from running openSSL :
>
> CONNECTED(0004)
> depth=0 /C=US/ST=California/L=Redwood Shores/O=Oracle
> Corporation/OU=Global IT/CN=collabsuite-mobile.oracle.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> [...]
> I also run a command based on OpenSSL and get the following:
> CONNECTED(0004)
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global
> IT/CN=c
> ollabsuite-mobile.oracle.com
>   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
> Authority
> issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
> Authority
> [...]
>    Verify return code: 21 (unable to verify the first certificate)
>
> Can anyone on the forum help explain what these mean? - I am trying to
> access this site via a WAP Browser using a WAP Proxy and I get the
> following error  - Invalid certificate chain received

This means that in your local list of trusted issuer certificates
you don't have the certificate for
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Add it to the list (if you trust it) and the error should go away...
Bye
Goetz
--
Goetz Babin-Ebell, software designer,
TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany
Office: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
www.trustcenter.de www.betrusted.com




Re: PKCS7_add_attribute

2004-09-15 Thread Peter Sylvester


To add a PKCS7 as an attribute, one possibility is to use from PKCS9 version 2:

pKCS7PDU ATTRIBUTE ::= { 
   WITH SYNTAX Contentinfo
   ID pkcs-9-at-pkcs7PDU
}

which ends up in an OID pkcs-9 25 5  as far as I see.





Re: Extended key usage field

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Pavel wrote:

> According to RFC 2459:
> If the Extended key usage field is flagged critical, the certificate MUST be used 
> only for one of the purposes indicated.
> If the extension is flagged non-critical, then it indicates the intended purpose or 
> purposes of the key, and may be used in finding the correct key/certificate of an 
> entity that has multiple keys/certificates. It is an advisory field and does not 
> imply that usage of the key is restricted by the certification authority to the 
> purpose indicated. Certificate using applications may nevertheless require that a 
> particular purpose be indicated in order for the 
> certificate to be acceptable to that application.

There are various security reasons why that old definition was inadvisable at
the best of times. One piece of software (which could *not* be ignored by CAs)
rejected any certificate with a critical extension no matter what it was. This
has resulted in many CAs being forced to make extensions non-critical for
interoperability reasons. 

There was also an old definition which said "if an extension is non critical
it's only advisory" to which I'd argue that's not a very good idea for
basicConstraints because then anyone could be a CA.

RFC3280 which obsoletes RFC2459 says about extended key usage (section 4.2.13):

>If the extension is present, then the certificate MUST only be used for one
>of the purposes indicated.  

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
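
The two readings argued over in this thread, side by side as a small decision function. This is an added example, not OpenSSL's verification code and not part of the original posts: the types, names and flag values are hypothetical, the sample certificate is constructed from the dump in Pavel's message, and it assumes that S/MIME signing corresponds to the emailProtection purpose.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified view of an extension as a verifier sees it. */
enum demo_ext_id { EXT_KEY_USAGE, EXT_EXT_KEY_USAGE, EXT_UNRECOGNISED };

/* Extended key usage purposes as bit flags (constructed values). */
#define EKU_SERVER_AUTH      0x01u
#define EKU_CLIENT_AUTH      0x02u
#define EKU_EMAIL_PROTECTION 0x04u

struct demo_ext {
    enum demo_ext_id id;
    int critical;            /* the "critical" flag of the extension */
    unsigned int purposes;   /* only meaningful for EXT_EXT_KEY_USAGE */
};

enum demo_policy {
    POLICY_RFC2459,  /* non-critical extended key usage is advisory */
    POLICY_RFC3280   /* if present, extended key usage always restricts */
};

enum demo_verdict { CERT_OK, CERT_UNHANDLED_CRITICAL, CERT_PURPOSE_REJECTED };

/* Decide whether a certificate may be used for the purpose `wanted`. */
enum demo_verdict check_purpose(const struct demo_ext *exts, size_t n,
                                unsigned int wanted, enum demo_policy policy)
{
    size_t i;

    for (i = 0; i < n; i++) {
        const struct demo_ext *e = &exts[i];

        switch (e->id) {
        case EXT_UNRECOGNISED:
            /* The critical flag only decides the fate of extensions the
             * software does not understand: reject if set, ignore if not. */
            if (e->critical)
                return CERT_UNHANDLED_CRITICAL;
            break;
        case EXT_EXT_KEY_USAGE:
            /* Under the older reading a non-critical list is only a hint. */
            if (policy == POLICY_RFC2459 && !e->critical)
                break;
            if ((e->purposes & wanted) == 0)
                return CERT_PURPOSE_REJECTED;
            break;
        default:
            break;   /* key usage bit checks are left out of this sketch */
        }
    }
    return CERT_OK;
}

/* Constructed from the certificate dump in the thread: critical key usage,
 * non-critical extended key usage listing TLS Web Client Authentication. */
static const struct demo_ext pavel_cert[] = {
    { EXT_KEY_USAGE,     1, 0 },
    { EXT_EXT_KEY_USAGE, 0, EKU_CLIENT_AUTH }
};

/* Constructed: a certificate carrying one extension the software has never
 * heard of, first marked critical and then not. */
static const struct demo_ext unknown_critical[]    = { { EXT_UNRECOGNISED, 1, 0 } };
static const struct demo_ext unknown_noncritical[] = { { EXT_UNRECOGNISED, 0, 0 } };

int main(void)
{
    printf("S/MIME signing, RFC 3280 rule: %d\n",
           check_purpose(pavel_cert, 2, EKU_EMAIL_PROTECTION, POLICY_RFC3280));
    printf("S/MIME signing, RFC 2459 rule: %d\n",
           check_purpose(pavel_cert, 2, EKU_EMAIL_PROTECTION, POLICY_RFC2459));
    printf("client auth,    RFC 3280 rule: %d\n",
           check_purpose(pavel_cert, 2, EKU_CLIENT_AUTH, POLICY_RFC3280));
    return 0;
}
```

Under the RFC 3280 rule the sample certificate is rejected for S/MIME signing whether or not the extension is marked critical, which matches the "unsupported certificate purpose" result reported at the start of the thread.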


Re: PKCS7_add_attribute

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:

> 
> Thanks for your answer, it has been very useful when I use an octet
> string, but I have got a problem when I'm using a sequence.
> I think I am not doing something properly because I don't get the
> desired result.
> I've tried the following options:
>
> 1)
> ASN1_OCTET_STRING *oct=NULL;
> oct=ASN1_STRING_new();
> ASN1_STRING_set(oct,p7_2,lenp7_2);
> where p7_2 -> coding in DER of a signed PKCS#7
> PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
> i2d_PKCS7 .
>
> This way when I try to decode the result of the coding I get an error.
> It seems the structure is not correct.
> However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed,
> V_ASN1_OCTET_STRING,(void *)oct) it works but I've an attribute which is
> an octet string that contains a DER coded PKCS7 but I would like that
> the attribute was directly the PKCS7
>
> 2)
> p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
> PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
> i2d_PKCS7 .
>
> This way I can decode the encoded PKCS7 but the PKCS7 is not inserted
> properly as an attribute.
> 
> How can I solve the problem?
> Could you help me another time, please?
> 

What errors are you getting and what makes you think it isn't inserted
properly as an attribute? 

How are you trying to decode it?

The technique I described is precisely that used to encode and decode the
S/MIME capabilities attribute. See crypto/pkcs7/pk7_attr.c which I also wrote
BTW :-)

And I notice that the decoding in there isn't quite right: it should check
the type is really V_ASN1_SEQUENCE and reject if it isn't. I'll have to fix
that...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: PKCS7_add_attribute

2004-09-15 Thread Antonio Ruiz Martínez




Dr. Stephen Henson wrote:
> On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:
>
> > Thanks for your answer, it has been very useful when I use an octet
> > string, but I have got a problem when I'm using a sequence.
> > I think I am not doing something properly because I don't get the
> > desired result.
> > I've tried the following options:
> >
> > 1)
> > ASN1_OCTET_STRING *oct=NULL;
> > oct=ASN1_STRING_new();
> > ASN1_STRING_set(oct,p7_2,lenp7_2);
> > where p7_2 -> coding in DER of a signed PKCS#7
> > PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
> > i2d_PKCS7 .
> >
> > This way when I try to decode the result of the coding I get an error.
> > It seems the structure is not correct.
> > However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed,
> > V_ASN1_OCTET_STRING,(void *)oct) it works but I've an attribute which is
> > an octet string that contains a DER coded PKCS7 but I would like that
> > the attribute was directly the PKCS7
> >
> > 2)
> > p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
> > PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
> > i2d_PKCS7 .
> >
> > This way I can decode the encoded PKCS7 but the PKCS7 is not inserted
> > properly as an attribute.
> >
> > How can I solve the problem?
> > Could you help me another time, please?
>
> What errors are you getting and what makes you think it isn't inserted
> properly as an attribute?

Thanks for your comments!!!

I'm using the first solution 1), as you told me, that is...
    oct=ASN1_STRING_new();
    if  (!ASN1_STRING_set(oct,pkcs7inDER,lenPKCS7inDER)) {
        lReturn=-50;
        goto err;
    }
    p7=PKCS7_new();
    if (p7==NULL) {
        lReturn=-20;
        goto err;
    }
..

    si=sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info,0);
    if (si==NULL) {
        lReturn=-4;
        goto err;
    }

    PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(char *)oct);

And I'm getting a file that I attach for you. I can't decode this file.

> How are you trying to decode it?

d2i_PKCS7...

> The technique I described is precisely that used to encode and decode the
> S/MIME capabilities attribute. See crypto/pkcs7/pk7_attr.c which I also wrote
> BTW :-)

I've been looking at that code... And I'm doing the same, I think...
Have you got any idea?
Regards,
Antonio.






test.der
Description: application/x509-ca-cert








Re: PKCS7_add_attribute

2004-09-15 Thread Peter Sylvester
You may try a routine like the following by replacing all occurrences of
ESS_SIGNING_CERTIFICATE by PKCS7
and change the nid to the PKCS9 V2 defined one.
Or to consider to (mis)use

   id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 }


The difference I see is that the i2d is done before setting the attribute. 


int ESS_add_attrib_signcert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERTIFICATE *sc) {
    ASN1_STRING *seq;
    unsigned char *p, *pp;
    int len;

    /* First pass: ask i2d for the length of the DER encoding. */
    len = i2d_ESS_SIGNING_CERTIFICATE(sc, NULL);
    if (len <= 0)
        return 0;
    if (!(pp = (unsigned char *) OPENSSL_malloc(len))) {
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    /* Second pass: i2d advances p, so pp keeps pointing at the start. */
    p = pp;
    i2d_ESS_SIGNING_CERTIFICATE(sc, &p);

    if (!(seq = ASN1_STRING_new())) {
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    /* ASN1_STRING_set copies the buffer, so pp can be freed afterwards. */
    if (!ASN1_STRING_set(seq, pp, len)) {
        ASN1_STRING_free(seq);
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    OPENSSL_free(pp);
    /* seq now holds the complete DER SEQUENCE and is added as V_ASN1_SEQUENCE. */
    return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
                                      V_ASN1_SEQUENCE, seq);
}



Re: Extended key usage field

2004-09-15 Thread Charles B Cranston
From RFC3280 section "4.2.1.13 Extended Key Usage"

   If a certificate contains both a key usage extension and an extended
   key usage extension, then both extensions MUST be processed
   independently and the certificate MUST only be used for a purpose
   consistent with both extensions.  If there is no purpose consistent
   with both extensions, then the certificate MUST NOT be used for any
   purpose.

Seems to me the purpose "smime-encryption" is not consistent with
the Extended Key Usage extension "TLS Web Client Authentication"
irregardless of the contents of the other (Key Usage) extension.

Are you trying to push a definition that is in conflict with RFC3280,
or am I just more confused than usual?

In particular, to support dual-certificate systems which use one
certificate for authentication and a different certificate for
encryption, and which rely on these bit settings to make using the
wrong certificate (in both cases) impossible, I would strongly
argue against ANY reading in which a certificate issued for
authentication is considered valid for encryption.  Consider the
issue of private key escrow...

Rich Salz wrote:
 > The extended key usage extension places additional restrictions on 
the certificate uses. If this extension is present (whether critical 
or not) the key can only be used for the purposes specified.

No it doesn't.  Or rather, not quite.  If you want a key to be used for 
*only* the purposes defined in the eKU list, then you must have an empty 
keyUsage attribute.  keyUsage is a special bitmap of "well known" uses. 
 The spec authors could have defined keyUsage as a list of OID's and 
defined certain well-known OID's with the current semantics, but they 
didn't.

Yes, it is confusing that you have to read it as "you may use this 
certificate for only the purposes listed in the keyUsage field (but 
assume "all bits on" if not present), *or only* for the purposes listed 
in the extendedKeyUsage field (but assume "all OIDs allowed" if not 
present).

Read the sentence above carefully. :)
/r$
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
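
Added example (not part of the original message): the RFC 3280 paragraph quoted above, applied to the dual-certificate setup the message describes. The purpose names, the purpose-to-bit table and the three sample certificates are constructed for this illustration; an absent extension is modelled as None.

```python
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# Assumed purpose table for this example: the key usage bits of which at
# least one must be set, and the EKU OID that must be listed.
PURPOSES = {
    "tls-client-auth":  ({"digitalSignature", "keyAgreement"}, CLIENT_AUTH),
    "smime-signing":    ({"digitalSignature", "nonRepudiation"}, EMAIL_PROTECTION),
    "smime-encryption": ({"keyEncipherment", "keyAgreement"}, EMAIL_PROTECTION),
}

def ku_permits(key_usage, needed_bits):
    # An absent extension (None) places no restriction; a present one must match.
    return key_usage is None or bool(key_usage & needed_bits)

def eku_permits(ext_key_usage, oid):
    return (ext_key_usage is None or oid in ext_key_usage
            or ANY_EKU in ext_key_usage)

def permitted_purposes(key_usage, ext_key_usage):
    """Purposes consistent with BOTH extensions, each evaluated independently."""
    return {name for name, (bits, oid) in PURPOSES.items()
            if ku_permits(key_usage, bits) and eku_permits(ext_key_usage, oid)}

def check(cert, purpose):
    allowed = permitted_purposes(cert["keyUsage"], cert["extendedKeyUsage"])
    if not allowed:
        return "reject: no purpose is consistent with both extensions"
    return "accept" if purpose in allowed else "reject: purpose not permitted"

# Constructed certificates for a dual-certificate deployment.
AUTH_CERT = {"keyUsage": {"digitalSignature", "keyEncipherment"},
             "extendedKeyUsage": {CLIENT_AUTH}}
ENC_CERT = {"keyUsage": {"keyEncipherment"},
            "extendedKeyUsage": {EMAIL_PROTECTION}}
CONFLICTING = {"keyUsage": {"keyCertSign"}, "extendedKeyUsage": {CLIENT_AUTH}}
```

With these inputs the authentication certificate is refused for smime-encryption even though its keyUsage includes keyEncipherment, because the extendedKeyUsage check fails on its own.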


Re: PKCS7_add_attribute

2004-09-15 Thread Antonio Ruiz Martínez
Hello!
Peter Sylvester wrote:
You may try a routine like the following, replacing all occurrences of
ESS_SIGNING_CERTIFICATE by PKCS7
and changing the nid to the PKCS9 V2 defined one.
Or consider (mis)using 

  id-aa-timeStampToken OBJECT IDENTIFIER ::= { iso(1) member-body(2)
  us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) aa(2) 14 }
 

Ok, you're right, I thought to use that identifier when I have the 
timeStampToken, but at this moment I only want to make some tests so as to 
know if it is possible to use it.

The difference I see is that the i2d is done before setting the attribute. 

 

Ok I agree with you, that is the only difference with my code and it is 
the only thing that I can see different.
Thanks for your help.
Regards,
Antonio.

int ESS_add_attrib_signcert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERTIFICATE *sc) {
    ASN1_STRING *seq;
    unsigned char *p, *pp ;
    int len;
    len = i2d_ESS_SIGNING_CERTIFICATE(sc, NULL);
    if (!(pp = (unsigned char *) OPENSSL_malloc(len)))
    {
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT,ERR_R_MALLOC_FAILURE);
        return 0;
    }
    p = pp;
    i2d_ESS_SIGNING_CERTIFICATE(sc, &p);
    if(!(seq = ASN1_STRING_new())) {
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT,ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if(!ASN1_STRING_set (seq, pp, len)) {
        ASN1_STRING_free(seq);
        OPENSSL_free(pp);
        ESSerr(ESS_F_ADD_ATTRIB_SIGNCERT,ERR_R_MALLOC_FAILURE);
        return 0;
    }
    OPENSSL_free(pp);
    return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
}

 


--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
e-mail: [EMAIL PROTECTED] or arm [at] dif [dot] um [dot] es
--


Re: TLS application data MAC

2004-09-15 Thread dragos liciu
Hi Avinash,

The paragraph you mentioned is a little bit vague,
better look at 6.2.3.1 from the same RFC; below is a
fragment from the 6.2.3.1 paragraph:

..
   The MAC is generated as:

   HMAC_hash(MAC_write_secret, seq_num +  
TLSCompressed.type +
TLSCompressed.version + 
TLSCompressed.length +
TLSCompressed.fragment));

   where "+" denotes concatenation.
.

The "two fixed character strings" are 'type' and
'version'; I implemented it (in C++) just as specified
above and it works.


Dragos.
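
Added example (not from the original post or from OpenSSL): the RFC 2246 section 6.2.3.1 MAC from the fragment above, computed in Python over two consecutive records so that the byte layout and the effect of the implicit sequence number are visible. The class names, key and record contents are constructed for this illustration, and HMAC-SHA1 is assumed as the cipher suite's MAC.

```python
import hashlib
import hmac
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23   # ContentType values
TLS_1_0 = (3, 1)                       # ProtocolVersion on the wire for TLS 1.0

def record_mac(secret, seq_num, ctype, version, fragment, digest=hashlib.sha1):
    # seq_num is a uint64 and length a uint16, both big-endian; length counts
    # the fragment only (before the MAC and any cipher padding are appended).
    prefix = struct.pack("!QBBBH", seq_num, ctype, version[0], version[1],
                         len(fragment))
    return hmac.new(secret, prefix + fragment, digest).digest()

class WriteState:
    """One direction of a connection: MAC secret plus implicit sequence number."""
    def __init__(self, mac_write_secret):
        self.secret = mac_write_secret
        self.seq_num = 0           # zero when the state becomes the active one

    def protect(self, ctype, fragment):
        mac = record_mac(self.secret, self.seq_num, ctype, TLS_1_0, fragment)
        self.seq_num += 1          # advanced after every record, of any type
        return fragment + mac

class ReadState(WriteState):
    def verify(self, ctype, protected, mac_len=20):
        fragment, mac = protected[:-mac_len], protected[-mac_len:]
        expected = record_mac(self.secret, self.seq_num, ctype, TLS_1_0, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")
        self.seq_num += 1
        return fragment

def demo():
    secret = bytes(range(20))      # constructed key, not from a real session
    sender, receiver = WriteState(secret), ReadState(secret)
    finished = sender.protect(HANDSHAKE, b"\x14\x00\x00\x0c" + b"\x00" * 12)  # seq 0
    app_data = sender.protect(APPLICATION_DATA, b"hello")                      # seq 1
    receiver.verify(HANDSHAKE, finished)
    plaintext = receiver.verify(APPLICATION_DATA, app_data)
    try:                           # same record again: receiver is now at seq 2
        receiver.verify(APPLICATION_DATA, app_data)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return plaintext, replay_rejected
```

The Finished message is the first record under the new keys, so it is MACed with sequence number 0 and the first application data record with 1; a replayed record fails because the receiver's counter has moved on.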






Problem using engine

2004-09-15 Thread Fabrício Abrão Costa
Hi all,
I'm having a problem with OpenSSL engine manipulation. In my program I
need to encrypt a text using the private key inside the engine and decrypt the
encrypted text using the public key on disk. To do that, I first need to set up
the engine, encrypt the text and then free all engine instances, to decrypt the
text using the public key stored on the hard disk.
The program needs to run continuously, but at the second iteration the
following error occurs:
1886:error:8806D064:eracom engine:PKC11_FINISH:already loaded:hw_eracom.c:1507:
1886:error:2607E074:engine routines:func(126):reason(116):eng_table.c:182:
The code is below. Has anyone already had this problem or a similar one?
Any idea why it happens?

Fabrício
int main(int argc, char* argv[])
{
    int i =0;
    while(1){
        runTest();
    }
}

void runTest()
{
    BIO *bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    const char *engine_id = "ERACOM";
    const char *name = "PKCS_SLOT_0_PIN";
    const char *password = "password";
    ENGINE *e = NULL;

    OpenSSL_add_all_algorithms();
    ENGINE_load_builtin_engines();
    ERR_load_crypto_strings();

    e = _util.setupEngine(engine_id,name,password);

    /** code to crypt the text using the private key inside the hsm **/

    ENGINE_free(e);
    ENGINE_cleanup();

    /** code to decrypt the crypted text using the public key stored at the hard disc **/

    EVP_cleanup();
    CRYPTO_cleanup_all_ex_data();
    ERR_remove_state(0);
    ERR_free_strings();

    BIO_free(bio_err);
}

ENGINE *XMLCAUtils::setupEngine(const char *__engine_id, const char *__name,
                                const char *__password, BIO *bio_err)
{
    ENGINE *e = NULL;
    int engine = 0;

    setenv(__name, __password, 0);

    if(((e = ENGINE_by_id(__engine_id)) == NULL)&&((e = loadEngine(__engine_id)) == NULL)){
        BIO_free(bio_err);
        ERR_print_errors(bio_err);
        return(NULL);
    }
    if(!ENGINE_set_default(e,ENGINE_METHOD_RSA)){

        /** here happens the error at the second iteration **/

        ERR_print_errors(bio_err);
        ENGINE_free(e);
        BIO_free(bio_err);
        return(NULL);
    }
    ENGINE_free(e);
    return(e);
}

ENGINE *XMLCAUtils::loadEngine(char const *__pcc_engine)
{
    ENGINE *e = ENGINE_by_id("dynamic");
    if(e){
        if((!ENGINE_ctrl_cmd_string(e, "SO_PATH", __pcc_engine, 0))||(!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))){
            ENGINE_free(e);
            e = NULL;
        }
    }
    return(e);
}





Re: PKCS7_add_attribute

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Antonio Ruiz Martínez wrote:

> Hello!
> 
> Thanks for your answer, it has been very useful when I use an octet 
> string, but I have got a problem when I'm using a sequence. 
> I think  I am not doing something properly because I don't get the 
> desired result.
> I've tried the following options:
> 
> 1)
> ASN1_OCTET_STRING *oct=NULL;
> oct=ASN1_STRING_new();
> ASN1_STRING_set(oct,p7_2,lenp7_2)
> where p7_2 -> coding in DER of a signed PKCS#7
> PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)oct);
> i2d_PKC7 .
> 
> This way when I try to decode the result of the coding I get an error, 
> It seems the structure is not correct.
> However, if I try with PKCS7_add_attribute(si, NID_pkcs7_signed, 
> V_ASN1_OCTET_STRING,(void *)oct) it works but I've an attribute which is 
> an octet string that contains a DER coded PKCS7 but I would like that 
> the attribute was directly the PKCS7
> 
> 2)
> p7_2=d2i_PKCS7(NULL,&tsp,lenTSP);
> PKCS7_add_attribute(si, NID_pkcs7_signed, V_ASN1_SEQUENCE,(void *)p7_2);
> i2d_PKC7 .
> 
> This way I can decode the encoded PKCS7 but the PKCS7 is not inserted 
> properly as an attribute.
> 
> How can I solve the problem?
> Could you help me another time, please?

My guess is that there's a problem with the generation of the encoding of the
attribute: what code did you use for that?

You can put totally unstructured garbage data in an OCTET_STRING and the
result will still parse until you try to decode the contents. If however you
try that with the V_ASN1_SEQUENCE it will choke the parser when you try
d2i_PKCS7() on the outer structure.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
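
Added example (Python, not OpenSSL code): a simplified model of the difference described above, where an OCTET STRING value gets its own tag and length around any bytes, while a value typed as SEQUENCE is copied into the attribute unchanged and so must already be a complete DER SEQUENCE. The helper names and both inputs are constructed; the attribute OID is the id-aa-timeStampToken value quoted earlier in the thread.

```python
OID_TIMESTAMP_TOKEN = bytes.fromhex("060b2a864886f70d010910020e")  # id-aa-timeStampToken

def der(tag, content):
    """Encode one TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def parse(data):
    """Strictly parse concatenated TLVs, descending into constructed ones."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header")
        tag, n = data[pos], data[pos + 1]
        pos += 2
        if n & 0x80:                  # long form: low 7 bits count the length bytes
            k = n & 0x7F
            if k == 0 or pos + k > len(data):
                raise ValueError("bad length field")
            n = int.from_bytes(data[pos:pos + k], "big")
            pos += k
        if pos + n > len(data):
            raise ValueError("content overruns enclosing structure")
        body = data[pos:pos + n]
        pos += n
        items.append((tag, parse(body) if tag & 0x20 else body))
    return items

def attribute(value_type, data):
    # OCTET STRING: data becomes the content of a new TLV, so any bytes are fine.
    # SEQUENCE: data is copied in unchanged and must already be a whole DER SEQUENCE.
    value = der(0x04, data) if value_type == "octet_string" else data
    return der(0x30, OID_TIMESTAMP_TOKEN + der(0x31, value))

def outer_parses(encoded):
    try:
        parse(encoded)
        return True
    except ValueError:
        return False

# Constructed inputs: a small valid SEQUENCE standing in for a DER-encoded PKCS7,
# and bytes that are not a complete DER element.
VALID_SEQ = der(0x30, der(0x02, b"\x01") + der(0x04, b"token"))
NOT_DER = b"\x30\x82\xff\xff truncated"
```

Both inputs parse when wrapped as an OCTET STRING; typed as SEQUENCE, only VALID_SEQ does, and NOT_DER makes the parse of the outer attribute fail.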


RE: TLS application data MAC

2004-09-15 Thread Avinash Agarwal
Hello dragos,
Thanks for the input.
The MAC generation mentioned below works alright for MAC generation
of Client/server handshake finished messages.
However, for the MAC generation for the TLS app data this is not working.
Any pointers on what could be wrong?
 
Regards,
Avinash

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of dragos liciu
Sent: Thursday, September 16, 2004 12:07 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS application data MAC



Hi Avinash, 

The paragraph you mentioned is a little bit vague, 
better look at 6.2.3.1 from the same RFC; below is a 
fragment from the 6.2.3.1 paragraph: 

.. 
   The MAC is generated as: 

   HMAC_hash(MAC_write_secret, seq_num +  
TLSCompressed.type + 
TLSCompressed.version + 
TLSCompressed.length + 
TLSCompressed.fragment)); 

   where "+" denotes concatenation. 
. 

The "two fixed character strings" are 'type' and 
'version'; I implemented it (in C++) just as specified 
above and it works. 


Dragos. 






Re: Regd ASN1_ITEM_rptr( )

2004-09-15 Thread Sravan




Dr. Stephen Henson wrote:

  On Wed, Sep 15, 2004, Sravan wrote:

  
  
Hi,
I have been using X509 related functions in my code and for the 
definitions of functions like X509_free( ), I am using the macro 
IMPLEMENT_ASN1_FUNCTIONS(X509). In that macro expansion, 
ASN1_ITEM_rptr(X509) is used which expands to X509_it( ). I couldn't get 
the definition of this function anywhere and so the linker is reporting 
it as an unresolved symbol. Actually I couldn't understand the purpose 
of this ASN1_ITEM_rptr( ). Can anyone please explain to me how to get 
around this?

I am using Openssl 0.9.7b in Windows platform.


  
  
What's the code that causes this error? There are some cases where you might
need to use ASN1_ITEM_rptr() directly but not many.
  

I need to use a function like X509_new( ) in my code. 


  
The reason for that macro (and some related ones) is to do with certain
platform quirks. In OpenSSL 0.9.7 and later ASN1 modules are defined in terms
of constant structures. 

When an external application ASN1 module needs to reference a module inside
OpenSSL itself it has to somehow determine a pointer to the relevant structure.

On some OSes you can't easily reference a pointer to a structure in a shared
library or (in the case of windows) you can't (or I couldn't) initialize a
structure at compile time to contain a pointer to a structure in a shared
library.

That is doing:

const SOME_STRUCT foo = {&bar,...};

where "bar" is in a shared library doesn't work.

The workaround for this is to export functions which return pointers
to the structures instead and include function pointers in the static
structure. The macros are there to allow applications to be
written which use the correct convention on all supported platforms.

  

Now I understood the use of ASN1_ITEM_rptr( ). Thank you.
But what if I don't wish to use the shared library (in which the
functions that return pointers to structures are present)?
In my case, I need to use say a function like X509_free( ) without
linking libeay32.lib (in case of Windows).
For that I use the macro IMPLEMENT_ASN1_FUNCTIONS(X509). But in that
expansion, ASN1_ITEM_rptr(X509) will be used which is being replaced as
X509_it( ) in my case. This is being reported as unresolved symbol by
the linker.

Regards,
Sravan