Extensions openssl
Hi,

I'm looking for a way to retrieve three extensions from a certificate. They are 'Subject Directory Attributes', 'Policy Mappings' and 'Name Constraints'. Although they are defined in RFC 2459, I could not find their definitions in crypto/objects/objects.h (openssl 0.9.7c distribution), nor could I find any help on the Internet.

Any help on this will be very much appreciated. Looking forward to any response.

Thanks in advance.
Installation error openssl-1.11
Hi all,

I am installing Globus Toolkit 3.2.1 on a Solaris 8 machine and am running into the following error in the openssl package. The error is this: (a more complete text is shown below.)

/export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11/crypto/.libs/libcrypto_gcc32dbgpthr.so ../crypto/.libs/libcrypto_gcc32dbgpthr.so -lsocket -lnsl -ldl -lpthread -lposix4 -R/export/home1/globuscore/lib
ld: warning: file ../crypto/.libs/libcrypto_gcc32dbgpthr.so: linked to /export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11/crypto/.libs/libcrypto_gcc32dbgpthr.so: attempted multiple inclusion of file

It appears that the file is including the library file twice, and this is the source of the error. Has anyone had any experience with this or know of a workaround?

Thanks,
Ben Simmons

---snip---
bash-2.03$ pwd
/export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11
bash-2.03$ make
Making all in include
Making all in openssl
e_os2.h => ./include/openssl//e_os2.h [File exists]
---snip---
Making all in ssl
Making all in apps
/bin/bash ../libtool --mode=link /usr/local/bin/gcc -DMONOLITH -DOPENSSL_NO_ASM -g -D_REENTRANT-D_REENTRANT -Wall -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DB_ENDIAN -DOPENSSL_SYSNAME_ULTRASPARC -L/export/home1/globuscore/lib -o openssl -L/export/home1/globuscore/lib openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o ../ssl/libssl_gcc32dbgpthr.la ../crypto/libcrypto_gcc32dbgpthr.la -lsocket -lnsl -ldl -lpthread -lposix4
/usr/local/bin/gcc -DMONOLITH -DOPENSSL_NO_ASM -g -D_REENTRANT -D_REENTRANT -Wall -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DB_ENDIAN -DOPENSSL_SYSNAME_ULTRASPARC -o .libs/openssl openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o -L/export/home1/globuscore/lib ../ssl/.libs/libssl_gcc32dbgpthr.so /export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11/crypto/.libs/libcrypto_gcc32dbgpthr.so ../crypto/.libs/libcrypto_gcc32dbgpthr.so -lsocket -lnsl -ldl -lpthread -lposix4 -R/export/home1/globuscore/lib
ld: warning: file ../crypto/.libs/libcrypto_gcc32dbgpthr.so: linked to /export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11/crypto/.libs/libcrypto_gcc32dbgpthr.so: attempted multiple inclusion of file
Undefined                       first referenced
 symbol                             in file
OPENSSL_load_builtin_modules        apps.o
---snip---
ENGINE_ctrl_cmd_string              apps.o
EVP_aes_192_cbc                     genrsa.o
ld: fatal: Symbol referencing errors. No output written to .libs/openssl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `openssl'
Current working directory /export/home1/globus/gt3.2.1-all-source-installer/BUILD/globus_openssl-1.11/apps
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
In custom RSA_METHOD, rsa_priv_enc() is enough?
Hi all,

I've managed to hack together a custom RSA_METHOD, based on Microsoft CryptoAPI (on Windows XP in my test case), to use a smart card for authentication. And it actually works, as far as I have managed to test it anyway.

But I'm a little puzzled: when I'm running it, the only (crypto-related) RSA_METHOD callback that gets called is rsa_priv_enc(), once. Even with a negotiated crypto like AES256-SHA, that, AFAICS, uses RSA for key exchange. Is this as expected, or are there other test cases that might trigger other callbacks (that need to be implemented then)?

BTW, RSA_new_method() isn't called with a RSA_METHOD*, but with an ENGINE*. Confusing?

TIA,
- Peter

--
Peter 'Luna' Runestig (fd. Altberg), Sweden <[EMAIL PROTECTED]>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B 42EA CB99 A35C D07B BE13
AOL Instant Messenger Screen name: PRunestig
Yahoo! Messenger profile name: altberg
An epiphany (of sorts)
Just finished a cover-to-cover reading of Planning for PKI [1] and it sure cleared up some things for me. Thanks to Richard Levitte for recommending it.

It seems most of the cognitive dissonance I've been having with this PKI stuff is due to the "PKI theoretics" being based upon a pair of assumptions, neither of which obtains in the real world.

Assumption 1: "There is a global X.500 repository, containing all the certificates, so no assumptions need be made on OBTAINING certificates, it suffices to prove that a valid chain of certificates EXISTS"

Assumption 2: "Relying-party software is competent to find all valid certificate chains, so no assumptions need be made on SELECTING certs, it suffices to prove that a valid chain of certificates EXISTS"

As a simple example, I had been unable to discern any operational difference between a bridge CA and a simple hierarchy with the bridge CA at the top. After reading the book, I realize that in fact THERE IS NO DIFFERENCE until you consider REVOCATION.

Let L be the local root and B be the bridge root, then when the bridge is the top of a simple hierarchy a local relying party uses the certificates:

+-+------+   +-+------+
|T|      |   |T|      |
+-+------+   +-+------+    Making the bridge simply one more entry in
| L root |   | B root |    the "trust list" schema from the book
+--------+   +--------+

while for the bridge case it uses:

+-+------+   +-+------+
|T|      |   |(L root)|
+-+------+   +-+------+    In this case the L root can revoke the
| L root |   | B root |    certificate that trusts the bridge
+--------+   +--------+

There is no difference here until we talk about revocation, since both configurations trust the same set of certificates, (the ones signed by L) union (the ones signed by B).

Given this, does anybody know any good references on how the various browsers can interact with a local LDAP directory, in terms of fetching certificates and CRLs when needed?

[1] Planning for PKI, Russ Housley and Tim Polk, Wiley, New York, 2001
http://www.amazon.co.uk/exec/obidos/ASIN/0471397024/qid=1095958618/sr=1-12/ref=sr_1_2_12/026-0124672-5623666

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
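
The trust-set argument in the message above, modelled as an added example that is not part of the original post: the trust-list and bridge configurations accept the same subjects until L revokes its certificate for B. The end-entity names (alice, bob, carol, dave) are constructed, and the model assumes a chain is valid whenever each issuer is already trusted, ignoring validity periods, path length and name or policy constraints.

```python
from typing import NamedTuple


class Cert(NamedTuple):
    issuer: str
    subject: str


def trusted_subjects(anchors, certs, revoked=frozenset()):
    """Subjects reachable from a trust anchor through unrevoked certificates."""
    trusted = set(anchors)
    grew = True
    while grew:                      # fixed point: keep extending chains
        grew = False
        for cert in certs:
            if cert in revoked or cert.issuer not in trusted:
                continue
            if cert.subject not in trusted:
                trusted.add(cert.subject)
                grew = True
    return trusted


# Constructed sample data: L and B each sign two end entities.
END_ENTITY_CERTS = [
    Cert("L", "alice"), Cert("L", "bob"),
    Cert("B", "carol"), Cert("B", "dave"),
]
CROSS_CERT = Cert("L", "B")          # L root certifies the bridge root


def trust_list_view(revoked=frozenset()):
    """B root installed as a second trust anchor next to L root."""
    return trusted_subjects({"L", "B"}, END_ENTITY_CERTS, revoked)


def bridge_view(revoked=frozenset()):
    """Only L root is an anchor; B root is reached via L's cross-certificate."""
    return trusted_subjects({"L"}, END_ENTITY_CERTS + [CROSS_CERT], revoked)


if __name__ == "__main__":
    print("no revocation, identical:", trust_list_view() == bridge_view())
    crl = frozenset({CROSS_CERT})    # L revokes its certificate for B
    print("trust list after CRL:", sorted(trust_list_view(crl)))
    print("bridge after CRL:    ", sorted(bridge_view(crl)))
```

In the trust-list case the revocation has no effect because B is trusted directly, so removing it means editing the relying party's trust list rather than publishing a CRL.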
Setting/Reusing a PKCS7 session key
Hello,

I have to use a single session key for two PKCS7 objects. However, I could not find an easy way to set the key for an object since it is usually generated on the fly by the PKCS7_dataInit function. Is it possible to get this done without having to rewrite parts of the dataInit code?

Thanks in advance!
Jörn