extending a PKCS12 certificate
Hello all,

I would like to ask a question about PKCS12 certificates. Is it possible to extend a PKCS12 certificate with arbitrary data? I would like to extend a given certificate with user data (such as login and password) in such a way that the output certificate is still a valid certificate. If so, can this be done with OpenSSL? How do I extract the extensions?

Thanks in advance.

Kind regards,
Theodore

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: extending a PKCS12 certificate
As far as I know, PKCS12 is just a combination of your private key and the public certificate. So, it should be possible to extract the certificate, make the changes and pack it together with the private key again.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Theodore Olen
Sent: Friday, 4 August 2006 15:31
To: openssl-users@openssl.org
Subject: extending a PKCS12 certificate
RE: extending a PKCS12 certificate
It seems like you are talking about Attribute Certificate, but openssl doesn't support them. Unfortunately. :o(

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Theodore Olen
Sent: Friday, August 04, 2006 2:31 PM
To: openssl-users@openssl.org
Subject: extending a PKCS12 certificate
Cross Signing
This may be the wrong place to ask this since it is not OpenSSL specific, but would cross signing of an X.509 cert to verify its contents be a good measure to increase the trustworthiness of a cert? Take the following example...

We have a CA which hands out certs with authorization type attributes (the purpose extension comes to mind). Whoever has root access to that CA could create a sub CA, or an arbitrary cert. What if the CA were to send the presigned cert to another trusted box which could then verify the contents and sign the cert in a noncritical extension? The main CA could then sign the cert in the standard way. Then applications that were paranoid about authorization could check the permission by using the public key of the checker CA.

Would this work? If so, wouldn't this make it more difficult for any one person to do unauthorized things with certs by enforcing a check-and-balance type system?

Thanks,
Andrew
RE: extending a PKCS12 certificate
Hello Sascha,

wouldn't this invalidate the digest and therefore the entire certificate? If changing the arbitrary data does not invalidate the certificate, it must not be part of the digest, but then everybody would be able to change it. And just adding the arbitrary data to the PKCS12 file would not make those data more trustworthy either. If this is possible at all.

With kind regards
Gerd

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Friday, August 04, 2006 2:11 PM
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

> As far as I know, PKCS12 is just a combination of your private key and the public certificate. So, it should be possible to extract the certificate, make the changes and pack it together with the private key again.
Re: Cross Signing
You'd also need to identify that second CA. Verifying that internal (second) signature would be tricky since you'd have to remove the extension (tweak the DER length fields, etc.) before hashing. And then there's all the complexity of checking for revocation from the second CA. (Which, frankly, probably wouldn't happen given how little revocation checking is done on the real CA. :) For example, wouldn't you have to keep the serial numbers in sync? And validity periods?

A simpler approach seems to be for concerned applications to require the client to provide certificates from both CAs.

/r$
--
SOA Appliances
Application Integration Middleware
RE: extending a PKCS12 certificate
Hello,

Thanks for your reply. Can you please give a little more explanation on how this can be done? To be sure, I don't want to change the private key and public certificate; simply said, I want to add arbitrary data to my .p12 file. Why do I want this? This ensures me that the data is safely stored, as the certificate, and therefore also my additional data, can only be opened when the password is known.

Thanks in advance.

Kind regards,
Theodore

From: Sascha Kiefer [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate
Date: Fri, 4 Aug 2006 16:11:14 +0400

> As far as I know, PKCS12 is just a combination of your private key and the public certificate. So, it should be possible to extract the certificate, make the changes and pack it together with the private key again.
Re: extending a PKCS12 certificate
PKCS12 is a data format. It's usually password-protected, and is designed to bundle together a private key with one or more certificates. OpenSSL includes tools (programs and APIs) to parse and generate PKCS12.

Once you've extracted the cert, you can parse it, and add an extension. To sign the new certificate, you need the CA's private key; if you don't have that, forget it. If you do have that, then you might want to look at apps/ca.c or apps/x509.c to see the APIs used to manipulate extensions and sign certificates.

/r$
--
SOA Appliances
Application Integration Middleware
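Gerd's objection and Rich's answer, worked through with the openssl command line as an added example (not code from the thread or from the OpenSSL project): a throwaway CA issues a cert carrying a private extension, the cert goes into a .p12 and is pulled back out, verified and its extension read; then the extension is edited and the cert re-signed with the only key the holder has, which openssl verify rejects. Assumes openssl 1.1.1 or later on PATH; the file names, the private OID 1.3.6.1.4.1.99999.1 and the password are invented for the demo.

```shell
#!/bin/sh
# Added demo, not code from the thread. Needs openssl 1.1.1+ on PATH.
# File names, the private OID 1.3.6.1.4.1.99999.1 and the password "secret"
# are made up for this example.

# 1. Throwaway CA plus a leaf cert that carries an arbitrary extension.
#    The extension sits inside the signed TBSCertificate, so only the CA key
#    can put it there; then key + cert + CA go into a password-protected .p12.
setup_pki() {
  WORK=$(mktemp -d) && cd "$WORK" || return 1
  openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
      -subj "/CN=Demo CA" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca_ext.cnf \
      -out ca.pem >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=theodore" >/dev/null 2>&1 || return 1
  printf '1.3.6.1.4.1.99999.1=ASN1:UTF8String:role=user\n' > leaf_ext.cnf
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -extfile leaf_ext.cnf -out leaf.pem >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile ca.pem \
      -passout pass:secret -out bundle.p12 >/dev/null 2>&1 || return 1
}

# 2. Pull the client cert back out of the .p12 and check it chains to the CA.
#    Prints OK when openssl verify accepts it.
extract_and_verify() {
  openssl pkcs12 -in bundle.p12 -passin pass:secret -clcerts -nokeys \
      -out extracted.pem >/dev/null 2>&1 || return 1
  openssl verify -CAfile ca.pem extracted.pem >/dev/null 2>&1 && echo OK
}

# 3. "How do I extract the extensions?": OpenSSL has no decoder for a private
#    OID, so -text prints the raw value; grep the string out of it.
read_extension() {
  openssl x509 -in extracted.pem -noout -text | grep -o 'role=[a-z]*'
}

# 4. Gerd's objection made concrete: change the extension and re-sign with the
#    only key the holder has (leaf.key). The result no longer carries the CA's
#    signature, so verification against ca.pem fails. Prints REJECTED/ACCEPTED.
tamper_without_ca_key() {
  printf '1.3.6.1.4.1.99999.1=ASN1:UTF8String:role=changed\n' > edit_ext.cnf
  openssl x509 -in leaf.pem -clrext -signkey leaf.key -days 30 \
      -extfile edit_ext.cnf -out resigned.pem >/dev/null 2>&1 || return 1
  if openssl verify -CAfile ca.pem resigned.pem >/dev/null 2>&1
  then echo ACCEPTED; else echo REJECTED; fi
}

setup_pki && extract_and_verify && read_extension && tamper_without_ca_key
```

Running it prints OK, role=user and REJECTED in turn; the scratch directory is left behind under the temp dir for inspection.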
RE: extending a PKCS12 certificate
Hello,

I'll look into Attribute Certificate, as I've never heard of this term before. Thanks!

Kind regards,
Theodore

From: Dmitrij Mironov [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate
Date: Fri, 4 Aug 2006 15:11:28 +0300

> It seems like you are talking about Attribute Certificate, but openssl doesn't support them. Unfortunately. :o(
RE: extending a PKCS12 certificate
> ensures me that the data is safely stored, as the certificate, and therefore also my additional data, can only be opened when the password is known.

If this is all you want to do, a cryptographic beginner such as yourself will probably find it easier to use something like the GNU Privacy Guard.

/r$
--
SOA Appliances
Application Integration Middleware
Re: extending a PKCS12 certificate
Theodore Olen wrote:
> Hello, I'll look into Attribute Certificate, as I've never heard of this term before. Thanks!

See http://www.ietf.org/rfc/rfc3281.txt

- vijay

--
Vijay K. Gurbani [EMAIL PROTECTED],research.bell-labs.com,acm.org}
Bell Laboratories, Lucent Technologies, Inc.
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
RE: extending a PKCS12 certificate
Hi Gerd,

It will. But as Dmitrij already pointed out, there are Attribute Certificates. Those attributes are not part of the signed data, so they can be changed (but also by anybody). But inside a PKCS12 they are at least safe, and for internal use it might work. (But you do not want login information that may be stored in a public certificate sent to the outside world, so to my understanding it will no longer be a public certificate, would it?)

So long,
--sk

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 4 August 2006 17:24
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate

> Hello Sascha, wouldn't this invalidate the digest and therefore the entire certificate? If changing the arbitrary data does not invalidate the certificate, it must not be part of the digest, but then everybody would be able to change it. And just adding the arbitrary data to the PKCS12 file would not make those data more trustworthy either. If this is possible at all.
RE: extending a PKCS12 certificate
It doesn't make much sense to add attributes to certs if the values of those attributes can't be verified. Attribute Certificate seems the right way to go (thanks, Vijay!). The question is - do our mainstream CAs (such as VeriSign, etc.) support Attribute Certificate?

Tnx!

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Friday, August 04, 2006 10:00
To: openssl-users@openssl.org
Subject: RE: extending a PKCS12 certificate
Can't Upgrade! Can't Add Threading! Please Help!
Hi;

I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:

  ./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-threads enable-shared
  make
  make test
  make install

and everything checked out just fine. However...

  server167# openssl version
  OpenSSL 0.9.7d 17 Mar 2004
  server167# pwd
  /usr/ports/www/openssl-0.9.8b

So... How do I turn off the old version and turn on the new which should support threading so I can use Pound??

TIA,
beno
Re: Can't Upgrade! Can't Add Threading! Please Help!
Hello,

> I have FreeBSD 5.3. I d/l'd the latest distro of openssl, ran:
>
>   ./config --prefix=/usr/local --openssldir=/usr/local/openssl enable-threads enable-shared
>   make
>   make test
>   make install
>
> and everything checked out just fine. However...
>
>   server167# openssl version
>   OpenSSL 0.9.7d 17 Mar 2004
>   server167# pwd
>   /usr/ports/www/openssl-0.9.8b
>
> So... How do I turn off the old version and turn on the new which should support threading so I can use Pound??

But I think:

  $ /usr/local/bin/openssl version

will give good results. When configuring Pound add option:

  $ ./configure --with-ssl=/usr/local ...

Hope this helps.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]