OpenSSL crashes in verify with this specific file.

2007-02-09 Thread Steffen Lips

Hello,

I have got a file which is signed in DER format. Now I try to verify it 
with 'inform SMIME'. Normally OpenSSL should notify the wrong format and 
exit with errors. But with the attached file it crashes very hard.


Regards

Steffen Lips

BIO_read question

2007-02-09 Thread Alexander Semyonov

Hello. I have a question about BIO_read function (). I am trying to read
data from BIO, I have a buffer to place data in it. But how can I know that
there is more data (xml/xmpp in fact) in BIO? This way I can grow the buffer
and append new data to it. Thanx.


Re: Multiple Authority Key Identifiers in a certificate

2007-02-09 Thread Dr. Stephen Henson
On Fri, Feb 09, 2007, Srinivasan Thirunarayanan wrote:

> Is it possible to have more than one AuthorityKeyIdentifiers in a
> certificate? The X509 RFC says thus:
>
> AuthorityKeyIdentifier ::= SEQUENCE {
>     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
>     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
>     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
>
> But so far, I haven't been able to find any certificate with more than
> one AuthorityKeyIdentifier.
>
> Is it possible to create a certificate in OpenSSL with more than one
> AuthorityKeyIdentifier? If so, how do I do it?
 

IMHO doing that is illegal, if it isn't specifically prohibited by the
standards it should be.

Since you can only sign a certificate using one key I'm not sure why
you'd want to.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: BIO_read question

2007-02-09 Thread Marek Marcola
Hello,
> Hello. I have a question about BIO_read function (). I am trying to
> read data from BIO, I have a buffer to place data in it. But how can I
> know that there is more data (xml/xmpp in fact) in BIO? This way I can
> grow the buffer and append new data to it. Thanx.

BIO_pending() (if supported by specific BIO).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



OpenSSL FIPS 140-2 validation

2007-02-09 Thread Steve Marquess
Good news for developers and vendors of software for the U.S. and 
Canadian government market where FIPS 140-2 validated cryptography is 
required.


The OpenSSL FIPS Object Module, a software component compatible with 
the OpenSSL API, has been FIPS 140-2 validated (see certificate #733 and 
Security Policy document at 
http://csrc.nist.gov/cryptval/140-1/1401val2007.htm).  The source 
distribution that generates this validated module is at 
http://www.openssl.org/source/openssl-fips-1.1.1.tar.gz.


This validation means that the referenced source distribution can be 
used to create a binary module on a wide range of platforms, in a form 
compatible with OpenSSL 0.9.7, for enabling FIPS 140-2 validated 
cryptography in applications.


Please see the Security Policy document for details on how to create a 
validated module for your platform and application.  Other supporting 
information will be made available at http://oss-institute.org/FIPS_733/.


-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]



RE: BIO_read question

2007-02-09 Thread David Schwartz

> Hello. I have a question about BIO_read function ().
> I am trying to read data from BIO, I have a buffer to place data in it.
> But how can I know that there is more data (xml/xmpp in fact) in BIO?
> This way I can grow the buffer and append new data to it. Thanx.

If there is at least one byte of space in the buffer, just call BIO_read. If
there isn't a single byte of room and you don't have the full request,
you're going to have to grow the buffer at some point anyway, so you might
as well do it now. If you do have the full request, there's no point in
growing the buffer since no more data is coming anyway. If you're not sure
if you have the full request or not, knowing whether more data is available
*now* won't tell you.

So why do you care?

DS
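
The read loop this reply describes, as an added example that is not part of the original thread: read whenever there is room, grow only when the buffer is full and the message is still incomplete, and let the framing (here a closing tag) decide completeness. `chunk_read` and `struct src` are hypothetical stand-ins that follow the `BIO_read()` return convention so the block runs without libcrypto; the size cap is an added safeguard.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a BIO: hands out at most `step` bytes per call
 * and returns >0 for bytes read or 0 at end of data, like BIO_read(). */
struct src { const char *data; size_t len, off, step; };

static int chunk_read(struct src *s, void *buf, int len)
{
    size_t n = s->len - s->off;
    if (n > s->step) n = s->step;
    if (n > (size_t)len) n = (size_t)len;
    memcpy(buf, s->data + s->off, n);
    s->off += n;
    return (int)n;
}

/* Read until the terminator `end` has arrived. Returns a malloc'd,
 * NUL-terminated buffer (length in *out_len), or NULL if the stream ends
 * early, allocation fails, or the buffer would have to exceed max_len. */
char *read_message(struct src *s, const char *end, size_t max_len,
                   size_t *out_len)
{
    size_t cap = 16, used = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        if (used + 1 == cap) {            /* full and incomplete: grow now */
            if (cap >= max_len) break;    /* bound what a peer can make us allocate */
            size_t ncap = cap * 2 > max_len ? max_len : cap * 2;
            char *nb = realloc(buf, ncap);
            if (!nb) break;
            buf = nb;
            cap = ncap;
        }
        /* There is room, so just read; no need to ask what is pending. */
        int n = chunk_read(s, buf + used, (int)(cap - used - 1));
        if (n <= 0) break;                /* EOF or error before terminator */
        used += (size_t)n;
        buf[used] = '\0';
        if (strstr(buf, end)) {           /* framing says the message is complete */
            *out_len = used;
            return buf;
        }
    }
    free(buf);
    return NULL;
}
```

With a real BIO the call inside the loop would be `BIO_read(bio, buf + used, (int)(cap - used - 1))`; any bytes that arrive after the terminator belong to the next message and must be carried over by the caller.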




Openssl and Windows Timezones

2007-02-09 Thread Ryan Phillips
Hi Everyone,

My problem is with Windows 200x generated certificates.  The Windows
servers are set to local time, but when I import or use these
certificates within OpenSSL they appear to be set to GMT time.  The
certificate's validity is not valid between the offset of GMT to the
localtime of the Linux machine.

Does OpenSSL know how to use the localtime to verify certificates, or
does it always use GMT?

Thanks for the help,
Ryan Phillips


RE: Openssl and Windows Timezones

2007-02-09 Thread David Schwartz

> Hi Everyone,
>
> My problem is with Windows 200x generated certificates.  The Windows
> servers are set to local time, but when I import or use these
> certificates within OpenSSL they appear to be set to GMT time.  The
> certificate's validity is not valid between the offset of GMT to the
> localtime of the Linux machine.
>
> Does OpenSSL know how to use the localtime to verify certificates, or
> does it always use GMT?

Certificates *always* use GMT. If certificates contained local time, you'd
have to know what time zone they were created in to know when they were
valid, which would create all kinds of ugliness.

If your certificates contain in them the local time they are valid, they are
erroneous. Make sure the error is in the certificate and not in the viewing
tool (that may convert them to local time for display convenience or think
they are in local time).

Windows servers should be set to local time, but they should also know their
correct timezone so that they can generate GMT for those things that require
them.

DS
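
A validity check done entirely in GMT, as an added example that is not part of the original thread and does not use OpenSSL's own code: it parses the `YYMMDDHHMMSSZ` UTCTime form that RFC 5280 requires and compares it with an epoch timestamp, which is UTC-based on every machine. The function names and the sample dates in the comments are constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian calendar date. */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = y / 400;          /* y >= 1949 here, never negative */
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse an ASN.1 UTCTime (YYMMDDHHMMSSZ) into seconds since the epoch.
 * Returns 0 on success, -1 if the field is malformed. */
int utctime_to_epoch(const char *s, long long *out)
{
    int f[6];
    /* The trailing 'Z' is mandatory: offsets and local time are rejected. */
    if (strlen(s) != 13 || s[12] != 'Z') return -1;
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)s[2 * i]) ||
            !isdigit((unsigned char)s[2 * i + 1])) return -1;
        f[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
    }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59) return -1;
    /* RFC 5280: two-digit years 50..99 mean 19YY, 00..49 mean 20YY. */
    int year = f[0] >= 50 ? 1900 + f[0] : 2000 + f[0];
    *out = days_from_civil(year, f[1], f[2]) * 86400LL
         + f[3] * 3600 + f[4] * 60 + f[5];
    return 0;
}

/* `now` is what time(NULL) returns; it needs no time zone adjustment.
 * Returns 0 if valid, -1 if not yet valid, 1 if expired, -2 if malformed. */
int check_validity(const char *not_before, const char *not_after,
                   long long now)
{
    long long nb, na;
    if (utctime_to_epoch(not_before, &nb) ||
        utctime_to_epoch(not_after, &na)) return -2;
    if (now < nb) return -1;
    if (now > na) return 1;
    return 0;
}
```

A certificate whose notBefore is `070209000000Z` is still "not yet valid" on a machine whose wall clock already reads midnight on 9 February in a UTC+1 zone, which is the window described in the question.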




problem of OpenSSL on MIPS R3000

2007-02-09 Thread 杨成
Hi, everyone,

I just cross-compiled OpenSSL 0.9.7 under Linux with mipsel-linux-gcc for
MIPS R3000; no errors occurred during the compiling process.
But when I put the resulting lib on the hardware platform, the OpenSSL routines
cannot be carried out and a “segment fault” occurs.
Why? Does OpenSSL not support MIPS? What should I do to cross-compile
for MIPS R3000?

The debug info is :
==
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=mipsel-linux --target=mipsel-linux-uclibc".
(gdb) core core.186
Core was generated by `./drmCli'.
Program terminated with signal 11, Segmentation fault.
#0  0x0044cdac in EVP_des_cbc ()
(gdb) where
#0  0x0044cdac in EVP_des_cbc ()
#1  0x00427b4c in SSL_library_init ()
#2  0x00427b4c in SSL_library_init ()
#3  0x00400cd0 in transend (properlistInfo=0x100383f0 , acIP=0x574f50 "192.168.18.155", acPORT=) at main.c:93
#4  0x00402a70 in cliskthread () at main.c:770
#5  0x004eac48 in pthread_start_thread ()
#6  0x00527c20 in __thread_start ()
Previous frame inner to this frame (corrupt stack?)
(gdb)
ulimit -c unlimited
mipsel-linux-gdb drmCli
core core.123
where
==
The transend function is:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>

/* struct ProperTable and the CHK_NULL / CHK_ERR / CHK_SSL error-checking
   macros are defined elsewhere in the program and are not shown here. */

void transend(char *properlistInfo, const char *acIP, int acPORT)
{
  /* ----------------------------------------------- */
  //char P[2000];
  struct ProperTable p;
  struct ProperTable *pp;
  pp = &p;

  int err;
  int sd;
  struct sockaddr_in sa;
  SSL_CTX *ctx;
  SSL *ssl;
  X509 *server_cert;
  char *str;
  char buf2[4096];
  char *bufp;
  bufp = buf2;
  SSL_METHOD *meth;
  /* ----------------------------------------------- */
  //memset(P,0,sizeof(P));
  //i = propertable_gen(type,userid,pid,data,pp);

  /* Treat the caller's buffer as a ProperTable record and dump its fields. */
  pp = (struct ProperTable *)properlistInfo;
  printf("transend p.Type=%x\n", (*pp).Type);
  printf("transend p.UserID=%x\n", (*pp).UserID);
  printf("transend p.PID=%x\n", (*pp).PID);
  printf("transend p.Lenth=%d\n", (*pp).Lenth);
  printf("transend p.Data=%s\n", (*pp).Data);
  /* ----------------------------------------------- */

  /* Library initialisation; the reported crash happens inside this call. */
  SSLeay_add_ssl_algorithms();
  /* SSLv2 only, as posted; SSLv2 is obsolete and insecure. */
  meth = SSLv2_client_method();
  SSL_load_error_strings();
  ctx = SSL_CTX_new(meth);                          CHK_NULL(ctx);
  /* The posted code also ran CHK_SSL(err) here, before err was ever
     assigned; that read of an uninitialised variable has been dropped. */

  /* ----------------------------------------------- */
  /* Create a socket and connect to server using normal socket calls. */

  sd = socket(AF_INET, SOCK_STREAM, 0);             CHK_ERR(sd, "socket");

  memset(&sa, '\0', sizeof(sa));
  sa.sin_family = AF_INET;
  // sa.sin_addr.s_addr = inet_addr("127.0.0.1");      /* Server IP */
  // sa.sin_addr.s_addr = inet_addr("10.64.104.168");  /* Server IP */
  sa.sin_addr.s_addr = inet_addr(acIP);
  // sa.sin_port = htons();                            /* Server Port number */
  sa.sin_port = htons(acPORT);                      /* Server Port number */

  err = connect(sd, (struct sockaddr *)&sa, sizeof(sa));
  CHK_ERR(err, "connect");

  /* ----------------------------------------------- */
  /* Now we have TCP connection. Start SSL negotiation. */

  ssl = SSL_new(ctx);                               CHK_NULL(ssl);
  SSL_set_fd(ssl, sd);
  err = SSL_connect(ssl);                           CHK_SSL(err);

  /* Following two steps are optional and not required for
     data exchange to be successful. */

  /* Get the cipher - opt */

  printf("SSL connection using %s\n", SSL_get_cipher(ssl));

  /* Get server's certificate (note: beware of dynamic allocation) - opt */

  server_cert = SSL_get_peer_certificate(ssl);      CHK_NULL(server_cert);
  printf("Server certificate:\n");

  str = X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0);
  CHK_NULL(str);
  printf("\t subject: %s\n", str);
  OPENSSL_free(str);

  str = X509_NAME_oneline(X509_get_issuer_name(server_cert), 0, 0);
  CHK_NULL(str);
  printf("\t issuer: %s\n", str);
  OPENSSL_free(str);

  /* We could do all sorts of certificate verification stuff here before
     deallocating the certificate. */

  X509_free(server_cert);

  /* ----------------------------------------------- */
  /* DATA EXCHANGE - Send a message and receive a reply. */

  //err = SSL_write (ssl, pp, sizeof(*pp));  CHK_SSL(err);
  //err = SSL_write (ssl, properlistInfo, strlen(properlistInfo));  CHK_SSL(err);
  //print properlistInfo

  err = SSL_write(ssl, properlistInfo, sizeof(struct ProperTable));
  CHK_SSL(err);
  /* Leave one byte free so the reply can be NUL-terminated. */
  err = SSL_read(ssl, buf2, sizeof(buf2) - 1);
  CHK_SSL(err);
  buf2[err] = '\0';
  printf("Got %d chars:'%s'\n", err, buf2);

  SSL_shutdown(ssl);  /* send SSL/TLS close_notify */

  /* Clean up. */

  close(sd);
  SSL_free(ssl);
  SSL_CTX_free(ctx);
}


Compiling openssl as shared object

2007-02-09 Thread Mário Gamito

Hi,

I'm getting errors from compiling courier-imap.
I think that's because I've compiled openssl as a static object.

How do I compile it as a shared one?

Any help would be appreciated.

Warm regards,
Mário Gamito


openssl 0.9.8D, Solaris 10 difficulties

2007-02-09 Thread Phillip_Young

All,

This is my first post, so if this is an FAQ, I apologize (but I did search
the archives first.)

I'm trying to build openssl 0.9.8D on a SunFire 280R running Solaris 10.
I'm using SunStudio 11.

The error I'm seeing is the same one that another user reported, wherein I
am unable to complete the 'make test' step because I  get an error as
follows:

Testing cipher AES-128-ECB(encrypt)
.
.
make: Fatal error: Command failed for target `test_evp'

In the previous post, another subscriber suggested patching SunStudio 11.
I applied all the patches I could find on SunSolve (namely, 120761-03,
121023-04, and 122142-03.)  I'm getting the same result, so I'm really
baffled at this point.   Any suggestions would be very much appreciated!

-ty

Phillip T. (Ty) Young, DMA
Manager, Data Center and Backup/Recovery Services
Information Services
i2 Technologies, Inc.



Re: openssl 0.9.8D, Solaris 10 difficulties

2007-02-09 Thread William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
 
> In the previous post, another subscriber suggested patching SunStudio 11.
> I applied all the patches I could find on SunSolve (namely, 120761-03,
> 121023-04, and 122142-03.)  I'm getting the same result, so I'm really
> baffled at this point.   Any suggestions would be very much appreciated!

You must have missed one... otherwise crank down your optimizations with
the notes suggested in the RT ticket 1281.