Modifying the request subject DN while signing it

2007-04-23 Thread Arsen Hayrapetyan 

Hello,

The user created a PKCS#10 request using 'openssl req -subj...' and 
specified some subject distinguished name (DN), say 
'/C=AM/O=Org/OU=Dep/DN=ABC'. When the certification authority signs this 
request (for example, with command 'openssl ca...'), can it modify the 
DN, say, set it to '/C=AM/O=Org/OU=Dep/OU=DepNew/DN=ABC' (add delete or 
replace an attribute)?


Thanks in advance,
Arsen.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Modifying the request subject DN while signing it

2007-04-23 Thread Victor Duchovni 
On Mon, Apr 23, 2007 at 07:03:19PM +0500, Arsen Hayrapetyan wrote:

 The user created a PKCS#10 request using 'openssl req -subj...' and 
 specified some subject distinguished name (DN), say 
 '/C=AM/O=Org/OU=Dep/DN=ABC'. When the certification authority signs this 
 request (for example, with command 'openssl ca...'), can it modify the 
 DN, say, set it to '/C=AM/O=Org/OU=Dep/OU=DepNew/DN=ABC' (add delete or 
 replace an attribute)?

In theory yes, they have the public key in the request, and they are
free to mint any certificate they want. All they need is the right
software.

The only thing they should not be able to do is come up with the
corresponding private key, but it is not needed for certificate generation
(the private key is needed to generate a well-formed signed CSR, but
the CA does not strictly need a CSR).

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: BIGNUM library

2007-04-23 Thread Edward Chan 
Christophe, you're right.  I just looked at my coe again, and I was not
checking the return value of DH_compute_key() for the size of the
computed shared secret; I was assuming it to be the same size as that
returned by DH_size(), which is obviously not a valid assumption.  All
the other libs return the size as an in/out arg where on the way in, the
arg is set to the size of the output buffer used to store the secret,
and on the way out it is set to the size of the secret.  So I had
overlooked that the size was actually returned via the return value.
Thanks for your help on this!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christophe Devine
Sent: Saturday, April 21, 2007 2:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

Edward Chan [EMAIL PROTECTED] wrote:

 But I think this always returned me 128 bytes.  So am I supposed to
 bzero the output buffer first?

Here's how I fixed the bug (not very elegant, it was a quick hack)


int i, ret = DH_compute_key(secret, pkey, m_dh);
if( ret  0  ret  128 )
{
for(i = ret; i = 0; i--)
secret[i+1] = secret[i];

memset(secret, 0, 128 - ret);
}
ReverseBytes(secret, size);


Christophe

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

openssl pkcs12 don't want to prompt password

2007-04-23 Thread Janet N 

Hi,

I'm using openssl pkcs12 to export the usercert and userkey PEM files out of
pkcs12.  I don't want the openssl pkcs12 to prompt the user for the import
and pem pass phrase.  What are the password flags to be used?

I got an invalid password when I do the following:

-bash-3.1$ openssl pkcs12 -in janet.p12 -nocerts -out userkey.pem -passin
test123
Invalid password argument test123
Error getting passwords

Thanks!

Multithreaded application crash

2007-04-23 Thread brajesh tiwari 

Hi:

I have develope a multi threaded client using open ssl.( openssl-0.9.6g) .

My client application crashes in SslClose. Below is the stack trace:

SslClose


0  0x3ff805c1ac8 in __nxm_thread_kill(...) in /usr/shlib/libpthread.so

#1  0x3ff805ba120 in pthread_kill(...) in /usr/shlib/libpthread.so
#2  0x3ff805c62a8 in UnknownProcedure2FromFile100(...) in
/usr/shlib/libpthread.so
#3  0x3ff80633994 in UnknownProcedure16FromFile0(...) in
/usr/shlib/libexc.so
#4  0x3ff80633d80 in exc_raise_signal_exception(...) in /usr/shlib/libexc.so
#5  0x3ff800d9c30 in __sigtramp(...) in /usr/shlib/libc.so
#6  0x3ff802124b8 in UnknownProcedure17FromFile22(...) in /usr/shlib/libc.so
#7  0x3ff80212cf0 in UnknownProcedure13FromFile22(...) in /usr/shlib/libc.so
#8  0x120061e30 in CRYPTO_free(str=0x140105400) mem.c :251
#9  0x12006ca28 in X509_NAME_ENTRY_free(a=0x140105400) x_name.c:259
#10 0x120062900 in sk_pop_free(st=0x1401034f0, func=0x12006c9d4) stack.c
:288
#11 0x12006c9a0 in X509_NAME_free(a=0x1400ecde0) x_name.c:250
#12 0x120095b54 in X509_CINF_free(a=0x140103520) x_cinf.c:192
#13 0x12006d138 in X509_free(a=0x1400f10e0) x_x509.c:154
#14 0x120048770 in SSL_SESSION_free(ss=0x14011a140) ssl_sess.c:481
#15 0x12003e3d4 in SSL_free(s=0x1400d4f00) ssl_lib.c:366
#16 0x12003b418 in SslClose(...) in client

I am using  pthread on Digital Unix (OSF1 machine V5.1 2650 alpha ).
I have also defined the call backs CRYPTO_set_id_callback and
CRYPTO_set_locking_callback which is needed
for multithreaded application.

Can some one please tell me what may be the problem here.
Thank you very much.

Brajesh