Modifying the request subject DN while signing it
Hello,

The user created a PKCS#10 request using 'openssl req -subj...' and specified some subject distinguished name (DN), say '/C=AM/O=Org/OU=Dep/DN=ABC'. When the certification authority signs this request (for example, with command 'openssl ca...'), can it modify the DN, say, set it to '/C=AM/O=Org/OU=Dep/OU=DepNew/DN=ABC' (add, delete or replace an attribute)?

Thanks in advance,
Arsen.

Re: Modifying the request subject DN while signing it
On Mon, Apr 23, 2007 at 07:03:19PM +0500, Arsen Hayrapetyan wrote:

> The user created a PKCS#10 request using 'openssl req -subj...' and specified some subject distinguished name (DN), say '/C=AM/O=Org/OU=Dep/DN=ABC'. When the certification authority signs this request (for example, with command 'openssl ca...'), can it modify the DN, say, set it to '/C=AM/O=Org/OU=Dep/OU=DepNew/DN=ABC' (add, delete or replace an attribute)?

In theory yes, they have the public key in the request, and they are free to mint any certificate they want. All they need is the right software. The only thing they should not be able to do is come up with the corresponding private key, but it is not needed for certificate generation (the private key is needed to generate a well-formed signed CSR, but the CA does not strictly need a CSR).

-- 
Viktor.

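The behaviour described in the reply above, as an added example that is not part of the thread: a throwaway CA signs a request with 'openssl ca -subj', which supersedes the subject in the request, and the output shows that only the public key is carried over unchanged. All file names, the CA configuration and the DNs are constructed for the demo, and 'CN=ABC' is used in place of the thread's 'DN=ABC' so that OpenSSL recognises the attribute.

```shell
#!/bin/sh
# Added example. Every file name and DN here is constructed for the demo.
# Prints three lines: CSR subject, certificate subject, key=same|different.
demo_ca_rewrites_subject() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
        # Minimal CA section for 'openssl ca' (demo values only)
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
EOF
        # CA key and self-signed CA certificate
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj '/C=AM/O=Org/CN=Demo CA' -days 30 2>/dev/null || exit 1
        # The user's key and PKCS#10 request, carrying the DN the user chose
        openssl req -new -newkey rsa:2048 -nodes -keyout user.key \
            -out user.csr -subj '/C=AM/O=Org/OU=Dep/CN=ABC' 2>/dev/null || exit 1
        # The CA signs the request but supplies its own subject with -subj
        openssl ca -batch -config ca.cnf -in user.csr -out user.pem \
            -subj '/C=AM/O=Org/OU=Dep/OU=DepNew/CN=ABC' 2>/dev/null || exit 1
        openssl req -in user.csr -noout -subject
        openssl x509 -in user.pem -noout -subject
        # The public key is the one thing the CA took over unchanged
        openssl req -in user.csr -noout -pubkey > csr.pub
        openssl x509 -in user.pem -noout -pubkey > crt.pub
        if cmp -s csr.pub crt.pub; then echo key=same; else echo key=different; fi
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_ca_rewrites_subject
```

A requester who cares which name ends up in the certificate has to compare the issued certificate's subject with the one requested, as the last lines of the function do.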
RE: BIGNUM library
Christophe, you're right. I just looked at my code again, and I was not checking the return value of DH_compute_key() for the size of the computed shared secret; I was assuming it to be the same size as that returned by DH_size(), which is obviously not a valid assumption. All the other libs return the size as an in/out arg where on the way in, the arg is set to the size of the output buffer used to store the secret, and on the way out it is set to the size of the secret. So I had overlooked that the size was actually returned via the return value.

Thanks for your help on this!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Devine
Sent: Saturday, April 21, 2007 2:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

Edward Chan [EMAIL PROTECTED] wrote:

> But I think this always returned me 128 bytes. So am I supposed to bzero the output buffer first?

Here's how I fixed the bug (not very elegant, it was a quick hack)

    int i, ret = DH_compute_key(secret, pkey, m_dh);

    if( ret > 0 && ret < 128 )
    {
        /* shift the ret-byte secret to the end of the 128-byte buffer,
           then zero the leading bytes */
        int pad = 128 - ret;
        for(i = ret - 1; i >= 0; i--)
            secret[i + pad] = secret[i];
        memset(secret, 0, pad);
    }

    ReverseBytes(secret, size);

Christophe

openssl pkcs12 don't want to prompt password
Hi,

I'm using openssl pkcs12 to export the usercert and userkey PEM files out of pkcs12. I don't want the openssl pkcs12 to prompt the user for the import and pem pass phrase. What are the password flags to be used? I got an invalid password when I do the following:

    -bash-3.1$ openssl pkcs12 -in janet.p12 -nocerts -out userkey.pem -passin test123
    Invalid password argument test123
    Error getting passwords

Thanks!

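An added example, not part of the original post: '-passin' and '-passout' take a password source with a prefix ('pass:', 'env:', 'file:' and so on), not a bare password, which is why '-passin test123' is rejected. The demo below builds a throwaway janet.p12 and exports the key and certificate without prompts using 'env:'; the variable names P12_PASS and PEM_PASS and the second pass phrase are made up for the demo.

```shell
#!/bin/sh
# Added example. File names and passwords are constructed for the demo.
# Prints: bare=<accepted|rejected>, prefixed=<ok|failed>, key=<encrypted|plain>
demo_pkcs12_no_prompt() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077                      # exported key material stays private
        # Throwaway key and certificate, bundled into janet.p12
        openssl req -x509 -newkey rsa:2048 -nodes -keyout k.pem -out c.pem \
            -subj '/CN=janet' -days 1 2>/dev/null || exit 1
        P12_PASS='test123' PEM_PASS='demo-pem-pass'
        export P12_PASS PEM_PASS
        openssl pkcs12 -export -inkey k.pem -in c.pem -out janet.p12 \
            -passout env:P12_PASS 2>/dev/null || exit 1
        # 1. A bare password is not a valid argument: the prefix is mandatory
        if openssl pkcs12 -in janet.p12 -nocerts -out bad.pem \
               -passin test123 -passout env:PEM_PASS 2>/dev/null
        then echo bare=accepted; else echo bare=rejected; fi
        # 2. env: keeps the secret off the command line (pass: shows up in ps)
        if openssl pkcs12 -in janet.p12 -nocerts -out userkey.pem \
               -passin env:P12_PASS -passout env:PEM_PASS 2>/dev/null &&
           openssl pkcs12 -in janet.p12 -nokeys -clcerts -out usercert.pem \
               -passin env:P12_PASS 2>/dev/null
        then echo prefixed=ok; else echo prefixed=failed; fi
        # 3. The exported key is encrypted under the PEM pass phrase
        if grep -q 'ENCRYPTED PRIVATE KEY' userkey.pem
        then echo key=encrypted; else echo key=plain; fi
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_pkcs12_no_prompt
```

The literal form '-passin pass:test123' also works, but the password is then visible to other local users in the process list, so 'env:' or 'file:' with a file readable only by its owner is the safer choice in scripts.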
Multithreaded application crash
Hi:

I have developed a multi-threaded client using OpenSSL (openssl-0.9.6g). My client application crashes in SslClose. Below is the stack trace:

    SslClose
    0 0x3ff805c1ac8 in __nxm_thread_kill(...) in /usr/shlib/libpthread.so
    #1 0x3ff805ba120 in pthread_kill(...) in /usr/shlib/libpthread.so
    #2 0x3ff805c62a8 in UnknownProcedure2FromFile100(...) in /usr/shlib/libpthread.so
    #3 0x3ff80633994 in UnknownProcedure16FromFile0(...) in /usr/shlib/libexc.so
    #4 0x3ff80633d80 in exc_raise_signal_exception(...) in /usr/shlib/libexc.so
    #5 0x3ff800d9c30 in __sigtramp(...) in /usr/shlib/libc.so
    #6 0x3ff802124b8 in UnknownProcedure17FromFile22(...) in /usr/shlib/libc.so
    #7 0x3ff80212cf0 in UnknownProcedure13FromFile22(...) in /usr/shlib/libc.so
    #8 0x120061e30 in CRYPTO_free(str=0x140105400) mem.c :251
    #9 0x12006ca28 in X509_NAME_ENTRY_free(a=0x140105400) x_name.c:259
    #10 0x120062900 in sk_pop_free(st=0x1401034f0, func=0x12006c9d4) stack.c :288
    #11 0x12006c9a0 in X509_NAME_free(a=0x1400ecde0) x_name.c:250
    #12 0x120095b54 in X509_CINF_free(a=0x140103520) x_cinf.c:192
    #13 0x12006d138 in X509_free(a=0x1400f10e0) x_x509.c:154
    #14 0x120048770 in SSL_SESSION_free(ss=0x14011a140) ssl_sess.c:481
    #15 0x12003e3d4 in SSL_free(s=0x1400d4f00) ssl_lib.c:366
    #16 0x12003b418 in SslClose(...) in client

I am using pthread on Digital Unix (OSF1 machine V5.1 2650 alpha). I have also defined the callbacks CRYPTO_set_id_callback and CRYPTO_set_locking_callback, which are needed for a multithreaded application.

Can someone please tell me what may be the problem here?

Thank you very much.
Brajesh