Re: Nested ASN1 strings and OPENSSL_ALLOW_NESTED_ASN1_STRINGS

2007-06-27 Thread Dr. Stephen Henson
On Tue, Jun 26, 2007, Williams Bryn-R40716 wrote:

 Hi,
 
 A team in our organisation has a small ASN.1 decoding example that works
 with openssl 0.9.7g, but not with any more recent release. The reason
 seems to be that the ASN.1 structure in question includes (perhaps
 wrongly) a nested ASN.1 string, which is no longer supported by default.
 
 I see from the commit logs that the change to conditionalise this in
 tasn_dec.c was made prior to openssl-0.9.7h by Dr. Stephen Henson with
 the comment "Don't attempt to parse nested ASN1 strings by default"
 (code included below).
 
 If we recompile openssl (e.g. 0.9.8e) with
 OPENSSL_ALLOW_NESTED_ASN1_STRINGS then our example works. However, given
 that this has been disabled by default since 2005 I assume that this is
 not normally required, and perhaps should be taken as an indication
 that we have a bad ASN.1 structure or are parsing it incorrectly. 
 
 I was hoping someone (Dr Henson...?) could help me to understand why
 this change was made, and in what circumstances it's appropriate to
 recompile with OPENSSL_ALLOW_NESTED_ASN1_STRINGS.
 

Well, the standards technically allow constructed string types to be nested to
arbitrary depth. This is potentially a problem for recursive parsers
especially if the stack size is limited.

I've never come across an example of such a string except one specifically
constructed as an example. I created some pathological cases for an ASN1
testing suite: before the above change they would crash the parser.

In some structures (such as certificates) they are illegal anyway.

The normal use of constructed strings is for streaming purposes and that can
be handled using a single level of nesting: which OpenSSL can process.

If the input data comes from a trusted source then it is OK to recompile
with OPENSSL_ALLOW_NESTED_ASN1_STRINGS. From an untrusted source it could
be a security hole.

I'd be interested to know what kind of structure you have which includes
a string with more than one level of nesting.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
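To make the distinction in Steve's reply concrete, here is a small BER decoder for OCTET STRINGs that reassembles a constructed string from its segments but enforces a nesting limit. This is an added example, not OpenSSL's code and not the structure the original poster was parsing; the encodings at the bottom are hand-assembled. The default `max_depth=1` accepts a constructed string whose segments are all primitive (the single level the thread says stock OpenSSL handles), while `max_depth=None` removes the limit in the way the OPENSSL_ALLOW_NESTED_ASN1_STRINGS build does, so recursion depth is then dictated entirely by the input.

```python
"""Minimal BER decoder for constructed OCTET STRINGs with a nesting limit.

Added illustration for the openssl-users thread; not OpenSSL code.
"""

CONSTRUCTED = 0x20   # bit 6 of the identifier octet
OCTET_STRING = 0x04  # universal tag number for OCTET STRING


class NestedStringError(ValueError):
    """A constructed segment was itself constructed beyond max_depth."""


def _read_length(buf, pos):
    """Decode a definite-form BER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    # Indefinite form (0x80) and implausibly long length fields are refused.
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_octet_string(buf, max_depth=1, _depth=0):
    """Return the value of an OCTET STRING TLV, concatenating segments.

    max_depth=1: a constructed string may only contain primitive segments.
    max_depth=None: segments may be constructed without limit, so the
    recursion depth is bounded only by the attacker-controlled input.
    """
    if not buf:
        raise ValueError("empty input")
    tag = buf[0]
    if tag & 0x1F != OCTET_STRING:
        raise ValueError("not an OCTET STRING")
    length, pos = _read_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content")
    content = buf[pos:end]
    if not tag & CONSTRUCTED:
        return bytes(content)          # primitive: the content is the value
    if max_depth is not None and _depth >= max_depth:
        raise NestedStringError("constructed segment nested too deeply")
    out = bytearray()
    i = 0
    while i < len(content):            # walk the inner segment TLVs
        seg_len, seg_pos = _read_length(content, i + 1)
        seg_end = seg_pos + seg_len
        if seg_end > len(content):
            raise ValueError("truncated segment")
        out += decode_octet_string(content[i:seg_end], max_depth, _depth + 1)
        i = seg_end
    return bytes(out)


def is_rejected(buf, max_depth=1):
    """True if the decoder refuses buf because of excessive nesting."""
    try:
        decode_octet_string(buf, max_depth)
    except NestedStringError:
        return True
    return False


# Hand-assembled sample encodings (constructed for this example).
PRIMITIVE = bytes([0x04, 0x05]) + b"hello"
SEGMENTS = bytes([0x04, 0x05]) + b"hello" + bytes([0x04, 0x05]) + b"world"
ONE_LEVEL = bytes([0x24, len(SEGMENTS)]) + SEGMENTS                # 24 0E ...
INNER = bytes([0x24, 0x07, 0x04, 0x05]) + b"hello"                 # constructed segment
TWO_LEVEL = bytes([0x24, len(INNER) + 7]) + INNER + bytes([0x04, 0x05]) + b"world"

if __name__ == "__main__":
    print(decode_octet_string(PRIMITIVE))               # b'hello'
    print(decode_octet_string(ONE_LEVEL))               # b'helloworld'
    print(is_rejected(TWO_LEVEL))                       # True with the default limit
    print(decode_octet_string(TWO_LEVEL, max_depth=2))  # b'helloworld'
```

The point of the `_depth` check is that it fires before any further recursion, so a hostile input cannot drive the decoder deeper than the configured limit; with the limit removed, each additional constructed wrapper costs one more stack frame, which is the failure mode the pathological test cases in the thread exercised.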


openssl function to convert pkcs#8

2007-06-27 Thread Janet N

Hi,

Is there a function in openssl that can convert a private key from a pkcs#8
to pkcs#1?  I've done this with the command line and it works fine, just
want to do this programmatically:

command line (want to do this using openssl function instead):
openssl pkcs8 -inform PEM -nocrypt -in dsakey.pem -out new.pem


Re: openssl function to convert pkcs#8

2007-06-27 Thread Dr. Stephen Henson
On Wed, Jun 27, 2007, Janet N wrote:

 Hi,
 
 Is there a function in openssl that can convert a private key from a pkcs#8
 to pkcs#1?  I've done this with the command line and it works fine, just
 want to do this programmatically:
 
 command line (want to do this using openssl function instead):
 openssl pkcs8 -inform PEM -nocrypt -in dsakey.pem -out new.pem

Well, PEM_read_PrivateKey() will automatically handle multiple formats
including PKCS#8. If you write using PEM_write_PrivateKey() it will use
PKCS#1.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Need some information regarding openssl rsa

2007-06-27 Thread bibhuti prusty
Hi all,

I am using openssl for rsa encryption/decryption.
I have some questions.
1. What is the format of the encrypted data? It is neither ASCII text nor
binary nor Unicode. What is it?
2. How is the input data interpreted ?? I mean is there a number associated 
with all the characters ?? Example - 0-25 for 'a' to 'z', 26-51 for 'A' to 'Z' 
etc.

Thanx in advance,
Bibhuti

Windows Build of openssl-0.9.8e taking forever

2007-06-27 Thread Mark E Schoneman
Anyone,

 

I'm trying to build openssl-0.9.8e and it's stuck at
C:\openssl-0.9.8e>perl util\mkdef.pl 32 libeay > ms\libeay32.def
with 100% CPU. I'm using the Cygwin perl. Thanks

 

Mark S



RE: Need some information regarding openssl rsa

2007-06-27 Thread David Schwartz

 I am using openssl for rsa encryption/decryption.
 I have some questions.
 1. What is the format of the encrypted data? It is neither ASCII text
nor binary nor Unicode. What is it?

There are any number of possible formats for encrypted data. You could have
raw binary RSA encrypted data, but that's not all that useful. You might
have one of the more common formats (like PKCS1) which can either be PEM or
DER encoded. There is no one right format.

 2. How is the input data interpreted ?? I mean is there a number
associated with
 all the characters ?? Example - 0-25 for 'a' to 'z', 26-51 for 'A' to 'Z'
etc.

That all depends upon exactly what you're doing, and we have no idea.
Generally, the RSA encryption scheme doesn't care what the data means -- why
should it?

DS


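The two answers above ("there is no one right format" and "RSA doesn't care what the data means") both come down to the same fact from PKCS#1: RSA operates on an integer, and the only mapping between bytes and that integer is OS2IP/I2OSP, a big-endian unsigned conversion with no notion of characters. The following is an added example, not code from this thread or from OpenSSL; the key is a deliberately tiny constructed one (two Mersenne primes) and the scheme is unpadded "textbook" RSA, used only to make the byte-to-integer mapping and the raw binary ciphertext visible.

```python
"""How RSA sees its input: PKCS#1 OS2IP/I2OSP and raw (unpadded) RSA.

Added illustration; the key below is a constructed toy, not a real key.
"""


def os2ip(octets):
    """PKCS#1 OS2IP: an octet string is read as an unsigned big-endian integer."""
    return int.from_bytes(octets, "big")


def i2osp(x, length):
    """PKCS#1 I2OSP: write integer x as exactly `length` big-endian octets."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer too large for the requested length")
    return x.to_bytes(length, "big")


# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse (Python 3.8+)
K = (N.bit_length() + 7) // 8      # octet length of the modulus, here 12


def rsa_encrypt_raw(plaintext):
    """Raw RSA: bytes -> integer m -> c = m^e mod n -> K-byte ciphertext.

    The result is a block of K arbitrary octets: not text in any encoding,
    which is why it looks like neither ASCII nor Unicode when printed.
    """
    m = os2ip(plaintext)
    if m >= N:
        raise ValueError("message too long for this modulus")
    return i2osp(pow(m, E, N), K)


def rsa_decrypt_raw(ciphertext):
    """Inverse of rsa_encrypt_raw.

    Raw RSA carries no length field, so leading zero bytes of the original
    plaintext cannot be recovered; that ambiguity is one reason real systems
    wrap the message in PKCS#1 v1.5 or OAEP padding before exponentiation.
    """
    m = pow(os2ip(ciphertext), D, N)
    return i2osp(m, (m.bit_length() + 7) // 8)


if __name__ == "__main__":
    # 'hello' is the bytes 68 65 6c 6c 6f, read as one 39-bit integer; the
    # letters carry no special numbering of their own.
    print(hex(os2ip(b"hello")))                    # 0x68656c6c6f
    c = rsa_encrypt_raw(b"hello")
    print(len(c), c.hex())                         # 12 octets of raw binary
    print(rsa_decrypt_raw(c))                      # b'hello'
```

When a tool such as the openssl command line produces PEM output, it is applying base64 and header lines to exactly this kind of binary block (or to a DER structure that contains it); the RSA operation itself only ever saw the integer.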