Hi,
Thanks for the response.
The problem I am seeing is not with the DN. From what I understand, the
distinguished name can be any one of the fields – CN, issuer, subject – that
come as part of the x509 certificate contents. None of these contain the !
character.
Let me clarify the issue a little more.
This is an SSO (single sign-on) scenario from ‘app1’ to ‘app2’ (our application
is ‘app2’, while ‘app1’ is an external application not in our control).
1. app1: sends a CGI POST request to app2 – the POST request has the UN
(username).
2. app2: does a CGI GET to receive the UN within app1’s POST request.
3. app2: has app1’s x509 certificate already stored, since it has to
allow SSO from app1 – gets verification ctx from here.
4. app2: uses the UN (containing ! character) to form a hashdata.
5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
6. app2: calls EVP_VerifyFinal -- this eventually fails during public key
check (EVP_PKEY_verify), due to the ! character in UN
As you see, in app2 we do not have any control over the character string
type of the UN.
Is there a way to fix ‘app2’ to make EVP_VerifyFinal pass? We can’t make
changes to ‘app1’ as the application is not owned by us.
Is there any other solution you would suggest?
Thanks,
Rituparna Mitra
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: Friday, August 01, 2014 7:33 PM
To: openssl-users@openssl.org
Subject: RE: Query on X509 certificate validation- EVP_VerifyUpdate EVP_VerifyFinal
You have to look at the character string type of the DN. For example, in
printableString the exclamation point is an illegal character.
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz
From: Mitra, Rituparna (STSD)
Sent: Friday, August 01, 2014 7:21 PM
To: openssl-users@openssl.org
Subject: Query on X509 certificate validation- EVP_VerifyUpdate EVP_VerifyFinal
Hi,
I am using “openssl-1.0.1h” to do X509 certificate validation for accessing
from app1 to app2 (these are 2 separate applications).
- In app2, I have uploaded the X509 certificate generated by app1 and
I am using the following code segment in app2 to verify the certificate (when
app1 tries to login to app2).
- This code works fine for all user names, except usernames containing
a ! symbol (exclamation).
EVP_MD_CTX_init(ctx);                  /* ctx: an EVP_MD_CTX allocated by app2 */
EVP_VerifyInit(ctx, md);               /* md: the digest app1 signed with */
EVP_VerifyUpdate(ctx, hashdata, strlen(hashdata));
err = EVP_VerifyFinal(ctx, x509_sig, sigsize, pkey); /* 1 = valid, 0 = mismatch, <0 = error */
where pkey = public key retrieved from the certificate.
hashdata is a string calculated using the username as
follows: system_name:domain\username:
- EVP_VerifyFinal() returns success with username test.
- But using !test fails at EVP_VerifyFinal() which returns an error
value -- err = 0 (67702888)
Here ! seems to be the problem character since nothing else is different b/w
the 2 cases. I am curious to know the following:
a) Do X509 certificates treat ! character differently?
b) Is there a way to handle usernames with a ! correctly, so that
certificate check passes?
c) Since hashdata is passed to EVP_VerifyUpdate(), do I need to take care
of anything while forming “hashdata” with the username?
Any response would be greatly appreciated.
Thanks and regards,
Rituparna Mitra