Re: doubt regarding certificate generation

2012-04-09 Thread Akash Deo
hi,

The third command will just concatenate the key and certificate in one
file. You can open server.pem and verify.

Regards,
Akash

On Mon, Apr 9, 2012 at 11:23 AM, Mithun Kumar mithunsi...@gmail.com wrote:

 I am a newbie to OpenSSL. I am trying to understand how certificates are
 generated. I downloaded the samples and started understanding the
 *Makefile* that came with the sources.

 Below is my understanding so far

 *$(OPENSSL) req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out
 serverreq.pem -config server.cnf -reqexts req_extensions*
 Here we are trying to create an RSA private key, with private key file
 serverkey.pem and output file serverreq.pem.

 *$(OPENSSL) x509 -req -in serverreq.pem -sha1 -extfile server.cnf
 -extensions certificate_extensions -CA serverCA.pem -CAkey serverCA.pem
 -CAcreateserial -out servercert.pem*
 Here we are creating a server certificate which has the private key
 from serverreq.pem, signed by CA serverCA.pem using CA private key
 serverCA.pem.

 *$(CAT) servercert.pem serverkey.pem serverCAcert.pem rootcert.pem >
 server.pem*
 Not sure why we are doing this here.


 Can someone explain the above 3 commands to me clearly?
 Also, during server authentication, the server sends its certificate to the
 client, which has the public key of the server. Here, where is the public key
 generated?

 The attachment has the Makefile that I am referring to.


 -Thanks
  mithun
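The three Makefile steps run end to end, as an added example that is not the thread's Makefile or code: server.cnf here is a constructed stand-in for the samples' file, a throwaway CA replaces serverCA.pem, and 2048-bit RSA with SHA-256 replaces rsa:1024/sha1. Two checks follow that answer the public-key question: the certificate carries exactly the public key belonging to serverkey.pem (generated in step 1, carried by the CSR, copied into the certificate in step 2), and server.pem is nothing more than the PEM blocks of its inputs in order.

```shell
# Added example: the thread's three Makefile steps in a scratch directory.
# Constructed inputs: server.cnf (stand-in for the samples' file) and a
# throwaway CA in place of serverCA.pem; 2048-bit RSA/SHA-256 replace rsa:1024/sha1.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
exec 2>/dev/null   # hide openssl's key-generation chatter; remove when debugging
cat > server.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ req_extensions ]
subjectAltName = DNS:server.example.test
[ certificate_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
# Stand-in CA (the samples keep CA key and cert together in serverCA.pem).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -config server.cnf -subj /CN=TestCA \
    -extensions ca_extensions -keyout serverCA.key -out serverCAcert.pem -days 2
# Step 1: the key pair is generated here; the public half is copied into the CSR.
openssl req -newkey rsa:2048 -nodes -sha256 -config server.cnf -subj /CN=server.example.test \
    -keyout serverkey.pem -out serverreq.pem -reqexts req_extensions
# Step 2: the CA signs the CSR; the CSR's public key becomes the certificate's.
openssl x509 -req -in serverreq.pem -sha256 -extfile server.cnf \
    -extensions certificate_extensions -CA serverCAcert.pem -CAkey serverCA.key \
    -CAcreateserial -out servercert.pem
# Step 3: the bundle, as $(CAT) ... > server.pem does (leaf, key, chain).
cat servercert.pem serverkey.pem serverCAcert.pem > server.pem

# Does the certificate carry the public half of this private key?
pubkey_matches() {  # $1 = private key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout) && cert_pub=$(openssl x509 -in "$2" -pubkey -noout) \
        && [ "$key_pub" = "$cert_pub" ]
}
# Count PEM blocks with a given label (e.g. CERTIFICATE, 'PRIVATE KEY') in a bundle.
count_blocks() {  # $1 = bundle file, $2 = label
    grep -c "^-----BEGIN .*$2-----$" "$1" || true
}
pubkey_matches serverkey.pem servercert.pem && echo "servercert.pem carries serverkey.pem's public key"
echo "server.pem: $(count_blocks server.pem CERTIFICATE) certificate(s), $(count_blocks server.pem 'PRIVATE KEY') private key(s)"
```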




Trying to get URI of CRL from certificate extension

2011-05-27 Thread Akash Deo
Hi,

I am trying to get the URI of the CRL from the certificate extension using the
function below:

#include <string.h>
#include <strings.h>
#include <openssl/objects.h>
#include <openssl/x509v3.h>

static char *get_distribution_point(X509 *cert) {
  int                      extcount, i, j;
  const char              *extstr;
  CONF_VALUE              *nval;
  const unsigned char     *data;
  X509_EXTENSION          *ext;
  const X509V3_EXT_METHOD *meth;
  STACK_OF(CONF_VALUE)    *val;

  if ((extcount = X509_get_ext_count(cert)) > 0) {
    for (i = 0; i < extcount; i++) {
      ext = X509_get_ext(cert, i);
      /* short name of the extension's OID, e.g. "crlDistributionPoints" */
      extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (strcasecmp(extstr, "crlDistributionPoints")) continue;

      if (!(meth = X509V3_EXT_get(ext))) break;
      data = ext->value->data;
      /* NB: the crlDistributionPoints method table is ASN1_ITEM based, so its
       * d2i and i2v slots are NULL (it decodes through its `it` template and
       * prints through i2r); both calls on this line go through null function
       * pointers. X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL,
       * NULL) returns the decoded CRL_DIST_POINTS structure directly. */
      val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
      for (j = 0; j < sk_CONF_VALUE_num(val); j++) {
        nval = sk_CONF_VALUE_value(val, j);
        if (!strcasecmp(nval->name, "URI"))
          return strdup(nval->value);
      }
    }
  }
  return NULL;
}



The above function fails at
val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);

Any suggestions ?

Please help

Thanks & Regards,
Akash Deo


How to get intermediate CA certificate?

2011-05-11 Thread Akash Deo
Hi,

I want to validate a CA signed certificate against its CRL.

I have root certificate from CA. I have downloaded CRL for entity
certificate (using URI in CRL Distribution Points field).

Intermediate CA certificate is also required to verify entity certificate
against CRL.

Is there any way I can get the intermediate CA certificate during the SSL
handshake? Or what should be the way to get the intermediate CA certificate?

Thanks & Regards,
Akash


How I can find URI for this ca certificate?

2011-05-01 Thread Akash Deo
Hi,
I am trying to verify whether a CA-signed certificate is revoked.

The OpenSSL verify option requires the following parameters:


   - cert: a CA-signed certificate to be verified.
   - cafile: file path to the CA certificate used to sign the certificate (cert).
   *How can I find the URI for this CA certificate?*
   - crlfile: can be obtained from the CRL Distribution Points field in the
   certificate (cert).


*How can I find the URI for the CA certificate?*

I am trying to do the verification in my code using the following example. I
tested the code below by being the CA myself. But if the certificates are signed
by a third-party CA, then how do I get the CA certificate used for signing?
I want my code to determine the location to pick up the required CA cert.

Please help:

Code example:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

void handle_error(const char *file, int lineno, const char *msg)
{
    fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
    ERR_print_errors_fp(stderr);
    exit(-1);
}

#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* these are definitions to make the example simpler */
#define CA_FILE     "CAfile.pem"
#define CA_DIR      "/etc/ssl"
#define CRL_FILE    "CRLfile.pem"
#define CLIENT_CERT "cert.pem"

/* called for each step of chain building; reports the reason for a failure
 * and returns the library's verdict unchanged */
int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok)
        fprintf(stderr, "Error: %s\n",
                X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
    return ok;
}

int main(int argc, char *argv[])
{
    X509 *cert;
    X509_STORE *store;
    X509_LOOKUP *lookup;
    X509_STORE_CTX *verify_ctx;
    FILE *fp;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();
    /* seed_prng();  helper defined elsewhere in the original example and not
     * part of this listing; OpenSSL seeds its PRNG from the OS on its own */

    /* first read the client certificate */
    if (!(fp = fopen(CLIENT_CERT, "r")))
        int_error("Error reading client certificate file");
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
        int_error("Error reading client certificate in file");
    fclose(fp);

    /* create the cert store and set the verify callback */
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    X509_STORE_set_verify_cb_func(store, verify_callback);

    /* load the CA certificates and CRLs; a failed lookup must stop here,
     * since the load calls below dereference it */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_LOOKUP_load_file(lookup, CA_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CA file");
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");

    /* enabling verification against CRLs is not possible
     * in prior versions */
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
    /* set the flags of the store so that CRLs are consulted */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                X509_V_FLAG_CRL_CHECK_ALL);
#endif

    /* create a verification context and initialize it */
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");

    /* X509_STORE_CTX_init did not return an error condition
     * in prior versions */
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
    if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
        int_error("Error initializing verification context");
#else
    X509_STORE_CTX_init(verify_ctx, store, cert, NULL);
#endif

    /* verify the certificate */
    if (X509_verify_cert(verify_ctx) != 1)
        int_error("Error verifying the certificate");
    else
        printf("Certificate verified correctly!\n");
    return 0;
}

Thanks & Regards,
Akash Deo
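An added example serving the three 2011 posts above (constructed, not code from the list): a scratch root -> intermediate -> leaf PKI whose CRL is issued by the intermediate, then the command-line form of each question, verifying the leaf with the intermediate passed as -untrusted, reading the CRL and caIssuers URIs from its extensions, and re-running the check after revocation. All names, URLs and the config are made up; the URI is read with openssl x509 -ext because the posted C helper calls meth->i2v, which the crlDistributionPoints method table leaves NULL (it renders via i2r), so in C the decoded value comes from X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL) instead.

```shell
# Added example: a scratch root -> intermediate -> leaf PKI with a CRL issued by
# the intermediate, then the checks the posts ask about: verify the leaf against
# its CRL, read the CRL and caIssuers URIs, and see verification fail once revoked.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
exec 2>/dev/null   # hide openssl's chatter; remove when debugging
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = inter
[ inter ]
database = index.txt
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 1
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/inter.crl
authorityInfoAccess = caIssuers;URI:http://ca.example.test/inter.cer
EOF
NEW='-newkey rsa:2048 -nodes -sha256 -config ca.cnf'
openssl req -x509 $NEW -subj /CN=Root -extensions ca_ext -keyout root.key -out root.pem -days 2
openssl req -new $NEW -subj /CN=Inter -keyout inter.key -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions ca_ext -out inter.pem
openssl req -new $NEW -subj /CN=leaf.example.test -keyout leaf.key -out leaf.csr
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile ca.cnf -extensions leaf_ext -out leaf.pem
touch index.txt; openssl ca -config ca.cnf -gencrl -out crl.pem   # empty CRL from the intermediate

# The intermediate normally arrives in the handshake (openssl s_client -showcerts)
# or from the leaf's caIssuers URI; here it is a local file given as -untrusted.
verify_leaf() { openssl verify -crl_check -CAfile root.pem -untrusted inter.pem -CRLfile crl.pem leaf.pem >/dev/null; }
leaf_uri() { openssl x509 -in leaf.pem -noout -ext "$1" | sed -n 's/.*URI://p'; }   # $1 = extension name
revoke_leaf() { openssl ca -config ca.cnf -revoke leaf.pem && openssl ca -config ca.cnf -gencrl -out crl.pem; }

if verify_leaf; then BEFORE=OK; else BEFORE=REJECTED; fi
revoke_leaf
if verify_leaf; then AFTER=OK; else AFTER=REJECTED; fi
echo "CRL: $(leaf_uri crlDistributionPoints)  intermediate: $(leaf_uri authorityInfoAccess)"
echo "leaf before revocation: $BEFORE, after: $AFTER"
```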