Validating a certificate which is expired

2013-06-19 Thread Bob Bell (rtbell)
Folks -

I have a situation where I need to determine the validity of a certificate in
all other aspects even though it has expired. In other words, the signatures
are all valid and the contents untampered, but the "notAfter" date is less than
the current date. If I run the certificate verify process against that certificate,
will it tell me if there are higher severity errors (e.g. issuer signature
invalid) rather than checking the validity period and finding the problem? I
guess another way of asking the question is: if I get the error "10
X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired", does that imply that
everything else is OK?

Bob

Bob Bell, CISSP, CSSLP
Senior Security Architect
Trusted Systems Architectures Group
Cisco Systems, Inc.
972-813-5104(w)
801-971-4200(c)
Telepresence rtb...@cisco.com

"May God grant us the strength to correct what we can change,
The serenity to accept what we cannot,
and the wisdom to know the difference"



Command Line Question

2011-03-02 Thread Bob Bell (rtbell)


Folks -

I am trying to generate a PKCS#10 certificate request with a pre-existing
RSA public/private key pair that was generated using genpkey. The actual
command is openssl genpkey -out Keys.bin -outform DER -algorithm rsa
-pkeyopt rsa_keygen_bits:2048

Could someone please provide me with information on how to do this? Sorry
for the relatively newbie question, but I have tried to dig it out of the
documentation without success.

Bob




 

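The procedure Bob is asking about, as an added example that is not part of the original thread. openssl req takes an existing private key through -key, with -keyform DER telling it the file is not PEM (OpenSSL 3.x detects the format and the option may be omitted there); -new with -key, rather than -newkey, is what makes req use the pre-existing pair. The script runs the genpkey command from the post, builds the request, and then performs the two checks a practitioner wants before handing a CSR to a CA: the request's self-signature verifies (proof of possession of the private key), and the SubjectPublicKeyInfo inside the request is byte-for-byte the public half of the key file. The subject string and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): make a PKCS#10 request from a
# DER key pair produced by genpkey, then confirm it really binds that key.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY=$WORK/Keys.bin
CSR=$WORK/request.pem
# Constructed subject; substitute the real organization and device name.
SUBJECT="/O=Example Org/CN=device01.example"

# The key generation command from the post (DER, unencrypted 2048-bit RSA).
openssl genpkey -out "$KEY" -outform DER -algorithm rsa \
    -pkeyopt rsa_keygen_bits:2048 2>/dev/null
chmod 600 "$KEY"

# -key/-keyform point req at the existing private key; the request is
# signed with it, which is how the CA checks proof of possession.
make_csr() {
    openssl req -new -key "$KEY" -keyform DER -sha256 \
        -subj "$SUBJECT" -out "$CSR" 2>/dev/null
}

# Check 1: the request's own signature verifies against the key it carries.
csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key in the request equals the public half of the key
# file, so the CSR was not accidentally built from some other key.
csr_key_matches() {
    from_key=$(openssl pkey -in "$KEY" -inform DER -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
    if [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]; then
        echo match
    else
        echo mismatch
    fi
}

# The subject as actually encoded in the request, for a human check.
csr_subject() {
    openssl req -in "$CSR" -noout -subject 2>/dev/null
}

make_csr
echo "request signature: $(csr_signature_ok && echo ok || echo bad)"
echo "key binding:       $(csr_key_matches)"
csr_subject
```

genpkey wrote the private key unencrypted, so the file permissions are the only thing protecting it; the chmod above is the minimum, and -pass plus a cipher option on genpkey (or keeping the key in a token) is the better answer where the key outlives the request.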


RE: Pre Master Secret Regarding

2010-04-05 Thread Bob Bell (rtbell)
Aravind -

Actually, there is more than one key that is derived from the pre-master key.
There are both encryption and HMAC keys for both transmission and reception.
That translates to 4 separate keys.

Bob

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Aravinda babu
Sent: Saturday, April 03, 2010 6:39 AM
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Pre Master Secret Regarding

 

Hi all,


During the SSL/TLS handshake, a pre master secret is sent from the client to the server
by encrypting the pre master secret with the server's public key. From that both client
and server derive the master secret and finally one symmetric key. My doubt is, why
can't both use the pre master secret itself as a symmetric key?

Thanks in advance,

Aravind.






RE: About ECC patent and OpenSSL ECC code

2008-01-11 Thread Bob Bell (rtbell)
Anil -
 
Unfortunately, I am not intimately familiar with what OpenSSL has
implemented. I know that we (Cisco) have been trying to negotiate the
minefield I talked about earlier for the better part of a year, but are still
working through it. I do know that when I talked with Certicom at the last
RSA conference about the NSA license, they told me that it only covered
stuff actually sold to the Federal Government and that if I sold any
equipment (I work in the IP Telephony group) outside of the Federal Space,
I would have to get a separate license. They also said that if a customer
wanted to put an ECC key into an X.509 cert that was signed by an RSA key
(and there are very very few CAs available that will sign certs with an ECC
key), the customer would have to get a license for that operation. I
felt at the time that this basically invalidated the "gift" that they had
made to IETF, but that is not a legal opinion. It is my own personal one.
So, as a result, I have basically put any implementation of ECC-based TLS or
IKE on hold pending a decision from Cisco corporate. That is why I
recommended very strongly that you consult a lawyer. There is a lot of grey
area here that might be fine or it might be a very slippery slope to a
serious legal hassle.

Bob


  _  

From: Anilkumar Bollineni [mailto:[EMAIL PROTECTED] 
Sent: Friday, 11 January, 2008 13:03
To: openssl-users@openssl.org; Bob Bell (rtbell)
Subject: RE: About ECC patent and OpenSSL ECC code


Hi Bob,
I have received so many mails from OpenSSL users about this issue. Really,
thanks for the information. After going through the mails and some
documentation about the Certicom patents, I understand that Certicom has
more patents on "efficient" implementation of ECC and not on the way we
implement ECC normally. I need to find out if OpenSSL has any of those
"efficient" implementations and whether it violates any patents. If you know any
information on this, can you share it? Thanks.
Also I have gone through a Certicom document saying that Certicom has
patents on ECDSA usage in IKEv1/IKEv2.
http://www.ietf.org/ietf/IPR/certicom-ipr-rfc-3446.pdf
From this document I understand that whoever wants to use IKEv1/IKEv2 with
ECDSA has to get a patent license. I hope you (Cisco) might have faced the same
problem. Could you share any of your experience on this?
 
Thanks a lot,
Anil
 


"Bob Bell (rtbell)" <[EMAIL PROTECTED]> wrote:

Anil -
 
There are a lot of legal issues surrounding the use of Certicom patented ECC
code. One of the things that happened a couple of IETF meetings ago was that
Certicom signed a letter allowing the use of some of their patents for
things like TLS. However, there are a number of legal requirements attached,
including the listing/displaying of the Certicom patents on splash screens
or on the hardware device depending on the type of implementation. I would
strongly urge you to have a lawyer research these licensing agreements and
then research (with you) what additional patents might be involved (for
instance Certicom has a patent on having an ECC public key in an X.509 cert
signed using RSA) in your product. While ECC is a marvelous technology,
there is a large minefield that still needs to be mapped.
 
Bob Bell


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anilkumar Bollineni
Sent: Thursday, 10 January, 2008 12:12
To: openssl-users@openssl.org
Subject: About ECC patent and OpenSSL ECC code


Hi there,
 
I have a question on OpenSSL ECC (Elliptic Curve Cryptography) code. I saw
that Sun systems has donated the ECC code to OpenSSL. Also I saw that
Certicom has held 130 patents in the ECC area and finally NSA has licensed that
code.
Suppose I download the code from OpenSSL and try to develop a product
using the OpenSSL ECC code, does it violate any patent issue with Certicom?
Can anybody share any experience or information about this?
 
Thanks for support.
 
-Anil
 










RE: About ECC patent and OpenSSL ECC code

2008-01-10 Thread Bob Bell (rtbell)
Anil -
 
There are a lot of legal issues surrounding the use of Certicom patented ECC
code. One of the things that happened a couple of IETF meetings ago was that
Certicom signed a letter allowing the use of some of their patents for
things like TLS. However, there are a number of legal requirements attached,
including the listing/displaying of the Certicom patents on splash screens
or on the hardware device depending on the type of implementation. I would
strongly urge you to have a lawyer research these licensing agreements and
then research (with you) what additional patents might be involved (for
instance Certicom has a patent on having an ECC public key in an X.509 cert
signed using RSA) in your product. While ECC is a marvelous technology,
there is a large minefield that still needs to be mapped.
 
Bob Bell


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anilkumar Bollineni
Sent: Thursday, 10 January, 2008 12:12
To: openssl-users@openssl.org
Subject: About ECC patent and OpenSSL ECC code


Hi there,
 
I have a question on OpenSSL ECC (Elliptic Curve Cryptography) code. I saw
that Sun systems has donated the ECC code to OpenSSL. Also I saw that
Certicom has held 130 patents in the ECC area and finally NSA has licensed that
code.
Suppose I download the code from OpenSSL and try to develop a product
using the OpenSSL ECC code, does it violate any patent issue with Certicom?
Can anybody share any experience or information about this?
 
Thanks for support.
 
-Anil
 








Is 0.9.7m the final release for 0.9.7 train?

2007-11-20 Thread Bob Bell (rtbell)
Folks -
 
Is the 0.9.7m release the final release of the .7 train? I am trying to
determine when to change to a later train.
 
Bob
 
Bob Bell
IPCBU Chief Security Architect
Cisco Systems, Inc.
576 S. Brentwood Ln.
Bountiful, UT 84010
801-294-3034 (v)
801-294-3023 (f)
801-971-4200 (c)
[EMAIL PROTECTED]
 

