Re: Hard-coded trusted CA-cert

2002-03-09 Thread Boguslaw Brandys

Hello,

I'm a newbie, but now I can hardcode the root certificate. Thank you!
Still one question:


X509 *x;
..
  X509_free(x);  // must I call this?


Also, any example of how to read a certificate to/from a memory buffer would be
nice. ;-)

Boguslaw Brandys


- Original Message -
From: Dilkie, Lee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert


 Dennis,

 This is what I did. I think I just looked into the
 SSL_CTX_load_verify_locations() function and copied what it did.


 {
     X509 *x = NULL;
     unsigned char *c;

     c = CACert;
     /* d2i_X509() takes the address of the pointer and advances it */
     x = d2i_X509( NULL, &c, (long) sizeof( CACert ) );
     if( x == NULL ){
         PostErrStack( "MiSslInit(): d2i_X509(CACert) failed" );
         goto ERROR_CLEANUP;
     }
     if( !SSL_CTX_add_extra_chain_cert( sslctx, x ) ){
         PostErrStack( "MiSslInit(): SSL_CTX_add_extra_chain_cert() failed" );
         goto ERROR_CLEANUP;
     }
 }

 hope this helps.

 -lee

 -Original Message-
 From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, February 26, 2002 5:47 AM
 To: [EMAIL PROTECTED]
 Subject: Hard-coded trusted CA-cert


 Hi everybody!

 I'm searching for a way of hard-coding a trusted CA certificate into a
 client executable. I have browsed the archives and the documentation,
 but I was unable to find anything useful yet.

 Currently, I use SSL_CTX_load_verify_locations() to load my trusted
 CA-file. In my case there will only be one trusted CA and I'd prefer not
 to load it from a file.

 So is there a way of declaring something like this:

 unsigned char CACert[]={0x30,0x82,0x02,0x6B,...}

 which could be generated using 'openssl x509 -C -noout -in cacert.pem'
 and feeding it to the CTX for verification?

 Thanks for any help!

 Dennis
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
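
The array in the original question starts 0x30,0x82,0x02,0x6B, a DER SEQUENCE header declaring 0x026B content bytes, so sizeof(CACert) should be 623 when it is passed to d2i_X509(). The check below is an added example, not code from the thread or from OpenSSL; der_cert_size_check is a hypothetical helper name and the sample buffer is constructed (zero-filled after the header, not a real certificate).

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not an OpenSSL function): returns the total encoded
 * size (header + content) of the outer DER SEQUENCE at buf, or -1 if the
 * header is malformed or disagrees with buflen. */
long der_cert_size_check(const unsigned char *buf, size_t buflen)
{
    size_t hdr, content = 0, i, nlen;

    if (buf == NULL || buflen < 2 || buf[0] != 0x30)
        return -1;                       /* a certificate is a SEQUENCE (0x30) */

    if (buf[1] < 0x80) {                 /* short form: length in one byte */
        hdr = 2;
        content = buf[1];
    } else {
        nlen = buf[1] & 0x7F;            /* long form: number of length bytes */
        if (nlen == 0 || nlen > 3 || buflen < 2 + nlen)
            return -1;                   /* 0x80 is indefinite length, not DER */
        for (i = 0; i < nlen; i++)
            content = (content << 8) | buf[2 + i];
        if (buf[2] == 0 || content < 0x80)
            return -1;                   /* DER requires the minimal length form */
        hdr = 2 + nlen;
    }
    if (content != buflen - hdr)         /* truncated or padded array */
        return -1;
    return (long)buflen;
}

int main(void)
{
    /* Constructed stand-in: the header bytes quoted in the thread followed
     * by zero filler, sized to the 4 + 0x026B = 623 bytes the header declares. */
    static unsigned char sample[623] = { 0x30, 0x82, 0x02, 0x6B };

    printf("full array:      %ld\n", der_cert_size_check(sample, sizeof sample));
    printf("one byte short:  %ld\n", der_cert_size_check(sample, sizeof sample - 1));
    return 0;
}
```

Running this on the hard-coded array before d2i_X509() gives a clear failure for a truncated or padded array instead of a generic parse error.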



Re: CRL in OpenSSL 0.9.6c

2002-03-09 Thread Boguslaw Brandys

Thank you.
But since I use Borland C++ Builder to compile OpenSSL, and it is still
broken for making DLLs with this compiler, are any DLLs of the 0.9.7 version
compiled with VC++ available for download?
Or maybe this problem is corrected in the 0.9.7 version (I wish so...)

Best Regards
Boguslaw


- Original Message -
From: Dr S N Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 09, 2002 8:25 PM
Subject: Re: CRL in OpenSSL 0.9.6c


 Bogusław Brandys wrote:
 
  Hello,
 
  I have one question about CRL: does X509_verify_cert parse the CRL list?
  I tried to use X509_STORE_load_locations to load a CRL file with the
  revocation of the certificate which is used for signing. The surprise is
  that verify is always successful whether the certificate is signed as
  revoked in the CRL or not.
  Maybe I don't understand something?
 
 

 It doesn't work because CRL checking was only added in 0.9.7.

 Steve.
 --
 Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
 Personal Email: [EMAIL PROTECTED]
 Senior crypto engineer, Gemplus: http://www.gemplus.com/
 Core developer of the   OpenSSL project: http://www.openssl.org/
 Business Email: [EMAIL PROTECTED] PGP key: via homepage.