Distinguish between regular and engine loaded private key
All,

I have the need to distinguish between a private key loaded regularly with openssl and one that is loaded by an engine (hw_pkcs11 trustway engine). It will always be an RSA key.

I looked a bit at the definition of rsa_st and found that there is an engine pointer in there. Should this pointer be set to a specific value if an engine is used? In the implementation I use, the pointer is not touched by the engine implementation (and I could not find an engine that does change that value), i.e. for a regular loaded pkey the pointer is set to the same address as for an engine loaded key and it is different from an engine pointer address if an engine is loaded.

Does anybody know if the engine SHOULD set this pointer? Is there another good way to distinguish the keys?

In case you are interested: the problem at hand lies in the fact that you can't DER encode a pkey that is only a handle for a priv. key on the engine device (in the trustway pkcs11 engine I use it leads to a segfault if one tries to encode such a pkey object). I would like to be able to detect engine held keys reliably to prevent this.

Markus

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

d2i_X509 vs. ASN1_item_d2i
Hi,

I was under the impression that the following two code fragments are equivalent. But the first can successfully decode a BER encoded certificate (in value), while the second fails - data too long. When should ASN1_item_d2i_bio be used?

    cert = d2i_X509(NULL,(unsigned char **) value, valueLen);

    in = BIO_new_mem_buf(value, valueLen);
    cert = (X509 *) ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), in, NULL);

Am I missing something?

Markus

RE: d2i_X509 vs. ASN1_item_d2i
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Monday, September 22, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: d2i_X509 vs. ASN1_item_d2i

> On Mon, Sep 22, 2003, Markus Lorch wrote:
>
> > Hi, I was under the impression that the following two code fragments are equivalent. But the first can successfully decode a BER encoded certificate (in value), while the second fails - data too long. When should ASN1_item_d2i_bio be used?
> >
> >     cert = d2i_X509(NULL,(unsigned char **) value, valueLen);
> >
> >     in = BIO_new_mem_buf(value, valueLen);
> >     cert = (X509 *) ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), in, NULL);
>
> They should both work unless there's something odd choking the BIO version. What happens if you call d2i_X509_bio() on the BIO or:
>
>     openssl x509 -inform DER -in cert.der

that also works with the cert. Please note that the certificate comes out of a PKCS11 device and thus is BER encoded. dumpasn1 can also read the certificate without problems and reports no errors.

> If you get errors in all cases can you send me the certificate that does this?

sure, already on its way :)

> The two aren't exactly equivalent. The BIO version has a routine which locates the end of the ASN1 data and then passes the length to d2i_X509(). It's possible that this routine is being confused by the data.

That sounds plausible as the exact error was:

    asn1 encoding routines: ASN1_get_object:too long:asn1_lib.c:130

Markus

> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

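What "locating the end of the ASN1 data" involves, as an added example that is not part of the thread and is not OpenSSL's code: a C function (hypothetical name `ber_element_size`) that walks the tag and length octets, including BER's indefinite form, and rejects a declared length that runs past the buffer. The sample byte strings are constructed.

```c
#include <stddef.h>

/* Constructed samples: SEQUENCE { INTEGER 5 } in three encodings. */
const unsigned char DER_SHORT[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
const unsigned char BER_LONG[]  = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };
const unsigned char BER_INDEF[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 };
/* Constructed bad input: header claims 5 content octets, only 3 follow. */
const unsigned char TOO_LONG[]  = { 0x30, 0x05, 0x02, 0x01, 0x05 };

/* Size in bytes (header + contents) of the element starting at buf, or 0 if
 * it is truncated or malformed. Single-octet tags only (hypothetical helper). */
size_t ber_element_size(const unsigned char *buf, size_t avail, int depth)
{
    if (avail < 2 || depth > 32 || (buf[0] & 0x1f) == 0x1f)
        return 0;
    size_t hdr = 2, len = 0;
    unsigned char l = buf[1];

    if (l == 0x80) {                       /* indefinite length */
        if (!(buf[0] & 0x20))
            return 0;                      /* only constructed types allow it */
        size_t off = 2;
        for (;;) {                         /* walk children until 00 00 */
            if (avail - off < 2)
                return 0;
            if (buf[off] == 0 && buf[off + 1] == 0)
                return off + 2;
            size_t child = ber_element_size(buf + off, avail - off, depth + 1);
            if (child == 0)
                return 0;
            off += child;
        }
    }
    if (l < 0x80) {
        len = l;                           /* short form */
    } else {                               /* long form: n length octets */
        size_t n = l & 0x7f;
        if (n > sizeof(size_t) || avail - 2 < n)
            return 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr += n;
    }
    if (len > avail - hdr)
        return 0;                          /* declared length exceeds the data */
    return hdr + len;
}

int main(void) { return ber_element_size(BER_INDEF, sizeof BER_INDEF, 0) == 7 ? 0 : 1; }
```

A certificate read from a token may use the long or indefinite forms that strict DER forbids, which is why a length-scanning step can disagree with a decoder that is simply handed the buffer and its size.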
Engine for IBM 2058 eServer Cryptographic Accelerator?
Hi,

does anyone know if the IBM 4758 engine also supports the IBM 2058 eServer Cryptographic Accelerator? Is that what the ibmca patch in the contrib directory is for? Has somebody used it with 0.9.7b? Or is there another patch/engine available? Experiences anybody?

Thanks
Markus

RE: extend validity of existing certificates
> On my little system I've three types of self created certificates that will all expire this year (I didn't pay much attention to expiration when first creating them). I'm now looking for a way how to extend this validity without recreating the certificates and therefore breaking existing trust-relation.

There is no way to extend certificate validity (other than changing your computer clock - not recommended) but you can issue a new certificate with the same keypair used originally (standard procedure for renewal) but because you maintain the keys you are not breaking any trust relations.

> i) my CA. I have the key-file and the crt-file. If I need to recreate this I need to recreate and resign all certificates of type ii) also and I'll need to redistribute the new CA to all clients that have this cert installed.

only the cert file needs recreation and yes, all the clients will have to have the new cert (watch out to use the same subject as well, i.e. create a new, identical certificate that only differs in the validity and serial number)

> ii) the certificates signed by the above CA. These are mostly certificates for virtual hosts with my apache. I've the key-file and the crt-file and even the csr-file.

none of these need to be recreated because of the new CA certificate, however if these certs expire themselves then you also need to renew them. Same as before, only the certs need renewal - key pairs can be maintained

> iii) selfsigned certificates I use for securing mailtransfer. I have the pem-file in this case.

same as above, create a new cert but maintain the key. But actually you can simply reuse your expired cert as they are self-signed, you (and nobody else) trust your certs. All the trust is directly in your public-private key pair.

> I hope that I can extend the validity with openssl without recreating.

nope, that's what makes certificates safe.

Markus

> thnx,
> peter
>
> --
> mag. peter pilsl
> IT-Consulting
> tel: +43-699-1-3574035
> fax: +43-699-4-3574035
> [EMAIL PROTECTED]
> http://www.goldfisch.at

RE: extend validity of existing certificates
> It is not true, because it is possible to extend the validity of a certificate, even with openssl.

I'd be really curious how you accomplish this, other than the solution below ... which creates a new cert request which becomes a new cert after the cert request has been signed.

I.e. a PKC is a signed construct, if you change anything within the construct (i.e. the validity) you have to create a new signature and thus have a new certificate that is != to the old one. The only thing you can (and want to) keep is the key pair.

> You have to create a new certification request, with an extended period of time.
>
> Rossi
>
> ----- Original Message -----
> From: Markus Lorch [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, February 17, 2003 3:10 PM
> Subject: RE: extend validity of existing certificates
>
> > > On my little system I've three types of self created certificates that will all expire this year (I didn't pay much attention to expiration when first creating them). I'm now looking for a way how to extend this validity without recreating the certificates and therefore breaking existing trust-relation.
> >
> > There is no way to extend certificate validity (other than changing your computer clock - not recommended) but you can issue a new certificate with the same keypair used originally (standard procedure for renewal) but because you maintain the keys you are not breaking any trust relations.
> >
> > > i) my CA. I have the key-file and the crt-file. If I need to recreate this I need to recreate and resign all certificates of type ii) also and I'll need to redistribute the new CA to all clients that have this cert installed.
> >
> > only the cert file needs recreation and yes, all the clients will have to have the new cert (watch out to use the same subject as well, i.e. create a new, identical certificate that only differs in the validity and serial number)
> >
> > > ii) the certificates signed by the above CA. These are mostly certificates for virtual hosts with my apache. I've the key-file and the crt-file and even the csr-file.
> >
> > none of these need to be recreated because of the new CA certificate, however if these certs expire themselves then you also need to renew them. Same as before, only the certs need renewal - key pairs can be maintained
> >
> > > iii) selfsigned certificates I use for securing mailtransfer. I have the pem-file in this case.
> >
> > same as above, create a new cert but maintain the key. But actually you can simply reuse your expired cert as they are self-signed, you (and nobody else) trust your certs. All the trust is directly in your public-private key pair.
> >
> > > I hope that I can extend the validity with openssl without recreating.
> >
> > nope, that's what makes certificates safe.
> >
> > Markus
> >
> > > thnx,
> > > peter
> > >
> > > --
> > > mag. peter pilsl
> > > IT-Consulting
> > > tel: +43-699-1-3574035
> > > fax: +43-699-4-3574035
> > > [EMAIL PROTECTED]
> > > http://www.goldfisch.at

storage of OID in X509_EXTENSION question
Hi,

I am just getting started with the OpenSSL crypto lib. What I need to do is to extract an unknown extension from an X509V3 cert. I have been successful in finding out that X509_EXTENSION_get_data does return the contents of the extension. However, what does X509_EXTENSION_get_object give me then? I assume the returned ASN1_object is a description of the extension, and the data field contains the OID, right? (the length field currently gives me 8 bytes and the nid is 0 (for unknown I assume)).

Can anybody tell me how I can compare this OID to another one that I have as a string (i.e. 1.3.6.1.5.5.7.0.12)? Or asked another way, how should I proceed if I only want to extract all the extensions that have the above OID from an X509V3 PKC.

Thanks
Markus

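Why the object's data field is 8 bytes long for this OID, and how those bytes relate to the dotted string, as an added example that is not part of the post and does not use the OpenSSL API: a C decoder for DER OID content octets with a string comparison on top. The function names `oid_to_text` and `oid_equals` are hypothetical and the byte arrays are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 8 content octets that encode 1.3.6.1.5.5.7.0.12. */
const unsigned char SAMPLE_OID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x00, 0x0c };
/* Constructed sample with multi-octet arcs: 1.2.840.113549. */
const unsigned char SAMPLE_MULTI[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d };

/* Decode DER OID content octets into dotted-decimal text.
 * Returns the string length, or -1 on malformed input or a short buffer. */
int oid_to_text(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;
    unsigned long arc = 0;
    int first = 1, n;

    if (len == 0 || (der[len - 1] & 0x80))
        return -1;                         /* last arc is not terminated */
    for (size_t i = 0; i < len; i++) {
        if ((arc == 0 && der[i] == 0x80) || arc > (~0UL >> 7))
            return -1;                     /* padded arc or overflow */
        arc = (arc << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80)
            continue;                      /* more octets of this arc follow */
        if (first) {                       /* first value packs 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + pos, outlen - pos, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return (int)pos;
}

/* Return 1 if the encoded OID equals the dotted string, else 0. */
int oid_equals(const unsigned char *der, size_t len, const char *dotted)
{
    char buf[128];
    return oid_to_text(der, len, buf, sizeof buf) >= 0 && strcmp(buf, dotted) == 0;
}

int main(void) { return oid_equals(SAMPLE_OID, sizeof SAMPLE_OID, "1.3.6.1.5.5.7.0.12") ? 0 : 1; }
```

With OpenSSL itself, the usual route is to convert the dotted string once with OBJ_txt2obj() and compare the result against the object returned by X509_EXTENSION_get_object() using OBJ_cmp(). An OID that is not in OpenSSL's table has NID 0 (NID_undef), so a NID lookup cannot identify it.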
RE: oids, attributes (doc pointers)
Eric,

if you request a new OID branch for your organization you should be fine. This can be done at: http://www.iana.org/cgi-bin/enterprise.pl

Markus

Markus Lorch
Doctoral Student in Computer Science
Virginia Tech
http://csgrad.cs.vt.edu/~mlorch

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-openssl-users;openssl.org]On Behalf Of Eric Weitzman
Sent: Friday, October 25, 2002 1:52 PM
To: [EMAIL PROTECTED]
Subject: oids, attributes (doc pointers)

Would someone be kind enough to direct me to sources of information on:

1) creating new oids that don't conflict with existing oids
2) creating new attributes in certificates that can hold arbitrary values

Thanks,
- Eric