OpenSSL support for MacOS Big Sur(Cross compilation for ARM architecture/Apple silicon)?
Hi All,

As Apple is moving from Intel to ARM architecture, does OpenSSL support cross-compiling (using Xcode 12.2) on macOS Big Sur for Apple silicon (ARM architecture)? If not, is there an expected date?

Thanks,
Vinay
OpenSSL 1.1.1b version chooses wrong AS(assembler) on Windows
Hi All,

The OpenSSL version 1.1.1b chooses the wrong AS (assembler) when built through Cygwin on Windows. It chooses 'ml' instead of 'nasm' (but uses the syntax of nasm), which causes the OpenSSL build to fail on Windows. The same works fine with OpenSSL version 1.1.0i. Looks like a bug in version 1.1.1b.

Setting 'AS=nasm' before running the configure script in the Cygwin shell resolves the problem.

Can someone please confirm whether the above workaround is acceptable and whether this can be logged as a bug in OpenSSL 1.1.1b?

Regards,
Vinay
[openssl-users] GSCheck fails for Windows 32-bit build 'libeay32.dll' library
Hi All,

The 32-bit OpenSSL 1.1.0i library 'libeay32.dll' fails the BinScope GSCheck on Windows:

    E:\libeay32.dll: error BA2022: libeay32.dll was compiled with the following modules for which a language could not be identified. Ensure these were compiled with debug information and run BinScope again:
    aes-586.obj aesni-x86.obj bf-586.obj bn-586.obj chacha-x86.obj cmll-x86.obj co-586.obj crypt586.obj des-586.obj ecp_nistz256-x86.obj ghash-x86.obj md5-586.obj poly1305-x86.obj rc4-586.obj rmd-586.obj sha1-586.obj sha256-586.obj sha512-586.obj vpaes-x86.obj wp-mmx.obj x86-gf2m.obj x86-mont.obj x86cpuid.obj

Any idea how to resolve this problem, or is it expected behaviour?

NOTE:
1. Adding the /GS flag and enabling debug mode did not resolve the problem.
2. The same works fine with the 64-bit Windows 'libeay32.dll'.
3. For the other OpenSSL library, 'libssl32.dll', GSCheck passes for both 32-bit and 64-bit.

Regards,
Vinay

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Bug in OpenSSL 0.9.8e
Hi All,

I am using OpenSSL 0.9.8e. The OpenSSL function sha1_block_host_order() sometimes crashes on Linux. Is there a fix available for this issue, or what modifications need to be done? Please guide me.

The core backtrace is as follows:

    Program terminated with signal 11, Segmentation fault.
    #0  0x00560670 in sha1_block_host_order ()
    (gdb) bt
    #0  0x00560670 in sha1_block_host_order ()
    #1  0x005605a4 in sha1_block_host_order ()
    #2  0x005605a4 in sha1_block_host_order ()
    #3  0x005605a4 in sha1_block_host_order ()
    #4  0x005605a4 in sha1_block_host_order ()
    #5  0x005605a4 in sha1_block_host_order ()
    #6  0x005605a4 in sha1_block_host_order ()
    #7  0x005605a4 in sha1_block_host_order ()
    #8  0x005605a4 in sha1_block_host_order ()
    #9  0x005605a4 in sha1_block_host_order ()
    #10 0x005605a4 in sha1_block_host_order ()
    #11 0x005605a4 in sha1_block_host_order ()
    #12 0x005605a4 in sha1_block_host_order ()
    #13 0x005605a4 in sha1_block_host_order ()
    #14 0x005605a4 in sha1_block_host_order ()
    #15 0x005605a4 in sha1_block_host_order ()
    #16 0x005605a4 in sha1_block_host_order ()
    #17 0x005605a4 in sha1_block_host_order ()
    #18 0x005605a4 in sha1_block_host_order ()
    #19 0x005605a4 in sha1_block_host_order ()
    #20 0x005605a4 in sha1_block_host_order ()
    #21 0x005605a4 in sha1_block_host_order ()
    #22 0x005605a4 in sha1_block_host_order ()
    #23 0x005605a4 in sha1_block_host_order ()
    #24 0x005605a4 in sha1_block_host_order ()
    #25 0x005605a4 in sha1_block_host_order ()
    #26 0x005605a4 in sha1_block_host_order ()
    #27 0x005605a4 in sha1_block_host_order ()
    #28 0x005605a4 in sha1_block_host_order ()
    #29 0x005605a4 in sha1_block_host_order ()
    #30 0x005605a4 in sha1_block_host_order ()
    #31 0x005605a4 in sha1_block_host_order ()
    #32 0x005605a4 in sha1_block_host_order ()
    #33 0x005605a4 in sha1_block_host_order ()
    #34 0x005605a4 in sha1_block_host_order ()
    #35 0x005605a4 in sha1_block_host_order ()
    #36 0x005605a4 in sha1_block_host_order ()
    #37 0x005605a4 in sha1_block_host_order ()
    #38 0x005605a4 in sha1_block_host_order ()
    #39 0x005605a4 in sha1_block_host_order ()
    #40 0x005605a4 in sha1_block_host_order ()
    #41 0x005605a4 in sha1_block_host_order ()
    #42 0x005605a4 in sha1_block_host_order ()
    ---Type <return> to continue, or q <return> to quit---q

Thanks
Best Regards,
Vinay
Re: Not able to read public modulus public exponent fields
Hi Christian,

I am getting the public modulus as NULL and the public exponent as a huge number when X509_get_pubkey() and EVP_PKEY_get1_RSA() are used to fetch the public exponent and modulus fields. On printing the same certificate using the OpenSSL command, the public exponent and public modulus values are 65537 and 2048 bit respectively. The code snippet is as follows:

    #include <stdio.h>
    #include <openssl/x509.h>
    #include <openssl/evp.h>
    #include <openssl/rsa.h>
    #include <openssl/bn.h>

    void modulus_and_exponent(X509 *cert)
    {
        EVP_PKEY *pkey = X509_get_pubkey(cert);
        RSA *rsa_public_key = NULL;

        rsa_public_key = EVP_PKEY_get1_RSA(pkey);
        printf("PublicExponent-%s\n", BN_bn2dec(rsa_public_key->e));
        printf("Public modulus--%s\n", BN_bn2dec(rsa_public_key->n));
        /* Code crashes here as rsa_public_key->n is NULL */
    }

Output:

    PublicExponent-27996434270654315966525762650998978322231115145132233244066119978794507068963505871775556578005691505126376945396910557289743049992937453862643396445586833382007910561521985807059313227796893872026063832431644409045229254906566101223319920759875303064320287068845483141927191999488027682013935531243223237786019153197327666386125162585064239799789437289544526672152158051987971265743490012610974637622069525558253839966730499510722847180895234425768481579265750215166302968141852909417151792319101094632049317736139306560668089480759611583045032806793595284924028764929289877243557330576429122290932390276617063126287
    PublicModulus cannot be printed as the code crashes here because rsa_public_key->n is NULL

Thanks
Best Regards,
Vinay

Christian Hohnstaedt wrote:
> Hi,
>
> Try:
>
>     EVP_PKEY *pkey = X509_get_pubkey(cert);
>     rsa_public_key = EVP_PKEY_get1_RSA(pkey);
>
> Cheers
> Christian
>
> On Mon, May 23, 2011 at 06:41:34PM +0530, Vinay Kumar wrote:
>> Hi All,
>>
>> I am trying to print the public modulus and public exponent from an X509 certificate.
Not able to read public modulus public exponent fields
Hi All,

I am trying to print the public modulus and public exponent from an X509 certificate. The code snippet is as follows:

    #include <stdio.h>
    #include <openssl/x509.h>
    #include <openssl/evp.h>
    #include <openssl/rsa.h>
    #include <openssl/bn.h>

    void modulus_and_exponent(X509 *cert)
    {
        RSA *rsa_public_key = NULL;

        /* pkey is only filled in once the key has been decoded, e.g. by X509_get_pubkey() */
        if (cert->cert_info->key->pkey) {
            rsa_public_key = EVP_PKEY_get1_RSA(cert->cert_info->key->pkey);
            printf("Public exponent--%s\n", BN_bn2dec(rsa_public_key->e));
            printf("Public modulus--%s\n", BN_bn2dec(rsa_public_key->n));
        } else {
            printf("PKEY NOT FOUND\n");
        }
    }

Output:

    PKEY NOT FOUND

The key structure contains other valid fields, but the pkey field is NULL when checked through gdb:

    (gdb) p *(cert->cert_info)
    $1 = {version = 0x8f2ecb8, serialNumber = 0x8f2fa38, signature = 0x8f2fa50, issuer = 0x8f2fa60, validity = 0x8f25fb8, subject = 0x8f25ff8, key = 0x8f26050, issuerUID = 0x0, subjectUID = 0x0, extensions = 0x8f2ef58}
    (gdb) p *(cert->cert_info->key)
    $2 = {algor = 0x8f26060, public_key = 0x8f26070, pkey = 0x0}
    (gdb)

The same certificate, when printed using the OpenSSL command, displays the exponent and modulus as follows:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 389 (0x185)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IN, O=CL, OU=XYZ, CN=PC CA
            Validity
                Not Before: Nov 25 12:40:41 2010 GMT
                Not After : Feb 28 12:40:41 2031 GMT
            Subject: C=IN, O=Global, OU=XYZ, CN=Global CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:dd:c6:44:3b:c0:39:0d:e8:75:21:89:fa:41:f2:
                        ca:b1:46:d1:a2:b8:ea:78:f2:6e:27:84:03:d1:0a:
                        4d:85:4f:f9:5a:56:25:85:7b:1b:01:b2:de:31:df:
                        1a:3d:32:9d:0f:c9:a6:b8:c6:89:7c:87:f3:f9:6d:
                        a9:fd:79:df:0e:b3:ad:90:5e:05:fc:26:d5:11:e5:
                        03:73:e5:9b:9e:8f:40:af:a5:a0:09:e1:50:4f:22:
                        06:e5:80:03:77:26:af:d8:62:28:00:c5:bc:a3:fe:
                        c2:e7:68:a7:9a:81:6a:07:35:ee:43:0f:eb:04:d6:
                        ed:53:92:a8:b2:87:6a:02:5c:43:dd:61:cf:da:64:
                        ba:15:13:22:3b:79:b1:83:04:69:0d:25:82:73:f9:
                        d2:78:f6:cd:30:20:3e:eb:f2:7d:8e:56:e3:0f:38:
                        06:a2:21:b8:c8:a9:50:a8:4a:7f:3c:a8:d3:85:76:
                        ec:53:38:a7:b6:4a:9c:a7:88:a5:b9:06:e0:a5:53:
                        b3:fa:ae:97:bb:ab:e5:35:8a:ad:92:9c:55:b1:ac:
                        a1:11:3b:d0:b6:4f:f8:da:bc:01:74:67:99:c7:7a:
                        d1:d5:14:91:84:76:15:a8:41:34:99:fb:c9:00:92:
                        cf:45:d4:db:66:2c:d7:5c:38:49:c9:a9:4b:0f:80:
                        55:0f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    25:05:14:41:88:7F:0A:54:A4:04:92:05:9F:7B:F5:B1:63:D5:34:13
                X509v3 Authority Key Identifier:
                    keyid:22:31:20:B5:A8:DD:AC:DB:52:28:24:E6:F6:C6:A3:13:F2:94:A0:32
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
        Signature Algorithm: sha1WithRSAEncryption
            45:39:8c:c9:91:9a:2c:b1:2b:78:18:2e:66:51:1c:29:9a:be:
            c0:37:d5:a8:57:a1:0f:f1:ea:83:3e:fc:5b:bf:2f:b4:b2:eb:
            5e:7b:ec:7a:15:da:8d:74:15:1e:96:c1:9c:d5:0b:53:ef:0e:
            2d:5c:55:17:65:60:38:0f:6c:f4:30:2b:f0:cd:fc:01:e8:9c:
            da:40:c5:31:f5:a9:3d:ab:20:69:de:4f:01:70:92:a6:e6:a6:
            98:5d:ca:1b:d2:14:3d:58:cf:e3:9c:02:c3:82:98:6f:65:3b:
            5c:20:f5:3e:47:9c:1c:4e:5c:a1:50:ff:a5:f4:45:c3:96:ce:
            af:9d:c8:dd:55:33:a6:d0:e5:5d:fc:c6:8a:07:c4:0d:22:45:
            c6:47:db:90:09:28:06:58:5d:83:1e:0a:35:5d:1a:72:50:d6:
            37:ae:f3:84:1c:af:8e:f2:55:5a:68:38:dd:c3:2d:63:cc:03:
            c9:04:a8:59:c6:dc:ea:2f:23:0f:86:27:95:e3:f0:ba:9f:44:
            75:21:80:ad:1b:76:55:fb:70:aa:a1:5b:a0:da:7d:65:61:99:
            05:ca:ec:b1:2e:99:91:d5:c4:e8:ad:f5:30:e8:9b:39:e9:ae:
            47:fa:a0:d9:d0:e6:36:ea:9b:8b:02:f1:09:ac:08:08:cb:59:
            bf:3d:bc:57
    -----BEGIN CERTIFICATE-----
    MIID0jCCArqgAwIBAgICAYUwDQYJKoZIhvcNAQEFBQAwbzELMAkGA1UEBhMCVVMx
    EjAQBgNVBAoTCUNhYmxlTGFiczEUMBIGA1UECxMLUGFja2V0Q2FibGUxNjA0BgNV
    BAMTLVBhY2tldENhYmxlIFJvb3QgRGV2aWNlIENlcnRpZmljYXRlIEF1dGhvcml0
    eTAeFw0xMDExMjUxMjQwNDFaFw0zMTAyMjgxMjQwNDFaMIGAMQswCQYDVQQGEwJJ
    TjElMCMGA1UEChMcR2xvYmFsIEVkZ2UgU29mdHdhcmUgTGltaXRlZDEUMBIGA1UE
    CxMLUGFja2V0Q2FibGUxNDAyBgNVBAMTK0dsb2JhbCBFZGdlIFNvZnR3YXJlIExp
    bWl0ZWQgUGFja2V0Q2FibGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQDdxkQ7wDkN6HUhifpB8sqxRtGiuOp48m4nhAPRCk2FT/laViWFexsBst4x
Re: Base64 Encoding and Decoding error
Hi Jan,

Thanks for your reply, but the OpenSSL Base64 decoding API returns NULL on passing Base64 encoded data. The code snippet is as follows:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>

    char *unbase64(unsigned char *input, int length);

    int main(int argc, char **argv)
    {
        char *output = unbase64((unsigned char *)"dGVzdGVuY29kaW5nCg==",
                                strlen("dGVzdGVuY29kaW5nCg=="));
        printf("Unbase64: %s\n", output);
        free(output);
        return 0;
    }

    char *unbase64(unsigned char *input, int length)
    {
        BIO *b64, *bmem;
        char *buffer = (char *)malloc(length);

        memset(buffer, 0, length);
        b64 = BIO_new(BIO_f_base64());
        bmem = BIO_new_mem_buf(input, length);
        bmem = BIO_push(b64, bmem);
        BIO_read(bmem, buffer, length);   /* the number of bytes decoded is not checked */
        BIO_free_all(bmem);
        return buffer;
    }

The string dGVzdGVuY29kaW5nCg== on Base64 decoding should return "testencoding\n", but the above code returns NULL. Please let me know the cause of Base64 returning NULL.

Thanks
Best Regards,
Vinay

Jan Steffens wrote:
> On Tue, Mar 1, 2011 at 7:00 AM, Vinay Kumar L vinaykuma...@globaledgesoft.com wrote:
>> Encoding of the string testencoding using the base64 command:
>>
>>     # base64 data.txt > encode.txt
>>
>> data.txt - It contains only the string testencoding
>> encode.txt - It contains encoded data
>>
>>     # cat encode.txt
>>     dGVzdGVuY29kaW5nCg==
>
> This is actually the encoding for the string "testencoding\n". Note the trailing newline, and check what your data.txt really contains.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Base64 Encoding and Decoding error
Hi All,

I am doing Base64 encoding and decoding of the string "testencoding" using the OpenSSL API BIO_f_base64, but when Base64 encoding is done for the same string using the OpenSSL command base64, the last bytes of the encoded data differ from those generated using the BIO_f_base64 API. Also, the Base64 decoding API returns NULL. The code snippet is as follows:

Encoding of the string "testencoding" using the base64 command:

    # base64 data.txt > encode.txt

data.txt - It contains only the string testencoding
encode.txt - It contains encoded data

    # cat encode.txt
    dGVzdGVuY29kaW5nCg==

Encoding of the string "testencoding" using the BIO_f_base64 API:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <stdint.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/buffer.h>

    char *base64(const char *input, int32_t length);
    char *unbase64(unsigned char *input, int length);

    int main(void)
    {
        char str[] = "testencoding";
        char *ptr;

        ptr = base64(str, strlen(str));
        printf("Encoded string = %s\n", ptr);
        free(ptr);
        return 0;
    }

    char *base64(const char *input, int32_t length)
    {
        BIO *bmem = NULL, *b64 = NULL;
        char *buff;
        BUF_MEM *bptr;

        b64 = BIO_new(BIO_f_base64());
        bmem = BIO_new(BIO_s_mem());
        b64 = BIO_push(b64, bmem);
        BIO_write(b64, input, length);
        BIO_flush(b64);
        BIO_get_mem_ptr(b64, &bptr);
        buff = (char *)malloc(bptr->length + 1);
        memcpy(buff, bptr->data, bptr->length);
        buff[bptr->length] = 0;
        if (b64)
            BIO_free_all(b64);
        return buff;
    }

The output of the above code snippet is:

    dGVzdGVuY29kaW5n

Decoding of the same encoded text dGVzdGVuY29kaW5nCg== using the base64 openssl command:

    # base64 -d encode.txt > decode.txt

encode.txt - It contains encoded data
decode.txt - It contains decoded data

    # cat decode.txt
    testencoding

Decoding of the same encoded text dGVzdGVuY29kaW5nCg== using the OpenSSL API:

    char *unbase64(unsigned char *input, int length)
    {
        BIO *b64 = NULL, *bmem = NULL;
        char *buffer = (char *)malloc(length);

        memset(buffer, 0, length);
        b64 = BIO_new(BIO_f_base64());
        bmem = BIO_new_mem_buf(input, length);
        bmem = BIO_push(b64, bmem);
        BIO_read(bmem, buffer, length);
        if (bmem)
            BIO_free_all(bmem);
        return buffer;
    }

When the encoded data dGVzdGVuY29kaW5nCg== is passed to the above function, it returns NULL.

Please let me know why BIO_read is returning NULL on decoding, and also why the last bytes of the encoded data (using the OpenSSL API) differ from the encoded data produced by the openssl command.

Thanks
Best Regards,
Vinay
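Both posts in this thread come down to a single byte: the base64 command encoded the newline that data.txt ended with, and the C code then handed the decoder that one line with no newline after it. The Python below is an added example written for this page (not code from the thread or from OpenSSL; standard library only). It shows the two encodings side by side and models the line-oriented reading that a base64 BIO performs by default, where a buffer that lacks a terminating newline decodes to nothing unless the single-line mode (BIO_FLAGS_BASE64_NO_NL in OpenSSL) is selected. The inputs are constructed to match the thread; the decoder is a simplified stand-in for illustration, not OpenSSL's implementation.

```python
import base64

# Constructed inputs matching the thread: the file contents with and without
# the trailing newline that `base64 data.txt` encoded along with the text.
PLAIN = b"testencoding"
PLAIN_NL = b"testencoding\n"


def encode(data: bytes) -> bytes:
    """Base64 of exactly the bytes given; the CLI and the API agree on this."""
    return base64.b64encode(data)


def decode_line_oriented(buf: bytes, no_nl: bool = False) -> bytes:
    """Simplified model of a newline-delimited base64 reader (written for this example).

    no_nl=False: only complete, newline-terminated lines are decoded, so a
    buffer whose last line has no "\\n" yields nothing for that line.
    no_nl=True:  the whole buffer is one line and newlines are not expected.
    This mirrors the distinction BIO_f_base64 draws with BIO_FLAGS_BASE64_NO_NL;
    it is a stand-in for illustration, not OpenSSL's code.
    """
    if no_nl:
        return base64.b64decode(buf, validate=True)
    *complete, unterminated = buf.split(b"\n")  # 'unterminated' is never decoded
    return b"".join(base64.b64decode(line, validate=True) for line in complete)


def diagnose(encoded: bytes) -> list:
    """Name the pitfalls from the thread that a given encoded buffer hits."""
    findings = []
    if not encoded.endswith(b"\n"):
        findings.append("no trailing newline: a line-oriented decoder returns nothing")
    if decode_line_oriented(encoded.rstrip(b"\n"), no_nl=True).endswith(b"\n"):
        findings.append("decoded data ends in a newline: the source file contained one")
    return findings


if __name__ == "__main__":
    for data in (PLAIN, PLAIN_NL):
        print(data, "->", encode(data))
    cstring = encode(PLAIN_NL)                        # what the C code passed: nothing after "=="
    print(decode_line_oriented(cstring))              # b''
    print(decode_line_oriented(cstring + b"\n"))      # b'testencoding\n'
    print(decode_line_oriented(cstring, no_nl=True))  # b'testencoding\n'
    print(diagnose(cstring))
```

With a real BIO chain the equivalent choices are to append a newline to the buffer before reading, or to call BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL) on the base64 BIO, and in either case to use the byte count BIO_read returns rather than printing the zeroed buffer as a string.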
To reduce the size of the OpenSSL library
Hi All,

I am trying to reduce the size of the OpenSSL library due to memory constraints on our platform. I removed all the ciphers that are not required (idea, rc5, mdc2, ...):

    ./config no-rc2 no-md2 no-mdc2 no-idea no-rc5 no-bf no-krb5 no-cast no-zlib no-zlib-dynamic no-rfc3779 no-gmp no-camellia no-asm

I also used -Os (optimize for size) during compilation. How can the size of the library be reduced further? Please guide me.

Regards,
Vinay
Re: Error 20 at 0 depth lookup:unable to get local issuer certificate
Thank you. It worked fine after concatenating cert1.pem and cert2.pem into a single file.

Regards,
Vinay

sandeep kiran p wrote:
> The -untrusted argument to the verify command takes a single file containing multiple certificates concatenated together. Try adding cert1.pem and cert2.pem into a single file and check again.
>
> Thanks,
> Sandeep
>
> On Tue, Dec 14, 2010 at 12:00 PM, Vinay Kumar L vinaykuma...@globaledgesoft.com wrote:
>> Hi all,
>>
>> I have generated a certificate chain using OpenSSL (0.9.8e). The certificate hierarchy is as follows:
>>
>>     ca.pem -> cert1.pem -> cert2.pem -> last.pem
>>
>> OpenSSL doesn't give any error when verifying this certificate chain during TLS connection establishment (certificate chain verification is successful and the connection is established), but when it is verified using the OpenSSL command "openssl verify" it gives the following error:
>>
>>     # openssl verify -CAfile ca.pem -untrusted cert1.pem cert2.pem last.pem
>>     cert2.pem: OK
>>     last.pem: /C=IN/O=Xyz/OU=CableLabs Key Distribution Center/CN=kdc.xyz.com
>>     error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> The Subject and Issuer names in the certificates are correct. Please let me know the cause of the error and the changes required in the certificate hierarchy.
>>
>> Regards,
>> Vinay
Error 20 at 0 depth lookup:unable to get local issuer certificate
Hi all,

I have generated a certificate chain using OpenSSL (0.9.8e). The certificate hierarchy is as follows:

    ca.pem -> cert1.pem -> cert2.pem -> last.pem

OpenSSL doesn't give any error when verifying this certificate chain during TLS connection establishment (certificate chain verification is successful and the connection is established), but when it is verified using the OpenSSL command "openssl verify" it gives the following error:

    # openssl verify -CAfile ca.pem -untrusted cert1.pem cert2.pem last.pem
    cert2.pem: OK
    last.pem: /C=IN/O=Xyz/OU=CableLabs Key Distribution Center/CN=kdc.xyz.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

The Subject and Issuer names in the certificates are correct. Please let me know the cause of the error and the changes required in the certificate hierarchy.

Regards,
Vinay
Openssl certificate date issue
Hi all,

I am trying to generate a certificate which is valid for 20 years. As 20 years from the current date crosses the Unix end time (January 19, 2038 03:14:07 GMT), the certificate OpenSSL generates will have wrong dates (Not Before and Not After times), as follows:

    Validity
        Not Before: Oct 13 06:43:05 2010 GMT
        Not After : Jan 23 00:14:49 1902 GMT

Is there any way to generate a certificate which is valid for 20 years from the current date so that it will have correct validity times even if the 20 years cross the Unix end time? Please guide me.

Regards,
Vinay
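The pair of dates in the post is exactly what a 32-bit time_t produces. The notBefore shown is epoch second 1286952185; adding 10000 days (864000000 s) gives 2150952185, which is 3468538 s past the 2^31-1 limit, and read back as a signed 32-bit value that is -2144015111, i.e. Jan 23 00:14:49 1902 GMT, the notAfter in the post (a 7300-day term from the same notBefore would not yet cross the limit). The Python below is an added example written for this page, not code from the thread or from OpenSSL, and uses only the standard library: it reproduces the wrap and adds the pre-check a CA operator wants before choosing a -days value on a platform with a 32-bit time_t.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SECONDS_PER_DAY = 86400
INT32_MAX = 2**31 - 1            # 2038-01-19 03:14:07 UTC as a 32-bit time_t

# The notBefore printed in the post, used as the starting point throughout.
NOT_BEFORE = datetime(2010, 10, 13, 6, 43, 5, tzinfo=timezone.utc)


def to_epoch(dt: datetime) -> int:
    return int((dt - EPOCH).total_seconds())


def from_epoch(t: int) -> datetime:
    return EPOCH + timedelta(seconds=t)   # timedelta copes with negative t (pre-1970)


def wrap_int32(t: int) -> int:
    """Reinterpret t through a signed 32-bit time_t: bit 31 becomes the sign."""
    t &= 0xFFFFFFFF
    return t - 2**32 if t > INT32_MAX else t


def not_after(not_before: datetime, days: int, time_t_bits: int = 64) -> datetime:
    """notBefore + days, optionally squeezed through a 32-bit time_t."""
    t = to_epoch(not_before) + days * SECONDS_PER_DAY
    return from_epoch(wrap_int32(t) if time_t_bits == 32 else t)


def overflows_int32(not_before: datetime, days: int) -> bool:
    """Pre-check before issuing: does notBefore + days exceed a 32-bit time_t?"""
    return to_epoch(not_before) + days * SECONDS_PER_DAY > INT32_MAX


def max_days_int32(not_before: datetime) -> int:
    """Largest -days value from this notBefore that still fits a 32-bit time_t."""
    return (INT32_MAX - to_epoch(not_before)) // SECONDS_PER_DAY


MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def validity_line(dt: datetime) -> str:
    """Format as openssl prints validity, e.g. 'Oct 13 06:43:05 2010 GMT'."""
    return (f"{MONTHS[dt.month - 1]} {dt.day:2d} "
            f"{dt.hour:02d}:{dt.minute:02d}:{dt.second:02d} {dt.year} GMT")


if __name__ == "__main__":
    for days in (7300, 10000):
        print(f"-days {days}: 32-bit -> {validity_line(not_after(NOT_BEFORE, days, 32))}, "
              f"64-bit -> {validity_line(not_after(NOT_BEFORE, days))}, "
              f"overflow={overflows_int32(NOT_BEFORE, days)}")
    print("largest safe -days from this notBefore:", max_days_int32(NOT_BEFORE))
```

On a build with a 64-bit time_t the same 10000-day offset lands on Feb 28 06:43:05 2038 GMT, so the wrap is a property of the platform's time_t, not of the certificate format.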
Use of IMPLEMENT_ASN1_FUNCTIONS()
Hi All,

I found a code snippet as follows:

    ASN1_SEQUENCE(KDC_PRINCNAME) = {
        ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0),
        ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1)
    } ASN1_SEQUENCE_END(KDC_PRINCNAME);

    IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)

Here ASN1_SEQUENCE implements the ASN.1 sequence of KDC_PRINCNAME, but what is the functionality of IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)? Is it compulsory to include this after defining every ASN1_SEQUENCE? Please guide me.

Regards,
Vinay
Subject alternative name problem
Hi all,

I have to generate a KDC certificate containing a Subject Alternative Name extension, using openssl, which includes the following details:

    The KDC's X.509 certificate MUST contain name of the realm for that KDC and the principal name of the KDC (defined in RFC 1510bis) as the SubjectAltName version 3 extension. Below is the definition of this version 3 extension, as specified by the X.509 standard:

    subjectAltName EXTENSION ::= {
        SYNTAX GeneralNames
        IDENTIFIED BY id-ce-subjectAltName
    }

    GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
        otherName [0] OtherName,
        ...
    }

    OtherName ::= SEQUENCE {
        type-id OBJECT IDENTIFIER,
        value [0] EXPLICIT ANY DEFINED BY type-id
    }

    For the purpose of specifying a Kerberos principal name, the value in OtherName MUST be a KerberosName, defined as follows:

    KerberosName ::= SEQUENCE {
        realm [0] Realm,
        principalName [1] PrincipalName
    }

    This specific syntax is identified within subjectAltName by setting the type-id in OtherName to krb5PrincipalName, where (from the Kerberos specification) we have

    krb5 OBJECT IDENTIFIER ::= { iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) }
    krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }

Please suggest the SAN details that must be included in openssl.cnf for generating a KDC certificate containing the above-mentioned details as part of the Subject Alternative Name extension in the KDC certificate.

I have generated a KDC certificate by including the following lines in openssl.cnf:

    # Add id-pkinit-san (pkinit subjectAlternativeName)
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

    [kdc_princ_name]
    realm = EXP:0, GeneralString:${ENV::REALM}
    principal_name = EXP:1, SEQUENCE:kdc_principal_seq

    [kdc_principal_seq]
    name_type = EXP:0, INTEGER:1
    name_string = EXP:1, SEQUENCE:kdc_principals

    [kdc_principals]
    princ1 = GeneralString:krbtgt
    princ2 = GeneralString:${ENV::REALM}

Is it enough to include the above lines in openssl.cnf while generating the KDC certificate to add a Subject Alternative Name extension which satisfies the requirements mentioned at the beginning? Please guide me.

Regards,
Vinay
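Two threads on this page come down to DER structure: the KerberosName SAN described above, and the modulus/exponent thread earlier, whose openssl output shows the 2048-bit modulus as 257 bytes starting with 00. The following standard-library Python is an added example written for this page, not code from the thread, from OpenSSL, or from the cited specifications. It encodes the otherName SAN with the exact nesting the [kdc_princ_name] / [kdc_principal_seq] / [kdc_principals] sections describe (EXP:n becomes a context-specific [n] EXPLICIT tag; GeneralName's otherName alternative is IMPLICIT), decodes it back, and encodes an RSAPublicKey to show where the leading 00 byte comes from. The realm "EXAMPLE.REALM" is a constructed value, and the toy modulus is just the first eight bytes of the modulus printed in the earlier thread, not a usable key. DER is canonical, so the bytes can be compared against what openssl emits for the same config with openssl asn1parse.

```python
def der_len(n: int) -> bytes:
    """Length octets: short form below 0x80, long form (0x80 | count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def integer(value: int) -> bytes:
    """Non-negative INTEGER; an extra 0x00 is prepended when the top bit is set,
    which is why openssl prints a 2048-bit modulus as 00:dd:c6:... (257 bytes)."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def general_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))

def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def explicit(n: int, body: bytes) -> bytes:
    """[n] EXPLICIT (the config's EXP:n): context-specific constructed tag around the inner TLV."""
    return tlv(0xA0 | n, body)

OID_KRB5_PRINCIPAL_NAME = oid("1.3.6.1.5.2.2")   # the otherName type-id used in the config above

def kerberos_name(realm: str, components: list, name_type: int = 1) -> bytes:
    """KerberosName ::= SEQUENCE { realm [0] GeneralString, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString }"""
    return sequence(
        explicit(0, general_string(realm)),
        explicit(1, sequence(
            explicit(0, integer(name_type)),
            explicit(1, sequence(*(general_string(c) for c in components))),
        )),
    )

def san_krb5_principal(realm: str, components: list) -> bytes:
    """GeneralNames with one otherName { krb5PrincipalName, [0] EXPLICIT KerberosName }."""
    other_name = sequence(OID_KRB5_PRINCIPAL_NAME, explicit(0, kerberos_name(realm, components)))
    # GeneralName's otherName alternative is IMPLICITLY tagged [0]: the OtherName
    # SEQUENCE tag 0x30 is replaced by context-specific constructed 0xA0.
    return sequence(bytes([0xA0]) + other_name[1:])

def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse(buf: bytes) -> list:
    """List of (tag, value); constructed tags (bit 0x20) recurse into child lists."""
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        items.append((tag, parse(body) if tag & 0x20 else bytes(body)))
    return items

def principal_from_san(san: bytes):
    """Walk GeneralNames -> otherName -> KerberosName; return (realm, name_type, name_string)."""
    (_, general_names), = parse(san)
    (_, other_name), = general_names
    (_, type_id), (_, [(_, krb_name)]) = other_name
    if tlv(0x06, type_id) != OID_KRB5_PRINCIPAL_NAME:
        raise ValueError("otherName is not a krb5PrincipalName")
    (_, [(_, realm)]), (_, [(_, principal)]) = krb_name
    (_, [(_, name_type)]), (_, [(_, names)]) = principal
    return realm.decode(), int.from_bytes(name_type, "big"), [n.decode() for _, n in names]

def rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return sequence(integer(n), integer(e))

def rsa_params(der: bytes):
    (_, [(_, n), (_, e)]), = parse(der)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

if __name__ == "__main__":
    san = san_krb5_principal("EXAMPLE.REALM", ["krbtgt", "EXAMPLE.REALM"])   # constructed realm
    print(san.hex(), principal_from_san(san))
    toy_n = 0xDDC6443BC0390DE8   # first 8 bytes of the modulus in the thread; a toy value, not a key
    print(rsa_public_key(toy_n, 65537).hex())   # the INTEGER body starts 00 dd c6 ...
```

The decoder is deliberately strict about shape: a SAN whose otherName carries a different type-id, or a KerberosName with the tags in the wrong order, fails to unpack instead of silently yielding a principal, which is the behaviour a KDC-side validator wants.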
Re: Subject alternative name problem
Vinay Kumar L wrote:
> Hi all,
>
> I have to generate a KDC certificate containing a Subject Alternative Name extension, using openssl, which includes the following details:
> [...]
> Is it enough to include the above lines in openssl.cnf while generating the KDC certificate to add a Subject Alternative Name extension which satisfies the requirements mentioned at the beginning? Please guide me.
>
> Regards,
> Vinay