Re: How to convert certificate from .pem to .der format

2008-09-30 Thread delcour.pierre

praveens wrote:

I want to know the openssl APIs to convert a certificate from .pem to .der
format.
I know about the openssl command which does the same. But can you tell me
how to do it in a C program using openssl or any other method
  

Hi,

load your x509 file using

   FILE *f = fopen(fileName, "rb");
   X509 *loaded = PEM_read_X509(f, NULL, NULL, NULL);   // load in pem
   fclose(f);
   if (loaded == NULL)
       return -1;   // not a PEM certificate

save it :

   BIO *out = NULL;
   if ((out = BIO_new(BIO_s_file())) == NULL)
       return -1;
   if (BIO_write_filename(out, filename2) <= 0) {
       BIO_free(out);
       return -1;
   }
   if (!i2d_X509_bio(out, loaded)) {   // save it in der.
       BIO_free(out);
       return -1;
   }
   BIO_free(out);
   X509_free(loaded);
   return 0;   // success

fileName is the name of the PEM certificate file, filename2 is the name of
the DER certificate file.


(joke)You can also use syscall (/joke)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: The Authority Key ID extension

2008-09-08 Thread delcour.pierre

Silviu VLASCEANU wrote:

Hi,

Sorry to bother again, but I still haven't found how to add the 
Authority Key ID to a certificate, using openssl.

Please, I need some help with this. The details are below.

Thank you in advance,

--
Silviu

2008/9/3 Silviu VLASCEANU <[EMAIL PROTECTED]>


Hello everybody,

I need to copy the Subject Key ID (SKID) from the CA certificate
to the Authority Key ID (AKID) of a new certificate.
I have extracted the SKID with

AUTHORITY_KEYID *akid = X509_get_ext_d2i(ca_cert,
NID_subject_key_identifier, NULL, NULL);

How can I "put" akid in an X509_EXTENSION so that I can add the
latter to a new certificate with X509_add_ext(x, ex_akid, -1) ?

Thanks a lot,

-- 
Silviu



In my case, I set the AKI to this string :
"issuer:always,keyid:always".

It will display :
keyid:[...]   // the subject key id (keyid of the issuer)
DirName:[...] // the dn of the issuer's issuer
serial:[...]  // the serial of the issuer's issuer.


To set this AKI, I use this code :
   X509V3_CTX ctx;                                     // create a context
   X509V3_set_ctx(&ctx, issuer, son, NULL, NULL, 0);   // issuer signs son
   X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx,
       NID_authority_key_identifier, (char *)"issuer:always,keyid:always");
   if (ex == NULL)
       return -1;   // e.g. the issuer has no subjectKeyIdentifier, which keyid:always needs
   X509_add_ext(son, ex, -1);
   X509_EXTENSION_free(ex);   // X509_add_ext stores its own copy

with X509 *issuer, *son;



Remove Ask for a pass phrase

2008-08-28 Thread delcour.pierre

Hello everyone,

I'm trying to load a private key with this function :

EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);

I use it this way :
EVP_PKEY *key = PEM_read_PrivateKey(file, NULL, NULL, passwd);
with file a FILE* containing the correct file, and passwd a char*.
In this case :  passwd = NULL;

If I load a private key which needs a passphrase, the function asks me for the
pass phrase (in the konsole). I would like to "remove" this feature.


How can I have a NULL value returned instead of typing the required
pass phrase ?


Thanks in advance,
Have a nice day,
pierre


Re: Create a X509 from a string

2008-08-24 Thread delcour.pierre

delcour.pierre wrote:

Hello,

I didn't look at the mail archive. A similar question was sent.

Here is the link if you are interested :
http://www.mail-archive.com/openssl-users@openssl.org/msg52560.html

Sorry to disturb you.

Have a nice day,
pierre



Create a X509 from a string

2008-08-24 Thread delcour.pierre

Hello everyone,

I need to create an X509 certificate from a string. In fact, the string
contains the PEM value of the certificate without the "-BEGIN
CERTIFICATE-" and the "-END CERTIFICATE-".


Here you have an example : [...]

I don't want to create a temporary file on the HDD. I think there is a way
using the BIO feature, but I don't know how to use it. So how can I load
the base64-encoded string into a BIO struct in order to get an X509* struct
using the PEM_read_bio_X509() function ?


Thanks in advance,

Have a nice day,
pierre
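The question above and the PEM-to-DER thread at the top of this page are both about the same thing: PEM is base64 armour around DER bytes. The following Python is an added example, not code from the thread or from OpenSSL, and uses only the standard library; it shows what BIO_s_mem plus PEM_read_bio_X509 and i2d_X509 do at the byte level, re-wraps a bare base64 body into a PEM block, and goes one step further by splitting a concatenated chain file like the one in the "How to load a chain of certificates" thread. The DER blobs are constructed stand-ins, not real certificates.

```python
import base64
import re
from typing import List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body.

    This is what PEM_read_bio_X509 does before d2i_X509 parses the DER;
    the base64 body carries no information the DER does not.
    """
    text = pem.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("not a single PEM CERTIFICATE block")
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    # validate=True rejects anything outside the base64 alphabet, so the
    # line breaks have to be removed first
    return base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Armour DER bytes the way PEM_write_bio_X509 does: 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def bare_base64_to_pem(b64_body: str) -> str:
    """Re-wrap a body whose BEGIN/END lines were removed.

    Handing the result to a memory BIO and then to PEM_read_bio_X509 is
    the no-temporary-file route asked about above.
    """
    der = base64.b64decode("".join(b64_body.split()), validate=True)
    return der_to_pem(der)


_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(chain_text: str) -> List[bytes]:
    """Return every certificate of a concatenated chain file as DER, in file order."""
    return [pem_to_der(m.group(0)) for m in _PEM_BLOCK.finditer(chain_text)]


# Constructed stand-ins: tiny DER SEQUENCEs, not real certificates. A real
# X509 parser would reject them; the armouring code does not care.
SAMPLE_DER_1 = bytes.fromhex("3003020105")
SAMPLE_DER_2 = bytes.fromhex("3003020106")
SAMPLE_DER_3 = bytes.fromhex("3003020107")
SAMPLE_CHAIN = "".join(der_to_pem(d) for d in (SAMPLE_DER_1, SAMPLE_DER_2, SAMPLE_DER_3))
SAMPLE_BARE_BODY = "MAMCAQU="   # base64 of SAMPLE_DER_1 with the BEGIN/END lines removed

if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER_1))
    print("chain holds", len(split_pem_chain(SAMPLE_CHAIN)), "certificates")
    print("bare body round-trips:",
          pem_to_der(bare_base64_to_pem(SAMPLE_BARE_BODY)) == SAMPLE_DER_1)
```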


Re: How to compute all attributes of RSA private key from modulus and private exponent?

2008-08-24 Thread delcour.pierre

delcour.pierre wrote:

Metalpalo wrote:

Hello

I have got one question:

Is there some way to compute all attributes of a private key from
the modulus and private exponent?
I think as public exponent, prime1, prime2, exp1, exp2...

Thanks  

My previous answer doesn't answer your question, sorry, my mistake.

Have a nice day,
pierre


Re: How to compute all attributes of RSA private key from modulus and private exponent?

2008-08-20 Thread delcour.pierre

Metalpalo wrote:

Hello

I have got one question:

Is there some way to compute all attributes of a private key from
the modulus and private exponent?
I think as public exponent, prime1, prime2, exp1, exp2...

Thanks
  

If you want to generate an RSA key with openssl code (not on the command line) :

   RSA *rsa_ori = RSA_new();         // create a new rsa
   BIGNUM *e = BN_new();             // create a new BN
   EVP_PKEY *key = EVP_PKEY_new();   // create a blank one

   // set the BN value with the future exponent, written in hexa (i.e. "010001" = 65537)
   if (!BN_hex2bn(&e, "010001"))
       return -1;   // Error : can't set the exponent

   // second argument is the key length in bits (i.e. 1024);
   // if the generation runs badly -> throw error
   if (!RSA_generate_key_ex(rsa_ori, 1024, e, NULL))
       return -1;   // Error : key can't be generated

   // if can't put the rsa (public and private part) in evp -> throw error
   // EVP_PKEY_set1_RSA takes its own reference, so no RSAPrivateKey_dup is needed
   if (EVP_PKEY_set1_RSA(key, rsa_ori) < 1)
       return -1;   // Error : key can't be set.
   BN_free(e);
   RSA_free(rsa_ori);   // key keeps its own reference

Here both the RSA struct and the EVP_PKEY struct contain all the numbers needed to
generate an rsa key.


I hope my answer helps you ;)
Have a nice day,
pierre


Re: X509_CRL_dup() problem ?

2008-08-13 Thread delcour.pierre

Dr. Stephen Henson wrote:

On Mon, Aug 11, 2008, delcour.pierre wrote:

  

Hello everyone,

I try to add a certificate in a CRL. To do that, I use an X509* cert and an
X509_CRL* crl with this algorithm :


X509_REVOKED *r = X509_REVOKED_new();
X509_CRL_INFO *ci = crl->crl;
// copy the serial : sharing cert's ASN1_INTEGER would free it twice
ASN1_INTEGER_free(r->serialNumber);
r->serialNumber = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
if (!ci->revoked)
   ci->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
if (!sk_X509_REVOKED_push(ci->revoked, r))
   return false;
ASN1_UTCTIME_set(r->revocationDate, time(NULL));
ASN1_UTCTIME_set(ci->lastUpdate, time(NULL));
sk_X509_REVOKED_num(ci->revoked); // here I see a X value

After the previous code, I duplicate the X509_CRL :

X509_CRL* xrl = X509_CRL_dup( crl );
sk_X509_REVOKED_num( crl->crl->revoked ); // here I see the same X value as
above

sk_X509_REVOKED_num( xrl->crl->revoked ); // here I see a X-1 value.

After the duplication, the added certificate has disappeared ! What am I
missing ?





Well that CRL will be useless because its signature is wrong. If you call
X509_CRL_sign() to modify the signature it should work.

The reason you get that issue is that an X509_CRL contains a cache of the
encoding of the signed portion to speed up signature calculation. If you
really want to have a CRL with an invalid signature you can manually mark the
cached version as invalid with:

x->crl->enc.modified = 1;

Hi,

Thank you very much, with the invalid cached version it's working :

Have a nice day,
pierre.


X509_CRL_dup() problem ?

2008-08-11 Thread delcour.pierre

Hello everyone,

I try to add a certificate in a CRL. To do that, I use an X509* cert and an
X509_CRL* crl with this algorithm :


X509_REVOKED *r = X509_REVOKED_new();
X509_CRL_INFO *ci = crl->crl;
// copy the serial : sharing cert's ASN1_INTEGER would free it twice
ASN1_INTEGER_free(r->serialNumber);
r->serialNumber = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
if (!ci->revoked)
   ci->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
if (!sk_X509_REVOKED_push(ci->revoked, r))
   return false;
ASN1_UTCTIME_set(r->revocationDate, time(NULL));
ASN1_UTCTIME_set(ci->lastUpdate, time(NULL));
sk_X509_REVOKED_num(ci->revoked); // here I see a X value

After the previous code, I duplicate the X509_CRL :

X509_CRL* xrl = X509_CRL_dup( crl );
sk_X509_REVOKED_num( crl->crl->revoked ); // here I see the same X value
as above

sk_X509_REVOKED_num( xrl->crl->revoked ); // here I see a X-1 value.

After the duplication, the added certificate has disappeared ! What am I
missing ?


Thanks in advance,
have a nice day,
pierre.


Re: How to load a chain of certificates ?

2008-06-21 Thread delcour.pierre

delcour.pierre wrote:

Hello,

Ariel Salomon wrote:


Hi Pierre,

 If you are using this certificate chain for an SSL connection, use 
SSL_CTX_use_certificate_chain_file which does precisely what you are 
asking.  If you are just looking for a way to load this chain for 
other uses, the source code for that function should help you out.


take a look at the man page:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

 - Ariel

delcour.pierre wrote:

Hello everyone,

I have to load a chain of x509v3 certificates which is only one file,
like this one (I cut it):

-BEGIN CERTIFICATE-
MIIEjjC[...]7DjKlgcOcx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEfzC[...]ds0pfH
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEeT[...]AxQv6oN
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEdjC[...]1zwDx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEcjC[...]WziILI=
-END CERTIFICATE-

So, how can I load it thanks to openssl ?

Thanks for your answer. I took a look at this page, and I wrote this
code :


   SSL_CTX *ctx = NULL;
   ctx = SSL_CTX_new(SSLv23_method());
   cout << SSL_CTX_use_certificate_chain_file(ctx,
       "/home/pierred/chain/cert.chain.pem") << endl;


I only got a segmentation fault. After looking at the source code of
SSL_CTX_use_certificate_chain_file, I found that the seg. fault is
due to this line :

ret=SSL_CTX_use_certificate(ctx,x);

I thought I had to use another function instead of "SSLv23_method()".
I tried SSLv3_method(), but no change.


I'm using openssl 0.9.8g on kubuntu 8.04.

Thanks in advance,
pierre delcour.

Answer :

   SSL_CTX *ctx = NULL;
   if (!SSL_library_init())   // without this SSL_CTX_new() has no ciphers and returns NULL
       return -1;
   if (!(ctx = SSL_CTX_new(TLSv1_method())))
       return -1;
   if (SSL_CTX_set_default_verify_paths(ctx) != 1)
       return -1;
   if (SSL_CTX_use_certificate_chain_file(ctx, chain_filename) != 1)
       return -1;

All the certificates are in the STACK_OF(X509)* : ctx->extra_certs

Have a nice day


Re: How to extract subjectAltName

2008-06-18 Thread delcour.pierre

Gerhard Gappmeier wrote:

Hi,

I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
For the X509_NAME entries the same procedure works,
but this ASN1_STRING seems to be different.

In the debugger I can already see the ASN1_STRING:
pString->length = 43
pString->type = 4
pString->data = "0)†urn:x:bla‚ xxx"
pString->flags = 0

Code snippet:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1);
pExt = X509_get_ext(m_pCert, loc);
if (pExt)
{
ASN1_STRING *pString = X509_EXTENSION_get_data(pExt);
length = ASN1_STRING_to_UTF8((unsigned char**)&pBuffer, pString);
ret.subjectAltName = pBuffer;
OPENSSL_free(pBuffer);
}
return ret;
}

regards,
Gerhard



Hello,

To get data from an X509v3 cert, I use the bio functions :

   char buffer[BUFFER_SIZE];
   int len;
   BIO *bio = BIO_new(BIO_s_mem());
   X509_EXTENSION *ex = X509_get_ext(_d_cert, i);   // get the i-th extension
   if (!X509V3_EXT_print(bio, ex, 0, 0))             // print the text of this extension
       M_ASN1_OCTET_STRING_print(bio, ex->value);    // unknown extension : dump the raw value
   len = BIO_read(bio, buffer, BUFFER_SIZE - 1);     // here buffer contains the text, len its length
   if (len < 0)
       len = 0;
   buffer[len] = '\0';                               // add the terminating NUL, buffer contains a readable text
   BIO_free(bio);


Hope it can help you ;)


Re: How to load a chain of certificates ?

2008-06-17 Thread delcour.pierre

delcour.pierre wrote:

Hello,

Ariel Salomon wrote:


Hi Pierre,

 If you are using this certificate chain for an SSL connection, use 
SSL_CTX_use_certificate_chain_file which does precisely what you are 
asking.  If you are just looking for a way to load this chain for 
other uses, the source code for that function should help you out.


take a look at the man page:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

 - Ariel

delcour.pierre wrote:

Hello everyone,

I have to load a chain of x509v3 certificates which is only one file,
like this one (I cut it):

-BEGIN CERTIFICATE-
MIIEjjC[...]7DjKlgcOcx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEfzC[...]ds0pfH
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEeT[...]AxQv6oN
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEdjC[...]1zwDx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEcjC[...]WziILI=
-END CERTIFICATE-

So, how can I load it thanks to openssl ?

Thanks for your answer. I took a look at this page, and I wrote this
code :


   SSL_CTX *ctx = NULL;
   ctx = SSL_CTX_new(SSLv23_method());
   cout << SSL_CTX_use_certificate_chain_file(ctx,
       "/home/pierred/chain/cert.chain.pem") << endl;


I only got a segmentation fault. After looking at the source code of
SSL_CTX_use_certificate_chain_file, I found that the seg. fault is
due to this line :

ret=SSL_CTX_use_certificate(ctx,x);

I thought I had to use another function instead of "SSLv23_method()".
I tried SSLv3_method(), but no change.


I'm using openssl 0.9.8g on kubuntu 8.04.

Thanks in advance,
pierre delcour.

Hello,

I'm still looking for a solution to this problem...

Thanks in advance
pierre delcour



X509_dup bug ?

2008-06-11 Thread delcour.pierre

Hello,

I wrote this code :
X509* CA = X509_new();
X509* cert = X509_dup ( CA );

Each time I got a segmentation fault when I use cert (cert == NULL is
true). For me, X509_dup duplicates the given X509 certificate, so I don't
think that cert == NULL is a good behavior. I'm using openssl 0.9.8g
with kubuntu 8.04 64bit edition.


Am I right ?


Re: how to add an extension to a X509 certificate ? the answer

2008-06-11 Thread delcour.pierre

Hello, here is the solution to my problem :

I want to have this extension in my X509v3 certificate :

X509v3 Authority Key Identifier:
keyid:6B:FC:14:20:72:EE:15:6E:D1:29:7A:4D:40:69:90:F7:AE:B1:3A:FF
DirName:/O=o/OU=ou/CN=vn/dnQualifier=a/wUIHLuFW7RKXpNQGmQ966xOv8=
serial:01

To make this possible, you will need to write this code : (_d_cert is an
X509*)


X509_EXTENSION *ex;   // create a new extension
X509V3_CTX ctx;       // create a context
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0);   // here, it means self signed certificate
ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier,
                         "issuer:always,keyid:always");

if (ex == NULL)
   return 0;   // run badly :( (e.g. _d_cert has no subjectKeyIdentifier yet, which keyid:always needs)

X509_add_ext(_d_cert, ex, -1);   // add it to the certificate extensions (at the end of the stack)

X509_EXTENSION_free(ex);         // free temp extension (X509_add_ext stored its own copy)
return 1;


Re: How to load a chain of certificates ?

2008-06-09 Thread delcour.pierre

Hello,

Ariel Salomon wrote:


Hi Pierre,

 If you are using this certificate chain for an SSL connection, use 
SSL_CTX_use_certificate_chain_file which does precisely what you are 
asking.  If you are just looking for a way to load this chain for 
other uses, the source code for that function should help you out.


take a look at the man page:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

 - Ariel

delcour.pierre wrote:

Hello everyone,

I have to load a chain of x509v3 certificates which is only one file,
like this one (I cut it):

-BEGIN CERTIFICATE-
MIIEjjC[...]7DjKlgcOcx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEfzC[...]ds0pfH
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEeT[...]AxQv6oN
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEdjC[...]1zwDx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEcjC[...]WziILI=
-END CERTIFICATE-

So, how can I load it thanks to openssl ?

Thanks for your answer. I took a look at this page, and I wrote this
code :


  SSL_CTX *ctx = NULL;
  ctx = SSL_CTX_new(SSLv23_method());
  cout << SSL_CTX_use_certificate_chain_file(ctx,
      "/home/pierred/chain/cert.chain.pem") << endl;


I only got a segmentation fault. After looking at the source code of
SSL_CTX_use_certificate_chain_file, I found that the seg. fault is due
to this line :

ret=SSL_CTX_use_certificate(ctx,x);

I thought I had to use another function instead of "SSLv23_method()".
I tried SSLv3_method(), but no change.


I'm using openssl 0.9.8g on kubuntu 8.04.

Thanks in advance,
pierre delcour.


Re: how to add an extension to a X509 certificate ?

2008-06-09 Thread delcour.pierre

Dr. Stephen Henson wrote:

On Fri, Jun 06, 2008, delcour.pierre wrote:

  

Hello everyone,

I have a different problem now. I want to add a "X509v3 Authority Key 
Identifier" field in a x509v3 certificate.

This field must have these three parts :
- keyid (the keyid of the issuer)
- dirname (the same string as issuer field)
- serial (of issuer)




Actually that's not true. It must have keyid and/or both dirname and serial.
It is quite acceptable (and a good idea) to just use keyid.

  

int type = NID_authority_key_identifier;
char* value = "keyid:A6:40:81:F6:3E:4A:AC:08:E7:76:17:01:91:CD:DF:39:D7:CB:FC:14, "
              "DirName:O=O, OU=OU, CN=CN/dnQualifier=pkCB9j5KrAjndhcBkc3fOdfL/BQ=, "
              "serial:01\n";   // here I'm not sure how to write it.
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0);   // self signed

ex = X509V3_EXT_conf_nid(NULL, &ctx, type, value);
if (ex == NULL)
   throw Odici_exception(DEV_NULL_ERR, "Error in "
       "Certificate::setV3Extention(), Extensions can't be set");
X509_add_ext(_d_cert, ex, -1);
X509_EXTENSION_free(ex);   // free temp extension


With this value, if there is no exception thrown, I only have the keyid
part...


How can I set this extension ??



If you really want to have both you need to include the appropriate
issuer certificate in the session context, then it is used automatically if
you use the correct value syntax.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


  

Hello,

Thanks for your answer. In my case I really need the 3 fields. But if I
want to use this function with a self signed certificate, how can I do it ?




Re: how to add an extension to a X509 certificate ?

2008-06-06 Thread delcour.pierre

Hello everyone,

I have a different problem now. I want to add a "X509v3 Authority Key 
Identifier" field in a x509v3 certificate.

This field must have these three parts :
- keyid (the keyid of the issuer)
- dirname (the same string as issuer field)
- serial (of issuer)



int type = NID_authority_key_identifier;
char* value = "keyid:A6:40:81:F6:3E:4A:AC:08:E7:76:17:01:91:CD:DF:39:D7:CB:FC:14, "
              "DirName:O=O, OU=OU, CN=CN/dnQualifier=pkCB9j5KrAjndhcBkc3fOdfL/BQ=, "
              "serial:01\n";   // here I'm not sure how to write it.
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0);   // self signed

ex = X509V3_EXT_conf_nid(NULL, &ctx, type, value);
if (ex == NULL)
   throw Odici_exception(DEV_NULL_ERR, "Error in "
       "Certificate::setV3Extention(), Extensions can't be set");
X509_add_ext(_d_cert, ex, -1);
X509_EXTENSION_free(ex);   // free temp extension


With this value, if there is no exception thrown, I only have the keyid
part...


How can I set this extension ??


Set X509v3 Authority Key Identifier with openssl0.9.8g

2008-06-03 Thread delcour.pierre

Hello,

I try to set a "X509v3 Authority Key Identifier" extension with this 
value : 
"keyid:6B:FC:14:20:72:EE:15:6E:D1:29:7A:4D:40:69:90:F7:AE:B1:3A:FF\nDirName:/O=O/OU=DC.OU/CN=.ROOT.CN/dnQualifier=a/wUIHLuFW7RKXpNQGmQ966xOv8=\nserial:01\0"


With this code :
X509 *_d_cert;   // loaded from a file
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0);   // self signed


ex = X509V3_EXT_conf_nid(NULL, &ctx, 90 /* NID_authority_key_identifier */, value);
if (ex == NULL)
  cout << "Error, extensions can't be set";

When I use this code (valid) to see the extension :

BIO *bio = BIO_new(BIO_s_mem());
int len = 0;
char buffer[BUFFER_SIZE];   // must hold BUFFER_SIZE - 1 chars plus the NUL
if (!X509V3_EXT_print(bio, ex, 0, 0))   // read the text of this extension
   M_ASN1_OCTET_STRING_print(bio, ex->value);
len = BIO_read(bio, buffer, BUFFER_SIZE - 1);   // here buffer contains the
text, len its length
if (len < 0)
   len = 0;
buffer[len] = '\0';   // add the terminating NUL
cout << buffer << endl;

I only got this : 
"keyid:6B:FC:14:20:72:EE:15:6E:D1:29:7A:4D:40:69:90:F7:AE:B1:3A:FF"


How can I fix my problem ?

Thanks in advance
pierre delcour.
[EMAIL PROTECTED]


how to add an extension to a X509 certificate ?

2008-05-28 Thread delcour.pierre

Hello everyone,

I would like to add an extension to a X509v3 certificate.
I wrote :
void Addmyextension(X509* cert, int nid, char* value, bool crit)
{
    X509_EXTENSION* ex = X509_EXTENSION_new();
    ex->object = OBJ_nid2obj(nid);

    crit ? ex->critical = 0xff : ex->critical = -1;     // Question 1
    ASN1_STRING_set(ex->value, value, strlen(value));   // Question 2
    X509_add_ext(cert, ex, -1);
    cout << " A :" << toHex(ex->value->data) << endl;
}

Question 1 :
Are 0xff and -1 good values for the critical state ? I found these in
x509_v3.c line 240...


Question 2 :
I don't think this line is good.
When I set the same text as I found in another extension, I don't have the
same value in the asn1_string :


STACK_OF(X509_EXTENSION)* sk_ext = cert->cert_info->extensions;
X509_EXTENSION *ex2 = sk_X509_EXTENSION_value(sk_ext, 1);
cout << "B :" << toHex(ex2->value->data) << endl;

I get :
A :43413A54525545
B :30030101FF

But this value must be the same (value = "CA:TRUE", A is the hexadecimal
code of this char*). So I think my Addmyextension is not good.
I have a get function to convert the stack of extensions to a map. I
think I must create a similar function (which probably uses BIO) to set
an extension.


map<int, string> Certificate::getV3ext()
{
   map<int, string> extension;
   ASN1_OBJECT *obj;
   // bio struct is used to read the X509_EXTENSION in this case (like a
   // stream in c++)
   BIO *bio = BIO_new(BIO_s_mem());
   int i, len, n = X509_get_ext_count( _d_cert );
   char buffer[BUFFER_SIZE];
   X509_EXTENSION *ex;
   for (i = 0; i < n; i++) {
       string text;
       ex = X509_get_ext( _d_cert, i );                 // get the i-th extension
       obj = X509_EXTENSION_get_object(ex);             // its OID
       int type = OBJ_obj2nid(obj);                     // convert it to integer
       cout << "type  " << type << " " << string(OBJ_nid2ln(type)) << endl;
       if (X509_EXTENSION_get_critical(ex))             // if critical
           text = CRITICAL_TEXTE;                       // add "critical, " text to the string
       if (!X509V3_EXT_print(bio, ex, 0, 0))            // read the text of this extension
           M_ASN1_OCTET_STRING_print(bio, ex->value);   // unknown extension : dump the raw value
       len = BIO_read(bio, buffer, BUFFER_SIZE - 1);    // here buffer contains the text, len its length
       if (len < 0)
           len = 0;
       buffer[len] = '\0';                              // add the terminating NUL
       text += buffer;                                  // add the read text to the string
       extension.insert(make_pair(type, text));         // put it in the map
   }
   BIO_free(bio);                                       // clear the bio "stream"
   return extension;                                    // return the map
}

But I can't find how to use the BIO feature to add an extension.


Thanks in advance,
pierre delcour


How to load a chain of certificates ?

2008-05-27 Thread delcour.pierre

Hello everyone,

I have to load a chain of x509v3 certificates which is only one file, 
like this one (I cut it):


-BEGIN CERTIFICATE-
MIIEjjC[...]7DjKlgcOcx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEfzC[...]ds0pfH
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEeT[...]AxQv6oN
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEdjC[...]1zwDx
-END CERTIFICATE-
-BEGIN CERTIFICATE-
MIIEcjC[...]WziILI=
-END CERTIFICATE-

So, how can I load it thanks to openssl ?



Re: [EVP_PKEY] How to duplicate it ?

2008-05-26 Thread delcour.pierre

Thomas Mangold wrote:

Why not just copy the key?

EVP_PKEY *cp_key (EVP_PKEY *pkey) {

  /* error handling omitted */
  EVP_PKEY *pnew = EVP_PKEY_new();

  /* note: this shares the underlying key object (reference counted)
   * between both EVP_PKEYs, it is not a deep copy */
  switch (pkey->type) {
  case EVP_PKEY_RSA: {
    RSA *rsa = EVP_PKEY_get1_RSA(pkey);   /* get1 takes a reference ... */
    EVP_PKEY_set1_RSA(pnew, rsa);          /* ... set1 takes its own, so drop ours */
    RSA_free(rsa);
    break;
  }
  case EVP_PKEY_DSA: {
    DSA *dsa = EVP_PKEY_get1_DSA(pkey);
    EVP_PKEY_set1_DSA(pnew, dsa);
    DSA_free(dsa);
    break;
  }
  case EVP_PKEY_DH: {
    DH *dh = EVP_PKEY_get1_DH(pkey);
    EVP_PKEY_set1_DH(pnew, dh);
    DH_free(dh);
    break;
  }
  case EVP_PKEY_EC: {
    EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
    EVP_PKEY_set1_EC_KEY(pnew, ec);
    EC_KEY_free(ec);
    break;
  }
  default:
    fprintf(stderr, "unknown key type %d\n", pkey->type);
  }

  return pnew;
}

Thomas



Hello,

this way doesn't work in my case (I think) :

EVP_PKEY* to = cp_key(from);
cout << EVP_PKEY_cmp_parameters(from, to);

this code displays -1, so I think the duplication doesn't work.


[EVP_PKEY] How to duplicate it ?

2008-05-23 Thread delcour.pierre

Hello everyone,

I would like to duplicate an EVP_PKEY struct.


I wrote this not working code:
   BIO *bout = BIO_new(BIO_s_mem());
   if (!PEM_write_bio_PrivateKey(bout, key, NULL, NULL, 0, NULL, NULL))   // unencrypted PEM into the memory buffer
       cout << "write failed" << endl;
   key = PEM_read_bio_PrivateKey(bout, NULL, NULL, NULL);   // read it back as a new EVP_PKEY
   cout << (key == NULL) << endl;
   BIO_free(bout);   // destroy the buffer
   return key;

Each time, the cout displays 1 (key is NULL), I don't know why.

So is there a way to duplicate it ??


Re: Public key from a x509v3 certificate

2008-04-17 Thread delcour.pierre

Hello,

David Schwartz wrote:

If you want to compare the DER encodings, you need to get the DER encoding,
not the number. If you want to compare the numbers, '03' should compare
equal to '3' anyway. What are you trying to do?

DS

I just want to extract the public key to store it in another place.

So i think I don't need this artefact.

Delcour pierre
[EMAIL PROTECTED]


Re: Public key from a x509v3 certificate

2008-04-16 Thread delcour.pierre

Hello,

Thanks for the answer, but I still have a little problem when I run
this code :


EVP_PKEY *key2 = X509_get_pubkey(certif.getX509Certificate());
char *hex = BN_bn2hex(key2->pkey.rsa->n);   // BN_bn2hex allocates, free it after use
cout << hex;
OPENSSL_free(hex);
EVP_PKEY_free(key2);   // X509_get_pubkey returns a new reference

I miss the first 00 of the public key...
How can I get them ?



[EMAIL PROTECTED] wrote:

Hello,

[EMAIL PROTECTED] wrote on 04/15/2008 06:30:10 PM:

  

Hello,

I'm looking to get back the public key from a x509 v3 certificate.

I use the function ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(X509 *certificate);
but I don't get what I want :
I get (from a conversion to hexadecimal thanks to : cout << setw(2) <<
setfill('0') << right << hex << (int) key->data[c]; )
30:82:01:0A:02:82:01:01:___the_public_key___:02:03:01:00:01

How can I get only the public key ?


Try X509_get_pubkey().

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>



  




Public key from a x509v3 certificate

2008-04-16 Thread delcour.pierre

Hello,

I'm looking to get back the public key from a x509 v3 certificate.

I use the function ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(X509 *certificate);
but I don't get what I want :
I get (from a conversion to hexadecimal thanks to : cout << setw(2) <<
setfill('0') << right << hex << (int) key->data[c]; )

30:82:01:0A:02:82:01:01:___the_public_key___:02:03:01:00:01

How can I get only the public key ?

Thanks in advance,
Have a nice day

Pierre delcour
[EMAIL PROTECTED]

ps :  30:82:01:0A:02:82:01:01 appears for a 2048 bit key. 01:00:01 seems 
to be the exponent.

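The byte string quoted above is the PKCS #1 RSAPublicKey SEQUENCE { modulus INTEGER, publicExponent INTEGER } that X509_get0_pubkey_bitstr returns, and the leading 00 missed in the follow-up reply is the DER sign byte of the modulus INTEGER, which BN_bn2hex drops because it is not part of the number. The following Python is an added example, not code from the thread or from OpenSSL, standard library only; it encodes and parses that structure with a constructed 2048-bit sample value (not a real modulus) to reproduce the 30:82:01:0A:02:82:01:01 ... 02:03:01:00:01 layout.

```python
from typing import Tuple


def der_encode_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_encode_integer(value: int) -> bytes:
    """DER INTEGER (non-negative only). Two's-complement means a leading 0x00
    is inserted whenever the first content byte has its top bit set, which is
    always the case for an RSA modulus of exactly 2048 bits."""
    if value < 0:
        raise ValueError("negative integers are not needed for RSA keys")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_encode_length(len(body)) + body


def der_encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_encode_integer(n) + der_encode_integer(e)
    return b"\x30" + der_encode_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: (first & 0x7f) length bytes follow
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def split_rsa_public_key(der: bytes) -> Tuple[bytes, bytes]:
    """Return the raw INTEGER contents (modulus, exponent), sign byte included."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE covering the whole buffer")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return n_bytes, e_bytes


def der_decode_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """The numbers BN_bn2hex shows: the leading 0x00 disappears here because it
    is a sign byte of the encoding, not part of the modulus."""
    n_bytes, e_bytes = split_rsa_public_key(der)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# Constructed sample: a 2048-bit odd number, NOT a real modulus (not a product
# of two primes); it only needs the top bit set to reproduce the wire layout.
SAMPLE_N = (1 << 2047) | 0x1234567
SAMPLE_E = 65537
SAMPLE_DER = der_encode_rsa_public_key(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print(SAMPLE_DER[:8].hex(":").upper(), "...", SAMPLE_DER[-5:].hex(":").upper())
    n_bytes, _ = split_rsa_public_key(SAMPLE_DER)
    print("modulus on the wire:", len(n_bytes), "bytes, first byte", n_bytes[0])
    print("round trip ok:", der_decode_rsa_public_key(SAMPLE_DER) == (SAMPLE_N, SAMPLE_E))
```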