RE: PEM_read_bio_RSA_PUBKEY
I did that already and saw already that BIO_gets is called. I just left
the question open since I don't understand the reason behind this. It
forces me to use a buffer BIO that I only need for that one read. But I
agree that this is a workaround that is doable
>> Is it possible that PEM_read_bio_RSA_PUBKEY uses BIO_gets internally
>
> Sometimes the best answer to that sort of question -- sadly, perhaps, but
> true nonetheless -- is to look at the source code. Not so hard to read as
> I
> had at first supposed.
>
> Charles
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carolin Latze
> Sent: Tuesday, September 04, 2012 5:03 AM
> To: openssl-users@openssl.org
> Subject: RE: PEM_read_bio_RSA_PUBKEY
>
> Hi,
>
> I went on reading about this error and figured out that the socket bio
> does not support the BIO_gets method. Is it possible that
> PEM_read_bio_RSA_PUBKEY uses BIO_gets internally and is therefore not
> really compatible with a socket bio?
>
> In order to verify that I created a buffer BIO (BIO_f_buffer()) on top of
> the socket bio for the read function. And this just works. Is this the
> desired way to do this? I can live with it, but since it was not
> documented (or maybe I just missed it), I did not expect it.
>
> best regards and thanks a lot again for the help
> Carolin
>
>> Hi Dave
>>
>> thanks a lot for the explanation. That makes a lot clearer to me. I
> added
>> some code to read out possible errors and there is none on the write
> method. However there is a strange one on read:
>>
>> error code pubkey: 537297017 in bio_lib.c line 297.
>> error data:
>> error string: error:20068079:BIO routines:BIO_gets:unsupported method
> error code pubkey: 151441516 in pem_lib.c line 696.
>> error data:
>> error string: error:0906D06C:PEM routines:PEM_read_bio:no start line
>>
>> For me that sounds as if it does not fine the "- BEGIN PUBKEY "
> line. So I checked with wireshark and it is there. The PEM string is
> distributed over 3 packets but it is continuous data (there is no other
> data in those packets). So where does this error come from? Any ideas? I
> cannot do anything about the method here, right?
>>
>> BTW I checked that this error is really triggered by the read function
> and
>> not by any BIO function before that function.
>>
>> best regards
>> Carolin
>>
>>>> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent:
>> Monday, 03 September, 2012 13:39
>>>> I try to send an RSA public from one entity to another using socket
>> BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do
> that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the
>>>> same behaviour in my case. The write function seems to work just fine.
>> I
>>>> am able to see the public key on the wire (using wireshark). However,
>> the read function just crashes. It looks as if it reads an endless
> amount of data and I have no idea why. Are those function
>>>> actually meant
>>>> to send data over a socket bio?
>>> The PEM routines are meant to send or store over practically any
>> channel. The DER routines are meant to send/store over any 8-bit clean
> channel, which many socket protocols also do. (TCP/IP itself and a plain
> socket does, but some protocols built on top of TCP/IP like SMTP and
> HTTP don't, while some like FTP do.)
>>> Either pair should work, but mixing them should not. The RSAPublicKey
>> routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use
> the generic X.509 PublicKeyInfo format which *contains* the PKCS#1.
> Although semantically equivalent, these are not the same thing.
>>> But if you get this (or pretty much anything else) wrong, the read
>> routine shouldn't crash. It should return null with error information
> stored in the error queue; this is not the same as either crashing or
> reading endlessly. In fact reading endlessly wouldn't crash either by my
> definition so I can't guess what you mean actually happens.
>>>> This is how I call them:
>>>> on party A:
>>>> RSA rsa;
>>>>
>>>> PEM_write_bio_RSA_PUBKEY(sockbio,rsa);
>>>> on party B:
>>>> rsa = RSA_new();
>>>> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0);
>>>> Something wrong with the way I call the functions?
>>> If you are mismatching RSA_PUBKEY to RSAPublicKey see above.
>>> Even if not, you definitely should check for err
RE: PEM_read_bio_RSA_PUBKEY
Hi,
I went on reading about this error and figured out that the socket bio
does not support the BIO_gets method. Is it possible that
PEM_read_bio_RSA_PUBKEY uses BIO_gets internally and is therefore not
really compatible with a socket bio?
In order to verify that I created a buffer BIO (BIO_f_buffer()) on top of
the socket bio for the read function. And this just works. Is this the
desired way to do this? I can live with it, but since it was not
documented (or maybe I just missed it), I did not expect it.
best regards and thanks a lot again for the help
Carolin
> Hi Dave
>
> thanks a lot for the explanation. That makes a lot clearer to me. I
added
> some code to read out possible errors and there is none on the write
method. However there is a strange one on read:
>
> error code pubkey: 537297017 in bio_lib.c line 297.
> error data:
> error string: error:20068079:BIO routines:BIO_gets:unsupported method
error code pubkey: 151441516 in pem_lib.c line 696.
> error data:
> error string: error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> For me that sounds as if it does not fine the "- BEGIN PUBKEY "
line. So I checked with wireshark and it is there. The PEM string is
distributed over 3 packets but it is continuous data (there is no other
data in those packets). So where does this error come from? Any ideas? I
cannot do anything about the method here, right?
>
> BTW I checked that this error is really triggered by the read function
and
> not by any BIO function before that function.
>
> best regards
> Carolin
>
>>> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent:
> Monday, 03 September, 2012 13:39
>>> I try to send an RSA public from one entity to another using socket
> BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do
that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the
>>> same behaviour in my case. The write function seems to work just fine.
> I
>>> am able to see the public key on the wire (using wireshark). However,
> the read function just crashes. It looks as if it reads an endless
amount of data and I have no idea why. Are those function
>>> actually meant
>>> to send data over a socket bio?
>> The PEM routines are meant to send or store over practically any
> channel. The DER routines are meant to send/store over any 8-bit clean
channel, which many socket protocols also do. (TCP/IP itself and a plain
socket does, but some protocols built on top of TCP/IP like SMTP and
HTTP don't, while some like FTP do.)
>> Either pair should work, but mixing them should not. The RSAPublicKey
> routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use
the generic X.509 PublicKeyInfo format which *contains* the PKCS#1.
Although semantically equivalent, these are not the same thing.
>> But if you get this (or pretty much anything else) wrong, the read
> routine shouldn't crash. It should return null with error information
stored in the error queue; this is not the same as either crashing or
reading endlessly. In fact reading endlessly wouldn't crash either by my
definition so I can't guess what you mean actually happens.
>>> This is how I call them:
>>> on party A:
>>> RSA rsa;
>>>
>>> PEM_write_bio_RSA_PUBKEY(sockbio,rsa);
>>> on party B:
>>> rsa = RSA_new();
>>> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0);
>>> Something wrong with the way I call the functions?
>> If you are mismatching RSA_PUBKEY to RSAPublicKey see above.
>> Even if not, you definitely should check for error on the read
>> routine and at least display something. The write routine is
>> much less likely to fail, but even so as general good practice
>> you should check it too.
>> Nit: personally in C I would write NULL rather than 0
>> for a null pointer -- just so it's visible to humans,
>> although it makes no difference to the compiler.
>> Unfortunately C++ doesn't support this until recently.
>> __
> OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
>
>
>
>
> __
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: PEM_read_bio_RSA_PUBKEY
Hi Dave
thanks a lot for the explanation. That makes a lot clearer to me. I added
some code to read out possible errors and there is none on the write
method. However there is a strange one on read:
error code pubkey: 537297017 in bio_lib.c line 297.
error data:
error string: error:20068079:BIO routines:BIO_gets:unsupported method
error code pubkey: 151441516 in pem_lib.c line 696.
error data:
error string: error:0906D06C:PEM routines:PEM_read_bio:no start line
For me that sounds as if it does not fine the "- BEGIN PUBKEY "
line. So I checked with wireshark and it is there. The PEM string is
distributed over 3 packets but it is continuous data (there is no other
data in those packets). So where does this error come from? Any ideas? I
cannot do anything about the method here, right?
BTW I checked that this error is really triggered by the read function and
not by any BIO function before that function.
best regards
Carolin
>> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent:
Monday, 03 September, 2012 13:39
>
>> I try to send an RSA public from one entity to another using socket
BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do
that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have
the
>> same behaviour in my case. The write function seems to work just fine.
I
>> am able to see the public key on the wire (using wireshark). However,
the read function just crashes. It looks as if it reads an endless
amount of data and I have no idea why. Are those function
>> actually meant
>> to send data over a socket bio?
> The PEM routines are meant to send or store over practically any
channel. The DER routines are meant to send/store over any 8-bit clean
channel, which many socket protocols also do. (TCP/IP itself and a plain
socket does, but some protocols built on top of TCP/IP like SMTP and
HTTP don't, while some like FTP do.)
>
> Either pair should work, but mixing them should not. The RSAPublicKey
routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use
the generic X.509 PublicKeyInfo format which *contains* the PKCS#1.
Although semantically equivalent, these are not the same thing.
>
> But if you get this (or pretty much anything else) wrong, the read
routine shouldn't crash. It should return null with error information
stored in the error queue; this is not the same as either crashing or
reading endlessly. In fact reading endlessly wouldn't crash either by my
definition so I can't guess what you mean actually happens.
>
>> This is how I call them:
>> on party A:
>> RSA rsa;
>>
>> PEM_write_bio_RSA_PUBKEY(sockbio,rsa);
>> on party B:
>> rsa = RSA_new();
>> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0);
>> Something wrong with the way I call the functions?
> If you are mismatching RSA_PUBKEY to RSAPublicKey see above.
>
> Even if not, you definitely should check for error on the read
> routine and at least display something. The write routine is
> much less likely to fail, but even so as general good practice
> you should check it too.
>
> Nit: personally in C I would write NULL rather than 0
> for a null pointer -- just so it's visible to humans,
> although it makes no difference to the compiler.
> Unfortunately C++ doesn't support this until recently.
>
>
> __
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
PEM_read_bio_RSA_PUBKEY
Hi all,
I try to send an RSA public from one entity to another using socket
BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do
that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the
same behaviour in my case. The write function seems to work just fine. I
am able to see the public key on the wire (using wireshark). However,
the read function just crashes. It looks as if it reads an endless
amount of data and I have no idea why. Are those function actually meant
to send data over a socket bio?
This is how I call them:
on party A:
RSA rsa;
PEM_write_bio_RSA_PUBKEY(sockbio,rsa);
on party B:
rsa = RSA_new();
PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0);
Something wrong with the way I call the functions?
best regards
Carolin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: how to extract an RSA public key
I guess I just got it if the only way is to use the PEM API? > Hi all, > > is there an API call that allows to extract an RSA public key (out of an > RSA structure) or should I just access rsa->n and rsa->e directly? I > cannot find an API call RSA_* that gives me the public key, but the > documentation (http://www.openssl.org/docs/crypto/rsa.html) says one > should not access the RSA members directly. > > best regards > Carolin > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
how to extract an RSA public key
Hi all, is there an API call that allows to extract an RSA public key (out of an RSA structure) or should I just access rsa->n and rsa->e directly? I cannot find an API call RSA_* that gives me the public key, but the documentation (http://www.openssl.org/docs/crypto/rsa.html) says one should not access the RSA members directly. best regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
moving from EVP to BIO_f_cipher
Hi all
since OpenSSL allows to do the encryption using the BIO API and since I
need the BIO API anyways for the sockets I thought I rewrite my code to
use the BIOs instead of EVPs. However I see some strange behavior. I
create a cipher BIO on the server as follows:
encbio = BIO_new(BIO_f_cipher());
BIO_set_cipher(encbio,EVP_bf_cbc(),key,NULL,1); /* 1 = encryption */
Then I set it on top of the socket bio:
BIO_push(encbio,cbio);
Now I send some data:
data_len = strlen(testmessage);
printf("---> %d\n",data_len);
while (written <= 0)
{
written = BIO_write(encbio,&data_len,sizeof(int));
if (written <= 0)
if (BIO_should_retry(encbio))
BIO_write(encbio,&data_len,sizeof(int));
}
written=0;
while (written <= 0)
{
printf("---> %s\n",testmessage);
written = BIO_write(encbio,testmessage,data_len);
if (written <= 0)
if (BIO_should_retry(encbio))
BIO_write(encbio,testmessage,data_len);
}
BIO_flush(encbio);
I create a decryption cipher bio in the same way on the client and as long
as I leave it as it is, it just works fine. The server sends data_len and
testmessage and the client receives it (and is able to decrypt it). Now I
want the client to send something back. So I set up an encryption cipher
bio on the client (like shown above) and a decryption cipher bio on the
server. So my source code looks like this:
server.c:
-> send 2 messages like above
-> receive 2 messages like above
client.c
-> receive 2 messages like above
-> send 2 messages like above
Now if I execute client and server, the client does only receive the first
message (the int data_len). It will not even receive testmessage from the
server as long as the server runs. However when I kill the server
(ctrl+c), the message arrives. That is weird since not even BIO_flush
helps. Whats going wrong here?
best regards
Carolin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Server key issue. need Urgent Help on it
Sorry for the stupid questions, but - does this file exist on your machine (and there is no typo in the name)? - and does it have meaningful content (a key)? > Dear All, > I have installed OpenSSL and faces this given below error when try to tun > apache server. Kindly advice me on this, how to correct it > > root@zeroshell root> /etc/init.d/httpd start > Starting httpd daemon... > Syntax error on line 121 of /etc/httpd/conf/ssl.conf: > SSLCertificateKeyFile: file '/etc/httpd/conf/ssl.key/server.key' does not > exist or is empty > > I am looking forward to you about this error > > Best Regards, > Jamshed Alam > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
EVP_CIPHER_CTX_set_key_length and EVP_CIPHER_key_length
Hi all
I created a shared key based on a DH exchange and want to use that key
with a symmetric encryption algorithm. This key has a length of 16 Bytes
(128 bit). Here is what I do to initialize AES:
char *key,*iv;
// DH exchange which ends with a 16B value in key
RAND_pseudo_bytes(iv,16);
EVP_EncryptInit(&enc_ctx,EVP_aes_128_cbc(),NULL,NULL);
EVP_CIPHER_CTX_set_key_length(&enc_ctx,16);
EVP_EncryptInit(&enc_ctx,NULL,skey,iv);
None of the functions seems to generate an error. I checked that by
calling ERR_print_errors_fp. However when I check the key length
printf("key len: %d\n",EVP_CIPHER_key_length(&enc_ctx));
It returns 1. Shouldn't it return 16? I guess I make a mistake when
setting the key, but where?
best regards
Carolin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: DH exchange & socket BIOs
ok took me a while, but now I got it. You were right. I missed your point "twice the length of binary data". Yup, If I take that into account, it works. thanks a lot! On 08/24/2012 05:47 PM, Michel wrote: Hi Carolin, "It is just about half the length of the ..." [very] Quick response : Hex value is twice the lengh of binary data : Have you checked the value of 'size' arg ? Not sure this helps ... Le 24/08/2012 16:38, Carolin Latze a écrit : (sorry if this mail arrives twice. I send it first without being subscribed to this list by accident) Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
DH exchange & socket BIOs
Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
DH exchange & socket BIOs
(sorry if this mail arrives twice. I send it first without being subscribed to this list by accident) Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin
Working with Strings on a SSL Server
Hi everybody, I have a very strange problem and hope that somebody is able to help me. I wrote a simple client and server in C that authenticate each other mutually using SSL. The SSL connection itself is working and I was able to exchange messages using SSL_write and SSL_read. The client sends X509 extensions as strings to the server. The server is able to read them and prints them to stdout. Those extensions contain some special values I want to check on the server. The general idea is that the client has some certificates, he wants to check. But those certificates contain some special values, he cannot check. Therefore he establishes a SSL connection to a verification server that will verify those values and send the result to the client. As I said, I am able to send those values using SSL_write to the server who is able to read them using SSL_read. In order to verify those values, the server has to open some local files. In order to do so, I create the filename: sprintf(filename,"certs/%s",dirpt->d_name); This will create a null-terminated string. Even if I never use this string, just because I created it, SSL_clear will coredump with *** glibc detected *** ./server: free(): invalid pointer: 0x0806ed48 *** === Backtrace: = /lib/libc.so.6[0xb7ccfa00] /lib/libc.so.6(cfree+0x89)[0xb7cd16f9] /usr/lib/libcrypto.so.0.9.8(CRYPTO_free+0x38)[0xb7e32208] /usr/lib/libcrypto.so.0.9.8(ASN1_OBJECT_free+0x89)[0xb7eb4479] /usr/lib/libcrypto.so.0.9.8(ASN1_primitive_free+0xf5)[0xb7ec2cb5] /usr/lib/libcrypto.so.0.9.8[0xb7ec2f0f] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_item_free+0x13)[0xb7ec3033] /usr/lib/libcrypto.so.0.9.8(X509_NAME_ENTRY_free+0x27)[0xb7ebc5f7] /usr/lib/libcrypto.so.0.9.8(sk_pop_free+0x40)[0xb7ea2b90] /usr/lib/libcrypto.so.0.9.8[0xb7ebc1e6] /usr/lib/libcrypto.so.0.9.8[0xb7ec2e25] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_item_free+0x13)[0xb7ec3033] /usr/lib/libcrypto.so.0.9.8(X509_free+0x27)[0xb7ebc9c7] /usr/lib/libssl.so.0.9.8(SSL_SESSION_free+0xda)[0xb7de185a] /usr/lib/libssl.so.0.9.8(SSL_clear+0x11f)[0xb7ddf77f] ./server[0x804a332] /lib/libpthread.so.0[0xb7d9f18b] /lib/libc.so.6(clone+0x5e)[0xb7d2b09e] I tried to create the filename string also using memcpy. Everything is fine until this string becomes null-terminated... I know, that sounds very strange, but does anybody have any idea how to solve that problem?? Regards Carolin -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 homepage: http://diuf.unifr.ch/people/latzec __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Usage of STACK_OF(X509)
Hi everybody,
I try to verify a small X509 chain: ca.pem (self signed) -> client.pem
On the commandline I do: cat ca.pem client.pem >> all.pem and
openssl verify -CAfile ca.pem all.pem (or similar, cannot remember the
exact syntax, but that works like this)
In my little C program, I don't want to do a cat (or store everything in
one file). I open ca.pem and client.pem. In order to verify client.pem,
I think I have to create a STACK_OF(X509) to store both in a chain. The
following code worked for all.pem and without STACK_OF(X509), but using
different files (that means ca.pem AND client.pem) and STACK_OF(X509)
does not work. I also tried to push "cert" and "ca" in the different
order, but that didn't help. Does anybody see the small error I made?
Any hints are appreciated!
Thanks a lot in advance
Carolin
int verify_valid_chain(X509 *cert,X509 *ca)
{
X509_STORE *store;
X509_LOOKUP *lookup;
X509_STORE_CTX *verify_ctx;
STACK_OF(X509) *st=sk_X509_new_null();
sk_X509_push(st,cert);
sk_X509_push(st,ca);
if(!(store=X509_STORE_new()))
int_error("Error creating X509_STORE_CTX object");
if(X509_STORE_load_locations(store,SOME_CA,NULL)!=1)
int_error("Error loading the CA file");
if(X509_STORE_set_default_paths(store)!=1)
int_error("Error loading the system-wide CAs");
if(!(lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file(
int_error("Error creating X509_LOOKUP object");
if(!(verify_ctx = X509_STORE_CTX_new()))
int_error("Error creating X509_STORE_CTX object");
if(X509_STORE_CTX_init(verify_ctx,store,cert,st)!=1)
int_error("Error initializing verification context");
if(X509_verify_cert(verify_ctx) !=1)
{
int err;
int_error("Error verifying the certificate");
err=X509_STORE_CTX_get_error(verify_ctx);
printf("ERROR: %s\n",X509_verify_cert_error_string(err));
sk_X509_free(st);
return -1;
}
else
{
printf("Certificate verified correctly!\n");
sk_X509_free(st);
return 0;
}
}
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Extract issuer's serialNumber from X509 extension
Hi everybody, is there an easy way to extract the certificate's issuer serialNumber (that is the one in the X509v3 Authority Key Identifier extension)? At the moment, I try to parse this extension using string methods, but I could imagine that there is another way to do this. Am I right? Thanks in Advance Carolin -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to decode ASN.1 Bit String
Ok, I found the error: I mixed up data types :-(
Thanks anyway!
Carolin Latze wrote:
> Dr. Stephen Henson wrote:
>
>> On Tue, Apr 29, 2008, Carolin Latze wrote:
>>
>>
>>
>>> Hello everybody,
>>>
>>> I know, that might be an easy question, but I really didn't find an
>>> answer till now...
>>>
>>> I have a certificate in TLS (X.509) with an ASN1. Bit String extension.
>>> How to I read it out? Till now I did the following:
>>>
>>> X509_EXTENSION *ext;
>>> ext=X509_get_ext(cert,i);
>>> os=X509_EXTENSION_get_data(ext);
>>> extstr=ASN1_STRING_data(os);
>>>
>>> But extstr is not exactly what it should be. It should be a bit string
>>> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always
>>> "1614" and the last four bytes are missing Any ideas? (I am sure, I
>>> am simply using the wrong functions, but everything I tried gave the
>>> same result)
>>>
>>>
>>>
>> You also need to retrieve the length of os using ASN1_STRING_length(os).
>>
>> What you then have is the encoding of the BIT STRING and not the content. If
>> you want the content you have to call d2i_ASN1_BITSTRING() on the encoding,
>> see docs and FAQ for examples of using the d2i_*() functions.
>>
>>
>>
> First of all: thanks for the answer. That helped a lot. I think, I know
> what to do: First of all, I read out the encoded data using
> ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I
> fill in the content using d2i_ASN1_BIT_STRING. I realized it as follows:
>
> X509_EXTENSION *ext;
> unsigned char *sstring;
> const unsigned char *extstr;
> ASN1_OCTET_STRING *os;
> long len;
>
> ext=X509_get_ext(cert,i);
>
> os=X509_EXTENSION_get_data(ext);
> extstr=ASN1_STRING_data(os);
> len=ASN1_STRING_length(os);
> os=d2i_ASN1_BIT_STRING(&os,&extstr,len);
> if(os==NULL) int_error("d2i_ASN1_BIT_STRING
> returned NULL\n");
> else fprintf(stdout,"d2i_ASN1_BIT_STRING
> succeeded\n");
> sstring=(unsigned
> char*)malloc((size_t)os->length + 1);
> memcpy(sstring,os->data,(size_t)os->length);
> sstring[os->length+1]='\0';
>
>
> The problem is that d2i_ASN1_BIT_STRING always returns:
>
> 3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:1294:
> 3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
> asn1 error:tasn_dec.c:830:
>
> And I have not really an idea about what goes wrong here. I tried to
> google around but did not find a satisfactory answer. My question is: Is
> there still something missing or wrong in this code or might it be
> possible that I did something wrong in the assignment of the extension
> when creating the certificate?
>
> (I assigned the extensions like this:
> ext=X509V3_EXT_conf_nid(NULL,&ctx,nid,ext_entries[i].value;
> X509_add_ext(x509,ext,-1);)
>
> Regards
> Carolin
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
--
Carolin Latze
Research Assistant
Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg
phone: +41 26 300 83 30
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to decode ASN.1 Bit String
Dr. Stephen Henson wrote:
> On Tue, Apr 29, 2008, Carolin Latze wrote:
>
>
>> Hello everybody,
>>
>> I know, that might be an easy question, but I really didn't find an
>> answer till now...
>>
>> I have a certificate in TLS (X.509) with an ASN1. Bit String extension.
>> How to I read it out? Till now I did the following:
>>
>> X509_EXTENSION *ext;
>> ext=X509_get_ext(cert,i);
>> os=X509_EXTENSION_get_data(ext);
>> extstr=ASN1_STRING_data(os);
>>
>> But extstr is not exactly what it should be. It should be a bit string
>> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always
>> "1614" and the last four bytes are missing Any ideas? (I am sure, I
>> am simply using the wrong functions, but everything I tried gave the
>> same result)
>>
>>
>
> You also need to retrieve the length of os using ASN1_STRING_length(os).
>
> What you then have is the encoding of the BIT STRING and not the content. If
> you want the content you have to call d2i_ASN1_BITSTRING() on the encoding,
> see docs and FAQ for examples of using the d2i_*() functions.
>
>
First of all: thanks for the answer. That helped a lot. I think, I know
what to do: First of all, I read out the encoded data using
ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I
fill in the content using d2i_ASN1_BIT_STRING. I realized it as follows:
X509_EXTENSION *ext;
unsigned char *sstring;
const unsigned char *extstr;
ASN1_OCTET_STRING *os;
long len;
ext=X509_get_ext(cert,i);
os=X509_EXTENSION_get_data(ext);
extstr=ASN1_STRING_data(os);
len=ASN1_STRING_length(os);
os=d2i_ASN1_BIT_STRING(&os,&extstr,len);
if(os==NULL) int_error("d2i_ASN1_BIT_STRING
returned NULL\n");
else fprintf(stdout,"d2i_ASN1_BIT_STRING
succeeded\n");
sstring=(unsigned
char*)malloc((size_t)os->length + 1);
memcpy(sstring,os->data,(size_t)os->length);
sstring[os->length+1]='\0';
The problem is that d2i_ASN1_BIT_STRING always returns:
3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1294:
3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1 error:tasn_dec.c:830:
And I have not really an idea about what goes wrong here. I tried to
google around but did not find a satisfactory answer. My question is: Is
there still something missing or wrong in this code or might it be
possible that I did something wrong in the assignment of the extension
when creating the certificate?
(I assigned the extensions like this:
ext=X509V3_EXT_conf_nid(NULL,&ctx,nid,ext_entries[i].value;
X509_add_ext(x509,ext,-1);)
Regards
Carolin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
How to decode ASN.1 Bit String
Hello everybody, I know, that might be an easy question, but I really didn't find an answer till now... I have a certificate in TLS (X.509) with an ASN1. Bit String extension. How to I read it out? Till now I did the following: X509_EXTENSION *ext; ext=X509_get_ext(cert,i); os=X509_EXTENSION_get_data(ext); extstr=ASN1_STRING_data(os); But extstr is not exactly what it should be. It should be a bit string of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always "1614" and the last four bytes are missing Any ideas? (I am sure, I am simply using the wrong functions, but everything I tried gave the same result) Thanks in advance Carolin -- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CAFile
I'm not sure, but shouldn't it be possible to simply use cat? Something like: cat ca1.pem ca2.pem ... caN.pem > CAfile.pem But I might be wrong... Regards Carolin [EMAIL PROTECTED] wrote: > Hello everybody > > For some hours now I try to find out how to create CAfile (a file with > multiple CAs inside, the one file counterpart of -CApath). > I need such a file for HTTPS Client authentification together with the yaws > webserver. In the yaws user guide they write that > it is a plain old openssl "cacertfile", but neither on the openssl homepage > nor somewhere else (google) did I find a description > of that file format resp. an explanation howto create such a file. > > Could anybody please give me an example or point me to the right > documentation? > > Thanks for any help. > Kind Regards > Alex > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
X509 extension
Hi everybody,
I have some problems with X509 extensions. First of all, what I want to do:
I want to define new extensions, simply some new extension fields that I
want to fill with values.
I thought, I just define them in an array:
struct entry ext_entries[3] =
{
{"basicConstraints","CA:FALSE"},
{"authorityKeyIdentifier","keyid,issuer:always"},
{"myOwnExtension","myValue"}
};
Those are the extensions for a non CA certificate. The CA certificate
has only the first two, but not the third. When I execute
ext=X509V3_EXT_conf(NULL,&ctx,ext_entries[i].key,ext_entries[i].value)
I get an error for myOwnExtension "unknown extension name". I tried to
add it to openssl.cnf under [usr_cert], but that didn't fix it. Where
and how do I have to define new extensions? That should be possible,
shouldn't it?
Thanks in advance
Regards
Carolin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
