RE: PEM_read_bio_RSA_PUBKEY
I did that already and saw already that BIO_gets is called. I just left the question open since I don't understand the reason behind this. It forces me to use a buffer BIO that I only need for that one read. But I agree that this is a workaround that is doable >> Is it possible that PEM_read_bio_RSA_PUBKEY uses BIO_gets internally > > Sometimes the best answer to that sort of question -- sadly, perhaps, but > true nonetheless -- is to look at the source code. Not so hard to read as > I > had at first supposed. > > Charles > > -Original Message- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Carolin Latze > Sent: Tuesday, September 04, 2012 5:03 AM > To: openssl-users@openssl.org > Subject: RE: PEM_read_bio_RSA_PUBKEY > > Hi, > > I went on reading about this error and figured out that the socket bio > does not support the BIO_gets method. Is it possible that > PEM_read_bio_RSA_PUBKEY uses BIO_gets internally and is therefore not > really compatible with a socket bio? > > In order to verify that I created a buffer BIO (BIO_f_buffer()) on top of > the socket bio for the read function. And this just works. Is this the > desired way to do this? I can live with it, but since it was not > documented (or maybe I just missed it), I did not expect it. > > best regards and thanks a lot again for the help > Carolin > >> Hi Dave >> >> thanks a lot for the explanation. That makes a lot clearer to me. I > added >> some code to read out possible errors and there is none on the write > method. However there is a strange one on read: >> >> error code pubkey: 537297017 in bio_lib.c line 297. >> error data: >> error string: error:20068079:BIO routines:BIO_gets:unsupported method > error code pubkey: 151441516 in pem_lib.c line 696. >> error data: >> error string: error:0906D06C:PEM routines:PEM_read_bio:no start line >> >> For me that sounds as if it does not fine the "- BEGIN PUBKEY " > line. So I checked with wireshark and it is there. The PEM string is > distributed over 3 packets but it is continuous data (there is no other > data in those packets). So where does this error come from? Any ideas? I > cannot do anything about the method here, right? >> >> BTW I checked that this error is really triggered by the read function > and >> not by any BIO function before that function. >> >> best regards >> Carolin >> >>>> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: >> Monday, 03 September, 2012 13:39 >>>> I try to send an RSA public from one entity to another using socket >> BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do > that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the >>>> same behaviour in my case. The write function seems to work just fine. >> I >>>> am able to see the public key on the wire (using wireshark). However, >> the read function just crashes. It looks as if it reads an endless > amount of data and I have no idea why. Are those function >>>> actually meant >>>> to send data over a socket bio? >>> The PEM routines are meant to send or store over practically any >> channel. The DER routines are meant to send/store over any 8-bit clean > channel, which many socket protocols also do. (TCP/IP itself and a plain > socket does, but some protocols built on top of TCP/IP like SMTP and > HTTP don't, while some like FTP do.) >>> Either pair should work, but mixing them should not. The RSAPublicKey >> routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use > the generic X.509 PublicKeyInfo format which *contains* the PKCS#1. > Although semantically equivalent, these are not the same thing. >>> But if you get this (or pretty much anything else) wrong, the read >> routine shouldn't crash. It should return null with error information > stored in the error queue; this is not the same as either crashing or > reading endlessly. In fact reading endlessly wouldn't crash either by my > definition so I can't guess what you mean actually happens. >>>> This is how I call them: >>>> on party A: >>>> RSA rsa; >>>> >>>> PEM_write_bio_RSA_PUBKEY(sockbio,rsa); >>>> on party B: >>>> rsa = RSA_new(); >>>> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0); >>>> Something wrong with the way I call the functions? >>> If you are mismatching RSA_PUBKEY to RSAPublicKey see above. >>> Even if not, you definitely should check for err
RE: PEM_read_bio_RSA_PUBKEY
Hi, I went on reading about this error and figured out that the socket bio does not support the BIO_gets method. Is it possible that PEM_read_bio_RSA_PUBKEY uses BIO_gets internally and is therefore not really compatible with a socket bio? In order to verify that I created a buffer BIO (BIO_f_buffer()) on top of the socket bio for the read function. And this just works. Is this the desired way to do this? I can live with it, but since it was not documented (or maybe I just missed it), I did not expect it. best regards and thanks a lot again for the help Carolin > Hi Dave > > thanks a lot for the explanation. That makes a lot clearer to me. I added > some code to read out possible errors and there is none on the write method. However there is a strange one on read: > > error code pubkey: 537297017 in bio_lib.c line 297. > error data: > error string: error:20068079:BIO routines:BIO_gets:unsupported method error code pubkey: 151441516 in pem_lib.c line 696. > error data: > error string: error:0906D06C:PEM routines:PEM_read_bio:no start line > > For me that sounds as if it does not fine the "- BEGIN PUBKEY " line. So I checked with wireshark and it is there. The PEM string is distributed over 3 packets but it is continuous data (there is no other data in those packets). So where does this error come from? Any ideas? I cannot do anything about the method here, right? > > BTW I checked that this error is really triggered by the read function and > not by any BIO function before that function. > > best regards > Carolin > >>> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: > Monday, 03 September, 2012 13:39 >>> I try to send an RSA public from one entity to another using socket > BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the >>> same behaviour in my case. The write function seems to work just fine. > I >>> am able to see the public key on the wire (using wireshark). However, > the read function just crashes. It looks as if it reads an endless amount of data and I have no idea why. Are those function >>> actually meant >>> to send data over a socket bio? >> The PEM routines are meant to send or store over practically any > channel. The DER routines are meant to send/store over any 8-bit clean channel, which many socket protocols also do. (TCP/IP itself and a plain socket does, but some protocols built on top of TCP/IP like SMTP and HTTP don't, while some like FTP do.) >> Either pair should work, but mixing them should not. The RSAPublicKey > routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use the generic X.509 PublicKeyInfo format which *contains* the PKCS#1. Although semantically equivalent, these are not the same thing. >> But if you get this (or pretty much anything else) wrong, the read > routine shouldn't crash. It should return null with error information stored in the error queue; this is not the same as either crashing or reading endlessly. In fact reading endlessly wouldn't crash either by my definition so I can't guess what you mean actually happens. >>> This is how I call them: >>> on party A: >>> RSA rsa; >>> >>> PEM_write_bio_RSA_PUBKEY(sockbio,rsa); >>> on party B: >>> rsa = RSA_new(); >>> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0); >>> Something wrong with the way I call the functions? >> If you are mismatching RSA_PUBKEY to RSAPublicKey see above. >> Even if not, you definitely should check for error on the read >> routine and at least display something. The write routine is >> much less likely to fail, but even so as general good practice >> you should check it too. >> Nit: personally in C I would write NULL rather than 0 >> for a null pointer -- just so it's visible to humans, >> although it makes no difference to the compiler. >> Unfortunately C++ doesn't support this until recently. >> __ > OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org > > > > > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: PEM_read_bio_RSA_PUBKEY
Hi Dave thanks a lot for the explanation. That makes a lot clearer to me. I added some code to read out possible errors and there is none on the write method. However there is a strange one on read: error code pubkey: 537297017 in bio_lib.c line 297. error data: error string: error:20068079:BIO routines:BIO_gets:unsupported method error code pubkey: 151441516 in pem_lib.c line 696. error data: error string: error:0906D06C:PEM routines:PEM_read_bio:no start line For me that sounds as if it does not fine the "- BEGIN PUBKEY " line. So I checked with wireshark and it is there. The PEM string is distributed over 3 packets but it is continuous data (there is no other data in those packets). So where does this error come from? Any ideas? I cannot do anything about the method here, right? BTW I checked that this error is really triggered by the read function and not by any BIO function before that function. best regards Carolin >> From: owner-openssl-us...@openssl.org On Behalf Of Carolin Latze Sent: Monday, 03 September, 2012 13:39 > >> I try to send an RSA public from one entity to another using socket BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the >> same behaviour in my case. The write function seems to work just fine. I >> am able to see the public key on the wire (using wireshark). However, the read function just crashes. It looks as if it reads an endless amount of data and I have no idea why. Are those function >> actually meant >> to send data over a socket bio? > The PEM routines are meant to send or store over practically any channel. The DER routines are meant to send/store over any 8-bit clean channel, which many socket protocols also do. (TCP/IP itself and a plain socket does, but some protocols built on top of TCP/IP like SMTP and HTTP don't, while some like FTP do.) > > Either pair should work, but mixing them should not. The RSAPublicKey routines use the "raw" PKCS#1 format, and the RSA_PUBKEY routines use the generic X.509 PublicKeyInfo format which *contains* the PKCS#1. Although semantically equivalent, these are not the same thing. > > But if you get this (or pretty much anything else) wrong, the read routine shouldn't crash. It should return null with error information stored in the error queue; this is not the same as either crashing or reading endlessly. In fact reading endlessly wouldn't crash either by my definition so I can't guess what you mean actually happens. > >> This is how I call them: >> on party A: >> RSA rsa; >> >> PEM_write_bio_RSA_PUBKEY(sockbio,rsa); >> on party B: >> rsa = RSA_new(); >> PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0); >> Something wrong with the way I call the functions? > If you are mismatching RSA_PUBKEY to RSAPublicKey see above. > > Even if not, you definitely should check for error on the read > routine and at least display something. The write routine is > much less likely to fail, but even so as general good practice > you should check it too. > > Nit: personally in C I would write NULL rather than 0 > for a null pointer -- just so it's visible to humans, > although it makes no difference to the compiler. > Unfortunately C++ doesn't support this until recently. > > > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
PEM_read_bio_RSA_PUBKEY
Hi all, I try to send an RSA public from one entity to another using socket BIOs. I use PEM_write_bio_RSA_PUBKEY and PEM_read_bio_RSA_PUBKEY to do that. I also tried with PEM_{write|read}_bio_RSAPublicKey. Both have the same behaviour in my case. The write function seems to work just fine. I am able to see the public key on the wire (using wireshark). However, the read function just crashes. It looks as if it reads an endless amount of data and I have no idea why. Are those function actually meant to send data over a socket bio? This is how I call them: on party A: RSA rsa; PEM_write_bio_RSA_PUBKEY(sockbio,rsa); on party B: rsa = RSA_new(); PEM_read_bio_RSAPublicKey(sockbio,&rsa,0,0); Something wrong with the way I call the functions? best regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: how to extract an RSA public key
I guess I just got it if the only way is to use the PEM API? > Hi all, > > is there an API call that allows to extract an RSA public key (out of an > RSA structure) or should I just access rsa->n and rsa->e directly? I > cannot find an API call RSA_* that gives me the public key, but the > documentation (http://www.openssl.org/docs/crypto/rsa.html) says one > should not access the RSA members directly. > > best regards > Carolin > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
how to extract an RSA public key
Hi all, is there an API call that allows to extract an RSA public key (out of an RSA structure) or should I just access rsa->n and rsa->e directly? I cannot find an API call RSA_* that gives me the public key, but the documentation (http://www.openssl.org/docs/crypto/rsa.html) says one should not access the RSA members directly. best regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
moving from EVP to BIO_f_cipher
Hi all since OpenSSL allows to do the encryption using the BIO API and since I need the BIO API anyways for the sockets I thought I rewrite my code to use the BIOs instead of EVPs. However I see some strange behavior. I create a cipher BIO on the server as follows: encbio = BIO_new(BIO_f_cipher()); BIO_set_cipher(encbio,EVP_bf_cbc(),key,NULL,1); /* 1 = encryption */ Then I set it on top of the socket bio: BIO_push(encbio,cbio); Now I send some data: data_len = strlen(testmessage); printf("---> %d\n",data_len); while (written <= 0) { written = BIO_write(encbio,&data_len,sizeof(int)); if (written <= 0) if (BIO_should_retry(encbio)) BIO_write(encbio,&data_len,sizeof(int)); } written=0; while (written <= 0) { printf("---> %s\n",testmessage); written = BIO_write(encbio,testmessage,data_len); if (written <= 0) if (BIO_should_retry(encbio)) BIO_write(encbio,testmessage,data_len); } BIO_flush(encbio); I create a decryption cipher bio in the same way on the client and as long as I leave it as it is, it just works fine. The server sends data_len and testmessage and the client receives it (and is able to decrypt it). Now I want the client to send something back. So I set up an encryption cipher bio on the client (like shown above) and a decryption cipher bio on the server. So my source code looks like this: server.c: -> send 2 messages like above -> receive 2 messages like above client.c -> receive 2 messages like above -> send 2 messages like above Now if I execute client and server, the client does only receive the first message (the int data_len). It will not even receive testmessage from the server as long as the server runs. However when I kill the server (ctrl+c), the message arrives. That is weird since not even BIO_flush helps. Whats going wrong here? best regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Server key issue. need Urgent Help on it
Sorry for the stupid questions, but - does this file exist on your machine (and there is no typo in the name)? - and does it have meaningful content (a key)? > Dear All, > I have installed OpenSSL and faces this given below error when try to tun > apache server. Kindly advice me on this, how to correct it > > root@zeroshell root> /etc/init.d/httpd start > Starting httpd daemon... > Syntax error on line 121 of /etc/httpd/conf/ssl.conf: > SSLCertificateKeyFile: file '/etc/httpd/conf/ssl.key/server.key' does not > exist or is empty > > I am looking forward to you about this error > > Best Regards, > Jamshed Alam > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
EVP_CIPHER_CTX_set_key_length and EVP_CIPHER_key_length
Hi all I created a shared key based on a DH exchange and want to use that key with a symmetric encryption algorithm. This key has a length of 16 Bytes (128 bit). Here is what I do to initialize AES: char *key,*iv; // DH exchange which ends with a 16B value in key RAND_pseudo_bytes(iv,16); EVP_EncryptInit(&enc_ctx,EVP_aes_128_cbc(),NULL,NULL); EVP_CIPHER_CTX_set_key_length(&enc_ctx,16); EVP_EncryptInit(&enc_ctx,NULL,skey,iv); None of the functions seems to generate an error. I checked that by calling ERR_print_errors_fp. However when I check the key length printf("key len: %d\n",EVP_CIPHER_key_length(&enc_ctx)); It returns 1. Shouldn't it return 16? I guess I make a mistake when setting the key, but where? best regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH exchange & socket BIOs
ok took me a while, but now I got it. You were right. I missed your point "twice the length of binary data". Yup, If I take that into account, it works. thanks a lot! On 08/24/2012 05:47 PM, Michel wrote: Hi Carolin, "It is just about half the length of the ..." [very] Quick response : Hex value is twice the lengh of binary data : Have you checked the value of 'size' arg ? Not sure this helps ... Le 24/08/2012 16:38, Carolin Latze a écrit : (sorry if this mail arrives twice. I send it first without being subscribed to this list by accident) Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
DH exchange & socket BIOs
Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
DH exchange & socket BIOs
(sorry if this mail arrives twice. I send it first without being subscribed to this list by accident) Hi all I try to implement a DH exchange using socket BIOs. Here is what I do: On the server - I initialize a DH structure with DH_new - I generate the parameters using DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512 - I generate the keys using DH_generate_key(dh) Now I need to send p,g, and the server's public key to the client. In order to do that I convert each of those three values to hex. This is the example for p: int size = DH_size(dh); char* prime = (char*) malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); prime = BN_bn2hex(dh->p); afterwards I open a socket BIO that allows a client to connect: bio = BIO_new_accept(port); Now, when a client connects, I write those three values to the BIO. Example for p: BIO_do_accept(bio); cbio = BIO_pop(bio); BIO_write(cbio,prime,size); Ok, lets move the client. The client connects successfully to the server and reads the three values from the BIO: prime = (char*)malloc(size*sizeof(char)); memset(prime,0,size*sizeof(char)); BIO_read(bio,prime,size); If I print out "prime" on the client using printf I see that this is exactly the stream of bytes that have been sent by the server. But if I write this value back into a DH structure it changes: DH *dh = DH_new(); BN_hex2bn(&(dh->p),prime); If I check the value now with BN_print, it is a shorter value! It is just about half the length of the original p and I have no idea why. What is it that I miss here? Any hints would be appreciated Regards Carolin
Working with Strings on a SSL Server
Hi everybody, I have a very strange problem and hope that somebody is able to help me. I wrote a simple client and server in C that authenticate each other mutually using SSL. The SSL connection itself is working and I was able to exchange messages using SSL_write and SSL_read. The client sends X509 extensions as strings to the server. The server is able to read them and prints them to stdout. Those extensions contain some special values I want to check on the server. The general idea is that the client has some certificates, he wants to check. But those certificates contain some special values, he cannot check. Therefore he establishes a SSL connection to a verification server that will verify those values and send the result to the client. As I said, I am able to send those values using SSL_write to the server who is able to read them using SSL_read. In order to verify those values, the server has to open some local files. In order to do so, I create the filename: sprintf(filename,"certs/%s",dirpt->d_name); This will create a null-terminated string. Even if I never use this string, just because I created it, SSL_clear will coredump with *** glibc detected *** ./server: free(): invalid pointer: 0x0806ed48 *** === Backtrace: = /lib/libc.so.6[0xb7ccfa00] /lib/libc.so.6(cfree+0x89)[0xb7cd16f9] /usr/lib/libcrypto.so.0.9.8(CRYPTO_free+0x38)[0xb7e32208] /usr/lib/libcrypto.so.0.9.8(ASN1_OBJECT_free+0x89)[0xb7eb4479] /usr/lib/libcrypto.so.0.9.8(ASN1_primitive_free+0xf5)[0xb7ec2cb5] /usr/lib/libcrypto.so.0.9.8[0xb7ec2f0f] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_item_free+0x13)[0xb7ec3033] /usr/lib/libcrypto.so.0.9.8(X509_NAME_ENTRY_free+0x27)[0xb7ebc5f7] /usr/lib/libcrypto.so.0.9.8(sk_pop_free+0x40)[0xb7ea2b90] /usr/lib/libcrypto.so.0.9.8[0xb7ebc1e6] /usr/lib/libcrypto.so.0.9.8[0xb7ec2e25] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_template_free+0x89)[0xb7ec2fe9] /usr/lib/libcrypto.so.0.9.8[0xb7ec2ef0] /usr/lib/libcrypto.so.0.9.8(ASN1_item_free+0x13)[0xb7ec3033] /usr/lib/libcrypto.so.0.9.8(X509_free+0x27)[0xb7ebc9c7] /usr/lib/libssl.so.0.9.8(SSL_SESSION_free+0xda)[0xb7de185a] /usr/lib/libssl.so.0.9.8(SSL_clear+0x11f)[0xb7ddf77f] ./server[0x804a332] /lib/libpthread.so.0[0xb7d9f18b] /lib/libc.so.6(clone+0x5e)[0xb7d2b09e] I tried to create the filename string also using memcpy. Everything is fine until this string becomes null-terminated... I know, that sounds very strange, but does anybody have any idea how to solve that problem?? Regards Carolin -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 homepage: http://diuf.unifr.ch/people/latzec __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Usage of STACK_OF(X509)
Hi everybody, I try to verify a small X509 chain: ca.pem (self signed) -> client.pem On the commandline I do: cat ca.pem client.pem >> all.pem and openssl verify -CAfile ca.pem all.pem (or similar, cannot remember the exact syntax, but that works like this) In my little C program, I don't want to do a cat (or store everything in one file). I open ca.pem and client.pem. In order to verify client.pem, I think I have to create a STACK_OF(X509) to store both in a chain. The following code worked for all.pem and without STACK_OF(X509), but using different files (that means ca.pem AND client.pem) and STACK_OF(X509) does not work. I also tried to push "cert" and "ca" in the different order, but that didn't help. Does anybody see the small error I made? Any hints are appreciated! Thanks a lot in advance Carolin int verify_valid_chain(X509 *cert,X509 *ca) { X509_STORE *store; X509_LOOKUP *lookup; X509_STORE_CTX *verify_ctx; STACK_OF(X509) *st=sk_X509_new_null(); sk_X509_push(st,cert); sk_X509_push(st,ca); if(!(store=X509_STORE_new())) int_error("Error creating X509_STORE_CTX object"); if(X509_STORE_load_locations(store,SOME_CA,NULL)!=1) int_error("Error loading the CA file"); if(X509_STORE_set_default_paths(store)!=1) int_error("Error loading the system-wide CAs"); if(!(lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file( int_error("Error creating X509_LOOKUP object"); if(!(verify_ctx = X509_STORE_CTX_new())) int_error("Error creating X509_STORE_CTX object"); if(X509_STORE_CTX_init(verify_ctx,store,cert,st)!=1) int_error("Error initializing verification context"); if(X509_verify_cert(verify_ctx) !=1) { int err; int_error("Error verifying the certificate"); err=X509_STORE_CTX_get_error(verify_ctx); printf("ERROR: %s\n",X509_verify_cert_error_string(err)); sk_X509_free(st); return -1; } else { printf("Certificate verified correctly!\n"); sk_X509_free(st); return 0; } } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Extract issuer's serialNumber from X509 extension
Hi everybody, is there an easy way to extract the certificate's issuer serialNumber (that is the one in the X509v3 Authority Key Identifier extension)? At the moment, I try to parse this extension using string methods, but I could imagine that there is another way to do this. Am I right? Thanks in Advance Carolin -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to decode ASN.1 Bit String
Ok, I found the error: I mixed up data types :-( Thanks anyway! Carolin Latze wrote: > Dr. Stephen Henson wrote: > >> On Tue, Apr 29, 2008, Carolin Latze wrote: >> >> >> >>> Hello everybody, >>> >>> I know, that might be an easy question, but I really didn't find an >>> answer till now... >>> >>> I have a certificate in TLS (X.509) with an ASN1. Bit String extension. >>> How to I read it out? Till now I did the following: >>> >>> X509_EXTENSION *ext; >>> ext=X509_get_ext(cert,i); >>> os=X509_EXTENSION_get_data(ext); >>> extstr=ASN1_STRING_data(os); >>> >>> But extstr is not exactly what it should be. It should be a bit string >>> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always >>> "1614" and the last four bytes are missing Any ideas? (I am sure, I >>> am simply using the wrong functions, but everything I tried gave the >>> same result) >>> >>> >>> >> You also need to retrieve the length of os using ASN1_STRING_length(os). >> >> What you then have is the encoding of the BIT STRING and not the content. If >> you want the content you have to call d2i_ASN1_BITSTRING() on the encoding, >> see docs and FAQ for examples of using the d2i_*() functions. >> >> >> > First of all: thanks for the answer. That helped a lot. I think, I know > what to do: First of all, I read out the encoded data using > ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I > fill in the content using d2i_ASN1_BIT_STRING. I realized it as follows: > > X509_EXTENSION *ext; > unsigned char *sstring; > const unsigned char *extstr; > ASN1_OCTET_STRING *os; > long len; > > ext=X509_get_ext(cert,i); > > os=X509_EXTENSION_get_data(ext); > extstr=ASN1_STRING_data(os); > len=ASN1_STRING_length(os); > os=d2i_ASN1_BIT_STRING(&os,&extstr,len); > if(os==NULL) int_error("d2i_ASN1_BIT_STRING > returned NULL\n"); > else fprintf(stdout,"d2i_ASN1_BIT_STRING > succeeded\n"); > sstring=(unsigned > char*)malloc((size_t)os->length + 1); > memcpy(sstring,os->data,(size_t)os->length); > sstring[os->length+1]='\0'; > > > The problem is that d2i_ASN1_BIT_STRING always returns: > > 3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong > tag:tasn_dec.c:1294: > 3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested > asn1 error:tasn_dec.c:830: > > And I have not really an idea about what goes wrong here. I tried to > google around but did not find a satisfactory answer. My question is: Is > there still something missing or wrong in this code or might it be > possible that I did something wrong in the assignment of the extension > when creating the certificate? > > (I assigned the extensions like this: > ext=X509V3_EXT_conf_nid(NULL,&ctx,nid,ext_entries[i].value; > X509_add_ext(x509,ext,-1);) > > Regards > Carolin > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to decode ASN.1 Bit String
Dr. Stephen Henson wrote: > On Tue, Apr 29, 2008, Carolin Latze wrote: > > >> Hello everybody, >> >> I know, that might be an easy question, but I really didn't find an >> answer till now... >> >> I have a certificate in TLS (X.509) with an ASN1. Bit String extension. >> How to I read it out? Till now I did the following: >> >> X509_EXTENSION *ext; >> ext=X509_get_ext(cert,i); >> os=X509_EXTENSION_get_data(ext); >> extstr=ASN1_STRING_data(os); >> >> But extstr is not exactly what it should be. It should be a bit string >> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always >> "1614" and the last four bytes are missing Any ideas? (I am sure, I >> am simply using the wrong functions, but everything I tried gave the >> same result) >> >> > > You also need to retrieve the length of os using ASN1_STRING_length(os). > > What you then have is the encoding of the BIT STRING and not the content. If > you want the content you have to call d2i_ASN1_BITSTRING() on the encoding, > see docs and FAQ for examples of using the d2i_*() functions. > > First of all: thanks for the answer. That helped a lot. I think, I know what to do: First of all, I read out the encoded data using ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I fill in the content using d2i_ASN1_BIT_STRING. I realized it as follows: X509_EXTENSION *ext; unsigned char *sstring; const unsigned char *extstr; ASN1_OCTET_STRING *os; long len; ext=X509_get_ext(cert,i); os=X509_EXTENSION_get_data(ext); extstr=ASN1_STRING_data(os); len=ASN1_STRING_length(os); os=d2i_ASN1_BIT_STRING(&os,&extstr,len); if(os==NULL) int_error("d2i_ASN1_BIT_STRING returned NULL\n"); else fprintf(stdout,"d2i_ASN1_BIT_STRING succeeded\n"); sstring=(unsigned char*)malloc((size_t)os->length + 1); memcpy(sstring,os->data,(size_t)os->length); sstring[os->length+1]='\0'; The problem is that d2i_ASN1_BIT_STRING always returns: 3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294: 3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830: And I have not really an idea about what goes wrong here. I tried to google around but did not find a satisfactory answer. My question is: Is there still something missing or wrong in this code or might it be possible that I did something wrong in the assignment of the extension when creating the certificate? (I assigned the extensions like this: ext=X509V3_EXT_conf_nid(NULL,&ctx,nid,ext_entries[i].value; X509_add_ext(x509,ext,-1);) Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to decode ASN.1 Bit String
Hello everybody, I know, that might be an easy question, but I really didn't find an answer till now... I have a certificate in TLS (X.509) with an ASN1. Bit String extension. How to I read it out? Till now I did the following: X509_EXTENSION *ext; ext=X509_get_ext(cert,i); os=X509_EXTENSION_get_data(ext); extstr=ASN1_STRING_data(os); But extstr is not exactly what it should be. It should be a bit string of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always "1614" and the last four bytes are missing Any ideas? (I am sure, I am simply using the wrong functions, but everything I tried gave the same result) Thanks in advance Carolin -- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CAFile
I'm not sure, but shouldn't it be possible to simply use cat? Something like: cat ca1.pem ca2.pem ... caN.pem > CAfile.pem But I might be wrong... Regards Carolin [EMAIL PROTECTED] wrote: > Hello everybody > > For some hours now I try to find out how to create CAfile (a file with > multiple CAs inside, the one file counterpart of -CApath). > I need such a file for HTTPS Client authentification together with the yaws > webserver. In the yaws user guide they write that > it is a plain old openssl "cacertfile", but neither on the openssl homepage > nor somewhere else (google) did I find a description > of that file format resp. an explanation howto create such a file. > > Could anybody please give me an example or point me to the right > documentation? > > Thanks for any help. > Kind Regards > Alex > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Carolin Latze Research Assistant Department of Computer Science Boulevard de Pérolles 90 CH-1700 Fribourg phone: +41 26 300 83 30 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
X509 extension
Hi everybody, I have some problems with X509 extensions. First of all, what I want to do: I want to define new extensions, simply some new extension fields that I want to fill with values. I thought, I just define them in an array: struct entry ext_entries[3] = { {"basicConstraints","CA:FALSE"}, {"authorityKeyIdentifier","keyid,issuer:always"}, {"myOwnExtension","myValue"} }; Those are the extensions for a non CA certificate. The CA certificate has only the first two, but not the third. When I execute ext=X509V3_EXT_conf(NULL,&ctx,ext_entries[i].key,ext_entries[i].value) I get an error for myOwnExtension "unknown extension name". I tried to add it to openssl.cnf under [usr_cert], but that didn't fix it. Where and how do I have to define new extensions? That should be possible, shouldn't it? Thanks in advance Regards Carolin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]