Re: X509 verify
I'm using the PEM_write_X509(), avoiding the BIO, is there any difference?
Anyway, this function does not give errors.
Calling the ERR_error_string() on the failed verify, the error returned is:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
Searching on Google for this error it is not so helpful, it says only that
something on the certificate or on the public key is wrong.
Probably the i2d/d2i functions add something undesired on mine X509
structure.
Thanks again for your help.
Best Regards
Andrea Saracino
2011/7/28 Erwin Himawan ehima...@gmail.com
By the way sorry for the font size, it does not mean anything, it just
mixed up during cut and paste.
The function to dump x509 into a certificate is is PEM_write_bio_X509() and
the function to dump a x509 der file is bio_write(). Here is the doc on
bio_write http://www.manpagez.com/man/3/BIO_write/osx-10.3.php
erwin
On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan ehima...@gmail.com wrote:
**
I would not use the X509_print_fp(), since it does not give you the PEM
or DER file.
Use intead PEM_write_bio or write_bio() for PEM and DER respectively.
Also check for error for the status of these two bio write function.
hopefully it helps
*From:* Andrea Saracino saracino.and...@gmail.com
*Sent:* Wednesday, July 27, 2011 6:05 PM
*To:* openssl-users@openssl.org
*Subject:* Re: X509 verify
Hi Erwin, thanks for your fast answer.
I dumped both the certificates in 2 PEM files, then I used the
X509_print_fp() to obtain the readable version of both of them. The two
resulting files are identical. Perhaps there is something wrong in the
invocation of the i2d/d2i functions. I'm posting an extract of the code:
//
struct T_G_4{
unsigned char nonce[NONCE_SIZE];
int cert_size;
unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
}
/*...*/
T_G_4 * TG4=new T_G_4;
/*...*/
peer_certificate=/* initialization function */ //this is a private member
of a class and the two functions are members of the same class
EVP_PKEY * pubkey=EVP_PKEY_new();
EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
X509_verify(peer_certificate,pubkey); //this verification returns 1
unsigned char * serialized certificate=NULL; //following the example of
the openssl d2i_X509 page, NULL pointer avoids the management of the
increasing pointer
TG4-cert_size=i2d(peer_certificate,serialized_certificate);
//serialization
memcpy(TG4-certificate,serialized_certificate,TG4-cert_size);
//initialize the remaining fields and return TG4
//passing the structure to another function
//other function:
/*...*/
unsigned char * serialized_certificate=new unsigned char [TG4-cert_size];
memcpy(serialized_certificate,TG4-certificate,TG4-cert_size);
peer_certificate = d2i_X509(NULL,(const unsigned char
**)serialized_certificate,TG4-cert_size); //deserialization
X509_verify(peer_certificate,pubkey); //now it returns 0... :(
/*...*/
Is there something wrong in this code?
Thanks in advance.
Best Regards
Andrea Saracino
2011/7/27 Erwin Himawan ehima...@gmail.com
The way I would verify this is by writting the original X509 object into
PEM file and dumping the X509 object resulted from d2i_x509() into another
PEM file and compares both files using the openssl ; either using asnparse
or x509 command.
On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino
saracino.and...@gmail.com wrote:
Hello everyone,
I've found some issues using the function X509_verify() on a simple X509
certificate. After the creation, if I call:
X509_verify(certificate,ca_key);
the function returns 1, but if I call the i2d_X509() function on the
certificate and then the d2i_X509() on the obtained byte string, the
X509_verify() on the resultant certificate returns 0.
I printed the certificate, in a readable format, before and after the
i2d() and d2i() execution and the result is exactly the same. The various
fields (issuer, subject...) have the correct values. Any ideas?
Best Regards
Andrea Saracino
X509 verify
Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.comwrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
Hi Erwin, thanks for your fast answer.
I dumped both the certificates in 2 PEM files, then I used the
X509_print_fp() to obtain the readable version of both of them. The two
resulting files are identical. Perhaps there is something wrong in the
invocation of the i2d/d2i functions. I'm posting an extract of the code:
//
struct T_G_4{
unsigned char nonce[NONCE_SIZE];
int cert_size;
unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
}
/*...*/
T_G_4 * TG4=new T_G_4;
/*...*/
peer_certificate=/* initialization function */ //this is a private member of
a class and the two functions are members of the same class
EVP_PKEY * pubkey=EVP_PKEY_new();
EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
X509_verify(peer_certificate,pubkey); //this verification returns 1
unsigned char * serialized certificate=NULL; //following the example of the
openssl d2i_X509 page, NULL pointer avoids the management of the increasing
pointer
TG4-cert_size=i2d(peer_certificate,serialized_certificate);
//serialization
memcpy(TG4-certificate,serialized_certificate,TG4-cert_size);
//initialize the remaining fields and return TG4
//passing the structure to another function
//other function:
/*...*/
unsigned char * serialized_certificate=new unsigned char [TG4-cert_size];
memcpy(serialized_certificate,TG4-certificate,TG4-cert_size);
peer_certificate = d2i_X509(NULL,(const unsigned char
**)serialized_certificate,TG4-cert_size); //deserialization
X509_verify(peer_certificate,pubkey); //now it returns 0... :(
/*...*/
Is there something wrong in this code?
Thanks in advance.
Best Regards
Andrea Saracino
2011/7/27 Erwin Himawan ehima...@gmail.com
The way I would verify this is by writting the original X509 object into
PEM file and dumping the X509 object resulted from d2i_x509() into another
PEM file and compares both files using the openssl ; either using asnparse
or x509 command.
On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino
saracino.and...@gmail.com wrote:
Hello everyone,
I've found some issues using the function X509_verify() on a simple X509
certificate. After the creation, if I call:
X509_verify(certificate,ca_key);
the function returns 1, but if I call the i2d_X509() function on the
certificate and then the d2i_X509() on the obtained byte string, the
X509_verify() on the resultant certificate returns 0.
I printed the certificate, in a readable format, before and after the
i2d() and d2i() execution and the result is exactly the same. The various
fields (issuer, subject...) have the correct values. Any ideas?
Best Regards
Andrea Saracino
Re: X509 verify
I would not use the X509_print_fp(), since it does not give you the PEM or DER
file.
Use intead PEM_write_bio or write_bio() for PEM and DER respectively.
Also check for error for the status of these two bio write function.
hopefully it helps
From: Andrea Saracino
Sent: Wednesday, July 27, 2011 6:05 PM
To: openssl-users@openssl.org
Subject: Re: X509 verify
Hi Erwin, thanks for your fast answer.
I dumped both the certificates in 2 PEM files, then I used the X509_print_fp()
to obtain the readable version of both of them. The two resulting files are
identical. Perhaps there is something wrong in the invocation of the i2d/d2i
functions. I'm posting an extract of the code:
//
struct T_G_4{
unsigned char nonce[NONCE_SIZE];
int cert_size;
unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
}
/*...*/
T_G_4 * TG4=new T_G_4;
/*...*/
peer_certificate=/* initialization function */ //this is a private member of a
class and the two functions are members of the same class
EVP_PKEY * pubkey=EVP_PKEY_new();
EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
X509_verify(peer_certificate,pubkey); //this verification returns 1
unsigned char * serialized certificate=NULL; //following the example of the
openssl d2i_X509 page, NULL pointer avoids the management of the increasing
pointer
TG4-cert_size=i2d(peer_certificate,serialized_certificate); //serialization
memcpy(TG4-certificate,serialized_certificate,TG4-cert_size);
//initialize the remaining fields and return TG4
//passing the structure to another function
//other function:
/*...*/
unsigned char * serialized_certificate=new unsigned char [TG4-cert_size];
memcpy(serialized_certificate,TG4-certificate,TG4-cert_size);
peer_certificate = d2i_X509(NULL,(const unsigned char
**)serialized_certificate,TG4-cert_size); //deserialization
X509_verify(peer_certificate,pubkey); //now it returns 0... :(
/*...*/
Is there something wrong in this code?
Thanks in advance.
Best Regards
Andrea Saracino
2011/7/27 Erwin Himawan ehima...@gmail.com
The way I would verify this is by writting the original X509 object into PEM
file and dumping the X509 object resulted from d2i_x509() into another PEM file
and compares both files using the openssl ; either using asnparse or x509
command.
On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com
wrote:
Hello everyone,
I've found some issues using the function X509_verify() on a simple X509
certificate. After the creation, if I call:
X509_verify(certificate,ca_key);
the function returns 1, but if I call the i2d_X509() function on the
certificate and then the d2i_X509() on the obtained byte string, the
X509_verify() on the resultant certificate returns 0.
I printed the certificate, in a readable format, before and after the i2d()
and d2i() execution and the result is exactly the same. The various fields
(issuer, subject...) have the correct values. Any ideas?
Best Regards
Andrea Saracino
Re: X509 verify
By the way sorry for the font size, it does not mean anything, it just mixed
up during cut and paste.
The function to dump x509 into a certificate is is PEM_write_bio_X509() and
the function to dump a x509 der file is bio_write(). Here is the doc on
bio_write http://www.manpagez.com/man/3/BIO_write/osx-10.3.php
erwin
On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan ehima...@gmail.com wrote:
**
I would not use the X509_print_fp(), since it does not give you the PEM or
DER file.
Use intead PEM_write_bio or write_bio() for PEM and DER respectively.
Also check for error for the status of these two bio write function.
hopefully it helps
*From:* Andrea Saracino saracino.and...@gmail.com
*Sent:* Wednesday, July 27, 2011 6:05 PM
*To:* openssl-users@openssl.org
*Subject:* Re: X509 verify
Hi Erwin, thanks for your fast answer.
I dumped both the certificates in 2 PEM files, then I used the
X509_print_fp() to obtain the readable version of both of them. The two
resulting files are identical. Perhaps there is something wrong in the
invocation of the i2d/d2i functions. I'm posting an extract of the code:
//
struct T_G_4{
unsigned char nonce[NONCE_SIZE];
int cert_size;
unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
}
/*...*/
T_G_4 * TG4=new T_G_4;
/*...*/
peer_certificate=/* initialization function */ //this is a private member
of a class and the two functions are members of the same class
EVP_PKEY * pubkey=EVP_PKEY_new();
EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
X509_verify(peer_certificate,pubkey); //this verification returns 1
unsigned char * serialized certificate=NULL; //following the example of the
openssl d2i_X509 page, NULL pointer avoids the management of the increasing
pointer
TG4-cert_size=i2d(peer_certificate,serialized_certificate);
//serialization
memcpy(TG4-certificate,serialized_certificate,TG4-cert_size);
//initialize the remaining fields and return TG4
//passing the structure to another function
//other function:
/*...*/
unsigned char * serialized_certificate=new unsigned char [TG4-cert_size];
memcpy(serialized_certificate,TG4-certificate,TG4-cert_size);
peer_certificate = d2i_X509(NULL,(const unsigned char
**)serialized_certificate,TG4-cert_size); //deserialization
X509_verify(peer_certificate,pubkey); //now it returns 0... :(
/*...*/
Is there something wrong in this code?
Thanks in advance.
Best Regards
Andrea Saracino
2011/7/27 Erwin Himawan ehima...@gmail.com
The way I would verify this is by writting the original X509 object into
PEM file and dumping the X509 object resulted from d2i_x509() into another
PEM file and compares both files using the openssl ; either using asnparse
or x509 command.
On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino
saracino.and...@gmail.com wrote:
Hello everyone,
I've found some issues using the function X509_verify() on a simple X509
certificate. After the creation, if I call:
X509_verify(certificate,ca_key);
the function returns 1, but if I call the i2d_X509() function on the
certificate and then the d2i_X509() on the obtained byte string, the
X509_verify() on the resultant certificate returns 0.
I printed the certificate, in a readable format, before and after the
i2d() and d2i() execution and the result is exactly the same. The various
fields (issuer, subject...) have the correct values. Any ideas?
Best Regards
Andrea Saracino
Re: X509 Verify callback
On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote:
Is there a way get have X509_verify_cert retry it's path building after it
gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
My idea is to implement a verify callback that uses the AIA information to
download the issuer cert and add it to the stack of untrusted certs.
Is this possible, or would I have to let X509_verify_cert error out and call
it again?
How about...
int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x);
if (ret 0)
return ret;
/* Do whatever you need to look up the issuer... */
}
... and somewhere else in your SSL_CTX setup:
X509_STORE *store = SSL_CTX_get_cert_store(vpninfo-https_ctx);
store-get_issuer = my_get_issuer_func;
--
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com Intel Corporation
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote:
Is there a way get have X509_verify_cert retry it's path building after it
gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
My idea is to implement a verify callback that uses the AIA information to
download the issuer cert and add it to the stack of untrusted certs.
Is this possible, or would I have to let X509_verify_cert error out and call
it again?
How about...
int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x);
if (ret 0)
return ret;
/* Do whatever you need to look up the issuer... */
}
... and somewhere else in your SSL_CTX setup:
X509_STORE *store = SSL_CTX_get_cert_store(vpninfo-https_ctx);
store-get_issuer = my_get_issuer_func;
--
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com Intel Corporation
That's almost perfect, but doesn't putting it inside the X509_STORE like this
tell the rest of the code it's trusted? If I'm downloading it using AIA I
can't trust it and still need to chain up to a trusted root.
It's too bad the verify function takes a STORE for trusted certs and a stack
for other certs. If both were STOREs I could do exactly what you describe
above.
--
Chris Bare
ch...@bareflix.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On Tue, 2010-05-11 at 09:58 -0400, Chris Bare wrote: That's almost perfect, but doesn't putting it inside the X509_STORE like this tell the rest of the code it's trusted? If I'm downloading it using AIA I can't trust it and still need to chain up to a trusted root. Hm, true. But surely there's something else (ctx-verify_cb or ctx-verify?) that lets you fix that up too? -- dwmw2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
X509 Verify callback
Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On 05/10/2010 08:43 PM, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? Trying to do path building during path validation may end up in a never ending loop or almost. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On 05/10/2010 08:43 PM, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? Trying to do path building during path validation may end up in a never ending loop or almost. How else can I leverage the local path building code? What if I happen to have parts of the path already? The path validation will build the path until it fails and that shows me what to go out and download next. At least that's how I'm thinking of it, but I'm open to suggestions. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
