Re: X509 verify
I'm using the PEM_write_X509(), avoiding the BIO, is there any difference? Anyway, this function does not give errors. Calling the ERR_error_string() on the failed verify, the error returned is: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib Searching on Google for this error it is not so helpful, it says only that something on the certificate or on the public key is wrong. Probably the i2d/d2i functions add something undesired on mine X509 structure. Thanks again for your help. Best Regards Andrea Saracino 2011/7/28 Erwin Himawan ehima...@gmail.com By the way sorry for the font size, it does not mean anything, it just mixed up during cut and paste. The function to dump x509 into a certificate is is PEM_write_bio_X509() and the function to dump a x509 der file is bio_write(). Here is the doc on bio_write http://www.manpagez.com/man/3/BIO_write/osx-10.3.php erwin On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan ehima...@gmail.com wrote: ** I would not use the X509_print_fp(), since it does not give you the PEM or DER file. Use intead PEM_write_bio or write_bio() for PEM and DER respectively. Also check for error for the status of these two bio write function. hopefully it helps *From:* Andrea Saracino saracino.and...@gmail.com *Sent:* Wednesday, July 27, 2011 6:05 PM *To:* openssl-users@openssl.org *Subject:* Re: X509 verify Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used the X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions. I'm posting an extract of the code: // struct T_G_4{ unsigned char nonce[NONCE_SIZE]; int cert_size; unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)]; } /*...*/ T_G_4 * TG4=new T_G_4; /*...*/ peer_certificate=/* initialization function */ //this is a private member of a class and the two functions are members of the same class EVP_PKEY * pubkey=EVP_PKEY_new(); EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key); X509_verify(peer_certificate,pubkey); //this verification returns 1 unsigned char * serialized certificate=NULL; //following the example of the openssl d2i_X509 page, NULL pointer avoids the management of the increasing pointer TG4-cert_size=i2d(peer_certificate,serialized_certificate); //serialization memcpy(TG4-certificate,serialized_certificate,TG4-cert_size); //initialize the remaining fields and return TG4 //passing the structure to another function //other function: /*...*/ unsigned char * serialized_certificate=new unsigned char [TG4-cert_size]; memcpy(serialized_certificate,TG4-certificate,TG4-cert_size); peer_certificate = d2i_X509(NULL,(const unsigned char **)serialized_certificate,TG4-cert_size); //deserialization X509_verify(peer_certificate,pubkey); //now it returns 0... :( /*...*/ Is there something wrong in this code? Thanks in advance. Best Regards Andrea Saracino 2011/7/27 Erwin Himawan ehima...@gmail.com The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
X509 verify
Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.comwrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used the X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions. I'm posting an extract of the code: // struct T_G_4{ unsigned char nonce[NONCE_SIZE]; int cert_size; unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)]; } /*...*/ T_G_4 * TG4=new T_G_4; /*...*/ peer_certificate=/* initialization function */ //this is a private member of a class and the two functions are members of the same class EVP_PKEY * pubkey=EVP_PKEY_new(); EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key); X509_verify(peer_certificate,pubkey); //this verification returns 1 unsigned char * serialized certificate=NULL; //following the example of the openssl d2i_X509 page, NULL pointer avoids the management of the increasing pointer TG4-cert_size=i2d(peer_certificate,serialized_certificate); //serialization memcpy(TG4-certificate,serialized_certificate,TG4-cert_size); //initialize the remaining fields and return TG4 //passing the structure to another function //other function: /*...*/ unsigned char * serialized_certificate=new unsigned char [TG4-cert_size]; memcpy(serialized_certificate,TG4-certificate,TG4-cert_size); peer_certificate = d2i_X509(NULL,(const unsigned char **)serialized_certificate,TG4-cert_size); //deserialization X509_verify(peer_certificate,pubkey); //now it returns 0... :( /*...*/ Is there something wrong in this code? Thanks in advance. Best Regards Andrea Saracino 2011/7/27 Erwin Himawan ehima...@gmail.com The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
I would not use the X509_print_fp(), since it does not give you the PEM or DER file. Use intead PEM_write_bio or write_bio() for PEM and DER respectively. Also check for error for the status of these two bio write function. hopefully it helps From: Andrea Saracino Sent: Wednesday, July 27, 2011 6:05 PM To: openssl-users@openssl.org Subject: Re: X509 verify Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used the X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions. I'm posting an extract of the code: // struct T_G_4{ unsigned char nonce[NONCE_SIZE]; int cert_size; unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)]; } /*...*/ T_G_4 * TG4=new T_G_4; /*...*/ peer_certificate=/* initialization function */ //this is a private member of a class and the two functions are members of the same class EVP_PKEY * pubkey=EVP_PKEY_new(); EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key); X509_verify(peer_certificate,pubkey); //this verification returns 1 unsigned char * serialized certificate=NULL; //following the example of the openssl d2i_X509 page, NULL pointer avoids the management of the increasing pointer TG4-cert_size=i2d(peer_certificate,serialized_certificate); //serialization memcpy(TG4-certificate,serialized_certificate,TG4-cert_size); //initialize the remaining fields and return TG4 //passing the structure to another function //other function: /*...*/ unsigned char * serialized_certificate=new unsigned char [TG4-cert_size]; memcpy(serialized_certificate,TG4-certificate,TG4-cert_size); peer_certificate = d2i_X509(NULL,(const unsigned char **)serialized_certificate,TG4-cert_size); //deserialization X509_verify(peer_certificate,pubkey); //now it returns 0... :( /*...*/ Is there something wrong in this code? Thanks in advance. Best Regards Andrea Saracino 2011/7/27 Erwin Himawan ehima...@gmail.com The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 verify
By the way sorry for the font size, it does not mean anything, it just mixed up during cut and paste. The function to dump x509 into a certificate is is PEM_write_bio_X509() and the function to dump a x509 der file is bio_write(). Here is the doc on bio_write http://www.manpagez.com/man/3/BIO_write/osx-10.3.php erwin On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan ehima...@gmail.com wrote: ** I would not use the X509_print_fp(), since it does not give you the PEM or DER file. Use intead PEM_write_bio or write_bio() for PEM and DER respectively. Also check for error for the status of these two bio write function. hopefully it helps *From:* Andrea Saracino saracino.and...@gmail.com *Sent:* Wednesday, July 27, 2011 6:05 PM *To:* openssl-users@openssl.org *Subject:* Re: X509 verify Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used the X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions. I'm posting an extract of the code: // struct T_G_4{ unsigned char nonce[NONCE_SIZE]; int cert_size; unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)]; } /*...*/ T_G_4 * TG4=new T_G_4; /*...*/ peer_certificate=/* initialization function */ //this is a private member of a class and the two functions are members of the same class EVP_PKEY * pubkey=EVP_PKEY_new(); EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key); X509_verify(peer_certificate,pubkey); //this verification returns 1 unsigned char * serialized certificate=NULL; //following the example of the openssl d2i_X509 page, NULL pointer avoids the management of the increasing pointer TG4-cert_size=i2d(peer_certificate,serialized_certificate); //serialization memcpy(TG4-certificate,serialized_certificate,TG4-cert_size); //initialize the remaining fields and return TG4 //passing the structure to another function //other function: /*...*/ unsigned char * serialized_certificate=new unsigned char [TG4-cert_size]; memcpy(serialized_certificate,TG4-certificate,TG4-cert_size); peer_certificate = d2i_X509(NULL,(const unsigned char **)serialized_certificate,TG4-cert_size); //deserialization X509_verify(peer_certificate,pubkey); //now it returns 0... :( /*...*/ Is there something wrong in this code? Thanks in advance. Best Regards Andrea Saracino 2011/7/27 Erwin Himawan ehima...@gmail.com The way I would verify this is by writting the original X509 object into PEM file and dumping the X509 object resulted from d2i_x509() into another PEM file and compares both files using the openssl ; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote: Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas? Best Regards Andrea Saracino
Re: X509 Verify callback
On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? How about... int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x); if (ret 0) return ret; /* Do whatever you need to look up the issuer... */ } ... and somewhere else in your SSL_CTX setup: X509_STORE *store = SSL_CTX_get_cert_store(vpninfo-https_ctx); store-get_issuer = my_get_issuer_func; -- David WoodhouseOpen Source Technology Centre david.woodho...@intel.com Intel Corporation __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? How about... int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x); if (ret 0) return ret; /* Do whatever you need to look up the issuer... */ } ... and somewhere else in your SSL_CTX setup: X509_STORE *store = SSL_CTX_get_cert_store(vpninfo-https_ctx); store-get_issuer = my_get_issuer_func; -- David WoodhouseOpen Source Technology Centre david.woodho...@intel.com Intel Corporation That's almost perfect, but doesn't putting it inside the X509_STORE like this tell the rest of the code it's trusted? If I'm downloading it using AIA I can't trust it and still need to chain up to a trusted root. It's too bad the verify function takes a STORE for trusted certs and a stack for other certs. If both were STOREs I could do exactly what you describe above. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On Tue, 2010-05-11 at 09:58 -0400, Chris Bare wrote: That's almost perfect, but doesn't putting it inside the X509_STORE like this tell the rest of the code it's trusted? If I'm downloading it using AIA I can't trust it and still need to chain up to a trusted root. Hm, true. But surely there's something else (ctx-verify_cb or ctx-verify?) that lets you fix that up too? -- dwmw2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
X509 Verify callback
Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On 05/10/2010 08:43 PM, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? Trying to do path building during path validation may end up in a never ending loop or almost. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X509 Verify callback
On 05/10/2010 08:43 PM, Chris Bare wrote: Is there a way get have X509_verify_cert retry it's path building after it gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT? My idea is to implement a verify callback that uses the AIA information to download the issuer cert and add it to the stack of untrusted certs. Is this possible, or would I have to let X509_verify_cert error out and call it again? Trying to do path building during path validation may end up in a never ending loop or almost. How else can I leverage the local path building code? What if I happen to have parts of the path already? The path validation will build the path until it fails and that shows me what to go out and download next. At least that's how I'm thinking of it, but I'm open to suggestions. -- Chris Bare ch...@bareflix.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org