Pehuen,
Usually that part does not have to do with the CA, it has to do with the creation of the CSR (Certificate Signing Request). (Unless it is a self signed certificate like your CA itself)
When creating the request for a server you should put the full domain name as the "Common Name" that sho
All,
David came up with a solution that looks to me as something that would be really nice, he suggested that OpenSSL would allow the developer to register a callback function to do the unsafe functions.
However while he thinks OpenSSL should default to the OS 'best' function available, I am n
The OPENSSL_gmtime in o_time.c (that gets called from other places like ASN1_UTCTIME_cmp_time_t in a_utctm.c) does not use the safe version of gmtime in lots of platforms including: OPENSSL_SYS_WIN32, OPENSSL_SYS_OS2, __CYGWIN32__, OPENSSL_SYS_MACOSX, OPENSSL_SYS_SUNOS
This could cause problems in multi-th
When using OpenSSL it by default uses /dev/urandom for random seeding.
When using OpenSSL just for signature verification & hash functions I don't need the random.
But:
1. When using OpenSSL for signing data, and for SSL sessions (both client side and server side), should I use the /dev/random
You should use something like this:
FILE * file = NULL;
X509 * cert = NULL;
// Open the DER file
file = fopen("der_file_name", "rb");
// load it into a X509 object
cert = d2i_X509_fp(file, NULL);
fclose(file);
file = fopen("pem_file_name", "w");
// write the X509 object to a PEM file
int PEM_write_
Hi all,
After reading a lot on "small exponents" in RSA public keys, it seems
to me that the issue is only if I am not using libraries like OpenSSL
for signing, but if I use RSA_Sign or EVP_Sign they implement PKCS#1
and that solves that problem even if I sign the same plain text e
times.
So if I
Hey,
If I don't feed some random bytes (as data to encrypt - not as IV) to
the Triple-DES, is that a weakness? I think I should add at least 1
block size of random bytes (64 bit - 8 bytes), to make sure that
one-repeated character padding will not be added in the first block.
Thanks,
Joe
___
AIL PROTECTED]> wrote:
> Joe Gluck wrote:
> > 1. I don't expect anything developed specially for me, I was just
> > wondering if there is anyone out there that knew about a function
> > that already exists and does it.
> >
> > 2. I am not designing a s
1. I don't expect anything developed specially for me, I was just
wondering if there is anyone out there that knew about a function
that already exists and does it.
2. I am not designing a system to break in 10 years, I am thinking of
better performance for the time until we need to find a better
's a call to get the expiration date of a certificate
> in text format, and a C function to turn that into a time_t. Will
> that do what you need?
>
> -Kyle H
>
> On 1/30/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
> > I will not get certificates today for after 204
I will not get certificates today for after 2045 because the
certificates that I am checking are certificates that already passed a
validation check and have been inserted into my cache system, therefore
it is a certificate signed by our own system which does not sign for
more than 25 years. most are 1
number that represent 1 hour, I thought instead I can
get the time and compare it to the time_t of the expiration that I
already saved (maybe a year ago in the cache).
Thanks
Joe
On 1/29/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Jan 28, 2006, Joe Gluck wrote:
>
>
v() and getenv() yourself to modify it within your own
> code.
>
> Read the man pages for more information on how you can exploit this feature.
>
> -Kyle H
>
> On 1/28/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
> > I can't change the TZ because it will affect the e
e the value of TZ.
>
> -Kyle H
>
> On 1/28/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > On Sat, Jan 28, 2006, Joe Gluck wrote:
> >
> > > My mistake it was ASN1_TIME that is correct.
> > >
> > > But anyway, I don't see a reason
n 1/28/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Jan 28, 2006, Joe Gluck wrote:
>
> > Thank you for all your replies but the gettimeofday I already use, but
> > it was not what I was asking in the original message.
> >
> > What I asked is how can I get
gettimeofday)? (See first message in
thread)
Thanks
Joe
On 1/28/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Fri, Jan 27, 2006, Joe Gluck wrote:
>
> > Does someone have any idea about this, it looks like it fell out
> > through the night.
> >
>
> The comme
ngs. That's
> something that a lot of people end up misconfiguring on their systems.
>
> On 1/27/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > I have a certificate with dates represented as GMT time.
> >
> > I am trying to get those
Does someone have any idea about this, it looks like it fell out
through the night.
On 1/27/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have a certificate with dates represented as GMT time.
>
> I am trying to get those times as GMT in a time_t format, is t
Hi,
I would like to know if there is an isomorphism between a serial number
represented as an ASN1 and if I had that number in int?
If it is true then I can just use most of the times the original ASN1
as a unique id, instead of parsing it into a int value. (If I know
they are from the same issuer
Hi all,
I have a certificate with dates represented as GMT time.
I am trying to get those times as GMT in a time_t format, is this ok?
ASN1_TIME * not_after;
time_t expire;
not_after = X509_get_notAfter(cert); // cert is a X509 object
expire = ASN1_UTCTIME_get(not_after);
will the "expire" hol
Thank you guys for all those great points.
I think I am getting to a conclusion, although some of you were not
concerned about the hashing of the X509_check_purpose() because it
happens only once, I am because yes indeed the one in the cache after
the first time will not need to rehash but the oth
I was also concerned about someone messing with the headers or any
other field, but those checks I did only after the public key did not
match, because if the public key matches to one in the cache and the
one in the cache is fully verified, then I don't care for additional
checks.
And if it fails
s but those we clear anyway before decoding the base64, so
after this process it is guaranteed to be the same exact PEM file.
And there is only one system that will create the original PEM file so
I don't think that is an issue.
Joe
On 1/26/06, Lev Walkin <[EMAIL PROTECTED]> wrote:
>
That is correct but in my case I am getting the cert in PEM, and it is
created by another application we develop so it should be an exact
duplicate if it is actually the same one.
On 1/26/06, Lev Walkin <[EMAIL PROTECTED]> wrote:
> Joe Gluck wrote:
> > That attack is interesting,
of the entire
certificate (The text as I get in a PEM format before loading it into
the X509 object. it is faster than hashing the same size and comparing
the hash.
Thanks
On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 26, 2006, Joe Gluck wrote:
>
> >
wrote:
> On Thu, Jan 26, 2006, Joe Gluck wrote:
>
> > That is great to know because I did not know if while loading the
> > certificate it parses the fields and hashes or just loads it.
> >
>
> It parses most fields. The public key and extension parts aren't par
the one already in my
cache.
Thanks,
Joe
On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 26, 2006, Joe Gluck wrote:
>
> > That is good to know, and I assumed it will hash only once, but I want
> > to skip that one time as well, and have the verific
, (unless that hash also is done automatically when
loading the cert into the X509 before calling the compare function.
Thanks,
Joe
On 1/26/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 26, 2006, Joe Gluck wrote:
>
> > Hi,
> >
> >
> > I am usin
Hi,
I am trying to compare two certificates by comparing their public keys.
Just to give a reference I designed a certificate cache for verifying
signatures (no private keys), every new certificate goes through the
full verify process, check issuer path, and check signature
(X509_verify()) and ch
29 matches