chnology
> Cambridge, MA
>
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager
Name, we don't see this behaviour:
Original Struct:
(gdb) p *r3
$3 = {badstring = 0x0, mystr = 0x80568a8}
new struct after i2d -> d2i:
(gdb) p *r4
$4 = {badstring = 0x0, mystr = 0x8056960}
(gdb)
If anyone can shed any light on this, it would be appreciated.
---
Patrick Patterson
Chief
the above
header on the definitions, I don't think that will result in an interoperable
implementation.
Best Regards,
Patrick.
On 2013-03-12, at 4:43 PM, Patrick Patterson wrote:
> Hi Steve,
>
> Ok - but if I have an IETF ASN.1 like this:
>
> * Request
struct and ASN1_SEQUENCE {
}?? From my understanding, the IETF uses IMPLICIT tagging for everything.
Thanks.
Patrick.
On 2013-03-12, at 4:28 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 12, 2013, Patrick Patterson wrote:
>
>> Hi OpenSSL Developers,
>>
>> I think we&
Hello all:
While playing around with a project over the holidays, I ran into the following:
If you have an Optional Implicitly tagged GENERAL_NAMES, followed by
another optional implicitly tagged item, and you don't actually fill
in the GENERAL_NAMES structure (since it is optional), OpenSSL will
or
workarounds that need to be applied to 0.9.8 to get this to work? Or,
conversely, after looking at the code, can anyone point out what dumb mistake
that I'm making?
Thanks.
openssl_example.cc
Description: Binary data
---
Patrick Patterson
Chief PKI Architect
Carillon Information Secu
g the CMS definitions?
Thanks!
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
o code this up.
Are there any examples kicking around that anyone would be willing to share?
Thanks.
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
r message. However, I suggest that
you check your build system setup, and ensure that you are correctly linking
with the OpenSSL libraries on your system.
Best Regards,
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.ca
gt;
> In other words: You're basically looking for ASN1_item_d2i() and
> ASN1_item_i2d(), respectively.
>
> Best regards,
>
> Martin
Hi Martin:
Just a couple of quick questions:
- How are you supporting LDAP URLs for CRLDP?
- Do you implement all of the possible trust models and profile types for OCSP?
- How complete is your HTTP implementation?
- How do you hook into the application "main loop" to prevent an OCSP or CRL
call
Hi Steve:
On 2010-11-16, at 3:53 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 16, 2010, Patrick Patterson wrote:
>
>> That said, when I pipe the output through asn1parse, I don't see the SID
>> information, so I'm not sure where the cms command would pull it
1.0.0 with how this is handled
that would make a difference? For a couple of reasons (including integration
with a hardware engine) I would like to stay with 0.9.8.
Thanks.
---
Patrick Patterson
Chief PKI Architect
Carillon Information Secur
Hi Steve:
On 2010-11-15, at 1:29 PM, Dr. Stephen Henson wrote:
> On Mon, Nov 15, 2010, Patrick Patterson wrote:
>>
>> 1: Why SID isn't getting set.
>>
>
> Not sure haven't had a chance to check in more detail yet.
>
It appears rather strange, because
Hi Steve:
On 2010-11-15, at 11:43 AM, Dr. Stephen Henson wrote:
> On Mon, Nov 15, 2010, Patrick Patterson wrote:
>
> If you call CMS_dataInit() with a NULL BIO it should make use of any content
> already in the CMS structure. It does create a read only BIO internally for
> that
--
Patrick Patterson
Chief PKI Architect,
Carillon Information Security Inc.
http://www.carill
Here's a hint:
You are creating a DER encoded RSA public Key - you are trying to read a DER
encoded X.509 certificate. These are not the same thing.
Have fun.
Patrick.
On 2010-11-10, at 9:06 PM, furrbie wrote:
>
> Hi,
>
> I am trying to read in a DER encoded RSA public key using d2i_X509_fp
ache, you
can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If
you wrote the application, then prior to accepting any connections, use the
SSL_CTX_set_cipher_list() function to set everything up the way you want.
Have fun!
--
Patrick Patterson
Preside
rbud will approach you and find out if
you want to come and join them in the land of "we can't say what we're working
on, but it's REALLY interesting :)"
Have fun!
--
Patrick Patterson
President and Chief PKI Architec
t; modification (just by linking against the CSP capable OpenSSL library) to
> support the CSP.
>
Again - just wrapping something in a box doesn't make it any more secure -
security comes from many more methods than that.
--
Patrick Patterson
President and Chief PKI Arc
Peter:
On 29/03/10 1:15 AM, Peter Waltenberg wrote:
>
> Sure - it works if you have a simple application, main -> OpenSSL
> even main ->lib doing SSL -> OpenSSL still works.
>
> What's giving us grief (and I suspect the person who first raised this
> grief) is:
> main -> lib that needs SSL to d
your SSL_CTX_set_verify setup as follows?
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, cb);
(have CB == NULL) if you don't want to have your own custom callback to handle
the verification.
If not, then you're not actually having the SSL/TLS session say to reque
?l=openssl-dev&m=123447208513863&w=2
>
> Thank you.
it to the IETF TLS working group.
Have fun.
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
Benjamin Gittins wrote:
> Hi,
>
> I am new to the TLS/SSL protocol.
>
> I am exploring the idea of extending OpenSSL to perform authenticated
> key exchang
RussMitch wrote:
>
>> That's against the security policy.
>
> I don't care about the security policy. I just want to build openssl with
> fips enabled, link to it, and pass the power up tests. Can you help?
>
> /Russ
Ok - I'll bite - the only possible reason for going through the pain and
suf
tives, then you've
got A LOT of places to go and add that support to).
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
t is broken.
My guess is that while your algorithm may be correct, the representation of
the bytes that you are using isn't of the same format that OpenSSL is
expecting. Again, without your source, it is almost impossible to help.
Have fun.
--
Patrick Patterson
President and
t; - i.e.: follow all of the relevant standards and conventions
as closely as possible, or else you're just going to make life miserable
for guys like me :)
Have fun.
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
9_new();
PEM_read_bio_X509(bufbio, &cert, NULL, NULL);
If the Cert is already in DER format, just use the d2i_X509() function to read
it into the OpenSSL internal representation.
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Secur
://www.carillon.ca/tools/pathfinder.php
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Vineet Kumar wrote:
> Yes, but it looks like if openssl has to conform to JITC tests then in
> order to accept an EE, a CRL **signed by EE's CA** better be present.
> It doesn't matter if a CRL is present but signed by some other CA in
> the cert-chain, no? This strictness of who the CRL's signer s
are using strict revocation information checking, the
above chain should fail, because you can't look up the status of the end
certificate.
If you want a good example of code for a PDVal tool that implements all of the
tests in the NIST suite, please take a look at Pathfinder - it's avai
If I reserve the setting and replace slash
> with comma, I can get an DN for ldap query, right?
>
Depends on your LDAP client, but usually yes. However, this is probably a bad
practice, because you would have to have all of your relying parties
configured somehow to know which server to
depending rather heavily on the native
routines provided by OpenSSL) . Do you mean an extension to the OpenSSL
libraries, so that 'openssl verify' can correctly validate long life
signatures? If so, then probably the right thing to do is to create a patch
to OpenSSL itself, and sub
Hi Konrad:
Konrad Kleine wrote:
> I also posted this question on the users mailing list.
>
> Hello,
>
> we are writing a client/server application in C/C++ using OpenSSL.
>
> That's fine, but is it possible to verify the server's certificate on
> client side by specifying a whole directory o
claiming that the above list of suppressions will work 100% for
you - the suppressions above are for things that our code tickles - you may
want to add more of them for those specific areas that your code touches that
ours does not.
Have fun.
--
Patrick Patterson
President and Chie
penSSL
with -DPURIFY, and it is quite clean.
(we do it all the time here with WvStreams and Pathfinder, and it works like a
charm).
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www
subject, and the merits of the two approaches are
probably best discussed on the PKIX list, rather than here, as the approach
has little to do with the technical implementation of what you propose :)
Have fun.
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Informa
" in this case, I believe) if you want to
validate a CRL against a key other than that used to sign the certificate,
you are supposed to use the cRLIssuer field of the cRLDistributionPoint in
the certificate. Allowing any other form of validation of a CRL signature
leaves you wide open to a den