What will it happen when a certificate has an empty issuer?

2019-12-04 Thread 朱佳宇
Hi, all, I recently created a certificate chain, on which some certificates happen to have “empty” issuers/subjects. Clearly, these certificates violate Section 4.1.2.4, RFC5280: “The issuer field MUST contain a non-empty distinguished name (DN)”. Meanwhile, the chain can still pass

Re: Fingerprint mismatch only for 32-bit DLL linked statically to FIPS Capable OpenSSL

2019-12-04 Thread Neptune
I ran into the same issue on my FIPS journey a few years ago. I'm assuming you are building for Windows, in which case setting the /FIXED flag is the right thing to do; however, you cannot be guaranteed to get the address you specify - it may already be occupied in which case the dll will be

Fingerprint mismatch only for 32-bit DLL linked statically to FIPS Capable OpenSSL

2019-12-04 Thread Dipak B
*Appreciate any help on the following.* 1. Built OpenSSL Fips Module and then 'static binaries' of FIPS capable OSSL which 'statically link to the windows run-time'. Thus, my application binary (FipsApp.exe) does not depend on OSSL DLLs. 2. Consumed these static binaries

Re: Json Web Keys again

2019-12-04 Thread Angus Robertson - Magenta Systems Ltd
> There isn't a key specific format for Ed25519. > You need to use i2d_PUBKEY() for that. I used EVP_PKEY_get_raw_public_key which got added for these raw keys, works fine for Ed25519. On the EVP_PKEY_get_raw_public_key.html page, it would help if it mentioned that *len should be set to the

Re: Json Web Keys again

2019-12-04 Thread Matt Caswell
On 04/12/2019 11:22, Angus Robertson - Magenta Systems Ltd wrote: >>> It seems the EVP_PKEY_RSA_PSS addition was only committed 28th >>> October 2019, so need to wait for 1.1.1e, hopefully real soon... >> >> Ah, that explains it! > > Now tested with 1.1.1e-dev and I can generate a JWK from an

Re: Json Web Keys again

2019-12-04 Thread Angus Robertson - Magenta Systems Ltd
> > It seems the EVP_PKEY_RSA_PSS addition was only committed 28th > > October 2019, so need to wait for 1.1.1e, hopefully real soon... > > Ah, that explains it! Now tested with 1.1.1e-dev and I can generate a JWK from an RSA-PSS key. Since JWK is for signing, I also tried to support ED25519

Re: Json Web Keys again

2019-12-04 Thread Matt Caswell
On 03/12/2019 19:07, Angus Robertson - Magenta Systems Ltd wrote: >>> Agreed, code looks clear enough, but was this was for 1.1.1 or >>> master? >> >> This code looks the same in 1.1.1 and master. > > It seems the EVP_PKEY_RSA_PSS addition was only committed 28th October > 2019, so need to

verbosity of `openssl ca` error

2019-12-04 Thread Erich Eckner
Hi, I'm trying to sign a csr by running `CA=signing-ca openssl ca -verbose -config /etc/simple-pki/ca-ssl.conf -name signing_ca -in /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.csr -out /tmp/tmp.Qz3EoKa0S4/fileserver-lo.ddns.eckner.net.crt