All,
We have a code signing facility that has signed a lot of code using
a certificate that recently expired. Now, validation of the signed
code fails because one of the certs in the chain has expired (not
the root cert, and not the signing cert).
So, should the verification routine be changed to
Ok let me rephrase my original question: Why would someone trust a cert chain of length 3 less than they would a cert chain of length 2? I see software (like apache) that has a tunable acceptable-cert-chain-length parameter. Why wouldn't you just trust any cert chain length?
cj
- Original Message -
From: Rich Salz [EMAIL PROTECTED]
To: Chris Jarshant [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 2:56 PM
Subject: Re: Certificats : chain
- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 31, 2003 7:52 PM
Subject: Re: X509_STORE and X509_verify performance
On Mon, Mar 31, 2003, Chris Jarshant wrote:
I generated 1000 test self-signed CA certs, and wrote a small
Well in the short term some kind of evil hack will be needed by an application. This would involve messing around with the internals of the X509_STORE and normally you shouldn't go near those. However in this case you haven't got any choice.
In outline you'd create an X509_OBJECT for each
I generated 1000 test self-signed CA certs, and wrote a small program to add them all to an X509_STORE in preparation for verifying a certificate. But this operation took a LONG, LONG time. Even adding 500 certs took approx. 30 seconds! It appeared to go real fast for the first 100 certs,
And just to be clear, it was the for() loop that calls X509_STORE_add_cert() for each cert that was taking forever, not the actual verification, which took no perceivable (in terms of user interface delay) time.
cj
- Original Message -
From:
Chris Jarshant
To: [EMAIL
All,
ocsp2.valicert.net seems to be non-functional. Anyone know of any OCSP Responders I can use to test my OCSP client? I have used openvalidation.org with moderate success (some of their certs don't have the OCSPSigning extended key usage attribute, which openssl promptly rejects).
cj
BTW: I also need test signed certificates, signed by the test CAs from the test site you're about to tell me about :-)
cj
- Original Message -
From:
Chris Jarshant
To: [EMAIL PROTECTED]
Sent: Monday, December 02, 2002 5:19 PM
Subject: ocsp2.valicert.net
be trusted, and any app that does so is broken.
cj
- Original Message -
From: Jason Haar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 25, 2002 10:06 PM
Subject: Re: Combine certificates into chain
On Mon, Nov 25, 2002 at 01:00:18PM -0500, Chris Jarshant wrote:
Another
- Original Message -
From: Vadim Fedukovich [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 24, 2002 12:46 PM
Subject: Re: Converting own CA certificate to pkcs12
On Fri, Nov 22, 2002 at 01:50:37PM -0500, Chris Jarshant wrote:
You can't convert a public key
- Original Message -
From: Sebastian Lisken [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 22, 2002 11:45 AM
Subject: Combine certificates into chain
Hi, I have been issued a certificate by a CA. They make a
.pkcs12 file available with a password for the
As per my previous mail, I am writing code that, given a cert, looks to see if it has an embedded OCSP Responder, in order to try and validate the cert with the given Responder.
So, I am writing a routine that, given an X509 *cert, looks for the OCSP Responder (all error checking omitted
Since PKCS12 is simply a container for keys and/or
certs, you can certainly craft a PKCS12 file with just
a single key or just a single cert in it.
Unfortunately the current openssl pkcs12 command enforces
a peculiar limitation that each PKCS12 file must have
at least one cert and one private key
Which shows the -nd flag (and corresponding
API, PKCS7_set_detached()) has no effect. Anyone
know why? Is this a permanent change?
The preferred method for using PKCS#7 is the high level API or the smime
utility, the 'sign' utility is rather old and clunky.
I'll check to see if
No, but I'm about to for a large project I'm working on... Will keep the group informed. I will be using the programmatic APIs rather than the command line. Hope it's better documented than the other openssl APIs :-)
Bob Kupperstein wrote:
I'm interested in feedback about reliability,
.. It is not a generic, multi-purpose
compare routine. If anyone has one or knows of one please let me know!!
Chris Jarshant wrote:
Is there documentation (aside from looking at the header files) on how to
use things like STACK_OF(type) and the sk_*_find() functions?
Perhaps I'm going about it wrong
Erwann ABALEA wrote:
Probably a limitation of the actual browsers. But you might want to check
Mozilla 1.0, which seems to be able to save a bunch of private
key/certificate pairs at once. I haven't tested this functionality, but it
might be possible that there's only one output file, and
Erwann ABALEA wrote:
friendlyName, then look for their public key cert using that friendlyName,
then look for a corresponding private key using the friendlyName. If I
can't find a private key with that friendlyName, I use the localKeyID from
the public key cert to match. If there is
Is there documentation (aside from looking at the header files) on how to
use things like STACK_OF(type) and the sk_*_find() functions?
Perhaps I'm going about it wrong, but I can't figure it out.
Any help would be most appreciated. I'm trying to do this:
given a STACK_OF(PKCS12_SAFEBAG)