certificate expiration meaning

2004-12-09 Thread Chris Jarshant
All, We have a code signing facility that has signed a lot of code using a certificate that recently expired. Now, validation of the signed code fails because one of the certs in the chain has expired (not the root cert, and not the signing cert). So, should the verification routine be changed to

Re: Certificats : chain

2003-04-04 Thread Chris Jarshant
since some of the chains would be successfully validated. cj - Original Message ----- From: "Rich Salz" <[EMAIL PROTECTED]> To: "Chris Jarshant" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, April 04, 2003 2:56 PM Subject: Re: Certificats : chai

Re: Certificats : chain

2003-04-04 Thread Chris Jarshant
Ok let me rephrase my original question: Why would someone trust a cert chain of length 3 less than they would a cert chain of length 2? I see software (like apache) that have a tunable acceptable-cert-chain-length parameter. Why wouldn't you just trust any cert chain length? cj - Original

Re: X509_STORE and X509_verify performance

2003-04-01 Thread Chris Jarshant
> Well in the short term some kind of evil hack will be needed by an > application. This would involve messing around with the internals of the > X509_STORE and normally you shouldn't go near those. However in this case you > haven't got any choice. > > In outline you'd create an X509_OBJECT for e

Re: X509_STORE and X509_verify performance

2003-04-01 Thread Chris Jarshant
- Original Message - From: "Dr. Stephen Henson" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, March 31, 2003 7:52 PM Subject: Re: X509_STORE and X509_verify performance > On Mon, Mar 31, 2003, Chris Jarshant wrote: > > > I generated 1000 te

Re: X509_STORE and X509_verify performance

2003-03-31 Thread Chris Jarshant
And just to be clear, it was the for() loop that calls X509_STORE_add_cert() for each cert that was taking forever, not the actual verification, which took no perceivable (in terms of user interface delay) time.   cj   - Original Message - From: Chris Jarshant To: [EMAIL

X509_STORE and X509_verify performance

2003-03-31 Thread Chris Jarshant
I generated 1000 test self-signed CA certs, and wrote a small program to add them all to an X509_STORE in preparation for verifying a certificate.. But this operation took a LONG, LONG time.  Even adding 500 certs took approx. 30 seconds!  It appeared to go real fast for the first 100 certs

Re: ocsp2.valicert.net

2002-12-02 Thread Chris Jarshant
BTW: I also need test signed certificates, signed by the test CAs from the test site you're about to tell me about :-)   cj - Original Message - From: Chris Jarshant To: [EMAIL PROTECTED] Sent: Monday, December 02, 2002 5:19 PM Subject: ocsp2.valicer

ocsp2.valicert.net

2002-12-02 Thread Chris Jarshant
All,   ocsp2.valicert.net seems to be non-functional.  Anyone know of any OCSP Responders I can use to test my OCSP client? I have used openvalidation.org with moderate success (some of their certs don't have the OCSPSigning extended key usage attribute, which openssl promptly rejects).   c

Re: Combine certificates into chain

2002-11-26 Thread Chris Jarshant
't really be trusted, and any app that does so is broken. cj - Original Message - From: "Jason Haar" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, November 25, 2002 10:06 PM Subject: Re: Combine certificates into chain > On Mon, Nov 25, 2002 at 01:

Re: Converting own CA certificate to pkcs12

2002-11-24 Thread Chris Jarshant
- Original Message - From: "Vadim Fedukovich" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, November 24, 2002 12:46 PM Subject: Re: Converting own CA certificate to pkcs12 > On Fri, Nov 22, 2002 at 01:50:37PM -0500, Chris Jarshant wrote: > >

Re: Combine certificates into chain

2002-11-23 Thread Chris Jarshant
- Original Message - From: "Sebastian Lisken" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, November 22, 2002 11:45 AM Subject: Combine certificates into chain > > Hi, I have been issued a certificate by a CA. They make a > .pkcs12 file available with a password for

OCSP and new ASN.1 routines

2002-11-20 Thread Chris Jarshant
As per my previous mail, I am writing code that, given a cert, looks to see if it has an embedded OCSP Responder, in order to try and validate the cert with the given Responder.   So, I am writing a routine that, given an X509 *cert, looks for the OCSP Responder (all error checking omitted f

OCSP and AuthorityInfoAccess

2002-11-18 Thread Chris Jarshant
OCSP Gurus,   I am attempting to implement an app which attempts to verify PKCS7 signatures on data.  It does all the local verification one would expect.   Now I want to add OCSP into the mix.  Given a locally verified certificate chain, I want to perform OCSP on any and all certs involved

Re: PKCS12 and Private Key

2002-11-14 Thread Chris Jarshant
Since PKCS12 is simply a container for keys and/or certs, you can certainly craft a PKCS12 file with just a single key or just a single cert in it. Unfortunately the current openssl pkcs12 command enforces a peculiar limitation that each PKCS12 file must have at least one cert and one private key

Re: PKCS7 detached signatures no longer detached in 0.9.6e

2002-09-06 Thread Chris Jarshant
- Original Message - From: "Dr. Stephen Henson" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, September 06, 2002 8:23 PM Subject: Re: PKCS7 detached signatures no longer detached in 0.9.6e > On Thu, Sep 05, 2002, Chris Jarshant wrote: > >

Re: PKCS7 detached signatures no longer detached in 0.9.6e

2002-09-05 Thread Chris Jarshant
> > Which shows the "-nd" flag (and corresponding > > API, PKCS7_set_detached()) has no effect. Anyone > > know why? Is this a permanent change? > > The preferred method for using PKCS#7 is the high level API or the smime > utility, the 'sign' utility is rather old and clunky. > > I'll check

Re: Is anyone using openssl ocsp client?

2002-08-09 Thread Chris Jarshant
No, but I'm about to for a large project I'm working on... Will keep the group informed. I will be using the programmatic APIs rather than the command line. Hope it's better documented than the other openssl APIs :-) Bob Kupperstein wrote: > I'm interested in feedback about reliability, inter

OpenSSL stability

2002-07-30 Thread Chris Jarshant
All, Are there any declarations of the stability of the APIs found in the OpenSSL distribution? For example, are there any guarantees or even "we will try not to"'s which limit the amount of change that the APIs can undergo from release to release? _

Re: libcrypto stack routines

2002-07-30 Thread Chris Jarshant
It is not a generic, multi-purpose compare routine. If anyone has one or knows of one please let me know!! Chris Jarshant wrote: > Is there documentation (aside from looking at the header files) on how to > use things like STACK_OF(type) and the sk_*_find() functions? > Perhaps I'm g

libcrypto stack routines

2002-07-25 Thread Chris Jarshant
Is there documentation (aside from looking at the header files) on how to use things like STACK_OF(type) and the sk_*_find() functions? Perhaps I'm going about it wrong, but I can't figure it out. Any help would be most appreciated. I'm trying to do this: given a STACK_OF(PKCS12_SAFEBAG) instan

Re: PKCS12 and private keys

2002-07-25 Thread Chris Jarshant
Erwann ABALEA wrote: > > friendlyName, then look for their public key cert using that friendlyName, > > then look for a corresponding private key using the friendlyName. If I > > can't find a private key with that friendlyName, I use the localKeyID from > > the public key cert to match. If th

Re: PKCS12 and private keys

2002-07-25 Thread Chris Jarshant
Chris Jarshant wrote: > Erwann ABALEA wrote: > > > Probably a limitation of the actual browsers. But you might want to check > > Mozilla 1.0, which seems to be able to save a bunch of private > > key/certificate pairs at once. I haven't tested this functionality,

Re: PKCS12 and private keys

2002-07-25 Thread Chris Jarshant
Erwann ABALEA wrote: > Probably a limitation of the actual browsers. But you might want to check > Mozilla 1.0, which seems to be able to save a bunch of private > key/certificate pairs at once. I haven't tested this functionality, but it > might be possible that there's only one output file, and