X509 digest different after write and read to-from PEM

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

X509 digest different after write and read to-from PEM

M G-3
Hi list,
 
I noticed that the DER string representation was very very similar (longer by one byte) and only different by very few bytes... i.e., they are almost exactly the same thing....  I am trying to get to the cause of why the digest differs between them
 
Any ideas?


Find your next car at Yahoo! Canada Autos
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

Dr. Stephen Henson
On Sat, Oct 22, 2005, M G wrote:

> Hi list,
>  
> I noticed that the DER string representation was very very similar (longer by one byte) and only different by very few bytes... i.e., they are almost exactly the same thing....  I am trying to get to the cause of why the digest differs between them
>  
> Any ideas?
>

Why don't you post the code that created the certificate or the two examples?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

M G-3
Hi Dr. Henson,
 
Thanks in advance for taking a look:  Here is my code that creates the certificate (I removed the checks on return values - they were fine)
 
m_pX509 = X509_new();
 
X509_set_version(m_pX509, 2);
X509_gmtime_adj(X509_get_notBefore(m_pX509),0);
X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nDaysValid);
X509_set_pubkey(m_pX509, pEVP);
 
X509_NAME * pName = X509_get_subject_name(m_pX509);
X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szC,-1,-1,0);
X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szO,-1,-1,0);
X509_NAME_add_entry_by_txt(pName,"CN",MBSTRING_ASC,szCN,-1,-1,0);
 
// self signed:
X509_set_issuer_name(m_pX509, pName);
 
X509_sign(m_pX509, pEVP, EVP_sha1());
 
That is all I do... Am I missing something important?
 
Thank you very much!


"Dr. Stephen Henson" <[hidden email]> wrote:
On Sat, Oct 22, 2005, M G wrote:

> Hi list,
>
> I noticed that the DER string representation was very very similar (longer by one byte) and only different by very few bytes... i.e., they are almost exactly the same thing.... I am trying to get to the cause of why the digest differs between them
>
> Any ideas?
>

Why don't you post the code that created the certificate or the two examples?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Find your next car at Yahoo! Canada Autos
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

Dr. Stephen Henson
On Sun, Oct 23, 2005, M G wrote:

> Hi Dr. Henson,
>  
> Thanks in advance for taking a look:  Here is my code that creates the certificate (I removed the checks on return values - they were fine)
>  
> m_pX509 = X509_new();
>  
> X509_set_version(m_pX509, 2);
> X509_gmtime_adj(X509_get_notBefore(m_pX509),0);
> X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nDaysValid);
> X509_set_pubkey(m_pX509, pEVP);
>  
> X509_NAME * pName = X509_get_subject_name(m_pX509);
> X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szC,-1,-1,0);
> X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szO,-1,-1,0);
> X509_NAME_add_entry_by_txt(pName,"CN",MBSTRING_ASC,szCN,-1,-1,0);
>  
> // self signed:
> X509_set_issuer_name(m_pX509, pName);
>  
> X509_sign(m_pX509, pEVP, EVP_sha1());
>  
> That is all I do... Am I missing something important?
>  
> Thank you very much!
>

After adding a couple of lines of code to print out the digest of the
certificate and dump it as DER I still get exactly the same results.

What code are you using to produce the digest?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

Rich Salz
In reply to this post by M G-3
If there is a difference as small as one bit then the digests should be
different.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
This address will be going away; please use [hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

M G-3
In reply to this post by Dr. Stephen Henson
This is the code I used:
(after the generate function code shown earlier in this thread - I have an m_pX509) - this is what I do with it:
 
 m_strPEMText = X509ToPEM(m_pX509);
 m_strFingerprint = GetSHAFingerprint(m_pX509);
 ::MessageBox(NULL, m_strFingerprint, "ORIGINAL FINGERPRINT", MB_OK);
 
// create the same cert by reading it from PEM:
 X509 * pSame = X509FromPEM(m_strPEMText);
 ::MessageBox(NULL, GetSHAFingerprint(pSame), "FINGERPRINT OF WROTE OUT, READ IN", MB_OK);
 
CString CMyCertificate::GetSHAFingerprint(X509 * pX509)
{
 unsigned char fp[20];
 unsigned int nFPLength = 20;
 if(!X509_digest(pX509, EVP_sha1(), fp, &nFPLength))
  return "";
 m_strFingerprint = "";
 CString strTemp;
 for(unsigned int i = 0; i < nFPLength; i++)
 {
  strTemp.Format("%02x", (0xff & fp[i]));
  m_strFingerprint += strTemp;
  if(i != (nFPLength-1))
   m_strFingerprint += ":";
 }
 return m_strFingerprint;
}
 
X509 * CMyCertificate::X509FromPEM(CString strPEM)
{
  BIO * pMem = BIO_new_mem_buf((LPSTR)(LPCSTR)strPEM, -1);
  BIO_seek(pMem, 0);
 
 X509 * pResult = PEM_read_bio_X509(pMem, NULL, NULL, NULL);
  CMySecurityBox::PrintAnyErrors();
  BIO_free(pMem);
 return pResult;
}
CString CMyCertificate::X509ToPEM(X509 * pX509)
{
  BIO * pMem = BIO_new(BIO_s_mem());
 if(!PEM_write_bio_X509(pMem, pX509))
  {
    BIO_free(pMem);
    return "";   // failure
  }
  CString S = "";
  CString strTemp;
  BIO_seek(pMem, 0);
 
  char pData[4096];
  int nLengthRead;
  while((nLengthRead = BIO_read(pMem,pData,4096)) != -1)
  {
    strTemp = pData;
    strTemp = strTemp.Mid(0, nLengthRead);
    S += strTemp;
  }
 
  return S;
}

"Dr. Stephen Henson" <[hidden email]> wrote:
On Sun, Oct 23, 2005, M G wrote:

> Hi Dr. Henson,
>
> Thanks in advance for taking a look: Here is my code that creates the certificate (I removed the checks on return values - they were fine)
>
> m_pX509 = X509_new();
>
> X509_set_version(m_pX509, 2);
> X509_gmtime_adj(X509_get_notBefore(m_pX509),0);
> X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nDaysValid);
> X509_set_pubkey(m_pX509, pEVP);
>
> X509_NAME * pName = X509_get_subject_name(m_pX509);
> X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szC,-1,-1,0);
> X509_NAME_add_entry_by_txt(pName, "C", MBSTRING_ASC,szO,-1,-1,0);
> X509_NAME_add_entry_by_txt(pName,"CN",MBSTRING_ASC,szCN,-1,-1,0);
>
> // self signed:
> X509_set_issuer_name(m_pX509, pName);
>
> X509_sign(m_pX509, pEVP, EVP_sha1());
>
> That is all I do... Am I missing something important?
>
> Thank you very much!
>

After adding a couple of lines of code to print out the digest of the
certificate and dump it as DER I still get exactly the same results.

What code are you using to produce the digest?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]


Find your next car at Yahoo! Canada Autos
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

M G-3
In reply to this post by Dr. Stephen Henson
Hi Dr. Henson,

You were wondering what code I used to produce the
digest:  I used my X509 certificate to get the
fingerprint with GetSHAFingerprint() - then I wrote
the X509 to PEM, then I read it back and called
GetSHAFingerprint() again and received a different
fingerprint.  Is this supposed to happen?  This is the
code that I used:

// any existing X509 cert:
m_strPEMText = X509ToPEM(m_pX509);
m_strFingerprint = GetSHAFingerprint(m_pX509);
::MessageBox(NULL, m_strFingerprint, "ORIGINAL
FINGERPRINT", MB_OK);

X509 * pSame = X509FromPEM(m_strPEMText);
::MessageBox(NULL, GetSHAFingerprint(pSame),
"FINGERPRINT OF WROTE OUT, READ IN", MB_OK);

//THE FUNCTIONS:
CString CMyCertificate::GetSHAFingerprint(X509 *
pX509)
{
 unsigned char fp[20];
 unsigned int nFPLength = 20;
 if(!X509_digest(pX509, EVP_sha1(), fp, &nFPLength))
  return "";
 m_strFingerprint = "";
 CString strTemp;
 for(unsigned int i = 0; i < nFPLength; i++)
 {
  strTemp.Format("%02x", (0xff & fp[i]));
  m_strFingerprint += strTemp;
  if(i != (nFPLength-1))
   m_strFingerprint += ":";
 }
 return m_strFingerprint;
}
 
X509 * CMyCertificate::X509FromPEM(CString strPEM)
{
  BIO * pMem = BIO_new_mem_buf((LPSTR)(LPCSTR)strPEM,
-1);
  BIO_seek(pMem, 0);
 
 X509 * pResult = PEM_read_bio_X509(pMem, NULL, NULL,
NULL);
  CMySecurityBox::PrintAnyErrors();
  BIO_free(pMem);
 return pResult;
}
CString CMyCertificate::X509ToPEM(X509 * pX509)
{
  BIO * pMem = BIO_new(BIO_s_mem());
 if(!PEM_write_bio_X509(pMem, pX509))
  {
    BIO_free(pMem);
    return "";   // failure
  }
  CString S = "";
  CString strTemp;
  BIO_seek(pMem, 0);
 
  char pData[4096];
  int nLengthRead;
  while((nLengthRead = BIO_read(pMem,pData,4096)) !=
-1)
  {
    strTemp = pData;
    strTemp = strTemp.Mid(0, nLengthRead);
    S += strTemp;
  }
 
  return S;
}


--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Sun, Oct 23, 2005, M G wrote:
>
> > Hi Dr. Henson,
> >  
> > Thanks in advance for taking a look:  Here is my
> code that creates the certificate (I removed the
> checks on return values - they were fine)
> >  
> > m_pX509 = X509_new();
> >  
> > X509_set_version(m_pX509, 2);
> > X509_gmtime_adj(X509_get_notBefore(m_pX509),0);
> > X509_gmtime_adj(X509_get_notAfter(m_pX509),
> (long)60*60*24*nDaysValid);
> > X509_set_pubkey(m_pX509, pEVP);
> >  
> > X509_NAME * pName =
> X509_get_subject_name(m_pX509);
> > X509_NAME_add_entry_by_txt(pName, "C",
> MBSTRING_ASC,szC,-1,-1,0);
> > X509_NAME_add_entry_by_txt(pName, "C",
> MBSTRING_ASC,szO,-1,-1,0);
> >
>
X509_NAME_add_entry_by_txt(pName,"CN",MBSTRING_ASC,szCN,-1,-1,0);

> >  
> > // self signed:
> > X509_set_issuer_name(m_pX509, pName);
> >  
> > X509_sign(m_pX509, pEVP, EVP_sha1());
> >  
> > That is all I do... Am I missing something
> important?
> >  
> > Thank you very much!
> >
>
> After adding a couple of lines of code to print out
> the digest of the
> certificate and dump it as DER I still get exactly
> the same results.
>
> What code are you using to produce the digest?
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
______________________________________________________________________
> OpenSSL Project                                
> http://www.openssl.org
> User Support Mailing List                  
> [hidden email]
> Automated List Manager                          
> [hidden email]
>



       

       
               
__________________________________________________________
Find your next car at http://autos.yahoo.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

Dr. Stephen Henson
On Tue, Oct 25, 2005, M G wrote:

> Hi Dr. Henson,
>
> You were wondering what code I used to produce the
> digest:  I used my X509 certificate to get the
> fingerprint with GetSHAFingerprint() - then I wrote
> the X509 to PEM, then I read it back and called
> GetSHAFingerprint() again and received a different
> fingerprint.  Is this supposed to happen?  This is the
> code that I used:
>

As I said before this isn't supposed to happen. I can't reproduce this in pure
C code so I assume there's a problem somewhere with your code.

BIO_seek() doesn't work on memory BIOs but that's not a problem. Also you
should check that BIO_read() returns >0 not just !=-1.

If that doesn't help I'd suggest you compare the PEM data in your string and
that produced by writing it to a file with the pem routines directly.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: X509 digest different after write and read to-from PEM

M G-3
Dr. Henson,

Looks like the check on the >0 and not just != -1 did
the trick!  Thank you for helping me!

Cheers!

--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Tue, Oct 25, 2005, M G wrote:
>
> > Hi Dr. Henson,
> >
> > You were wondering what code I used to produce the
> > digest:  I used my X509 certificate to get the
> > fingerprint with GetSHAFingerprint() - then I
> wrote
> > the X509 to PEM, then I read it back and called
> > GetSHAFingerprint() again and received a different
> > fingerprint.  Is this supposed to happen?  This is
> the
> > code that I used:
> >
>
> As I said before this isn't supposed to happen. I
> can't reproduce this in pure
> C code so I assume there's a problem somewhere with
> your code.
>
> BIO_seek() doesn't work on memory BIOs but that's
> not a problem. Also you
> should check that BIO_read() returns >0 not just
> !=-1.
>
> If that doesn't help I'd suggest you compare the PEM
> data in your string and
> that produced by writing it to a file with the pem
> routines directly.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
______________________________________________________________________
> OpenSSL Project                                
> http://www.openssl.org
> User Support Mailing List                  
> [hidden email]
> Automated List Manager                          
> [hidden email]
>



       

       
               
__________________________________________________________
Find your next car at http://autos.yahoo.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]