Post subject: Documentation
Posted: Dec 08, 2006 - 11:55 AM
Joined: Dec 08, 2006
Posts: 1
Hi,
I have installed the plugin with Eclipse 3.2 (Windows) and I have some questions:
- Is there an example project or a tutorial to compare the plugin with OpenSSL?
- What do the different icons in the tree editor mean?
- I asked the plugin to decode the CRL from cacert.org. Eclipse managed to decode the list and displayed it, but it was unresponsive for a few minutes. A progress bar would help.
Post subject: Re: Documentation
Posted: Dec 11, 2006 - 09:45 AM
Joined: Nov 28, 2006
Posts: 4
Location: Paris
The project Demo-X509 contains a few examples.
The 'Certificate' directory contains the certificate of the HTTPS
server at www.xcarecrows.com both in:
- ASN.1 format (www_xcarecrows_com.cer) ;
- XML format (www_xcarecrows_com.xer).
The XML file contains the same information as the ASN.1 file. With
OpenSSL, one would gather similar information with the command:
Code:
$ openssl x509 -text -noout -in www_xcarecrows_com.cer -inform PEM
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:c7:db:f0:4c:58:cc:d2:2c:b6:e6:d1:bb:b9:d3:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        Validity
            Not Before: Nov 16 00:00:00 2006 GMT
            Not After : Nov 16 23:59:59 2007 GMT
        Subject: C=FR, ST=PARIS, L=PARIS, O=COGENIT,CN=www.xcarecrows.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f1:d8:8d:a1:b2:ac:36:d8:d3:dc:95:a0:f1:7e:
                    c8:b9:d7:15:fd:85:fa:3f:51:cd:27:ea:91:9b:ae:
                    90:09:5e:c3:bd:17:bc:3d:89:43:2f:b4:e8:e6:e4:
                    [...]
Figuring out how to parse the output of the OpenSSL command is left as an
exercise for the reader :o)
Viewed with a simple text editor, the XML file 'www_xcarecrows_com.xer'
looks like:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Certificate>
  <toBeSigned>
    <version>2</version>
    <serialNumber>
      121997475577366191729936968002595050486
    </serialNumber>
    <signature>
      <algorithm>1.2.840.113549.1.1.5<!-- sha1WithRSAEncryption --></algorithm>
      <parameters></parameters>
    </signature>
    <issuer>
      <rdnSequence>
        <RelativeDistinguishedName>
          <AttributeTypeAndValue>
            <type>2.5.4.6<!-- id-at-countryName --></type>
            <value>ZA</value>
          </AttributeTypeAndValue>
        </RelativeDistinguishedName>
        <RelativeDistinguishedName>
          <AttributeTypeAndValue>
            <type>2.5.4.8<!-- id-at-stateOrProvinceName --></type>
            <value>
              <printableString>Western Cape</printableString>
            </value>
          </AttributeTypeAndValue>
        </RelativeDistinguishedName>
        <RelativeDistinguishedName>
          <AttributeTypeAndValue>
            <type>2.5.4.7<!-- id-at-localityName --></type>
            <value>
              <printableString>Cape Town</printableString>
            </value>
          </AttributeTypeAndValue>
        </RelativeDistinguishedName>
        [...]
One can regenerate the XML/XER file through a right click on the icon
of the XER file and an activation of the 'Xcarecrows 4 X509 | Decode'
menu. The wizard is described in greater detail in the user guide,
which is available in the 'Xcarecrows 4 X509' section of the 'Help'
menu of Eclipse.
The ASN.1 decoder adds XML comments to describe the numeric Object
Identifiers (OID). The comments are purely informative. They can be
removed by an external SAX parser.
Note: the XML file is not simply well-formed. The decoder checks the
conformance of the XML file against the schema which describes the
concept of an X.509v3 certificate.
As navigating the XML file with a pure text editor is quite
tedious, one can use the visual tree editor. It is suggested to change
the properties of the XER file beforehand: the 'Default expansion'
checkbox under the 'Xcarecrows 4 X509' sub-menu in the properties
window of the file controls whether the tree is displayed in whole or in part.
Enable it for the certificate of the www.xcarecrows.com site.
The icons in the tree editor are chosen according to the type of the
node in the tree. The upper line gives the description of the selected
node as illustrated in the picture.
Amongst the common elements are Sequence (green cube), Choice
(yellow cube) and SimpleType (blue cube).
The 'Request' directory contains a certificate request in:
- ASN.1 format (test_request.per) ;
- XML format (test_request.xer).
You can regenerate the XML from the ASN.1 data as before and compare its
content with the output of the OpenSSL command below:
Code:
$ openssl req -in req.pem -text -inform PEM -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, L=PARIS, O=COGENIT,CN=Test/emailAddress=busytester@cogenit.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:be:6d:25:e7:f5:80:b8:60:fa:d6:40:ec:d4:70:
                    83:2e:8a:31:43:08:4f:59:e3:5a:65:94:9b:24:b6:
                    7e:f2:5c:14:84:47:d0:d0:83:3f:eb:58:fb:9e:96:
                    69:fb:65:0f:1f:c8:ee:98:e0:aa:21:1c:76:3c:93:
                    4e:f5:fd:5a:a7:20:91:63:80:05:da:b2:20:de:30:
                    f4:bd:6d:cc:eb:69:4b:c5:5e:fb:81:11:d4:db:95:
                    [...]
The content of the 'CRL' directory illustrates the decoding of a
certificate revocation list (datagrid.xer) which you can compare
with its OpenSSL counterpart:
Code:
$ openssl crl -in datagrid.crl -text -inform PEM -noout
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=FR/O=CNRS/CN=Datagrid-fr
        Last Update: Feb 26 23:15:21 2006 GMT
        Next Update: Mar 28 23:15:21 2006 GMT
Revoked Certificates:
    Serial Number: 0653
        Revocation Date: Oct 11 07:56:43 2004 GMT
    Serial Number: 0696
        Revocation Date: Jan 19 11:41:25 2006 GMT
    Serial Number: 0697
        Revocation Date: Jan 19 11:41:38 2006 GMT
    Serial Number: 06CC
        Revocation Date: Nov 19 13:44:41 2004 GMT
    [...]
One would decode a PKCS#8 private key the same way with Xcarecrows 4 X509.
Most of the time one does not even care about the extension or the type of
the document: the plugin does its best to figure it out (and it is not
too bad at it :o) ).
Regarding the generation of X.509 documents encoded as ASN.1 that
OpenSSL offers, for instance for the signing of a certificate,
Xcarecrows 4 X509 currently limits itself to the encoding of valid
XER files to ASN.1. Xcarecrows 4 X509 can generate a private PKCS#8
key, but unlocking it or using it to sign a certificate is scheduled
for the next version of Xcarecrows 4 X509 (early 2007).
The developers have been notified of the issue related to the freeze
of the user interface during the decoding of the CRL from cacert.org.
The CRL contains more than 38000 entries, but the user interface should
perform better.
--
Ueimor
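The reply leaves parsing the OpenSSL text output as an exercise. Below is an added example that takes it up; it is not code from the Xcarecrows 4 X509 plugin or from the poster, and the function names (`parse_x509_text`, `parse_crl_text`, `revocation_status`, ...) are my own. It reads the identifying fields out of `openssl x509 -text` and `openssl crl -text` output, converts the hex serial into the integer that the XER file prints in decimal, splits OpenSSL's one-line issuer/subject DNs (both the comma form and the slash form seen in the CRL output), and then answers the two questions a relying party actually cares about: is the certificate inside its validity window, and does the CRL mark its serial as revoked, with the CRL's own freshness (`Next Update`) checked first, since a stale CRL cannot vouch for anything. The sample text is reconstructed from the excerpts quoted above, with OpenSSL's indentation restored.

```python
import re
from datetime import datetime, timezone

# Constructed excerpts of the `openssl x509 -text -noout` and `openssl crl -text -noout`
# output quoted in the reply above, with OpenSSL's indentation restored and cut short
# after the fields this parser uses.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:c7:db:f0:4c:58:cc:d2:2c:b6:e6:d1:bb:b9:d3:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        Validity
            Not Before: Nov 16 00:00:00 2006 GMT
            Not After : Nov 16 23:59:59 2007 GMT
        Subject: C=FR, ST=PARIS, L=PARIS, O=COGENIT,CN=www.xcarecrows.com
"""
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: /C=FR/O=CNRS/CN=Datagrid-fr
        Last Update: Feb 26 23:15:21 2006 GMT
        Next Update: Mar 28 23:15:21 2006 GMT
Revoked Certificates:
    Serial Number: 0653
        Revocation Date: Oct 11 07:56:43 2004 GMT
    Serial Number: 0696
        Revocation Date: Jan 19 11:41:25 2006 GMT
    Serial Number: 06CC
        Revocation Date: Nov 19 13:44:41 2004 GMT
"""
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # OpenSSL prints all times in GMT


def parse_time(text):
    """'Nov 16 23:59:59 2007 GMT' -> timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_dn(text):
    """Split OpenSSL's one-line DN ('C=ZA, ST=x, CN=y/emailAddress=z' or
    '/C=FR/O=CNRS/CN=x') into ordered (type, value) pairs. Values that
    themselves contain ',' or '/' followed by 'name=' are not handled."""
    parts = re.split(r"\s*[,/]\s*(?=[A-Za-z]+=)", text.strip())
    return [tuple(p.split("=", 1)) for p in parts if p]


def dn_get(dn, attr):
    """First value of attribute `attr` (e.g. 'CN') in a parsed DN, or None."""
    return next((v for t, v in dn if t == attr), None)


def field(line):
    """Text after the first ':' of a 'Name: value' line."""
    return line.split(":", 1)[1].strip()


def parse_x509_text(text):
    """Identifying fields of `openssl x509 -text` output as a dict."""
    lines = [ln.strip() for ln in text.splitlines()]
    cert = {}
    for i, line in enumerate(lines):
        if line.startswith("Version:"):
            cert["version"] = int(line.split()[1])
        elif line == "Serial Number:":
            # Hex octets follow on the next line; the XER file shows this integer in decimal.
            cert["serial"] = int(lines[i + 1].replace(":", ""), 16)
        elif line.startswith("Signature Algorithm:") and "sig_alg" not in cert:
            cert["sig_alg"] = field(line)   # first occurrence is the tbsCertificate one
        elif line.startswith("Issuer:"):
            cert["issuer"] = parse_dn(field(line))
        elif line.startswith("Subject:"):
            cert["subject"] = parse_dn(field(line))
        elif line.startswith("Not Before:"):
            cert["not_before"] = parse_time(field(line))
        elif line.startswith("Not After"):
            cert["not_after"] = parse_time(field(line))
    return cert


def parse_crl_text(text):
    """Issuer, update times and {serial: revocation date} of `openssl crl -text` output."""
    lines = [ln.strip() for ln in text.splitlines()]
    crl = {"revoked": {}}
    for i, line in enumerate(lines):
        if line.startswith("Issuer:"):
            crl["issuer"] = parse_dn(field(line))
        elif line.startswith("Last Update:"):
            crl["last_update"] = parse_time(field(line))
        elif line.startswith("Next Update:"):
            crl["next_update"] = parse_time(field(line))
        elif line.startswith("Serial Number:"):
            crl["revoked"][int(field(line), 16)] = parse_time(field(lines[i + 1]))
    return crl


def is_valid_at(cert, when):
    """True when `when` lies inside the certificate's notBefore..notAfter window."""
    return cert["not_before"] <= when <= cert["not_after"]


def revocation_status(crl, serial, when):
    """'revoked', 'good', or 'stale' when the CRL itself is not current at `when`
    (a CRL past its nextUpdate says nothing about revocations issued since)."""
    if not crl["last_update"] <= when <= crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"
```

To use it on real output, feed the text of `openssl x509 -text -noout -in cert.pem` to `parse_x509_text` and that of `openssl crl -text -noout -in list.crl` to `parse_crl_text`; the revocation check is only meaningful when the CRL issuer matches the certificate issuer, which the caller should compare with `dn_get` before trusting the answer.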