
OpenSSL cert help needed



Hey, all.

I'm trying to get the new (correct) certificate behavior implemented,
and I need some OpenSSL help.

Our authentication needs are pretty simple compared to the whole X509
cert model, but I'm still having some confusion fitting them in.

Here are the functions I need to write:

 F1) Given an Identity key and a Transport key (both RSA), make two
     certificates, C_ident and C_trans, such that C_ident is
     self-signed and C_trans is signed by C_ident.

     I don't care about using these certs for anything but Mixminion
     connections;  I don't care about setting names unless I need to.

     (Not _too_ hard, but do I need to do anything weird with X509
     names? Do I need to set some kind of CA flags or anything?)

 F2) Later, put C_ident and C_trans in a certificate chain and provide
     them both to clients who connect to us.

 F3) On the client side, get the certificate chain, and extract both
     certs.  Determine which is which.  Extract the Identity public
     key, hash it, and check the hash against a known value.  If we
     haven't seen C_trans before, check whether it's signed by the
     identity key.  Make sure that the connection is actually using
     the public key in C_trans.

If somebody can tell me the sequence of openssl functions I need to
call to do this, I'd be quite grateful.

Yours,
-- 
Nick
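Added example, not code from the post or from Mixminion: the three pieces F1 to F3 written against Go's standard crypto/x509 instead of OpenSSL's C API, since the steps are the same whichever library does them. C_ident carries the CA flag and certSign key usage (that is the "CA flags" question: without them a verifier will refuse to treat it as a signer), C_trans is signed by the identity key, and the client sorts out which cert is which by checking whether it verifies under its own key. Subject names and the choice of SHA-256 over the DER SubjectPublicKeyInfo as the identity key hash are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// MakeChain covers F1 and F2: C_ident is self-signed with the CA flag set so its key may
// sign certs, C_trans is signed by the identity key, both are returned as one DER blob.
func MakeChain(identKey, transKey *rsa.PrivateKey) ([]byte, error) {
	now := time.Now()
	identTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), // assumed names/lifetimes
		Subject: pkix.Name{CommonName: "identity"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	identDER, err := x509.CreateCertificate(rand.Reader, identTmpl, identTmpl, &identKey.PublicKey, identKey)
	if err != nil { return nil, err }
	identCert, err := x509.ParseCertificate(identDER)
	if err != nil { return nil, err }
	transTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "transport"}, NotBefore: now, NotAfter: now.AddDate(0, 1, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	transDER, err := x509.CreateCertificate(rand.Reader, transTmpl, identCert, &transKey.PublicKey, identKey)
	return append(identDER, transDER...), err
}

// KeyHash is hex SHA-256 over the DER SubjectPublicKeyInfo (our assumed choice of hash).
func KeyHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyChain covers F3: identify C_ident as the cert that verifies under its own key, check its
// key hash, check C_trans is signed by it, and return C_trans so the caller can compare
// trans.PublicKey with the key the connection is actually using.
func VerifyChain(chainDER []byte, expectedHash string) (*x509.Certificate, error) {
	certs, err := x509.ParseCertificates(chainDER)
	if err != nil || len(certs) != 2 { return nil, errors.New("chain must parse as exactly two certs") }
	ident, trans := certs[0], certs[1]
	if ident.CheckSignatureFrom(ident) != nil { ident, trans = trans, ident } // order on the wire is free
	if KeyHash(ident) != expectedHash { return nil, errors.New("identity key hash mismatch") }
	if err := trans.CheckSignatureFrom(ident); err != nil { return nil, err } // CA flag + signature
	return trans, nil
}
```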