Thread: QCA 2.0

QCA 2.0
user name
2007-10-26 11:22:02
Hi, I'm currently trying to use QCA for handling an SSL connection. I need to
check the validity of the peer cert against a CA certificate that I have on
the file system of the client.

In order to load the cert and get a QCA::Certificate object, I'm using the
static function 'QCA::Certificate::fromPEMFile(fileName);'

This works correctly and loads the certificate properly when called on the
certificate signed by my CA; however, every time I try to load the CA using
it, the call won't succeed. I'm getting a null certificate.

From the docs, it looks like QCA::Certificate can handle a CA certificate,
hence the function 'isCA()'.

The version of QCA used is the official 2.0.0 release and I'm using the
qca-ossl 0.1 plugin available from the affinix website (release 20070904).
This is linking against Qt 4.3.2 and OpenSSL 0.9.8d. The OS used is Windows
2003 Server.

Any help would be appreciated.
Thank you,

_______________________________________________
Delta mailing list
Delta@lists.affinix.com
http://lists.affinix.com/listinfo.cgi/delta-affinix.com

Re: QCA 2.0
user name
2007-10-26 11:39:50
Hi Pascal,

On Friday 26 October 2007 9:22 am, Pascal Patry wrote:
> In order to load the cert and get a QCA::Certificate object, I'm using the
> static function 'QCA::Certificate::fromPEMFile(fileName);'
>
> This works correctly and loads the certificate properly when called on the
> certificate signed by my CA; however, every time I try to load the CA using
> it, the call won't succeed. I'm getting a null certificate.
>
> From the docs, it looks like QCA::Certificate can handle a CA certificate,
> hence the function 'isCA()'.

Dumb question: are you sure the CA certificate is in PEM format?  You may need
to use fromDER instead.  If you're sure that part is right, you can send the
CA certificate file to me and I can examine it.

-Justin

Re: QCA 2.0
user name
2007-10-26 11:54:54
On Friday 26 October 2007 12:39, Justin Karneges wrote:
> Hi Pascal,
>
> On Friday 26 October 2007 9:22 am, Pascal Patry wrote:
> > In order to load the cert and get a QCA::Certificate object, I'm using
> > the static function 'QCA::Certificate::fromPEMFile(fileName);'
> >
> > This works correctly and loads the certificate properly when called on
> > the certificate signed by my CA; however, every time I try to load the CA
> > using it, the call won't succeed. I'm getting a null certificate.
> >
> > From the docs, it looks like QCA::Certificate can handle a CA certificate,
> > hence the function 'isCA()'.
>
> Dumb question: are you sure the CA certificate is in PEM format?  You may
> need to use fromDER instead.  If you're sure that part is right, you can
> send the CA certificate file to me and I can examine it.

Yes, the CA certificate is in the PEM format. It has been generated using
OpenSSL 0.9.8d.

This is how I generated it:
openssl genrsa -out ca_key.pem 1024 -days 3650
openssl req -new -key ca_key.pem -out ca_req.pem
openssl x509 -req -trustout -in ca_req.pem -signkey ca_key.pem -out ca_cert.pem -days 3650

ca_cert.pem has been attached to this mail.


Re: QCA 2.0
user name
2007-10-26 14:24:54
On Friday 26 October 2007 13:36, Justin Karneges wrote:
> On Friday 26 October 2007 9:54 am, Pascal Patry wrote:
> > On Friday 26 October 2007 12:39, Justin Karneges wrote:
> > > Dumb question: are you sure the CA certificate is in PEM format?  You
> > > may need to use fromDER instead.  If you're sure that part is right,
> > > you can send the CA certificate file to me and I can examine it.
> >
> > Yes, the CA certificate is in the PEM format. It has been generated using
> > OpenSSL 0.9.8d.
> >
> > This is how I generated it:
> > openssl genrsa -out ca_key.pem 1024 -days 3650
> > openssl req -new -key ca_key.pem -out ca_req.pem
> > openssl x509 -req -trustout -in ca_req.pem -signkey ca_key.pem -out
> > ca_cert.pem -days 3650
> >
> > ca_cert.pem has been attached to this mail.
>
> Interesting, this cert has a header/footer that says "TRUSTED CERTIFICATE".
> It appears that OpenSSL will refuse to read a "TRUSTED CERTIFICATE" using
> their standard X509 functions.  Instead, you must use the X509_AUX
> functions. If you remove the word "TRUSTED" from the header/footer of the
> PEM file, then qca-ossl will be able to load it.  This header difference
> may have been caused by your usage of the -trustout argument when
> generating.
>
> I've seen this TRUSTED thing before, but I thought it was just a PEM
> garnish only, to assist a human reader.  OpenSSL has a d2i_X509_AUX
> function though, which seems to hint that there may be a variation in the
> ASN.1 data as well. I'll have to investigate.
>
> Anyway, just remove "TRUSTED" and all should be fine.

Thank you, this is now working perfectly. I'll get rid of -trustout in my
procedure.

There seems to be a problem with the way QCA::Certificate::notValidBefore()
and QCA::Certificate::notValidAfter() work, because these dates are generated
inside the cert as UTC dates; however, when calling these functions, the
timespec is local.

As a simple workaround, I'm currently using 'setTimeSpec(Qt::UTC)' on the
QDateTime returned by these functions, but you might want to fix this
directly in QCA.

Thank you again,
Pascal


