RE: No OPENSSL_Applink

[Dave Thompson]

 From: owner-openssl-us...@openssl.org On Behalf Of open...@comaxis.com
 Sent: Saturday, June 07, 2014 09:35

 I am attempting to use the d2i_PKCS12_fp() API call in a Windows DLL
 compiled with the multi-threaded (/MT) runtime library.  On this call I
 get the runtime error OPENSSL_Uplink(03CE1000,08): no
 OPENSSL_Applink.
 From discussions I have seen about this error, I thought I could fix it by
 adding applink.c to my project, and calling CRYPTO_malloc_init().
 However this has no effect.  Is use of /MT causing this?  It will be
 difficult to change that, due to other components of the project.  I have

applink.c (and OpenSSL_Applink) only works in an EXE, not a DLL.

 used the HMAC and SHA256 APIs in this project with no problem.  If it is
 just file I/O causing the problem, is there a way that I can
 read in the .p12 file myself, and just pass a buffer to OpenSSL in order
 to initialize the PKCS12 structure?
 
Yes, uplink is for file access (and malloc_init is for memory allocation).

You can:

- read the file contents into memory and call d2i_PKCS12 to parse from memory
(pass a temporary *copy* pointer because it gets changed, which isn't possible 
for an array and is wrong for a malloc/etc pointer that you need to free later)

- call BIO_new_file to open the file *in OpenSSL NOT your code* and use 
d2i_PKCS12_bio.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Query reg multiple CA-Cert in list with same subject

[Mukesh Yadav]

Hi,

I have a query for Ca-Cert list.
If at gateway we have configured two CA-certs A1 and A2 both having same
subject and content except time-stamp of generation.

If peer sends Cert matching to A2, gateway tries to validate it with
A1(subject being same and configured first in list) and validation fails.

1. is there a way to avoid addition of cert in store if subject and all
contents are same except timestamp generation.
2. Or if not 1st, is there way to validate incoming cert with both cert
configured in store.


Thanks

Re: Query reg multiple CA-Cert in list with same subject

[Erwann Abalea]

Bonjour,

No need to include openssl-dev here.
If A1 and A2 have the same subject, then they are 2 certificates for the 
same CA. Therefore, your gateway is right in testing A1 first.
However, if your software is correctly configured, it should also test 
A2. That's what OpenSSL does when given a set of CA certificates.


If your gateway software is a commercial software, please report this 
misbehaviour to the vendor.


--
Erwann ABALEA

Le 10/06/2014 09:08, Mukesh Yadav a écrit :

Hi,

I have a query for Ca-Cert list.
If at gateway we have configured two CA-certs A1 and A2 both having 
same subject and content except time-stamp of generation.


If peer sends Cert matching to A2, gateway tries to validate it with 
A1(subject being same and configured first in list) and validation fails.


1. is there a way to avoid addition of cert in store if subject and 
all contents are same except timestamp generation.
2. Or if not 1st, is there way to validate incoming cert with both 
cert configured in store.



Thanks

Re: SSL Renogotation failure

[Mithun Kumar]

Thanks Raheeda,

So you say this is a bug in PostgeSQL and from version 9.3 and above works
fine? Do you any links which speaks on this?




On Wed, Jun 4, 2014 at 3:34 PM, Rahila Syed rahilasye...@gmail.com wrote:

 Hello,

 SSL renegotiation is error prone in PostgreSQL version 9.3 and below.
 You can either upgrade your PostgreSQL server or as a work around ,if
 network security is not your major concern SSL renegotiation parameter can
 be switched off to avoid connection lost errors due to SSL renegotiation.




 On Tue, Jun 3, 2014 at 5:16 PM, Mithun Kumar mithunsi...@gmail.com
 wrote:

 Hi,

 Currently i working on a scenario where client uses openssl for
 connecting to PostgreSQL server.

 There is a flag in Server which invokes SSL renegotiation after certain
 amount of data is transferred.

 Connection terminates as part of SSL_read() with Errno = 10054 ( (An
 existing connection was forcibly  closed by the remote host.)

 Server logs shows following:-
 2014-06-03 06:31:41 EDT FATAL:  connection to client lost
 2014-06-03 07:12:05 EDT LOG:  SSL renegotiation failure
 2014-06-03 07:12:05 EDT LOG:  SSL failed to send renegotiation request
 2014-06-03 07:12:05 EDT LOG:  SSL error: unsafe legacy renegotiation
 disabled


 Any pointers? :)

OpenSSL windows build fails when no-engine no-hw options

[Michel]

Hi,
When configure'd with no-engine and no-hw options, build of OpenSSL 
1.0.1h on Windows 7 failed.
Although it might not be the best solution, the attached patch solved 
this (for static linking) by adding or moving up some related 
preprocessor directives.


But still leaves a problem when dynamic linking :
LIBEAY32.def : error LNK2001: unresolved external symbol 
TS_CONF_set_crypto_device
LIBEAY32.def : error LNK2001: unresolved external symbol 
TS_CONF_set_default_engine


I tried to modify the libeay.num file for these two symbols (I added 
'ENGINE' at the end of the lines 3873 and 4098), but this didn't solved 
this issue, proving that I still do not understand the whole build 
process :-(


Does anyone know about this matter ?

--- ccgost/gost2001.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost2001.c	Sun Jun 08 00:09:58 2014
@@ -6,6 +6,9 @@
  *  Implementation of GOST R 34.10-2001    *
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include gost_lcl.h
 #include gost_params.h
 #include string.h
@@ -341,3 +344,4 @@
 	return gost2001_compute_public(ec);
 	}
 
+#endif /* !OPENSSL_NO_ENGINE */
\ No newline at end of file
--- ccgost/gost2001_keyx.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost2001_keyx.c	Sun Jun 08 00:07:01 2014
@@ -7,6 +7,9 @@
  *   based PKCS7/SMIME support*
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include openssl/evp.h
 #include openssl/rand.h
 #include string.h
@@ -18,8 +21,6 @@
 #include gost_lcl.h
 #include gost2001_keyx.h
 
-
-
 /* Implementation of CryptoPro VKO 34.10-2001 algorithm */
 static int VKO_compute_key(unsigned char *shared_key,size_t shared_key_size,const EC_POINT *pub_key,EC_KEY *priv_key,const unsigned char *ukm)
 	{
@@ -306,3 +307,5 @@
 	if (gkt) GOST_KEY_TRANSPORT_free(gkt);
 	return ret;
 	}
+
+#endif /* !OPENSSL_NO_ENGINE */
--- ccgost/gost94_keyx.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost94_keyx.c	Sun Jun 08 00:10:11 2014
@@ -8,6 +8,9 @@
  *	  *
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include string.h
 #include openssl/dh.h
 #include openssl/rand.h
@@ -289,3 +292,4 @@
 	return -1;
 	}	
 
+#endif /* !OPENSSL_NO_ENGINE */
\ No newline at end of file
--- ccgost/gost_ameth.c	Thu Jun 05 11:44:33 2014
+++ ccgost/gost_ameth.c	Sun Jun 08 00:07:55 2014
@@ -7,6 +7,9 @@
  *   for OpenSSL  *
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+ 
 #include string.h
 #include openssl/crypto.h
 #include openssl/err.h
@@ -943,3 +946,5 @@
 		}		
 	return 1;
 	}
+
+#endif /* !OPENSSL_NO_ENGINE */
\ No newline at end of file
--- ccgost/gost_asn1.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost_asn1.c	Sun Jun 08 00:08:07 2014
@@ -6,6 +6,9 @@
  *   ASN1 structure definition for GOST key transport *
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include stdio.h
 #include openssl/asn1t.h
 #include openssl/x509.h
@@ -53,3 +56,5 @@
 } ASN1_NDEF_SEQUENCE_END(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
 
 IMPLEMENT_ASN1_FUNCTIONS(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
+
+#endif /* !OPENSSL_NO_ENGINE */
\ No newline at end of file
--- ccgost/gost_crypt.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost_crypt.c	Sun Jun 08 00:08:18 2014
@@ -6,6 +6,9 @@
  *   OpenSSL interface to GOST 28147-89 cipher functions  *
  *  Requires OpenSSL 0.9.9 for compilation*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include string.h
 #include gost89.h
 #include openssl/rand.h
@@ -632,3 +635,4 @@
 	return 1;
 	}
 
+#endif /* !OPENSSL_NO_ENGINE */
\ No newline at end of file
--- ccgost/gost_ctl.c	Thu Jun 05 11:41:31 2014
+++ ccgost/gost_ctl.c	Sun Jun 08 00:08:42 2014
@@ -6,6 +6,9 @@
  *Implementation of control commands for GOST engine  *
  *OpenSSL 0.9.9 libraries required*
  **/
+
+#ifndef OPENSSL_NO_ENGINE
+
 #include stdlib.h
 #include string.h
 #include openssl/crypto.h
@@ -87,3 +90,5 @@
 
 	return 1;
 	}	
+
+#endif /* !OPENSSL_NO_ENGINE */
--- ccgost/gost_eng.c	Thu Jun 05 11:44:33 2014
+++ ccgost/gost_eng.c	Sun Jun 08 00:08:57 2014
@@ -7,6 +7,9 @@
  *   for OpenSSL  *

ECDSA - Signature verify

[Anant Rao]

Hi,

Objective in one-line:
=
Verify a signature, given an ECDSA public key in X509 format.


Details:
==
I read an X509 cert stored on disk. The following are some of its contents:

Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)

...
ASN1 OID: prime256v1
Signature Algorithm: ecdsa-with-SHA1
...


Now, I get some data that is signed by the private key corresponding to the
above public key/cert and I need to verify it.

Here're some pieces of my code:

...
EVP_PKEY *pub_key = X509_get_pubkey(cert);  //this is OK
...
EVP_VerifyFinal(c, signature, signature_len, pub_key); //this fails; Why
does it fail?

The following are the errors from the above VerifyFinal:

140310811899840:error:0D07207B:asn1 encoding
routines:ASN1_get_object:header too long:asn1_lib.c:150:
140310811899840:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad
object header:tasn_dec.c:1306:
140310811899840:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=ECDSA_SIG


So, after reading this page (
http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography), I realized
I need to extract the EC_POINT out of the above public key.
But, I'm not sure how to do it. Assuming that that's the right approach, I
want to do the following:

EC_POINT *pub;

if(1 != EC_KEY_set_public_key(key, pub)) handleErrors();

Can you help how I can retrieve the EC_POINT out of the public key? If this
is not the correct approach at all, could you point what I need to do?

Thanks a lot in advance!

[no subject]

[Zhang, Ping (Unisphere)]

link error building openssl 0.9.8za with FIPS module 1.2.4

[Zhang, Ping (Unisphere)]

In process upgrade openssl to 0.9.8za. When building with fips module 1.2.4 
lib, failed with link error. The same process and fips 1.2.4 lib works with 
0.9.8y.

Compared the code difference with 0.9.8za and 0.9.8y, noticed 
BN_consttime_swap() is used in 0.9.8za crypto/ec/ec2_mult.c.

perl Configure VC-WIN32 no-asm fips 
--with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
ms\do_ms
nmake -f ms\ntdll.mak clean
nmake -f ms\ntdll.mak

The error I got
cl /Fotmp32dll\fips_premain_dso.obj 
-DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 
/GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
-DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
-DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
-DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
-DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS 
-DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c .\fips\fips_premain.c
fips_premain.c
link /nologo /subsystem:console /opt:ref 
/out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm419.tmp
   Creating library out32dll\fips_premain_dso.lib and object 
out32dll\fips_premain_dso.exp
ec2_mult.obj : error LNK2019: unresolved external symbol _BN_consttime_swap 
referenced in function _ec_GF2m_montgomery_point_multiply
out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved externals

Any recommendation on solutions?

Thanks,
-Ping

Re: link error building openssl 0.9.8za with FIPS module 1.2.4

[Dr. Stephen Henson]

On Tue, Jun 10, 2014, Zhang, Ping (Unisphere) wrote:

 In process upgrade openssl to 0.9.8za. When building with fips module 1.2.4 
 lib, failed with link error. The same process and fips 1.2.4 lib works with 
 0.9.8y.
 
 Compared the code difference with 0.9.8za and 0.9.8y, noticed 
 BN_consttime_swap() is used in 0.9.8za crypto/ec/ec2_mult.c.
 
 perl Configure VC-WIN32 no-asm fips 
 --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
 ms\do_ms
 nmake -f ms\ntdll.mak clean
 nmake -f ms\ntdll.mak
 
 The error I got
 cl /Fotmp32dll\fips_premain_dso.obj 
 -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
 -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
 -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
 -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS 
 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c .\fips\fips_premain.c
 fips_premain.c
 link /nologo /subsystem:console /opt:ref 
 /out:out32dll\fips_premain_dso.exe 
 @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm419.tmp
Creating library out32dll\fips_premain_dso.lib and object 
 out32dll\fips_premain_dso.exp
 ec2_mult.obj : error LNK2019: unresolved external symbol _BN_consttime_swap 
 referenced in function _ec_GF2m_montgomery_point_multiply
 out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved externals
 
 Any recommendation on solutions?
 

Fixed in the latest snapshots. This problem is mentioned in the release
notes:

https://www.openssl.org/news/openssl-0.9.8-notes.html

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: link error building openssl 0.9.8za with FIPS module 1.2.4

[Zhang, Ping (Unisphere)]

Thanks! Got a build with 0610's snapshot.
However rebuilt openssl0.9.8za with no-ec (not rebuild fips libs), still see 
the same error.
-DOPENSSL_NO_EC -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ECDH

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Tuesday, June 10, 2014 10:54 AM
To: openssl-users@openssl.org
Subject: Re: link error building openssl 0.9.8za with FIPS module 1.2.4

On Tue, Jun 10, 2014, Zhang, Ping (Unisphere) wrote:

 In process upgrade openssl to 0.9.8za. When building with fips module 1.2.4 
 lib, failed with link error. The same process and fips 1.2.4 lib works with 
 0.9.8y.
 
 Compared the code difference with 0.9.8za and 0.9.8y, noticed 
 BN_consttime_swap() is used in 0.9.8za crypto/ec/ec2_mult.c.
 
 perl Configure VC-WIN32 no-asm fips 
 --with-fipslibdir=C:\openssl_build\openssl-fips-1.2.4\out32dll
 ms\do_ms
 nmake -f ms\ntdll.mak clean
 nmake -f ms\ntdll.mak
 
 The error I got
 cl /Fotmp32dll\fips_premain_dso.obj 
 -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 /W3 /WX 
 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
 -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE 
 -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED 
 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE 
 -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS 
 -DOPENSSL_NO_DYNAMIC_ENGINE -D_WINDLL  -c .\fips\fips_premain.c fips_premain.c
 link /nologo /subsystem:console /opt:ref 
 /out:out32dll\fips_premain_dso.exe 
 @C:\DOCUME~1\zhangp\LOCALS~1\Temp\1\nm419.tmp
Creating library out32dll\fips_premain_dso.lib and object 
 out32dll\fips_premain_dso.exp ec2_mult.obj : error LNK2019: unresolved 
 external symbol _BN_consttime_swap referenced in function 
 _ec_GF2m_montgomery_point_multiply
 out32dll\fips_premain_dso.exe : fatal error LNK1120: 1 unresolved 
 externals
 
 Any recommendation on solutions?
 

Fixed in the latest snapshots. This problem is mentioned in the release
notes:

https://www.openssl.org/news/openssl-0.9.8-notes.html

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: ECDSA - Signature verify

[Swair Mehta]

remember doing something along the lines of :

ecPublicKey = X509_get_pubkey(readCertificate);
EC_KEY *ecKey;
ecKey = EVP_PKEY_get1_EC_KEY(ecPublicKey);
EC_KEY_set_asn1_flag(ecKey, Put in the curve name);
ecGroup = EC_GROUP_new_by_curve_name(Put in the curve name);
EC_KEY_set_group(ecKey, ecGroup);


int status = ECDSA_verify(ecPublicKey-type, digest, SHA256_DIGEST_LENGTH,
signatureBytes, Signaturelength, ecKey);
if(status==1)
//signature is valid

I will let someone with more experience comment on whether it is right or
wrong.




On Tue, Jun 10, 2014 at 7:24 AM, Anant Rao a...@noknok.com wrote:

 Hi,

 Objective in one-line:
 =
 Verify a signature, given an ECDSA public key in X509 format.


 Details:
 ==
 I read an X509 cert stored on disk. The following are some of its contents:

 Public Key Algorithm: id-ecPublicKey
 Public-Key: (256 bit)

 ...
 ASN1 OID: prime256v1
 Signature Algorithm: ecdsa-with-SHA1
 ...


 Now, I get some data that is signed by the private key corresponding to
 the above public key/cert and I need to verify it.

 Here're some pieces of my code:

 ...
 EVP_PKEY *pub_key = X509_get_pubkey(cert);  //this is OK
 ...
 EVP_VerifyFinal(c, signature, signature_len, pub_key); //this fails; Why
 does it fail?

 The following are the errors from the above VerifyFinal:

 140310811899840:error:0D07207B:asn1 encoding
 routines:ASN1_get_object:header too long:asn1_lib.c:150:
 140310811899840:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad
 object header:tasn_dec.c:1306:
 140310811899840:error:0D07803A:asn1 encoding
 routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=ECDSA_SIG


 So, after reading this page (
 http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography), I
 realized I need to extract the EC_POINT out of the above public key.
 But, I'm not sure how to do it. Assuming that that's the right approach, I
 want to do the following:

 EC_POINT *pub;

 if(1 != EC_KEY_set_public_key(key, pub)) handleErrors();

 Can you help how I can retrieve the EC_POINT out of the public key? If
 this is not the correct approach at all, could you point what I need to do?

 Thanks a lot in advance!




-- 
Swair Mehta

Re: ECDSA - Signature verify

[Matt Caswell]

On 10 June 2014 15:24, Anant Rao a...@noknok.com wrote:
 Hi,

 Objective in one-line:
 =
 Verify a signature, given an ECDSA public key in X509 format.


 Details:
 ==
 I read an X509 cert stored on disk. The following are some of its contents:

 Public Key Algorithm: id-ecPublicKey
 Public-Key: (256 bit)

 ...
 ASN1 OID: prime256v1
 Signature Algorithm: ecdsa-with-SHA1
 ...


 Now, I get some data that is signed by the private key corresponding to the
 above public key/cert and I need to verify it.

 Here're some pieces of my code:

 ...
 EVP_PKEY *pub_key = X509_get_pubkey(cert);  //this is OK
 ...
 EVP_VerifyFinal(c, signature, signature_len, pub_key); //this fails; Why
 does it fail?

 The following are the errors from the above VerifyFinal:

 140310811899840:error:0D07207B:asn1 encoding routines:ASN1_get_object:header
 too long:asn1_lib.c:150:
 140310811899840:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad
 object header:tasn_dec.c:1306:
 140310811899840:error:0D07803A:asn1 encoding
 routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=ECDSA_SIG


Looks to me like the signature you are passing it is in the wrong
format. Where did you get it from?



 So, after reading this page
 (http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography), I realized
 I need to extract the EC_POINT out of the above public key.

No. There is no need to do this. You only need to worry about the low
level EC stuff if you are not using the EVP interface - which you are.

Matt
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Dynamically User Selection of signing algorithm.

[Yash Dosi]

Hi All,

I am creating an android app which can perform basic email security
operations like encryption, decryption, signing and verification. So far I
am able to perform all 4 operations successfully. But one thing I still
haven't figured out is how to specify Signing Algorithm at runtime.

I mean I want to have a drop downlist from which the user can select the
signing algorithm algorithm.

I know how to do this in case of encryption. But for signing we are not
specifying any algorithm in the PKCS7_Sign function call. So how do I
mention which signing algorithm I should use while signing the mail.

Thanks in advance!

Don't build apps?

[Jeffrey Walton]

I'm working with OpenSSL 1.0.1h. I'm configuring for android-x86.

setenv-android.sh worked fine, and exported the following:

export MACHINE=i686
export RELEASE=2.6.37
export SYSTEM=android
export ARCH=x86

export CROSS_COMPILE=i686-linux-android-
export 
ANDROID_DEV=$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH/usr
export HOSTCC=gcc

$ echo $ANDROID_DEV
/opt/android-ndk-r9/platforms/android-14/arch-x86/usr

The configure looks like so:

$ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine
--openssldir=/usr/local/ssl/android-14/

However, compilation is failing because the programs are being
compiled (more correctly, the missing comp.h):

$ make

i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
-I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
-B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
-DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o dhparam.o dhparam.c
i686-linux-android-gcc -DMONOLITH -I.. -I../include  -fPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -Wa,--noexecstack -mandroid
-I/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/include
-B/opt/android-ndk-r9/platforms/android-14/arch-x86/usr/lib -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
-DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o enc.o enc.c
enc.c:70:26: fatal error: openssl/comp.h: No such file or directory
compilation terminated.
make[1]: *** [enc.o] Error 1
make: *** [build_apps] Error 1

How do I stop the attempt to compile the programs? What change is made
to stop building of programs during a cross-compile of, for example,
Android (arm) and iOS (arm)?

Thanks in advance.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Dynamically User Selection of signing algorithm.

[Viktor Dukhovni]

On Wed, Jun 11, 2014 at 11:13:55AM +0530, Yash Dosi wrote:

 I am creating an android app which can perform basic email security
 operations like encryption, decryption, signing and verification. So far I
 am able to perform all 4 operations successfully. But one thing I still
 haven't figured out is how to specify Signing Algorithm at runtime.
 
 I mean I want to have a drop downlist from which the user can select the
 signing algorithm algorithm.
 
 I know how to do this in case of encryption. But for signing we are not
 specifying any algorithm in the PKCS7_Sign function call. So how do I
 mention which signing algorithm I should use while signing the mail.

With S/MIME or CMS you specify a signing key and certificate.  The
algorithm is implied by the choice of key material.

For example, RSA keys can't generate DSA signatures.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org