Re: [openssl-users] exporting the certificate with the .pfx
> On Jun 15, 2018, at 7:25 PM, Harold Huggins wrote:
>
> We are having issues exporting the certificate with the .pfx

Works here.

$ openssl req -new -x509 -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem -days 30 -subj "/CN=$(uname -n)"
Generating a 1024 bit RSA private key
++
.++
writing new private key to 'key.pem'
-----
$ openssl pkcs12 -export -out chain.p12 -inkey key.pem -in cert.pem \
    -passout pass:foobar -certpbe aes-128-cbc -keypbe aes-128-cbc
$ openssl pkcs12 -info -in chain.p12 -passin pass:foobar -passout pass:foobar
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
Certificate bag
Bag Attributes
    localKeyID: F7 AC 6C BE 62 B1 CC 80 C7 AC DC B4 9F 85 C6 19 C6 F7 4B 0F
subject=/CN=amnesiac.example
issuer=/CN=amnesiac.example
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
Bag Attributes
    localKeyID: F7 AC 6C BE 62 B1 CC 80 C7 AC DC B4 9F 85 C6 19 C6 F7 4B 0F
Key Attributes:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] exporting the certificate with the .pfx
Hi, Everyone,

We are having issues exporting the certificate with the .pfx. Error printout log file as follows:

OpenSSL> pkcs12 -export -out "cfored.pfx" -inkey "cfored_encrypted_private.key" -in "mergeredcertificate.crt"
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-idea         encrypt private keys with idea
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file;file;...
              load the file (or the files in the directory) into the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key
error in pkcs12
OpenSSL>

-- 
HAROLD HUGGINS
Re: [openssl-users] Access clienthello in openssl1.1.0
On Wed, Jun 13, 2018 at 11:32:11AM -0500, Zeyuan Yu wrote:
> Hi All,
>
> Is there still a way to access client hello in 1.1.0?
>
> Before 1.1.0 I can just access the internal `s->init_msg`. And starting
> 1.1.1, APIs are provided for the client hello. But there doesn't seem to be
> similar methods in 1.1.0.

I don't believe so, and it's unclear that this qualifies as a "missing accessor" that would be eligible to get fixed in 1.1.0 as a bugfix. So I think your main option is to move to 1.1.1, at this point.

-Ben
Re: [openssl-users] I need help to implement triple des algorithm with openssl
Thank you Matt! Yes, it is odd; the component in C# is from a third party and we don't know C#, so we thought that for the moment we could replace it using the openssl command line. Could you show me how to pass a key to openssl?

Thank you!

On Fri, Jun 15, 2018 at 10:53, Matt Caswell (m...@openssl.org) wrote:
>
>
> On 15/06/18 14:34, Fernando A wrote:
> > Hi all,
> >
> > I am not an expert with openssl and I need to replace a component in C#
> > that runs the Triple DES algorithm.
> > I tried in the command line something like this
> > "openssl enc -des-ede3 -k 1234567890123456ABCDEFGH -in test.txt -out
> > test.enc"
> >
> > but the result that I obtain is different from the result produced by the C#
> > component.
> > Of course the passphrase is the same, and the file test.enc always contains a
> > phrase
> > that starts with "Salted__..." regardless of the content of file
> > test.txt.
> > Any idea?
> > Thanks in advance!
>
> Is your C# component using a passphrase or a key? If a passphrase, how
> does it generate the key from that passphrase?
>
> By default the OpenSSL enc command uses its own key derivation function
> (KDF) to generate a key from a passphrase. That KDF uses a random salt
> value which it prepends to the beginning of the file. If the KDF in C#
> is different (which it almost certainly is), and it doesn't use the same
> file format as OpenSSL uses (which it almost certainly doesn't) then
> you're going to get different results.
>
> You can alternatively pass a key rather than a passphrase to the OpenSSL
> command line.
>
> It seems odd that you are using the command line to replace a C#
> component, rather than using the OpenSSL APIs.
>
> Matt
Re: [openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?
> Should I file an issue on GitHub about the missing setters?

That would be great, thanks. Glad you got something to work.
Re: [openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?
On 15.06.18 at 16:36, Salz, Rich via openssl-users wrote:
> > It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
> > functions available that return various function pointers from a
> > X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
> > are no corresponding counterparts to set the function pointers.
>
> This could be viewed as a bug; we had no idea people wanted to *set*
> various fields. We consider missing accessors/setters in opaque datatypes
> a bug.

I found the following awkward workaround: I set up a temporary X509_STORE_CTX object only for the purpose of getting the original X509_STORE_CTX_cert_crl_fn function pointer, which I save somewhere. Then I call X509_STORE_set_cert_crl to assign my own cert_crl function, which later X509_STORE_CTXs created for the X509_STORE will inherit.

This is the code (minus error checking):

    #include <openssl/x509_vfy.h>

    X509_STORE *my_store = X509_STORE_new();
    /* Temporary context, initialised without a store, only to read the default cert_crl. */
    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
    X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
    X509_STORE_CTX_cert_crl_fn original_cert_crl = X509_STORE_CTX_get_cert_crl(ctx);
    /* Install the replacement on the store; contexts created for it inherit it. */
    X509_STORE_set_cert_crl(my_store, my_own_cert_crl);
    X509_STORE_CTX_free(ctx);

Should I file an issue on GitHub about the missing setters?

Thanks
Stephan
Re: [openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?
> It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
> functions available that return various function pointers from a
> X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
> are no corresponding counterparts to set the function pointers.

This could be viewed as a bug; we had no idea people wanted to *set* various fields. We consider missing accessors/setters in opaque datatypes a bug.
Re: [openssl-users] I need help to implement triple des algorithm with openssl
On 15/06/18 14:34, Fernando A wrote:
> Hi all,
>
> I am not an expert with openssl and I need to replace a component in C#
> that runs the Triple DES algorithm.
> I tried in the command line something like this
> "openssl enc -des-ede3 -k 1234567890123456ABCDEFGH -in test.txt -out
> test.enc"
>
> but the result that I obtain is different from the result produced by the C#
> component.
> Of course the passphrase is the same, and the file test.enc always contains a
> phrase
> that starts with "Salted__..." regardless of the content of file test.txt.
> Any idea?
> Thanks in advance!

Is your C# component using a passphrase or a key? If a passphrase, how does it generate the key from that passphrase?

By default the OpenSSL enc command uses its own key derivation function (KDF) to generate a key from a passphrase. That KDF uses a random salt value which it prepends to the beginning of the file. If the KDF in C# is different (which it almost certainly is), and it doesn't use the same file format as OpenSSL uses (which it almost certainly doesn't) then you're going to get different results.

You can alternatively pass a key rather than a passphrase to the OpenSSL command line.

It seems odd that you are using the command line to replace a C# component, rather than using the OpenSSL APIs.

Matt
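As an added illustration of Matt's point (example code written here, not from the thread or from OpenSSL itself): the "Salted__" prefix is an 8-byte magic followed by the 8-byte random salt, and the key (plus IV, for CBC ciphers) comes from OpenSSL's EVP_BytesToKey, which chains digests of passphrase and salt. Assumed: the passphrase from Fernando's command, a constructed file body in place of real ciphertext, and the digest default (SHA-256 since OpenSSL 1.1.0, MD5 before).

```python
"""Re-derive the key and IV that `openssl enc -k <passphrase>` used for a file."""
import hashlib
import os

MAGIC = b"Salted__"   # header written by `openssl enc` when a salt is used (the default)
SALT_LEN = 8

# Key and IV sizes for the cipher names relevant to the thread. Note that in
# the EVP naming "des-ede3" is the ECB variant (no IV); "des-ede3-cbc" needs an IV.
CIPHER_SIZES = {"des-ede3": (24, 0), "des-ede3-cbc": (24, 8)}


def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest="sha256", count=1):
    """OpenSSL's EVP_BytesToKey: D_1 = H(pass||salt), D_i = H(D_{i-1}||pass||salt),
    key||iv = D_1||D_2||... truncated. `enc` uses count=1 (a single digest per round)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def split_salted_file(blob):
    """Split `openssl enc` output into (salt, ciphertext); reject other formats."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN:
        raise ValueError("not a Salted__ file produced by openssl enc")
    return blob[len(MAGIC):len(MAGIC) + SALT_LEN], blob[len(MAGIC) + SALT_LEN:]


def derive_for_enc(passphrase, blob, cipher, digest="sha256"):
    """Return (key, iv, ciphertext) for a file written by `openssl enc -<cipher> -k`."""
    key_len, iv_len = CIPHER_SIZES[cipher]
    salt, ciphertext = split_salted_file(blob)
    key, iv = evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest)
    return key, iv, ciphertext


if __name__ == "__main__":
    # Constructed sample: random salt as `enc` would prepend, dummy body instead of ciphertext.
    sample = MAGIC + os.urandom(SALT_LEN) + b"\x00" * 16
    key, iv, _ = derive_for_enc(b"1234567890123456ABCDEFGH", sample, "des-ede3")
    print("key:", key.hex(), "iv:", iv.hex() or "(none, ECB)")
```

Because the salt is fresh on every run, two encryptions of the same test.txt with the same passphrase yield different keys and different files; a C# component that takes the passphrase bytes directly as the 3DES key cannot match this unless it implements the same KDF and header.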
[openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?
Hi,

while porting from OpenSSL 1.0.2 to OpenSSL 1.1.0 I ran into the following problem:

With OpenSSL 1.0.2 I plugged into the certificate verification mechanism in order to capture the X509_CRL that was used to validate a certificate. The original function pointer stored in the cert_crl member of a X509_STORE_CTX structure was saved, and another function was assigned to the cert_crl member that called the saved original cert_crl function and then performed additional operations with the X509_CRL structure.

It looks like in OpenSSL 1.1.0 I can no longer do that. There are only functions available that return various function pointers from a X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there are no corresponding counterparts to set the function pointers.

Is this intentional, or is this an omission in OpenSSL 1.1.0? If this is intentional, how could I reproduce the functionality without having to duplicate the code in the static cert_crl() function in x509_vfy.c?

Thanks
Stephan
[openssl-users] I need help to implement triple des algorithm with openssl
Hi all,

I am not an expert with openssl and I need to replace a component in C# that runs the Triple DES algorithm. I tried in the command line something like this:

"openssl enc -des-ede3 -k 1234567890123456ABCDEFGH -in test.txt -out test.enc"

but the result that I obtain is different from the result produced by the C# component. Of course the passphrase is the same, and the file test.enc always contains a phrase that starts with "Salted__..." regardless of the content of file test.txt.

Any idea? Thanks in advance!