Himanshu Soni wrote:
Thank you for the reply.
The response leads me to another question:
Is it planned for any forthcoming releases?
I understand that this is restricted by the device library but if one was to
use let's say, a pkcs#11 interface to the device via the engine API, then
this
Mark W. Webb wrote:
I want to change the questions that a user is prompted to answer when a
certificate is created. Do I need to change the crypto/objects/objects.txt
file, or the crypto/objects/objects.h, or which one??
None of the above :-)
Depends what you mean by 'questions'. If
George Staikos wrote:
As some of you may know, KDE uses OpenSSL for Konqueror. Lately, we have
been noticing new Class 3 certificates from Verisign which OpenSSL seems to
be choking on. I have attached the CA root files in DER form, along with
some example certificates presented by
George Staikos wrote:
On Thursday 26 July 2001 14:15, Dr S N Henson wrote:
Wrt the verify problem what errors do you get and what command line
options are you using?
openssl verify -CAfile ca-cert-bundle.pem ibm.pem
All the problem certificates say unable to load
Ryan Hurst wrote:
Has any work been done to add ECDSAwithSHA1 (1.2.840.10045.4.1) to OpenSSL?
I see that the appropriate NIDs have been added in but I am assuming this is
simply a result of their inclusion in
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ipki-pkalgs-03.txt.
I am
David Stes wrote:
On Fri, Jul 27, 2001 at 07:27:59PM +0100, Dr S N Henson wrote:
What field does the Certicom ECC root use, is it available anywhere?
There's the NIST specifications on ECC (ECDSA) and there's also a
Certicom group called SECG. They specify fields. And curves
David Stes wrote:
I'm sorry, I did have sect163k1. But I'm still several weeks of work away
from reading the public key from Certicom, however.
But this is a fun project, so I hope to get there.
It should be fairly easy to read the public key from the Certicom
root.
It uses a
Olivier Michiels wrote:
Hi,
I also develop an OCSP responder and I'm interested to find the ocsp daemon.
Is it in Openssl or OpenCA ?
The latest snapshot includes some OCSP responder code in the openssl
'ocsp' application. It is intended for test and debugging purposes and
to give an
Olivier Michiels wrote:
Thank you for your quick response.
As I previously said, I develop an OCSP responder and I would like to know
if there is another OCSP client like the psm in Mozilla.
Your original query said:
Hi,
I also develop an OCSP responder and I'm interested to find the
Mark W. Webb wrote:
I have a 1024 bit DSA key that I am using to sign a SHA-1 hash. I need to
know what the maximum size of that signature that is generated.
DSA_size(dsa_key) will give you this. However the actual signature may
be smaller.
Steve.
--
Dr Stephen N. Henson.
Ehsan Amiri wrote:
Hi All
I create an RSA key using RSA_generate_key and then
public and private parts to two different files using
this functions:
PEM_write_bio_RSAPublicKey
PEM_write_bio_RSAPrivateKey
but when I want to instantiate an RSA * by calling
the function
Ehsan Amiri wrote:
Hello All
I want to use a buffer BIO independently, but after
initializing a (BIO *) using BIO_new(BIO_f_buffer()) I
can not write to it( BIO_write() returns zero).
Could anyone help me resolve this problem?
It depends on what you want to do. If you want to write
Jung-Ho Ahn wrote:
I extracted an issuer DN from a certificate and
print out using X509_NAME_oneline.
But there seems to be a decoding problem like:
Issuer: /Email=... Inc./OU=\x00R\x00\x00D\x00\x00t\x00e\x00r/...
How can I fix the problem?
It's a BMPString which X509_NAME_oneline
Ben Laurie wrote:
The bad news is that we fail AES tests! Guess our implementation is
screwed.
Strange, it passed some tests I did ages ago. I'll look into it...
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto
Kim, Peter wrote:
Hi, long time no talk.
How are things? It seems like you've been actively using OpenSSL. You must
be a master of OpenSSL by now. How do you like it?
BTW, these postings should go to openssl-users, I think. openssl-dev is for
the development of OpenSSL.
Also,
Pablo J. Royo wrote:
I think it would be great if this BIO were included in OpenSSL so people
asking for compression could use it, but I think that PKCS7 standard says
nothing about compression. (And after some years I know OpenSSL people team
enough to think that if there is no well
Mark W. Webb wrote:
I have two programs that sign information. One written in C, and one in
Java. The signature is verified on another program written in C. The C
based apps are using openssl 0.9.6a. The Java program is using standard JDK
functions. The signature that is created by
chandu wrote:
Hi all,
I have a doubt regarding the x509_verify_cert(). When we have a TRUSTED
certificate with the authority-key-identifier extension, and when we are
trying to verify a SELF certificate using the function X509_verify_cert(),
the verification is failing.
Does this
Reddie, Steven wrote:
I'm not clear on the problem here (I'm asking on behalf of someone). They
claim that keys created with OpenSSL are not useable with BSAFE. They are
also calling them BER keys. My understanding is that DER, being a subset of
BER, is used for encoding all keys.
Ajay Nerurkar wrote:
ValiCert's ASN.1 parser has been upgraded to be compatible with
OpenSSL-0.9.6b. It can be downloaded from
http://www.valicert.com/developers/ .
What are the main changes to the OpenSSL macros for ASN.1 in
0.9.7 vis-a-vis 0.9.6b?
The ASN1 code has been almost
Ryan Hurst wrote:
Is the new ASN1 code complete? Or will it still be changing?
The code may well change to support things like stream based I/O
(instead of memory based I/O) and some new features may be added such as
a generalized ASN1 printing routines or value setting.
However the new
[EMAIL PROTECTED] wrote:
Hello, I'm experiencing some problems with the DER encoding of a BIT
STRING.
Indeed when you have to produce a BIT STRING with all the bits set to zero
if you use the ASN1_BIT_STRING_set passing to it such a string what you
obtain is that
the final encoding
Michael Sierchio wrote:
It appears that (haven't yet looked at the code) IPv6 addresses
aren't currently supported in OpenSSL certs in subjectAltName. Is
this the case? Or is the problem in the 'openssl ca' command line
parsing?
No they aren't handled currently. I haven't really
Shoichi Sakane wrote:
No they aren't handled currently. I haven't really looked into IPv6 and
how the things should be displayed and parsed.
I can supply the display and parsing grammar. As for the address encoding,
it's just 16 octets (in network byte order) encoded as an octet
Gleison Santos wrote:
Hi, all.
In a project I'm working now we don't want to use any X509 extensions,
basically due to binary size limitation. I've commented out a lot of source
code, removing any reference to X509_EXTENSION structure.
But during server certificate validation I get an error
Catherine Goldin wrote:
Hi all,
I read in DH()--SSLeay 0.9.0b -- Jan 1999 that DH certificates aren't used
in SSL-level routines. What about now? Is DH used anywhere in SSL?
DH certificates aren't currently supported: hardly anything uses them.
The DH algorithm itself is used by (among
Gleison Santos wrote:
In fact, ASN1 routines have access to X509_EXTENSION structure while
executing parsing routines. But I free that information after it.
Can you be more specific about that? Do you free the information after
the ASN1 code has parsed the structure? If so then when the
Michael Sierchio wrote:
Dr S N Henson wrote:
DH certificates aren't currently supported: hardly anything uses them.
The DH algorithm itself is used by (among other things) SSL and TLS.
Mobile IP does. I suggest again that, since a DH profile exists,
it should be supported in OpenSSL
Michael Sierchio wrote:
Dr S N Henson wrote:
Michael Sierchio wrote:
Dr S N Henson wrote:
DH certificates aren't currently supported: hardly anything uses them.
The DH algorithm itself is used by (among other things) SSL and TLS.
Mobile IP does. I suggest again
Michael Sierchio wrote:
There are considerable advantages in doing away with the subgroup
nonsense if you're not doing DSS -- it can strengthen the key agreement
against several forms of attack.
For the hand-waving approach, the only difference in syntax is
in subjectPublicKeyInfo --
Michael Sierchio wrote:
Dr S N Henson wrote:
Then we'd obviously need an alternative parameter generation algorithm.
The X9.42 version (also in RFC2631) would be usable (though better ones
exist) except no test vectors exist which aren't obviously broken. I've
never found anyone
[EMAIL PROTECTED] wrote:
Hi,
After I created an RSA key, I want to create an SSL Certificate with the following
command:
openssl.exe req -new -key pcniws1.key -out pcniws1.csr
I get the following error message:
Using configuration from /usr/local/ssl/openssl.cnf
Unable to load
Diego R. Lopez wrote:
Hi,
We have found what seems an error in the X509_check_issued() function
inside crypto/x509v3/v3_purp.c
At the end of the checks the routine makes for deciding whether a certain
certificate issued a second one, there is a comparison between
the name found inside
Diego R. Lopez wrote:
[EMAIL PROTECTED] said:
A standard property of certificates is that the issuer name and serial
number must be unique.
The Authority Key Identifier extension is used as a means of uniquely
identifying the issuing authority. One way it does this is to use the
Diego R. Lopez wrote:
Please, would you have a look on the files and cert paths I attached to
my previous message and tell me why (without the patch I propose) the
verification fails?
At least one problem is:
euroPKIBYeuroPKI.pem:
subject= /O=EuroPKI/CN=EuroPKI Root Certification
[EMAIL PROTECTED] wrote:
Hello, I was checking the implementation of Generalized Time in OpenSSL
and it seems to me that it isn't compliant with the X.680 specification.
Indeed according to the specification it's possible to
have fractional seconds. The function ASN1_GENERALIZEDTIME_check
[EMAIL PROTECTED] wrote:
Thank you for your answer.
Yes of course you're right for RFC 2459, but in the RFC 3161 that defines
the
Time Stamp Protocol:
The ASN.1 GeneralizedTime syntax can include fraction-of-second
details. Such syntax, without the restrictions from [RFC 2459]
Richard Shih-Ping Chan wrote:
openssl enc -d is failing with 20011001 snapshot.
Thanks for the report. I noticed that a couple of days ago. It's being
looked into.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto
Dr S N Henson wrote:
Richard Shih-Ping Chan wrote:
openssl enc -d is failing with 20011001 snapshot.
Thanks for the report. I noticed that a couple of days ago. It's being
looked into.
This should be fixed in the next snapshot.
Steve.
--
Dr Stephen N. Henson. http://www.drh
Richard Levitte - VMS Whacker wrote:
From: Richard Chan [EMAIL PROTECTED]
cshihpin Snapshot 20011002 has fixed the openssl enc -d problem
cshihpin reported earlier. However with the aes algorithms
cshihpin like aes-128-cbc etc it dumps core on exit (file is
cshihpin decrypted correctly).
Wang, Kate wrote:
Hi all,
In my application, I called PKCS7_encrypt() to encrypt a document. When I
call
PEM_write_bio_PKCS7(out, p7) to write the encrypted document out to a file,
the encrypted content always
has
--- BEGIN PKCS7 ---
--- END PKCS7 ---
wrapped around it. And when I
francoise lacambre wrote:
In the file pem.h, you define :
#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
#define PEM_STRING_X509_REQ "CERTIFICATE REQUEST"
In what reference document (RFC or ...) are defined these strings ?
The first is an OpenSSL
Tom Biggs wrote:
Our crypto accelerator uses Montgomery's Method. Just as in OpenSSL's
eay RSA functions, the chip has pre-calculation initialization steps.
I can tell the chip to just do them each time, but of course it is faster
to only do it once for each modulus (n, or p and q) and
Douglas E. Engert wrote:
Dr S N Henson wrote:
Douglas E. Engert wrote:
It does not appear there is any code in OpenSSL to make sure all critical
extensions are checked during a verify. This could be considered a bug.
The default behavior should be to reject any critical
Massimiliano Pala wrote:
Hi,
I found 2 bugs in the previous patch, so here are the fixes against
latest SNAP (20011026).
Problems:
1. the dn_subject structure was not freed at the end of
the do_body function;
2. the dn_subject was not set (empty) if
Massimiliano Pala wrote:
Hi all,
I am re-posting this message as I have received no replies to it.
If no one is interested in the proposals then simply ignore this
message.
-----
[ openssl ca command improve ]
Some work could be initially done by
introducing
J. Johnson wrote:
The archives show a lot of queries posted to 'openssl-users'--with no
responses. Anyone know of any particular reasons?
I thought OpenSSL looked pretty viable, but it won't be if no one will
help support possible users.
The OpenSSL mailing lists have been down for
Ben Laurie wrote:
Ben Laurie wrote:
francoise lacambre wrote:
Don't you think, in the X509_STORE_get_by_subject function, that the following
line
vs->current_method=j;
would be replaced by :
Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 11:00:25AM -0700, Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 06:21:26PM +0100, Dr S N Henson wrote:
Read the bit in the FAQ about adding an ERR_print_errors_fp() call then
see what it says is the cause.
I tried using
[EMAIL PROTECTED] wrote:
And are also mentioned the DER encoding rules of X.690 for the same case.
Therefore we need a little patch for
the function ASN1_GENERALIZEDTIME_check in order to be able
to accept time as indicated in the above example
I've just checked in a fix to the
Phil Stracchino wrote:
On Thu, Sep 27, 2001 at 02:26:14PM -0700, Phil Stracchino wrote:
I've just compiled and installed openssh-2.9.9p2 (compiled against
openssl-0.9.6b using gcc-3.0.0) on a Slackware 7-based Linux machine
(kernel 2.4.6ac2). The previously installed version was 2.9p2,
Phil Stracchino wrote:
On Fri, Sep 28, 2001 at 11:21:43PM +0100, Dr S N Henson wrote:
Strange, it should produce an error of some sort. See what happens if
you remove the pass phrase on the private key (using the rsa utility)
and also see if you get an error when you supply an incorrect
blue wrote:
Dear all
I try many times in BMPString which I think it can show my
character(not english) but It show
So please suggest me the way to show other character.
This depends on what you are trying to display the characters with. If
your terminal supports UTF8 then you
Oscar Jacobsson wrote:
Hi!
From the SSL_CTX_load_verify_locations manpage:
If CApath is not NULL, it points to a directory containing CA certificates in
PEM format. The files each contain one CA certificate. The files are looked up
by the CA subject name hash value, which must hence be
Harald Koch wrote:
[pkix quote deleted]
Any thoughts on how to go about adding support for separate CA
certificates for certs and CRLs to the existing OpenSSL certificate
verifier?
I've been meaning to look through the pkix CRL stuff to see how this lot
works in practice. The last time
Michael Sierchio wrote:
Ajay Nerurkar wrote:
According to the doc the fields p, q, dmp1, dmq1 and iqmp
in the RSA structure may be NULL in private keys but the
function i2d_RSAPrivateKey() calls BN_num_bits() with each
field of the argument RSA* a. And BN_num_bits() cannot handle
a
Blue wrote:
Question??
1 How can I pass argument (ex. country,Email,...) in one
instruction
2 I try to find Example but few. Please suggest url for Ex.
You need to create a file with the field information in it and pass that
using the -config command line option. Check out the
Gunther Schadow wrote:
Hi,
regarding my yesterday's post to enable the apps x509 and req to work
with empty subject DNs (as permitted, even suggested by PKIX for certs
with non-human subjects), I found another problem that I'm going to do
something about now. The ca tool depends on the
Rich Salz wrote:
Suggestions? Is there any interest in such changes at all?
I think the CA program is proof of concept and not up to the quality
of the rest of openssl. Any improvement here would be good.
Yes ca.c is an example of how to write a CA and not a very good one at
that. It
Richard Levitte - VMS Whacker wrote:
I've looked at util/mk1mf.pl and wondered for a long time why it does
its own configuration stuff (from all the util/pl/*.pl files) instead
of relying on data created by Configure. When one looks in Configure,
one can find entries for the Windows
Rich Salz wrote:
When are you going to drop Win16 support?
How about 0.9.7 being the last 16bit platform release?
I'm not sure if OpenSSL still compiles under Win16 anyway. There's some
legacy Win16 code and build options but it hasn't been tested for some
time.
Steve.
--
Dr Stephen N.
Doug Kaufman wrote:
On Tue, 4 Dec 2001, Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
drh I'm not sure if OpenSSL still compiles under Win16 anyway. There's some
drh legacy Win16 code and build options but it hasn't been tested for some
drh time
I was trying to compile test scripts (openssl-0.9.6b)
~/openssl-0.9.6b/demos/Maurice/*.c
When I try to make the file, I get the following error:
Too few arguments to function PEM_ASN1_read
Yes you will get that. The stuff in demos/Maurice/*.c is way out of
date. Applications shouldn't even call
Filipe Custódio wrote:
Hi!
I've been having some problems trying to load a PEM formatted public
key into an RSA structure. The key I want to load is:
-BEGIN PUBLIC KEY-
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7514kyrphs8TdJIh9KqUpgWSZ
Oscar Jacobsson wrote:
Having them in obj_mac.h should mean they are recognized by default,
shouldn't it? I'm not sure exactly what a_strnid.c does, but it looks
like a collection of convenience functions. I'm sure DC could be added,
as long as some kind soul could point out what its
Eric Laroche wrote:
Hi,
Yes, I am aware of the OpenSSL engine interface. Our code applies
quite similar mechanisms of feeding 'configuration' information (name/
value pairs) from application code. However, the engine command
definitions affect the whole engine setting, whereas our
曹岗 ([EMAIL PROTECTED]) wrote:
Hello,
openssl-0.9.6, openssl-0.9.6a, openssl-0.9.6-stable-snap-20020103,
openssl-engine-0.9.6c, openssl-0.9.6c, openssl-snap-20020103, these versions
can not be compiled under windows2000 + VC6.0.
Whenever I use perl Configure VC-WIN32 or
Stefan Kotes wrote:
All,
The ASN.1 DER encoding rules for SET OF collection say that the values of
the occurrences in this collection should be lexicographically ordered. I
have noticed that i2d_X509_NAME function omits this sorting for the
RelativeDistinguishedName member of the
Cristina Nita-Rotaru wrote:
Hello.
There might be a problem with EVP_DecryptUpdate.
My understanding was that EVP_EncryptUpdate can be called
multiple times and then conclude the encryption by calling
EVP_EncryptFinal. A similar mechanism applies for
EVP_DecryptUpdate and
Eric Laroche wrote:
Dr S N Henson wrote:
Eric Laroche wrote:
Yes, I am aware of the OpenSSL engine interface. Our code applies
quite similar mechanisms of feeding 'configuration' information (name/
value pairs) from application code. However, the engine command
definitions
francoise lacambre wrote:
hello,
I have a little question about check_purpose_ssl_server
and check_purpose_ssl_client.
check_chain_purpose function calls X509_check_purpose
for all untrusted certificates in the chain.
This function calls a check_purpose function.
In SSL_SERVER (or
Discussion moved from openssl-users...
Bear Giles wrote:
I can think of multiple
common storage formats: text files, DBM files, LDAP, RDBMS.
why not use an existing database abstraction layer such as libdbi or ODBC?
Too abstract - queries are done with SQL statements. That's not
H, this doesn't seem to have made it to the list. No doubt there
will be two copies now :-)
Bear Giles wrote:
I can think of multiple
common storage formats: text files, DBM files, LDAP, RDBMS.
why not use an existing database abstraction layer such as libdbi or ODBC?
Too
Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
stephen.henson I've done some work on this but it's only partly
stephen.henson complete and sitting in a dark corner of my hard
stephen.henson drive...
I'm curious to see what you've come up with so far.
I'll
Bear Giles wrote:
I'll dig out the code. It was largely based around the PKCS#11
functionality but with an OpenSSL flavour. That is you have a load of
objects each of which is a set of attributes. You can then lookup based
on exact matches of each attribute.
This is query by example.
Bear Giles wrote:
One classic approach is to have all lookup functions return a
list of unique keys. The caller then requests each object individually
via a lookup that guarantees uniqueness. Uniqueness is easy to guarantee
on any hashed or relational store - make it the primary
Bear Giles wrote:
Issuer and subject number should also be unique, and it's a common
search pattern. I don't think anyone searches on the hash of the
entire certificate.
It should be unique but it might not be, either by accident or malicious
intent.
This indirectly raises a
Bear Giles wrote:
To avoid duplication of code I'd say such concerns should be addressed
either at the application level or on top of whatever OpenSSL plugin API
is adopted.
I think that would be a serious mistake. I'm specifically thinking
of something like the CA cert
Richard Levitte - VMS Whacker wrote:
From: Dr S N Henson [EMAIL PROTECTED]
stephen.henson Is there some specific reason why the API should
stephen.henson return a key at all and not just the certificate (or
stephen.henson whatever) it corresponds to?
You might want to store keys alone
Bear Giles wrote:
Of course, this opens the whole can-o-worms of what constitutes
a duplicate cert? Is it an exact match, or matching I+SN, or
some other criteria?
There are some cases where only an exact match is acceptable. An example
is how OpenSSL performs a verify operation on a
Bear Giles wrote:
If it only did an I+SN match then an attacker could readily generate a
self-signed certificate using its own key with matching I+SN.
But a self-signed cert is easily identified and could be flagged
for special handling. By removing them from the standard population
Bear Giles wrote:
Nothing. The trust settings aren't part of the certificate encoding. The
current trust handling stores these after the main encoding only if the
*TRUST() functions are used.
As an aside my postgresql stuff currently uses the standard X509 routines
when converting
Bear Giles wrote:
What would you classify as bad data in this case?
A fake root cert and HTTPS certs. Then you do a DNS attack, the victims
get the blackhat HTTPS site but when they check the public cert repository
it comes back with a full cert chain.
Ditto bad object signing
Richard Levitte - VMS Whacker wrote:
From: Bear Giles [EMAIL PROTECTED]
bear The primary key is an opaque string henceforth known as the alias.
bear The plugin may treat this as a primary key, but must not attempt to
bear interpret it as a hash, email address, keyid, serial number, etc.
Oscar Jacobsson wrote:
Bear Giles wrote:
But a plug-in that transparently updated a smart card would be extremely
handy. :-) That's what makes the design so hard - it needs to be able
to handle everything from 8k smart cards holding a single veiled key and
cert to RDBMS databases with
Richard Levitte - VMS Whacker wrote:
I assume this must be a bit confusing, because we all seem to have
different ideas on what the different layers are supposed to do.
My idea is that we have three layers:
0. The application
1. The DB framework (which may or may not be part of the
Oscar Jacobsson wrote:
Dr S N Henson wrote:
I'd be reluctant to have multiple APIs handling each case. What we could
have is flags or profiles saying what a certain kind of database should
support.
OpenSSL currently has separate APIs, as opposed to flags or profiles,
for handling
Richard Levitte - VMS Whacker wrote:
The only thing that troubles me then is that the plug-in (dynamically
loadable, right?) would have to share certain structures with OpenSSL,
which means that we'd better define those structures in a way that
they won't need change after they are set in
Ben Laurie wrote:
Dr S N Henson wrote:
The self signed cert was only an example. There are other cases which
could apply as well. An example would be explicit trust of an EE
certificate. That isn't supported in OpenSSL yet but it will be at some
point. It would however have
Charles McCabe wrote:
I'm a complete Linux newbie here, submitting this report for the common
good. I'm trying to get sshd working on my RedHat 7.2 box and this
openssl install was the last in a series of frustrations. Hope it helps
someone somewhere.
[snip]
gcc -I.. -I../../include