Re: PrivateKey Decrypt Failure

2019-09-11 Thread Wim Lewis
On Sep 11, 2019, at 3:31 AM, Chitrang Srivastava wrote: > I am using openssl 1.1.1b and I am storing private key encrypted. > > I am storing private key as > PEM_write_bio_PrivateKey(bio, pkey, EVP_aes_128_cbc(), PKeyPassPKCS12, 0, 0, > NULL); I don't think that PEM_write_bio_PrivateKey()

Re: Does openssl sanity check ALPN strings?

2019-06-26 Thread Wim Lewis
On Jun 26, 2019, at 4:25 PM, Hal Murray wrote: > If a client passes {99, "a", "z" } with a length of 3 to > SSL_CTX_set_alpn_protos, > does that get rejected or sent to the server? > > If a somebody sends that to a server, does it get passed to the alpn callback? I don't think OpenSSL does

Re: PkiPath with openssl

2019-06-18 Thread Wim Lewis
On Jun 17, 2019, at 11:35 PM, Tobias Wolf wrote: > The specification said about sorting and providing the pki path in correct > order. Ah, I thought you were asking about producing the correct DER representation, not assembling the list of certs. In that case, take a look at the

Re: PkiPath with openssl

2019-06-17 Thread Wim Lewis
On Jun 17, 2019, at 8:09 AM, Tobias Wolf wrote: > there already a function available? In fact I'd like to provide a > STACK(X509)* as a parameter and get the pem or der encoded asn1 structure > back. Assuming you've already assembled the list of certificates you want to encode, I think you

Re: How to Sign and Encrypt in CMS ?

2019-05-06 Thread Wim Lewis
On May 5, 2019, at 7:13 PM, Dr. Pala wrote: > small question - I was playing around with the CMS interface and I was > wondering what is the right way to generate a signed and encrypted CMS. In > particular, for PKCS#7, you could use the signed_and_encrypted choice... but > in CMS, there is

Re: asn1parse genstr question

2019-04-22 Thread Wim Lewis
On Apr 21, 2019, at 8:58 AM, Dmitry Belyavsky wrote: > openssl asn1parse -genstr "UTF8String:ф" -out content > > I get a 6-byte file. If I understand correctly, it starts with a 2-byte > header indicating the content length and then contains an encoded letter 'ф' > I want. But the encoding

Re: Is there a way to retrieve the certificate from SSL_CTX?

2019-03-05 Thread Wim Lewis
On Mar 5, 2019, at 10:14 AM, Paul Smith wrote: > E.g., I'm adding my certificate with SSL_CTX_use_certificate(); is there a > way to get it back out? Does SSL_CTX_get0_certificate() do what you need? (The "get0" (vs "get") indicates its reference-counting semantics.)

Re: [openssl-users] Creating PKCS#8 from pvk format

2018-12-04 Thread Wim Lewis
On Dec 4, 2018, at 4:00 PM, zhongju li via openssl-users wrote: > Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I > have tried the following functions, all of these functions return 0 (failure) > without any further debugging information/clues: >

Re: [openssl-users] updating openssl

2018-11-06 Thread Wim Lewis
On Nov 6, 2018, at 2:02 PM, Paul wrote: > I configured Openvpn server on ubuntu 16.04 and ubuntu was using an old > version of openssl 1.0.2 and I was updating openssl to v1.1.1 > Now I've installed the openssl but now unable to mv file installed to ln -s > /usr/local/ssl/bin/openssl

Re: [openssl-users] porting socket ssl python to c++

2018-08-01 Thread Wim Lewis
This pair of articles is quite old, so some of the API details have changed, but it has an overall description of how to use OpenSSL: https://www.linuxjournal.com/article/4822 https://www.linuxjournal.com/article/5487 The link to the example code is broken, but you can find it here:

Re: [openssl-users] command passwd

2018-07-16 Thread Wim Lewis
On Jul 16, 2018, at 1:51 PM, Carl-Valentin Schmitt wrote: > mcrypt not only has md5, it has blowfish too and other keys. You can download > source at http://sf.net > mcrypt is a linux command as follower oft command crypt. I don't think the "openssl passwd" command has

Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure Randomness of PK

2018-05-23 Thread Wim Lewis
On May 23, 2018, at 10:08 AM, redpath wrote: > So if I add this RAND usage below, am I seeding to assure a different RSA key > pair each time run of creating a RSA pair. > > I would certainly replace the time with the UUID of the device to be unique > to the device. You

Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-28 Thread Wim Lewis
On Nov 25, 2016, at 12:43 PM, Dr. Stephen Henson wrote: > Something like that did happen for PKCS#7 but the OCTET STRING encapsulation > is correct for CMS. Aha, and this difference is called out in RFC5652 [5.2.1]. Thanks, that clarifies things for me a little. So

[openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-22 Thread Wim Lewis
I'm trying to produce nested structures, like signed-enveloped-signed data. This is explicitly described in the various RFCs, but I can't figure out how to get OpenSSL to produce valid output, and I can't find any code examples of doing this. What I'm doing (which doesn't quite work) is this:

Re: [openssl-users] Question about stateOrProvince

2016-08-30 Thread Wim Lewis
On Aug 30, 2016, at 6:28 PM, Tim Boring wrote: > When creating a CSR, openssl displays the following > > > State or Province Name (full name) [Some-State]: > ... > And a couple lines up from that is a comment pointing to RFC 3280, which > defines the following: The

Re: [openssl-users] CMS with Symmetric key

2016-04-04 Thread Wim Lewis
On Apr 4, 2016, at 3:42 PM, Jakob Bohm wrote: > Unless you can point out a clause in the "CMS" format RFCs > that allow use without X.509 certificates, there is no reason > why the "CMS" part of the OpenSSL library should be able to > any such thing. The CMS RFC (RFC

Re: [openssl-users] Converting DER encoded unsigned CSR to internal OpenSSL format

2015-11-11 Thread Wim Lewis
On Nov 9, 2015, at 3:46 PM, Peter P. wrote: > I'm writing an application using Openssl 1.0.2d where I am trying to take a > DER encoded unsigned CSR and read it into an X509_REQ data structure via the > d2i_X509_REQ_bio() function. This function errors out during when I

Re: [openssl-users] OPENSSL_SYS_VOS meaning

2015-08-24 Thread Wim Lewis
On Aug 24, 2015, at 11:33 AM, David Luengo López dlue...@rti.com wrote: 439 #define DUMMY_SEED /* at least MD_DIGEST_LENGTH */ 440 /* Note that the seed does not matter, it's just that 441 * ssleay_rand_add expects to have something to hash. */ 442

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis
On Aug 11, 2015, at 2:03 PM, Robert Sandilands rsand...@netscape.net wrote: So this leads to the next question: How do I teach OpenSSL the format of the value for a custom extension without writing code? What do you want OpenSSL to do with that knowledge? Presumably, the reason you're

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis
On Aug 11, 2015, at 9:24 AM, Robert Sandilands rsand...@netscape.net wrote: I am trying to build a certificate request with a custom OID and it is encoding strange characters in the certificate. For example I specify the following line in the .cnf file: bla_policy =

Re: [openssl-users] OpenSSL and iCloud

2015-01-05 Thread Wim Lewis
On Jan 5, 2015, at 12:01 PM, open...@comaxis.com wrote: Are there any known problems using OpenSSL with iCloud? I am trying to connect to imap.mail.me.com using port 993. My call to SSL_Connect() returns 0, with SSL_get_error() returning 1 (SSL_ERROR_SSL). I am using OpenSSL version 1.0.1h,

Re: OPENSSL_cleanse()

2014-10-28 Thread Wim Lewis
On Oct 23, 2014, at 10:17 PM, Vladimir Zatsepin vladimir.zatse...@gmail.com wrote: Does somebody know how OPENSSL_cleanse() works? I don't understand what this [17, 63, 0xF] values means. Why such values were chosen? I think it's a simplistic random number generator, like a linear

Re: Format of sig in EVP_SignFinal for DSA keys

2014-10-08 Thread Wim Lewis
On 6 Oct 2014, at 2:11 PM, Grahame Grieve wrote: I can't find any documentation as the exact format of sig produced by EVP_SignFinal when using a DSA key. It's 71 bytes, but 71 bytes of what? Just guessing here, but there are two formats I've seen for (EC)DSA signatures. One of them is an

Re: serverFull and otherFull

2014-04-22 Thread Wim Lewis
On 21 Apr 2014, at 10:27 PM, Sri Ramya wrote: can any one explain me what is server full and theotherfull in openssl terminology??? I think we need more context. Where are you seeing those terms?

Re: Looking more at the Heatbleed

2014-04-10 Thread Wim Lewis
On 10 Apr 2014, at 2:02 PM, mclellan, dave wrote: We are looking more deeply into Heartbleed to determine the risk to our proprietary, non-open application. 1. Background summary: Our proprietary client/server protocol is protected by TLS with OpenSSL 1.0.1c and 1.0.1e. We do not

Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Wim Lewis
On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote: Attention: The .asc file I downloaded directly from openssl.org for the 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt file distributed in previous tarballs, nor by the (unverifiable) fingerprints.txt available from

Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-08 Thread Wim Lewis
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote: Team, I am having a discussions with a few friends about why this OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of you (apologize in advance), but can't think of any other way to prove my point other than

Re: Regarding openssl-devel

2014-03-12 Thread Wim Lewis
On 12 Mar 2014, at 4:44 AM, banupriya wrote: Hi All, I would like to know how different is openssl-devel from openssl098 version. Thanks in Advance, Banupriya K There is a detailed changelog here: http://www.openssl.org/news/changelog.html In terms of API, they are not much

Re: Openssl 0.9.8r - openssl 1.0.1e

2014-01-08 Thread Wim Lewis
On 8 Jan 2014, at 12:14 PM, Hasan, Rezaul (NSN - US/Arlington Heights) wrote: If I have a Linux CLIENT machine running with openssl 0.9.8r establishing HTTPS sessions with a Linux SERVER running openssl 1.0.1e Is there any problems I should anticipate? In other words, should

Re: tlsv1 alert unknown ca

2013-10-01 Thread Wim Lewis
On 1 Oct 2013, at 3:00 PM, Troyanker, Vlad wrote: PROBLEM: the server fails SSL connection with SSL_accept: tlsv1 alert unknown ca The funny part I cannot even find where in source code that error (code SSL_R_TLSV1_ALERT_UNKNOWN_CA) gets thrown. I am looking through

Re: Warning for SSL_read()

2013-08-12 Thread Wim Lewis
On 12 Aug 2013, at 3:36 AM, John Selbie wrote: I'm upgrading a socket server written for non-blocking TCP sockets to use OpenSSL in non-blocking mode. In the man page for SSL_read, the following is stated: When an SSL_read() operation has to be repeated because of SSL_ERROR_WANT_READ

Re: Extracting data from custom extension

2013-07-16 Thread Wim Lewis
On 15 Jul 2013, at 4:24 PM, jimits10 wrote: i have a custom extension with test oid 1.2.3.4.5. I try to extract the oid data in the following manner: [] On investigating i found that ASN1 String was encoded in the form that it had 04 at the start to denote ASN1 coding followed by the

Re: openssl 1.0.1e Signature verification problems

2013-06-18 Thread Wim Lewis
On 14 Jun 2013, at 6:09 AM, anand rao wrote: I am using openssl 1.0.1e to create a CA and generate certificates. I am facing an issue while generating the device certificates. After creating the ca certificate using below command # openssl req -x509 -new -newkey rsa:1024 -keyout

Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis
On 21 May 2013, at 5:02 PM, Jorge Ventura wrote: Because the client trust the connection when I inform the intermediate, I suppose the server is not sending the intermediate, only the first certificate in the chain and in this case the command fail. That is a reasonable conclusion. You can

Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis
On 21 May 2013, at 5:37 PM, Jorge Ventura wrote: Somech, The server side is using one .pem file like this: private key the certificate intermediate 1 intermediate 2 The intermediate 2 was signed by one root CA available at client side and the two intermediate was supplied by the same

Re: Creating CSR with very long organizationName

2013-05-08 Thread Wim Lewis
On 8 May 2013, at 3:10 AM, Cipriano Groenendal - Byte Internet wrote: Hey all, I'm trying to create a CSR using a very long organizationName, but I keep getting the message 140605698299560:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too

Re: Reading an encrypted file

2013-03-05 Thread Wim Lewis
On 5 Mar 2013, at 6:57 AM, Greg Keene wrote: Is there an API that will allow me to read an encrypted file directly into memory? If possible I would like to bypass decrypting the file and writing it back out to the hard drive. What format is the encrypted file in? If it's just (for

Re: How to use a binary public key

2013-01-23 Thread Wim Lewis
On Jan 23, 2013, at 1:12 PM, Tovey, Dwight (LaserJet RD FW Eng.) wrote: Hello all – I have a need to send a bit of RSA encrypted data to a device. The device will provide its public key via SNMP as 140 bytes of binary data. I’m assuming that the data is DER format, but I can’t swear to

Re: genrsa question how secure is the random creation

2012-12-11 Thread Wim Lewis
On 11 Dec 2012, at 3:27 PM, redpath wrote: an RSA pair is created. Its not so much I want to know how a pair is randomly selected but how secure is that random selection. Random number generators are a series and this selection could be followed for brute force deciphering. I think the

Re: How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-28 Thread Wim Lewis
On 28 Nov 2012, at 12:31 PM, Ted Byers wrote: Is it possible to tell openssl where the configuration file is, e.g. by setting an environment variable, without passing a commandline argument? If I remember correctly, you can set the OPENSSL_CONF environment variable to the path of the config

Re: RSA quintuple vs. xmldsig mismatch

2012-10-29 Thread Wim Lewis
On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote: The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) use the first form of RSA representation with respect to the : http://tools.ietf.org/html/rfc3447#section-3.2 The RSAKeyValue element contains a public key, but the quintuple

Re: Digital certificate with more than 1 year validity

2012-09-18 Thread Wim Lewis
On 17 Sep 2012, at 9:13 PM, Santhosh AP wrote: Kindly help us to create digital certificate having more than 365 day’s validity. At present we are using OpenSSL 0.9.7a Feb 19 2003 version. Kindly confirm is it possible to cross the certificate validity more than 1 year, if it’s possible

Re: What exactly does the -binary switch do when creating s/mime output?

2012-08-22 Thread Wim Lewis
On 21 Aug 2012, at 2:39 PM, Bart W Jenkins wrote: Given: openssl smime -binary -sign -passin pass:SomePassword -signer cert.pem -inkey key.pem -in Document.txt -out Document.txt.sig -outform DER What *exactly* is done to the s/mime text to create a binary file? Are you asking about the

Re: change passphrase on CA

2012-08-21 Thread Wim Lewis
On 21 Aug 2012, at 8:03 AM, Brian J. Murrell wrote: I have an openssl generated CA and I want to change the passphrase on the CA certificate/key. I can't seem to find any documentation on how to go about that. IIRC, the newer way is to use the 'pkey' subcommand, and the older way is to use

Re: How to know which curve to use for which cipher

2012-07-10 Thread Wim Lewis
(I think this is more appropriate for openssl-users than -dev, so I'm responding to that list.) On 10 Jul 2012, at 8:59 AM, Sirshendu Rakshit wrote: My questions are: 1) Is this a good way to know the EC_KEY using the curve-name Or there is some better way to know it? If you're hardcoding a

Re: Question on openssl dgst: which private key?

2012-06-26 Thread Wim Lewis
On Jun 26, 2012, at 7:20 PM, Dave Thompson wrote: It's probably still easier to write a small program, but if you really want to do it yourself, you can see the structure by asn1parse'ing an existing one, or looking at the code starting with ec/ec_asn1.c . It is SEQUENCE version

Re: Remote access to my CA

2012-04-17 Thread Wim Lewis
On 17 Apr 2012, at 10:48 AM, Nathan Smyth wrote: I created a CA on my local machine (using CA.sh), which I used to develop some socket-based applications. The apps access the CA using SSL_CTX_load_verify_locations, with the (local) path of the CA. I'm now distributing the applications to

Re: Remote access to my CA

2012-04-17 Thread Wim Lewis
On 17 Apr 2012, at 2:04 PM, Nathan Smyth wrote: If the apps only need to be able to verify certificates issued by that CA, then all they need is a copy of the CA's certificate and to know that that certificate should be used as a trust root. (And, perhaps, access to a CRL or something if

Re: ENGINE Structural and functional references

2012-04-04 Thread Wim Lewis
On 4 Apr 2012, at 12:10 PM, Sunjeet Singh wrote: If I have multiple SSL connections using an engine at the same time, IS IT TRUE THAT- 1. I should have at least one structural and one functional reference for the entire duration within which the engine will be used i.e., between the calls

Re: AES-256 Implementation and OpenSSL

2012-04-02 Thread Wim Lewis
On 2 Apr 2012, at 8:09 AM, Theodore Tolstoy wrote: It seems to implement AES-{128,192,256} ECB mode of encryption/decryption(?). Am I wrong? Is it possible to use OpenSSL to achieve equivalent results? Yes. The low-level openssl AES implementation (AES_ecb_encrypt(), etc.) is available

Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis
On 28 Feb 2012, at 9:57 AM, JonathonS wrote: Here is the command I used to build openssl: ./Configure --prefix=/home/user/openssl_release --openssldir=/home/user/openssl_release no-asm threads zlib shared linux-x86_64 After the binaries have been built, it produces libcrypto.a and

Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis
On 28 Feb 2012, at 5:15 PM, JonathonS wrote: Thanks guys. Sorry for the confusion. I thought U meant undefined and T meant it *belongs* in the text section, NOT that it actually *exists* in the text section :) Here is my linker command. g++ -g -o unit_tests unit_tests.o

Re: weak key check?

2012-02-20 Thread Wim Lewis
On Feb 17, 2012, at 5:05 PM, anthony berglas wrote: Taking a different slant, is it possible to provide the Entropy using a pass phrase. So a given pass phrase will always generate the same key pair. This means that for simple applications no key store is required. Much like password

Re: weak key check?

2012-02-20 Thread Wim Lewis
On Feb 20, 2012, at 8:38 AM, Jakob Bohm wrote: On 2/17/2012 10:16 PM, Wim Lewis wrote: Even aside from TPM or other HSMs, hardware random number generators have been a common feature of PC motherboard chipsets for a decade or so. I assume, perhaps optimistically, that the /dev/?random

Re: weak key check?

2012-02-17 Thread Wim Lewis
On Feb 16, 2012, at 9:22 AM, Kenneth Goldman wrote: Many laptops and desktops and some servers now come with a TPM chip, a free source of hardware random numbers. Even aside from TPM or other HSMs, hardware random number generators have been a common feature of PC motherboard chipsets for a

Re: About the usage of SSL_get_ex_new_index

2012-02-08 Thread Wim Lewis
On 7 Feb 2012, at 8:50 AM, Bruce (Riji) Cai wrote: Hi all, From man page of SSL_CTX_set_verify, I saw this example snippet: /*** snippet begin */ ... mydata_t mydata; ... mydata_index =

Re: openssl and SHA256

2012-01-18 Thread Wim Lewis
On Jan 18, 2012, at 11:47 AM, Scott Wilson wrote: Does openssl support SHA256? Yes, it does. I'm not sure why it doesn't show up in the output of list-message-digest-commands or the usage message, but openssl sha256 will compute a SHA256 digest, and openssl dgst --help lists it.

Re: Difference b/w TLS Connection and TLS Session

2011-11-04 Thread Wim Lewis
On 4 Nov 2011, at 7:12 AM, Mr.Rout wrote: Can any body please let me know what is the difference between TLS Connection and TLS Session ? If a client makes a connection to a server it has previously connected to, it can re-use the cryptographic parameters (such as the initial session key /

Re: strong TLS connections

2011-10-26 Thread Wim Lewis
On 7 Oct 2011, at 7:40 PM, Kristen J. Webb wrote: I'm exploring the security of TLS for TCP/IP connections. I would like to establish TLS connections using server certificates (managing client certs via external or internal PKI is painful). My understanding is that a TLS connection with a

Re: Open SSL API's Support For IPv6.

2011-09-21 Thread Wim Lewis
On 21 Sep 2011, at 6:17 AM, Akanksha Shukla wrote: Currently we are using OpenSSL 0.9.8 version. I have question about few of the API's support for IPV6. 1) BIO_new_connect() [...] Queries : 1) Do the above mentioned API's support IPv6? I don't think so. BIO_new_connect() (and

Re: Help compiling,assembling and linking RC4 code.

2011-08-22 Thread Wim Lewis
On 19 Aug 2011, at 4:08 AM, rastir...@rastirrat.force9.co.uk wrote: What I am try to do is build the assembly language version of RC4. So far I have been able to create the rc4-586.asm file by running the rc4-586.pl script. I specifically want to run rc4speed and rc4test but using the

Re: Usage of macro OPENSSL_NO_STDIO

2011-08-17 Thread Wim Lewis
On 17 Aug 2011, at 7:36 AM, Kchitiz Saxena wrote: Can somebody briefly explain the use of macro OPENSSL_NO_STDIO. There are few functions like SSL_CTX_use_certificate_file() which are defined only if this macro is not defined. What is the functionality which is derived out of this macro

Re: Bug in OpenSSL 0.9.8e

2011-07-27 Thread Wim Lewis
On 20 Jul 2011, at 2:25 AM, Vinay Kumar wrote: Hi All, I am using OpenSSL OpenSSL 0.9.8e. The OpenSSL function sometimes sha1_block_host_order () crashes on Linux. Is there any fix available for this issue or what are the modifications need to be done? Please guide me. The core back

Re: Simple question: Maximum length of PEM file?

2011-07-27 Thread Wim Lewis
On 26 Jul 2011, at 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... The two things that are variable size are the key material itself,

Re: Handshake question

2011-07-27 Thread Wim Lewis
On 27 Jul 2011, at 1:52 PM, castre...@gmail.com wrote: Using memory buffers and blocking IO. I begin the handshake by the client initiating hello message. The server reads message, and data is put in its ssl output. This is sent back to client. The client read the data ( SSL_read) and

Re: Handshake question

2011-07-27 Thread Wim Lewis
On 27 Jul 2011, at 4:37 PM, castre...@gmail.com wrote: There is no data to send to the client ( I have checked the BIO out and there is no pending data to send out). This is my main problem. When I check the clients state using SSL_state_string from the last read it returns UNKWN.

Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-12 Thread Wim Lewis
On 11 Jul 2011, at 3:18 PM, Carla Strembicke wrote: The server receives the encrypted data and sends to the lower level and where it is pumped into the SSL structure ( which is using these memory buffers) using the BIO_write call ( I actually see that bytes are written into it) and the

Re: Updating code using ASN1_HEADER

2011-07-07 Thread Wim Lewis
On Jun 29, 2011, at 5:22 AM, Kenneth Porter wrote: I need to update an old piece of code written for 0.9.7 that uses the obsolete ASN1_HEADER struct as part of importing a Netscape certificate [...] It looks like that piece of code was adapted from load_cert() in openssl's apps.c. Try

Re: Need to extract the checksum from a signature

2011-07-05 Thread Wim Lewis
On 4 Jul 2011, at 7:47 AM, Roland Flury wrote: At the moment I use the PHP function openssl_pkcs7_verify() to verify the signature (I also could use the openssl command line tool with a system command). But verify is not enough, because I need to send back the digest. Is there any way

Re: Reliable identification by DN (or something else) for commercially-signed certs?

2011-06-29 Thread Wim Lewis
On 26 Jun 2011, at 11:39 AM, Leo Richard Comerford wrote: What should I use to whitelist certificates by? Specifically, what can I whitelist on to prevent false positives? For example, the obvious thing seems to be Distinguished Name. But can I safely assume that any two certificates issued

Re: problem with EVP_DecryptFinal_ex function

2011-06-22 Thread Wim Lewis
On 22 Jun 2011, at 5:46 AM, Damir Musulin wrote: I have created a decrypt function and it fails (how wonderful) The problem lies in the EVP_DecryptFinal_ex. I have made use of the ERR_print_errors_fp(stderr); option to see what is wrong but it is quite a cryptic message:

Re: Replacement of functions that operate with sockets

2011-06-15 Thread Wim Lewis
On 15 Jun 2011, at 11:57 AM, ml.vladimbe...@gmail.com wrote: Whether is it possible to implement? I have read in the documentation about BIO-functions, and could not understand is it possible to implement or not. Thanks for any help or suggestions. Yes, this is possible. It is asked on this

Re: SSL Communication using BIO

2011-05-23 Thread Wim Lewis
On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote: Anyone any comments on this. Is openssl appropriate choice for my case? As I understand it you want OpenSSL to handle the protocol and encryption, but you don't want OpenSSL to do any network I/O itself: you want to do that (via the C# sockets

Re: Clients glomming onto a listener

2011-05-10 Thread Wim Lewis
On 10 May 2011, at 4:13 PM, David Schwartz wrote: On 5/10/2011 2:10 AM, John Hollingum wrote: Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete. Calling 'fork' with an

Re: Conversion of RSA Encrypted message to Base64 format !!!

2011-04-20 Thread Wim Lewis
On 20 Apr 2011, at 3:01 AM, pattabi raman wrote: How can I use the function BIO_new_fp(stdout, BIO_NOCLOSE) to print the value to another character array instead of stdout? If not this, which Bio_ function I can use so that it will convert to Base64 and put it in char buffer ?? I think

Re: How is MD5 fingerprint on X509 created?

2011-04-19 Thread Wim Lewis
On 19 Apr 2011, at 10:55 AM, Matt C wrote: Should I be hashing the entire contents of the PEM file, only part, or is there additional data I need to add? The fingerprint that openssl computes is the hash of the entire certificate in DER format. You should be able to recover the DER-formatted

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 9:59 AM, luis hernandez wrote: i get a file with a signed base64 string produced using the following commands: openssl dgs -md5 -sign key.pem stringtosign.txt | openssl enc -base64 -A signedbase64string.txt that signed string is part of a text file that includes

Re: DH: safe prime issue

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 6:19 AM, ikuzar wrote: I 'd like to know if it is a security issue when p ( a DH param ) is not a safe prime ? is it more easier to attack DH algorithm with a non safe prime ... ? Yes. If p-1 does not have large factors, then it is easier to compute the discrete logarithm

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 12:02 PM, luis hernandez wrote: Thanks Wim, i know that cer pem files have the public key in it like: -BEGIN PUBLIC KEY- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz... -END PUBLIC KEY- -BEGIN CERTIFICATE-

Re: default certs path not used

2011-02-05 Thread Wim Lewis
On Feb 4, 2011, at 2:08 PM, Kārlis Repsons wrote: perhaps there is someone out there, who knows why openssl doesn't seem to look for certs in /etc/ssl/certs as indicated in openssl.cnf: [ ca ] default_ca = CA_default# The default ca section [ CA_default ] dir

Re: How does privatekey ever get defined?

2010-11-01 Thread Wim Lewis
On 1 Nov 2010, at 12:05 PM, Eichenberger, John wrote: I am planning on adding code to call SSL_CTX_use_PrivateKey. I do not have a key file to supply, so I cannot use SSL_CTX_use_PrivateKey_file. However, I thought I would ask about this because I've reviewed the code for both of those

Re: How can I load a PEM key stored in a string instead from a file?

2010-10-26 Thread Wim Lewis
PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which knows how to read a private key blob specifically). PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and calls

Re: Openssl certificate date issue

2010-10-13 Thread Wim Lewis
On 12 Oct 2010, at 11:48 PM, Vinay Kumar L wrote: I am trying to generate certificate which is valid for 20years. As the 20years crosses unix end time(January 19, 2038 03:14:07 GMT) from the current date, openssl certificate generated will have wrong dates My understanding is that this is

Re: Code Sample | Download Certificate

2010-09-15 Thread Wim Lewis
On Sep 15, 2010, at 6:24 AM, Ranjith Venkatesh wrote: Is it possible to download a certificate given the website eg: https://domainX.com using openssl functions? If yes, what are relevant functions and relevant code samples? It's possible to do this using openssl s_client -showcerts. You can

Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis
On Aug 17, 2010, at 12:37 PM, Leandro Santiago wrote: It's really a basic doubt: How can I parse a file with the public key to a struct which I can use to encrypt the string. Maybe just a simple_example.c... :-) And also an example about decrypt using the private key, of course :-) I'm

Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis
On Aug 17, 2010, at 3:19 PM, Wim Lewis wrote: But for any real-world application, you'll want to do the standard business of generating a session key, encrypting the message using conventional symmetric encryption, and encrypting the session key with the public key. Since that's a lot

Re: Simulating Mac keychain CSR with OpenSSL

2010-07-28 Thread Wim Lewis
On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote: It's obviously asking for just a subset of what would typically go into a CSR. I tried generating several different CSR's with OpenSSL, containing various information (and then converting the files to Mac line endings), but the instructions

Re: Simple question about SSL certs

2010-07-26 Thread Wim Lewis
On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote: I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when

Re: Revival of ERR_free_state_table / alt solution

2009-11-08 Thread Wim Lewis
On Oct 7, 2009, at 8:19 AM, Thomas Harning Jr. wrote: I'm writing a browser and a library that use OpenSSL for cryptography support. I want to best be able to fully cleanup state when my plugin/library is unloaded, however it seems to me that it's not possible to clear out all

Re: Memory leaks...

2009-11-08 Thread Wim Lewis
On Nov 7, 2009, at 2:50 PM, barcaroller wrote: I'm getting some memory leaks when I use OpenSSL. I was not able to get rid of these leaks, even when I use EVP_cleanup() and ERR_free_strings() at the end of my program. [] ==27769== 24 bytes in 1 blocks are still reachable in loss