I thought the new openSSL did the pool hence why I started this post as I
wanted to assure that
use of the function is correct for key generation effect; then next step to
figure out some entropy.
thanks a whole bunch
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
Oh, I am using openssl-1.0.2o just for development.
But I certainly will take a recommendation of version.
That's always appreciated.
--
Well what I was alluding to is this the correct use of the RAND_add function
to seed the Key generation. It's a bit confusing certainly. I will use more
than the UUID
of the device but you have to have the device in hand to know that and know
it came from
a device.
I certainly will use better
So if I add this RAND usage below, am I seeding to assure a different RSA key
pair each time run of
creating a RSA pair.
I would certainly replace the time with the UUID of the device to be unique
to the device.
You would have to acquire the device to know the seeding. Hey keep the Time
one too.
Ya me too did you ever get the info on this?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-deprecated-declarations main.c -lcrypto
* Origin: r redpath
* Project: wouldn't you like to know
/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/**
#ifndef OPENSSL_NO_ENGINE
#include
#endif
Sample abstract code, you should see this extension in your x509 when you
use the openssl x509 -in mycsr -text
You have to register an OID, I just picked one at random.
os = ASN1_OCTET_STRING_new();
nid = OBJ_create("1.3.18.0.2.10.8", "myalias", "myaliasname");
I would like to know why the openssl CA command to revoke a cert
(myfiletorevoke)
needs the CA cert other than the cert I want to revoke.
openssl ca -revoke myfiletorevoke -keyfile cakey -cert cacert -passin
pass:CApass -config myconfig
I noticed that the command does not modify the cert I
I am glad someone is asking this question.
I sign the same data with same private key and sometimes the signature is 63
and sometimes it is 64 but overall the verification works for each
anyhow.
--
Is it possible to revoke a cert by serial number?
I see all revoke commands you must have the cert?
I searched the forum and this question is not answered.
--
View this message in context:
http://openssl.6102.n7.nabble.com/Is-it-Possible-to-revoke-cert-by-Serial-tp46381.html
Well what I was going to do is simply use the serial number for finding the
file in the newcerts directory
for the pem and issue the CA command with PEM. Since the backup of the
signed certs is in the newcerts directory.
I guess that would be appropriate.
--
Thanks, decided to use one config file since I don't want to sync two
different files
and from the command line for certs I specify the Subj information and works
fine creating a child of the CA
with different CN. Got everything I needed for the host I was interested in
testing with.
Subject:
[ v3_req ]
nsCertType = server,client
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
I am trying to create SSL cert signed by the CA and want OCSPsigning
extended key usage
and it turns off SSL server and SSL
I sign the cert with a CA
ca -out ibmCMSsslcert.pem -in ibmCMSssl.csr -config ibmcms.cnf -batch -cert
ibmCAcert.pem -extensions v3_req
The config has this
*[ v3_req ]*
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
*extendedKeyUsage = OCSPSigning*
I have searched the forums for multiple hostnames and commonName.
I cannot get created Certs that are signed by the CA to have a commonName
supplied in the
config instead of the command line. I also want them to have subjectAltName
fields
too. I have tried the Policy *match* and basically get
I had thought that may have been the issue and it was thanks.
The ca signing needed the option to copy.
--
View this message in context:
http://openssl.6102.n7.nabble.com/OPENSSL-Config-file-OCSP-CHECK-DELEGATED-missing-ocspsigning-usage-tp46275p46284.html
*If I specify the subject fields in the command line instead of the config
file*
openssl req -new -nodes -out my.csr -days 731 -keyout mykey.pem
-batch -extensions v3_OCSP -config myconfig -subj /C=US/ST=North
Carolina/L=RTP/O=IBM Corporation/CN=192.168.2.16
*I can get these fields in the
*openssl Configuration question:*
I am using these command to create a CA signed cert.
openssl req -new -nodes -out my.csr -days 730 -keyout mykey.pem
-batch *-extensions* v3_OCSP -config configname.cnf
openssl ca -out *mycert.pem* -in my.csr -passin
What I meant by DSA (not to spell it out Digital Signature Algorithms) is
that most of my work is
using certs for signing data not creating an SSL cert and signing with a CA.
Thanks a bunch for answering my question to
1) verify that the cert is signed by the CA I use this command
I only deal with DSA processes so this is new to me and
I have created a CA and want to create an SSL cert for a server (signed by
the CA)
and I am trying to understand the -purpose output for the result.
Below is a simple test case of commands.
mkdir demoCA
mkdir demoCA/newcerts
mkdir
Thanks and as for the last question number (5) I meant I simply replace the
SSL cert and assume there
will be a challenge to accept the new certificate by a browser? I revoke the
old one SSL cert.
--
I have a best practices question on CA management for signing.
I have created CA signing cert and issue all other certs using this
CA to sign them.
1) I noticed that many CA examples set a term of 3650 days, is this common
practice?
2) If I decide to revoke the CA and create a new CA what is
Thank you Stefan
That worked perfect changing the policy optional to supplied
in the
# For the CA policy
[ policy_match ]
organizationName= supplied
--
Well my first thought is PKCS12.
And I found this link for PKCS12 maybe this might help.
http://danielpocock.com/strongswan-debian-rhel-fedora-with-android-client
--
View this message in context:
http://openssl.6102.n7.nabble.com/Using-PKCS-1-instead-of-PKCS-8-tp46071p46072.html
pass:password*
The myconfig.cnf has some dummy information such as Redpath Corporation
[ *req_distinguished_name *]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min= 2
countryName_max
Thanks saw that Ruby one also was not sure of it either and it was in Ruby
but will look at that much deeper. And I also saw the EJBCA and all the
orphans
I had to take in to have it work was too much for me. Geez it's just a
responder come on.
--
I am using OpenSSL version
OpenSSL 1.0.1e 11 Feb 2013
and the ocsp works fine.
openssl ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt
-rkey ocspsign.key -CA ./demoCA/cacert.pem -text
and I issue a request and get a response nicely. But then I am using
char *url=
I agree with this
Once again, I would like to advocate that the openssl verification code
should allow a self-signed certificate to revoke itself, using the same
mechanisms as for revoking anything else.
I was wondering how the root cert gets revoked. Anyway thanks for posting
that
I came across http://www.openca.org
for an open source OCSP responder.
Anyone know anything about this, it seems abandoned?
I would like a standalone OCSP responder to keep things simple
and a well documented way to provide a CRL list for the OCSP responder to
work with.
The source code seems to
I was wondering about self signed certs. If I run the test OCSP it needs to
know the
CA cert but there is no CA cert. So can an OCSP responder work for self
signed certs?
--
View this message in context:
http://openssl.6102.n7.nabble.com/OCSP-and-self-signed-tp45918.html
Very nice tutorial
http://pki-tutorial.readthedocs.org/en/latest/
So the issue is that there is no real Certificate Management Trust system
available
handling concurrency issues for a Database that works seamless with
revocation commands and
OCSP responder.
For example, using an OCSP responder
The command
openssl ca -revoke ./demoCA/newcerts/1008.pem -config myconfig.cnf -passin
pass:password
seems to just update a database, the 1008.pem is not touched.
Can someone tell me what this command really does for revocation.
Also why keep a list of revoked certs, just delete them and if not
:PRINTABLE:'AU'
stateOrProvinceName :PRINTABLE:'Some-State'
organizationName :PRINTABLE:'Redpath Corporation'
Certificate is to be certified until Jul 17 13:01:31 2014 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
*cat demoCA/index.txt
*V 140718112921Z
Yes this does work good
openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1000 -text -url
http://127.0.0.1:8082
and returns the good though there is a verify failure.
Response Verify Failure
140735283018172:error:27069065:OCSP routines:OCSP_basic_verify:certificate
verify
*I found the issue and fixed it but that leads to a question of security*
The error is here. The x509 that I want to check I also provide as the
issuer
since it was issued by the same issuer.
x == is the X509 loaded
req->url = url;
req->cert = x;
req->issuer = x;
but instead I
I am testing some simple scenarios for the OCSP server.
I have to stop and start the Server to know I revoked a cert.
Here is my scenario.
*I start the OCSP server*
ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey
ocspsign.key -CA ./demoCA/cacert.pem -text
*I check a
Fair enough, that's good to know. Will use for testing only the OCSP request
construction
and return information parsing.
--
View this message in context:
http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-tp45877p45880.html
Is there a standard to revoke a cert with a request to an OCSP. I know to
check status for an OCSP request works nicely using the OpenSSL API and is
standard RFC6960. I would think not for security issues.
Or is it simply a particular to what OCSP server product you decided to use
and allow
-pointer-type-mismatch OCSPrequest.c -lcrypto
*
*
* Origin: r redpath
*
*
* The fields in this structure are as follows:
*
* typedef struct {
*   char *url;
*   X509 *cert;
*   X509 *issuer;
*   spc_x509store_t *store;
*   X509
pass:password
openssl ca -in ocspsign.csr -out authocspsign.crt -batch -extensions
v3_OCSP -config myconfig.cnf -passin pass:password
The index.txt file looks like this now
cat index.txt
V 140717130131Z  1000 unknown /C=AU/ST=Some-State/O=Redpath Corporation
I start the server
To make this more clear, I simply have an X509 and want to programmatically
create an OCSP request to check status for the cert.
There are no examples other than openssl commands, I have a program on a
device and
need to programmatically check x509 periodically.
Thanks in advance.
--
for verifying an x509.
*
The sample test code is shown below.
/**
* cc -o test -Wno-deprecated-declarations test.c -lcrypto
*
*
* Origin: r redpath
*
*
* The fields in this structure are as follows:
*
* typedef struct {
*   char *url;
*   X509 *cert;
*   X509
I see that OPENSSL provides a command for an OCSP and need to create an OCSP
request as a POST or GET.
What source code file creates this request and makes a connection.
Basically an OCSP REQUEST contains the following fields
documented in RFC6960
- protocol version (I assume this is 0 for
I searched the forum and could not find a similar question.
I have a self signed V3 x.509 file (RSA 512 for simplicity)
X509 *x;
EVP_PKEY *pk;
if ((pk=EVP_PKEY_new()) == NULL){
    fprintf(stderr,"err 1\n");
    return(1);
}
rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
Okay so excerpt code shown below.
1) Load the RSA public key
2) Load the x509
3) Create an PKEY
4) But the life of me cannot find how to set the public and verify?
I did try a number of functions to set public key with core dump of
course.
This is just a test sample.
testrsa = RSA_new();
Nothing like forgetting to add Algorithms which was the issue
ERR_load_BIO_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
basically get the public key
testrsa = RSA_new();
FILE *fp = fopen("x509public.pem", "r");
When an x509 is created using the openssl command it creates a default serial
number if one not supplied
How is this serial number created (algorithm) in general.
openssl req -x509 etcetera
The default serial number is quite long so just using time_t (long) to set
the serial number is not very
Okay but it seems duplicate in information. The extended attributes have
information and the PEM has the base64 encoding below. Is there a way not to
have this duplicate info for efficient size?
--
I will toss it thanks.
--
View this message in context:
http://openssl.6102.n7.nabble.com/extended-x509-custom-Attributes-and-BEGIN-Certificate-size-tp44938p44942.html
I am adding a custom extension to an x509 a png icon basically (bytes).
Since the png icon is too large to post the data I have substituted it with
a
file called sample.txt that has a text line This is a sample.
The code excerpt to add the extension is below.
Thanks and also the OID register.
--
View this message in context:
http://openssl.6102.n7.nabble.com/X509-custom-extension-tp44930p44933.html
--
I thought the PKCS7 was the way to go thanks.
Yes the command line is confusing as to what the PKCS7 can provide
and that's what was a paradox to me.
Any pointers to PKCS7 example code inserting objects and extracting them
would be appreciated and I do use the men_bio nicely.
--
I took the sign.c example and modified it slightly to use artifacts I have,
but it seems the result just produces a PKCS7 that has a signature?
I want to have the data (PDF or JPG) in there as I need to use it after
validating
that it is trusted.
Basically I have a piece of data and a signature
Exactly a non-detached, I see the constant detached and thought that's what it
meant but that road led nowhere, so if anyone has pointers how to make a
non-detached or modify below that would be
great.
--
I looked at the latest smsign.c shown below modified with a large data item.
The result is still a detached and quite small like a signature. The flag
changed
and yet nothing different. It should be quite large. All I see is the API to
sign
p7 = PKCS7_sign(scert, skey, NULL, in, flags);
and
I have a piece of data like a JPG and a MD from it and a signature PKCS#1
from the MD.
int rc= RSA_sign(NID_sha1, md, 20, sigret, siglen, rsapriv)
I send the data and the signature to someone to verify the data and they use
it.
Now maybe there is standard measure to package the data and the
I saw the CMS but I did not see how to store raw data which I need to
extract?
Let's assume the data was a JPG and I created signature from the MD (SHA1)
how can I get the JPG use it and validate it. I looked at the PKCS7 and no
mention of adding
objects.
Any example is best to learn assuming
Anyone have a working script for building the new openssl for iOS static
libraries.
I tried this script and it nicely downloads the openssl tar file
openssl-1.0.1e.tar
then tries to compile and the log seems to have a problem with the standard
includes,
not sure what needs to be set. I think I
For others to benefit. In the log the error is stdlib.h cannot be found
which of course sends you in the wrong direction to find what is wrong like
the environment include.
Basically I set the SDK version to 6.0 not 5.1 as I have 6.0 with my xCode
4.5.1 with
command tools installed.
Well I discovered one thing this constant EVP_MAX_KEY_LENGTH changed when
using FIPS
from 32 to 64. The story is
I am using 0.9.8 and this constant to assure the password a person may use
by a user is
not larger than this for AES128 ciphering as undetermined results happen on
other platforms in
I knew this was coming about the password and of course we take this password
and create a key through Password-based Key derivation but point is the
constant
changed and we should have used our own.
That was the only surprise for us. And yes I use AES_BLOCK_SIZE and other
constants
but you
I want to create expired Certs as to address them in code.
You would think this would be easy.
I use this command below to create a Cert and then a PKCS12 which I commonly
use for things.
openssl genrsa -out myrsa.pem 2048
openssl req -new -key myrsa.pem -inform pem -x509 -days 731 -out my.crt
First of all let me correct this
I am using ECDSA to create and verify a signature for a document.
I apparently cannot use the ecdsa.PEM *directory* and so here is my
question.
to this
I am using ECDSA to create and verify a signature for a document.
I apparently cannot use the ecdsa.PEM
I store my cert and private key in PKCS12 files;
I then add these PKCS12 files to Java Key Store.
If I need to perform some security functions I extract the PKCS12 from
the Java Key Store by alias and perform all sorts of openssl commands.
And so why do I want to use a Java Key Store other than
I would like to use the Java Keystore as the Key and Certificate Management
utility. Hey gotta have some management system in place.
1) Create the EC KEYS
2) make x509
3) store in Java keystore
openssl ecparam -out ec.pem -name secp224r1 -genkey
openssl req -new -key ec.pem -inform pem -x509
Found the issue, after scanning for SHA1withECDSA I found Java source code
for Keytool which has been updated with new code to support this in Java
1.7.0.13. So I upgrade the Java and it stores the x509 now.
geez
--
I am using ECDSA to create and verify a signature for a document.
I apparently cannot use the ecdsa.PEM directory and so here is my question.
Below I have abstraction code for my question. The keys created are with the
openssl
commands shown below.
openssl ecparam -out *ecdsa.pem *-name
I read the public ECKEY in shown below from the x509
x509= PEM_read_bio_X509(bio,NULL, 0, NULL); //its public there is no password
EVP_PKEY *evpkey = X509_get_pubkey(x509);
pubeckey= EVP_PKEY_get1_EC_KEY(evpkey);
BIO_free(bio);
//But do I need this setting the curvetype???
Thanks yes of course all return codes are checked as well as the x509 is
known to be
obtained in a secure manner.
so I really do not have to set the curve, this simple excerpt is enough.
The reason I ask is I might eventually replace the x509 and use a different
curve
in the future and with
When using this command
openssl genrsa -out test.pem 2048
an RSA pair is created. It's not so much I want to know how a pair is
randomly selected
but how secure is that random selection. Random number generators are a
series
and this selection could be followed for brute force deciphering.
I have written AES encryption which uses salt
int nrounds=5;
unsigned char salt[]= {1,2,3,4, 5,6,7,8};
unsigned char key[32], iv[32];
unsigned char *key_data=password;
int key_data_len= 8;
i = EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt, key_data,
key_data_len, nrounds, key,
) {
e.printStackTrace();
}
}
}
The output is below.
java sample
hello
yes we can open it
DN: EMAILADDRESS=xx...@us.ibm.com, CN=R Redpath, OU=Sample Technology,
O=MyCompany, L=RTP, ST=NC, C=US
got Not After Date
Mon Aug 29 08:52:51 EDT 2022
got public key
public
How to use created openssl artifacts (Signature and RSA public key in x509)
from Java to verify signature of the contents of a file.
I ran into problems doing this so I am posting it for others in the future.
I use openssl to create artifacts
a signature for a file contents and
an RSA
I thought I had posted this already but cannot seem to find it.
I have tried by all means to figure out the API to create a PKCS7 for a
signature file.
Basically I have a signature file and want to wrapper it in a PKCS7. The
Signature is an
ECDSA and uses a SHA256 digest of a file that needs to
be posted here using the functions.
redpath wrote:
Well the situation is I have a file which has been signed for its
contents. This signature
is used to verify the authentication of the file. The signature works
great but I want to use
best practices to package the signature. A PKCS7
I have a PKCS7 file with signature in the envelope.
What API function can I use to open the PKCS7 to extract the signature data
and length
and then verify the message digest? The verify is shown below assuming I got
the signature
data and length.
int rc = ECDSA_verify(0, md, 20, signaturedata,
the PKCS7 to verify the file contents
which I create the message digest SHA2 from.
Is there something I am missing here. Just want to use best practices.
The challenger has the file and the PKCS7 (signature) to verify the
contents. The challenger has the
public key.
redpath wrote:
I have a PKCS7
Yes that is exactly what I was asking a standard format and yes I do use a
SHA1
for the message digest. So formerly known as PKCS#7 now called CMS that's the
way to go.
I will do that, and any pointers to documents/commands would be appreciated.
redpath wrote:
I have created EC Digital
I have created EC Digital Signature and saved it in a file.
Excerpt of code shown below for a message digest md
unsigned int siglen = ECDSA_size(peckey);
printf("Max signature length is %d \n",siglen);
siglen = ECDSA_size(peckey);
unsigned char *ptr = OPENSSL_malloc(siglen);