Re: [openssl-users] PKCS#7
Hi,

thank you very much for your response.

Say someone would be able to gather several clear text AES keys and their respective asymmetrically encrypted RSA blocks. Would it weaken the security of the RSA key pair? I mean, could it be easier for someone using that information to brute force an RSA key pair?

Thank you

On Tue, Mar 14, 2017 at 3:12 PM, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:

> > If so, would it be possible in principle to decrypt an encrypted PKCS#7
> > envelope only knowing which AES key was used ?
>
> Yes. But maybe not with the openssl api's :)

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Doubt regarding Export keying material
Hi All,

I am having a doubt in usage of Exporting keying material API (SSL_export_keying_material) in OpenSSL. Please provide your suggestions.

As per Section 4 in RFC 5705, context length should be passed as uint16_t to PRF function. In that case we should allow only up to a max of 2^16 (65535). So the user should not pass more than 65535 value to "plen" in SSL_export_keying_material, right?

Please provide your valuable suggestion on this. I am referring to the 1.0.2k version of OpenSSL.

Thanks & Regards,
Ashok

Raja Ashok V K
Huawei Technologies
Bangalore, India
http://www.huawei.com
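The seed layout the question refers to, as an added Python example (not part of the original post and not OpenSSL's code): RFC 5705 section 4 feeds the PRF client_random + server_random, followed by a uint16 length and the context only when a context is supplied. It assumes the TLS 1.2 SHA-256 PRF from RFC 5246; the secret, randoms and label are constructed sample values.

```python
import hashlib
import hmac
import struct

MAX_CONTEXT_LEN = 0xFFFF  # largest value a uint16 length prefix can carry


def exporter_seed(client_random, server_random, context=None):
    """client_random + server_random [+ uint16(len(context)) + context]."""
    seed = client_random + server_random
    if context is not None:  # "no context" and "empty context" give different seeds
        if len(context) > MAX_CONTEXT_LEN:
            raise ValueError("context longer than 65535 bytes cannot be encoded")
        seed += struct.pack("!H", len(context)) + context
    return seed


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def export_keying_material(master_secret, client_random, server_random,
                           label, length, context=None):
    """PRF(master_secret, label, seed)[length] as defined by RFC 5705."""
    seed = exporter_seed(client_random, server_random, context)
    return p_sha256(master_secret, label + seed, length)


# Constructed sample values, not taken from any real handshake.
MS = bytes(range(48))
CR = b"\x01" * 32
SR = b"\x02" * 32
LABEL = b"EXPERIMENTAL example"  # RFC 5705 reserves this prefix for unregistered labels

if __name__ == "__main__":
    print(export_keying_material(MS, CR, SR, LABEL, 32, b"ctx").hex())
```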
Re: [openssl-users] X25519: how to generate public key?
Thank you for your quick answer.

Olivier

On 14/03/2017 at 13:43, Dr. Stephen Henson wrote:

> On Tue, Mar 14, 2017, Olivier Meunier wrote:
>
> > Hi,
> >
> > using openSSL 1.1.0e, I generate my private key using:
> >     openssl genpkey -algorithm x25519 -out x25519.key.pem
> >
> > But I cannot find how to generate the public key. I tried:
> >     openssl ec -in x25519.key.pem -pubout -out x25519.key.pub.pem
> > but got the errors:
> >     read EC key
> >     unable to load Key
> >     16084:error:0608308E:digital envelope routines:EVP_PKEY_get0_EC_KEY:expecting a ec key:crypto\evp\p_lib.c:319:
> >
> > What is the right command to get the public key?
> > Thanks,
>
> X25519 is treated as a distinct algorithm, not as an EC curve.
>
> You don't actually "generate" the public key; you can extract or calculate
> the public key corresponding to a private key though.
>
> The pkey command can do this for any supported algorithm:
>
>     openssl pkey -in privkey.pem -pubout -out pubkey.pem
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] PKCS#7
> If so, would it be possible in principle to decrypt an encrypted PKCS#7
> envelope only knowing which AES key was used ?

Yes. But maybe not with the openssl api's :)
[openssl-users] PKCS#7
Hi,

is the following picture correct?

When creating an encrypted PKCS#7 envelope, a random AES key is generated and encrypted with the provided RSA private key. The AES key is used to encrypt the envelope content. The X509 certificate containing the associated public key is included in the envelope attributes.

If so, would it be possible in principle to decrypt an encrypted PKCS#7 envelope only knowing which AES key was used?

Thank you
Re: [openssl-users] Cannot read exported PKCS12 cert and private key
On Mon, Mar 13, 2017, Michael Wojcik wrote:

> I'll assume you mean you exported it "from a mainframe system" using RACF.
> RACF has half a dozen export formats for certificates and keys; they're not
> all supported by OpenSSL.
>
> In particular (and despite the PEM delimiters), I suspect what you have here
> is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support
> PEM encoding, because that's not normally done. RACF will do it, though, just
> to be difficult.
>
> openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with
> a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So
> yes, looks like PKCS#12.
>
> So, try this:
> 1. Edit the file and remove the PEM delimiters ("-----BEGIN CERTIFICATE-----"
>    and "-----END CERTIFICATE-----").
> 2. Convert the data from Base64 to binary:
>        openssl base64 -d -in file -out file.der

Note this can be simplified a bit with:

    openssl asn1parse -in file.pem -out file.der

That should work for any PEM ASN.1 structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] X25519: how to generate public key?
On Tue, Mar 14, 2017, Olivier Meunier wrote:

> Hi,
>
> using openSSL 1.1.0e, I generate my private key using:
>     openssl genpkey -algorithm x25519 -out x25519.key.pem
>
> But I cannot find how to generate the public key. I tried:
>     openssl ec -in x25519.key.pem -pubout -out x25519.key.pub.pem
> but got the errors:
>     read EC key
>     unable to load Key
>     16084:error:0608308E:digital envelope routines:EVP_PKEY_get0_EC_KEY:expecting a ec key:crypto\evp\p_lib.c:319:
>
> What is the right command to get the public key?
> Thanks,
>

X25519 is treated as a distinct algorithm, not as an EC curve.

You don't actually "generate" the public key; you can extract or calculate the public key corresponding to a private key though.

The pkey command can do this for any supported algorithm:

    openssl pkey -in privkey.pem -pubout -out pubkey.pem

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-users] X25519: how to generate public key?
Hi,

using openSSL 1.1.0e, I generate my private key using:

    openssl genpkey -algorithm x25519 -out x25519.key.pem

But I cannot find how to generate the public key. I tried:

    openssl ec -in x25519.key.pem -pubout -out x25519.key.pub.pem

but got the errors:

    read EC key
    unable to load Key
    16084:error:0608308E:digital envelope routines:EVP_PKEY_get0_EC_KEY:expecting a ec key:crypto\evp\p_lib.c:319:

What is the right command to get the public key?

Thanks,
Olivier