Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Viktor Dukhovni
> On Sep 15, 2017, at 6:24 PM, Michael Richardson wrote: > >> It is the DER analogue of PEM_read_bio_PUBKEY. With few exceptions, >> you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER. > > It would be great if there were cross-references... I should note

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Michael Richardson
Viktor Dukhovni wrote: > On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote: >> pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass); >> There must be a way to read DER format public keys. >> I'm suspecting that

Re: [openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Dr. Stephen Henson
On Fri, Sep 15, 2017, Anton Gerasimov wrote: > So it turns out load_privkey() function of engine_pkcs11.so sets pub_key > in the returned 'struct ec_key_st' to NULL. Is it a failure inside > engine_pkcs11.so? > Well sort of. OpenSSL requires that public key components are set for private keys

[openssl-users] Errors when running OpenSSL fipsalgtest.pl

2017-09-15 Thread security veteran
Hi All: I was using the fipsalgtest.pl utility for running tests with some input vectors. Somehow I ran into the following errors: Any suggestions will be greatly appreciated. Thanks. *Running ECDSA2 tests* DEBUG: KeyPair, Pass=240, Fail=0 ERROR: PKV mismatch: "QX =

Re: [openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Anton Gerasimov
So it turns out load_privkey() function of engine_pkcs11.so sets pub_key in the returned 'struct ec_key_st' to NULL. Is it a failure inside engine_pkcs11.so? Thanks, Anton Gerasimov -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Viktor Dukhovni
On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote: > pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass); > There must be a way to read DER format public keys. > I'm suspecting that maybe the magic is in the way the BIO is created? > (FAQ question PROG03,

Re: [openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Joseph Southwell
See: https://www.openssl.org/blog/blog/2016/08/24/sweet32 > On Sep 15, 2017, at 11:52 AM, Dave Serls wrote: > > > A file DES3 encrypted here by OpenSSL 1.0.1t 3 May 2016 (Debian 7 or earlier > version) is not accessible > by OpenSSL 1.1.0f 25 May 2017 (Debian 9). Is

Re: [openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Salz, Rich via openssl-users
A file DES3 encrypted here by OpenSSL 1.0.1t 3 May 2016 (Debian 7 or earlier version) is not accessible by OpenSSL 1.1.0f 25 May 2017 (Debian 9). Is this expected behavior? https://www.openssl.org/docs/faq.html#USER3

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Robert Moskowitz
On 09/15/2017 11:57 AM, Michael Richardson wrote: The PEM_* routines, as documented at: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html do not claim to read DER format input. (Actually they don't say anything about DER). Ruby's library uses: pkey =

Re: [openssl-users] documentation for 1.1.0

2017-09-15 Thread Dave Serls
On Fri, 15 Sep 2017 15:54:16 + "Salz, Rich via openssl-users" wrote: > Links across versions don’t really work since we moved from “crypto” “ssl” to > man3, etc. > Perhaps we should just take them down. One might suppose that it "failed" to a secure mode.

[openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Dave Serls
A file DES3 encrypted here by OpenSSL 1.0.1t 3 May 2016 (Debian 7 or earlier version) is not accessible by OpenSSL 1.1.0f 25 May 2017 (Debian 9). Is this expected behavior? -- * Dave Serls

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Salz, Rich via openssl-users
➢ pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass); That only reads PEM files. If docs say otherwise, they are wrong. ➢ There must be a way to read DER format public keys. A raw public key? Or a cert? Or a pkcs object? Anyhow, doc/man3/d2i_X509.pod in master.

[openssl-users] reading DER format public keys

2017-09-15 Thread Michael Richardson
The PEM_* routines, as documented at: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html do not claim to read DER format input. (Actually they don't say anything about DER). Ruby's library uses: pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

Re: [openssl-users] documentation for 1.1.0

2017-09-15 Thread Salz, Rich via openssl-users
Links across versions don’t really work since we moved from “crypto” “ssl” to man3, etc. Perhaps we should just take them down.

[openssl-users] documentation for 1.1.0

2017-09-15 Thread Michael Richardson
Many pages like: https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html will have a link on the right that says: "1.1.0" version, which I'd rather read because I'm using 1.1.0+, but it links to: https://www.openssl.org/docs/man1.1.0/crypto/pem.html which does not exist.

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen
I created the CA, then created the key for a Server then created a server.csr and generated the cert.
openssl genrsa -out HOME_Root_CA.key 2048
openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pem
openssl x509 -in HOME_Root_CA.pem -noout -text
# Create

[openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Anton Gerasimov
Greetings, I'm trying to make OpenSSL (v. 1.0.2j) get client certificate/private key from a virtual PKCS#11 device, namely SoftHSM. I've imported a certificate and private key into SoftHSM, configured openssl as follows and ran: openssl s_client -engine pkcs11 -connect mydomain.com:443

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst
On 15-09-17 15:58, Richard Olsen wrote: > I missed putting in the email that I created all the certs as listed > below. So I have the CA, Server and Client certs created. And tried to > do the pfx file for authentication with a "Soft cert" where I'll have to > configure later for a "hard cert"

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen
I missed putting in the email that I created all the certs as listed below. So I have the CA, Server and Client certs created. And tried to do the pfx file for authentication with a "Soft cert" where I'll have to configure later for a "hard cert" smartcard. ### Options fed into certs ##

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen
Sorry I left out half of my message. I created from CA down. As listed below. ### Options fed into certs ## Country Name (2 letter code) [XX]:US ## State or Province Name (full name) []:STATE ## Locality Name (eg, city) [Default City]:City ## Organization Name (eg, company) [Default Company

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread David H. Madden
On 15-Sep-2017 06:24, Richard Olsen wrote: > When I click on advanced I see > > "host.local.com uses an invalid security certificate. The certificate is > not trusted because the issuer certificate is unknown. The server might not > be sending the appropriate intermediate certificates. An

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst
On 15-09-17 15:24, Richard Olsen wrote: > "host.local.com uses an invalid security > certificate. The certificate is not trusted because the issuer > certificate is unknown. The server might not be sending the appropriate > intermediate certificates. An additional root

[openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen
I've run out of ideas on this and hope someone here can help me. I'm trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd 2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the following code: [CODE] ### Options fed into certs ## Country Name (2 letter

Re: [openssl-users] Why wasn't the fix for IP name restrictions included in 1.0.2 ?

2017-09-15 Thread Matt Caswell
On 15/09/17 00:05, Salz, Rich via openssl-users wrote: > > ➢ But the patch was put in git almost 10 months before 1.0.2 initial > release. > > We weren’t using git back then. So maybe it’s a bad/confusing import. Maybe > Matt can explain. > Actually I think we were using git at