Re: Problem with import PKCS12 to Windows
I've now tried the certificate over SSL. An attempt to use it results in it saying there is an error in the Schannel support or just a handshake failure: it doesn't look like it even sends the certificate. Maybe S/MIME will work... I'll try that later.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: Problem with import PKCS12 to Windows
I've had a report that Win2K IE5 works with SSL DSA certificates and OpenSSL, and also that build 5.00.2919.3800l is OK for import. I'm in the process of updating my IE5. I haven't checked this personally yet.

Steve.
RE: Problem with import PKCS12 to Windows
Well, again a short description. I need to import a pfx file (it is in PKCS12 format) into the certificate store of Windows. When a certificate is stored in the certificate store with the corresponding private keys, it is possible to use it (for encryption and signing) in MS Outlook. That is enough for the test of my project - a custom cryptography service provider DLL. My provider supports the DSA algorithm, therefore I need DSA keys. In my first e-mail I attached generated files (generated by one CA and by me). Please look at them.

MSIE does not import certificates, it just uses them from the certificate store. There is a certificate manager (certmgr.exe), and this program does the import of certificates (certificates are stored in the registry). When I import a pfx file (DSA) into the certificate store, I get the error message "Input information is invalid". Windows supports DSA with its CryptoAPI (look at the page http://msdn.microsoft.com/library/psdk/crypto/cryptoref_4dmb.htm, there is a list with a brief description of the MS providers). I am not sure if it is an error because of some error in Windows (or certmgr.exe, or something else), or if it is an error in openssl. However, I am able to import a PKCS12 file with RSA keys. I am able to import an X509v3 certificate with a public DSA key without any problem.

Currently I am in a very bad situation, because I finished the first part of the tests (with my test program), and I cannot continue with the second part - the test with real applications.

-----Original Message-----
From: Dr Stephen Henson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 11, 1999 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with import PKCS12 to Windows

> Ziacek Martin wrote:
> > Thanks for the answers, but none of them helped me. The described error is independent of the length of the DSA keys (512 or 1024) and I do not understand why I cannot import a DSA user certificate (PKCS12 file). So, if somebody has any idea, please let me know.
>
> You didn't say what you tried to import it into. If it's Netscape then there is a problem of some sort.
> If it's MSIE then I don't think you can use DSA certificates with it at all.
>
> Steve.
Re: Problem with import PKCS12 to Windows
Ziacek Martin wrote:
> Well, again a short description. I need to import a pfx file (it is in PKCS12 format) into the certificate store of Windows. When a certificate is stored in the certificate store with the corresponding private keys, it is possible to use it (for encryption and signing) in MS Outlook. That is enough for the test of my project - a custom cryptography service provider DLL. My provider supports the DSA algorithm, therefore I need DSA keys. In my first e-mail I attached generated files (generated by one CA and by me). Please look at them.
>
> MSIE does not import certificates, it just uses them from the certificate store. There is a certificate manager (certmgr.exe), and this program does the import of certificates (certificates are stored in the registry). When I import a pfx file (DSA) into the certificate store, I get the error message "Input information is invalid". Windows supports DSA with its CryptoAPI (look at the page http://msdn.microsoft.com/library/psdk/crypto/cryptoref_4dmb.htm, there is a list with a brief description of the MS providers). I am not sure if it is an error because of some error in Windows (or certmgr.exe, or something else), or if it is an error in openssl. However, I am able to import a PKCS12 file with RSA keys. I am able to import an X509v3 certificate with a public DSA key without any problem.
>
> Currently I am in a very bad situation, because I finished the first part of the tests (with my test program), and I cannot continue with the second part - the test with real applications.

Windows has supported DSA in CryptoAPI since before MSIE 4.0 but it didn't support certificates then: attempting to install a DSA CA certificate resulted in an error. MS Outlook Express of the time would allow a DSA PKCS#12 file to be imported but attempts to use it to sign messages resulted in a corrupt PKCS#7 file. Now it seems it will support DSA CAs up to a point; I've managed to import some CAs as you suggested. I've also managed to do some tests which show it can recognise an invalid DSA signature.

I've seen messages in the CryptoAPI mailing list from MS saying Windoze 2000 will support DSA certificates and keys. It may be that it currently supports DSA keys and certificates but doesn't "do the right thing" if it has both. It is also possible it doesn't support DSA PKCS#12 import or the applications can't handle DSA private key operations.

One way to resolve this is to import a DSA private key and certificate into CryptoAPI using CryptoAPI calls directly (e.g. CryptImportKey() with a DSA PRIVATEKEYBLOB), link the two up and see if applications work properly. If things seem OK the next step is to export a PKCS#12 file and see if it will re-import it and use the DSA key. If this works then it suggests a non-standard and broken PKCS#12 DSA format: if I can get such a PKCS#12 file to analyse I'll add an option to support it.

Steve.
RE: Problem with import PKCS12 to Windows
-----Original Message-----
From: Dr Stephen Henson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 12, 1999 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with import PKCS12 to Windows

Thanks for the answer.

> One way to resolve this is to import a DSA private key and certificate into CryptoAPI using CryptoAPI calls directly (e.g. CryptImportKey() with a DSA PRIVATEKEYBLOB), link the two up and see if applications work properly.

Well, I think it is not very simple. My CSP is able to generate public and private keys, but certmgr.exe does not see them, simply because the certificate store is located in another part of the registry (and of course, applications do not see these keys). I think the certificate store is in HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates. And for example, the MS providers use HKEY_CURRENT_USER\Software\Microsoft\Cryptography. I think (I will check it) MS Outlook reads from the certificate store both the public and private keys of the selected certificate, imports them into the provider, then encrypts/decrypts/signs/verifies the e-mail and then deletes the keys from the CSP store. However, I did not find a description of these registry keys (in the Resource Kit for Windows NT Server you can find a help file for the registry keys). It means I do not know the format of these registry values, and I thought this would be the last option - I will try it.

> If things seem OK the next step is to export a PKCS#12 file and see if it will re-import it and use the DSA key. If this works then it suggests a non-standard and broken PKCS#12 DSA format: if I can get such a PKCS#12 file to analyse I'll add an option to support it.

OK, if I am able to export it, I will send it to you.
Re: Problem with import PKCS12 to Windows
Ziacek Martin wrote:
> Thanks for the answers, but none of them helped me. The described error is independent of the length of the DSA keys (512 or 1024) and I do not understand why I cannot import a DSA user certificate (PKCS12 file). So, if somebody has any idea, please let me know.

You didn't say what you tried to import it into. If it's Netscape then there is a problem of some sort. If it's MSIE then I don't think you can use DSA certificates with it at all.

Steve.
Re: Problem with import PKCS12 to Windows
> From: Dr Stephen Henson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]

> From: Ziacek Martin [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED] '" [EMAIL PROTECTED]

Remember that messages to openssl-bugs usually come from people who are not subscribed to openssl-dev, and without Cc's to them they won't be able to read the replies.
Problem with import PKCS12 to Windows
Dear openssl-bugs,

I am not sure if I found a bug in openssl, but I cannot solve some problems, please help me. For testing purposes of my project I need to generate some certificates and corresponding private keys in pkcs12 format. I need to import these key sets into Outlook. I was looking for a CA which is able to generate them for me and from one CA I have a web link to your software. From a second CA I got pkcs12 files which have the same bug as I have found (all files you will find in the attached zip files).

OpenSSL details:
  OpenSSL 0.9.4 09 Aug 1999
  built on: date not available
  platform: information not available
  options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
  compiler: information not available

Operating System Details:
  Windows NT 4.0 Workstation build 1381 Service Pack 5 (i386 version)
  Internet Explorer 5 (5.00.2314.1003)
  Signcode for IE5

Compiler Details:
  Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86 from Visual C++ 6.0 with Service Pack 3

Application Details:
  Certificate Manager ver. 5.131.1863.1 (CERTMGR.EXE)

Problem Description:

A pkcs12 file generated by openssl is not possible to import into Windows. Certificate Manager does the import. When I import the pkcs12 file, I get an error message (from the Certificate Manager import wizard): "The input information is invalid." Of course, nothing is imported. However, this message is shown only for the pkcs12 file with DSA keys. The file containing RSA keys is possible to import without any problem.

The following commands generate all files:

  dsaparam -outform PEM 1024 -out DSAparam.pem
  req -new -newkey dsa:dsaparam.pem -sha1          (output saved in req.txt)
  ca -msie_hack -in req.txt -out sign.txt
  pkcs12 -export -keysig -inkey privkey.pem -in sign.txt -out c:\temp\martin.pfx
  x509 -in sign.txt -out c:\temp\martin.der -outform DER

(as PEM pass phrase and Export Password the string 'password' was used)

I tried other switches, but without any success. Currently I am not sure if it is a bug in openssl or in Windows. It is interesting that I am able to import the martin.der file. As CA I used the SSLeay demo server. All generated files you will find in files.zip. I have another set of files from a CA, with the same error on import. I think this CA uses openssl or ssleay (files are in swh.zip, the export password for the pkcs12 files is '').

Well, if you know something about the described problem, please help and let me know about a fix.

Thanks and best regards
Martin

Files.zip
Swh.zip
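The pipeline from the report above, reproduced with current openssl(1) syntax as an added example (this is not code from the thread or from the OpenSSL project). It generates DSA parameters and a key, self-signs a certificate instead of going through a CA, exports a PKCS#12 with -keysig exactly as in the report, and then does the kind of analysis Steve proposes for a PKCS#12 that Windows rejects: it pulls the private key back out of the file, reads the algorithm OID from the PKCS#8 AlgorithmIdentifier with asn1parse, and reads the keyUsage attribute that -keysig writes into the key bag (value 80, the digitalSignature bit, which is how the flag tells MS software the key is signing-only). The function names, the CN "martin", the password 'password' (the one used in the report) and openssl(1) being on PATH are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project.
# Reproduces the DSA PKCS#12 pipeline from the report with current
# openssl(1) syntax (self-signed cert instead of a CA), then inspects
# the key bag the way one would when analysing a PKCS#12 that a
# Windows importer rejects. Assumes openssl(1) on PATH; the function
# names, the CN "martin" and the password are this example's choices
# (the password matches the one used in the report).
set -eu

# Generate DSA params + key, self-sign a certificate and export a
# signing-only (-keysig) PKCS#12 into directory $1.
make_dsa_pfx() {
    dir=$1
    openssl dsaparam -out "$dir/dsaparam.pem" 1024 2>/dev/null
    openssl req -new -x509 -newkey dsa:"$dir/dsaparam.pem" -nodes \
        -sha256 -days 1 -subj "/CN=martin" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -keysig -name martin \
        -inkey "$dir/privkey.pem" -in "$dir/cert.pem" \
        -passout pass:password -out "$dir/martin.pfx" 2>/dev/null
}

# Pull the private key back out of PKCS#12 file $1, normalise it to
# unencrypted PKCS#8 and print the algorithm OID name from its
# AlgorithmIdentifier (dsaEncryption for a DSA key, rsaEncryption for RSA).
pfx_key_algorithm() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:password 2>/dev/null \
      | openssl pkcs8 -topk8 -nocrypt 2>/dev/null \
      | openssl asn1parse 2>/dev/null \
      | sed -n 's/.*OBJECT *:\(.*\)/\1/p' | head -n 1
}

# Print the keyUsage attribute that -keysig/-keyex store in the key bag
# ("80" = digitalSignature only, "10" = keyEncipherment), or nothing
# if the bag carries no such attribute. openssl prints the key bag's
# attributes ("Key Attributes" block) before the PEM key itself.
pfx_key_usage() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:password 2>/dev/null \
      | sed -n 's/.*Key Usage: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Usage: sh dsa_pfx_check.sh [workdir]   (defaults to a fresh temp dir)
workdir=${1:-$(mktemp -d)}
make_dsa_pfx "$workdir"
printf 'key algorithm : %s\n' "$(pfx_key_algorithm "$workdir/martin.pfx")"
printf 'key usage attr: %s\n' "$(pfx_key_usage "$workdir/martin.pfx")"
```

Two things differ from the 1999 setup. The private key goes into the file as a PKCS#8 ShroudedKeyBag, so the algorithm check is on the PKCS#8 AlgorithmIdentifier rather than on the certificate; a file whose key bag does not parse as PKCS#8 at all is the "non-standard format" case Steve mentions. And OpenSSL 3 writes the PKCS#12 with AES-256-CBC/PBKDF2 and a SHA-256 MAC by default, whereas importers of the certmgr.exe era expect the RC2-40/3DES PBE with a SHA-1 MAC; with OpenSSL 3 that older encoding needs the -legacy option and the legacy provider loaded, and OpenSSL 1.1.1 and earlier produce it by default.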
Re: Problem with import PKCS12 to Windows
Ziacek Martin wrote:
> Dear openssl-bugs,
> I am not sure if I found a bug in openssl, but I cannot solve some problems, please help me.

> Of course, nothing is imported. However, this message is shown only for the pkcs12 file with DSA keys. The file containing RSA keys is possible to import without any problem.

AFAIK you can't use DSA certificates and IE. If anyone has managed to get a user certificate (not CA!) into IE with a DSA key then I'd be interested in knowing how you did it.

Steve.
Re: Problem with import PKCS12 to Windows
Martin:

I think that the problem is that you are generating the private key with a length of 1024 bits, and maybe you have IE 5 with 40 bits of protection. Test again creating keys of 512 bits.

Regards
Raul Gutierrez

----- Original Message -----
From: Ziacek Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 06, 1999 5:01 AM
Subject: Problem with import PKCS12 to Windows

> Dear openssl-bugs,
>
> I am not sure if I found a bug in openssl, but I cannot solve some problems, please help me. For testing purposes of my project I need to generate some certificates and corresponding private keys in pkcs12 format. I need to import these key sets into Outlook. I was looking for a CA which is able to generate them for me and from one CA I have a web link to your software. From a second CA I got pkcs12 files which have the same bug as I have found (all files you will find in the attached zip files).
>
> OpenSSL details:
>   OpenSSL 0.9.4 09 Aug 1999
>   built on: date not available
>   platform: information not available
>   options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
>   compiler: information not available
>
> Operating System Details:
>   Windows NT 4.0 Workstation build 1381 Service Pack 5 (i386 version)
>   Internet Explorer 5 (5.00.2314.1003)
>   Signcode for IE5
>
> Compiler Details:
>   Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86 from Visual C++ 6.0 with Service Pack 3
>
> Application Details:
>   Certificate Manager ver. 5.131.1863.1 (CERTMGR.EXE)
>
> Problem Description:
>
> A pkcs12 file generated by openssl is not possible to import into Windows. Certificate Manager does the import. When I import the pkcs12 file, I get an error message (from the Certificate Manager import wizard): "The input information is invalid." Of course, nothing is imported. However, this message is shown only for the pkcs12 file with DSA keys. The file containing RSA keys is possible to import without any problem.
>
> The following commands generate all files:
>
>   dsaparam -outform PEM 1024 -out DSAparam.pem
>   req -new -newkey dsa:dsaparam.pem -sha1          (output saved in req.txt)
>   ca -msie_hack -in req.txt -out sign.txt
>   pkcs12 -export -keysig -inkey privkey.pem -in sign.txt -out c:\temp\martin.pfx
>   x509 -in sign.txt -out c:\temp\martin.der -outform DER
>
> (as PEM pass phrase and Export Password the string 'password' was used)
>
> I tried other switches, but without any success. Currently I am not sure if it is a bug in openssl or in Windows. It is interesting that I am able to import the martin.der file. As CA I used the SSLeay demo server. All generated files you will find in files.zip. I have another set of files from a CA, with the same error on import. I think this CA uses openssl or ssleay (files are in swh.zip, the export password for the pkcs12 files is '').
>
> Well, if you know something about the described problem, please help and let me know about a fix.
>
> Thanks and best regards
> Martin