RE: Problem with openssl.exe
Hum, I don't really know. I only saw SSLEAY in the perl script CA.pl. So I thought I have to set it.

-----Original Message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 9 January 2002 06:13
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: Re: Problem with openssl.exe

> How does openssl.exe know the SSLEAY environment variable under WNT4?
> When I type openssl, I have the following error:
> Using configuration from /usr/local/ssl/openssl.cnf

you mean OPENSSL_CONF ?

Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
http://www.kermit-project.org/             secured with Kerberos, SRP, and
[EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
PKCS, getting signer's CN
I was trying to get the common name (CN) from a PKCS7 file that I had read in. I used,

    sk=PKCS7_get_signer_info(p7)

now I have sk holding a STACK_OF(PKCS7_SIGNER_INFO), any function to return the CN as I go through the stack?

Thanks,
Frank
3DES-CBC questions
A coworker has brought up a question that I can't answer and I am hoping someone here could. With 3des you encrypt the data with the first key, decrypt with the second and encrypt with the 3rd to get the encrypted message. He xor'ed the plain text with the encrypted message and obtained a key. He then could use that key to decrypt any other message.

Now I know that if you know the plain text then you can get the key but the point was how is 3des any stronger than des if you only need one key to decrypt the message. Also it appears the key he found was only 56-bits, or maybe this is a mistake.

So I guess the question is, if you only need one key to decrypt a 3des encrypted message then how is it strong.

Thanks!
- Andrew
ActiveSol.net
[EMAIL PROTECTED]
RE: Problem with openssl.exe
You either create an environment variable

    SET OPENSSL_CONF=drive:path/filename

before executing openssl.exe or specify the config file on the command line with the -config option.

> Hum, I don't really know. I only saw SSLEAY in the perl script CA.pl. So I thought I have to set it.
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 9 January 2002 06:13
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Problem with openssl.exe
>
> > How does openssl.exe know the SSLEAY environment variable under WNT4?
> > When I type openssl, I have the following error:
> > Using configuration from /usr/local/ssl/openssl.cnf
>
> you mean OPENSSL_CONF ?

Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
http://www.kermit-project.org/             secured with Kerberos, SRP, and
[EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH
RE: Problem with openssl.exe
Yep, now it works.
Thanks for your help.

JP

-----Original Message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 9 January 2002 06:25
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: RE: Problem with openssl.exe

You either create an environment variable

    SET OPENSSL_CONF=drive:path/filename

before executing openssl.exe or specify the config file on the command line with the -config option.

> Hum, I don't really know. I only saw SSLEAY in the perl script CA.pl. So I thought I have to set it.
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 9 January 2002 06:13
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Problem with openssl.exe
>
> > How does openssl.exe know the SSLEAY environment variable under WNT4?
> > When I type openssl, I have the following error:
> > Using configuration from /usr/local/ssl/openssl.cnf
>
> you mean OPENSSL_CONF ?

Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
http://www.kermit-project.org/             secured with Kerberos, SRP, and
[EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH
Re: 3DES-CBC questions
--On Wednesday, January 09, 2002 12:26 PM -0500 Andrew [EMAIL PROTECTED] wrote:

> A coworker has brought up a question that I can't answer and I am hoping someone here could. With 3des you encrypt the data with the first key, decrypt with the second and encrypt with the 3rd to get the encrypted message.

Yes..

> He xor'ed the plain text with the encrypted message and obtained a key.

Well, does this mean that the message was only 56 bit long? As the DES stream is essentially random (I think), this would be a way of obtaining a random number.

> He then could use that key to decrypt any other message.

What does that mean? He can't.

> Now I know that if you know the plain text then you can get the key but the point was how is 3des any stronger than des if you only need one key to decrypt the message.

You can't. 3DES is definitely stronger.

> Also it appears the key he found was only 56-bits, or maybe this is a mistake.
>
> So I guess the question is, if you only need one key to decrypt a 3des encrypted message then how is it strong.
>
> Thanks!
> - Andrew
> ActiveSol.net
> [EMAIL PROTECTED]

There is not enough information for a meaningful answer...
Importing self-made CA certificates at the OS level
Is it possible to import CA certificates at the OS level (IE: right into an openssl install), rather than the application level? I'd rather not try to insert certs into every app on a given linux system, especially since some of them seem to be broken (KDE has no CA import in the version with Mandrake 8.1).

I looked around, and couldn't find any root certs with openssl, so I'm guessing I'm barking up the wrong tree, and every app always needs its own list of CA's, but a confirmation would be nice.

Jason
Re: 3DES-CBC questions
Well let's see if I can explain this a little better.

How does 3DES work? Apparently my co-worker took the final encrypted text, XOR'ed it with the original message and obtained a key. Now he claims that he can decrypt any message with that key. Now this may be wrong, does it mean he can decrypt the original message then? I thought 3DES was 168-bits strong, but if the three 56-bit keys are just xor'ed then it doesn't seem to be a linear encryption.

Also he xor'ed the original message with the final encrypted message, this produced a key. Now he also xor'ed all three of the des keys together. When compared the keys were the same. This is strange because it seems to me then that all you need to know is the xor'ed equivalent of all three of the 3des keys.

Pretend I have no clue what I'm talking about and try to explain how 3des works ;-)

I'm not sure what other information you are looking for. I'm just asking how the semantics of 3DES work and why it's stronger than DES. I know that it is, but why.

Thanks!
- Andrew
ActiveSol.net
[EMAIL PROTECTED]

----- Original Message -----
From: David Tonhofer, m-plify S.A. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Andrew [EMAIL PROTECTED]
Sent: Wednesday, January 09, 2002 12:46 PM
Subject: Re: 3DES-CBC questions

> --On Wednesday, January 09, 2002 12:26 PM -0500 Andrew [EMAIL PROTECTED] wrote:
>
> > A coworker has brought up a question that I can't answer and I am hoping someone here could. With 3des you encrypt the data with the first key, decrypt with the second and encrypt with the 3rd to get the encrypted message.
>
> Yes..
>
> > He xor'ed the plain text with the encrypted message and obtained a key.
>
> Well, does this mean that the message was only 56 bit long? As the DES stream is essentially random (I think), this would be a way of obtaining a random number.
>
> > He then could use that key to decrypt any other message.
>
> What does that mean? He can't.
>
> > Now I know that if you know the plain text then you can get the key but the point was how is 3des any stronger than des if you only need one key to decrypt the message.
>
> You can't. 3DES is definitely stronger.
>
> > Also it appears the key he found was only 56-bits, or maybe this is a mistake.
> >
> > So I guess the question is, if you only need one key to decrypt a 3des encrypted message then how is it strong.
> >
> > Thanks!
> > - Andrew
> > ActiveSol.net
> > [EMAIL PROTECTED]
>
> There is not enough information for a meaningful answer...
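A check of the claim discussed in this thread, as an added example that is not part of the original posts: it encrypts single blocks with openssl enc -des-ede3-cbc and tests whether plaintext XOR ciphertext taken from one message recovers a second message. The key, IV, messages and helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): test the "plaintext XOR ciphertext is a
# reusable key" claim against 3DES-CBC using the openssl command line.
set -eu

# Constructed values: three different 8-byte DES keys (K1|K2|K3) and an IV.
KEY=0123456789abcdef23456789abcdef01456789abcdef0123
IV=0001020304050607

# stdin bytes -> lowercase hex string
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Encrypt one 8-byte block: E_K3(D_K2(E_K1(P xor IV))). -nopad keeps it 8 bytes.
ede3_encrypt() {
    printf '%s' "$1" |
        openssl enc -des-ede3-cbc -K "$KEY" -iv "$IV" -nopad | to_hex
}

# Encrypt, then decrypt with all three keys; this must return the plaintext.
roundtrip() {
    printf '%s' "$1" |
        openssl enc -des-ede3-cbc -K "$KEY" -iv "$IV" -nopad |
        openssl enc -d -des-ede3-cbc -K "$KEY" -iv "$IV" -nopad
}

# XOR two equal-length hex strings byte by byte.
xor_hex() {
    a=$1; b=$2; out=
    while [ -n "$a" ]; do
        x=${a%"${a#??}"}; y=${b%"${b#??}"}      # first two hex digits of each
        out=$out$(printf '%02x' $(( 0x$x ^ 0x$y )))
        a=${a#??}; b=${b#??}
    done
    printf '%s\n' "$out"
}

# The value the coworker would call a "key": plaintext XOR ciphertext.
pseudo_key() {
    xor_hex "$(printf '%s' "$1" | to_hex)" "$(ede3_encrypt "$1")"
}

# Returns 0 only if the pseudo-key from message $1 also "decrypts" message $2.
pseudo_key_transfers() {
    k=$(pseudo_key "$1")
    guess=$(xor_hex "$(ede3_encrypt "$2")" "$k")
    [ "$guess" = "$(printf '%s' "$2" | to_hex)" ]
}

if pseudo_key_transfers MESSAGE1 MESSAGE2; then
    echo "pseudo-key decrypted a second message"
else
    echo "pseudo-key is useless for a second message"
fi
```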
Re: PKCS, getting signer's CN
On Wed, 2002-01-09 at 18:21, Frank Geck wrote:

> I was trying to get the common name (CN) from a PKCS7 file that I had read in. I used,
>
>     sk=PKCS7_get_signer_info(p7)
>
> now I have sk holding a STACK_OF(PKCS7_SIGNER_INFO), any function to return the CN as I go through the stack?

don't know if this will help you:

    #include <stdio.h>
    #include <openssl/pkcs7.h>
    #include <openssl/x509.h>

    /* print the subject name of every signer certificate found in p7 */
    void print_signer_subjects(PKCS7* p7)
    {
        STACK_OF(PKCS7_SIGNER_INFO)* sk = PKCS7_get_signer_info(p7);
        for (int i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk); i++)
        {
            PKCS7_SIGNER_INFO* si = sk_PKCS7_SIGNER_INFO_value(sk, i);
            /* NULL when the signer's certificate is not included in p7 */
            X509* x509 = PKCS7_cert_from_signer_info(p7, si);
            if (x509 == NULL)
                continue;
            X509_NAME* name = X509_get_subject_name(x509);
            char text[200];
            /* writes at most sizeof(text) bytes into text */
            X509_NAME_oneline(name, text, sizeof(text));
            printf("Subject name data: %s\n", text);
        }
    }

-- Aleix

--
Aleix Conchillo Flaqué
SCYTL founder RD Engineer
e-mail: [EMAIL PROTECTED]
phone: +34 933 016 547
OpenSSL Question
I would like to abstract the SSL communications through 2 pipe[] fd's under win32 where I plan on reading the read side of the pipes and then Handling all network connectivity myself.

I tried using SSL_set_rfd()/SSL_set_wfd() but I still couldn't get it to write communications when I issued a SSL_connect().

Is it possible to do this using only SSL_set_?fd() calls or do I need to setup a BIO, and if so.. Which type of BIO?

Any/all help would be greatly appreciated.

-SB
Re: PKCS7, getting signer's CN
Thanks,

Yea I already had this output/used this code. Was trying to just get the CN=XXX without doing something lame like strtoking through text. I was looking at the code of X509_NAME_oneline and it is sure ugly!

Thanks,
Frank

Aleix Conchillo wrote:

> On Wed, 2002-01-09 at 18:21, Frank Geck wrote:
>
> > I was trying to get the common name (CN) from a PKCS7 file that I had read in. I used,
> >
> >     sk=PKCS7_get_signer_info(p7)
> >
> > now I have sk holding a STACK_OF(PKCS7_SIGNER_INFO), any function to return the CN as I go through the stack?
>
> don't know if this will help you:
>
>     #include <stdio.h>
>     #include <openssl/pkcs7.h>
>     #include <openssl/x509.h>
>
>     /* print the subject name of every signer certificate found in p7 */
>     void print_signer_subjects(PKCS7* p7)
>     {
>         STACK_OF(PKCS7_SIGNER_INFO)* sk = PKCS7_get_signer_info(p7);
>         for (int i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk); i++)
>         {
>             PKCS7_SIGNER_INFO* si = sk_PKCS7_SIGNER_INFO_value(sk, i);
>             /* NULL when the signer's certificate is not included in p7 */
>             X509* x509 = PKCS7_cert_from_signer_info(p7, si);
>             if (x509 == NULL)
>                 continue;
>             X509_NAME* name = X509_get_subject_name(x509);
>             char text[200];
>             /* writes at most sizeof(text) bytes into text */
>             X509_NAME_oneline(name, text, sizeof(text));
>             printf("Subject name data: %s\n", text);
>         }
>     }
>
> -- Aleix
>
> --
> Aleix Conchillo Flaqué
> SCYTL founder RD Engineer
> e-mail: [EMAIL PROTECTED]
> phone: +34 933 016 547
Certificate validation
I am wondering if openssl can be used in an application such that a certificate is checked locally on application startup as a license verification measure. My idea is to install a certificate, then have the application validate it during launch to verify that execution is permitted. Is this possible to do without allowing a user on the machine to modify the certificate to circumvent this measure?

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet
Re: PKCS7, getting signer's CN
Frank Geck wrote:

> Thanks,
>
> Yea I already had this output/used this code. Was trying to just get the CN=XXX without doing something lame like strtoking through text. I was looking at the code of X509_NAME_oneline and it is sure ugly!

X509_NAME_print_ex() is the newer version but it's rather complex to handle all manner of issues.

Anyway what you need to do is to use the X509_NAME functions to extract the CN. An example of their use appears in crypto/x509v3/v3_utl.c in the function get_email which handles email.

However for a CN you'll get back an ASN1_STRING structure which will usually be a simple string type like PrintableString but may be a multi character type like BMPString or UTF8String.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Newbie question on generating a certificate request
Greetings All,

I am very new to openssl and am having some difficulty finding the information on generating a certificate request. What I really want to do is obtain the distinguished name information via a web page then pass that information into the openssl call (specifically I want to do

    openssl req -in file -nodes -keyout key.pem -out out.pem

where file is the information submitted by the user via the web page). However, in order to use the "-in" qualifier I believe the input file has to be in PEM format (or that is what I believe I have gathered from the openssl.org site). Is this the case? If so, how do I convert the file from ascii to PEM.

Also, should there be field names associated with the data from the distinguished name (ie key value pair)? If so, what exactly should these be?

If this is documented someplace, PLEASE point me in the direction of the documentation.

Thank you,
Carolyn
Re: Newbie question on generating a certificate request
Carolyn Malloy wrote:

> Greetings All,
>
> I am very new to openssl and am having some difficulty finding the information on generating a certificate request. What I really want to do is obtain the distinguished name information via a web page then pass that information into the openssl call (specifically I want to do
>
>     openssl req -in file -nodes -keyout key.pem -out out.pem
>
> where file is the information submitted by the user via the web page). However, in order to use the -in qualifier I believe the input file has to be in PEM format (or that is what I believe I have gathered from the openssl.org site). Is this the case? If so, how do I convert the file from ascii to PEM.
>
> Also, should there be field names associated with the data from the distinguished name (ie key value pair)? If so, what exactly should these be?
>
> If this is documented someplace, PLEASE point me in the direction of the documentation.

What you actually need to do is to construct a template configuration file with the necessary field values in it and pass that on the command line using the -config option.

See the EXAMPLES section of the req(1) manual page in doc/apps/req.pod or at:

http://www.openssl.org/docs/apps/req.html#EXAMPLES

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
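The template-file approach from the reply above, as an added example (not from the original thread or the OpenSSL documentation): it writes DN fields collected from a web form into a "prompt = no" config, passes it with -config, and refuses values that could add lines to the config file. The field values, file names and the safe_dn_value, write_req_config and make_csr helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): turn DN fields collected from a web
# form into a req(1) template config and create the CSR non-interactively.
set -eu
export LC_ALL=C    # make the A-Z / a-z ranges below byte-exact

# Allow-list check for one DN value. Anything outside this set is refused,
# so a submitted value cannot carry a newline (which would start a new config
# line or section), '$' (config variable expansion), '\' or '#'.
safe_dn_value() {
    case "$1" in
        ''|*[!A-Za-z0-9\ .,@_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]    # conservative length cap (commonName upper bound)
}

# Write the template. Arguments: outfile C O CN email (hypothetical form fields).
write_req_config() {
    cfg=$1; shift
    for v in "$@"; do
        safe_dn_value "$v" || { echo "rejected DN value" >&2; return 1; }
    done
    cat > "$cfg" <<EOF
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
C            = $1
O            = $2
CN           = $3
emailAddress = $4
EOF
}

# Generate key + CSR from the template and print the subject of the result.
make_csr() {
    dir=$1; shift
    write_req_config "$dir/req.cnf" "$@" || return 1
    openssl req -new -config "$dir/req.cnf" -nodes -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" 2>/dev/null || return 1
    openssl req -in "$dir/csr.pem" -noout -subject -nameopt RFC2253
}

# Constructed sample input.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work" US "Example Org" www.example.test admin@example.test
```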
BIO question
Hi!

I need to export public key from EVP_PKEY * to string (char*) to store it (in XML file). How this could be done?

Sincerely,
Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
Re: BIO question
On Wed, 9 Jan 2002, Vadim Zaliva wrote:

> I need to export public key from EVP_PKEY * to string (char*) to store it (in XML file). How this could be done?

OK, I found something: looks like combination of MEM and BASE64 bio should do the trick. Looking further

Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)
Compile on big endian machine.
What flags need to be defined to compile the crypto Lib on a big endian machine?

Thanks for the help.
Re: BIO question
On Wed, 9 Jan 2002, Vadim Zaliva wrote:

> OK, I found something: looks like combination of MEM and BASE64 bio should do the trick. Looking further

Got it working. Sorry for asking. Still getting used to OpenSSL man pages organization.

Vadim

--
Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)