cert verify question ....

2004-04-01 Thread Carlos Roberto Zainos H
Hi guys !!!
 
Since last time, I've been working with the "openssl verify" command and its options, and it works pretty well, but now I need to implement this certificate verification in C source code.
 
I searched the OpenSSL and SSLeay docs and found an example. I tried to implement it, but it fails. This is part of my source code:

X509 *x;
X509_STORE *csc=NULL;
X509_STORE_CTX *ctx;       /* declared but never allocated with X509_STORE_CTX_new() */
.
x=d2i_X509(NULL, &certificado, length); /* it's ok */

version=X509_get_version(x); /*ok */
.
serial=X509_get_serialNumber(x); /*ok */
..
csc=X509_STORE_new(); /*begin verification example */
printf("paso 1\n");
X509_STORE_set_default_paths(csc);
printf("paso 2\n");
X509_STORE_CTX_init(ctx,csc,x,NULL);  /*fails at this point */
printf("paso 3\n");
i=X509_verify_cert(ctx);
printf("paso 4 \n");
X509_STORE_CTX_cleanup(ctx);
printf("paso final \n");
if (i!=0) /*ok */

Notes: I have a self-signed CA certificate ac.cer and an end-user certificate enduser.cer, both in CER form (no problem).
On the openssl command line I do:
# openssl verify -CAfile ac_b64.cer ac_b64.cer <-|
ac_b64.cer:OK  /*the cert is self-signed */
# openssl verify -CAfile ac_b64.cer end_user_b64.cer <-|
end_user_b64:OK /*the cert was signed by ac.cer */
 
Those are the results I'm looking for.
 
Help is needed again... please.
 
Zainos

Please Help

2004-04-01 Thread Steve OBrien

I am trying to create a situation where
either my Microsoft CA is the root and OpenSSL is subordinate, or vice versa.
Has anyone successfully done this?  I have managed to sign a
subordinate CSR from MS with OpenSSL but I can't figure out how to import
it back.  Sorry if this is a duplicate post; I have been waiting
a couple of hours for my first one to post.
TIA,
Steve

Re: compile problem in latest snap shot

2004-04-01 Thread Dr. Stephen Henson
On Thu, Apr 01, 2004, Frank wrote:

> Just grabbed the latest snapshot of openssl. Got a compile problem that 
> probably needs to be addressed. In file x509_vfy.h the prototype for 
> X509_policy_check() uses a reserved word, explicit:
> 
> int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit,
> 

Oops, just committed a fix.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: default encryption exponent in RSA

2004-04-01 Thread Charles B Cranston
> What is the default encryption exponent used in RSA encryption by OpenSSL?
> Is it e = 2^16 + 1 = 65537?
>
> Does anybody know where I can find this default value in the source files?
It's actually the Public Exponent field in the certificate, so you would
find it in the code that makes new certificates.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Maryland, O=University of Maryland, OU=College 
Park Campus, CN=UMD College Park Root v0
Validity
Not Before: Jun  6 17:15:39 2003 GMT
Not After : Aug 15 17:15:39 2007 GMT
Subject: C=US, ST=Maryland, O=University of Maryland, 
OU=College Park Campus, CN=UMD College Park Root v0
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
^ Here is the public exponent
X509v3 extensions:
X509v3 Subject Alternative Name:
...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


default encryption exponent in RSA

2004-04-01 Thread Reza Curtmola
What is the default encryption exponent used in RSA encryption by OpenSSL?
Is it e = 2^16 + 1 = 65537?

Does anybody know where I can find this default value in the source files?

Thank you!
-Reza



Re: Encrypted attachments

2004-04-01 Thread Dave
OK I did all of that:

  echo "Content-Type: application/x-zip-compressed;" > /users/email/attach.txt
  echo "  name=\"$f_name\"" >> /users/email/attach.txt
  echo "Content-Transfer-Encoding: base64" >> /users/email/attach.txt
  echo "Content-Disposition: attachment;" >> /users/email/attach.txt
  echo "  filename=\"$f_name\"" >> /users/email/attach.txt
  echo "" >> /users/email/attach.txt   # empty line that separates the MIME headers from the body
  /opt/apache/ssl/bin/openssl base64 -in /users/ali/$f_name >> /users/email/attach.txt
  /opt/apache/ssl/bin/openssl smime -encrypt \
  -in /users/email/attach.txt \
  /users/email/Trob.pem \
  | /usr/sbin/sendmail [EMAIL PROTECTED]

Now this works great without the encryption.  But when I add the encryption,
I see that it is encrypted (little lock), has an attachment (little paper
clip), and is named correctly, but it is zero bytes.  Also I can see the file
in the message source.

Any ideas?
- Original Message -
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 31, 2004 4:13 PM
Subject: Re: Encrypted attachments


> On Wed, Mar 31, 2004, Dave wrote:
>
> > Here is how I am doing it:
> >   uuencode /users/ali/$f_name  $f_name \
> >   | /usr/local/ssl/bin/openssl smime -encrypt \
> >/users/email/Trob.pem \
> >   | /usr/sbin/sendmail [EMAIL PROTECTED]
> >
> > The details tab seems to show the file just fine:
> > begin 644 eei.zip
> > [EMAIL PROTECTED](`"16CRZ,@
> >
> > However Outlook does not show this as an attachment.  Unencrypted it looks
> > about the same but Outlook sees it as an attachment.
> >
>
> That's because its uuencoded and not MIME. Base64 encode it with something
> like this:
>
> openssl base64 -in whatever.zip -out whatever.b64
>
> then precede that with appropriate MIME headers for example:
>
> Content-Type: application/x-zip-compressed
> Content-Transfer-Encoding: base64
>
> If you can get that to show up as an attachment then try it with the smime
> command. You could also try creating an email with outlook with an attachment
> and copying what it does.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk



Re: compile problem in latest snap shot

2004-04-01 Thread Charles B Cranston
OOPS, sorry, it is a C++ reserved word even though it is
not a C reserved word, and I guess it would be a Good Idea
for OpenSSL to be callable from C++ as it used to be...
Charles B Cranston wrote:

> We cannot find "explicit" as a reserved word in a (fairly old)
> ANSI C book.  Is this the GNU compiler or a vendor compiler?
> Could this be a vendor-specific extension?  Is there a compiler
> command line switch to remove vendor-specific extensions?
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Re: compile problem in latest snap shot

2004-04-01 Thread Charles B Cranston
We cannot find "explicit" as a reserved word in a (fairly old)
ANSI C book.  Is this the GNU compiler or a vendor compiler?
Could this be a vendor-specific extension?  Is there a compiler
command line switch to remove vendor-specific extensions?
Would the GNU compiler work better anyway?

> Just grabbed the latest snapshot of openssl. Got a compile problem that 
> probably needs to be addressed. In file x509_vfy.h the prototype for 
> X509_policy_check() uses a reserved word, explicit:
>
> int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit,
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


compile problem in latest snap shot

2004-04-01 Thread Frank
Just grabbed the latest snapshot of openssl. Got a compile problem that 
probably needs to be addressed. In file x509_vfy.h the prototype for 
X509_policy_check() uses a reserved word, explicit:

int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit,

Thanks,

Frank



Re: openssl correcting exponent for keyhash?

2004-04-01 Thread Lutz Feldgen
Hi Dr. Henson,

Dr. Stephen Henson wrote:
> On Thu, Apr 01, 2004, Lutz Feldgen wrote:
>
> > Hi,
> >
> > I'm trying to figure out OpenSSL's handling of keys with a negative exponent (to
> > be exact, the exponent of a 1024-bit key seems to be missing the first
> > byte). It also seems that OpenSSL then automatically adds this
> > null byte, as there are no negative exponents... and my codec does not. Am I
> > right with this guess?
> >
> > The problem is that my OCSP responder takes the raw key of a certificate
> > for hashing and comparing to the key hash of an OCSP request.
> > Somehow OpenSSL calculates a different key hash than I do if the key is like I
> > described above.
> > Can anybody help me a little in this case?
>
> The key will be interpreted as positive by effectively inserting the missing
> leading zero as you said.

Ok.

> The hash however should be based on the encoded format (as specified by the
> RFC) and if that doesn't include the leading zero it will hash without it.

The problem is that I tried with the encoded key, but the hashes of the 
correct certificates (respectively the correct keys) were different from 
the ones the ISIS-MTT testbed built. When I switched to digesting the 
raw key everything went fine, except for the certificates with the "bad" keys...

> You might try reencoding the key using the openssl utilities and calculating
> the hash manually to see if that matches the expected value.

I will try this to check out whether this could solve my problem, but 
unfortunately this will not really help at all, as the issue is with 
already existing keys and certificates I cannot reencode and resign ;(

Thanks for the quick answer,

regards,

Lutz Feldgen

--
PGP-Key available at
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D78987




Re: openssl correcting exponent for keyhash?

2004-04-01 Thread Dr. Stephen Henson
On Thu, Apr 01, 2004, Lutz Feldgen wrote:

> Hi,
> 
> I'm trying to figure out OpenSSL's handling of keys with a negative exponent (to 
> be exact, the exponent of a 1024-bit key seems to be missing the first 
> byte). It also seems that OpenSSL then automatically adds this 
> null byte, as there are no negative exponents... and my codec does not. Am I 
> right with this guess?
> 
> The problem is that my OCSP responder takes the raw key of a certificate 
> for hashing and comparing to the key hash of an OCSP request.
> Somehow OpenSSL calculates a different key hash than I do if the key is like I 
> described above.
> Can anybody help me a little in this case?
> 

The key will be interpreted as positive by effectively inserting the missing
leading zero as you said.

The hash however should be based on the encoded format (as specified by the
RFC) and if that doesn't include the leading zero it will hash without it.

You might try reencoding the key using the openssl utilities and calculating
the hash manually to see if that matches the expected value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: default cipher suit in open ssl

2004-04-01 Thread Amar Desai
rajesh nair wrote:

> I saw all the cipher names but I want to know the default cipher suite 
> supported by the openssl lib.
> If I write a program using openssl without using the 
> SSL_CTX_set_cipher_list() function, what will be the default cipher set?
> (That is, I am not choosing a cipher suite from the list.)

If I didn't misunderstand, it will try to negotiate the strongest possible 
cipher suite. E.g. if I don't use SSL_CTX_set_cipher_list() in both the 
server and the client it chooses AES-256. But it depends on your build 
configuration. E.g. if you choose to turn off AES then I think it will 
choose some other cipher suite. But as Richard said you can make the cipher 
of your choice the default cipher by using SSL_CTX_set_cipher_list().

Amar




X509_STORE_load_locations always not return 1

2004-04-01 Thread 张 琦
In my program, X509_STORE_load_locations(store, CA_FILE, CA_DIR) never 
returns 1. Why? My CA cert is in DER format. 
What is X509_STORE_load_locations's default CA cert format? PEM? But my CA 
cert is in DER format. What should I do?




openssl correcting exponent for keyhash?

2004-04-01 Thread Lutz Feldgen
Hi,

I'm trying to figure out OpenSSL's handling of keys with a negative exponent (to 
be exact, the exponent of a 1024-bit key seems to be missing the first 
byte). It also seems that OpenSSL then automatically adds this 
null byte, as there are no negative exponents... and my codec does not. Am I 
right with this guess?

The problem is that my OCSP responder takes the raw key of a certificate 
for hashing and comparing to the key hash of an OCSP request.
Somehow OpenSSL calculates a different key hash than I do if the key is like I 
described above.
Can anybody help me a little in this case?

Thnx in advance,

Lutz Feldgen

--
PGP-Key available at
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D78987




Re: Programming difficulties

2004-04-01 Thread Carlos Roberto Zainos H
Thanks a lot Dr Stephen, Richard and Bernhard 
 
I made revisions to my source, docs and FAQs and now this works fine ...
 
Best regards
 
Zainos

Re: default cipher suit in open ssl

2004-04-01 Thread Richard Koenning
rajesh nair wrote:

> I saw all the cipher names but I want to know the default cipher suite supported by 
> the openssl lib.
> If I write a program using openssl without using the SSL_CTX_set_cipher_list() 
> function, what will be the default cipher set?
> (That is, I am not choosing a cipher suite from the list.)

Why won't you use SSL_CTX_set_cipher_list()? Using it you get any 
default you like and don't have to depend on a more or less arbitrary 
OpenSSL default.
Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH


Re: default cipher suit in open ssl

2004-04-01 Thread rajesh nair

> In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 10:52:55 -0500, "rajesh nair" 
> <[EMAIL PROTECTED]> said:
> 
> rajeshnairg> which is the default cipher suite in the openssl library ?
> 
> Whatever is output with "openssl ciphers"
> 
> rajeshnairg> i print all the cipher suites using openssl ciphers , but
> rajeshnairg> i can't find out which is the default cipher suite ?
> 
> You get more (almost all) ciphers when you use the command
> "openssl ciphers ALL".
> 

thanx richard for the reply 

I saw all the cipher names but I want to know the default cipher suite supported by 
the openssl lib.
If I write a program using openssl without using the SSL_CTX_set_cipher_list() 
function, what will be the default cipher set?
(That is, I am not choosing a cipher suite from the list.)

once more thanx for the response 





Re: OPENSSL_NO_KRB5

2004-04-01 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 12:52:56 -0800, "BV" <[EMAIL PROTECTED]> said:

openssl> Can somebody explain or point me to docs on this flag?
openssl> 
openssl> I'm not sure why Kerberos 5 would be excluded by default...
openssl> 
openssl> If I want Kerberos support, should I remove this flag from the make file ?

You should configure properly.  The krb5 configuration options break
from the usual format a little bit.  The two options --with-krb5-dir
and --with-krb5-flavor are mandatory to enable krb5 support.  See the
comments in Configure.

Note that there have been changes in the MIT Kerberos libraries
recently, and recent experience has shown that OpenSSL doesn't
interface with more modern versions (1.3.0 and up, maybe?).

Also, although OpenSSL has the ambition to work with Heimdal some day,
it hasn't happened yet, mostly because of incompatibilities between
the private functions in MIT Kerberos and Heimdal.  Of course, we
shouldn't use those private functions at all, but I don't have enough
knowledge to figure out what we should do instead (I haven't coded the
stuff we have today).  I've a half promise of help from someone in the
Heimdal team, but it hasn't happened yet...

Because of all the current problems, we have chosen to make Kerberos
support a selectable feature, to be selected "at your own risk"
because it's rather shaky.  When that code stabilises, I might change
it to become default if available on the building system.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/



Re: default cipher suit in open ssl

2004-04-01 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 10:52:55 -0500, "rajesh nair" <[EMAIL PROTECTED]> said:

rajeshnairg> which is the default cipher suite in the openssl library ?

Whatever is output with "openssl ciphers"

rajeshnairg> i print all the cipher suites using openssl ciphers , but
rajeshnairg> i can't find out which is the default cipher suite ?

You get more (almost all) ciphers when you use the command
"openssl ciphers ALL".

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

