PKCS_encrypt problem
Hi everybody. I'll explain my problem with PKCS7_encrypt(). I have a message in ASN1 converted to DER, which I need first to sign and after that, envelop the PKCS7 obtained. That is, I sign the message, obtaining a PKCS7. Well, there is no problem to obtain the original data from the signed message. I then envelop the signed data, obtaining a new PKCS7. The problem occurs when I try to obtain the original message. When I develop the enveloped message I obtain an empty PKCS7 structure. I don't understand what can be happening. This is my code:

    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/pkcs7.h>

    /* Signing the original message (present in "data") */
    OpenSSL_add_all_algorithms();
    certs = sk_X509_new_null();
    // Put the data to be signed into the bio
    bio = BIO_new(BIO_s_mem());
    int leidos = BIO_write(bio, data, long_data);
    BIO_flush(bio);
    // Sign the data
    PKCS7 *signedData = PKCS7_sign(cert_cli, priv_key_cli, certs, bio, 0);

-- I can obtain the original message from signedData

    /* Enveloping the signed message */
    // Add the receiver's certificate to the recipient list
    encerts = sk_X509_new_null();
    sk_X509_push(encerts, cert_recep);
    // Put the content that must be enveloped into a bio
    bio2 = BIO_new(BIO_s_mem());
    int long_ = i2d_PKCS7(signedData, NULL);
    leidos = BIO_write(bio2, signedData, long_);
    BIO_flush(bio2);
    // The cipher we are going to use
    const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
    // Envelop the content
    PKCS7 *envelopedData = PKCS7_encrypt(encerts, bio2, cipher, 0);

--- I obtain an empty PKCS7 structure when I develop envelopedData

Any suggestions? Thanks
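The same sign-then-envelope-then-unwrap round trip, done with the openssl command-line tool as an added example (not the poster's code, and not an answer from the list). The point it isolates is step 2: the plaintext of the envelope must be the DER bytes of the signed PKCS7 (in C, i2d_PKCS7_bio(bio2, signedData)); BIO_write(bio2, signedData, long_) copies bytes from the PKCS7 struct itself, which is not a DER encoding. It assumes an openssl binary on PATH and generates throwaway self-signed signer and recipient certificates inside the script.

```sh
#!/bin/sh
# Sign, envelope, decrypt, verify: a constructed demo, not the poster's code.
set -e

pkcs7_roundtrip() {
    # Scratch directory so nothing is left on disk afterwards.
    dir=$(mktemp -d)
    printf 'hello from the signer\n' > "$dir/msg.txt"

    # Throwaway self-signed certs: one signer, one recipient (demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=signer \
        -keyout "$dir/signer.key" -out "$dir/signer.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=recipient \
        -keyout "$dir/recip.key" -out "$dir/recip.crt" 2>/dev/null

    # 1. Sign: a PKCS7 signedData in DER with the content embedded (-nodetach).
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$dir/signer.crt" -inkey "$dir/signer.key" \
        -in "$dir/msg.txt" -out "$dir/signed.der"

    # 2. Envelope: the DER bytes of the signed PKCS7 are the plaintext.
    #    -binary stops the tool from CRLF-canonicalising (and corrupting) them.
    openssl smime -encrypt -binary -des3 -outform DER \
        -in "$dir/signed.der" -out "$dir/enveloped.der" "$dir/recip.crt"

    # 3. Recipient decrypts the envelope, getting the signed PKCS7 DER back...
    openssl smime -decrypt -inform DER -in "$dir/enveloped.der" \
        -recip "$dir/recip.crt" -inkey "$dir/recip.key" -out "$dir/signed2.der"

    # 4. ...then verifies the signature to recover the original content.
    #    -noverify skips chain validation only because the demo cert is self-signed;
    #    real code must validate the signer chain against a trusted CA.
    openssl smime -verify -binary -inform DER -noverify \
        -in "$dir/signed2.der" -out "$dir/recovered.txt"

    if cmp -s "$dir/msg.txt" "$dir/recovered.txt"; then
        rm -rf "$dir"
        echo ok
        return 0
    fi
    rm -rf "$dir"
    return 1
}
```

Run the function and expect it to print ok; any step that fails (including a corrupted DER in step 2) aborts the script under set -e.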
Certificate prompting password
Hi, I have created a CA certificate and key as follows:

    ./bin/openssl req -new -x509 -keyout ./private/CAkey.pem \
        -out ./private/CAcert.pem -config openssl.cnf

It prompted me to enter a password. I have created a certificate request as follows:

    ./bin/openssl req -new -keyout ServerKey.pem -out ServerReq.pem -days 360 \
        -config openssl.cnf

Then I have signed it as follows:

    cat ServerReq.pem ServerKey.pem > CSR.pem
    ./bin/openssl ca -policy policy_anything -out ServerCert.pem -config openssl.cnf -infiles CSR.pem

This also prompted me to enter a password. When I use ServerCert.pem it prompts for the password. My questions are:

Can we avoid that password prompt when we use the certificates?
Are the above commands/procedures correct?
I am getting SSL_ERROR_WANT_READ each time I use those certificates.

Thanks
P
Upgrading Openssl in a RHL 8 System
Hello. It's a nice-looking RHL 8 system with version openssl-0.9.6b-29. It needs to be upgraded to the latest version. A note on www.openssl.org: http://www.openssl.org/support/faq.html#BUILD8 The above refers to "RHL 7.0 and later".

1. Does anybody know the best way to do an "upgrade" of openssl w/o breaking other programs in the system? I did an rpm -e openssl; it lists other programs that depend on it. Although it can be forced to ignore dependencies, best not to with openssl, I think.

2. If I install from source, can I assume it will go just fine?

Newbie here. TIA!
Adding extension to X509_REQ
Hi all. First of all, thank you so much for the answers about JAVA-OpenSSL; those really were helpful for me. Another time I will detail what I'm trying to do, even though JNI profiles like my solution.

This time my question is about including in an X509_REQ a subfield which contains the serial number and the DN of the "installer". Let me explain a little bit: my team is trying to install an application (client) oriented to getting information about the PCs of our organization. The client is installed with the approval and authorization of an "installer" (a human), who supplies his certificate and his private key (for auditing purposes). After this, the installer program makes a CSR, signs it with the installer's private key and sends it to the CA. The CA verifies the request and, if it was signed by a "valid installer", signs and issues the certificate and notifies the installer program. At this moment we have only one "installer", but in the future there will be a lot of them.

I've been thinking that it could be a good idea to add to the CSR the serial number and the DN of the installer, so that the CA could search for the serial number and/or DN in the certs database. I thought of using REQ extensions, but I don't know if this is possible and how to do it.

Thanks in advance for your replies.

Zainos
CSR challenge password: What's the point?
What is the purpose of the CSR challenge password? I notice it's optional. Is it only for the CA to verify the request?

--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: CSR challenge password: What's the point?
Randall Perry wrote:
> What is the purpose of the CSR challenge password? I notice it's optional. Is it only for the CA to verify the request?

I am also wondering how I can get the password prompt to appear for verification of the right user?

sam
Re: lag using openssl
To answer my own question again: the problem was solved when I realized that doing a select() on the socket file descriptor is not enough to know when there is data to read...

VERY IMPORTANT: You must also check SSL_pending(...) to see if there is data which openssl has readily available for reading. A note about this in the documentation for SSL_read() would be nice (or at *least* a see also).

So it wasn't a hesitation to send out data, but *my* hesitation to read it.

-- Davy

Davy Durham wrote:
> I'm using openssl in some code that very much expects data to get sent when the write operation occurs. I *think* I'm noticing openssl hesitating to write data sometimes. I'm not ruling out it being my doing yet, but when I remove openssl from the layers of code, I'm not seeing the problem. Nagle's algorithm is disabled. Could this be happening?
>
> (Not that I am, but) if I wanted to write 1-byte messages, should they get sent as I write them? If not, is there a way to force this behavior? Is there a flush operation that I have to call? Is there a way to make it always do that? I know data has to be written in records, but can a record be 1 byte?