PKCS_encrypt problem

2004-05-21 Thread Antonio Andrés Espallardo



Hi everybody. Let me explain my problem with PKCS7_encrypt(). I have a message in ASN.1 converted to DER, which I need first to sign and after that envelop the PKCS7 obtained. That is, I sign the message, obtaining a PKCS7. Well, there is no problem obtaining the original data from the signed message. I now envelop the signed data, obtaining a new PKCS7. The problem occurs when I try to obtain the original message. When I develop the enveloped message I obtain an empty PKCS7 structure. I don't understand what can be happening. This is my code:

/* Signing the original message (present in "data") */

OpenSSL_add_all_algorithms();
certs = sk_X509_new_null();

// Put the data to be signed into a BIO
bio = BIO_new(BIO_s_mem());
int leidos = BIO_write(bio, data, long_data);
BIO_flush(bio);

// Sign the data
PKCS7 *signedData = PKCS7_sign(cert_cli, priv_key_cli, certs, bio, 0);
-- I can obtain the original message from signedData

/* Enveloping the signed message */

// Add the receiver's certificate to the recipient list
encerts = sk_X509_new_null();
sk_X509_push(encerts, cert_recep);

// Put the content to be enveloped into a BIO
bio2 = BIO_new(BIO_s_mem());
int long_ = i2d_PKCS7(signedData, NULL);
leidos = BIO_write(bio2, signedData, long_);   // writes the PKCS7 struct itself; long_ is the length of its DER encoding
BIO_flush(bio2);

// The cipher we are going to use
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();

// Envelop the content
PKCS7 *envelopedData = PKCS7_encrypt(encerts, bio2, cipher, 0);
--- I obtain an empty PKCS7 structure when I develop envelopedData


Any suggestions? Thanks


Certificate prompting password

2004-05-21 Thread SM KP
Hi

I have created a CA certificate and Key as follows:

./bin/openssl req -new -x509 -keyout ./private/CAkey.pem -out ./private/CAcert.pem -config openssl.cnf

It prompted to enter password.

I have created a Certificate request as follows:

./bin/openssl req -new -keyout ServerKey.pem -out ServerReq.pem -days 360 -config openssl.cnf

Then I have signed it as follows:

 cat ServerReq.pem ServerKey.pem > CSR.pem
 ./bin/openssl ca -policy policy_anything -out ServerCert.pem -config openssl.cnf -infiles CSR.pem

This also prompted to enter a password.

When I use the ServerCert.pem it prompts for the password.


My questions are:

Can we avoid that password prompt when we use the certificates?

Are the above commands/procedures correct?

I am getting SSL_ERROR_WANT_READ each time I use those certificates.


Thanks
P


Upgrading Openssl in a RHL 8 System

2004-05-21 Thread Carlos Sunden
Hello. It's a nice-looking RHL 8 system with version openssl-0.9.6b-29. Needs to be upgraded to the latest version.

A note on www.openssl.org
http://www.openssl.org/support/faq.html#BUILD8
The above refers to "RHL 7.0 and later".

1. Anybody know the best way to do an "upgrade" of openssl w/o breaking other programs in the system? I did an rpm -e openssl; it lists other programs that depend on it. Although it can be forced to ignore dependencies, best not to with openssl, I think.
2. Should a source be installed; assume it will go just fine?

Newbie here.
TIA!

Adding extension to X509_REQ

2004-05-21 Thread Carlos Roberto Zainos H
Hi all

First of all, thank you so much for the answers about JAVA-OpenSSL, those really were helpful for me. Another time I will detail what I'm trying to do, even though JNI profiles like my solution.

This time my question is about including in a X509_REQ a subfield which contains the serial number and the DN of the "installer". Let me explain a little bit:

My work team is trying to install an application (client) oriented to get information from the PCs of our organization. The client is installed with the approval and authorization of an "installer" (a human), which supplies his certificate and his private key (for auditing purposes). After this, the installer program makes a CSR, signs it with the installer private key and sends it to the CA. The CA verifies the request and, if it was signed by a "valid installer", signs and issues the certificate and notifies the installer program.

At this moment we have only one "installer" but in the future there will be a lot of them. I've been thinking that it could be a good idea to add in the CSR the serial number and the DN of the installer so that the CA could search for the serial number and/or DN in the certs database.

I thought of using REQ extensions but I don't know if this is possible and how to do this.

Thanks in advance for your replies

Zainos

CSR challenge password: What's the point?

2004-05-21 Thread Randall Perry
What is the purpose of the CSR challenge password. I notice it's optional.
Is it only for the CA to verify the request?

-- 
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: CSR challenge password: What's the point?

2004-05-21 Thread Mr Bean
Randall Perry wrote:
What is the purpose of the CSR challenge password. I notice it's optional.
Is it only for the CA to verify the request?
 

I am also wondering how I can get the password prompt to appear for the
verification of the right user?

sam


Re: lag using openssl

2004-05-21 Thread Davy Durham
To answer my own question again:
The problem was solved when I realized that doing a select() on the 
socket file descriptor is not enough to know when there is data to read... 

VERY IMPORTANT: You must also check SSL_pending(...) to see if there is 
data which openssl has readily available for reading.

A note about this in the documentation for SSL_read() would be nice (or 
at *least* a see also)

So it wasn't a hesitation to send out data, but *my* hesitation to read it.
-- Davy

Davy Durham wrote:
I'm using openssl in some code that very much expects data to get sent 
when the write operation occurs.

I *think* I'm noticing openssl hesitating to write data sometimes.  
I'm not ruling out it being my doing yet, but when I remove openssl 
from the layers of code, I'm not seeing the problem.

Nagle's algorithm is disabled.
Could this be happening?  (Not that I am but,) If I wanted to write 1 
byte messages, should they get sent as I write them?  If not, is there 
way to force this behavior?  Is there a flush operation that I have to 
call?  Is there a way to make it always do that?

I know data has to be written in records, but can a record be 1 byte?
