Detached Signature
Hello everybody, I want to save a detached signature and I don't know what structure to use and how to fill it. The signature is created by a smartcardterminal and I want to save it in a standardized way for later verification. Any suggestions? Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Detached Signature
You should see the example sign.c in openssl crypto lib. detached signature can be saved in PKCS7 format. Good luck! Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hello everybody, I want to save a detached signature and I don't know what structure to use and how to fill it. The signature is created by a smartcardterminal and I want to save it in a standardized way for later verification. Any suggestions? Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: Detached Signature
Hi, thanks for the hint. Do I always need to use a private key to create a PKCS7 format? If yes, how do I decrypt the PKCS7 format on the verification side? Frank Wockenfuß _ Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Hien Truong Thu Gesendet: Montag, 30. Juli 2007 12:37 An: openssl-users@openssl.org Betreff: Re: Detached Signature You should see the example sign.c in openssl crypto lib. detached signature can be saved in PKCS7 format. Good luck! Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hello everybody, I want to save a detached signature and I don't know what structure to use and how to fill it. The signature is created by a smartcardterminal and I want to save it in a standardized way for later verification. Any suggestions? Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Error while encryption or Decrypting
Dear brad Thanks for the advice and the hint I have been through the free commands to check where the error occured In APPS folder in enc.c file whenever I comment this line(640) if (benc != NULL) BIO_free(benc); the dump core disappear I am working in check what does this line mean and what is benc regards On 7/29/07, Brad Hards [EMAIL PROTECTED] wrote: On Saturday 28 July 2007 01:49, Pink Princess wrote: *** glibc detected *** /home/noura/workspace/256OpenSSL/apps/openssl: double free or corruption (!prev): 0x0820d170 *** This is the most likely problem - you are free()ing memory that has already been free()d. Maybe you are free()ing memory that openssl is cleaning up later. Try running under valgrind or a debugger. Brad
Re: Detached Signature
Hi, Yes, you need to use a private key to create a PKCS7 signature. Beside, you need to create a certificate which corresponding to your privkey, then this cert will be used to verify your signature. You can use Openssl command line to create key and cert Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hi, thanks for the hint. Do I always need to use a private key to create a PKCS7 format? If yes, how do I decrypt the PKCS7 format on the verification side? Frank Wockenfuß -- *Von:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *Im Auftrag von *Hien Truong Thu *Gesendet:* Montag, 30. Juli 2007 12:37 *An:* openssl-users@openssl.org *Betreff:* Re: Detached Signature You should see the example sign.c in openssl crypto lib. detached signature can be saved in PKCS7 format. Good luck! Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hello everybody, I want to save a detached signature and I don't know what structure to use and how to fill it. The signature is created by a smartcardterminal and I want to save it in a standardized way for later verification. Any suggestions? Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
AW: Detached Signature
I will try it and ask again if there are more questions. Thank you Frank Wockenfuß _ Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Hien Truong Thu Gesendet: Montag, 30. Juli 2007 13:32 An: openssl-users@openssl.org Betreff: Re: Detached Signature Hi, Yes, you need to use a private key to create a PKCS7 signature. Beside, you need to create a certificate which corresponding to your privkey, then this cert will be used to verify your signature. You can use Openssl command line to create key and cert Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hi, thanks for the hint. Do I always need to use a private key to create a PKCS7 format? If yes, how do I decrypt the PKCS7 format on the verification side? Frank Wockenfuß _ Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Hien Truong Thu Gesendet: Montag, 30. Juli 2007 12:37 An: openssl-users@openssl.org Betreff: Re: Detached Signature You should see the example sign.c in openssl crypto lib. detached signature can be saved in PKCS7 format. Good luck! Hien TTT On 7/30/07, Wockenfuß, Frank [EMAIL PROTECTED] wrote: Hello everybody, I want to save a detached signature and I don't know what structure to use and how to fill it. The signature is created by a smartcardterminal and I want to save it in a standardized way for later verification. Any suggestions? Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
pkcs#7 structure with existing signature value
Hello, I hope someone can help. I have an existing signature which was made with a smartcard. So, how can I create a valid pkcs#7 structure which contains this signature value. I appreciate any thoughts, references, samples or other help! Thanks and best regards Christian Wiesbauer
Problems with SSL_read() - SSL_ERROR_SYSCALL
Hi All, we are working on client - server architecture. We are using openssl for communication. My problem is that - while transferring data, SSL_read() always fails (after transferring few KB of data). The follwoing error is returned - -- SSL_read() returns SSL_ERROR_SYSCALL error:0005:lib(0):func(0):DH lib --- This always happens between data transfer. Here's the code snippet gSSL = SSL_new(ctx); SSL_set_fd(gSSL, m_Socket); result = SSL_connect(gSSL); //Get certificate ** the following piece of code is giving problem ret=select(1,sckt,NULL,NULL, timeout); ERR_clear_error(); ret = SSL_read(gSSL,buffer,size); Any help is much appreciated. Warm Regards, Arun S.
RE: Error while encryption or Decrypting
That line means if benc still points at something, free it. The problem is - more likely than not, somebody has already freed benc, but did not set benc to zero (or NULL). As a result, this check (line 640) says benc is not zero, so it must be pointing at something that must be freed, so invoke the free(). Trace the use of benc and make sure whoever freed it before line 640, also set it to zero. Better way of freeing in the context would be: if (benc != NULL) { if (BIO_free(benc) == 0) abort_with_error(Cannot free benc!); benc = 0; } where abort_with_error() is your own function. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pink Princess Sent: Monday, July 30, 2007 06:50 To: Brad Hards Cc: openssl-users@openssl.org Subject: Re: Error while encryption or Decrypting Dear brad Thanks for the advice and the hint I have been through the free commands to check where the error occured In APPS folder in enc.c file whenever I comment this line(640) if (benc != NULL) BIO_free(benc); the dump core disappear I am working in check what does this line mean and what is benc regards On 7/29/07, Brad Hards [EMAIL PROTECTED] wrote: On Saturday 28 July 2007 01:49, Pink Princess wrote: *** glibc detected *** /home/noura/workspace/256OpenSSL/apps/openssl: double free or corruption (!prev): 0x0820d170 *** This is the most likely problem - you are free()ing memory that has already been free()d. Maybe you are free()ing memory that openssl is cleaning up later. Try running under valgrind or a debugger. Brad
Re: i2d_DSAPublicKey
Hi, Edward Chan wrote: When I call this function, I can see from the generated binary data that the format is the public key, followed by the P param, followed by 3 bytes which I don't know what they are, followed by the Q param, followed by the G param. You have got an ASN.1 DER encoding which is Tag || Length || Value Since P, Q, G are integers they'll encoded with the tag of an integer (0x2 i think), followed by a length and then the value bytes. I haven't tried generating more than one DSA pub/priv key pair yet using these params so I don't know if these 3 bytes are the same all the time, but does someone know off hand what those bytes are? If you can tell what those bytes are which are confusing you maybe someone can confirm that you are indeed seeing the ASN.1 tag|length. Is there some standard encoding for how a public key and private key are stored? i.e. do the params always come after the pub/priv key, or before? And do they always appear in the order of P,Q,G? Yes, it is a standard. Please refer to RFC 3279 for DSSParms. -jb -- Tact is the art of making a point without making an enemy. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: i2d_DSAPublicKey
I think you're right. Before the P,Q,G params, I see (0x02, 0x41, 0x00), (0x02, 0x15, 0x00), and (0x02, 0x41, 0x00) respectively. 0x41 and 0x15 appear to be 1 greater than the actual length of the params. Any idea why it is 1 greater than the actual length? But before the public key, I see (0x30, 0x81, 0xDF, 0x02, 0x40). Can you tell me what these values represent? The pubkey is 0x40 bytes. I assume 0x02 is the integer type. What are the first 3 bytes? -Original Message- From: [EMAIL PROTECTED] [mailto:owner-openssl- [EMAIL PROTECTED] On Behalf Of jimmy bahuleyan Sent: Monday, July 30, 2007 6:55 AM To: openssl-users@openssl.org Subject: Re: i2d_DSAPublicKey Hi, Edward Chan wrote: When I call this function, I can see from the generated binary data that the format is the public key, followed by the P param, followed by 3 bytes which I don't know what they are, followed by the Q param, followed by the G param. You have got an ASN.1 DER encoding which is Tag || Length || Value Since P, Q, G are integers they'll encoded with the tag of an integer (0x2 i think), followed by a length and then the value bytes. I haven't tried generating more than one DSA pub/priv key pair yet using these params so I don't know if these 3 bytes are the same all the time, but does someone know off hand what those bytes are? If you can tell what those bytes are which are confusing you maybe someone can confirm that you are indeed seeing the ASN.1 tag|length. Is there some standard encoding for how a public key and private key are stored? i.e. do the params always come after the pub/priv key, or before? And do they always appear in the order of P,Q,G? Yes, it is a standard. Please refer to RFC 3279 for DSSParms. -jb -- Tact is the art of making a point without making an enemy. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: i2d_DSAPublicKey
Hello, I think you're right. Before the P,Q,G params, I see (0x02, 0x41, 0x00), (0x02, 0x15, 0x00), and (0x02, 0x41, 0x00) respectively. 0x41 and 0x15 appear to be 1 greater than the actual length of the params. Any idea why it is 1 greater than the actual length? But before the public key, I see (0x30, 0x81, 0xDF, 0x02, 0x40). Can you tell me what these values represent? The pubkey is 0x40 bytes. I assume 0x02 is the integer type. What are the first 3 bytes? This is ASN.1 sequence. Try openssl asn1parse command to display your file. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: TLS - Block cipher error
Hello, I setup openldap properly with the certs by copying into the correct directory and with the correct permissions and set up slapd.conf with the following entries TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2: +SSLv3 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/server_cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/server_key.pem Slapd starts up successfully using /usr/local/libexec/slapd -d10 -u ldap -h ldap:/// ldaps:/// now the openssl questios: I run /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts and get the error above TLS1_SETUP_KEY_BLOCK cipher or hash unavailable BUT ... If I use the openssl that came with Solaris 11 /usr/sfw/bin/openssl -connect localhost:636 this works properly without error... That version of ssl is 0.8.9a.. Try to esablish connection between openssl s_client and openssl s_server with your compiled version and with these ciphers. Try to run openssl s_client -debug -msg -state to get more information. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL
Hi, Arun Singarajipura wrote: Hi All, we are working on client - server architecture. We are using openssl for communication. My problem is that - while transferring data, SSL_read() always fails (after transferring few KB of data). The follwoing error is returned - -- SSL_read() returns SSL_ERROR_SYSCALL error:0005:lib(0):func(0):DH lib --- In that case you better check what errno has. That can give you a better idea of what went wrong. (although i don't know why that DH lib is present above. I don't think DH is involved in any SSL read/write unless your handshake isn't over and your SSL_read() is in fact completing the handshake). This always happens between data transfer. Here's the code snippet gSSL = SSL_new(ctx); SSL_set_fd(gSSL, m_Socket); result = SSL_connect(gSSL); //Get certificate ** the following piece of code is giving problem ret=select(1,sckt,NULL,NULL, timeout); check what 'ret' is. ERR_clear_error(); ret = SSL_read(gSSL,buffer,size); check errno here if you get a SSL_ERROR_SYSCALL. -jb -- Tact is the art of making a point without making an enemy. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL
Hi, Thanks for the reply. I used WSAGetLastError() just after SSL_read() and the result of this is *Read failed with error 10054: An existing connection was forcibly closed by the remote host.* Warm regards, Arun S. ** On 7/31/07, jimmy bahuleyan [EMAIL PROTECTED] wrote: Hi, Arun Singarajipura wrote: Hi All, we are working on client - server architecture. We are using openssl for communication. My problem is that - while transferring data, SSL_read() always fails (after transferring few KB of data). The follwoing error is returned - -- SSL_read() returns SSL_ERROR_SYSCALL error:0005:lib(0):func(0):DH lib --- In that case you better check what errno has. That can give you a better idea of what went wrong. (although i don't know why that DH lib is present above. I don't think DH is involved in any SSL read/write unless your handshake isn't over and your SSL_read() is in fact completing the handshake). This always happens between data transfer. Here's the code snippet gSSL = SSL_new(ctx); SSL_set_fd(gSSL, m_Socket); result = SSL_connect(gSSL); //Get certificate ** the following piece of code is giving problem ret=select(1,sckt,NULL,NULL, timeout); check what 'ret' is. ERR_clear_error(); ret = SSL_read(gSSL,buffer,size); check errno here if you get a SSL_ERROR_SYSCALL. -jb -- Tact is the art of making a point without making an enemy. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]