[FWD] Build fips test fails
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Steve Alstrin [EMAIL PROTECTED] -

Subject: Build fips test fails
Date: Mon, 12 May 2008 14:58:24 -0500
Thread-Topic: Build fips test fails
Thread-Index: Aci0aok1MMe4GgQHSkmURt21fQVTew==
From: Steve Alstrin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

OpenSSL self-test report:

OpenSSL version: 0.9.7j-dev
Last change: Add new Windows build target VC-32-GMAKE for VC++. This...
Options: no-krb5
OS (uname): Linux unxsalst.pentasafe.com 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 GNU/Linux
OS (config): i686-whatever-linux2
Target (default): linux-pentium
Target: linux-pentium
Compiler: Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)

Failure!
-
make[1]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2'
making all in crypto...
make[2]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto'
making all in crypto/objects...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/objects'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/objects'
making all in crypto/md2...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md2'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md2'
making all in crypto/md4...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md4'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md4'
making all in crypto/md5...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md5'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/md5'
making all in crypto/sha...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/sha'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/sha'
making all in crypto/mdc2...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/mdc2'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/mdc2'
making all in crypto/hmac...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/hmac'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/hmac'
making all in crypto/ripemd...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/ripemd'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/ripemd'
making all in crypto/des...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/des'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/des'
making all in crypto/rc2...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc2'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc2'
making all in crypto/rc4...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc4'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc4'
making all in crypto/rc5...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc5'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/rc5'
making all in crypto/idea...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/idea'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/idea'
making all in crypto/bf...
make[3]: Entering directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/bf'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/Unix2/Unix/salst/ports/openssl-fips-1.1.2/crypto/bf'
making all in crypto/cast...
make[3]: Entering directory
generating PKCS_SIGNER_INFO from signature
Hi

I had a question related to programmatic usage of the open-ssl libraries. I have a need to generate a PKCS object from an existing PEM RSA signature, X509 verification certificate, the CA chain certificate and the clear data. Rest of the stuff is clear and understandable, but I am not able to use my PEM format RSA signature to generate a PKCS_SIGNER_INFO object and make it a part of the PKCS7 blob. Can you help me and let me know as to how to populate an existing PEM format RSA signature into a new pkcs7 object?

Regards
Ashish
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Implementing a custom cryptographic function
Hi

I want to compile ccgost (available in openssl 0.9.9) on Windows. But the Makefile generates an error. Could you give me some instructions about building it? (I've used Microsoft Compiler, GCC, Cygwin)
Re: Implementing a custom cryptographic function
Hi

I want to write a simple dynamic engine. Is there any documentation about writing and using it? Could anyone send me a sample dynamic engine? Yes, there is ccgost, but I need a simpler code (so I understand it faster; cause I only want to add a new cryptographic function)
Problem in compiling ccgost on Windows and Linux
Hi

I'm trying to build ccgost. In windows (MinGW) the error is:

C:\Users\Mehdi\Desktop\openssl 0.9.9\openssl\engines\ccgost>make
(cd ../..; make DIRS=engines EDIRS=ccgost sub_all)
process_begin: CreateProcess(NULL, (cd ../..; make DIRS=engines EDIRS=ccgost sub _all), ...) failed.
make (e=2): The system cannot find the file specified.
make: *** [top] Error 2
C:\Users\Mehdi\Desktop\openssl 0.9.9\openssl\engines\ccgost>

in Linux Ubuntu:

(cd ../..; make DIRS=engines EDIRS=ccgost sub_all)
make[1]: Entering directory `/home/mehdi/openssl'
making all in engines...
make[2]: Entering directory `/home/mehdi/openssl/engines'
cl -I../include -DOPENSSL_THREADS -DDSO_WIN32 -W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o e_4758cca.o e_4758cca.c
make[2]: cl: Command not found
make[2]: *** [e_4758cca.o] Error 127
make[2]: Leaving directory `/home/mehdi/openssl/engines'
make[1]: *** [build_engines] Error 1
make[1]: Leaving directory `/home/mehdi/openssl'
make: *** [top] Error 2

Is there any hack/tweak to build ccgost?
Problem in compiling openssl 0.9.9 with MinGW
I've successfully compiled and installed openssl 0.9.9 with Microsoft C/C++ compiler, but in MinGW, in the config step, this error generates:

RC4_CHUNK is undefined
e_os2.h = include/openssl/e_os2.h
making $target in $dir...
'TOP' is not recognized as an internal or external command, operable program or batch file.
make: *** [links] Error 1
Certificate chain utilities
Hello,

I need to create a certificate chain. The inputs are my own certificate, a list of root certificates, a list of intermediate certificates and the distinguished name of the root CA the peer trusts. The certificate chain I need to create shall start with my own cert, and end with the root CA the peer trusts. Are there any utility functions in openssl that do this? When browsing through the code and header files I found that X509_STORE and X509_STORE_CTX seem to do similar things to what I am searching for. However, I have not been able to find any documentation for these functions. Is there any documentation available somewhere that I have missed?

Regards
Roger
Re: Certificate chain utilities
On May 13, 2008 08:42:13 am Roger No-Spam wrote:

> Hello,
> I need to create a certificate chain. The inputs are my own certificate, a list of root certificates, a list of intermediate certificates and the distinguished name of the root CA the peer trusts. The certificate chain I need to create shall start with my own cert, and end with the root CA the peer trusts. Are there any utility functions in openssl that do this? When browsing through the code and header files I found that X509_STORE and X509_STORE_CTX seem to do similar things to what I am searching for. However, I have not been able to find any documentation for these functions. Is there any documentation available somewhere that I have missed?

If you are building and validating certificate chains, you may want to take a look at Pathfinder (http://pathfinder-pki.googlecode.com). Remember, there are LOTS of rules for validating certificates, and just checking that there is a signature path between two certs is insufficient in most cases, if you want to have real trust.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect, Carillon Information Security Inc.
http://www.carillon.ca
Re: Implementing a custom cryptographic function
On 2008.05.11 at 10:25:39 +0330, Mehdi Asgari wrote:

> Hi
> I want to compile ccgost (available in openssl 0.9.9) on Windows. But the Makefile generates an error. Could you give me some instructions about building it? (I've used Microsoft Compiler, GCC, Cygwin)

Could you give more information - post error message, for example?

Really, I don't understand what you mean by listing GCC and Cygwin in the same list as Microsoft Compiler. Cygwin compiler is GCC. One of ports of GCC to windows.

Really, ccgost engine was developed using GCC on various platforms. On Windows we prefer to use Mingw32 port of GCC rather than Cygwin, although it is possible to produce native windows binaries with Cygwin gcc (using -mno-cygwin switch to the compiler).

Even better - to use mingw cross-compiler running on some Unix platform to build windows executables.

Typically you do the following:

perl Configure mingw shared
make

If you are doing cross-compiling, you also have to add the --cross-compile-prefix option to the Configure command line. For instance, on Debian Linux with mingw32 cross-compiler included in the distribution, you run

./Configure mingw shared --cross-compile-prefix=i586-mingw32msvc-
Unable to fetchmail problem SSL enabling
Hi,

I tried to connect to pop.gmail.com using openssl

$ openssl s_client -connect pop.gmail.com:995 \
    -CApath /usr/share/ssl/certs -quiet
-
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
+OK Gpop ready for requests from 122.167.6.196 y11pf6904269pod.0
read:errno=0
-

What is the meaning of "unable to get local issuer certificate"? Do I need to create any other certificates?

Regards,
Naveen.
Unable to fetchmail problem SSL enabling
Hi all,

I am trying to receive the mail from gmail using fetchmail command in arm embedded (pxa-255) target, but ended up with the error.

$fetchmail -vk
fetchmail: WARNING: Running as root is discouraged.
fetchmail:/root/.fetchmailrc:2: SSL is not enabled at ssl

So, I planned to enable the openssl; the procedure I followed is:

1) Generated the keys for SSL using

$ cd /usr/share/ssl/certs/
$ openssl genrsa -out privkey.pem 2048
-
Generating RSA private key, 2048 bit long modulus
..+++
+++
e is 65537 (0x10001)
-
$ openssl dsaparam -out dsaparam.pem 2048
-
Generating DSA parameters, 2048 bit long prime
This could take some time
.+++*
+..+.+++*
-
$ openssl gendsa -out privkey.pem dsaparam.pem
Generating DSA key, 2048 bits

2) exported the path of the openssl conf

$ export OPENSSL_CONF=/etc/ssl/openssl.cnf

3) created the certificate

$ openssl req -new -key privkey.pem -out cert.csr
--
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISSPL
Organizational Unit Name (eg, section) []:Embedded
Common Name (eg, YOUR name) []:naveen
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---
$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
---
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISSPL
Organizational Unit Name (eg, section) []:embedded
Common Name (eg, YOUR name) []:naveen
Email Address []:[EMAIL PROTECTED]
---

4) $ chmod 644 cacert.pem

5) started openssl

$ openssl x509 -in cacert.pem -fingerprint -subject \
    -issuer -serial -hash -noout
--
MD5 Fingerprint=64:CB:C8:A8:6A:A4:5B:4E:44:5A:8D:4B:04:C5:90:35
subject= /C=IN/ST=karnataka/L=bangalore/O=ISSPL/OU=embedded/CN=naveen/[EMAIL PROTECTED]
issuer= /C=IN/ST=karnataka/L=bangalore/O=ISSPL/OU=embedded/CN=naveen/[EMAIL PROTECTED]
serial=00
5d3b072c
--

6) ln -s cacert.pem 5d3b072c.0

7) Verified the installation of the certificate

$ openssl verify -CApath /usr/share/ssl/certs \
    /usr/share/ssl/certs/cacert.pem
-
/usr/share/ssl/certs/cacert.pem: OK
-

8) But still when I try fetchmail I am getting the same error.

My .fetchmailrc file:
--
user '[EMAIL PROTECTED]' there with password '**' is nkinnovate here options ssl
--

Please guide me how do I debug the issue?

Regards,
Naveen.
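
Added example, not part of the original posts: `verify error:num=20` in the s_client output above means OpenSSL found no certificate for the issuer among its trusted ones, and with `-CApath` that lookup goes by a file named `<subject-hash>.0`, the same kind of link created in step 6. The script reproduces the failure and the fix with a throwaway CA; the subject names, file names and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: how -CApath resolves an issuer certificate.
# The CA, the leaf and all file names are constructed (hypothetical) test data.

# make_pki DIR: create a throwaway root CA and a leaf certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/leaf.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# install_ca CERT DIR: copy CERT into DIR and add the <subject-hash>.0 link
# that OpenSSL looks for when it searches a -CApath directory for an issuer.
install_ca() {
    hash=$(openssl x509 -in "$1" -noout -hash) &&
    cp "$1" "$2/" &&
    ln -sf "$(basename "$1")" "$2/$hash.0"
}

# verify_leaf DIR CERT: print openssl's verdict for CERT using trust directory DIR.
verify_leaf() {
    openssl verify -CApath "$1" "$2" 2>&1
}

# Demo: run as "sh capath_demo.sh demo".
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d) && mkdir "$work/certs" && make_pki "$work"
    echo "== empty CApath =="
    verify_leaf "$work/certs" "$work/leaf.pem"    # fails with error 20
    install_ca "$work/ca.pem" "$work/certs"
    echo "== after adding the issuer and its hash link =="
    verify_leaf "$work/certs" "$work/leaf.pem"    # reports OK
    rm -rf "$work"
fi
```

The directory must hold the certificate of the CA that issued the certificate being checked; a link for an unrelated self-signed certificate does not change the result.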