RC4 and in-buffer encryption with EVP_Encrypt/DecryptUpdate

2008-07-01 Thread Panthers Rock
This question has been asked before and I could find no answers to it in the
archives.

Can one send the same buffer (for in and out parameters) to
EVP_EncryptUpdate and EVP_DecryptUpdate functions when the encryption cipher
is RC4?

Regards,
S M


RE: PEM binary format

2008-07-01 Thread David Schwartz

> Thus, I conclude that there is some format in place, respectively
> how do I know where a bignum starts and where it ends?

The format is ANSI X.690, also known as BER or DER, sometimes (slightly
erroneously) referred to as ASN.1.

> I tried to find a clue by browsing the sources, but I gave up
> confused by all the asn1 parse and nested bio print functions.
>
> Can some one please put me into the right direction? I appreciate
> help and comments!

X.690 is an ITU standard. It is, in fact, still the preferred protocol for
the interchange of binary data. Googling "X.690" should find you lots of
information.

http://asn1.elibel.tm.fr/standards/

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
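
The tag-length-value layout that the X.690 answer above points to, as an added example (not code from the thread or from OpenSSL): a minimal DER reader in C that reports where each INTEGER of a key starts and ends. It assumes the base64-decoded file is a traditional RSAPrivateKey SEQUENCE; `der_read`, `rsa_key_integers` and the toy key bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Read one DER tag-length-value from buf[0..n). Returns bytes consumed, 0 on error. */
static size_t der_read(const unsigned char *buf, size_t n, struct tlv *out)
{
    size_t pos = 2, len;
    if (n < 2) return 0;
    out->tag = buf[0]; len = buf[1];
    if (len & 0x80) {                  /* long form: low 7 bits count the length bytes */
        size_t k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > n - 2) return 0;  /* 0x80 is not DER */
        for (len = 0; k > 0; k--) len = (len << 8) | buf[pos++];
    }
    if (len > n - pos) return 0;       /* content must lie inside the buffer */
    out->val = buf + pos; out->len = len;
    return pos + len;
}

/* RSAPrivateKey is a SEQUENCE (0x30) of INTEGERs (0x02). Fills ints[]; returns count or -1. */
static int rsa_key_integers(const unsigned char *der, size_t n, struct tlv *ints, int max)
{
    struct tlv seq;
    size_t used, off = 0;
    int count = 0;
    if (der_read(der, n, &seq) == 0 || seq.tag != 0x30) return -1;
    for (; off < seq.len; off += used, count++) {
        if (count == max) return -1;
        struct tlv *t = &ints[count];
        used = der_read(seq.val + off, seq.len - off, t);
        if (used == 0 || t->tag != 0x02 || t->len == 0) return -1;
        if (t->len > 1 && t->val[0] == 0) { t->val++; t->len--; }  /* drop sign-padding 00 */
    }
    return count;
}

static const unsigned char TOY_KEY[] = {  /* constructed toy key, p=251 q=241 e=17 */
    0x30, 0x21, 0x02, 0x01, 0x00, 0x02, 0x03, 0x00, 0xEC, 0x4B, /* SEQUENCE(33), version 0, n=60491 */
    0x02, 0x01, 0x11, 0x02, 0x03, 0x00, 0xA5, 0x71,             /* e = 17, d = 42353 */
    0x02, 0x02, 0x00, 0xFB, 0x02, 0x02, 0x00, 0xF1,             /* p = 251, q = 241 */
    0x02, 0x01, 0x67, 0x02, 0x01, 0x71, 0x02, 0x01, 0x19        /* d mod (p-1), d mod (q-1), q^-1 mod p */
};

int main(void)
{
    struct tlv f[9];
    int n = rsa_key_integers(TOY_KEY, sizeof TOY_KEY, f, 9);
    for (int i = 0; i < n; i++) {      /* offset, size and hex digits of each bignum */
        printf("field %d at offset %2d, %u bytes: ", i, (int)(f[i].val - TOY_KEY), (unsigned)f[i].len);
        for (size_t j = 0; j < f[i].len; j++) printf("%02X%s", f[i].val[j], j + 1 == f[i].len ? "\n" : "");
    }
    return n == 9 ? 0 : 1;
}
```

Each returned `val`/`len` pair is a big-endian magnitude, which is the byte order GMP's `mpz_import` accepts with order 1 and size 1. Real keys use the long-form lengths (`0x81`, `0x82`) that `der_read` also handles.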


Re: custom asn1 structure

2008-07-01 Thread harold reggie
Thanks for the response.  Unfortunately I cannot use any other version of
openssl.  Up until now I have been working with the methods provided by
openssl as I described. i2d, ASN1* .

But now you say I have to create 4 new functions. I don't think 0.9.6 follows
the same naming conventions as I don't see many *_asn1.c files.

May there be any code that is doing something similar to what I want so I
may take a look at?


>
> The first piece of advice if possible is DON'T. The ASN1 code changed
> significantly in OpenSSL 0.9.7 and later and as a result it is much easier
> to
> write. All the old code had been rewritten in the new format with the odd
> exception such as SSL_SESSION.
>
> In 0.9.7 there are numerous cases where the standard modules use ASN1; these
> usually have the names *_asn1.c or *_asn.c . There are many (which don't
> follow that naming convention) in crypto/x509v3.
>
> If you have to use 0.9.6 then look at the equivalent files. You have to
> manually write 4 functions foo_new(), foo_free(), i2d_foo() and d2i_foo()
> using macros from asn1_mac.h .
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
>


Re: custom asn1 structure

2008-07-01 Thread Dr. Stephen Henson
On Tue, Jul 01, 2008, harold reggie wrote:

> Hello,
> I am trying to build a custom asn1 structure in my program using openssl
> 0.9.6.
> The structure will have a few sequences / sets with integers,
> printablestrings, etc.
> 
> I am looking for some help on where to begin. I have been poring over the
> openssl code, and have been playing with various methods of creating this
> asn1 structure but I haven't been able to create quite what I need.
> 
> Are there some good examples out there to look at?
> 

The first piece of advice if possible is DON'T. The ASN1 code changed
significantly in OpenSSL 0.9.7 and later and as a result it is much easier to
write. All the old code had been rewritten in the new format with the odd
exception such as SSL_SESSION.

In 0.9.7 there are numerous cases where the standard modules use ASN1; these
usually have the names *_asn1.c or *_asn.c . There are many (which don't
follow that naming convention) in crypto/x509v3.

If you have to use 0.9.6 then look at the equivalent files. You have to
manually write 4 functions foo_new(), foo_free(), i2d_foo() and d2i_foo()
using macros from asn1_mac.h .

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


custom asn1 structure

2008-07-01 Thread harold reggie
Hello,
I am trying to build a custom asn1 structure in my program using openssl
0.9.6.
The structure will have a few sequences / sets with integers,
printablestrings, etc.

I am looking for some help on where to begin. I have been poring over the
openssl code, and have been playing with various methods of creating this
asn1 structure but I haven't been able to create quite what I need.

Are there some good examples out there to look at?

I'm currently doing things this way:

create ASN1_STRING, ASN1_INTEGER..etc
i2d all of them with null and get total size
call ASN1_object_size(1,i,V_ASN1_SEQUENCE); to get total size.
malloc new data size.
i2d with newly malloc'd data.
and finally
ASN1_STRING_set(seq,data,total);

But this does not really produce what I need.
I need something like:
sequence
  set
 object objectname
  printable string string
integervalue

Any help would be appreciated.


Re: asn1 encoding routines:ASN1_get_object:too long

2008-07-01 Thread fbc
I fixed it -- removed FIXCRIO from my qmail smtpd/run file
Sorry for the posting when this wasn't really an openssl problem... but I'd
like to post this follow up just in case someone googles it in the future if
they made the same mistake as me!

On Mon, Jun 30, 2008 at 1:32 PM, fbc <[EMAIL PROTECTED]> wrote:

> I'm running a qmail server on Fedora Core 6 and have the latest version of
> OpenSSL (in the official fc6 yum repositories) for it:
> [EMAIL PROTECTED] control]#* openssl version
> *OpenSSL 0.9.8b 04 May 2006*
>
> Since I upgraded to this newest version, no mail servers have been able to
> make encrypted connections, because of an error:
> [EMAIL PROTECTED] control]#* openssl s_client -starttls smtp -crlf -connect
> mail.myhost.tld:25
> *CONNECTED(0003)
> 24182:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
> long:asn1_lib.c:142:
> 24182:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
> header:tasn_dec.c:1278:
> 24182:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:208:Type=ASN1_PRINTABLE
> 24182:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:tasn_dec.c:749:Field=value, Type=X509_NAME_ENTRY
> 24182:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:tasn_dec.c:710:
> 24182:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:tasn_dec.c:710:
> 24182:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:tasn_dec.c:749:Field=issuer, Type=X509_CINF
> 24182:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:tasn_dec.c:749:Field=cert_info, Type=X509
> 24182:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1
> lib:s3_clnt.c:866:*
>
> Has anyone seen this before?  Google searching and searching the mailing
> list archives hasn't returned anything for me.
> The way I setup qmail (www.qmailtoaster.org) has me setting up the pem
> file like this:
> http://wiki.qmailtoaster.com/index.php?title=Certificate&printable=yes
> Anyone foresee a problem with putting the key, cert and ca bundle of certs
> into one file?
> Thanks for any help
>


Re: using NNTPS (nnrp with ssl) with windows mail / thunderbird on windows vista

2008-07-01 Thread David Hláčik
Hello all,

lately I am facing problems with Certification Authorities as mentioned in
mails attached. Hope anyone knows centos perl script CA for generating
certificates (I believe it is not only centos script and other distros use
it also).
I have used centos script /etc/pki/tls/misc/CA my own certificate authority.
In next steps I am generating requests for certificates to services such as
LDAP,NNRPD and lately signing requests with CA. My approach is to import my
own CA into Windows Vista OS as root CA and trusted, to avoid messages in
clients such as "certificate could not be verified, certificate is not
signed or certificate authority cannot be verified".

When I asked for help at openssl mailinglist I have received interesting
answer :

> Just make sure your certificate is actually one "son" of your CA.
>
> It is right to make one CA cert with the 509 extensions set to CA
>     X509v3 Basic Constraints:
>         CA:TRUE
>     X509v3 Key Usage:
>         Certificate Sign, CRL Sign
>     Netscape Cert Type:
>         SSL CA, S/MIME CA
>
> But it is a mistake to make the "son" as ANOTHER SELF SIGNED cert with those
> extensions not set as CA
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         Netscape Cert Type:
>             SSL Client, SSL Server, S/MIME, Object Signing
>         X509v3 Key Usage:
>             Digital Signature, Non Repudiation, Key Encipherment
>         Netscape Comment:
>
> I know of important companies doing this mistake.
> The second cert has to be one SIGNED by the first CA authority, not a
> selfsigned one with CA fields "off" or false.
> Said in other words: the second cert is the result or output of a CSR
> (certificate signing request) signed by the CA cert.


Yes, that is true, so why this is not so in case of  /etc/pki/tls/misc/CA .
All my generated server certificates signed with own CA, using this script
have :

X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> CC:FC:A1:2D:DE:CD:D1:9E:34:F3:89:08:F9:D6:30:79:AF:EE:6B:94
> X509v3 Authority Key Identifier:
>
> keyid:C7:B9:B0:BC:5A:A2:73:18:02:F2:80:E2:8A:0C:BC:58:0C:87:14:95


Thanks in advance!

DAVID


On Mon, Jun 23, 2008 at 4:02 PM, javierm <[EMAIL PROTECTED]> wrote:

>
> Your logic is correct, in Thunderbird, you have the preferences|advanced and
> this shows you a set of tabs, the last one of which is "Certificates". Press
> View Certificates Button and you get another dialog with 4 tabs
>
> 1.- the first tab (your certificates) is for the pk12 ones
> 2.- other people's certs, for the pem of other people
> 3.- websites certs
> 4.- and authorities to put your CA cert.
>
> Just make sure your certificate is actually one "son" of your CA.
>
> It is right to make one CA cert with the 509 extensions set to CA
>     X509v3 Basic Constraints:
>         CA:TRUE
>     X509v3 Key Usage:
>         Certificate Sign, CRL Sign
>     Netscape Cert Type:
>         SSL CA, S/MIME CA
>
> But it is a mistake to make the "son" as ANOTHER SELF SIGNED cert with those
> extensions not set as CA
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         Netscape Cert Type:
>             SSL Client, SSL Server, S/MIME, Object Signing
>         X509v3 Key Usage:
>             Digital Signature, Non Repudiation, Key Encipherment
>         Netscape Comment:
>
> I know of important companies doing this mistake.
> The second cert has to be one SIGNED by the first CA authority, not a
> selfsigned one with CA fields "off" or false.
> Said in other words: the second cert is the result or output of a CSR
> (certificate signing request) signed by the CA cert.
>
> Thunderbird accepts PEM format, so you don't need the DER transformation.
>
> The above outputs are part of "openssl x509 -in anycert.pem -text"
>
>
>
> David Hlacik wrote:
> >
> > Hello,
> >
> > I have working nnrpd with SSL configuration. I am using my custom generated
> > SSL certificate signed with my own Certification Authority. Each time I am
> > accessing news in Windows Mail client I am getting message, that
> > certificate is not trusted and cannot be verified.
> > I want to get rid of this message by importing my custom CA (or probably
> > custom certificate) into windows certification storage and make it trusted
> > so I will not get this message again.
> >
> > So far, I have converted my cacert.pem to der format using :
> > openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der
> >
> > Then, I have converted my nnrpd certificate to pk12 format using:
> > openssl pkcs12 -export -clcerts -in nnrpd.cert.pem -inkey nnrpd.key.pem -out clcert.p12
> >
> > Then i have by clicking

Re: Dev EVP Unterstand

2008-07-01 Thread Dr. Stephen Henson
On Sat, Jun 28, 2008, Razack wrote:

> I'm not sure, that this code is correct?
>
> thx for help
>
> unsigned char text[]="Hello World!";
> char key[]="password";
> char iv[]="12345678";

[snip]

> EVP_EncryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);

The key for that algorithm is 256 bits and the iv 128 bits. The key and iv
values you specify are too small. This will result in it using whatever data
follows that buffer with unpredictable results.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: TLSv1 problem

2008-07-01 Thread doki_pen

Leonard F. Elia wrote:
TLS v1 (OpenSSL 0.9.8d 28 Sep 2006 / SunOS 5.10 Generic_127127-11 
sun4v sparc SUNW,Sun-Fire-T1000)

and
Firefox 3 [Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) 
Gecko/2008052906 Firefox/3.0]


both work fine for me.


doki_pen wrote:

I think it is a firefox problem and it is because I am using a * cert.  
My cert is for *.mydomain.com.  I think firefox flags it as 
TLS-intolerant and problems ensue.  There are some related bugs on mozilla.



PEM binary format

2008-07-01 Thread Armin Wasicek

Hello!

I want to use openssl generated rsa keys in my custom rsa
implementation. In order to do this, I have to interpret the
binary file created by: (host.key is the rsa key file)

$ openssl enc -d -base64 -in host.key

I suppose the funny outputs are the bignums from the
struct rsa_st  (crypto/rsa/rsa.h)

However, if I display the key file in human readable format,

$ openssl rsa -text -in host.key

open the binary output from the prior command in a hex editor
and search for, e.g., the modulus, I cannot find it. In brief,
the hexadecimal representation and the binary representation do
converge.

Thus, I conclude that there is some format in place, respectively
how do I know where a bignum starts and where it ends?

I tried to find a clue by browsing the sources, but I gave up
confused by all the asn1 parse and nested bio print functions.

Can some one please put me into the right direction? I appreciate
help and comments!

-Armin

ps: My custom rsa library is built on gmp, so I want to convert the
binary data to the mpz_t type later on.


RE: Dev EVP Unterstand

2008-07-01 Thread David Schwartz

> I'm not sure, that this code is correct?

It has some minor issues but appears basically correct.


>EVP_EncryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);
>EVP_EncryptUpdate(&ctx,outbuf,&outlen,text,strlen(text));
>EVP_EncryptFinal_ex(&ctx,outbuf+outlen,&tmplen);
>   outlen+=tmplen;
>EVP_CIPHER_CTX_cleanup(&ctx);

>printf("%s\n",outbuf);

The result of this 'printf' is undefined. The '%s' format specifier
requires a C-style string, and 'outbuf' does not contain a C-style string.
This will most likely just display a few bytes of garbage but it could
crash.

>EVP_DecryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);
>EVP_DecryptUpdate(&ctx,outbuf,&outlen,text,strlen(text));

This is really ugly code. The function 'strlen(text)' tells you the size of
the string stored in text, but what you want is the number of bytes of
storage allocated. (In this case, it doesn't make much difference, but it's
a bad habit to get into and in realistic cases, it will make your code
fail).

>EVP_DecryptFinal_ex(&ctx,outbuf+outlen,&tmplen);
>   outlen+=tmplen;
>EVP_CIPHER_CTX_cleanup(&ctx);
>
>printf("%s\n",text);

Again, in a toy program, this is fine. But in a real program, you need to
make sure you have a C-style string before you pass it through '%s' or call
functions like 'strlen' and 'strcat'. Normally, the result of decrypting is
an arbitrary array of bytes, not a string.

DS




R: R: PEM_read_RSAPublicKey problem

2008-07-01 Thread Marco Sommella
No no, I do it correctly.
PEM_read_RSAPrivateKey()
RSA_sign()

For sign and:

PEM_read_RSAPublicKey()
RSA_verify()

For verify

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Kenneth Goldman
Sent: Monday, 30 June 2008 14:58
To: openssl-users@openssl.org
Subject: Re: R: PEM_read_RSAPublicKey problem

Perhaps the problem is that you're reading the public key and
trying to sign.  Signing uses a private key.

Try:

PEM_read_RSAPrivateKey()
RSA_sign()

[EMAIL PROTECTED] wrote on 06/27/2008 11:31:42 AM:

> Excuse me,
> I'm trying, using C, to do a simple sign and verify with RSA public and
> private keys on pem files.
> Which is the easy way?


Re: R: PEM_read_RSAPublicKey problem

2008-07-01 Thread Kenneth Goldman
Perhaps the problem is that you're reading the public key and
trying to sign.  Signing uses a private key.

Try:

PEM_read_RSAPrivateKey()
RSA_sign()

[EMAIL PROTECTED] wrote on 06/27/2008 11:31:42 AM:

> Excuse me,
> I'm trying, using C, to do a simple sign and verify with RSA public and
> private keys on pem files.
> Which is the easy way?