Re: How to compute all attributes of RSA private key from modulus and private exponent?
delcour.pierre wrote: Metalpalo wrote: Hello Ihave got one question: Does exist some way how to compute all attributes of private key from modulus and private exponent? I think as public exponent, prime1, prime2, exp1, exp2... Thanks My previous answer doesn't answer to your question, sorry, my mistake. Have a nice day, pierre __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Create a key from a password
Hello, I'm writing an OpenSSL C++ application that needs to encrypt and decrypt information using a private key but I'm not supposed to keep the key saved anywhere. So to solve this I'll just generate the same key every time I need it and the plan is to generate it from a password phrase. I couldn't find a good example anywhere on how to do this so any tips will be welcome. Thank you! -- View this message in context: http://www.nabble.com/Create-a-key-from-a-password-tp19089721p19089721.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Create a X509 from a string
Hello everyone, I need to create a X509 certificate from a string. In fact, the string contains the PEM value of the certificate without the -BEGIN CERTIFICATE- and the -END CERTIFICATE-. Here you have an exemple : MIID9jCCAt6gAwIBAgIBATANBgkqhkiG9w0BAQsFADBZMQ0wCwYDVQQKEwRPcmdh MREwDwYDVQQLEwhPcmdhTmFtZTEOMAwGA1UEAxMFLnJvb3QxJTAjBgNVBC4THDZU UEs1RTNZc1ZYZEM1YysyaEFETkZVdWlGRT0wHhcNMDgwNzAzMTAwMTI3WhcNMjgw NjI4MTAwMTI3WjBZMQ0wCwYDVQQKEwRPcmdhMREwDwYDVQQLEwhPcmdhTmFtZTEO MAwGA1UEAxMFLnJvb3QxJTAjBgNVBC4THDZUUEs1RTNZc1ZYZEM1YysyaEFETkZV dWlGRT0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWXMFjF+4YVChR RKyT0iWNz9XPOV8hCA/jYr793osbedOa7EmUdmfud5WU8YRCbs5r3nE9migI3Ssw u7pUMZl005RWLB4zSn08rnh5U3RoHgyBK4R/pTXJzZAckjeDaMgQ8JhDFxO8RJ3U SEZP6tBu1x7NkBSyQETGGgag9uMCDiwWGxzgSwxiifaQyadRcc+RlBxgB6uAQR+F /jTTJRk9AA52JXTy8mi8pF63Zr/p6jC0xpmOFR4SUxhXXFdhWXfa6Q0OeNWXyWTS BgYiceKsRYmZQ86bi8y/VLT0xkJiVBAxbxSf+KWEuVD2vYjOiyH4y5bjfu9XsgJr sVF/GmfjAgMBAAGjgcgwgcUwEwYDVR0TAQH/BAkwBwEB/wICAP8wCwYDVR0PBAQD AgIEMB0GA1UdDgQWBBTpM8rkTdixVd0Llz7aEAM0VS6IUTCBgQYDVR0jBHoweIAU 6TPK5E3YsVXdC5c+2hADNFUuiFGhXaRbMFkxDTALBgNVBAoTBE9yZ2ExETAPBgNV BAsTCE9yZ2FOYW1lMQ4wDAYDVQQDEwUucm9vdDElMCMGA1UELhMcNlRQSzVFM1lz VlhkQzVjKzJoQURORlV1aUZFPYIBATANBgkqhkiG9w0BAQsFAAOCAQEAHtmu211N BdCfx1wq7RmQKKkZN1/w223CXCYmuSBTXZwRj0Q3HuRIimSxM3GR8vkj6njbSqHS g9qsI9pT12aw5r7ChhTCMzttk5xHZ9d0a5ew0Q5Z+WnOCOJOUMl47KGGYewSIiL4 dwKv3/oZQuhJ06PXF3GL8NG+oFSAOGFOBzS9xIHEhAhU5DkUgpPb/GkCZBPQfFBb NIulYtQ2p/A70HhsAbkMmhrvqj/ib06pPWMAsOWTyfC0CcVFDJZcnWRYpbC3I9vI Xy07yMLWapoNZibeXvQCcfdxJzKJLLuJKarpt8hyAoB1sPcljKNBVoabQvC1zN0d VxiNl0uLkxJBjA== I don't want to create a temporary file on HDD. I think, there is a way using BIO feature, but i don't know how to use them. So how can i load the base64-encoded string to a BIO struct in order to get a X509* struct using PEM_read_bio_X509() function ? Thank's in advance, Have a nice day, pierre __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
I'm having a socket error:04077068:rsa routines:RSA_verify:bad signature...
I've spent several days trying different things and failing at tracking down the actual source of this problem. I have a client and a server communicating over an SSL socket connection. The client sends some data to the server along with an RSA signature to verify it's an authorized request. Upon receiving the request from the client, the server uses the EVP_verify routines to verify the signature. Then the server attempts to send a response back to the client telling it the request succeeded or failed. However, during the transmit routine in Qt, a call to ssl_read fails and gives the following reason: Error while reading: error:04077068:rsa routines:RSA_verify:bad signature I was originally using the RSA_verify routine, but was having the same problem and thought that maybe it would be solved if I switched over to the EVP_verify routines as they can provide an EVP_MD_CTX structure. I'm using openssl built into the Qt 4.4.1 libraries, which are implemented for thread safety using the locking_function as prescribed. I've verified that the locking_function gets called for both their calls and my calls; so I don't think it's a threading issue. I'm wondering if it could have anything to do with the socket using a different public key than what I'm using to verify the sent data. Another possibility could be that they are using two different decryption algorithms and my calling the EVP_verify routines changes some global value that the ssl_ routine ends up using which is no longer valid for the connection. I've built debug versions of the shared openssl libraries and used those to build a debug version of the QtNetwork.dll; I can step into the Qt calls, but since Qt is dynamically loading the openssl APIs, I'm having difficulty stepping into the openssl routines where I can view the source code. I can only step into the assembly. So I can't really tell which line of code and why the ssl_read routines are actually failing. So, a quick recap to hopefully clarify what I'm seeing... SSL socket connection using public key A recieves signed data EVP_verify routines are called using public key B SSL socket connection attempts to read more data inside the Qt transmission code. ssl_read fails with error:04077068:rsa routines:RSA_verify:bad signature. If I skip the verification calls, everything works fine. Am I attempting to do something invalid? Is Qt making a bad assumption about when they can read from the socket? Is there a bug down in openssl? Or am I skipping some step(s) to put things back in order for the socket after I call the EVP_verify routines? Is there a book I should have read before I tried this? Thanks in advance for any help provided.
Re: Create a X509 from a string
delcour.pierre wrote: Hello, I don't look at the mail archiver. A similar question was send. Here is the link if you are interested : http://www.mail-archive.com/openssl-users@openssl.org/msg52560.html Sorry to disturb you. Have a nice day, pierre __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Convertin ssl to *.pem
I would like to know how I can convert an ssl cert to a *.pem cert. Thank you. John Pakus Network and System Services First Manhattan Consulting Group 90 Park Avenue, 18th Floor New York, NY 10016 Main: 212-557-0500 Fax: 212-949-6252 This e-mail and any attachments, is intended only for use by the addressee(s) named. It may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you receive this email in error please immediately notify Colleen OMalley at 212 455 9100 and permanently delete the original copy and any copy of any e-mail, and any printout thereof. For further information about the firm, please see www.FMCG.com
RE: Basic question on version number..
The decision in the case of OpenSSL was that 1.x would have a stable API, permitting shared libraries to be used interchangeably. OpenSSL does not have a stable API yet, officially. If that's the rationale, I eagerly await 1.0. The lack of a stable API has hurt me far too many times. I encourage the developers to freeze the existing API. Shared library is currently an experimental feature. The only reason to have them would be to conserve memory on systems where several program are using OpenSSL. Binary backward compatibility can't be guaranteed before OpenSSL version 1.0. I think this was the original idea. For me, the more important reason to use a shared library is the ability to upgrade the library when I don't have access to the source/object code that uses the library.
Using javax.crypto.Cipher with RSA and an OpenSSL generated public key
Hi,
we have a server using OpenSLL crypto library functions around RSA.
I want to write a Java client that sends an encrypted message to the
server, which can be decrypted there.
To test this I use the following Java code below:
The encoded public key is created with OpenSSL.
RSA* rsa_private= RSA_generate_key (keylength, RSA_F4,
NULL, NULL);
len = i2d_RSA_PUBKEY(rsa_private, NULL);
pBuffer=(char *)OPENSSL_malloc(len);
upBuffer = (unsigned char*)pBuffer;
len = i2d_RSA_PUBKEY(rsa_private, upBuffer);
The server decrypts the password with the same private key used to
generate the public key:
retval = RSA_private_decrypt(RSA_size(rsa_private),
encryptedPasswordCharArrayfromJavaClient, cleartext-output, rsa_private,
RSA_NO_PADDING);
I tested my code so that encryption / decryption works in the C code
using OpenSSL.
I tested my Java code so that encryption / decryption works in the Java
code using standard Java packages with a Sun provider for RSA.
I have trouble to get the two together. If I use RSA_private_decrypt with
a byte sequence created from the Java client the output is wrong - no
error occurs.
One thing that might point to a reason for the incompatibility:
I observe that the Java client always creates the same encrypted byte
sequence from a given input string and a public key.
The OpenSSL C client produces different encrypted byte sequences for each
separate run with a given input string and a public key. Decryption works
with all of them.
If I let the C client encrypt the same given input string twice in the
same run, it creates the same encrypted sequence.
The java client code:
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Date;
import javax.crypto.Cipher;
public class ClientX509Encryption {
static final byte[] encodedPublicKey = {
48, -127, -97, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1,
1,
5, 0, 3, -127, -115, 0, 48, -127, -119, 2, -127, -127, 0, -77,
119, -61,
76, -66, -58, -102, -98, 84, 20, 83, 117, -9, 69, 109, -105,
51, -58, 12,
31, -113, 110, -118, 20, 115, 107, -86, -97, 14, -39, 62, 8,
50, -22, 65,
121, -124, -52, 27, 17, -104, -123, -78, -56, 92, 18, -31,
116, 69, 105, -96,
-87, 44, 60, -115, -110, 8, -124, 59, -68, 54, 33, 63, 108,
24, 114, -11,
-103, -31, 48, -89, 10, 98, 106, -80, 123, -94, -100, -24,
-59, 18, 112, 74,
112, 58, -94, -23, 70, -41, 35, 92, 92, 26, -27, -51, 127,
-125, -109, 15,
-30, -18, -12, 27, 101, 92, 4, 77, 11, -22, 123, 47, -18, 88,
-96, 95,
32, -118, -128, 82, 22, -55, -39, 9, -34, 4, 90, 88, -17, 2,
3, 1,
0, 1,
};
public static void main(String[] args) {
byte[] encryptedpassword = null;
try {
Cipher c = Cipher.getInstance(RSA/ECB/NoPadding
);
X509EncodedKeySpec publicKeySpec = new
X509EncodedKeySpec(encodedPublicKey);
KeyFactory keyFactory = KeyFactory.getInstance(
RSA);
PublicKey publicKey =
keyFactory.generatePublic(publicKeySpec);
c.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] arg0Bytes = args[0].getBytes();
// encrypt input parameter
encryptedpassword = c.doFinal(arg0Bytes);
System.out.print(static signed char
encryptedPasswordStringfromJavaClient[] = {);
for (int i = 0; i encryptedpassword.length; i++)
{
if (i % 16 == 0) {
System.out.println();
System.out.print();
}
System.out.print(encryptedpassword[i] + ,
);
}
System.out.println(\n};);
} catch (Exception e) {
e.printStackTrace();
}
}
}
Hello
Hello, Is this the right place to ask Openssl programming issues? Thanks Harris Nguyen __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
compiling openssl using vs 2003
I'm trying to compile openssl for use with visual studio. For some reason, I can't run the nmake in the vs ide. When I try it from the command line, it says it can't find things like windows.h! Does anyone have it already compiled, etc that I can download? -- Scott Hill Food for thought: A good pun is it's own reword. Energizer bunny arrested! Charged with battery! A pessimist's blood type is always B-negative. 42.7 percent of all statistics are made up on the spot. How much deeper would the ocean be without sponges? Atheism is a non-prophet organization.
Re: Certificate problem on Windows XP client...
Venkata LK Mula escribió: Hi, With reference to the above mentioned subject, we have generated root, server and client certificates in .pfx (p12) and .der format in FreeRADIUS using OpenSSL, installed these certificates on the Windows XP client. And when I'm trying to associate the Windows clinet to the network. it is displaying the message Windows was unable to find the certificate to log you on the network Roaming test2. Can any body lookinto the issue and suggest us with possible solutions for the same please. regards, Venkat If you are used freeradius utilities to issue certificates (make ca.pem, make server.pem, make client.pem, bootstrap command etc) you need to mark server certificate as CA:true or something like this, because is the server the issuer of client certs (at least, into default radius PKI). See and compare ca.cnf and server.cnf and you will see that default configuration doesn't put issuing permissions into server certificate, only into ca's. Because server hasn't got issuing permission, windows are considering that certification route is broken.You can see it into mozilla or ie. If you don't want use server certificate to sign client certs, you can issue them with ca.pem, changing only two options into the Makefile file (client.pem rule), or you can put your own commands. I have this configuration and it works perfectly, it's just a different PKI. But, if your client certs are now signed by the root authority and windows was unable to find it, i can't help you more :) Also, be sure that server and client certs have the correct extensions to work on XP. This extensions are KeyUsage and a list of numbers separated by points. Above commands, in this case, add this extensions. Hope this helps. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Basic question on version number..
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Goldman wrote: | The decision in the case of OpenSSL was that 1.x would have a stable API, | permitting shared libraries to be used interchangeably. OpenSSL does not | have a stable API yet, officially. | | If that's the rationale, I eagerly await 1.0. Be prepared to wait a long time... I don't think we see a OpenSSL 1.0 anytime soon. If you think that a 0.9.9 indicates a pending 1.0, you are wrong. The OpenSSL version numbering allows something like a version 0.255.255 ... So I expect that the release after 0.9.9 will be a 0.9.10... Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIsYd92iGqZUF3qPYRAmFNAJ0d5F8fOB1ihoRg37VDc7uNIhSC3wCfe/Z8 qFcrCJO2nkk8NCl2Z1osryk= =FoPM -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
client - server authentication
Hi list, i do not have much experience in ssl/tls certificates i know almost nothing about it. i have a hosted site over internet for the branch users, which i want to restrict over internet, e.g only certain computers will be allowed to access site. i want to restrict it to only branch computers. is it possible using ssl/tls to allow particular computers to access web? like access will be granted only if necessary certificate is installed on the client client's web browser. kindly provide me guideline to restrict access. kindly note: these users are connecting from dynamic ips. site has authentication. Thanks Regards Dhaval __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: any reference to different certificate versions
Kyle Hamilton wrote: X.509 refers to the certificate version. 0 == version 1, 1 == version 2, 2 == version 3. Version 1 certificates have no means for any extensions. Version 2 certificates are CRLs. CRLs use the asn1 type Version. CRLs with extensions have Version 2, but this has nothing to do with certificates. Version 2 may be used for certificates that have unique identifiers but no extensions. Since nobody seems really to use this, and there is no support in Openssl, and one still may indicate version 3 ... To be complete, these Version values also have nothing to do with the version number of the X509 standard. Version 3 certificates are the current norm, and most likely what you want. 'Current norm' means what? I'd say: Since you most likely add extensions, then version 3 is what you set. I seems unlikely to me that a future version of X509 will change the verision number of a certficate. This would be necessary if add some asn1 field after the extensions instead of defining an extension. IMO, a call to X509_set_version should not be necessary. openssl could ensure to set a good value depending on whether you have extensions of not unless the version has been set to explicitely. The best reference currently is RFC5280, and all of its references. -Kyle H On Tue, Aug 19, 2008 at 2:08 AM, Sanjith Chungath [EMAIL PROTECTED] wrote: Hi, I can set a certificate version using function X509_set_version(). Can some one give me a reference to different certificate versions that are available and the significance of each version number. -Thanks and Regards, -Sanjith. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME Cryptographic Signature
Re: client - server authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dhaval Thakar wrote: | Hi list, Hello Daval, | i have a hosted site over internet for the branch users, which i want to | restrict over internet, | e.g only certain computers will be allowed to access site. | i want to restrict it to only branch computers. | is it possible using ssl/tls to allow particular computers to access web? | like access will be granted only if necessary certificate is installed on | the client client's web browser. Let's rephrase your requirements: You have a server using SSL/TLS. This server should grant access to only a selected list of clients. You are able to install data on these clients. The solution is simple: * create an own CA (for example with the CA.sh or CA.pl scripts. * for every client: ~ * create a client key ~ * create a certification request ~ * sign the certification request with your CA ~ * transfer the certificate (and key if created by the CA) * configure your server to use mandatory client verification. * configure your server to only use your CA certificate to ~ verify client certificates. * optionally: ~ * for every client that should not be able to connect the ~server any more: ~* revoke the client certificate ~ * create a certificate revocation list (CRL) ~ * distribute this CRL to the server ~ * configure the server to use the CRL on verification. * test your environment. * sit back and enjoy But you do need a basic knowledge about certificates. Especially you must be aware how to differentiate between a CA certificate, a server certificate and a client certificate. Then I suggest to play with the CA.sh (or CA.pl) and the openssl.cnf that is used by these scripts... | kindly note: these users are connecting from dynamic ips. site has | authentication. Doesn't matter, the server verifies if client has a certificate. If you can ensure that every entity connecting the server has an own certificate, you could configure authentication to use the data supplied in the client certificate. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIsb1S2iGqZUF3qPYRAiF+AJ48UtNGVB3TWJQXvNKshW5AqWX1/gCcCDib slJvLrhEVq4NgeDR0x1suPQ= =AdyF -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: compiling openssl using vs 2003
You need to download and install the Platform SDK, and you need to run the icon in the program group called 32-bit build environment or 64-bit build environment. This sets up all the appropriate environment variables for compilation. There is a binary distribution for Windows at http://www.slproweb.com/products/Win32OpenSSL.html if you don't want to deal with that. :) -Kyle H On Fri, Aug 22, 2008 at 3:29 PM, Scott Hill [EMAIL PROTECTED] wrote: I'm trying to compile openssl for use with visual studio. For some reason, I can't run the nmake in the vs ide. When I try it from the command line, it says it can't find things like windows.h! Does anyone have it already compiled, etc that I can download? -- Scott Hill Food for thought: A good pun is it's own reword. Energizer bunny arrested! Charged with battery! A pessimist's blood type is always B-negative. 42.7 percent of all statistics are made up on the spot. How much deeper would the ocean be without sponges? Atheism is a non-prophet organization. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
