RE: Reading certificate and public key from memory
Hi Dan,

Please try like:

    char *key = "-----BEGIN RSA PRIVATE KEY-----\n"
                "jGK1T++C+Np4As+KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU\n"
                /* .. . (remaining key lines elided in the original post) */
                "Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb\n"
                "-----END RSA PRIVATE KEY-----\n";
    BIO *bio = BIO_new_mem_buf(key, -1);   /* -1: length is taken from strlen(key) */
    SSL_CTX *sslctx;                       /* assumed to have been created earlier with SSL_CTX_new() */
    EVP_PKEY *pktmp = NULL;

If the key is not password protected:

    pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

If your key is in PKCS12 format and password protected, please try like this:

    pktmp = PEM_read_bio_PrivateKey(bio, 0, sslctx->default_passwd_callback,
                                    sslctx->default_passwd_callback_userdata);

    if (pktmp == NULL) {
        char buffer[120];                  /* ERR_error_string() needs at least 120 bytes */
        ERR_error_string(ERR_get_error(), buffer);
        fprintf(stderr, "OpenSSL error: %s\n", buffer);
    }
    SSL_CTX_use_PrivateKey(sslctx, pktmp);
    EVP_PKEY_free(pktmp);
    BIO_free(bio);                         /* the memory BIO is no longer needed */

Please try the above. If you are again facing the problem, then please read the key using a file pointer with fread (char *key will point to the private key) and compare the hard-coded key pointer with the key pointer from the file, because that is working.

Thank you.

Regards,
--Ajeet Kumar Singh

From: Dan Ribe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 01, 2008 5:41 PM
To: Ajeet kumar.S
Subject: Re: Reading certificate and public key from memory

Hey, how are you doing?

Was trying to read my private key from the mem buffer like:

    char *key = "-----BEGIN RSA PRIVATE KEY-----"   /* pieces concatenated with no "\n" between them */
                "jGK1T++C+Np4As+KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU"
                "N2AZVq28yjqt3RYaRPn0xhbmLfWH/o+wzlg58wIDAQABAoIBAAHEep7qWWMFWsbc"
                /* .. .. (remaining key lines elided in the original post) */
                "DwiD1OKnxTlAvZPkTSCS+QKBgDkXMM+2jyeRPwpUEyZjqYveVb5zc3HJMMGbpI/p"
                "09dirkd+sRoXWShF8ctVVb4B1PAFTOBEa8diickehnAyEq6KhzLWpQqhqCnylETw"
                "Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb"
                "-----END RSA PRIVATE KEY-----";
    int keyLength = strlen(key);
    BIO *bio = BIO_new_mem_buf(key, keyLength);
    EVP_PKEY *pktmp = NULL;
    pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
    if (pktmp == NULL) {
        char buffer[120];
        ERR_error_string(ERR_get_error(), buffer);
        fprintf(stderr, "OpenSSL error: %s\n", buffer);
    }

But PEM_read_bio_PrivateKey() always returns an error like:

    OpenSSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Any help? Thanks much.

Cheers!

On Tue, Sep 30, 2008 at 2:33 PM, Ajeet kumar.S [EMAIL PROTECTED] wrote:

Hi Dan,

I am solving this issue. I will get back to you soon. It is not required to change to another format. You can use .PEM format.

Thank you.

Regards,
--Ajeet Kumar Singh

From: Dan Ribe [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 29, 2008 2:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Reading certificate and public key from memory

Hi Ajeet,

Just wondering whether you were able to solve this one or not. Actually I have a similar problem in front of me. I want to read the private key directly from the memory buffer. Currently I have the private key in the form of a file (.pem) on disk. I want to hard code its contents in my code and read them directly from there. Doing so because I don't want to distribute the private key with my product. If you have already done this, please share the following information:

1. How to hard code the value in some string buffer (how to convert the .pem file to the required format).
2. How to read the key information from the memory buffer.

Please give me some sample code, that will make my life much easier. Hoping for a prompt reply from your side.

Thanks much

Cheers!

On Mon, Sep 15, 2008 at 10:11 AM, Ajeet kumar.S [EMAIL PROTECTED] wrote:

Dear All,

In OpenSSL I saw we were passing the file name of the certificate and public key. OpenSSL uses this name and reads the certificates and keys from that file. If instead of a file name we want to pass a char pointer which points to the address of the certificate and public key respectively, is it possible? Actually I don't want to read certificates and keys from a file. I want to pass one memory pointer for each certificate and key respectively, which stores both the certificate and the keys. Please tell me how it is possible.

Thank you.

Regards,
--Ajeet Kumar Singh
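Added example, not code from either poster: a C pre-check for the "no start line" failure discussed in this thread, written without any OpenSSL dependency. OpenSSL's PEM reader works line by line, so the "-----BEGIN ...-----" header must start a line and end in a newline; the two listings above differ exactly in whether "\n" follows each line, and the function below reports that and the other structural requirements before a buffer is handed to BIO_new_mem_buf(). The sample strings are constructed placeholders, not key material.

```c
#include <stdio.h>
#include <string.h>

/* Pre-check mirroring what OpenSSL's line-oriented PEM reader needs: "-----BEGIN <label>-----"
 * at the start of a line and ending in a newline, plus a matching "-----END <label>-----" line.
 * Returns 1 when the buffer passes, else 0 with a short reason written to err. */
int pem_check(const char *buf, char *err, size_t errlen)
{
    const char *p = buf, *begin = NULL, *end = NULL, *nl, *le;
    while (*p) {                                   /* walk line starts */
        if (!begin && strncmp(p, "-----BEGIN ", 11) == 0)
            begin = p;
        else if (begin && strncmp(p, "-----END ", 9) == 0) {
            end = p;
            break;
        }
        if (!(nl = strchr(p, '\n'))) break;
        p = nl + 1;
    }
    if (!begin) { snprintf(err, errlen, "no start line"); return 0; }
    if (!(nl = strchr(begin, '\n'))) { snprintf(err, errlen, "BEGIN line not newline-terminated"); return 0; }
    le = (nl[-1] == '\r') ? nl - 1 : nl;           /* tolerate CRLF; nl is past "-----BEGIN " here */
    if (le - begin < 17 || strncmp(le - 5, "-----", 5) != 0) {
        snprintf(err, errlen, "BEGIN line does not end with -----"); return 0;
    }
    if (!end) { snprintf(err, errlen, "no END line"); return 0; }
    size_t label_len = (size_t)((le - 5) - (begin + 11));   /* e.g. "RSA PRIVATE KEY" */
    if (strncmp(begin + 11, end + 9, label_len) != 0) {
        snprintf(err, errlen, "BEGIN/END labels differ"); return 0;
    }
    err[0] = '\0'; return 1;
}
/* Constructed samples: the body is base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ", not a key. */
const char *KEY_WITH_NEWLINES =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n";
const char *KEY_WITHOUT_NEWLINES =                 /* same text with every "\n" dropped */
    "-----BEGIN RSA PRIVATE KEY-----"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="
    "-----END RSA PRIVATE KEY-----";

int main(void)
{
    char err[64];
    printf("with newlines: %s\n", pem_check(KEY_WITH_NEWLINES, err, sizeof err) ? "ok" : err);
    printf("without newlines: %s\n", pem_check(KEY_WITHOUT_NEWLINES, err, sizeof err) ? "ok" : err);
    return 0;
}
```

The same check is worth running on a key read back with fread(), which is the comparison Ajeet suggests above.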
Re: FIPS fail
On Thu, Oct 02, 2008, Thomas J. Hruska wrote:

> Thomas J. Hruska wrote:
>> Needless to say, given the lack of response and further web searching reveals issues with older VC++ linkers core dumping(?) against the latest MinGW and I've already put forth 30+ hours (not counting the preparation time of several months!), two CD-Rs, and who knows how much money into an attempted production of a default OpenSSL FIPS 140-2 compliant binary build for Windows (complete with fancy installer), I'm going to simply hold off until 1.2.0 becomes available and then try again at that time.
>
> Mixing together binaries from two totally different compilers is not only a bad idea, it is a horrifically terrible idea. The fact that this supposedly works at all for some people is a miracle.

The 1.1.2 module (which I only became involved with towards the end) was designed round a Unix build system. For the 1.1.2 module it was a choice of mixing compilers or not having any Windows build at all. It was decided that was better than nothing.

What version of gcc do you have with MSYS? There are issues with some versions of gcc.

> Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers. That should significantly clean things up. Assuming, of course, not mixing compilers allows the use of VC++. If I have to use MinGW, I will be very annoyed. I'm also hoping I can compile against 0.9.8x instead of 0.9.7m.

The 1.2 module (which I was involved with from the start) has Windows as a standard platform. It can be built using VC++ only.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: FIPS fail
On Thu, Oct 02, 2008, Michael S. Zick wrote:

> 1.1.0 does not build shared. Build static or wait for 1.2.0

Windows is an exception, it can be built shared in the 1.1.2 module.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: FIPS fail
Dr. Stephen Henson wrote:
> On Thu, Oct 02, 2008, Thomas J. Hruska wrote:
>> Thomas J. Hruska wrote:
>>> Needless to say, given the lack of response and further web searching reveals issues with older VC++ linkers core dumping(?) against the latest MinGW and I've already put forth 30+ hours (not counting the preparation time of several months!), two CD-Rs, and who knows how much money into an attempted production of a default OpenSSL FIPS 140-2 compliant binary build for Windows (complete with fancy installer), I'm going to simply hold off until 1.2.0 becomes available and then try again at that time.
>>
>> Mixing together binaries from two totally different compilers is not only a bad idea, it is a horrifically terrible idea. The fact that this supposedly works at all for some people is a miracle.
>
> The 1.1.2 module (which I only became involved with towards the end) was designed round a Unix build system. For the 1.1.2 module it was a choice of mixing compilers or not having any Windows build at all. It was decided that was better than nothing.
>
> What version of gcc do you have with MSYS? There are issues with some versions of gcc.

    $ gcc --version
    gcc.exe (GCC) 3.4.5 (mingw-vista special r3)
    Copyright (C) 2004 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Not that it really matters...

>> Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers. That should significantly clean things up. Assuming, of course, not mixing compilers allows the use of VC++. If I have to use MinGW, I will be very annoyed. I'm also hoping I can compile against 0.9.8x instead of 0.9.7m.
>
> The 1.2 module (which I was involved with from the start) has Windows as a standard platform. It can be built using VC++ only.
>
> Steve.

Excellent. I'll just wait for the 1.2 module then. I know that it could be a long wait of many months since FIPS validation takes a while.

BTW, during the FIPS creation process that I used (a set of steps that I plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 'PGP sign' links next to the source code download links at https://www.openssl.org/source/ are broken (not really 'broken' per se, but blank). I had to go out to the FTP site to get the signatures.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
Converting .cer to .pem Getting errors
Hello,

I'm trying to convert a .cer to a .pem by using the following command at the command line:

    openssl x509 -in verisignintermediatecert.cer -inform d -out speedscript_new.pem

When running this command I get the following output:

    unable to load certificate
    15369:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:947:
    15369:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509

Any ideas on what I could be doing wrong?

Alan Arthur
Network Administrator, Speed Script Pharmacy Systems
24/7 Support: 1-800-444-2765
Direct: 913-643-2468
Fax: 913-894-1802
[EMAIL PROTECTED]
www.speedscript.com

Speed Script is a registered trademark of Digital Simplistics, Inc.

This electronic message, including any attachments, may contain confidential or privileged information and is intended for the individual or entity named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately and destroy all electronic and hard copies of the communication, including attachments.
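The "wrong tag ... Type=X509" pair above means the bytes given with -inform d do not decode as a DER Certificate structure. Added example, not from this thread: a small C sniffer (no OpenSSL dependency) that reports what a .cer file actually begins with, since such files may hold DER, Base64 (PEM) text, or a PKCS#7 bundle, and that decides whether to use -inform PEM, -inform DER, or openssl pkcs7 -print_certs. All sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

enum cert_fmt { FMT_UNKNOWN, FMT_PEM_CERT, FMT_PEM_PKCS7, FMT_DER_X509, FMT_DER_PKCS7, FMT_DER_OTHER };

/* Parse a DER tag+length header at p (n bytes available): returns the header size and stores
 * the content length in *len, or returns 0 if the bytes are not a valid DER header. */
static size_t der_header(const unsigned char *p, size_t n, size_t *len)
{
    if (n < 2) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }     /* short form */
    size_t nb = p[1] & 0x7f;                          /* long form: nb length bytes follow */
    if (nb == 0 || nb > 4 || n < 2 + nb) return 0;    /* 0x80 (indefinite) is BER, not DER */
    size_t l = 0;
    for (size_t i = 0; i < nb; i++) l = (l << 8) | p[2 + i];
    *len = l;
    return 2 + nb;
}

/* Classify what a .cer file starts with. An X.509 Certificate is SEQUENCE { tbsCertificate
 * SEQUENCE, ... } while a PKCS#7 ContentInfo is SEQUENCE { contentType OBJECT IDENTIFIER, ... },
 * so the first inner tag (0x30 vs 0x06) separates the two DER forms. */
enum cert_fmt sniff_cert(const unsigned char *buf, size_t n)
{
    if (n >= 27 && memcmp(buf, "-----BEGIN CERTIFICATE-----", 27) == 0) return FMT_PEM_CERT;
    if (n >= 21 && memcmp(buf, "-----BEGIN PKCS7-----", 21) == 0) return FMT_PEM_PKCS7;
    if (n < 2 || buf[0] != 0x30) return FMT_UNKNOWN;  /* DER must open with a SEQUENCE tag */
    size_t outer_len, hdr = der_header(buf, n, &outer_len);
    if (hdr == 0 || outer_len == 0 || outer_len > n - hdr) return FMT_UNKNOWN;  /* bad or truncated */
    switch (buf[hdr]) {
    case 0x30: return FMT_DER_X509;
    case 0x06: return FMT_DER_PKCS7;
    default:   return FMT_DER_OTHER;
    }
}

/* Constructed minimal inputs for demonstration, not real certificates. */
const unsigned char SAMPLE_DER_X509[]  = { 0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05 };
const unsigned char SAMPLE_DER_PKCS7[] = { 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                                           0xf7, 0x0d, 0x01, 0x07, 0x02 };   /* pkcs7-signedData OID */
const unsigned char SAMPLE_TRUNCATED[] = { 0x30, 0x82, 0x01, 0x00, 0x30 };  /* declares 256 bytes, holds 1 */
const unsigned char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n";

int main(void)
{
    static const char *names[] = { "unknown", "PEM certificate", "PEM PKCS#7", "DER X.509", "DER PKCS#7", "DER other" };
    printf("%s / %s / %s / %s\n", names[sniff_cert(SAMPLE_DER_X509, sizeof SAMPLE_DER_X509)],
           names[sniff_cert(SAMPLE_DER_PKCS7, sizeof SAMPLE_DER_PKCS7)],
           names[sniff_cert(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)],
           names[sniff_cert(SAMPLE_PEM, sizeof SAMPLE_PEM - 1)]);
    return 0;
}
```

For a real file, read its first few hundred bytes into a buffer and pass them to sniff_cert(); a PKCS#7 result means the file is a bundle that needs openssl pkcs7 -print_certs rather than openssl x509.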
Re: Trouble with bidirectional shutdown
DS

Thank you for your response. I have checked the error code using SSL_get_error. I get an SSL_ERROR_SYSCALL (5) return code, indicating an I/O error, but the error queue is empty. My application continues to function. It is fetching an HTML document over an HTTPS connection. My concern is that, since I reuse the SSL handle, I should wait for it to be completely closed rather than potentially overlap HTTPS requests. Occasionally my application hangs during an HTTPS request on a dual core Inspiron when the HTTPS requests come one on the heels of another. Can you tell me anything more about what sorts of conditions would cause an SSL_ERROR_SYSCALL error?

Regards,
Solveig

On Tue, Sep 30, 2008 at 5:49 PM, David Schwartz [EMAIL PROTECTED] wrote:

> Solveig Viste wrote:
>
>> I have an application which is occasionally hanging. I have tracked it down to an SSL_shutdown call. The value (0) returned from the shutdown call indicates that the shutdown is not finished.
>
> As happens with non-blocking sockets, sometimes the operation does not complete and you have to retry the operation later.
>
>> The shutdown man page indicates that a second call to SSL_shutdown should cause a bidirectional shutdown,
>
> A subsequent retry of the operation will complete if and only if whatever the first shutdown was waiting for has happened.
>
>> and I thought this is indeed what the application calls for. However, when I make the second call to SSL_shutdown, the value returned is still 0 (shutdown not finished) rather than 1 (shutdown complete) or -1 (shutdown not successful).
>
> Did you check the error code? Was it WANT_READ or WANT_WRITE? Did you wait for the appropriate operation to be ready?
>
>> Is this recently added behavior? Does the SSL handle need to have certain properties in order to get a bidirectional shutdown?
>
> You need to handle an organized shutdown the way you handle any other operation on a non-blocking connection that might take time to complete.
>
> DS

--
Solveig Viste
Instantiations
VA Smalltalk Support
Simple patch to crypto/sha/Makefile avoiding compile crash on IA64
Hi all,

I got a problem on compile of openssl-SNAP-20081003 on IA64 (same on older versions of the 0.9.9 dev source) like this:

    making all in apps...
    make[1]: Entering directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
    rm -f openssl
    shlib_target=; if [ -n "libcrypto.so.0.9.9 libssl.so.0.9.9" ]; then \
        shlib_target="linux-shared"; \
    fi; \
    LIBRARIES="-L.. -lssl -L.. -lcrypto" ; \
    make -f ../Makefile.shared -e \
        APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o" \
        LIBDEPS=" $LIBRARIES -ldl" \
        link_app.${shlib_target}
    make[2]: Entering directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
    ../libcrypto.so: undefined reference to `sha1_block_data_order'
    collect2: ld returned 1 exit status
    make[2]: *** [link_app.gnu] Error 1
    make[2]: Leaving directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
    make[1]: *** [openssl] Error 2
    make[1]: Leaving directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
    make: *** [build_apps] Error 1

The cause of the problem is:

    $ ls -s crypto/sha/sha*.s
     0 crypto/sha/sha1-ia64.s
     8 crypto/sha/sha256-ia64.s
    16 crypto/sha/sha512-ia64.s

Look: sha1-ia64.s is empty! That is because crypto/sha/asm/sha1-ia64.pl is generating an empty file, which happens because the Makefile fills in the command line for sha1-ia64.pl wrongly. The following patch on crypto/sha/Makefile makes it all right:

openssl-SNAP-20081003$ diff -up crypto/sha/Makefile crypto/sha/Makefile.new
--- crypto/sha/Makefile 2008-01-13 21:00:27.0 -0200
+++ crypto/sha/Makefile.new 2008-10-03 16:47:35.0 -0300
@@ -50,7 +50,7 @@ sha512-586.s: asm/sha512-586.pl ../perla $(PERL) asm/sha512-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@ sha1-ia64.s: asm/sha1-ia64.pl - (cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) ) $@ + (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS)) sha256-ia64.s: asm/sha512-ia64.pl (cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS)) sha512-ia64.s: asm/sha512-ia64.pl The first argument for sha1-ia64.pl should be the .s file and not the $CFLAGS. I tested and works fine for me. Is it enough report this here? Should I report this someplace else? -- Amadeu A. Barbosa Jr :: http://www.inf.puc-rio.br/~ajunior __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
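Review bot: The new rule brings sha1-ia64.s in line with the sha256-ia64.s and sha512-ia64.s rules just below it, which also run the generator from inside asm/ with `../$@` as the first argument, so all three IA64 targets now share one convention; the old rule instead put `$(CFLAGS)` in that first-argument slot and left `$@` dangling after the subshell, which fits the empty output reported. Two things would strengthen the submission: state explicitly that asm/sha1-ia64.pl takes the output path as its first argument (the report asserts this, the hunk does not show it), and consider making the rule fail when the generated file is empty, e.g. appending `&& test -s $@`, so the breakage surfaces at generation time rather than as `undefined reference to sha1_block_data_order` at link time.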