RE: Reading certificate and public key from memory

2008-10-03 Thread Ajeet kumar.S
Hi Dan,
Please try it like this:

char *key = "-----BEGIN RSA PRIVATE KEY-----\n\
jGK1T++C+Np4As+KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU\n\
...
Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb\n\
-----END RSA PRIVATE KEY-----\n";

 

BIO *bio = BIO_new_mem_buf(key, -1);

SSL_CTX  *sslctx;
EVP_PKEY *pktmp = NULL;

If the key is not password protected:

pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

If your key is in PKCS12 format and password protected, please try it
like this:

pktmp = PEM_read_bio_PrivateKey(bio, 0, sslctx->default_passwd_callback,
                                sslctx->default_passwd_callback_userdata);

if (pktmp == NULL) {
    char buffer[120];

    ERR_error_string(ERR_get_error(), buffer);
    fprintf(stderr, "OpenSSL error: %s\n", buffer);
}

SSL_CTX_use_PrivateKey(sslctx, pktmp);

EVP_PKEY_free(pktmp);

Please try the above. If you are still facing the problem, then please read
the key using a file pointer with fread() (char *key will point to the private
key) and compare the hard-coded key pointer with the key pointer from the
file, because that is working.

 

Thank you.

Regards,

--Ajeet  Kumar  Singh

 

 

  _  

From: Dan Ribe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 01, 2008 5:41 PM
To: Ajeet kumar.S
Subject: Re: Reading certificate and public key from memory

 

Hey,

How are you doing?

Was trying to read my private key from the mem buffer like :

char *key = "-----BEGIN RSA PRIVATE KEY-----\
jGK1T++C+Np4As+KoaO2NCiCBN5UQJRzXBsZvLDoN6IcfxJwXklp560jrKiIZ8VU\
N2AZVq28yjqt3RYaRPn0xhbmLfWH/o+wzlg58wIDAQABAoIBAAHEep7qWWMFWsbc\
...
DwiD1OKnxTlAvZPkTSCS+QKBgDkXMM+2jyeRPwpUEyZjqYveVb5zc3HJMMGbpI/p\
09dirkd+sRoXWShF8ctVVb4B1PAFTOBEa8diickehnAyEq6KhzLWpQqhqCnylETw\
Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb\
-----END RSA PRIVATE KEY-----";

int keyLength = strlen(key);
BIO *bio = BIO_new_mem_buf(key, keyLength);

EVP_PKEY *pktmp = NULL;
pktmp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

if (pktmp == NULL) {
    char buffer[120];

    ERR_error_string(ERR_get_error(), buffer);
    fprintf(stderr, "OpenSSL error: %s\n", buffer);
}

But PEM_read_bio_PrivateKey() always returns an error like : 

OpenSSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Any Help ?

Thanks much.

Cheers !

 

On Tue, Sep 30, 2008 at 2:33 PM, Ajeet kumar.S
[EMAIL PROTECTED] wrote:

Hi Dan,

I am working on this issue. I will get back to you soon. It is not required
to change to another format. You can use the .PEM format.

 

Thank you.

Regards,

--Ajeet  Kumar  Singh

 

 

  _  

From: Dan Ribe [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2008 2:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Reading certificate and public key from memory

 

Hi Ajeet,

Just wondering whether you were able to solve this one or not. Actually I
have a similar problem in front of me. I want to read the private key directly
from a memory buffer. Currently I have the private key in the form of a file
(.pem) on disk. I want to hard code its contents in my code and read them
directly from there. I am doing so because I don't want to distribute the
private key with my product.

If you have already done this, please share the following information:
1. How to hard code the value in some string buffer (how to convert the .pem
file to the required format).
2. How to read the key information from the memory buffer. Please give me
some sample code; that will make my life much easier.

Hoping for a prompt reply from your side. thanks much

Cheers !

On Mon, Sep 15, 2008 at 10:11 AM, Ajeet kumar.S
[EMAIL PROTECTED] wrote:

Dear All,

  In OpenSSL I saw we were passing the file name of the certificate and
public key. OpenSSL uses this name and reads the certificates and keys
from that file. What if, instead of a file name, we want to pass a char
pointer which points to the address of the certificate and public key
respectively?

Is it possible? Actually I don't want to read certificates and keys from a
file. I want to pass one memory pointer for each certificate and key
respectively, which store the certificate and key respectively.

Please tell me how this is possible.

 

Thank you.

Regards,

--Ajeet  Kumar  Singh

 

 

 

 

 

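As an added example that is not code from the thread: the scan below reproduces, without linking OpenSSL, the line-oriented search for the "-----BEGIN" line that PEM_read_bio() performs, so the two ways of pasting the key into a C string can be compared. It assumes (as the reply's use of "\n\" suggests) that the failing literal had no "\n" between its lines; the sample keys are constructed placeholders, the 254-byte line size mirrors the buffer PEM_read_bio() hands to BIO_gets(), and pem_find_start_line() and pem_type_is() are names chosen here. One caveat on the original goal: embedding the key in the binary only removes the separate file; the key still ships with the product and can be read out of the executable by anyone who has it.

```c
#include <stdio.h>
#include <string.h>

#define PEM_LINE_MAX 254  /* PEM_read_bio() calls BIO_gets() with a 254-byte buffer */

/* Constructed sample "keys": the body is the base64 alphabet repeated, not key
 * material; only the line structure matters for the start-line scan. */
#define FAKE_B64_LINE "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

/* Pasted without "\n" between the lines (assumed shape of the failing literal):
 * the whole key becomes one long line. */
static const char KEY_NO_NEWLINES[] =
    "-----BEGIN RSA PRIVATE KEY-----"
    FAKE_B64_LINE FAKE_B64_LINE FAKE_B64_LINE FAKE_B64_LINE
    "-----END RSA PRIVATE KEY-----";

/* Same content with every line newline-terminated, as the reply suggests. */
static const char KEY_WITH_NEWLINES[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    FAKE_B64_LINE "\n" FAKE_B64_LINE "\n" FAKE_B64_LINE "\n" FAKE_B64_LINE "\n"
    "-----END RSA PRIVATE KEY-----\n";

/* Read one line the way BIO_gets() does on a memory BIO: at most outsz-1 bytes,
 * stopping after a '\n'. Returns the byte count, 0 at end of data. */
static size_t mem_gets(const char **cursor, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = *cursor;
    while (*p != '\0' && n < outsz - 1) {
        out[n++] = *p++;
        if (out[n - 1] == '\n')
            break;
    }
    out[n] = '\0';
    *cursor = p;
    return n;
}

/* Mimic of the start-line search inside PEM_read_bio(): take lines one at a
 * time, strip trailing whitespace, and accept the first line that both begins
 * with "-----BEGIN " and ends with "-----". On success the type name between
 * them (e.g. "RSA PRIVATE KEY") is copied to name and 1 is returned; running
 * out of lines returns 0, which is the "no start line" error. */
int pem_find_start_line(const char *pem, char *name, size_t namesz)
{
    char line[PEM_LINE_MAX];
    const char *cursor = pem;

    for (;;) {
        size_t i = mem_gets(&cursor, line, sizeof line);
        if (i == 0)
            return 0;
        while (i > 0 && (unsigned char)line[i - 1] <= ' ')
            i--;                                  /* also eats a CR from CRLF input */
        line[i] = '\0';
        if (strncmp(line, "-----BEGIN ", 11) != 0)
            continue;
        /* A 253-byte chunk of a key without newlines starts with the header but
         * ends in base64 text, so it is rejected here, and no later chunk starts
         * with "-----BEGIN " again: the scan ends with "no start line". */
        if (i < 16 || strcmp(line + i - 5, "-----") != 0)
            continue;
        size_t namelen = i - 16;
        if (namelen >= namesz)
            namelen = namesz - 1;
        memcpy(name, line + 11, namelen);
        name[namelen] = '\0';
        return 1;
    }
}

/* Convenience wrapper: does the buffer yield a start line of the expected type? */
int pem_type_is(const char *pem, const char *expected)
{
    char name[64];
    return pem_find_start_line(pem, name, sizeof name) && strcmp(name, expected) == 0;
}

int main(void)
{
    char name[64];
    printf("no newlines  : %s\n",
           pem_find_start_line(KEY_NO_NEWLINES, name, sizeof name) ? "start line found" : "no start line");
    if (pem_find_start_line(KEY_WITH_NEWLINES, name, sizeof name))
        printf("with newlines: start line found, type \"%s\"\n", name);
    return 0;
}
```

With the real library the call sequence is the one in the reply, BIO_new_mem_buf(key, -1) followed by PEM_read_bio_PrivateKey(); what the scan shows is that the first line the reader sees must end in "-----" once trailing whitespace is stripped, which a literal without newlines cannot satisfy after the 254-byte line buffer truncates it.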

Re: FIPS fail

2008-10-03 Thread Dr. Stephen Henson
On Thu, Oct 02, 2008, Thomas J. Hruska wrote:

 Thomas J. Hruska wrote:

 Needless to say, given the lack of response and further web searching 
 reveals issues with older VC++ linkers core dumping(?) against the latest 
 MinGW and I've already put forth 30+ hours (not counting the preparation 
 time of several months!), two CD-Rs, and who knows how much money into an 
 attempted production of a default OpenSSL FIPS 140-2 compliant binary build 
 for Windows (complete with fancy installer), I'm going to simply hold off 
 until 1.2.0 becomes available and then try again at that time.  Mixing 
 together binaries from two totally different compilers is not only a bad 
 idea, it is a horrifically terrible idea. The fact that this supposedly 
 works at all for some people is a miracle.


The 1.1.2 module (which I only became involved with towards the end) was
designed round a Unix build system.

For the 1.1.2 module it was a choice of mixing compilers or not having any
Windows build at all. It was decided that was better than nothing.

What version of gcc do you have with MSYS? There are issues with some versions
of gcc.

 Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers.  
 That should significantly clean things up.  Assuming, of course, not 
 mixing compilers allows the use of VC++.  If I have to use MinGW, I will 
 be very annoyed.  I'm also hoping I can compile against 0.9.8x instead of 
 0.9.7m.


The 1.2 module (which I was involved with from the start) has Windows as a
standard platform. It can be built using VC++ only.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: FIPS fail

2008-10-03 Thread Dr. Stephen Henson
On Thu, Oct 02, 2008, Michael S. Zick wrote:

 
 1.1.0 does not build shared.  Build static or wait for 1.2.0

Windows is an exception, it can be built shared in the 1.1.2 module.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: FIPS fail

2008-10-03 Thread Thomas J. Hruska

Dr. Stephen Henson wrote:

On Thu, Oct 02, 2008, Thomas J. Hruska wrote:


Thomas J. Hruska wrote:

Needless to say, given the lack of response and further web searching 
reveals issues with older VC++ linkers core dumping(?) against the latest 
MinGW and I've already put forth 30+ hours (not counting the preparation 
time of several months!), two CD-Rs, and who knows how much money into an 
attempted production of a default OpenSSL FIPS 140-2 compliant binary build 
for Windows (complete with fancy installer), I'm going to simply hold off 
until 1.2.0 becomes available and then try again at that time.  Mixing 
together binaries from two totally different compilers is not only a bad 
idea, it is a horrifically terrible idea. The fact that this supposedly 
works at all for some people is a miracle.




The 1.1.2 module (which I only became involved with towards the end) was
designed round a Unix build system.

For the 1.1.2 module it was a choice of mixing compilers or not having any
Windows build at all. It was decided that was better than nothing.

What version of gcc do you have with MSYS? There are issues with some versions
of gcc.


$ gcc --version
gcc.exe (GCC) 3.4.5 (mingw-vista special r3)
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is 
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE.



Not that it really matters...


Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers.  
That should significantly clean things up.  Assuming, of course, not 
mixing compilers allows the use of VC++.  If I have to use MinGW, I will 
be very annoyed.  I'm also hoping I can compile against 0.9.8x instead of 
0.9.7m.




The 1.2 module (which I was involved with from the start) has Windows as a
standard platform. It can be built using VC++ only.

Steve.


Excellent.  I'll just wait for the 1.2 module then.  I know that it 
could be a long wait of many months since FIPS validation takes a while.


BTW, during the FIPS creation process that I used (a set of steps that I 
plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 
'PGP sign' links next to the source code download links at:


https://www.openssl.org/source/

are broken (not really 'broken' per se, but blank).  I had to go out to 
the FTP site to get the signatures.


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/




Converting .cer to .pem Getting errors

2008-10-03 Thread Alan Arthur
Hello,

 

I'm trying to convert a .cer to a .pem by using the following command at
the command line.

 

openssl x509 -in verisignintermediatecert.cer -inform d -out
speedscript_new.pem

 

When running this command I get the following output:

 

unable to load certificate

15369:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:947:

15369:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:304:Type=X509

 

Any ideas on what I could be doing wrong?

 

Alan Arthur

Network Administrator,

Speed Script Pharmacy Systems

24/7 Support:  1-800-444-2765

Direct: 913-643-2468

Fax:  913-894-1802

[EMAIL PROTECTED]

www.speedscript.com

 

Speed Script is a registered trademark of Digital Simplistics, Inc.

 

This electronic message, including any attachments, may contain confidential
or privileged information and is intended for the individual or entity named
above.  If you are not the intended recipient, any disclosure, copying,
distribution or use of the contents of this information is prohibited.  If
you have received this electronic transmission in error, please notify the
sender immediately and destroy all electronic and hard copies of the
communication, including attachments. 
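An added example, not part of the message above: the "wrong tag" error is the DER decoder reporting that the first bytes are not the SEQUENCE a certificate starts with, which usually means the .cer is not DER at all but PEM text or a PKCS#7 bundle (a common packaging for CA intermediate certificates). The sniffer below reads the leading bytes and names the openssl command that matches what the file actually holds; sniff_cert_format() and suggested_command() are names chosen here, IN.cer and OUT.pem are placeholders, and the sample inputs are constructed skeletons, not real certificates.

```c
#include <stdio.h>
#include <string.h>

enum cert_format {
    FMT_UNKNOWN = 0,
    FMT_DER_CERT,   /* bare DER X.509 certificate: openssl x509 -inform DER */
    FMT_DER_PKCS7,  /* DER PKCS#7 bundle: openssl pkcs7 -inform DER -print_certs */
    FMT_PEM_CERT,   /* PEM certificate: what -inform PEM (the default) already reads */
    FMT_PEM_PKCS7   /* PEM PKCS#7 bundle: openssl pkcs7 -print_certs */
};

/* Skip a UTF-8 BOM and leading blank lines, which some Windows tools write and
 * which stop the PEM reader from finding its "-----BEGIN" line. */
static size_t skip_leading_junk(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (len >= 3 && buf[0] == 0xEF && buf[1] == 0xBB && buf[2] == 0xBF)
        i = 3;
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\r' || buf[i] == '\n'))
        i++;
    return i;
}

/* Decode one DER tag and definite length at buf[*pos]; advance *pos to the
 * content and store its length in *clen. Returns the tag, or -1 if malformed. */
static int der_read_header(const unsigned char *buf, size_t len, size_t *pos, size_t *clen)
{
    size_t p = *pos, l = 0;
    if (p + 2 > len)
        return -1;
    int tag = buf[p++];
    unsigned first = buf[p++];
    if (first < 0x80) {
        l = first;                          /* short form */
    } else {
        unsigned n = first & 0x7F;          /* long form: n length bytes follow */
        if (n == 0 || n > sizeof l || p + n > len)
            return -1;                      /* 0x80 (indefinite) is BER, never DER */
        while (n--)
            l = (l << 8) | buf[p++];
    }
    *pos = p;
    *clen = l;
    return tag;
}

enum cert_format sniff_cert_format(const unsigned char *buf, size_t len)
{
    size_t i = skip_leading_junk(buf, len), rem = len - i;

    if (rem > 11 && memcmp(buf + i, "-----BEGIN ", 11) == 0) {
        const unsigned char *label = buf + i + 11;
        rem -= 11;
        if (rem >= 16 && memcmp(label, "CERTIFICATE-----", 16) == 0)
            return FMT_PEM_CERT;
        if (rem >= 10 && memcmp(label, "PKCS7-----", 10) == 0)
            return FMT_PEM_PKCS7;
        return FMT_UNKNOWN;                 /* some other PEM object (key, CSR, ...) */
    }

    /* DER: Certificate and PKCS#7 ContentInfo are both an outer SEQUENCE (0x30).
     * A Certificate's first member is tbsCertificate, another SEQUENCE (0x30);
     * a ContentInfo's first member is contentType, an OBJECT IDENTIFIER (0x06).
     * Anything else is what "ASN1_CHECK_TLEN:wrong tag" complains about. */
    size_t pos = i, clen = 0;
    if (der_read_header(buf, len, &pos, &clen) != 0x30 || clen > len - pos)
        return FMT_UNKNOWN;
    switch (der_read_header(buf, len, &pos, &clen)) {
    case 0x30: return FMT_DER_CERT;
    case 0x06: return FMT_DER_PKCS7;
    default:   return FMT_UNKNOWN;
    }
}

/* The conversion command that matches what the file actually contains. */
const char *suggested_command(enum cert_format f)
{
    switch (f) {
    case FMT_DER_CERT:  return "openssl x509 -inform DER -in IN.cer -out OUT.pem";
    case FMT_PEM_CERT:  return "openssl x509 -inform PEM -in IN.cer -out OUT.pem";
    case FMT_DER_PKCS7: return "openssl pkcs7 -inform DER -print_certs -in IN.cer -out OUT.pem";
    case FMT_PEM_PKCS7: return "openssl pkcs7 -inform PEM -print_certs -in IN.cer -out OUT.pem";
    default:            return "not a certificate or PKCS#7 object; inspect with: openssl asn1parse -inform DER -in IN.cer";
    }
}

/* Constructed samples: the DER ones are skeletons with only the leading tags
 * filled in, the PEM ones carry placeholder base64. None is a real certificate. */
static const unsigned char SAMPLE_DER_CERT[]  = { 0x30, 0x06, 0x30, 0x04, 0x02, 0x02, 0x01, 0x00 };
static const unsigned char SAMPLE_DER_PKCS7[] = { 0x30, 0x0B, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };   /* OID pkcs7-signedData */
static const char SAMPLE_PEM_CERT[] = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n";
static const unsigned char SAMPLE_PEM_PKCS7_BOM[] =
    "\xEF\xBB\xBF\r\n-----BEGIN PKCS7-----\r\nQUJDRA==\r\n-----END PKCS7-----\r\n";
static const char SAMPLE_BARE_BASE64[] = "MIIBxzCCATCgAwIBAgIJAK\n";  /* headerless text: neither PEM nor DER */

int main(void)
{
    printf("%s\n", suggested_command(sniff_cert_format(SAMPLE_DER_CERT, sizeof SAMPLE_DER_CERT)));
    printf("%s\n", suggested_command(sniff_cert_format(SAMPLE_PEM_PKCS7_BOM, sizeof SAMPLE_PEM_PKCS7_BOM - 1)));
    printf("%s\n", suggested_command(sniff_cert_format((const unsigned char *)SAMPLE_BARE_BASE64, sizeof SAMPLE_BARE_BASE64 - 1)));
    return 0;
}
```

Reading a file into a buffer and passing it to sniff_cert_format() is the whole integration; the value of the check is that it distinguishes the "my .cer is really PEM" and "my .cer is really a PKCS#7 bundle" cases, which produce the same ASN.1 error from openssl x509 -inform DER but need different commands.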

 



Re: Trouble with bidirectional shutdown

2008-10-03 Thread solveig . instantiations
DS

Thank you for your response. I have checked the error code using
SSL_get_error.

I get an SSL_ERROR_SYSCALL (5) return code, indicating an I/O error, but the
error queue is empty. My application continues to function. It is fetching
an HTML document over an HTTPS connection.

My concern is that, since I reuse the SSL handle, I should wait for it to be
completely closed rather than potentially overlap HTTPS requests.
Occasionally my application hangs during an HTTPS request on a dual core
Inspiron when the HTTPS requests come one on the heels of another.

Can you tell me anything more about what sorts of conditions would cause an
SSL_ERROR_SYSCALL error?

Regards,
Solveig

On Tue, Sep 30, 2008 at 5:49 PM, David Schwartz [EMAIL PROTECTED] wrote:


 Solveig Viste wrote:

  I have an application which is occasionally hanging.
  I have tracked it down to an SSL_shutdown call.

  The value (0) returned from the shutdown call indicates
  that the shutdown is not finished.

 As happens with non-blocking sockets, sometimes the operation does not
 complete and you have to retry the operation later.

  The shutdown man page indicates that a second call to
  SSL_shutdown should cause a bidirectional shutdown,

 A subsequent retry of the operation will complete if and only if whatever
 the first shutdown was waiting for has happened.

  and I thought this is indeed what the application calls for.
  However, when I make the second call to SSL_shutdown,
  the value returned is still 0 (shutdown not finished)
  rather than 1 (shutdown complete) or -1 (shutdown not successful).

 Did you check the error code? Was it WANT_READ or WANT_WRITE? Did you wait
 for the appropriate operation to be ready?

  Is this recently added behavior? Does the SSL handle
  need to have certain properties in order to get a
  bidirectional shutdown?

 You need to handle an organized shutdown the way you handle any other
 operation on a non-blocking connection that might take time to complete.

 DS






-- 
Solveig Viste
Instantiations
VA Smalltalk Support
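An added example, not code from the thread, of the decision the reply above describes: treat SSL_shutdown() like any other non-blocking operation, look at SSL_get_error(), and retry when the socket is ready. It is written so it builds without OpenSSL: the SSL_ERROR_* values are copied from <openssl/ssl.h>, classify_shutdown() is a name chosen here, and its inputs are the values a caller would take from SSL_shutdown(), SSL_get_error(), ERR_peek_error() and errno right after the call. It also covers the case in the follow-up message, SSL_ERROR_SYSCALL with an empty error queue, which the SSL_get_error documentation describes as a transport-level EOF rather than a TLS failure.

```c
#include <errno.h>
#include <stdio.h>

/* Values copied from <openssl/ssl.h> so this file builds without the library;
 * real code includes the header instead of redefining them. */
enum { SSL_ERROR_NONE = 0, SSL_ERROR_SSL = 1, SSL_ERROR_WANT_READ = 2,
       SSL_ERROR_WANT_WRITE = 3, SSL_ERROR_SYSCALL = 5, SSL_ERROR_ZERO_RETURN = 6 };

enum shutdown_action {
    SHUTDOWN_DONE,           /* close_notify sent and received: the handle may be reused */
    SHUTDOWN_CALL_AGAIN,     /* our close_notify is out; call SSL_shutdown() again for the peer's */
    SHUTDOWN_WAIT_READABLE,  /* retry once select()/poll() reports the socket readable */
    SHUTDOWN_WAIT_WRITABLE,  /* retry once the socket is writable */
    SHUTDOWN_PEER_EOF,       /* peer closed TCP without close_notify: nothing more will arrive */
    SHUTDOWN_FATAL           /* protocol or socket error: free the handle, do not reuse it */
};

/* ret    return value of SSL_shutdown()
 * err    SSL_get_error(ssl, ret)
 * queued ERR_peek_error(); 0 means the error queue is empty
 * sys    errno captured immediately after the call */
enum shutdown_action classify_shutdown(int ret, int err, unsigned long queued, int sys)
{
    if (ret == 1)
        return SHUTDOWN_DONE;
    if (ret == 0) {
        /* The SSL_shutdown(3) man page warns that after a 0 return SSL_get_error()
         * may report a spurious SSL_ERROR_SYSCALL; the right response is simply a
         * second SSL_shutdown() once the peer's close_notify can be read. */
        return SHUTDOWN_CALL_AGAIN;
    }
    switch (err) {
    case SSL_ERROR_WANT_READ:
        return SHUTDOWN_WAIT_READABLE;
    case SSL_ERROR_WANT_WRITE:
        return SHUTDOWN_WAIT_WRITABLE;
    case SSL_ERROR_SYSCALL:
        /* Empty queue: the failure came from the transport, not from TLS. errno 0
         * there is how OpenSSL reports EOF, i.e. the peer dropped the connection
         * instead of sending close_notify; any other errno is a real socket error. */
        if (queued == 0 && sys == 0)
            return SHUTDOWN_PEER_EOF;
        return SHUTDOWN_FATAL;
    default:
        return SHUTDOWN_FATAL;              /* SSL_ERROR_SSL and anything unexpected */
    }
}

const char *shutdown_action_name(enum shutdown_action a)
{
    static const char *names[] = { "done", "call again", "wait readable",
                                   "wait writable", "peer EOF", "fatal" };
    return names[a];
}

int main(void)
{
    /* Constructed scenarios, in the order a non-blocking close usually goes. */
    printf("first call returned 0      -> %s\n", shutdown_action_name(classify_shutdown(0, SSL_ERROR_SYSCALL, 0, 0)));
    printf("second call, peer not yet  -> %s\n", shutdown_action_name(classify_shutdown(-1, SSL_ERROR_WANT_READ, 0, 0)));
    printf("second call, notify read   -> %s\n", shutdown_action_name(classify_shutdown(1, SSL_ERROR_NONE, 0, 0)));
    printf("peer dropped TCP instead   -> %s\n", shutdown_action_name(classify_shutdown(-1, SSL_ERROR_SYSCALL, 0, 0)));
    printf("socket reset by peer       -> %s\n", shutdown_action_name(classify_shutdown(-1, SSL_ERROR_SYSCALL, 0, ECONNRESET)));
    return 0;
}
```

The loop around it is the same as for SSL_read() or SSL_write(): call SSL_shutdown(), classify the result, and on WAIT_READABLE or WAIT_WRITABLE go back to select()/poll() before calling again; only SHUTDOWN_DONE means both close_notify alerts have been exchanged, which is the state to reach before the SSL handle is reused for the next request.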


Simple patch to crypto/sha/Makefile avoiding compile crash on IA64

2008-10-03 Thread Amadeu A. Barbosa Jr
Hi all,

I got a problem compiling openssl-SNAP-20081003 on IA64 (the same with older
versions of the 0.9.9 dev source), like this:

making all in apps...
make[1]: Entering directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
rm -f openssl
shlib_target=; if [ -n libcrypto.so.0.9.9 libssl.so.0.9.9 ]; then \
shlib_target=linux-shared; \
fi; \
LIBRARIES=-L.. -lssl  -L.. -lcrypto ; \
make -f ../Makefile.shared -e \
APPNAME=openssl OBJECTS=openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o
rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o
genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o
app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o
pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o
prime.o ts.o \
LIBDEPS= $LIBRARIES -ldl \
link_app.${shlib_target}
make[2]: Entering directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
../libcrypto.so: undefined reference to `sha1_block_data_order'
collect2: ld returned 1 exit status
make[2]: *** [link_app.gnu] Error 1
make[2]: Leaving directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
make[1]: *** [openssl] Error 2
make[1]: Leaving directory `/nethome/a/amadeu/prodapp/openssl-0.9.9/apps'
make: *** [build_apps] Error 1

The cause of problem is:
$ ls -s crypto/sha/sha*.s
 0 crypto/sha/sha1-ia64.s   8 crypto/sha/sha256-ia64.s  16 crypto/sha/sha512-ia64.s

Note that sha1-ia64.s is empty! That is because
crypto/sha/asm/sha1-ia64.pl is generating an empty file. This occurs
because the Makefile fills in the command line for sha1-ia64.pl incorrectly.

The following patch on crypto/sha/Makefile makes it all right:

openssl-SNAP-20081003$ diff -up crypto/sha/Makefile crypto/sha/Makefile.new

--- crypto/sha/Makefile 2008-01-13 21:00:27.0 -0200

+++ crypto/sha/Makefile.new 2008-10-03 16:47:35.0 -0300

@@ -50,7 +50,7 @@ sha512-586.s: asm/sha512-586.pl ../perla

$(PERL) asm/sha512-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR)  $@



 sha1-ia64.s:   asm/sha1-ia64.pl

-   (cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) )  $@

+   (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS))

 sha256-ia64.s: asm/sha512-ia64.pl

(cd asm; $(PERL) sha512-ia64.pl ../$@ $(CFLAGS))

 sha512-ia64.s: asm/sha512-ia64.pl
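Review bot: the target's only prerequisite is asm/sha1-ia64.pl, so a tree that already holds the empty sha1-ia64.s will consider it up to date and never run the corrected recipe; the report should tell anyone applying the patch to delete crypto/sha/sha1-ia64.s (or make clean) before rebuilding. The new recipe, (cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS)), has the same shape as the sha256-ia64.s recipe in the context lines, which passes the output path as the script's first argument and lets the script open it, whereas the old form handed $(CFLAGS) as the first argument and relied on a stdout redirection that the shell created as an empty $@ before perl ran, which is exactly the empty file reported above.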



The first argument for sha1-ia64.pl should be the .s file and not
$CFLAGS. I tested it and it works fine for me.

Is it enough to report this here? Should I report this someplace else?
-- 
Amadeu A. Barbosa Jr :: http://www.inf.puc-rio.br/~ajunior