Re: ecdsa public key output
Hello I generated the certificate programmatically, but I shall look at the ecparam.c file and see how the public key is generated there and do the same. The jave keytool-generated certificate did not have any extensions attached, so I am guessing those can be stripped. The code I used for generating a self-signed certificate is below, stripped of error handling: EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1); EC_KEY_generate_key(ec_key); EC_KEY_check_key(ec_key); EVP_PKEY *pk = EVP_PKEY_new(); EVP_PKEY_assign_EC_KEY(pk, ec_key); f = fopen(root-ecdsa160.key, w); PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL); fclose(f); FILE *f; X509 *x; x=X509_new(); X509_NAME *name = X509_get_subject_name(x); X509_set_version(x, 2); ASN1_INTEGER_set(X509_get_serialNumber(x), 3); X509_gmtime_adj(X509_get_notBefore(x), 0); X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365); X509_set_pubkey(x, pk); X509_NAME_add_entry_by_txt(name, CN, MBSTRING_ASC, (const unsigned char*) Testing Team, -1, -1, 0); X509_NAME_add_entry_by_txt(name, O, MBSTRING_ASC, (const unsigned char*) client, -1, -1, 0); X509_set_issuer_name(x, name); X509_sign(x, pk, EVP_ecdsa()); f = fopen(root-ecdsa160.crt, w); PEM_write_X509(f, x); fclose(f); Thank you for the help. Laura Carlo Milono wrote: How did you make your EC certificates? Here is the result (truncated as yours is) by using OpenSSL - I had to use a Name Constraint and a prime curve @ 384 for a proof-of-concept: ... Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:fa:b7:e7:c8:15:0b:26:5c:b4:d6:53:62:09:66: 7e:6e:15:05:ee:cc:2b:ff:f9:dd:8d:4f:ed:de:35: 56:41:ce:b4:52:4e:c5:99:46:30:b7:81:31:29:cd: 5f:0d:b9:a3:ec:12:c5:47:f1:0b:09:1c:76:fe:e5: e2:d3:04:97:3c:ac:ad:b6:e8:83:8b:b0:c2:39:ac: 8e:a2:86:59:a0:0b:0a:09:b1:75:5b:2e:83:b6:7e: c0:ad:8f:24:54:d4:9a ASN1 OID: secp384r1 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Name Constraints: Excluded: IP:10.105.150.234/255.255.254.0 ... The above is the result of the following command-lines: openssl ecparam -out myECkey.pem -name secp384r1 -genkey openssl req -new -key myECkey.pem -out req.out -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Laura Arhire Sent: Tuesday, August 18, 2009 12:55 AM To: openssl-users@openssl.org Subject: ecdsa public key output Hello I'm trying to import ecdsa certificates for a java server using the java keytool utility. After having had trouble with openssl generated certificates, I generated a certificate using the keytool utility to see what the difference is. Upon running the openssl x509 -in cert.crt -noout -text command on this certificate, the output I get is (only public key info for brevity): Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed: 79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86: 4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac * ASN1 OID: secp160k1* Which is different from the openssl generated certificates in that it has the curve name in the public key, instead of the curve parameters. The same data (ASN1 OID: secp160k1) in an openssl certificate is: Field Type: prime-field Prime: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:fe:ff:ff:ac:73 A:0 B:7 (0x7) Generator (uncompressed): 04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36: f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b: c2:82:86:53:17:33:c3:f0:3c:4f:ee Order: 01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df: ab:9a:ca:16:b6:b3 Cofactor: 1 (0x1) The keytool output does not seem to be incorrect according to RFC 5280, which defines SubjectPublicKeyInfo ::= SEQUENCE { algoritmAlgorithmIdentifier subjectPublicKey BIT STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } unless I am reading this wrong, but the way algorithm parameters are defined seem to allow for both variants. I'm looking into making the java certificate store understand openssl-generated certificates (possibly with 3rd party APIs) as that would make my life easier. However, at the same time I'm trying to tackle the problem at the other end, so I was also wondering if I can get (maybe programatically ?), openssl to output the public key info in the way in which the keytool
Re: [openssl verify] [lookup:unable to get issuer certificate]
Please see if you have created certificates correctly : http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ This may help. Regards, Abhishek 2009/8/19 Matthias Güntert matzeguent...@gmx.de Can someone please shed some light on this? This are the test-certificates I have been using. I figured it out: $ man 1 verify [...] -CAfile file: A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together. [...] $ cat rootCA.crt subRootCA.crt ca.crt $ openssl verify -CAfile rootCA.crt subRootCA.crt subRootCA.crt: OK $ openssl verify -CAfile ca.crt client.crt client.crt: OK et voila... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Prevent concurrent operator in FIPS mode
On Wed, Aug 19, 2009, Carlo Milono wrote: [cm] My Public Sector Customers seem happy with the functionality, though not without a shock: many of their certificates were signed with MD5 (and MD2) and our application now happily rejects them (and their CA was self-signed with MD5, so ditto their CA). Note that the current unreleased version of OpenSSL 0.9.8 (which will be 0.9.8l) will by default ignore the root CA signature for efficiency purposes. A side effect of this is that as long as only the root CA uses a non-FIPS algorithm (e.g. MD5) it will work. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PEM_read is always returning null
Why dont you try something as, X509* user_cert = NULL; if ((user_cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL) { /* Error */ } or with a bio as, X509 *x = NULL; if (!PEM_read_bio_X509(bp, x, 0, NULL)) { /* Error */ } On Tue, Aug 18, 2009 at 5:24 AM, Azlan mohanvarma...@gmail.com wrote: Azlan wrote: Hello every one..I'm working with an application in which a module should read a pem certificate successfully.I've written 2 types of programs, but both are failing(PEM_read constantly returning null )..here are my codes.. #includestdio.h #include string.h #include openssl/crypto.h #include openssl/err.h #include openssl/bio.h #include openssl/evp.h #include openssl/objects.h #include openssl/x509.h #include openssl/pem.h int main( int argc,char *argv[]) { FILE *fp; X509 *x=X509_new(); if(x==NULL) printf(error\n); fp=fopen(argv[1],r); PEM_read_X509(fp,x,NULL,NULL); if(x==NULL) printf(error reading \n); else printf(reading success\n); fclose(fp); X509_free(x); return(0); } here is my second one..using bio do { X509 *x509Cert/*=X509_new(); result is same even if this statement is X509 *x509Cert = X509_new(); */ BIO *cert; if ((cert=BIO_new(BIO_s_file())) == NULL) { printf(Error Initializing BIO pointer); break; } if (BIO_read_filename(cert,argv[1]) = 0) { printf(Error opening file\n); break; } if (PEM_read_bio_X509(cert,x509Cert,NULL,NULL)!=NULL) { printf(\nReading from file success!\n); } }while(0); Both programs are returning NULL out of PEM_read. Even though i found similar post sabout PEM_read, none of them is solving my problem..please help me with this.. Thank you in advance. Sorry..I forgot to mention something.. In my first program,the result would be reading success..the problem is PEM_read_X509(fp,x,NULL,NULL) is not returning valid X509 into x(it's returning null..u can check by if(PEM_read_X509(fp,x,NULL,NULL)==NULL).Even after the call of function PEM_read; x has the previous value(X509_new() which is not null).Thats why out put is reading success. Please help me getting out of this. Thanks. -- View this message in context: http://www.nabble.com/PEM_read-is-always-returning-null-tp25022589p25023748.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Howto create a certificate for multiple domains?
Hi There: If you're looking for a cookbook, and want a fairly comprehensive explanation of how all of the moving parts work: http://www.carillon.ca/library/openssl_testca_howto_1.2.pdf Have fun. Patrick. On August 19, 2009 07:18:39 am deblarinteln wrote: Hi Goetz, *, There is the man page x509v3_config. It should contain the info you need. A hint: x509v3_config describes data found in the openssl.cnf file. So this data is used on creating a certificate / CSR... well I have created a certificate with all neccessary data. At least I think I've done it right. And yes, as you said, crypto isn't a thing to deal with, if you haven't got at least a minor understanding of what one is doing. Well, I think that I do have at least a minor understanding, but on the other hand I'm not that far, that I know how to deal with some sorts of jobs I need to do. Just as like as the one I'm still working on. A certificate for some subdoimains and the maindomain. All dmians should have the same cerfcate. C:\ssldir Datenträger in Laufwerk C: ist System Volumeseriennummer: F8B1-B3F8 Verzeichnis von C:\ssl 19.08.2009 12:47DIR . 19.08.2009 12:47DIR .. 19.08.2009 10:01 1.024 .rnd 19.08.2009 10:02 1.407 cacert.pem 19.08.2009 10:02 963 cakey.pem 19.08.2009 12:55 2.013 cert.p12 21.07.2009 09:32DIR certs 21.07.2009 09:32 0 database.txt 19.08.2009 10:06 963 key.pem 21.07.2009 09:32DIR keys 19.08.2009 10:09 822 req.pem 21.07.2009 09:32DIR requests 21.07.2009 09:32 0 serial.txt 8 Datei(en), 7.192 Bytes 5 Verzeichnis(se), 493.483.315.200 Bytes frei C:\sslopenssl x509 -text -in cacert.pem Certificate: Data: Version: 3 (0x2) Serial Number: ab:49:2d:9c:cd:b2:e2:b5 Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Niedersachsen, L=somewhre, O=x GmbH, OU=Administr ation, CN=somename/emailaddress=some...@mydomain.tld Validity Not Before: Aug 19 08:02:58 2009 GMT Not After : Aug 18 08:02:58 2012 GMT Subject: C=DE, ST=Niedersachsen, L=somewhere, O=x GmbH, OU=Administ ration, CN=somename/emailaddress=i...@mydomain.tld Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d6:03:54:4b:b4:13:e8:cd:97:49:6f:ae:11:c4: 2b:04:ec:b2:b1:06:4b:8f:71:ba:85:fa:10:14:6d: 88:be:7f:37:53:15:3b:39:4e:26:9d:02:ba:3c:bd: 6e:3e:db:33:a0:19:f0:b2:cf:ef:42:30:03:7d:9a: 2b:04:85:af:3e:03:51:d3:2b:f6:af:56:38:38:93: e4:8a:2d:1f:ed:86:53:a8:33:9a:06:6e:cf:c6:ec: 6c:37:d7:90:d6:19:02:69:6f:93:0d:d7:d8:6d:11: 96:1b:d2:16:51:09:2a:f5:f3:c3:3a:19:ce:bc:ef: 26:b2:77:33:03:a9:eb:6c:31 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: A8:75:05:9B:F0:02:C7:F5:0E:99:34:97:3D:25:E0:01:9E:29:AA:10 X509v3 Authority Key Identifier: keyid:A8:75:05:9B:F0:02:C7:F5:0E:99:34:97:3D:25:E0:01:9E:29:AA:1 0 DirName:/C=DE/ST=Niedersachsen/L=Rinteln/O=x GmbH/OU=Admi nistration/CN=somename/emailaddress=i...@mydomain.tld serial:AB:49:2D:9C:CD:B2:E2:B5 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 2e:2f:33:0c:4a:88:df:88:d2:6c:23:93:a7:41:d9:12:14:f4: 7f:8e:10:a0:d5:d5:d4:7e:d2:d1:02:d3:37:9e:19:b3:e6:48: 7e:3e:f2:90:8b:3c:b2:d2:e6:90:eb:4d:a3:3d:4f:30:d9:a7: 12:98:06:6d:02:62:c3:83:41:60:d4:3c:c6:97:03:0c:ec:fc: f5:62:94:06:20:5a:cc:f9:e7:c8:e9:bd:90:f4:2b:9d:d6:c7: 96:53:a5:03:45:b2:04:90:db:5a:f2:b9:23:89:4f:10:e9:29: b7:a1:47:60:01:72:42:c5:50:91:19:60:b8:7f:64:7b:98:d7: 72:f3 -BEGIN CERTIFICATE- MIID4zCCA0ygAwIBAgIJAKtJLZzNsuK1MA0GCSqGSIb3DQEBBQUAMIGoMQswCQYD VQQGEwJERTEWMBQGA1UECBMNTmllZGVyc2FjaHNlbjEQMA4GA1UEBxMHUmludGVs bjEWMBQGA1UEChMNRGVCbGFUZWsgR21iSDEXMBUGA1UECxMOQWRtaW5pc3RyYXRp b24xGDAWBgNVBAMTD0Rlbm5pcyBCbGF1bWFubjEkMCIGCSqGSIb3DQEJARYVZGJs YXVtYW5uQGRlYmxhdGVrLmRlMB4XDTA5MDgxOTA4MDI1OFoXDTEyMDgxODA4MDI1 OFowgagxCzAJBgNVBAYTAkRFMRYwFAYDVQQIEw1OaWVkZXJzYWNoc2VuMRAwDgYD VQQHEwdSaW50ZWxuMRYwFAYDVQQKEw1EZUJsYVRlayBHbWJIMRcwFQYDVQQLEw5B ZG1pbmlzdHJhdGlvbjEYMBYGA1UEAxMPRGVubmlzIEJsYXVtYW5uMSQwIgYJKoZI hvcNAQkBFhVkYmxhdW1hbm5AZGVibGF0ZWsuZGUwgZ8wDQYJKoZIhvcNAQEBBQAD gY0AMIGJAoGBANYDVEu0E+jNl0lvrhHEKwTssrEGS49xuoX6EBRtiL5/N1MVOzlO Jp0Cujy9bj7bM6AZ8LLP70IwA32aKwSFrz4DUdMr9q9WODiT5IotH+2GU6gzmgZu
Signing a file using HMAC
Hello, I am using the dgst command to sign a file, I'm also using the -hmac option. I then want to verify the signature by decrypting it and checking the hash. The problem is the hash never seems to match. For example, if i sign the string foo I get the hash below $ echo foo | openssl dgst -sha512 -hmac bar 3e45850d52569540b8c162069831869e867dc46efb753ec0dac42c7a88b14f6a56e1ce54b1b75564acf056d5faedd82f859b8bf8430a7b275704de3651f07eee However, if I do the same thing, but sign it and then decrypt it, I get a completely different hash $ echo foo | openssl dgst -sha512 -hmac bar -sign priv | openssl rsautl -verify -inkey priv | openssl asn1parse -inform DER 0:d=0 hl=2 l= 81 cons: SEQUENCE 2:d=1 hl=2 l= 13 cons: SEQUENCE 4:d=2 hl=2 l= 9 prim: OBJECT:sha512 15:d=2 hl=2 l= 0 prim: NULL 17:d=1 hl=2 l= 64 prim: OCTET STRING [HEX DUMP]:DEEF13827724A82A7FAA3C89F46145A41FE983380B5479A9488A9C7728557BCAF96FE2DE6A1CFFC38384F4160D446BD51E82098BDD1B55A1B1EA49B9A8B2C199 If I don't use the hmac option then the hashes are always the same. $ echo foo | openssl dgst -sha512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6 $ echo foo | openssl dgst -sha512 -sign priv | openssl rsautl -verify - inkey priv | openssl asn1parse -inform DER 0:d=0 hl=2 l= 81 cons: SEQUENCE 2:d=1 hl=2 l= 13 cons: SEQUENCE 4:d=2 hl=2 l= 9 prim: OBJECT:sha512 15:d=2 hl=2 l= 0 prim: NULL 17:d=1 hl=2 l= 64 prim: OCTET STRING [HEX DUMP]: 0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6 I know I could verify the signature using the -verify option of the dgst command (which works). But the project I'm working on is unable to use openssl for the verification part. So I need to hash that openssl generates to be something predictable. I'm using OpenSSL 0.9.8k 25 Mar 2009, on linux Any help would be appreciated Toby __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Signing a file using HMAC
toby.wa...@fxhome.com wrote: Hello, I am using the dgst command to sign a file, I'm also using the -hmac option. I then want to verify the signature by decrypting it and checking the hash. The problem is the hash never seems to match. It's unclear to me what you are trying to accomplish conceptually. HMAC has nothing to do with signing, but is a keyed hash used as an authenticator for (possibly) pairwise message authentication. It cannot function as a signature, because it cannot be verified by a third party. Pick one. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Creating CA certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 vishal saraswat wrote: | Hi all, Hello vishal, | I am sorry, I forgot to tell you that the final PEM I create is composed | of key and certificate both. | | cat server_key.pem server server_cert.pem server.pem | Now I suppose that one a client is successfully connected it should | return me code as 0 and an OK message. Right? But I get return value as | 7(Certificate Signature Failure), 21(Unable to verify the first | certificate.) Does the client have the CA certificate that signed the server certificate ? If not (and it seems to that it hasn't) it can't verify the server certificate. Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFKjciT2iGqZUF3qPYRAruIAJ9twUzXhu1BwbVHceBMmpeQTqlX7wCggjKv Fep+kdpcRucq7clenshexMw= =ktZh -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Question regarding PEM_read_bio_X509()
I have a PEM-format server certificate that I need to convert to a binary structure as defined in section 7.4.2. (Server Certificate) of RFC5246 (TLS v1.2). Server certificate (in PEM format), residing as a text file in the filesystem | | V Load into buffer in memory with structure as defined in RFC5246: opaque ASN.1Cert1..2^24-1; struct { ASN.1Cert certificate_list0..2^24-1; } Certificate; certificate_list Also, I will need to do the reverse: converting a binary buffer in memory (with the structure above) into a PEM-format server certificate. My question is: are there OpenSSL routines that do this? I have looked at X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); but it is not clear to me how I should handle (BIO* bp). If this function indeed does what I need, how would I convert my memory buffer to a BIO, and vice versa? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Question regarding PEM_read_bio_X509()
On Wed, Aug 19, 2009, barcaroller wrote: I have a PEM-format server certificate that I need to convert to a binary structure as defined in section 7.4.2. (Server Certificate) of RFC5246 (TLS v1.2). Server certificate (in PEM format), residing as a text file in the filesystem | | V Load into buffer in memory with structure as defined in RFC5246: opaque ASN.1Cert1..2^24-1; struct { ASN.1Cert certificate_list0..2^24-1; } Certificate; certificate_list Also, I will need to do the reverse: converting a binary buffer in memory (with the structure above) into a PEM-format server certificate. My question is: are there OpenSSL routines that do this? I have looked at X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); but it is not clear to me how I should handle (BIO* bp). If this function indeed does what I need, how would I convert my memory buffer to a BIO, and vice versa? The functions d2i_X509() and i2d_X509() will do what you want, check out the manual pages and the FAQ to avoid a common mistake with these functions. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: PEM_read is always returning null
From: owner-openssl-us...@openssl.org On Behalf Of Azlan Sent: Tuesday, 18 August, 2009 08:24 Hello every one..I'm working with an application in which a module should read a pem certificate successfully.I've written 2 types of programs, but both are failing(PEM_read constantly returning null )..here are my codes.. trimmed errorhandling and cleanup for clarity FILE *fp; X509 *x=X509_new(); fp=fopen(argv[1],r); PEM_read_X509(fp,x,NULL,NULL); if(x==NULL) printf(error reading \n); else printf(reading success\n); here is my second one..using bio X509 *x509Cert/*=X509_new(); result is same even if this statement is X509 *x509Cert = X509_new(); */ This is a local or 'auto' variable in C and not implicitly initialized. Either initialize it to NULL or to a good value such as X509_new(), but don't leave it garbage. Probably on your system it happened to be zero = NULL and you were lucky, but you shouldn't rely on that. BIO *cert; if ((cert=BIO_new(BIO_s_file())) == NULL) error if (BIO_read_filename(cert,argv[1]) = 0) error if (PEM_read_bio_X509(cert,x509Cert,NULL,NULL)!=NULL) Both programs are returning NULL out of PEM_read. Even though i found similar post sabout PEM_read, none of them is solving my problem..please help me with this.. Thank you in advance. Are you sure the file you are reading is in fact a PEM cert? Both your codes work correctly for me when reading a valid file, after fixing the initialization in the BIO version. Sorry..I forgot to mention something.. In my first program,the result would be reading success..the problem is PEM_read_X509(fp,x,NULL,NULL) is not returning valid X509 into x(it's returning null..u can check by if(PEM_read_X509(fp,x,NULL,NULL)==NULL).Even after the call of function PEM_read; x has the previous value(X509_new() which is not null).Thats why out put is reading success. Right. The d2i_whatever and PEM_read_whatever routines follow (AFAIK always) the pattern that - if the handle argument is NULL or handle that _contains_ NULL, they allocate a new whatever for the data and return a pointer to it, AND store that pointer into handle if handle is nonNULL, but if there is an error they return NULL and DON'T allocate - if the handle argument is a pointer to an already allocated whatever, they use it (and don't allocate) and return it; if there is an error, they return NULL but leave the existing whatever allocated. The idea is that you allocated it, so you decide if and when to deallocate it. It's simplest to pass NULL, let the library allocate and use (only) the return value, but if you want to pre-allocate yourself, check the return value for success/fail NOT the handle_arg value. If the return value is NULL, call ERR_print_errors[_fp] or code a loop with ERR_get_error and whatever display you like. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Creating CA certificates
From: owner-openssl-us...@openssl.org On Behalf Of vishal saraswat Sent: Tuesday, 18 August, 2009 07:44 I am sorry, I forgot to tell you that the final PEM I create is composed of key and certificate both. cat server_key.pem server server_cert.pem server.pem I read on some blogs that some server require both to be in one file that why to be on safer side I started following this practice. I hope its fine. It's OK. OpenSSL commandline does not require this, but does allow it. Now I suppose that one a client is successfully connected it should return me code as 0 and an OK message. Right? But I get return value as 7(Certificate Signature Failure), 21(Unable to verify the first certificate.) Signature failure? Not just unable to get issuer? To verify, any client does need to have available the CA cert that signed the cert the server uses. In the general case with the client on a different machine than the server this must be a copy, and thus you need to make sure the right file (version) gets copied, but for loopback testing you can use the same file(s). s_client supports two ways: a single file containing either one CAcert or several concatenated, specified with -CAfile; or a directory specified by -CApath that contains a file for each CA cert with its filename or a symlink to it using the hash of the cert's name, allowing lookup. In your earlier email s_client specified neither of these and should have gotten 20 unable to get local issuer cert (and 21 unable to verify). I think the only way you should get signature failure is if you give s_client a CAcert which is for the correct CA name but has a different public key. Perhaps, if you've tried this (sort of) test several times, the file from an earlier iteration. p.s. - Can I connect multiple s_client to a single s_server ? In sequence, but not concurrently. For that you need a real server. G __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org