TLS CA Certificate Loading in DER format
Hi, I am to use TLS for securing an application's data transfer. For development purposes I have been using a dummy set of certificates in PEM format. The currently used "SSL_CTX_load_verify_locations" API requires that the certificate be in PEM format. However, in real time scenario, the application being developed MUST make use of certificates in DER format as per the requirements. So I wanted to know whether there is a way to load CA certificates in DER format using any SSL APIs. My search till now for such an API has been unfruitful. Thanks in Advance. -- Thanks Regards Chaitra Shankar __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA OAEP encrypt with a label
Thank you Martin. I have tried using the function, however using the
code I have pasted below I get the error Error = oaep decoding error
when trying to unpadd to retrieve the original data.
For simplicity the code I have added here does not encrypt/decrypt, but
only attempts to pad and unpadd.
What could be the cause of this problem here?
--
ERR_load_RSA_strings();
int status;
const int RSA_LENGTH = 256;
const int LABEL_LENGTH = 10;
const int PADDED_DATA_LENGTH = 256;
const int ORIGINAL_DATA_LENGTH = 16;
unsigned char paddedData[PADDED_DATA_LENGTH];
unsigned char unPaddedData[ORIGINAL_DATA_LENGTH];
unsigned char originalData[ORIGINAL_DATA_LENGTH] =
{ 0x4C, 0x2E, 0x20, 0x4C, 0x65, 0x74, 0x27, 0x73,
0x20, 0x68, 0x6F, 0x70, 0x65, 0x0D, 0x0A, 0x00 };
unsigned char label[LABEL_LENGTH] =
{ 0xB8, 0x37, 0xA4, 0x26, 0xA8,
0xBF, 0x8A, 0xA0, 0xBE, 0xEB };
status = RSA_padding_add_PKCS1_OAEP
( paddedData, PADDED_DATA_LENGTH,
originalData, ORIGINAL_DATA_LENGTH,
label, LABEL_LENGTH );
status = RSA_padding_check_PKCS1_OAEP
( unPaddedData, ORIGINAL_DATA_LENGTH,
paddedData, PADDED_DATA_LENGTH,
RSA_LENGTH, label, LABEL_LENGTH );
if ( status == -1 ) {
std::cout Unpadding failed! ;
printf(Error = %s\n,ERR_reason_error_string(ERR_get_error()));
}
else {
std::cout Unpadding was OK! Lenght of the recovered data:
status std::endl;
}
--
Thank for all help so far :)
- Einar
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: How to re-use a socket with a new SSL session?
On Fri, Sep 11, 2009 at 12:51:15PM +1000, Andrew Sumner wrote: Victor, you've just described exactly what I've been trying to do. A clean shutdown on both sides, socket connection left open, then a client HELLO after which both sides initiate SSL again. I just can't seem to find a method of doing it that actually works. Initially, does your client build an SSL connection over an already (TCP) established connection passed to it as a file descriptor? Initially, does your server accept an SSL connection over an already (TCP) established connection passed to it as a file descriptor? Do both parties call SSL_shutdown() at least once, and a second time if the initial return value is zero? Do you use an external session cache (store serialized SSL_SESSION objects) in a store accessible to multiple processes via IPC or an appropriate shared resource with robust locking? If so, the re-connect will be efficient, if you pre-load the saved session into the client SSL state. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
load certificate into rsa
Dear Group, I want to use the openssl crypt library to sign and verify messages. Apparently I can use a RSA struct and RSA_sign and RSA_verify for that. however my certificates are of the form -BEGIN CERTIFICATE- MIIDDTCCAnagAwIBAgIJAMWKwoNrQvTvMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV ... -END CERTIFICATE- how ever can I load such a certificate into my RSA struct? concerning encryption, for public and private keys I could use PEM_read_RSAPublicKey and PEM_read_bio_RSAPublicKey to load my keys. Are there methods like this for certificates and certificate private keys? Thank You! Michael
Re: load certificate into rsa
On Fri, Sep 11, 2009, Michael Prinzinger wrote: Dear Group, I want to use the openssl crypt library to sign and verify messages. Apparently I can use a RSA struct and RSA_sign and RSA_verify for that. however my certificates are of the form -BEGIN CERTIFICATE- MIIDDTCCAnagAwIBAgIJAMWKwoNrQvTvMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV ... -END CERTIFICATE- how ever can I load such a certificate into my RSA struct? concerning encryption, for public and private keys I could use PEM_read_RSAPublicKey and PEM_read_bio_RSAPublicKey to load my keys. Are there methods like this for certificates and certificate private keys? The low level RSA_sign() and RSA_verify() functions shouldn't be used to sign bulk data. Instead you should use the EVP_Sign*() and EVP_Verify*() interface. There you use a generalised key structure EVP_PKEY. You can get a public key from a certificate using X509_get_pubkey(). You can get a private key into an EVP_PKEY structure using PEM_read_PrivateKey() and a certificate into an X509 structure using PEM_read_X509(). See the manual pages for more information and actual examples. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: A PKI in a web page
Actually I am looking for a simple software with command line interface to operate a CA, sub-CA then client and server certs, that is eventually capable of publishing into the web public certs and crl / policies. If I can't find a package around openssl, I will probably end up using direct openssl commands ..., but I need something to publish CA certificate and CRL on a web page . http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 was very good at that, but it dates now from 2005, I'am afraid it won't be updated . Here's a list of opensource pki software I run into with my comment (#) http://ejbca.sourceforge.net/ #complex and no tomcat (jboss etc ...) http://pki.openca.org/ #complex http://www.opentrust.com/index.php?lang=en #licence ... http://www.newpki.org/ # Last update December 14, 2005 http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 #What I use but dates 2005-10-22 http://tinyca.sm-zone.net/ #Last update 2006, perhaps too much gui ? gtk ! http://www.pyca.de/ # Last update 29-Apr-2003 http://www.vpnc.org/SimpleCA/ #no date !? http://xca.sourceforge.net/ #Last update 2007 http://www.cymc.online.fr/openwebpki/ #windows only http://sourceforge.net/projects/phpki/ #perhaps too gui (web) , no-way to use direct cli !? no fully tested yet ... other list http://middleware.internet2.edu/hepki-tag/opensrc.html If you have others ? let me know, thanks . Mounir IDRASSI a écrit : Hi, You can have a look at PHPki (http://sourceforge.net/projects/phpki) : it's has the advantage of publishing a CRL and certificates on a web pages, plus enrollment and revocation pages. It's based on PHP and it invokes the openssl utility with conf files created on the fly for each operation. I have been using it for a year now and it was easy to modify it to accommodate my own requirements (like supporting SHA1 instead of the default MD5 and adding new templates). I hope it can be useful for you as it is for me. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr jehan procaccia wrote: Good initiative I'll give it a try ... although I am looking for intermediate size PKI free software, I am a bit confused with large scale software like openca or ejbca , too complex :-( I used to operate my pki with a perl-openssl package from http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 but it dates from 2005 without evolution ... Now that I am about to re-create a new root, I'am looking for a new software very close to openssl with command line interface, but still able to publish crl and certs on a web page . any advice ? Regards . Richard Salz a écrit : From my blog, at https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10 I'm making available my small set of web pages and Perl script that implement a self-service PKI built around OpenSSL. The Perl script and config are under 250 lines and the couple of web pages involved are under 200 lines; there's also a couple of screen shots to guide someone through installing a cert on Microsoft Windows. It's all in the public domain. Enjoy. -- STSM, DataPower CTO WebSphere Appliance Architect http://www.ibm.com/software/integration/datapower/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: A PKI in a web page
CSP-0.34 dates from 2007. ftp://ftp.su.se/pub/users/leifj/ is where it can be found. You're using either 0.31 or 0.32, if you're using one with a date from 2005. -Kyle H On Fri, Sep 11, 2009 at 8:24 AM, jehan procaccia jehan.procac...@it-sudparis.eu wrote: Actually I am looking for a simple software with command line interface to operate a CA, sub-CA then client and server certs, that is eventually capable of publishing into the web public certs and crl / policies. If I can't find a package around openssl, I will probably end up using direct openssl commands ..., but I need something to publish CA certificate and CRL on a web page . http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 was very good at that, but it dates now from 2005, I'am afraid it won't be updated . Here's a list of opensource pki software I run into with my comment (#) http://ejbca.sourceforge.net/ #complex and no tomcat (jboss etc ...) http://pki.openca.org/ #complex http://www.opentrust.com/index.php?lang=en #licence ... http://www.newpki.org/ # Last update December 14, 2005 http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 #What I use but dates 2005-10-22 http://tinyca.sm-zone.net/ #Last update 2006, perhaps too much gui ? gtk ! http://www.pyca.de/ # Last update 29-Apr-2003 http://www.vpnc.org/SimpleCA/ #no date !? http://xca.sourceforge.net/ #Last update 2007 http://www.cymc.online.fr/openwebpki/ #windows only http://sourceforge.net/projects/phpki/ #perhaps too gui (web) , no-way to use direct cli !? no fully tested yet ... other list http://middleware.internet2.edu/hepki-tag/opensrc.html If you have others ? let me know, thanks . Mounir IDRASSI a écrit : Hi, You can have a look at PHPki (http://sourceforge.net/projects/phpki) : it's has the advantage of publishing a CRL and certificates on a web pages, plus enrollment and revocation pages. It's based on PHP and it invokes the openssl utility with conf files created on the fly for each operation. I have been using it for a year now and it was easy to modify it to accommodate my own requirements (like supporting SHA1 instead of the default MD5 and adding new templates). I hope it can be useful for you as it is for me. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr jehan procaccia wrote: Good initiative I'll give it a try ... although I am looking for intermediate size PKI free software, I am a bit confused with large scale software like openca or ejbca , too complex :-( I used to operate my pki with a perl-openssl package from http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026a=3290 but it dates from 2005 without evolution ... Now that I am about to re-create a new root, I'am looking for a new software very close to openssl with command line interface, but still able to publish crl and certs on a web page . any advice ? Regards . Richard Salz a écrit : From my blog, at https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10 I'm making available my small set of web pages and Perl script that implement a self-service PKI built around OpenSSL. The Perl script and config are under 250 lines and the couple of web pages involved are under 200 lines; there's also a couple of screen shots to guide someone through installing a cert on Microsoft Windows. It's all in the public domain. Enjoy. -- STSM, DataPower CTO WebSphere Appliance Architect http://www.ibm.com/software/integration/datapower/ __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
