Extracting RecipientInfos/DER from S/MIME message
Hello,

is it possible to extract the DER blob from the RecipientInfos part of an S/MIME message? I tried the following steps already but couldn't manage to get what I want:

    BIO *bin = BIO_new(BIO_s_mem());
    BIO_write(bin, mimeMessage.c_str(), mimeMessage.size());          // no errors
    CMS_ContentInfo *cms = SMIME_read_CMS(bin, NULL);                  // no errors
    STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms);  // no errors
    CMS_RecipientInfo *ri;
    for (int i = 0; i < sk_CMS_RecipientInfo_num(ris); ++i) {
        ri = sk_CMS_RecipientInfo_value(ris, i);
        // sk_CMS_RecipientInfo_num(ris) returns 1, so it shouldn't be empty
        // CMS_RecipientInfo_type(ri) returns 0
    }

This is as far as I got. I have no idea how to proceed and what I can do with the CMS_RecipientInfos I managed to extract so far. I'm still quite new to using the OpenSSL API in C/C++ so I'd appreciate any kind of help. :-)

Thanks in advance!
Benjamin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Extracting RecipientInfos/DER from S/MIME message
On Wed, Apr 14, 2010, Benjamin Amling wrote:

> Hello,
>
> is it possible to extract the DER blob from the RecipientInfos part of an S/MIME message? I tried the following steps already but couldn't manage to get what I want:
>
>     BIO *bin = BIO_new(BIO_s_mem());
>     BIO_write(bin, mimeMessage.c_str(), mimeMessage.size());          // no errors
>     CMS_ContentInfo *cms = SMIME_read_CMS(bin, NULL);                  // no errors
>     STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms);  // no errors
>     CMS_RecipientInfo *ri;
>     for (int i = 0; i < sk_CMS_RecipientInfo_num(ris); ++i) {
>         ri = sk_CMS_RecipientInfo_value(ris, i);
>         // sk_CMS_RecipientInfo_num(ris) returns 1, so it shouldn't be empty
>         // CMS_RecipientInfo_type(ri) returns 0
>     }
>
> This is as far as I got. I have no idea how to proceed and what I can do with the CMS_RecipientInfos I managed to extract so far. I'm still quite new to using the OpenSSL API in C/C++ so I'd appreciate any kind of help. :-)

The return value of CMS_RecipientInfo_type() is a constant indicating the type and will almost always be CMS_RECIPINFO_TRANS (see cms.h). Once you have the type you can use the appropriate function to retrieve its contents. For example CMS_RecipientInfo_ktri_get0_signer_id().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: problem verifying OCSP signature
On Tue, Apr 13, 2010, Chris Bare wrote:

> > Additional candidate signer certificates need to be included in the -verify_other option. If the OCSP signing certificate is self signed then it needs to be explicitly trusted, which is the -VAfile option; if you use that it will also be searched as a signer.
>
> Doesn't putting it in the CApath also mean it's explicitly trusted?
>
> I tracked down this code in crypto/ocsp/ocsp_vfy.c:
>
>     static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
>                                 STACK_OF(X509) *certs, X509_STORE *st,
>                                 unsigned long flags)
>     {
>         X509 *signer;
>         OCSP_RESPID *rid = bs->tbsResponseData->responderId;
>         if ((signer = ocsp_find_signer_sk(certs, rid))) {
>             *psigner = signer;
>             return 2;
>         }
>         if (!(flags & OCSP_NOINTERN) &&
>             (signer = ocsp_find_signer_sk(bs->certs, rid))) {
>             *psigner = signer;
>             return 1;
>         }
>         /* Maybe lookup from store if by subject name */
>         *psigner = NULL;
>         return 0;
>     }
>
> It looks like implementing the "Maybe" case would solve my problem. Would it be incorrect to look in the store also here? I'd be glad to work on a patch.

The store can only lookup by subject name, lookup by key identifier is not supported: OCSP can use either. It doesn't automatically trust certificates in the store because they have to be authorised to sign OCSP responses. Certificates can be explicitly trusted though by adding an appropriate trust value.

> I understand I can make the command line tool work with -verify_other, but in my code I have no handy way to do that. My users are going to dump all trusted certs, regardless of purpose, into the trusted store.

Well that's a bit of a problem because if you trust all those a self signed EE certificate could be used to sign OCSP responses for anyone.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: openSSL and PKCS #12 certificates
Thank you very much, Mounir, but I got the same error. Given the time constraints I have, I think my path moving forward is to try another library or two to see if I can find one that uses openSSL properly.

Until next time,
Remi.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 9:09 PM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

> Hi Remi,
>
> I don't know what the inputs of your python module are, but from the error message I guess that it's expecting the PEM file to also contain the certificate of the private key and the associated CA chain. For that, I advise you to replace the option -nocerts in your command line with -nodes. Thus:
>
> - The output PEM file will contain the private key AND its certificate along with any associated CAs
> - You will not be asked for a password a second time because the private key in the output PEM file will be unencrypted.
>
> After that, you will have to open the output PEM file in a text editor in order to ensure that the certificate that comes just after the private key block is the one associated with the key and not a CA certificate (a cut and paste is almost necessary to put everything in the right order).
>
> I hope that with all these steps, you will finally be able to perform your client authentication.
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 4/13/2010 6:45 PM, Rémi Després-Smyth wrote:
> > Mounir,
> >
> > Thank you so much for your answer. I did extract the key into a pem file (using command: c:\openssl\bin\openssl pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using the key file as output. It got further along in the process - I was prompted to enter my PEM pass phrase - but a different error came up:
> >
> >     File "C:\python26\lib\ssl.py", line 113, in __init__
> >       cert_reqs, ssl_version, ca_certs)
> >     ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
> >
> > Would you have any insight in regards to the problem here? I should also note that while I was creating the key file, I noticed that I was prompted to "Enter Import Password", but also to "Enter PEM pass phrase". Does this mean the private key found in the pfx file is actually in PEM format to begin with? Does this change your advice at all?
> >
> > Regards,
> > Remi.
> >
> > -----Original Message-----
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
> > Sent: April 13, 2010 11:29 AM
> > To: openssl-users@openssl.org
> > Subject: Re: openSSL and PKCS #12 certificates
> >
> > > Hi,
> > >
> > > OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that contains functions for parsing and exporting private keys and certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).
> > >
> > > Concerning the error you are getting, it appears that the python module you are using is calling SSL_CTX_use_PrivateKey_file by giving it the PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1. In order to correct this, you have two solutions:
> > >
> > > - Either feed the python module with the private key in a PEM file.
> > > - Or modify the source code of this python module in order to use the PKCS#12 functions I mentioned above to extract the private key as an EVP_PKEY and then call SSL_use_PrivateKey instead of SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting the associated certificate.
> > >
> > > The first solution is the easiest because you can simply use the OPENSSL command line utility in order to extract the private key and its certificate from the PKCS#12 file as PEM files and then give them as input to your python module.
> > >
> > > I hope this will help.
> > > --
> > > Mounir IDRASSI
> > > IDRIX
> > > http://www.idrix.fr
> > >
> > > On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:
> > > > Hello.
> > > >
> > > > I've been trying to set up client authentication using a PKCS #12 certificate, and I've been having some trouble. I'm trying to determine whether it's because it's something unsupported in openSSL, or if it's a problem with the wrapper library I'm using (Python's httplib). I'd appreciate it if anyone might be able to provide some insight.
> > > >
> > > > I'm getting an error raised by the openSSL library when the wrapper class is trying to instantiate and wrap a socket, and from what I've been able to gather to date, the error appears to be coming from openSSL:
> > > >
> > > >     Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> > > >
> > > > Is PKCS #12 supposed to be supported by openSSL? I would guess yes; I dug around in the source and found that "PEM lib" is the error text for ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in there. This gives me the impression that openSSL is incorrectly trying to load the PKCS #12 cert as a PEM
Re: ERROR LINK2019
Hi 芦翔,

please check if you are using the right include path for the right .h files. After calling this:

    C:\From_Here\openssl.1.0.0\> perl Configure VC-WIN32 no-asm --prefix=c:/to_here/ssl
    C:\From_Here\openssl.1.0.0\> ms\do_ms

you should NOT use:

    -I C:\From_Here\openssl.1.0.0\include

(or "Additional Include directories" in the VS GUI). It's because the .h files there are all incomplete files, just containing the line "Link: filename.h". Instead, look into \ (root directory); there is some new directory tree /usr/bin/to_here/ssl (or similar, I don't remember the exact location). So better use

    -I /usr/bin/to_here/ssl

(or whatever the exact to_here location is). Same for *.LIB (Additional Linker Dependencies).

If this helps, please report. Otherwise also.

M.M.

> Dear all,
>
> I am trying to add the security flavor to an application. To achieve this objective, I wrote the code to establish a security tunnel between the server and the client with VC2008. When I build the whole project, there are tens of similar errors. All of them are as follows:
>
>     SSLServer.obj : error LNK2019: unresolved external symbol _BIO_free referenced in function "int __cdecl SSL_CTX_use_PrivateKey_file_pass(struct ssl_ctx_st *,char *,char *)" (?SSL_CTX_use_PrivateKey_file_pass@@YAHPAUssl_ctx_st@@p...@z)
Re: ERROR LINK2019
Hi 芦翔,

I also used a mixed C / C++ project and did not use the probably well known

    #ifdef __cplusplus
    extern "C" {
    #endif
    #include openssl\.h
    #ifdef __cplusplus
    }
    #endif

stuff. It worked for me without this. Used VS 2005, which surely has the same behaviour as VS 2008.

M.M.

> hi,
>
> Thank you for your notes. Yes, my code is composed of both C and C++ code. For the openssl part, it is programmed in C. And the other part is from C++. Should I only use extern for those C-related #includes, or should all the C code be embraced in the extern?
>
> Thank you so much.
>
> Best Regards,
> Xiang
Costs (was: Extract DER of RecipientInfos from CMS)
Steve,

Dr. Stephen Henson wrote:
> On Wed, Mar 24, 2010, Michael Ströder wrote:
> > Is there an API function in OpenSSL which extracts only the DER blob of RecipientInfos from a CMS message (needed for encrypted S/MIME message)? Or has that to be done low-level with an ASN.1 parser?
>
> No you can't extract the received encoding. You can extract the structure using CMS_get0_RecipientInfos() but you'd have to declare your own encoding function based on the RecipientInfo ASN1_ITEM.

How much would it cost if you implement that? I'm not the one to decide on that but I want to propose that to my customer.

Ciao, Michael.
--
Michael Ströder                  Dipl.-Inform.
Klauprechtstr. 11                D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316            E-Mail: mich...@stroeder.com
http://www.stroeder.com
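Benjamin's thread at the top of this page and Michael's here ask the same thing, and Steve's answer in both is that OpenSSL only hands back the decoded structure, never the RecipientInfos bytes as they arrived. The walk below, an added example that is not from either thread or from OpenSSL, takes them straight out of the DER instead, which is the "low-level ASN.1" route Michael mentions. It assumes the caller has already base64-decoded the application/pkcs7-mime body, uses no OpenSSL API, and the message blob it runs on is a constructed placeholder (its SET holds a dummy element, not a real KeyTransRecipientInfo); the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER tag/length header from p[0..len): sets the tag, header size and
 * content length. Rejects multi-byte tags (CMS does not use them), indefinite
 * lengths (BER, not DER) and any element that does not fit in the buffer. */
static int der_header(const uint8_t *p, size_t len, uint8_t *tag, size_t *hdr, size_t *clen) {
    size_t i, n;
    if (len < 2 || (p[0] & 0x1f) == 0x1f) return 0;
    *tag = p[0];
    if (p[1] < 0x80) {                           /* short form */
        *hdr = 2; *clen = p[1];
    } else {                                     /* long form: 0x8N then N bytes */
        n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return 0;
        for (*clen = 0, i = 0; i < n; i++) *clen = (*clen << 8) | p[2 + i];
        *hdr = 2 + n;
    }
    return *clen <= len - *hdr;
}

/* id-envelopedData 1.2.840.113549.1.7.3 as a complete OID element. */
static const uint8_t OID_ENVELOPED[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03};

/* Locate recipientInfos inside a DER CMS ContentInfo carrying EnvelopedData. On
 * success *out/*outlen cover the whole SET, tag and length included, exactly as
 * received. Returns 1 on success, 0 if the input is malformed or not enveloped. */
int cms_find_recipient_infos(const uint8_t *der, size_t len, const uint8_t **out, size_t *outlen) {
    uint8_t tag; size_t hdr, clen, rem = len; const uint8_t *p = der;
    /* ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY } */
    if (!der_header(p, rem, &tag, &hdr, &clen) || tag != 0x30) return 0;
    p += hdr; rem = clen;
    if (rem < sizeof(OID_ENVELOPED) || memcmp(p, OID_ENVELOPED, sizeof(OID_ENVELOPED)))
        return 0;                                /* some other content type */
    p += sizeof(OID_ENVELOPED); rem -= sizeof(OID_ENVELOPED);
    if (!der_header(p, rem, &tag, &hdr, &clen) || tag != 0xa0) return 0;
    p += hdr; rem = clen;
    /* EnvelopedData ::= SEQUENCE { version INTEGER, originatorInfo [0] IMPLICIT
     * OPTIONAL, recipientInfos SET OF RecipientInfo, encryptedContentInfo, ... } */
    if (!der_header(p, rem, &tag, &hdr, &clen) || tag != 0x30) return 0;
    p += hdr; rem = clen;
    if (!der_header(p, rem, &tag, &hdr, &clen) || tag != 0x02) return 0;
    p += hdr + clen; rem -= hdr + clen;          /* skip version */
    if (!der_header(p, rem, &tag, &hdr, &clen)) return 0;
    if (tag == 0xa0) {                           /* optional originatorInfo present */
        p += hdr + clen; rem -= hdr + clen;
        if (!der_header(p, rem, &tag, &hdr, &clen)) return 0;
    }
    if (tag != 0x31) return 0;                   /* must be the SET OF RecipientInfo */
    *out = p; *outlen = hdr + clen;
    return 1;
}

/* Constructed sample, not a real message: the recipientInfos SET holds one
 * placeholder element rather than a genuine KeyTransRecipientInfo. */
static const uint8_t SAMPLE[] = {
    0x30, 0x1a,
      0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03,
      0xa0, 0x0d,
        0x30, 0x0b,
          0x02, 0x01, 0x00,                      /* version 0 */
          0x31, 0x04, 0x30, 0x02, 0x02, 0x00,    /* recipientInfos: offset 20, 6 bytes */
          0x30, 0x00                             /* encryptedContentInfo placeholder */
};

/* Offset (-1 if not found) and length of the SET inside SAMPLE; a copy cut
 * short at 10 bytes must be rejected instead of being read past its end. */
long sample_offset(void) {
    const uint8_t *s; size_t n;
    return cms_find_recipient_infos(SAMPLE, sizeof(SAMPLE), &s, &n) ? (long)(s - SAMPLE) : -1;
}
long sample_length(void) {
    const uint8_t *s; size_t n;
    return cms_find_recipient_infos(SAMPLE, sizeof(SAMPLE), &s, &n) ? (long)n : -1;
}
int truncated_is_rejected(void) {
    const uint8_t *s; size_t n;
    return !cms_find_recipient_infos(SAMPLE, 10, &s, &n);
}
```

The bytes returned are the received encoding, so they can be hashed or compared as-is, which a re-encode through the ASN1_ITEM could not guarantee.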
ASN1_UTCTIME Question
Hi,

I was just wondering what is the best way for converting type ASN1_UTCTIME* to type char* or string in C++?

Thanks in advance,
Jerry
RE: ERROR LINK2019
Dear Modem,

Thank you for your instructions. I have overcome the problem by putting extern in my code, and rebuilt the openssl lib as per your notes. I really appreciate the help from you and William. Now, I can build my application. However, after building the application, it pops up a message box, which says that "This application has failed to start because LIBEAY32.dll was not found. Re-installing the application may fix this problem." I don't know what happens. I am not sure if I need to re-compile the openssl code for a dll file; in addition, how can I use the compiled dll file? Suggestions will be really appreciated.

Thank you.

Best Regards,
Xiang

> Date: Wed, 14 Apr 2010 15:55:49 +0200
> From: modem-...@gmx.net
> To: openssl-users@openssl.org
> CC: wr...@rowe-clan.net
> Subject: Re: ERROR LINK2019
>
> Hi 芦翔,
>
> I also used a mixed C / C++ project and did not use the probably well known
>
>     #ifdef __cplusplus
>     extern "C" {
>     #endif
>     #include openssl\.h
>     #ifdef __cplusplus
>     }
>     #endif
>
> stuff. It worked for me without this. Used VS 2005, which surely has the same behaviour as VS 2008.
>
> M.M.
Re: ERROR LINK2019
Hi 芦翔,

the way Windows/C is using the SSL lib here is a so-called Dynamic Link Library via IMPLIB loading. This means each DLL file has a corresponding LIB file which is to be statically linked together with your source code's OBJ files to become your EXE file. But this LIB is only a so-called stub, a library which does nothing else than being a proxy/gateway between your code and the SSL's DLLs.

As you can imagine now, your EXE already has the LIBEAY.LIB linked. Your EXE is starting and, before calling WinMain() / main() / _tmain(), it initializes its own startup code and the LIB's startup code. The latter now searches for its corresponding DLL file to do its job of being the proxy. And in your case, it reports not being able to locate this DLL.

Looks like your application just doesn't know where to locate the LIBEAY.DLL.

1st, you should know where on your computer this particular file resides.
2nd, you should learn how your platform is searching for DLLs. Hint: the search order within Windows is:
  1st) current directory (usually where your .EXE resides)
  2nd) each entry of the %PATH% environment variable, from left to right.

Finally, you could also read the SSL package's INSTALL.W32 and ms\*.bat files to learn how to skip DLL usage and how to link the complete .LIB (not the small IMPLIB). This would be a so-called Static Library without any DLL linkage.

And very finally, inc32 might be the better include directory than include? Read the _complete_ INSTALL.W32 to learn if this is true for your environment, or not.

Hoping you can also help me somewhen in future,
M.M.

> Dear Modem,
>
> Thank you for your instructions. I have overcome the problem by putting extern in my code, and rebuilt the openssl lib as per your notes. I really appreciate the help from you and William. Now, I can build my application. However, after building the application, it pops up a message box, which says that "This application has failed to start because LIBEAY32.dll was not found. Re-installing the application may fix this problem." I don't know what happens. I am not sure if I need to re-compile the openssl code for a dll file; in addition, how can I use the compiled dll file? Suggestions will be really appreciated.
>
> Thank you.
>
> Best Regards,
> Xiang
Re: ASN1_UTCTIME Question
On 14/04/10 1:05 PM, Jerry Wang wrote:
> Hi,
>
> I was just wondering what is the best way for converting type ASN1_UTCTIME* to type char* or string in C++?

Probably the best way is to convert it to a time_t, and then use your normal platform functions to convert that to a string. This has the added advantage of being useful for comparisons and other things.

There are a few examples of converting an ASN1_TIME struct to a time_t in the openssl sources, so you can use that.

Have fun!

Patrick.
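Patrick's suggestion carried through, as an added example that is neither Jerry's nor Patrick's code and is not taken from the OpenSSL sources: the text an ASN1_UTCTIME carries in its data field is parsed into a UTC time_t (with the RFC 5280 two-digit-year pivot, the optional seconds, and the +hhmm/-hhmm zone form that older certificates use), and plain gmtime/strftime then produce the string the question asked for. The function names are the example's own and the time stamps exercised are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Parse exactly n ASCII digits at s into *v; returns 1 on success. */
static int digits(const char *s, int n, int *v)
{
    for (*v = 0; n-- > 0; s++) {
        if (*s < '0' || *s > '9') return 0;
        *v = *v * 10 + (*s - '0');
    }
    return 1;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (no timegm() needed). */
static long days_from_civil(int y, int m, int d)
{
    long era; unsigned yoe, doy, doe;
    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (unsigned)(y - era * 400);
    doy = (153u * (unsigned)(m > 2 ? m - 3 : m + 9) + 2) / 5 + (unsigned)d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* Convert the text an ASN1_UTCTIME carries in utctime->data (for example
 * "100414151049Z", length utctime->length) to a UTC time_t. Accepts YYMMDDHHMM[SS]
 * followed by 'Z' or +hhmm/-hhmm, pivots two-digit years as RFC 5280 requires
 * (50-99 are 19xx, 00-49 are 20xx) and rejects impossible dates. 1 on success. */
int utctime_to_time_t(const char *s, size_t len, time_t *out)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int yy, mo, dd, hh, mi, ss = 0, oh = 0, om = 0, sign = 0, year, dim;
    size_t pos = 10;

    if (len < 11 || !digits(s, 2, &yy) || !digits(s + 2, 2, &mo) ||
        !digits(s + 4, 2, &dd) || !digits(s + 6, 2, &hh) || !digits(s + 8, 2, &mi))
        return 0;
    if (len >= 13 && digits(s + 10, 2, &ss))          /* optional seconds */
        pos = 12;
    if (pos >= len) return 0;
    if (s[pos] == 'Z') {
        if (pos + 1 != len) return 0;
    } else if ((s[pos] == '+' || s[pos] == '-') && pos + 5 == len &&
               digits(s + pos + 1, 2, &oh) && digits(s + pos + 3, 2, &om)) {
        sign = s[pos] == '+' ? 1 : -1;
    } else {
        return 0;
    }
    year = yy >= 50 ? 1900 + yy : 2000 + yy;
    if (mo < 1 || mo > 12 || hh > 23 || mi > 59 || ss > 59 || oh > 23 || om > 59)
        return 0;
    dim = mdays[mo - 1] + (mo == 2 && year % 4 == 0 && (year % 100 || year % 400 == 0));
    if (dd < 1 || dd > dim) return 0;
    /* "+0100" means the stamp is one hour ahead of UTC, so subtract the offset. */
    *out = (time_t)days_from_civil(year, mo, dd) * 86400 + hh * 3600 + mi * 60 + ss
           - (time_t)sign * (oh * 3600 + om * 60);
    return 1;
}

/* Epoch seconds for a NUL-terminated UTCTime string, or LONG_MIN if malformed. */
long utctime_epoch(const char *s)
{
    time_t t;
    return utctime_to_time_t(s, strlen(s), &t) ? (long)t : LONG_MIN;
}

/* The same instant as an ISO 8601 string (static buffer; NULL if malformed), built
 * with plain gmtime/strftime: the char* the question asks for. */
const char *utctime_iso8601(const char *s)
{
    static char buf[32];
    time_t t; struct tm *tm;
    if (!utctime_to_time_t(s, strlen(s), &t) || (tm = gmtime(&t)) == NULL) return NULL;
    return strftime(buf, sizeof buf, "%Y-%m-%dT%H:%M:%SZ", tm) ? buf : NULL;
}
```

Validating the string before trusting it matters here because the value comes straight out of a certificate an untrusted party produced; a date such as 31 February is refused rather than silently normalised.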
Re: openSSL and PKCS #12 certificates
Good luck with the rest!
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 4/14/2010 3:01 PM, Rémi Després-Smyth wrote:
> Thank you very much, Mounir, but I got the same error. Given the time constraints I have, I think my path moving forward is to try another library or two to see if I can find one that uses openSSL properly.
>
> Until next time,
> Remi.
RE: ERROR LINK2019
Dear Modem,

Thank you so much. Your instructions are so detailed and helpful for my code. As you said, I put the built dll files into the windows folders. Now, all the programs are running smoothly. I really appreciate your patience and kind help.

Best Regards,
Xiang

> Date: Wed, 14 Apr 2010 22:32:27 +0200
> From: modem-...@gmx.net
> To: openssl-users@openssl.org
> Subject: Re: ERROR LINK2019
>
> Hi 芦翔,
>
> the way Windows/C is using the SSL lib here is a so-called Dynamic Link Library via IMPLIB loading. This means each DLL file has a corresponding LIB file which is to be statically linked together with your source code's OBJ files to become your EXE file. But this LIB is only a so-called stub, a library which does nothing else than being a proxy/gateway between your code and the SSL's DLLs.
>
> As you can imagine now, your EXE already has the LIBEAY.LIB linked. Your EXE is starting and, before calling WinMain() / main() / _tmain(), it initializes its own startup code and the LIB's startup code. The latter now searches for its corresponding DLL file to do its job of being the proxy. And in your case, it reports not being able to locate this DLL.
>
> Looks like your application just doesn't know where to locate the LIBEAY.DLL.
>
> 1st, you should know where on your computer this particular file resides.
> 2nd, you should learn how your platform is searching for DLLs. Hint: the search order within Windows is:
>   1st) current directory (usually where your .EXE resides)
>   2nd) each entry of the %PATH% environment variable, from left to right.
>
> Finally, you could also read the SSL package's INSTALL.W32 and ms\*.bat files to learn how to skip DLL usage and how to link the complete .LIB (not the small IMPLIB). This would be a so-called Static Library without any DLL linkage.
>
> And very finally, inc32 might be the better include directory than include? Read the _complete_ INSTALL.W32 to learn if this is true for your environment, or not.
>
> Hoping you can also help me somewhen in future,
> M.M.
Information wanted on OpenSSL cipher alias HIGH, MEDIUM and LOW.
Hi All,

I wanted to know, when we use ALL:!SSLv2:!EXPORT:!LOW:!MEDIUM:!DH to select the ciphers, how does OpenSSL understand which ciphers are available under LOW and MEDIUM? The ssleay.txt document names LOW, MEDIUM and HIGH as aliases. Please can someone provide me more information on this?

Thanks in advance,
Jayalakshmi.