Re: How to convert RSA public key XML format to PEM or ASCII format
Hi,

Thanks for your response. On which platform do I compile/execute the below CODE? I only have a UNIX command line and Windows available.

Regards,
Vivek Panikulam

From: Mounir IDRASSI mounir.idra...@idrix.net
To: openssl-users@openssl.org
Sent: Fri, September 17, 2010 10:07:10 PM
Subject: Re: How to convert RSA public key XML format to PEM or ASCII format

Hi,

To perform the conversion, use your favorite XML library to extract the BASE64 values in the Modulus and Exponent nodes, then create an EVP_PKEY structure from these using the functions I'm pasting below. From here, call PEM_write_PUBKEY to create a PEM file that will contain your RSA public key and that can be used later by OpenSSL.

CODE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

// Decode a BASE64 string (no line breaks) into a malloc'ed buffer;
// *pLen receives the decoded length, or <= 0 if the input is not valid BASE64.
unsigned char *fromBase64(const char* szInput, int* pLen)
{
    BIO *b64, *bmem;
    size_t length = strlen(szInput);
    // The length of BASE64 representation is always bigger
    // than the actual data length, so the size given to
    // the malloc below is sufficient to hold all the
    // decoded data
    unsigned char *buffer = (unsigned char *)malloc(length);
    b64 = BIO_new(BIO_f_base64());
    // No LF on the input string
    BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
    bmem = BIO_new_mem_buf((void*)szInput, length);
    bmem = BIO_push(b64, bmem);
    *pLen = BIO_read(bmem, buffer, length);
    BIO_free_all(bmem);
    return buffer;
}

BIGNUM* BN_fromBase64(const char* szBase64)
{
    BIGNUM* bn = NULL;
    int iLen;
    unsigned char* pbData = fromBase64(szBase64, &iLen);
    if (iLen > 0) {  // BIO_read returns 0 or -1 on empty/invalid input
        bn = BN_bin2bn(pbData, iLen, NULL);
    }
    free(pbData);
    return bn;
}

EVP_PKEY* RSA_fromBase64(const char* szModulus, const char* szExp)
{
    BIGNUM *n = BN_fromBase64(szModulus);
    BIGNUM *e = BN_fromBase64(szExp);
    if (!n) printf("Invalid encoding for modulus\n");
    if (!e) printf("Invalid encoding for public exponent\n");
    if (e && n) {
        EVP_PKEY* pRsaKey = EVP_PKEY_new();
        RSA* rsa = RSA_new();
        rsa->e = e;  // the RSA structure now owns both BIGNUMs
        rsa->n = n;
        EVP_PKEY_assign_RSA(pRsaKey, rsa);
        return pRsaKey;
    } else {
        if (n) BN_free(n);
        if (e) BN_free(e);
        return NULL;
    }
}
/CODE

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

Hi All,

I have an RSA public key provided in the below format and would like to know how to convert it into a format like PEM or any other format which can be read by openssl. I didn't find any conclusive solutions for this on www. Will the application which generated this key format be capable of generating the same key in PEM or ASCII format?

<?xml version="1.0" encoding="UTF-8" ?>
<RSAKeyValue>
  <Modulus>dhjffljkglejDHKJFHkjhSLWSKWLlkNKMNCKJBCKJFKJFBNCJKNLKNCLKMNDLKJSLKWJLJSjsSJJSDkjswlqqq</Modulus>
  <Exponent>AQAB</Exponent>
</RSAKeyValue>

Regards,
Vivek Panikulam

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
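Mounir's functions do the decode-and-assemble step with OpenSSL's BIO and BIGNUM APIs. The same conversion in Python with only the standard library, added here as an example and not code from the thread or from OpenSSL, hand-encodes the DER SubjectPublicKeyInfo that PEM_write_PUBKEY would write, so it runs without any OpenSSL binding; SAMPLE_XML is a constructed toy key, not the modulus from the original question.

```python
# Convert an XML <RSAKeyValue> public key to PEM SubjectPublicKeyInfo, stdlib only.
import base64
import xml.etree.ElementTree as ET

# Constructed sample, not the key from the thread: modulus 0xC0FFEE ("wP/u")
# and exponent 65537 ("AQAB"); far too small for real use.
SAMPLE_XML = "<RSAKeyValue><Modulus>wP/u</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def parse_rsa_key_value(xml_text):
    """Return (n, e); raises ValueError/binascii.Error on bad XML or base64."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("root element is not RSAKeyValue")
    nums = []
    for name in ("Modulus", "Exponent"):
        text = root.findtext(name)
        if text is None:
            raise ValueError("missing <%s> element" % name)
        raw = base64.b64decode("".join(text.split()), validate=True)
        nums.append(int.from_bytes(raw, "big"))
    return tuple(nums)

def xml_to_spki_der(xml_text):
    """DER SubjectPublicKeyInfo, the same structure PEM_write_PUBKEY writes."""
    n, e = parse_rsa_key_value(xml_text)
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # OID + NULL parameters
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    bit_string = _der(0x03, b"\x00" + rsa_public_key)  # leading 0x00: no unused bits
    return _der(0x30, algorithm + bit_string)

def xml_to_pem(xml_text):
    b64 = base64.b64encode(xml_to_spki_der(xml_text)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(lines)
```

The result can be checked with `openssl rsa -pubin -in key.pem -noout -text`; like the C version, a Modulus or Exponent that is not valid BASE64 is rejected (binascii.Error) instead of silently yielding a key.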
Engine API documentation
Hi.

I'm trying to implement an Engine to use my decoder with openssl. However, I find the API lacking documentation. Thus far I have only seen comments in source code headers. How shall I go about implementing my engine? (AES cipher initially.) I have searched a lot and read many source files.

Kind regards!

Niklas Eklund
Tornavägen 7
223 63 Lund
0702-527080
Re: How to convert RSA public key XML format to PEM or ASCII format
Hi,

The code is generic OpenSSL C source that will compile with the favorite compiler of your platform. Did I understand your question correctly?

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
cannot create p12 file
I am trying to create a .p12 file with pkcs12. I created the private key:

# openssl genrsa -out user.key -des3

I also created a certificate signing request (openssl req ...) and a certificate (openssl ca ...). I want to store the user key (and optionally the user certificate) in a .p12 file that can be imported into Microsoft IIS.

# openssl pkcs12 -export -inkey user.key -certfile user.cer -out user.pfx -name "my key"

Or

# openssl pkcs12 -export -inkey user.key -out user.pfx -name "my key"

In either case, I get prompted for the pass phrase for the key, then the process just hangs. This is with OpenSSL 1.0.0 on Solaris 10 and OpenSSL 0.9.8l under cygwin. I am pretty sure I have done this in the past and am not sure what I am doing wrong. Thanks for your help.
Confusion about subject alternative names
Hi,

I am using various versions of openssl-0.9.x (including openssl-0.9.8k-1.fc11.i686 on my linux machine, although the customized openssl.cnf file is probably inherited from a slightly earlier version). When I create a certificate signing request with openssl, I have an option to specify a Subject Alternative Name (SAN). The request file (csr) as well as the resulting certificate includes the SAN as a value in the subject field.

Subject: C=US, ST=x, L=x, O=x, OU=IT, CN=server1.company.com/subjectAltName=server2.company.com/emailAddress=x @company.com

With MS Exchange 2007, you can use a command from the powershell to generate a certificate request, which includes optional DNS servers. The csr is still signed with OpenSSL (I have one openssl machine designated as the primary CA). As you can see, the resulting certificate has a separate Subject Alternative Name field.

Subject: C=US, ST=x, O=x, OU=x, CN=server1.company.com
X509v3 Subject Alternative Name:
    DNS:server1.company.comm, DNS:server2.company.com

I need to use a SAN with my Exchange server certificate since the same certificate is used for several related services, on the same IP address, but different host names are used to make client access simpler (e.g. mail.company.com for e-mail clients and webmail.company.com for those accessing web-based mail). I am not sure which certificate format is the correct one. And it would be much easier to use openssl instead of the exchange power shell. (Most things in Microsoft can be done via the GUI, but a few advanced certificate functions require the exchange power shell.)

Thanks
RE: Confusion about subject alternative names
Some additional info:

My openssl.cnf file includes the following

---
policy = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
subjectAltName          = optional
..
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
..
subjectAltName          = Subject Alternate Name
subjectAltName_default  = www.foo.com
---

OpenSSL is configured as a CA. I had added the entries for subjectAltName. I do get prompted for this when creating a certificate signing request (CSR). When I submit a CSR created by the MS Exchange shell, the policy can NOT include subjectAltName = required, so clearly MS Exchange is not using the same structure for this as openssl.

I am pretty sure I have the correct syntax for subjectAltName in openssl.cnf. If I try adding a field for "planet" it is just ignored, so it seems clear that openssl is treating subjectAltName as a valid entry.

The default openssl.cnf included

---
[ usr_cert ]
..
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
..
---

So it looks like openssl.cnf could optionally automatically copy the e-mail address to subjectAltName.

-Thanks

From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
Sent: Saturday, September 18, 2010 5:08 PM
To: openssl-users@openssl.org
Subject: Confusion about subject alternative names
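The two outputs differ because of where subjectAltName lives in openssl.cnf: a prompt entry under [ req_distinguished_name ] becomes an attribute of the subject DN (the first form above), while the Exchange request carries it as the X509v3 extension (the second form), which is the one clients use for host-name matching. The fragment below, added here as an example rather than taken from the thread or from OpenSSL's shipped config, shows the DN-section entry beside the extension-based setup; the host names are the thread's own example names and the section names follow the default openssl.cnf layout.

```ini
# Wrong: a subjectAltName prompt in the DN section makes the value a subject
# RDN (CN=server1.company.com/subjectAltName=server2.company.com), which
# clients do not treat as an alternative host name.
[ req_distinguished_name ]
commonName               = Common Name
# subjectAltName         = Subject Alternate Name   # remove these two lines
# subjectAltName_default = www.foo.com

# Right: ask for the X509v3 extension in the request ...
[ req ]
distinguished_name       = req_distinguished_name
req_extensions           = v3_req

[ v3_req ]
subjectAltName           = @alt_names

[ alt_names ]
DNS.1 = server1.company.com
DNS.2 = server2.company.com

# ... and let the CA carry the request's extensions into the certificate.
# "copy" only adds extensions the CA's own x509_extensions section does not
# already set, so keep basicConstraints there; "copyall" would let the
# requester override the CA's values.
[ CA_default ]
copy_extensions          = copy
```

`openssl req -in server.csr -noout -text` then lists the names under "Requested Extensions" instead of in the Subject line, which is the quick way to tell the two forms apart before signing.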
Re: Confusion about subject alternative names
The problem is not so much with IMAP or SMTP. You can easily use IIS to create separate certificate requests for those services. In the MS Exchange 2007 Management Console (GUI) it is pretty easy to select the certificate to use for the IMAP SSL connection. For some very odd reason you have to use the Exchange Power Shell (command line) to specify the certificate for the SMTP TLS connection (you have to specify the thumbprint of the certificate you want to use).

Digress: if Microsoft WON'T give you a GUI way to do something, wouldn't it be simpler just to stick with simple configuration files like a lot of unix/linux stuff? I realize the powershell stuff lets you script stuff, which is great for adding 500 users.

Anyway, the problem is really with some of MS Exchange's web-based Client Access Services (the autoconfigure service, which also handles things like scheduling). If you configure Outlook 2007 to use exchange1 it will connect to IIS, get the mismatched certificate, and complain. This gets worse if you have multiple Exchange servers.

Re: Confusion about subject alternative names
Peter Sylvester
Thu, 02 Sep 2010 01:53:49 -0700

Since webmail, imap, smtp(s) all operate on different ports, and you have different listeners, the correct way to me seems to use three certificates with the desired hostnames etc. Having the same IP address doesn't matter in this particular case.
Error while trying to get text output from x509 cert file
Hi,

I am trying to get output from this x509 certificate and am getting the below error. Please let me know how to resolve this error and generate text output from this cert file.

$ openssl x509 -in TestCryptPublic.cert -pubkey
unable to load certificate
557096:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

Regards,
Vivek Panikulam
Re: Error while trying to get text output from x509 cert file
Hi,

The error says that it didn't find the expected start line for a certificate, which is -----BEGIN CERTIFICATE-----. So, check that your certificate is indeed BASE64 encoded and that the first line is -----BEGIN CERTIFICATE----- and the last is -----END CERTIFICATE-----.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
Re: cannot create p12 file
Hi,

It hangs because it is waiting for the input certificate that has to be put with the given key inside the PKCS#12 file. Replace the -certfile option with -in and everything will be OK. Actually -certfile is for adding additional certificates, not the main one.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr