Re: Signature Algorithm
Thanks, I discovered this too, by searching for X509_get_signature_type in Google's codesearch tool. Where are these things documented anyway? On Mon, Jan 10, 2011 at 11:40 AM, Christian Hohnstaedt christ...@hohnstaedt.de wrote: On Mon, Jan 10, 2011 at 10:51:21AM +0530, Karthik Ravikanti wrote: Hi, How can we get a string representation of a signature algorithm from a certificate? X509 *cert; const char *sigalg = OBJ_nid2ln(OBJ_obj2nid(cert-sig_alg-algorithm)); Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Karthik Ravikanti Karthik Ravikanti Mobile: 9701040149 Landline: 040-40058553 http://students.iiit.net/~karthik_ravikantihttp://students.iiit.net/%7Ekarthik_ravikanti
Re: Signature Algorithm
I remember seeing a method to get the signature parameters as a buffer. I can't find it now. :-( On Mon, Jan 10, 2011 at 2:13 PM, Karthik Ravikanti karthik.ravika...@gmail.com wrote: Thanks, I discovered this too, by searching for X509_get_signature_type in Google's codesearch tool. Where are these things documented anyway? On Mon, Jan 10, 2011 at 11:40 AM, Christian Hohnstaedt christ...@hohnstaedt.de wrote: On Mon, Jan 10, 2011 at 10:51:21AM +0530, Karthik Ravikanti wrote: Hi, How can we get a string representation of a signature algorithm from a certificate? X509 *cert; const char *sigalg = OBJ_nid2ln(OBJ_obj2nid(cert-sig_alg-algorithm)); Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Karthik Ravikanti Karthik Ravikanti Mobile: 9701040149 Landline: 040-40058553 http://students.iiit.net/~karthik_ravikantihttp://students.iiit.net/%7Ekarthik_ravikanti
Re: Signature Algorithm
On Mon, Jan 10, 2011 at 02:32:35PM +0530, Karthik Ravikanti wrote: I remember seeing a method to get the signature parameters as a buffer. I can't find it now. :-( OBJ_nid2ln(OBJ_obj2nid(cert-sig_alg-algorithm)) returns a pointer to the string representation of the signature algorithm like sha1WithRSAEncryption What else do you need ? Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Signature Algorithm
Actually I'm working on a small wrapper for the X509 object. I need all the following: 1. Version: got this from X509_get_version(cert) 2. Serial number: got this from ASN1_INTEGER_get(X509_get_serialNumber(cert)) 3. Signature Algorithm as a string: got this from OBJ_nid2ln(X509_get_signature_type(cert)) 4. Signature alg parameters as a byte buffer: will EVP_PKEY_print_param() help? 5. Issuer name: Used X509_get_issuer_name to get a X509_NAME and then printed it in ONELINE format to a mem bio. 6. Subject name: Similar to 5. 7. Public key: I did memcpy(destBuffer, pubkey-pkey, EVP_PKEY_size(pubkey)). 8. Not before/after: did the following, where ptime is my internal structure, hope it's correct. 1. char *time = (char *) malloc(asn1time-length+1); memcpy(time, asn1time-data, asn1time-length); time[asn1time-length] = '\0'; sscanf(time, %2d%2d%2d%2d%2d%2dZ, ptime-year, ptime-month, ptime-day, ptime-hour, ptime-minute, ptime-second); free(time); ptime-millisecond = 0; Am I doing all the right things? Or am I completely off the track? On Mon, Jan 10, 2011 at 3:25 PM, Christian Hohnstaedt christ...@hohnstaedt.de wrote: On Mon, Jan 10, 2011 at 02:32:35PM +0530, Karthik Ravikanti wrote: I remember seeing a method to get the signature parameters as a buffer. I can't find it now. :-( OBJ_nid2ln(OBJ_obj2nid(cert-sig_alg-algorithm)) returns a pointer to the string representation of the signature algorithm like sha1WithRSAEncryption What else do you need ? Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Signature Algorithm
9. Public key algorithm parameters: I used EVP_PKEY_print_param and printed to a mem bio. On Mon, Jan 10, 2011 at 3:53 PM, Karthik Ravikanti karthik.ravika...@gmail.com wrote: Actually I'm working on a small wrapper for the X509 object. I need all the following: 1. Version: got this from X509_get_version(cert) 2. Serial number: got this from ASN1_INTEGER_get(X509_get_serialNumber(cert)) 3. Signature Algorithm as a string: got this from OBJ_nid2ln(X509_get_signature_type(cert)) 4. Signature alg parameters as a byte buffer: will EVP_PKEY_print_param() help? 5. Issuer name: Used X509_get_issuer_name to get a X509_NAME and then printed it in ONELINE format to a mem bio. 6. Subject name: Similar to 5. 7. Public key: I did memcpy(destBuffer, pubkey-pkey, EVP_PKEY_size(pubkey)). 8. Not before/after: did the following, where ptime is my internal structure, hope it's correct. 1. char *time = (char *) malloc(asn1time-length+1); memcpy(time, asn1time-data, asn1time-length); time[asn1time-length] = '\0'; sscanf(time, %2d%2d%2d%2d%2d%2dZ, ptime-year, ptime-month, ptime-day, ptime-hour, ptime-minute, ptime-second); free(time); ptime-millisecond = 0; Am I doing all the right things? Or am I completely off the track? On Mon, Jan 10, 2011 at 3:25 PM, Christian Hohnstaedt christ...@hohnstaedt.de wrote: On Mon, Jan 10, 2011 at 02:32:35PM +0530, Karthik Ravikanti wrote: I remember seeing a method to get the signature parameters as a buffer. I can't find it now. :-( OBJ_nid2ln(OBJ_obj2nid(cert-sig_alg-algorithm)) returns a pointer to the string representation of the signature algorithm like sha1WithRSAEncryption What else do you need ? Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
pem file with intermediate certificates
Hi. Two months ago, we installed our SSL certificate with stunnel-openssl succesfully. That certificate was issued by Verisign. We did not experience any issues. A few weeks ago, we had to renew that certficate and after doing that, we started to get 'Invalid certificate' errors form our web site users. It seems that the new certificate issued by Verisign, has changed its hierarchy, and browsers like FF that do not have one of the necessary intermediate certificate registered fail. This is the new hierarchy: - VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign Class 3 Secure Server CA - G3 - www.b-kin.com It is the 'VeriSign Class 3 Secure Server CA - G3' certificate the one that most FF browsers do not have registered, and so the browsers reject the request with an 'Invalid certificate' message. To solve this issue, we are trying to incorporate the 'VeriSign Class 3 Secure Server CA - G3' certificate in the .pem file, where our www.b-kin.comcertificate is installed. We have tried to include the Verisign certificate first and then the other one; and the other way round, first our certificate and then the Verisign one, but without success. The Verisign certificate has been directly taken from the Verisign web site. The .pem file has following structure: Bag Attributes heading section . -BEGIN RSA PRIVATE KEY- . -END RSA PRIVATE KEY- Bag Attributes heading section -BEGIN CERTIFICATE- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ . -END CERTIFICATE- Bag Attributes heading section -BEGIN CERTIFICATE- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ . -END CERTIFICATE- As we have seen in the documentation, it is possible to include a certificate hierarchy in a .pem file. What are we doing wrong? Best regards, Carlos.
openssl fips cross compilation 1.2.2
I've previously been trying to cross compile openssl-fips version 1.2 for my MIPS target, following the guidance in the user's guide, security policy, and this mailing list. I don't see a crossbuild patch for version 1.2.2, nor any instructions in the 1.2.2 documentation. I'm wondering if there is a patch coming in the future, or if cross compilation is now built in without the need for a patch, or if cross-compilation is no longer a supported option in version 1.2.2. I initially was hoping that the crossbuild modifications simply got included in the new version's source by default, removing the need for the additional patch. After examining the fipsld script, I'm fairly certain that is a bad assumption, as version 1.2.2 of the fipsld doesn't include the FIPS_SIG modifications that the 1.2 crossbuild patch contained. I could just try applying the 1.2 patch to the 1.2.2 tarball, but the fact that the crossbuild patch (and instructions for its use) were completely removed from the security policy gave me pause. Coupled with other little caveats I've read about cross compilation on the 'private label' validation website, the new validation rules for 2011, etc. it seemed like I could waste a bunch of my time sticking with the cross compilation strategy. I thought I'd send a query as to the future plans on cross compilation before I go down that road any further. Thanks in advance for any cross compilation information you can provide. -Brian
Re: openssl fips cross compilation 1.2.2
On Mon, Jan 10, 2011, blaan...@rockwellcollins.com wrote: I've previously been trying to cross compile openssl-fips version 1.2 for my MIPS target, following the guidance in the user's guide, security policy, and this mailing list. I don't see a crossbuild patch for version 1.2.2, nor any instructions in the 1.2.2 documentation. I'm wondering if there is a patch coming in the future, or if cross compilation is now built in without the need for a patch, or if cross-compilation is no longer a supported option in version 1.2.2. Cross compilation support is now included in the 1.2.2 tarball and so no patch is needed. I initially was hoping that the crossbuild modifications simply got included in the new version's source by default, removing the need for the additional patch. After examining the fipsld script, I'm fairly certain that is a bad assumption, as version 1.2.2 of the fipsld doesn't include the FIPS_SIG modifications that the 1.2 crossbuild patch contained. I just checked the 1.2.2 tarball and the FIPS_SIG changes are there. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Question on SHA1 Functions
Hi, I am a newbie to openssl and have run into what is probably a stupid question. I am using openssl-1.0.0c. So here it goes. I wanted to look at how openssl implemented the following functions which are defined in the openssl crypto library in openssl/crytpo/sha.h: int SHA1_Init(SHA_CTX *c); int SHA1_Update(SHA_CTX *c, const void *data, size_t len); int SHA1_Final(unsigned char *md, SHA_CTX *c); unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md); In file sha1.c I only see the function implementation for SHA1 which is a wrapper function that invokes SHA1_init, SHA1_Update, and SHA1_Final. I was expecting to see the implementations for all four of these functions in file sha1_one.c. But I only see the implementation for the wrapper function SHA1 in that file. Where are these functions suppose to be implemented? [u...@centos sha]$ pwd /home/user/OPENSSLTEST/openssl-1.0.0c/crypto/sha [u...@centos sha]$ grep SHA1_Final * sha1.c: SHA1_Final((md[0]),c); sha1_one.c: SHA1_Final(md,c); sha.h:int SHA1_Final(unsigned char *md, SHA_CTX *c); sha_locl.h:# define HASH_FINAL SHA1_Final For instance above I see calls to SHA1_Final; but I don't see the actual implementation of that function. By comparison for the SHA512 case I do see all of the following functions in sha512.c in this same directory: SHA512_Init. SHA512_Update, SHA512_Final, and of course the wrapper function SHA512 implementations can all be found in sha512.c. For example: [u...@centos sha]$ grep SHA512_Final * *sha512.c:int SHA512_Final (unsigned char *md, SHA512_CTX *c)* sha512.c:{ return SHA512_Final (md,c); } sha512.c: SHA512_Final(md,c); sha512.c: SHA512_Final(md,c); sha.h:int SHA512_Final(unsigned char *md, SHA512_CTX *c); I don't understand how this works obviously. Any information would be appreciated. I want to use this in an embedded application. I also noticed macros in sha_locl.h for SHA. Is this where the SHA1 functions are implemented? Thanks, Stan Joyner
Re: Question on SHA1 Functions
Hi, SHA1_Init is indeed defined in sha_locl.h as HASH_INIT, whereas SHA1_Update and SHA1_Final are defined in md32_common.h (under crypto folder) as HASH_UPDATE and HASH_FINAL respectively. Happy hacking, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 1/10/2011 4:40 PM, Stan Joyner wrote: Hi, I am a newbie to openssl and have run into what is probably a stupid question. I am using openssl-1.0.0c. So here it goes. I wanted to look at how openssl implemented the following functions which are defined in the openssl crypto library in openssl/crytpo/sha.h: int SHA1_Init(SHA_CTX *c); int SHA1_Update(SHA_CTX *c, const void *data, size_t len); int SHA1_Final(unsigned char *md, SHA_CTX *c); unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md); In file sha1.c I only see the function implementation for SHA1 which is a wrapper function that invokes SHA1_init, SHA1_Update, and SHA1_Final. I was expecting to see the implementations for all four of these functions in file sha1_one.c. But I only see the implementation for the wrapper function SHA1 in that file. Where are these functions suppose to be implemented? [u...@centos sha]$ pwd /home/user/OPENSSLTEST/openssl-1.0.0c/crypto/sha [u...@centos sha]$ grep SHA1_Final * sha1.c: SHA1_Final((md[0]),c); sha1_one.c: SHA1_Final(md,c); sha.h:int SHA1_Final(unsigned char *md, SHA_CTX *c); sha_locl.h:# define HASH_FINAL SHA1_Final For instance above I see calls to SHA1_Final; but I don't see the actual implementation of that function. By comparison for the SHA512 case I do see all of the following functions in sha512.c in this same directory: SHA512_Init. SHA512_Update, SHA512_Final, and of course the wrapper function SHA512 implementations can all be found in sha512.c. For example: [u...@centos sha]$ grep SHA512_Final * *sha512.c:int SHA512_Final (unsigned char *md, SHA512_CTX *c)* sha512.c:{ return SHA512_Final (md,c); } sha512.c: SHA512_Final(md,c); sha512.c: SHA512_Final(md,c); sha.h:int SHA512_Final(unsigned char *md, SHA512_CTX *c); I don't understand how this works obviously. Any information would be appreciated. I want to use this in an embedded application. I also noticed macros in sha_locl.h for SHA. Is this where the SHA1 functions are implemented? Thanks, Stan Joyner __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS and OpenSSL-1.0.0
On Mon, Dec 27, 2010 at 6:47 AM, Henrik Grindal Bakken h...@ifi.uio.no wrote: 3) obtaining your own from-scratch validation starting with the 1.0.0 baseline. Good luck with that, you have a long row to hoe. We're going for 3), but as I said, our crypto module is not OpenSSL, it's the entire product, so the OpenSSL FIPS Object Module isn't interesting for me. What is interesting, however, are the self-tests. Incidentally, unless you're seeking a Level 2 validation for a non-CC certified environment you'll regret defining the crypto module boundary to include your entire application. I am seeking a level 2 validation. It's not really an application, it's a hardware device. Because the 1.0.x releases don't have any support for FIPS, they don't implement the FIPS-mandated tests. OpenSSL can't help with prevalidation now, since its FIPS-validated mode fails new validation standards compliance in some manner. You're probably already dealing with having to fork the code (to prevent any use of non-FIPS-approved algorithms when your hardware is operating in FIPS-validated mode). This suggests that your best option might be to import the self-tests from fips-1.2.2 into your own fork. -Kyle H smime.p7s Description: S/MIME Cryptographic Signature
Trust and Key management
Hi, Does OpenSSL provide any API for managing a trust store and a key store like Java? Thanks, karthik