Re:RSA_generate_key function
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) "I would like to call this function to generate the same public/private key everytime. " I do not sure what exactly want.I suppose that you want everytime you called theRSA_generate_key_exwith same parameters and you can get same RSA key pair. The only randomness in rsa-key generation is the generation of 'p' and 'q' ,which calls theBN_generate_prime_ex. BN_generate_prime_ex will generate a random prime by your bits parameter. So my idea is to rewrite theBN_generate_prime_ex function, caching the prime that was generated.(rewriting this function may influence other functions that call it,so i recommend to write your own version of this funcition and modify the code inRSA_generate_key_ex). Also you may rewrite theRSA_generate_key_ex,caching the RSA key. At 2011-02-01 09:37:09,"Ashwin Chandra" wrote: I would like to call this function to generate the same public/private key everytime. I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs. Is there any way to have RSA_generate_key generate the same public/private key each time? (I know this doesn’t make sense security wise, but the work I have to do requires it).
RE: RSA_generate_key function
Hi David, 1. I am not sure what you mean by replacing RSA_generate_key with my own function, because I would like it to go through the process of creating prime numbers, and modulus, etc. Basically I want the RSA_generate_key to generate the same public key at startup each time my process runs. 2. You say I could do this with writing my own PRNG? Do you have an example of this? 3. I went into the RSA_generate_key code and I saw during the prime number calculation that the function bnrand() actually uses the system time as a seed. If this was the case, how could I ever get RSA_generate_key to return the same public key? -Original Message- From: David Schwartz [mailto:dav...@webmaster.com] Sent: Monday, January 31, 2011 7:37 PM To: openssl-users@openssl.org Cc: Ashwin Chandra Subject: Re: RSA_generate_key function On 1/31/2011 5:37 PM, Ashwin Chandra wrote: > I would like to call this function to generate the same public/private > key everytime. > > I thought all I had to do was create the same seed using RAND_seed > each time, however I still keep getting different key pairs. > > Is there any way to have RSA_generate_key generate the same > public/private key each time? (I know this doesn't make sense security > wise, but the work I have to do requires it). > Replace RSA_generate_key with your own function that returns the desired key. Using the same seed each time won't work because intervening operations can leave the PRNG in a different state. You could use your own PRNG to replace OpenSSL's and then put it into a particular state prior to calling RSA_generate_key. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RSA_generate_key function
On 1/31/2011 5:37 PM, Ashwin Chandra wrote: I would like to call this function to generate the same public/private key everytime. I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs. Is there any way to have RSA_generate_key generate the same public/private key each time? (I know this doesn’t make sense security wise, but the work I have to do requires it). Replace RSA_generate_key with your own function that returns the desired key. Using the same seed each time won't work because intervening operations can leave the PRNG in a different state. You could use your own PRNG to replace OpenSSL's and then put it into a particular state prior to calling RSA_generate_key. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RSA_generate_key function
I would like to call this function to generate the same public/private key everytime. I thought all I had to do was create the same seed using RAND_seed each time, however I still keep getting different key pairs. Is there any way to have RSA_generate_key generate the same public/private key each time? (I know this doesn't make sense security wise, but the work I have to do requires it).
Re: OpenSSL with Managed C++
On 1/31/2011 1:07 PM, John R Pierce wrote: > On 01/31/11 10:55 AM, Harshvir Sidhu wrote: >> Hi, >>Can we use OpenSSL lib with Managed C++? Thanks. > can you call native "C" style DLL's from this 'Managed C++' (whatever that > is) ? my > initial google of 'Managed C++' indicates its a Microsoft .NET thing that was > deprecated > circa 2005. The concepts of boxing and unboxing native calls from any .NET language into a C library have never changed. The syntax of C++.NET underwent all sorts of convolutions after 1.0, but the concepts are the same. To answer Harshvir, I haven't heard of anyone who coordinated all of the pinvoke stubs/headers you might need. Of course it's possible. Best of luck in your efforts, certainly google around for anyone who might have already tried, and document your efforts for the next one to attempt it :) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: First time attempting PostgreSQL SSL
David, a couple of additional thoughts, as I re-read this... First, in your client certs location - %appdata%/postgresql - you do _not_ need the CSR. This is the Certificate Signing Request. It won't hurt you, but save this elsewhere. Next: A common gotcha on Windows is that the %APPDATA% is not always exactly what you think it is. It's worth experimenting with your local vs. roaming profiles, for example... Having said all that, here's some Good Advice(!): Skip certificates for the moment, and be sure you have SSL working _at all_ on your server. You must be sure of a couple of things: 1) The server _must_ be built with SSL support 2) The client lib you are using - typically pq_lib, if you haven't compiled your own code, must ALSO be built with SSL support. 3) The pg_hba.conf access line must 'activate' SSL for a given connection. HINT: A 'simple' pg_hba.conf setting will be adequate to testing SSL; remove the variables one by one in your logic. IE, use a 'hostssl' line for user 'test' from 0.0.0.0/0 with an md5 password. The whole SSL-build-plus-certificates chain above, all at the same time, is not for the faint of heart, if you have never done it before. It's a bit bigger than just setting the options in pg_hba.conf. Once you've verified SSL as a baseline, then you're ready to move on to certificates! Let me know! Lou Picciano - Original Message - From: "David Patricola" To: openssl-users@openssl.org Sent: Monday, January 31, 2011 4:31:08 PM Subject: FW: First time attempting PostgreSQL SSL Whoops, I forgot to include root.crt in the Postgre /data directory. Now that I fixed that, I am still getting the same connection error on the client side. -Original Message- From: David Patricola [mailto:david.patric...@jefferson.edu] Sent: Monday, January 31, 2011 4:10 PM To: 'openssl-users@openssl.org' Subject: RE: First time attempting PostgreSQL SSL I found an excellent tutorial on this: http://www.howtoforge.com/postgresql-ssl-certificates I followed the instructions perfectly, and used my client computer's IP address as the CA. Here's my setup so far: On the server: - In Postgre data/ I have the server.crt and server.key files - pg_hba.conf has hostssl all all myipaddress/32 cert - postgresql.conf has ssl = on - I restarted the service and it connected. On the client: - In my %appdata%/postgresql folder I have postgresql.crt, postgresql.csr, postgresql.key and root.crt After this, I try to connect to the server again from my client box and it says "server does not support SSL, but SSL is required". Would this be a Postgre issue or did I not put a certificate file correctly somewhere? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alan Buxey Sent: Saturday, January 29, 2011 3:21 PM To: openssl-users@openssl.org Subject: Re: First time attempting PostgreSQL SSL Hi, > I’m new as can be with creating SSL certificates on my own. I downloaded > the openssl binary and installed it. The instructions and tutorials on > the website don’t help me much in terms of steps A,B,C; this could also be > due to a lack of familiarity with technical terms used for each part of > this. The only thing I did accomplish is the following > > > > openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout > privateKey.key > > > > I now have a privateKey and CSR file in the openssl/bin folder. Beyond > this I do not know what goes where. I’m on Windows 2003 (server) and > Windows XP (client). I know what to change in the PostgreSQL config but > do not know if PostgreSQL implicitly knows that a certificate exists, and > what the client box should have. you probably want to check the postgreSQL documentation for where and how to use the certs - as this is not specific to OpenSSL. anyway, in general terms...you now have a private key - good, the PSQL server would have that you need to get your CSR signed by a CA that the client knows. you then would configure PSQL to use the public version of the signed CSR - usually a DER or PEM file by that point. at this point, its just like a client talking to an SSL'd web server (or any other service). client connects, gets given the cert...which it trusts (because of CA) and then SLS tunnel gets made. data is transferred over that tunnel. alan __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: First time attempting PostgreSQL SSL
David, First step - well before placing your certificates correctly, is to be sure your PostgreSQL _server_ has been compiled with SSL support. From that message, it seems it isn't... >From there, you have to place all the certificates and keys in correct >locations - but I think you're not quite there yet. To get yourself going, why not first set up a pg_hba.conf configuration using hostssl, but skip the certificate usage for the moment... Probably a bit to handle all at once; SSL plus the certificate authentication all in one go... Lou Picciano - Original Message - From: "David Patricola" To: openssl-users@openssl.org Sent: Monday, January 31, 2011 4:10:10 PM Subject: RE: First time attempting PostgreSQL SSL I found an excellent tutorial on this: http://www.howtoforge.com/postgresql-ssl-certificates I followed the instructions perfectly, and used my client computer's IP address as the CA. Here's my setup so far: On the server: - In Postgre data/ I have the server.crt and server.key files - pg_hba.conf has hostssl all all myipaddress/32 cert - postgresql.conf has ssl = on - I restarted the service and it connected. On the client: - In my %appdata%/postgresql folder I have postgresql.crt, postgresql.csr, postgresql.key and root.crt After this, I try to connect to the server again from my client box and it says "server does not support SSL, but SSL is required". Would this be a Postgre issue or did I not put a certificate file correctly somewhere? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alan Buxey Sent: Saturday, January 29, 2011 3:21 PM To: openssl-users@openssl.org Subject: Re: First time attempting PostgreSQL SSL Hi, > I’m new as can be with creating SSL certificates on my own. I downloaded > the openssl binary and installed it. The instructions and tutorials on > the website don’t help me much in terms of steps A,B,C; this could also be > due to a lack of familiarity with technical terms used for each part of > this. The only thing I did accomplish is the following > > > > openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout > privateKey.key > > > > I now have a privateKey and CSR file in the openssl/bin folder. Beyond > this I do not know what goes where. I’m on Windows 2003 (server) and > Windows XP (client). I know what to change in the PostgreSQL config but > do not know if PostgreSQL implicitly knows that a certificate exists, and > what the client box should have. you probably want to check the postgreSQL documentation for where and how to use the certs - as this is not specific to OpenSSL. anyway, in general terms...you now have a private key - good, the PSQL server would have that you need to get your CSR signed by a CA that the client knows. you then would configure PSQL to use the public version of the signed CSR - usually a DER or PEM file by that point. at this point, its just like a client talking to an SSL'd web server (or any other service). client connects, gets given the cert...which it trusts (because of CA) and then SLS tunnel gets made. data is transferred over that tunnel. alan __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
FW: First time attempting PostgreSQL SSL
Whoops, I forgot to include root.crt in the Postgre /data directory. Now that I fixed that, I am still getting the same connection error on the client side. -Original Message- From: David Patricola [mailto:david.patric...@jefferson.edu] Sent: Monday, January 31, 2011 4:10 PM To: 'openssl-users@openssl.org' Subject: RE: First time attempting PostgreSQL SSL I found an excellent tutorial on this: http://www.howtoforge.com/postgresql-ssl-certificates I followed the instructions perfectly, and used my client computer's IP address as the CA. Here's my setup so far: On the server: - In Postgre data/ I have the server.crt and server.key files - pg_hba.conf has hostsslall all myipaddress/32cert - postgresql.conf has ssl = on - I restarted the service and it connected. On the client: - In my %appdata%/postgresql folder I have postgresql.crt, postgresql.csr, postgresql.key and root.crt After this, I try to connect to the server again from my client box and it says "server does not support SSL, but SSL is required". Would this be a Postgre issue or did I not put a certificate file correctly somewhere? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alan Buxey Sent: Saturday, January 29, 2011 3:21 PM To: openssl-users@openssl.org Subject: Re: First time attempting PostgreSQL SSL Hi, >Im new as can be with creating SSL certificates on my own. I downloaded >the openssl binary and installed it. The instructions and tutorials on >the website dont help me much in terms of steps A,B,C; this could also be >due to a lack of familiarity with technical terms used for each part of >this. The only thing I did accomplish is the following > > > >openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout >privateKey.key > > > >I now have a privateKey and CSR file in the openssl/bin folder. Beyond >this I do not know what goes where. Im on Windows 2003 (server) and >Windows XP (client). I know what to change in the PostgreSQL config but >do not know if PostgreSQL implicitly knows that a certificate exists, and >what the client box should have. you probably want to check the postgreSQL documentation for where and how to use the certs - as this is not specific to OpenSSL. anyway, in general terms...you now have a private key - good, the PSQL server would have that you need to get your CSR signed by a CA that the client knows. you then would configure PSQL to use the public version of the signed CSR - usually a DER or PEM file by that point. at this point, its just like a client talking to an SSL'd web server (or any other service). client connects, gets given the cert...which it trusts (because of CA) and then SLS tunnel gets made. data is transferred over that tunnel. alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL with Managed C++
Can we use OpenSSL lib with Managed C++? Thanks. http://openssl-net.sourceforge.net/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: [FWD] problem in privete key
> From: owner-openssl-us...@openssl.org On Behalf Of David Schwartz > Sent: Monday, 31 January, 2011 09:50 > To: openssl-users@openssl.org > Cc: Lutz Jaenicke; praveen kumar > On 1/31/2011 12:25 AM, Lutz Jaenicke [forwarded]: > >openSSL>s_client -connect ip:port -cert certfile.crt > > > >ERROR: unable to load client certificate private key file > > 3077682908:error:0906D06C:PEM routines:PEM_read_bio:no > start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY > > date inside the file like this > > > > -BEGIN CERTIFICATE- > [snip] > > -END CERTIFICATE- > > > > This is file sent by the server.please any one help me to > connect to the server. > > > > If the file is sent by the server, why are you passing it so > s_client? If you look at the cert it appears to be a (private) CA cert. At least, it is self-signed with subject=issuer containing emailAddress=c...@olivecryptosystems.com . If you want to use this cert _as the CAcert to verify the server_ use s_client -CAfile certfile.crt (And perhaps other servers in the same organization.) Note commandline s_client will make the connection even if the server (cert) isn't verified (e.g. no CAcert at all). However other software, particularly other software using openssl library, usually won't, at least not by default. > The '-cert' option, when passed to 's_client' is used to specify a > *client* certificate. Without a corresponding private key, it > won't work. > That's true. Although s_client can accept cert and key in separate files or both in one file. That's why you get the mildly confusing error about "expecting ANY PRIVATE KEY [in certfile]". Note that it isn't crazy in some cases for a server to also act as a CA issuing certs to (acceptable) clients. Properly speaking you should still distinguish these roles, the server acting as CA vs. the server acting as server for data sessions, but people often don't. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: PKCS12_parse / PKCS12_create issue
> From: owner-openssl-us...@openssl.org On Behalf Of Muhammed Shafeek > Sent: Wednesday, 26 January, 2011 12:30 > I've a program that extracts private key and cert from the input > pfx file loaded into the system > and then create a p12 file out of this private key and cert using > a different password to add it to a local keystore. You know you could use the commandline utility to do this. (Given it is present, or can be installed, and accessible; and you can write some temporary files, but if you can write an output file you can probably do temporaries.) > /*code to extract key*/ > p12Key = d2i_PKCS12_fp(fp, NULL); > PKCS12_parse(p12Key, pass, pkey, NULL, NULL); > /*code to extract cert*/ > p12Cert = d2i_PKCS12_fp(fp, NULL); > PKCS12_parse(p12Cert, pass, NULL, pCert, NULL); I assume you've omitted some file-management code here, since two d2i's from the same file open (fp) don't work. And you don't need them; you could call PKCS12_parse twice on a single (decoded) p12 object. But you shouldn't; one call to PKCS12_parse can get both key and cert, and should since they logically (must) go together. And you should definitely check for error(s), but I'll optimistically assume that was just omitted for posting. > /*creating p12 from the extracted key and cert*/ > p12 = PKCS12_create(password, name, pkey, pCert, NULL, > NID_pbe_WithSHA1And40BitRC4,NID_pbe_WithSHA1And3_Key_TripleDES_CBC,0, 0, 0); It makes no security sense to encrypt the key with RC4-40, which nowadays is trivially brute-forced (even in the days of ITAR when PKCS12 was established, it was pretty easy), but the cert which doesn't really need privacy with TripleDES. The defaults, which are the other way, would be much better. > I observe the following things: > 1. The attributes ptr in pkey extracted using PKCS12_parse is null. > Note that the input pfx does have local Key ID and friendly name. > The cert extracted using PKCS12_parse > have local Key ID attribute which is same as in input pfx file. Yes, p12_kiss.c returns alias=friendly and keyid for the cert and no attributes for the key. The man page says > Attributes currently cannot be store in the private key > EVP_PKEY structure. although that appears to be out of date. Perhaps it should, although friendly and keyid should be the same for key and cert if used at all, so getting them on the cert should probably usually be enough. > 2. The p12 file created using PKCS12_create has a local KeyID > attribute for private key and is different from that of cert. I assume you mean PKCS12_create plus i2d_PKCS12_fp or similar, since PKCS12_create by itself only creates a memory structure. > Can any one please explain the reason for this? Is there any issue > in my code? or Is this an openssl issue? On the cert, p12_crt.c uses any friendly=alias and keyid in the cert object, and ADDS friendly from caller if not null and keyid = SHA1 of cert (if doing both key&cert). This appears to violate PKCS9 (at least the one I have) which says single-valued. And isn't mentioned on the man page. (On the key, it just does friendly from caller and keyid = SHA1, but also MSCSPname and recently LocalKeySet from key.attributes!) Depending on the software that reads this, if it assumes the PKCS9 single-value rule as it apparently has a right to, which values get used/displayed/whatever for the cert may be arbitrary or even unpredictable. You probably should X509_alias_set1(,NULL,0) and similarly for keyid on your cert before giving it to PKCS12_create. Alternatively, but more work, build your own exactly as you want with the PKCS12_ PKCS7_ PKCS8_ etc. primitives. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: First time attempting PostgreSQL SSL
I found an excellent tutorial on this: http://www.howtoforge.com/postgresql-ssl-certificates I followed the instructions perfectly, and used my client computer's IP address as the CA. Here's my setup so far: On the server: - In Postgre data/ I have the server.crt and server.key files - pg_hba.conf has hostsslall all myipaddress/32cert - postgresql.conf has ssl = on - I restarted the service and it connected. On the client: - In my %appdata%/postgresql folder I have postgresql.crt, postgresql.csr, postgresql.key and root.crt After this, I try to connect to the server again from my client box and it says "server does not support SSL, but SSL is required". Would this be a Postgre issue or did I not put a certificate file correctly somewhere? -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Alan Buxey Sent: Saturday, January 29, 2011 3:21 PM To: openssl-users@openssl.org Subject: Re: First time attempting PostgreSQL SSL Hi, >Im new as can be with creating SSL certificates on my own. I downloaded >the openssl binary and installed it. The instructions and tutorials on >the website dont help me much in terms of steps A,B,C; this could also be >due to a lack of familiarity with technical terms used for each part of >this. The only thing I did accomplish is the following > > > >openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout >privateKey.key > > > >I now have a privateKey and CSR file in the openssl/bin folder. Beyond >this I do not know what goes where. Im on Windows 2003 (server) and >Windows XP (client). I know what to change in the PostgreSQL config but >do not know if PostgreSQL implicitly knows that a certificate exists, and >what the client box should have. you probably want to check the postgreSQL documentation for where and how to use the certs - as this is not specific to OpenSSL. anyway, in general terms...you now have a private key - good, the PSQL server would have that you need to get your CSR signed by a CA that the client knows. you then would configure PSQL to use the public version of the signed CSR - usually a DER or PEM file by that point. at this point, its just like a client talking to an SSL'd web server (or any other service). client connects, gets given the cert...which it trusts (because of CA) and then SLS tunnel gets made. data is transferred over that tunnel. alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL with Managed C++
On 01/31/11 10:55 AM, Harshvir Sidhu wrote: Hi, Can we use OpenSSL lib with Managed C++? Thanks. can you call native "C" style DLL's from this 'Managed C++' (whatever that is) ? my initial google of 'Managed C++' indicates its a Microsoft .NET thing that was deprecated circa 2005. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL with Managed C++
Hi, Can we use OpenSSL lib with Managed C++? Thanks. // Harshvir
Re: [FWD] problem in privete key
On 1/31/2011 12:25 AM, Lutz Jaenicke wrote: Dear friend This is praveenkumar working as a app developer from Linkwell telesystems,hyderabad,India. i have a problem in ssl while hitting the server with the certificate provided by server.i am using openssl tool in linux. When i tried to execute client with the certificate in the command line ,i am getting the error like this openSSL>s_client -connect ip:port -cert certfile.crt ERROR: unable to load client certificate private key file 3077682908:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY error in s_client This is the sample certificate file file name:certfile.crt date inside the file like this -BEGIN CERTIFICATE- [snip] -END CERTIFICATE- This is file sent by the server.please any one help me to connect to the server. If the file is sent by the server, why are you passing it so s_client? The '-cert' option, when passed to 's_client' is used to specify a *client* certificate. Without a corresponding private key, it won't work. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Extended Key Usage
Never mind. This helped: http://www.mail-archive.com/openssl-users@openssl.org/msg37839.html On Mon, Jan 31, 2011 at 3:48 PM, Karthik Ravikanti < karthik.ravika...@gmail.com> wrote: > Hi, > > Using the command line tools I was able to create a CA, a certificate > request and a certificate signed by the CA. However, I also need to add the > Extended Key Usage field to the certificate. I used the -exfile and > -extensions options in x509 to no avail. > Help! > > Thanks, > Karthik >
Re: Got X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY when there was a root in the store.
Dave, Sorry for a late reply, but I was able to zero in on the real problem. I was converting X509 objects to DER and that to Apple's SecCertificateRef. In the lookup method I was again getting DER from SecCertificateRef and an X509 from it. Strangely, both the objects have the same printed subject name, but differ in the encoded form. So I'm now just avoiding the conversion to SecCertificateRef for good. Just storing DER data (and converting directly back to X509) serves my purpose well. Thanks, Karthik On Tue, Jan 25, 2011 at 7:45 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Karthik > Ravikanti > > Sent: Friday, 21 January, 2011 09:16 > > > To overcome [snipped], in my get_by_subject lookup method, I'm > returning > > the certificate whose subject when printed with X509_NAME_print_ex() > > matches with the one being asked for. > > I'm not sure NAME_print_ex matches in exactly the same cases that > cert-chain matching does (or should), although for 'normal' cases > (no spurious delimiters/tags, no Unicode weirdness like surrogates) > it should be OK. FWIW I saw the certs (and key) you posted 2011-01-19 > (consistently) have the commonName as UTF8 unnecessarily (actually > uses only IA5 and IIRC only Printable). > > > Before returning however, I'm overwriting the subject and issuer > fields > > by the queried subject. I know this is stupid, so I'll remove this once I > figure > > out what's wrong. > > > However, after this, I got this: [trimmed] > > 0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is > not 01 > > 04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed > > 0D0C5006:asn1 encoding routines:ASN1_item_verify > > 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate > verify > failed > > This means the signature didn't verify on one of the certs checked. > You could set a breakpoint in the checking logic to see which one. > Possibilities: > > - the cert from the server doesn't have a valid signature by the issuer > (CA). > Either it was brokenly issued (or forged!) in the first place, or the copy > (currently) used by the server has been damaged (perhaps tampered with). > > - the server cert is signed by a different key than in the CA cert > your lookup found. This could be because your lookup is wrong, or > it might be there are actually multiple different CA certs/keys with > the same name, and issuer-name alone (or hash canon issuer-name alone) > doesn't uniquely identify the parent cert when you try to lookup. > This latter is a known limitation in OpenSSL's chaining logic. > (If a child has AuthKeyID extension, the chaining logic will check it, > but if it mismatches can't recover by trying a different parent.) > > In theory this ambiguity can happen if a CA rolls to a new period > with no other change, but perhaps fortuitously in practice CAs change > functions and roles (and ownership!) more often than their cert > validities (which are usually quite long, like 10-30 years) expire. > It may be more likely with a subsidiary or intermediate CA, which could > have a shorter period and tend to keep the same role if it survives > at all, but I haven't encountered it in the wild yet. > > - the server cert is correctly signed by the CA cert, but the CA cert > you (find and) use is not correctly signed by its own key (selfsigned). > If the issuername and/or subjectname you are "overwriting" on lookup > differ by even one bit from the values actually in the cert created > by the CA (for itself) then the signature fails. > > I would guess the third is most likely but the second is possible; > the first is vanishingly unlikely (and can be checked by grabbing the cert > from an s_client run and using commandline verify against a good CA cert). > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Extended Key Usage
Hi, Using the command line tools I was able to create a CA, a certificate request and a certificate signed by the CA. However, I also need to add the Extended Key Usage field to the certificate. I used the -exfile and -extensions options in x509 to no avail. Help! Thanks, Karthik
[FWD] problem in privete key
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from praveen kumar - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=indiatimes.com; b=dD+HXBj14rLD29R6lgucpGQSSko3eDZ3iy+mf5ruwak/rNVEH9kuetEhjJCUVtVt ; Date: Sat, 29 Jan 2011 14:49:21 +0530 (IST) From: praveen kumar To: r...@openssl.org Subject: problem in privete key Dear friend This is praveenkumar working as a app developer from Linkwell telesystems,hyderabad,India. i have a problem in ssl while hitting the server with the certificate provided by server.i am using openssl tool in linux. When i tried to execute client with the certificate in the command line ,i am getting the error like this openSSL>s_client -connect ip:port -cert certfile.crt ERROR: unable to load client certificate private key file 3077682908:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY error in s_client This is the sample certificate file file name:certfile.crt date inside the file like this -BEGIN CERTIFICATE- MIICsTCCAhqgAwIBAAIETPcsXzANBgkqhkiG9w0BAQUFADCBnDEoMCYGCSqGSIb3 DQEJARYZY2FAb2xpdmVjcnlwdG9zeXN0ZW1zLmNvbTELMAkGA1UEBhMCSU4xCzAJ BgNVBAgTAktBMRIwEAYDVQQHEwlCYW5nYWxvcmUxITAfBgNVBAoTGE9saXZlIENy eXB0byBTeXN0ZW1zIExMUDEPMA0GA1UECxMGU3dpdGNoMQ4wDAYDVQQDEwVPbGl2 ZTAeFw0xMDEyMDIwNTE5MjdaFw0yMDEyMDIwNTE5MjdaMIGcMSgwJgYJKoZIhvcN AQkBFhljYUBvbGl2ZWNyeXB0b3N5c3RlbXMuY29tMQswCQYDVQQGEwJJTjELMAkG A1UECBMCS0ExEjAQBgNVBAcTCUJhbmdhbG9yZTEhMB8GA1UEChMYT2xpdmUgQ3J5 cHRvIFN5c3RlbXMgTExQMQ8wDQYDVQQLEwZTd2l0Y2gxDjAMBgNVBAMTBU9saXZl MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ7Qfr4rXC8H77UIgP5YGEtQTr hU3qVZtN+X5ysZVjITyyuxiqkXPzWASvNQK5NwO4VB05SwGNEop2NEIY8d+P87Hg qDGL5f9D5qPg7nvkzPQcZZkJhpGJ79Vvdz6+fQGkiQNBN8dgwXXCi0L2HMaec2V0 IUB7lAwAck16umfhqQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAMJXmsV22EYUJ6GD hx0lVlj23wwvdGeGqRWU3zFE/7d9kRWxG0YrTkYBKwerN4DflkCm1Glodt6Rhkwy Jvspbc7dell11wy+YeXl4c7zsumQcXOgSuWtiaLiiJw12uZVjFYmEBfdZ4zrJpYW mcaIGD1l4WsXGEesFA859g3ZiK52 -END CERTIFICATE- This is file sent by the server.please any one help me to connect to the server. Thanks®ards K.A.Praveenkumar - End forwarded message - -- Lutz Jaenicke jaeni...@openssl.org OpenSSL Project http://www.openssl.org/~jaenicke/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org