Re: command line to c++ code

2011-04-13 Thread John R Pierce

On 04/13/11 4:11 PM, luis hernandez wrote:


> take a look at the source to openssl (the executable utility). I
> believe it's in C and it, obviously, can do every possible command line
> that it does.
>

One month doing it that way, but there is no other way.



It's that or spend month(s) learning how to program with libssl and
libcrypto some other way. openssl, and only openssl (the program, not
the libraries), does exactly what you asked for: 'converts command line
arguments into function calls'.


crypto is hard.  there are no (valid) shortcuts to a full and thorough 
understanding of how it works and how to correctly use it.





__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager       majord...@openssl.org


RE: command line to c++ code

2011-04-13 Thread luis hernandez

 

> Date: Wed, 13 Apr 2011 12:41:16 -0700
> From: pie...@hogranch.com
> To: openssl-users@openssl.org
> Subject: Re: command line to c++ code
> 
> On 04/13/11 10:16 AM, luis hernandez wrote:
> > Hi
> > I do not know if you have talked about this here, but I cannot find the
> > answer.
> >
> > How to translate a command line command to C++ code?
> >
> > For instance if at the command prompt I do this: openssl x509 -inform DER 
> > -in cert.cer -noout -enddate
> >
> > What code will generate the same result?
> 
> take a look at the source to openssl (the executable utility). I 
> believe it's in C and it, obviously, can do every possible command line 
> that it does.
> 

One month doing it that way, but there is no other way.
  

Re: RSA key

2011-04-13 Thread David Schwartz

On 4/13/2011 2:35 AM, pattabi raman wrote:


1. If I can't use sprintf then how can I copy the encrypted message to a
character buffer? Because so far I am sending the request to middleware in a
char buffer using a TCP/IP socket. How can I achieve this now?


If you don't know how to copy bytes of data, you don't know how to code 
in C. You can copy it yourself, using a 'for' loop. You can use 'memcpy'.



2. Actually I am using a 2048-bit public key. So what is the right size I
can use? I tried to use RSA_size(rsa), which gives a core dump error.
So any idea on the above points will help me a lot. Thanks.


I'd have to see the code to be sure, but likely your core dump comes 
from misusing the result of this call. For example, there is no 
guarantee that you can *en*crypt a value just because it is RSA_size or 
fewer bytes.


DS




Re: command line to c++ code

2011-04-13 Thread John R Pierce

On 04/13/11 10:16 AM, luis hernandez wrote:

Hi
I do not know if you have talked about this here, but I cannot find the 
answer.


How to translate a command line command to C++ code?

For instance if at the command prompt I do this: openssl x509 -inform DER 
-in cert.cer -noout -enddate


What code will generate the same result?


take a look at the source to openssl (the executable utility).  I 
believe it's in C and it, obviously, can do every possible command line 
that it does.







Re: conversion from pem to pkcs12

2011-04-13 Thread Zico
On Tue, Apr 12, 2011 at 3:53 AM, Dave Thompson wrote:

> Aside: If the "-in" file contains both the cert and the privatekey,
> you don't need to provide "-inkey" in addition.
>
> But the error is that the cert and privatekey don't match.
> At least one of these files is not what you think it is.
> Basic things first: make sure you're in the correct directory,
>

I am afraid to let you know that I cannot understand the actual meaning of
"correct directory". What does it mean? All my .pem files are in one
directory of my /home, and openssl is installed by default, as I am using
Ubuntu 10.10.


> and have the correct version(s) of the files


"correct versions"? :(


> -- did you perhaps
> try more than once to generate and/or obtain a cert?
>

No, I didn't! Cert was generated once.


> If Unix, make sure no filename is a symlink to the wrong place.
>
> Is there more than one cert in "filename.pem"? Perhaps you
> put the whole chain in there?


Yes, every .pem file is there in the same directory. All private keys and
cert.


> Try making sure the entity cert --
> the one for the key -- is first, or perhaps better only.
> Is the cert correctly marked with BEGIN and END lines?
>

Yes they are properly wrapped.


>
> Try openssl x509 -in (certfile.pem) -noout -text
>

When I go to load my certificate file (which is concatenated with the private
key) it shows me the error:

unable to load certificate
7937:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:749:

> and openssl rsa -in (privkey.pem) -noout -text
>

Showing modulus, privateExponent, prime1, prime2.

-- 
Best,
Zico
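
Dave's suggestions above and the "bad end line" error Zico gets both come down to how a PEM reader pairs BEGIN and END lines: an "-----END <label>-----" line must carry exactly the label of the "-----BEGIN <label>-----" that opened the block, and a concatenated file that lost a line in between trips that check. The C program below is an added example written for this page, not code from the thread or from OpenSSL. It mirrors that pairing check without linking libcrypto; pem_check_blocks and next_line are names chosen here, and GOOD_PEM and BAD_PEM are constructed sample files, not real keys. Real loading is still done with PEM_read_bio_X509 / PEM_read_bio_PrivateKey, which is where the quoted error is raised.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN "
#define PEM_END   "-----END "
#define PEM_TAIL  "-----"

/* Copy one line (without its newline) into buf; return a pointer to the
 * start of the next line, or NULL when the input is exhausted. */
static const char *next_line(const char *p, char *buf, size_t cap)
{
    const char *nl;
    size_t n;
    if (p == NULL || *p == '\0') return NULL;
    nl = strchr(p, '\n');
    n = nl ? (size_t)(nl - p) : strlen(p);
    if (n && p[n - 1] == '\r') n--;              /* tolerate CRLF files */
    if (n >= cap) n = cap - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Walk a PEM file the way a PEM reader does: every "-----BEGIN <label>-----"
 * must be closed by "-----END <label>-----" with the identical label.
 * Returns the number of well-formed blocks, or -(line number) of the first
 * END line that is missing, malformed, or carries the wrong label. */
int pem_check_blocks(const char *text)
{
    char line[256], label[128];
    const char *p = text;
    int lineno = 0, blocks = 0, in_block = 0;

    while ((p = next_line(p, line, sizeof line)) != NULL) {
        lineno++;
        if (!in_block) {
            if (strncmp(line, PEM_BEGIN, strlen(PEM_BEGIN)) == 0) {
                const char *l = line + strlen(PEM_BEGIN);
                size_t n = strlen(l);
                if (n < strlen(PEM_TAIL) || strcmp(l + n - strlen(PEM_TAIL), PEM_TAIL) != 0)
                    return -lineno;               /* BEGIN line without closing dashes */
                n -= strlen(PEM_TAIL);
                if (n >= sizeof label) return -lineno;
                memcpy(label, l, n);
                label[n] = '\0';
                in_block = 1;
            }
            /* text outside a block is ignored, as PEM readers do */
        } else if (strncmp(line, PEM_END, strlen(PEM_END)) == 0) {
            const char *l = line + strlen(PEM_END);
            size_t n = strlen(l);
            if (n < strlen(PEM_TAIL) || strcmp(l + n - strlen(PEM_TAIL), PEM_TAIL) != 0)
                return -lineno;                   /* END line without closing dashes */
            if (n - strlen(PEM_TAIL) != strlen(label) || strncmp(l, label, strlen(label)) != 0)
                return -lineno;                   /* label mismatch: OpenSSL's "bad end line" */
            in_block = 0;
            blocks++;
        }
    }
    return in_block ? -lineno : blocks;           /* BEGIN that never got its END */
}

/* Constructed sample files (not real keys): a correctly concatenated
 * cert + key, and the same file with the certificate's END line dropped. */
static const char GOOD_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsample\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEsample\n"
    "-----END RSA PRIVATE KEY-----\n";

static const char BAD_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsample\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEsample\n"
    "-----END RSA PRIVATE KEY-----\n";

int main(int argc, char **argv)
{
    static char text[1 << 16];
    int r;

    if (argc > 1) {                               /* check a real file if one is given */
        FILE *f = fopen(argv[1], "r");
        size_t n;
        if (!f) { perror(argv[1]); return 1; }
        n = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        text[n] = '\0';
        r = pem_check_blocks(text);
    } else {
        r = pem_check_blocks(BAD_PEM);
    }
    if (r < 0) printf("bad or missing END line reached at line %d\n", -r);
    else       printf("%d well-formed PEM block(s)\n", r);
    return r < 0;
}
```

Run it against the concatenated cert+key file and it reports the first END line the reader will reject, which is quicker than eyeballing the file; the usual causes are a missing END line between the two blocks, a label that differs between the BEGIN and END lines, or a BEGIN/END pair that ended up on the same line.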


command line to c++ code

2011-04-13 Thread luis hernandez

Hi 
I do not know if you have talked about this here, but I cannot find the answer.

How to translate a command line command to C++ code?

For instance if at the command prompt I do this: openssl x509 -inform DER -in 
cert.cer -noout -enddate

What code will generate the same result?

Is there a howto already written?

I have bought the book Network Security with OpenSSL by O'Reilly, but I cannot 
figure it out.
 
TIA for your help.
 
Luis Hernandez
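
For this particular command the "command line to function calls" translation John describes is short. With libcrypto the sequence is: open the file in a BIO, call d2i_X509_bio() to parse the DER, take the time with X509_get0_notAfter() (X509_get_notAfter() in older releases), and print it with ASN1_TIME_print(), which is essentially what apps/x509.c does for -enddate. The C program below is an added example written for this page, not code from the thread or from OpenSSL, and deliberately does not link the library: it walks the DER structure by hand down to the notAfter field so the reader can see what the command is actually looking at. SAMPLE_CERT is a constructed stub that contains only the fields the walker reads (signatureAlgorithm and signatureValue are omitted, so it is not a real certificate), and der_read / der_cert_not_after are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element: its tag and the bytes of its content. */
struct tlv {
    uint8_t tag;
    const uint8_t *val;
    size_t len;
};

/* Decode the element at *p (bounded by end) and advance *p past it.
 * Returns 1 on success, 0 on truncated or malformed input. Single-byte
 * tags and lengths of up to 4 bytes cover a certificate's outer structure. */
static int der_read(const uint8_t **p, const uint8_t *end, struct tlv *out)
{
    const uint8_t *q = *p;
    size_t len, nbytes, i;

    if (end - q < 2) return 0;
    out->tag = *q++;
    if ((out->tag & 0x1f) == 0x1f) return 0;          /* multi-byte tag: not handled */
    len = *q++;
    if (len & 0x80) {                                  /* long form: N length bytes follow */
        nbytes = len & 0x7f;
        if (nbytes == 0 || nbytes > 4 || (size_t)(end - q) < nbytes) return 0;
        len = 0;
        for (i = 0; i < nbytes; i++) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return 0;             /* length runs past the buffer */
    out->val = q;
    out->len = len;
    *p = q + len;
    return 1;
}

/* Locate notAfter in a DER certificate and copy its raw ASN.1 time string
 * (UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ") into buf.
 * Returns the string length, or -1 if the input is not shaped like
 * Certificate { TBSCertificate { ... validity { notBefore, notAfter } } }. */
int der_cert_not_after(const uint8_t *der, size_t der_len, char *buf, size_t buf_len)
{
    const uint8_t *p = der, *end = der + der_len;
    struct tlv cert, tbs, elem, validity, not_after;

    /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } */
    if (!der_read(&p, end, &cert) || cert.tag != 0x30) return -1;
    p = cert.val; end = cert.val + cert.len;
    if (!der_read(&p, end, &tbs) || tbs.tag != 0x30) return -1;

    /* TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber,
     *   signature AlgorithmIdentifier, issuer Name, validity Validity, ... } */
    p = tbs.val; end = tbs.val + tbs.len;
    if (!der_read(&p, end, &elem)) return -1;
    if (elem.tag == 0xa0 && !der_read(&p, end, &elem)) return -1;  /* skip optional version */
    if (elem.tag != 0x02) return -1;                                 /* serialNumber INTEGER */
    if (!der_read(&p, end, &elem) || elem.tag != 0x30) return -1;   /* signature algorithm */
    if (!der_read(&p, end, &elem) || elem.tag != 0x30) return -1;   /* issuer */
    if (!der_read(&p, end, &validity) || validity.tag != 0x30) return -1;

    /* Validity ::= SEQUENCE { notBefore Time, notAfter Time } */
    p = validity.val; end = validity.val + validity.len;
    if (!der_read(&p, end, &elem)) return -1;                        /* notBefore: skipped */
    if (!der_read(&p, end, &not_after)) return -1;
    if (not_after.tag != 0x17 && not_after.tag != 0x18) return -1;  /* UTCTime / GeneralizedTime */
    if (not_after.len + 1 > buf_len) return -1;
    memcpy(buf, not_after.val, not_after.len);
    buf[not_after.len] = '\0';
    return (int)not_after.len;
}

/* Constructed stub (not a real certificate): only the fields the walker
 * reads are present; signatureAlgorithm and signatureValue are omitted. */
static const uint8_t SAMPLE_CERT[] = {
    0x30, 0x2e,                                   /* Certificate SEQUENCE, 46 bytes */
      0x30, 0x2c,                                 /* TBSCertificate SEQUENCE, 44 bytes */
        0xa0, 0x03, 0x02, 0x01, 0x02,             /* [0] version: v3 */
        0x02, 0x01, 0x01,                         /* serialNumber: 1 */
        0x30, 0x00,                               /* signature AlgorithmIdentifier (empty stub) */
        0x30, 0x00,                               /* issuer Name (empty stub) */
        0x30, 0x1e,                               /* validity SEQUENCE, 30 bytes */
          0x17, 0x0d, '1','1','0','4','1','3','0','0','0','0','0','0','Z',  /* notBefore */
          0x17, 0x0d, '1','2','0','4','1','3','0','0','0','0','0','0','Z',  /* notAfter  */
};

/* Same job as "openssl x509 -inform DER -in FILE -noout -enddate", run on
 * the stub, or on a DER file named on the command line. */
int main(int argc, char **argv)
{
    static uint8_t filebuf[65536];
    const uint8_t *der = SAMPLE_CERT;
    size_t der_len = sizeof SAMPLE_CERT;
    char when[32];

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        der_len = fread(filebuf, 1, sizeof filebuf, f);
        fclose(f);
        der = filebuf;
    }
    if (der_cert_not_after(der, der_len, when, sizeof when) < 0) {
        fprintf(stderr, "input is not shaped like a DER certificate\n");
        return 1;
    }
    printf("notAfter=%s\n", when);                /* raw ASN.1 time, e.g. 120413000000Z */
    return 0;
}
```

The string it prints is the raw ASN.1 time (120413000000Z for the stub means 2012-04-13 00:00:00 UTC), whereas the openssl command formats it through ASN1_TIME_print; the walker also refuses truncated input instead of reading past the buffer, which is the property you want from any DER parser fed data from a socket or a file you did not create.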

Unsupported certificate purpose

2011-04-13 Thread Amar P. Patel
I get a verify error:num=26:unsupported certificate purpose error.

How do I fix this?

Regards,

Amar

Sent from my iPhone



Re: OpenSSL SSL_Accept Error

2011-04-13 Thread Harshvir Sidhu
The server is single-threaded and handles all the connections in a while(1)
loop. The sockets are blocking, but I am using FD_SET options; not sure if
that could be interfering with the way openssl works. In the code I am
doing accept, then creating the SSL and CTX, and then calling SSL_Accept. I am NOT
using OpenSSL callbacks.

Regarding code, the library I am using is 1.0.0a, but the openssl s_client I
was using, which I downloaded, is 1.0.0c. I think that should not
cause a problem, as when I try to connect using the client created with
1.0.0a I still get the same error. I tried using OpenSSL s_client just to
narrow the error down to the server or client side. Just to be sure, I will
reply with the OpenSSL s_client from the same build.

The server WORKS with clients that are NON SSL, but on the connection where I
do SSL it fails with the mentioned error.

PFA the log file for the s_client side. I have removed the data it exchanges
between client and server to reduce the log; let me know if this is not
clear and I will rerun and send the whole log.

I tried using s_server and s_client from the same build and it works fine,
and it uses the cipher value from the log, ECDHE-RSA-AES256-SHA. But when I use
s_client from the same build with my server then it doesn't work. This means
something is wrong with my server code. Not sure what; any suggestions based
on what I mentioned above?

// Harshvir

On Tue, Apr 12, 2011 at 10:31 PM, Dave Thompson wrote:

> >   From: owner-openssl-us...@openssl.org On Behalf Of Harshvir Sidhu
> >   Sent: Tuesday, 12 April, 2011 15:13
>
> >   Just to add a note to my last question,
> >   I tried to use openssl.exe s_client -connect IP:PORT
> >   and it gives the following error message in that.
> (reordered)
> >   verify error:num=18:self signed certificate
> >   verify return:1
> >   236:error:140943FC::sslv3 alert bad record mac:
> >   236:error:140790E5::.\ssl\s23_lib.c:177:
>
> >   I am using a self signed certificate so this first line makes
> sense,
>
> > but why its giving this SSL alert number 20.
> > Not able to find anything useful for this.
>
> >   I am trying to write the server side code using OpenSSL.
> >   I am getting the following error on SSL_Accept.
> >   error:1408F119::decryption failed or bad record mac
>
> s_client got the alert BECAUSE the server got the error.
> The only real problem is that the server got the error.
>
> >   I tried to google on this, everywhere they were mentioning
> > that there was some build error, which was fixed in 0.9.8 build,
> > I am not sure about the sub version, but I am using 1.0.0.a.
> > I also tried using SSL_CTX_check_private_key after i set my server
> > certificate and key, and its returning 1.
>
> There are two fundamental possibilities:
>
> 1. something else in your server is corrupting OpenSSL's data.
> Do you have handshake callbacks e.g. verification, tempdh, etc?
> Is server multithreaded? (Or less likely, using shared memory?)
> Are you using nonblocking I/O with other code 'in between'?
>
>

> 2. the compiled code for OpenSSL does the cipher or MAC wrong.
> This is rare, but can be caused by a compiler bug, or at least
> a 'feature' that is unusual and unexpected by the developers,
> so it tends to be specific to the compiler, target platform,
> and build options especially whether assembler is used but
> also things like optimization, PIC, etc.
>
> + are you sure you're using 1.0.0a? Linenumber 117 for 1408F119
> does NOT match 1.0.0a official source but DOES match 1.0.0c.
>
> + did you build from source, or get a build from someone else?
> What platform and options? What does openssl version -a say?
> (Remembering that it may be false if the build was fiddled.)
> Did you or the other builder do 'make test'?
>
> + do other clients, especially non-OpenSSL ones, cause the same
> error on the server (and get a similar error on the client)?
> Are OpenSSL client(s) the same OpenSSL build (and platform)?
>
> + exactly when does s_client get the error? I'd bet on Finished,
> but to check, run with -state and -msg or -debug.
>
> + what ciphersuite is selected on s_client attempt? On other
> clients that fail, or that work? What happens if you specify
> a ciphersuite with different data-crypto or MAC?
>
> + if you run s_server from same build, with equivalent crypto
> (key/cert, CAs, ciphersuites), does s_client work with it?
>
>
>
>
OpenSSL> s_client -host 10.200.159.172 -port 5000 -state -debug
Loading 'screen' into random state - done
CONNECTED(0090)
SSL_connect:before/connect initialization
write to 0xa86360 [0xa86bf8] (210 bytes => 210 (0xD2))

SSL_connect:SSLv2/v3 write client hello A

Re: RSA key

2011-04-13 Thread pattabi raman
Hi Dave,

Thanks for your reply.

1. If I can't use sprintf then how can I copy the encrypted message to a
character buffer? Because so far I am sending the request to middleware in a
char buffer using a TCP/IP socket. How can I achieve this now?

2. Actually I am using a 2048-bit public key. So what is the right size I can
use? I tried to use RSA_size(rsa), which gives a core dump error.

So any idea on the above points will help me a lot. Thanks.

On Tue, Apr 12, 2011 at 1:53 AM, Dave Thompson wrote:

> >   From: owner-openssl-us...@openssl.org On Behalf Of pattabi raman
> >   Sent: Sunday, 10 April, 2011 08:14
>
> >   I am using the below code snippet and am able to do the encryption.
>
> >   But I need to convert the encrypted format to binary format in order
> > to pass the encrypted key to a different system. Any one pls suggest
> > how to do the same ???
>
> What do you mean encrypted key? There is no encrypted key.
> There is an encrypt*ion* key -- your file publkey.pem --
> which you should already have obtained *from* the recipient.
>
> Do you mean the encrypted *data*, which is implied to be CardPin?
> The output (data) from RSA_public_encrypt is ALREADY binary.
> And it is NOT a null-terminated C string, so
>
> >   sprintf(encpin,
>
> >   "%s",encrypted);
>
> etc is wrong about 99.99% of the time.
>
> Note that most actual systems do not use just encryption;
> they usually need to combine with additional information.
> Perhaps what you need is some ASN.1 structure *containing*
> your data, or an XML structure, etc etc.
>
> Also, your code is hard to read. Frequently people post code
> with too little white space, but yours has far too much.
> In several places you check for an error and print a message,
> but then proceed to use the null pointer anyway; if/when the
> error arises, this will be very wrong. In most cases there is
> additional information that would be helpful in your error
> message(s): errno/strerror for fopen (or other I/O) problems,
> or the OpenSSL error stack (e.g. ERR_print_errors_fp) for openssl.
>
> Finally, you are assuming 256 bytes is enough for the RSA
> encrypted value. If you ever get a publickey over 2048 bits
> this will fail badly. It's safer to make this variable
> if your environment or protocol allows that, or at least
> check that the size of the key provided is not too big.
>
>
>
>
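
Both Dave's reply here and David Schwartz's reply earlier in the thread make the same point about the value RSA_public_encrypt hands back: it is RSA_size(rsa) bytes of raw binary that may contain 0x00 anywhere, so anything that treats it as a C string (sprintf with %s, strlen, strcpy) silently drops everything after the first zero byte, and the output buffer must be sized from RSA_size rather than hard-coded to 256. The C program below is an added example written for this page, not code from the thread or from OpenSSL, and does not link libcrypto: SAMPLE_CT is a constructed byte array standing in for the ciphertext (not real RSA output, which would be 256 bytes for a 2048-bit key), and the function names are chosen here. It shows the truncation, the size check, and one way to carry the bytes over a TCP socket: a length prefix followed by a memcpy of exactly ct_len bytes, with the receiver validating the prefix before it copies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an RSA ciphertext (NOT real RSA output): raw
 * bytes with 0x00 in the middle, exactly the kind of value
 * RSA_public_encrypt returns. A real one is RSA_size(rsa) bytes long. */
static const unsigned char SAMPLE_CT[] = {
    0x5a, 0x00, 0x13, 0xff, 0x00, 0x7e, 0x21, 0x00, 0x9c, 0x4d
};

/* What sprintf("%s") / strcpy actually copy: everything up to the first
 * 0x00 byte. Returns how many bytes survive, so the loss is visible. */
size_t bytes_kept_by_string_copy(const unsigned char *ct, size_t ct_len)
{
    size_t n = 0;
    while (n < ct_len && ct[n] != 0) n++;
    return n;
}

/* The check Dave asks for: the caller's output buffer must hold
 * RSA_size(rsa) bytes. rsa_bytes is what RSA_size() returns. */
int ciphertext_buffer_ok(int rsa_bytes, size_t buf_cap)
{
    return rsa_bytes > 0 && (size_t)rsa_bytes <= buf_cap;
}

/* Frame a binary blob for a socket: 2-byte big-endian length, then the
 * bytes themselves, copied with memcpy and an explicit length rather than
 * any string function. Returns the frame size, or -1 if it does not fit. */
int frame_ciphertext(unsigned char *out, size_t out_cap,
                     const unsigned char *ct, size_t ct_len)
{
    if (ct_len > 0xffff || out_cap < 2 + ct_len) return -1;
    out[0] = (unsigned char)(ct_len >> 8);
    out[1] = (unsigned char)(ct_len & 0xff);
    memcpy(out + 2, ct, ct_len);
    return (int)(2 + ct_len);
}

/* Receiver side: check the length prefix against what actually arrived and
 * against the receiver's own buffer before copying anything. Returns the
 * payload length, or -1 on a short or oversized frame. */
int unframe_ciphertext(const unsigned char *frame, size_t frame_len,
                       unsigned char *ct, size_t ct_cap)
{
    size_t len;
    if (frame_len < 2) return -1;
    len = ((size_t)frame[0] << 8) | frame[1];
    if (frame_len - 2 < len || len > ct_cap) return -1;
    memcpy(ct, frame + 2, len);
    return (int)len;
}

int main(void)
{
    unsigned char frame[2 + sizeof SAMPLE_CT], back[sizeof SAMPLE_CT];
    int n;

    printf("ciphertext is %zu bytes; a %%s copy keeps only %zu\n",
           sizeof SAMPLE_CT, bytes_kept_by_string_copy(SAMPLE_CT, sizeof SAMPLE_CT));
    printf("256-byte buffer ok for a 2048-bit key: %d, for a 4096-bit key: %d\n",
           ciphertext_buffer_ok(256, 256), ciphertext_buffer_ok(512, 256));
    n = frame_ciphertext(frame, sizeof frame, SAMPLE_CT, sizeof SAMPLE_CT);
    n = unframe_ciphertext(frame, (size_t)n, back, sizeof back);
    printf("round trip: %d bytes, intact=%d\n", n,
           n == (int)sizeof SAMPLE_CT && memcmp(back, SAMPLE_CT, sizeof SAMPLE_CT) == 0);
    return 0;
}
```

In the real program the two numbers that matter are the return value of RSA_public_encrypt (the byte count to frame) and RSA_size(rsa) (the buffer to allocate before calling it); neither is ever strlen of the output. The receiver's check on the length prefix is what keeps a malformed or hostile frame from writing past the receive buffer.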