Re: AES-256 using CTR mode.
No, as far as I know, there is no support for OCB. For the documentation on which modes are supported check evp.h!!! :-) Matt On 16 January 2013 02:57, Rohit Bansal banr...@gmail.com wrote: Thanks Matt. On that note, do we have support for OCB mode in openssl. Where can i find the documentation for all the modes supported by openssl?? Regards, Rohit Bansal On Mon, Jan 14, 2013 at 1:16 PM, Matt Caswell fr...@baggins.org wrote: The EVP API is documented here: https://www.openssl.org/docs/crypto/EVP_EncryptInit.html# There is some example code there too. It doesn't use AES or CTR, but the principle is the same. Just replace EVP_bf_cbc() with EVP_aes_256_ctr(), and ensure you use an appropriately sized key and IV. Matt On 14 January 2013 20:44, Rohit Bansal banr...@gmail.com wrote: Thanks Matt. Is there a sample code i can look into? In my case the key is unique across different messages, so having same IV across messages should not lead me into problem Thanks, Rohit Bansal On Mon, Jan 14, 2013 at 12:22 PM, Matt Caswell fr...@baggins.orgwrote: Yes, you can use CTR mode for AES-256: use the EVP interface with the EVP_CIPHER of EVP_aes_256_ctr(). However it is a fundamental requirement of CTR mode that the IV must be unique across messages. If you reuse the IV then your messages can be broken quite trivially. Therefore, if by a fixed IV, you mean that it is fixed across multiple messages then CTR mode is not suitable for you. Matt On 14 January 2013 19:25, Rohit Bansal banr...@gmail.com wrote: Hi, Can somebody help me if CTR mode is supported in openssl for AES-256 encryption? I dont want to use CBC and i have a fixed IV. Thanks, Rohit -- Rohit Bansal -- Rohit Bansal
Re: How to remove certificate from X509_STORE?
Thanks Dave, I tried with the 2nd option. But people here didn't agree so finally went ahead with the 3rd option. Thanks for soln. Sri On Fri, Jan 11, 2013 at 3:25 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar Sent: Tuesday, 08 January, 2013 08:34 X509_STORE_add_cert() would add a certificate to the list of trusted certificates in the ctx. What is the way to remove a certificate from this trusted store? Am not finding any function to remove the certificate. Can anyone of you suggest a way to remove the certificate from this trusted store? Or is there a way to make a already loaded certificate an untrusted one? I presume you mean an SSL_CTX and certs trusted for SSL authentication. (OpenSSL can use, and trust, certs for other purposes.) 1. An X509 object representing a cert in OpenSSL has an associated aux field of OpenSSL-added data including (optionally?) some trust settings. There are too many twisty passages for me to track down exactly what values can be in here, and what if any does what you want. 2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see any official API, but you could just grab x-objs and sk_*_delete from it. You probably need to do downref/free to avoid a leak, and to do locking if your program(s) will or might use this while multithreading. 3. If you want an official if clumsy way, create a new X509_STORE, initialize and fill it with everything from the existing one except the cert(s) you want to omit, and then use it. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
id-smime-aa-signingCertificate - attribute definition
Hello, I'm not able to find RFC, where is defined this attribute. An example in Time Stamp Reply looks like that: - 523:d=7 hl=3 l= 179 cons: SEQUENCE 526:d=8 hl=2 l= 11 prim: OBJECT:id-smime-aa-signingCertificate 539:d=8 hl=3 l= 163 cons: SET 542:d=9 hl=3 l= 160 cons: SEQUENCE 545:d=10 hl=3 l= 157 cons: SEQUENCE 548:d=11 hl=3 l= 130 cons: SEQUENCE 551:d=12 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:1225953CB6C14917FC38188AA1326B5E476412D7 573:d=12 hl=2 l= 106 cons: SEQUENCE 575:d=13 hl=2 l= 99 cons: SEQUENCE 577:d=14 hl=2 l= 97 cons: cont [ 4 ] 579:d=15 hl=2 l= 95 cons: SEQUENCE 581:d=16 hl=2 l= 11 cons: SET 583:d=17 hl=2 l= 9 cons: SEQUENCE 585:d=18 hl=2 l= 3 prim: OBJECT:countryName 590:d=18 hl=2 l= 2 prim: PRINTABLESTRING :CZ 594:d=16 hl=2 l= 44 cons: SET 596:d=17 hl=2 l= 42 cons: SEQUENCE 598:d=18 hl=2 l= 3 prim: OBJECT:organizationName 603:d=18 hl=2 l= 35 prim: UTF8STRING:Česká pošta, s.p. [IČ 47114983] 640:d=16 hl=2 l= 34 cons: SET 642:d=17 hl=2 l= 32 cons: SEQUENCE 644:d=18 hl=2 l= 3 prim: OBJECT:commonName 649:d=18 hl=2 l= 25 prim: PRINTABLESTRING :PostSignum Qualified CA 2 676:d=13 hl=2 l= 3 prim: INTEGER :14C0B3 681:d=11 hl=2 l= 22 cons: SEQUENCE 683:d=12 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:3484C2150114E2C34964A34EC50AFDEECF67A109 - As you can see - this type of object is SET - not SEQUENCE. in RFC2634 [Page 47] is defined : SigningCertificate ::= SEQUENCE { certsSEQUENCE OF ESSCertID, policies SEQUENCE OF PolicyInformation OPTIONAL } ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial IssuerSerial OPTIONAL } = as you can see, the id-smime-aa-signingCertificate type of attribute seems to be SET (OF) SigningCertificate. I really need to find definition - syntax and SEMANTIC of this attribute (defined as SET). --kapetr __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Building OpenSSL for EFI
Hello list, I would like (need) to get OpenSSL working in the EFI (Extensible Firmware Interface) environment (a pre-boot environment). I am able to setup a TCP connection from the EFI environment to the outside world using the Tianocore EFI Toolkit - this toolkit provides a BSD like API for sockets together with LibC. The EFI development environment is essentially the Visual Studio X64 compiler (on Windows) and I could do with a steer, if anyone has an inkling, on whether it's possible to build OpenSSL for this platform and if so where should I start? How do I configure OpenSSL etc? If I've asked this question in the wrong forum then apologies, if not then all help is welcome. Regards, Paul This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed. Any view or opinions presented are solely those of the author and do not necessarily represent those of ViaSat. If you have received this Email in error please contact the sender by return and confirm that its contents have been destroyed without further distribution or disclosure. Please email ad...@viasat.uk.commailto:ad...@viasat.uk.com with any questions relating to this disclaimer. ViaSat has Registered Offices at Sandford Lane, Wareham, Dorset BH20 4DY. The company is registered in England and Wales under no: 3007498.
Re: id-smime-aa-signingCertificate - attribute definition
I'm sorry - I was blind ?! :-/ The both ESSCertIDs are in same Signing Certificate entity. But -I'm still interesting to find RFC with def of id-smime-aa-signingCertificate attribute type. Thanks. - PŮVODNÍ ZPRÁVA - Od: kapetr kap...@mizera.cz Komu: openssl-users@openssl.org Předmět: id-smime-aa-signingCertificate - attribute definition Datum: 16.1.2013 - 10:44:27 Hello, I'm not able to find RFC, where is defined this attribute. An example in Time Stamp Reply looks like that: - 523:d=7 hl=3 l= 179 cons: SEQUENCE 526:d=8 hl=2 l= 11 prim: OBJECT:id-smime-aa-signingCertificate 539:d=8 hl=3 l= 163 cons: SET 542:d=9 hl=3 l= 160 cons: SEQUENCE 545:d=10 hl=3 l= 157 cons: SEQUENCE 548:d=11 hl=3 l= 130 cons: SEQUENCE 551:d=12 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:1225953CB6C14917FC38188AA1326B5E476412D7 573:d=12 hl=2 l= 106 cons: SEQUENCE 575:d=13 hl=2 l= 99 cons: SEQUENCE 577:d=14 hl=2 l= 97 cons: cont [ 4 ] 579:d=15 hl=2 l= 95 cons: SEQUENCE 581:d=16 hl=2 l= 11 cons: SET 583:d=17 hl=2 l= 9 cons: SEQUENCE 585:d=18 hl=2 l= 3 prim: OBJECT:countryName 590:d=18 hl=2 l= 2 prim: PRINTABLESTRING :CZ 594:d=16 hl=2 l= 44 cons: SET 596:d=17 hl=2 l= 42 cons: SEQUENCE 598:d=18 hl=2 l= 3 prim: OBJECT:organizationName 603:d=18 hl=2 l= 35 prim: UTF8STRING:Česká pošta, s.p. [IČ 47114983] 640:d=16 hl=2 l= 34 cons: SET 642:d=17 hl=2 l= 32 cons: SEQUENCE 644:d=18 hl=2 l= 3 prim: OBJECT:commonName 649:d=18 hl=2 l= 25 prim: PRINTABLESTRING :PostSignum Qualified CA 2 676:d=13 hl=2 l= 3 prim: INTEGER :14C0B3 681:d=11 hl=2 l= 22 cons: SEQUENCE 683:d=12 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:3484C2150114E2C34964A34EC50AFDEECF67A109 - As you can see - this type of object is SET - not SEQUENCE. in RFC2634 [Page 47] is defined : SigningCertificate ::= SEQUENCE { certsSEQUENCE OF ESSCertID, policies SEQUENCE OF PolicyInformation OPTIONAL } ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial IssuerSerial OPTIONAL } = as you can see, the id-smime-aa-signingCertificate type of attribute seems to be SET (OF) SigningCertificate. I really need to find definition - syntax and SEMANTIC of this attribute (defined as SET). --kapetr __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Web site: Send to Majordomo broken
On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script. -- Bruce Cran __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Web site: Send to Majordomo broken
It appears that the web site went through a few changes recently and some aren't working quite right yet. Another case is on the FIPS page (http://www.openssl.org/docs/fips/) the link for the User Guide is also broken. Thanks, Lester -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bruce Cran Sent: Wednesday, January 16, 2013 7:02 AM To: openssl-users@openssl.org Subject: Web site: Send to Majordomo broken On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script. -- Bruce Cran __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Web site: Send to Majordomo broken
On Wed, Jan 16, 2013 at 9:02 AM, Bruce Cran br...@cran.org.uk wrote: On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script. It also looks like its injectable: $query_string = $ENV{'QUERY_STRING'}; Shouldn't that be escaped for good measure? Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Web site: Send to Majordomo broken
On 01/16/2013 03:29 PM, Memmott, Lester wrote: It appears that the web site went through a few changes recently and some aren't working quite right yet. Another case is on the FIPS page (http://www.openssl.org/docs/fips/) the link for the User Guide is also broken. Thanks, Lester -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bruce Cran Sent: Wednesday, January 16, 2013 7:02 AM To: openssl-users@openssl.org Subject: Web site: Send to Majordomo broken On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script. -- Thanks for your update. I have fixed the links. Best regards, Lutz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
After adding GOST engine, ssh stop work
Hi all! I have problem. After adding to openssl.cnf following lines: openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] gost = gost_section [gost_section] engine_id = gost dynamic_path = /usr/lib64/openssl/engines/libgost.so default_algorithms = ALL CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet I couldn't able to connect to server via ssh $ ssh -v dev@10.10.4.178 OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 50: Applying options for * debug1: Connecting to 10.10.4.178 [10.10.4.178] port 22. debug1: Connection established. debug1: identity file /home/mikhail/.ssh/id_rsa type -1 debug1: identity file /home/mikhail/.ssh/id_rsa-cert type -1 debug1: identity file /home/mikhail/.ssh/id_dsa type -1 debug1: identity file /home/mikhail/.ssh/id_dsa-cert type -1 ssh_exchange_identification: Connection closed by remote host -- Best Regards, Mike Gavrilov. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Web site: Send to Majordomo broken
On Wed, Jan 16, 2013 at 02:02:23PM +, Bruce Cran wrote: On http://www.openssl.org/support/community.html the mailing list subscription feature is broken - clicking Send to Majordomo just displays the majordomo.cgi script. -- Bruce Cran __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Hello World, I was going to email the list to let you know about this and when I've entered the mail I saw your email Bruce. I can double this: Send to Majordomo is broken. Valentin Bud __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
X.509 certificates in OpenSSL FIPS 2.0
Hi We are using X.509 certificates in our product and are newly moving to OpenSSL FIPS 2.0 from previous versions. I see issues in calling the previous X.509 APIs in this version. The directory crypto/x509 not there in OpenSSSL 2.0. Can someone please tell me how I could use x509 certificates with OpenSSL 2.0. Also, please note that I am a OpenSSL newbie. Hence, would be great if you can point me to some documentation. Thanks Rahul