bug report
Hello, I'm trying to install the *openpana* project ( https://sourceforge.net/projects/openpana/) on my ubunto 12.40, which need the openssl library. Although I have installed openssl correctly I keep having this message when I try to configure (./configure) openpana: Error! You need to have ssl or crypto to continue. Check which of these libraries contain the HMAC function in your system and install it to continue root@ubuntu:~/Bureau/openpana-0.2.4# openssl version OpenSSL 1.0.1 14 Mar 2012 Thank you in advance. Regards. Mouad DJEDIDI
Re: bug report
2013/3/13 Mouad Djedidi mouad.djed...@gmail.com: Hello, I'm trying to install the openpana project (https://sourceforge.net/projects/openpana/) on my ubunto 12.40, which need the openssl library. Although I have installed openssl correctly I keep having this message when I try to configure (./configure) openpana: Error! You need to have ssl or crypto to continue. Check which of these libraries contain the HMAC function in your system and install it to continue root@ubuntu:~/Bureau/openpana-0.2.4# openssl version OpenSSL 1.0.1 14 Mar 2012 Thank you in advance. Regards. Mouad DJEDID sudo apt-get install libssl-dev should resolve your issue. Eero __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl
I am not sure whether this mail even reached to the openssl-users Regards, Azhar On Thu, Mar 14, 2013 at 11:01 AM, azhar jodatti azhar...@gmail.com wrote: Is this the right place to ask ? Please suggest -- Forwarded message -- From: azhar jodatti azhar...@gmail.com Date: Mar 13, 2013 11:14 PM Subject: Diffie algorithm in openssl To: openssl-users@openssl.org Cc: I am very much new to openssl and trying to explore... I was trying to implement the diffie Hellman algorithm in Java which makes use of JCF and as well as in c with openssl... I am able to get this work in respective languages I.e Java - Java and C-C works fine . Generates the DH parameters and other stuffs quit well. Since my server is in Java and client is in C, I was trying to use openssl generated keys with Java as other part of component which is not working at all. Java keeps giving me invalid key specification exception... Any help would be really appriciated... its eating my head since couple of days... Regards, Azhar
Re: bug report
hi, you should check the .so or .a libraries with : a) nm lib name | grep HMAC b) ar -l lib name | grep HMAC Bye On Wed, Mar 13, 2013 at 8:27 PM, Mouad Djedidi mouad.djed...@gmail.comwrote: Hello, I'm trying to install the *openpana* project ( https://sourceforge.net/projects/openpana/) on my ubunto 12.40, which need the openssl library. Although I have installed openssl correctly I keep having this message when I try to configure (./configure) openpana: Error! You need to have ssl or crypto to continue. Check which of these libraries contain the HMAC function in your system and install it to continue root@ubuntu:~/Bureau/openpana-0.2.4# openssl version OpenSSL 1.0.1 14 Mar 2012 Thank you in advance. Regards. Mouad DJEDIDI -- *Domenico Pucci* *Senior IT Software Architect* *+39 335 5824667* * *
having a lot of troubles trying to get AES-NI working
So this is a partial continuation from the discussion thread that I started yesterday in regards to using AES-CBC. I've got an Intel Core i7 3930K that supports AES-NI and I spent the greater part of last night trying to get openssl to work or at least recognize it, but it doesn't seem to want to do that. I've tried with Cygwin 1.5-something (I forget) and the latest cygwin (tried upgrading just the openssl package - didn't work; so I ended up uninstalling my old cygwin; installing the new and it still didn't work.) I've also tried Ubuntu 12.04 LTS and Ubuntu 12.10 (and it said that it downloaded the update to it and applied it, but it still didn't work for either). I've even tried redownloading the source from www.openssl.org/source (taking it up to 1.0.1e) and that also still didn't work. (i.e. didn't work means that when I type openssl engine - the aesni doesn't show up as an option). I then tried to modify the initramfs config file to add aes_ni and then running and update-initramfs; and that didn't work either. All of the probing that I tried to do showed that the AES-NI kernel module wasn't loaded (but - for example in Solaris 11 that I've got running in a VM; when I type openssl engine; it will show (aesni) AES-NI engine (no aesni)); which leads me to think that on the Linux side, something similiar should happen (that openssl aesni engine should still be available but then there'd be a comment if the AES-NI kernel module wasn't loaded). And now I am trying to install Solaris 11 on the host system itself and it's having it's own set of issues (hardware compatibility; which I might have to set up a PXE boot server so that I can patch in/update drivers for the Solaris 11 install - but that's a different story for some other list). And I also tried SuSE Linux Enterprise Server 11 SP1 (I think) - same thing. cat /proc/cpuinfo shows that aes is available. cat /proc/crypto does not. And people (via more googling) have said that they can load kernel modules post-boot, but I don't know how to do that either. Any help on any recommended OS would be greatly appreciated. (It doesn't matter so much to me which OS is used so long as the openssl using the aesni engine works.) Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssl-user - UTF8 characters in configuration file
I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields. string_mask = utf8only prompt = no [ req ] default_bits= 2048 default_keyfile = /opt/rasmussjCa/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = UTF8STRING:Root stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc When I use commonName = UTF8STRING:Root, I am getting a format=PRINTABLESTRING containing the UTF8STRING:Root value 45:d=5 hl=2 l= 3 prim: OBJECT:commonName 50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8STRING:Root Not a UTF8STRING format as I'm expecting such as this ... 108:d=5 hl=2 l= 3 prim: OBJECT:commonName 113:d=5 hl=2 l= 23 prim: UTF8STRING:XX In addition to string_mask = utf8, I've also tried the -utf8 option on the req with the same results: openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM +++ In addition when I try to assign a policy root_commonName to the commonName field commonName = root_commonName stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc [ root_commonName ] commonName = UTF8STRING:Root I am am just getting the root_commonName policy assigned to the field rather than the UTF8STRING:Root value assigned within the policy 174:d=5 hl=2 l= 3 prim: OBJECT:commonName 179:d=5 hl=2 l= 15 prim: T61STRING :root_commonName Any comments are greatly appreciated. Thanks John
Re: openssl-user - UTF8 characters in configuration file
Hello John, I had the same problem; the solution is just: UTF8String or UTF8 and not UTF8STRING Walter On 14.03.2013 17:06, rasmu...@us.ibm.com wrote: I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields. string_mask = utf8only prompt = no [ req ] default_bits= 2048 default_keyfile = /opt/rasmussjCa/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = UTF8STRING:Root stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc When I use commonName = UTF8STRING:Root, I am getting a format=PRINTABLESTRING containing the UTF8STRING:Root value 45:d=5 hl=2 l= 3 prim: OBJECT:commonName 50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8STRING:Root Not a UTF8STRING format as I'm expecting such as this ... 108:d=5 hl=2 l= 3 prim: OBJECT:commonName 113:d=5 hl=2 l= 23 prim: UTF8STRING:XX In addition to string_mask = utf8, I've also tried the -utf8 option on the req with the same results: openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM +++ In addition when I try to assign a policy root_commonName to the commonName field commonName = root_commonName stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc [ root_commonName ] commonName = UTF8STRING:Root I am am just getting the root_commonName policy assigned to the field rather than the UTF8STRING:Root value assigned within the policy 174:d=5 hl=2 l= 3 prim: OBJECT:commonName 179:d=5 hl=2 l= 15 prim: T61STRING :root_commonName Any comments are greatly appreciated. Thanks John smime.p7s Description: S/MIME Cryptographic Signature
Re: having a lot of troubles trying to get AES-NI working
But even if it isn't enabled in the BIOS, shouldn't the output be something like this when you probe it (even if it isn't available or enabled in BIOS, but openssl itself supports it)? $ openssl engine (aesni) Intel AES-NI engine (no-aesni) (dynamic) Dynamic engine loading support (I haven't been able to find the option in the BIOS, so I'm going to have to send a support request to ASUS about that or maybe try and see if I can find another tool to see whether it's there; and whether or not it's active or not - again, different questions for different points). On Thu, Mar 14, 2013 at 11:28 AM, Matthew Hall mh...@mhcomputing.net wrote: In many cases you have to explicitly enable it in the BIOS first before it will work right. -- Sent from my mobile device. Ewen Chan chan.e...@gmail.com wrote: So this is a partial continuation from the discussion thread that I started yesterday in regards to using AES-CBC. I've got an Intel Core i7 3930K that supports AES-NI and I spent the greater part of last night trying to get openssl to work or at least recognize it, but it doesn't seem to want to do that. I've tried with Cygwin 1.5-something (I forget) and the latest cygwin (tried upgrading just the openssl package - didn't work; so I ended up uninstalling my old cygwin; installing the new and it still didn't work.) I've also tried Ubuntu 12.04 LTS and Ubuntu 12.10 (and it said that it downloaded the update to it and applied it, but it still didn't work for either). I've even tried redownloading the source from www.openssl.org/source (taking it up to 1.0.1e) and that also still didn't work. (i.e. didn't work means that when I type openssl engine - the aesni doesn't show up as an option). I then tried to modify the initramfs config file to add aes_ni and then running and update-initramfs; and that didn't work either. All of the probing that I tried to do showed that the AES-NI kernel module wasn't loaded (but - for example in Solaris 11 that I've got running in a VM; when I type openssl engine; it will show (aesni) AES-NI engine (no aesni)); which leads me to think that on the Linux side, something similiar should happen (that openssl aesni engine should still be available but then there'd be a comment if the AES-NI kernel module wasn't loaded). And now I am trying to install Solaris 11 on the host system itself and it's having it's own set of issues (hardware compatibility; which I might have to set up a PXE boot server so that I can patch in/update drivers for the Solaris 11 install - but that's a different story for some other list). And I also tried SuSE Linux Enterprise Server 11 SP1 (I think) - same thing. cat /proc/cpuinfo shows that aes is available. cat /proc/crypto does not. And people (via more googling) have said that they can load kernel modules post-boot, but I don't know how to do that either. Any help on any recommended OS would be greatly appreciated. (It doesn't matter so much to me which OS is used so long as the openssl using the aesni engine works.) Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-user - UTF8 characters in configuration file
Hi Walter, Thanks for that, but I have tried those options also, I must be missing something else? commonName = UTF8String:Root 45:d=5 hl=2 l= 3 prim: OBJECT:commonName 50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8String:Root commonName = UTF8:Root 168:d=5 hl=2 l= 3 prim: OBJECT:commonName 173:d=5 hl=2 l= 9 prim: PRINTABLESTRING :UTF8:Root From: Walter H. walte...@mathemainzel.info To: openssl-users@openssl.org, Cc: rasmu...@us.ibm.com Date: 03/14/2013 12:32 PM Subject:Re: openssl-user - UTF8 characters in configuration file Sent by:owner-openssl-us...@openssl.org Hello John, I had the same problem; the solution is just: UTF8String or UTF8 and not UTF8STRING Walter On 14.03.2013 17:06, rasmu...@us.ibm.com wrote: I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields. string_mask = utf8only prompt = no [ req ] default_bits= 2048 default_keyfile = /opt/rasmussjCa/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = UTF8STRING:Root stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc When I use commonName = UTF8STRING:Root, I am getting a format=PRINTABLESTRING containing the UTF8STRING:Root value 45:d=5 hl=2 l= 3 prim: OBJECT:commonName 50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8STRING:Root Not a UTF8STRING format as I'm expecting such as this ... 108:d=5 hl=2 l= 3 prim: OBJECT:commonName 113:d=5 hl=2 l= 23 prim: UTF8STRING:XX In addition to string_mask = utf8, I've also tried the -utf8 option on the req with the same results: openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM +++ In addition when I try to assign a policy root_commonName to the commonName field commonName = root_commonName stateOrProvinceName = MA countryName = US emailAddress= r...@abc.com organizationName= abc [ root_commonName ] commonName = UTF8STRING:Root I am am just getting the root_commonName policy assigned to the field rather than the UTF8STRING:Root value assigned within the policy 174:d=5 hl=2 l= 3 prim: OBJECT:commonName 179:d=5 hl=2 l= 15 prim: T61STRING :root_commonName Any comments are greatly appreciated. Thanks John
RE: openssl-user - UTF8 characters in configuration file
Hi John! Looking at apps/req.c, it seems you want to use the -utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier. -- Principal Security Engineer Akamai Technology Cambridge, MA
[no subject]
I’m trying to understand some code someone wrote as a wrapper for the openssl library / tool, with a view to updating it. I'm completely new to openssl and PKI in general. I found the following docs / references to help navigate but I wasn't able to find answer to my question. http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html http://www.madboa.com/geek/openssl/ But I wasn't able to find the answer to my question. *GOAL* What I need to accomplish is to modify some code so that duplicate certs with the same common name and email addresses CANNOT be created if the cert is still active. I am planning on checking the index.txt to see if a cert with the same common name exists, and if it hasn't been revoked, I'll prevent user from creating it again. *Problem:* When I create a certificate using this webtool, I see that the index.txt file in /etc/ssl/ is updated with a record starting with a V. When I revoke a certificated, the V is changed to R. However, when I delete a certificate, nothing is updated in the index.txt file. The record remains the same -it's not updated with a new status, nor is it deleted from the file. *QUESTIONS* Is it a bug that the openssl index.txt file is not updated when a cert is deleted? If it is, what is the command to update the index.txt to remove a cert? Maybe the wrapper is where the problem is ... the developer may have just forgotten to run a command line tool to update in index.txt file? I guess I just don't know how openssl is supposed to handle a cert deletion and therefore, i can't tell if i have a bug or not... and who's bug it is. Is there a way using the openssl toolset to check for duplicate certs so that I don't have to manually check index.txt? Thanks for the help.
Problems creating csr with openssl/ pkcs11
Hi all I trying to create a csr (in a c program) that uses a hardware private public key and I am accessing this token by pkcs11. However, the csr is always invalid, with the following message: $ openssl req -verify -in wltx.csr verify failure 1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- The code I wrote looks as follows: int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key, CK_OBJECT_HANDLE public_key) { CK_RV rv; unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; EVP_MD *md = EVP_sha1(); rsa = p11_key_rsa(public_key); if (!rsa) { return -1; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); X509_REQ_set_pubkey(req, pkey); inl=i2d_X509_REQ_INFO(req-req_info,NULL); buf_in=(unsigned char *)malloc(inl); p = buf_in; i2d_X509_REQ_INFO(req-req_info,buf_in); outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, private_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } rv = p11-C_VerifyInit(session,sign_mechanism,public_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Verify(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } req-signature-data=buf_out; req-signature-length=outl; req-sig_alg-algorithm = OBJ_nid2obj(md-pkey_type); free(buf_in); return 0; } The function returns ok, the csr can be viewe, but fails upon verificatio, as mentioned. Has anybody any idea what I'm doing wrong? King regards Tim -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Problems creating csr with openssl/ pkcs11
Hi all I trying to create a csr (in a c program) that uses a hardware private public key and I am accessing this token by pkcs11. However, the csr is always invalid, with the following message: $ openssl req -verify -in wltx.csr verify failure 1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- The code I wrote looks as follows: int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key, CK_OBJECT_HANDLE public_key) { CK_RV rv; unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; EVP_MD *md = EVP_sha1(); rsa = p11_key_rsa(public_key); if (!rsa) { return -1; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); X509_REQ_set_pubkey(req, pkey); inl=i2d_X509_REQ_INFO(req-req_info,NULL); buf_in=(unsigned char *)malloc(inl); p = buf_in; i2d_X509_REQ_INFO(req-req_info,buf_in); outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, private_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } rv = p11-C_VerifyInit(session,sign_mechanism,public_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Verify(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } req-signature-data=buf_out; req-signature-length=outl; req-sig_alg-algorithm = OBJ_nid2obj(md-pkey_type); free(buf_in); return 0; } The function returns ok, the csr can be viewe, but fails upon verificatio, as mentioned. Has anybody any idea what I'm doing wrong? King regards Tim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: openssl-user - UTF8 characters in configuration file
Hi Rich! Glad to hear from you and hope all is well! Thanks for the tip, but I haven't cracked this nut yet. I've tried several permutations of: - the UTF8 flag on req - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM - the no UTF8 flag on req - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -outform PEM - the utf8 = yes in [ req ] - the string_mask = utf8only - and visa versa I'd been using ASCII characters (still valid UTF), so I thought I'd use proper UTF and thus: commonName = Róót Which looks good in HEX (C3B3) = o with accent 5c0: 696f 6e73 0d0a 0d0a 5b20 726f 6f74 5f63 ions[ root_c 5d0: 615f 6469 7374 696e 6775 6973 6865 645f a_distinguished_ 5e0: 6e61 6d65 205d 0d0a 0d0a 636f 6d6d 6f6e name ]common 5f0: 4e61 6d65 2020 2020 2020 2020 2020 2020 Name 600: 2020 3d20 52c3 b3c3 b374 0d0a 7374 6174= Rt..stat 610: 654f 7250 726f 7669 6e63 654e 616d 6520 eOrProvinceName 620: 2020 2020 3d20 4d41 0d0a 636f 756e 7472 = MA..countr 630: 794e 616d 6520 2020 2020 2020 2020 2020 yName I also tried - commonName = UTF8:Róót - commonName = UTF8STRING:Róót - commonName = UTF8String:Róót And all seem to yield: 163:d=5 hl=2 l= 3 prim: OBJECT:commonName 168:d=5 hl=2 l= 4 prim: T61STRING :R▒▒t Which is a change from PRINTABLESTRING anyway. Still hoping to get this working. Cheers John From: Salz, Rich rs...@akamai.com To: openssl-users@openssl.org openssl-users@openssl.org, Cc: owner-openssl-us...@openssl.org owner-openssl-us...@openssl.org Date: 03/14/2013 12:53 PM Subject:RE: openssl-user - UTF8 characters in configuration file Sent by:owner-openssl-us...@openssl.org Hi John! Looking at apps/req.c, it seems you want to use the –utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier. -- Principal Security Engineer Akamai Technology Cambridge, MA
RE: Static and Dynamic Locking Functions
Gordon, Just quick question for you, have you seen any dynamic mutex lock been created while your openssl application is running? I implemented both static and dynamic locking mechanism in my application. I can see that there are a total of 41 static mutex locks been created during initialization but I haven't seen any dynamic mutex lock been created and invoked by openssl functions. Thanks Bob From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Le Huang Sent: Wednesday, March 13, 2013 8:21 PM To: openssl-users@openssl.org Subject: Re: Static and Dynamic Locking Functions Gordon, Not sure how your question relates OpenSSL, but in general, thread id is not a unique identifier for locks. On Thu, Mar 14, 2013 at 3:40 AM, Betsy Gordon bgor...@companioncorp.commailto:bgor...@companioncorp.com wrote: Hello, I have implemented static and dynamic locking functions but have a lingering question. It is not clear to me whether the same thread would ever create more than one lock before previous locks created by that thread had been destroyed. In other words, is the thread id intended to be the unique identifier for locks? Thank you, B. Gordon __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.orgmailto:openssl-users@openssl.org Automated List Manager majord...@openssl.orgmailto:majord...@openssl.org -- Regards, Huang Le (Eric, Alibaba DevOps) Email: 4tarhl AT gmail.comhttp://gmail.com, le.hl AT alibaba-inc.comhttp://alibaba-inc.com
Re: Static and Dynamic Locking Functions
Bob, I have never seen dynamic locks being created, only static ones. I have added dynamic locks because the documentation says that I'll avoid trouble in the future by doing it now. I only added them recently and had been running without them for years with no problems reported. I have been trying to track down a problem and wanted to eliminate the possibility that the locks were contributing to the error. I have convinced myself that the mutex's are being created properly but still haven't solved my problem. Betsy On Mar 14, 2013, at 3:04 PM, Yan, Bob wrote: Gordon, Just quick question for you, have you seen any dynamic mutex lock been created while your openssl application is running? I implemented both static and dynamic locking mechanism in my application. I can see that there are a total of 41 static mutex locks been created during initialization but I haven’t seen any dynamic mutex lock been created and invoked by openssl functions. Thanks Bob From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Le Huang Sent: Wednesday, March 13, 2013 8:21 PM To: openssl-users@openssl.org Subject: Re: Static and Dynamic Locking Functions Gordon, Not sure how your question relates OpenSSL, but in general, thread id is not a unique identifier for locks. On Thu, Mar 14, 2013 at 3:40 AM, Betsy Gordon bgor...@companioncorp.com wrote: Hello, I have implemented static and dynamic locking functions but have a lingering question. It is not clear to me whether the same thread would ever create more than one lock before previous locks created by that thread had been destroyed. In other words, is the thread id intended to be the unique identifier for locks? Thank you, B. Gordon __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Regards, Huang Le (Eric, Alibaba DevOps) Email: 4tarhl AT gmail.com, le.hl AT alibaba-inc.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: having a lot of troubles trying to get AES-NI working
On Thu, Mar 14, 2013, Ewen Chan wrote: So this is a partial continuation from the discussion thread that I started yesterday in regards to using AES-CBC. I've got an Intel Core i7 3930K that supports AES-NI and I spent the greater part of last night trying to get openssl to work or at least recognize it, but it doesn't seem to want to do that. It it probably recognising it and you don't realise it. OpenSSL 1.0.1 automatically switches to AES-NI at the EVP level without going through an explicit AES-NI ENGINE. You can disable AES-NI detection with the environment variable: OPENSSL_ia32cap=~0x202 You should see a considerable speed up with openssl speed by comparing the two. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: having a lot of troubles trying to get AES-NI working
Does it matter whether it's ia32 or ia64 even for an x64 processor? Shouldn't there be some way for me to check whether AES is enabled or being used (other than running a speed test) either in dmesg or /proc/ or with openssl itself? I'm a little confused, and surprised/shocked that there isn't a way to probe the status of whether the AES-NI is a) present and b) enabled/utilized. re: OPENSSL_ia32cap=~0x202 so forgive me for asking lots of dumb questions but that would be $ set OPENSSL_ia32cap=~0x202 $ export OPENSSL_ia32cap correct? And how do I re-enable it without having to reboot the system? What's the value that I should be putting in on the right-hand-side of the equal sign? Your help is much appreciated. Sincerely, Ewen On Thu, Mar 14, 2013 at 7:35 PM, Dr. Stephen Henson st...@openssl.org wrote: On Thu, Mar 14, 2013, Ewen Chan wrote: So this is a partial continuation from the discussion thread that I started yesterday in regards to using AES-CBC. I've got an Intel Core i7 3930K that supports AES-NI and I spent the greater part of last night trying to get openssl to work or at least recognize it, but it doesn't seem to want to do that. It it probably recognising it and you don't realise it. OpenSSL 1.0.1 automatically switches to AES-NI at the EVP level without going through an explicit AES-NI ENGINE. You can disable AES-NI detection with the environment variable: OPENSSL_ia32cap=~0x202 You should see a considerable speed up with openssl speed by comparing the two. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
using multiple keys
If I have a directory and it has 10 files and I have 10 separate keys such that key1 is for file1 and key2 is for file2 (etc.); is there a way to automate the encryption process like that? Or do I have to run each of the commands separate and instead of having 10 separate keys in a single keyfile in a list format; that I would need to split them out into individual keyfiles (e.g. keyfile1, keyfile2, etc.) and then run the encryption individually (rather than launching a single encryption job that will process all 10 files with all 10 keys listed in one keyfile)? (I hope that this makes sense and that people are kinda getting what I'm asking here.) Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org