Openssl 1.0.1x build using VS 2012
Hi,

Even though I'm successful in getting OpenSSL to build using VS 2012, I'm getting the following error message:

OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

while trying to 'load' libeay32.dll. The problem is solved if we use another libeay32.dll which is built using VS 2005. Except for this, all other development & usage environments are totally the same. Does anybody have any clue on this?

Thanks,
Pravesh
Re: Add SubjAltName to openssl command line?
On Thu, Aug 29, 2013 at 04:38:17PM -0700, Erich Weiler wrote:

> I was wondering if there was also a way to quickly create a certificate and
> key file in a similar fashion while also designating SubjAltName options on
> the openssl command line?

The bash script below uses inline command file descriptors, <(command), to dynamically construct an ephemeral openssl config file. It is a bit rough, since e.g. any non-ecdsa algorithm is assumed to be RSA, and the ECDSA curve is hard-coded, ... Still, you get the idea.

The output file has correct permissions courtesy of mktemp(1). Otherwise, you need to tweak the umask, since openssl's "-out" option does not disable world/group read on the output file even when saving private keys.

-- 
Viktor.

    #! /bin/bash
    # usage: fqdn out.pem [pkeyalg]
    # GNU mktemp requires at least three X's in the template.
    case $3 in
    ecdsa)
        tmp=$(mktemp "$2.XXXXXX")
        openssl req -sha256 -new 2>/dev/null \
            -config <(printf "[req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
                "distinguished_name = dn" \
                "x509_extensions = exts" \
                "$(printf "%s\n%s\n%s\n%s\n%s" \
                    "basicConstraints= CA:false" \
                    "extendedKeyUsage= serverAuth, clientAuth" \
                    "subjectKeyIdentifier= hash" \
                    "authorityKeyIdentifier = keyid:always" \
                    "subjectAltName=@alts")" \
                "DNS=$1") \
            -newkey param:<(openssl ecparam -name prime256v1) \
            -keyout /dev/stdout -nodes \
            -x509 -set_serial 1 -days 0 -subj "/" >> "$tmp" && mv "$tmp" "$2"
        ;;
    *)
        tmp=$(mktemp "$2.XXXXXX")
        openssl req -sha256 -new 2>/dev/null \
            -config <(printf "[req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
                "distinguished_name = dn" \
                "x509_extensions = exts" \
                "$(printf "%s\n%s\n%s\n%s\n%s" \
                    "basicConstraints= CA:false" \
                    "extendedKeyUsage= serverAuth, clientAuth" \
                    "subjectKeyIdentifier= hash" \
                    "authorityKeyIdentifier = keyid:always" \
                    "subjectAltName=@alts")" \
                "DNS=$1") \
            -newkey rsa:2048 \
            -keyout /dev/stdout -nodes \
            -x509 -set_serial 1 -days 0 -subj "/" >> "$tmp" && mv "$tmp" "$2"
        ;;
    esac

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: Add SubjAltName to openssl command line?
You can use the $ENV:xxx construct. It's a bit of a hack, but you only need one config file and change the env var each time...

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
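The single-config approach Rich points at, as an added example that is not his code: OpenSSL's config parser expands `$ENV::NAME` from the process environment, so one file serves every certificate and only the SAN variable changes per run. The `san_config` and `make_cert` helper names and the `.key`/`.crt` output layout are this example's own choices.

```bash
#!/bin/bash
# Added example: one reusable openssl config whose subjectAltName is read
# from the environment variable SAN at openssl run time via $ENV::SAN.

# Emit the config. The single-quoted heredoc keeps $ENV::SAN literal so it
# reaches openssl's config parser instead of being expanded by the shell.
san_config() {
  cat <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = exts
[dn]
[exts]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName   = $ENV::SAN
EOF
}

# Self-signed certificate and key for common name $1, written to $2.crt and
# $2.key, with SAN list $3, e.g. "DNS:foo.com,DNS:bar.com".
make_cert() {
  local cn=$1 out=$2 san=$3 cfg rc
  cfg=$(mktemp) || return 1
  san_config >"$cfg"
  # -keyout does not restrict permissions on the private key, so set the
  # umask ourselves; the subshell keeps the umask change from leaking.
  ( umask 077
    SAN=$san openssl req -new -x509 -nodes -sha256 -days 3650 \
      -newkey rsa:2048 -subj "/CN=$cn" -config "$cfg" \
      -keyout "$out.key" -out "$out.crt" )
  rc=$?
  rm -f "$cfg"
  return $rc
}

# Usage: make_cert foo.com test "DNS:foo.com,DNS:bar.com"
```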
ECDSA_do_verify error?
Hi, all:

I want to verify a signature whose data are from NIST test vectors, but the result is always an error! The source is as follows:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/bn.h>
    #include <openssl/ec.h>
    #include <openssl/ecdsa.h>
    #include <openssl/evp.h>
    #include <openssl/err.h>
    #include <openssl/obj_mac.h>

    #pragma comment(lib, "libeay32.lib")
    #pragma comment(lib, "ssleay32.lib")

    /* OpenSSL 1.0.x API: ECDSA_SIG members are accessed directly and
     * EVP_MD_CTX lives on the stack (1.1.0+ needs ECDSA_SIG_set0()
     * and EVP_MD_CTX_new()). */
    int main(void)
    {
        int status = 0;
        unsigned int digest_len = 0;
        unsigned char digest[32] = {0};
        EVP_MD_CTX md_ctx;
        EC_KEY *pEccKey = NULL;
        ECDSA_SIG *signature = NULL;
        BIGNUM *bn_x_key = NULL;
        BIGNUM *bn_y_key = NULL;

        /* NIST P-256 / SHA-256 test vector: 128-byte message, public key
         * (x, y) and signature (r, s). These arrays are binary data, not C
         * strings: msg contains a 0x00 byte ("\x6a\x0e\x00\xc0" below), so
         * strlen(msg) would return 94 and only 94 bytes would be hashed.
         * Lengths are therefore taken as sizeof(...) - 1 (the string
         * literal's trailing NUL is excluded). */
        unsigned char msg[] = {
            "\x60\xcd\x64\xb2\xcd\x2b\xe6\xc3\x38\x59\xb9\x48\x75\x12\x03\x61"
            "\xa2\x40\x85\xf3\x76\x5c\xb8\xb2\xbf\x11\xe0\x26\xfa\x9d\x88\x55"
            "\xdb\xe4\x35\xac\xf7\x88\x2e\x84\xf3\xc7\x85\x7f\x96\xe2\xba\xab"
            "\x4d\x9a\xfe\x45\x88\xe4\xa8\x2e\x17\xa7\x88\x27\xbf\xdb\x5d\xdb"
            "\xd1\xc2\x11\xfb\xc2\xe6\xd8\x84\xcd\xdd\x7c\xb9\xd9\x0d\x5b\xf4"
            "\xa7\x31\x1b\x83\xf3\x52\x50\x80\x33\x81\x2c\x77\x6a\x0e\x00\xc0"
            "\x03\xc7\xe0\xd6\x28\xe5\x07\x36\xc7\x51\x2d\xf0\xac\xfa\x9f\x23"
            "\x20\xbd\x10\x22\x29\xf4\x64\x95\xae\x6d\x08\x57\xcc\x45\x2a\x84"
        };
        unsigned char xx[] = {
            "\x2d\x98\xea\x01\xf7\x54\xd3\x4b\xbc\x30\x03\xdf\x50\x50\x20\x0a"
            "\xbf\x44\x5e\xc7\x28\x55\x6d\x7e\xd7\xd5\xc5\x4c\x55\x55\x2b\x6d"
        };
        unsigned char yy[] = {
            "\x9b\x52\x67\x27\x42\xd6\x37\xa3\x2a\xdd\x05\x6d\xfd\x6d\x87\x92"
            "\xf2\xa3\x3c\x2e\x69\xda\xfa\xbe\xa0\x9b\x96\x0b\xc6\x1e\x23\x0a"
        };
        unsigned char rr[] = {
            "\x06\x10\x8e\x52\x5f\x84\x5d\x01\x55\xbf\x60\x19\x32\x22\xb3\x21"
            "\x9c\x98\xe3\xd4\x94\x24\xc2\xfb\x2a\x09\x87\xf8\x25\xc1\x79\x59"
        };
        unsigned char ss[] = {
            "\x62\xb5\xcd\xd5\x91\xe5\xb5\x07\xe5\x60\x16\x7b\xa8\xf6\xf7\xcd"
            "\xa7\x46\x73\xeb\x31\x56\x80\xcb\x89\xcc\xbc\x4e\xec\x47\x7d\xce"
        };

        /* openssl initialization */
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();

        /* hash the full 128-byte message with SHA-256 */
        EVP_MD_CTX_init(&md_ctx);
        EVP_DigestInit(&md_ctx, EVP_sha256());
        EVP_DigestUpdate(&md_ctx, msg, sizeof(msg) - 1);
        EVP_DigestFinal(&md_ctx, digest, &digest_len);
        EVP_MD_CTX_cleanup(&md_ctx);

        /* key on the P-256 curve (the separate EC_KEY_new() call was
         * redundant and leaked the first key) */
        pEccKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        if (NULL == pEccKey) {
            printf("EC_KEY_new_by_curve_name, error: %s\n",
                   ERR_error_string(ERR_get_error(), NULL));
            goto prog_end;
        }

        /* public key from the affine coordinates of the test vector */
        bn_x_key = BN_bin2bn(xx, sizeof(xx) - 1, NULL);
        bn_y_key = BN_bin2bn(yy, sizeof(yy) - 1, NULL);
        if (!EC_KEY_set_public_key_affine_coordinates(pEccKey, bn_x_key, bn_y_key)) {
            printf("EC_KEY_set_public_key_affine_coordinates, error: %s\n",
                   ERR_error_string(ERR_get_error(), NULL));
            goto prog_end;
        }

        /* check key */
        if (!EC_KEY_check_key(pEccKey)) {
            fprintf(stderr, "EC_KEY_check_key failed.\n");
        }

        /* signature (r, s); ECDSA_SIG_new() allocates r and s in 1.0.x */
        signature = ECDSA_SIG_new();
        signature->r = BN_bin2bn(rr, sizeof(rr) - 1, signature->r);
        signature->s = BN_bin2bn(ss, sizeof(ss) - 1, signature->s);

        /* verify: 1 = valid, 0 = invalid signature, -1 = error */
        status = ECDSA_do_verify(digest, digest_len, signature, pEccKey);
        if (status == 1) {
            printf("ECDSA verify successfully!\n");
        } else if (status == 0) {
            printf("ECDSA signature does not verify\n");
        } else {
            printf("ECDSA_do_verify, error: %s\n",
                   ERR_error_string(ERR_get_error(), NULL));
        }

    prog_end:
        /* openssl cleanup */
        if (pEccKey) EC_KEY_free(pEccKey);
        if (signature) ECDSA_SIG_free(signature);
        if (bn_x_key) BN_free(bn_x_key);
        if (bn_y_key) BN_free(bn_y_key);
        CRYPTO_cleanup_all_ex_data();
        ERR_free_strings();
        ERR_remove_state(0);
        return status == 1 ? 0 : 1;
    }

But why? The program does not seem wrong.

Looking forward to your reply~~~

Best Wishes!
ShiXin
Add SubjAltName to openssl command line?
Hi Y'all,

I've RTFM'd a bunch on this and can't find a clear answer, so to the lists I go... ;)

I can now create a cert/key pair quickly as such:

# openssl req -newkey rsa:2048 -x509 -nodes -out test.pem -keyout test.pem -days 3650

And after answering the questions, I get a certificate and key in the same file. All is well. Basically I don't need my certs signed for what I'm using them for, so no CA is required for my purpose here.

I was wondering if there was also a way to quickly create a certificate and key file in a similar fashion while also designating SubjAltName options on the openssl command line? Something like this maybe?

openssl req -newkey rsa:2048 -x509 -nodes -out test.pem -keyout test.pem -days 3650 -subjAlt "DNS:foo.com, DNS:bar.com"

or whatever. I know the "-subjAlt" option doesn't exist, but maybe there is something like it that I can invoke without having to configure a custom openssl.cnf config file for every one of these I want to create?

Thanks in advance for any insight!!!

cheers,
erich

--
View this message in context: http://openssl.6102.n7.nabble.com/Add-SubjAltName-to-openssl-command-line-tp46384.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
RE: Is it Possible to revoke cert by Serial
Well, what I was going to do is simply use the serial number for finding the file in the newcerts directory for the PEM and issue the CA command with the PEM. Since the backup of the signed certs is in the newcerts directory, I guess that would be appropriate.

--
View this message in context: http://openssl.6102.n7.nabble.com/Is-it-Possible-to-revoke-cert-by-Serial-tp46381p46383.html
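The workaround described above (locate the CA's archived copy by serial, then revoke that file), as an added example that is not from the thread: `openssl ca` stores each issued certificate in its `new_certs_dir` as `<SERIAL>.pem` with the serial in uppercase hex, so the serial maps directly to a file. The function names and the cross-check of the archived file's own serial are this example's additions; the CA config path and directory are arguments.

```bash
#!/bin/bash
# Added example: revoke a certificate given only its serial number, using the
# copy that "openssl ca" kept in new_certs_dir (<SERIAL>.pem, uppercase hex).

# Normalise a serial as typed ("0x1a2b", "1a:2b", "1A2B") to the form used
# for the archived file name: uppercase hex, zero-padded to an even length.
norm_serial() {
  local s
  s=$(printf '%s' "$1" | sed 's/^0[xX]//; s/://g' | tr 'a-f' 'A-F')
  [ $(( ${#s} % 2 )) -eq 1 ] && s="0$s"
  printf '%s\n' "$s"
}

# Print the archived certificate path for a serial, or fail if none exists.
find_cert_by_serial() {
  local dir=$1 serial
  serial=$(norm_serial "$2")
  [ -f "$dir/$serial.pem" ] && printf '%s\n' "$dir/$serial.pem"
}

# revoke_by_serial <ca.cnf> <new_certs_dir> <serial> [crl.pem]
# Verifies the archived file really carries the requested serial before
# revoking, so a mistyped serial cannot revoke a neighbouring certificate.
revoke_by_serial() {
  local cfg=$1 dir=$2 want file have
  want=$(norm_serial "$3")
  file=$(find_cert_by_serial "$dir" "$want") || {
    echo "no archived certificate for serial $want in $dir" >&2; return 1; }
  have=$(openssl x509 -in "$file" -noout -serial | sed 's/^serial=//')
  [ "$have" = "$want" ] || {
    echo "serial mismatch: $file carries $have" >&2; return 1; }
  openssl ca -config "$cfg" -revoke "$file" &&
    openssl ca -config "$cfg" -gencrl -out "${4:-crl.pem}"
}
```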
RE: Is it Possible to revoke cert by Serial
> Is it possible to revoke a cert by serial number? Using the ca command?

The answer is no.

> I searched the forum and this question is not answered.

Use the source, Luke :)

I can't see a good reason why the crl txt_db needs the subject name. It should be reasonable to modify ca.c to take the serial# instead of the cert (and perhaps a dummy subjectDN).

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Is it Possible to revoke cert by Serial
Is it possible to revoke a cert by serial number? I see that for all revoke commands you must have the cert? I searched the forum and this question is not answered.

--
View this message in context: http://openssl.6102.n7.nabble.com/Is-it-Possible-to-revoke-cert-by-Serial-tp46381.html