Re: Multiple attributes in PKCS#10
Hi again,

shouldn't it be?

    static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};

instead of

    static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};

I guess it was a typo.

regards,

aleix

On Fri, 10 Sep 2004 22:29:10 +0200, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>
> I've just fixed OpenSSL to check for the PKCS#9 extension request first and
> only use MS if it's not found.
>
> This will be in the next stable snapshot.
>
> Steve.
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]
Re: Multiple attributes in PKCS#10
Well, this is great. Thank you very much!

regards,

aleix

On Fri, 10 Sep 2004 22:29:10 +0200, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>
> I've just fixed OpenSSL to check for the PKCS#9 extension request first and
> only use MS if it's not found.
>
> This will be in the next stable snapshot.
>
> Steve.
Re: some errors
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes: > Hello, > > I try to write some beginner sample codes. Compilation is ok in Visual > C++ 6.0. > But when I execute it, program raise error on function > PEM_read_X509 at line 34. > > I don't know, where is problem... > you forgot to call OpenSSL_add_all_algorithms() at the beginning. aleix __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
how to "copy_extension" in 0.9.6?
hi!

is there any way to do a "copy_extension = copy" as in 0.9.7 in version
0.9.6?

thanks in advance.

regards,

aleix
more spam
hi,

i have sent a message to the list, and some anti spam software that this
user ([EMAIL PROTECTED]) has installed has sent me an email asking me to
accept it if i really wanted to send the message to him.

what is this? i do not want more spam. it is really annoying. anti-spam
filters are good if people keep them for themselves. i don't want to
receive more email that i have not asked for.

can anyone solve this?

maybe i'm too drastic, but i start hating all of these.

regards,

aleix
Re: crypto library
i think that by default OpenSSL is installed in /usr/local/ssl, so
libcrypto.a is in /usr/local/ssl/lib.

you probably would want to do:

    ./config --prefix=/usr/local

now libcrypto will be installed in /usr/local/bin and openssl executable
in /usr/local/bin

maybe this was the problem.

hth.

aleix
(example) Re: checking for key usages
hi again,

here is a dummy example that reads the key usage extension from a
certificate.

thanks Steve.

regards,

aleix

==

#include <stdio.h>
#include <stdlib.h>

#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

int
main(int argc, char** argv)
{
    FILE* in;
    int pos;
    int crit;
    X509* cert;
    X509_EXTENSION* ext;
    ASN1_BIT_STRING* key_usage;
    int digitalSignature, nonRepudiation, keyEncipherment;
    int dataEncipherment, keyAgreement, keyCertSign;

    if (argc < 2)
    {
        printf("usage: %s certificate.pem\n", argv[0]);
        exit(1);
    }

    OpenSSL_add_all_algorithms();

    in = fopen(argv[1], "r");
    if (in == NULL)
    {
        printf("unable to open file %s\n", argv[1]);
        exit(1);
    }

    cert = PEM_read_X509(in, NULL, NULL, NULL);
    if (cert == NULL)
    {
        printf("error reading certificate\n");
        exit(1);
    }
    printf("certificate OK\n");

    /* X509_get_ext_by_NID returns -1 when the extension is not present */
    pos = X509_get_ext_by_NID(cert, NID_key_usage, -1);
    ext = (pos >= 0) ? X509_get_ext(cert, pos) : NULL;
    if (ext == NULL)
    {
        printf("key usage extension not found!\n");
        exit(1);
    }
    printf("key usage extension found!\n");

    crit = X509_EXTENSION_get_critical(ext);
    printf("critical: %d\n", crit);

    /* decode the extension value; NULL means it could not be parsed */
    key_usage = (ASN1_BIT_STRING*) X509V3_EXT_d2i(ext);
    if (key_usage == NULL)
    {
        printf("unable to decode key usage extension\n");
        exit(1);
    }

    digitalSignature = ASN1_BIT_STRING_get_bit(key_usage, 0);
    nonRepudiation = ASN1_BIT_STRING_get_bit(key_usage, 1);
    keyEncipherment = ASN1_BIT_STRING_get_bit(key_usage, 2);
    dataEncipherment = ASN1_BIT_STRING_get_bit(key_usage, 3);
    keyAgreement = ASN1_BIT_STRING_get_bit(key_usage, 4);
    keyCertSign = ASN1_BIT_STRING_get_bit(key_usage, 5);

    printf("digitalSignature: %d\n", digitalSignature);
    printf("nonRepudiation: %d\n", nonRepudiation);
    printf("keyEncipherment: %d\n", keyEncipherment);
    printf("dataEncipherment: %d\n", dataEncipherment);
    printf("keyAgreement: %d\n", keyAgreement);
    printf("keyCertSign: %d\n", keyCertSign);

    ASN1_BIT_STRING_free(key_usage);
    X509_free(cert);
    fclose(in);
    EVP_cleanup();
    return 0;
}
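[Added example, not part of the original post and not OpenSSL code.] The extension value decoded in the message above is a DER BIT STRING; this stand-alone sketch decodes one by hand and goes beyond the six bits printed there by covering all nine KeyUsage bits. The ku_* names and the sample byte strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Named bits of KeyUsage (RFC 5280, section 4.2.1.3); index == bit number. */
static const char *const KU_NAMES[] = {
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly"
};
#define KU_NBITS 9

/* Constructed sample values (DER BIT STRINGs), not from a real certificate. */
static const unsigned char KU_TLS_SERVER[] = { 0x03, 0x02, 0x05, 0xA0 };
static const unsigned char KU_CA[]         = { 0x03, 0x02, 0x01, 0x06 };
static const unsigned char KU_DECIPHER[]   = { 0x03, 0x03, 0x07, 0x00, 0x80 };
static const unsigned char KU_BAD_PAD[]    = { 0x03, 0x02, 0x05, 0xA1 };

/*
 * Parse a DER BIT STRING and return it as a mask in which named bit n
 * is bit n of the result. Returns -1 on malformed input.
 */
long ku_parse(const unsigned char *der, size_t len)
{
    size_t clen, nbits, i;
    unsigned int unused;
    long mask = 0;

    if (len < 3 || der[0] != 0x03)            /* tag must be BIT STRING */
        return -1;
    clen = der[1];
    if ((der[1] & 0x80) || clen != len - 2)   /* short-form length only */
        return -1;
    unused = der[2];                          /* count of padding bits */
    if (unused > 7 || (clen == 1 && unused != 0))
        return -1;
    if (clen > 3)                             /* 9 bits fit in 2 data bytes */
        return -1;
    if (clen > 1 && (der[len - 1] & ((1u << unused) - 1u)) != 0)
        return -1;                            /* padding bits must be zero */

    nbits = (clen - 1) * 8 - unused;
    for (i = 0; i < nbits; i++)
        if (der[3 + i / 8] & (0x80u >> (i % 8)))  /* bit 0 is the MSB */
            mask |= 1L << i;
    return mask;
}

/* Same question ASN1_BIT_STRING_get_bit answers, on the parsed mask. */
int ku_get_bit(long mask, int n)
{
    if (mask < 0 || n < 0 || n >= KU_NBITS)
        return 0;
    return (int)((mask >> n) & 1L);
}

/* Write the set bits as a comma-separated list; returns how many are set. */
int ku_describe(long mask, char *out, size_t cap)
{
    int n, count = 0;
    size_t used = 0;

    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (n = 0; n < KU_NBITS; n++) {
        int w;
        if (!ku_get_bit(mask, n))
            continue;
        w = snprintf(out + used, cap - used, "%s%s",
                     count ? "," : "", KU_NAMES[n]);
        if (w < 0 || (size_t)w >= cap - used)
            return -1;
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];

    ku_describe(ku_parse(KU_TLS_SERVER, sizeof KU_TLS_SERVER), buf, sizeof buf);
    printf("server sample:   %s\n", buf);
    ku_describe(ku_parse(KU_CA, sizeof KU_CA), buf, sizeof buf);
    printf("CA sample:       %s\n", buf);
    ku_describe(ku_parse(KU_DECIPHER, sizeof KU_DECIPHER), buf, sizeof buf);
    printf("9th-bit sample:  %s\n", buf);
    printf("bad padding:     %ld\n", ku_parse(KU_BAD_PAD, sizeof KU_BAD_PAD));
    return 0;
}
```
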
Re: checking for key usages
"Dr. Stephen Henson" <[EMAIL PROTECTED]> writes: > ... then search and parse it using X509V3_get_d2i(). > > For keyUsage you get back an ASN1_BIT_STRING structure. From that you can test > individual bits using ASN1_BIT_STRING_get_bit(). > great! that is what i needed. thank you! aleix __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
checking for key usages
hi,

i've added key usage extensions to some CSR and these have been added to
the certificate. for this, i've used the function X509V3_EXT_conf_nid
(like in the mkreq.c example).

now, i'd like to obtain key usage values from an X509_EXTENSION
structure. how can i obtain each of these values? that is, obtain
digitalSignature, nonRepudiation...

thanks in advance.

regards,

aleix
delivery rejected: GregH at ceoworkz dot com ?
hi,

every time i send a message to the list i'm getting a mail notification
about delivery problems to GregH at ceoworkz dot com.

is that normal?

regards,

aleix
Re: Signature Verification problem
"Howard Chan" <[EMAIL PROTECTED]> writes: > > I have this file which used sha1 hash algorithm to obtain it's message > digest, and subsequently the digest was encrypted (signed) using RSA > algorithm with a private key from a X.509 certificate. > i don't think you can get a private key from an X509 certificate, may be you meant a PKCS12. anyway... > > > Now, I have the original file, the signed message digest (from above), > and I have the corresponding public key of the X.509 certificate. > > My question is; what openssl commands can I use now to verify the > signature of the signed message digest? > OpenSSL provides a set of functions called EVP to sign and verify. to sign EVP_PKEY* pkey < your private key EVP_MD_CTX ctx; EVP_SignInit(&ctx, EVP_sha1()); EVP_SignUpdate(&ctx, your_data, your_data_size); <-- n calls if (!EVP_SignFinal(&ctx, signature_buffer, &signature_len, pkey)) { // unable to sign } to verify EVP_PKEY* pkey < your public key EVP_MD_CTX ctx; EVP_VerifyInit(&ctx, type_); EVP_VerifyUpdate(&ctx, original_data, original_data_size); if (EVP_VerifyFinal(&ctx, signature_buffer, signature_size, pkey) == -1) { // unable to verify } > I have created the message digest of the original file already. I now > want to know "what can I do with the signed message digest so that I > can decrypt it (verify) using the public key?" > > After decrypting (verifying) it, am I supposed to get the same message > digest which I created earlier from the original file? > yes, that's it. when you get the signature (the encrypted message digest) it will be decrypted and compared with the message digest calculated with data you have provided to verify with. regards, aleix __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: adding custom extensions to certificates (brief document)
"Dr. Stephen Henson" <[EMAIL PROTECTED]> writes: > > Creating a random OID is a bad idea. You should get a number assigned for your > organisation and use a subtree of that. > > See: > > http://www.iana.org/cgi-bin/enterprise.pl > > If you, for example were allocated the number you could then use any OID > starting with 1.3.6.1.4.1. such as 1.3.6.1.4.1..1 > yes, that's right. i forgot to include this in the "document" and i noticed it after sending it. you had already told this to me before in a previous post. thanks! > > Adding unstructured data to an extension is a violation of the various > standards. What you need to do instead is to add an encoded structure. > > In many cases all that is wanted is a simple string. The easiest way to handle > that is to create an 'alias' to an already existing extension such as Netscape > comment which already uses a string. For example with: > > X509V3_ext_add_alias(NID_netscape_comment, new_oid); > > After this call the new oid behaves in the same way as Netscape comment and > the standard calls for extension creation can be used in doc/openssl.txt > > An alternative technique would be to make use of the mini ASN1 compiler in > OpenSSL 0.9.8, this allows the standard configuration files to be used in a > human readable syntax. For example: > > 1.3.6.1.4.1..1 = ASN1:IA5String:My Extension Value > > Some people will not like the idea of using a development version of OpenSSL > in such a way so instead 0.9.8 can be used to just generate the encoding and > use that in a stable version of OpenSSL such as 0.9.7. > ok. thanks for the advice! i'll take this into account. and modify both, my code and the document. i thought, that showing how to add extensions by code (what i needed) could be useful to someone. that's why i wrote that. when i have a little time, i'd like to recopilate all kind of examples and document them as i've done with this one. then put all of them in a web site... 
may be a wiki, so people can add examples in a cooperative way. i don't know if anyone would be interested. best regards, aleix __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: adding custom extensions to certificates (brief document)
please, feel free to modify this, because my english needs to be
polished.

best regards,

aleix
adding custom extensions to certificates (brief document)
E_OPTIONS

Next step is to finally create the certificate. It is as easy as this:

    openssl ca -cert ca.pem -keyfile ca-prikey.pem -outdir . -out certificate.pem -extensions usr_cert -extfile openssl.cnf -infiles request.csr

In the command above we just provide the certificate and private key of
a CA, two extension parameters that identify the extensions to be added
to the certificate (not our own extensions), and as a last parameter our
CSR. This will create our certificate with our own extension inside it.

For more information on the use of OpenSSL commands check out:

http://www.openssl.org/docs/apps/openssl.html

We can finally check the existence of our extension in the certificate.
This will be done similarly to checking the CSR extensions.

Here is the code:

    int i;

    /**
     * We need to create our custom OID in order for OpenSSL to find
     * the short and long descriptions.
     */
    int nid = OBJ_create("1.2.3.4", "TestOID", "Long description TesT OID");
    ASN1_OBJECT* obj = OBJ_nid2obj(nid);

    /**
     * Here we get the list of available extensions and iterate
     * through them. Note that we suppose that the X509 certificate is
     * already created.
     */
    int n = X509_get_ext_count(cert);
    printf("Extensions: %d\n", n);
    for (i = 0; i < n; ++i)
    {
        X509_EXTENSION* ext = X509_get_ext(cert, i);
        nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
        printf("short name: %-22s - long name: %s\n",
               OBJ_nid2sn(nid), OBJ_nid2ln(nid));
    }

That's it. I hope this information will help other people adding custom
extensions to certificates.

Aleix Conchillo Flaque
adding extensions to certificates
hi,

i've been looking at the archives list trying to search how to add
additional extensions to certificates. i found the thread "Adding
Application Attributes to X509 Certificates?" that is about what i'm
asking but using openssl commands and openssl configuration file. even
though, i don't know if "Brian Skrab" who was asking on how to do it,
finally solved it.

my questions are:

1) I'd like to add an additional (attribute,value) pair to a
certificate, can i use any OID? RFC 2459 suggests to follow IANA or
ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1 for additional key purposes. do i
need to follow the same conventions? if so, where can i find them?

2) I'd also like to add an extended key usage, the oid is defined in
openssl as follows:

    #define OBJ_ext_key_usage OBJ_id_ce,37

can i use for my extended key usage? would this follow the conventions
on question 1?

    #define OBJ_MY_ext_key_usage OBJ_id_ce,37,1

2) Once i have an OID, should i use these functions to add an extension
to a certificate?

    X509_EXTENSION_create_by_OBJ
    X509_EXTENSION_set_object
    X509_EXTENSION_set_critical
    X509_EXTENSION_set_data

and

    X509_add_ext

any help would be appreciated, thanks in advance.

regards,

aleix
PKCS#12: MAC security benefits?
hi,

basically, the question is: which are the security benefits of adding a
MAC to a PKCS#12?

thanks in advance.

regards,

aleix
Re: Speed of calculating (a exp x) modulo n ?
hi Krzysztof,

try "openssl speed rsa". it will compute some rsa exponentiations and it
will give you some times. you can also try "openssl speed" for all
tests.

regards,

aleix
Re: engine's performance (what's wrong?)
hi,

well, first of all, let me thank you for the mail again.

i was thinking the same thing yesterday morning: if you need your CPU to
do other things, the cryptographic hardware can help you. the problem is
when you only need cryptographic results in a real-time large process
(let's say tallying votes from an election, which is what i'm doing). in
this kind of applications you really need speed. obviously everything is
not cryptographic calculations, there is access to disks, network... but
crypto is a major one.

anyway, your mail has helped me to think about security risks using
hardware or not. and i'll take everything into account.

regarding to speed again, GMP is a really cool "kick ass" (sorry for the
expression) library, we've used it for some mathematical calculations,
instead of using OpenSSL BN. if you've done a wrapper with GMP... let me
say that we'll have to spend lots of money in hardware to be as fast as
in software.

thanks again.

best regards,

aleix
Re: engine's performance (what's wrong?)
hi,

i'll definitely have a look at the old posts if i find them. :-)

thank you very much for this mail. it has really helped me understanding
a bit more of what i was doing. now, results really make sense.

hardware disabled

openssl speed -elapsed

                  sign    verify    sign/s verify/s
rsa  512 bits   0.0015s   0.0002s    676.4   6309.0
rsa 1024 bits   0.0089s   0.0004s    111.7   2255.0
rsa 2048 bits   0.0518s   0.0015s     19.3    676.0
rsa 4096 bits   0.3418s   0.0052s      2.9    192.2

hardware enabled

openssl speed -elapsed -engine chil

                  sign    verify    sign/s verify/s
rsa  512 bits   0.0042s   0.0024s    239.5    415.3
rsa 1024 bits   0.0121s   0.0035s     82.5    282.5
rsa 2048 bits   0.0597s   0.0073s     16.8    136.1
rsa 4096 bits   0.3917s   0.0215s      2.6     46.6

with hardware enabled now i get 82.5 signs which i guess, as you said,
is using just one processor from the nShield (which has two). so if it
used the two processors it would do 165 signs more or less (nShield is
supposed to do 150 operations per second).

as you can see, hardware is slower. my box is an Intel P4 at 1,4 GHz and
is a bit faster than the processors in the nShield (i think the model
i'm trying is one of the worst).

i've tried the hardware version of my program with a multiprocess and
i've gained more performance (uses two processors). but, what if i use a
dual pentium box with P4 at 2GHz or a faster machine? this will be
faster and cheaper than the cryptographic hardware. even though, the
cryptographic hardware has more features than just do operations (at
least the nShield), which maybe is the good thing.

anyway, everything makes more sense now.

thank you very much.

best regards,

aleix
engine's performance (what's wrong?)
hi again,

as i said yesterday i'm doing some tests with cryptographic hardware (in
my case nCipher's). now that i have loaded the engine, i'm getting real
strange results. the same test with hardware enabled is much slower than
the software version. it is really weird, because the "openssl speed
-engine chil" command seems to be as fast as desired.

do i have to set something else? is there any documentation on the net?
am i getting more dummy everyday?

thanks in advance.

regards,

aleix

here is the code (enable hardware passing 'enable' as first parameter):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

ENGINE*
setup(char const* engine)
{
    ENGINE* e = ENGINE_by_id(engine);

    // if engine was not found try to load the shared library
    if (e == NULL)
    {
        e = ENGINE_by_id("dynamic");
        if ((e == NULL)
            || !ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
            || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        {
            ENGINE_free(e);
            e = NULL;
        }
    }
    return e;
}

ENGINE*
load(char const* engine)
{
    ENGINE* e = setup(engine);

    // setup() returns NULL when the engine could not be loaded
    if (e == NULL)
    {
        return NULL;
    }
    if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
    {
        ENGINE_free(e);
        return NULL;
    }
    // the defaults registered above hold their own references
    ENGINE_free(e);
    return e;
}

int
main(int argc, char** argv)
{
    time_t t_start;
    time_t t_end;
    RSA* k;
    ENGINE* e = NULL;
    unsigned int i;
    unsigned char* buf;
    unsigned char* buf2;
    unsigned int rsa_num;

    CRYPTO_malloc_init();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();

    if ((argc > 1) && strcmp(argv[1], "enable") == 0)
    {
        ENGINE_load_builtin_engines();
        e = load("chil");
    }

    if (e == NULL)
    {
        printf("Hardware disabled.\n");
    }
    else
    {
        printf("Hardware enabled.\n");
    }

    k = RSA_generate_key(1024, 65537, NULL, NULL);

    buf = (unsigned char*) malloc(5000);
    buf2 = (unsigned char*) malloc(5000);
    memset(buf, 0, 5000);   // sign a defined 36-byte input

    t_start = time(NULL);
    for (i = 0; i < 1500; i++)
    {
        RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, k);
    }
    t_end = time(NULL);

    // time_t is not an int: cast before printing
    printf("Total time: %ld sec.\n", (long) (t_end - t_start));

    free(buf);
    free(buf2);
    RSA_free(k);

    EVP_cleanup();
    ENGINE_cleanup();
    CRYPTO_cleanup_all_ex_data();
    ERR_remove_state(0);
    ERR_free_strings();
    return 0;
}
Re: enabling engines (solved)
Aleix Conchillo Flaque <[EMAIL PROTECTED]> writes:

>
> ENGINE*
> setup(char const* engine)
> {
>     if (::ENGINE_by_id(engine) == NULL)
>     {
>         return NULL;
>     }
>
>     ENGINE* e = ::ENGINE_by_id("dynamic");
>     if (e)
>     {
>         if (!::ENGINE_ctrl_cmd_string(e, "SO_PATH", engine.c_str(), 0)
>             || !::ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
>         {
>             // fails in here
>             e = NULL;
>         }
>     }
>     return e;
> }
>

i found the error. by the way, a dummy one.

ENGINE_by_id already loads the shared library, so the function should
look like this:

ENGINE*
setup(std::string const& engine)
{
    std::string err;
    ENGINE* e = ::ENGINE_by_id(engine.c_str());

    // if engine was not found try to load the shared library
    if (e == NULL)
    {
        e = ::ENGINE_by_id("dynamic");
        if ((e == NULL)
            || !::ENGINE_ctrl_cmd_string(e, "SO_PATH", engine.c_str(), 0)
            || !::ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        {
            err = "Unable to load engine dynamic library: " + engine;
            ::ENGINE_free(e);
            e = NULL;
        }
    }
    if (e == NULL)
    {
        throw engine_exception(err);
    }
    return e;
}

regards,

aleix
enabling engines
hi,

i've just started testing an ncipher hardware module using openssl. the
"openssl" application seems to find the shared library
(libnfhwcrhk.so), with just specifying "-engine chil". but my code
doesn't want to find the library. i get this error:

"error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:

maybe openssl is compiled with some define that tells where to look for
shared libraries... i don't have any idea.

this is the code i use:

ENGINE* engine_ = setup("chil");
if(!::ENGINE_set_default(engine_, ENGINE_METHOD_ALL))
{
    //error treatment
}

ENGINE*
setup(char const* engine)
{
    if (::ENGINE_by_id(engine) == NULL)
    {
        return NULL;
    }

    ENGINE* e = ::ENGINE_by_id("dynamic");
    if (e)
    {
        if (!::ENGINE_ctrl_cmd_string(e, "SO_PATH", engine.c_str(), 0)
            || !::ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        {
            // fails in here
            e = NULL;
        }
    }
    return e;
}

any ideas?

thanks in advance,

aleix
Re: dummy question about PKCS#12
On Fri, 11 Oct 2002 18:42:02 +0200, Joern Sierwald wrote:

>
> If the certificates are encrypted, you need to decrypt them. Sorry for
> stating the obvious. However: there is no need to encrypt them
> in the 1st place. A pkcs#12 file can contain the cert unencrypted
> and the key encrypted.
>
> openssl will encrypt the cert by default if you create a pkcs#12 file.
> As far as I know you can't generate half-encrypted ones without
> some programming.
>

great, that's what i wanted to know, just if it was possible and it
kept to be standard.

aleix
dummy question about PKCS#12
hi!

this is probably a basic question. i'd like to know if there is any way
to obtain the public certificates inside a PKCS#12 without the need to
decrypt it. if the certificates are public it should be obvious to be
able to read them.

is it possible?

regards,

aleix
Fw: RE: someone in the UK phone Andy pls
Begin forwarded message:

Date: Thu, 12 Sep 2002 16:30:13 +0100
From: "Andy Schneider" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: someone in the UK phone Andy pls

Have just text'ed Andy's mobile.

Aleix - can you fwd to openssl-users if it doesn't appear on the mail
list since this e-mail will be in HTML.
Re: someone in the UK phone Andy pls
On Thu, 12 Sep 2002 16:59:17 +0200, Jose Correia (J) wrote:

> and tell him to phone someone at his company to disable his
> auto-response thingy. Otherwise we are going to end up with hundreds
> of these things...!!
>

yeah, it's really annoying.

aleix
Re: PKCS12 and private keys
On Thu, 25 Jul 2002 17:33:49 +0200 (CEST), Erwann ABALEA wrote:

>
> How is that localKeyID calculated? Is it a hash of the public key? If
> yes, then this sounds an acceptable practice, if you really *need* to
> keep separate PKCS#12 files, which is uncommon.
>

it's a digest of the x509 certificate (which contains the public key).
in openssl it is calculated with the X509_digest function, which needs
an X509 certificate, a hash method (e.g. EVP_sha1) and a buffer to store
the id.

regards,

aleix
Re: creating RSA private/public key pair
On 23 Jul 2002 17:44:15 -, ganesh kumar godavari wrote:

> hello group,
> i have create RSA private key using
> openssl genrsa -out KEY.pem 1024
> openssl rsa -in KEY.pem -out private.pem
> openssl rsa -in KEY.pem -pubout -out public.pem
>

hi

first, you don't need to call

    openssl rsa -in KEY.pem -out private.pem

the first command "genrsa" generates a private key already, so you'll
have:

    openssl genrsa -out private.pem 1024
    openssl rsa -in private.pem -pubout -out public.pem

>
> i try to read the public.pem the following way
> [snip]
> >if ((x=(RSA *)PEM_read_RSAPublicKey(fp,NULL, NULL,NULL)) !=
> NULL) [snip]
>
> it gives me an error saying that
>

that's because there's two ways to read public keys. a public key can be
rsa, dsa and dh (may be more in openssl i don't remember now). with the
function PEM_read_RSAPublicKey OpenSSL is expecting a concrete RSA
Public key which will have in the header of the PEM file

    -----BEGIN RSA PUBLIC KEY-----

instead of

    -----BEGIN PUBLIC KEY-----

if you'd like to load an RSA key with the "BEGIN PUBLIC KEY" header, you
should use PEM_read_RSA_PUBKEY function instead of the one you use. this
header will be common for dsa, rsa and dh keys.

uppps... got to catch the bus.

hope this helps you.

regards,

aleix
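[Added example, not part of the original post and not OpenSSL code.] The header distinction described in the message above can be checked before choosing a reader; this stand-alone sketch inspects the PEM armor and returns the name of the matching OpenSSL function. The pem_* helpers and the sample blocks (placeholder base64, not real keys) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: the base64 bodies are placeholders, not real keys. */
static const char SAMPLE_PKCS1[] =
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "AAAA\n"
    "-----END RSA PUBLIC KEY-----\n";
static const char SAMPLE_SPKI[] =
    "-----BEGIN PUBLIC KEY-----\n"
    "AAAA\n"
    "-----END PUBLIC KEY-----\n";
static const char SAMPLE_MISMATCH[] =
    "-----BEGIN PUBLIC KEY-----\n"
    "AAAA\n"
    "-----END RSA PUBLIC KEY-----\n";

/*
 * Copy the label of the first "-----BEGIN <label>-----" line into
 * label[]. Returns 0 on success, -1 if no well-formed header is found.
 */
int pem_label(const char *pem, char *label, size_t cap)
{
    static const char begin[] = "-----BEGIN ";
    const char *start = strstr(pem, begin);
    const char *end;
    size_t n;

    if (start == NULL)
        return -1;
    start += sizeof begin - 1;
    end = strstr(start, "-----");
    if (end == NULL)
        return -1;
    n = (size_t)(end - start);
    if (n == 0 || n >= cap)
        return -1;
    if (memchr(start, '\n', n) != NULL)   /* label must sit on one line */
        return -1;
    memcpy(label, start, n);
    label[n] = '\0';
    return 0;
}

/*
 * Return the name of the OpenSSL reader that expects this armor:
 *   "RSA PUBLIC KEY" -> PEM_read_RSAPublicKey
 *   "PUBLIC KEY"     -> PEM_read_RSA_PUBKEY
 * NULL means the input is not a public key block or its BEGIN and END
 * lines disagree.
 */
const char *pem_public_reader(const char *pem)
{
    char label[64];
    char footer[80];

    if (pem_label(pem, label, sizeof label) != 0)
        return NULL;
    snprintf(footer, sizeof footer, "-----END %s-----", label);
    if (strstr(pem, footer) == NULL)      /* END line must match BEGIN */
        return NULL;
    if (strcmp(label, "RSA PUBLIC KEY") == 0)
        return "PEM_read_RSAPublicKey";
    if (strcmp(label, "PUBLIC KEY") == 0)
        return "PEM_read_RSA_PUBKEY";
    return NULL;
}

int main(void)
{
    const char *r;

    r = pem_public_reader(SAMPLE_PKCS1);
    printf("RSA PUBLIC KEY -> %s\n", r ? r : "(none)");
    r = pem_public_reader(SAMPLE_SPKI);
    printf("PUBLIC KEY     -> %s\n", r ? r : "(none)");
    r = pem_public_reader(SAMPLE_MISMATCH);
    printf("mismatched END -> %s\n", r ? r : "(none)");
    return 0;
}
```
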
Re: i2d_PKCS7_bio(), what does it do?
Frank Geck <[EMAIL PROTECTED]> writes:

> I was wondering if someone could tell me what i2d_PKCS7_bio() and
> d21_PKCS7_bio() do. I think that they take a pkcs7 data structure and
> put it in a memory bio but what type of encoding (DER, PEM/base 64)?
>

DER encoding

check out the faq, section PROG question 3:

http://www.openssl.org/support/faq.html

aleix
Re: HTML works fine, PHP...not so good
Ryan Hagan <[EMAIL PROTECTED]> writes:

> Greetings,
>
> I've installed OpenSSL (0.9.6c-2) along with sslwrap (2.0.6-5) and
> apache (1.3.24-3) and PHP (4.1.2-4) on a debian system. I created my
> own certificate with no problems, installed the necessary lines into my
> /etc/services file and ran the daemon in inetd.conf.
>

did you use debian packages? or you compiled packages yourself?

> Everything works great when I try to pull up HTML files using the HTTPS
> on my server, but as soon as I try to open up a PHP file, my browser
> says it can't find the file. So far, this happens with EVERY SINGLE php
> file. The exact error I get is:
> "The requested URL /test/test.php was not found on this server."
>
> With /test/test.php being whatever php file I've tried to open.
>
> But as soon as I change the URL from HTTPS to HTTP it works fine. Any
> suggestions? Thanks a million!
>

do you have two servers? apache and apache-ssl? or just one?

- if you have two is probably because in your apache-ssl configuration
  file php is not loaded. check if the lines referring to php in
  http.conf in your normal apache are in apache-ssl configuration file
  (just search php).

- if you have only one server... errr... no idea... :?

aleix
random seed
hi all,

does anyone know how to obtain a big random seed in systems that don't
provide /dev/urandom?

maybe i could initialize RAND_seed with current time, and then generate
random numbers and provide them as the new random seed. is this a good
choice?

thanks in advance,

aleix
Re: decrypted private key...
Leendert Meyer <[EMAIL PROTECTED]> writes:

> Hi all,
>
> Ok here is my problem :
>
> I have a encrypted private key in a .pem file.
>
> How can I convert it to be an unencrypted version of the
> key.
>

    openssl rsa -in privkey.pem -out privkey_unenc.pem

regards,

aleix
Re: Read private key
isn't this a repeated thread? or do i have a déjà vu? :)

aleix
Re: EVP_CipherFinal()
Stella Power <[EMAIL PROTECTED]> writes:

> okidokey, the code is attached.
> The encryption/decryption function is in do_crypt.c
>

hi,

i think you have the problem when you get the size of your buffer.

    inlen = strlen(i_p);

you are treating the result as a string. this is not correct because it
could have lots of \0 characters. so strlen() will stop at the first \0
and give you a wrong length. you must treat your buffers as buffers with
any characters not as simple strings (encrypt does not return strings).

hope this helps.

regards,

aleix
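[Added example, not part of the original post and not code from do_crypt.c.] The truncation described in the message above, reproduced without OpenSSL: toy_crypt is a constructed XOR transform that only stands in for cipher output (it is not encryption), and the message and key are constructed so that the output contains \0 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: bytes 1 and 2 of the message equal the key bytes at
 * the same positions, so the transformed output has \0 at offsets 1 and 2. */
static const unsigned char MSG[] = "hello world";
static const unsigned char KEY[] = "kelp";
#define MSG_LEN (sizeof MSG - 1)
#define KEY_LEN (sizeof KEY - 1)

/* Toy XOR transform standing in for cipher output. Returns bytes written. */
static size_t toy_crypt(unsigned char *out, const unsigned char *in,
                        size_t inlen)
{
    size_t i;

    for (i = 0; i < inlen; i++)
        out[i] = in[i] ^ KEY[i % KEY_LEN];
    return inlen;
}

/*
 * Transform MSG, then reverse it. With use_strlen != 0 the ciphertext
 * length is taken with strlen(), as in the code under discussion;
 * otherwise the length returned by the transform is used.
 * Returns the number of bytes recovered (0 if they do not fit in cap).
 */
size_t roundtrip(int use_strlen, unsigned char *recovered, size_t cap)
{
    unsigned char ct[64] = { 0 };   /* zero-filled so strlen() terminates */
    size_t ctlen, declen;

    ctlen = toy_crypt(ct, MSG, MSG_LEN);
    declen = use_strlen ? strlen((const char *)ct) : ctlen;
    if (declen > cap)
        return 0;
    return toy_crypt(recovered, ct, declen);
}

int main(void)
{
    unsigned char out[64];
    size_t n;

    n = roundtrip(1, out, sizeof out);
    printf("length from strlen():  recovered %lu of %lu bytes\n",
           (unsigned long)n, (unsigned long)MSG_LEN);
    n = roundtrip(0, out, sizeof out);
    printf("length carried along:  recovered %lu of %lu bytes: %.*s\n",
           (unsigned long)n, (unsigned long)MSG_LEN, (int)n, (char *)out);
    return 0;
}
```
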
Re: RSA TO AND FROM DER PROBLEM
On Wed, 2002-05-22 at 09:16, [EMAIL PROTECTED] wrote:

>
> I have a problem doing a simple program. I want to convert to and from a
> rsa structure to a DER. When I do it, I get a segmentation fault and I
> don't know why. Please can anybody help me?
>
> The code is:

hi luis,

next time, please, paste your code instead of sending an image...

anyway

RSA_generate_key creates a new RSA key so you don't have to call RSA_new
previously.

the line

    clave_der -= long_mensaje;

what exactly does it do? you don't need it.

d2i_RSAPublicKey also creates a new RSA key so you don't have to call
RSA_new().

with these changes you won't get the Segmentation fault. But you'll get
that RSA_check_key does not return 1 as you expect. I guess that's
because you are trying to check a non complete RSA key, because you just
have the public component.

regards,

aleix
Re: create cert non interactively
On Tue, 2002-04-02 at 17:34, Chris Cleeland wrote:

>
> You can also just modify the .conf file to not prompt, e.g., I have something
> like this in a customized version of openssl.conf
>
>[snip]

this way is just better :-)

--
Aleix Conchillo Flaqué
http://www.scytl.com
---
PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
---
Re: create cert non interactively
On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote:

> Hi,
> Is there way to create certificates using openssl in a noninteractive
> mode ? All the required
> values (common name, email, organization, ou etc) will be captured using
> a unix shell script
> and passed to openssl commands.
> Is it possible. Any help will be highly appreciated.
>

i do it this way. there is probably a better one:

    openssl req -new -key prikey.pem -out req.csr < info_file

where info_file is a generated file (in this case with your shell
script) and looks like this:

--
ES
Your state
Your city
Your organization
Your organizational unit
Your name
--

if you don't want to fill any of the fields just leave a blank line.

hope this helps.

best regards,

--
Aleix Conchillo Flaqué
http://www.scytl.com
---
PGP Key: http://www.scytl.com/pgp-keys/AleixConchillo.asc
---
Re: PKCS7/PKCS12 strange problem
hi kevin,

i don't understand when you say "is obviously not importable by IE or
Netscape". your PKCS12 file seems to be fine. i can export mine in
windows and netscape without any problems, and are exactly like yours, a
typical PKCS12 file. :?

maybe your problem is that you are using your own CA. and as i can see
in your PKCS12 output you have not added to it. you can add another X509
file with -certfile argument.

aleix
Re: OffTopic: Base64 over HTTPS
i forgot to say that i use the code i sent you in https posts.

aleix
Re: OffTopic: Base64 over HTTPS
hope this helps. i don't remember where i found it... anyway, here you are.

#include <stdio.h>   /* EOF */
#include "base64.h"

unsigned char alphabet[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode size bytes of base64 from inbuf into outbuf. Returns the number of
   bytes written, or 0 on error. outbuf needs 3 bytes per 4 input characters. */
int base64_decode(unsigned char *outbuf, unsigned char *inbuf, int size)
{
    static unsigned char inalphabet[256], decoder[256];
    int j, i, bits, c = EOF, char_count, errors = 0;

    /* build the lookup tables from the alphabet */
    for (i = (sizeof alphabet) - 1; i >= 0 ; i--) {
        inalphabet[alphabet[i]] = 1;
        decoder[alphabet[i]] = i;
    }

    char_count = 0;
    bits = 0;
    i = 0;
    j = 0;
    while (i < size) {
        c = inbuf[i++];
        if (c == '=')
            break;
        if (c > 255 || ! inalphabet[c])
            continue;   /* skip anything outside the alphabet (e.g. newlines) */
        bits += decoder[c];
        char_count++;
        if (char_count == 4) {
            outbuf[j++] = bits >> 16;
            outbuf[j++] = (bits >> 8) & 0xff;
            outbuf[j++] = bits & 0xff;
            bits = 0;
            char_count = 0;
        } else {
            bits <<= 6;
        }
    }
    /* input used up without reaching '=' padding: same as EOF on a stream */
    if (c != '=')
        c = EOF;
    if (c == EOF) {
        if (char_count)
            errors++;
    } else { /* c == '=' */
        switch (char_count) {
        case 1:
            errors++;
            break;
        case 2:
            outbuf[j++] = bits >> 10;
            break;
        case 3:
            outbuf[j++] = bits >> 16;
            outbuf[j++] = (bits >> 8) & 0xff;
            break;
        }
    }
    return (errors ? 0 : j);
}

/* Encode size bytes from inbuf into outbuf as base64, with a newline every
   72 output characters. Returns the number of bytes written. */
int base64_encode(unsigned char *outbuf, unsigned char *inbuf, int size)
{
    int i, j, cols, bits, c, char_count;

    char_count = 0;
    bits = 0;
    cols = 0;
    i = 0;
    j = 0;
    while (i < size) {
        c = inbuf[i++];
        bits += c;
        char_count++;
        if (char_count == 3) {
            outbuf[j++] = alphabet[bits >> 18];
            outbuf[j++] = alphabet[(bits >> 12) & 0x3f];
            outbuf[j++] = alphabet[(bits >> 6) & 0x3f];
            outbuf[j++] = alphabet[bits & 0x3f];
            cols += 4;
            if (cols == 72) {
                outbuf[j++] = '\n';
                cols = 0;
            }
            bits = 0;
            char_count = 0;
        } else {
            bits <<= 8;
        }
    }
    /* one or two bytes left over: emit them with '=' padding */
    if (char_count != 0) {
        bits <<= 16 - (8 * char_count);
        outbuf[j++] = alphabet[bits >> 18];
        outbuf[j++] = alphabet[(bits >> 12) & 0x3f];
        if (char_count == 1) {
            outbuf[j++] = '=';
            outbuf[j++] = '=';
        } else {
            outbuf[j++] = alphabet[(bits >> 6) & 0x3f];
            outbuf[j++] = '=';
        }
        if (cols > 0)
            outbuf[j++] = '\n';
    }
    return j;
}
Re: PKCS12 import failure
Hi Alvaro,

I had a similar problem with netscape. When i generated the certificates, i initialized the certificates serial number file (ca.srl) to 00 and netscape correctly exported the user certificate, but not the ca. i repeated all steps again without resetting ca.srl to 00 and then it worked. so my certificate has 01 serial number now.

Best regards,

aleix
Re: PKCS7, getting signer's CN
On Wed, 2002-01-09 at 18:21, Frank Geck wrote:
> I was trying to get the common name (CN) from a PKCS7 file that I had
> read in. I used, sk=PKCS7_get_signer_info(p7) now I have sk holding a
> STACK_OF(PKCS7_SIGNER_INFO), any function to return the CN as I go
> through the stack?
>

don't know if this will help you:

    STACK_OF(PKCS7_SIGNER_INFO)* sk = PKCS7_get_signer_info(p7);
    char text[200];

    for (int i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk); i++)
    {
        PKCS7_SIGNER_INFO* si = sk_PKCS7_SIGNER_INFO_value(sk, i);
        /* look up the signer's certificate among those carried in p7 */
        X509* x509 = PKCS7_cert_from_signer_info(p7, si);
        if (x509 == NULL)
            continue; /* signer certificate is not included in the PKCS7 */
        X509_NAME* name = X509_get_subject_name(x509);
        /* fixed-size buffer; the output is truncated to fit */
        X509_NAME_oneline(name, text, sizeof(text));
        printf("Subject name data: %s\n", text);
    }

-- Aleix

--
Aleix Conchillo Flaqué
SCYTL founder & R&D Engineer
e-mail: [EMAIL PROTECTED]
phone: +34 933 016 547
PKCS7 Signed and Enveloped
Hi,

I have a few questions about the usage of the PKCS7 functions in OpenSSL. My code works: it creates a PKCS7 SignedAndEnveloped. I got the idea from the enc.c and dec.c files in the crypto/pkcs7 directory. Before my code worked i wrote another code that seemed to be ok but didn't work.

Let me explain, PKCS7 standard says that a SignerInfo is needed to create the PKCS7 so i called the next functions:

    X509 *cert = ...
    EVP_PKEY *pkey = ...
    PKCS7_SIGNER_INFO* signer = PKCS7_SIGNER_INFO_new();
    PKCS7_SIGNER_INFO_set(signer, cert, pkey, EVP_sha1());
    PKCS7_add_signer(p7, signer);
    PKCS7_add_recipient(p7, rec_cert);
    PKCS7_dataFinal(p7, bio);

This seemed to be the most reasonable way to do it but it didn't work. The code i have now (the one that works) is:

    PKCS7_add_signature(p7, cert, pkey, EVP_sha1());
    PKCS7_add_certificate(p7, cert);
    PKCS7_add_recipient(p7, rec_cert);
    PKCS7_dataFinal(p7, bio);

Can anyone explain what those PKCS7_add_signature and PKCS7_add_certificate calls are? Do they set a PKCS_SignerInfo automatically? I do not really understand why my initial code didn't work.

Any help would be really appreciated.

Regards,

Aleix
Re: LDAP storage
On Mon, 2001-11-26 at 16:33, Harry Hoffman wrote:
> Hey Aleix,
> Any chance of getting that application?? I'm still a little confused
> about what needs to be done when creating your own CA. I've used CA.pl to
> create the certificate authority, now I need to figure out how to create
> certificates for various apps (apache, postfix) and for users. Every
> how-to that I read uses a mix between CA.pl and the actual openssl
> commands. Sorry to sound like such a newbie, I've used openssl before but
> never to this extent.
>

sorry, i've been off all the weekend.

i would create everything with openssl, including the CA. openssl generates pkcs standard formats so no problem using them in applications.

for the imp web mail client i would write a little extension to get the user cert file from ldap as you already said. php has lots of easy-to-use functions to do that. i can send you some code to store certificates in ldap using php.

apache uses a pem for its certificate and another pem for its private key, and there is no problem generating them using openssl. i've never used pki in postfix, so i can not help there.

if you want more concrete details on how to generate those files you can send me an email, and i'll help you if i can.

regards,

-- Aleix

--
Aleix Conchillo Flaqué
SCYTL founder & R&D Engineer
e-mail: [EMAIL PROTECTED]
phone: +34 933 016 547
Re: problems with openssl and keytool
On Mon, 2001-11-26 at 11:27, Lidia Castillejo wrote:
> Hi,
> Thanks Dr S N Henson XDD
> I'm using RSA keys. How i can create a PKCS#12 file from the certificate and
> private key?
> Thanks
>

using the command line:

    openssl pkcs12 -export -in your_cert.pem -out your.p12 -inkey privatekey.pem

regards,

aleix
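The export command above, together with the -certfile option mentioned in the PKCS7/PKCS12 thread, as an added example that is not part of the original posts: it builds a throwaway CA and user certificate, exports them into one PKCS#12 file and counts the certificates in it. The function name make_p12, the subject names, the ca.key, ca.pem and user.csr file names and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example; the CA, user and passphrase are constructed test values.
# make_p12 DIR: build DIR/your.p12 holding the user cert, its key and the CA
# cert, then print how many certificates the bundle contains.
make_p12() (
    cd "$1" || exit 1
    umask 077                       # keys and the .p12 stay owner-only
    # Throwaway self-signed CA, then a user key and request.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example Test CA" \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=Example User" \
        -keyout privatekey.pem -out user.csr 2>/dev/null || exit 1
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key \
        -set_serial 1 -days 1 -out your_cert.pem 2>/dev/null || exit 1

    # -export has a leading dash; -certfile adds the CA certificate.
    # The passphrase is read from the environment, not from argv.
    openssl pkcs12 -export -in your_cert.pem -inkey privatekey.pem \
        -certfile ca.pem -name "Example User" \
        -passout env:P12_PASS -out your.p12 || exit 1

    # 2 = user certificate + CA certificate
    openssl pkcs12 -in your.p12 -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
)

P12_PASS='constructed-test-passphrase'; export P12_PASS
tmp=$(mktemp -d) && make_p12 "$tmp"
rm -rf "$tmp"
```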
Re: LDAP storage
On Fri, 2001-11-23 at 17:28, Harry Hoffman wrote:
> Hey All,
> Just wondering if anyone is using openldap to store their certificates
> in. I'm thinking about using it to store our users email certs in and was
> wondering if anyone had any good pointers as a way to approach this.
>

i've used openldap to store certificates and then use them with openssl. i began using ldif files to add entries to the ldap server, but i finally wrote a simple php web application to store the certificates in DER format.

to begin using openldap, check out the distribution's examples, they're really cool.

openssl has functions to read certificates and they are really easy to use.

what do you exactly need for your application?

regards,

-- Aleix

--
Aleix Conchillo Flaqué
SCYTL founder & R&D Engineer
e-mail: [EMAIL PROTECTED]
phone: +34 933 016 547