SSL_read confusion

2005-05-23 Thread Carlos Roberto Zainos H
Hi guys!

I have some doubts about the SSL functions, especially the SSL_read function.

I'm trying to write a generic HTTPS client (POST and GET methods must be available). I've written the code for the connection via win sockets (blocking socket) and used the following code for the SSL handshake:

if ((ctx = SSL_CTX_new (meth)) == NULL ) { /* Error */ }
SSL_CTX_set_options(ctx,0);
if ((ssl = SSL_new (ctx)) == NULL) { /* Error */ }
if ((SSL_set_fd (ssl, s)) != 1) { /* Error */ }
SSL_set_connect_state(ssl);
if ((SSL_connect(ssl)) != 1) { /* Error */ }
/* Until here there's no problem */

The misunderstanding comes when I compose a GET request and try to retrieve the server's answer with SSL_read:

char read [1024];
char head[1024];

sprintf(head,"GET /index.html HTTP/1.1 \t\n\t");
res = SSL_write (ssl, head, strlen(head)); // OK

// try to recover the index.html resource

memset(read, 0, sizeof(read));
res = SSL_read (ssl, &(read[0]), sizeof(read)-1);

//The last line only recovers the 'H' from the HTTP/1.0 header spec; this means it only reads 1 byte. The docs say SSL_read attempts to read sizeof(read)-1 bytes and put them in &(read[0])... so I don't understand why I'm only getting one byte.

If I put it in a loop then I get the complete response:
for (i=0; i<=70; i++){
res = SSL_read (ssl, &(read[0]), sizeof(read)-1); //res =0
res = SSL_get_error(ssl, res);
fprintf (stderr,"%s \n", read);
memset(read, 0, sizeof(read));
}

HTTP/1.0 200 OK
Content-Lenght: 2428
Content-Type:text/html

!-- DOCTYPE HTML PUBLIC 
--

WIN XP Pro
MVC/C++ 6.0 compiler
OpenSSL 0.9.7f


Any suggestions or pointers will be appreciated

Best regards

Zainos
Do You Yahoo!?
Yahoo! Net: The best internet connection and 25MB extra for your mail for $100 a month.

PKCS12 function problem

2005-05-11 Thread Carlos Roberto Zainos H
Hi there!!

I'm trying to use the high-level function PKCS12_create in my app to get a p12 file to import into MSIE and MS Outlook, but it seems to do nothing; I mean, I get an empty p12 file.

I followed the pkwrite example in \demos\pkcs12 but it doesn't work..

My code follows:

out = BIO_new_file(outfile, "wb");
if (out==NULL){ /* Error */ }
fp = fopen("Prueba1.p12", "wb");
if ( fp == NULL){ /* Error */ }
// load the privkey, the certificate and the password for the p12 file

p12 = PKCS12_create (pass, outfile, key, ucert, NULL, 0,0,0,0,0); // No problem

res = i2d_PKCS12_fp(fp, p12); //this crashes my program
fprintf(stderr, "fp res=%d\n", res);

res = i2d_PKCS12_bio(out, p12); // No problem
fprintf(stderr, "res=%d\n", res); // res =1

if (BIO_write_filename(out, outfile) <= 0){
fprintf(stdout,"Error generando file p12 \n");
}

I need some help please

TIA

Zainos

Re: Windows installation

2005-04-18 Thread Carlos Roberto Zainos H
Hi Silvia !!

Why not try this:
http://www.slproweb.com/products/Win32OpenSSL.html

It's a Windows Installer package of OpenSSL and works really well.

When you install it you will get libeay32.lib, ssleay32.lib and their corresponding .dll files.

You will also get a folder with header files (.h); you may move this to the INCLUDE path of MS VC++ (maybe C:\Archivos de programa\Microsoft Visual Studio\VC98\Include) and in your program include the .h headers corresponding to the functions you are trying to use.

e.g.
#include <openssl/openssl_header_function.h>

Remember that the openssl folder contains all the .h files for the available functions of openssl, and afterwards, when you compile your program, don't forget to include the library on the command line: cl your_app.cpp libeay32.lib

Hope this helps

Zainos




Certs&Privkeys in PKCS#12 format, hints needed ....

2005-03-04 Thread Carlos Roberto Zainos H
Hi all!!!

Thanks a lot Dr Henson .. you really pointed me the right way.

My last posted question was based on certs and keys being separate, and we wanted to build them into a PKCS12 file to exchange it... I have another question: what about the case where we want to generate RSA private keys, create and sign the CSR and send it to our CA; the CA verifies and signs the CSR and issues the corresponding certificate. If I, as a CA, wanted to issue both the private key and the certificate in PKCS#12 format ... what should I do??

I have a client-server based application on Windows XP (MS VC++6 & openssl crypto lib); the client generates its RSA key pair, composes its own CSR and sends it to the server; the server validates it and (if that is the case) issues the certificate. The keys and certificates are in DER format. I would like to issue the cert and the key in PKCS12 format.

What should I do in this case???
TIA

Zainos

PKCS12 help needed

2005-03-02 Thread Carlos Roberto Zainos H
Hi there!!!

I'm trying to use the openssl pkcs12 option from the command line but I don't understand the options very well.

I have a pair (private key and certificate file), both in PEM format. I want to get a PKCS#12 file which contains both. I would like to import that (the PKCS12 file) into MS Outlook or Outlook Express.

My command line looks like:
C:\>openssl pkcs12 -inkey llaveAM02.pem -certfile agente_monitor02.pem /
-CAfile certac.pem -out prueba1.p12 -export

The .p12 file is created but it's empty.

Another question: if I want to program my own pkcs12 apps with the openssl API, where can I get examples or hints??

Any help is useful

TIA
ZAINOS

ASN1_sign error

2005-02-23 Thread Carlos Roberto Zainos H
Hi there!!!

I've been working very well with the openssl crypto library without "unexpected" errors. But this time I get an error using X509_REQ_sign()... I've made a lot of CSRs in a lot of clients with this function without problems, but now when I copy-paste the source code to another app the function breaks with the following error code:

error:0D080041:asn1 encoding routines:ASN1_sign:malloc failure

My code:
res = X509_REQ_sign (req, dec_key, EVP_sha1());
if (res == 0){
while ( c_error = ERR_get_error() )
{ /* Error message here */ }
}

Previously I made the RSA pair and populated the CSR with no problem ..

Any suggestions??

TIA

Zainos


Question about EVP_PKEY_free ()

2004-10-21 Thread Carlos Roberto Zainos H
Hi all!!

I have a little problem using the EVP_PKEY_free() function. It crashes my program.

I'm doing something like this in my source code:

EVP_PKEY *key=NULL;
RSA *rsa=NULL;

key=EVP_PKEY_new();
EVP_PKEY_assign_RSA (key, rsa);
// . other code here .

EVP_PKEY_free(key); // - This breaks my program ...


If I omit EVP_PKEY_free(), my app finishes OK ... but if I don't do this, could it become a memory leak???

I can't omit the EVP_PKEY_new() line, so what am I doing wrong??

Thanks in advance
Zainos



Re: storing PEM encoded certs in database

2004-09-07 Thread Carlos Roberto Zainos H
Hi
I'm not an expert, but I think it could be somewhat different depending on the DBMS and the driver connection being used.

For example, I'm using Oracle DB 10g with an ODBC-based client connection to the DB.

I'm storing PEM certificates by making a copy of the certificate to a buffer and then storing it into the DB via INSERT with the appropriate conversions:

unsigned char cert[2*1024];
BIO *buf;

buf = BIO_new (BIO_s_mem());
res = PEM_write_bio_X509(buf, xreq); //xreq is the X509 cert
longitud = sizeof(cert) - 1; /* leave room for the terminating '\0' */
res = BIO_read(buf, cert, (int)longitud);
cert[res]='\0';
//executing the INSERT via exec_sql_comm(sentence) function, where sentence = "insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s')",fecha_cad, num_serie, cert)"

Hope this helps.
Zainos

Smith Baylor [EMAIL PROTECTED] wrote:

making and signing new certificates

2004-09-02 Thread Carlos Roberto Zainos H
Eric Meyer [EMAIL PROTECTED] wrote:
--
Hi Eric

Yes, you are right, the openssl documents are not well detailed and, in some cases, out of date; also sometimes, just like you, I feel a little confused and desperate, but this makes you teach yourself about the library (crypto lib, in my particular case). So, I recommend some really useful links:
http://www.columbia.edu/~ariel/ssleay/ - the base library, I think
http://www2.psy.uq.edu.au/~ftp/Crypto/ - some FAQs
http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html - Programmer reference
http://www.opensslbook.com/code.html

And of course this mailing list ..

There are some recommendations and security standards for verifying a CSR and for creating and signing a new certificate; you must read them and select the proper ones according to your needs and/or your system or organization policies.

My certification process protocol follows:

X509 *x=NULL, *xreq=NULL, **b=NULL;
X509_REQ *req=NULL, **sr=NULL;
ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;
BIO *in=NULL, *incer=NULL, *buf=NULL;

- Receive the CSR (in my case by socket connection) or read it from a file.
- Decode the CSR:
buf = BIO_new (BIO_s_mem());
in = BIO_new_mem_buf(mensaje, strlen(mensaje));
req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL);
- Retrieve and decode the signer cert:
incer = BIO_new_mem_buf(cert, strlen((const char*)cert));
x = PEM_read_bio_X509(incer, b, NULL, NULL);
- Verify the CSR with the signer pubkey:
if (X509_REQ_verify (req, X509_get_pubkey(x)) != 1){
//Error code
}
- Create and fill the new cert:
xreq = X509_new();
X509_set_version(xreq,VERSION);
ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);
X509_gmtime_adj(X509_get_notBefore(xreq),0);
X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS);
X509_set_issuer_name(xreq,"CA_subject"); /* placeholder: pass the CA's X509_NAME *, not a string */
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC,"The ORG", -1, -1, 0);
X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0);
// The client public key
X509_set_pubkey(xreq, X509_REQ_get_pubkey(req));
// X509v3 Extensions
res=add_ext(xac, xreq, NID_basic_constraints, "your options");
res=add_ext(xac, xreq, NID_key_usage, "your optionskey usage");
res=add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");
res=add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");
res=add_ext(xac, xreq, NID_authority_key_identifier, "your choice");
res=add_ext(xac, xreq, NID_issuer_alt_name, "some stuff");
res=add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");
res=add_ext(xac, xreq, NID_netscape_comment, "some stuff");

//signing the new cert
X509_sign (xreq, dec_key_ac, EVP_sha1());

// write out in some format (PEM or DER)
res = PEM_write_bio_X509(buf, xreq);

This is a broad view of my CertSign protocol; there are some things that are not mentioned here, like the CDP (CRL Distribution Point). A suitable guideline is the PKI Forum and the IETF PKI working group.

Hope this helps
Best regards
Zainos

Memory Leak still in my app

2004-08-31 Thread Carlos Roberto Zainos H
Hi guys and hi Eric !

I have tested my app again and again and, following Dr Stephen's recommendations, I discovered that the BIOs are not the problem; they all point to NULL after they have been freed.

I think the problem could be in freeing the other structures.
I have a main Windows service server (Win XP Professional, Visual C++ 6.0 compiler), OpenSSL 0.9.7d based, which by means of a call to a CreateThread(...(LPTHREAD_START_ROUTINE) servicio...) function begins a routine called "servicio" which receives a CSR sent by the "client app".
The "servicio" routine does something like:
X509 *x=NULL, *xreq=NULL, **b=NULL;
X509_REQ *req=NULL, **sr=NULL;
EVP_PKEY *pubkey_ai=NULL;
ASN1_INTEGER *serial=NULL;
ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;
BIO *in=NULL, *incer=NULL, *buf=NULL;

// "x" is for the signer cert, "xreq" is the new cert and "b" is for decoding the signer cert via PEM_read_bio_X509(in,b,NULL,NULL )
// "req" is the CSR received, "sr" is for decoding the CSR via PEM_read_bio_X509_REQ(incer,sr,NULL,NULL)
X509_NAME *dn=NULL;

The CSR is decoded, the client pubkey is extracted from it and a new X509 structure is filled with the appropriate info. The DB is updated and the client receives a notification; all this works very well. The problem is when I try to free the used structures before exiting "servicio".

X509_NAME_free(dn); // frees the dn = X509_NAME_new() of the new cert.
EVP_PKEY_free(pubkey_ai); //the signer public key used to verify the CSR
ASN1_INTEGER_free(serial); //the serial of the new cert
ASN1_GENERALIZEDTIME_free(N_after_gmt); //the adjust of the new cert
BIO_set_close(in, BIO_CLOSE); //this is more efficient, instead only BIO_free()
res = BIO_free(in);
BIO_set_close(incer, BIO_CLOSE);
res = BIO_free(incer);
BIO_set_close(buf, BIO_CLOSE);
res = BIO_free(buf);
X509_REQ_free(req);
X509_free(xreq);
//X509_free(x); - this breaks my server

So, I don't understand why after 100 consecutive connections the memory grows by 4.5 Kb; something is not being freed (BIOs are not the problem). How can I see if the structures are freed?? (point to NULL)

I need my server to be stable (no memory leak)
Help needed!!!

Thanks in advance
Zainos

OpenSSL function for pure base64 encoding.....

2004-08-10 Thread Carlos Roberto Zainos H
Hi all!!

Thanks a lot for your answers!!! They were really useful!!!
Now I have another question. Is there an OpenSSL function to perform a pure base64 (not PEM) encoding of a buffer??

I've read in the OpenSSL docs that the BIO filters could be useful, but I made a little test and it fails. My code follows:

#include <stdio.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/evp.h>

BIO *bio=NULL, *b64=NULL;
char mensaje[] = "Mensaje de Pruebabase64\n";
char mensaje_b64[64];
int res;

int main (void)
{
 OpenSSL_add_all_algorithms();
 OpenSSL_add_all_ciphers();

 b64 = BIO_new(BIO_f_base64());
 bio = BIO_new(BIO_s_mem());
 b64 = BIO_push(b64, bio);

 res = BIO_write (b64, mensaje, strlen(mensaje));

 res = BIO_read (bio, mensaje_b64, res);
 printf("%d\n%s\n",res,mensaje_b64);
}

res is always -1, so ... what am I doing wrong???

Thanks a lot for your answers in advance!
Zainos

Suggestions for the password storing

2004-08-09 Thread Carlos Roberto Zainos H


Hi team!!
I have a "big" question: where is an appropriate place to store the encryption password of the private key? I mean, the security of the priv key is based on the password with which it is encrypted (PKCS#1), so where would be a safe place to put this pwd on the client's computer (Windows environment)???
Thanks in advance.
Zainos

How to convert a buffer to an internal structure???

2004-08-02 Thread Carlos Roberto Zainos H
Hi guys!!!
I'm working on a Crypto-OpenSSL based project generating and managing X509 certs. I have a little problem because I'm using an Oracle DB as the repository. The certs are stored in PEM format in the DB (-BEGIN . END-); the connection between my app and the server is ODBC based. When I retrieve the cert from the DB I store it in a buffer (char []) but I don't know how to convert that buffer into an internal usable structure... (maybe BIO or PEM)

Any hint???

Best Regards
Zainos

X509_REQ_to_X509 Status

2004-05-27 Thread Carlos Roberto Zainos H
Hi all !!

I'm trying to develop a C app to manage a CSR (req.pem), verify it and sign it; the verification routine is OK, but when I try to use the next function to convert the REQ into an X509 cert:

X509_REQ_to_X509(req, DAYS, pubkey_ai)

the function breaks my program.

What is the status of this function???

I've read in the SSLeay docs that "nothing *does* call this routine".
So ... is this just a test function?? In x509.h it seems to be a stable function.

Can someone help me??

Best regards

Zainos

Adding extension to X509_REQ

2004-05-21 Thread Carlos Roberto Zainos H
Hi all

First of all, thank you so much for the answers about JAVA-OpenSSL; those really were helpful for me. Another time I will detail what I'm trying to do, even though JNI is shaping up as my solution.

This time my question is about including in an X509_REQ a subfield which contains the serial number and the DN of the "installer"; let me explain a little bit:

My work team is trying to install an application (client) oriented to getting information about the PCs of our organization. The client is installed with the approval and authorization of an "installer" (a human), who supplies his certificate and his private key (for auditing purposes). After this, the installer program makes a CSR, signs it with the installer's private key and sends it to the CA. The CA verifies the request and, if it was signed by a "valid installer", signs and issues the certificate and notifies the installer program.

At this moment we have only one "installer" but in the future there will be a lot of them. I've been thinking that it could be a good idea to add the serial number and the DN of the installer to the CSR so that the CA could search for the serial number and/or DN in the certs database.

I thought of using REQ extensions but I don't know if this is possible or how to do it.

Thanks in advance for your replies

Zainos

OpenSSL functionality from JAVA

2004-05-19 Thread Carlos Roberto Zainos H
I'm taking up again a question posted a few weeks ago.

Is it possible, or is there a way, or what must I do, to make use of all OpenSSL functionality from Java applications??

Specifically, I want to make use of the cryptographic functions implemented in OpenSSL (crypto) but in Java programs (e.g. symmetric ciphers, public key ciphers, certificates, message hashes, etc). Someone said that JSSE could be a good option, but I've read the docs and I think that just a little cryptographic functionality is implemented and that JSSE is basically oriented to SSL/TLS connectivity.

What do you recommend?? Has anyone done, or is anyone doing, something similar to this?

Thanks in advance

Zainos

Problems encrypting private key

2004-05-17 Thread Carlos Roberto Zainos H
Hi all !

I'm writing an application that needs to write out an RSA private key with password-based encryption in DER format, but I'm getting errors from the functions used for this. My code and error codes follow:

ERR_load_crypto_strings ();
out = BIO_new(BIO_s_file());

rsa = RSA_generate_key (bits, e_value, i_progreso, NULL ); /*ok */
clave = EVP_PKEY_new();
EVP_PKEY_assign_RSA (clave, rsa); /*rsa in EVP_PKEY structure */

res = PEM_write_bio_RSAPrivateKey (out, rsa, EVP_des_cbc(), NULL, 0, NULL, password); /*this works fine */

res = PEM_write_bio_PKCS8PrivateKey(out, clave, EVP_des_cbc(), NULL, 0, NULL, password); /*this breaks with the following error code:
error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
error:2306C067:PKCS12 routines:PKCS12_i2d_encrypt:encrypt error
error:2307D067:PKCS12 routines:PKCS8_encrypt:encrypt error
0 */

res = i2d_PKCS8PrivateKey_bio (out, clave, EVP_des_cbc(), NULL, 0, NULL, password); /*this is the function that interests me but it also breaks with the following error code:
error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
error:2306C067:PKCS12 routines:PKCS12_i2d_encrypt:encrypt error
error:2307D067:PKCS12 routines:PKCS8_encrypt:encrypt error
error:0D074041:asn1 encoding routines:ASN1_i2d_bio:malloc failure
0 */

What's the problem with the last two functions??
Am I doing something wrong??

Thanks in advance for your replies.

Zainos



Re: Problems encrypting private key

2004-05-17 Thread Carlos Roberto Zainos H


Thanks a lot Dr Henson !
Now all works fine
Zainos

RSA_XXX_encrypt doubts

2004-04-28 Thread Carlos Roberto Zainos H
Hi list 
Thank you very much Dr Stephen; the problems decrypting the PBE privkey were fixed in my app and now it works pretty well.

Now I have another problem. For design reasons (not my design) I must use both RSA_private_encrypt and RSA_public_encrypt in my app. The designers think that it is better this way. So, I need to encrypt with the RSA privkey (1024 bits) a string that I call "message"; message is 40 bytes long. As I read in the OpenSSL docs and a Richard Levitte message, for this type of encryption I must "complete" the message to be encrypted up to privkey_length (128 bytes); so I added zeros '0' to message until it is 128 bytes long, and then I use the RSA_private_encrypt function. My code follows:

unsigned char message[sizeRSAkey], *firma, *sobre;

firma=(unsigned char *) malloc ( RSA_size(rsa) );
flen=strlen(message);
res = RSA_private_encrypt (flen, message, firma, rsa, RSA_NO_PADDING); /*rsa is the RSA priv key to use*/
if (res== -1){
// Error messages
}

This part seems to finish OK; the function encrypts res (128) bytes OK. Then follows the public encrypt phase of the previous result (I do this in two parts: 64+64 bytes):

sobre=(unsigned char *) malloc (256 * sizeof(char) );
/*sobre=(unsigned char *) malloc (2 * RSA_size(clave)); this breaks my app and I don't know why, "clave" is the RSA pub key to use*/
/*first part*/
res1= RSA_public_encrypt (res/2, firma, sobre, clave, RSA_PKCS1_OAEP_PADDING ); /*here breaks my app, tips??*/
/*second part*/
res2= RSA_public_encrypt (res/2, firma+res/2, sobre, clave, RSA_PKCS1_OAEP_PADDING );

I'm really convinced that this must not be done this way; I would prefer to use RSA_sign but, as I said before, this is for design reasons :-(.

My first attempt was to try to encrypt everything in one step: RSA_public_encrypt with RSA_NO_PADDING, but I had problems; finally I thought it better to encrypt in two parts. But following this procedure my app also breaks. What am I doing wrong??
Once more, thanks in advance for your reply

Zainos

Problems with d2i_PKCS8PrivateKey_bio function

2004-04-27 Thread Carlos Roberto Zainos H
Hi Dr Henson and openssl users list.

I'm very thankful for your answers.

This time I'm having problems with the d2i_PKCS8PrivateKey_bio function. It always returns 0 to me, and really I don't know what's wrong.
My code:
RSA *rsa;
EVP_PKEY *dec_key, **x=NULL;
BIO *in=NULL;
char *password = "am01key";
char *priv_key_der = "llaveAMp5.key"; /*PBE privkey file */
int i,size_llave=0;

OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();

in=BIO_new(BIO_s_file());
if (in==NULL) /*not problem */
{ /* Error code*/
}
if (BIO_read_filename(in,priv_key_der) <= 0) /*not problem*/
{ /*ErrorCode*/
}
/*dec_key=EVP_PKEY_new(); comment this because I thought could be the problem*/
dec_key=d2i_PKCS8PrivateKey_bio(in, x, NULL,password);
if (dec_key=NULL) /*also not problem*/
{ /*Error code */
}
size_llave=EVP_PKEY_size(dec_key); /*result of this function is always 0 */
printf("%d\n", size_llave); /*prints zero 0 */

rsa=RSA_new();
rsa=EVP_PKEY_get1_RSA(dec_key); /*this function breaks because dec_key is 0 size bytes, right ? */

With all my test keys the results are the same (privkeyp5.key, privkeyp8.key, privkey_der.key). Is there some type of bug? Or is this caused by my C code??

I'm a little desperate.
Thanks again in advance
Zainos

RE: Sample config file

2004-04-26 Thread Carlos Roberto Zainos H
Hi !
Dr Henson refers to openssl-0.9.7.your-dist/apps (if you're working on a Linux/Unix box); in that directory there is an openssl.cnf file (openssl example configuration file).

If you're working in Win32 there must be an openssl.cnf in C:\openssl-folder\bin. In both cases you must customize (if you want) that file; for testing purposes, the file without changes would be OK.

Zainos

Archer-Lampron [EMAIL PROTECTED] wrote:
Thank you for the reply.
I do not have an openssl.cnf file anywhere in the Apache Group directory nor in its subdirectories.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Sunday, April 25, 2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Sample config file

On Fri, Apr 23, 2004, Archer-Lampron wrote:
Hello, I am a newbie trying to generate my first certificates with openssl for use with Apache on Windows XP. I seem to be missing a .CONF configuration file. Is a sample available somewhere? Thanks for any assistance that can be provided.

openssl.cnf in the apps directory.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Problems decrypting PKCS# Private Key , Help needed

2004-04-23 Thread Carlos Roberto Zainos H
Hi all!!!

Thanks again for the answers.

The question that I now post refers to decrypting a PBE (PKCS#5) private key. I've been working with priv/pub keys obtained from openssl, but now my C application needs to work with ones generated by another application (commercial software). I've discovered (with openssl's help) that the private key is in "clear" PEM format (not encrypted) and PBE (PKCS#5 v2(?)) protected (DER form: privkey.key). My problem is that I can't decrypt that key to use it in my C application. My code follows:

alg = PKCS5_pbe2_set (EVP_des_cbc(), -1, NULL, 0); /*pkcs5 v2.0 */
err = EVP_PBE_CipherInit (alg->algorithm, password, strlen(password), alg->parameter, ctx, decripta); /*descripta is defined as 0 */
decr_buf = (unsigned char *) malloc (longitud + EVP_CIPHER_CTX_block_size(ctx) + 1);
err = EVP_CipherUpdate (ctx, decr_buf, &bytes_decr, privkey_pointer, length_privkey);
err = EVP_CipherFinal (ctx, decr_buf+bytes_decr, &bytes_final);
if ( err == 0 ){
printf("Ha ocurrido un error EVP_CipherFinal \n");
while ( c_error = ERR_get_error() )
fprintf(stderr, "%s", ERR_error_string(c_error, NULL)); /* fixed format string instead of passing the message as the format */
exit(1);
}

So, err is always 0 in EVP_CipherFinal; the error code returned is:
error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length

I thought that the problem could be the priv key, so I generated privkeys in PKCS#5 and PKCS#8 with:
openssl pkcs8 -inform DER -in privkey.key -topk8 -v1 PBE_MD5_DES -outform DER -out privkeyp5.key ; and
openssl pkcs8 -inform DER -in privkey.key -topk8 -outform DER -out privkeyp8.key

And tested my application again with those keys, but the results are the same.


I don't know what is wrong ... any suggestions or tips???

Best regards

Zainos

Re: Problems decrypting PKCS# Private Key , Docs needed

2004-04-23 Thread Carlos Roberto Zainos H


If it's in DER format then d2i_PKCS8PrivateKey_bio() will handle the encrypted form, and d2i_PKCS8_PRIV_KEY_INFO() followed by EVP_PKCS82PKEY() for the unencrypted form.
Steve.

Thanks a lot Dr Henson. Just another little question: where are the references to d2i_PKCS8_PRIV_KEY_INFO() and EVP_PKCS82PKEY()? I can't find them in evp.h and pem.h; in the crypto section of the openssl web page I also couldn't find them... sorry.
I'm working in a WinXP environment with openssl-w32-version
Thanks in advance

ZAINOS

How to encrypt a RSA priv key

2004-04-14 Thread Carlos Roberto Zainos H

Hi !!

I have some problems because I want an RSA private key in DER form but des-cbc encoded. The source key is in PEM encoded form (password protected) and I need something similar but in DER encoded form (also a password-protected key). I have tried: openssl rsa -in mykey.pem -outform DER -out mykey.key, to get a DER encoded key, and after this: openssl enc -des-cbc -in mykey.key -out mydeskey.key -pass stdin -e; it looks like everything finishes OK, but when I take a look at the output file, it looks a little bit "strange" because it begins with "Salt_"
Really I don't know what is happening ... for me it would be wonderful if I could do something like this from C routines.

I have taken a look at evp.h but I'm confused.
Could someone help me??

thanks in advance

zainos

Re: Programming difficulties

2004-04-01 Thread Carlos Roberto Zainos H
Thanks a lot Dr Stephen, Richard and Bernhard

I made revisions to my source, docs and faq's and now this works fine ...

Best regards

Zainos

Can't open CER certificate

2004-03-29 Thread Carlos Roberto Zainos H
Hi Dr Stephen :

Thanks for your answer

As you told me, I ran the openssl x509 command in the win32 command line, and the result was the following:

With a CA certificate:
C:\openssl\bin>openssl x509 -in c:\crzh\progs\ac.cer -noout -text
unable to load certificate
660:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE

With an end_user certificate:
C:\openssl\bin>openssl x509 -in c:\crzh\progs\agente_monitor.cer -noout -text
unable to load certificate
1204:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE

What does it mean??

What can I do?

I'm using openssl-0.9.7d

Thanks in advance

Zainos

newbie question ...

2004-03-26 Thread Carlos Roberto Zainos H
Hi all !!!

I've been working for a while with the RC4-SHA1 cipher and digest routines for a project, but now I want to use the X509 libraries to handle a certificate.cer issued by a local CA.
I've looked at and tried the d2i_X509 and d2i_X509_fp routines but my tests fail.

So .. my question is ... how can (or must) I convert a CER certificate into a DER or PEM certificate with the X509 certificate handling routines???
I could solve my last problems with SHA1 and RC4 but this time I can't. Sorry, I'm a newbie...

Thanks in advance

Zainos.
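
An added example, not part of the posts above and not OpenSSL code: the "How to encrypt a RSA priv key", "Can't open CER certificate" and "newbie question ..." posts all depend on which encoding a key or certificate file really has, so this C sketch classifies a buffer as PEM, a single DER object, or password-based openssl enc output. The function names and the sample byte strings are constructed for illustration, and the DER check assumes the buffer holds exactly one object with no trailing bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ENC_UNKNOWN, ENC_PEM, ENC_DER, ENC_OPENSSL_SALTED } file_encoding;

/* Constructed samples (hypothetical, not taken from the posts). */
static const unsigned char sample_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_salted[] = {
    'S', 'a', 'l', 't', 'e', 'd', '_', '_',          /* magic written by openssl enc */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,  /* 8-byte salt */
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33   /* one ciphertext block */
};
/* PEM armor around the five sample_der bytes; not a valid certificate. */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
/* Declares 266 content bytes but carries one: truncated, or not DER at all. */
static const unsigned char sample_truncated[] = { 0x30, 0x82, 0x01, 0x0a, 0x02 };

/* Read the DER length that follows the tag byte. Returns the number of
 * header bytes (tag + length octets), or 0 if the length is not valid DER. */
static size_t der_header_len(const unsigned char *buf, size_t len, size_t *content)
{
    size_t n, i, v = 0;

    if (len < 2)
        return 0;
    if (buf[1] < 0x80) {              /* short form: one length octet */
        *content = buf[1];
        return 2;
    }
    n = buf[1] & 0x7f;                /* long form: n length octets follow */
    if (n == 0 || n > 4 || len < 2 + n)
        return 0;                     /* 0x80 is indefinite length, not DER */
    for (i = 0; i < n; i++)
        v = (v << 8) | buf[2 + i];
    if (buf[2] == 0 || (n == 1 && v < 0x80))
        return 0;                     /* DER demands the shortest encoding */
    *content = v;
    return 2 + n;
}

/* PEM readers look for "-----BEGIN " at the start of a line; without it
 * they report "no start line". */
static int has_pem_start_line(const unsigned char *buf, size_t len)
{
    static const char marker[] = "-----BEGIN ";
    const size_t mlen = sizeof(marker) - 1;
    size_t i = 0;

    while (i + mlen <= len) {
        if (memcmp(buf + i, marker, mlen) == 0)
            return 1;
        while (i < len && buf[i] != '\n')   /* skip to the next line */
            i++;
        i++;
    }
    return 0;
}

file_encoding classify_encoding(const unsigned char *buf, size_t len)
{
    size_t hdr, content = 0;

    /* openssl enc with a password: "Salted__" + 8-byte salt + ciphertext */
    if (len >= 16 && memcmp(buf, "Salted__", 8) == 0)
        return ENC_OPENSSL_SALTED;
    /* Keys and certificates are an ASN.1 SEQUENCE (tag 0x30) whose declared
     * length must account for every remaining byte. */
    if (len >= 2 && buf[0] == 0x30) {
        hdr = der_header_len(buf, len, &content);
        if (hdr != 0 && content == len - hdr)
            return ENC_DER;
    }
    if (has_pem_start_line(buf, len))
        return ENC_PEM;
    return ENC_UNKNOWN;
}

const char *load_hint(file_encoding e)
{
    switch (e) {
    case ENC_PEM:            return "PEM: default -inform, PEM_read_bio_* in code";
    case ENC_DER:            return "DER: pass -inform DER, d2i_*_bio in code";
    case ENC_OPENSSL_SALTED: return "openssl enc output: decrypt with openssl enc -d first";
    default:                 return "unknown: not PEM, a single DER object, or enc output";
    }
}

int main(void)
{
    printf("%s\n", load_hint(classify_encoding(sample_der, sizeof sample_der)));
    printf("%s\n", load_hint(classify_encoding(sample_salted, sizeof sample_salted)));
    printf("%s\n", load_hint(classify_encoding((const unsigned char *)sample_pem,
                                               sizeof sample_pem - 1)));
    printf("%s\n", load_hint(classify_encoding(sample_truncated, sizeof sample_truncated)));
    return 0;
}
```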