Re: [openssl-users] Using a TPM to sign CSRs

2018-07-28 Thread Devang Kubavat 
Hi Kaarhik,

Please refer https://github.com/ThomasHabets/openssl-tpm-engine. It is
OpenSSL TPM Engine. It will help to offload all crypto operation to TPM.

Regards,
Devang.

On Tue, Jul 24, 2018 at 4:48 PM, Kaarthik Sivakumar 
wrote:

> Hello
>
> I need to create a key pair using a TPM (proprietary) and build a CSR and
> sign it using it the TPM as well. Currently I dont have an engine interface
> to talk to the TPM. I do the following:
>
> 1. generate key pair in the TPM. private key is kept private in the TPM
> and public key can be obtained out of the TPM
>
> 2. use the public key to generate a CSR (X509_REQ_init(), etc)
>
> 3. Get the hash of the CSR (X509_REQ_digest())
>
> 4. Pass the digest to the TPM and get back signature
>
> 5. Add signature to the CSR - I dont see any way to do this. Is there an
> openssl API to perform this step? I dont think I can use X509_REQ_sign()
> since that will use the private key provided or if I have an engine
> interface then it will call the engine to do the signing. Is there a way to
> call sign() and make it call my function that can do the step 4 above?
>
> Thanks!
>
> -kaarthik-
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Unexpected behaviors in TLS handshake

2018-06-20 Thread Devang Kubavat 
Hi Matt, 
Thanks for reply. 

I also used both functions SSL_CTX_set1_sigalgs_list() 
SSL_CTX_set1_client_sigalgs_list() 
but same thing happens. 
I set client side “RSA+SHA512” using SSL_CTX_set1_sigalgs_list() but still it 
is accepting sever certificate which has signature algorithm 
SHA256withRSAencryption. 

Best Regards, 
Devang

Sent from my iPhone

> On 20-Jun-2018, at 2:25 PM, Matt Caswell  wrote:
> 
> 
> 
>> On 20/06/18 09:44, Devang Kubavat wrote:
>> Hi all,
>> 
>> I set the signature algorithm using in client,
>> 
>> /* signature algorithm list */
>> 
>> (void)SSL_CTX_set1_client_sigalgs_list(ctx, “RSA+SHA512”);
>> 
>>  
>> 
>> Expected behavior: client only accepts server certificate which has
>> signature algorithm SHA512withRSAencryption during TLS handshake.
>> 
>>  
>> 
>> But, here even I set “RSA+SHA512” signature algorithm, still client is
>> accepting the server certificate which has signature algorithm
>> SHA256withRSAencryption. Why?
> 
> As I said in reply to your other post:
> 
> "The function "SSL_CTX_set1_client_sigalgs_list()" is for setting
> signature algorithms related to *client authentication*. This is not the
> same as the sig algs sent in the ClientHello. For that you need to use
> SSL_CTX_set1_sigalgs_list()."
> 
> Matt
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Unexpected behaviors in TLS handshake

2018-06-20 Thread Devang Kubavat 
Hi all,

I set the signature algorithm using in client,
/* signature algorithm list */
(void)SSL_CTX_set1_client_sigalgs_list(ctx, "RSA+SHA512");

Expected behavior: client only accepts server certificate which has signature 
algorithm SHA512withRSAencryption during TLS handshake.

But, here even I set "RSA+SHA512" signature algorithm, still client is 
accepting the server certificate which has signature algorithm 
SHA256withRSAencryption. Why?

Best Regards,
Devang

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Regarding to disable some signature algorithm in client hello message

2018-06-19 Thread Devang Kubavat 
Hi,

I want to disable the SHA1 hash algorithm in Extension: signature algorithm 
client hello message.

[cid:image003.jpg@01D407C3.1A227530]

I have used
  /* the signature algorithms list */
  const char signAlgo[] = "RSA+SHA256";
  (void)SSL_CTX_set1_client_sigalgs_list(ctx, signAlgo);

But, still client is setting all algorithms. Is there any other way to set 
signature algorithm to SSL_CTX or SSL ?


Best Regards,
Devang

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] disable session id reuse

2018-05-06 Thread Devang Kubavat 
Hi Darshan, 

In Addition, Make sure that you should disable the session ticket based session 
resumption using SSL_OP_NO_TICKET. 

By default SSL_OP_NO_TICKET is not disabled. 

Thanks
Devang
Sent from my iPhone

> On 03-May-2018, at 2:12 PM, Mody, Darshan (Darshan)  
> wrote:
> 
> Hi,
>  
> While doing a openssl s_time command I find that by default it tries for 
> Session Id Reuse. “Now timing with session id reuse.”
>  
> In case if we don’t want openssl to reuse session id’s how can we configure 
> openssl in the application for the same.
>  
> The application here is acting as a server.
>  
> I have set  SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF
>  
> Thanks
> Darshan
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] SSL Handshake with TPM using TPM Engine

2017-12-04 Thread Devang Kubavat 
Hi All,



*SSL handshake with TPM using TPM Engine: *I am generating the RSA keys in
TPM and private key will never come out from TPM

I want to do SSL handshake with this scenario.
Can you please point out me in SSL handshake which functions are using the
RSA private key? So that, I can register those functions in TPM Engine to
perform RSA private key related operation.

Is there any reference implementation for SSL handshake using TPM via TPM
Engine?

Regards,
Digant
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL Engine for TPM

2017-07-05 Thread Devang Kubavat 
Hi All,

  1.  Is there any built-in OpenSSL Engine to access the TPM ?
  2.  Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we 
configure in OpenSSL libraries to use that engine ?

Please guide me. Thanks.

Best Regards,
Devang
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Resume the session with new session keys

2017-02-12 Thread Devang Kubavat 
Hi,

There are two method to resume the session,
1.) Session ID,
2.) Session Ticket

Out of these two methods, which method is useful to resume session with new 
session keys ?
Is there any way to resume the session with new session keys ?


Can anyone please help me ?
Currently I am using the Ticket based session resumption and I can see that 
same master secret I get during SSL_get1_session even if session is resumed!

Best Regards,
Devang
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] How to disable the DTLS stuff in openssl 1.0.2k

2017-02-06 Thread Devang Kubavat 
Hi,
I am trying to configure the OpenSSL 1.0.2k for windows.
Can anyone help me How to disable the DTLS?

Best Regards,
Devang

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] SSL_CTX_set_timeout does not work properly

2017-02-01 Thread Devang Kubavat 
Hi,

I am using Ticket based Session Resumption in my application. I need to control 
'timeout of the session'. So as per the document I can set the timeout of the 
session using SSL_CTX_set_timeout(SSL_CTX *ctx, long t);

I used SSL_CTX_set_timeout(ctx, 500);
I am able to resume the session up to 500 seconds and after 500 seconds, the 
session fails to resume which is as expected.

But when I set t=0 in SSL_CTX_set_timeout(ctx,0), I am getting different 
behavior.
Session is resumed up to 7200 seconds. Wireshark log shows Ticket Lifetime 
Hint: 7200 seconds.

According to me the session should not resume. Can anyone please help me why it 
is behaving like this.

Best Regards,
Devang
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Different size of openssl libraries

2016-10-26 Thread Devang Kubavat 
Hi,

I am trying to build openssl 1.0.2j. for windows. Everytime I different size of 
libraries.
Is it depends on path ?

Best Regards
Devang

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users