Re: Does CSR need to be signed with matching private key?
The role of the private key in the CSR is for a proof of possession (POP). You can use crypto and non-crypto methods to provide a proof of possession of the private key to a CA. Without a crypto method, I am not sure whether you can provide a POP without disclosing the private key to the CA. If the private key is for decrypting data at rest, then it is not a big deal. However, if the private key is for signing (e.g. authentication), revealing the private key to a CA is, in my opinion, not a good idea; it violates the very purpose of a private key, which is to remain private all the time. With a crypto method, you can provide a CA with a proof of possession without disclosing it to the CA.

Thus, a CSR typically includes a POP and other information. There are two standards on CSR: PKCS10 and CRMF. My understanding of PKCS10 is that PKCS10 only supports proof of possession for a key which is used for a digital signature. CRMF, on the other hand, supports proof of possession for other types of key usage. For example, it supports proof of possession for a key used for key establishment, to encrypt data (data at rest encryption). Thus, if you have two keys, one for data at rest encryption and one for digital signature, you may be able to use a CRMF-based CSR for both the decryption and signing keys. Or you may choose to use a PKCS10-based CSR for your signing key and a CRMF-based CSR for your decryption key.

From: Salz, Rich
Sent: Tuesday, March 05, 2013 9:40 AM
To: openssl-users@openssl.org
Subject: RE: Does CSR need to be signed with matching private key?

>> Hypothetically, what if i have TWO key pairs (PubKey1, PrivKey1, PubKey2, PrivKey2). First thing i do is move PrivKey1 to another place. Is there a way where I can use PubKey1 to make the CSR (without access to PrivKey1), but sign it with PrivKey2 to preserve integrity?

> If you can convince the CA that you possess PrivKey1. How you do that is a matter between you and the CA.
>
> Without being convinced - proof of possession - the CA should not issue any statement/certificate about the corresponding public key.
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
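An added example, not code from the thread, of the PKCS10 proof-of-possession check discussed above, written with the pyca/cryptography library: a CSR is built from PrivKey1, then its CertificationRequestInfo (still carrying PubKey1) is re-signed with PrivKey2, which is exactly Rich's hypothetical, and the CA-side check is run on both. Key pairs and the subject name are constructed for the example.

```python
"""Added example (not from the thread): what the PKCS#10 proof of possession
(POP) checks, using pyca/cryptography. A CSR is
    CertificationRequest ::= SEQUENCE { certificationRequestInfo,
                                        signatureAlgorithm, signature }
and the CA verifies `signature` with the public key *inside*
certificationRequestInfo. Key pairs and names below are constructed."""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11), DER.
SHA256_WITH_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite length only)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body


def make_csr(key: rsa.RSAPrivateKey, common_name: str) -> x509.CertificateSigningRequest:
    """Normal case: the builder embeds key's public half and signs with key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())


def resign_with_other_key(csr: x509.CertificateSigningRequest,
                          other_key: rsa.RSAPrivateKey) -> x509.CertificateSigningRequest:
    """Rich's hypothetical: keep certificationRequestInfo (PubKey1 inside) but
    produce the signature with PrivKey2. Re-assembled by hand because the
    builder never lets the signing key differ from the embedded key."""
    sig = other_key.sign(csr.tbs_certrequest_bytes, padding.PKCS1v15(), hashes.SHA256())
    der = der_tlv(0x30, csr.tbs_certrequest_bytes + SHA256_WITH_RSA + der_tlv(0x03, b"\x00" + sig))
    return x509.load_der_x509_csr(der)


def pop_check(csr: x509.CertificateSigningRequest) -> bool:
    """CA-side POP: verify the signature with the key the CSR asks to certify
    (what `openssl req -verify` does). Same as csr.is_signature_valid, spelled out."""
    try:
        csr.public_key().verify(csr.signature, csr.tbs_certrequest_bytes,
                                padding.PKCS1v15(), csr.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    key1 = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # PrivKey1
    key2 = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # PrivKey2
    good = make_csr(key1, "device-1.example")          # constructed subject
    mixed = resign_with_other_key(good, key2)          # PubKey1 inside, PrivKey2 signed
    same_pub = mixed.public_key().public_numbers() == key1.public_key().public_numbers()
    return {
        "good_csr_pop": pop_check(good),             # True: PrivKey1 is proved
        "mixed_csr_keeps_pubkey1": same_pub,         # True: integrity preserved, but...
        "mixed_csr_pop": pop_check(mixed),           # False: nothing proves PrivKey1
        "library_agrees": mixed.is_signature_valid,  # False: the same check
    }
```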
Re: Elliptic Curve key generation help
Last time I learnt how to generate an ECC key, I used apps/ecparam.c as a reference. To get a feel for what the code is doing, I played with the openssl ecparam utility. Using the utility, I also created a CSR (PKCS10), created a self-signed certificate, etc. I hope this is helpful.

Erwin

On Tue, Aug 14, 2012 at 5:49 PM, Tom Leavy tombu...@gmail.com wrote:
> I have been trying to figure out how to generate an elliptic curve public/private key pair and can't find much information on how you properly do that. So far I have done the following and I'm pretty sure I am missing a step someplace.
>
>     void makeECCKeyPair()
>     {
>         /* as posted: no curve (EC_GROUP) is selected and the return value is unchecked */
>         EC_KEY *testKey = EC_KEY_new();
>         EC_KEY_generate_key(testKey);
>     }
Re: openssl ca vs openssl x509
In general, probably look for a PKI tutorial; there should be concepts associated with CA, x509 (digital certificate).

Erwin

On Fri, Jun 1, 2012 at 9:34 AM, Stephen More stephen.m...@gmail.com wrote:
> Is there a doc somewhere that explains the differences between ca and x509?
>
> I was signing client side certificates with:
>
>     openssl ca -passin pass:$ROOTCAPASS -batch -config openssl.cnf -days 365 \
>         -keyfile private/root-ca-key.pem -cert root-ca-crt.pem \
>         -in person/$1/$1-req.pem -out person/$1/$1-crt.pem
>
> Only to find out that the email address was getting stripped out and prevented the use of 'SSLUserName SSL_CLIENT_S_DN_Email' inside apache.
>
> Now I am using x509 which makes apache happy:
>
>     openssl x509 -req -passin pass:$ROOTCAPASS -days 365 -CAkey private/root-ca-key.pem \
>         -CA root-ca-crt.pem -CAcreateserial -in person/$1/$1-req.pem -out person/$1/$1-crt.pem
>
> (Perhaps it is really a problem with my openssl.cnf but not sure which option to configure)
>
> -Thanks
> Stephen More

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: X509 - extract remote peer certificate chain to a file
You can use PEM_write_bio_X509 or PEM_write_X509 to save an X509 into a FILE. You can use PEM_read to read this PEM file when you need it.

On Sun, May 6, 2012 at 10:36 PM, Josh mojo1...@privatedemail.net wrote:
> I have a very simple query: as a result of SSL/TLS negotiation I know I could retrieve a pointer to the remote peer x509 structure, possibly via SSL_get_peer_certificate. What I would like to do is this:
>
> 1) get that remote certificate stored in a file in a suitable format, so that I could further have a look/manipulate it via openssl (the command line program); and
>
> 2) if possible, retrieve the whole certificate chain (remote peer + CA/issuer) and store it also in a file for further examination/manipulation by openssl.
>
> The reason I am doing this is also very simple: as a result of SSL/TLS negotiation (remote socket connection) I have the option of verifying the remote party. That verification depends on the local party having the whole certificate chain (remote peer + CA/issuer) or, at the very least, the CA/issuer certificate. This, for various reasons which I won't bother you with, is not always possible, so in order for me to make the connection I have to temporarily disable the verification of the remote peer, retrieve the remote peer certificate chain, save this in a file using a suitable file format, examine it, and if I determine that this chain is to be trusted, use it and enforce remote peer verification from now on, having obtained the appropriate certificates.
>
> Is this possible?
Re: Exchange information without SSL
I have the impression you want to protect (providing message integrity, message authentication, and confidentiality) messages between a client and a server. The options are:

1. Protect each individual message with known techniques such as S/MIME, CMS and send it over an unprotected connection.

2. Protect the connection between the client and server using known techniques such as TLS or DTLS, and IPSec. Send the message in clear.

S/MIME, TLS, and DTLS protection is integrated with the application. IPSec protection is not integrated with the application. If you do not like any of those techniques, you can use your own technique. However, it may be option-1, option-2, or a combination of option-1 and option-2.

Level of difficulty to implement:

IPSec: Low. Client and server do not need any new functionality. If your OS kernel has an IPSec stack, you can enable and configure it and you are done.

TLS, DTLS: Medium. Client and server do need modification, making TLS or DTLS API calls. It is relatively simple to implement security using TLS or DTLS; TLS and DTLS API semantics are similar to networking API semantics. It is simpler to implement because a lot of crypto API calls are hidden.

S/MIME (CMS): High. Client and server do need modification. A lot of crypto API calls need to be called to create CMS envelopedData, signedData, creating/verifying digital signatures, encrypting/decrypting using public key and symmetric keys, creating symmetric keys.

If my understanding is correct, Diffie-Hellman is a key agreement protocol; PKI is a public key management mechanism. These two do not provide the protection you are looking for. They enable message protection by providing the crypto keys needed by S/MIME, TLS, DTLS, and IPSec to protect the message.

Erwin

On Wed, May 2, 2012 at 4:46 PM, Alex Chen alex_c...@filemaker.com wrote:
> I want to send encrypted information from a client to the server via non-SSL connections without using a hardcoded encryption key, i.e. a typical scenario. Both client and server have their private key and certificate. (RSA key, PEM format)
>
> I am thinking of two options to exchange the encryption key, which will then be used for symmetric encryption/decryption.
>
> 1. Use Diffie-Hellman
> 2. Use PKI
>
> Which approach is better? If I go with 2., what APIs are used to extract the private key and public key from the PEM file?
>
> Thanks for the help.
> Alex
Re: expired ssl certificate
The validity period of your root CA and server certificates depends on your Certificate Policy (CP). The CP is a document that governs the operation of your PKI. It can be very simple and it can also be very complex. There are a lot of CPs which you can use as a reference.

For a server cert with 1024 bit RSA, 2 to 3 years might be sufficient. Of course you have to renew your server cert when the cert is about to expire (1/2 of the validity period). You can renew the server cert, which means you do not need to change the server private key, or rekey. In a rekey, the server gets a new keypair and a new cert. The option you choose should be described in the CP.

When the server cert is changed, you do not need to update (or touch) the client. The reason is, during the SSL handshake, the server always sends its certificate to the client (unless you are using SSL with pre-shared-key). Hence, server cert renew or rekey is transparent to the client.

Erwin

--
From: Dinh, Thao V CIV NSWCDD, K72 thao.d...@navy.mil
Sent: Thursday, April 12, 2012 7:56 AM
To: openssl-users@openssl.org
Subject: RE: expired ssl certificate

> Thank you very, very much to all for the help. I have a couple more questions:
>
> 1) What is the max time you can have on expiration??
>
> 2) You wrote "Create a long lived self-signed CA certificate (for example: 20 or 30 years)... Have this self-signed CA (trust anchor) created in step-1 issue the server certificate. For this server certificate, validity period does not matter." Should we make this server certificate as long as the CA?? Because making it short (< 5 years), the handshaking will fail due to expired cert??
>
> Thanks again Nou, Erwin...
>
> Thao Dinh
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erwin Himawan
> Sent: Wednesday, April 11, 2012 2:57 PM
> To: openssl-users@openssl.org
> Subject: Re: expired ssl certificate
>
> [...]
Re: expired ssl certificate
Reading Nou's proposal, I have the impression that the client needs to be modified to accept an expired server certificate. Is my understanding correct?

If my understanding is correct, the client needs to be updated. If the client needs to be updated, in my opinion, it is simpler to update the client with a new server certificate. However, you should not use a self-signed certificate for your server certificate. Instead, I am proposing to create a chain of certificates (PKI). You could avoid this problem in the future by creating a simple PKI. Further, you could expand this PKI to issue certificates for other applications.

This is what I am proposing:

1. Create a long lived self-signed CA certificate (for example: 20 or 30 years); this self-signed certificate is called the trust anchor certificate. Make sure basic constraint CA is set to true. Do not make the expiration less than 5 years, since you will have the same issue again in the next 5 years to roll over your trust anchor certificate. Also, keep the private key of this CA as safe as possible. This is your root of trust. If you compromise this root CA private key, your PKI becomes void.

2. Distribute this self-signed certificate to all clients and install it as the trusted certificate.

3. Have this self-signed CA (trust anchor) created in step-1 issue the server certificate. For this server certificate, validity period does not matter. Of course you do not want to make the validity period too short since you have to frequently update the server certificate when it is expired.

Using this proposed method, you can update or change the server certificate as often as you like. The server certificate is typically included in the SSL's ServerHello message, so the client always gets the server certificate during the SSL handshake. I think (?) the server could also include the chain of certificates up to the trust anchor certificate.

When the client receives the server certificate issued by the self-signed CA (the self-signed CA certificate could also be included in the ServerHello), the client can verify this certificate chain up to the self-signed CA certificate. If the chain can be verified, then the server certificate is successfully validated. Hence, the server can be cryptographically authenticated.

Using Nou's proposal, your client would practically accept any self-signed certificate and be prone to man-in-the-middle attack. The client can cryptographically verify the server certificate, but the client can not cryptographically authenticate the server since the client does not have the knowledge of the server's legitimate public key.

Using my proposal, your client can cryptographically authenticate the server, by verifying the digital signature in the server's certificate using the (self-signed) CA certificate. The self-signed CA certificate is then verified against a list of trusted certificates.

My proposal is actually similar to what you are doing currently. The difference between my proposal and yours is: in yours, you verify the server certificate against a list of trusted certificates. In my proposal, you verify the server certificate using the CA certificate which is in a list of trusted certificates.

Erwin

On Wed, Apr 11, 2012 at 11:34 AM, Nou Dadoun ndad...@teradici.com wrote:
> I'm no ssl guru either but I'll make some brief comments and let others jump in if I'm too far off the mark.
>
> 1. If you use the standard verify and the peer presents an expired certificate, the certificate will not be verified and the connection will fail.
>
> 2. The verification callback is called after the regular verification is performed, here's a simple example I posted with my own question yesterday:
>
>     static int verify_callback(int ok, X509_STORE_CTX *stor)
>     {
>         if (!ok) {
>             /* as posted for OpenSSL 1.0.x, where X509_STORE_CTX fields were public;
>              * X509_STORE_CTX_get_error(stor) is the accessor for the same value */
>             printf("verify_callback Certificate Verification Error: %s\n",
>                    X509_verify_cert_error_string(stor->error));
>         } else {
>             printf("verify_callback Certificate Verification Success\n");
>         }
>         return ok;   /* report only: the verification result is passed through unchanged */
>     }
>
> The ok parameter tells you whether the certificate passed so that if it's not ok (didn't pass) you can examine the reason/error and the certificate itself to see whether or not you want to over-rule that result. The return value indicates whether you want to accept it or not - the above example only reports the result (without changing it) and (if it fails) the reason for failure without changing anything. If it's not ok and you look at the cert and it's expired but you don't care, return 1 and it will be accepted. Look at the examples in the pdf for some examples.
>
> As I said earlier, standard warnings apply - you're overruling standard security mechanisms for your own purposes which can be dangerous if you're not careful.
>
> 3. I think I've answered that above
>
> N
>
> ---
> Nou Dadoun
> ndad...@teradici.com
> 604-628-1215
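An added example, not code from either post in this thread, that models the simple PKI Erwin proposes (and the renew-versus-rekey point from his follow-up) with the pyca/cryptography library: a long-lived self-signed trust anchor with basicConstraints CA:TRUE issues a short-lived server certificate, and the client checks the server certificate against the CA certificate in its trust list rather than against the server certificate itself. Names, dates, lifetimes and key sizes are constructed; RSA keys are assumed throughout.

```python
"""Added example (not code from the thread): the simple PKI Erwin proposes,
modelled with pyca/cryptography. Names, dates, lifetimes and key sizes are
constructed. A long-lived self-signed trust anchor (basicConstraints CA:TRUE)
issues a short-lived server certificate; the client trusts the CA
certificate, not the server certificate, so the server certificate can be
renewed (same key, new cert) without touching the client."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, pub, issuer_cert, issuer_key, not_before, years, ca):
    """Build a certificate; issuer_cert=None makes it self-signed."""
    issuer = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer)
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _utc(cert, field):
    """not_valid_before/after as aware UTC, across cryptography versions."""
    val = getattr(cert, field + "_utc", None)
    return val if val is not None else getattr(cert, field).replace(tzinfo=timezone.utc)


def client_accepts(server_cert, trust_list, now):
    """Client side of the proposal: find the issuer in the list of trusted
    certificates, require it to be a CA, verify its signature over the server
    certificate (RSA PKCS#1 v1.5 assumed), and check both validity periods.
    Returns (ok, reason)."""
    ca = next((c for c in trust_list if c.subject == server_cert.issuer), None)
    if ca is None:
        return False, "issuer not in trust list"
    try:
        bc = ca.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False, "trusted certificate lacks basicConstraints"
    if not bc.ca:
        return False, "issuer is not a CA"
    try:
        ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under trusted CA key"
    for label, cert in (("server", server_cert), ("CA", ca)):
        if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
            return False, f"{label} certificate outside its validity period"
    return True, "ok"


def demo() -> dict:
    t0 = datetime(2012, 4, 11, tzinfo=timezone.utc)  # constructed "today"
    day = timedelta(days=1)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Step 1: 20-year self-signed trust anchor, CA:TRUE.
    root = make_cert("Example Root CA", ca_key.public_key(), None, ca_key, t0, 20, ca=True)
    # Step 2: the client's trust list holds only the CA certificate.
    trust_list = [root]
    # Step 3: 2-year server certificate issued by the trust anchor.
    srv = make_cert("server.example", srv_key.public_key(), root, ca_key, t0, 2, ca=False)
    # Renewal a year later: same server key, new certificate, client untouched.
    srv_renewed = make_cert("server.example", srv_key.public_key(), root, ca_key,
                            t0 + 365 * day, 2, ca=False)
    # A self-signed server certificate the client has never seen (Nou's variant).
    self_signed = make_cert("server.example", srv_key.public_key(), None, srv_key, t0, 2, ca=False)
    # A man-in-the-middle CA that copies the root's name but not its key.
    rogue_root = make_cert("Example Root CA", rogue_key.public_key(), None, rogue_key, t0, 20, ca=True)
    impostor = make_cert("server.example", rogue_key.public_key(), rogue_root, rogue_key, t0, 2, ca=False)
    return {
        "fresh": client_accepts(srv, trust_list, t0 + day),
        "after_1000_days": client_accepts(srv, trust_list, t0 + 1000 * day),
        "renewed_after_1000_days": client_accepts(srv_renewed, trust_list, t0 + 1000 * day),
        "self_signed_server": client_accepts(self_signed, trust_list, t0 + day),
        "impostor_ca": client_accepts(impostor, trust_list, t0 + day),
    }
```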
openssl smime CLI using password for encryption
Hi All,

Does the openssl smime CLI support encryption using a password, instead of using a recipient certificate?

Thanks,
Erwin
s_server supporting multiple clients
Hi folks,

Can the s_server support multiple client connections?

Thanks,
Erwin
Can EVP_cleanup() corrupt memory?
Hi All,

I have a function which adds a list of EVP_digests that I want to look up. Later on, I would like to free these digests from this lookup table. Below is a snippet of the function that adds these digests into openssl's lookup table:

    /* Add EVP_MD digests into a lookup table; EVP_add_digest() returns 1 on success */
    if ((EVP_add_digest(EVP_sha1()) <= 0) ||
        (EVP_add_digest(EVP_sha224()) <= 0) ||
        (EVP_add_digest(EVP_sha256()) <= 0) ||
        (EVP_add_digest(EVP_sha384()) <= 0) ||
        (EVP_add_digest(EVP_sha512()) <= 0)) {
        printf("Error adding EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512 into a lookup table\n");
    } else {
        retStatus = 1;
    }

After I finish doing my lookup, I would like to clean the lookup table. For this, I called EVP_cleanup(). My question is, when EVP_cleanup() is called, is EVP_cleanup() smart enough to just clean these digests or will it cause unexpected results?

Thanks,
Erwin
Re: Unable to load certificate
First, check what type of file it is; i.e. file x509. If it is an ascii file, check the PEM header. The PEM header will tell you what kind of information is included. If it is a data file (binary), try to use asn1parse to parse the data. If it is an ASN1 encoded file, it would show the structure of the data.

On Thu, Dec 1, 2011 at 2:23 PM, Hopkins, Nathan nathan.hopk...@fil.com wrote:
> I found the problem with this was it was pkcs7
>
> From: Hopkins, Nathan
> Sent: 30 November 2011 18:52
> To: openssl-users@openssl.org
> Subject: RE: Unable to load certificate
>
> When I try with …-inform der I get …
>
>     32328:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
>     32328:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erwin Himawan
> Sent: 30 November 2011 16:52
> To: openssl-users@openssl.org
> Subject: Re: Unable to load certificate
>
> Try using openssl x509 -noout -text -in server.crt -inform der
>
> On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan nathan.hopk...@fil.com wrote:
>> Hi, please can anyone help - what could be the possible cause for the below - my expectation is the .crt should be in the .pem format but I'm getting the below?
>>
>>     openssl x509 -noout -text -in server.crt
>>     unable to load certificate
>>     31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
>>     31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509_CINF
>>     31237:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=cert_info, Type=X509
>>     31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
LDAP Server Supporting Component Matching
Hi All,

I am aware that this is not the right forum. However, I am just wondering whether anybody knows any LDAP server (commercial or opensource) that supports searching certificates using component matching.

Thanks,
Erwin
Re: Unable to load certificate
Try using openssl x509 -noout -text -in server.crt -inform der

On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan nathan.hopk...@fil.com wrote:
> [...]
Re: certificates stored in ldap
Although this doc is outdated, I find it helpful: http://vandervlies.xs4all.nl/~andre/Docs/pkildap.html

On Mon, Nov 21, 2011 at 7:53 AM, prabhu kalyan rout pkr...@gmail.com wrote:
> Hi,
>
> I am trying to store user certificates to ldap. But I don't know how to do it. Can anybody please tell me the step by step procedure to do this or point me to some link where it says how to do this.
>
> Thanks
Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG
A quick observation. If my understanding is correct, the d2i_X509() function is only for DER-encoded X509. Could you make sure that your 0.9.8 cert is DER-encoded, not PEM-encoded. The cert file you are attaching is a PEM-encoded file.

On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo luo.nan2...@gmail.com wrote:
> Hi,
>
> I used to work with openssl-0.9.7, and all my certificates were generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's certificates, I never had issues in parsing, verification, ...
>
> Recently I upgraded my application with openssl-1.0.0, I found that none of the old openssl-0.9.8 certificates can be decoded properly. My application code calls API d2i_X509() to convert a DER (or PEM) certificate to a X509 structure, following is the error output:
>
>     Oct 24 15:28:22.297 ASN1_item_d2i: entering
>     Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL
>     Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering
>     Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE
>     Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0
>     Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG
>     Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR
>     Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509
>
> The problem certificate is attached. (This specific certificate was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates were having the same issue).
>
> I ran the following commands on this certificate, no command indicated an error on the certificate:
>
>     /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert
>     /usr/local/bin/openssl asn1parse -in ssClient100.cert
>     /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert
>     /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem
>
> I have been struggling with this error for several days. Your help is greatly appreciated.
>
> Thanks
> Nan
Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG
This is a snippet of my code that converts a DER encoded X509 into an OPENSSL X509:

    /* Convert X509 from DER to openssl X509 struct */
    X509 *x509CertificateTemp = NULL;
    const unsigned char *x509CertificateDERNext;

    /* d2i_X509() advances the pointer it is given, so work on a copy */
    x509CertificateDERNext = x509CertificateDER;
    if (d2i_X509(&x509CertificateTemp, &x509CertificateDERNext, x509CertificateDERLen) == NULL) {
        printf("Error converting x509CertificateDER to OPENSSL X509\n");
    } else {
        retX509 = x509CertificateTemp;
    }

On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo luo.nan2...@gmail.com wrote:
> [...]
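An added example, not code from any post in these threads, that mimics the first two checks the DER decoder makes on a file, for the two failures seen in the "Unable to load certificate" thread above and in this d2i_X509() thread: PEM text handed to a DER decoder fails at the outermost tag (Type=X509), while a PKCS#7 blob handed to the certificate decoder passes the outer SEQUENCE and fails on the first element (Type=X509_CINF, Field=cert_info). The DER samples are constructed, structure-only blobs, not real certificates or PKCS#7 files.

```python
"""Added example (not from the threads): a small DER/PEM sniffer that mimics
the first checks the OpenSSL decoder makes, to show where the "wrong tag"
errors in these threads come from. A DER Certificate is
    SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
so tag 0x30 is expected at the top (Type=X509) and again for the first
element (Type=X509_CINF, Field=cert_info). PEM text starts with '-' (0x2d);
a PKCS#7 ContentInfo starts SEQUENCE { contentType OID (tag 0x06), ... }.
The sample blobs are constructed and minimal, not real certificates."""
import base64
import re


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag/length header; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encoder used only to build the constructed samples (short lengths)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def pem_label(data: bytes):
    """Label from a '-----BEGIN <label>-----' line, or None if not PEM."""
    m = re.match(rb"-----BEGIN ([A-Z0-9 ]+)-----", data.lstrip())
    return m.group(1).decode() if m else None


def pem_to_der(data: bytes) -> bytes:
    """Base64-decode the body between the BEGIN and END lines."""
    body = re.search(rb"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END", data, re.S).group(1)
    return base64.b64decode(b"".join(body.split()))


def classify(data: bytes, force_der: bool = False) -> str:
    """Say what the bytes look like and which decoder check would fail.
    force_der=True behaves like `-inform der` on whatever bytes are given."""
    label = None if force_der else pem_label(data)
    if label is not None:
        return f"PEM ({label}): decode with -inform pem / PEM_read_bio_X509, not d2i_X509"
    try:
        tag, start, _ = read_tlv(data)
        inner = read_tlv(data, start)[0] if tag == 0x30 else None
    except (IndexError, ValueError):
        return "not DER: truncated or empty"
    if tag != 0x30:
        return f"wrong tag at Type=X509: outer tag 0x{tag:02x}, expected SEQUENCE 0x30"
    if inner == 0x30:
        return "DER Certificate-shaped: SEQUENCE containing SEQUENCE (cert_info)"
    if inner == 0x06:
        return ("wrong tag at Type=X509_CINF Field=cert_info: first element is an OID, "
                "PKCS#7 ContentInfo-shaped (try openssl pkcs7 -print_certs)")
    return f"wrong tag at Type=X509_CINF Field=cert_info: 0x{inner:02x}"


# Constructed samples (structure only; not valid certificates or PKCS#7 data).
CERT_SHAPED = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x01")           # "tbsCertificate"
                      + der_tlv(0x30, b"\x06\x03\x2a\x03\x04")        # "signatureAlgorithm"
                      + der_tlv(0x03, b"\x00\xff"))                   # "signature"
PKCS7_SHAPED = der_tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # id-signedData OID
                       + der_tlv(0xA0, der_tlv(0x30, b"")))           # [0] EXPLICIT content
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_SHAPED)
            + b"-----END CERTIFICATE-----\n")
# PKCS#7 bytes wrapped in a CERTIFICATE label: the header looks right, the content does not.
PEM_MISLABELLED = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(PKCS7_SHAPED)
                   + b"-----END CERTIFICATE-----\n")
```

Running `classify(PEM_CERT, force_der=True)` reproduces the `-inform der` failure at Type=X509, and `classify(pem_to_der(PEM_MISLABELLED))` the failure at Type=X509_CINF.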
Re: openssl s_client -dtls1 and ECC key
I would like to follow up on the patch that Robin provided to fix the bug associated with the DTLS issue when using an ECC keypair. In summary, I was able to apply the patch to openssl-1.0.0e. I verified that the patch fixed the issue associated with the bad encryption error. I verified the dtls1 connection (s_client and s_server) with and without -Verify at the server. The server, issuing CA, and root CA use the prime256v1 curve. The cert signature is ecdsa-with-sha256.

Thanks to Robin.

Erwin

On Fri, Oct 21, 2011 at 10:30 AM, Robin Seggelmann seggelm...@fh-muenster.de wrote:
> Hi Erwin,
>
> The patch is for the current release 1.0.0e but should work with 1.0.0d as well. However, I recommend using 1.0.0e anyway because several bugs have been fixed in this version, as you might have seen on our website.
>
> Robin
>
> On 21.10.2011, at 17:27, Erwin Himawan wrote:
>> Robin,
>>
>> Thanks for looking into this. Is this patch applicable to openssl-1.0.0d, or is it for another release? I will definitely let you know whether the patch solves the issue.
>>
>> Erwin
>>
>> On Fri, Oct 21, 2011 at 2:44 AM, Robin Seggelmann seggelm...@fh-muenster.de wrote:
>>> Hi Erwin,
>>>
>>> Thanks for the report. I found the bug and submitted a patch (#2628). You can also download it from our website at http://sctp.fh-muenster.de/dtls-patches.html and it would be very helpful if you can confirm that the patch fixes your issue.
>>>
>>> Robin
>>>
>>> On Oct 12, 2011, at 11:33 PM, Erwin Himawan wrote:
>>>> [...]
>>>
>>> Best regards
>>> Robin
openssl s_client -dtls1 and ECC key
Hi,

Does anybody know whether openssl s_client and s_server support the use of the -dtls1 option while the server uses an ECC key? The issuing CA and root CA use ECC keypairs. These are my openssl s_server and s_client options:

    openssl s_server -accept 12000 -cert server.pem -certform pem -key server_key.pem -keyform pem -CApath . -CAfile CAECCRoot.pem -dtls1 -cipher ALL -debug -msg -state
    openssl s_client -connect:10.8.122.106:12000 -CApath . -CAfile CAECCRoot.pem -dtls1 -cipher ALL -debug -msg -state

When I attempted to do this, the s_client gives an error:

    SSL3 alert write:fatal:decrypt error
    SSL_connect:error in SSLv3 read server key exchange B
    5551756:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1610

Further down, I notice that the Verify return code is 0 (ok). I also used openssl verify to verify the server certificate using the issuing CA and root CA. The result agrees with the result shown by the s_client debug message.

On the second note, I also tried the s_server with an RSA keypair, issued by the same issuing CA; the server certificate has an RSA public key with signature algorithm ecdsa-with-SHA256. In this scenario, the s_client was able to establish a tls connection with the s_server.

Does this mean that the openssl s_client and s_server do not support ECC keypairs? Any pointer or idea how to further troubleshoot this?

Thanks,
Erwin
Re: openssl s_client -dtls1 and ECC key
I forgot to mention, I am using openssl 1.0.0d. The server ecc key spec is prime256v1.

On Wed, Oct 12, 2011 at 4:33 PM, Erwin Himawan ehima...@gmail.com wrote:
> [...]
Reading Private and Public Key Pair DER files into EVP_PKEY
Hi All,

I would like to confirm whether my approach is correct in initializing an EVP_PKEY from a public key DER file and a private key DER file. This is the scenario: I have two files, a private key file and a public key file. These files are in DER. I would like to initialize the EVP_PKEY with these two keys for later usage. I include a portion of my code that reads and initializes the EVP_PKEY. Currently, I do not read the DER encoded public key into EVP_PKEY if I already read the DER encoded private key (see my code snippet). It seems that the EVP_PKEY public key portion is automatically populated when the private key is known. Is my understanding correct?

Code snippet:

    #include <stdio.h>
    #include <openssl/bio.h>
    #include <openssl/x509.h>   /* d2i_PrivateKey_bio, d2i_PUBKEY_bio */

    EVP_PKEY *retEVP_PKEY = NULL;   /* starts out NULL so the d2i_*_bio calls allocate it */

    if ((privKeyDER != NULL) && (privKeyDERLen > 0)) // Check whether DER encoded private key is not NULL or length is not 0
    {
        /* DER encoded private key is found */
        BIO *tempBio = BIO_new_mem_buf(privKeyDER, privKeyDERLen);
        if (tempBio == NULL)
        {
            printf("Error instantiating temp memory BIO for DER encoded private key\n");
        }
        else
        {
            /*
             * When private key is known, EVP_PKEY contains both
             * Private and Public key.
             */
            retEVP_PKEY = d2i_PrivateKey_bio(tempBio, &retEVP_PKEY);
            if (retEVP_PKEY == NULL)
                printf("Error converting DER encoded private and deriving public key into EVP_PKEY\n");
        }
        if (tempBio != NULL)
            BIO_free_all(tempBio);
    }
    else
    {
        printf("Null pointer: privKeyDER || privKeyDERLen\n");
        printf("only contains public key\n");
    }

    /* Check if EVP_PKEY has private key */
    if (retEVP_PKEY == NULL)
    {
        /* EVP_PKEY does not have private key */
        /* Check if DER encoded public key is there */
        /*
         * The DER public key is encoded as a SubjectPublicKeyInfo, so
         * d2i_PublicKey can not be used. d2i_PublicKey only handles RSA public keys encoded
         * in the PKCS#1 format. Therefore, use function d2i_PUBKEY_bio to read the DER key
         */
        if ((pubKeyDER != NULL) && (pubKeyDERLen > 0))
        {
            /* DER encoded public key is found */
            BIO *tempBio = BIO_new_mem_buf(pubKeyDER, pubKeyDERLen);
            if (tempBio == NULL)
            {
                printf("Error instantiating temp memory BIO for DER encoded public key\n");
            }
            else
            {
                retEVP_PKEY = d2i_PUBKEY_bio(tempBio, &retEVP_PKEY);
                if (retEVP_PKEY == NULL)
                    printf("Error converting DER encoded public key into EVP_PKEY\n");
            }
            if (tempBio != NULL)
                BIO_free_all(tempBio);
        }
        else
        {
            printf("Null pointer: pubKeyDER || pubKeyDERLen\n");
        }
    }

    /* Check whether EVP_PKEY has either (private and public key) or (public key) */
    if (retEVP_PKEY == NULL)
    {
        printf("Error converting myKeypair->pubKeyDER into EVP_PKEY\n");
    }

Thanks,
Erwin
Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
Thanks for the explanation and pointer to the relevant ASN1 function.

Erwin

--
From: Jakob Bohm jb-open...@wisemo.com
Sent: Friday, September 09, 2011 4:22 AM
To: openssl-users@openssl.org
Subject: Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()

On 9/9/2011 5:21 AM, Erwin Himawan wrote:
Hi All, I have several questions associated with freeing resources of the X509 struct. Snippet of my code:

    X509 *x509Cert = X509_new();
    if (x509Cert == NULL)
        printf("Error instantiating X509 object\n");
    /* do some processing with my x509Cert object */
    /* Cleaning up resources of x509Cert */
    if (x509Cert != NULL)
        X509_free(x509Cert);

My questions are:

1. How to check that x509Cert resources have been freed? I notice that X509_free(x509Cert) does not set x509Cert to NULL, therefore I can not rely on if(x509Cert != NULL) to verify that x509Cert resources have been freed. Is this a bug, or is there another method for verifying whether x509Cert resources have been freed?

As OpenSSL is a C (not C++ or Pascal) API, unless a function takes an explicit pointer to your x509Cert variable it is not supposed to have the ability to change it. This is one of the nice semantic guarantees of the C language.

As X509_free() returns void, you should simply assume that the call *will* free what it is told to free, to the maximum extent reasonably possible, which is actually the sanest and most programmer friendly way to specify a cleanup function (for the same reason, C++ destructors have no return value either and are barred from using exceptions during stack unwind).

It is good practice to wrap it in a block such as the following:

    {
        X509 *ptmp = x509Cert;
        x509Cert = NULL;   // Do this first to reduce risk of race conditions
                           // in your own multithreading
        X509_free(ptmp);
    }

Or in C++ you could declare a macro-assisted smart pointer type similar to the following: (NOT TESTED!)

(For C++ purists: the macros are used to do the name pasting needed to refer to individual per-type global function names and to generate obvious class names such as X509Ptr, all the real work is done by the C++ template).

    #define ASNPTR_TYP(typ) ASNPtr<typ, typ##_new, typ##_free>
    #define DECLARE_ASNPTR(typ) typedef ASNPTR_TYP(typ) typ##Ptr;

    class ASNPtrBase {
    protected:
        void *p;
    public:
        typedef ASNPtrBase Self;
        typedef Self *PSelf;
        typedef void *PTYP;
    protected:
        PTYP Take(void) { PTYP p1 = p; p = 0; return p1; }
        ASNPtrBase() : p(0) {}
        ASNPtrBase(PTYP p1) : p(p1) {}
        ASNPtrBase(Self &p1) : p(p1.Take()) {}
        ~ASNPtrBase() {}
    public:
        operator bool() const { return !!p; }
        operator PTYP() const { return p; }
    private:
        Self &operator=(PTYP p1);  // Not available, do not generate default impl.
        Self &operator=(Self &p1); // Not available, do not generate default impl.
    };

    template <class ASNT, ASNT *(*ASNT_new)(void), void (*ASNT_free)(ASNT *p)>
    class ASNPtr : public ASNPtrBase {
    public:
        typedef ASNPtr Self;
        typedef Self *PSelf;
        typedef ASNT *PTYP;
        PTYP Take(void) { return (PTYP)ASNPtrBase::Take(); }
        void Free(void) {
            // Must be in template because of type-specific free call
            PTYP p1 = Take();
            if (p1) ASNT_free(p1);
        }
        ASNPtr &Alloc(void) {
            // Must be in template to avoid adding a vptr to the size of ASNPtrBase objects
            Free();
            p = ASNT_new();
            return *this;
        }
        ASNPtr &Set(PTYP p1) {
            // Must be in template to avoid adding a vptr to the size of ASNPtrBase objects
            Free();
            p = p1;
            return *this;
        }
        ASNPtr &Set(ASNPtr &p1) { return Set(p1.Take()); }
        ASNPtr() {}
        ASNPtr(PTYP p1) : ASNPtrBase(p1) {}
        ASNPtr(ASNPtr &p1) : ASNPtrBase(p1) {}
        ~ASNPtr() { Free(); }
        Self &operator=(PTYP p1) { return Set(p1); }
        Self &operator=(Self &p1) { return Set(p1); }
        operator PTYP() const { return (PTYP)p; }
    private:
        Self &operator=(const Self &p1);
        // Not available, do not generate default impl.
        // Do not generate a call to operator=(p1.operator PTYP())
        // for const source objects as that would ruin the
        // rule that only one ASNPtr can own the object at
        // any given time.
    };

    DECLARE_ASNPTR(X509)
    DECLARE_ASNPTR(X509_NAME)
    DECLARE_ASNPTR(X509_CRL)
    // etc.

2. Does X509_free() also free all the internal objects that are part of the X509 struct; e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc.?

Thanks, Erwin

Please look at the source code of the function ASN1_item_free, which does the real work.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
Hi All,

I have several questions associated with freeing resources of the X509 struct. Snippet of my code:

    X509 *x509Cert = X509_new();
    if (x509Cert == NULL)
        printf("Error instantiating X509 object\n");
    /* do some processing with my x509Cert object */
    /* Cleaning up resources of x509Cert */
    if (x509Cert != NULL)
        X509_free(x509Cert);

My questions are:

1. How to check that x509Cert resources have been freed? I notice that X509_free(x509Cert) does not set x509Cert to NULL, therefore I can not rely on if(x509Cert != NULL) to verify that x509Cert resources have been freed. Is this a bug, or is there another method for verifying whether x509Cert resources have been freed?

2. Does X509_free() also free all the internal objects that are part of the X509 struct; e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc.?

Thanks,
Erwin
Re: howto be my own CA for my new certificates
When you are creating a CA and issuing certificates you are building a PKI (Public Key Infrastructure). In operating a PKI, you might want to consider crafting a certification policy, specifying the process for managing the lifecycle of your certificates, securing the CA's private key, securing the server private key, etc. You can create a policy that meets your current security objectives. Your policy would be a living document to accommodate your evolving security objectives. Also, the more certificate management features you need, the more you might want to look into a PKI tool. Certificate management tools worth looking at are OpenCA (http://www.openca.org/projects/openca/downloads.shtml), Dogtag Certificate System (http://fedoraproject.org/wiki/Features/DogtagCertificateSystem), and EJBCA (http://ejbca.sourceforge.net/).

Erwin

On Thu, Aug 4, 2011 at 4:27 AM, Tomas Macek ma...@fortech.cz wrote:
On Thu, 4 Aug 2011, Bernhard Fröhlich wrote:
On 04.08.2011 08:23, Tomas Macek wrote:
We have some web servers and I want to create self signed certificates for them. What do I want:
- I want to create my own certification authority keys and certificate, that will be imported to all web browsers of our employees
- I want to create certificates, that will be signed by my own certification authority (previous step) and include them to the apache/httpd configuration.
I don't want our employees to be warned that the certificate is not trusted (I cannot buy a REAL trusted certificate)

Reading the FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29, reading CA.pl from openssl-perl and discussions on inet for 2 days gave me these steps, that I already performed:

1) creating my own CA:
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key.unsecure ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2) creating my own server key and certification request:
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key.unsecure server.key
openssl req -new -key server.key -out server.csr

3) signing the request by my own CA (see step 1):
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl > server.crt

4) I have imported the ca.crt into the web browser

5) the server.key and server.crt were included to the apache/httpd configuration

After these steps the web page looks secured and no warning appears when I enter the page.

Question:
---
Do you see any bad thing about these steps or can you please recommend me any further step in order to make things properly?

The process looks good to me, though I'm not totally sure about step #3. I use the openssl ca ... command to sign my certificates, it needs a config file but also keeps an index file and archive structure of issued certificates which is (IMHO) worth the work.

I have seen some users on inet using this, but configuration of openssl.cnf is absolutely confusing for me, there are too many options and these steps seemed to me simpler, so I have tried these steps and hoped they will be OK.

But, are you sure that you want to keep your CA key unprotected? I'd advise strongly against this. Issuing server certificates should be seldom enough to do it manually by entering a password...

One hint: You probably won't be happy with a CA certificate expiring in one year, since all your created certificates will be considered invalid once the CA certificate becomes invalid. So I'm quite sure you'll want to use at least 5 years as the expiry time for your CA, or even more if distributing the CA certificate is some work.

Thank you Ted, sure, I will prolong the 1 year to something more... 20 years for example :-)

Tomas
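The three steps from the thread above, rewritten as an added example (not part of the thread or of any project) with the two changes Bernhard recommends: the CA key stays encrypted on disk and the CA certificate gets a long validity, with an openssl verify check of the result and a check that the key really is protected. Directory layout, subject names and the passphrase argument are this example's own; the passphrase is passed as a parameter only so the script can run unattended, which exposes it in the process list, so at a real shell you would let openssl prompt for it instead.

```shell
#!/bin/sh
# Added example: build a small internal CA and issue one server certificate
# with the openssl CLI, following the three steps in the thread but with the
# CA key kept encrypted and a 10-year CA certificate. File names, subjects
# and the passphrase handling are this example's own, not the thread's.

# make_internal_ca DIR CA_PASSPHRASE
make_internal_ca() {
    dir=$1
    pass=$2
    mkdir -p "$dir" || return 1

    # 1) CA key and self-signed CA certificate. -aes256 keeps the key
    #    encrypted on disk; the passphrase is only needed at signing time.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null || return 1
    # A CA that expires after one year invalidates every certificate it
    # issued; 3650 days is a more practical lifetime for an internal root.
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "/O=Example Corp/CN=Example Internal CA" -out "$dir/ca.crt" || return 1

    # 2) Server key and CSR. The server key is left unencrypted because
    #    httpd has to read it at start-up without an operator present.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" \
        -subj "/O=Example Corp/CN=www.example.internal" -out "$dir/server.csr" || return 1

    # 3) Sign the CSR with the CA. -CAcreateserial creates ca.srl next to
    #    ca.crt on first use; later runs increment it.
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$pass" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# ca_key_is_encrypted KEYFILE: succeeds if the PEM key is passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header).
ca_key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# chain_verifies DIR: succeeds when server.crt validates against ca.crt,
# the same check a browser makes once ca.crt has been imported.
chain_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Usage: make_internal_ca ./pki 'passphrase' && chain_verifies ./pki
```

Once the chain verifies, ca.crt is what gets imported into the browsers and server.key plus server.crt go into the httpd configuration, exactly as in steps 4 and 5 of the thread.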
Re: X509 verify
The way I would verify this is by writing the original X509 object into a PEM file and dumping the X509 object resulting from d2i_X509() into another PEM file, then comparing both files using openssl, either with the asn1parse or the x509 command.

On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote:
Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas?

Best Regards
Andrea Saracino
Re: X509 verify
I would not use X509_print_fp(), since it does not give you the PEM or DER file. Use instead PEM_write_bio or write_bio() for PEM and DER respectively. Also check for errors in the status of these two bio write functions.

Hopefully it helps

From: Andrea Saracino
Sent: Wednesday, July 27, 2011 6:05 PM
To: openssl-users@openssl.org
Subject: Re: X509 verify

Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions. I'm posting an extract of the code:

    //
    struct T_G_4 {
        unsigned char nonce[NONCE_SIZE];
        int cert_size;
        unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
    }
    /*...*/
    T_G_4 * TG4=new T_G_4;
    /*...*/
    peer_certificate=/* initialization function */ //this is a private member of a class and the two functions are members of the same class
    EVP_PKEY * pubkey=EVP_PKEY_new();
    EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
    X509_verify(peer_certificate,pubkey); //this verification returns 1
    unsigned char * serialized_certificate=NULL; //following the example of the openssl d2i_X509 page, NULL pointer avoids the management of the increasing pointer
    TG4->cert_size=i2d(peer_certificate,&serialized_certificate); //serialization
    memcpy(TG4->certificate,serialized_certificate,TG4->cert_size);
    //initialize the remaining fields and return TG4
    //passing the structure to another function

    //other function:
    /*...*/
    unsigned char * serialized_certificate=new unsigned char [TG4->cert_size];
    memcpy(serialized_certificate,TG4->certificate,TG4->cert_size);
    peer_certificate = d2i_X509(NULL,(const unsigned char **)&serialized_certificate,TG4->cert_size); //deserialization
    X509_verify(peer_certificate,pubkey); //now it returns 0... :(
    /*...*/

Is there something wrong in this code? Thanks in advance.

Best Regards
Andrea Saracino

2011/7/27 Erwin Himawan ehima...@gmail.com
The way I would verify this is by writing the original X509 object into a PEM file and dumping the X509 object resulting from d2i_X509() into another PEM file, then comparing both files using openssl, either with the asn1parse or the x509 command.

On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino saracino.and...@gmail.com wrote:
Hello everyone, I've found some issues using the function X509_verify() on a simple X509 certificate. After the creation, if I call: X509_verify(certificate,ca_key); the function returns 1, but if I call the i2d_X509() function on the certificate and then the d2i_X509() on the obtained byte string, the X509_verify() on the resultant certificate returns 0. I printed the certificate, in a readable format, before and after the i2d() and d2i() execution and the result is exactly the same. The various fields (issuer, subject...) have the correct values. Any ideas?

Best Regards
Andrea Saracino
Re: X509 verify
By the way, sorry for the font size, it does not mean anything, it just got mixed up during cut and paste. The function to dump an X509 into a certificate is PEM_write_bio_X509() and the function to dump an X509 DER file is BIO_write(). Here is the doc on BIO_write: http://www.manpagez.com/man/3/BIO_write/osx-10.3.php

erwin

On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan ehima...@gmail.com wrote:
I would not use X509_print_fp(), since it does not give you the PEM or DER file. Use instead PEM_write_bio or write_bio() for PEM and DER respectively. Also check for errors in the status of these two bio write functions.

Hopefully it helps

From: Andrea Saracino saracino.and...@gmail.com
Sent: Wednesday, July 27, 2011 6:05 PM
To: openssl-users@openssl.org
Subject: Re: X509 verify

Hi Erwin, thanks for your fast answer. I dumped both the certificates in 2 PEM files, then I used X509_print_fp() to obtain the readable version of both of them. The two resulting files are identical. Perhaps there is something wrong in the invocation of the i2d/d2i functions.
Re: Handshake question
You mention that: Server loads its server certificate and private key (self-signed by a CA that I created). I would like to clarify: is the server cert a self-signed cert, or is the CA cert a self-signed cert?

If the server cert is a self-signed cert, the server is actually the CA, in which case the client needs the server's self-signed cert. If the server cert is not a self-signed cert, make sure that the CA self-signed cert can verify the server cert. You can use the openssl verify CLI to do this. If you can, then give the CA cert to the client.

If I remember correctly, when you set the verify peer to none, the server does not do cert-based auth on the client. However, the TLS spec specifies that the client must do cert-based auth on the server, so the server must send the client its cert.

Hopefully my reply makes sense.

On Wed, Jul 27, 2011 at 3:52 PM, castre...@gmail.com wrote:
I need some help. I am basically stuck and don't know how to fix the handshake and must be missing something. Perhaps it is something with the certificates. I have a server certificate/private key and a CA certificate. Server loads its server certificate and private key (self-signed by a CA that I created). The client loads the CA certificate. Using memory buffers and blocking IO.

I begin the handshake by the client initiating the hello message. The server reads the message, and data is put in its ssl output. This is sent back to the client. The client reads the data (SSL_read) and data is populated in the ssl output. This is sent back to the server (it is waiting for more input from the server). The server reads the data (SSL_read) and nothing is generated in the output; it is waiting for more information from the client. Basically I am at a stalemate now. What information am I missing? When I go and look at what state the client is in it says it is UNKWN..what does this imply? Do I need a client certificate even though I have programmed the server to be a VERIFY_PEER_NONE?

Does anybody have any references/books I can go get to help me with this issue...I am completely lost and confused.

Note: I am currently working on windows.
Openssl API: Extracting Public Key Algorithm
Hi All,

I would like to get each of the fields and values of the public key info from the certificate using the API:
- public key algo: id-ecPublicKey
- Size of the pub key (256 bit).
- pub: 02:1d:7d:69:c5:7e:ef:15:f0:76:6a:60:5a:9e:1e:68:1f:33:6c:ca:10:62:5a:21:6e:ab:4f:d9:82:b7:d7:51:f4

This is what I did so far:
1. I have an X509 *x509_certificate.
2. To obtain the pubkey algorithm: X509_ALGOR *x509_algor = x509_certificate->cert_info->key->algor

From here, I am not really sure how to get the elements of the public key algorithm. Below is the cert sample I am using.

Thanks,
Erwin

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=Fairfax, O=Zork.org, OU=Another OU, OU=Server Division, CN=Server 36, Engineering
        Validity
            Not Before: Jul 13 14:34:35 2011 GMT
            Not After : Jul 12 14:34:35 2012 GMT
        Subject: C=US, ST=California, L=Fairfax, O=Zork.org, OU=Another OU, OU=Server Division, CN=Server 36, Engineering
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    02:1d:7d:69:c5:7e:ef:15:f0:76:6a:60:5a:9e:1e:
                    68:1f:33:6c:ca:10:62:5a:21:6e:ab:4f:d9:82:b7:
                    d7:51:f4
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:times.zork.org
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:f4:91:b8:d2:94:c8:a1:9c:9d:96:78:c5:c9:
         e1:f9:7d:ca:9e:43:3c:0d:93:d9:fd:6a:68:a8:c9:0d:00:25:
         4e:02:21:00:86:4f:5b:92:4b:4d:24:80:b8:de:40:16:d9:c4:
         9d:db:80:96:05:3a:41:ac:4c:70:4b:67:e5:78:a5:9c:09:27
-----BEGIN CERTIFICATE-----
MIICKjCCAc+gAwIBAAIBADAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZhaXJmYXgxETAPBgNVBAoTCFpv
cmsub3JnMRMwEQYDVQQLEwpBbm90aGVyIE9VMRgwFgYDVQQLEw9TZXJ2ZXIgRGl2
aXNpb24xHzAdBgNVBAMTFlNlcnZlciAzNiwgRW5naW5lZXJpbmcwHhcNMTEwNzEz
MTQzNDM1WhcNMTIwNzEyMTQzNDM1WjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZhaXJmYXgxETAPBgNVBAoTCFpvcmsub3Jn
MRMwEQYDVQQLEwpBbm90aGVyIE9VMRgwFgYDVQQLEw9TZXJ2ZXIgRGl2aXNpb24x
HzAdBgNVBAMTFlNlcnZlciAzNiwgRW5naW5lZXJpbmcwOTATBgcqhkjOPQIBBggq
hkjOPQMBBwMiAAIdfWnFfu8V8HZqYFqeHmgfM2zKEGJaIW6rT9mCt9dR9KMqMCgw
GQYDVR0RBBIwEIIOdGltZXMuem9yay5vcmcwCwYDVR0PBAQDAgWgMAoGCCqGSM49
BAMCA0kAMEYCIQD0kbjSlMihnJ2WeMXJ4fl9yp5DPA2T2f1qaKjJDQAlTgIhAIZP
W5JLTSSAuN5AFtnEnduAlgU6QaxMcEtn5XilnAkn
-----END CERTIFICATE-----
Re: Converting ECC public key point-compressed and uncompressed
I am able to convert the ECC key from compressed to uncompressed (and vice versa) using the EC_KEY_set_conv_form call.

On Sun, Jul 17, 2011 at 10:30 AM, Erwin Himawan ehima...@gmail.com wrote:
Martin, thanks for your response.

Erwin

--
From: Martin Boßlet martin.boss...@googlemail.com
Sent: Sunday, July 17, 2011 7:21 AM
To: openssl-users@openssl.org
Subject: Re: Converting ECC public key point-compressed and uncompressed

My understanding is that to convert the form of an ECC key from compressed to uncompressed and from uncompressed to compressed requires knowledge of the ECC private key. Is my understanding correct?

You might want to have a look at sections 2.3.3 and 2.3.4 in http://www.secg.org/download/aid-780/sec1-v2.pdf
No knowledge of the private key is needed.

Regards,
Martin
Re: Converting ECC public key point-compressed and uncompressed
I did dig around more in the ecparam and ec options. Having limited knowledge of cryptography and specifically the ECC key algorithm, and experimenting with the CLI, I would like to clarify my understanding of converting the form of an ECC key from compressed to uncompressed and vice versa. My understanding is that to convert the form of an ECC key from compressed to uncompressed and from uncompressed to compressed requires knowledge of the ECC private key. Is my understanding correct?

Thanks in advance
Erwin

On Fri, Jul 15, 2011 at 9:06 PM, Erwin Himawan ehima...@gmail.com wrote:
Hi All, I would like to know whether the openssl API has a function call for generating the ECC point-compression given only the uncompressed ECC public key. Likewise, given the point-compressed ECC key, I would also like to recover the uncompressed ECC key. Thanks for the help

Regards,
Erwin
Re: Converting ECC public key point-compressed and uncompressed
Martin, thanks for your response.

Erwin

--
From: Martin Boßlet martin.boss...@googlemail.com
Sent: Sunday, July 17, 2011 7:21 AM
To: openssl-users@openssl.org
Subject: Re: Converting ECC public key point-compressed and uncompressed

My understanding is that to convert the form of an ECC key from compressed to uncompressed and from uncompressed to compressed requires knowledge of the ECC private key. Is my understanding correct?

You might want to have a look at sections 2.3.3 and 2.3.4 in http://www.secg.org/download/aid-780/sec1-v2.pdf
No knowledge of the private key is needed.

Regards,
Martin
Converting ECC public key point-compressed and uncompressed
Hi All, I would like to know whether openssl API has function call for generating ECC point-compression given that only the uncompressed ECC public key. Likewise, given the point-compressed ECC Key, I would also like to recover the uncompressed ECC key. Thanks for the help Regards, Erwin
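The conversion discussed in this thread, done from the command line with the openssl ec option that corresponds to the EC_KEY_set_conv_form call Erwin ends up using, as an added example that is not part of the thread. It generates a throwaway prime256v1 key, converts only the public key between the two encodings, checks that the round trip reproduces the original bytes, and reports which form a key file is in from the first octet of its point (04 is uncompressed, 02 or 03 is compressed, which is also why the 33-byte pub: value beginning with 02 in the certificate posted earlier on this page is a compressed point). File names are this example's own.

```shell
#!/bin/sh
# Added example: convert an EC public key between uncompressed and
# compressed point encodings with the openssl CLI (-conv_form is the
# command-line counterpart of EC_KEY_set_conv_form), confirm that the
# round trip reproduces the original bytes, and classify a key file by
# the first octet of its point. Only the public key is ever read for the
# conversion, so no private key is needed. File names are this example's own.

# ec_conv_roundtrip DIR: writes pub_orig.der, pub_c.der (compressed) and
# pub_u.der (converted back); succeeds if pub_u.der equals pub_orig.der.
ec_conv_roundtrip() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Throwaway key; removed as soon as the public key has been extracted.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/priv.pem" || return 1
    openssl ec -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null || return 1
    rm -f "$dir/priv.pem"
    # Baseline SubjectPublicKeyInfo in DER; openssl emits uncompressed by default.
    openssl ec -pubin -in "$dir/pub.pem" -pubout -outform DER \
        -out "$dir/pub_orig.der" 2>/dev/null || return 1
    # Uncompressed -> compressed: keeps X and one parity bit of Y (SEC 1, 2.3.3).
    openssl ec -pubin -in "$dir/pub.pem" -conv_form compressed -pubout \
        -outform DER -out "$dir/pub_c.der" 2>/dev/null || return 1
    # Compressed -> uncompressed: Y is recomputed from the curve equation (SEC 1, 2.3.4).
    openssl ec -pubin -inform DER -in "$dir/pub_c.der" -conv_form uncompressed \
        -pubout -outform DER -out "$dir/pub_u.der" 2>/dev/null || return 1
    cmp -s "$dir/pub_orig.der" "$dir/pub_u.der"
}

# der_size FILE: size in bytes (91 for an uncompressed P-256 SPKI, 59 compressed)
der_size() {
    wc -c < "$1" | tr -d ' '
}

# ec_point_form FILE FORMAT: prints "uncompressed" or "compressed" based on
# the first octet of the point shown by `openssl ec -text`.
ec_point_form() {
    first=$(openssl ec -pubin -inform "$2" -in "$1" -text -noout 2>/dev/null |
        awk '/^pub:/ { getline; print $1; exit }' | cut -c1-2)
    case $first in
        04) echo uncompressed ;;
        02|03) echo compressed ;;
        *) echo unknown; return 1 ;;
    esac
}

# Usage: ec_conv_roundtrip ./eckeys && ec_point_form ./eckeys/pub_c.der DER
```

The 32-byte size difference between the two DER files is exactly the dropped Y coordinate; the compressed form is a different encoding of the same public key, not a different key, which is why no private key is involved.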
Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?
Hi Victor,

If I understand these printouts correctly, my compilation environment is mixed. However, can you confirm?

When the code crashes, here are the printouts:
OPENSSL_VERSION_NUMBER: 9470255
SSLeay(): 268435535

When the code does not crash, here are the printouts:
OPENSSL_VERSION_NUMBER: 9470255
SSLeay(): 9470255

Are OPENSSL_VERSION_NUMBER and SSLeay() supposed to be the same?

Thanks,
Erwin

On Mon, Jun 6, 2011 at 7:52 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
On Mon, Jun 06, 2011 at 06:22:53PM -0500, Erwin Himawan wrote:
I am using Netbeans 7.0 for my IDE. I am using cygwin: CYGWIN_NT-5.1 1.7.9(0.237/5/3) 2011-03-29 10:10 i686. My host platform is Windows XP 32 bit. I am building the openssl ver 1.0.0d using the cygwin. The path to the OpenSSL headers included during compilation: C:/cygwin//usr/local/ssl/include/openssl

Can you demonstrate that the headers used are the 1.0.0d version? For example, print the values of the compile-time OpenSSL version macro (OPENSSL_VERSION_NUMBER).

The path to the libraries used when the application was linked (linker configuration): c:/cygwin/usr/local/ssl/lib. I am using libcrypto.a and libssl.a. The path to the run-time: I am running the executable within the IDE, so I believe the IDE uses the same lib defined in the linker configuration.

Can you demonstrate that the libraries are the 1.0.0d version? For example, print the value of the run-time OpenSSL version (SSLeay()). Can you post the stack trace from the crash and identify the data structures involved, ... Most likely your compilation environment is mixed.

--
Viktor.
Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?
Viktor,

Thanks for your help. Once I fixed my compilation environment, everything works ok. Thanks again.

Regards,
Erwin

On Tue, Jun 7, 2011 at 10:22 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote:
On Tue, Jun 07, 2011 at 10:05:19AM -0500, Erwin Himawan wrote:
Hi Victor, If I understand these printouts correctly, my compilation environment is mixed. However, can you confirm? When the code crashes, here are the printouts:
OPENSSL_VERSION_NUMBER: 9470255

Converted to hexadecimal, this is: 0090812F, which is 0.9.8l

SSLeay(): 268435535

Converted to hexadecimal, this is: 104F, which is 1.0.0d

When the code does not crash, here are the printouts:
OPENSSL_VERSION_NUMBER: 9470255
SSLeay(): 9470255

Here, both the headers and libraries are 0.9.8l

Are OPENSSL_VERSION_NUMBER and SSLeay() supposed to be the same?

Certainly on the platform where the code is built, later the run-time can be at a higher patch level. You are linking with OpenSSL 1.0.0, but using headers from OpenSSL 0.9.8. This won't work.

--
Viktor.
Bug in EVP_DigestFinal_ex() in version 1.0.0d?
Hi All,

I am trying out the example in this http://www.openssl.org/docs/crypto/EVP_DigestInit.html. When I build this example using ver 1.0.0d, the example crashes at EVP_DigestFinal_ex. When I build this example using the previous version, the example works as expected. Any thoughts or comments on whether the issue associated with EVP_DigestFinal_ex is specific to this example or has broader impact?

Thanks,
Erwin
Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?
Thanks for the response. It is my bad not to include the necessary detail. I guess, your answer indicating that this example compiles and runs fine is sufficient. Furthermore, I your other questions are also valuable for me to make sure my IDE is setup properly. In the mean time, here is my environment. I am using Netbean 7.0 for my IDE. I am using cygwin: CYGWIN_NT-5.1 1.7.9(0.237/5/3) 2011-03-29 10:10 i686 My host platform is WindowXP 32 bit. I am building the openssl ver 1.0.0d using the cygwin. The path to the OpenSSL headers included during compilation: C:/cygwin//usr/local/ssl/include/openssl The path to the libraries using when the application was linked (linker configuration): c:/cygwin/usr/local/ssl/lib I am using libcrypto.a and libssl.a The path to the run-time: I am running the executable within the IDE, so I believe the IDE uses the same lib defined in the linker configuration). On Mon, Jun 6, 2011 at 4:10 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Mon, Jun 06, 2011 at 03:18:12PM -0500, Erwin Himawan wrote: I am trying out the example in this http://www.openssl.org/docs/crypto/EVP_DigestInit.html. When I build this example using ver 1.0.0d, the example crashes at E VP_DigestFinal_ex. When I build this example using previous version, the example works as expected. You may have a mixed compilation environment, with headers, compile-time libraries and run-time libraries coming from different OpenSSL versions. Any thoughts or comments whether the issue associated with EVP_DigestFinal_ex is specific to this example or has broader impact? You have not detailed any issues, so no response is possible. To properly describe the issue, you need to specify the platform, the path to the OpenSSL headers included during compilation, the path to the libraries using when the application was linked, and the path to the run-time libraries found when the application is started and the versions of OpenSSL associated with each. 
> A debugger stack trace for the crash, the sizes of relevant structures, ... FWIW, the example compiles and runs fine with OpenSSL 1.0.0d on x86_64 RHEL 4.
>
> -- Viktor.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: PKCS12 - Why Encrypted?
PKCS docs, including PKCS12: http://www.rsa.com/rsalabs/node.asp?id=2124

On Wed, Apr 20, 2011 at 5:03 PM, Patrick Rutkowski rutsk...@gmail.com wrote:

> I'm pretty new to this PKI stuff, but I'm very confused about why pkcs12 files are encrypted.
>
> As I understand it, a basic p12 file contains within it two things:
> (1) A private key (private.pem in my case, an RSA key created with genrsa)
> (2) An x509 certificate (cert.pem in my case, created with req -new -x509 -key private.pem etc...)
>
> When you create the x509 certificate it isn't encrypted, because all it stores inside of it is the public key which is generated from the given private.pem; and that's not sensitive data. As far as I can see, there aren't even any options in the openssl req sub-utility to encrypt the cert created by -new -x509.
>
> Now, if I understand correctly, when you take cert.pem and private.pem and store them together into a p12 file, the pkcs12 sub-utility defaults to encrypting the p12 file as a whole, even beyond the fact that the internal private key is already encrypted, and despite the fact that (I think) the certificate doesn't need to be encrypted.
>
> I'm guessing I'm probably missing something here. It's not just that I think encrypting the cert would be silly and paranoid, it's that I don't understand why it needs to be encrypted in principle.
>
> Many thanks in advance for any help in clearing up a newbie's confusion,
> -Patrick
>
> P.S. If there are any de facto standard books to read on the subjects of RSA and PKI, I would be curious to hear a tip. I'm not necessarily just interested in learning how to use these technologies from a user-end perspective. I'm pretty solid with mathematics, so I would be curious to learn about the theory of the implementation details as well.
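As an added example that is not part of the thread: the bundle the question describes, built with the openssl CLI the way the poster did (genrsa key, req -new -x509 cert), exported twice and inspected with openssl pkcs12 -info to show which bags OpenSSL places inside PKCS#7 EncryptedData. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the password, subject and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the two files the question
# describes (genrsa key + self-signed req -new -x509 cert), bundles them into
# PKCS#12 twice and inspects which bags land inside PKCS#7 EncryptedData.
# Assumes the openssl CLI (1.1.1 or 3.x); password, subject and names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key and self-signed certificate, exactly the inputs the question starts from.
make_key_and_cert() {
    openssl genrsa -out "$WORK/private.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/private.pem" -out "$WORK/cert.pem" \
        -days 1 -subj "/CN=pkcs12-example" 2>/dev/null
}

# Export a bundle: $1 = output file name, any further args are extra
# pkcs12 options (e.g. -certpbe NONE to leave the certificate bag in the clear).
export_p12() {
    out=$1; shift
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/private.pem" \
        -out "$WORK/$out" -passout pass:p12pw "$@" 2>/dev/null
}

# ContentInfo/bag summary of a bundle (openssl prints it on stderr), no PEM bodies.
p12_structure() {
    openssl pkcs12 -in "$WORK/$1" -info -noout -passin pass:p12pw 2>&1
}

# How many SafeContents are wrapped in PKCS#7 EncryptedData (the certificate
# bag is one of them with default options) ...
count_encrypted_contents() {
    p12_structure "$1" | grep -c 'PKCS7 Encrypted data' || true
}

# ... and how many are plain PKCS#7 Data (the shrouded key bag always sits in
# one; an unencrypted certificate bag adds another).
count_plain_contents() {
    p12_structure "$1" | grep -c 'PKCS7 Data' || true
}

make_key_and_cert
export_p12 default.p12                  # OpenSSL default: cert bag encrypted too
export_p12 plaincert.p12 -certpbe NONE  # cert bag in the clear, key still shrouded

echo "== default.p12 ==";   p12_structure default.p12
echo "== plaincert.p12 =="; p12_structure plaincert.p12
```

Comparing the two summaries shows that by default the certificate bag is the one inside "PKCS7 Encrypted data", while -certpbe NONE leaves it in a plain "PKCS7 Data" container with only the key bag shrouded, the layout the question expected.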
