RE: OpenSSL version 3.1.0-alpha1 published

2022-12-01 Thread Kenneth Goldman
The changes show a jump from 3.0 to 3.2

https://github.com/openssl/openssl/blob/master/CHANGES.md





RE: RSA and DES encryption and decryption with C++ on Windows

2022-04-10 Thread Kenneth Goldman

Anyway, I'm trying to encrypt/decrypt using RSA and DES schemes.  I've tried 
some of the older code examples I could find, but some of the functions weren't 
recognized by my header files.
[kgold] You cannot encrypt long streams with RSA.  DES is deprecated.

Can anyone help me with this?  I want to encrypt fairly long strings.  A few 
hundred bytes or so.   Maybe longer.  If I can do a continuous stream of blocks 
that would be great, as well.


[kgold] Post a short example that did not work.






RE: EVP_PKEY_get_int_param is not getting degree from EC key -> man page use of integer for BIGNUM

2022-01-11 Thread Kenneth Goldman
> From: openssl-users  On Behalf Of
> Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, January 5, 2022 6:41 PM
> To: Dr Paul Dale ; openssl-users@openssl.org
> Subject: [EXTERNAL] Re: EVP_PKEY_get_int_param is not getting degree from
> EC key
> 
> The problem that I see is that there's a set of parameters (such as
> OSSL_PKEY_PARAM_EC_COFACTOR), not described in the man pages, with
> under-specified type.
> E.g., how is one to know where's "normal" ~~sloppiness~~ imperfection in
> writing, and where "unsigned integer" truly means 'NOT C type "unsigned int"',
> especially since it's all in a C API description (so one tends to expect C 
> types,
> unless CLEARLY stated otherwise)?
> 
> Beneficial - would be a man page that lists these parameters, their types, and
> the appropriate method for retrieving them (e.g., EVP_PKEY_get_int_param()
> or EVP_PKEY_get_bn_param()).
> 
> I support specifying the type in the comments as "unsigned BIGNUM" over
> "just adding a note".
> >

I like this suggestion.  I had the same issue with 

https://www.openssl.org/docs/man3.0/man7/EVP_PKEY-EC.html

which uses 'unsigned integer' to mean a BIGNUM.

https://www.mail-archive.com/openssl-users@openssl.org/msg90149.html

The C language uses 'integer' to mean a basic type of various lengths -
8, 16, 32, etc. - but surely not a structure or pointer.

https://www.gnu.org/software/libc/manual/html_node/Integers.html

I think integer has a common enough understanding in C that OpenSSL
should use a different term for a BIGNUM.


Documentation on openssl 1.0.2 / FIPS module version support for PPC LE

2021-04-21 Thread Kenneth Goldman
> From: "Bhadri Madapusi" 
>
> Is there any documentation on which version of openssl are supported
> on PPC LE. I am trying to figure out which version of 1.0.2 source
> and FIPS module to use to compile my nginx with openssl and FIPS. Thank you.

Not documentation, but my power machines run

OpenSSL 1.1.1  11 Sep 2018
OpenSSL 1.1.0f-fips  25 May 2017
OpenSSL 1.1.0i-fips  14 Aug 2018
OpenSSL 1.1.1i FIPS   8 Dec 2020


RE: Random and rare Seg faults at openssl library level

2021-01-08 Thread Kenneth Goldman





From:   Gimhani Uthpala 
To: Ken Goldman 
Cc: openssl-users@openssl.org
Date:   01/07/2021 05:53 PM
Subject:[EXTERNAL] Re: Random and rare Seg faults at openssl library
level



I only have this 1.0.2.k-fips one version installed in both compiling and
running machines. However, I am compiling the application in RH7.4 and
running in RH7.8 linking to openssl library dynamically. I assume no issue
with that as I am using the same version of openssl in both.

You are having a problem, and that is a typical cause.  Try compiling and
running on the exact same OS.

If you installed openssl yourself, not using the RHEL yum installer, I
would expect random and rare issues.


Re: Compiling OpenSSL shared libraries with custom name on Unix platforms

2020-07-14 Thread Kenneth Goldman

> From: shivaramakrishna chakravarthula 
>
> Is it possible to compile OpenSSL shared libraries with custom
> names on Linux/ Unix platforms to avoid conflicts with installed
> OpenSSL libraries?
> I have tried to modify the SHLIB_EXT in Configure script but it is
> not working. I am sure it is a common problem and someone in this
> group can help.

If this is just for local testing, I typically build but don't
install.  By changing my paths, I can use the local copy.

If you're sure you have ABI compatibility, could you
manually copy and rename the .so files to /usr/include,
/usr/local/include  or equivalent?


Re: get data from X509_EXTENSION in openSSL 1.1.1.

2020-07-10 Thread Kenneth Goldman

> From: prudvi raj 
> To: openssl-users@openssl.org
> Date: 07/10/2020 07:55 AM
> Subject: [EXTERNAL] get data from X509_EXTENSION in openSSL 1.1.1.
> Sent by: "openssl-users" 
>
> Hi All,
>
> we are upgrading our codebase to 1.1.1 from 1.0.2k.Here's a code
> snippet causing error :
>
>  ext = X509_get_ext(X509, n);
>  data = ext->value->data;
>
> How do i get the data value from X509_EXTENSION object.
> since forward declarations are not allowed (compiler error) & i
> couldn't find a suitable 'getter' function.
> Can someone please help me out in resolving this issue.??

This may work:

ASN1_BIT_STRING *keyUsage = X509_get_ext_d2i(X509Certificate, NID_key_usage, NULL, NULL);
int keyEncipherment = 0;
if (keyUsage != NULL && keyUsage->length > 0) {   /* NULL when the extension is absent */
    uint8_t bitmap = keyUsage->data[0];
    keyEncipherment = bitmap & (1 << 5);  /* KeyUsage bit 2 = 0x20 of the first byte (bits count from the MSB) */
}
ASN1_BIT_STRING_free(keyUsage);   /* X509_get_ext_d2i returns a copy owned by the caller */


RE: SOLVED: Force use of engine all the time

2019-11-07 Thread Kenneth Goldman





From:   Frederick Gotham 
To: openssl-users@openssl.org
Date:   11/07/2019 10:39 AM
Subject:[EXTERNAL] Re: SOLVED: Force use of engine all the time
Sent by:"openssl-users" 



Frederick Gotham wrote:

> I don't think any code other than "libcrypto.so" is using the TPM2, and
> so I don't know why I'm getting "device or resource busy" (considering I'm
> using a global named mutex)". I see that there's also a TPM2 tcti called
> "abrmd", and I'm not sure if this purpose is exactly what it's for.

Just FYI, abrmd was a TPM 2.0 user space resource manager, similar to the
TPM 1.2 tcsd.  Recent Linux kernels have a kernel driver resource manager
at /dev/tpmrm0 that removes the need for a user space daemon.

/dev/tpmrm0 supports multiple opens and does the swapping and
scheduling.  /dev/tpm0 is the original single open entry point, and
would not normally be used.





Re: Issue in linking Openssl1.1.1b to application

2019-05-10 Thread Kenneth Goldman
> From: vin 
> To: openssl-users@openssl.org
> Date: 05/10/2019 12:44 AM
> Subject: Re: Issue in linking Openssl1.1.1b to application
> Sent by: "openssl-users" 
>
> Hi Ken
>
> I am almost struck in registering the built dll to windows 7 32 bit
> machine.
>
> Can you provide me the details on which all openssl1.1.1b output lib
> files and output dll files that needs to be linked to any application while
> building in visual studio??

With mingw, I specify this to the linker

c:/program files/openssl/lib/mingw/libcrypto-1_1.a

In Visual Studio,

Linker - Input - Additional Dependencies: libcrypto32mdd.lib
Linker - General - Additional Library Directory: c:\program files\openssl
\lib\vc

However, it sounded like you were linking correctly, but Windows could
not find the dll at runtime.  That points to a PATH issue.

>
> Or any steps needs to be added while building openssl1.1.1b,I am
> following the steps below
> Windows 32-bit
>1. perl Configure VC-WIN32
>2. nmake
>3. nmake test
>4. nmake install

I don't build myself.  I use Shining Light:

http://slproweb.com/products/Win32OpenSSL.html


Re: Issue in linking Openssl1.1.1b to application

2019-05-09 Thread Kenneth Goldman
> From: vin 
> To: openssl-users@openssl.org
> Date: 05/09/2019 01:24 PM
> Subject: Re: Issue in linking Openssl1.1.1b to application
> Sent by: "openssl-users" 
>
> Hi Ken
>
> Thanks for the reply.If I am not wrong ,You are asking me to set the path
> of the dll in set path environment variable in testing machine (windows 7 32
> bit) right??

Right.

In the PATH environment variable.

>
> But the issue is if same dll built with openssl0.9.8k is registering
> properly in same test machine.

If 098 used the Shining Light installer, I recall that there was/is an
option to install the dlls in the system area or not.  Perhaps you
installed 098 in the system area but not 111.

> After replacing openssl libraries by openssl1.1.1b I am facing this
> issue.So I guess building dll using visual studio 2008 is missing some steps .

Oh, wait!!!  I didn't notice that you're building openssl yourself.  I've
always used Shining Light.  So it could be a problem in the way they're
being built.

> Can you please help me further??

Sure.  I have 1.1 working with Visual Studio, although I still can't get
1.1 64-bit working with mingw.


RE: Using (not building) openssl with mingw on Windows 10

2019-03-25 Thread Kenneth Goldman

> From: Michael Wojcik 

> Without picking at the problem files myself, not really. It's
> probably something that will be fairly obvious in retrospect but I'm
> not seeing it from here.
>
> The import libraries (I'm assuming libssl.lib is one as well, on
> your system) basically tell the linker "for this symbol, insert a
> runtime load reference to this DLL". The Cygwin nm can display the
> symbols in an import library; I don't remember if MingW includes nm,
> or know if it understands import libraries.
>
> So well-formed import versions of libcrypto.lib and libssl.lib
> should name all the public OpenSSL symbols, and you shouldn't get
> resolution errors when linking against them. You might well get
> resolution errors at runtime, if the corresponding DLLs can't be
> found; but not a link time.

Here's a new attempt.  I added -lcrypto.  I also added -L and the path to
libcrypto.lib.

The error makes sense because -lcrypto should search for libcrypto.a, and
there is none in the Shining Light build.

I also tried pointing directly to "c:/program
files/openssl64/lib/libcrypto.lib", but the link failed.

~~

"c:/program files/mingw/bin/gcc.exe" -D_MT -DTPM_WINDOWS -I.  -shared -o
libibmtss.dll tssfile.o tsscryptoh.o tsscrypto.o tssprintcmd.o tss.o
tssproperties.o tssmarshal.o tssauth.o tssutils.o tsssocket.o tssdev.o
tsstransmit.o tssresponsecode.o tssccattributes.o tssprint.o Unmarshal.o
CommandAttributeData.o tss20.o tssauth20.o Commands.o ntc2lib.o tssntc.o \
-Wl,--out-implib,libibmtss.a -L"c:/program files/openssl64/lib"
-lcrypto "c:/program files/MinGW/lib/libws2_32.a"

c:/program
files/mingw/bin/../lib/gcc/mingw32/6.3.0/../../../../mingw32/bin/ld.exe:
cannot find -lcrypto


Re: ECC keypair generation with password

2019-03-25 Thread Kenneth Goldman
> From: Viktor Dukhovni 
> >
> > In the script, I used this:
> >
> > openssl ec -aes128 -passout pass: -in tmpecprivkeydec.pem
> -out tmpecprivkey.pem
>
> I try to avoid putting sensitive information in command-line arguments.
>
> If you're using "bash" (which has "printf" as a built-in) you could use:
>
>-passout file:<(printf "\n")
>
> which does not create any processes with the password in the argument
> vector.
> Example:
>
> $ openssl enc -aes128 -pass file:<(printf "\n") <<EOF | openssl enc -d -aes128 -pass file:<(printf "\n")
> > foobar
> > EOF
> foobar

Understood, but this is just for a regression test script.

Thanks.


[openssl-users] I failed to add a git pull request for openssl

2018-08-15 Thread Kenneth Goldman
What is the process for adding a pull request to an openssl branch?

I tried from the web site, selecting 102stable and clicking 'new pull 
request'.  It uploaded but said "kgoldman wants to merge 4,027 commits 
into master from OpenSSL_1_0_2-stable".  I wanted to push one patch  to 
102stable.

The status says "closed", presumably because I did something wrong. 
However, it also says 'approved'.

~

openssl-dev seems to be closed now.  I will post the patch to this list. 
Can a developer pick it up?


--
Ken Goldman   kgold...@us.ibm.com 
914-945-2415 (862-2415)


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Openssl 1.1 RSA_get0_key() documentation -> needs-cla

2017-07-31 Thread Kenneth Goldman
"openssl-users"  wrote on 07/31/2017 
09:20:59 AM:

> From: Matt Caswell 
> To: openssl-users@openssl.org
> Date: 07/31/2017 09:21 AM
> 
> Click "New Issue" on this page:
> 
> https://github.com/openssl/openssl/issues
> 
> You'll need a github user id.
> 
> > 
> > I'd also be willing to help with documentation, if that's possible.
> 
> It is possible. Make the relevant changes (file
> doc/man3/RSA_get0_key.pod) in a recent checkout of master and then
> create a github pull request:
> 
> https://github.com/openssl/openssl/pulls

I have an ID, but the pull request is marked needs-cla.

How do I sign it?



[openssl-users] Openssl and floating point

2016-08-10 Thread Kenneth Goldman
We have a platform that does not support floating point operations.  We 
discovered that openssl uses floating point in the random number 
generator.

Is there any build or compile time flag that uses an alternative to 
floating point?







Re: What does RSA_public_encrypt use for hash and mgf

2013-12-12 Thread Kenneth Goldman
The documentation says:

RSA_PKCS1_OAEP_PADDING
EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding 
parameter. This mode is recommended for all new applications.







From:   Dereck Hurtubise djhurtub...@gmail.com
To: openssl-users@openssl.org
Date:   12/12/2013 07:55 AM
Subject:What does RSA_public_encrypt use for hash and mgf
Sent by:owner-openssl-us...@openssl.org



Can someone tell me what hash algorithm the RSA_public_encrypt function 
uses?
Is this SHA1 only for both?

Dereck


Re: openssl RSA_sign() and Java verify how

2012-10-31 Thread Kenneth Goldman
I'd suggest as a next step to see if you're using the same public key for 
both the Java and openssl verify.

After that, the next step would be, in Java, to do a raw public key 
operation and examine the result.  That will tell you whether it's the 
public key, the padding, the OID, or the hash that has the problem.





From:   R Redpath/Raleigh/IBM@IBMUS
To: openssl-users@openssl.org, 
Date:   10/30/2012 04:59 PM
Subject:openssl RSA_sign()  and Java verify how
Sent by:owner-openssl-us...@openssl.org




I am using openssl to create a signature for a file contents and use
openssl to verify the contents using the signature file. The public key is
from an x509 cert.
All works great.

I need to verify a file contents using Java. So I have written a sample Java
application and it returns false and should return true. I use the same
artifacts as I did for the openssl.

I think the saved binary file of the signature may need some conversion for
Java but thats my guess?

The computed SHA1 for the message digest by openssl and by Java are the
same. So thats a good start.

The Java Application is enclosed below. 
   Basically 
1 open the x509 and extract the public key.
2 read the contents of the file and make a SHA1 message digest
3 read the binary signature file
4 check signature against message digest using public key.






Re: Parsing X509 certificate subjectAltName

2012-09-12 Thread Kenneth Goldman
If I shouldn't use GEN_IPADD, what should I use?

The goal is to extract the text value associated with several OIDs. 
dumpasn1 says the values are PrintableString.





From:   Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org, 
Date:   09/11/2012 06:49 PM
Subject:Re: Parsing X509 certificate subjectAltName
Sent by:owner-openssl-us...@openssl.org



On Tue, Sep 11, 2012, Charles Mills wrote:

 
 {
     case GEN_DNS:
     case GEN_URI:
     case GEN_IPADD:
         /* ASN1_STRING_to_UTF8() takes the address of the output pointer */
         ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);
         b = isWildcardedCNcompare(reinterpret_cast<char *>(pBuffer), nodeName);
 

Don't do that with the GEN_IPADD: it isn't an IA5String it is an 
OCTETSTRING
representing the IP address in a format described by RFC3280 et al.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org




Parsing X509 certificate subjectAltName

2012-09-11 Thread Kenneth Goldman
I'm 90% deep into parsing an X509 certificate, but I can't find sample 
code for the last piece.

I found the extension, and located the ASN1_OBJECT with nid 85, OID 
2.5.29.17, the subjectAltName.  From the dumpasn output, I see that this 
is an octet string of a sequence, etc.

I have to pull out the three OIDs   '2.23.133.2. [1, 2, and 3]' which are 
presumably in the ASN1_OBJECT. 

Can anyone point me to sample code or a hint? 

~~

515   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   : . . . . . . (X.509 extension)
01 01 FF
520   1: . . . . . BOOLEAN TRUE
04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 
3A
523  74: . . . . . OCTET STRING, encapsulates {
30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 
37
525  72: . . . . . . SEQUENCE {
A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 
35
527  70: . . . . . . . [4] {
30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 
33
529  68: . . . . . . . . SEQUENCE {
31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 
30
531  66: . . . . . . . . . SET {
30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30
533  20: . . . . . . . . . . SEQUENCE {
06 05 67 81 05 02 01
535   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1'
13 0B 69 64 3A 35 37 34 35 34 33 30 30
542  11: . . . . . . . . . . . PrintableString 'id:57454300'
   : . . . . . . . . . . . }
30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 
35
555  24: . . . . . . . . . . SEQUENCE {
06 05 67 81 05 02 02
557   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2'
13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78
564  15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x'
   : . . . . . . . . . . . }
30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31
581  16: . . . . . . . . . . SEQUENCE {
06 05 67 81 05 02 03
583   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3'
13 07 69 64 3A 30 33 39 31
590   7: . . . . . . . . . . . PrintableString 'id:0391'
   : . . . . . . . . . . . }
   : . . . . . . . . . . }
   : . . . . . . . . . }
   : . . . . . . . . }
   : . . . . . . . }
   : . . . . . . }
   : . . . . . }

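To show the parsing this post asks about, here is an added Python walker (example code, not from the thread and not OpenSSL's API). It decodes the 74 subjectAltName content bytes transcribed from the dumpasn1 listing above with a minimal DER reader and returns the PrintableString for each 2.23.133.2.x OID. The same reader also decodes a KeyUsage BIT STRING (a constructed value, not on the page) to illustrate the 1<<5 mask used in the July 2020 X509_get_ext_d2i reply earlier on this page; the function names and constants are mine.

```python
# Constructed from the dumpasn1 listing above: the 74 content bytes of the
# subjectAltName OCTET STRING at offset 523 (the GeneralNames SEQUENCE).
SAN_VALUE = bytes.fromhex(
    "3048a44630443142"
    "301406056781050201130b69643a3537343534333030"
    "301806056781050202130f4e5043543432782f4e504354353078"
    "301006056781050203130769643a30333931"
)

# Constructed KeyUsage extension value (not from the page): BIT STRING, 5 unused
# bits, data byte 0xA0 = digitalSignature (bit 0) and keyEncipherment (bit 2).
KEY_USAGE_DER = bytes.fromhex("030205a0")

CONSTRUCTED = 0x20                 # bit 6 of the identifier octet
OBJECT_IDENTIFIER = 0x06
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x16: "ascii"}   # PrintableString, UTF8String, IA5String
KEY_USAGE_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                   "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                   "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos):
    """Parse one DER element at buf[pos]; return (tag, content bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    pos += 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted form of an OBJECT IDENTIFIER content: the first byte packs the first
    two arcs, the rest are base-128 groups with a continuation bit."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def attribute_strings(der):
    """Return {dotted OID: text} for every SEQUENCE { OID, string } at any depth,
    which is how these attributes sit inside the [4] directoryName of this SAN."""
    found = {}
    for tag, value in children(der):
        if not tag & CONSTRUCTED:
            continue
        kids = children(value)
        if len(kids) == 2 and kids[0][0] == OBJECT_IDENTIFIER and kids[1][0] in STRING_TAGS:
            found[decode_oid(kids[0][1])] = kids[1][1].decode(STRING_TAGS[kids[1][0]])
        else:
            found.update(attribute_strings(value))
    return found


def key_usage_bits(bitstring_content):
    """Names of the set bits of a KeyUsage BIT STRING content (first byte = unused-bit count).
    Bit i is the i-th most significant bit, so bit 2 is mask 0x20 == 1 << 5 of data[0]."""
    unused, data = bitstring_content[0], bitstring_content[1:]
    nbits = len(data) * 8 - unused
    return {KEY_USAGE_NAMES[i] for i in range(min(nbits, len(KEY_USAGE_NAMES)))
            if data[i // 8] & (0x80 >> (i % 8))}


if __name__ == "__main__":
    print(attribute_strings(SAN_VALUE))
    print(key_usage_bits(read_tlv(KEY_USAGE_DER, 0)[1]))
```

Every length is bounds-checked before slicing, so a truncated or hostile extension raises instead of reading past the buffer, which is the property a certificate parser needs before it is pointed at untrusted input.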


Re: asn1 parsing tutorial

2012-09-05 Thread Kenneth Goldman
The piece that openssl doesn't handle is the rsaOAEP OID for the public 
key.  Here's a typical certificate dump.  I'm trying to extract the public 
modulus.

158  74: . . . SEQUENCE {
160   9: . . . . OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
   : . . . . . (PKCS #1)
171  61: . . . . SEQUENCE {
173  11: . . . . . [0] {
175   9: . . . . . . SEQUENCE {
177   5: . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   : . . . . . . . . (OIW)
184   0: . . . . . . . NULL
   : . . . . . . . }
   : . . . . . . }
186  24: . . . . . [1] {
188  22: . . . . . . SEQUENCE {
190   9: . . . . . . . OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
   : . . . . . . . . (PKCS #1)
201   9: . . . . . . . SEQUENCE {
203   5: . . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   : . . . . . . . . . (OIW)
210   0: . . . . . . . . NULL
   : . . . . . . . . }
   : . . . . . . . }
   : . . . . . . }
212  20: . . . . . [2] {
214  18: . . . . . . SEQUENCE {
216   9: . . . . . . . OBJECT IDENTIFIER
   : . . . . . . . . rsaOAEP-pSpecified (1 2 840 113549 1 1 9)
   : . . . . . . . . (PKCS #1)
227   5: . . . . . . . OCTET STRING 54 43 50 41 00 TCPA.
   : . . . . . . . }
   : . . . . . . }
   : . . . . . }
   : . . . . }
234 271: . . . BIT STRING, encapsulates {
239 266: . . . . SEQUENCE {
243 257: . . . . . INTEGER 
   : . . . . . . 00 FB FD F9 09 63 15 A4.c..
   : . . . . . . 62 5F 79 C7 A9 E2 F8 FFb_y.
   : . . . . . . B4 C9 68 2F 32 F0 D4 3A..h/2..:
   : . . . . . . 78 AF A3 51 D1 95 DF E3x..Q
   [snip many lines of public modulus]
   : . . . . . . 93 05 99 B3 0C 4C B7 FA.L..
   : . . . . . . C4 36 BB 52 D1 B6 D5 9E.6.R
   : . . . . . . D7 .
504   3: . . . . . INTEGER 65537
   : . . . . . }
   : . . . . }
   : . . . }





From:   Peter Sylvester peter.sylves...@edelweb.fr
To: 
Cc: Kenneth Goldman/Watson/IBM@IBMUS
Date:   09/05/2012 02:09 AM
Subject:Re: asn1 parsing tutorial



On 09/04/2012 10:47 PM, Ken Goldman wrote:
 Is there any tutorial or other documentation on how to use the openssl 
asn1 parsing C functions? 
 That is, not the command line.

 The man pages are empty.  I found that the asn1parse command line 
utility works, but the 
 asn1pars.c code is completely uncommented. It will be a chore to reverse 
engineer it with a debugger.

 ~~

 Use case:  I have to parse a non-standard X.509 certificate that openssl 
cannot handle at a higher 
 level.  I think I have to parse at a low level and pull out the data I 
need.

 Any better ideas?
give more details about what you mean by non-standard x509?
are you talking about an non recognized extension for example?
or just show an example and what you want to extract.

/P




X509 certificate algorithm

2012-08-16 Thread Kenneth Goldman
I call these:

d2i_X509()
X509_print_fp()

which calls 
pkey_set_type() 
EVP_PKEY_asn1_find()
and that call fails.

I've traced the following error down to the rsaOAEP algorithm, which has a
nid of 919.  I've included both the openssl and dumpasn1 dump of the
X509 certificate.  Am I doing something wrong in openssl, or is there
a problem with the certificate?  I tried certificates from two
vendors, and they both fail at the same point.


X509_print_fp() gives

   Subject Public Key Info:
Public Key Algorithm: rsaesOaep
Unable to load Public Key
140243704706728:error:0609E09C:lib(6):func(158):reason(156):p_lib.c:239:
140243704706728:error:0B07706F:lib(11):func(119):reason(111):x_pubkey.c:155:


~~

dumpasn1 gives

152   0: . . SEQUENCE {}
154 351: . . SEQUENCE {
158  74: . . . SEQUENCE {
160   9: . . . . OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
   : . . . . . (PKCS #1)
171  61: . . . . SEQUENCE {
173  11: . . . . . [0] {
175   9: . . . . . . SEQUENCE {
177   5: . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   : . . . . . . . . (OIW)
184   0: . . . . . . . NULL
   : . . . . . . . }
   : . . . . . . }
186  24: . . . . . [1] {
188  22: . . . . . . SEQUENCE {
190   9: . . . . . . . OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
   : . . . . . . . . (PKCS #1)
201   9: . . . . . . . SEQUENCE {
203   5: . . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
   : . . . . . . . . . (OIW)
210   0: . . . . . . . . NULL
   : . . . . . . . . }
   : . . . . . . . }
   : . . . . . . }
212  20: . . . . . [2] {
214  18: . . . . . . SEQUENCE {
216   9: . . . . . . . OBJECT IDENTIFIER
   : . . . . . . . . rsaOAEP-pSpecified (1 2 840 113549 1 1 9)
   : . . . . . . . . (PKCS #1)
227   5: . . . . . . . OCTET STRING 54 43 50 41 00 TCPA.
   : . . . . . . . }
   : . . . . . . }
   : . . . . . }
   : . . . . }
234 271: . . . BIT STRING, encapsulates {
239 266: . . . . SEQUENCE {
243 257: . . . . . INTEGER 
   : . . . . . . 00 FB FD F9 09 63 15 A4.c..
   : . . . . . . 62 5F 79 C7 A9 E2 F8 FFb_y.
   : . . . . . . B4 C9 68 2F 32 F0 D4 3A..h/2..:
   : . . . . . . 78 AF A3 51 D1 95 DF E3x..Q
   : . . . . . . 83 BE BF 74 D2 61 03 F6...t.a..
   : . . . . . . 82 8C D6 3C C6 86 1A 73..s
   : . . . . . . 09 5A A5 9E 5D 1B D6 D8.Z..]...
   : . . . . . . 72 50 BE 02 D7 0A 8B 8CrP..
   : . . . . . . BC BF 92 CF 7D 25 62 E0}%b.
   : . . . . . . D5 96 4D 04 96 95 83 24..M$
   : . . . . . . A5 23 1E 10 21 06 16 06.#..!...
   : . . . . . . BF 33 99 F7 D1 F0 BF 18.3..
   : . . . . . . 7C B3 1E B6 D2 20 F6 DF| ..
   : . . . . . . 09 52 F5 2C 3E D0 2D 82.R.,.-.
   : . . . . . . D8 AB A6 6A 34 73 8E 9E...j4s..
   : . . . . . . D8 B7 7B 4B 5F DE 4B 9F..{K_.K.
   : . . . . . . 31 4A 7D C4 EC 81 EC 231J}#
   : . . . . . . 79 AD E4 78 DA 52 41 BBy..x.RA.
   : . . . . . . 03 6B 1A 3F 9C A6 E5 7F.k.?
   : . . . . . . 3F B9 62 03 55 01 E7 44?.b.U..D
   : . . . . . . C9 88 B5 90 A8 CE 3E E3...
   : . . . . . . 62 D2 34 56 E8 02 C2 F4b.4V
   : . . . . . . 09 4E 58 71 32 29 D4 DF.NXq2)..
   : . . . . . . 05 8B 37 58 06 66 9A 91..7X.f..
   : . . . . . . 1A 20 B2 3A 0A 5F 35 F2. .:._5.
   : . . . . . . 9E 7A 39 79 EA 97 1D B0.z9y
   : . . . . . . 39 2B AA 93 BB 94 8F 159+..
   : . . . . . . 30 03 C5 38 28 53 1D 610..8(S.a
   : . . . . . . 3E EB AB 3B E7 98 96 A1..;
   : . . . . . . D2 35 0E 3D 37 26 F9 D0.5.=7..
   : . . . . . . 93 05 99 B3 0C 4C B7 FA.L..
   : . . . . . . C4 36 BB 52 D1 B6 D5 9E.6.R
   : . . . . . . D7 .
504   3: . . . . . INTEGER 65537
   : . . . . . }
   : . . . . }
   : . . . }

--
Ken Goldman   kgold...@us.ibm.com 
914-784-7646 (863-7646)


Re: Custom free routine is invoked with NULL argument in openssl 1.0.1

2012-05-29 Thread Kenneth Goldman
 From: Jakob Bohm jb-open...@wisemo.com

 Which version of the ANSI Spec, and where did you get a copy?
 
 I have to rely on secondary sources and experience using various 
 implementations that claim conformance.

I generally refer to Plauger's The Standard C Library, where he quotes
the spec with commentary and implementation.  Plauger was a co-author
of the standard.

Google finds this copy of the spec:

http://flash-gordon.me.uk/ansi.c.txt

Even K&R say free(NULL) is a noop.


Re: weak key check?

2012-02-16 Thread Kenneth Goldman
 From: John Hascall j...@iastate.edu
 To: openssl-users@openssl.org, 
 Date: 02/16/2012 09:54 AM
 
 Richard writes:
  Well, seeding the PRNG correctly seems not to be a trivial task,
 
 Which is really sad, because you can buy a hardware RNG
 for diddly-squat these days, for example http://www.entropykey.co.uk/

Many laptops and desktops and some servers now come with a TPM chip, 
a free source of hardware random numbers.


Re: Separating the digest and signature steps of RSA signing

2012-01-27 Thread Kenneth Goldman
 From: Peter Eckersley peter.eckers...@gmail.com
 To: openssl-users@openssl.org, 
 Date: 01/26/2012 04:42 PM
 Subject: Separating the digest and signature steps of RSA signing
 
 I have an offline system that needs to compute RSA signatures over
 large blobs of data, given only hashes of the data as input and not
 the entire blobs (something like the NONEwithRSA algorithm in Java's
 RSA implementation
 http://www.docjar.com/docs/api/sun/security/mscapi/RSASignature.html)
 
 Is there any way to do that with openssl?

Yes.

- start with the hash
- prepend the OID of your choice
- prepend the desired padding if it's not supported, or 
RSA_padding_add_PKCS1_type_1(), etc.
- RSA_private_encrypt(RSA_NO_PADDING)
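Here is the procedure above carried through in pure Python, as an added example (not from the thread, and not OpenSSL's implementation): the DigestInfo prefix in front of the hash, the EMSA-PKCS1-v1_5 type-1 padding, then the raw private-key exponentiation that RSA_private_encrypt() with RSA_NO_PADDING performs, plus the matching raw public operation to check the result. The key is constructed from two Mersenne primes so the script is deterministic; it is not a usable key, and the names sign_digest, verify_digest and DIGEST_INFO are mine.

```python
import hashlib
import hmac

# Constructed demo key: two Mersenne primes, so the example is deterministic and
# needs no key file. This is NOT a usable key; it only exercises the encoding steps.
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes (81 here)

# DigestInfo prefixes from RFC 8017 section 9.2: the "OID" the reply says to prepend.
# The SHA-1 one is the 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 seen in the
# hex dumps elsewhere on this page.
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v1_5_encode(digest, hash_name, k):
    """Prepend the DigestInfo, then the type-1 padding 00 01 ff..ff 00
    (what RSA_padding_add_PKCS1_type_1 does)."""
    if len(digest) != hashlib.new(hash_name).digest_size:
        raise ValueError("digest length does not match %s" % hash_name)
    t = DIGEST_INFO[hash_name] + digest
    if k < len(t) + 11:                 # at least 8 bytes of ff padding are required
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_digest(digest, hash_name="sha256"):
    """Raw private-key operation on the padded block, i.e.
    RSA_private_encrypt(..., RSA_NO_PADDING). Only the digest is needed,
    which is all the offline signer in the question has."""
    em = emsa_pkcs1_v1_5_encode(digest, hash_name, K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify_digest(signature, digest, hash_name="sha256"):
    """Raw public operation, then compare against a freshly encoded block
    instead of parsing the padding out of the result."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    try:
        expected = emsa_pkcs1_v1_5_encode(digest, hash_name, K)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


if __name__ == "__main__":
    d = hashlib.sha256(b"large blob the signer never sees").digest()
    sig = sign_digest(d)
    print(sig.hex()[:32], verify_digest(sig, d))
```

Verification re-encodes and compares the whole block rather than scanning for the ff bytes and the OID; lenient padding parsers are what made the classic low-exponent signature forgeries possible, so the comparison form is the one to keep in production code.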


Re: 100 bits of entropy with FIPS/EAL4 certified hw RNG?

2012-01-19 Thread Kenneth Goldman
 From: Magosányi Árpád m...@magwas.rulez.org
 To: openssl-users@openssl.org, 
 Date: 01/18/2012 03:38 AM
 Subject: 100 bits of entropy with FIPS/EAL4 certified hw RNG?

 1. (yes, I realise that RTFM, but which one?): 

The openssl crypto library manual.

 How should I/can I seed 
 100 bits of entropy into the openssl-fips RNG? What is the function call 

 for this?

RAND_add()



Re: openssl and SHA256

2012-01-19 Thread Kenneth Goldman
 From: Scott Wilson excell...@hotmail.com
 Date: 01/18/2012 01:52 PM
 
 Does openssl support SHA256?

Yes
 
 If SHA256 is supported, how do I get it to work?  Thanks!!

SHA256_Init/Update/Final()


Re: decrypt with a public key

2011-12-28 Thread Kenneth Goldman
When you use public key algorithms:

You encrypt with the recipient's public key and the recipient 
decrypts with their private key.

You sign with your private key and the recipient verifies with your
public key.

owner-openssl-us...@openssl.org wrote on 12/28/2011 01:43:17 PM:

 From: Ireneusz Szcześniak irek.szczesn...@gmail.com
 To: openssl-users@openssl.org, 
 Date: 12/28/2011 01:45 PM
 Subject: Re: decrypt with a public key
 Sent by: owner-openssl-us...@openssl.org
 
 Thank you, Steve, for your post.  Let me explain what I'm trying to 
 do.  In the public key cryptography:
 
 message = Dprv(Epub(message)) = Dpub(Eprv(message))
 
 D stands for decrypt, E for encrypt
 prv - private key, pub - private key
 
 And so I tried to do this with the openssl command.
 
 On 28.12.2011 18:28, Dr. Stephen Henson wrote:
  On Wed, Dec 28, 2011, Ireneusz Szcześniak wrote:
 
  Hi,
 
  In public key cryptography, a message encrypted with a private key
  can be decrypted with a public key, and so I tried:
 
  openssl rsautl -encrypt -inkey private-key -in message -out 
cryptogram
 
  openssl rsautl -decrypt -inkey public-key -pubin -in cryptogram
 
  The problem is that the second command gives me:
 
  A private key is needed for this operation
 
  Why can't one decrypt with a public key?
 
  I do realize that I can convince the recipient of the message that
  the message is indeed mine by signing the message.
 
 
 
  Try the -sign and -verify options instead.
 
  Steve.
  --
  Dr Stephen N. Henson. OpenSSL project core developer.
  Commercial tech support now available see: http://www.openssl.org
 
 
 
 -- 
 Ireneusz (Irek) Szczesniak
 http://www.irkos.org
 


Re: Is there another way to load RSA public than from a file?

2011-10-21 Thread Kenneth Goldman
 From: Väinö Leppänen narcomaco...@gmail.com
 Date: 10/21/2011 03:27 AM
 
 I'm just starting with openssl and public key encryption.
 I'm trying to encrypt certain knowledge in a C++ application,
 and I already have a working code but functions such as
 PEM_read_RSA_PUBKEY
 read the public key data from a file. The natural workaround
 of course is to implant the public key in a header and write
 it to a temporary file at runtime and then load it to the RSA-
 structure.
 
 Is there a way to load the header data directly to the RSA-
 structure?

Do I understand that you have a raw public key as a byte array
in a header, and you want to create the RSA structure from it?
If so:

RSA *rsa = RSA_new();
/* nBytes/eBytes and nLength/eLength: the big-endian byte arrays from the
   header and their lengths (names assumed here) */
rsa->n = BN_bin2bn(nBytes, nLength, NULL);   /* convert public modulus to bignum */
rsa->e = BN_bin2bn(eBytes, eLength, NULL);   /* convert exponent to bignum */


Re: Problem with signature verification on microchip embedded controller

2011-10-19 Thread Kenneth Goldman
Yes, you can verify 'by hand' by doing the raw public key operation,
stripping off the padding and OID (what you call the asn1 formatting), 
and then comparing the hashes.

When you say this is what I got from the PIC controller, I assume you
mean the result of applying the public key to the signature.  Since
you don't see the obvious 00 01 ff ... padding, there are three 
possibilities:

- you're using the wrong public key, or it got altered, or it's in the
  wrong format for the crypto library
- you're using the wrong signature, or it got altered
- the raw public key operation isn't working correctly, or you called it
  incorrectly

It's not a hashing issue, since you don't see the padding.

 From: TSCOconan chu...@tsco.ca
 To: openssl-users@openssl.org, 
 Date: 10/18/2011 03:03 PM
 Subject: Problem with signature verification on microchip embedded 
controller
 Sent by: owner-openssl-us...@openssl.org
 
 
 Hi,
 
 I'm trying to implement certificate signature verification (certificates
 are generated and signed using OpenSSL) on a Microchip PIC controller.  The
 Microchip PIC controller doesn't support OpenSSL libraries, but it does have
 an encryption/decryption function.  I was successful in getting an SSL
 connection between the PIC controller and a web server.  My next step is to
 set up signature verification on the PIC controller.
 
 After reading PKCS#1 V2.1 RSA Cryptography Standard
 (http://www.rsa.com/rsalabs/node.asp?id=2125)
 I realized that encryption is essentially the same as signature verification
 and decryption is the same as signing.  More specifically, both encryption
 and verification use the public key and the following formula: m = s^e mod n,
 where s is the signature or the message, e is the public exponent, n is
 the modulus and m is the encrypted message or decoded signature.  Therefore,
 I'm trying to use the encryption algorithm provided to perform signature
 verification.
 
 In order to verify the certificate, I generate the SHA1 hash of the
 certificate, then decode the signature using the CA's public key and the
 encryption algorithm.  After removing the padding from the decoded signature,
 the resulting hash should be equal to the SHA1 hash of the certificate.
 
 However, I cannot get the two hash values to be equal.  I tried to
 verify my assumption and the PIC controller results using the OpenSSL command
 line.
 
  openssl rsautl -in signature.txt -verify -asn1parse -inkey pubkey.pem -pubin
 db e8 c6 cb 78 19 3c 0f-fd 96 1c 4f ed bd b2 34 45 60 bf 65
   this matches the hash value I'm getting from the PIC controller
 
  openssl rsautl -verify -in signature.txt -inkey pubkey.pem -pubin -raw -hexdump
 00 01 ff ff ff ff ff ff-ff ff ff ff 00 30 21 30
 09 06 05 2b 0e 03 02 1a-05 00 04 14 db e8 c6 cb
 78 19 3c 0f fd 96 1c 4f-ed bd b2 34 45 60 bf 65
  I believe this is what I should get after decoding the signature.  After
 removing the ff padding I'll end up with the asn1 format of the certificate hash.
 
  However this is what I got from the PIC controller, which is much different:
   8e fb 62 0e 09 c8 0b 49 40 1f 4d 2d a7 7d d6 8c
   9b bc 95 e6 bc 98 4b 96 aa 74 e5 68 90 40 bf 43
   b5 c5 02 6d ab e3 ad 7b e6 98 fd 10 22 af b9 fb
 
  This is my signature
   7951 9b3d 244a 37f6 86d7 dc02 dc18 3bb4
   0f66 db3a a3c1 a254 5be5 11d3 a691 63ef
   0cf2 ec59 c48b 25ad 8881 9ed2 5230 bcd6
 
  This is my public key (I'm using a very small key just for testing, will
 make it larger once everything works)
   96 FE CB 59 37 AE 8C 9C 6C 7A 01 50 0F D6 4F B4
   E2 EC 45 D1 88 4E 1F 2D B7 1E 4B AD 76 4D 1F F1
   B0 CD 09 6F E5 B7 43 CA F8 14 FE 31 B2 06 F8 7B
  Exponent is 01 00 01
 
   I'm wondering, are my assumptions wrong that I cannot use the encryption
 algorithm for decoding the signature?  Or am I doing something else wrong.
 
 Thank you for any help.



Re: Openssl version compatibility [0.9.8r vs. 1.0.0e]

2011-10-19 Thread Kenneth Goldman
 From: Hasan Rezaul-CHR010 rezaul.ha...@nsn.com
 To: openssl-users@openssl.org, 
 Date: 10/19/2011 12:44 PM
 Subject: Openssl version compatibility [0.9.8r  vs.  1.0.0e]
 Sent by: owner-openssl-us...@openssl.org
 
 We have a bunch of Linux Boxes (Clients) that would run openssl 0.9.8r.
 
 We will have a Solaris box (CA Server), that would run openssl 1.0.0e
 
 Is there any compatibility problems that we would need to be concerned
 about ? Is there any difference in functionality that could give rise to
 unexpected problems ?

It likely depends on the functions you're using.  I use AES, RSA,
and SHA and it works without source modification.

I strongly advise recompiling - even for letter changes.


Re: Why RSA considers Hash algorithm

2011-09-30 Thread Kenneth Goldman
I think it's because RSA adds an object identifier (OID) to the hash 
before padding and signing.  The OID describes the hash algorithm.

ECDSA apparently doesn't do that.  I don't know DSA, but perhaps
it's the same.

 From: Lucas Martins lucasgm...@gmail.com
 To: openssl-users@openssl.org
 Date: 09/28/2011 06:31 PM
 Subject: Why RSA considers Hash algorithm
 Sent by: owner-openssl-us...@openssl.org
 
 I was looking libcrypto code, and found that DSA_sign and ECDSA_sign
 ignore hash algorithm while RSA_sign do not.
 
 Are there any reason for this?


Re: Error While Signature verification ..

2011-09-22 Thread Kenneth Goldman
A failed signature verification can have many causes.  E.g.,

- bad digest
- bad signature
- bad public key
- bad OID

I debug by doing a raw public key operation on the signature.  If you see
obvious padding and a good OID, and the digest doesn't match, then you
have to debug why the hash that was signed is different from the hash that
was verified.

If you see random data, no padding, then either the signature was altered
(unlikely) or the public key used for verification does not match the
private key used for signing (likely).

Hint:  While you can do cool things with C, combining a function call
and two compares within an if statement is poor style when you have to
debug.  Split the line into 3 so you can determine where the error is.

owner-openssl-us...@openssl.org wrote on 09/22/2011 09:19:07 AM:

 From: brajan balamurugan@gmail.com
 To: openssl-users@openssl.org
 Date: 09/22/2011 09:22 AM
 Subject: Error While Signature verification ..
 Sent by: owner-openssl-us...@openssl.org
 
 
 hi, i am using openssl 0.9.8g version to verify the Java signed message.  While
 verifying I got a bad signature error; however the same signature is verified
 in Java correctly ... the error occurs in
 
 
if (((unsigned int)sig->digest->length != m_len) ||
 (memcmp(m,sig->digest->data,m_len) != 0))
{
   RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
}
else
   ret=1;
 
 Why is this error occurring, and how do I overcome this error?


FIPS vs ECDSA

2011-09-16 Thread Kenneth Goldman
I have a preinstalled Linux OpenSSL package, where `openssl version` says
"OpenSSL 1.0.0-fips 29 Mar 2010".

I have the development libraries, but ECDSA headers like e.g., ecdsa.h are 
missing.  In the library, I don't see e.g., EC_KEY_new().

Is this expected?  Do I have a fips build?  Is ECDSA missing from the FIPS 
build?  Or is there simply something wrong with my package?

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


Compiling for 32-bit on 64-bit Linux

2011-09-14 Thread Kenneth Goldman
I'm trying to compile a 32-bit openssl 1.0.0d on Intel 64-bit Linux RHEL 6.1.

This was the only combination of many I tried that seems to work.  Was I 
right?  Was there a better way?

./Configure linux-generic32 -shared -m32

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


Re: out range error compiling fips 1.2.3

2011-09-10 Thread Kenneth Goldman
Replies below.  But the meta-question is does there exist
step by step instructions for compiling the openssl FIPS module.

It seems odd that this is supposed to be so strict, yet the process seems to be
to google around and try various options until something works.

 From: Dr. Stephen Henson st...@openssl.org
 To: openssl-users@openssl.org
 Date: 09/09/2011 09:45 AM
 Subject: Re: out range error compiling fips 1.2.3
 Sent by: owner-openssl-us...@openssl.org
 
 On Thu, Sep 08, 2011, Kenneth Goldman wrote:
 
  I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to
  be the latest.  It seems to be well known on openssl-dev, but I don't know
  what to do about it.  Any ideas?
  
  gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
  -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
  -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
  -DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
  md5-x86_64.s: Assembler messages:
  md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
  
   uname -a
  Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
  14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
  
 
 If you can get OpenSSL to compile despite that error (e.g. different version
 of the assembler) it won't matter because that file isn't used in the FIPS
 module itself.  It's just a side effect of the 1.2 build process that it needs
 to build a complete version of OpenSSL as well as the module.

I thought I was not allowed to touch any of the build configuration.

This is a standard Linux RHEL 6.1 with standard gnu tools.

 
  ~~
  
  A second question.  In researching this error, I saw someone compile with
  
   ./config fipscanisterbuild
  
  That's not in the INSTALL file.  Do I need this?
  
 
 That is for testing purposes for the unvalidated 2.0 module only.  The 1.2
 module uses
 
 ./config fipscanister
 
 instead.

I tried that and got:

 ./config fipscanister 
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
target already defined - linux-x86_64 (offending arg: fipscanister)

Re: out range error compiling fips 1.2.3

2011-09-10 Thread Kenneth Goldman
 From: Jakob Bohm jb-open...@wisemo.com
 Date: 09/09/2011 05:36 AM
 Subject: Re: out range error compiling fips 1.2.3
 
 On 9/8/2011 9:35 PM, Kenneth Goldman wrote:
  ...
 
   A second question.  In researching this error, I saw someone compile with
./config fipscanisterbuild
  That's not in the INSTALL file. Do I need this? 

 Hmm, in previous versions of the FIPS module, there was an
 official document as part of the FIPS approval which restricted
 the FIPS certification to use of a specific sequence of build steps,
 one of which was that command.
 
 Maybe the INSTALL file is the standard OpenSSL INSTALL file and
 not the true FIPS instructions, or maybe that command is only for
 the old FIPS module for version 0.9.x and not for the new module for
 version 1.0.x .
 
 Someone else on this list certainly knows which of those two applies.

I think you're right that the INSTALL file is the standard one.  The string
FIPS never appears.  IMHO, this is a bug in the FIPS tarball.

For the record, 

- When one specifies fipscanisterbuild, a message appears that one should
go to www.openssl.org/docs/fips

- In that page, there's a pdf SecurityPolicy that suggests 

./config fipscanisterbuild noasm

This eliminates the 'out range' error.  But then make test fails with this:

echo test normal x509v1 certificate
test normal x509v1 certificate
sh ./tx509 2>/dev/null
testing X509 conversions
p -> d
make[1]: *** [test_x509] Error 1
make[1]: Leaving directory `/home/kgold/Downloads/openssl-fips-1.2.3/test'
make: *** [tests] Error 2



out range error compiling fips 1.2.3

2011-09-09 Thread Kenneth Goldman
I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to 
be the latest.  It seems to be well known on openssl-dev, but I don't know 
what to do about it.  Any ideas?

gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
-DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement

 uname -a
Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

~~

A second question.  In researching this error, I saw someone compile with 

 ./config fipscanisterbuild

That's not in the INSTALL file.  Do I need this?

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


Re: Req with ECDSA key and CA with RSA key

2011-08-31 Thread Kenneth Goldman
I am doing ECDSA signing and verification of SHA-512 digests.

1.0.0a.  I don't know about 0.9.8.

 From: Rick Lopes de Souza dragonde...@gmail.com

 Does Openssl support ecdsa with sha256 and sha512?
 Only above of 1.0.0 ?




Code pattern for EC_KEY read and write

2011-07-26 Thread Kenneth Goldman
I can create and use an EC_KEY, but I need utilities to write and read it 
to a file.

1 - I assume I should use PEM format, like I do for RSA.  Correct?

2 - Can someone post the call sequence?  There's nothing in the html doc 
yet.  I see some clues in the openssl source, but I'd prefer not to recode 
what already exists.

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


Re: Simple question: Maximum length of PEM file?

2011-07-26 Thread Kenneth Goldman
Is that possible in general?  There's no maximum key size
or signature size, and certificates can have extensions.

I typically read the file size first, then allocate memory, then 
read the file.

In general, hard coding a maximum length is used to enable a
buffer overflow attack.  :-)

owner-openssl-us...@openssl.org wrote on 07/26/2011 07:38:12 AM:

 From: Katif yiz...@gmail.com
 To: openssl-users@openssl.org
 Date: 07/26/2011 09:17 AM
 
 I need to know in advance the maximum length of the following three PEM
 formatted files (excluding the -BEGIN/END lines):
 
 Private key file, Certificate file, CA certificate file.
 
 For example - the following file has 68 characters length:
 
 -BEGIN CERTIFICATE-
 MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ
 TD
 -END CERTIFICATE-



Re: ECDSA public key token to/from binary

2011-07-19 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 07/18/2011 09:49:33 AM:

 From: Billy Brumley bbrum...@gmail.com
 To: openssl-users@openssl.org
 Date: 07/18/2011 10:00 AM
 Subject: Re: ECDSA public key token to/from binary
 Sent by: owner-openssl-us...@openssl.org
 
 Dear Ken,
 
 One way to accomplish this is something along the lines of
 
 EC_POINT *EC_KEY_get0_public_key(const EC_KEY *);
 
 where EC_KEY is the key structure, returning the point as an EC_POINT
 structure, followed by
 
 int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const
 EC_POINT *, BIGNUM *x, BIGNUM *y, BN_CTX *);
 
 where EC_GROUP is setup for P-521 (have a look at
 EC_GROUP_new_by_curve_name), EC_POINT is the public key from the
 previous call; it dumps the coordinates to x and y, where you can use
 BN_bn2bin or whatever you like. You'd reverse it with

Thanks for the response.  Are X and Y the public key?

I tried this and it seems to work.  Error checking omitted for
easier reading.  Comments?

Getting the public key:

group = EC_KEY_get0_group(eckey);
ec_point = EC_KEY_get0_public_key(eckey);
*publicKeyLength = EC_POINT_point2oct(group,
                                      ec_point,
                                      POINT_CONVERSION_UNCOMPRESSED,
                                      *publicKey,
                                      *publicKeyLength,
                                      NULL);

Setting the public key:

*ecPubKey = EC_KEY_new();
group = EC_GROUP_new_by_curve_name(nid);
ec_point = EC_POINT_new(group);
EC_KEY_set_group(*ecPubKey, group);
EC_POINT_oct2point(group,
                   ec_point,
                   publicKey,
                   publicKeyLength,
                   NULL);
EC_KEY_set_public_key(*ecPubKey, ec_point);

 int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
 const BIGNUM *x, const BIGNUM *y, BN_CTX *);
 
 followed by
 
 int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
 
 While this is the manual way to do it that you've asked for, there are
 a few caveats that can affect security so if possible I'd consider
 standard (ANSI? P1363?) methods like EC_POINT_point2bn and so on.
 Those also easily allow point compression if that's needed. In
 general, poke around in include/openssl/ec.h and there is lots of
 useful functionality, although not as much documentation.

I've been doing that poking.
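
As an added example (not code from this thread or from OpenSSL), here is what EC_POINT_point2oct and EC_POINT_oct2point do for P-521, written out in plain Python so the byte layout is visible: the 04||X||Y uncompressed form Ken uses above, the 02/03||X compressed form Billy mentions, and the on-curve check that a careful decoder makes before trusting a received point. The curve constants are the NIST P-521 parameters; the demo point is found by scanning x upwards rather than taken from a real EC_KEY, and the function names are mine.

```python
"""P-521 public key point <-> octet string by hand (what EC_POINT_point2oct/oct2point do)."""
from typing import Optional, Tuple

# NIST P-521 domain parameters (FIPS 186-4 / SEC 2): y^2 = x^3 - 3x + b over GF(p), p = 2^521 - 1
P = 2**521 - 1
A = P - 3
B = int("0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
        "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", 16)
FIELD_BYTES = (P.bit_length() + 7) // 8   # 66 bytes per coordinate


def rhs(x: int) -> int:
    """x^3 + a*x + b mod p."""
    return (x * x * x + A * x + B) % P


def is_on_curve(x: int, y: int) -> bool:
    return 0 <= x < P and 0 <= y < P and (y * y) % P == rhs(x)


def sqrt_mod_p(v: int) -> Optional[int]:
    """p = 3 (mod 4), so v^((p+1)/4) is a square root when one exists; confirm it."""
    r = pow(v, (P + 1) // 4, P)
    return r if (r * r) % P == v % P else None


def point_to_octets(x: int, y: int, compressed: bool = False) -> bytes:
    """EC_POINT_point2oct equivalent: 04||X||Y uncompressed, or 02/03||X carrying the parity of Y."""
    if not is_on_curve(x, y):
        raise ValueError("not a curve point")
    xb = x.to_bytes(FIELD_BYTES, "big")
    if compressed:
        return bytes([0x02 | (y & 1)]) + xb
    return b"\x04" + xb + y.to_bytes(FIELD_BYTES, "big")


def octets_to_point(buf: bytes) -> Tuple[int, int]:
    """EC_POINT_oct2point equivalent.  Rejects wrong lengths, unknown tags and, crucially,
    coordinates that are not on the curve: an attacker-supplied off-curve point must
    never reach a scalar multiplication."""
    if len(buf) == 1 + 2 * FIELD_BYTES and buf[0] == 0x04:
        x = int.from_bytes(buf[1:1 + FIELD_BYTES], "big")
        y = int.from_bytes(buf[1 + FIELD_BYTES:], "big")
    elif len(buf) == 1 + FIELD_BYTES and buf[0] in (0x02, 0x03):
        x = int.from_bytes(buf[1:], "big")
        if x >= P:
            raise ValueError("x out of range")
        y = sqrt_mod_p(rhs(x))
        if y is None:
            raise ValueError("x is not the abscissa of a curve point")
        if (y & 1) != (buf[0] & 1):
            y = P - y                  # the other root has the other parity (p is odd)
    else:
        raise ValueError("malformed point encoding")
    if not is_on_curve(x, y):
        raise ValueError("point is not on the curve")
    return x, y


def demo_point(start_x: int = 1) -> Tuple[int, int]:
    """Deterministically find some curve point for the example by scanning x upwards
    (a constructed stand-in for the public key extracted from an EC_KEY)."""
    x = start_x
    while True:
        y = sqrt_mod_p(rhs(x))
        if y is not None:
            return x, y
        x += 1
```

Embedding the 133-byte uncompressed string in the verifier is exactly Ken's plan; the decoder above is what the verifier should run on it before use, and the same validation applies to any point that arrives over the wire.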



ECDSA public key token to/from binary

2011-07-17 Thread Kenneth Goldman
I have to extract a binary (unsigned char *) representation of a public 
key from an ECDSA openssl key structure.  Later, I want to use that binary 
to reconstruct an openssl public key structure that I can use to verify a 
signature.  The curve is fixed - P521.

I don't need any certificates, just a public key that I can embed in the 
verifier.

Can someone point me toward sample code?  Or, can someone give me some 
hints?

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)


FYI openssl documentation

2011-07-14 Thread Kenneth Goldman
FYI:  I've been using 
http://www.openssl.org/docs/crypto/crypto.html
as a starting point for openssl man pages.

Today, I stumbled upon
http://www.openssl.org/docs/crypto/
which is much more complete.

Is there someone I should email to request an update to the publically 
visible page?  Someone went through the trouble to write and upload the 
man pages.  It's a shame to hide them.

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)




Re: minor version compatibility

2011-05-11 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 05/10/2011 06:52:26 PM:

 From: Dr. Stephen Henson st...@openssl.org
 To: openssl-users@openssl.org
 Date: 05/10/2011 06:57 PM
 
 The answer is probably yes but with some caveats.
 
 If the application is well behaved and doesn't rely on undocumented features
 or access structure internals it should be fine.

The catch is that it's hard to determine what an 'undocumented feature' is.

E.g., the AES_Encrypt function is not in the man page.  Nor is MGF1.
AES_Encrypt persisted from 0.9.8 to 1.0.0.  MGF1 was dropped.



Re: minor version compatibility

2011-05-10 Thread Kenneth Goldman
My experience is more probably than yes.

I recall cases where it did not.  It's also hard to test, because it might
fail some corner case that you don't use often.

owner-openssl-us...@openssl.org wrote on 05/10/2011 05:12:33 PM:

 From: Ken Dreyer ktdre...@ktdreyer.com
 To: openssl-users@openssl.org
 Date: 05/10/2011 05:27 PM
 
 I'm pretty sure this is yes, but I don't see it documented anywhere.
 
 Are the various minor versions of OpenSSL binary compatible? For
 example, if I built Apache's mod_ssl against a previous 0.9.8 release,
 and I update my system to 0.9.8r, will everything work?


Re: TPM engine

2011-05-03 Thread Kenneth Goldman
I'd try a trousers mailing list as well.

I just compiled trousers and linked with openssl 1.0.0 and it works.  But 
I didn't try the TPM engine, which I understand to be a layer on top of 
trousers.

Did you 'discover' that it doesn't work through documentation or did you 
try to link.  My experience is that most openssl linker errors and runtime 
segfaults are due to mixing different versions of openssl on a platform. 
openssl releases often break binary compatibility.

owner-openssl-us...@openssl.org wrote on 05/02/2011 08:32:38 PM:

 From: Nicholas Wehr openssl-develop...@primacinema.com
 To: openssl-users@openssl.org
 Date: 05/02/2011 08:36 PM
 
 We're looking at using the Trousers stack for the backend of openssl
 in order to :
 provide access to an RSA key stored within the TPM
 use the TPM crypto funtions
 We've now discovered that the Trousers engine 
 (libengine_tpm_openssl) does not work with the 1.0.0 branch of 
 openssl. What are you doing to integrate your TPM? Is there a 
 Trousers alternative? Is there a modification/patch available to get
 the 1.0.0 to address the issue?
 
 http://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%
 20Engine/0.4.1/openssl_tpm_engine-0.4.1.tar.gz/download
 
 Thanks!
 -nicholas

Re: Building OpenSSL vs Downloaded

2010-12-22 Thread Kenneth Goldman
I use the precompiled openssl from 
http://www.slproweb.com/products/Win32OpenSSL.html

I typically build with gcc, although I've used Microsoft VC++ in the past.

Perhaps post the linker error.  I can send you a link to a sample makefile 
if you like.

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)




From:   hpenaguz...@aim.com
To: openssl-users@openssl.org
Date:   12/22/2010 01:55 PM
Subject:Re: Building OpenSSL vs Downloaded
Sent by:owner-openssl-us...@openssl.org



May I ask which download version are you using?, I tried several and 
couldn't build it and neither use it with Borland, I got a linker error.

Thanks.

-Original Message-
From: Ryan Pfeifle r...@vpi-corp.com
To: openssl-users openssl-users@openssl.org
Sent: Tue, Dec 21, 2010 4:08 am
Subject: RE: Building OpenSSL vs Downloaded

You do not need to build the library unless you want to customize it.  If 
you do compile it, it can be used with other compilers.  I use the 
downloaded version with Borland C++Builder 5 and 6, though it was 
originally built with VC++, and it works fine.
 



openssl version constants - question and request

2010-12-15 Thread Kenneth Goldman
Question:

OPENSSL_VERSION_TEXT is undocumented.  Can I count on it being there and 
up to date, or is it for internal use only?

Request:

OPENSSL_VERSION_NUMBER varies between a long and an int constant.  Could
it please be standardized?

Legal RSA exponents

2010-11-12 Thread Kenneth Goldman
OpenSSL will hang if one asks it to create a key with an illegal (e.g., 
even) public exponent.

Is there a simple test for a legal public exponent? 

If not, is there a list of commonly used ones.  3,17,65537, ...


Re: rsa_sign versus RSA_private_encrypt

2010-10-28 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 10/28/2010 03:07:18 AM:

 From: Bob Dijck di...@turnhout.tokheim.com
 
 I am trying to implement a signing function in C++ using RSA.
 Here’s how I wanted to do this:
   - First I calculate the SHA1 hash (not using openssl but another 
 implementation).
   - But then what? Should I use RSA_private_encrypt or rsa_sign? 
 When I use RSA_private_encrypt the result is different from when I 
 use rsa_sign… The openssl support pages mention that in case of 
 RSA_PKCS1_PADDING (that’s the one I use) I should use rsa_sign. Is 
 there any way around this?
 
 I thought that signing was a two step process: hash + RSA encryption
 of hash. Am I doing something wrong?

There are two other steps. It's:

- hash
- prepend an OID
- prepend a pad
- RSA private key operation

If your application likes openssl's standard OID and pad, you can
use rsa_sign.  If not, you can do whatever you like.



PEM_write_PUBKEY segfault with 1.0.0 on windows

2010-10-06 Thread Kenneth Goldman
I'm getting a PEM_write_PUBKEY() segfault.  This is existing code that works
with 0.9.8 on Windows or 1.0.0 on Linux, but fails with 1.0.0 on Windows.
What's my latent bug?

Here's a small sample that fails:

RSA *rsa = RSA_generate_key(512, 65537, NULL, NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa);
FILE *file = fopen("tmp.pem", "wb");

PEM_write_PUBKEY(file, pkey);

In my actual application, I set rsa->n and rsa->e to bignums that
I generate.  I think that should be enough to write the public key.

Re: Install openssl without root rights

2010-09-28 Thread Kenneth Goldman
It depends what you mean by 'install'. 

You can certainly install it under your home directory and use it or link 
to it.  I often do that when testing with a new version.

If you want to install it in a standard place like e.g. /usr/lib, then you 
need rights to write that directory, often root rights.

owner-openssl-us...@openssl.org wrote on 09/28/2010 02:57:59 AM:

 From: fabermundi fabers...@hotmail.com

 I have to install openssl on a Computer with openSUSE where I don't have any
 root rights.
 Is this possible? How?


OpenSSL state and suspend/resume

2010-09-23 Thread Kenneth Goldman
How does one handle a suspend/resume power cycle when using OpenSSL?

Specifically, suppose one is in the middle of a SHA-1 Init/Update/Final 
sequence when the suspend signal occurs?  What happens to SHA_CTX?

I know I can save and restore SHA_CTX by peering into the structure.  I 
also know that OpenSSL won't guarantee that the structure will be fixed 
forever, so my code will be fragile.  Is there a better alternative?



I have a similar question regarding the RNG state, but I think I can 
reseed it after the resume.



I don't see any other functions that keep internal or opaque state.  Are 
there any I should be concerned with?  I use only SHA-1, RSA, AES, lots of 
bignum functions, and the RNG.


Re: Why 2 DLL's for building OpenSSL

2010-07-06 Thread Kenneth Goldman
An argument against combining the two DLL's with a custom build
is that your configuration will be different from everyone else.
Whoever maintains your code after you move on will have to learn
your non-standard configuration.  More likely, they'll waste
time undoing your strange setup and going back to the standard.

owner-openssl-us...@openssl.org wrote on 07/05/2010 06:54:51 AM:

 Deckers, Rob rob.deck...@oce.com

 I am trying to build OpenSSL by using CMake ( only for windows )
 files to generate visual studio solutions.

  Now I see that OpenSSL results in 2 .dll files.

 Is there a special reason why 2 DLL's?
 Could it be combined in just one DLL?

1.0.0 EVP_PKEY_assign_RSA() segfault

2010-04-13 Thread Kenneth Goldman

I have some fairly basic code that is now segfaulting reliably with 1.0.0.
It has worked for years with all 0.9.8 releases.

1 - Did something change that I should know about?  Before I compile
openssl for debug and step through it, is there something I should look
for?

2 - The meta-question:  Is there an 0.9.8 - 1.0.0 porting guide.  I'm
debugging, but it looks like a long chore.

RSA *rsa;
EVP_PKEY pkey;
...
(software that constructs the RSA key structure)
...
OpenSSL_add_all_algorithms();
EVP_PKEY_assign_RSA(pkey, rsa);

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Re: Openssl tarball SHA1 checksum

2010-04-12 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 04/11/2010 01:38:14 PM:

 * Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400:
 I notice that the tarballs also include a SHA1 digest. What's the
 point?

 To have a check whether the FTP download was successful to avoid
 accidentally using corrupt files, a file integrity check with a
 checksum is quite common.

Aha.  So it's just a double check on ftp?  It's not trying to
protect against an attacker targeting the openssl site or
the download process?

Openssl tarball SHA1 checksum

2010-04-10 Thread Kenneth Goldman

This is an openssl security meta-question.

I notice that the tarballs also include a SHA1 digest.  What's the point?

1 - If anyone has authority to update the tarball with a counterfeit, can't
they also update the SHA1.
2 - The web site isn't protected by ssl (ironic).  A MIM altering the
tarball could similarly alter the SHA1.

The FAQ implies that one should get the SHA1 from the main site and the
tarball from a mirror.  Is that the point?

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Re: OpenSSL 1.0.0 released

2010-03-30 Thread Kenneth Goldman
Is there any significance to the 1.0.0 value other than it's the next
number after 0.9.9?

(Hoping that someone will answer that openssl will guarantee backward
compatibility from here on.)

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)



MGF1 not exported in 1.0.0

2010-01-22 Thread Kenneth Goldman

Between 0.9.8 and 1.0.0, the function rsa_oaep.c:MGF1() was changed to
static.

This breaks backward compatibility.  IMHO, the static keyword should be
removed.

(Copying the users mailing list.  My hope is that I can gather some
community support for the importance of backward compatibility.)

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Re: General question about documentation

2009-12-01 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 11/26/2009 06:35:42 PM:

  Finally, the source code IS the only reliable source of documentation
  (assuming you can trust your compiler, OS, and hardware to do the
  right thing). It isn't the most CONVENIENT, which is why we desire
  other forms.

Two problems:

1 - Reading the source is only as reliable as the skill of the reader and
the comments in the code.  I'd rather have the answers than a research
project.

2 - If I read the source, I can't determine which functions are stable
and intended to be used by applications and which are internal and
subject to change or deletion with every release.

 the implementation details of the 250-odd API entry points in libssl.so
 would tell me very little about how to properly USE those APIs, and in
 fact, designing an application around my interpretation of the library
 developers intent would likely lead me down some rabbit holes I'd rather
 not explore.

User manual type documentation would be nice, but I'd be content with
a more complete implementation of what's there now.  E.g., the AES
functions are not documented yet.

I find the current documentation quite clear and easy to use.  My
only issue is that some functions are just not documented.


Re: Encrypting 32/64 bit integers

2009-09-30 Thread Kenneth Goldman
owner-openssl-us...@openssl.org wrote on 09/30/2009 03:27:56 AM:

 On Fri, Sep 18, 2009 at 01:59:12PM -0700, musikit wrote:
 
  again works awesome for strings. however we are realizing there are
  sometimes we just want a 32 bit int or a 64 bit int encrypted and nothing
  else.

 You could just xor the bits with the key.

With XOR, you can toggle a bit in the cleartext by
toggling a bit in the ciphertext.  This property may or may not be
important to you.
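
An added example, not from the thread, that makes the XOR malleability concrete in plain Python for a 32-bit integer: an attacker who never sees the key can flip chosen plaintext bits by flipping the same ciphertext bits, and one who knows the current plaintext can rewrite it to any value of their choosing. The key bytes and integer values are constructed for the demonstration; the function names are mine.

```python
"""Why XOR 'encryption' of an integer is malleable: ciphertext bit flips are plaintext bit flips."""
WIDTH = 4  # bytes in a 32-bit integer


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_u32(value: int, key: bytes) -> bytes:
    """XOR a 32-bit unsigned integer (big-endian) with a 4-byte key."""
    return xor_bytes(value.to_bytes(WIDTH, "big"), key)


def decrypt_u32(ct: bytes, key: bytes) -> int:
    """XOR is its own inverse, so decryption is the same operation."""
    return int.from_bytes(xor_bytes(ct, key), "big")


def flip_bit(ct: bytes, bit: int) -> bytes:
    """Attacker with no key: toggling ciphertext bit `bit` toggles the same plaintext bit.
    Bit 0 is the least significant bit of the integer, i.e. bit 0 of the last byte."""
    i, mask = WIDTH - 1 - bit // 8, 1 << (bit % 8)
    return ct[:i] + bytes([ct[i] ^ mask]) + ct[i + 1:]


def rewrite_known_plaintext(ct: bytes, known: int, wanted: int) -> bytes:
    """Attacker who knows the current plaintext sets any value without the key:
    c' = c XOR (m XOR m'), because c XOR k = m implies c' XOR k = m'."""
    return xor_bytes(ct, (known ^ wanted).to_bytes(WIDTH, "big"))
```

Nothing here depends on the key: the same two functions work against any key, which is the property to weigh before protecting an amount, a counter or a permission mask this way.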

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Kenneth Goldman

It sounds like the question is how do I lock the client private key,
so the user/attacker can't move it off the office PC?

For the casual user, "If you do this, you'll lose your job" might work.
For a determined attacker, I can't see how any software-only solution
would work.  Consider a hardware solution like a key pair locked
in a TPM.

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)



   
 From: tito tit...@gmail.com
 To: openssl-users@openssl.org
 Sent by: owner-openssl-user...@openssl.org
 Date: 07/14/2009 11:49 PM
 Subject: Re: How to create a non exportable private key certificate using openssl
 Please respond to: openssl-us...@openssl.org




Thanks a lot for the reply David.

First I will explain my threat model. I have got lot of employees who do
some transactions around the world sitting in their branch offices and I
need to authenticate them using DC. So they raise a request from their
browser and I provide them with a certificate from my openssl. The browser
will be in the PC of the office branches.

Now the threat is, if an agent exports the certificate he acquired to a USB
or in some other way and goes to his home PC or somewhere else and he
imports the certificate to his personal PC and starts doing
transactions. This cannot be allowed and the agent should do only
transactions from his office PC allotted to him.

As you have said,
simply graying out the option to export the key is sufficient.

But the agent is a franchisee and I cannot force them to install or do
something in their PCs, nor can I check whether they are ensuring the
instructions. So I cannot force or tell the agent to do some
configuration/modification in his PC or browser.

If he uninstalls and deletes the certificates/browser or changes his PC, I
shall issue him a new certificate.

He shouldn't be able to export/backup the private key or the certificate I
have issued to him.

Also this is not an issue in IE, as I can disable the option to export the
private key. So in IE, this requirement works well.
But I cannot enforce the agents to use Windows/Linux or IE/Mozilla. The
agents have the choice of infrastructure they can use. So I cannot enforce
them to use IE or Windows.


2009/7/15 David Schwartz dav...@webmaster.com

  tito wrote:

   I have used SPKAC format to request a digital certificate from mozilla
   and signed the request with my master key from open ssl and imported it
   to my mozilla. I can readily export (backup) the private key + certificate
   from mozilla and import it to some other system's mozilla browser. I don't
   want this to happen. I don't want the private key to be exported. Is there
   any option in openssl to disable this.

  It's not really possible to give you useful advice without understanding
  your threat model. For example, would simply graying out the option to
  export the key suffice? Or do you need to prevent the key from being
  extracted even by a determined attacker? (For example, is simply shutting
  off Mozilla's export option sufficient even if Mozilla is still capable of
  exporting the key?)

  In principle, for Mozilla to prove it is entitled to use the certificate, it
  must perform operations using the private key. Unless the key is stored in a
  hardware token, there is no way to stop it from exporting the very same
  private key data it is using to perform those key operations.

  What is your outer problem? Are you trying to prevent against user error?
  Are you trying to protect against malicious corruption of the browser by a
  determined attacker with access to the local system?

  DS


  __
  OpenSSL Project                                 http://www.openssl.org
  User Support Mailing List                    openssl-us...@openssl.org
  Automated List Manager                           majord...@openssl.org

Re: Does AES_cbc_encrypt remove PKCS5 padding

2009-05-07 Thread Kenneth Goldman

I use that function, and it does not remove padding.

1 - How would it even know what is padding and what is your data?
2 - Why do you think it removes the padding?  The function does
  not return a length.

Here's a really wild guess:  Are you perhaps padding your data with
zeros and then using strlen() to determine the length of the result?

owner-openssl-us...@openssl.org wrote on 05/06/2009 05:53:27 PM:

 AngelWarrior srikanth.bemin...@gmail.com


 But I am experimenting with the code which is actually removing the
 padding by calling
 AES_cbc_encrypt((unsigned char*)input, (unsigned char*)(output),
  (const unsigned long)(length), ks,
  (unsigned char*)ivec, AES_DECRYPT).
 What is EVP layer?

 On Wed, May 6, 2009 at 3:45 PM, Dr. Stephen Henson st...@openssl.org wrote:
 On Wed, May 06, 2009, AngelWarrior wrote:

  Hi,
 
  Does AES_cbc_encrypt add or remove the padding, if I provide
  un-padded data in multiples of 16 bytes? I wrote a piece of code
  where I am manually adding the padding, but when I decrypt using
  AES_cbc_encrypt the padding is automatically removed.
 

 None of the low level cipher routines including AES_cbc_encrypt() add or
 remove padding. That is handled in the EVP layer.
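
As an added example (not code from this thread): a PKCS#5/#7 pad and unpad pair of the kind the EVP layer applies around a raw block-cipher call such as AES_cbc_encrypt(). The helper names, the 16-byte block constant and the sample inputs are this example's own; it also shows why a raw block cannot reveal on its own whether padding was ever applied.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 16   /* AES block size in bytes */

/* Append PKCS#5/#7 padding in place; buf needs room for one extra block.
 * Returns the padded length.  Each pad byte holds the pad length, and a
 * whole block is appended when len is already a multiple of BLOCK, which
 * is what lets the receiver tell padding from data. */
size_t pkcs7_pad(unsigned char *buf, size_t len)
{
    unsigned char n = (unsigned char)(BLOCK - (len % BLOCK));
    memset(buf + len, n, n);
    return len + n;
}

/* Strip PKCS#5/#7 padding after decryption.  Returns the data length, or
 * -1 if the padding is malformed.  Every pad byte is checked, not only
 * the last one; in a real protocol the MAC is verified before this runs. */
long pkcs7_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLOCK != 0)
        return -1;
    unsigned char n = buf[len - 1];
    if (n == 0 || n > BLOCK)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (buf[len - 1 - i] != n)
            return -1;
    return (long)(len - n);
}

/* Pad a copy of data and unpad it again: the length an EVP decrypt with
 * padding enabled hands back.  Handles at most 3 blocks of input. */
long pad_unpad_roundtrip(const unsigned char *data, size_t len)
{
    unsigned char buf[4 * BLOCK];
    if (len > sizeof(buf) - BLOCK)
        return -1;
    memcpy(buf, data, len);
    return pkcs7_unpad(buf, pkcs7_pad(buf, len));
}

int main(void)
{
    /* Constructed inputs: a short string, and a full block of data whose
     * last byte happens to be 0x01. */
    unsigned char full[BLOCK];
    memset(full, 'A', BLOCK);
    full[BLOCK - 1] = 0x01;

    printf("\"hello\" padded and unpadded: %ld bytes\n",
           pad_unpad_roundtrip((const unsigned char *)"hello", 5));
    /* Nothing was ever padded here, yet the block still "unpads": the
     * raw cipher cannot know whether padding was applied, only the
     * caller can. */
    printf("raw block ending in 0x01 unpads to %ld bytes\n",
           pkcs7_unpad(full, BLOCK));
    return 0;
}
```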

Re: OpenSSL 1.0.0 beta 1 released

2009-04-02 Thread Kenneth Goldman
Assuming it's not a joke, what's the meaning of a 1.0 as opposed to
0.9.something?

My hope is that you'll say the API is frozen and that there's a commitment
not to break backward compatibility in future releases.

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Linking with mingw on Windows

2009-03-10 Thread Kenneth Goldman
What's the linker format when using [gcc / mingw] on Windows?
I am not using cygwin!

I assume I should use the libraries in .../OpenSSL/lib/MinGW,
but maybe not.

I've tried
  -leay32
  -LC:/program files/openssl/lib/mingw/libeay32.a
and even
  copying libeay32.a to libcrypto.a and
  -lcrypto

I've linked in ssleay32.a as well. It's seeing the library file,
because I get a file not found error if I spell the library name
incorrectly.  But it's not finding the functions.

For all cases, I get errors of the form:

  c:107: undefined reference to `RSA_new'

for all openssl function calls.

--
Ken Goldman   kg...@watson.ibm.com
914-784-7646 (863-7646)

Re: Linking with mingw on Windows

2009-03-10 Thread Kenneth Goldman
Several comments:

1 - The Windows binary distribution of OpenSSL doesn't come
with libcrypto.a

2 - nm shows that RSA_new() is in libeay32.a

3 - libeay32.def shows RSA_new()

I believe that I have the libraries.  I feel like I'm just
missing some makefile option, some Windows oddity, or some
gcc flag.

owner-openssl-us...@openssl.org wrote on 03/10/2009 07:10:19 AM:

 Hi,

 RSA_new is defined in libcrypto. It is obviously not defined in
 libeay32. You can check it with nm libeay32.a | grep RSA_new. Then
 you should probably get a good copy of libcrypto.

 BR,
 Nikos
 - Original Message -
 From: Kenneth Goldman
 To: openssl-users@openssl.org
 Sent: Monday, March 09, 2009 8:26 PM
 Subject: Linking with mingw on Windows

 What's the linker format when using [gcc / mingw] on Windows?
 I am not using cygwin!

 I assume I should use the libraries in .../OpenSSL/lib/MinGW,
 but maybe not.

 I've tried
 -leay32
 -LC:/program files/openssl/lib/mingw/libeay32.a
 and even
 copying libeay32.a to libcrypto.a and
 -lcrypto

 I've linked in ssleay32.a as well. It's seeing the library file,
 because I get a file not found error if I spell the library name
 incorrectly. But it's not finding the functions.

 For all cases, I get errors of the form:

 c:107: undefined reference to `RSA_new'

 for all openssl function calls.

 --
 Ken Goldman kg...@watson.ibm.com
 914-784-7646 (863-7646)

Re: OpenSSL Version Compatibility issues

2008-10-01 Thread Kenneth Goldman
In general, I find that openssl routinely breaks backward
compatibility.  Even header files are incompatible - compiling
with one version and linking with another will cause errors.

It would be wonderful to finally get to a version 1.0 which
would freeze the existing API and guarantee backward
compatibility.

[EMAIL PROTECTED] wrote on 09/30/2008 06:20:45 AM:

 I am facing issues in running my application on two different Linux
 distributions having different OpenSSL versions.

 The application "foo" is built on SUSE 9 and is intended to be
 executed on RHEL 4, 5, SUSE 9 and 10. The application "foo" links
 implicitly and dynamically with OpenSSL libraries on SUSE 9, where the
 OpenSSL version is 0.9.7d. When I try to run the application on RHEL 5,
 where the OpenSSL version is 0.9.8b, I get the following error.


Re: Do you have to pre-pend 16 bytes to a raw value before RSA encryption

2008-09-17 Thread Kenneth Goldman
[EMAIL PROTECTED] wrote on 09/17/2008 08:10:09 AM:

 I just completed writing my first program using libcrypto to handle
 RSA encryption using a public key extracted from an X509 certificate.
 This program communicates with a service created by our parent company.

 The first attempts that I made to run my program against the
 service, resulted in an error back from it stating that an encrypted
 field was required. After much brow beating, I spoke to a colleague
 of mine that works on another system and had to interface that
 system in to parent company service as well. He said that he had to
 pre-pend 16 bytes of data to the raw field prior to encrypting through
 RSA.

 Sure enough, having pre-pended 16 bytes to my raw field before
 encrypting through RSA_public_encrypt() and sent the result to
 service, I got success!

 So my question is, is it required to pre-pend 16 bytes to the raw
 field or is this something my parent company are doing for their own
 reasons?

What padding are you specifying?  I suspect that you are specifying
no padding, in which case the size of the input must be the same
as the size of the key.

Use one of the standard paddings.  Roll your own after
consulting with many competent cryptographers.  (If they're
competent, they'll tell you not to roll your own.)

Re: Problem generating csr

2008-09-12 Thread Kenneth Goldman
The rpm manager will only update if you install through rpm.

1.5 gb sounds absurd for a csr.  Perhaps dump the beginning of
it to see if a particular field is incorrect.

[EMAIL PROTECTED] wrote on 09/11/2008 02:34:04 PM:

 I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h.  The
 version of OpenSSL available for download from Red Hat Network was
 out of date so I downloaded OpenSSL 0.9.8h from openssl.org and did
 a ./configure, make, make install.  Now, if I do an openssl version,
 it displays the correct version, 0.9.8h.  However, the rpm manager
 still shows the old version.

 My problem is when I generate a csr, the csr file is over 1.5 GB.
 Needless to say I think my OpenSSL configuration is screwed up.  By
 the way I am a noobie if you haven’t already guessed.

 Help is greatly appreciated.

 Dave

RE: Basic question on version number..

2008-08-24 Thread Kenneth Goldman
 The decision in the case of OpenSSL was that 1.x would have a stable API,
 permitting shared libraries to be used interchangeably. OpenSSL does not
 have a stable API yet, officially.

If that's the rationale, I eagerly await 1.0.  The lack of a stable
API has hurt me far too many times.  I encourage the developers
to freeze the existing API.

 Shared library is currently an experimental feature.  The only reason to
  have them would be to conserve memory on systems where several programs
  are using OpenSSL.  Binary backward compatibility can't be guaranteed
  before OpenSSL version 1.0.

I think this was the original idea.  For me, the more important reason
to use a shared library is the ability to upgrade the library when I
don't have access to the source/object code that uses the library.

Re: SSL_connect failure when switching from 0.9.7 to 0.9.8

2008-07-29 Thread Kenneth Goldman
In my experience, openssl releases routinely break compatibility.
This occurs for letter as well as number changes.

Compiling against the new version is not enough.  You must
link with the same version.  Dynamic linking offers a
third possibility for inconsistency.

The symptom I typically see is that almost everything works,
but some function call will crash the program.

[EMAIL PROTECTED] wrote on 07/24/2008 06:08:40 PM:

 Hi everybody,

 I'm working on a project that uses OpenSSL to securely communicate
 between server and client. So far the project has been using OpenSSL
 version 0.9.7l but last week we decided to switch to 0.9.8.f. Our code
 compiled against the new version just fine but now it no
 longer works properly. The client code tries to connect to the server
 and gets an error returned by SSL_connect(). The error is
 SSL_ERROR_SSL so it's a protocol related problem.

 Has anybody had a similar experience when switching to 0.9.8? The code
 worked just fine before with 0.9.7 and it also successfully
 compiled against the new version with no errors so I expected
 everything to work.

 I know the underlying connection works fine, including BIO because I
 tested it with a few reads/writes.
 Can anybody point me in the right direction? Any help is greatly
 appreciated.

 Thanks,
 Alen


Re: Compiling static vs. dynamic and building a universal binary

2008-07-18 Thread Kenneth Goldman
[EMAIL PROTECTED] wrote on 07/17/2008 12:16:18 PM:

 Has this ever been (in recent history) an issue within a given
 release branch?
 I.e. has 0.9.8(n+1) ever broken apps that were running ok against 0.9.8n?
 0.9.8x is of course not backwards compatible with 0.9.7y, and 0.9.9 will
 not be backwards compatible with 0.9.8 either. But that's why (reputable)
 distros allow these branches to coexist and be upgraded independently.

I had one yesterday.  I was linking with 0.9.8d, but I incorrectly
had 0.9.8a include files in my path.  This unfortunately simulated
compiling with 'a but then an upgrade to 'd.

Almost everything worked, but HMAC core dumped deep in my code.

... a plea to make as many new functions as you like, but
freeze the existing ones.

I don't even like changes outside a release branch.  I don't want
my 0.9.8 apps to break because some new one installed 0.9.9.


Re: Compiling static vs. dynamic and building a universal binary

2008-07-17 Thread Kenneth Goldman
[EMAIL PROTECTED] wrote on 07/16/2008 10:08:31 AM:

 2) using static builds has a benefit: you know exactly what your
 application is going to get SSL-wise: you will be sure it is installed
 on the target system because you brought it along. The drawback is
 that you have to provide your own update path to track security fixes
 -- that is compared to an OS/platform where others do the tracking and
 updating for you (e.g. active Linux distros  with dynamic libraries).

Is this really a drawback?  Since OpenSSL updates break backward
compatibility, there's a problem as well with dynamic libraries.
Someone installs an update, possibly automated, possibly the install
of another program, and suddenly your application fails in strange
ways.

[... my quixotic plea for NEVER breaking backward compatibility]


Re: R: PEM_read_RSAPublicKey problem

2008-07-01 Thread Kenneth Goldman
Perhaps the problem is that you're reading the public key and
trying to sign.  Signing uses a private key.

Try:

PEM_read_RSAPrivateKey()
RSA_sign()

[EMAIL PROTECTED] wrote on 06/27/2008 11:31:42 AM:

 Excuse me,
 I'm trying, using C, to do a simple sign and verify with RSA public and
 private keys on pem files.
 Which is the easy way?


Strategy for freeing EVP and RSA keys

2008-06-02 Thread Kenneth Goldman
I'd like confirmation that I understand how to free RSA keys.

I create an RSA *key.  I then use it to create an EVP_PKEY
using EVP_PKEY_new() and EVP_PKEY_assign_RSA().

Later, I want to free everything.

I _think_ that EVP_PKEY_free() will free both the EVP_PKEY and the
RSA objects.  Is that correct - that there's an implied free of the RSA
object?

If so, is this the correct strategy:

If the EVP_PKEY was created correctly
  free the EVP_PKEY
else if the RSA key created correctly
  free the RSA key

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


Debugging i2d_X509() segfault

2008-06-02 Thread Kenneth Goldman
Subject says it:  What is a good approach to debugging a segfault
in i2d_X509()?

The X509 certificate succeeds when I use X509_sign().  But
when I sign by hand, adding the two signature algorithms,
signing with RSA_sign(), and adding the signature to
the structure, X509_print_fp() segfaults.

The X509 structure (before serialization) verifies.
X509_print_fp() on the structure also succeeds.

Is there, for example, a way to i2d() the X509 parts
to narrow down the problem?

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


Failing to read password protected pem file

2008-05-28 Thread Kenneth Goldman

I'm having trouble programmatically reading a password protected
.pem file.  With the same openssl library, I can read it using the
openssl command line.

Based on the below failure call stack, it seems to be failing getting the
nid for the cipher.

I suspect some compiler or linker option, but the fact that
the 'openssl' application works with the same library confuses
me.

Call stack:

PEM_read_bio_PrivateKey
  PEM_bytes_read_bio
    PEM_get_EVP_CIPHER_INFO
      OBJ_sn2nid (AES-256-CBC)
        OBJ_NAME_get
          lh_retrieve

Program snip, basically the same as apps.c:load_key()

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>

#define ERROR_CODE 1    /* placeholder: the original's definition was not posted */

typedef struct pw_cb_data
{
    const void *password;
    const char *prompt_info;
} PW_CB_DATA;

int main()
{
    long        rc = 0;     /* general return code */
    PW_CB_DATA  cb_data;
    BIO         *key = NULL;
    EVP_PKEY    *pkey = NULL;

    cb_data.password = "";
    cb_data.prompt_info = "signkey.pem";

    key = BIO_new(BIO_s_file());
    if (key == NULL) {
        printf("Error BIO_new() failed\n");
        rc = ERROR_CODE;
    }
    if (BIO_read_filename(key, "signkey.pem") <= 0) {
        printf("Error opening %s\n", "signkey.pem");
        rc = ERROR_CODE;
    }
    pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, &cb_data);
    if (pkey == NULL) {
        printf("unable to load key\n");
        rc = ERROR_CODE;
    }
    return (int)rc;     /* remainder of the program omitted in the post */
}

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


X509 certificates through API

2008-05-20 Thread Kenneth Goldman

Is there sample code anywhere for how to construct X509 certificates
programmatically, through the API, not the command line?

The documentation includes the serialization APIs, but
little else.

I assume, since it can be done from the command line, that
the code exists and is just not documented.  Could I be
wrong?

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


Re: OPENSSL_Uplink(00509010,07): no OPENSSL_Applink

2008-02-18 Thread Kenneth Goldman
http://www.openssl.org/docs/crypto/OPENSSL_Applink.html

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


[EMAIL PROTECTED] wrote on 02/16/2008 03:17:10 PM:

 hello,

 I use the functions:

 r = RSA_generate_key(bits, e, NULL, NULL);

 oFile = fopen("MyKey.txt", "w");

 if (oFile != 0) {
     RSA_print_fp(oFile, r, 0);
     fclose(oFile);
 }
 to create one RSA key. But I got the error: OPENSSL_Uplink(00509010,
 07): no OPENSSL_Applink

 How can I handle this problem?

 Thanks!


Re: RSA_public_decrypt error

2008-02-12 Thread Kenneth Goldman
[EMAIL PROTECTED] wrote on 02/11/2008 10:22:00 AM:

 I'm not that good in OpenSSL. How do I create an RSA file if I only
 have a modulus and exponent. Programmatically I have set the 2
 values with BN_bin2bn(), but how do I save this to a file?

I use PEM_write_RSAPublicKey()

It's interesting that the working case has the ciphertext the same size as
the modulus, while the failing case seems to be missing a byte.