Re: Read a Bignum from file
Angel Martinez Gonzalez wrote:

> Hello:
> I wrote a BIGNUM into a file using the function:
>
>   int BN_print_fp(FILE *fp, const BIGNUM *a);
>
> But how can I read this bignum from this file? I don't know an openssl
> function to read a bignum from a file.

Hello, you can read a Bignum from a file with this method:

#include <stdio.h>
#include <string.h>
#include <openssl/bn.h>

int main(void)
{
    BIGNUM *b;
    FILE *f;
    char buff[128];     /* must depend on the Bignum size; BN_hex2bn
                           needs a NUL-terminated hex string */
    size_t n;

    b = BN_new();
    if (b == NULL)
        return 1;
    BN_add_word(b, 123456789);

    /* write the number as hex text, the format BN_print_fp uses */
    f = fopen("bignum", "w");
    if (f == NULL)
        return 1;
    BN_print_fp(f, b);
    fclose(f);
    BN_free(b);
    b = NULL;           /* so BN_hex2bn allocates a fresh BIGNUM below */

    /* start reading */
    f = fopen("bignum", "r");
    if (f == NULL)
        return 1;
    n = fread(buff, 1, sizeof(buff) - 1, f);
    fclose(f);
    if (n == 0)
        return 1;
    buff[n] = '\0';     /* terminate the string: fread does not */

    /* BN_hex2bn reverses BN_print_fp: hex text -> BIGNUM */
    if (!BN_hex2bn(&b, buff))
        return 1;
    printf("BN read from file : ");
    BN_print_fp(stdout, b);
    printf("\n");
    BN_add_word(b, 1);
    printf("BN read from file + 1 : ");
    BN_print_fp(stdout, b);
    printf("\n");
    BN_free(b);
    return 0;
}

--
Ludovic FLAMENT

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
Re: Practical CA problem - modified requests
> the openssl verify command checks CA chains, not certificate/key pairs.

No, that is not true. The verification is on the signature of the certificate request. Example:

$> openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify OK

$> openssl asn1parse -in my.req -dump
...
  249:d=3  hl=3 l= 141 prim: BIT STRING   (!! : change)
    0000 - 00 30 81 89 02 81 81 00-d9 5b a7 4c 6f fe d3 07   .0...[.Lo...
    0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f   ...n.+.CM.P*(..?
    0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8   .*|...1A{.7.
    0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c   $..qQU.\
    0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e   ...I1..b. g~
    0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a   ...&yB..Cv..
    0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7   s4.F2..#'K9..[2.
    0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89   XZ...<{)..+.
    0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01            .B.!..o..
...

This is the public key corresponding to the private key that signed the request. I change one octet of the public key and verify the request:

$> openssl asn1parse -in my.req -dump
...
  249:d=3  hl=3 l= 141 prim: BIT STRING   (!! : change)
    0000 - 00 30 81 89 02 81 81 00-d9 5b b7 4c 6f fe d3 07   .0...[.Lo...
    0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f   ...n.+.CM.P*(..?
    0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8   .*|...1A{.7.
    0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c   $..qQU.\
    0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e   ...I1..b. g~
    0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a   ...&yB..Cv..
    0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7   s4.F2..#'K9..[2.
    0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89   XZ...<{)..+.
    0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01            .B.!..o..
...

$> openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify failure

--
Ludovic FLAMENT.
----- Original Message -----
From: "Andrew Cooke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 4:54 PM
Subject: Practical CA problem - modified requests
Re: Practical CA problem - modified requests
Just verify the signature of the request with:

  openssl req -verify -in requestfile

When a user makes a request, he signs it with his private key, so if anyone changes the contents of the request, the signature verification fails.

--
Ludovic FLAMENT.

----- Original Message -----
From: "Andrew Cooke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 4:54 PM
Subject: Practical CA problem - modified requests

> Hi,
>
> How do I detect whether a certificate request (in particular, the public
> key) has been modified before signing?
>
> The only solutions I can see are:
>
> - doing an explicit test using private and public key
>
> - checking the public key data in request and certificate by eye
>
> I cannot see any way of detecting this using openssl as a standalone tool -
> there is no support (that I can see) for request fingerprints and no
> automated test to compare request and certificate, or certificate and
> private key.
>
> Note that fingerprints after signing do not detect modifications before
> signing and the openssl verify command checks CA chains, not
> certificate/key pairs.
>
> Also, are there any known attacks (apart from denial of service) that can
> exploit this?
>
> Sorry if this has an obvious solution that I've missed,
> Andrew
RE: IE can't process 1024 bits cert?
Hi,

> thanks a lot. but I'm still confused about the cipher strength and
> key length. I always think 40-bit should be the key length of the
> symmetric cipher algorithm and 512-bit is the key length of the
> asymmetric cipher algorithm.

That is right.

> A 40-bit data encryption algorithm
> is always corresponding to a 512-bit certificate, and 128-bit
> to 1024/2048-bit. Is that right?

No, the certificate is independent of the symmetric key length. You can have a server with a 512-bit certificate which uses a 128-bit symmetric key, or a server with a 2048-bit certificate which uses a 40-bit symmetric key. It is just a question of the configuration of the server and of the version (with or without 128-bit crypto support).

--
Ludovic FLAMENT