Re: Read a Bignum from file
Angel Martinez Gonzalez wrote:
Hello:
I wrote a BIGNUM into a file using the function:
int BN_print_fp(FILE *fp, const BIGNUM *a);
But, How I can read this bignum from this file?. I donĀ“t know a openssl
function to read a bignum from a file.
Hello, you can read Bignum from file with this method,
#include
#include
#include
int main()
{
BIGNUM *b;
FILE*f;
charbuff[128]; /* must depend of Bignum size */
b = BN_new();
if (b == NULL)
return 0;
BN_add_word(b, 123456789);
f = fopen("bignum", "w");
if (f == NULL)
return 0;
BN_print_fp(f, b);
BN_free(b);
fclose(f);
/* start reading */
f = fopen("bignum", "r");
if (f == NULL)
return 0;
if (fread(buff, sizeof(char), sizeof(buff), f) <= 0)
{
fclose(f);
return 0;
}
fclose(f);
if (!BN_hex2bn(&b, buff))
return 0;
printf("BN read from file : ");
BN_print_fp(stdout, b);
printf("\n");
BN_add_word(b, 1);
printf("BN read from file + 1 : ");
BN_print_fp(stdout, b);
printf("\n");
BN_free(b);
return 1;
}
--
Ludovic FLAMENT
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Practical CA problem - modified requests
>the openssl verify command checks CA chains, not certificate/key pairs.
No it is not true. The verification is on the signature of the
certificate request.
Example :
$>openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify OK
$> openssl asn1parse -in my.req -dump
...
249:d=3 hl=3 l= 141 prim: BIT STRING (!! : change)
- 00 30 81 89 02 81 81 00-d9 5b a7 4c 6f fe d3 07
.0...[.Lo...
0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f
...n.+.CM.P*(..?
0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8
.*|...1A{.7.
0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c
$..qQU.\
0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e ...I1..b.
g~
0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a
...&yB..Cv..
0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7
s4.F2..#'K9..[2.
0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89
XZ...<{)..+.
0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01.B.!..o..
...
This is the publickey corresponding of the private key that sign the
request.
I change one octet of the publickey and verify the request.
$> openssl asn1parse -in my.req -dump
...
249:d=3 hl=3 l= 141 prim: BIT STRING (!! : change)
- 00 30 81 89 02 81 81 00-d9 5b b7 4c 6f fe d3 07
.0...[.Lo...
0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f
...n.+.CM.P*(..?
0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8
.*|...1A{.7.
0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c
$..qQU.\
0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e ...I1..b.
g~
0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a
...&yB..Cv..
0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7
s4.F2..#'K9..[2.
0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89
XZ...<{)..+.
0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01.B.!..o..
...
$>openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify failure
--
Ludovic FLAMENT.
- Original Message -
From: "Andrew Cooke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 4:54 PM
Subject: Practical CA problem - modified requests
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Practical CA problem - modified requests
Just verify the signature of request with : openssl -req -verify -in requestfile When a user make a request, he sign them with private key, so if anyone change the contents of the request, the signature verification failed. -- Ludovic FLAMENT. - Original Message - From: "Andrew Cooke" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, August 24, 2001 4:54 PM Subject: Practical CA problem - modified requests > > Hi, > > How do I detect whether a certificate request (in particular, the public > key) has been modified before signing? > > The only solutions I can see are: > > - doing an explicit test using private and public key > > - checking the public key data in request and certificate by eye > > I cannot see any way of detecting this using openssl as a standalone tool - > there is no support (that I can see) for request fingerprints and no > automated test to compare request and certificate, or certificate and > private key. > > Note that fingerprints after signing do not detect modifications before > signing and the openssl verify command checks CA chains, not > certificate/key pairs. > > Also, are there any known attacks (apart from denial of service) that can > exploit this? > > Sorry if this has an obvious solution that I've missed, > Andrew > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: IE can't process 1024 bits cert?
Hy, >thanks a lot. but i'm still confused of the cipher strength and >key length. i always think 40-bit should be the key length of >symmetric cipher algorithm and 512-bit is the key length of >asymmetric cipher algorithm. It's just. >40-bit data encryption aglorithm >is always corresponding to 512-bit certificate, and 128-bit >to 1024/2048-bit. is that right? No, the certificate is independent of the symetric key-length. You can have a server with a 512 bits certificate which used 128 bits symetric-key, or a server with a 2048 bits certificate which used 40 bits symetric-key. It's just a question of configuration of the server and the version (support crypto 128 bits or No). -- Ludovic FLAMENT __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
