ODP: Store Mgmt and keys loading ( keyform ENG )
I'm sorry, I cannot help you with providers. All I can tell you is that in my case libpkcs11 was not setting the flag using RSA_meth_set_flags but RSA_set_flags, and in the dotnet openssl implementation the check was being made on the method. I was thinking that our issues may be related.

BR
Piotr

From: Antonio Santagiuliana
Sent: Tuesday, 12 October 2021 10:50
To: Piotr Lobacz; openssl-users@openssl.org
Subject: Re: Store Mgmt and keys loading ( keyform ENG )

In general, I think that, despite what I read in previous replies, with the operation

    dgst --provider=myprovider -sign handle:1

it is not possible to fully reproduce what was possible with engines:

    dgst -keyform ENG sign -in 1 -engine=myengine

In the case of a provider, the store manager's caller sets ossl_store_handle_load_result as a fixed callback method when calling the load of the store mgmt. If that callback is not called, it will complain as no private key is possible to read.

On Tue, Oct 12, 2021 at 9:22 AM Antonio Santagiuliana <santantonios...@gmail.com> wrote:

Thank you for the suggestion. I am using providers though, not engine, and I can't see the higher level checking these RSA flags before it has detected that a valid key is passed back from the store manager to ossl_store_handle_load_result() (the callback passed to the store mgmt load() method). If I don't call the callback ossl_store_handle_load_result, the higher level after the store mgmt load() complains that no private key can be read. If I pass back an RSA key generated on the fly in the store mgmt load() then the ossl_store_handle_load_result() is fine using the RSA key mgmt load finds error in checking RSA flags. I think these flags are not set, but I don't know how to set them in the fictitious private key I generated on the fly in the store mgmt load() with

    EVP_PKEY *pkey = NULL;
    pkey = EVP_RSA_gen(2048);

This produces a valid pkey without errors but I think the rsa fields are not filled in. How can I add them to pkey?

I think I should register a different keymgmt on my provider but I am not sure what it should do in my case. So, for now, the RSA keymgmt is called and in its load() function (rsa_load()) at some point it wants to check RSA_check_flags() and there it stops as the rsa struct fields referenced are not filled in.

On Fri, 8 Oct 2021, 22:04 Piotr Lobacz, <piotr.lob...@softgent.com> wrote:

Hi Antonio,
I was discussing this problem about half a year ago in here. The problem was itself in .net library but it concerned RSA_FLAG_EXT_PKEY in RSA_METHOD which is wrong. You can read it in here https://github.com/dotnet/runtime/issues/53345. The clue of my problem was that this flag was being set by the dotnet and engine was setting it in RSA_set_flags - which is the proper way. You need to verify how the engine sets this flag and read my issue, maybe it will help you in solving yours.

BR
Piotr

From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Antonio Santagiuliana <santantonios...@gmail.com>
Sent: Friday, 8 October 2021 10:34
To: Tomas Mraz <to...@openssl.org>
Cc: openssl-users@openssl.org
Subject: Re: Store Mgmt and keys loading ( keyform ENG )

Could I ask you what is the best way to let the Openssl carry on in the case I can't pass the private key from my store manager load() function as key is offloaded in secure hw? I have set RSA_FLAG_EXT_PKEY in RSA_METHOD but if I don't call the callback function from my Store Mgmt's load() where I get the uri (the callback func is ossl_store_handle_load_result()) I get error "could not read the private key". If instead I call the callback func, I don't know how to fill in its params, as I don't have the private key. What should I put in the params to let the rest of call chain (I am on the dgst command) not caring about private key but carry on with operation? Or can I avoid calling the callback?
ODP: Store Mgmt and keys loading ( keyform ENG )
Hi Antonio,
I was discussing this problem about half a year ago in here. The problem was itself in .net library but it concerned RSA_FLAG_EXT_PKEY in RSA_METHOD which is wrong. You can read it in here https://github.com/dotnet/runtime/issues/53345. The clue of my problem was that this flag was being set by the dotnet and engine was setting it in RSA_set_flags - which is the proper way. You need to verify how the engine sets this flag and read my issue, maybe it will help you in solving yours.

BR
Piotr

From: openssl-users on behalf of Antonio Santagiuliana
Sent: Friday, 8 October 2021 10:34
To: Tomas Mraz
Cc: openssl-users@openssl.org
Subject: Re: Store Mgmt and keys loading ( keyform ENG )

Could I ask you what is the best way to let the Openssl carry on in the case I can't pass the private key from my store manager load() function as key is offloaded in secure hw? I have set RSA_FLAG_EXT_PKEY in RSA_METHOD but if I don't call the callback function from my Store Mgmt's load() where I get the uri (the callback func is ossl_store_handle_load_result()) I get error "could not read the private key". If instead I call the callback func, I don't know how to fill in its params, as I don't have the private key. What should I put in the params to let the rest of call chain (I am on the dgst command) not caring about private key but carry on with operation? Or can I avoid calling the callback?

Thank you

On Thu, 7 Oct 2021, 09:47 Antonio Santagiuliana, <santantonios...@gmail.com> wrote:

It is because of prototypes of methods..

On Thu, 7 Oct 2021, 08:49 Antonio Santagiuliana, <santantonios...@gmail.com> wrote:

Hello, just continuing on this..
I defined my store mgmt as:

    static const OSSL_ALGORITHM test_store[] = {
        { "handle", "provider=test", mystore_functions},
        {NULL, NULL, NULL}
    };

    echo "test" | LD_LIBRARY_PATH=.apps/openssl dgst --provider-path=./providers --provider=test --sign handle:1 -out messa.encrypted.bin

    Could not open file or uri for loading private key from handle:1
    C0628C24787F:error:1669:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
    C0628C24787F:error:1608010C:STORE routines:inner_loader_fetch:unsupported:crypto/store/store_meth.c:356:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (file : 0), Properties ()
    C0628C24787F:error:1669:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=handle

1) It firstly looks for a provider for scheme file: and it doesn't find one as I haven't set up any store mgmt for file: .
2) It looks like on the second attempt it tries to look for handle: but it finds it not registered.

What does this error mean? Does it look for registered uri schemes online? If that is the case, how can this work instead: https://github.com/tpm2-software/tpm2-openssl ? They use the handle: scheme as well. Does this mean it's a problem of the methods I registered for the store or is it something related to the uri scheme I am using?
Sorry but I couldn't find more info on this in the sources/docs.
Thank you

On Mon, Oct 4, 2021 at 4:52 PM Antonio Santagiuliana <santantonios...@gmail.com> wrote:
>
> OK, thank you very much for your comments, that's clear.
>
> On Mon, 4 Oct 2021, 15:45 Tomas Mraz, <to...@openssl.org> wrote:
>>
>> No, that's wrong. The dgst and other apps in OpenSSL-3.0 were already
>> modified to use OSSL_STORE API to load keys. So you do not need to
>> specify keyform=ENGINE if your key is provided by a provider that
>> supports the STORE functionality for some special URL scheme. You just
>> specify the right URL with that scheme to reference the key in the
>> provider.
>>
>> Of course third party applications need to be modified to call
>> OSSL_STORE API in a similar way how the openssl application does it.
>>
>> Tomas
>>
>> On Mon, 2021-10-04 at 15:39 +0100, Antonio Santagiuliana wrote:
>> > Thank you for your comment.
>> > Am I wrong then in saying that dgst and possibly other apps are not
>> > ready to be used with providers rather than engines in the case you
>> > need keyform=ENGINE ?
>> >
>> >
>> > On Mon, 4 Oct 2021, 14:13 Tomas Mraz, <to...@openssl.org> wrote:
>> > > You would have to implement a STORE provider that handles your
>> > > special
>> > > url scheme and then the keys would be referenced by the
>> > > yourscheme://any-identifier-you-have. Of course the application
ODP: CSR creation using pkcs11 dynamic engine
OK, I have written printf in src/p11_rsa.c to check if I'm entering the RSA_set_flags callback and yes, I am. Printf is being displayed but I still got this error, which shouldn't be any more.

From: openssl-users on behalf of Piotr Lobacz
Sent: Tuesday, 1 June 2021 17:36
To: Selva Nair
Cc: openssl-users@openssl.org
Subject: ODP: CSR creation using pkcs11 dynamic engine

Sorry, my bad, I was checking a bad position in the file...

From: openssl-users on behalf of Piotr Lobacz
Sent: Tuesday, 1 June 2021 17:34
To: Selva Nair
Cc: openssl-users@openssl.org
Subject: ODP: CSR creation using pkcs11 dynamic engine

OK, not fixed in 0.4.11, it is fixed in master branch... I need to build it from master.

From: openssl-users on behalf of Piotr Lobacz
Sent: Tuesday, 1 June 2021 17:18
To: Selva Nair
Cc: openssl-users@openssl.org
Subject: ODP: CSR creation using pkcs11 dynamic engine

Hi Selva,
btw. I have found one issue in libp11 package https://github.com/OpenSC/libp11/issues/304 and I have used 0.4.10. I will check firstly with 0.4.11 and give you an answer.

BR
Piotr

From: Selva Nair
Sent: Tuesday, 1 June 2021 17:15
To: Piotr Lobacz
Cc: openssl-users@openssl.org
Subject: Re: CSR creation using pkcs11 dynamic engine

Hi Piotr,

On Tue, Jun 1, 2021 at 10:57 AM Piotr Lobacz <piotr.lob...@softgent.com> wrote:

Hi,
I have managed to find the engine method

    static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data)

in libp11 package. I have also made a printf callback and I see the output that the method is being called, but the problem is that I think I need to set this flag RSA_FLAG_EXT_PKEY in the EVP_PKEY object, which I don't know how to do. Is it even possible?

The flag on the key is always set by libp11 (look for RSA_set_key in p11_rsa.c). What it doesn't set is any flags on the method -- which you wanted to satisfy dotnet. For testing you could add it -- look for PKCS11_get_rsa_method in the same file.

Selva

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND
KRS: 674406, NIP: 9581679801, REGON: 367090912
www.softgent.com
District Court Gdańsk-Północ in Gdańsk, 7th Commercial Division of the National Court Register, KRS 674406. Share capital: 25 000,00 zł, fully paid up.
ODP: CSR creation using pkcs11 dynamic engine
Hi,
I have managed to find the engine method

    static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data)

in libp11 package. I have also made a printf callback and I see the output that the method is being called, but the problem is that I think I need to set this flag RSA_FLAG_EXT_PKEY in the EVP_PKEY object, which I don't know how to do. Is it even possible?

BR
Piotr Łobacz

From: openssl-users on behalf of Piotr Lobacz
Sent: Saturday, 29 May 2021 20:12
To: Selva Nair
Cc: openssl-users@openssl.org
Subject: ODP: CSR creation using pkcs11 dynamic engine

Hi,
unfortunately that is not that simple :( These methods are not being exposed by the dotnet. Porting them would take too much time because of the method struct. Recompiling the whole dotnet sdk is also not an option.

You know, I've been reading your mail and keep thinking, and for now I see that the fastest way is to simply modify the libp11 proxy engine in the EVP_load_private_key method. First I can verify there the EVP_test_flag on the key and second modify the engine flags. This way I will be 100% sure that the problem is on the dotnet side. Because when I was testing this key on the token I was generating a 1024 bit length key and had written its length to the console. Then I have erased it completely and generated a new key pair with the key length modified to 2048. The output result was changed: 1024 -> 2048. So the conclusion was that the key is taken correctly.

I will check this on Monday and keep you informed. Have a nice weekend.

BR
Piotr

From: Selva Nair
Sent: Saturday, 29 May 2021 03:34
To: Piotr Lobacz
Subject: Re: CSR creation using pkcs11 dynamic engine

Hi,

I will also check these flags of my RSA object using RSA_test_flags and give you the answer. In the meantime as you have already told, the experts in here can share their knowledge, but I rather suspect that all you said is correct :] and the bug is in the dotnet implementation...

You could probably work around it by getting the method from the key using meth = RSA_get_method(rsa) and then setting the flag on the method using RSA_meth_set_flags(meth, flags). May not be a nice thing to do to a method owned by the engine, but should work if those API are exposed via dotnet.

If this is indeed the problem, you could try lobbying two places: dotnet devs to add a check for flags in the key, and libp11/pkcs11 engine devs to also set the flags on the method. One of them may oblige, depending on their thoughts on what is "right".

Selva
ODP: CSR creation using pkcs11 dynamic engine
Hi Selva,
I have found the cause of the problem. It is the HasNoPrivateKey function which is in dotnet OpenSsl ./src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c implementation. The crux of the problem is in these lines:

    // The method has described itself as having the private key external to the structure.
    // That doesn't mean it's actually present, but we can't tell.
    #pragma clang diagnostic push
    #pragma clang diagnostic ignored "-Wcast-qual"
    if (RSA_meth_get_flags((RSA_METHOD*)meth) & RSA_FLAG_EXT_PKEY)
    #pragma clang diagnostic pop
    {
        return 0;
    }

For some reason I suspect that I do not have this RSA_FLAG_EXT_PKEY flag set. Btw. when I am calling the ENGINE_load_private_key method, the arguments I'm passing are the engine and the key. Both ui_method and callback_data are passed as NULLs.

I talked with guys from dotnet in here https://github.com/dotnet/runtime/issues/53345 and I need to check RSA flags. But the thing that puzzles me is that shouldn't that flag be inserted by the engine during the call of ENGINE_load_private_key?

BR
Piotr

From: Selva Nair
Sent: Friday, 28 May 2021 20:47
To: Piotr Lobacz
Cc: openssl-users@openssl.org
Subject: Re: CSR creation using pkcs11 dynamic engine

Hi,

On Fri, May 28, 2021 at 1:44 PM Piotr Lobacz wrote:
>
> Ok, I have found out that dotnet OpenSsl library has its own code for
> verification is key private. For this it needs the whole data of private key
> from which this method:
>
> static int HasNoPrivateKey(RSA* rsa)
>
> which is in ./src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c
> of dotnet verifies occurrence of all private parameters. Unfortunately from
> what I know private keys are not extractable from tokens because of
> CKA_EXTRACTABLE=false parameter.
>
> Correct me if I'm wrong but from what I know about openssl, when I'm
> switching to a closed engine the whole cryptography is being made by the
> engine module. I think that there should be some other method verifying if key
> is private. Maybe somebody could give me a hint?

It's not verifying, but the signing operation that is failing. This sounds like something wrong in the way you are using the dotnet interface or possibly a bug in (or limitation of) that implementation itself. Like it's not meant to be used when keys are "external". I have no idea, having never used C#.

But you are right, when the private key is loaded through the pkcs11 engine the key is external (can stay non-extractable), and the signing operation gets delegated to the engine.

Are you sure that the pkey returned by the ENGINE_get_private_key() and rsa handle generated from that pkey are valid? I see no error checks in your code unless dotnet will automatically trigger exceptions on error.

You may get more relevant help in the dotnet community.

Selva
ODP: CSR creation using pkcs11 dynamic engine
Ok, I have found out that dotnet OpenSsl library has its own code for verification is key private. For this it needs the whole data of private key from which this method:

    static int HasNoPrivateKey(RSA* rsa)

which is in ./src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.c of dotnet verifies occurrence of all private parameters. Unfortunately from what I know private keys are not extractable from tokens because of CKA_EXTRACTABLE=false parameter.

Correct me if I'm wrong but from what I know about openssl, when I'm switching to a closed engine the whole cryptography is being made by the engine module. I think that there should be some other method verifying if key is private. Maybe somebody could give me a hint?

BR
Piotr

From: openssl-users on behalf of Piotr Lobacz
Sent: Friday, 28 May 2021 13:10
To: openssl-users@openssl.org
Subject: CSR creation using pkcs11 dynamic engine

Hi all,
I'm trying to generate a CSR using the C# System.SecurityCryptography.Openssl library together with a pkcs11 token library. The whole process for this in command line works without any problems. For execution of this process I use the command:

    openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

The CSR is being generated and the output is like this:

Now I'm trying to do all that programmatically. In order to do that I have added some OpenSsl C# missing support for the engines and used the ENGINE_load_private_key method to retrieve SafeEvpPKeyHandle which is being retrieved (I have checked it with changing the key id value). The key which I'm using is "label_" + myKeyId i.e. "label_tls". The code looks like this:

    public virtual SafeEvpPKeyHandle GetPrivKey(string label)
    {
        string keyId = "label_" + label;
        SafeEvpPKeyHandle pkey = SafeNativeMethods.ENGINE_load_private_key(engine, keyId, IntPtr.Zero, IntPtr.Zero);
        if (pkey.IsInvalid)
        {
            // Interpolated string, so the label actually appears in the message.
            throw new InvalidOperationException($"engine: unable to find private key with label='{label}'");
        }
        return pkey;
    }

This is returning me SafeEvpPKeyHandle. The problem is in calling CreateSigningRequest from System.Security.Cryptography.OpenSsl.dll. I have this method:

    public virtual string GetCSR(SafeEvpPKeyHandle pkey, string ext, HashAlgorithmName name)
    {
        // FIXME: determine key type
        RSA rsa = new RSAOpenSsl(pkey);
        CertificateRequest req = new CertificateRequest("CN=potato", rsa, name, RSASignaturePadding.Pkcs1);
        // this method is only for RSA key different is for EC, DSA etc.
        byte[] requestDer = req.CreateSigningRequest();
        string requestPem = new string(PemEncoding.Write("CERTIFICATE REQUEST", requestDer));
        return requestPem;
    }

and I'm getting this error:

    Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:04075093:rsa routines:RSA_sign:value missing
       at System.Security.Cryptography.RSAOpenSsl.TrySignHash(ReadOnlySpan`1 hash, Span`1 destination, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding, Boolean allocateSignature, Int32& bytesWritten, Byte[]& signature)
       at System.Security.Cryptography.RSAOpenSsl.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
       at System.Security.Cryptography.RSA.SignData(Byte[] data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
       at System.Security.Cryptography.RSA.SignData(Byte[] data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
       at System.Security.Cryptography.X509Certificates.RSAPkcs1X509SignatureGenerator.SignData(Byte[] data, HashAlgorithmName hashAlgorithm)
       at System.Security.Cryptography.X509Certificates.Pkcs10CertificationRequestInfo.ToPkcs10Request(X509SignatureGenerator signatureGenerator, HashAlgorithmName hashAlgorithm)
       at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSigningRequest(X509SignatureGenerator signatureGenerator)
       at System.Security.Cryptography.X509Certificates.CertificateRequest.CreateSigningRequest()
       at System.Security.Cryptography.Engine.GetCSR(SafeEvpPKeyHandle pkey, String ext, HashAlgorithmName name) in /home/plobacz/workspace/OpenSsl.DynamicEngine/Engine.cs:line 72
       at Flexgent.Services.CryptoSubsystem.CryptoSubsystem.Configure(String config) in /home/plobacz/workspace/crypto-subsystem/
CSR creation using pkcs11 dynamic engine
y/crypto-subsystem/src/ServiceMain.cs:line 19

I suspect that this happens because the key in SafeEvpPKeyHandle isn't private. But when I call this:

    pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so --list-objects -l --pin 1234567890

I can see that there is a private and a public object:

    ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
    ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
    ERROR: Listing FAPI token objects failed.
    Using slot 0 with a present token (0x1)
    Public Key Object; RSA 1024 bits
      label: tls
      ID: cd924ad983bc51ca1f15f446630901fa835f7b45
      Usage: encrypt, verify, wrap
      Access: local
    Private Key Object; RSA
      label: tls
      ID: cd924ad983bc51ca1f15f446630901fa835f7b45
      Usage: decrypt, sign, unwrap
      Access: sensitive, always sensitive, never extractable, local
      Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA1-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS

Maybe I'm giving some wrong parameters for retrieving the private key from the engine?

BR
Piotr
RE: dynamic engine load

Ok, so from what you are saying, my order like this:

    dynamic --> set SO_PATH --> LOAD and then set all parameters of the engine that SO_PATH implements. i.e MODULE_PATH

is correct?

BR
Piotr

From: Selva Nair
Sent: Thursday, 27 May 2021 00:44
To: Piotr Lobacz
Cc: openssl-users@openssl.org
Subject: Re: dynamic engine load

Hi,

On Wed, May 26, 2021 at 4:45 PM Piotr Lobacz <piotr.lob...@softgent.com> wrote:

> Btw i have verified that in openssl command line tool if i switch order from the one that worked for me:
>
>     OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libckteec.so
>
> to the one that was in the code:
>
>     OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre MODULE_PATH:/usr/lib/libckteec.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
>
> the error is the same as for me in the C# code. So the question is if you are telling me that the proper order is like that:
>
>     dynamic --> set SO_PATH --> LOAD and then set all parameters of the engine that SO_PATH implements.
>
> is the order which i used also a correct one?

The main error in your original code was setting MODULE_PATH on the dynamic engine instead of on pkcs11. And, I mistyped saying set ID after LOAD. As for LIST_ADD, if required, should be specified before LOAD as it's a directive to the dynamic engine, not pkcs11.

It has been a while since I have looked into dynamic loading in detail, but here is my understanding.

The dynamic engine supports only a few controls out of which the most useful ones are SO_PATH, ID and LIST_ADD. It won't understand MODULE_PATH. And, if SO_PATH is not given, I think ID could be used to locate the so-path of the engine but I have never got it to work. In any case, as you are giving the full SO_PATH, you don't need to set the ID. A "wrong" ID may lead to load failure but no ID will succeed. There may be some use of ID if the same shared lib implements multiple engines with different IDs. I don't know.

The LOAD control causes the dynamic engine to convert itself to a new engine. Almost all engine parameters are wiped clean (including id and name) and the shared library pointed to by SO_PATH is loaded. The bind function defined in the shared lib gets executed which will fill-in the new engine parameters and set up the methods it supports. In the case of pkcs11, it sets the id to "pkcs11" on loading. So, after loading, querying the ID using Engine_get_id() will return "pkcs11". LOAD also causes the engine to be added to the internal list if LIST_ADD was specified before LOAD, not otherwise.

Once loaded, the pkcs11 engine can handle controls like MODULE_PATH. It will use it to locate the module and load it when required -- usually after Engine_init() is called.

Selva
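The two-stage order described in the reply above, written out in C# as an added example; it is not code from the thread or from the OpenSsl.DynamicEngine library. The `Native` P/Invoke class, the `libcrypto` library name, `Pkcs11EngineLoader` and the absolute-path check are assumptions made for this example; the ENGINE_* functions are the OpenSSL 1.1 engine API.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Hypothetical P/Invoke bindings for this example. Assumption: the OpenSSL 1.1
// libcrypto used in the thread resolves under the name "libcrypto".
internal static class Native
{
    private const string Lib = "libcrypto";

    [DllImport(Lib)] internal static extern IntPtr ENGINE_by_id(string id);
    [DllImport(Lib)] internal static extern int ENGINE_ctrl_cmd_string(
        IntPtr e, string cmdName, string arg, int cmdOptional);
    [DllImport(Lib)] internal static extern IntPtr ENGINE_get_id(IntPtr e);
    [DllImport(Lib)] internal static extern int ENGINE_init(IntPtr e);
    [DllImport(Lib)] internal static extern int ENGINE_finish(IntPtr e);
    [DllImport(Lib)] internal static extern int ENGINE_free(IntPtr e);
}

public static class Pkcs11EngineLoader
{
    // Sends one control command and names the stage in the error, so a log
    // shows whether "dynamic" or the loaded engine rejected it.
    private static void Ctrl(IntPtr e, string stage, string cmd, string arg)
    {
        if (1 != Native.ENGINE_ctrl_cmd_string(e, cmd, arg, 0))
            throw new InvalidOperationException($"{stage}: control {cmd} <= '{arg}' failed");
    }

    // Both paths end up as native code in this process, so accept only
    // absolute paths to existing files (a hardening choice added here).
    private static void RequireAbsoluteFile(string path, string what)
    {
        if (!Path.IsPathRooted(path))
            throw new ArgumentException($"{what} must be an absolute path: '{path}'");
        if (!File.Exists(path))
            throw new FileNotFoundException($"{what} not found", path);
    }

    public static IntPtr Load(string enginePath, string modulePath)
    {
        RequireAbsoluteFile(enginePath, "engine library");
        // Checked here because, per the reply above, the module is only located
        // and loaded later, so setting MODULE_PATH by itself does not prove the
        // file is usable.
        RequireAbsoluteFile(modulePath, "PKCS#11 module");

        IntPtr e = Native.ENGINE_by_id("dynamic");
        if (e == IntPtr.Zero)
            throw new InvalidOperationException("dynamic engine is not available");

        try
        {
            // Stage 1: controls the dynamic engine understands. ID is omitted
            // because the full SO_PATH is given.
            Ctrl(e, "dynamic", "SO_PATH", enginePath);
            Ctrl(e, "dynamic", "LIST_ADD", "1");   // must precede LOAD
            Ctrl(e, "dynamic", "LOAD", null);

            // Stage 2: the same handle is now the engine from SO_PATH.
            string id = Marshal.PtrToStringAnsi(Native.ENGINE_get_id(e));
            if (id != "pkcs11")
                throw new InvalidOperationException($"loaded engine id is '{id}', expected 'pkcs11'");

            Ctrl(e, "pkcs11", "MODULE_PATH", modulePath);

            if (1 != Native.ENGINE_init(e))
                throw new InvalidOperationException("pkcs11: ENGINE_init failed");

            return e; // caller owns the handle; release with Unload()
        }
        catch
        {
            Native.ENGINE_free(e); // drop the reference from ENGINE_by_id
            throw;
        }
    }

    public static void Unload(IntPtr e)
    {
        Native.ENGINE_finish(e); // functional reference from ENGINE_init
        Native.ENGINE_free(e);   // structural reference from ENGINE_by_id
    }
}
```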
RE: dynamic engine load

Btw i have verified that in openssl command line tool if i switch order from the one that worked for me:

    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libckteec.so

to the one that was in the code:

    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre MODULE_PATH:/usr/lib/libckteec.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD

the error is the same as for me in the C# code. So the question is if you are telling me that the proper order is like that:

    dynamic --> set SO_PATH --> LOAD and then set all parameters of the engine that SO_PATH implements.

is the order which i used also a correct one?

BR
Piotr

From: openssl-users on behalf of Piotr Lobacz
Sent: Wednesday, 26 May 2021 22:32
To: Selva Nair
Cc: openssl-users@openssl.org
Subject: RE: dynamic engine load

Yeah, that is what i have figured it out and written it in my previous message:] but big thx for help.

BR
Piotr Lobacz

From: Selva Nair
Sent: Wednesday, 26 May 2021 15:52
To: Piotr Lobacz
Cc: openssl-users@openssl.org
Subject: Re: dynamic engine load

Hi,

On Wed, May 26, 2021 at 9:25 AM Piotr Lobacz wrote:
>
> Hi all,
> I am trying to write a function which will load dynamic engine for pkcs11.
> What i intend to do is not to use engine id pkcs11 but dynamic. The problem
> is that i get an error for ENGINE_ctrl_cmd_string with MODULE_PATH parameter.
> My function currently looks like this:
>
> public void Initialize()
> {
>     if (null == engine)
>     {
>         engine = SafeNativeMethods.ENGINE_by_id("dynamic");
>         if (engine.IsInvalid)
>         {
>             throw new InvalidOperationException($"Unable to load dynamic engine");
>         }
>
>         if (!File.Exists(EnginePath))
>         {
>             throw new InvalidOperationException($"Unable to find engine library path");
>         }
>
>         if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "SO_PATH", EnginePath, 0))
>         {
>             throw new InvalidOperationException($"dynamic: setting so_path <= '{EnginePath}'");
>         }

At this point you should do the "LOAD" control to get the dynamic engine shell replaced by pkcs11. Then set the ID and the MODULE_PATH.

So it's dynamic --> set SO_PATH --> LOAD and then set all parameters of the engine that SO_PATH implements.

Selva
RE: dynamic engine load

Yeah, that is what i have figured it out and written it in my previous message:] but big thx for help.

BR
Piotr Lobacz

From: Selva Nair
Sent: Wednesday, 26 May 2021 15:52
To: Piotr Lobacz
Cc: openssl-users@openssl.org
Subject: Re: dynamic engine load

Hi,

On Wed, May 26, 2021 at 9:25 AM Piotr Lobacz wrote:
>
> Hi all,
> I am trying to write a function which will load dynamic engine for pkcs11.
> What i intend to do is not to use engine id pkcs11 but dynamic. The problem
> is that i get an error for ENGINE_ctrl_cmd_string with MODULE_PATH parameter.
> My function currently looks like this:
>
> public void Initialize()
> {
>     if (null == engine)
>     {
>         engine = SafeNativeMethods.ENGINE_by_id("dynamic");
>         if (engine.IsInvalid)
>         {
>             throw new InvalidOperationException($"Unable to load dynamic engine");
>         }
>
>         if (!File.Exists(EnginePath))
>         {
>             throw new InvalidOperationException($"Unable to find engine library path");
>         }
>
>         if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "SO_PATH", EnginePath, 0))
>         {
>             throw new InvalidOperationException($"dynamic: setting so_path <= '{EnginePath}'");
>         }

At this point you should do the "LOAD" control to get the dynamic engine shell replaced by pkcs11. Then set the ID and the MODULE_PATH.

So it's dynamic --> set SO_PATH --> LOAD and then set all parameters of the engine that SO_PATH implements.

Selva
RE: dynamic engine load

Ok i have found the problem:] The solution was to move the whole conditional if(Id == "pkcs11") {..} to the end of the function and now all is working properly.

BR
Piotr Lobacz

From: openssl-users on behalf of Piotr Lobacz
Sent: Wednesday, 26 May 2021 15:24
To: openssl-users@openssl.org
Subject: dynamic engine load

Hi all,
I am trying to write a function which will load dynamic engine for pkcs11. What i intend to do is not to use engine id pkcs11 but dynamic. The problem is that i get an error for ENGINE_ctrl_cmd_string with MODULE_PATH parameter. My function currently looks like this:

    public void Initialize()
    {
        if (null == engine)
        {
            engine = SafeNativeMethods.ENGINE_by_id("dynamic");
            if (engine.IsInvalid)
            {
                throw new InvalidOperationException($"Unable to load dynamic engine");
            }

            if (!File.Exists(EnginePath))
            {
                throw new InvalidOperationException($"Unable to find engine library path");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "SO_PATH", EnginePath, 0))
            {
                throw new InvalidOperationException($"dynamic: setting so_path <= '{EnginePath}'");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "ID", Id, 0))
            {
                throw new InvalidOperationException($"dynamic: setting engine id <= '{Id}'");
            }

            if (Id == "pkcs11")
            {
                if (!File.Exists(ModulePath))
                {
                    throw new InvalidOperationException($"Unable to load pkcs11 module path");
                }

                if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", ModulePath, 0))
                {
                    throw new InvalidOperationException($"dynamic: setting module_path <= '{ModulePath}'");
                }
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd(engine, "LIST_ADD", 1, IntPtr.Zero, null, 0))
            {
                throw new InvalidOperationException("dynamic: setting list_add <= 1");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd(engine, "LOAD", 1, IntPtr.Zero, null, 0))
            {
                throw new InvalidOperationException("dynamic: setting load <= 1");
            }
        }
    }

This function is written in C# but it shouldn't be rather a problem, cause it looks nearly the same as with C code. According to some manuals and other stuff i should be able to load dynamic engine for pkcs11 module and i am because for example this command:

    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libckteec.so

works and produces log:

    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/libckteec.so
    Loaded: (pkcs11) pkcs11 engine

but as i said it before, when using my method i get an error on call for ENGINE_ctrl_cmd_string method. The error code which i'm getting is 0.

I would very much appreciate it if someone could help me solve this issue.

BR
Piotr Lobacz
dynamic engine load
Hi all,
I am trying to write a function which will load dynamic engine for pkcs11. What i intend to do is not to use engine id pkcs11 but dynamic. The problem is that i get an error for ENGINE_ctrl_cmd_string with MODULE_PATH parameter. My function currently looks like this:

    public void Initialize()
    {
        if (null == engine)
        {
            engine = SafeNativeMethods.ENGINE_by_id("dynamic");
            if (engine.IsInvalid)
            {
                throw new InvalidOperationException($"Unable to load dynamic engine");
            }

            if (!File.Exists(EnginePath))
            {
                throw new InvalidOperationException($"Unable to find engine library path");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "SO_PATH", EnginePath, 0))
            {
                throw new InvalidOperationException($"dynamic: setting so_path <= '{EnginePath}'");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "ID", Id, 0))
            {
                throw new InvalidOperationException($"dynamic: setting engine id <= '{Id}'");
            }

            if (Id == "pkcs11")
            {
                if (!File.Exists(ModulePath))
                {
                    throw new InvalidOperationException($"Unable to load pkcs11 module path");
                }

                if (1 != SafeNativeMethods.ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", ModulePath, 0))
                {
                    throw new InvalidOperationException($"dynamic: setting module_path <= '{ModulePath}'");
                }
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd(engine, "LIST_ADD", 1, IntPtr.Zero, null, 0))
            {
                throw new InvalidOperationException("dynamic: setting list_add <= 1");
            }

            if (1 != SafeNativeMethods.ENGINE_ctrl_cmd(engine, "LOAD", 1, IntPtr.Zero, null, 0))
            {
                throw new InvalidOperationException("dynamic: setting load <= 1");
            }
        }
    }

This function is written in C# but it shouldn't be rather a problem, cause it looks nearly the same as with C code. According to some manuals and other stuff i should be able to load dynamic engine for pkcs11 module and i am because for example this command:

    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines-1.1/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libckteec.so

works and produces log:

    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines-1.1/libpkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/libckteec.so
    Loaded: (pkcs11) pkcs11 engine

but as i said it before, when using my method i get an error on call for ENGINE_ctrl_cmd_string method. The error code which i'm getting is 0.

I would very much appreciate it if someone could help me solve this issue.

BR
Piotr Lobacz
RE: CSR generation using pkcs11 token engine from C# code

Ok i am trying to use this code:

    TokenEngine::TokenEngine( const StringList & modulePaths )
    {
        ENGINE * tok = ENGINE_by_id( "pkcs11" );
        if ( ! tok )
            throw Exception( "token: unable to get engine" );

        m_pEngine = tok;

        const string modulePath( findFirstExisting( modulePaths ) );
        if ( modulePath.empty() )
            throw Exception( "token: unable to find module path" );

        DEBUG( "token: ctor: module_path=" << QS( modulePath ) );

        if ( 1 != ENGINE_ctrl_cmd_string( tok, "MODULE_PATH", modulePath.c_str(), CMD_MANDATORY ) )
            throw Exception( "token: setting module_path <= " + QS( modulePath ) );

        DEBUG( "token: ctor: initializing " << m_pEngine );

        if ( 1 != ENGINE_init( tok ) )
            throw Exception( "token: unable to initialize" );

        DEBUG( "token: ctor: done" );
    }

which is from this site https://github.com/tkil/openssl-pkcs11-samples/blob/master/OpenSSLWrappers.cpp and the problem is that if i change modulePath value to a not existing file the method is still returning 1 which i think it should not. Correct me if i'm wrong.

BR
Piotr

From: Michael McKenney
Sent: Monday, 24 May 2021 14:17
To: Piotr Lobacz; openssl-users@openssl.org
Subject: RE: CSR generation using pkcs11 token engine from C# code

Usually I reserve C# for Windows servers. I use PHP on Ubuntu other Linux Distros. Most web servers that need OpenSSL are Linux. Glad you got it working.

From: Piotr Lobacz
Sent: Monday, May 24, 2021 8:10 AM
To: Michael McKenney; openssl-users@openssl.org
Subject: RE: CSR generation using pkcs11 token engine from C# code

Hi Michael,
thx for your quick reply. Unfortunately i can't use your script because i need to use native code not bash implementation.

For the first question about loading token module i have found a solution on github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++ code but i can fairly port it to C#, and i was right about different load of engine for pkcs11 engine. So this can be closed.

Another thing is to generate CSR with the usage of token and openssl. This will be more complicated and i don't know yet how to do that.

BR
Piotr

From: Michael McKenney <mike.mcken...@scsiraidguru.com>
Sent: Monday, 24 May 2021 13:28
To: Piotr Lobacz <piotr.lob...@softgent.com>; openssl-users@openssl.org
Subject: RE: CSR generation using pkcs11 token engine from C# code

I wrote this script years ago when I switched to Godaddy 10 site certificates. I don't use it from C#. You could easily put it into C# or PHP. < > would be variables at the top. I have it filled in so I just modify the alt_names. I just cut and paste all of it into Ubuntu and run it in the directory /etc/apache2/ssl. If you don't need all 10, you can delete the extra ones in alt_names.

    openssl req -new -sha256 -nodes -out \
    -newkey rsa:2048 -keyout \
    -config <(
    cat <<-EOF
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    [ dn ]
    C= < country >
    ST= < Your States >
    L= < City or location >
    O= < Organization >
    OU=
    emailAddress=
    CN =

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = < domain #1 >
    DNS.2 = < domain #2 >
    DNS.3 = < domain #3 >
    DNS.4 = < domain #4 >
    DNS.5 = < domain #5 >
    DNS.6 = < domain #6 >
    DNS.7 = < domain #7 >
    DNS.8 = < domain #8 >
    DNS.9 = < domain #9 >
    EOF
    )

-Original Message-
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: openssl-users@openssl.org
Subject: CSR generation using pkcs11 token engine from C# code

Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code. I have checked that my solution works from command line. I have added these lines:

    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
    MODULE_PATH = /usr/lib/libtpm2_pkcs11.so
    init = 0

to the /etc/ssl/openssl.cnf configuration file and then this command:

    openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andy
RE: CSR generation using pkcs11 token engine from C# code

Hi Michael,
thx for your quick reply. Unfortunately i can't use your script because i need to use native code not bash implementation.

For the first question about loading token module i have found a solution on github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++ code but i can fairly port it to C#, and i was right about different load of engine for pkcs11 engine. So this can be closed.

Another thing is to generate CSR with the usage of token and openssl. This will be more complicated and i don't know yet how to do that.

BR
Piotr

From: Michael McKenney
Sent: Monday, 24 May 2021 13:28
To: Piotr Lobacz; openssl-users@openssl.org
Subject: RE: CSR generation using pkcs11 token engine from C# code

I wrote this script years ago when I switched to Godaddy 10 site certificates. I don't use it from C#. You could easily put it into C# or PHP. < > would be variables at the top. I have it filled in so I just modify the alt_names. I just cut and paste all of it into Ubuntu and run it in the directory /etc/apache2/ssl. If you don't need all 10, you can delete the extra ones in alt_names.

    openssl req -new -sha256 -nodes -out \
    -newkey rsa:2048 -keyout \
    -config <(
    cat <<-EOF
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    [ dn ]
    C= < country >
    ST= < Your States >
    L= < City or location >
    O= < Organization >
    OU=
    emailAddress=
    CN =

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = < domain #1 >
    DNS.2 = < domain #2 >
    DNS.3 = < domain #3 >
    DNS.4 = < domain #4 >
    DNS.5 = < domain #5 >
    DNS.6 = < domain #6 >
    DNS.7 = < domain #7 >
    DNS.8 = < domain #8 >
    DNS.9 = < domain #9 >
    EOF
    )

-Original Message-
From: openssl-users On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: openssl-users@openssl.org
Subject: CSR generation using pkcs11 token engine from C# code

Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code. I have checked that my solution works from command line. I have added these lines:

    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
    MODULE_PATH = /usr/lib/libtpm2_pkcs11.so
    init = 0

to the /etc/ssl/openssl.cnf configuration file and then this command:

    openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for proper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl.

Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations then it should be somehow similar to the C solution.

I would be grateful if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz
CSR generation using pkcs11 token engine from C# code
Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code. I have checked that my solution works from command line. I have added these lines:

    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
    MODULE_PATH = /usr/lib/libtpm2_pkcs11.so
    init = 0

to the /etc/ssl/openssl.cnf configuration file and then this command:

    openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for proper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl.

Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations then it should be somehow similar to the C solution.

I would be grateful if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz
[openssl-users] How to properly build OpenSSL with certificates inside certs directory
Hi,

There seems to be no good explanation on the website on how to build OpenSSL with CA certificates so I thought I’ll give a try here.

I’ve copied all the CA certs I have to the certs folder and built, unfortunately I still get certificate validation errors with the library I use (it links to OpenSSL dynamically). I have all the CA certs in pem format, should I include some kind of flag or do something else?

Thanks in advance,
Peter

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] ECDSA with random number
As in the subject, is it possible to generate signature with given random number? According to the documentation, ECDSA uses RNG so it would be difficult to find out private key from signature, but i want just to test my data to check if signature is being generated properly and i haven't found any possible place where i would be able to pass random value.

Any ideas?

--
Piotr Łobacz
Systems and Software Office
RADMOR S.A.
tel. (58) 6996 929
e-mail: piotr.lob...@radmor.com.pl
www.radmor.com.pl
RADMOR S.A., ul. Hutnicza 3, 81-212 Gdynia
NIP: 586-010-21-39 REGON: 190432077 KRS: 074029 (District Court Gdańsk-Północ in Gdańsk)
Paid-up share capital: 9 282 830 PLN
[openssl-users] ECDSA with hmac sha
Hello,
i have a question as in the subject: is it possible with EVP api to sign data with ECDSA using HMAC-SHA instead of SHA, and if yes could you guide me somehow?

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Ok, with few modifications to fipsld++ i can now link to libcrypto.so and libcrypto.a and applications are working correctly, but mine problem still persists because if i would like to dlopen my shared library compiled with static libcrypto.a and i'll try to run fips mode from that library i get an error:

    755413103

which, i have read, means that library has an incorrect digest and verification has failed. Now i found that fips_premain_dso is used to generate/get this digest from library but it does not generate or even does not output anything and it does not matter if it is linux/QNX or whatever platform it is. Maybe i'm using it wrong but could anybody tell me how to use this fips_premain_dso? I'm using it like that:

    LD_LIBRARY_PATH=/path/to/where/my/lib/is fips_premain_dso mylib.so

And that does not output anything.

On Thu, 2015-04-02 at 08:58 +0200, Piotr Łobacz wrote:

Yeah i have tried with it and modified it. But mine problem is that i am cross-compiling. I have used incore to generate digest and it works with qcc and i386-pc-nto-qnx6.4.0-gcc. But with i386-pc-nto-qnx6.4.0-g++ and QCC which is for c++ it does not work it generates bad digest. What is a problem because i have to use a machine with qnx to run the compiled code to get the proper digest and then recompile with it, what actually works because i've tested it.

On Thu, 2015-04-02 at 02:34 -0400, Jeffrey Walton wrote:

On Thu, Apr 2, 2015 at 2:19 AM, Piotr Łobacz piotr.lob...@radmor.com.pl wrote:
> Ok finally my app is working and compiled with c++ compiler but the problem persists because elf incore is bad for QNX apps compiled with g++ or QCC compiler. It generates bad digest. Even incore2 generates bad digest, and i dunno why that happens.
>
> Any suggestions?

You might try fipsld++ (https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B). It's for handling C++ compilers. I'm not sure why the various symbols are not exported with extern C.

I don't recall trying it with a cross compile, though. It may work, it may not work. Either way, it may give you some ideas.

Jeff

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Ok i have finally managed to find what is the problem. The generated value of digest under linux had bad value. Now i have to correct incore file for QNX platform. Wish me luck or if anybody can help me with this i would be pleased. :)

On Fri, 2015-04-03 at 11:16 +0200, Piotr Łobacz wrote:

Ok, with few modifications to fipsld++ i can now link to libcrypto.so and libcrypto.a and applications are working correctly, but mine problem still persists because if i would like to dlopen my shared library compiled with static libcrypto.a and i'll try to run fips mode from that library i get an error:

    755413103

which, i have read, means that library has an incorrect digest and verification has failed. Now i found that fips_premain_dso is used to generate/get this digest from library but it does not generate or even does not output anything and it does not matter if it is linux/QNX or whatever platform it is. Maybe i'm using it wrong but could anybody tell me how to use this fips_premain_dso? I'm using it like that:

    LD_LIBRARY_PATH=/path/to/where/my/lib/is fips_premain_dso mylib.so

And that does not output anything.

On Thu, 2015-04-02 at 08:58 +0200, Piotr Łobacz wrote:

Yeah i have tried with it and modified it. But mine problem is that i am cross-compiling. I have used incore to generate digest and it works with qcc and i386-pc-nto-qnx6.4.0-gcc. But with i386-pc-nto-qnx6.4.0-g++ and QCC which is for c++ it does not work it generates bad digest. What is a problem because i have to use a machine with qnx to run the compiled code to get the proper digest and then recompile with it, what actually works because i've tested it.

On Thu, 2015-04-02 at 02:34 -0400, Jeffrey Walton wrote:

On Thu, Apr 2, 2015 at 2:19 AM, Piotr Łobacz piotr.lob...@radmor.com.pl wrote:
> Ok finally my app is working and compiled with c++ compiler but the problem persists because elf incore is bad for QNX apps compiled with g++ or QCC compiler. It generates bad digest. Even incore2 generates bad digest, and i dunno why that happens.
>
> Any suggestions?

You might try fipsld++ (https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B). It's for handling C++ compilers. I'm not sure why the various symbols are not exported with extern C.

I don't recall trying it with a cross compile, though. It may work, it may not work. Either way, it may give you some ideas.

Jeff

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Yeah i have tried with it and modified it. But mine problem is that i am cross-compiling. I have used incore to generate digest and it works with qcc and i386-pc-nto-qnx6.4.0-gcc. But with i386-pc-nto-qnx6.4.0-g++ and QCC which is for c++ it does not work it generates bad digest. What is a problem because i have to use a machine with qnx to run the compiled code to get the proper digest and then recompile with it, what actually works because i've tested it.

On Thu, 2015-04-02 at 02:34 -0400, Jeffrey Walton wrote:

On Thu, Apr 2, 2015 at 2:19 AM, Piotr Łobacz piotr.lob...@radmor.com.pl wrote:
> Ok finally my app is working and compiled with c++ compiler but the problem persists because elf incore is bad for QNX apps compiled with g++ or QCC compiler. It generates bad digest. Even incore2 generates bad digest, and i dunno why that happens.
>
> Any suggestions?

You might try fipsld++ (https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B). It's for handling C++ compilers. I'm not sure why the various symbols are not exported with extern C.

I don't recall trying it with a cross compile, though. It may work, it may not work. Either way, it may give you some ideas.

Jeff

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Ok finally my app is working and compiled with c++ compiler but the problem persists because elf incore is bad for QNX apps compiled with g++ or QCC compiler. It generates bad digest. Even incore2 generates bad digest, and i dunno why that happens.

Any suggestions?

On Tue, 2015-03-31 at 12:41 +0200, Piotr Łobacz wrote:

Ok i have finally managed to cross-compile openssl with fips for QNX platform. What i did was modifying the fipsld script not to input this magical number[ $? -ne 42 ] exit $? and the returned output of ${FIPS_SIG} -exe ${TARGET} was saved in SIG variable, because this line SIG=`${TARGET} tried to execute QNX compiled code on linux, what is rather impossible, to get the returned digest and recompile the target with it. Now with these little changes i was finally able to run openssl fips cross compiled app on qnx and i can gladly say that it works.

On Fri, 2015-03-27 at 11:04 +0100, Piotr Łobacz wrote:

Another problem is that compiled cross-compiled OpenSSL with fips should start in its own prompt but it only spews the expected signature and exits. I have modified fipsld scripts as shown in the manual and this does not help. Incore was used from the tarball but maybe i have to use some special modifications for QNX incore?

On Thu, 2015-03-26 at 08:46 +0100, Piotr Łobacz wrote:

Hello,
i have been able to cross-compile openssl with fips module and what i want now is to use it within my project which is using C++. According to the manual https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B i have to modify fipsld to fipsld++. Everything works properly if i'm compiling my own libraries which are being linked with static crypto.a but if i'm going to compile some tests which are linking with those libraries i get this error:

    /usr/lib/fips_premain.o: In function `FINGERPRINT_premain()':
    /usr/lib/fips_premain.c:103: undefined reference to `FIPS_text_start()'
    /usr/lib/fips_premain.c:116: undefined reference to `FIPS_incore_fingerprint(unsigned char*, unsigned int)'

According to the manual, problem occurs with C++ linker, but i have it modified in fipsld++ so that now PREMAIN_DSO looks like:

    -x c ${PREMAIN_C} -x none \

and this does not help. On Linux with gcc this was helpful but on QNX cross compilation it does not.

I would be pleased if somebody could point me what am i doing wrong...

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Ok i have finally managed to cross-compile openssl with fips for QNX platform. What i did was modifying the fipsld script not to input this magical number [ $? -ne 42 ] && exit $? and the returned output of ${FIPS_SIG} -exe ${TARGET} was saved in SIG variable, because this line SIG=`${TARGET}` tried to execute QNX compiled code on linux, which is rather impossible, to get the returned digest and recompile the target with it. Now with these little changes i was finally able to run openssl fips cross compiled app on qnx and i can gladly say that it works.

On Fri, 2015-03-27 at 11:04 +0100, Piotr Łobacz wrote:
> Another problem is that compiled cross-compiled OpenSSL with fips should start in its own prompt but it only spews the expected signature and exits. I have modified fipsld scripts as shown in the manual and this does not help. Incore was used from the tarball but maybe i have to use some special modifications for QNX incore?
>
> On Thu, 2015-03-26 at 08:46 +0100, Piotr Łobacz wrote:
> > Hello, i have been able to cross-compile openssl with fips module and what i want now is to use it within my project which is using C++. According to the manual https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B i have to modify fipsld to fipsld++.
> >
> > Everything works properly if i'm compiling my own libraries which are being linked with static crypto.a but if i'm going to compile some tests which are linking with those libraries i get this error:
> >
> > /usr/lib/fips_premain.o: In function `FINGERPRINT_premain()':
> > /usr/lib/fips_premain.c:103: undefined reference to `FIPS_text_start()'
> > /usr/lib/fips_premain.c:116: undefined reference to `FIPS_incore_fingerprint(unsigned char*, unsigned int)'
> >
> > According to the manual, problem occurs with C++ linker, but i have it modified in fipsld++ so that now PREMAIN_DSO looks like:
> >
> > -x c ${PREMAIN_C} -x none \
> >
> > and this does not help. On Linux with gcc this was helpful but on QNX cross compilation it does not. I would be pleased if somebody could point me what am i doing wrong...

--
Piotr Łobacz
Re: [openssl-users] QNX cross-compiled openssl with fips
Another problem is that compiled cross-compiled OpenSSL with fips should start in its own prompt but it only spews the expected signature and exits. I have modified fipsld scripts as shown in the manual and this does not help. Incore was used from the tarball but maybe i have to use some special modifications for QNX incore?

On Thu, 2015-03-26 at 08:46 +0100, Piotr Łobacz wrote:
> Hello, i have been able to cross-compile openssl with fips module and what i want now is to use it within my project which is using C++. According to the manual https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B i have to modify fipsld to fipsld++.
>
> Everything works properly if i'm compiling my own libraries which are being linked with static crypto.a but if i'm going to compile some tests which are linking with those libraries i get this error:
>
> /usr/lib/fips_premain.o: In function `FINGERPRINT_premain()':
> /usr/lib/fips_premain.c:103: undefined reference to `FIPS_text_start()'
> /usr/lib/fips_premain.c:116: undefined reference to `FIPS_incore_fingerprint(unsigned char*, unsigned int)'
>
> According to the manual, problem occurs with C++ linker, but i have it modified in fipsld++ so that now PREMAIN_DSO looks like:
>
> -x c ${PREMAIN_C} -x none \
>
> and this does not help. On Linux with gcc this was helpful but on QNX cross compilation it does not. I would be pleased if somebody could point me what am i doing wrong...

--
Piotr Łobacz
[openssl-users] QNX cross-compiled openssl with fips
Hello, i have been able to cross-compile openssl with fips module and what i want now is to use it within my project which is using C++. According to the manual https://wiki.openssl.org/index.php/Fipsld_and_C%2B%2B i have to modify fipsld to fipsld++.

Everything works properly if i'm compiling my own libraries which are being linked with static crypto.a but if i'm going to compile some tests which are linking with those libraries i get this error:

/usr/lib/fips_premain.o: In function `FINGERPRINT_premain()':
/usr/lib/fips_premain.c:103: undefined reference to `FIPS_text_start()'
/usr/lib/fips_premain.c:116: undefined reference to `FIPS_incore_fingerprint(unsigned char*, unsigned int)'

According to the manual, problem occurs with C++ linker, but i have it modified in fipsld++ so that now PREMAIN_DSO looks like:

-x c ${PREMAIN_C} -x none \

and this does not help. On Linux with gcc this was helpful but on QNX cross compilation it does not. I would be pleased if somebody could point me what am i doing wrong...

--
Piotr Łobacz
Re: [openssl-users] Fips CTR_DRBG
Thanks a lot, adding this flag did the trick. The returned block is identical as the expected.

On Fri, 2015-02-27 at 12:54 +, Dr. Stephen Henson wrote:
> On Fri, Feb 27, 2015, Piotr Łobacz wrote:
> > I can do much more i can give the source code:
> >
> > dctx = FIPS_drbg_new(NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
>
> Try including the flag DRBG_FLAG_TEST: the DRBG needs to be in test mode otherwise the continuous PRNG test discards the first block generated.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

--
Piotr Łobacz
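The effect described in the reply above, as an added model that is not part of the original thread and is not OpenSSL's code: a continuous test that uses the first generated block only to prime its comparison, so a known-answer check lines up only when a test flag bypasses it. The block source is a constructed toy (not AES-CTR), and `MODEL_FLAG_TEST`, `toy_source` and `model_drbg` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 16            /* AES block size used by CTR_DRBG */
#define MODEL_FLAG_TEST 0x1u    /* hypothetical stand-in for DRBG_FLAG_TEST */

/* Constructed toy source, NOT AES-CTR: block n depends only on seed and n. */
typedef struct { uint8_t seed; uint32_t counter; int stuck; } toy_source;

static void toy_next_block(toy_source *s, uint8_t out[BLOCK_LEN])
{
    for (size_t i = 0; i < BLOCK_LEN; i++)
        out[i] = (uint8_t)(s->seed ^ (s->counter * 31u + i * 7u));
    if (!s->stuck)              /* a stuck source repeats the same block */
        s->counter++;
}

typedef struct {
    toy_source src;
    unsigned flags;
    int have_prev;              /* has the comparison block been primed? */
    uint8_t prev[BLOCK_LEN];
} model_drbg;

static void model_init(model_drbg *d, uint8_t seed, unsigned flags, int stuck)
{
    memset(d, 0, sizeof *d);
    d->src.seed = seed;
    d->src.stuck = stuck;
    d->flags = flags;
}

/* One block that passed the continuous test; 0 on success, -1 on failure. */
static int model_block(model_drbg *d, uint8_t out[BLOCK_LEN])
{
    uint8_t cur[BLOCK_LEN];
    for (;;) {
        toy_next_block(&d->src, cur);
        if (d->flags & MODEL_FLAG_TEST)
            break;              /* test mode: blocks are returned as generated */
        if (!d->have_prev) {    /* first block only primes the comparison */
            memcpy(d->prev, cur, BLOCK_LEN);
            d->have_prev = 1;
            continue;           /* and is never handed to the caller */
        }
        if (memcmp(d->prev, cur, BLOCK_LEN) == 0)
            return -1;          /* two identical consecutive blocks */
        memcpy(d->prev, cur, BLOCK_LEN);
        break;
    }
    memcpy(out, cur, BLOCK_LEN);
    return 0;
}

/* Generate nblocks blocks; 0 on success, -1 if the continuous test failed. */
int model_generate(model_drbg *d, uint8_t *out, size_t nblocks)
{
    for (size_t b = 0; b < nblocks; b++)
        if (model_block(d, out + b * BLOCK_LEN) != 0)
            return -1;
    return 0;
}

/* By how many blocks is the caller-visible output shifted against the raw
 * stream (the "known answer")? Returns -1 if it matches at no offset. */
int output_shift_in_blocks(unsigned flags)
{
    enum { OUT_BLOCKS = 4, RAW_BLOCKS = 6 };
    uint8_t out[OUT_BLOCKS * BLOCK_LEN], raw[RAW_BLOCKS * BLOCK_LEN];
    toy_source ref = { 0x36, 0, 0 };
    model_drbg d;
    for (int b = 0; b < RAW_BLOCKS; b++)
        toy_next_block(&ref, raw + b * BLOCK_LEN);
    model_init(&d, 0x36, flags, 0);
    if (model_generate(&d, out, OUT_BLOCKS) != 0)
        return -1;
    for (int k = 0; k + OUT_BLOCKS <= RAW_BLOCKS; k++)
        if (memcmp(out, raw + k * BLOCK_LEN, sizeof out) == 0)
            return k;
    return -1;
}

/* Does generation fail when the source is stuck? 1 = failure reported. */
int stuck_source_rejected(unsigned flags)
{
    uint8_t out[2 * BLOCK_LEN];
    model_drbg d;
    model_init(&d, 0x36, flags, 1);
    return model_generate(&d, out, 2) != 0;
}

int main(void)
{
    printf("shift: test=%d normal=%d; stuck rejected: test=%d normal=%d\n",
           output_shift_in_blocks(MODEL_FLAG_TEST), output_shift_in_blocks(0),
           stuck_source_rejected(MODEL_FLAG_TEST), stuck_source_rejected(0));
    return 0;
}
```

The same bypass that makes the known-answer comparison line up also disables the repeated-block check, which is why the flag belongs in test harnesses only.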
Re: [openssl-users] Fips CTR_DRBG
I can do much more i can give the source code:

    #include <iostream>
    using std::cout;
    using std::endl;
    #include <stdlib.h>
    #include <openssl/evp.h>
    #include <openssl/err.h>
    #include <fips/fips_rand.h>
    #include <fips/fips_rand_lcl.h>
    #include <openssl/rand.h>
    #include <string.h>

    typedef struct {
        const unsigned char *ent;
        size_t entlen;
        int entcnt;
        const unsigned char *nonce;
        size_t noncelen;
        int noncecnt;
    } TEST_ENT;

    static unsigned char dummy_drbg_entropy[1024];
    static unsigned char entropy_x[32];
    static unsigned char nonce[16];

    /* Entropy callback: hands back the fixed test-vector entropy. */
    static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len)
    {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->ent;
        t->entcnt++;
        return t->entlen;
    }

    /* Nonce callback: hands back the fixed test-vector nonce. */
    static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len)
    {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->nonce;
        t->noncecnt++;
        return t->noncelen;
    }

    int main(int argc, char* argv[])
    {
        int rc, mode;
        mode = FIPS_mode();
        if(mode == 0)
        {
            rc = FIPS_mode_set(1);
            if(rc == 0)
            {
                cout << "Failed to enable FIPS mode, ";
                cout << "error: " << ERR_get_error() << endl;
            }
            else
            {
                cout << "Enabled FIPS mode" << endl;
            }
        }
        else
        {
            cout << "Already in FIPS mode" << endl;
        }

        DRBG_CTX *dctx;
        /* As posted: DRBG_FLAG_TEST is not set here. */
        dctx = FIPS_drbg_new(NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);

        unsigned char entropytmp[] = {
            0x36, 0x40, 0x19, 0x40, 0xfa, 0x8b, 0x1f, 0xba, 0x91, 0xa1, 0x66, 0x1f, 0x21, 0x1d, 0x78, 0xa0,
            0xb9, 0x38, 0x9a, 0x74, 0xe5, 0xbc, 0xcf, 0xec, 0xe8, 0xd7, 0x66, 0xaf, 0x1a, 0x6d, 0x3b, 0x14
        };
        unsigned char noncetmp[] = {
            0x49, 0x6f, 0x25, 0xb0, 0xf1, 0x30, 0x1b, 0x4f, 0x50, 0x1b, 0xe3, 0x03, 0x80, 0xa1, 0x37, 0xeb
        };

        /* AES-256 use df PR */
        std::cout << FIPS_drbg_get_strength(dctx) << FIPS_rand_strength() << std::endl;

        //if (!FIPS_drbg_set_callbacks(dctx, drbg_test_entropy, 0, 0x10, drbg_test_nonce, 0))
        if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
        {
            std::cout << "dupa" << std::endl;
        }

        //memcpy(entropy_x, entropytmp, sizeof(entropy_x));
        // memcpy(nonce, noncetmp, sizeof(nonce));

        TEST_ENT t;
        FIPS_drbg_set_app_data(dctx, &t);
        t.ent = entropytmp;
        t.entlen = sizeof(entropytmp);
        t.nonce = noncetmp;
        t.noncelen = sizeof(noncetmp);
        t.entcnt = 0;
        t.noncecnt = 0;

        //FIPS_drbg_instantiate(dctx, pers, sizeof(pers));
        if (!FIPS_drbg_instantiate(dctx, NULL, 0))
        {
            ERR_load_crypto_strings();
            ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
        }

        size_t outlen = 32;
        unsigned char outbuf[outlen];
        if(!FIPS_drbg_generate(dctx, outbuf, outlen, 0, NULL, 0))
        {
            ERR_load_crypto_strings();
            ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
        }

        FIPS_drbg_uninstantiate(dctx);
        FIPS_drbg_free(dctx);
        return 0;
    }

On Thu, 2015-02-26 at 16:43 +, Dr. Stephen Henson wrote:
> On Thu, Feb 26, 2015, Piotr Łobacz wrote:
> > Yes, i have read that RAND API will use CTR_DRBG by default but what if i want to have set seed and then calculate and have the same results on two different machines? As far as i understand if i set seed - which is calculated from entropy, nonce and personal string - if it is given i should get some deterministic value of returned buffer and RAND_bytes doesn't give me such result it is always different. Correct me if i am wrong.
>
> OK, can you give some details of how you are instantiating the DRBG?
>
> Steve.

--
Piotr Łobacz
[openssl-users] Fips CTR_DRBG
Hello, i have a question about FIPS CTR_DRBG. I have managed to compile openssl with fips and everything works fine. The method FIPS_mode returns me 1 so i am in FIPS mode, but what is my problem i dunno how to use properly FIPS_drbg api.

I have managed to create new DRBG context and then i should instantiate it and here are the ladders showing up, because i need to call FIPS_drbg_set_callbacks. According to file openssl-fips-2.0.9/fips/rand/fips_drbg_selftest.c i have created those 2 functions:

    static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len)
    {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->ent;
        t->entcnt++;
        return t->entlen;
    }

    static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len)
    {
        TEST_ENT *t = (TEST_ENT*)FIPS_drbg_get_app_data(dctx);
        *pout = (unsigned char *)t->nonce;
        t->noncecnt++;
        return t->noncelen;
    }

and entropy and nonce is being set properly but the result is different than the one in NIST test vectors. I am trying to check this one:

[AES-256 use df]
[PredictionResistance = False]
[EntropyInputLen = 256]
[NonceLen = 128]
[PersonalizationStringLen = 0]
[AdditionalInputLen = 0]
[ReturnedBitsLen = 512]

COUNT = 0
EntropyInput = 36401940fa8b1fba91a1661f211d78a0b9389a74e5bccfece8d766af1a6d3b14
Nonce = 496f25b0f1301b4f501be30380a137eb
PersonalizationString =
** INSTANTIATE:
Key = 3363d9000e6db47c16d3fc65f2872c08a35f99b2d174afa537a66ec153052d98
V = 9ee8d2e9c618ccbb8e66b5eb5333dce1
AdditionalInput =
** GENERATE (FIRST CALL):
Key = b1dff09c816af6d4b2111fe63c4507cb196154f8c59957a94a2b641a7c16cc01
V = 69eec01b2dd4ff3aab5fac9467f54485
AdditionalInput =
ReturnedBits = 5862eb38bd558dd978a696e6df164782ddd887e7e9a6c9f3f1fbafb78941b535a64912dfd224c6dc7454e5250b3d97165e16260c2faf1cc7735cb75fb4f07e1d

mine Returned bits are

0a84276ebca04933c92bb9f565dd91819e656009b4d9327edc5c777ee2e05a27d9bfd26ab7a0bf2c689ee358d2982de1b1dff09c816af6d4b2111fe63c4507cb

I would be pleased if somebody could point me what am i doing wrong...

--
Piotr Łobacz
Re: [openssl-users] Fips CTR_DRBG
Yes, i have read that RAND API will use CTR_DRBG by default but what if i want to have set seed and then calculate and have the same results on two different machines? As far as i understand if i set seed - which is calculated from entropy, nonce and personal string - if it is given i should get some deterministic value of returned buffer and RAND_bytes doesn't give me such result it is always different. Correct me if i am wrong.

On Thu, 2015-02-26 at 13:28 +, Dr. Stephen Henson wrote:
> On Thu, Feb 26, 2015, Piotr Łobacz wrote:
> > Hello, i have a question about FIPS CTR_DRBG. I have managed to compile openssl with fips and everything works fine. The method FIPS_mode returns me 1 so i am in FIPS mode, but what is my problem i dunno how to use properly FIPS_drbg api.
>
> If you simply want to use the DRBG in CTR mode then you don't need to do anything special: in FIPS mode the DRBG in CTR mode with a 256 bit AES key is the default and you can just use the normal RAND APIs.
>
> Do not use the self test or algorithm test code in applications: you need to set up proper entropy gathering callbacks and the test code contains deterministic examples which would have zero security in a real application. That's what the RAND API will do by default.
>
> Steve.

--
Piotr Łobacz
Re: ChaCha20/Poly1305 in OpenSSL?
Hey,

> But I have not been able to find its trail:
>
> $ cd openssl-git
> $ git pull
> Already up-to-date.
> $ grep -R -i chacha *
> $ grep -R -i poly1305 *
> $
>
> Where are the new cipher suites located in OpenSSL?

$ git checkout 1.0.2-aead

They are there... Just not merged into mainline. I would be also interested in knowing whether there is any ETA for that.

Best regards,
Piotr Sikora
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Peek data
Hello,

I would like to know whether it is possible to peek a message that was received after successful handshake? I am looking for similar behavior to python socket.MSG_PEEK flag which examines the data without consuming it and subsequent recv will read the data again.

Thanks,
Piotr
Re: Peek data
On Thu, Apr 17, 2014 at 7:04 PM, openssl-us...@dukhovni.org wrote:
> On Thu, Apr 17, 2014 at 12:48:11PM -0400, Jeffrey Walton wrote:
> > > This would be the job of a buffering layer above the SSL connection. In Postfix, for example, there is a buffering vstream layer above SSL. Peeking at plaintext data without consuming it is a vstream layer feature.
> >
> > SSL_peek? I'm not sure if it's intended to be a public function, though. But it is used in s_client.
>
> Generally the public SSL library interfaces have names that start with SSL_ (upper case) and the private interfaces have names that start with ssl_ (lower case), so likely SSL_peek() is a public interface.
>
> Unfortunately, not all the public interfaces are documented as such, so we are sometimes forced to guess. In this case there are brief references to SSL_peek() in the SSL_get_error(3) and ssl(3) manpages, so the evidence for a public interface is stronger, though the function is not fully documented.

I have to admit that I tried SSL_peek() and noticed that the behavior is a bit different than I expected. I am using M2Crypto [1] as openssl wrapper for python and when I use SSL_peek() I noticed that there is no read event after peeking for select.select() or select.poll(). It seems that it behaves a bit different than reading with socket.MSG_PEEK flag.

1. https://pypi.python.org/pypi/M2Crypto

> --
> Viktor.
Re: Add certificate callback in Change Log
Hey Jeffrey,

> What is the name of the function to set the callback described below?
>
> *) Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear an existing certificate and specify the whole chain.
> [Steve Henson]

SSL_set_cert_cb() and SSL_CTX_set_cert_cb().

Best regards,
Piotr Sikora
ECDSA and dlopen
Hello there, i have a problem with my library. I have created my own lib with statically linked libcrypto.a and this library i use for signing some sort of data with EVP_KEY and when i link some app to this library everything works just fine, there are no errors from EVP_SignFinal, but when i load this library with dlopen i have such error

error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type

and i dunno what can cause it, maybe somebody could help me solving this issue?
Re: ECDSA and dlopen
No, openssl version is 1.0.0b patched with modified patch for aes gcm and my lib works but if i load it with dlopen this error occurs, which is very strange for me. maybe i'll send this lib constructed by me, because this is very strange why it's not working if lib is the same but with dlopen it crashes.

On Tue, 2012-05-08 at 13:57 +0200, Dr. Stephen Henson wrote:
> On Tue, May 08, 2012, Piotr Łobacz wrote:
> > Hello there, i have a problem with my library. I have created my own lib with statically linked libcrypto.a and this library i use for signing some sort of data with EVP_KEY and when i link some app to this library everything works just fine, there are no errors from EVP_SignFinal, but when i load this library with dlopen i have such error
> >
> > error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type
> >
> > and i dunno what can cause it, maybe somebody could help me solving this issue?
>
> Different library version? You could get that error with OpenSSL 0.9.8 but shouldn't with 1.0.0 and later.
>
> Steve.
apache 2.2 with openssl problem
Hi, i try to compile apache with my openssl

./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl --with-ssl=/opt/NEW/openssl/
[...]
checking for OpenSSL version...
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version in -lcrypto... no
checking for SSL_CTX_new in -lssl... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable
--
bash-2.03# cd /opt/NEW/openssl
bash-2.03# ls
bin include lib ssl

any idea ?

--
spider[at]linux.[dot].pl
Re: apache 2.2 with openssl problem
> checking openssl/engine.h usability... yes
> checking openssl/engine.h presence... yes
> checking for openssl/engine.h... yes
> checking for SSLeay_version in -lcrypto... no
> checking for SSL_CTX_new in -lssl... no
> checking for ENGINE_init... no
> checking for ENGINE_load_builtin_engines... no
> checking for SSL_set_cert_store... no
> configure: error: ... Error, SSL/TLS libraries were missing or unusable
> --

Do you have set LD_LIBRARY_PATH and/or LD_RUN_PATH environment variables before invoking ./configure script to /opt/NEW/openssl/lib ? Or You can modify PKG_CONFIG_PATH to autodetect libraries.
Re: apache 2.2 with openssl problem
2007/10/3, Piotr [EMAIL PROTECTED]:
> > checking openssl/engine.h usability... yes
> > checking openssl/engine.h presence... yes
> > checking for openssl/engine.h... yes
> > checking for SSLeay_version in -lcrypto... no
> > checking for SSL_CTX_new in -lssl... no
> > checking for ENGINE_init... no
> > checking for ENGINE_load_builtin_engines... no
> > checking for SSL_set_cert_store... no
> > configure: error: ... Error, SSL/TLS libraries were missing or unusable
> > --
>
> Do you have set LD_LIBRARY_PATH and/or LD_RUN_PATH environment variables before invoking ./configure script to /opt/NEW/openssl/lib ? Or You can modify PKG_CONFIG_PATH to autodetect libraries.

bash-2.03# echo $LD_LIBRARY_PATH
:/usr/local/firebird/lib:/usr/local/firebird/intl:/usr/local/lib:/opt/NEW/openssl/lib/:/opt/nfast/toolkits/hwcrhk/

--
spider[at]linux.[dot].pl
Re: openssl with accelerator
Hi

2007/8/13, Marek Marcola [EMAIL PROTECTED]:
> Hello,
> > I have add this piece of code in apps/openssl.c recompile and problem is the same
>
> Did you add in main() code to activate this callbacks ? Something like that:
>
>     {
>         int i;
>
>         /* static locks area */
>         mutex_buf = malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
>         if (mutex_buf == NULL) {
>             return (-1);
>         }
>         for (i = 0; i < CRYPTO_num_locks(); i++) {
>             pthread_mutex_init(&mutex_buf[i], NULL);
>         }
>
>         /* static locks callbacks */
>         CRYPTO_set_locking_callback(locking_function);
>         CRYPTO_set_id_callback(id_function);
>
>         /* dynamic locks callbacks */
>         CRYPTO_set_dynlock_create_callback(dyn_create_function);
>         CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
>         CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
>     }

Hi

Thanks for help, i have added this in main function, recompiled openssl and i don't have problems with callbacks.

bash-2.03# echo $LD_LIBRARY_PATH
:/usr/local/firebird/lib:/usr/local/firebird/intl:/usr/local/lib:/opt/nfast/toolkits/hwcrhk/
bash-2.03# ./openssl speed rsa512 -engine chil
can't use that engine
1:error:84067071:CHIL engine:HWCRHK_INIT:unit failure:e_chil.c:604:
1:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
Re: openssl with accelerator
2007/8/14, Marek Marcola [EMAIL PROTECTED]:
> Hello,
> > bash-2.03# echo $LD_LIBRARY_PATH
> > :/usr/local/firebird/lib:/usr/local/firebird/intl:/usr/local/lib:/opt/nfast/toolkits/hwcrhk/
> > bash-2.03# ./openssl speed rsa512 -engine chil
> > can't use that engine
> > 1:error:84067071:CHIL engine:HWCRHK_INIT:unit failure:e_chil.c:604:
> > 1:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
>
> On my test server this is enough to test rsa512 speed using this engine. Maybe you should look at hardware and check that it is operational. For example:
>
> $ /opt/nfast/bin/enquiry | grep -E 'mode|product'
> mode operational
> product name nFast server
> mode operational
> product name nC1002W/nC3022W/nC4032W

Thank you very much, now everything is working :)

--
spider[at]linux.[dot].pl
Re: openssl with accelerator
> > similar problem :(
> >
> > bash-2.03# ./openssl speed rsa512 -engine chil
> > can't use that engine
> > 17391:error:84067072:CHIL engine:HWCRHK_INIT:locking missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()
> > 17391:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
> > bash-2.03# ./openssl version
> > OpenSSL 0.9.8e 23 Feb 2007
>
> Look at:
> http://www.nabble.com/ssl-connection-with-private-key-in-hsm-tf2596336.html#a7241982
> Hope this helps

Hi

Thanks for help. I have added this piece of code in apps/openssl.c, recompiled and problem is the same.
Re: openssl with accelerator
2007/8/8, Goetz Babin-Ebell [EMAIL PROTECTED]:
> > I have problem with openssl cooperating with nCipher (nShield F3) engine
> >
> > bash-2.03# uname -a
> > SunOS sun250 5.8 Generic_117350-35 sun4u sparc SUNW,Ultra-250
> > bash-2.03# ./openssl speed rsa -engine ubsec
> > can't use that engine
>
> Last time I worked with nCipher, they used the chil engine.
>
> Bye
> Goetz

similar problem :(

bash-2.03# ./openssl speed rsa512 -engine chil
can't use that engine
17391:error:84067072:CHIL engine:HWCRHK_INIT:locking missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via CRYPTO_set_dynlock_{create,lock,destroy}_callback()
17391:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
bash-2.03# ./openssl version
OpenSSL 0.9.8e 23 Feb 2007

--
spider[at]linux.[dot].pl
openssl with accelerator
Hello

I have problem with openssl cooperating with nCipher (nShield F3) engine

bash-2.03# uname -a
SunOS sun250 5.8 Generic_117350-35 sun4u sparc SUNW,Ultra-250
bash-2.03# ./openssl speed rsa -engine ubsec
can't use that engine
28137:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libubsec.so): ld.so.1: openssl: fatal: libubsec.so: open failed: No such file or directory
28137:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
28137:error:87069067:ubsec engine:UBSEC_INIT:dso failure:e_ubsec.c:405:
28137:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:

--
spider[at]linux.[dot].pl