Re: [openssl-users] Validation error on generated csr
Hi Erwann What you have to do it hash your data, prepare an X509_SIG object, set its algor to SHA1 (with NULL parameters), and fill the digest part with your hash result. Then transform it into DER, and sign it with CKM_RSA_PKCS mechanism. Thanks a lot for the explanation. However, I can't find any documentation about how to setup this X509_SIG object and then transfer it into DER. The structure seems to look as follows: typedef struct X509_sig_st { X509_ALGOR *algor; ASN1_OCTET_STRING *digest; } X509_SIG; EVP_DigestFinal(ctx,buf,buf_len); gives me a character buffer buf, containing the digest, but I seem to have to encode this to ASN1_OCTET_STRING. Can anybody quickly tell me the required functions or point me to an example of how to do this? Kind regards Tim On 03/15/2013 03:10 PM, Erwann Abalea wrote: Bonjour, Le 15/03/2013 14:07, Tim Tassonis a écrit : Hi I am trying to generate a csr in a c program by having the signing part done by pkcs11 calls, and while I get no errors, the resulting csr fails upon validation: $ openssl req -verify -in wltx.csr verify failure 2948:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 2948:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 2948:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 2948:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx [...] BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- What is RSA signed is the direct SHA1 of the request, without the X509 encapsulation. Below is the function that generates the csr, it always succeds, but as mentioned, the csr is still invalid char *gen_csr(char *key_name, struct s_ekva **key_attrs) { [...] inl=ASN1_item_i2d((void *)req-req_info,buf_in,ASN1_ITEM_rptr(X509_REQ_INFO)); p = buf_in; outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, prvkey); if (rv != CKR_OK) { return NULL; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return NULL; } You're feeding the PKCS#11 library with the request (the part to be signed), while specifying a CKM_SHA1_RSA_PKCS mechanism. The library doesn't know it's signing a CSR, and will SHA1 hash the data and RSA sign it. What you have to do it hash your data, prepare an X509_SIG object, set its algor to SHA1 (with NULL parameters), and fill the digest part with your hash result. Then transform it into DER, and sign it with CKM_RSA_PKCS mechanism. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Validation error on generated csr
Hi Stephen Thanks a lot, that did the trick, the verify now returns ok. Kind regards Tim On 03/18/2013 02:26 PM, Dr. Stephen Henson wrote: On Mon, Mar 18, 2013, Tim Tassonis wrote: Hi Erwann What you have to do it hash your data, prepare an X509_SIG object, set its algor to SHA1 (with NULL parameters), and fill the digest part with your hash result. Then transform it into DER, and sign it with CKM_RSA_PKCS mechanism. Thanks a lot for the explanation. However, I can't find any documentation about how to setup this X509_SIG object and then transfer it into DER. The structure seems to look as follows: typedef struct X509_sig_st { X509_ALGOR *algor; ASN1_OCTET_STRING *digest; } X509_SIG; EVP_DigestFinal(ctx,buf,buf_len); gives me a character buffer buf, containing the digest, but I seem to have to encode this to ASN1_OCTET_STRING. Can anybody quickly tell me the required functions or point me to an example of how to do this? Well you can use the ASN1 code for this but for a single digest you can just manually prepend the necessary encoding. The fips code does this to avoid having to include the ASN1 module. The relavant data is in fips/rsa/fips_rsa_sign.c in any FIPS branch (and the master branch). For example for SHA1 it is: static const unsigned char sha1_bin[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 }; Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Validation error on generated csr
Hi I am trying to generate a csr in a c program by having the signing part done by pkcs11 calls, and while I get no errors, the resulting csr fails upon validation: $ openssl req -verify -in wltx.csr verify failure 2948:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 2948:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 2948:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 2948:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- Below is the function that generates the csr, it always succeds, but as mentioned, the csr is still invalid char *gen_csr(char *key_name, struct s_ekva **key_attrs) { BIO *bio_err = NULL,*bio_out = NULL; X509_REQ *req=NULL; static char *csr_buf = NULL; int csr_len = 0; int curr_nid; X509_NAME *subj=NULL; int i=0; int rc; CK_OBJECT_HANDLE prvkey = NULL, pubkey = NULL; CK_RV rv; CK_BYTE *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; FILE *req_info_file = NULL; EVP_MD *md = EVP_sha1(); rc = p11_get_key(key_name,CKO_PRIVATE_KEY,prvkey); if (rc != 0) { return NULL; } rc = p11_get_key(key_name,CKO_PUBLIC_KEY,pubkey); if (rc != 0) { return NULL; } rsa = p11_key_rsa(pubkey); if (!rsa) { return NULL; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); req = X509_REQ_new(); if (req == NULL) { return NULL; } if (!X509_REQ_set_version(req,0L)) { return NULL; } subj = X509_REQ_get_subject_name(req); for (i=0; key_attrs[i] != NULL; i++) { curr_nid=OBJ_txt2nid(subjattrs[i]-key); if (curr_nid == NID_undef ) { continue; } if (!X509_NAME_add_entry_by_txt(subj,key_attrs[i]-key, MBSTRING_ASC,(unsigned char *)key_attrs[i]-val,-1,-1,0)) { continue; } } X509_REQ_set_pubkey(req, pkey); subj=NULL; inl=ASN1_item_i2d((void *)req-req_info,buf_in,ASN1_ITEM_rptr(X509_REQ_INFO)); p = buf_in; outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, prvkey); if (rv != CKR_OK) { return NULL; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return NULL; } req-signature-data=buf_out; req-signature-length=outl; req-sig_alg-algorithm = OBJ_nid2obj(md-pkey_type); req-signature-flags= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); req-signature-flags|=ASN1_STRING_FLAG_BITS_LEFT; bio_out=BIO_new(BIO_s_file()); if (BIO_write_filename(bio_out,my.csr) = 0) { return NULL; } if (!PEM_write_bio_X509_REQ(bio_out,req)) { return NULL; } BIO_free_all(bio_out); bio_out=NULL; csr_buf = backend_read_file(my.csr,csr_len); csr_buf[csr_len] = '\0'; if (buf_in) free(buf_in); if (buf_out) free(buf_out); if (req) X509_REQ_free(req); #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); if (bio_err) { CRYPTO_mem_leaks(bio_err); } if (bio_err) BIO_free(bio_err); if (bio_out)
Re: Validation error on generated csr
Hi Steve Thanks a lot for your reply. Just another quick question. Do you know by chance an openssl function that would convert the raw sha1 into a digestinfo structure? Kind regards Tim On 03/15/2013 02:36 PM, Dr. Stephen Henson wrote: On Fri, Mar 15, 2013, Tim Tassonis wrote: Hi I am trying to generate a csr in a c program by having the signing part done by pkcs11 calls, and while I get no errors, the resulting csr fails upon validation: Analysing that CSR the actual signature isn't in the correct form: it just contains the raw SHA1 digest instead of the required DigestInfo structure. You can check that using rsautl in a manner similar to that for certificates mentioned in the manual page. However: sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; That mechanism *should* produce a signature in the correct format, so possibly a problem with the PKCS#11 library? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Problems creating csr with openssl/ pkcs11
Hi all I trying to create a csr (in a c program) that uses a hardware private public key and I am accessing this token by pkcs11. However, the csr is always invalid, with the following message: $ openssl req -verify -in wltx.csr verify failure 1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- The code I wrote looks as follows: int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key, CK_OBJECT_HANDLE public_key) { CK_RV rv; unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; EVP_MD *md = EVP_sha1(); rsa = p11_key_rsa(public_key); if (!rsa) { return -1; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); X509_REQ_set_pubkey(req, pkey); inl=i2d_X509_REQ_INFO(req-req_info,NULL); buf_in=(unsigned char *)malloc(inl); p = buf_in; i2d_X509_REQ_INFO(req-req_info,buf_in); outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, private_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } rv = p11-C_VerifyInit(session,sign_mechanism,public_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Verify(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } req-signature-data=buf_out; req-signature-length=outl; req-sig_alg-algorithm = OBJ_nid2obj(md-pkey_type); free(buf_in); return 0; } The function returns ok, the csr can be viewe, but fails upon verificatio, as mentioned. Has anybody any idea what I'm doing wrong? King regards Tim -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Problems creating csr with openssl/ pkcs11
Hi all I trying to create a csr (in a c program) that uses a hardware private public key and I am accessing this token by pkcs11. However, the csr is always invalid, with the following message: $ openssl req -verify -in wltx.csr verify failure 1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -BEGIN CERTIFICATE REQUEST- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -END CERTIFICATE REQUEST- The code I wrote looks as follows: int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key, CK_OBJECT_HANDLE public_key) { CK_RV rv; unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; EVP_MD *md = EVP_sha1(); rsa = p11_key_rsa(public_key); if (!rsa) { return -1; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); X509_REQ_set_pubkey(req, pkey); inl=i2d_X509_REQ_INFO(req-req_info,NULL); buf_in=(unsigned char *)malloc(inl); p = buf_in; i2d_X509_REQ_INFO(req-req_info,buf_in); outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11-C_SignInit(session, sign_mechanism, private_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Sign(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } rv = p11-C_VerifyInit(session,sign_mechanism,public_key); if (rv != CKR_OK) { return -1; } rv = p11-C_Verify(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } req-signature-data=buf_out; req-signature-length=outl; req-sig_alg-algorithm = OBJ_nid2obj(md-pkey_type); free(buf_in); return 0; } The function returns ok, the csr can be viewe, but fails upon verificatio, as mentioned. Has anybody any idea what I'm doing wrong? King regards Tim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Key length used in SMIME Mails
Hi I've got to find out the keysize used in an S/MIME encrypted mail. I looked around in the openssl code and tried the following: X509_ALGOR *alg; PKCS7 *p7; int p7_type; BIO *mail_bio *indata; ... p7 = SMIME_read_PKCS7(mail_bio, indata); p7_type = OBJ_obj2nid(p7-type); switch (p7_type) { case NID_pkcs7_signedAndEnveloped: alg=p7-d.signed_and_enveloped-enc_data-algorithm; break; case NID_pkcs7_enveloped: alg=p7-d.enveloped-enc_data-algorithm; break; default; return; break; } printf(Alg: %s\n,OBJ_nid2sn(OBJ_obj2nid(alg-algorithm))); printf(Len: %ld\n,ASN1_INTEGER_get(alg-parameter-value.integer)); I then get the algorithm as desired: Alg: RC2-CBC or Alg: DES-EDE3-CBC but the keysize is always -1: Key: -1 Key: -1 In pk7_attr.c (lile 110) in PKCS7_simple_smimecap, the line 134 alg-parameter-value.integer = nbit; implies that the keysize is stored there, as the funcion is called in pk7_smime.c like this: PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128); What am I doing wrong. Bye Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CRL Formats
Hi I've got a question regarding crl formats. Until now, I found two mime types for use with crl's: "application/pkix-crl", which seems to be either a DER or PEM formatted crl as in openssl crl. "application/x-pkcs7-crl", which, I would guess at least by its name, should be a pkcs7 file containing a crl and the isser certificates. I can easily create one using openssl crl2pkcs7. At least Netscape 4.nn however requires mime type "application/x-pkcs7-crl" together with a DER formatted crl, as in openssl crl. It will refuse a pkcs7 crl, at least in DER Format. Is Netscape just horribly wrong or what is the defined crl format for "application/x-pkcs7-crl"? As a additional question, does anybody know what crl format is required together with Checkpoint Firewalls? Bye Tim __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate form for LDAP userCertificate
In a LDAP directory, certificates can be stored as binary data under the attribute "userCertificate". Which of the certificate formats that OpenSSL can produce is the correct one to use for this? You can load a DER encoded x509 certificate with ldapmodify or so. Don't forget to specify that the data is binary. Also pkcs7 can be fine. Bye Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: idea and copyright
In the worst case, can somebody point me to another free simmetric algorithm with a 128 bit key ??? RC4 would be my recommendation. sorry but, according to openssl readme "RC4 is a trademark of RSA Security, so use of this label should perhaps only be used with RSA Security's permission.". I need something really free!!! I haven't followed this thread, but Triple DES is free and consequently mostly used for strong symmetric encryption. It is included in openssl and part of the SSL/SMIME defined algorhythms. Bye Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: bad mac decode in ssl handshake
Hi Arun On Fri, 22 Sep 2000, Arun Venkataraman wrote: Looks like the webserver handles SSLv3 properly but not SSLv23 (why?). I tried: "openSsl s_client -debug -sslv3 -connect www.genowebpayment.de:443" and it worked fine. You're right, I managed to connect like this as well. The Web Server used is by the way IBM HTTP Server 1.3.6.2, so probably quite widely used. What I found out as well: - openssl s_client -ssl2 works - openssl s_client -ssl3 works So, only when I specify no protocol, the error occurs. What could that mean? Bye Tim Arun. - Original Message - From: "Tim Tassonis" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 22, 2000 9:17 AM Subject: bad mac decode in ssl handshake Hi When I try to contact the following SSL site with s_client, I cannot connect: www.genowebpayment.de:443 I haven't got an idea what web server they're using, but I can connect successfully with Netscape Communicator 4.75 under Linux for instance. The error occurs under 0.95a and 0.9.6-beta3 at least. This is the command I set up: openssl s_client -debug -connect www.genowebpayment.de:443 And this is the output (after the verify) I get: verify return:0 read from 0814B978 [08150F20] (5 bytes = 5 (0x5)) - 16 03 00 00 04. read from 0814B978 [08150F25] (4 bytes = 4 (0x4)) - 0e. 0004 - SPACES/NULS write to 0814B978 [0815A370] (137 bytes = 137 (0x89)) - 16 03 00 00 84 10 00 00-80 3f c3 0e 89 e0 fc 15 .?.. 0010 - c6 40 24 98 b6 f0 8a f0-2f f5 38 da f0 0e 3d 99 .@$./.8...=. 0020 - ec d9 a7 b0 35 79 92 07-07 ad 3c 1d 1e 3f 0f a0 5y..?.. 0030 - 08 59 e4 f9 98 2f 58 10-9d 51 4a af ea 70 f3 64 .Y.../X..QJ..p.d 0040 - 40 44 3c dd 1d ce 76 41-f7 35 60 5f f3 38 03 75 @D...vA.5`_.8.u 0050 - 6b 03 22 4f 8e 2f c1 41-09 cd be 3a e5 82 d2 a3 k."O./.A...: 0060 - 69 ae 4b 1b 99 ad 09 39-4b dd 82 e2 95 b8 eb 15 i.K9K... 0070 - 9c 9d f5 e4 f6 f2 ab 3b-08 25 5a 69 7f 5b 58 ab ...;.%Zi.[X. 0080 - 55 b4 0a b8 00 c7 9a f4-7aU...z write to 0814B978 [0815A370] (6 bytes = 6 (0x6)) - 14 03 00 00 01 01 .. write to 0814B978 [0815A370] (61 bytes = 61 (0x3D)) - 16 03 00 00 38 06 d3 88-fe e8 e0 2e e7 d4 fb 37 8..7 0010 - ca e2 ec d3 4c 3d 8d 78-0b 0f 02 c5 4e 2e 22 4d L=.xN."M 0020 - 29 e0 e8 33 bc a8 f7 40-c6 7d a6 00 f2 cc 0b 5b )..3...@.}.[ 0030 - 7d 9f 99 05 c8 47 17 a6-9a a8 20 dc 9e}G .. read from 0814B978 [08150F20] (5 bytes = 5 (0x5)) - 14 03 00 00 01. read from 0814B978 [08150F25] (1 bytes = 1 (0x1)) - 01. read from 0814B978 [08150F20] (5 bytes = 5 (0x5)) - 15 03 00 00 12. read from 0814B978 [08150F25] (18 bytes = 18 (0x12)) - 76 4e 6e 26 cc b7 62 08-69 a5 61 f1 b1 05 3e d1 vNn..b.i.a 0010 - c3 4d .M write to 0814B978 [0815A370] (23 bytes = 23 (0x17)) - 15 03 00 00 12 80 33 d5-37 ca 49 35 81 53 72 b5 ..3.7.I5.Sr. 0010 - a7 f9 0b f7 b8 79 72 .yr 11479:error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode:s3_pkt.c:383: Any ideas, anybody Thanks Tim __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]