Re: verifying a decryption

2004-04-18 Thread Vadim Fedukovich
openssl at schwebbman.com wrote:
I am working on writing a program that performs encryption using
triple-DES. I am reading (decrypting) and writing (encrypting) a linked
list to a file. The program will read and write the individual
structures that make up the linked list using OpenSSL. The problem that
I am running into is that I cannot figure out a way to check to ensure
that the data that is being decrypted is actually being decrypted
properly. In other words, if I write out my linked list, encrypting each
structure as I write it, I end up with a file that is encrypted. If I
edit the file using a binary file editor (emacs) and I try and run the
decryption program, the output to the screen is human readable until it
hits the point where I made changes in the encrypted file. Is there a
way to stop the decryption once the data is deemed to be "bad"?

thank you.
David Schwartz wrote:
 > Reply:
 >
 > There are any number of ways to do this. A very simple way is to add a
 > checksum field to the decrypted data and encrypt it along with the data.
 > When you decrypt the data, decrypt the checksum field along with it and
 > then compute the checksum of the data (less the checksum field itself)
 > and verify it against the decrypted checksum field. If they don't match,
 > reject the data.
 >
 >   DS
Please let me say first it was an interesting question
and a great reply.
There was an even better case: RC4 encryption (an XOR-based one)
of authorisation data. It was easy to flip the right bit
resulting in "paid" status with everything else decrypted just fine.
Yes, the problem as described could be handled by
message authentication codes. It might be better to verify integrity
of ciphertext instead of cleartext.
For details, please consider taking a look at
http://attic.cashcow.dk/mail-archive.cashcow.dk/msg00857.html
and the paper mentioned there.
Some research papers are known on encrypt-and-authenticate
as a primitive operation, in case someone doesn't mind writing new code.

regards,
Vadim
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
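An added example, not code from the thread and not OpenSSL API: it reproduces both points above in Python, using RC4 as the XOR-based cipher Vadim mentions and a CRC32 field as the checksum from David Schwartz's reply. The key, plaintext and flipped bit are constructed for the demonstration. It shows that an attacker can flip the "paid" bit and patch the encrypted checksum without knowing the key or the plaintext (CRC32 is linear over XOR, so the correction depends only on the flipped bits), and that an HMAC computed over the ciphertext (encrypt-then-MAC, i.e. integrity of the ciphertext rather than the cleartext) rejects the forgery before anything is decrypted.

```python
"""Added example (not from the thread): why an encrypted checksum is not
a MAC. RC4 is XOR-based, so a bit flipped in the ciphertext flips the
same bit of the plaintext; a CRC32 field encrypted alongside the data can
be patched too, since crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0) for
equal lengths. HMAC over the ciphertext catches the forgery."""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). Used only to reproduce the malleability
    problem; RC4 is not fit for new designs."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_field(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def encrypt_with_crc(key: bytes, plaintext: bytes) -> bytes:
    """The scheme from the reply: plaintext || CRC32, then encrypt all of it."""
    record = plaintext + crc_field(plaintext)
    return xor(record, rc4_keystream(key, len(record)))


def decrypt_check_crc(key: bytes, ciphertext: bytes):
    """Returns the plaintext, or None when the decrypted CRC does not match."""
    record = xor(ciphertext, rc4_keystream(key, len(ciphertext)))
    data, crc = record[:-4], record[-4:]
    return data if crc == crc_field(data) else None


def forge(ciphertext: bytes, delta: bytes) -> bytes:
    """Attacker: flip the plaintext bits set in `delta` (same length as the
    plaintext) and patch the encrypted CRC. Needs neither the key nor the
    original plaintext, only the CRC's linearity over XOR."""
    crc_delta = xor(crc_field(delta), crc_field(bytes(len(delta))))
    return xor(ciphertext, delta + crc_delta)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate the ciphertext (not the cleartext)."""
    ct = xor(plaintext, rc4_keystream(enc_key, len(plaintext)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Check the tag first; nothing is decrypted unless it verifies."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(ct, rc4_keystream(enc_key, len(ct)))


# Constructed demo data: flip the last byte '0' (0x30) into '1' (0x31).
PLAINTEXT = b"user=alice;paid=0"
DELTA = bytes(len(PLAINTEXT) - 1) + b"\x01"

if __name__ == "__main__":
    ct = encrypt_with_crc(b"secret-key", PLAINTEXT)
    print("forged, CRC still valid:", decrypt_check_crc(b"secret-key", forge(ct, DELTA)))
    blob = encrypt_then_mac(b"secret-key", b"mac-key", PLAINTEXT)
    tampered = xor(blob[:len(PLAINTEXT)], DELTA) + blob[len(PLAINTEXT):]
    print("encrypt-then-MAC on tampered data:", verify_then_decrypt(b"secret-key", b"mac-key", tampered))
```

With triple-DES in CBC mode, as in the original question, an edit shows up differently (one garbled block plus a controlled flip in the next), but a CRC inside the plaintext is still not a MAC, and the same encrypt-then-MAC layout applies: authenticate the ciphertext with a separate key and refuse to decrypt anything whose tag does not verify.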


Re: Regarding all the spam...

2004-03-02 Thread Vadim Fedukovich
On Tue, Mar 02, 2004 at 11:47:43AM -0600, Scott Lamb wrote:
> 
> On Feb 24, 2004, at 9:55 AM, Rich Salz wrote:
> 
> >> I think I misunderstood that question.  I honestly don't know what we
> >> would lose.  Maybe a sense of openness.
> >
> > In the past -- at least, say, 2-3 years ago -- we had a couple of
> > anonymous posters who made very worthwhile contributions.  Haven't
> > seen that recently.  Also, it used to be in the spirit of crypto
> > open source (cypherpunks, etc) to allow anon posting because
> > of the whole ethos thing.
> 
> I think there's a huge distinction to be made between disallowing 
> anonymous posting and disallowing non-moderated posting by non-members. 
> You can easily register a hotmail account or whatever and join the 
> mailing list anonymously. In fact, anonymity has _nothing_ to do with 
> whether you are a member of the mailing list or not.

a hotmail account might be considered a handy tool but it hardly could be
regarded as anonymous.

Please take a look at mixmaster.sf.net (the tool)
and the network of remailers running around. There was a Mixmaster protocol
IETF draft published recently.

It is not quite clear whether there's a chance to both accept mail from
remailers and kill the junk.

regards,
Vadim



Re: The crypto library and it's usage

2004-02-16 Thread Vadim Fedukovich
On Mon, Feb 16, 2004 at 10:40:36PM +1100, Chris Nolan wrote:
> Hello Vadim!
> 
> On Mon, 2004-02-16 at 21:28, Vadim Fedukovich wrote:
> > Dear Chris,
> > 
> > authentication methods and protocols were researched for years.
> > 
> > The method described is an easy one and probably could be implemented fast.
> > However, one had better start from requirements before any coding.
> > For example: server is not authenticated here so man-in-the-middle
> > is allowed by design.
> 
> Firstly, thanks for your reply! :-)
> 
> The public key will be verified against a root CA. The public keys used
> are all issued by a health organisation that is part of the federal
> government of Australia.

This would be unlikely to stop Trudy from pretending to be the server for
a legitimate user and the user for the real server.
He could pass a PKCS7 Enveloped from server to user and pass the hash back,
isn't it?

Maybe the hardware used and watched could stop this in the case of a
properly controlled environment, but it would definitely go over a public network.

Please consider using SSL (client certificates) as well as
well-known solutions from the "authentication" chapter
of some good crypto textbook.

Anyway, please consider requirements (threats) first, implementation next.

> I'm a final-year software engineering student, so I can totally
> understand and agree with your statement regarding man-in-the-middle
> attacks and starting with requirements(the person-in-the-middle is named
> Trudy according to Andy S Tanenbaum). 
> 
> My reason behind selecting this authentication method is that the user
> will already have needed to enter two passwords - one to access their
> cryptography store (I have no choice here - the API used to access the
> authentication tokens is provided by the government body in question)
> and another to access the private keys on their token (for signing and
> decryption). Avoiding a third password actually makes sense in this
> case, as many of the target audience would have a tendency to have very
> similar (if not identical) passwords across all domains.

This would be unlikely to help avoid Trudy as outlined.

> I'm doing some tinkering at this point. I can't use the provided API on
> my chosen server platform (Linux) or any other platform as it relies on
> the excellent SQLite which uses database-level locking. As the server
> software is required to service 100s of concurrent sessions, the very
> coarse-grained locking (and thus low concurrency) is inappropriate.

Yes, it is important that your solution would do the job and provide
a reasonable level of performance. It might be no less important
to foil the threats according to security requirements.

You are not required to publish all the details but you'd better
have them documented first.

regards,
Vadim

> After I am done with this project, I intend to contribute to the OpenSSL
> documentation, so any help that anyone gives me will not be wasted on my
> small brain. :-)
> 
> Regards,
> 
> Chris
> > 
> > regards,
> > Vadim
> > 
> > On Mon, Feb 16, 2004 at 06:48:26PM +1100, Chris Nolan wrote:
> > > Hi all,
> > > 
> > > I'm working on building a client-server setup for an application
> > > involving Smartcards. I have a library for Smartcard access on the
> > > Windows side and was hoping to do the following for authentication:
> > > 
> > > 1. Using a certificate that contains the client's public encryption key,
> > > send a PKCS7 message to the client.
> > > 2. Get the client to send me a hash of the decrypted content.
> > > 
> > > The problem is, wrapping my head around what to call and in what order
> > > on the server side. The man pages are good, but don't really give me
> > > much insight as to the structure of the API.
> > > 
> > > Can anyone point me in the direction of some examples on how to do this?
> > > The reason I want to use PKCS7 is because the library on the client side
> > > is already setup to do this with a single C function call.
> > > 
> > > Regards,
> > > 
> > > Chris
> > > 
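The relay Vadim outlines, as an added example that is not from the thread and does not use the PKCS7 API: toy RSA with fixed small primes stands in for the PKCS7 envelope and the smartcard so that the script runs offline, and Server, User and Trudy are constructed roles. The message flow is exactly the two-step proposal from the original post (server encrypts a challenge to the user's public key, user returns a hash of the decrypted content). Trudy never obtains any key material, yet the real server accepts her as the user, because nothing in the user's reply is tied to who actually delivered the envelope.

```python
"""Added example (not from the thread): man-in-the-middle relay against
'encrypt a challenge to the client, get back a hash of the plaintext'.
Toy RSA parameters are constructed for the example and far too small for
real use; the point is the protocol shape, not the cipher."""
import hashlib
import secrets

P, Q = 61, 53
N = P * Q          # 3233
E = 17
D = 2753           # E * D == 1 mod (P-1)(Q-1) == 3120


def envelope(challenge: int) -> int:
    """Server side: the 'PKCS7 enveloped' challenge under the user's public key."""
    return pow(challenge, E, N)


def open_envelope(env: int) -> int:
    """User side: needs the private key, i.e. the smartcard."""
    return pow(env, D, N)


def response(challenge: int) -> str:
    """Step 2 of the proposal: hash of the decrypted content."""
    return hashlib.sha256(challenge.to_bytes(2, "big")).hexdigest()


class Server:
    """Issues a fresh challenge, accepts whoever returns the right hash."""

    def start(self) -> int:
        self.challenge = secrets.randbelow(N)
        return envelope(self.challenge)

    def finish(self, answer: str) -> bool:
        return answer == response(self.challenge)


class User:
    """Honest user: decrypts whatever envelope arrives and answers it.
    Nothing authenticates the party that sent the envelope."""

    def answer(self, env: int) -> str:
        return response(open_envelope(env))


class Trudy:
    """Sits between user and server; holds no key material at all."""

    def __init__(self, real_server: Server, victim: User):
        self.server, self.victim = real_server, victim

    def login_as_victim(self) -> bool:
        env = self.server.start()          # to the server she is "the user"
        answer = self.victim.answer(env)   # to the user she is "the server"
        return self.server.finish(answer)  # server accepts Trudy as the user


def honest_run() -> bool:
    s, u = Server(), User()
    return s.finish(u.answer(s.start()))


def relay_run() -> bool:
    """True means the attack succeeded: Trudy is logged in as the user."""
    return Trudy(Server(), User()).login_as_victim()


if __name__ == "__main__":
    print("honest login:", honest_run())
    print("Trudy logged in as user:", relay_run())
```

The fix Vadim points to is mutual authentication: with SSL and client certificates the user verifies the server's certificate and the client's proof of possession is bound to that very handshake, so a relayed transcript is useless to a third party.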

Re: The crypto library and it's usage

2004-02-16 Thread Vadim Fedukovich
Dear Chris,

authentication methods and protocols were researched for years.

The method described is an easy one and probably could be implemented fast.
However, one had better start from requirements before any coding.
For example: server is not authenticated here so man-in-the-middle
is allowed by design.

regards,
Vadim

On Mon, Feb 16, 2004 at 06:48:26PM +1100, Chris Nolan wrote:
> Hi all,
> 
> I'm working on building a client-server setup for an application
> involving Smartcards. I have a library for Smartcard access on the
> Windows side and was hoping to do the following for authentication:
> 
> 1. Using a certificate that contains the client's public encryption key,
> send a PKCS7 message to the client.
> 2. Get the client to send me a hash of the decrypted content.
> 
> The problem is, wrapping my head around what to call and in what order
> on the server side. The man pages are good, but don't really give me
> much insight as to the structure of the API.
> 
> Can anyone point me in the direction of some examples on how to do this?
> The reason I want to use PKCS7 is because the library on the client side
> is already setup to do this with a single C function call.
> 
> Regards,
> 
> Chris
> 


Re: how to run ocsp server with a correct architecture ?

2004-01-13 Thread Vadim Fedukovich
On Tue, Jan 13, 2004 at 08:43:21AM +0100, Aumont - Comite Reseaux des Universites 
wrote:
> Hi
> 
> The current version of "openssl ocsp" is based on stuff/index.txt so I 
> am afraid that the OCSP server must run on the same server as the 
> certificate authority, but in our case the CA server is running offline 
> (nearly offline) for security reasons.

The major task for an OCSP server is to deliver the current status
of certificates issued.

> Another solution is to export the index.txt on a dedicated OCSP server, 
> but how to protect this file (integrity issue) in a way that the OCSP 
> responder can sign answers? Why does OCSP use index.txt as data backend? 
> Why not use a valid CRL for that usage?

There's a better chance to get a stale (not the current) status
if/when running from CRLs issued some time ago.

> Any comment is welcome.

Beware marketing-driven wide-scale misunderstanding here.

regards,
Vadim


Re: BN_mod_sqrt()

2004-01-09 Thread Vadim Fedukovich
On Thu, Jan 08, 2004 at 09:02:12PM -0800, [EMAIL PROTECTED] wrote:
> Hi,
> 
> I am using the crypto library to do some calculations. I need to calculate the square
> root of a 1024 bit number and round it to the nearest integer.

this might mean working over just integers, isn't it?

> The BN_mod_sqrt()
> function would only calculate the square root if the input BigNum passed to it
> is a perfect square.

it calculates squares in the ring of integers modulo a prime number
and this makes the real difference. No rounding exists there.

regards,
Vadim

> Is there any easy workaround to do this?
> 
> Thanks,
> Aneel.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
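An added example, not from the thread: the two operations side by side in Python. math.isqrt gives the integer square root of a big integer and rounding to nearest is one extra comparison, which is what the question needs. The modular root is what BN_mod_sqrt computes; it is written here for the p ≡ 3 (mod 4) case only (BN_mod_sqrt covers the general case with Tonelli-Shanks), and it shows that a root may not exist at all and that "nearest" has no meaning modulo p. The 1024-bit integer and the Mersenne prime 2^127 - 1 are constructed inputs.

```python
"""Added example (not from the thread): integer square root with rounding
versus a square root in the ring of integers modulo a prime."""
import math


def isqrt_round(n: int) -> int:
    """Nearest integer to sqrt(n) for n >= 0; exact ties round down.
    r + 1 is nearer iff n >= (r + 1/2)^2 = r^2 + r + 1/4, i.e. n - r^2 > r."""
    r = math.isqrt(n)                 # floor(sqrt(n)), exact for big ints
    return r + 1 if n - r * r > r else r


def mod_sqrt_p3mod4(a: int, p: int):
    """One square root of a modulo a prime p with p % 4 == 3.
    Returns x with x*x % p == a, or None when a is a quadratic non-residue.
    (BN_mod_sqrt handles every odd prime; this is the short special case.)"""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p == 3 (mod 4)")
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:  # Euler's criterion: no root exists
        return None
    return pow(a, (p + 1) // 4, p)    # x^2 = a^((p+1)/2) = a * a^((p-1)/2) = a


# Constructed inputs
N1024 = (1 << 1023) + 12345           # a 1024-bit integer, not a perfect square
P127 = (1 << 127) - 1                 # Mersenne prime, P127 % 4 == 3

if __name__ == "__main__":
    print("rounded integer root has", isqrt_round(N1024).bit_length(), "bits")
    a = pow(12345, 2, P127)
    print("modular root of a square:", mod_sqrt_p3mod4(a, P127))
    print("modular root of -1 mod P127:", mod_sqrt_p3mod4(P127 - 1, P127))
```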


Re: Service Certificate DN

2004-01-07 Thread Vadim Fedukovich
hi Jack,

On Wed, Jan 07, 2004 at 12:39:37AM -0800, [EMAIL PROTECTED] wrote:
> Hmmm ... I see. The server certificate's CN is compared to the server's 
> name as it is provided to the client. This is unlike the behavior of 
> kerberos, which performs a reverse lookup of the server's IP to locate 
> its principal. I suppose this solves my problem creating unique DNs 
> for each of my services. It poses, however, another problem. There are 
> potentially many names by which my server can be accessed - I would 
> rather not list them all in a certificate. Because I've used a wildcard 
> in my DNS configuration, there are actually an infinite number of names 
> by which my server can be accessed: a.server, aa.server, aaa.server, 

some clients may accept a wildcard in the server certificate CN, "*.example.com".

> ... Furthermore, I frequently supply to clients only the hostname, to 
> which the default domain is appended. In this case, the supplied name 

I never read a rule to add a default domain before matching with
the subject CN fetched from a certificate.

I should also say it might be better to outline example.com once again:
a web server advertised as "www.example.com" might be hosted at
"dragonfly.example.com" using a server certificate issued to "www.example.com".
The browser would check that the server certificate matches the URL specified
by the user and be happy it really does.

> is a proper prefix of the CN, and the two don't match: "example.com" is 
> appended to "smtp", but SSL unsuccessfully compares only "smtp" to the 
> server's CN, "smtp.example.com".

It's up to a client to implement such a comparison rule and it's unlikely
widely used.

> Can openSSL be configured to compare 
> the certificate's CN to a reverse lookup of the server's IP?

OpenSSL is an open-source tool that you can make do something you'd like.
At some point the user should be convinced an OpenSSL-like product
is doing the right thing and/or provided with a description of what exactly
it is doing.

I'm curious what's the use of data from an (unsigned?) reverse zone here.

regards,
Vadim

> Thanks,
> 
> Jack
> 
> On Jan 3, 2004, at 3:01 AM, Vadim Fedukovich wrote:
> 
> > On Fri, Jan 02, 2004 at 02:09:39AM -0800, [EMAIL PROTECTED] wrote:
> >> I run several SSL enabled services on a single host. Especially since
> >> some of these don't run as root, I want to create a different
> >> certificate, with a different DN, for each service. However, each
> >> service certificates' CN must be the FQDN of the host.
> >
> > Are you sure? There might be "www.example.com", "mail.example.com"
> > and "dragonfly.example.com" each resolving to the same IP address
> > with dragonfly being the unix hostname and www being the apache ServerName.
> >
> >> The kerberos
> >> principal syntax, "service/FQDN" (eg. "imap/hal.discovery") doesn't
> >> work; the CN must match the FQDN exactly.
> >>
> >> Is there a recommended style for synthesizing unique DNs for different
> >> services on the same host?
> >
> > What's the problem if someone types www.example.com into the browser and
> > gets a server certificate issued to www (hosted at dragonfly)?
> >
> > regards,
> > Vadim
> >
> >



Re: Screen Scraping

2004-01-03 Thread Vadim Fedukovich
On Fri, Jan 02, 2004 at 12:24:18PM -0600, Jay Johnston wrote:
...
> SOLUTION IMPLEMENTATION:
> Back to my current dilemma of the needle-in-a-haystack searches I'm doing, I
> decided to create a program that would screen scrape for the string in the
> web-based file directories.  First, however, I had to beat the password scheme
> for the SSL, since the web-based directories are only available on port 443. 
> This was simple enough, I just added the u/p to the url
> (https://user:[EMAIL PROTECTED]) and logged in using my browser with no
> trouble!

Well, you really beat it.
I guess SSL and username+password were introduced on purpose, whatever it is.
In case you're connecting through a proxy: your browser would run the
HTTP CONNECT method and specify the url, so the password will likely be stored
in the proxy logfile, in clear. Hope this still means no trouble.

regards,
Vadim


Re: Service Certificate DN

2004-01-03 Thread Vadim Fedukovich
On Fri, Jan 02, 2004 at 02:09:39AM -0800, [EMAIL PROTECTED] wrote:
> I run several SSL enabled services on a single host. Especially since 
> some of these don't run as root, I want to create a different 
> certificate, with a different DN, for each service. However, each 
> service certificates' CN must be the FQDN of the host.

Are you sure? There might be "www.example.com", "mail.example.com"
and "dragonfly.example.com" each resolving to the same IP address,
with dragonfly being the unix hostname and www being the apache ServerName.

> The kerberos 
> principal syntax, "service/FQDN" (eg. "imap/hal.discovery") doesn't 
> work; the CN must match the FQDN exactly.
> 
> Is there a recommended style for synthesizing unique DNs for different 
> services on the same host?

What's the problem if someone types www.example.com into the browser and
gets a server certificate issued to www (hosted at dragonfly)?

regards,
Vadim


Re: Apache see cert as CA

2003-12-09 Thread Vadim Fedukovich
On Tue, Dec 09, 2003 at 12:28:47PM -0600, Jose Hernandez wrote:
> Here, the problem is in the Certificate: the Linux hostname is not the same
> as you gave in the certificate ...
> 
> I mean the Common Name field must be the Linux hostname ...

The website name as fetched from the server cert CN should be the same as
specified in the VirtualHost section of the Apache server. This name is not required
to be the same as the linux box hostname; they only should both resolve to
the same IP address.

Please note I mean the VirtualHost listening on port 443 with "SSLEngine on".

> 
> -Original Message-
> From: Leon [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 09, 2003 12:20 p.m.
> To: [EMAIL PROTECTED]
> Subject: Apache see cert as CA
> 
> 
> I'm trying to get a SSL site up on Apache.  My system is:
> Redhat 8
> Apache 2.0.40
> OpenSSL .0.9.6b
> 
> When I start Apache, It seems to think everything is OK.  But when I try to 
> browse to a page, I just get the default Apache home page.  If I look at 
> the SSL error log I get:
> [Mon Dec 08 15:35:24 2003] [warn] RSA server certificate CommonName (CN) 
> `rt.domainname.com' does NOT match server name!?
> [Mon Dec 08 15:36:14 2003] [warn] RSA server certificate is a CA 
> certificate (BasicConstraints: CA == TRUE !?)
> I have worked thru the HOWTO's on Redhat creating a private key and 
> creating the certs
> http://www.europe.redhat.com/documentation/HOWTO/SSL-RedHat-HOWTO-3.php3
> 
> My ssl.conf entry is:
> NameVirtualHost rt.domainname.com:443
> 
> ServerName rt.domainname.com
> DocumentRoot /opt/rt3/share/html
> ErrorLog logs/rt/error_log
> CustomLog logs/rt/access_log combined
> #AddDefaultCharset UTF-8
> PerlModule Apache2 Apache::compat
> PerlModule Apache::DBI
> PerlRequire /opt/rt3/bin/webmux.pl
> 
> 
>Order allow,deny
>Allow from all
>Options All
>AllowOverride All
>AddDefaultCharset UTF-8
>
>  SetHandler perl-script
>  PerlHandler RT::Mason
>
> 
> 
> 
>SetHandler perl-script
>PerlHandler RT::Mason
> 
> 
>SetHandler perl-script
>PerlHandler RT::Mason
> 
> 
>SetHandler perl-script
>PerlHandler RT::Mason
> 
> 
> 
> 
> 

-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz
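An added example, not code from this thread or the "Service Certificate DN" thread above: the comparison a TLS client performs between the name it was asked to connect to and the names in the server certificate, written out in Python so the rules from both discussions are explicit. It compares label by label and case-insensitively; a wildcard is honoured only as the whole leftmost label and only when the client chooses to accept wildcards; no default domain is appended; and neither the machine's own hostname nor reverse DNS takes part. Names in a real certificate come from the subject CN and, in practice, the subjectAltName dNSName entries. The certificate names and host names below are constructed.

```python
"""Added example (not from the threads): the host name check a client
applies to a server certificate, and the mod_ssl-style sanity check that
the CN must match the SSL VirtualHost's ServerName, not the box hostname."""


def _labels(name: str) -> list:
    return name.strip().lower().rstrip(".").split(".")


def name_matches(cert_name: str, requested: str, allow_wildcard: bool = True) -> bool:
    """Does one certificate name cover the requested host name?"""
    c, r = _labels(cert_name), _labels(requested)
    if len(c) != len(r):
        return False            # 'smtp' is not 'smtp.example.com'; nothing is appended
    if c[0] == "*":
        # Common client rule: the wildcard covers exactly one label, and the
        # pattern needs at least two more labels ('*.com' is refused).
        return allow_wildcard and len(c) >= 3 and c[1:] == r[1:]
    if "*" in cert_name:
        return False            # partial or non-leftmost wildcards refused
    return c == r


def cert_covers(cert_names, requested: str, allow_wildcard: bool = True) -> bool:
    """True if any name in the certificate covers the requested host name."""
    return any(name_matches(n, requested, allow_wildcard) for n in cert_names)


def apache_vhost_check(cert_names, vhost_server_name: str, box_hostname: str) -> str:
    """The CN must match the ServerName of the port-443 VirtualHost; the
    operating-system hostname of the box is irrelevant to the client."""
    if cert_covers(cert_names, vhost_server_name):
        return "ok"
    if cert_covers(cert_names, box_hostname):
        return "certificate names the box, not the ServerName"
    return "certificate does not match ServerName"


if __name__ == "__main__":
    print(cert_covers(["smtp.example.com"], "smtp"))                      # False
    print(cert_covers(["*.example.com"], "a.example.com"))                # True
    print(cert_covers(["*.example.com"], "a.b.example.com"))              # False
    print(apache_vhost_check(["rt.domainname.com"], "rt.domainname.com", "box.domainname.com"))
```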


Re: Fwd: Getting connect errors on openssl from vbssl client

2003-11-16 Thread Vadim Fedukovich
On Sat, Nov 15, 2003 at 09:09:37PM -0800, Sriram R wrote:
> Can some one detail the steps to enable verbose debug on the openssl server.
> I added debug option ..but that did not give me enough info to further investigate.
> I get accept errors as attached below.
>  
> Any help is greatly appreciated.

Are you sure the client talks SSL? Looks like plain TCP to me.

> -Sriram
> 
> Note: forwarded message attached.
> 
> 
> Date: Wed, 12 Nov 2003 06:02:06 -0800 (PST)
> From: Sriram R <[EMAIL PROTECTED]>
> Subject: Getting connect errors on openssl from vbssl client
> To: [EMAIL PROTECTED]
> 
> Hi all,
>   I tried to connect from my client ssl (Part of visibroker ORB SSL lib).
> When connecting to OpenSSL, I get the following errors on the OpenSSL.
>  
> ERROR 18650:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown 
>  
> Any clues as to why I get the above error?
>  
> thanks,
> -Sriram
>  
> --OpenSSL server errors 
> su-ultra10# openssl s_server -cert cert.pem -key cert.key -debug
> ACCEPT
> read from 0014E1C8 [00158508] (11 bytes => 11 (0xB))
>  - 47 49 4f 50 01 02 GIOP..
> 000b - 
> ERROR
> 18650:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown 
> protocol:s23_srvr.c:634:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
> --
>  
> Client side messages: 
> -
> 0440,11/12/03 5:53 
> AM,010.077.240.060,00018199,VBJ-Application,main,NOTICE,Created a new outgoing 
> connection: 
> Connection[socket=Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301]]
> 
> Adding to active connections: 
> Connection[socket=Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301]]
> 0441,11/12/03 5:53 
> AM,010.077.240.060,00018199,VBJ-Application,main,INFO,reconnected
> 
> Writing 164 bytes at offset 0 to 
> Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301] timeout 
> 0 msecs... complete
> 
> Reading 12 bytes at offset 0 from 
> Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301] with 
> timeout 0 msecs ... failed
> 
> 
> 
> 
> 
> 
> 

-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz


Re: Client certs

2003-11-16 Thread Vadim Fedukovich
On Sat, Nov 15, 2003 at 06:40:26PM -0500, David wrote:
> What kind of voodoo is required to get a client to send a cert?
> 
> Both client and server are calling SSL_CTX_use_certificate_file() and
> SSL_CTX_use_PrivateKey_file(), and the server is calling
> SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL).
> 
> Despite this, SSL_get_peer_certificate (*ssl) returns a cert on the
> client but the server dies, spitting out:
> 7532:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned:s3_srvr.c:1988:
> 
> It looks like both certs are actually being passed, based on a network
> trace.
> 
> What am I missing?

Maybe the server needs to send the list of acceptable SSL client CA certificates,
SSL_CTX_set_client_CA_list().

> I'm using RH9's stock libraries (0.9.7a), and working with the demo/ssl
> code in the openssl source package from openssl.org.

-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz


Re: How to "reset" a BIO

2003-10-16 Thread Vadim Fedukovich
hi Kim,

try setting it read-only before reset

good luck,
Vadim

On Thu, Oct 16, 2003 at 11:45:22AM +0200, Hellan.Kim KHE wrote:
> Hi
> 
> I have a BIO populated with a PKCS#10 request. At the time I am parsing it, I don't 
> know if it is DER or PEM encoded, so I use the following code:
> 
> pReq = d2i_X509_REQ_bio(spBio, NULL);
> if(!pReq)
> {
>   BIO_reset(spBio);
>   pReq = PEM_read_bio_X509_REQ(spBio, NULL, NULL, NULL);
> }
> 
> This works fine if the "spBIO" is a BIO_new_file(), but for a BIO_new(BIO_s_mem()), 
> it does not work.
> It seems that the BIO_reset() does not work for the memory BIO, so I am never able 
> to load a PEM request, once I have tried loading it using the d2i_X509_REQ_bio() 
> function.
> 
> Any ideas how to fix this?
> 
> Thanks,
> Kim Hellan
> 



testing residuosity, composite modulo

2003-09-07 Thread Vadim Fedukovich
Dear list,

did anyone implement a test whether, for a given A, an X exists such that
  X ^ k == A (mod N)
for a composite N = p*q with p and q being known primes?
Any good math paper?

thank you,
Vadim

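An added example, not part of the thread: a k-th power residuosity test modulo N = p*q for the case the question asks about, where the factors p and q are known. For a prime p and gcd(A, p) = 1, A is a k-th power residue mod p exactly when A^((p-1)/g) == 1 (mod p) with g = gcd(k, p-1), because the k-th powers form the unique subgroup of order (p-1)/g of the cyclic group Z_p^*. By the Chinese remainder theorem A is a k-th residue mod N iff it is one mod p and mod q. Without the factors no efficient test is known for general k (the higher-residuosity assumption). The small primes below are constructed so that an exhaustive cross-check runs instantly.

```python
"""Added example (not from the thread): k-th residuosity modulo N = p*q
with known factors, via the generalised Euler criterion and the CRT."""
from math import gcd


def is_kth_residue_mod_prime(a: int, k: int, p: int) -> bool:
    """Generalised Euler criterion for a prime p and gcd(a, p) = 1:
    a is a k-th power mod p iff a^((p-1)/gcd(k, p-1)) == 1 (mod p)."""
    a %= p
    if a == 0:
        raise ValueError("a must be coprime to p")
    g = gcd(k, p - 1)
    return pow(a, (p - 1) // g, p) == 1


def is_kth_residue(a: int, k: int, p: int, q: int) -> bool:
    """Does an X with X^k == a (mod p*q) exist?  Needs the factors p and q.
    Stated for a coprime to N; by the CRT it is a residue mod N iff it is
    a residue modulo each prime factor."""
    if gcd(a, p * q) != 1:
        raise ValueError("test is stated for a coprime to N")
    return is_kth_residue_mod_prime(a, k, p) and is_kth_residue_mod_prime(a, k, q)


def kth_residues_bruteforce(k: int, p: int, q: int) -> set:
    """Ground truth for small N: the set {X^k mod N : gcd(X, N) = 1}."""
    n = p * q
    return {pow(x, k, n) for x in range(1, n) if gcd(x, n) == 1}


def criterion_agrees_with_bruteforce(k: int, p: int, q: int) -> bool:
    """Cross-check the criterion against exhaustive search for every unit mod N."""
    n = p * q
    truth = kth_residues_bruteforce(k, p, q)
    return all(is_kth_residue(a, k, p, q) == (a in truth)
               for a in range(1, n) if gcd(a, n) == 1)


if __name__ == "__main__":
    # Constructed parameters: N = 11 * 13 = 143, k = 4
    print("criterion matches brute force:", criterion_agrees_with_bruteforce(4, 11, 13))
    print("7^4 mod 143 is a 4th residue:", is_kth_residue(pow(7, 4, 143), 4, 11, 13))
```

For cryptographic sizes only the criterion is usable; the brute-force function exists purely to validate it on toy parameters.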


Re: Error (certificate verify failed)

2003-09-04 Thread Vadim Fedukovich
On Wed, Sep 03, 2003 at 11:46:30AM -0400, Charles B Cranston wrote:
> Sean McKay wrote:
> 
> >I was not able to get the LDAPS server to respond to the query so out of
> >despiration, I thought I'd try HTTPS -- if I remember right, I think
> >Microsoft uses a non-standard for LDAPS that I can't remember right now.
> 
> I am aware of one incompatibility in the LDAP world.  This causes OpenLDAP
> to be incompatible with both the IBM Directory Server and I believe with
> Microsoft as well.  This is due to a modification to the way that LDAP
> does encoding to thwart a possible attack method, unfortunately, neither
> of these products interworks with the thwart.
> 
> Interestingly enough, the Perl Net::LDAPS works fine with EITHER kind of
> server.  It is totally written in Perl so does not use any of these
> libraries.
> 
> You might try to see if you can set a bit in OpenLDAP that passes
> through to OpenSSL that says "don't implement the thwart".  I had a
> conjecture that this might work (I was working in PHP at the time)
> but never had a chance to test it out.
> 
> But there is clearly an incompatibility, and we had to do local code to
> make the Apache SSL stuff work with a "special library" IBM donated
> to us.
> 
> I might be able to post a URL for a technical explanation if anybody
> is interested in seeing it.

yes please.
Is it an "empty fragment" counter-measure introduced by OpenSSL
and not yet widely implemented elsewhere?

regards,
Vadim

> 
> -- 
> Charles B (Ben) Cranston
> mailto: [EMAIL PROTECTED]
> http://www.wam.umd.edu/~zben
> 


Re: OpenSSL algorithm and Java

2003-08-14 Thread Vadim Fedukovich
On Thu, Aug 07, 2003 at 10:21:09AM +0200, Davide De Benedictis wrote:
> Hi, here again
> 
> I'm a Java user and I'm using the Java Cryptography Extension shipped
> with the JDK 1.4 and enhanced with the BouncyCastle.org open source
> libraries. I need to interact with a PHP server which uses OpenSSL
> for digital Signatures.
> I'm trying to read and decrypt an RSA private key previously
> generated with OPENSSL. The key is encrypted using triple des
> and a key obtained from a pass phrase. Command used was:
> 
> openssl genrsa -des3 -out private_key_file 256
> 
> I will have to find out the algorithm used by openssl to convert the
> passphrase into a 3des 168 bit key and do the same in my code.

Both BouncyCastle and OpenSSL support PKCS12 and the private key could be
saved in this format. Yes, 3DES could still be used to encrypt
this private key.

hope this helps,
Vadim

> Has somebody successfully imported such a key with Java and/or 
> BouncyCastle libraries?
> Which algorithm should I use ?
> I investigated OPENSSL docos and source code without results.
> 
> Thank you in advance.
> 
> --
> Davide
> 
> 


Re: certificate based authentication: How do I create certificate-files

2003-07-26 Thread Vadim Fedukovich
Dear Torsten,

concatenating some certificates into a single file would not automagically
make every client and server follow the rules. To enforce it,
one can check something while doing the SSL handshake or immediately
after the handshake, before sending application data.

Servers could get the client name and unit from the client certificate
sent during the SSL handshake. The first step would be verifying the
client certificate is properly signed, the second to match the
organisation unit name. If it doesn't match one could either
fail the handshake or maybe send a warning html page to the client
explaining it should use the right server.
Clients could check the server cert is properly signed as well as
that the server name and organisation unit match.

hope this helps,
Vadim

On Fri, Jul 25, 2003 at 03:36:08PM +0200, T. Valent wrote:
> Hi!
> 
> I probably have a very basic question, but I need to describe my problem
> in detail to make sure everybody understands what I'm seeking,
> because I may not possibly use the correct terminology. I want to have
> this kind of organizational structure (OU = Organizational Unit):
> 
> Root-CA
>   |
>   +---OU1
>   | +OU1-Server-1-Key
>   | |
>   | +OU1-Server-2-Key
>   | |
>   | +OU1-Client-1-Key
>   | |
>   | +OU1-Client-2-Key
>   | |
>   | +OU1-Client-3-Key
>   |
>   +---OU2
> + ... (and so on)
> 
> For my project I would have some dozens of OUs. In this project clients
> connect to servers (not http, no DNS) and transfer data over that
> connection to a custom application.
> 
> Now I want the Servers (OU1-Server-n) to check the client's certificate
> when a client connects to a server. Any client who is member of the same
> OU should be able to connect to any of the servers of the same OU, but
> not to a server of a different OU. And the clients should check that the
> certificate of server-n is a valid certificate, signed by OU1's key
> (or/and our root-key?). It should also be allowed that Server-1 will
> connect to Server-2 (for synchronization purposes).
> 
> I tried to achieve this the following way:
> Create root key
> Create root certificate
> Create OU1 key
> Create OU1 certificate
> Sign ou1's certificate with our root key.
> Create OU1-Server-1-key
> Create OU1-Server-1-certificate
> Sign OU1-Server-1-certificate with OU1's key.
> Do the last three steps for each OU1-Client-[1-n]-key
> 
> If I have made any obvious mistakes (maybe in concept), please let me
> know.
> 
> I have quite a couple of files now. The main question is, which files
> are now needed on the clients and which on the servers and how to
> generate them from the files I have? 
> 
> [Should I just copy the server's certificate into a certificate-file
> which then contains the root-cert as well as the cert of OU1 and the
> certs of all OU1's servers into one file and have that file on the
> clients? And the same with the servers (all client-certs, OU1's certs as
> well as the root-cert)? What's confusing me is that I've seen so many
> files where certificates and keys are mixed up in one file. What's also
> confusing me is that I've seen cert files with not only ASCII coded
> binary code in it, but also with readable strings like "Issuer = ..."
> mixed up. Which format can be used for certificates?]
> 
> -- 
> Regards,
> Torsten
> 
> (0>
> //\
> V_/_
> 
> Tolerance rocks!
> 
> -
> 
> # head PCA/private/PCAkey.pem
> -BEGIN RSA PRIVATE KEY-
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,abcdefghijklmnopq
> 
> 1234567890abcdefghijklmnopqrstuvwxyz[modified...]
> 
> # head PCA/private/PCAcert.pem
> -BEGIN CERTIFICATE-
> MIIIEDCCBfigAwIBAgIBADANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCREUx
> 
> # grep '^---' /Server/server.pem
> -BEGIN CERTIFICATE-
> -END CERTIFICATE-
> -BEGIN RSA PRIVATE KEY-
> -END RSA PRIVATE KEY-
> -BEGIN X509 CERTIFICATE-
> -END X509 CERTIFICATE-
> -BEGIN CERTIFICATE-
> -END CERTIFICATE- [and so on, about 50 lines]
> 
> # grep '^---' /Server/client.pem
> -BEGIN CERTIFICATE-
> -END CERTIFICATE-
> -BEGIN RSA PRIVATE KEY-
> -END RSA PRIVATE KEY-
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
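The post-handshake check Vadim describes (verify the chain, then match the organisational unit on the server side and the server name plus unit on the client side), as an added example that is not part of the original thread. It uses Python's ssl module and the dict form that getpeercert() returns; the trust store and key file names, and the sample subjects at the bottom, are assumptions made for the example.

```python
import socket
import ssl

# Assumed file names (not from the original post): a trust store holding the
# root and the OU sub-CA certificates, and this host's own certificate and key.
CA_BUNDLE = "root-and-ou1-ca.pem"
MY_CERT = "me.crt"
MY_KEY = "me.key"


def subject_values(cert, attr):
    """All values of one subject attribute in an ssl.getpeercert() dict.

    getpeercert() renders the subject as a tuple of RDNs, each RDN a tuple
    of (attribute-name, value) pairs, for example
    ((('countryName', 'DE'),), (('organizationalUnitName', 'OU1'),), ...).
    """
    return [value
            for rdn in cert.get("subject", ())
            for name, value in rdn
            if name == attr]


def check_same_ou(peer_cert, my_ou):
    """The rule from the thread: the peer must carry exactly our OU.

    Chain validation alone accepts any certificate the root (or any OU
    sub-CA) issued, so a client of OU2 gets past it; this check is what
    actually confines peers to their own unit.
    """
    ous = subject_values(peer_cert, "organizationalUnitName")
    if not ous:
        return False, "peer certificate has no organizationalUnitName"
    if len(ous) != 1:           # refuse ambiguous subjects instead of guessing
        return False, "peer certificate carries several OU values: %r" % (ous,)
    if ous[0] != my_ou:
        return False, "peer OU %r is not ours (%r)" % (ous[0], my_ou)
    return True, "OU %r matches" % (my_ou,)


def make_context(server_side):
    """Both roles verify the peer's chain against the shared trust store."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=CA_BUNDLE)
    ctx.verify_mode = ssl.CERT_REQUIRED     # on the server: demand a client cert
    ctx.load_cert_chain(MY_CERT, MY_KEY)
    return ctx


def serve_one(listen_sock, my_ou):
    """Server: finish the handshake, then enforce the OU before any application
    data flows (the 'immediately after the handshake' option)."""
    ctx = make_context(server_side=True)
    raw, _ = listen_sock.accept()
    with ctx.wrap_socket(raw, server_side=True) as tls:
        ok, why = check_same_ou(tls.getpeercert(), my_ou)
        if not ok:
            # the 'warning page' option: tell the peer, then drop the connection
            tls.sendall(("wrong unit: " + why + "\n").encode())
            return None
        return tls.recv(4096)


def connect_checked(host, port, my_ou):
    """Client: the ssl module checks the chain and that the server name matches
    (check_hostname=True); the OU is checked here before the first byte is sent."""
    ctx = make_context(server_side=False)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            ok, why = check_same_ou(tls.getpeercert(), my_ou)
            if not ok:
                raise ssl.CertificateError(why)
            tls.sendall(("hello from " + my_ou + "\n").encode())
            return tls.recv(4096)


# Constructed peer subjects in getpeercert() form (sample data, not real certificates).
OU1_CLIENT = {"subject": ((("countryName", "DE"),),
                          (("organizationName", "Example"),),
                          (("organizationalUnitName", "OU1"),),
                          (("commonName", "OU1-Client-1"),))}
OU2_CLIENT = {"subject": ((("countryName", "DE"),),
                          (("organizationalUnitName", "OU2"),),
                          (("commonName", "OU2-Client-1"),))}
NO_OU = {"subject": ((("commonName", "anonymous"),),)}

if __name__ == "__main__":
    for label, cert in (("OU1 client", OU1_CLIENT), ("OU2 client", OU2_CLIENT), ("no OU", NO_OU)):
        print(label, "->", check_same_ou(cert, "OU1"))
```

Note that the trust store only decides whether a chain is acceptable; the OU policy has to be enforced by check_same_ou on both ends, which is exactly why concatenating certificates into one file is not enough on its own.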


Re: FQDN

2003-07-25 Thread Vadim Fedukovich
On Fri, Jul 25, 2003 at 09:18:52AM -0400, Jue (Jacky) Shu wrote:
> On 2003-07-24 at 18:43, David Schwartz wrote:
> > 
> > > Please check this url:
> > > http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
> > > Server authentication, step 4
> > > The only difference is that netscape just check domain name.
> > 
> > "Does the domain name in the server's certificate match the domain name of
> > the server itself? This step confirms that the server is actually located at
> > the same network address specified by the domain name in the server
> > certificate. Although step 4 is not technically part of the SSL protocol, it
> > provides the only protection against a form of security attack known as a
> > Man-in-the-Middle Attack. Clients must perform this step and must refuse to
> > authenticate the server or establish a connection if the domain names don't
> > match. If the server's actual domain name matches the domain name in the
> > server certificate, the client goes on to Step 5."
> > 
> > As I suspected, you misunderstood it. This is NOT ABOUT DNS. This about
> > confirming that the server's name (the name you think you're talking to)
> > matches the name in the certificate.
> Well, if there is no DNS, how can you connect to a machine on the
> internet?  If the DNS has been sabotaged, it won't lead you to the
> machine you want to connect. Yes, you will say that you still need to
> check DN, But even DNs match, it is still not enough for security.
>  
> What's the difference between DN and FQDN? It is application related. If
> I'm sure that my application won't move from a machine to another, why
> can't I use FQDN? although it will limit application to a specific
> machine.
> 
> > Suppose I trust 'www.amazom.com'. I try to connect to 'www.amazon.com' and
> > get 210.3.4.9. I am then sent a certificate for 'www.evilhost.com'. I compare the
> > name of the server I am trying to speak to 'www.amazon.com' to the name in
> > the certificate 'www.evilhost.com'. If they don't match, I refuse the
> > connection.
> This is exactly what I was talking about. but not just this. In case you
> might misunderstand my question, I'd like to rephrase it here. Suppose I
> want to attack an online bank and managed to get the server's key (don't
> ask me why, i don't know either :-)). Through the certificate, I can
> know this key's DN (say domainA) or some extra information. Then I'll
> spoof DNS, make that domainA points to my machine. I'll preset a page to
> simulate a login screen on my machine. The clients will think that they
> are connecting to the real bank server, so I record their password,
> finally I can login to the real bank server after I restore DNS.
> 
> This is what I'm trying to prevent. After handshake and authentication
> by SSL, it is still not safe enough, because other people and I share
> some common secrets (key and certificate), but if secrets are compromised,

I'd say: own keys. Sharing them is a very bad idea.

Please note certificates are sent "in clear" during the SSL handshake,
so they should be considered public info.

> (I know that people don't like this idea of losing key, but it happened
> before and will happen in the future) then I'm in trouble. My question
> is: can we find a solution to such a scenario? Such as application level
> authentication.

Some more passwords and keys may be used at application level
to hedge the risk, and they can also be lost. That is, losing any key
makes a better chance to get in trouble, and it happens sometimes, isn't it?

Please consider signed DNS (forward-type zone) in case you'd like to
verify the IP address.

> 
> Jacky
> 
> > As Netscape puts it, "does the domain name in the server's certificate"
> > (www.evilhost.com in my example) "match the domain name of the server
> > itself" (www.amazon.com in my example). In this case they don't. So the
> > connection is refused (or, if you prefer, considered to be to/from
> > 'www.evilhost.com' rather than 'www.amazon.com') regardless of what DNS
> > says.
> > 
> > > Why I suppose someone can get clients' key?
> > > because in my case, my clients are people without computer background.
> > > I'd like to believe them know how to keep their keys.
> > > But in case keys are compromised, shouldn't we think about any possible
> > > solution to against it?
> > 
> > I could spend months explaining why this is wrong. But I strongly advise
> > you that you should take the word of the security experts who advise you
> > that this argument makes no sense. I would cite as further evidence that you
> > are in no position to maintain this claim against experts the fact that you
> > misunderstand the basic machinations of how Netscape's server validation
> > works.
> > 
> > I'm not trying to be mean or rude. I'm just trying to stop you from doing
> > something really, really bad.
> > 
> > DS
> > 
> > 

Re: FQDN

2003-07-21 Thread Vadim Fedukovich
On Mon, Jul 21, 2003 at 12:20:05PM -0400, Christopher Fowler wrote:
> There is no function in OpenSSL I believe that does such a thing.
> 
> What you need to do is get the sockaddr sin_addr data from the accept()
> function.  At that point you have a IP Address.  Use gethostbyaddr() to convert
> that IP into a FQDN.  You can then verify that the FQDN of the host matches
> that in the certificate.

I doubt this.
Yes, DNS is used for lookup from the "reverse" zone.
However, FQDN was intended to check whether the client managed to connect
to the server he originally intended. This verifies the "forward" DNS lookup.

Regards,
Vadim

> On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote:
> > hi all,
> > 
> > maybe it is not a SSL question. I want to make post-connection assertion to
> > prevent man-in-the-middle attack. But I don't know how to get FQDN of the 
> > peer side(Not from peer's certificate, it must be other side's real address).
> > Is there any socket function to get peer's FQDN?
> > thank you in advance.
> > 
> > Jacky
> > 


Re: FQDN

2003-07-21 Thread Vadim Fedukovich
On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote:
> hi all,
> 
> maybe it is not a SSL question. I want to make post-connection assertion to
> prevent man-in-the-middle attack. But I don't know how to get FQDN of the 
> peer side(Not from peer's certificate, it must be other side's real address).
> Is there any socket function to get peer's FQDN?
> thank you in advance.
> 
> Jacky

this makes sense for a client connecting to some server.
The client uses some FQDN (user input? configuration file?), passes it
to DNS and does connect() to the host.
So the client could check whether the host responds with that FQDN
as the common name of the server certificate.

hope this helps,
Vadim
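The forward-direction check from this FQDN thread (compare the name the client dialled against the server certificate, never a reverse lookup of the peer address), as an added example that is not part of the original posts. It works on the dict form of ssl.getpeercert(); the sample certificates and host names are constructed for the example, and the wildcard rule implemented is the usual one-label-only form, which goes slightly beyond the plain common-name comparison the thread talks about.

```python
import socket
import ssl


def claimed_dns_names(cert):
    """DNS names a server certificate claims, from an ssl.getpeercert() dict.

    subjectAltName dNSName entries win; the commonName is consulted only when
    the certificate has no DNS SAN at all (older certificates like the ones
    discussed in this thread carry only a CN).
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value
            for rdn in cert.get("subject", ())
            for name, value in rdn
            if name == "commonName"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or a single leftmost '*' label standing
    for exactly one label: '*.example.com' matches 'a.example.com' but not
    'a.b.example.com' or 'example.com', and '*.com' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_name_matches(cert, intended_fqdn):
    """Return the certificate name that matches the FQDN the user asked for,
    or None. Only the forward direction is used: the name the client resolved
    and connected to, against the certificate. A reverse lookup of the peer
    address (gethostbyaddr) is not consulted, because the attacker who can
    steer DNS can steer that answer too."""
    for name in claimed_dns_names(cert):
        if dns_name_matches(name, intended_fqdn):
            return name
    return None


def connect_and_assert(intended_fqdn, port=443):
    """Post-connection assertion as asked for in the thread: keep the name
    that was dialled and refuse the session unless the certificate is for it."""
    ctx = ssl.create_default_context()      # chain and hostname also checked by ssl
    with socket.create_connection((intended_fqdn, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=intended_fqdn) as tls:
            matched = server_name_matches(tls.getpeercert(), intended_fqdn)
            if matched is None:
                raise ssl.CertificateError("certificate is not for %s" % intended_fqdn)
            return matched


# Constructed certificates in getpeercert() form (sample data, not real certs).
# The case from the thread: the client meant to reach the shop, DNS (spoofed or
# not) led it to a host that presents a certificate for a different name.
SHOP_CERT = {"subject": ((("commonName", "shop.example.com"),),),
             "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.example.com"))}
EVIL_CERT = {"subject": ((("commonName", "www.evilhost.example"),),)}
WILDCARD_CERT = {"subject": ((("commonName", "ignored.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    print(server_name_matches(SHOP_CERT, "shop.example.com"))   # shop.example.com
    print(server_name_matches(EVIL_CERT, "shop.example.com"))   # None
```

In connect_and_assert the ssl module already performs this comparison when check_hostname is on; the explicit function is there for the post-connection assertion the original question asked about and for inspecting a certificate obtained some other way.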


Re: Philosophical question: What means verifying a connexion ?

2003-06-05 Thread Vadim Fedukovich
hi Michel,

On Tue, Jun 03, 2003 at 08:20:04PM +0200, Michel Gouget wrote:
> Many thanks Vadim for assuring me that keys/certificates can't work if they
> are not matched, and your observations on my architecture.
> 
> My vision is that (k0) (2048 bits) will *never* be compromised during
> application's life (~20 years), as it is kept in a bank safe in a sealed
> envelope, and is used only once to sign (ca1). (k1) *could* be compromised,
> as it is needed to sign server certificates, but this is done at a single
> place.

so k0 might be used once again to sign ca1 replacement in (unlikely) case of
k1 compromise

> On the client, (ca1), then (ca2) are verified at startup. If I understand
> correctly the certificate technology, a certificate is a rope which ties
> together a DN and a private key, no more, no less.

It "ties" DN, public key, validity dates and extensions.
The tie mentioned is the signature.

> Verifying certificate
> (c1) means for me: "verify that God (ca0) has really certified  that (DN1)
> goes with (k1)" in order to be *sure* that if someone uses (k1), *then* he
> is named (DN1). At the second level, it means that if I have verified (DN1)
> and that (k1) has been used to sign (c2), *then* I can be sure that if
> someone uses (k2), he is named (DN2), *unless* (k1) has been compromised..
> So in fact my only trusted certificate is (ca0). Maybe I have not really
> understood what is a trusted certificate.

Yes, exactly. One could also elaborate "using private key"
means making signatures (issuing certificates) or participating
in a protocol (SSL).

The trusted certificate is one verified some other way,
say using fingerprint from paper agreement. Or maybe one signed
using a private key generated and controlled by you alone.

> You are right that if (k2) is compromised, all (ca3) certificates must be
> recreated with a (k2') key, but I have not found a better solution
> 
> Concerning (k3), they are stored *encrypted* on the server, and are
> encrypted with 3DES whose strength matches the 2048 bits RSA key. The
> passphrase (p3) entered by the user is sent over the network only *after*
> having checked that we are connected to the correct server (i.e. client has
> checked server certificate). (p3) is only used in-memory by the server to
> check that it decrypts correctly (k3), then erased. (k3) is sent back still
> encrypted by (p3) over the wire.

so this security model is equivalent to or weaker than using passwords over
SSL without client certificates at all:
- a client who knows the password will get access anyway
- a client who got the SSL client certificate and private key at least once
  some time ago could use it to get access regardless of the password
  having been changed already

> I did that because users can use different clients, and a client can be used
> by different users, so I could not store state information on the client.
> (ca3, k3) are in fact attached to the user's DN. In that scheme, state
> information is carried by the user in the form of (p3), as, unfortunately
> :-), I can't ask users to remember the 2048 bits of their private key.

In this case one could just tell the user the effective level of security
and let them choose the right client software/hardware

> I still don't understand why  2) is the weakest step, nor how could I use
> "just client SSL certificates".

Let's assume a user writes the password on a yellow sticky note and puts it
on the monitor for an hour. Someone complains and the password gets replaced.
However, before the password was changed someone got the client SSL certificate
and private key using that (old) password and stored them.
Now that client can access the service without any password at all, isn't it?

Another possible point of failure is the server-side password store.
This means one can fetch the password store after a server compromise
and fetch lots of SSL client certificates and private keys.
Distributing new passwords to all clients might be a very hard job.

To decrypt the SSL client private key one has to store passwords in clear.
This means passwords are available immediately after a server compromise.
Please note there's a time frame to crack passwords in case of
keeping password hashes, not cleartext. The service admin might stop
the service before the cracking process lists some portion of passwords,
in case he notices the compromise.

With client SSL certificates there's no server-side password store.

With passwords over SSL and no client certificates one could disenroll
by replacing a single password and store password hashes instead of cleartext.

Both options look better to me.

yours,
Vadim

> 
> Once again, thanks,
> 
> Michel
> 
> - Original Message -
> From: "Vadim Fedukovich" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECT
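Vadim's remark that a trusted certificate is one verified some other way, say by a fingerprint from a paper agreement, as an added example that is not part of the original thread. It computes the fingerprint in the form the openssl command-line tool prints, compares it in constant time with the agreed value, and only then builds a client context whose sole trust anchor is that certificate. The certificate body used at the bottom is constructed bytes, not a real certificate, so that the PEM handling can be exercised offline.

```python
import base64
import hashlib
import hmac
import ssl


def fingerprint_sha256(der_bytes):
    """SHA-256 over the DER encoding, in the colon-separated upper-case form
    that 'openssl x509 -noout -fingerprint -sha256' prints, so it can be
    compared by eye with the value on the paper agreement."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text):
    """Fingerprint of a PEM certificate (what ssl.get_server_certificate returns)."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem_text))


def _normalise(fp):
    return fp.replace(":", "").replace(" ", "").strip().upper()


def matches_pin(pem_text, pinned_fingerprint):
    """True if the certificate is the one agreed out of band. Separators and
    case are tolerated in the pinned value; the comparison itself is constant-time."""
    return hmac.compare_digest(_normalise(pem_fingerprint(pem_text)),
                               _normalise(pinned_fingerprint))


def context_trusting_only(pem_text, pinned_fingerprint):
    """Client context whose only trust anchor is the pinned certificate (the
    'ca0' of the thread). Refuses to build one if the fingerprint differs."""
    if not matches_pin(pem_text, pinned_fingerprint):
        raise ValueError("certificate fingerprint does not match the agreed value")
    return ssl.create_default_context(cadata=pem_text)


# Constructed stand-in for a certificate body (not real DER), wrapped as PEM.
# A real trust anchor would be the CA's own certificate file.
_FAKE_DER = b"constructed example bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_FAKE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(pem_fingerprint(SAMPLE_PEM))
```

context_trusting_only is only called with a real certificate; with the constructed sample it stops at the fingerprint check, which is the part the example is about.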

Re: Unresolved Externals.

2003-03-21 Thread Vadim Fedukovich
On Thu, Mar 20, 2003 at 04:13:48PM +0530, Vengada Prasad Govindan wrote:
> 
> Hello,
> We are trying to use /usr/local/ssl/lib/openssl.a version 0.9.7a for
> building another application (802.1x Xsupplicant0.6). We get the
> following unresolved externals (see attachment - make_error.txt). Let us
> know what we are missing here. Also attached is the output of the
> configure script for 802.1x Xsupplicant application .

try swapping -lcrypto and -lssl
that is,
   -L/usr/local/ssl/lib -lssl -lcrypto

> 
> Regards
> Prasad
> 

Content-Description: make_error.txt
> Making all in src
> make[1]: Entering directory `/home/thiagav/nec/802.1x/src/xsupplicant/src'
> gcc  -g -O2 -Wall -o xsupplicant  1xdriver.o 1xdaemon.o eapol.o eaptls.o eap.o 
> userconf.o eapcrypt.o configparse.o dot1x_globals.o os_generic.o eapmd5.o 
> eapmschapv2.o desport.o deskey.o logging.o os_wireless_ext.o auth_tools.o 
> config_grammar.o config_lex.o -L/usr/local/lib -lpcap -L/usr/local/lib -ldnet -lfl 
> -L/usr/local/ssl/lib  -lcrypto -lssl -ldnet 
> /usr/local/ssl/lib/libssl.a(t1_enc.o): In function `tls1_change_cipher_state':
> t1_enc.o(.text+0x247): undefined reference to `COMP_CTX_free'
> t1_enc.o(.text+0x26b): undefined reference to `COMP_CTX_new'
> t1_enc.o(.text+0x3b4): undefined reference to `COMP_CTX_free'
> t1_enc.o(.text+0x3d4): undefined reference to `COMP_CTX_new'
> t1_enc.o(.text+0x42f): undefined reference to `EVP_CIPHER_CTX_cleanup'
> t1_enc.o(.text+0x441): undefined reference to `EVP_CIPHER_CTX_init'
> t1_enc.o(.text+0x8ae): undefined reference to `EVP_CipherInit_ex'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_free':
> ssl_lib.o(.text+0x5f9): undefined reference to `X509_NAME_free'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_set_wfd':
> ssl_lib.o(.text+0x680): undefined reference to `BIO_s_socket'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_set_rfd':
> ssl_lib.o(.text+0x7e0): undefined reference to `BIO_s_socket'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_new':
> ssl_lib.o(.text+0xc8c): undefined reference to `X509_STORE_new'
> ssl_lib.o(.text+0xcf9): undefined reference to `EVP_get_digestbyname'
> ssl_lib.o(.text+0xd39): undefined reference to `EVP_get_digestbyname'
> ssl_lib.o(.text+0xd79): undefined reference to `EVP_get_digestbyname'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_free':
> ssl_lib.o(.text+0xe99): undefined reference to `X509_STORE_free'
> ssl_lib.o(.text+0xeea): undefined reference to `X509_NAME_free'
> ssl_lib.o(.text+0xf05): undefined reference to `X509_free'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `ssl_set_cert_masks':
> ssl_lib.o(.text+0x1017): undefined reference to `DH_size'
> ssl_lib.o(.text+0x1066): undefined reference to `EVP_PKEY_size'
> ssl_lib.o(.text+0x10ea): undefined reference to `EVP_PKEY_size'
> ssl_lib.o(.text+0x112c): undefined reference to `EVP_PKEY_size'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_dup':
> ssl_lib.o(.text+0x16e5): undefined reference to `X509_NAME_free'
> ssl_lib.o(.text+0x17d0): undefined reference to `X509_NAME_dup'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_set_cert_store':
> ssl_lib.o(.text+0x1934): undefined reference to `X509_STORE_free'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_set_fd':
> ssl_lib.o(.text+0x1b7b): undefined reference to `BIO_s_socket'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_check_private_key':
> ssl_lib.o(.text+0x212a): undefined reference to `X509_check_private_key'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_check_private_key':
> ssl_lib.o(.text+0x21da): undefined reference to `X509_check_private_key'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `ssl_clear_cipher_ctx':
> ssl_lib.o(.text+0x2c74): undefined reference to `EVP_CIPHER_CTX_cleanup'
> ssl_lib.o(.text+0x2c9b): undefined reference to `EVP_CIPHER_CTX_cleanup'
> ssl_lib.o(.text+0x2cc8): undefined reference to `COMP_CTX_free'
> ssl_lib.o(.text+0x2ce8): undefined reference to `COMP_CTX_free'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `ssl_init_wbio_buffer':
> ssl_lib.o(.text+0x30d2): undefined reference to `BIO_f_buffer'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_CTX_set_purpose':
> ssl_lib.o(.text+0x22de): undefined reference to `X509_PURPOSE_set'
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_set_purpose':
> ssl_lib.o(.text+0x22fc): undefined reference

Re: redirecting input to s_client

2003-02-18 Thread Vadim Fedukovich
On Mon, Feb 17, 2003 at 02:26:13PM +, Himanshu Soni wrote:
> Hi
> 
> Is there a way to redirect the GET/POST request from a file to the openssl 
> s_client app? something like:
> 
> cat get.txt | openssl s_client -connect server:443 -cert crtfile -key keyfile 

maybe
(cat something; sleep 10) | openssl s_client

this works with "telnet 80" for me

> The result of the above is that the program exists with "DONE" printed to the 
> console.
> 
> I have tried the -pause switch with the above but with no luck.
> 
> Thanx in advance for any help.
> 
> Himanshu Soni 



Re: Tunneling Client Certs

2003-02-10 Thread Vadim Fedukovich
On Mon, Feb 10, 2003 at 10:02:30AM +0530, Chandrasekhar R S wrote:
> It seems I have not explained myself ably.
> 
> I completly understand that Private Keys should and would never be sent
> across.
> 
> But assume that you are going through a proxy using SSL.  And the proxy has
> no capability to verify the certs.  That capablity is vested with a server
> that sits behind the proxy(I call it the Backend server).
> 
> Now all I want is to get the cert presented by the client, to be passed on
> by the proxy, to the backend server.
> 
> Usually prox'ies, replicate a connection they receive. ie., they will
> initiate a new connection to the Backend Server, for every connection they
> receive from the client.  Thus we have two seperate SSL connections between
> the client and the backend server. One from client to the proxy and the
> other from proxy to the backend server.

To do that, the proxy should prove to the client that the Common Name of its
SSL server certificate is the host part of the URL the client is trying to connect to.

> In succint, the question is how to use the cert presented by the client in
> the SSL connection between proxy and the backend server.
> 
> thanks to all of you,
> rsr.
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Helm
> Sent: Monday, February 10, 2003 1:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Tunneling Client Certs
> 
> 
> > > I have the following scenario -
> > >
> > >  Client Cert -- Tunnel Server - Tunnel Client -- Backend server.
> > >
> > > The requirement is to pass the Client Cert to the Backend server.
> 
> > If you could do that then anyone who had access to a certificate
> > (for example the recipent of signed email) could impersonate the sender or
> 
> You may want to look at how Globus deals with a similar problem
> for grids;  see:
> http://www-fp.globus.org/security/
> and
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-03.txt



Re: Proxy'ing client certs

2003-01-22 Thread Vadim Fedukovich
On Wed, Jan 22, 2003 at 02:36:16PM +0530, Chandrasekhar R S wrote:
> Hello Vadim,
> 
> > Localized Scenario : Proxy Client -- Backend Server
> > 5. The requirement is, Proxy Client should be presenting
> >"CLIENT CERT" to the backend server.
> 
> Yes, it can "present" it somehow
> 
> RSR : I am in search of this "somehow".
> 
>   Could it be this way - If it is possible to seperate public key from
> certificate,

yes, one could get public key from the certificate

> then it should be possible for registering "CLIENT CERT" with
> Proxy Client in its communication with Backend Server.

yes one could "register" it somehow

Please note another key, the private one is required to run SSL protocol
using that certificate

> 
> with thanks
> rsr.

best wishes,
Vadim




Re: Proxy'ing client certs

2003-01-22 Thread Vadim Fedukovich
Hi Chandrasekhar,

On Wed, Jan 22, 2003 at 11:20:58AM +0530, Chandrasekhar R S wrote:
> Hi Vadim
>   I am sorry for portraying the problem vaguely.
> 
>   I will make an attempt to clarify the problem -
> 
>   The entire scenario -
> 
>   Client -- Proxy Server - Proxy Client -- Backend Server
> 
>   Proxy Server and Proxy Client are on the same M/C and hence no SSL
> communication between them.  Data transfer through IPC.
> 
> Localized Scenario : Client -- Proxy Server
> 1. Client has CA signed certificate, call it "CLIENT CERT".
> 2. Client's Public Key is tightly coupled with "CLIENT CERT"

You likely mean private key here

> 3. This public key will be used in establishing SSL connection
>with the Proxy Server.

to establish an SSL connection with the proxy, an SSL server certificate
and private key are required. It is not required to do the CONNECT method
of HTTP.

> 4. Proxy Server could extract the "CLIENT CERT", say to a file.
>The file would be available for the Proxy Client (since both
>would be on the same m/c).

I should say it again: yes, SSL client certificate is available for
"Proxy Client" at this point. One could print it or something.
However, it needs the corresponding private key to run SSL protocol
pretending to be the client.

> Localized Scenario : Proxy Client -- Backend Server
> 5. The requirement is, Proxy Client should be presenting
>"CLIENT CERT" to the backend server.

Yes, it can "present" it somehow

>  My doubt is, as a certificate is tightly coupled with a Public Key, how
> could the Proxy Client use "CLIENT CERT" (that has client's public key) in
> its communication with the backend server (using SSL).

Please remember SSL had well-defined protocol design goals,
including handling man-in-the-middle

>  I referred to Stronghold HTTP server as, in their website they offer
> two options, 1. to tunnel the "CLIENT CERT" to the backend server
>  2. to present a "PROXY CLIENT CERT" for proxy client -- backend
> server scenario.

I'd prefer to keep talking about well-known protocols and 
business requirements.

Would Connect method of HTTP deliver functions wanted?

>  My requirement is to develop this functionality not for a particular
> protocol, but generically.

Any chance to tune mod_ssl or apache-ssl to do the job?

>  Sorry for the confusion.  I hope, I had been clearer than earlier.
> 
> with thanks and regards,
> rsr.

best wishes,
Vadim Fedukovich
consulting and software development

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vadim Fedukovich
> Sent: Monday, January 20, 2003 2:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Proxy'ing client certs
> 
> 
> On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> > I have already posted the following on the lists under "Proxy'ing client
> > certs" thread.
> > Could not see the posting, hence re-posting.
> > -
> > My understanding had been the following :
> >
> > Client        Proxy Server  --  Proxy Client      Server
> > produces a    consumes          presents a        Can only recv
> > CA signed     the               ProxyClient Cert  ProxyClient Cert
> > Client Cert   Client Cert
> >
> > "ProxyClient Cert" is not the same as "Client Cert".
> >
> > Though the Proxy Server is in receipt of the "Client Cert", it
> > cannot represent the same in the SSL connection between
> > "ProxyClient - Server".  The requirement is to make the Proxy
> > faithfully forward the "Client Cert" to the "Server".
> 
> It's hard for me to see how this could fit SSL and HTTP protocols, sorry.
> Someone else might be lucky here
> 
> "consume certificate" probably means "engage in a protocol to prove
> the name certified". It's still open question what protocol both do the job
> and is implemented by popular browsers.
> 
> Hope you could hit your target with other tools like password-based
> proxy access or maybe proxy access controlled by IPSec
> 
> > Vadim, suggested that "CONNECT method of HTTP can be
> > used to setup TCP connections first and run SSL next.  Proxy
> > could forward SSL traffic".
> >
> > It had been difficult to understan

Re: Proxy'ing client certs

2003-01-20 Thread Vadim Fedukovich
On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> I have already posted the following on the lists under "Proxy'ing client
> certs" thread.
> Could not see the posting, hence re-posting.
> -
> My understanding had been the following :
> 
> Client        Proxy Server  --  Proxy Client      Server
> produces a    consumes          presents a        Can only recv
> CA signed     the               ProxyClient Cert  ProxyClient Cert
> Client Cert   Client Cert
> 
> "ProxyClient Cert" is not the same as "Client Cert".
> 
> Though the Proxy Server is in receipt of the "Client Cert", it
> cannot represent the same in the SSL connection between
> "ProxyClient - Server".  The requirement is to make the Proxy
> faithfully forward the "Client Cert" to the "Server".

It's hard for me to see how this could fit SSL and HTTP protocols, sorry.
Someone else might be lucky here

"consume certificate" probably means "engage in a protocol to prove 
the name certified". It's still open question what protocol both do the job
and is implemented by popular browsers.

Hope you could hit your target with other tools like password-based
proxy access or maybe proxy access controlled by IPSec

> Vadim, suggested that "CONNECT method of HTTP can be
> used to setup TCP connections first and run SSL next.  Proxy
> could forward SSL traffic".
> 
> It had been difficult to understand the solution.  It seems to me that
> we need to set up a TCP connection via the proxy server first and add
> SSL to it later.  I am not aware of how to do this.

There was a document by Ari Luotonen; just found it at (single line!)
http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt
It describes the method how a proxy could handle HTTPS requests

Please note HTTP details might be off-topic for this list

hope this helps,
Vadim Fedukovich
consulting and software development

> 
> Could one help me further.
> 
> Namaste,
> R S Chandrasekhar
> [EMAIL PROTECTED]
> ISD : 091-080-2051166
> Telnet : 847-1166
> Phone : 2052427
> 



Re: obtaining expiry dates

2003-01-11 Thread Vadim Fedukovich
On Fri, Jan 10, 2003 at 04:52:07PM -, Dicks, Gareth M wrote:
> Hi,
> 
> I'm trying to write an automated script to check for pending expiry dates in
> SSL certs. I know how to get this info from a standard cert file in X509
> format:-
> 
> openssl x509 -in cert.cer -enddate
> 
> The problem is I have inherited a set of iPlanet web servers with the certs
> already loaded with no sign of the original certificates. Does anyone know
> ant method of extracting the certs from the iPlanet database into a format
> that can be used with openssl?

could you run s_client to talk to your servers?

> 
> Thanks,
> Gareth
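Vadim's suggestion to run s_client against the servers instead of digging certificates out of the iPlanet database, as an added example that is not part of the original thread: the same handshake done in-process with Python's ssl module, with the expiry read from the notAfter field that getpeercert() returns. Host list, warning threshold and the sample certificate dict are constructed for the example.

```python
import datetime
import socket
import ssl


def utc(year, month, day):
    """Aware UTC datetime, used as the 'now' for deterministic checks."""
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


def not_after(cert):
    """Expiry of a certificate in ssl.getpeercert() form, as an aware UTC datetime.
    ssl.cert_time_to_seconds parses the 'Jan 10 16:52:07 2004 GMT' notation."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def days_left(cert, now=None):
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (not_after(cert) - now).total_seconds() / 86400.0


def classify(cert, warn_days, now=None):
    d = days_left(cert, now)
    if d < 0:
        return "EXPIRED"
    if d <= warn_days:
        return "WARN"
    return "OK"


def fetch_cert(host, port=443, timeout=10.0):
    """What 'openssl s_client -connect host:port' does, in-process: complete a
    handshake and hand back the verified server certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(hosts, warn_days=30, now=None):
    """One row per (host, port). A handshake failure is reported, not hidden:
    a certificate that has already expired makes the handshake fail before
    getpeercert() can see it, so this script gives advance warning only."""
    rows = []
    for host, port in hosts:
        try:
            cert = fetch_cert(host, port)
        except OSError as exc:          # ssl.SSLError is an OSError subclass
            rows.append((host, port, "ERROR", str(exc)))
            continue
        rows.append((host, port, classify(cert, warn_days, now),
                     "%.1f days left" % days_left(cert, now)))
    return rows


# Constructed certificate dict with just the fields this check needs (sample data).
SAMPLE_CERT = {"subject": ((("commonName", "www.example.com"),),),
               "notAfter": "Feb 10 00:00:00 2003 GMT"}

if __name__ == "__main__":
    import sys
    targets = []
    for arg in sys.argv[1:]:                      # host or host:port
        host, _, port = arg.partition(":")
        targets.append((host, int(port) if port else 443))
    for row in report(targets):
        print("%s:%d %s (%s)" % row)
```

For a server whose certificate has already lapsed, the handshake in fetch_cert fails and the row says ERROR; at that point the command-line route still works, since openssl s_client -showcerts piped into openssl x509 -noout -enddate does not need the verification to succeed.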



Re: Proxy'ing client certs

2003-01-11 Thread Vadim Fedukovich
On Fri, Jan 10, 2003 at 02:57:12PM +0530, Chandrasekhar R S wrote:
> I have the following scenario -
> 
>   client-Proxy  - server.
> SSLClient -   SSLServer | SSLClient   - SSL Server.
> 
> It is my intent to pass on the clients certificate to the server for
> verification and acceptance.
> 
> Since, the connection is via a proxy, the clients certificate could reach
> upto the proxy only and not beyond, to the server.  I believe, that the
> proxy should not be able to use the clients cert in its connection with the
> server, as the client certificate is tightly coupled with its public key.
> 
> I have visited the redhat's Stronghold webpage and their proxy server seems
> to be capable of doing just this.
> 
> Is anyone aware of the technique employed.

The CONNECT method of HTTP can be used to set up the TCP connection first
and run SSL next. The proxy could then forward the SSL traffic.

> 
> Namaste,
> R S Chandrasekhar
> [EMAIL PROTECTED]
> ISD : 091-080-2051166
> Telnet : 847-1166
> Phone : 2052427
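The CONNECT exchange Vadim refers to, as an added example that is not part of the thread: the request the client sends to the proxy, the check it must make on the proxy's reply before starting TLS, and the s_client invocation that drives the same tunnel. POSIX sh; host names and the proxy port are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the HTTP CONNECT exchange that lets
# the client's TLS session (and therefore its client certificate) pass
# through a proxy untouched. POSIX sh; names are placeholders.

# connect_request SERVER PORT
# The request the client sends to the proxy in the clear. Nothing of the
# TLS session is in it: the proxy only learns where to open a TCP socket.
connect_request() {
    printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2"
}

# tunnel_established RESPONSE
# Check the proxy's reply. Only a 2xx status means the TCP tunnel is up;
# anything else (407 auth required, 403 forbidden, ...) must abort before
# the client sends its ClientHello, otherwise the handshake bytes would go
# to whatever the proxy is saying instead of to the server.
tunnel_established() {
    status=$(printf '%s' "$1" | head -n 1 | tr -d '\r' | cut -d' ' -f2)
    case "$status" in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# After a 2xx the client starts TLS on the same socket. The first bytes it
# sends are a TLS record header (16 03 ..), which the proxy forwards
# without parsing. Because the proxy never terminates TLS it cannot present
# the client's certificate itself, and does not need to: the certificate
# and the CertificateVerify signature travel end to end.
#
# s_client can drive the same exchange (assumption: the -proxy option,
# added in OpenSSL 1.1.0, is available):
#   openssl s_client -proxy proxy.example:3128 -connect server.example:443 \
#       -cert client.crt -key client.key
```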



Re: Signing certificates on Windows

2003-01-08 Thread Vadim Fedukovich
On Wed, Jan 08, 2003 at 11:46:50PM +1200, Franck Martin wrote:
> You can't use virtual hosts on apache with https.
> 
> Each host must have its own IP address, that's what I learnt from the
> doc... May be it is fixed somehow...

It can be fixed by implementing "Upgrade" HTTP request, both by servers
and browsers. I can't see how it could be done by sending HTTP headers
after SSL connection setup

> 
> So assign multiple IP addresses to your network card. it is quite easy
> under Linux...
> 
> Please feel free to contribute to the HOWTO.
> 
> Cheers.
> Franck
> 
> 
> On Wed, 2003-01-08 at 17:19, Theodor Isporidi wrote:
> 
> I know, but my search didn't turn up anything useful. I probably used 
> the wrong keywords.
> 
> > http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Cert
> > ficates-HOWTO.pdf
> 
> Thanks a lot, that document was just what I needed! I have my 
> certificates now.
> 
> But Apache is still giving me some headaches. Perhaps you could give me 
> a hand here too?
> 
> 
> 
> 
> Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 
> (done with the hosts file).
> 
> What I think this should do is serve localhost, localhost2 and 
> localhost3 only via http and localhost4 only via https. But that 
> doesn't work. I can access all 4 via http and https on Netscape 4.79. 
> With IE 6.0 SP1 I can access all 4 via http but none at all via https. 
> What is wrong there?
> 
> Bye !
> 



Re: co-signature

2002-11-28 Thread Vadim Fedukovich
On Mon, Nov 25, 2002 at 12:50:40PM +0200, [EMAIL PROTECTED] wrote:
> Hi
> 
> I'm wondering if you can help me with co-signature 
> problem and if you know something about co-signature and 
> how to implement this on openssl. I'm trying to sign a 
> message by several signers then put the all in one pkcs7 
> format. I only know how to do that with one signer.
> 
> Referring to the pkcs#7 documentation, I'll need to put 
> all the signer info in one SignedData value.
> 
> I found no instruction to do  that and I need it so. 
> Any information about the subject will be very helpful.

just PKCS7_add_signer()
After PKCS7_dataFinal() there will be two SignerInfos

Please note something else might be named "co-signature"

good luck,
Vadim

> Thanks a lot
> 
> 

-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz



Re: Converting own CA certificate to pkcs12

2002-11-24 Thread Vadim Fedukovich
On Fri, Nov 22, 2002 at 01:50:37PM -0500, Chris Jarshant wrote:
> You can't convert a public key certificate into a PKCS12 file -
> the openssl pkcs12 routine *requires* a private key to be in such
> a file along with the public key, which you cannot have (CAs don't
> give out their private keys).
> 
> cj

well, given enough interest one still can do that.
Just write the tool.   "openssl pkcs12" is not the only game in the city
and pkcs12 specs allow for just a certificate

-vf

> 
> - Original Message - 
> From: "Matthew Hall" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, November 22, 2002 3:13 AM
> Subject: Re: Converting own CA certificate to pkcs12
> 
> 
> On Thu, 21 Nov 2002, mikecross wrote:
> 
> > Seems to me that your problem is that you didn't supply
> > password.
> > PKCS12 format stores Private + Public key pair
> > encrypted with password.
> 
> Why would I want to store all this in a pkcs12 file that
> I want to give to clients/other people to import into
> their browser? Why would I want to encrypt it when I want
> it made freely available?
> 
> Anyway - if someone could confirm how to take a Certificate
> Authority Certificate, convert it into pkcs12 and put it into
> a form for Mozilla or Netscape to import, that would be
> great.
> 
> > > Converting it to DER format was easy:
> > >
> > > openssl x509 -in ca.crt -out ca.der -outform DER
> > >
> > > I'm having issues doing the same with pkcs12, I
> > > found something
> > > that seemed close:
> > >
> > > openssl pkcs12 -export -inkey ca.key -in ca.crt -out
> > > ca.p12 -name
> > > "Angui.sh Certificate Authority"
> > >
> > > But I thought I remember seeing a warning against
> > > doing that since
> > > it may include sensitive information into that file.
> > > And what's with
> > > the Export and Import passwords? What are they
> > > exactly? Am I missing
> > > some other command-line args, or is there a better
> > > way?
> > >
> > > Can someone help?
> > >
> > > Thanks!
> > >
> 
> -- 
> It's always September somewhere on the 'net. | http://angui.sh
> Another proud member of Eep's killfile.  | Unix Sys. Admin.
> unreal://angui.sh| [EMAIL PROTECTED]
> 

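An added example, not from the thread, of the certificate-only PKCS#12 file Vadim says the format allows. Current openssl builds can write one directly with -nokeys, an option the 2002 posters did not mention; the functions below build such a file and parse it back to confirm no private key went in. POSIX sh, openssl CLI; file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a PKCS#12 file that carries only a
# certificate. POSIX sh plus the openssl CLI; file names are placeholders.

# export_cert_only_p12 CERT_PEM OUT_P12 FRIENDLY_NAME
# No -inkey: -nokeys tells "pkcs12 -export" not to look for a private key.
# The file gets an empty password, which is all a browser needs to import
# a public CA certificate; the CA private key never leaves the CA.
export_cert_only_p12() {
    openssl pkcs12 -export -nokeys -in "$1" -out "$2" -name "$3" -passout pass:
}

# p12_private_key_count FILE
# Parse the bundle back and count private-key blocks (expected: 0).
# -nodes keeps openssl from prompting for a pass phrase if a key is found.
p12_private_key_count() {
    openssl pkcs12 -in "$1" -passin pass: -nodes 2>/dev/null |
        grep -c 'BEGIN .*PRIVATE KEY' || true
}

# p12_certificate_count FILE
# Count the certificates in the bundle (expected: 1 for a single CA cert).
p12_certificate_count() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}
```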



Re: Having an SSL server validate with two CAs...

2002-11-08 Thread Vadim Fedukovich
On Thu, Nov 07, 2002 at 11:21:50PM +0100, Richard Levitte - VMS Whacker wrote:
> While holding a lecture on PKI today, I was presented with a rather
> interesting question that I couldn't answer:
> 
> A company wants to set up a web server that is secured through SSL,
> and would like it to have maximum availability to the public out there
> while keeping maximum trust within the company.  The way they tried to
> solve this was to have the server return two server certificates, one
> signed by VeriSign, which would be used by "the public out there" and
> one that's signed by the internal company CA.
> 
> Of course, this fails, since the server will only use one server
> certificate and one private key for its communication.
> 
> So, my idea was that the company could create a local copy of the
> VeriSign CA certificate, but signed by the internal company CA instead
> of the next level VeriSign CA.  This means that the server certificate
> signed by VeriSign could be used, and the certification path would
> differ depending on your trust point (inside the company, the trust
> point is the internal company CA, outside it would be VeriSign).  In
> that copy of VeriSign CA cert, one could add all kinds of constraints
> so it could only be used to certify the intended web server's server
> certificate.
> 
> However, that idea has a problem: the company in question doesn't
> trust VeriSign.  Period.  This means that it's potentially possible
> that someone grabs VeriSign's CA private keys, creates a new server
> certificate for the server in question, sets up a different server
> that uses this new server certificate and spoofs DNS to get the web
> server name redirected to themselves instead of the original machine.

I'd suggest to think about "trust" definition here.
In case they don't believe in the content of pages coming from the web server,
one could switch to some signed data type. If they are concerned about
secrecy of data they send to server, start using encrypted-to-some-private-key
data types. Other solutions may better fit their (yet unknown) requirements

good luck,
Vadim

> 
> So, my solution has flaws...
> 
> The only real solution we found so far was to have the server
> available on ports 443 (for the public out there) and 444 (for access
> from inside the company), and have those two ports return the
> corresponding server certificate (443 would return the certificate
> signed by VeriSign, 444 would return the certificate signed by the
> internal company CA).
> 
> Any other ideas?  Solving this in a better way than having two ports
> would be quite welcome.
> 
> -- 
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
> \  SWEDEN   \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> 
> Unsolicited commercial email is subject to an archival fee of $400.
> See  for more info.



Re: speed differences between EVP_Sign and EVP_Verify

2002-10-27 Thread Vadim Fedukovich
On Sun, Oct 27, 2002 at 02:11:12PM -0800, icewind wrote:
> I am running some speed tests in which I use the
> EVP_Sign and EVP_Verify functions. I have noticed that
> the Signing takes much longer (about 10 times longer)
> on average than does Verifying. This doesn't make sense
> to me. Is what I am seeing the expected behavior? I am
> using the same size data for both tests.
> 
> Thanks for any insight.

To verify, a public key is used, and that usually means a small public
exponent value. No wonder raising the signature-to-verify to the public
exponent takes much less time than raising the padded-hash-to-sign to the
full-size private exponent.

have fun,
Vadim
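An added example, not from the thread, that shows Vadim's point on a real key: the cost of a modular exponentiation grows with the bit length of the exponent, and e is tiny while d is as long as the modulus. POSIX sh plus the openssl CLI; the key file is an argument.

```shell
#!/bin/sh
# Added example, not from the thread: compare the two RSA exponents that
# verifying and signing raise to. POSIX sh, openssl CLI.

# rsa_public_exponent KEY_PEM   -> e as a decimal number
rsa_public_exponent() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^publicExponent: \([0-9]*\).*/\1/p'
}

# rsa_private_exponent_bytes KEY_PEM  -> number of bytes openssl prints for d
# "rsa -text" prints d as colon-separated hex lines after "privateExponent:"
# until the next field name; sum the hex digits and divide by two.
rsa_private_exponent_bytes() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | awk '
        /^privateExponent:/ { grab = 1; next }
        grab && /^[A-Za-z]/  { grab = 0 }
        grab { gsub(/[^0-9a-fA-F]/, ""); n += length($0) }
        END { print n / 2 }'
}

# bit_length N -> bits needed to write decimal N (65537 -> 17)
bit_length() {
    n=$1; b=0
    while [ "$n" -gt 0 ]; do n=$((n / 2)); b=$((b + 1)); done
    echo "$b"
}

# exponent_report KEY_PEM: one line comparing the two exponents.
# Square-and-multiply does one squaring per exponent bit plus one multiply
# per set bit, so this ratio is the first-order reason verifying is much
# cheaper than signing (CRT on the private side narrows the gap somewhat).
exponent_report() {
    e=$(rsa_public_exponent "$1")
    dbits=$(( $(rsa_private_exponent_bytes "$1") * 8 ))
    echo "e=$e ($(bit_length "$e") bits), d ~ $dbits bits"
}
```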



Re: CMP support

2002-10-24 Thread Vadim Fedukovich
On Wed, Oct 23, 2002 at 05:50:09PM +0400, Andrew Abramov wrote:
> Andrew.Abramov>> And another question about additional stuff. Does the
> Andrew.Abramov>> openssl support CMP? Can it generate and parse this
> Andrew.Abramov>> kind of messages?
> 
> RLVW> No.
> 
> And does anybody know, what software (especially CA) can parse CMP
> messages?

CMP (rfc2510) looks very similar to the SET specifications to me.
So parsing should be easily doable

yours,
Vadim 



Re: OpenSSL and iPlanet problems - again

2002-10-23 Thread Vadim Fedukovich
On Wed, Oct 23, 2002 at 11:43:54AM -0400, Ashwin C Uthappa wrote:
> Hi all,
> Just some updates
> 
> I used the openssl tool to try and establish communication with both the 
> engine (which fails) and the "proxy engine" (which succeeds). I've 
> pasted the output below.
> 
> Some details:  the engine is a java application on a remote 
> machine(Windows). The proxy engine is a C application that does a very 
> basic mimicry of what the engine is supposed to do and is running off a 
> Linux machine.
> 
> Still waiting. I know the answer's out there!!
> 
> Thank you,
> - Ashwin
> 
> Output of openssl :
> -
> 
> WITH ENGINE :
> --
> OpenSSL> s_client -connect 10.10.10.114:8080 -debug -state -ssl3
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> write to 081490E0 [08152EA8] (90 bytes => 90 (0x5A))
>  - 16 03 00 00 55 01 00 00-51 03 00 3d b6 c1 9e ba   U...Q..=
> 0010 - 25 db 23 28 cd d3 7a 56-3f b7 59 29 a5 72 a4 42   %.#(..zV?.Y).r.B
> 0020 - 10 0a 9f 58 95 22 cb 62-00 58 00 00 00 2a 00 16   ...X.".b.X...*..
> 0030 - 00 13 00 0a 00 66 00 07-00 05 00 04 00 65 00 64   .f...e.d
> 0040 - 00 63 00 62 00 61 00 60-00 15 00 12 00 09 00 14   .c.b.a.`
> 0050 - 00 11 00 08 00 06 00 03-01.
> 005a - 
> SSL_connect:SSLv3 write client hello A
> read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
>  - 48 54 54 50 2fHTTP/

did you notice plaintext?   try this:
(echo GET / HTTP/1.0; echo; sleep 10) | telnet 10.10.10.114 8080

> write to 081490E0 [08158730] (7 bytes => 7 (0x7))
>  - 15 54 54 00 02 02 28  .TT...(
> SSL3 alert write:fatal:handshake failure
> SSL_connect:error in SSLv3 read server hello A
> 2545:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
> number:s3_pkt.c:279:
> 
> 
> WITH PROXY ENGINE :
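An added example, not from the thread: tell a plaintext HTTP listener from a TLS one by classifying the first bytes the server sends back, which is what the s_client dump above already shows (the reply began with "HTTP/"). POSIX sh; the sample replies in the test are constructed, and the capture command in the comments is Vadim's telnet pipeline.

```shell
#!/bin/sh
# Added example, not from the thread: classify the first bytes a server
# sends after our ClientHello. POSIX sh; sample inputs are constructed.

# classify_server_reply FILE
# FILE holds the first bytes received after the ClientHello. Prints one of
# tls / tls-alert / plaintext-http / unknown.
#   16 03 xx  handshake record, SSL3/TLS version family    -> tls
#   15 03 xx  alert record (e.g. 02 28 = handshake_failure) -> tls-alert
#   "HTTP/"   the port speaks HTTP in the clear             -> plaintext-http
# OpenSSL reports a plaintext reply as "wrong version number" because it
# reads "HTTP/" as a record header and finds an impossible version in it.
classify_server_reply() {
    hex=$(head -c 5 "$1" | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        1603*)      echo tls ;;
        1503*)      echo tls-alert ;;
        485454502f) echo plaintext-http ;;   # "HTTP/"
        *)          echo unknown ;;
    esac
}

# To capture a reply for classification, Vadim's plaintext probe can be
# redirected to a file (host and port are placeholders):
#   (echo GET / HTTP/1.0; echo; sleep 10) | telnet 10.10.10.114 8080 > reply.bin
# A plaintext-http result means the listener is not wrapped in SSL at all,
# which no s_client option will fix; the server side has to be configured.
```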



Re: Are self signed certificates bad?

2002-10-22 Thread Vadim Fedukovich
On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote:
> 
> Except when you have an independent means to verify that
>a) the self-signed certificate which you received during the handshake
> comes from the entity which claims to be the originator
>b) you also feel comfortable to trust this entity which issues its own
> certificate
> self-signed server certificates are essentially meaningless.

Any certificate provides a public key that could be used to run
some crypto protocol. It is crypto that actually creates value,
making verification tools work and trust possible.

> Self-signed client certificates are even less useful in my opinion. The
> server sends a selection of trusted certificates during the handshake,
> and the client is supposed to select the one certificate from its client
> certificates which can be traced to one of these trusted signing
> entities. Otherwise the client must send an alert. Since a self-signed
> client certificate can never be traced to some other independent signing
> entity, this mechanism must break for client authentication.
> The mechanism is described as part of the SSL spec, if I recall this
> right. In other words, a self-signed client cert is not even
> spec-conformant in my opinion.

According to RFC 2246, server sends (quoting) "list of the distinguished
names of acceptable certificate authorities...[that] names may specify
a desired distinguished name for a root CA or for a subordinate CA",
clause 7.4.4

Client sends empty "client certificate" message in case (quoting)
"if no suitable certificate is available" or it could send the alert.

I can't find a requirement to reject a self-signed client certificate
that the server could find in its local database of known public keys.

I could imagine a self-signed client certificate used to prove
"I'm the same guy that sent some electronic cash yesterday".

That could work for the case of a merchant who cares that users pay and
doesn't care what their name is and whether it's confirmed by
some well-known CA

happy speculating,
Vadim



Re: Verification of a signed message

2002-10-18 Thread Vadim Fedukovich
On Thu, Oct 17, 2002 at 06:59:26PM +0200, Ibl Wolfgang wrote:
> Hello,
>  
> I'm trying to verify text, which has been signed using wincrypt's
> CryptSignMessage. This function produces pkcs#7 output.
> OpenSSL outputs the message: 
>  
> Verification Failure
> 1992:error:2107106C:PKCS7 routines:PKCS7_signatureVerify:unable to find message digest:./crypto/pkcs7/pk7_doit.c:723:
> 1992:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:./crypto/pkcs7/pk7_smime.c:256:
>  
> The ASN analysis of the Pkcs#7 File results, that the message digest is
> stored under the OID:
>  
> 0407 30D:   SEQUENCE {
> 0409 069: OBJECT IDENTIFIER
> :   sha1withRSAEncryption (1 2 840 113549 1 1 5)

Fragment shown is likely part of SignerInfo.
I think sha1 object should be here. At least it is so according to
Secure Electronic Transactions specifications

> 0414 050: NULL
> : }
> 0416 30D:   SEQUENCE {
> 0418 069: OBJECT IDENTIFIER
> :   rsaEncryption (1 2 840 113549 1 1 1)
> 0423 050: NULL
> : }
> 0425 04   80:   OCTET STRING
> : 1B 24 07 E9 69 EB 0D 78 48 5E 84 08 6D F5 BF C6
>...
> Any suggestions to bypass this problem?
>  
> Thanx in advance
>  
> Wolfgang




Re: Padding error

2002-10-15 Thread Vadim Fedukovich

hi Peter,

On Tue, Oct 15, 2002 at 12:43:24PM +0200, Peter de Vroomen wrote:
> Hi Vadim,
> 
> I have forwarded this message to the OpenSSL group as well, maybe somebody
> else can give me some good advice too. For people reading this, there was a
> conversation going on before. I have troubles verifying a key using the
> OpenSSL library. The RSA_public_decrypt() function returns an error about
> padding, while I think this function (a) should not know anything about
> padding,

let me repeat it, it should. It expects a padded hash after applying the
public key to the signature value. It will extract the message hash (yes, any
160-bit value) from the padded hash. The padded-hash structure is defined
by PKCS1 and it can't be of any value.

To verify the message, one needs the message hash anyway.

Please consider RSA_NO_PADDING in case you do know what you are doing.
It should be considered dangerous, and the old ISO padding scheme
would be an example.

> and (b) is buggy,

this function did verify lots of signatures for my projects already

> as the padding was calculated by exactly the same
> library on exactly the same machine (signing and verifying is done on the
> same machine for testing purposes).
> 
> > While verifying that signature, public key is applied to get padded-hash
> > and message hash is extracted then. If wrong public key was used,
> > message hash cant be extracted.
> 
> Ok, I understand this. What I have is a Perl script that uses the
> Crypt::OpenSSL::RSA library. In that script I use the sign() function to
> sign some data. The following is done:
> 
> 1) In the sign() function, an MD5 hash is created from the data, then the
> hash is padded from 160 bits to 1023 bits (wasn't 1024?), and encrypted with
> a private key. This is all in one go and is done in the Perl library.
> 2) I then transform the encrypted data into an octet-string.
> 3) The sign and the data is then returned in a webpage to a user.
> 
> The user can post the form on the webpage to a FCGI program that is written
> in C++.
> 
> For the C++ program, I have written my own sign() and verify() functions.
> The verify() function does the following:
> 
> 4) It converts the octet-string coded sign back to binary representation.
> 5) It decrypts the sign with a corresponding public key (using
> RSA_public_decrypt()).
> 6) It unpads the sign, which gives me back the MD5 hash.
> 7) It then computes its own MD5 hash over the sent data.
> 8) It compares the computed MD5 hash to the decrypted MD5 hash and returns
> true if they are the same.
> 
> The problem is that step 5 sometimes returns the error: "RSA_public_decrypt:
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
> 01".
> 
> I don't understand why this error is generated while I am only decrypting
> the message. The decryption process should just return the padded sign, and
> not check for padding. Decrypting should make no assumptions about what is
> encrypted, shouldn't it?
> 
> I should check the padding myself with a call to
> RSA_padding_check_PKCS1_type_1()...
> 
> So, is this a bug in the OpenSSL RSA encryption/decryption libraries?

this is definitely not an OpenSSL bug.

The best advice here could be to determine whether PKCS1 padding fits
your project security requirements and, if yes, follow specifications.

yours,
Vadim



Re: Apache 2.0.39 + ssl + ldap with client certificate authentication

2002-10-02 Thread Vadim Fedukovich

Hi Jose,

would you please outline how exactly one could use this patch?
What kind of LDAP lookup works best with X509_NAME_oneline()-style names?
Should the LDAP tree be somewhat special?

thank you and sorry for off-topic,
Vadim

On Wed, Oct 02, 2002 at 08:50:36AM +0200, Jose Correia (J) wrote:
> Hi Sarah
>  
> Take a look at http://authzldap.othello.ch/index.html
>  
> I've used it successfully.
>  
> Cheers
> Jose
>  
> 
> -Original Message-
> From: Sarath Chandra M [mailto:[EMAIL PROTECTED]]
> Sent: 29 September 2002 11:17
> To: [EMAIL PROTECTED]
> Subject: Apache 2.0.39 + ssl + ldap with client certificate
> authentication
> 
> 
>  
> Dear group,
> Has anybody tried doing ldap client certificate authentication for an
> apache
> 2.0.39 ssl server ?
> 
> Our environment is :
> RedHat linux 7.1 kernel 2.4.x
> apache 2.0.39 (inc. mod_ssl)
> openssl-engine-0.9.6g
> openldap (on a different redhat linux server)
> 
> The apache website has a verisign server certificate, a self-signed CA
> certificate and all clients have
> certificates in the ldap server signed by this CA.
> 
> When clients present their certificate to browse the Apache secure
> site,
> Apache should check the
> existence of their certificate in the LDAP server and also the
> validity of
> the contents of the certificate presented.
> 
> Kindly provide some direction to any solution or resources related to
> this
> issue.
> 
> Any help would be highly appreciated.
> 
> TIA
> Sarath
> 
> 
> 




Re: Hashing a symmetric key from a private asymmetric one

2002-09-29 Thread Vadim Fedukovich

On Wed, Sep 25, 2002 at 07:58:54PM +0200, Federico Sauter wrote:
> 
> Hi all!!
> 
> 
> Now I've got a security question: would it be safe to generate a (very 
> secret and important) symmetric key from a private RSA key? I mean 
> theoretically you should not be able to reverse a hash function (in this 
> case one of the EVP-family of functions for symmetric ciphers) but is it 
> really safe? What do you think about it?

the best symmetric key is an unpredictable one and the best source is
a good random number generator. Yes, a hash function could make
the generator output better and is often a part of it.

There's no black magic in RSA keypair, it's just another output of
random number generator, tested to fit some requirements.

Yes, there should be no chance to reverse random number generator state
given some outputs.

You need to determine randomness sources available and feed them all
into generator to (re)seed it. Be creative, it's the basis for security.

good luck,
Vadim



Re: Newbie can't read the signs with Wincrypt

2002-09-06 Thread Vadim Fedukovich

On Fri, Sep 06, 2002 at 12:59:02PM +0100, [EMAIL PROTECTED] wrote:
> vf [SMTP:[EMAIL PROTECTED]] wrote:
> > Please consider to post a (short) signed message together with 
> > signer's certificate. Private signing key would be great as 
> > well, in case it's not used for production.
> 
> OK.
> 
> I loaded up the stunnel, self-signed certificate (stunnel.pem & .p12) 
> into the Windows certificate store and used that with Wincrypt to sign a 
> copy of the PEM file (stunnel.pem.sgn). WinCrypt seems to zip the 
> file(s) and then add a signature.
> 
> (I've tried to keep it small)

"openssl asn1parse" shows structure of this signed data (output attached)
and it could be verified with
"openssl smime -verify -noverify -inform der -in /tmp/stunnel.pem.sgn"

one could also verify signer's certificate by dropping "-noverify"
and specifying CA certificate

hope this helps,
Vadim


    0:d=0  hl=4 l=2499 cons: SEQUENCE  
    4:d=1  hl=2 l=   9 prim:  OBJECT:pkcs7-signedData
   15:d=1  hl=4 l=2484 cons:  cont [ 0 ]
   19:d=2  hl=4 l=2480 cons:   SEQUENCE  
   23:d=3  hl=2 l=   1 prim:INTEGER   :01
   26:d=3  hl=2 l=  14 cons:SET   
   28:d=4  hl=2 l=  12 cons: SEQUENCE  
   30:d=5  hl=2 l=   8 prim:  OBJECT:md5
   40:d=5  hl=2 l=   0 prim:  NULL  
   42:d=3  hl=4 l=1680 cons:SEQUENCE  
   46:d=4  hl=2 l=   9 prim: OBJECT:pkcs7-data
   57:d=4  hl=4 l=1665 cons: cont [ 0 ]
   61:d=5  hl=4 l=1661 prim:  OCTET STRING  :[PEM private key and certificate of the signed stunnel.pem omitted]

 1726:d=3  hl=4 l= 531 cons:cont [ 0 ]
 1730:d=4  hl=4 l= 527 cons: SEQUENCE  
 1734:d=5  hl=4 l= 376 cons:  SEQUENCE  
 1738:d=6  hl=2 l=   3 cons:   cont [ 0 ]
 1740:d=7  hl=2 l=   1 prim:INTEGER   :02
 1743:d=6  hl=2 l=   1 prim:   INTEGER   :00
 1746:d=6  hl=2 l=  13 cons:   SEQUENCE  
 1748:d=7  hl=2 l=   9 prim:OBJECT:md5WithRSAEncryption
 1759:d=7  hl=2 l=   0 prim:NULL  
 1761:d=6  hl=2 l=  66 cons:   SEQUENCE  
 1763:d=7  hl=2 l=  11 cons:SET   
 1765:d=8  hl=2 l=   9 cons: SEQUENCE  
 1767:d=9  hl=2 l=   3 prim:  OBJECT:countryName
 1772:d=9  hl=2 l=   2 prim:  PRINTABLESTRING   :PL
 1776:d=7  hl=2 l=  31 cons:SET   
 1778:d=8  hl=2 l=  29 cons: SEQUENCE  
 1780:d=9  hl=2 l=   3 prim:  OBJECT:organizationName
 1785:d=9  hl=2 l=  22 prim:  PRINTABLESTRING   :Stunnel Developers Ltd
 1809:d=7  hl=2 l=  18 cons:SET   
 1811:d=8  hl=2 l=  16 cons: SEQUENCE  
 1813:d=9  hl=2 l=   3 prim:  OBJECT:commonName
 1818:d=9  hl=2 l=   9 prim:  PRINTABLESTRING   :localhost
 1829:d=6  hl=2 l=  30 cons:   SEQUENCE  
 1831:d=7  hl=2 l=  13 prim:UTCTIME   :990408150908Z
 1846:d=7  hl=2 l=  13 prim:UTCTIME   :000407150908Z
 1861:d=6  hl=2 l=  66 cons:   SEQUENCE  
 1863:d=7  hl=2 l=  11 cons:SET   
 1865:d=8  hl=2 l=   9 cons: SEQUENCE  
 1867:d=9  hl=2 l=   3 prim:  OBJECT:countryName
 1872:d=9 
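An added example, not from any of the list posts, that serves three threads above: it builds a PKCS#7 SignedData with two signers (the co-signature thread, where Vadim says PKCS7_add_signer() yields two SignerInfos), inspects the algorithm identifiers with asn1parse (the CryptSignMessage thread, where a signature OID sat where a bare hash OID belongs) and verifies the DER message with "openssl smime -verify -noverify -inform der" as in this WinCrypt thread. POSIX sh plus the openssl CLI; signer names alice and bob are placeholders and every file is created here.

```shell
#!/bin/sh
# Added example, not from the list posts: two-signer PKCS#7 SignedData,
# its asn1parse inspection, and smime verification. POSIX sh, openssl CLI.

# make_signer NAME DIR: throwaway self-signed signing identity (constructed)
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# cosign DIR IN OUT
# Two -signer/-inkey pairs give one SignedData with two SignerInfos, which
# is what PKCS7_add_signer() does in the library. -nodetach embeds the
# content; -binary keeps it byte for byte; DER output, as WinCrypt writes.
cosign() {
    openssl smime -sign -binary -nodetach -md sha256 -outform der \
        -in "$2" -out "$3" \
        -signer "$1/alice.crt" -inkey "$1/alice.key" \
        -signer "$1/bob.crt"   -inkey "$1/bob.key"
}

# signer_info_count FILE
# Every SignerInfo carries exactly one messageDigest signed attribute and
# nothing else in the structure uses that OID, so counting it in the
# asn1parse dump counts SignerInfos.
signer_info_count() {
    openssl asn1parse -inform der -in "$1" | grep -c ':messageDigest$'
}

# algorithm_ids FILE
# Offset and name of each hash or signature algorithm OID in the dump. In
# a well-formed message the SignerInfo digestAlgorithm is a bare hash
# (sha256 here); an OID such as sha256WithRSAEncryption belongs only in
# the embedded certificates. A SignerInfo naming a ...WithRSAEncryption
# OID as its digest algorithm is the mismatch Vadim points at in the
# CryptSignMessage thread.
algorithm_ids() {
    openssl asn1parse -inform der -in "$1" |
        awk -F: '/OBJECT/ && $NF ~ /^(md5|sha[0-9]+)(WithRSAEncryption)?$/ {
            sub(/^ +/, "", $1); print $1, $NF }'
}

# verify_all FILE OUT
# -noverify skips chain validation (no CA to check against here), but every
# signature in the message must still verify over the embedded content,
# which is written to OUT on success.
verify_all() {
    openssl smime -verify -noverify -binary -inform der -in "$1" -out "$2" 2>/dev/null
}
```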

Re: Newbie can't read the signs with Wincrypt

2002-09-06 Thread Vadim Fedukovich

On Fri, Sep 06, 2002 at 09:20:37AM +0100, Colin McKinnon wrote:
> Hi all,
> I'm something of a newbie at this whole encryption game. I've set up our own
> CA here using self signed certificates, (certificates only get used within
> the company). OpenSSL works a treat, I've got stunnel securing various
> connections, mod_ssl running, and we've been trying out WinCrypt for signing
> files.
> 
> My problem is that although WinCrypt (www.wincrypt.de) seems to do the
> trick, the authors can't/won't tell me how it actually signs files - just
> that they use the Microsoft crypto API. My German is a lot worse than their
> English which doesn't help.
> 
> Does anyone know how it works? How I can produce compatible signed messages
> with OpenSSL? How I can verify files using OpenSSL? I tried `openssl

Please consider to post a (short) signed message together with signer's
certificate. Private signing key would be great as well,
in case it's not used for production.

> smime -verify ...` but got:
> Error reading S/MIME message
> 3285:error:2107A087:PKCS7 routines:SMIME_read_PKCS7:no content
> type:pk7_mime.c:222:
> 
> Anyone know / tested if it suffers from the Microsoft intermediate CA
> forging bug?
> 
> Can anyone suggest a simple, cheap GUI tool which can be used with OpenSSL
> certificates to sign and verify files (we need to keep these as files) which
> runs on MSWindows?
> 
> Colin
> 



Re: How to use DH?

2002-08-13 Thread Vadim Fedukovich

Dear Joerg,

it would be interesting to learn the reason to consider ssltest insecure.

As I read it, DH parameters (modulus and generator) are set to
some well-known values. This is required to use the same group,
both by server and client. Security of DH key exchange is determined by
DH private keys and SSL3 server code would call DH_generate_key()
to set it random. That is, security stands on good randomness source,
exactly as it should be. Well, this analysis is pretty simple
for SSL_OP_SINGLE_DH_USE option set.

Did I miss something?

regards,
Vadim

On Tue, Aug 13, 2002 at 04:01:31PM +0200, Joerg Bartholdt wrote:
> Innokentiy Ivanov wrote:
> 
> >Good afternoon!
> >
> >Can anybody help me, please? 
> >What shall I do to use ciphers with DH/DH-anon key exchange algorithms?
> >
> >When I try to connect to OpenSSL server with only cipher DH_..._..._... or
> >DH_anon_..._..._..., it says: "no shared cipher".
> >
> >Please, help me to do this. Maybe, OpenSSL doesn't support DH/DHa at all?
> >
> OpenSSL supports DH, but to use it, you must setup some key material 
> (which is more or less time-consuming).
> Either you use the setup-routine DH_generate_parameters() and 
> SSL_CTX_set_tmp_dh() or use fixed key material as seen in ssl/ssltest.c 
> (fast, but insecure).
> 
> Jörg
> 
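An added example, not from the thread, of where the security of the exchange lives in Vadim's analysis: both sides use the same published group (as ssltest does with its fixed modulus and generator), the private exponents are fresh random values, and a new one per handshake is what SSL_OP_SINGLE_DH_USE enforces. POSIX sh plus the openssl CLI; everything is generated here, and the small -dsaparam group is a generation shortcut for the demonstration only.

```shell
#!/bin/sh
# Added example, not from the thread: DH with a shared public group and
# fresh random private keys. POSIX sh, openssl CLI; all files constructed.

# make_group OUT
# Shared (public) group parameters, the counterpart of the fixed p and g
# in ssltest.c. -dsaparam and 1024 bits only keep generation fast here.
make_group() { openssl dhparam -dsaparam -out "$1" 1024 2>/dev/null; }

# fresh_keypair GROUP PRIV PUB
# DH_generate_key() at the command line: a new random private exponent in
# the group, plus the public value that goes on the wire.
fresh_keypair() {
    openssl genpkey -paramfile "$1" -out "$2" 2>/dev/null &&
        openssl pkey -in "$2" -pubout -out "$3" 2>/dev/null
}

# shared_secret MYPRIV PEERPUB -> hex of the agreed secret
# DH_compute_key(): my private exponent applied to the peer's public value.
shared_secret() {
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n'
}

# pubkey_fingerprint PUB -> sha256 of the public value file, to compare
# two handshakes' public values without printing them
pubkey_fingerprint() { openssl dgst -sha256 "$1" | sed 's/.*= //'; }

# Each handshake calls fresh_keypair again (SSL_OP_SINGLE_DH_USE); the
# group stays the same, the public value and the secret change every time.
```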



Re: Session resumption - sessions not being reused

2002-08-01 Thread Vadim Fedukovich

On Thu, Aug 01, 2002 at 10:25:02AM -0700, Priya Tamhankar wrote:
> Hi,
> I'm trying to get session resumption to work (from the client-side).
> But, somehow, a new session-id is being negotiated every time, instead of a 
> reuse.

One could use a protocol analyser to see whether the client offers a session-id
to resume.

ssldump from rtfm.com could do just that

> This is the sequence of my calls:
> SSL_CTX_set_session_cache_mode(app_ctx, SSL_SESS_CACHE_CLIENT);
> SSL_CTX_set_timeout(app_ctx, 3600);
> 
> 
> SSL_new( )
> SSL_connect_setup( )
> SSL_set_fd( )
> if (saved_session matches current host and cipher) {
>   SSL_set_session(saved_session)
> }
> 
> SSL_write( )  -> automatically calls SSL_connect..does handshake.
> 
> 
> saved_session = SSL_get1_session( )
> SSL_free( )
> 
> ---
> On adding some debug print statements, I found that -
> when the session is being saved, session->references = 3, 
> session->not_resumable = 0.
> But, after SSL_free( ) is called, session->references = 1 (which I think is 
> good), but session->not_resumable = 1. Because not_resumable is 1, at 
> ssl3_client_hello( ), a new session is generated, and the old one not reused.
> 
> The server side configuration seems ok, since if I set not_resumable to 1 
> from the application just before client-hello, the session does get reused.
> 
> Any ideas on what I could be doing wrong ?
> 
> Thanks,
> Priya.
> 



Re: PKCS v. 1.5 does not appear to take effect

2002-08-01 Thread Vadim Fedukovich

On Wed, Jul 31, 2002 at 01:46:57PM -0700, Robert Pereira wrote:
> Hi,
> 
> I attempt to sign a 160 bit SHA1 hash using my private key as follows:
> 
> C:\openssl-engine-0.9.6d\out32dll>openssl rsautl -sign -in 16k.hex -inkey
> server.key -out sign16k.hex -pkcs
> 
> Then, I attempt to hexdump the verification using the following:
> 
> C:\openssl-engine-0.9.6d\out32dll>openssl rsautl -verify -in
> sign16k.hex -inkey server.key -raw -hexdump
> 
> What I get is:
> 
> 
>  - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   
> 0060 - ff ff ff ff ff ff ff ff-ff ff ff 00 f2 e0 1c e1   
> 0070 - 7e ef 14 3b 1c 39 b2 92-d5 07 5a 01 48 d1 b0 52   ~..;.9Z.H..R
> 
> which does not contain the 15 byte padding associated with PKCS v. 1.5
> padding.  Can you please tell me what I may be doing incorrectly.

This dump looks exactly like what is outlined in RFC 2437, section 9.2.1.

> 
> Thanks,
> Robert Pereira


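The block in the dump above is an RSASSA-PKCS1-v1_5 type 1 block (RFC 2437, section 9.2.1): 00 01, a padding string of at least eight 0xff octets, a 00 separator, then the payload (here the raw 20-byte hash, since `rsautl -sign -pkcs` pads its input without a DigestInfo prefix). The strict parser and encoder below are an added example, not code from the thread; they re-assemble the 128-byte block from the dump's own bytes and reject anything that deviates from the fixed structure.

```python
"""Strict encoder/parser for a PKCS#1 v1.5 type 1 block (RFC 2437, section 9.2.1)."""

# The block printed by `rsautl -verify -raw -hexdump` in the thread, re-assembled:
# 00 01, then 105 bytes of 0xff, the 0x00 separator, then the 20-byte SHA-1 value.
DUMP_PAYLOAD = bytes.fromhex("f2e01ce17eef143b1c39b292d5075a0148d1b052")
DUMP_EM = b"\x00\x01" + b"\xff" * 105 + b"\x00" + DUMP_PAYLOAD

MIN_PS_LEN = 8        # the padding string PS must be at least 8 octets long
MODULUS_LEN = 128     # k, the modulus length in octets for the 1024-bit key in the thread


def encode_pkcs1_type1(payload: bytes, k: int = MODULUS_LEN) -> bytes:
    """EM = 00 || 01 || PS || 00 || payload, with PS = 0xff repeated k - len(payload) - 3 times."""
    ps_len = k - len(payload) - 3
    if ps_len < MIN_PS_LEN:
        raise ValueError("payload too long for the modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload


def decode_pkcs1_type1(em: bytes, k: int = MODULUS_LEN) -> bytes:
    """Return the payload of a type 1 block; raise ValueError on any deviation.

    Every check is mandatory on the verifying side: a verifier that tolerates a short
    or non-0xff padding string, or that searches for the payload instead of checking
    the fixed layout, accepts blocks the signer never produced.
    """
    if len(em) != k:
        raise ValueError("encoded message length does not match the modulus")
    if em[:2] != b"\x00\x01":
        raise ValueError("missing 00 01 block type header")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("missing 00 separator after the padding string")
    ps = em[2:sep]
    if len(ps) < MIN_PS_LEN:
        raise ValueError("padding string shorter than 8 octets")
    if any(b != 0xFF for b in ps):
        raise ValueError("padding string contains an octet other than 0xff")
    return em[sep + 1:]


def is_well_formed(em: bytes, k: int = MODULUS_LEN) -> bool:
    """Accept/reject wrapper around decode_pkcs1_type1()."""
    try:
        decode_pkcs1_type1(em, k)
        return True
    except ValueError:
        return False
```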


Re: OpenSSL and Web pages

2002-07-30 Thread Vadim Fedukovich

On Tue, Jul 30, 2002 at 10:49:02AM +0100, Chuo HUANG(CMS) wrote:
> Hello! 
> 
> I have successfully programmed a piece of VC++ with OpenSSL. The program is to
> read the private key in a client's machine and do the signature. I'd like to
> set cookies using this Signature to Client's machine later. 
> 
> What makes me confused is how to combine my VC++ program with web page, for

A custom apache module could be a solution. Naina merchant is such a module.

> example: a php file or a cold fusion file?  I tried to make a .dll file using
> most of my successful win32 application I talked about before. And I set a property of
> that DLL as Signature. The DLL was built successfully but IE stopped when I
> used this DLL in an html file.  It stopped at the statement using the first
> OpenSSL call: pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL);
> 
> Do you have any idea about how can I combine my VC++ program with web page?
> Many thanks,
> 
> Zoe
> 




Re: How to support Wrong Format Certificate

2002-07-30 Thread Vadim Fedukovich

On Tue, Jul 30, 2002 at 03:27:40PM +0800, Stone Shi wrote:
> Hello, all
> 
>   I installed Apache+mod_ssl+OpenSSL as an HTTPS server, and I must make the
> server support the Wrong Format Certificate (see attachment).
>   How can I do this?

I could see nothing wrong with this certificate.
DER encoding is good enough; one could make it PEM easily if required

>   private key in following format
> 
> typedef struct {
>   unsigned int bits; 
>   unsigned char modulus[128];
>   unsigned char publicExponent[128];
>   unsigned char exponent[128]; 
>   unsigned char prime[2][64]; 
>   unsigned char primeExponent[2][64];
>   unsigned char coefficient[64];
> } R_RSA_PRIVATE_KEY;

Maybe the private key was saved as
  write(fd, &just_another_one_encoding, sizeof(R_RSA_PRIVATE_KEY))
If so, one could read() it back and set an EVP_PKEY.
It's still unclear how exactly the numbers were broken into unsigned chars;
BN_bin2bn() may be handy to set the EVP_PKEY RSA components.

hope this helps,
Vadim

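One way to read such a raw struct dump back, as an added example rather than code from the thread: unpack the R_RSA_PRIVATE_KEY layout quoted above, then settle the open question of how the numbers were broken into bytes by trying both byte orders and keeping the one whose fields satisfy the RSA identities (n = p*q, e*d = 1 mod lcm(p-1, q-1), CRT exponents and coefficient). It assumes the file was written by a little-endian host with no struct padding and that each number fills its fixed-size array with leading zeros, as RSAREF did; the sample blob is a constructed toy key.

```python
"""Parse an RSAREF-style R_RSA_PRIVATE_KEY blob written with write(fd, &key, sizeof key)."""
import struct
from math import gcd

# Assumed layout: 4-byte little-endian `bits`, then the fixed arrays, no padding.
LAYOUT = "<I128s128s128s64s64s64s64s64s"
FIELDS = ("bits", "modulus", "publicExponent", "exponent",
          "prime0", "prime1", "primeExponent0", "primeExponent1", "coefficient")
BLOB_SIZE = struct.calcsize(LAYOUT)   # 708 bytes


def key_is_consistent(k: dict) -> bool:
    """Arithmetic identities that only hold when every field was decoded correctly."""
    n, e, d = k["modulus"], k["publicExponent"], k["exponent"]
    p, q = k["prime0"], k["prime1"]
    if p < 2 or q < 2 or p * q != n or n.bit_length() != k["bits"]:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        return False
    if k["primeExponent0"] != d % (p - 1) or k["primeExponent1"] != d % (q - 1):
        return False
    return (k["coefficient"] * q) % p == 1        # PKCS#1 convention: qInv = q^-1 mod p


def decode_fields(blob: bytes, order: str) -> dict:
    """Unpack the struct and interpret each array as an integer in the given byte order."""
    raw = struct.unpack(LAYOUT, blob)
    values = [raw[0]] + [int.from_bytes(f, order) for f in raw[1:]]
    return dict(zip(FIELDS, values))


def parse_rsaref_private_key(blob: bytes):
    """Return (byte_order, fields); tries big-endian first, then little-endian."""
    if len(blob) != BLOB_SIZE:
        raise ValueError(f"expected {BLOB_SIZE} bytes, got {len(blob)}")
    for order in ("big", "little"):
        k = decode_fields(blob, order)
        if key_is_consistent(k):
            # In C, the same integers would go through BN_bin2bn() into an RSA object.
            return order, k
    raise ValueError("no byte order yields an arithmetically consistent RSA key")


def make_sample_blob() -> bytes:
    """Constructed toy key (p=61, q=53, e=17, d=2753) in the struct layout, big-endian numbers."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    dp, dq, qinv = d % (p - 1), d % (q - 1), 38      # 53, 49, and 53*38 = 1 mod 61
    fields = (n, e, d, p, q, dp, dq, qinv)
    sizes = (128, 128, 128, 64, 64, 64, 64, 64)
    packed = [v.to_bytes(s, "big") for v, s in zip(fields, sizes)]
    return struct.pack(LAYOUT, n.bit_length(), *packed)
```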


Re: Speaking of shared secrets

2002-07-14 Thread Vadim Fedukovich

On Sun, Jul 14, 2002 at 11:56:19AM +0100, Ben Laurie wrote:
> Richard Levitte - VMS Whacker wrote:
> > In message <[EMAIL PROTECTED]> on Tue, 9 Jul 2002 11:43:04 
>+0300, Vadim Fedukovich <[EMAIL PROTECTED]> said:
> > 
> > vf> please consider to include this code into distribution
> > 
> > Thanks and forgive me for being a nuisance...
> > 
> 
> Errr...
> 
> a) This should be on openssl-dev

This discussion was started on -users. Anyway, I'm ready to re-send it
to -dev, in case b) is clear already

> b) its still GPLed - what did I miss?

GPL was replaced in the most advanced variant (get shares of product)
on July, 9. Yes, GPL is still mentioned, as diff output.
Any problem with this?

sorry for confusion,
Vadim
 
> 
> Cheers,
> 
> Ben.
> 
> -- 
> http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
> 
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff




Re: Speaking of shared secrets [was: Re: The big number multiplication code]

2002-07-09 Thread Vadim Fedukovich

On Mon, Jul 08, 2002 at 03:05:49PM -0400, Rich Salz wrote:
> > I did some work on a project a while back that might be relevant to your 
> > search:
> > 
> > http://crypto.stanford.edu/~dabo/ITTC/
> 
> This work is way cool.  (At a previous company I had some email 
> exchanges with Dan :)
> 
> One interesting application would be to integrate it into BIND so that 
> you could secure share/transfer DNSSEC zone information.  (Bind9 is 
> based on openssl.)

Could you be more specific on "secure" definition here?

As I see it, the bind process currently just sends out public keys
and signatures.

One might want it to accept public keys after some voting
and/or to make signatures by quorum of zone name servers.

What is appropriate mailing list to discuss this stuff?

regards,
Vadim

>   /r$
> 
> 



Re: Speaking of shared secrets [was: Re: The big number multiplication code]

2002-07-08 Thread Vadim Fedukovich

On Mon, Jul 08, 2002 at 06:43:06PM +0200, Richard Levitte - VMS Whacker wrote:
> In message <[EMAIL PROTECTED]> on Fri, 5 Jul 2002 18:45:12 +0300, 
>Vadim Fedukovich <[EMAIL PROTECTED]> said:
> 
> vf> see a program attached for details. It handles numbers of 1024 bit range
> vf> doing Shamir secret sharing.
> 
> Secret sharing is something I've been pondering implementing in
> OpenSSL for a while now, on and off.  Too bad your snippet of code is
> licensed under the GPL, that makes it unusable to be included in
> OpenSSL, if you'd be inclined that way.

I'd be happy for this code to be integrated into openssl and will do my best
to maintain it. Besides, I was typing too fast and forgot to mention
openssl in the source, so I should at least say sorry now.

Please find attached another code, to get shares of product of two secrets
available in shares only. That is, avoiding recovery from shares
for doing multiplication.

Please note GRR technique of multiplication is not the same as
that of Boneh and Franklin (that is likely used in ITTS code).
In GRR, product of shares is shared again.

> Anyhow, I'm not going to discuss licenses, that's not the purpose of
> this letter.  Instead, I'd like to discuss protocol and usability.
> 
> Shamir's method is beautiful and really easy to understand with a
> certain minimum of mathematical knowledge.  However, it doesn't give
> any hint on how to protect the shares (understandably, of course).
> To use it as a part of OpenSSL, and especially as part of the openssl
> application (as well as other applications based on OpenSSL), one
> needs to collect the shares in one place, one way or the other.

I'd say, share-holders need to run a networked protocol to calculate
something or just recover original secret. They own their hardware.
Probably, the concern is cheating to break such a protocol.

> I'm imagining the following scenario:
> 
> - We implement the shared secret PEM file, with the identity "SHAMIR
>   SHARED SECRET", which would contain an ASN.1 blob (for which we'd
>   need to define a module) containing the prime p (assuming we use
>   modular arithmetics for the calculations), the small number x (the x
>   coordinate of the point that is your share) and the share itself.
>   This would then be protected the same way we currently protect
>   private keys.  This part is actually rather easy.

Yes, sure. I was asking one day whether there's any standards activity
in secret-sharing, to interop right from the start.

> - I get involved in a sensitive project where shared secrets are used
>   for protection.  The implementation I see right now is that each
>   participant inserts his or her diskette, tells the software what the
>   name of the file on that diskette is and gives a password when
>   prompted for it...

One could keep SSL links from client doing sharing or recovery
to set of servers (share-holders)

> The last part is somewhat of a problem, security-wise.  I mean, when I
> play with my own software, use my own private key protected
> appropriately, running on my laptop that isn't connected to anything
> and that has been checked for trojans, viruses and whatever, I feel
> rather safe signing some document, removing the diskette and
> reconnecting to the net in some fashion (no, I don't usually do things
> in quite such a paranoid fashion.  My laptop is secure enough and
> checked enough for my use).  However, sticking that same diskette on
> another system and giving it a password, when I'm not entirely certain
> there's no stealth program listening to the keyboard input and
> secretly taking a backup of my diskette, isn't something I would do
> without a lot of guarantees, and then I would still be suspicious.
> 
> Is there any scheme that would make the use of shared secrets a bit
> safer, or will this simply come down to each participant's trust in
> the system where the shared secret is used?

There are lots of papers on verifiable secret sharing. GRR mentioned
in the code attached and Pedersen-91, just to name a few.
Personally, I came across commitments first with "encrypted open books"
idea from Cypherpunks manifesto. There's an extensive survey by
Douglas Stinson and Ruizhong Wei, unfortunately a bit old.
Also, there's a great page by Helger Lipmaa. And I'm sure
there may be better pointers. Also, ResearchIndex is a great tool.

In short, it may not be easy to choose the best one to implement.

> For perfect safety (as closely as you can get to it), hardware devices
> like nCipher (who uses some kind of shared secret for the admin cards
> in the nForce boxes, I believe) are of course the option.  However, I
> don't have the funds for that,

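The two attached programs are not on the page, so the following is an added example in their spirit, not Vadim's code: Shamir sharing over a prime field, plus the GRR multiplication step he describes, in which each party multiplies its two shares, re-shares the product, and the parties combine the sub-shares with Lagrange coefficients to obtain degree-t shares of the product without ever recovering a or b. It simulates every party in one process and has no verifiability (no commitments), which is what the verifiable secret sharing papers mentioned later would add; the field prime is a constructed choice.

```python
"""Shamir secret sharing over GF(P) and GRR-style multiplication of shared secrets."""
import secrets

P = (1 << 127) - 1      # constructed prime field; a 1024-bit prime works the same way


def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n):
    """Split `secret` into n shares (x, f(x)) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]


def lagrange_at_zero(xs):
    """Coefficients l_i with f(0) = sum(l_i * f(x_i)) for distinct x_i."""
    coeffs = {}
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * xj % P
                den = den * (xj - xi) % P
        coeffs[xi] = num * pow(den, P - 2, P) % P    # Fermat inverse, P is prime
    return coeffs


def reconstruct(shares):
    """Recover f(0) from any t+1 (or more) shares of a degree-t polynomial."""
    lam = lagrange_at_zero([x for x, _ in shares])
    return sum(lam[x] * y for x, y in shares) % P


def grr_multiply(shares_a, shares_b, t):
    """Degree-t shares of a*b from degree-t shares of a and b held by n >= 2t+1 parties."""
    xs = [x for x, _ in shares_a]
    n = len(xs)
    if n < 2 * t + 1 or xs != list(range(1, n + 1)) or xs != [x for x, _ in shares_b]:
        raise ValueError("need the same n >= 2t+1 parties at x = 1..n holding both secrets")
    # Step 1: party i multiplies locally; the products lie on a degree-2t polynomial.
    products = {xa: ya * yb % P for (xa, ya), (_, yb) in zip(shares_a, shares_b)}
    # Step 2: party i re-shares its product with a fresh degree-t polynomial
    #         and hands sub-share j to party j (this is "product of shares is shared again").
    sub_shares = {xi: dict(share(ci, t, n)) for xi, ci in products.items()}
    # Step 3: party j combines the sub-shares it received using the Lagrange coefficients
    #         that interpolate the degree-2t polynomial at 0 from all n points.
    lam = lagrange_at_zero(xs)
    return [(xj, sum(lam[xi] * sub_shares[xi][xj] for xi in xs) % P) for xj in xs]
```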
Re: streaming/unstreaming an RSA key

2002-07-03 Thread Vadim Fedukovich

On Wed, Jul 03, 2002 at 02:58:45PM +0200, Judith Retief wrote:
> 
>   I have to encrypt and decrypt an RSA key using symmetrical encryption,
> using RC4 or one of the other symmetrical encryption APIs. I'm working in C.
> 
> 
>   But I assume I can't just give the RSA key struct to the encryption
> algorithm as input data; its members are BIGNUM pointers so the structure
> has dynamic data that is not part of the struct footprint. I need to stream
> the RSA struct into a continuous memory byte buffer to give to the
> encryption algorithm, and after decrypting this stream I need to build up
> the RSA key struct from it. 
> 
>   Are there standard functions available for these streaming functions? Or
> do I have to pull apart the pem_asn1_write/read() functions and implement my
> own? Am I guaranteed that the internal structure of the RSA struct will
> remain the same?

It is ASN.1 and DER that are here to guarantee encoded data will be
restored on any platform

> 
>   Regards, 
>  Judith




Re: PKCS7 file size issue

2002-07-03 Thread Vadim Fedukovich

On Wed, Jul 03, 2002 at 08:01:39AM -0400, Frank Geck wrote:
> Vadim,
> Yea I believe it is being base64 bit encoded.  Is there another
> way/better way to do this?

I'd say base64 is unlikely required, unless it's S/MIME.
SHA-1 or some other hash could be calculated over any binary data
to make/check signatures. Ciphers could handle binary data
exactly as text-like.

Naina only uses base64 to encode the cardholder's CN

good luck,
Vadim

> 
> Thanks,
> 
> Frank
> 
> Vadim Fedukovich wrote:
> 
> > On Tue, Jul 02, 2002 at 09:15:02PM -0400, Frank Geck wrote:
> > > I was wondering if someone could tell me real quick if this makes any
> > > sense.  I'm using the pkcs7 libraries ( not the command line interface)
> > > provided by openssl to sign a file and save the output to a file. The
> > > input file is 25,600 but the output is 36,227.  I tried another file
> > > 779,264 and the output file was 1,056,821, does this make sense?
> >
> > could it be base64?
> >
> > >
> > > Thanks,
> > >
> > > Frank
> > > [EMAIL PROTECTED]
> > >
> >




Re: PKCS7 file size issue

2002-07-03 Thread Vadim Fedukovich

On Tue, Jul 02, 2002 at 09:15:02PM -0400, Frank Geck wrote:
> I was wondering if someone could tell me real quick if this makes any
> sense.  I'm using the pkcs7 libraries ( not the command line interface)
> provided by openssl to sign a file and save the output to a file. The
> input file is 25,600 but the output is 36,227.  I tried another file
> 779,264 and the output file was 1,056,821, does this make sense?

could it be base64?

> 
> Thanks,
> 
> Frank
> [EMAIL PROTECTED]
> 




Re: Fingerprint

2002-06-29 Thread Vadim Fedukovich

On Sat, Jun 29, 2002 at 10:41:34PM +0200, davide wrote:
> On Fri, 28 Jun 2002 09:15:40 +0300
> Vadim Fedukovich <[EMAIL PROTECTED]> wrote:
> 
> > On Thu, Jun 27, 2002 at 11:14:09PM +0200, davide wrote:
> > > Hi,
> > > How could I get a fingerprint from a RSA key?
> > 
> > DER-encode RSA public key and apply SHA1 on it,
> > output that 20 bytes as "%02x".
> 
> OK for apply SHA1, but I don't know (and cannot find doc)
> how to DER-encode RSA public key, could anyone help me?

It was done as

X509_PUBKEY *pk;
ASN1_OCTET_STRING *oc;
oc = ASN1_item_pack(pk, ASN1_ITEM_rptr(X509_PUBKEY), NULL);

regards,
Vadim



Re: help needed regarding RSA key generation.

2002-06-27 Thread Vadim Fedukovich

On Thu, Jun 27, 2002 at 12:06:01PM -0500, Manish Ramesh Chablani wrote:
> 
> 
> 
> 
> On Thu, 27 Jun 2002, Vadim Fedukovich wrote:
> 
> > On Wed, Jun 26, 2002 at 07:35:59PM -0500, Manish Ramesh Chablani wrote:
> > > Hi,
> > >
> > >   I am new to openSSL. I want to use openSSL to provide cryptographic
> > > functions like (key generation, encryption with public key, signing with private
> > > key, MD5 calculation) i.e. basically I want to use OpenSSL's Crypto library. I
> > > am trying to add authentication/security in MPI implementation.
> > >   I am having problems getting started. For example how do I generate a
> > > RSA public key, private key pair from within my C program.
> > >   I looked at the API for rsa, its given below
> > > RSA *RSA_generate_key(int num, unsigned long e,
> > >void (*callback)(int,int,void *), void *cb_arg);
> > >
> > > but I don't want to decide the args to be passed to this API. I just want to
> > > generate random rsa key pair.
> >
> > would you like it of random size? Or maybe 1024-bits?
> 
> 
> I would like 1024 bits for first argument. But what should I pass as
> remaining arguments ?

A man page is available for this function.

> Also do I have to set up random seed before I
> generate keys ?

sure. This may be done automatically on some platforms.
Still, it's always Ok to care about randomness before generating RSA keys

> 
> Thanks,
> Manish
> 
> 
> >
> > >
> > > Please help.
> > >
> > > Also if you can point me to some documentation or brief tutorial on using the
> > > crypto library it will be great.
> > >
> > > Thanks,
> > > Manish
> > >
> > > -
> > >
> > > Manish Chablani,
> > > Graduate Student,
> > > Computer Science Department,
> > > Indiana University
> > > -
> > >
> >




Re: help needed regarding RSA key generation.

2002-06-27 Thread Vadim Fedukovich

On Wed, Jun 26, 2002 at 07:35:59PM -0500, Manish Ramesh Chablani wrote:
> Hi,
> 
>   I am new to openSSL. I want to use openSSL to provide cryptographic 
> functions like (key generation, encryption with public key, signing with private 
> key, MD5 calculation) i.e. basically I want to use OpenSSL's Crypto library. I 
> am trying to add authentication/security in MPI implementation.
>   I am having problems getting started. For example how do I generate a 
> RSA public key, private key pair from within my C program.
>   I looked at the API for rsa, its given below
> RSA *RSA_generate_key(int num, unsigned long e,
>void (*callback)(int,int,void *), void *cb_arg);
> 
> but I don't want to decide the args to be passed to this API. I just want to 
> generate random rsa key pair.

would you like it of random size? Or maybe 1024-bits?

> 
> Please help.
> 
> Also if you can point me to some documentation or brief tutorial on using the 
> crypto library it will be great. 
> 
> Thanks,
> Manish
> 
> -
> 
> Manish Chablani,
> Graduate Student,
> Computer Science Department, 
> Indiana University
> -
> 



unixreview: Anne Carasik on openssl

2002-06-27 Thread Vadim Fedukovich

Dear Mr. Casad,

UnixReview published Anne Carasik's article on openssl recently.
It should be great for a LEGO fan or someone studying the history of alcohol.
However, this article (at least) gives wrong advice and shows
a lack of competence on the writer's part. To illustrate it:

- using "-rand /dev/urandom" during RSA key generation will try to read
the whole device in and would never stop. One just can't generate an
RSA keypair with this option

- DSA is listed as digest algorithm in Ref.2

- it was said that "DSA uses Diffie-Hellman for key exchange" under
"Public Key Generation and Tools"

- it was suggested to use GnuPG for public-key operations instead of
openssl suitable for illustration only. However, the author didn't bother
to show how to sign X.509 certificates and Secure Electronic Transactions
messages with GnuPG.

I'm sure the list of errors could grow fast and easily. What is UnixReview's
policy on publishing follow-ups?

- Forwarded message from Brian Hatch <[EMAIL PROTECTED]> -

Date: Wed, 26 Jun 2002 14:00:59 -0700
From: Brian Hatch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: OpenSSL article at unixreview


There's an intro OpenSSL article at www.unixreview.com that
folks might want to peruse.

- End forwarded message -




Re: Generating certificates

2002-06-24 Thread Vadim Fedukovich

On Mon, Jun 24, 2002 at 09:13:44AM +0200, Martin Sjögren wrote:
> On Thu, Jun 20, 2002 at 11:51:42AM -0500, Pisano, Ed wrote:
> > Martin,
> > I solved this by creating openssl.cnf files that contain the information
> > that is gathered interactively by CA.pl.  I then modified the openssl.exe
> > command invocations in CA.pl to add command line flags and information
> > regarding the location of the created openssl.cnf file.
> 
> Ah, but you see, what I wanted to do was to do this from _within_ my
> application, with no stupid system or popen calls, making it slightly more
> platform independent. It's too bad there is no documentation on how to
> generate certificates and things like that using libssl.

Source is available; any problem reading that?  Anyway, one can:
 - X509_new()
 - set data to be signed, including fresh public key
 - apply some private key on DER encoding of that data
 - output

Maybe, one could use Naina as one more certificate handling HOWTO

> 
> Regards,
> Martin
> 
> -- 
> Martin Sjögren
>   [EMAIL PROTECTED]  ICQ : 41245059
>   Phone: +46 (0)31 7710870   Cell: +46 (0)739 169191
>   GPG key: http://www.strakt.com/~martin/gpg.html




Re: DH: problem with DH_compute_key

2002-06-18 Thread Vadim Fedukovich

On Tue, Jun 18, 2002 at 05:30:45PM +0200, julien Bournelle wrote:
> Hi all,
> 
>  I have a little pb and after a little search on google I didn't find any
> interesting help :-( 
> 
> This is my pb: i try to get a session key by DH and when I compute keys I
> didn't obtain the same session key.

No wonder:
one should call DH_generate_parameters() only once, to use the same modulus

> 
> This is the code :
> 
> "
> 
> #define PRIME_LEN 64
> #define GENERATOR 5
> 
> ...
> 
> DH *dh_mn;
> DH *dh_ha;
> char *key;
> char *key3;
> int dh_errors;
> 
> dh_mn = DH_generate_parameters(PRIME_LEN, GENERATOR, NULL, NULL);
> 
> DH_check(dh_mn, &dh_errors);
> 
> DH_generate_key(dh_mn);
> 
> dh_ha = DH_generate_parameters(PRIME_LEN, GENERATOR, NULL, NULL);
> 
> DH_check(dh_ha, &dh_errors);
> 
> DH_generate_key(dh_ha);
> 
> key = malloc(DH_size(dh_ha));
> key3 = malloc(DH_size(dh_mn));
> 
> DH_compute_key(key, dh_ha->pub_key, dh_mn);
> 
> DH_compute_key(key3, dh_mn->pub_key, dh_ha);
> "
> 
> and key is always different from key3...
> dh_errors = 0 
> 
> 
> thanks
> 
> [EMAIL PROTECTED]
> 


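The failure in the code above, as an added example rather than code from the thread: dh_mn and dh_ha each came from their own DH_generate_parameters() call, so the two sides exponentiated in different groups. The functions below show the correct flow (parameters generated once, handed to both sides) next to the mismatched one, and add the peer-value range check that DH_check_pub_key() performs. The group values p=23, g=5 and p=19 are constructed toy numbers, far too small for real use; the arithmetic is the same at 1024 bits.

```python
"""Finite-field Diffie-Hellman with shared versus independently generated parameters."""
from typing import Tuple


def dh_public_key(p: int, g: int, priv: int) -> int:
    return pow(g, priv, p)


def check_peer_public_key(p: int, peer_pub: int) -> None:
    """Reject degenerate peer values: 0, 1 and p-1 force the shared secret into a tiny set."""
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("peer public key out of range [2, p-2]")


def dh_shared_secret(p: int, priv: int, peer_pub: int) -> int:
    check_peer_public_key(p, peer_pub)
    return pow(peer_pub, priv, p)


def agree_with_shared_params(p: int, g: int, a_priv: int, b_priv: int) -> Tuple[int, int]:
    """Correct flow: (p, g) generated once, both sides derive keys in the same group."""
    a_pub = dh_public_key(p, g, a_priv)
    b_pub = dh_public_key(p, g, b_priv)
    return dh_shared_secret(p, a_priv, b_pub), dh_shared_secret(p, b_priv, a_pub)


def agree_with_separate_params(p1: int, g1: int, p2: int, g2: int,
                               a_priv: int, b_priv: int) -> Tuple[int, int]:
    """Reproduces the bug in the post: each side generated its own (p, g), like dh_mn and dh_ha."""
    a_pub = dh_public_key(p1, g1, a_priv)
    b_pub = dh_public_key(p2, g2, b_priv)
    return dh_shared_secret(p1, a_priv, b_pub), dh_shared_secret(p2, b_priv, a_pub)
```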


Re: [ANNOUNCE] OpenSSL 0.9.7 beta 2 released

2002-06-18 Thread Vadim Fedukovich

On Sun, Jun 16, 2002 at 01:55:48PM +0200, Lutz Jaenicke wrote:
> The second beta release of OpenSSL 0.9.7 is now available from the
> OpenSSL FTP site <ftp://ftp.openssl.org/source/>. Quite a lot
> of code changed between the 0.9.6 release and the 0.9.7 release, so
> a series of 3 or 4 beta releases is planned before the final release.
> 
> To make sure that it will work correctly, please test this version
> (especially on less common platforms), and report any problems to
> <[EMAIL PROTECTED]>.
> Application developers that use OpenSSL to provide cryptographic
> routines or SSL/TLS support are kindly requested to test their
> software against this new release to make sure that necessary adaptions
> can be made.

Naina library was built with beta2 without applying the SET objects patch, thanx.
It was tested to generate certificates once again.

Also, CCA and merchant were tested to run registration and sale sessions
(accept the order only) with a well-known wallet,
using certificates just generated.

> Changes between 0.9.6x and 0.9.7 include:
> 
>   o New library section OCSP.
>   o Complete rewrite of ASN1 code.
>   o CRL checking in verify code and openssl utility.
>   o Extension copying in 'ca' utility.
>   o Flexible display options in 'ca' utility.
>   o Provisional support for international characters with UTF8.
>   o Support for external crypto devices ('engine') is no longer
> a separate distribution.
>   o New elliptic curve library section.
>   o New AES (Rijndael) library section.
>   o Change DES API to clean up the namespace (some applications link also
> against libdes providing similar functions having the same name).
> Provide macros for backward compatibility (will be removed in the
> future).
>   o Unify handling of cryptographic algorithms (software and
> engine) to be available via EVP routines for asymmetric and
> symmetric ciphers.
>   o NCONF: new configuration handling routines.
>   o Change API to use more 'const' modifiers to improve error checking
> and help optimizers.
>   o Finally remove references to RSAref.
>   o Reworked parts of the BIGNUM code.
>   o Support for new engines: Broadcom ubsec, Accelerated Encryption
> Processing, IBM 4758.
>   o Extended and corrected OID (object identifier) table.
>   o PRNG: query at more locations for a random device, automatic query for
> EGD style random sources at several locations.
>   o SSL/TLS: allow optional cipher choice according to server's preference.
>   o SSL/TLS: allow server to explicitly set new session ids.
>   o SSL/TLS: support Kerberos cipher suites (RFC2712).
>   o SSL/TLS: allow more precise control of renegotiations and sessions.
>   o SSL/TLS: add callback to retrieve SSL/TLS messages.
>   o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
> 
> --
> Lutz Jaenicke   [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~jaenicke/




Re: Is it possible/appropriate to add a timestamp (RFC 3161) to a PKCS#7?

2002-06-07 Thread Vadim Fedukovich

On Thu, Jun 06, 2002 at 05:17:48PM -0700, Bob Steele wrote:
> 
> This might be a nonsensical question, and if so it 
> wouldn't be my first foolish question here:
> 
> Is it possible or appropriate to add a timestamp object
> (RFC 3161) to a PKCS#7 signature during the signature's
> creation? 

This should be defined by business logic and/or risk management rules.
No problem at software-writing level.

> It is *not* possible for me to make the timestamp the signed data
> portion, since I'm already creating signatures on external
> detached data. 
> 
> What I was wondering is if it was possible to add the timestamp
> at the same level as the certificates, much as you add additional
> certificates (for a complete signing chain) to a PKCS#7?

Maybe another SignerInfo part of the PKCS7?
Made by the time-stamping key to confirm the signed-data was shown to the
signer at that time. Adding another SignerInfo would not break the
validity of any previous one

> Alternately, If there is another PKI data structure that could
> incorporate
> both a PKCS#7 and a RFC 3161 timestamp, could you please suggest it
> to me?

One may want to time-stamp the whole "pkcs7 signed" to confirm the
(unverified) signature was shown to the second signer at that time

good luck,
Vadim

> Thanks for any and all help.
> 
> - Bob
> 
> 



Re: Need root certificates...

2002-06-07 Thread Vadim Fedukovich

On Fri, Jun 07, 2002 at 12:38:00AM -0700, Brian Doyle wrote:
> Does anyone know where I can get the latest VeriSign root certificate (that
> expires in 2028) in PEM format?  It seems to be impossible to get it from
> their website in anything other than some script to install it into a web
> browser.

Would you like someone to generate a keypair and cert and give it to you?
One must talk to Verisign

> Anyone know if there's a central trusted repository for all the popular root
> CA's primary (self-signed) certificates?
> 
> Thanks,
> 
> Brian Doyle
> Balance Software, Inc.
> 



Re: Naina announce (was: [ANNOUNCE] OpenSSL 0.9.1 beta 1 released)

2002-06-05 Thread Vadim Fedukovich

On Wed, Jun 05, 2002 at 08:42:10AM +0200, Lutz Jaenicke wrote:
> On Wed, Jun 05, 2002 at 03:35:31AM +0300, Vadim Fedukovich wrote:
> > hi list,
> > 
> > Naina library may be considered an ASN.1 test; it handles some
> > Secure Electronic Transactions messages.
> > http://www.unity.net/~vf/naina_r1.tgz
> > 
> > It works with 0.9.7-beta-1, on linux, gcc 2.9.5
> > 
> > It could be great to include SET-specific objects into openssl;
> > patch is there inside
> 
> * Would you please just submit the patch with the additional OIDs into
>   [EMAIL PROTECTED]? I however won't promise that it will make it
>   into 0.9.7, which is already in feature freeze (depends on the actual
>   submission).

just sent it

> * Do you have a homepage for your project, for which we can add a link?

Thank you, not yet. Actually, not much to show at this point,
merchant-wallet interface is the only working stuff.
I guess the most popular content could be screenshots included in the package

yours,
Vadim

> 
> Best regards,
>   Lutz
> -- 
> Lutz Jaenicke [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus



Naina announce (was: [ANNOUNCE] OpenSSL 0.9.1 beta 1 released)

2002-06-04 Thread Vadim Fedukovich

hi list,

Naina library may be considered an ASN.1 test; it handles some
Secure Electronic Transactions messages.
http://www.unity.net/~vf/naina_r1.tgz

It works with 0.9.7-beta-1, on linux, gcc 2.9.5

It could be great to include SET-specific objects into openssl;
patch is there inside

regards,
Vadim

On Sun, Jun 02, 2002 at 11:46:25PM +0200, Lutz Jaenicke wrote:
> The first beta release of OpenSSL 0.9.7 is now available from the
> OpenSSL FTP site <ftp://ftp.openssl.org/source/>. Quite a lot
> of code changed between the 0.9.6 release and the 0.9.7 release, so
> a series of 3 or 4 beta releases is planned before the final release.
> 
> To make sure that it will work correctly, please test this version
> (especially on less common platforms), and report any problems to
> <[EMAIL PROTECTED]>.
> Application developers that use OpenSSL to provide cryptographic
> routines or SSL/TLS support are kindly requested to test their
> software against this new release to make sure that necessary adaptations
> can be made.
> 
> Changes between 0.9.6x and 0.9.7 include:
> 
>   o New library section OCSP.
>   o Complete rewrite of ASN1 code.
>   o CRL checking in verify code and openssl utility.
>   o Extension copying in 'ca' utility.
>   o Flexible display options in 'ca' utility.
>   o Provisional support for international characters with UTF8.
>   o Support for external crypto devices ('engine') is no longer
> a separate distribution.
>   o New elliptic curve library section.
>   o New AES (Rijndael) library section.
>   o Change DES API to clean up the namespace (some applications link also
> against libdes providing similar functions having the same name).
> Provide macros for backward compatibility (will be removed in the
> future).
>   o Unify handling of cryptographic algorithms (software and
> engine) to be available via EVP routines for asymmetric and
> symmetric ciphers.
>   o NCONF: new configuration handling routines.
>   o Change API to use more 'const' modifiers to improve error checking
> and help optimizers.
>   o Finally remove references to RSAref.
>   o Reworked parts of the BIGNUM code.
>   o Support for new engines: Broadcom ubsec, Accelerated Encryption
> Processing, IBM 4758.
>   o PRNG: query at more locations for a random device, automatic query for
> EGD style random sources at several locations.
>   o SSL/TLS: allow optional cipher choice according to server's preference.
>   o SSL/TLS: allow server to explicitly set new session ids.
>   o SSL/TLS: support Kerberos cipher suites (RFC2712).
>   o SSL/TLS: allow more precise control of renegotiations and sessions.
>   o SSL/TLS: add callback to retrieve SSL/TLS messages.
>   o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
> 
> --
> Lutz Jaenicke   [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~jaenicke/



Re: PKI with Open Source "openssl"

2002-06-03 Thread Vadim Fedukovich

On Mon, Jun 03, 2002 at 11:17:40PM +, Franck Martin wrote:
> Read your web site,
> 
> Sorry, others, if my e-mail is slightly off-topic, but I think for a global
> trusted e-mail system we need some special certificates and I just want
> to check if medracen is offering them...
> 
> Need some info: what exactly is a gold certificate?

Let me guess: it's something of pure gold issued for
any marketing department to acknowledge excellence in doing their job
:-)

> I think you are missing some examples; maybe you should produce a set
> of sample certificates in openssl -text output so we can see what the
> various fields and the x509 extensions look like... btw, you
> can link to the SSL Certificates HOW-TO on www.tldp.org (self-promotion)
> to give people a total openssl solution and explanation...
> 
> Also the fuzzy titles are, well, fuzzy. I don't know if I should wear my
> glasses or not... Just teasing you...
> 
> The all in one certificate, is it a *.domainname.com certificate, or
> does it allow signing other certificates in the sub domain?
> 
> I'm curious about the gold certificate to know if I can use it to
> generate certificates for every e-mail account my organisation uses? If
> it is true, then that's what we all need, and especially me.
> 
> I found out that most certificates sites hide the technical matter
> behind the salesman speech, and we administrators in charge of security
> do not know what we are really buying because all the technicalities have
> gone... Please add a "for the expert" link on each certificate type to
> describe exactly what is given...
> 
> Finally, Kabylie is in Algeria and everybody knows that Algeria is not
> known for its stability... You should say something about that on your
> web site to prove that we can trust your company...

Personally, I'm quite sure modular division and multiplication
can be pretty stable anywhere on the globe regardless of, um, the country
hosting the CPU doing that

just a view,
Vadim

> 
> Cheers.
> [EMAIL PROTECTED]
> 
> On Mon, 2002-06-03 at 08:20, Averroes wrote:
> 
> Hi All,
> 
> A good experiment with all of openssl's options
> is at the Medracen website. This site is just for testing
> purposes; it is just a simulation describing how to implement
> a PKI solution with Open Source software.
> 
> URL: http://www.medracen.net/
> 
> To get your 30 days free Digital Signature Certificate go
> to URL:
> 
>  http://www.medracen.net/pki.php?url=helium
> 
> Comments and suggestions are welcome.
> 
> Thank you
> 
> Regards
> 
> #-
> Averroes
> 
> 
> 



Re: SV: Format of RSA public key ?

2002-05-30 Thread Vadim Fedukovich

On Thu, May 30, 2002 at 03:35:51PM +0200, Hellan,Kim KHE wrote:
>...
> > I have been looking at the RSA_public_decrypt() function, but I'm not quite sure how it works.
> > How can I verify a signature without specifying what was signed in the first place?
> 
> >The public key is normally used to recover the digest of
> >something-to-be-signed and memcmp() it to another one.
> >That is, one needs a hash of a document,
> >not necessarily the document.
> 
> I have looked in the rsautl application, and there they seem to use RSA_public_decrypt() to verify a signature.

Actually, to recover the hash to be memcmp() later

> I have tried to use this function and it does work somehow (not sure exactly what it does though). If I change one bit in the binary blob, the verification (RSA_public_decrypt) fails.

Given a ciphertext change, the padding check would fail on the recovered plaintext.
Well, the padding check is a required step in signature verification

> RSA_public_decrypt() does return 35 bytes of something that I don't know what is. Maybe a hash and some information about the hash algorithm?
> I don't know how to "decode" this returned binary blob?

One should know the signature details. It's hard to guess what a 35-byte
object is. It's not a SHA1 or MD5 value. My best guess is the 36-byte-long SHA1+MD5
hash specified for SSL client authentication.

How was that signature created?

hope this makes some progress,
Vadim
> 
> TIA,
> Kim



Re: SV: Format of RSA public key ?

2002-05-30 Thread Vadim Fedukovich

On Thu, May 30, 2002 at 02:09:38PM +0200, Hellan,Kim KHE wrote:
> Hi Vadim
> 
> Great!
> It works fine. When I got your mail I was just getting ready to test this function.
> This public key I have loaded shall be used to verify a signature.
> I have the signature as a 128 byte binary blob.
> 
> I have been looking at the RSA_public_decrypt() function, but I'm not quite sure how it works.
> How can I verify a signature without specifying what was signed in the first place?

The public key is normally used to recover the digest of something-to-be-signed
and memcmp() it to another one. That is, one needs a hash of a document,
not necessarily the document.

hope this fits,
Vadim

> 
> Thanks for all your help,
> Kim
> 
> -Original Message-
> From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
> Sent: 30 May 2002 12:15
> To: [EMAIL PROTECTED]
> Subject: Re: Format of RSA public key ?
> 
> 
> On Thu, May 30, 2002 at 08:59:59AM +0200, Hellan,Kim KHE wrote:
> > Hi Vadim
> > 
> > I should have been more specific.
> > I know it is modulus and public exponent, but what I'm looking for is some OpenSSL function to load this key into a EVP_PKEY structure.
> > 
> > Any ideas?
> 
> d2i_RSAPublicKey() and EVP_PKEY_assign_RSA() should work
> 
> hope this helps,
> Vadim
> 

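As an added example (not code from the thread or from OpenSSL), here is the recover-then-memcmp() check Vadim describes in the two replies above, done in pure Python over a constructed demo key: `rsa_public_decrypt()` mirrors what OpenSSL's RSA_public_decrypt() with RSA_PKCS1_PADDING returns, so a bit flipped in the signature already fails the padding check, while a different document passes recovery and fails the comparison. It also shows why the recovered value is 35 bytes for a SHA-1 signature: that is the DER DigestInfo, a 15-byte algorithm prefix plus the 20-byte digest. The 512-bit key, seed and sample message are constructed for the demo.

```python
import hashlib
import random

# DER-encoded DigestInfo prefix for SHA-1 (AlgorithmIdentifier + OCTET STRING header).
# Prefix (15 bytes) + 20-byte digest = the 35 bytes RSA_public_decrypt() hands back
# for a SHA-1 RSASSA-PKCS1-v1_5 signature.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def sha1_digest_info(message: bytes) -> bytes:
    """The 35-byte DigestInfo that gets padded and signed (what RSA_sign() builds)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; fine for a constructed demo key, not for real key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(modulus_bits: int = 512, seed: int = 2002):
    """Constructed demo key (n, e, d); 512 bits keeps it fast, the thread's key was 1024."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(modulus_bits // 2, rng), _gen_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def rsa_sign_pkcs1_v15(digest_info: bytes, n: int, d: int) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo, signature = EM^d mod n (as RSA_sign() does)."""
    k = (n.bit_length() + 7) // 8
    ps_len = k - len(digest_info) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this DigestInfo")
    em = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_public_decrypt(sig: bytes, n: int, e: int):
    """Mirror of RSA_public_decrypt(..., RSA_PKCS1_PADDING): recover EM = s^e mod n,
    check the 00 01 FF..FF 00 padding and return the payload (the DigestInfo).
    Returns None where OpenSSL returns -1: value outside the modulus or bad padding,
    which is why one flipped bit in the signature already fails at this step."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return None  # needs 00 01, at least eight 0xFF bytes, then a 00 separator
    return em[sep + 1:]


def verify_sha1_signature(message: bytes, sig: bytes, n: int, e: int) -> bool:
    """The step the thread describes: recover the digest, then memcmp() it against
    the DigestInfo of the document you actually hold."""
    recovered = rsa_public_decrypt(sig, n, e)
    return recovered is not None and recovered == sha1_digest_info(message)


def demo() -> dict:
    n, e, d = make_keypair()
    msg = b"constructed sample document"
    sig = rsa_sign_pkcs1_v15(sha1_digest_info(msg), n, d)
    flipped = sig[:-1] + bytes([sig[-1] ^ 0x01])  # one bit changed, as Kim tried
    return {
        "recovered_len": len(rsa_public_decrypt(sig, n, e)),        # 35 bytes
        "good": verify_sha1_signature(msg, sig, n, e),              # True
        "bit_flipped_sig": rsa_public_decrypt(flipped, n, e),       # None: padding check fails
        "other_document": verify_sha1_signature(b"other", sig, n, e),  # False: memcmp fails
    }


if __name__ == "__main__":
    print(demo())
```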


Re: SV: Format of RSA public key ?

2002-05-30 Thread Vadim Fedukovich

On Thu, May 30, 2002 at 08:59:59AM +0200, Hellan,Kim KHE wrote:
> Hi Vadim
> 
> I should have been more specific.
> I know it is modulus and public exponent, but what I'm looking for is some OpenSSL function to load this key into a EVP_PKEY structure.
> 
> Any ideas?

d2i_RSAPublicKey() and EVP_PKEY_assign_RSA() should work

hope this helps,
Vadim

> 
> Thanks,
> Kim
> 
> 
> -Original Message-
> From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
> Sent: 29 May 2002 17:03
> To: OpenSSL Users
> Subject: Re: Format of RSA public key ?
> 
> 
> hi Kim,
> 
> On Wed, 29 May 2002, Hellan,Kim KHE wrote:
> 
> > Hi
> >
> > When I use OpenSSL to extract 1024 bit RSA public keys to a binary file, I get a 162 byte file with the following ASN.1 structure:
> >
> > 0:d=0  hl=3 l= 159 cons: SEQUENCE
> > 3:d=1  hl=2 l=  13 cons: SEQUENCE
> > 5:d=2  hl=2 l=   9 prim: OBJECT:rsaEncryption
> >16:d=2  hl=2 l=   0 prim: NULL
> >18:d=1  hl=3 l= 141 prim: BIT STRING
> >
> > These public keys can easily be loaded in OpenSSL.
> >
> > I now have to support some 1024 RSA public keys with a different structure. The binary blob containing the public key is only 140 bytes and the ASN.1 structure looks like this:
> >
> > 0:d=0  hl=3 l= 137 cons: SEQUENCE
> > 3:d=1  hl=3 l= 129 prim: INTEGER   :80622FB09CAD2A75E84A00E2613FF1B52ED2382C6274E45364C140FE6639F437E07A135D824D99FEAE0C8BBF1782960AA9FF38C67373C41BD8DDB341754F78823BC3321581D5EF5349F5DAAD46B3B954CA9742280528DAABFC7B23229AF04FFDBE733E0AE310C3466224FC1A9628FF14F6ED
> 
> this is modulus
> 
> >   135:d=1  hl=2 l=   3 prim: INTEGER   :010001
> 
> ..and public exponent
> 
> good luck,
> Vadim
> 
> >
> > Does anyone know how to handle this "format" in OpenSSL. How do I load these public keys ?
> >
> > Thanks,
> > Kim Hellan
> > KMD / KMD-CA
> > http://www.kmd-ca.dk
> > Mailto:[EMAIL PROTECTED]
> >



Re: Timestamping with openssl

2002-05-25 Thread Vadim Fedukovich

On Sat, 25 May 2002, Averroes wrote:

> Hi All,
>
> Perhaps someone has the answer?
>
> I want to sign a file (provided by a requester) with some information
> like : hash+timestamp, then transform this signed file into a PKCS7 structure
> for sending back to the requester.
>
> Any help will be appreciated.

This looks like a "detached signature" PKCS7 with "signing time" and
"message digest" in the authenticated attributes list.

Please note lots of papers are available on timestamping techniques.
One may want to include references to adjacent hashes as a proof

hope this helps,
Vadim

>
> Regards
>
> #---
> Averroes
>



Re: URGENT: PKCS8 format to be used with java

2002-05-17 Thread Vadim Fedukovich



On Fri, 17 May 2002, Haikel wrote:

> Hi,
>
> I have generated keys in pkcs8 format with java and openssl. The thing
> that was not expected is the difference in the two files' structure.  The

why not? it's an encrypted private key.
Yes, one should expect them to be the same after decryption

> two files I generated look like that:

would you expect someone to read that base64-encoded encrypted data?

> The file generated with java
>
> -BEGIN ENCRYPTED PRIVATE KEY-
> MIICrTAnBgoqhkiG9w0BDAEDMBkEFLHA2SGrNrwcUsFrxFftTdvpff0kAgEFBIICgCe/dqz6Z4Qn
>
> .
> bp2JoA19vvY9/z762P4hGSHJWQA4ltQVzvGXScVQ+KpobwU9YH5Qs4JGBPEO7b1L/ONpz+jBj+hF
>
> ykCw3uM=
> -END ENCRYPTED PRIVATE KEY-
>
> The file generated with openssl
>
> -BEGIN ENCRYPTED PRIVATE KEY-
> MIICoTAbBgkqhkiG9w0BBQMwDgQIXNLEC6mo9bwCAggABIICgIEW1x+WeSW2K2BV
> .
> qWJ4VA95CfBeJbL9bjnbPog7A5qvhXmxV6rLDfwNyvzEbz2YkLWMDZp5io8Sp1TN
> fd/VfTQ=
> -END ENCRYPTED PRIVATE KEY-
>
>
> As you can see the lines do not have the same length.
>
> Can anyone tell me why the two files are different and if it's possible
> to use openssl PKCS8 keys with java.
>
> Thanks
> Haikel MEJRI
>




RE: Certification chain problem

2002-05-16 Thread Vadim Fedukovich

On Thu, 16 May 2002, Martinez Bernardo · Maria Elena wrote:

> Benoit,
>
> You have a Client Certificate from Verisign and you can't use it to sign a
> new certificate.

Nothing could stop a programmer from using such a private key to sign
other certificates.

However, an application aware of Basic Constraints extension would fail
to validate such a certificate, if/when tracing it from well-known
Verisign root.

> You need a CA certificate, which is the type of certificate that is
> able to sign. To obtain this kind of certificate from Verisign, you have to
> buy the "Verisign On Site" product (I think that's the product name), and you
> will become a Certification Authority.
>
> But better, create your own Certification Authority with Openssl.
>
> Regards,
> Elena
>
>
> > -Original Message-
> > From: Benoit Goarin [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, 16 May 2002 16:11
> > To:   [EMAIL PROTECTED]
> > Subject: Certification chain problem
> >
> > Hello
> >
> > Here is my problem
> >
> > I have a Verisign signed certificate (certificate A) and want to create
> > certificates which will be signed by it.
> > I create a certificate (certificate B) / private key pair and send the
> > certificate (B) to a server
> > But when it signs the certificate with its private key (A) and returns it
> > to the client, windows tells me that the certificate seems to be damaged
> >
> > Here are some lines of my code :
> >
> >
> > First, I create the pair :
> >
> > int sn, rsaSize;
> > RSA * rsa;
> > X509_NAME * name;
> >
> > sn=1; // serial number
> > rsaSize=1024; // key size in bits
> >
> > // create the certificate and key objects
> > m_pX509 = X509_new();
> > m_pKey = EVP_PKEY_new();
> >
> > // generate the RSA key pair and assign it to the EVP_PKEY structure
> > rsa = RSA_generate_key(rsaSize, RSA_F4, NULL, NULL);
> >
> > EVP_PKEY_assign_RSA(m_pKey, rsa);
> >
> > // set the version, the serial number and the validity period
> > // (X509_set_version() takes the zero-based version number: 2 encodes X.509v3)
> > X509_set_version(m_pX509,3);
> > ASN1_INTEGER_set(X509_get_serialNumber(m_pX509), sn);
> > X509_gmtime_adj(X509_get_notBefore(m_pX509), 0);
> > X509_gmtime_adj(X509_get_notAfter(m_pX509), (long)60*60*24*nbDays); // nbDays: validity in days
> >
> > // assign the public key to the certificate
> > X509_set_pubkey(m_pX509, m_pKey);
> >
> > // fill in the information about the certificate's creator
> > name = X509_get_subject_name(m_pX509);
> > X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char*)"FR", -1, -1, 0);
> > X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char*)"La Deuxieme Tete (L2T)", -1, -1, 0);
> > X509_NAME_add_entry_by_txt(name, "Email", MBSTRING_ASC, (unsigned char*)"[EMAIL PROTECTED]", -1, -1, 0);
> > // the issuer name is set to the same name as the subject here
> > X509_set_issuer_name(m_pX509, name);
> >
> >
> > Then I send the certificate to the server and do this :
> >
> > X509_sign(m_pX509, pKey, EVP_md5());
> >
> > pKey is the private key read with
> > PEM_read_PrivateKey(fp_key, &m_pKey, NULL, NULL);
> >
> >
> > It's a nightmare, I don't know what to do
> > please help me
> >
> >
> > Benoît Goarin
> >



Re: p7-signedData : ordering authenticatedAttributes (or not).

2002-05-15 Thread Vadim Fedukovich

On Wed, 15 May 2002, FRISCH Laurent FTRD/DTL/ISS wrote:

> Something bothers me with the authenticatedAttributes field in PKCS#7. It is
> defined in SignerInfo by "authenticatedAttributes [0] IMPLICIT Attributes",
> Attributes being a "SET OF attributes". This means that you should order
> attributes in the SET OF when signing ('cuz you have to DER-encode them).
> ok.

PKCS may be considered a moving target. AuthenticatedAttributes are
defined to be a SEQUENCE in Secure Electronic Transactions

> Yet, in openssl (pk7_doit.c, in PKCS7_signatureVerify, see after), one can
> see that explicitly no ordering is asked (IS_SEQUENCE flag).
>
> When can a bug happen ? Hmmm. Tricky. Probably never happen in real life.
> Still, theoretically...

Some SET software is available already

-vf




Re: Secret sharing & partial signature

2002-05-13 Thread Vadim Fedukovich



On Mon, 13 May 2002, Rakeshbabu Bobba wrote:

> here is the link
>
>  http://crypto.stanford.edu/~dabo/ITTC/dist-files/ittc-1.0.tar.gz
>
> rakesh
>
> On 13 May 2002, Aleix Conchillo wrote:
>
> > On Mon, 2002-05-13 at 19:34, Rakeshbabu Bobba wrote:
> > > you might want to take a look at ITTC project of Dan Boneh at stanford, it
> > > might be the one you are looking for.

ITTC is about generating key-shares of private keys and using them
in shares. However, one had better look at the source code.

yours,
Vadim




Re: Creating password-protected certs.

2002-04-30 Thread Vadim Fedukovich

On Tue, 30 Apr 2002, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:
>
> t0psecret> I'm trying to create password-protected client certs
> t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
> t0psecret> "export password" refers to (when creating the key),
> t0psecret> or is there another way?  I'm not sure whether the
> t0psecret> export password is a permanent password for the cert
> t0psecret> or just a one-time password used to import the .p12
> t0psecret> file.
> t0psecret>
> t0psecret> If it's the former, it seems as though Window strips
> t0psecret> this password when I import the cert, because I'm only
> t0psecret> asked for it the one time when importing. Is there any
> t0psecret> way around this?
>
> You're mixing up certificate and private key.  The password will
> protect the private key.  The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

PKCS12 also specifies a MAC-based integrity check that uses another
password and may be useful for certificates. Yes, one could ignore the
integrity check while parsing pkcs12 data.

just a note,
Vadim




Re: Prevent apache from giving out server cert?

2002-04-18 Thread Vadim Fedukovich



On Thu, 18 Apr 2002, Joern Sierwald wrote:

> At 10:19 18.04.2002 +0200, you wrote:
> >Hi,
> >
> >Is it possible to prevent apache from automatically giving out its server
> >certificate to everyone that is connecting to the server?
> >I want apache to only allow access to those that already have the
> >certificate installed in their clients.
> >It will be a form of access control.
> >
> >I need this functionality since only a few applications will ever access
> >this virtual host. The clients will come from a wide range of IP addresses
> >(not predictable) so I can't stop access that way.
> >I also would like to avoid client certificates.
> >
> >Regards,
> >Tobbe
> >
>
> I think you make a basic mistake here: You assume that the client NEEDS the
> server certificate to make a connection. That is not true. The Client can,
> if he chooses to, ignore the server's signature and therefore not need the
> server's certificate.

The client needs the server public key, part of the certificate.
Well, the client could ignore SSL and talk in plaintext

> So, even if an (enemy) client does not have the server's cert - he can
> still connect. Is that what you want?
>
> Jörn
>



Re: WebCT with SSL

2002-03-20 Thread Vadim Fedukovich

Carlos,

The DBM (keep users in a database) method was specified in .htaccess and
apache was built without DBM. This has nothing to do with SSL.
You could either re-build httpd or specify another way to handle
the web users list.

hope this helps,
Vadim


On Wed, 20 Mar 2002, Carlos Alberto Pelaez wrote:

> Hello dear friends. I try to configure WebCT with SSL and all is ok,
> but I found a problem. WebCT uses a validation form with .htaccess. When
> I try to log in to a site of the web site, this error appears:
>
> Invalid command 'AuthDBMUserFile', perhaps mis-spelled or defined by a
> module not included in the server configuration.
>
> What can I do with this?
> Thanks for your help and sorry for my English
>
>CAPA
>




Re: PKCS7, getting list of recipients

2002-03-14 Thread Vadim Fedukovich

On Thu, 14 Mar 2002, Frank Geck wrote:

> Vadim,
> Is that because those members in the structure are not populated?  What
> is the issuer info?  Is this the common name of the recipients?  I don't
> think so.  This is just the serial number of the cert and the issuer so you
> could, if you had all the certs on each machine, find all the recipients' certs
> and get the common name from there, right?
>
> Thanks,
>
> Frank
>

exactly, it's up to a lookup function to search for the certificate having
that issuer name and serial number (PKCS7_ISSUER_AND_SERIAL type).
One could get the recipient's CN from the certificate subject name, and only
the issuer name is available from the recipient info.

regards,
Vadim

> Vadim Fedukovich wrote:
>
> > On Wed, 13 Mar 2002, Frank Geck wrote:
> >
> > > How would I get a list of the recipients from a PKCS7 message?  I have
> > > read it in and it's a signed enveloped and I have decoded it and I see
> > > that there is a STACKOF(PKCS7_RECIP_INFO), any function calls to return
> > > this to me in a text format? The common name from the cert is fine as I
> > > see the PKCS7_RECIP_INFO contains a X509 cert.
> > >
> > > Thanks,
> > >
> > > Frank
> >
> > Here's a STACK_OF(PKCS7_RECIP_INFO) and one could
> > for (i = 0; i < sk_num(p7->recipientinfo); i++) {
> >   ri = sk_value(p7->recipientinfo, i);
> >   printsometest(ri);  /* print whatever you need from each recipient info */
> > }
> >
> > One could access issuer info and cert serial number from recipient info,
> > not the recipient's certificate.
> >
> > hope this helps,
> > Vadim
> >



Re: Off-Topic: Wildcard Certificates

2002-03-12 Thread Vadim Fedukovich

On Tue, 12 Mar 2002, Philipp Gühring wrote:

>
> Hi,
>
> I read somewhere, that wildcard certificates are generally possible.
> (With the exception that not every implementation might like it)
>
> What about a certificate for *.com, *.org or *.net ?

At least one "SSL proxy" package was designed with just a "*"
certificate in mind and it worked, if one told his browser
to accept that.

> I guess, I will have to try, whether any of the certificate authorities
> accepts a certificate request like that.
> I think some of them look through the wildcard requests manually ...
>
> Many greetings,
> - --
> ~ Philipp Gühring  [EMAIL PROTECTED]
> ~ http://www.livingxml.net/   ICQ UIN: 6588261
> ~ 



Re: intermediate level CA certificates, chains

2002-03-08 Thread Vadim Fedukovich

On Fri, 8 Mar 2002, Martin Witzel wrote:

>
> Hi,
>
> I have two questions about certificate chains.
>
> a.) Can an openssl intermediate CA create certificates which contain the
> certificate of an intermediate level signing CA _and_ the certificate(s) of
> higher level CAs, i.e. a certificate chain with more than one certificate?

Making chains is unlikely to be a CA's business; one could try
tuning the webserver instead

> b) I have set up an intermediate level CA and signed a certificate request
> from some other requester (not openssl). I only see the intermediate level CA
> certificate, not the intermediate level CA cert + the root CA cert stacked in
> one cert as a certificate chain when I use this certificate in an SSL
> connection. However, I expected to see a certificate chain.

With an openssl-based webserver, one could send a chain from server cert
to root (if CA certificates are available to the webserver) accompanied by
just any other certs specified for SSL_CTX_use_certificate_chain_file()

> 1) If it is possible to create such a stacked cert at all, I must have
> goofed with the intermediate level CA cert. It should already contain the
> root CA cert together with its own cert, right?
>
> 2) The steps I took are, somewhat abbreviated:
> Create root CA key and cert
>    genrsa -out cakey.pem
>    req -new -key cakey.pem -out cakey.csr
>    req -in cakey.csr -key cakey.pem -x509 -out cacert.pem
>
> Generate 2nd level CA key
>    genrsa -out cakey2.pem
>    req -new -key cakey2.pem -out cakey2.csr
>    req -in cakey2.csr -cert cacert.pem -keyfile cakey.pem -out cacert2.pem
>
> Was there an error in the steps so far which caused the root certificate in
> the intermediate level CA to be omitted?
>
> 3. Now sign a self-signed client certificate request which BTW was not
> created with openssl. Replace the root key and cert file in the CA with the
> intermediate CA level file versions cakey2.pem and cacert2.pem which I have
> created above. Then use the command
>    ca -ss_cert client.csr  -out clientcert.crt -policy policy_anything
>
> As mentioned, when the SSL server receives this client cert, I do not see
> that there is anything else but the intermediate level CA cert in it, no
> root cert included.
>
> Any clues?  Thank you, Martin

You didn't specify the webserver so it's hard to guess the tuning technique

good luck,
Vadim




Re: secure mailinglists

2002-03-07 Thread Vadim Fedukovich

On Thu, 7 Mar 2002, Damian Hesse wrote:

> Hi everybody,
>
> we have set up our own CA and generated for everybody
> user certificates for secure communication. It really works
> fine.
>
> The task: now we want to set up mailinglists (server side)
> like "[EMAIL PROTECTED]" where some users of our company and
> some from a customer should be able to write signed and
> encrypted emails and everybody on the list should be able to
> read it.
>
> The question is how should this be done? The only solution I can
> imagine is to generate a certificate for the list and send the p12-file
> to everybody on the list. But does it really work with all mail
> programs, because for example: user A sends an encrypted mail to
> [EMAIL PROTECTED] which is expanded to user B, but it's not originally
> encrypted for B...

Some more cases are described in RFC 2634

> What's the best way of solving such a mailinglist problem? What is
> your experience and solution? I am sure I am not the only one being
> confronted with such a task (hope :-).

A list of expected mail readers and a list of their features
would help to choose the solution

good luck,
Vadim




Re: boolean default true

2002-03-07 Thread Vadim Fedukovich

On Thu, 7 Mar 2002, Dr S N Henson wrote:

> Vadim Fedukovich wrote:
> >
> > Hello,
> >
> > would this construct
> >
> > ASN1_SEQUENCE(SomeTypeDefinition) = {
> >   ASN1_IMP(SomeTypeDefinition, someFieldName, ASN1_FBOOLEAN, N)
> > } ASN1_SEQUENCE_END(SomeTypeDefinition)
> >
> > be fine for "someFieldName [N] BOOLEAN DEFAULT FALSE" in ASN.1?
> >
>
> You should always use OPT with the ASN1_FBOOLEAN and ASN1_TBOOLEAN.
>
> The actual type is just applying a specific interpretation when the
> field is absent or taking the default value. For example in the
> ASN1_FBOOLEAN case it means that if the boolean value is set to FALSE it
> will not be encoded and if the field is absent it will be represented as
> FALSE.

Yes, this is exactly what I'm looking for

> You don't have to use the ASN1_FBOOLEAN and ASN1_TBOOLEAN types as long
> as you interpret and set the value appropriately.
>
> Using them does have a disadvantage in that some encoders might
> incorrectly not omit a field having the default value. This would mean
> that decoding and reencoding the structure would not produce the same
> result.
>
> Steve.

many thanks for the advice and for the powerful ASN1 code,
Vadim


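An added example, not code from the thread or from OpenSSL: a small DER encoder/decoder in Python for SEQUENCE { someFieldName [1] IMPLICIT BOOLEAN DEFAULT FALSE, value INTEGER } (tag number 1 and the INTEGER companion field are assumed for illustration). It shows the ASN1_FBOOLEAN behaviour Steve describes: FALSE is not encoded, an absent field decodes as FALSE, and an encoder that writes the DEFAULT value explicitly still decodes correctly but no longer round-trips byte for byte.

```python
# Record layout (assumed for illustration):
#   SEQUENCE { someFieldName [1] IMPLICIT BOOLEAN DEFAULT FALSE, value INTEGER }
FIELD_TAG = 0x80 | 1   # context-specific, primitive, tag number [1]
TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode(flag: bool, value: int, omit_default: bool = True) -> bytes:
    """DER-encode one record (non-negative INTEGER only). A correct encoder
    (omit_default=True) leaves the field out when it equals its DEFAULT;
    omit_default=False imitates the sloppy encoder Steve warns about, which
    writes FALSE explicitly."""
    body = b""
    if flag or not omit_default:
        body += tlv(FIELD_TAG, b"\xff" if flag else b"\x00")
    body += tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))
    return tlv(TAG_SEQUENCE, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode(der: bytes):
    """Parse a record; an absent [1] field decodes as FALSE, as ASN1_FBOOLEAN does."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    flag = False
    tag, elem, pos = read_tlv(body, 0)
    if tag == FIELD_TAG:
        flag = elem != b"\x00"
        tag, elem, pos = read_tlv(body, pos)
    if tag != TAG_INTEGER or pos != len(body):
        raise ValueError("expected INTEGER as the last element")
    return flag, int.from_bytes(elem, "big")


def round_trips(der: bytes) -> bool:
    """Steve's concern: decode then re-encode must reproduce the input bytes.
    An explicitly encoded DEFAULT value decodes fine but fails this check."""
    return encode(*decode(der)) == der


if __name__ == "__main__":
    print(encode(False, 5).hex(), encode(True, 5).hex())
    sloppy = encode(False, 5, omit_default=False)
    print(decode(sloppy), round_trips(sloppy))
```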


Re: Kannel and Openssl

2002-03-04 Thread Vadim Fedukovich



On Mon, 4 Mar 2002, Wilhelm Farrugia wrote:

>
> Dear all,
>
> I am trying to use openssl with kannel; are there any implications that I
> should know about?
>
> Does anyone have some details about the issue?
>
> Thank you,
> Wilhelm Farrugia

Oleg Taranov did something with kannel and openssl and released it.
Hopefully a search engine could help

good luck,
Vadim




SSL PLUS solution vs. openssl

2002-02-22 Thread Vadim Fedukovich

Dear Certicom,

why was it stated "posting of source code is required on OpenSSL" at
http://www.certicom.com/products/ssl_plus/g/ssl/020119_2_v1_chart.html ?

-vf



Re: Getting RSA key as an encrypted and B64 encoded string

2002-01-21 Thread Vadim Fedukovich

On Mon, 21 Jan 2002, Hellan,Kim KHE wrote:

> Hi
>
> I have an RSA private key in a EVP_PKEY structure.
> I need to get the RSA "blob" out of the EVP_PKEY, encrypt it
> (EVP_des_ede3_cbc) and Base64 encode it.
> Basically I need something like what the PEM_write_PrivateKey() function
> does, except my destination is memory, not a file and I don't want the PEM
> header/footer.
> I'm sure this can easily be done using the right OpenSSL function, but which
> one?

PEM_ASN1_write_bio() to memory-type BIO may fit

> And also.at some point I need to put the encrypted, encoded RSA key back
> into an EVP_PKEY structure?

PEM_ASN1_read_bio()

good luck,
Vadim




Re: [Fwd: update on signed-and-enveloped]

2002-01-13 Thread Vadim Fedukovich

On Fri, 11 Jan 2002, Frank Geck wrote:

> Thanks, I was already using a variant of this code.  The issue seemed to
> be openssl 0.9.6b, went to version c and it worked.
>
> The current issue I have is how can I make the buffer that will hold the
> decoded data dynamic instead of static (i.e. no BIG, use malloc).  What
> size to I make it instead of just big?  Any part of the bio data
> structure once PKCS7_dataDecode has been called that can tell me how big
> to make the buffer so that when I do: BIO_read(p7bio, buf, data_len), I
> know how big to make data len?

The very 1st step with pkcs7 would be parsing and an OCTET STRING
should be allocated to hold encrypted data. One could use this size
as an estimate.

yours,
Vadim




Re: HTTPS Post

2002-01-10 Thread Vadim Fedukovich



On Wed, 9 Jan 2002, Scott Frazor wrote:

> Can anyone give me a rough idea on how to prepare and send a https POST via
> openssl?  I know how to open a socket and connect SSL, but I'm missing
> something when it comes to sending a HTTPS POST and RECEIVING the response.
> I'm not sure if I'm asking the question right.  Any ideas?

w3c-libwww would handle HTTP just fine

good luck,
Vadim




Re: PKCS7 SignedAndEnveloped problems

2002-01-10 Thread Vadim Fedukovich



On 10 Jan 2002, Aleix Conchillo wrote:

> Hi,
>
>   I am trying to create a PKCS7 SignedAndEnveloped. I get the idea
> from the enc.c and dec.c files in crypto/pkcs7 directory. As it is an
> enveloped pkcs7 i need to add a recipient. And as it is signed, i need to set
> the signers. The problem i have is with the signers, if i use function
> PKCS7_add_signer like this
>
>   PKCS7_SIGNER_INFO* signer = PKCS7_SIGNER_INFO_new();
>   PKCS7_SIGNER_INFO_set(signer, cert, pkey, EVP_sha1());
>   PKCS7_add_signer(p7, signer);
>
> the recipient of the pkcs7 is unable to verify the pkcs7 data. Otherwise, if i use:
>
>   PKCS7_add_signature(p7, cert, pkey, EVP_sha1());
>   PKCS7_add_certificate(p7, cert);
>
> works as supposed. Any one can tell what am i doing wrong with PKCS7_add_signer?
>
>   Any help would be really appreciated.

Recipient may be missing signer's certificate. It would be better
to make it report the reason for verification failure.

yours,
Vadim




Re: 3DES-CBC questoins

2002-01-10 Thread Vadim Fedukovich



On Wed, 9 Jan 2002, Andrew wrote:

> Well let's see if I can explain this a little better. How does 3DES
> work? Apparently my co-worker took the final encrypted text, XOR'ed it with
> the original message and obtained a key. Now he claims that he can decrypt
> any message with that key.

Did you ask him to do the show? I doubt he can. Something like this
may happen if:
- using the same key for handling all messages instead of generating
  a fresh random one, and
- using stream cipher like RC4.

yours,
Vadim

> Now this may be wrong, does it mean he can
> decrypt the original message then? I thought 3DES was 168-bits strong, but if
> the three 56-bit keys are just xor'ed then it doesn't seem to be a linear
> encryption.
> Also he xor'ed the original message with the final encrypted message,
> this produced a key. Now he also xor'ed all three of the des keys together.
> When compared the keys were the same. This is strange because it seems to me
> then that all you need to know is the x'ored equivalent of all three of the
> 3des keys. Pretend I have no clue what I'm talking about and try to explain
> how 3des works ;-) I'm not sure what other information you are looking for.
> I'm just asking how the semantics of 3DES work and why it's stronger than DES.
> I know that it is, but why.
>
> Thanks!
>
> -
> Andrew
> ActiveSol.net
> [EMAIL PROTECTED]
> - Original Message -
> From: "David Tonhofer, m-plify S.A." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "Andrew" <[EMAIL PROTECTED]>
> Sent: Wednesday, January 09, 2002 12:46 PM
> Subject: Re: 3DES-CBC questoins
>
>
> >
> >
> > --On Wednesday, January 09, 2002 12:26 PM -0500 Andrew
> > <[EMAIL PROTECTED]> wrote:
> >
> > > A coworker has brought up a question that I can't answer and I am hoping
> > > somewhere here could. With 3des you encrypt the data with the first key,
> > > decrypt with the second and encrypt with the 3rd to get the encrypted
> > > message.
> >
> > Yes..
> >
> > > He xor'ed the plain text with the encrypted message and obtained
> > > a key.
> >
> > Well, does this mean that the message was only 56 bit long? As the DES
> > stream is essentially random (I think), this would be a way of obtaining a
> > random number.
> >
> > > He then could use that key to decrypt any other message.
> >
> > What does that mean? He can't.
> >
> > > Now I
> > > know that if you know the plain text than you can get the key but the
> > > point was how is 3des any stronger than des if you only need one key to
> > > decrypt the message.
> >
> > You can't. 3DES is definitely stronger.
> >
> > > Also it appears the key he found was only 56-bits,
> > > or maybe this is a mistake. So I guess the question is, if you only need
> > > one key to decrypt a 3des encrypted message then how is it strong.
> > > Thanks!
> > > -
> > > Andrew
> > > ActiveSol.net
> > > [EMAIL PROTECTED]
> >
> >
> > There is not enough information for a meaningful answer...
>




Re: 101-OpenSSL question..

2001-12-26 Thread Vadim Fedukovich



On Mon, 24 Dec 2001 [EMAIL PROTECTED] wrote:

>
> Hi expert guys,..   :)
>
> I'm starting a class project which requires handling a packet after
> encrypting it, and before transmitting it to the IP layer. I want to add a
> header and modify the current IP address of the packet.
>
> The steps -- in summary -- are as follow:
>
> **
> 1- Packet encryption. (I have nothing to do with it)
> --
> 2- My work:
>   Get a packet.
>   Add my own header information to it.
>   Modify the IP address.
>   Pass it to the next layer.
> --
> 3- Send it to TCP/IP layer for transmit  (I have nothing to do with it too)

These 3 steps could be done with IPSec, tunnel (subnet-to-subnet) mode.
Please consider installing FreeSWAN to handle IP packets.

good luck,
Vadim

>
> **
>
> So I need your help to step me in the first step of this project, I
> need to know from where to start. I download the OpenSSL project, and I
> found 1500 files ,,!!!
>
> So would you mind pointing me out to the files that I should start
> modifying and playing with.
>
> Any information is valuable to me and appreciated  :)
>
> Thanks a lot.
>
> Dave.
>
>
>




Re: Apache and SSL

2001-12-26 Thread Vadim Fedukovich

On Sat, 22 Dec 2001, Mike Brandonisio wrote:

> Hi,
>
> I wanted to post an answer to a problem I had with Apache and SSL. It took
> some time to figure this one out but here it is:
>
> PROBLEM:
> When I installed Apache and setup a virtual server for my test web site the
> standard HTTP requests worked fine and port 80 requests work fine. However
> when I would enable SSL on the Test Web Site It would act like the HTTP:80
> and HTTPS:443 were switched.
>
> When I'd hit the server with http://192.168.0.60 I get an error saying that
> the I am trying to talk to the server in an ssl enabled port try https. I
> thought that http was port-80. So I try https and is gives me an error could
> not connect to host. I try  https://192.168.0.60:80 it makes an ssl
> connection. Now here is the odd part I try  http://192.168.0.60:443 and it
> makes non-secure connection. To summarize it looked like the server is
> talking ssl on port80 and plain talk on port443.
>
> RESOLUTION: (newbie brain fart)
> It turns out that you can only have 1 virtual server respond to 1 port.
> Previously I had SSL enabled on a single virtual server that was set to
> respond to port 80. To have a web site respond to HTTP:80 and HTTPS:443 you
> need two virtual servers both responding to the same IP and both using the
> same path for their root. Then set virtual server 1 to respond to HTTP:80
> and virtual server 2 to respond to HTTPS:443. Enable SSL on virtual server 2
> as well.

It's unlikely one would want to set the same path for ssl and plain-tcp
apache virtual servers. SSL is used to transport sensitive information
and giving that out over plain tcp would be a security problem at site
design level.

> I guess I was confused by my past experience with IIS servers. There you
> have one server that you enable SSL on.
>
> I hope this helps some else on the list as it helped me.

I should say this stuff is apache-specific and apache is not the only one
project that could be compiled with openssl. Please consider another
mailing list (I guess mod_ssl -users).

best wishes,
Vadim




Re: m*n type of password protection...

2001-12-21 Thread Vadim Fedukovich


On Thu, 20 Dec 2001, Richard Levitte - VMS Whacker wrote:

> There are devices out there (I'm thinking of nCipher boxes, but I bet
> there are others) where you can protect something (in the nCipher
> case, the admin card) with n password, of which any m (m <= n) are
> required to unlock the encrypted "something".
>
> I've heard of two technologies, but have no docs and do not really
> know what to search for.  The first is to have m*n (or whatever the
> formula would be) copies of "something", protected with all the
> different needed permutations of the passwords.  My gut feeling is
> that this method sucks.  The second method involves some clever
> splitting of "something" and some kind of protection of each part.
>
> If there's anyone who knows more or can point me in the right
> direction, I'd appreciate it.

There's "secret sharing" technique often based on system of linear
equations. One could solve that given enough equations (shares).
Lagrange formula is used to recover the secret.
Related techniques are calculating multiplication of two secrets
available as shares and doing modular inverse.
Equations are good for "any k of n originally distributed shares" logic
and some research was done on alternative access structures.

> My goal is to apply whatever I come up with on usual PEM-formatted RSA
> keys, and possibly to insert code in OpenSSL for this.

One could apply this sharing to secret exponent for key storage
and recover it before using such a key. Alternatively, one could
run a protocol by share holders to do power modulo operation
using their shares without revealing them and combining results.
One could generate a key in shares running another protocol with
no single cpu handling the whole key.

There are a couple of flavours of sharing technique, some of them
suggesting blind trusting of share holders and some allowing to detect
and locate invalid shares. A nice "share refresh" protocol was
suggested: sharing zero value and adding shares of zero to "old" shares
resulting in "new" shares set that would recover the same key (secret).

Using secret-sharing technique with DH is the easiest idea.
RSA and DSA could be implemented as well.

Papers/Authors/URLs list might be rather long. I do remember a paper
of Boneh and Franklin on key-share generation and there was ITTS project
with nice pointers to read further. "Alternative" secret exponent
calculation code suitable for key-share generator was here on this list
a year ago and no errors were found since then. Please use it for OpenSSL
if it fits somewhere.

One will likely need to come up with suitable (agreed?) format for
such shares. CRT numbers are probably irrelevant for shares of
RSA key and two other numbers (share index and number of shares)
should be saved for a basic sharing scheme.

hope this helps,
Vadim
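The k-of-n scheme Vadim sketches above (a random polynomial, Lagrange recovery at zero, and a refresh by adding shares of zero), as an added Python example that is not part of the thread or of OpenSSL. The field prime, the secret value and the threshold are constructed for the demo; the threshold RSA/DSA protocols he mentions are out of scope, but the same `recover` would reconstruct a shared secret exponent before use.

```python
"""k-of-n secret sharing over a prime field: Lagrange recovery and the
'share refresh' trick (adding shares of zero). Added example, not
OpenSSL code; the prime and the secret are constructed for the demo."""
import secrets

# Constructed field modulus: the Mersenne prime 2^127 - 1. A real RSA
# secret exponent d would need a prime larger than d.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x, prime):
    """Evaluate a polynomial (coeffs[0] is the constant term) by Horner's rule."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % prime
    return y


def make_shares(secret, k, n, prime=PRIME):
    """Split secret into n shares (index, value); any k of them recover it.

    The secret is the constant term of a random degree k-1 polynomial, so
    k points determine it and k-1 points leave every value equally likely.
    The share index (and n) must be stored with each share, as the thread notes.
    """
    if not 1 <= k <= n < prime:
        raise ValueError("need 1 <= k <= n < prime")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def recover(shares, prime=PRIME):
    """Lagrange interpolation at x = 0 over the given (index, value) pairs.

    This solves the linear system the shares define; with fewer than k
    shares it still returns a number, but not the secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def refresh(shares, k, prime=PRIME):
    """Return new shares of the same secret by adding a sharing of zero.

    Old and new shares do not mix, so a share leaked before the refresh is
    useless once every holder has switched to the new set.
    """
    zero = [0] + [secrets.randbelow(prime) for _ in range(k - 1)]
    return [(x, (y + _eval_poly(zero, x, prime)) % prime) for x, y in shares]
```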




bss_file.c included on windows

2001-12-17 Thread Vadim Fedukovich

Dear Openssl team,

what is the reason behind
   #ifdef WINDOWS
   #include "bss_file.c"
at apps/apps.c and other places?

It looks fine to exclude that while cross-compilation
from gcc to mingw32. I was able to run tests (manually, not full set yet)
on win98 with executables produced by gcc-3.0.2 and binutils-2.11.2.
Tools were built on linux for cross-compiling, i586-pc-mingw32 target,
mingw-runtime-1.2, w32api-1.2. To build openssl:
  set path to cross-tools
  ./Configure no-asm -DCURSOR_SHOWING -lwsock32 -lgdi32 -Llibpath Mingw32

regards,
Vadim




Re: PKCS1 Compliant

2001-12-14 Thread Vadim Fedukovich



On Thu, 13 Dec 2001, Tony Vo wrote:

> Hello,
>
>   Is OpenSSL PKCS1 compliant?  I've noticed that in the function
> for padding type 2 that the first byte (octet) is 0x00 followed by 0x02
> for the second byte (octet).  Is this correct?  According to the PKCS1
> specification, the first byte (octet) should be 0x02.  Please help.

According to specification, version 1.5, file pkcs-1.ps.gz available
from RSA Labs site, first byte is 0. Please take a look at 8.1 clause,
"Encryption-block formatting". Well, Block Type byte could be 2.

Regards,
Vadim
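Clause 8.1 of PKCS #1 v1.5 as Vadim reads it, in an added Python example that is not OpenSSL's implementation: the encryption block starts 00 02, the padding string consists of non-zero octets, and a decoder rejects a block that starts with 02 as the questioner expected. The modulus size `k` and the sample data are constructed.

```python
"""PKCS #1 v1.5 encryption-block formatting, block type 2 (clause 8.1):
EB = 00 || BT || PS || 00 || D. Added example, not OpenSSL's code."""
import secrets


def pkcs1_type2_pad(data: bytes, k: int) -> bytes:
    """Format data into a k-byte encryption block (k = modulus length)."""
    if len(data) > k - 11:          # PS must be at least 8 octets
        raise ValueError("data too long for a %d-byte modulus" % k)
    ps_len = k - 3 - len(data)
    # PS consists of pseudo-random NON-ZERO octets, so the 00 separator
    # in front of D is unambiguous.
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    # The leading 00 octet keeps the block, read as an integer, below n.
    return b"\x00\x02" + ps + b"\x00" + data


def pkcs1_type2_unpad(block: bytes, k: int):
    """Return D from a block, or None if the block is malformed.

    A real decryptor must not reveal which check failed (e.g. through
    timing or distinct errors), since that turns it into a padding
    oracle; this demo only illustrates the format.
    """
    if len(block) != k or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)    # first 00 after the block-type octet
    if sep < 0 or sep - 2 < 8:      # no separator, or PS shorter than 8
        return None
    return block[sep + 1:]
```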




RE: Intermediate signing certs

2001-12-11 Thread Vadim Fedukovich



On Tue, 11 Dec 2001, Tat Sing Kong wrote:

>
> That's me told then, so to authenticate a certificate you need the whole
> "chain" of certs going from the cert to authenticate all the way to a
> trusted CA.

It's unlikely just authentication is of any practical use;
authorization is and risk of failure to consider.

In case of sending encrypted mail to a stranger: would one care
authentication at all? One could just use public key from certificate
presented and the message could be just lost in case of bad key.
Yes, one should exclude man-in-the-middle and create message content
to be useful by a stranger. One could also care whether exactly this
stranger was here already. It's unlikely any CA could be useful here.

> The application I am writing is presented with certs to authenticate from an
> external source, and the configuration has to hold a "pool" of trusted certs
> so you can check the certificates presented.  It appears that this "pool"
> has to basically have every possible signer in it.  I was kind of hoping
> that I could get away with only a couple of trusted CA's; and traverse the
> certificate hierarchy to these roots.  Hold on, I can't do that because
> without the intermediate signer certs how can I figure out who signed them?
>
> Got it now.
>
> Tat.
>
> > > > Would this be a hassle if you have a root CA with a lot of
> > intermediate
> > > > signers?  That means that you have to store/locate all
> > possible intermediate
> > > > signers to evaluate a couple of end user certificates.
> > >
> > > This is why PKCS12 (iirc) provides a mechanism to provide intermediate
> > > certs with the final cert.  The CA should have a suitable chain for its
> > > own certs, and it can return the extra certs with everything that it
> > > signs.
> >
> > This likely applies to PKCS7 Signed structure.
> >
> > > This doesn't help you when presented a naked cert by a stranger - you
> > > still have to locate those intermediate certs - but at that point you
> > > have more problems than just finding the intermediate certs.  What does
> > > it mean to have a full cert chain if the root is a self-signed cert by
> > > "Bob's Bait Shop and Certificate Authority?"
> >
> > Any parseable certificate presented by a stranger is good enough to
> > use that public key to send email encrypted to *his* private key.
> > At least if there's no chance for man-in-the-middle.
> >
> > Probably you are talking about verification that stranger is authorized
> > by some big guy to pay..it's completely different issue. Yes, one needs
> > (root) certificate of that big guy and intermed certs to verify the chain.
> >
> > > You could decide to ignore any cert that's not from a major CA (which
> > > would make the stockholders of Verisign very happy), but that misses
> > > the point.  An individual cert by Verisign really says very little about
> > > the person, a cert signed by a small college for its students for
> > > internal use may be rock solid.
> >
> > One could care about CA certificates related to his business, either
> > well-known or private ones used to verify access to local resources.
> >
> > > On a related note, is there documentation on how to set up a "well-
> > > behaved" certs and PKCS12 bags?  I couldn't find anything the last
> > > time I checked, but maybe something has come out since then.
> >
> > Any problem with PKCS12 specifications published by RSA Labs?
> > What is "well-behaved" ?
> >
> > -vf
>
>
>




Re: Intermediate signing certs

2001-12-11 Thread Vadim Fedukovich



On Mon, 10 Dec 2001, Bear Giles wrote:

> > Would this be a hassle if you have a root CA with a lot of intermediate
> > signers?  That means that you have to store/locate all possible intermediate
> > signers to evaluate a couple of end user certificates.
>
> This is why PKCS12 (iirc) provides a mechanism to provide intermediate
> certs with the final cert.  The CA should have a suitable chain for its
> own certs, and it can return the extra certs with everything that it
> signs.

This likely applies to PKCS7 Signed structure.

> This doesn't help you when presented a naked cert by a stranger - you
> still have to locate those intermediate certs - but at that point you
> have more problems than just finding the intermediate certs.  What does
> it mean to have a full cert chain if the root is a self-signed cert by
> "Bob's Bait Shop and Certificate Authority?"

Any parseable certificate presented by a stranger is good enough to
use that public key to send email encrypted to *his* private key.
At least if there's no chance for man-in-the-middle.

Probably you are talking about verification that stranger is authorized
by some big guy to pay..it's completely different issue. Yes, one needs
(root) certificate of that big guy and intermed certs to verify the chain.

> You could decide to ignore any cert that's not from a major CA (which
> would make the stockholders of Verisign very happy), but that misses
> the point.  An individual cert by Verisign really says very little about
> the person, a cert signed by a small college for its students for
> internal use may be rock solid.

One could care about CA certificates related to his business, either
well-known or private ones used to verify access to local resources.

> On a related note, is there documentation on how to set up a "well-
> behaved" certs and PKCS12 bags?  I couldn't find anything the last
> time I checked, but maybe something has come out since then.

Any problem with PKCS12 specifications published by RSA Labs?
What is "well-behaved" ?

-vf




RE: ssl-cert-HOWTO.txt for review

2001-12-03 Thread Vadim Fedukovich

Andrew,

openssl is rather a "mixer" than a "generator" of random data.
No deterministic (ok, stable) program can make something random.
To make a random secret one needs some input unavailable to attacker.
/dev/random is "internal" enough and could be quite a good one.

regards,
Vadim

On Mon, 3 Dec 2001, Andrew Finnell wrote:

>   If openssl can generate random data and spit it out in a file then
> why use a file to begin with? Can't openssl ( tool ) just generate its
> random data internally and use that? I think that's a lot safer than
> spitting it out to a file and prevents less problems with the random data
> getting deleted/viewed.
>
> - Andrew
>
> -
> Andrew T. Finnell
> Software Engineer
> eSecurity Inc
> (321) 394-2485
>
>
> > -Original Message-
> > From: Marcus Redivo [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, December 01, 2001 7:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: ssl-cert-HOWTO.txt for review
> >
> >
> > Hello Fiel,
> >
> > Thanks for the comments.
> >
> > At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
> >
> > >My suggestion is to include info about the RANDFILE
> > >variable. I set RANDFILE=$HOME/.rnd in my environment
> > >and in the configuration file (the default value:
> > $ENV::HOME/.rnd). If
> > >.rnd doesn't exist, I just copy a file to it (usually a
> > binary file or
> > >a random-looking log file).
> >
> > I did not mention the RANDFILE, and in fact left it out of
> > the example configuration, because I was under the impression
> > that if I had /dev/*random I did not need it.
> >
> > If this is not true, could someone please correct me? Thanks.
> >
> > Now, the RANDFILE candidate. Using a binary or a log is
> > nowhere near random enough. Fortunately, openssl has a
> > command to create a better random file:
> >
> > # openssl rand -out $HOME/.rnd 1024
> >
> > (Don't send the output to your console unless you add the
> > -base64 switch, unless you like abstract art... ;) )
> >
> > BTW, I'm on the list now.
> >
> > Marcus Redivo
> >
> > The Binary Tool Foundry
> > PO Box 2087 Stn Main
> > Sidney BC Canada
> > mailto:[EMAIL PROTECTED]
> > http://www.binarytool.com
> >
> >
>




RE: Apache mod-ssl: VirtualHost and certificates

2001-11-30 Thread Vadim Fedukovich

hi,

this will work for unique port numbers only.
There's no chance to run a bunch of standard-SSL virtual hosts
on one single 443 port and I guess it was the question.
One could do that on different IP numbers

regards,
Vadim

On Fri, 30 Nov 2001, Amol Natu wrote:

> Hi Shlomi
>
> You would need to include certificate related directives under the section
> defined for each virtual host within the httpd.conf.
> e.g:
>
> 
> Port 'port_number'
> ServerName server_name
> SSLCertificateFile /location/certificate_file_name
> SSLCertificateKeyFile /location/key_file_name
> SSLCertificateChainFile /location/certchain_file_name
> SSLCipherSuite
> ...
> ..
> 
>
>
> Regards
> Amol
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Shlomi
> Sent: Friday, November 30, 2001 2:00 AM
> To: [EMAIL PROTECTED]
> Subject: Apache mod-ssl: VirtualHost and certificates
>
>
> Hi all,
>
> Does someone know if there is a way to use a certificate for each domain on a
> server which is configured to use VirtualHost (a single IP for all of the
> domains) ?
>
> I am trying to configure Apache (mod-ssl) to use a certificate for each
> VirtualHost but without success.
>
> Each VirtualHost needs a private key and a certificate, but the browser
> receives the main certificate for all of the domains.
> How can I set it to send the relevant certificate for each domain ?
>
>
> Thank you in advance,
>
> Shlomi.
>
>




interface for passing OAEP padding parameter

2001-10-26 Thread Vadim Fedukovich

Dear openssl team,

what is the best way to specify OAEP parameter for RSA operations?
Currently, RSA_eay_public_encrypt() and RSA_eay_private_decrypt()
will always pass NULL to RSA_padding_add_PKCS1_OAEP() and
RSA_padding_check_PKCS1_OAEP() respectively.

thank you,
Vadim



Re: Cross Certification

2001-10-21 Thread Vadim Fedukovich



On Mon, 22 Oct 2001, Ravi Prakash B.V. wrote:

> Dear All,
>
> I do not receive any reply for this.
> Any pointers will be appreciated.

What is the application that could benefit from cross certification?
Alternatively, what is the logic that requires cross certification?

thank you,
Vadim

> Ravi Prakash B.V.
>
>
>
> "Ravi Prakash B.V." wrote:
> >
> > Dear all,
> >
> > I want to establish cross certification between two different independent
> > CAs. How is it possible?
> >
> > Any pointers/links/docs for the above.
> >
> > Thanks in Advance,
> > Ravi Prakash B.V.
> >
>
> --
> I am NOMAD!



