[no subject]
Hi, We had a product which generate RSA/MD5 certificate. Now I'm working on a custom openssl engine. The goal is to generate X509 certificate with some new signature/digest algorithms. With engine, we do not need to re-code too much. Now we can generate and sign certificate, but X509_verify() failed. The error is : X509_verify() fail 33436:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:d:\work\newalg\openssl-1.0.1c\crypto\asn1\a_verify.c:174: a_verify.c: -- const EVP_MD *type; type=EVP_get_digestbynid(mdnid); if (type == NULL) { ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); goto err; } - I wrote a small test : === EVP_MD *md1,*md2; OpenSSL_add_all_algorithms(); ENGINE_load_openssl(); ENGINE_load_newalg(); e = ENGINE_by_id("newalg"); if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { printf("can't use that engine\n"); ENGINE_free(e); return ; } md1 = ENGINE_get_digest(e, NID_MyDigestAlgor); md2 = EVP_get_digestbynid(NID_MyDigestAlgor); === The result is : md1 is not NULL , and md2 is NULL. I think X509_verify() is calling EVP_get_digestbynid() to get digest algorithm, but if it doesn't find digest algorithm in engine algorithm list, how can I use X509_verify() ? Thank you for your hint.
EVP_get_digestbynid() and ENGINE_get_digest()
Hi, We had a product which generate RSA/MD5 certificate. Now I'm working on a custom openssl engine. The goal is to generate X509 certificate with some new signature/digest algorithms. With engine, we do not need to re-code too much. Now we can generate and sign certificate, but X509_verify() failed. The error is : X509_verify() fail 33436:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:d:\work\newalg\openssl-1.0.1c\crypto\asn1\a_verify.c:174: a_verify.c: -- const EVP_MD *type; type=EVP_get_digestbynid(mdnid); if (type == NULL) { ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); goto err; } - I wrote a small test : === EVP_MD *md1,*md2; OpenSSL_add_all_algorithms(); ENGINE_load_openssl(); ENGINE_load_newalg(); e = ENGINE_by_id("newalg"); if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { printf("can't use that engine\n"); ENGINE_free(e); return ; } md1 = ENGINE_get_digest(e, NID_MyDigestAlgor); md2 = EVP_get_digestbynid(NID_MyDigestAlgor); === The result is : md1 is not NULL , and md2 is NULL. I think X509_verify() is calling EVP_get_digestbynid() to get digest algorithm, but if it doesn't find digest algorithm in engine algorithm list, how can I use X509_verify() ? Thank you for your hint. (Sorry to post a question without subject one minute ago.)
Re: i2d_ASN1_BIT_STRING() and 0x00-terminated string
Thank you, I rewrite the code ,but 0x00 is still trimmed off. int main() { unsigned char *buf = NULL,*temp_buf = NULL; int buflen = 128; ASN1_BIT_STRING *bs = NULL,*bs2 = NULL; int i = 0,j = 0; int ret = 0; int derlen = 0; unsigned char *p = NULL; buf = OPENSSL_malloc(150); temp_buf = OPENSSL_malloc(150); p = temp_buf; for (i=0;ilength = %d\n",bs2->length); for (i=0;ilength;i++) { printf("%02X%c",bs2->data[i],(i+1)%20==0?'\n':' '); } } } The result is: buflen=128 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 00 ASN1_BIT_STRING_set() = 1 i2d_ASN1_BIT_STRING() = 131 03 81 80 01 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 d2i_ASN1_BIT_STRING() bs2->length = 127 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 On Tue, Oct 29, 2013 at 8:10 PM, Salz, Rich wrote: > You are comparing the native form to the DER encoding. You need to d2i > back and see that the data is preserved. > > Not only is “the 0x00 trimmed” but those bytes at the front 03 81 80 01 > are also a clue. J > > /r$ > > ** ** > > -- > > Principal Security Engineer > > Akamai Technology > > Cambridge, MA > > ** ** >
i2d_ASN1_BIT_STRING() and 0x00-terminated string
Hi, I have a problem with i2d_ASN1_BIT_STRING(). If I set data with a 0x00-terminated string , i2d_ASN1_BIT_STRING() will trim off 0x00. Here is a sample code: -- #include #include "openssl/asn1.h" int main() { unsigned char *buf = NULL,*temp_buf = NULL; int buflen = 128; ASN1_BIT_STRING *bs = NULL; int i = 0,j = 0; int ret = 0; unsigned char *p = NULL; buf = OPENSSL_malloc(150); temp_buf = OPENSSL_malloc(150); p = temp_buf; for (i=0;i
Re: EVP_get_digestbynid() return NULL
but I tried md = EVP_get_digestbynid(NID_md5), still NULL On Thu, Mar 14, 2013 at 11:54 AM, Viktor Dukhovni < openssl-us...@dukhovni.org> wrote: > On Thu, Mar 14, 2013 at 11:34:12AM +0800, cellecial wrote: > > > I'm frustrated that I can't get correct result from such a simple API(on > > openssl 1.0.1c),just like below. > > > > md = EVP_get_digestbynid(NID_ecdsa_with_SHA256); //NID_md5 > > This is because ECDSA-WITH-SHA256 is a signature algorithm, and not > a digest algorithm like MD5, SHA1, ... > > > Or it's just a misuse. Am I missing something? > > Yes: EVP_SignInit != EVP_DigestInit. Consult both manpages. > > -- > Viktor. > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: How to separate ECC Public Key from keypairs and convert it to EVP_PKEY?
On Wed, Jan 30, 2013 at 9:51 PM, Dr. Stephen Henson wrote: > > If you want it to just use the curve name instead you have to call: > > EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); > > Steve. > -- > > It's efficacious. After I call EC_KEY_set_asn1_flag() before EC_KEY_generate_key(), the self-signed certificate(ca.der) is generated successfully without prompting "signature corrupt". Thank you, Dr. Henson and Ryan. But I still have another question though it is not critical. I use Windows 8 and IE10 now. When I double click ca.der and install, if I choose 'Automatically select the certificate store based on the type of certificate',then the self-signed certificate will be in the 'Intermediate Certification Authorities',not 'Trusted Root Certification Authorities'. If I choose 'Place all certificates in the following store' and select 'Trusted Root Certification Authorities', I can find the certificate in 'Trusted Root Certification Authorities' as I wish. The automatic import activity on Win8 is a little different from it on WinXP. Maybe it's a new OS security policy, I don't know. Thank you again.
Re: PKCS12_parse() in multi-threads, "heap is corrupt"
Thank you and sorry for my last two posts without reading FAQ carefully first. Now I read FAQ and the example of the call functions. It seems I need more time to understand it and do some examples by myself. Anywise I should complete my work asap, so I add thread_setup() and thread_cleanup() and win32_locking_callback() to my code,It still fails in multi-thread mode. I think may be my openssl wasn't configured with thread support , but Configure instruction said, *# [no-]threads [don't] try to create a library that is suitable for # multithreaded applications (default is "threads" if we # know how to do it)* I guess that means openssl on windows is supporting thread defaultly. And I found snippet in opensslconf.h *#ifndef OPENSSL_THREADS # define OPENSSL_THREADS #endif *It seems like switching on the thread support. Is there anything I can do to make it work? On Sun, Dec 11, 2011 at 8:51 PM, Dr. Stephen Henson wrote: > On Sun, Dec 11, 2011, cellecial wrote: > > > Thank you. I add "OpenSSL_add_all_algorithms();" in main function and > > include "openssl/evp.h",but it still pops error dialogue after a while. > > Some threads can end well, others are not so lucky. > > > > > > Have you set the locking callbacks? You need to set those to make OpenSSL > thread safe. See the FAQ and documentation for more details. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: PKCS12_parse() in multi-threads, "heap is corrupt"
Thank you. I add "OpenSSL_add_all_algorithms();" in main function and include "openssl/evp.h",but it still pops error dialogue after a while. Some threads can end well, others are not so lucky. On Sun, Dec 11, 2011 at 8:14 PM, Dr. Stephen Henson wrote: > On Sun, Dec 11, 2011, cellecial wrote: > > > Hi, > > > > I wrote a simple pkcs12 demo(under Windows), it just read from a > PKCS12 > > file and got private key and certificate. > > If I use single thread, it works fine. > > If I use multi-thread, it works fine for a while ,then popups an > error > > dialogue "heap is corrupt".If I debug it in Visual Studio,it points to > > PKCS12_parse() . > > If I use EnterCriticalSection and LeaveCriticalSection with > > multi-thread, it works fine too, but as you know, the effect is as same > as > > single thread does. > > > >So I want to know , what shared resource is protected by > > CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed > in > > multi-threads without mutex? > > > > int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char > *p12pswd) > > { > > PKCS12 *p12; > > X509 *cert; > > EVP_PKEY *prvkey; > > int len; > > char buf[4096]; > > int i=0; > > char desc[1000]; > > > > OpenSSL_add_all_algorithms(); > > > > At least one problem is the above line. You should call > OpenSSL_add_all_algorithm() *once* before starting threads. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
PKCS12_parse() in multi-threads, "heap is corrupt"
Hi, I wrote a simple pkcs12 demo(under Windows), it just read from a PKCS12 file and got private key and certificate. If I use single thread, it works fine. If I use multi-thread, it works fine for a while ,then popups an error dialogue "heap is corrupt".If I debug it in Visual Studio,it points to PKCS12_parse() . If I use EnterCriticalSection and LeaveCriticalSection with multi-thread, it works fine too, but as you know, the effect is as same as single thread does. So I want to know , what shared resource is protected by CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed in multi-threads without mutex? Thank you in advance. Here is the source code. === #include #include #include #include #include #include #include #include char p12file[256]="C:/test/ABCD.p12"; char p12pswd[10]="123456"; unsigned char *p12buf = NULL; int p12buflen = 0; #define N 30 // amount of threads #define M 20 // amount of executions per thread /* read the content from a PKCS12 file */ int Load_File(char * filename, unsigned char *pbuf, int * plen) { int fd = -1; struct stat stat_buf; int len=0,count=0,size=0; if ((fd = open(filename, O_RDONLY|O_BINARY, S_IREAD)) < 0) { return 1; } if (stat(filename, &stat_buf) != 0) { close(fd); return 1; } len = stat_buf.st_size; if (pbuf == NULL) { *plen = len; } else { count=0; while (count < len) { size = read(fd, pbuf + count, len - count); if (size <= 0) { close(fd); if (pbuf != NULL) free(pbuf); return 1; } count += size; } *plen = len; } close(fd); return 0; } int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd) { PKCS12 *p12; X509 *cert; EVP_PKEY *prvkey; int len; char buf[4096]; int i=0; char desc[1000]; OpenSSL_add_all_algorithms(); if ((p12buf==NULL)||(p12buflen<=0)) { printf("parameter error\n"); return -1; } p12 = d2i_PKCS12(NULL,(const unsigned char **)&p12buf,p12buflen); if(p12 == NULL) { printf("d2i_PKCS12 error\n"); return -1; } if(PKCS12_parse(p12,p12pswd,&prvkey,&cert,NULL)!=1) { if (p12!=NULL) { PKCS12_free(p12); p12=NULL; } printf("PKCS12_parse error\n"); return -1; } PKCS12_free(p12); p12=NULL; return 0; } typedef struct _param{ int threadidx; int type; } THREADPARAM; DWORD WINAPI ThreadProc( LPVOID param ) { THREADPARAM *pa; int i = 0; int ret = 0; pa = (THREADPARAM *)param; printf("[%d]thread BEGIN\n",pa->threadidx); for (i=0;ithreadidx,i); } else { printf("pkcs12test error[%d_%d]\n",pa->threadidx,i); } } printf("[%d]thread END\n",pa->threadidx); _sleep(10*1000); return 0; } void main() { DWORD dwThreadId[N]; HANDLE hThread[N]; THREADPARAM *param[N]; int ret = 0; int i=0,j=0; ret = Load_File(p12file, NULL, &p12buflen); if (ret != 0) { return ; } p12buf = (unsigned char *)malloc(p12buflen+1); if (p12buf == NULL) { printf("malloc(%d) fail\n",p12buflen); return ; } ret = Load_File(p12file, p12buf, &p12buflen); if (ret != 0) { return ; } for( i=0; ithreadidx = i; param[i]->type = 1; hThread[i] = CreateThread( NULL, 0, ThreadProc, param[i], 0, &dwThreadId[i]); if (hThread[i] == NULL) { ExitProcess(i); } } printf("before wait..."); WaitForMultipleObjects(N, hThread, TRUE, INFINITE); printf("...end wait\n"); _sleep(5*60*1000); for(i=0; i
using openssl and sunjce, encrypt same text,get different result
Hi, I need to encrypt data using C+openssl,then decrypt data using JAVA+SUNJCE. When I encrypt the same plaintext using openssl and sunjce, I found the two ciphertexts are different. I tried two algorithms:EVP_des_ede() / "DES" ,EVP_rc4() / "RC4", but the results are all depressing. I googled a post in which someone said,"you can use open ssl to encrypt the data and decrypt the same using java (any JCE implementaions) .Provided you have to use same algorthim with correct pading and initialisation vectors ." I think this is my problem.Maybe I don't know the correct padding or iv. So,can anyone help me to solve this problem? Thank you very much. Here is my main code. /* C+openssl encrypt key is parameter[strref] ,such as strref="123456"; */ int M_encrypt(unsigned char *in,int inl,unsigned char *out,int *outl, unsigned char *strref,int strrefl) { EVP_CIPHER_CTX ctx; unsigned char ekey[EVP_MAX_KEY_LENGTH]; unsigned char eiv[EVP_MAX_IV_LENGTH]; int tlen,flen; EVP_BytesToKey(EVP_des_ede(),EVP_md5(),NULL,strref,strrefl,1,ekey,eiv); EVP_EncryptInit(&ctx,cipher,ekey,eiv); EVP_EncryptUpdate(&ctx,out,&tlen,in,inl); flen=tlen; EVP_EncryptFinal(&ctx,out+flen,&tlen); flen+=tlen; *outl=flen; return 0; } /* JAVA+sun jce, encrypt key is parameter[key],byte[] key=new String("123456").getBytes(); */ public static byte[] encrypto(byte[] input,byte[] key) throws Exception{ SecretKey deskey = new javax.crypto.spec.SecretKeySpec(key,"DES"); Cipher c1 = Cipher.getInstance("DES"); c1.init(Cipher.ENCRYPT_MODE,deskey); byte[] cipherByte=c1.doFinal(input); return cipherByte; } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
verify problem
Hi, What I do is to generate a certificate and verify it, below is some source code: **--** /** generate a certificate: X509 *cert **/ . /** sign cert using CACert's private key **/ if (X509_sign(cert, ca_priv_key, digest) == 0) { goto RER; } printf("successful sign\n"); /** read CACert to X509 *CA_Cert **/ if (load_ca_cert(CA_Cert_File_Name, &CA_Cert) != PKI_OK) { goto RER; } /** verify cert **/ store = X509_STORE_new (); X509_STORE_set_default_paths (store); X509_STORE_add_cert(store,CA_Cert); X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx); pki_log(FAIL, __FILE__, __LINE__, NULL, \ " X509_verify_cert failed ,error-code=%d",i); goto RER; } printf("VERIFY SUCCESSED!"); **** The result is sign succeeded and verify failed. The error code is 7: X509_V_ERR_CERT_SIGNATURE_FAILURE Why I get this error? Any hint will be appreciated. -- »¶ÓʹÓà 21CN µç×ÓÓʼþϵͳhttp://www.21cn.com Thank you for using 21CN Email system __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]