EVP_get_digestbynid() and ENGINE_get_digest()

2014-01-26 Thread cellecial
Hi,

We had a product which generates RSA/MD5 certificates.
Now I'm working on a custom OpenSSL engine.
The goal is to generate X509 certificates with some new signature/digest
algorithms.
With an engine, we do not need to re-code too much.

Now we can generate and sign a certificate, but X509_verify() failed.
The error is:

X509_verify() fail
33436:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:d:\work\newalg\openssl-1.0.1c\crypto\asn1\a_verify.c:174:

a_verify.c:
--
const EVP_MD *type;
  type=EVP_get_digestbynid(mdnid);
  if (type == NULL)
   {
   ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
   goto err;
   }
-



I wrote a small test:

===
ENGINE *e;
const EVP_MD *md1, *md2;

OpenSSL_add_all_algorithms();
ENGINE_load_openssl();
ENGINE_load_newalg();
e = ENGINE_by_id("newalg");
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
{
 printf("can't use that engine\n");
 ENGINE_free(e);
 return;
}

/* look up the digest through the engine itself */
md1 = ENGINE_get_digest(e, NID_MyDigestAlgor);

/* look up the digest by NID through the EVP layer */
md2 = EVP_get_digestbynid(NID_MyDigestAlgor);

===

The result is: md1 is not NULL, and md2 is NULL.

I think X509_verify() is calling EVP_get_digestbynid() to get the digest
algorithm, but if it doesn't find the digest algorithm in the engine algorithm
list, how can I use X509_verify()?

Thank you for your hint.

(Sorry to post a question without subject one minute ago.)


Re: i2d_ASN1_BIT_STRING() and 0x00-terminated string

2013-10-29 Thread cellecial
Thank you. I rewrote the code, but 0x00 is still trimmed off.

int main()
{
 unsigned char *buf = NULL,*temp_buf = NULL;
 int buflen = 128;
 ASN1_BIT_STRING *bs = NULL,*bs2 = NULL;
 int i = 0,j = 0;
 int ret = 0;
 int derlen = 0;
 unsigned char *p = NULL;
 buf = OPENSSL_malloc(150);
 temp_buf = OPENSSL_malloc(150);
 p = temp_buf;
 for (i=0;ilength = %d\n",bs2->length);
  for (i=0;ilength;i++)
  {
  printf("%02X%c",bs2->data[i],(i+1)%20==0?'\n':' ');
  }
 }

}


The result is:

buflen=128
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 42 00
ASN1_BIT_STRING_set() = 1
i2d_ASN1_BIT_STRING() = 131
03 81 80 01 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 42
d2i_ASN1_BIT_STRING()
bs2->length = 127
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 42


On Tue, Oct 29, 2013 at 8:10 PM, Salz, Rich wrote:

> You are comparing the native form to the DER encoding.  You need to d2i
> back and see that the data is preserved.
>
> Not only is "the 0x00 trimmed" but those bytes at the front 03 81 80 01
> are also a clue. :)
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
>
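
The output above can be reproduced without OpenSSL. The following C sketch is an added example, not part of the thread and not OpenSSL's source; der_bit_string() and encode_sample() are hypothetical names. It models the encoding of a BIT STRING whose ASN1_STRING_FLAG_BITS_LEFT flag is not set (trailing zero bytes dropped, unused-bit count taken from the last non-zero byte) beside the flagged case, where every byte is kept.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL source: DER-encode a BIT STRING.
 * bits_left_flag == 0 models the default seen in the thread: trailing 0x00
 * bytes are dropped, unused bits come from the last non-zero byte.
 * bits_left_flag != 0 models ASN1_STRING_FLAG_BITS_LEFT with zero unused
 * bits, so every byte is kept. Handles content below 65536 bytes. */
size_t der_bit_string(const unsigned char *data, size_t len,
                      int bits_left_flag, unsigned char *out)
{
    unsigned unused = 0;
    size_t n = 0, content;
    if (!bits_left_flag) {
        while (len > 0 && data[len - 1] == 0)
            len--;                      /* trailing zero bytes vanish */
        while (len > 0 && ((data[len - 1] >> unused) & 1) == 0)
            unused++;                   /* trailing zero bits of last byte */
    }
    content = len + 1;                  /* +1 for the unused-bits octet */
    out[n++] = 0x03;                    /* BIT STRING tag */
    if (content < 0x80) {               /* short-form length */
        out[n++] = (unsigned char)content;
    } else if (content <= 0xff) {       /* long form, one length byte */
        out[n++] = 0x81;
        out[n++] = (unsigned char)content;
    } else {                            /* long form, two length bytes */
        out[n++] = 0x82;
        out[n++] = (unsigned char)(content >> 8);
        out[n++] = (unsigned char)(content & 0xff);
    }
    out[n++] = (unsigned char)unused;
    memcpy(out + n, data, len);
    return n + len;                     /* total encoded length */
}

/* Constructed sample matching the post: 126 x 0x41, then 0x42, 0x00. */
size_t encode_sample(int bits_left_flag, unsigned char *out)
{
    unsigned char buf[128];
    memset(buf, 0x41, sizeof buf);
    buf[126] = 0x42; buf[127] = 0x00;
    return der_bit_string(buf, sizeof buf, bits_left_flag, out);
}

int main(void)
{
    unsigned char der[140];
    size_t n = encode_sample(0, der);
    printf("default: %zu bytes, unused bits %d\n", n, der[3]);
    n = encode_sample(1, der);
    printf("flagged: %zu bytes, unused bits %d\n", n, der[3]);
}
```

In the default case the 128-byte buffer from the post yields the same 03 81 80 01 header and 131-byte length shown in the thread. Any value whose last byte is 0x00, a signature for instance, is shortened the same way unless the flag is set.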


i2d_ASN1_BIT_STRING() and 0x00-terminated string

2013-10-29 Thread cellecial
Hi,

I have a problem with i2d_ASN1_BIT_STRING().
If I set data with a 0x00-terminated string, i2d_ASN1_BIT_STRING() will
trim off the 0x00.

Here is some sample code:
--
#include 
#include "openssl/asn1.h"

int main()
{
unsigned char *buf = NULL,*temp_buf = NULL;
int buflen = 128;
ASN1_BIT_STRING *bs = NULL;
int i = 0,j = 0;
int ret = 0;
unsigned char *p = NULL;

buf = OPENSSL_malloc(150);
temp_buf = OPENSSL_malloc(150);
p = temp_buf;

for (i=0;i

Re: EVP_get_digestbynid() return NULL

2013-03-13 Thread cellecial
But I tried md = EVP_get_digestbynid(NID_md5), still NULL.


On Thu, Mar 14, 2013 at 11:54 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

> On Thu, Mar 14, 2013 at 11:34:12AM +0800, cellecial wrote:
>
> > I'm frustrated that I can't get correct result from such a simple API(on
> > openssl 1.0.1c),just like below.
> >
> >  md = EVP_get_digestbynid(NID_ecdsa_with_SHA256);  //NID_md5
>
> This is because ECDSA-WITH-SHA256 is a signature algorithm, and not
> a digest algorithm like MD5, SHA1, ...
>
> > Or it's just a misuse. Am I missing something?
>
> Yes: EVP_SignInit != EVP_DigestInit.  Consult both manpages.
>
> --
> Viktor.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: How to separate ECC Public Key from keypairs and convert it to EVP_PKEY?

2013-01-31 Thread cellecial
On Wed, Jan 30, 2013 at 9:51 PM, Dr. Stephen Henson wrote:

>
> If you want it to just use the curve name instead you have to call:
>
> EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
>
> Steve.
> --
>
>
It's efficacious.
After I call EC_KEY_set_asn1_flag() before EC_KEY_generate_key(), the
self-signed certificate (ca.der) is generated successfully without prompting
"signature corrupt".
Thank you, Dr. Henson and Ryan.

But I still have another question, though it is not critical.
I use Windows 8 and IE10 now.
When I double-click ca.der and install it, if I choose 'Automatically select
the certificate store based on the type of certificate', then the
self-signed certificate will be in 'Intermediate Certification
Authorities', not 'Trusted Root Certification Authorities'.
If I choose 'Place all certificates in the following store' and select
'Trusted Root Certification Authorities', I can find the certificate in
'Trusted Root Certification Authorities' as I wish.
The automatic import activity on Win8 is a little different from that on
WinXP.
Maybe it's a new OS security policy, I don't know.

Thank you again.


Re: PKCS12_parse() in multi-threads, "heap is corrupt"

2011-12-11 Thread cellecial
Thank you, and sorry for my last two posts without reading the FAQ carefully
first.
Now I have read the FAQ and the example of the call functions. It seems I need more
time to understand it and do some examples by myself.
Anyway, I should complete my work ASAP, so I added thread_setup(),
thread_cleanup() and win32_locking_callback() to my code. It still fails in
multi-thread mode.

I think maybe my OpenSSL wasn't configured with thread support,
but the Configure instructions say:

# [no-]threads  [don't] try to create a library that is suitable for
#               multithreaded applications (default is "threads" if we
#               know how to do it)

I guess that means OpenSSL on Windows supports threads by default.

And I found this snippet in opensslconf.h:

#ifndef OPENSSL_THREADS
# define OPENSSL_THREADS
#endif

It seems to switch on the thread support.

Is there anything I can do to make it work?

On Sun, Dec 11, 2011 at 8:51 PM, Dr. Stephen Henson wrote:

> On Sun, Dec 11, 2011, cellecial wrote:
>
> > Thank you.  I add "OpenSSL_add_all_algorithms();" in main function and
> > include "openssl/evp.h",but it still pops error dialogue after a while.
> > Some threads can end well, others are not so lucky.
> >
> >
>
> Have you set the locking callbacks? You need to set those to make OpenSSL
> thread safe. See the FAQ and documentation for more details.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Re: PKCS12_parse() in multi-threads, "heap is corrupt"

2011-12-11 Thread cellecial
Thank you. I added "OpenSSL_add_all_algorithms();" in the main function and
included "openssl/evp.h", but it still pops up an error dialogue after a while.
Some threads can end well, others are not so lucky.



On Sun, Dec 11, 2011 at 8:14 PM, Dr. Stephen Henson wrote:

> On Sun, Dec 11, 2011, cellecial wrote:
>
> > Hi,
> >
> > I wrote a simple pkcs12 demo(under Windows), it just read from a PKCS12
> > file and got private key and certificate.
> > If I use single thread, it works fine.
> > If I use multi-thread, it works fine for a while ,then popups an error
> > dialogue "heap is corrupt".If I debug it in Visual Studio,it points to
> > PKCS12_parse() .
> > If I use EnterCriticalSection and LeaveCriticalSection with
> > multi-thread, it works fine too, but as you know, the effect is as same as
> > single thread does.
> >
> > So I want to know , what shared resource is protected by
> > CriticalSection? Is PKCS12_parse() not thread-safe? Can it  be executed in
> > multi-threads without mutex?
> >
> > int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd)
> > {
> >  PKCS12   *p12;
> >  X509 *cert;
> >  EVP_PKEY *prvkey;
> >  int  len;
> >  char buf[4096];
> >  int  i=0;
> >  char desc[1000];
> >
> >  OpenSSL_add_all_algorithms();
> >
>
> At least one problem is the above line. You should call
> OpenSSL_add_all_algorithm() *once* before starting threads.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


PKCS12_parse() in multi-threads, "heap is corrupt"

2011-12-11 Thread cellecial
Hi,

I wrote a simple pkcs12 demo (under Windows); it just reads from a PKCS12
file and gets the private key and certificate.
If I use a single thread, it works fine.
If I use multiple threads, it works fine for a while, then pops up an error
dialogue "heap is corrupt". If I debug it in Visual Studio, it points to
PKCS12_parse().
If I use EnterCriticalSection and LeaveCriticalSection with
multiple threads, it works fine too, but as you know, the effect is the same as
a single thread.

So I want to know: what shared resource is protected by the
CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed in
multiple threads without a mutex?

Thank you in advance.

Here is the source code.
===
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#include 

char p12file[256]="C:/test/ABCD.p12";
char p12pswd[10]="123456";
unsigned char *p12buf = NULL;
int p12buflen = 0;
#define N 30  //  amount of threads
#define M 20  //  amount of executions per thread

/* read the content from a  PKCS12 file */
int Load_File(char * filename, unsigned char *pbuf, int * plen)
{
 int   fd = -1;
 struct stat  stat_buf;
 int   len=0,count=0,size=0;

 if ((fd = open(filename, O_RDONLY|O_BINARY, S_IREAD)) < 0)
 {
  return 1;
 }

 if (stat(filename, &stat_buf) != 0)
 {
  close(fd);
  return 1;
 }
 len = stat_buf.st_size;

 if (pbuf == NULL)
 {
  *plen = len;
 }
 else
 {
  count=0;
  while (count < len)
  {
   size = read(fd, pbuf + count, len - count);
   if (size <= 0)
   {
    close(fd);
    if (pbuf != NULL)
     free(pbuf);
    return 1;
   }
   count += size;
  }
  *plen = len;
 }
 close(fd);


 return 0;
}


int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd)
{
 PKCS12   *p12;
 X509 *cert;
 EVP_PKEY *prvkey;
 int  len;
 char buf[4096];
 int  i=0;
 char desc[1000];

 OpenSSL_add_all_algorithms();

 if ((p12buf==NULL)||(p12buflen<=0))
 {
  printf("parameter error\n");
  return -1;
 }


 p12 = d2i_PKCS12(NULL,(const unsigned char **)&p12buf,p12buflen);
 if(p12 == NULL)
 {

  printf("d2i_PKCS12 error\n");
  return -1;
 }

 if(PKCS12_parse(p12,p12pswd,&prvkey,&cert,NULL)!=1)
 {
  if (p12!=NULL)
  {
   PKCS12_free(p12);
   p12=NULL;
  }
  printf("PKCS12_parse error\n");
  return -1;
 }

 PKCS12_free(p12);
 p12=NULL;

 return 0;
}

typedef struct _param{
 int threadidx;
 int type;
} THREADPARAM;

DWORD WINAPI ThreadProc( LPVOID param )
{
 THREADPARAM *pa;
 int i = 0;
 int ret = 0;

 pa = (THREADPARAM *)param;
 printf("[%d]thread BEGIN\n",pa->threadidx);

 for (i=0;ithreadidx,i);
  }
  else
  {
   printf("pkcs12test error[%d_%d]\n",pa->threadidx,i);
  }

 }

 printf("[%d]thread END\n",pa->threadidx);
 _sleep(10*1000);

 return 0;
}

void main()
{
 DWORD dwThreadId[N];
 HANDLE hThread[N];
 THREADPARAM *param[N];
 int ret = 0;
 int i=0,j=0;


 ret = Load_File(p12file, NULL, &p12buflen);
 if (ret != 0)
 {
  return ;
 }

 p12buf = (unsigned char *)malloc(p12buflen+1);
 if (p12buf == NULL)
 {
  printf("malloc(%d) fail\n",p12buflen);
  return ;
 }

 ret = Load_File(p12file, p12buf, &p12buflen);
 if (ret != 0)
 {
  return ;
 }

 for( i=0; ithreadidx = i;
  param[i]->type = 1;

  hThread[i] = CreateThread(
   NULL,
   0,
   ThreadProc,
   param[i],
   0,
   &dwThreadId[i]);

  if (hThread[i] == NULL)
  {
   ExitProcess(i);
  }
 }

 printf("before wait...");
 WaitForMultipleObjects(N, hThread, TRUE, INFINITE);
 printf("...end wait\n");

 _sleep(5*60*1000);

 for(i=0; i

using openssl and sunjce, encrypt same text,get different result

2005-06-09 Thread cellecial
Hi,
I need to encrypt data using C+openssl, then decrypt data using JAVA+SUNJCE.
When I encrypt the same plaintext using openssl and sunjce,
I found the two ciphertexts are different.
I tried two algorithms: EVP_des_ede() / "DES", EVP_rc4() / "RC4",
but the results are all depressing.

I googled a post in which someone said, "you can use open ssl to encrypt the
data and decrypt the same using java (any JCE implementations). Provided you
have to use same algorithm with correct padding and initialisation vectors."
I think this is my problem. Maybe I don't know the correct padding or iv.
So, can anyone help me to solve this problem?
Thank you very much.

Here is my main code.

/* C+openssl encrypt key is parameter[strref] ,such as strref="123456"; */
int M_encrypt(unsigned char *in,int inl,unsigned char *out,int *outl,
unsigned char *strref,int strrefl)

{
EVP_CIPHER_CTX ctx;
unsigned char ekey[EVP_MAX_KEY_LENGTH];
unsigned char eiv[EVP_MAX_IV_LENGTH];
int tlen,flen;

EVP_BytesToKey(EVP_des_ede(),EVP_md5(),NULL,strref,strrefl,1,ekey,eiv);


EVP_EncryptInit(&ctx,cipher,ekey,eiv);
EVP_EncryptUpdate(&ctx,out,&tlen,in,inl);
flen=tlen;
EVP_EncryptFinal(&ctx,out+flen,&tlen);
flen+=tlen;
*outl=flen;

return 0;
}

/* JAVA+sun jce, encrypt key is parameter[key],byte[] key=new 
String("123456").getBytes(); */
public static byte[] encrypto(byte[] input,byte[] key) throws Exception{
SecretKey deskey = new javax.crypto.spec.SecretKeySpec(key,"DES");

Cipher c1 = Cipher.getInstance("DES");
c1.init(Cipher.ENCRYPT_MODE,deskey);
byte[] cipherByte=c1.doFinal(input);

return cipherByte;
}





verify problem

2000-03-19 Thread cellecial

Hi,

What I do is to generate a certificate and verify it,
below is some source code:
--
/** generate a certificate: X509 *cert **/
.

 /** sign cert using CACert's private key **/
if (X509_sign(cert, ca_priv_key, digest) == 0)
 {
 goto RER;
 }
printf("successful sign\n");

/** read CACert to X509 *CA_Cert **/ 
if (load_ca_cert(CA_Cert_File_Name, &CA_Cert) != PKI_OK)
 {
 goto RER;
 }
 
/**  verify cert **/ 
store = X509_STORE_new ();

X509_STORE_set_default_paths (store);

X509_STORE_add_cert(store,CA_Cert);

X509_STORE_CTX_init(&store_ctx, store, cert, NULL);


if (X509_verify_cert(&store_ctx) <= 0)
{
i = X509_STORE_CTX_get_error (&store_ctx);
pki_log(FAIL, __FILE__, __LINE__, NULL, \
" X509_verify_cert failed ,error-code=%d",i);
goto RER;
}
printf("VERIFY SUCCESSED!");
--
The result is: sign succeeded and verify failed.
The error code is 7: X509_V_ERR_CERT_SIGNATURE_FAILURE

Why do I get this error? Any hint will be appreciated.