Plan for OCSP verifier to LDAP?
Is there any plan to support OCSP verification over LDAP (or LDAP/s)? OT: BTW, could anyone recommend an LDAP client library (C or C++) that works on Windows? Preferably open source. thanks coco
__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: difference between authenticode certificate and normal certificate?
Wow, Steve, I must say, you are a god-send! I was still digging in the registry and the msdn site last night for a clue... Had I input the right keyword (TimeStampURL) in google, that would've solved my problem. But I was looking at the wrong place (msdn, which is a pretty useless site), also couldn't find anything on how to set this option in openssl (dug thru the openssl code without result...) Dumb me! Next time, if I have to work with Windows again, I'll trust any site more than msdn!

From: Dr. Stephen Henson [EMAIL PROTECTED]

Anyway, I just found that CA called Ascertia which seems to offer free certificate. I'll see if I can get a free cert for code signing, and see what's in there.

For those who may be tempted to try, their enrollment just sucks, it simply doesn't work, even if you use the second option and paste your PEM-format CSR into the input box.

Have you tried this: http://www.thawte.com/support/code/office.html#timestamp Apparently, verisign also has a section on this.

Again, thanks a lot. coco
Re: difference between authenticode certificate and normal certificate?
Thanks for replying.

From: Dr. Stephen Henson [EMAIL PROTECTED]

> I looked at this some time ago so this may not be up to date... There wasn't anything special about an authenticode certificate provided you didn't set the extensions to specifically exclude the usages. So a vanilla CA and EE certificate are sufficient. The root CA also has to be added and trusted for code signing in the Windows certificate stores. The certificates you get from CAs not intended for authenticode generally aren't usable, normally because the root CA isn't trusted for code signing and occasionally because the extended key usage doesn't allow it either. Netscape object signing used to also require that the netscape certificate signing extension and its object signing bit set. If this extension was not present then it couldn't be used. I'm not sure if that's still the case since netscape certificate type is largely obsolete.

Ok, sounds simple enough, so I create a root CA with openssl, then sign a certificate for a fictitious user, and use that to sign an Office VBA (just some dummy stuff, doing nothing). After loading up my VBA, I see it has no timestamp, and according to the msdn site, the signature is timestamped by connecting to the CA (which issued the certificate) and get the timestamp signed by that CA. And this is done in the background, during code signing. I dug around, there's no other way to do it.

Ok, it's getting interesting. Let's say if I set up a TSA server (using opentsa or something), but my certificates are created using openssl. How do I add that information into the certificate I signed, so that during code signing, Windows knows how to connect to my tsa server to get a timestamp? So what is the extension that I need to put in, what information and how?

That's what I was asking, what's the difference between the code signing cert and a plain vanilla cert?

Thanks for any hint. coco
Re: difference between authenticode certificate and normal certificate?
> Just found a link which may help: http://www.thawte.com/support/code/msauth.html#timestamp

Thanks a lot. Sorry to sound like a dumbass, but how do I put that information into the certificate when I signed it? :) I mean, how do I specify the URL of the tsa, which extension to use? If someone could give an ASN.1 def of a MS authenticode cert, that would help too. rgds coco
Re: difference between authenticode certificate and normal certificate?
> Hmmm, I don't have access to the relevant tools for that. Do you have a sample signed macro or certificate that includes this information?

hehe, I don't, that's why I can't figure out what to put in there. I tried different extensions, looked up all the stuff I can use in x509v3, to no avail. None of those works. If I have one, I can just parse it to see what's in it. The macros I found on the web have the same issue, no timestamp.

Anyway, I just found that CA called Ascertia which seems to offer free certificate. I'll see if I can get a free cert for code signing, and see what's in there. rgds coco
difference between authenticode certificate and normal certificate?
Hi, Sorry if this is a bit OT, can someone explain what is the difference between an MS Authenticode certificate, a normal certificate, and a certificate for signing Netscape object? What are the bits and bytes that are different? I can't find info detailed enough to give a satisfactory answer, and I don't feel like spending money to get an authenticode cert and a netscape cert just to find that out :) What's so different between authenticode certificate and netscape certificate that you can't use the same key and certificate to sign both your windows-based software and your java stuff? Thanks for any information coco
RE: problem verifying signature from java
> Did you get any breakthrough?

Sorry, didn't read this list for a while. Actually, the code I put up in my question was correct. The problem was with a Base64 lib that I linked with in C++. The implementation of the library has a small bug, which does not handle the '+' char properly. That's why it didn't verify correctly. With the base64 bug fixed, the code has no problem. coco
Re: problem verifying signature from java
> To rule out any problems with your OpenSSL code I'd suggest you check the signatures using the dgst command and if there are problems analyze them using rsautl.

Thanks for the reply. I got it, by examining basically every function that touches my data. So, in the end, it was the base64 library that I linked with, it has a small bug in dealing with the '+' char in base64-encoded string. rgds
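The failure reported in the message above (a base64 library that mishandles '+', so the signature bytes are already corrupted before they reach the verify call) can be caught with a round-trip self-test of the decoder. This is an added example, not code from the thread; `b64_decode_flawed` is a hypothetical stand-in, since the post does not say what the library actually did with '+'.

```c
#include <stddef.h>
#include <string.h>

static const char B64[] =  /* RFC 4648: value 62 is '+', value 63 is '/' */
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes into out (NUL-terminated); returns the text length. */
size_t b64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* 6-bit value of one character, or -1 if it is outside the alphabet. */
static int b64_value(int c)
{
    const char *p = (c != '\0') ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Strict decoder: decoded length, or -1 on any malformed input. */
long b64_decode(const char *in, unsigned char *out)
{
    size_t len = strlen(in), i;
    long o = 0;
    if (len % 4 != 0) return -1;
    for (i = 0; i < len; i += 4) {
        unsigned long v = 0;
        int pad = 0, j;
        for (j = 0; j < 4; j++) {
            int c = in[i + j], d = 0;
            if (c == '=') {              /* only as the last 1-2 characters */
                if (i + 4 != len || j < 2) return -1;
                pad++;
            } else if (pad || (d = b64_value(c)) < 0) {
                return -1;               /* fail loudly, never skip */
            }
            v = (v << 6) | (unsigned long)d;
        }
        out[o++] = (unsigned char)(v >> 16);
        if (pad < 2) out[o++] = (unsigned char)(v >> 8);
        if (pad < 1) out[o++] = (unsigned char)v;
    }
    return o;
}

/* HYPOTHETICAL flawed decoder (not the library from the thread): lenient,
 * skips characters it does not recognise, and does not recognise '+'. */
long b64_decode_flawed(const char *in, unsigned char *out)
{
    unsigned long acc = 0;
    long o = 0, bits = 0;
    for (; *in && *in != '='; in++) {
        int d = (*in == '+') ? -1 : b64_value(*in);
        if (d < 0) continue;             /* silent data loss */
        acc = (acc << 6) | (unsigned long)d;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (unsigned char)(acc >> bits); }
    }
    return o;
}

typedef long (*decode_fn)(const char *, unsigned char *);
/* Self-test for any decoder: bytes 0..255 encode to text that uses both
 * '+' and '/'. Returns 1 on an exact round trip, 0 otherwise. */
int decoder_roundtrips(decode_fn decode)
{
    unsigned char raw[256], back[260];
    char text[4 * ((256 + 2) / 3) + 1];
    int i;
    for (i = 0; i < 256; i++) raw[i] = (unsigned char)i;
    b64_encode(raw, sizeof raw, text);
    return decode(text, back) == 256 && memcmp(raw, back, 256) == 0;
}
```

A decoder that fails this check will also fail on any signature whose encoding happens to contain '+', which is why the symptom looks intermittent and points at the crypto code first.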
RE: Need objective arguments against double certificate
>> Thanks all for replying. More heated debates I guess.

> How can there be a heated debate when there is not yet one argument advanced in favor of the double certificate scheme?

I got what you meant, sorry for not being clear. I meant there will be more heated debate between us (the tech people) and the consultant, I didn't mean heated debate on this list.
Re: Need objective arguments against double certificate
> Like everyone else, I say this consultant doesn't know what he's talking about (I'm tempted to ask you to tell me who it is, so I can avoid him/her). Can I suggest a different line of attack, though? It's obvious that confronting the consultant by calling bull doesn't win you any points, so how about simply asking the consultant how, exactly, the double certificate scheme increases security. And do not let yourself be satisfied with a half ass answer.

Hmm, I wouldn't name names, I'm just a little guy in all this. And if I can, I would have used my real name on this list already. I'm not the one presenting the arguments, I'm preparing those behind the scene for our group leader. I'm working on a spreadsheet calculator on how the costs add up for supporting non-standard scheme. This includes:

- cost for extra development (code change to support double-cert, debugging, extra bugs filed related to this scheme, ...)
- cost for extra testing
- cost for extra certificate, given that there will be 5000+ users using the system
- cost for extra management (time difference between loading standard certificate into USB token, and creating double-cert and load them into the token)
- extra cost for managing extra tool
- extra cost for managing certificates in this scheme, as the validity period of the 2 certs are not synced
- extra cost incurred by users, as they have to remember which cert will expire when (This is not a strong one though, as we can easily add an extra function into the system to notify the user and admin that a specific cert is going to expire, and when...)
- ... other smaller misc ones

Please help to fill in items that I might have missed :)

> I'd ask the CEO up front on what grounds he trusts that consultant.

Heh, he got a phd in CS, specializing in crypto and system security :) according to what I heard. But I don't think he has ever coded anything, but we have agreed between us that we will never attack on personal ground. Keep it cool, so no one ever mentioned anything on this.

> coconut_to_go> But the annoying thing is, the 2 certificates do not
> coconut_to_go> even specify usage attributes correctly. And our
> coconut_to_go> security expert said it does not matter, we (the
> coconut_to_go> programmers) have to figure that out, which cert is
> coconut_to_go> used for signature and which one is used for encryption.
>
> This is just further proof that consultant doesn't know squat what he or she is talking about.

After a while, I noticed my arguments against this scheme got lost in the noisy room, and it kinda stuck in there as personal thinking, and not scientific. That's why I'm posting on the list if someone could provide a hint on a more scientific comparison of security analysis model (or security attack model) on the two different schemes (double cert vs standard single cert, with key separation if needed).

I'm building an attack model, based on attack tree, expanding out into different routes of attacks, ... the attack tree diagram covers about 30 pages, and I'm having difficulties presenting in a short and cool ppt to the management team. Besides, I got a gut feeling that something is missing, but don't know what. I'm a programmer by profession (and like it that way), learning crypto and security by myself, just by interest. So I'm not sure I have fully grasped the best practice of security analysis.

This exercise is trying to show that there is nothing more secure with double-cert scheme. And if it can actually show that double-cert scheme is more secure, then I would've learned something too. Problem is, it involves certain details of the project, so it is not possible to show it to the public and ask for advice. And frankly, asking blank question like that would be difficult for the gurus on the list to answer too.

Thanks all. coco
RE: problem verifying signature from java
> I am also facing the similar problem. I am generating signature using OpenSSL and passing in to JAVA to verify (running JAVA test suite). Signature format is in DER encoded PKCS#7 format. But JAVA is not able to parse the SignedData content in the PKCS#7 format. It is giving rejects tag type -96 error while parsing. Any comments on this are greatly appreciated. If you got any clue kindly let me know.

Sorry to disappoint you, I've been banging my head on the monitor for 2 days now, going over the code and manual/api docs/examples/google for so many times, and I'm still having difficulties to get openssl and Java work together. All my crypto coding experiences are on Java, and this is the first time trying to get some very basic functionalities in C++, and it turns out to be much much harder than I thought :( And notice the key/cert I used in my test code are actually from the openssl examples.

Anyone who has experience making openssl work with java, please give a hint. That'll be very much appreciated. coco
RE: Need objective arguments against double certificate
>> Please help to fill in items that I might have missed :)

> The security risk that this non-standard scheme might introduce an unforeseen vulnerability. This is, IMO, as likely as that it will protect against some unforeseen vulnerability -- the alleged reason for the scheme.

Hehe, I was trying really hard to put this issue into some tangible numbers :) There is always security risk related to the design, to the implementation, to the administration, etc. From all the books/sources I've learned crypto and security (including topics on information system auditing and assurance, information security risk assessment), I couldn't find any systematic methodology to estimate this. Everyone is talking about it in bulleted items, kinda subjective. This seems to come only with experience, and learn the hard way after screwing up a couple of times, or something.

I don't know, I'm working on estimating the potential consequences of a security breach. But this is way beyond my knowledge/experience/expertise. And this is really on a case by case basis, no book can teach me that, I guess. thanks
Re: Need objective arguments against double certificate
> Like the commentator, I'm also a little guy. In my case, I'm a retired guy who got his intro to this stuff from Entrust. I got convinced that their two (or more) -certificate solution was right, based upon the following:
>
> If you are an employee in an organization, it is valid for the organization to have access to your DATA but not your IDENTITY should you get run over by a bus or tsunami. Two certificates, where the ENCRYPTION certificate's private key is kept by the organization is thus a valid idea. This is sometimes called Key Escrow, Key Recovery, etc. However, the organization never has a legitimate reason to sign on your behalf. Two certificates with different keys allow for this distinction. It also allows you, the employee, to reclaim old encrypted material when you lose the key. Furthermore, when the police knock down your door (as is increasingly possible in the US) and demand your encryption key so they can scan your computer, you can still keep your identity-proving key private, because one assumes they would have no reason to manufacture new data signed by you.
>
> Please note that having two certificates doesn't imply key escrow, it just allows for it to happen when appropriate. Yet, it allows for a separation of confidentiality and identity proof.

Well, actually, key escrow was designed in the system from the beginning. For a shameless plug, this scheme is designed by myself. I'm giving a brief description here, so you guys can help to see if that makes sense.

User's keys are escrowed in a central database, completely separated from the application system (physically and logically, on a remote site). The escrow database is encrypted with two keys (double encryption, one on top of another). The two keys are kept in USB tokens, separately, then they are kept in a safe at a trusted third-party (e.g. a bank). The 2 tokens are kept at two totally different banks. The policy is that no single person should have access to both tokens at the same time. It requires at least two dedicated officers to get both tokens.

There is an option too: In order to get both keys, both officers must have a dedicated third-party witness (e.g. a well-known law firm). But we are still evaluating if this option is really needed. This seems to be more of policy management issue than technical issue. The password to the token is kept with the token, in the safe at the trusted third-party.

The issue seems to be with re-encryption of the escrow database. For example, if the algo is found to be broken, or if the key length is not enough anymore, then we would need to create new keys and re-encrypt the thing. This is left as open for now.

That's it. Yeah, I know, you have not seen the implementation, so not fair to say if that's ok or not. This project is for a government agency, which handles very sensitive data. Sorry, this is getting into some non-sense unrelated to openssl. I'll stop here :) coco
Re: Need objective arguments against double certificate
> I thought the problem was that you were using the same keypair for encryption and signing. So that there really is only one key.

I know, the key escrow was designed when the requirements were only for encryption only. Digital signature requirement was added when the consultant got on board. So, it was not really part of the original plan. We have not redesigned the escrow scheme, as we have not really resolved this double-cert thingy. Yeah, I agree with you, if we are using the same key with 2 certs, the escrow becomes the main attack target. thanks coco
Re: Need objective arguments against double certificate
> Then perhaps your company should hire a security expert to design the security. Defects in portability or performance are low-risk and easily detected, and the cost scales with the time until a patch is deployed. Security vulnerabilities are much more tricky and expensive to detect and the damage may happen all at once, making them very high-risk. I understand several of the OpenSSL development team are available for consulting.

Well, it's not like we can do whatever we would like to. Our company is small, and only got the small part in that project. As I said in the first message, it's the CEO of that partner company which got the biggest part of the project who brought in his security expert. They are the overall lead, and we have to work with them. Even his engineers do not agree with his security consultant.

What I'm doing here (working on the cost calculator, working on the analysis model, etc) is not for our company, it's for this partnering company, actually for the group leader in that company to present it to their management. We don't like to associate our name with lousy projects, that's why I'm doing what I'm doing now, and this is extra work for nothing. If we don't care, we would shut the hell up, get the thing done (whatever it is), take the money, and move on. rgds
problem verifying signature from java
I'm trying to get a client application written in C++ using OpenSSL to verify a signature sent by a server (in Java) and vice versa. Not sure I specified it correctly, but the signatures generated on both sides, from the same input data, are not the same, and therefore, can't be verified. And this is using the same key, of course.

Here is the code in Java for signing it:

==
String testKey = "-----BEGIN RSA PRIVATE KEY-----\n" +
    "MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n" +
    "2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n" +
    "oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n" +
    "8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n" +
    "a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n" +
    "WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n" +
    "6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n" +
    "-----END RSA PRIVATE KEY-----\n";

String testCert = "-----BEGIN CERTIFICATE-----\n" +
    "MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n" +
    "VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv\n" +
    "bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy\n" +
    "dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X\n" +
    "DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw\n" +
    "EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l\n" +
    "dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT\n" +
    "EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp\n" +
    "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw\n" +
    "L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN\n" +
    "BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX\n" +
    "9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=\n" +
    "-----END CERTIFICATE-----\n";

// same input string for both Java and C++
String input = "9O2CQ14zAXEd7GzJ9XELhQH.aE6";

public void doSign() {
    try {
        // Note: PEMReader is from BouncyCastle
        StringReader sReader = new StringReader(testKey);
        PEMReader pemReader = new PEMReader(sReader);
        KeyPair keypair = (KeyPair) pemReader.readObject();
        PrivateKey privKey = keypair.getPrivate();
        PublicKey pubKey = keypair.getPublic();

        sReader = new StringReader(testCert);
        pemReader = new PEMReader(sReader);
        X509Certificate cert = (X509Certificate)pemReader.readObject();
        PublicKey pubKey2 = cert.getPublicKey();

        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(privKey);
        sig.update(input.getBytes());
        byte[] sigvalue = sig.sign();

        Base64 b64 = new Base64();
        byte[] b = b64.encode(sigvalue);
        String s = new String(b);
        System.out.println("'" + s + "'");

        sig.initVerify(pubKey2);
        sig.update(input.getBytes());
        boolean status = sig.verify(sigvalue);
        System.out.println(status);
    } catch(Exception e) {
        e.printStackTrace();
    }
}
==

And the code in C for verifying:

==
char * testKey = "-----BEGIN RSA PRIVATE KEY-----\n \
MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ\n \
2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF\n \
oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr\n \
8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc\n \
a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7\n \
WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA\n \
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=\n \
-----END RSA PRIVATE KEY-----\n";

char * testCert = "-----BEGIN CERTIFICATE-----\n \
MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD\n \
how to EVP_SignInit_ex() ?
Sorry if this is a dumb question, I'm not sure why EVP_SignInit_ex() is giving me unhandled exception error. My code is a very simple testing code:

char * clearText = "testing openssl";
char cryptText[MAX_LEN];
char buf[MAX_LEN];
unsigned char ubuf[MAX_LEN];
unsigned char sig[MAX_LEN];
unsigned int sigLen;
EVP_PKEY key;
EVP_MD_CTX sctx, vctx;

/* generate a 1024-bit RSA key and attach it to the EVP_PKEY */
int ret = EVP_PKEY_assign_RSA(&key, RSA_generate_key(1024, RSA_3, 0, 0));
if (ret != 1)
    std::cout << "Generate rsa key failed..." << std::endl;

/* sign */
EVP_SignInit_ex(&sctx, EVP_sha1(), NULL);
EVP_SignUpdate(&sctx, clearText, strlen(clearText));
memset(sig, 0, MAX_LEN);
ret = EVP_SignFinal(&sctx, sig, &sigLen, &key);
if (ret != 1)
    std::cout << "Signing failed..." << std::endl;

/* verify */
EVP_VerifyInit_ex(&vctx, EVP_sha1(), NULL);
EVP_VerifyUpdate(&vctx, clearText, strlen(clearText));
ret = EVP_VerifyFinal(&vctx, sig, sigLen, &key);
if (ret == 1)
    std::cout << "Signature is valid" << std::endl;
else if (ret == 0)
    std::cout << "Signature is invalid..." << std::endl;
else
    std::cout << "Verification failed..." << std::endl;

Every time I get to EVP_SignInit_ex(), I get the error: Unhandled exception at 0x1003dee6 in test.exe: 0xC005: Access violation reading location 0x.

This code is basically copied from the sample. Is there anything I need to initialize before that as well? thanks in advance cc
Re: how to EVP_SignInit_ex() ?
> try a EVP_MD_CTX_init() before using the EVP_MD_CTX objects

Thanks, not very familiar with openssl at all, this is the first time trying to get something quickly done with openssl. Is there any developer guide, like giving better description of the API provided by openssl, beside the O'Reilly book? It doesn't have to be tutorial, I'm quite ok with crypto stuff in Java, but using openssl has been a trial-and-error process so far, and constantly need to dive into the openssl code itself.
Re: Need objective arguments against double certificate
Thanks all for replying. More heated debates I guess.