Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Thanks for the quick response. I am currently working with smart cards and am
using the engine provided by OpenSC to access the private key in the smart
card. Long story short, I have the EVP_PKEY object with me. Can I use this to
sign a certificate or some file which can be used for SSL client verification?
Thanks


On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea
erwann.aba...@opentrust.com wrote:

Hello,

An X.509 certificate is:

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

What you produced with « openssl rsautl -sign » is the content of the «
signatureValue » element (not its BIT STRING structure, only the inner
content).
What is missing is all the rest, and it can’t be produced by the sole
« openssl x509 … » command.

Please refine your question.

Regards,
Erwann Abalea



On 22 Jul 2015 at 11:17, Anirudh Raghunath anirudhraghun...@rocketmail.com
wrote:
Hello,
I have used the rsautl -sign option to sign a text file, which gives me a binary
file. I would like to convert this to X509 so that I can use it in an SSL
handshake. I understand the command:
openssl x509 -inform format -in certfile -out cert.pem 
is used. I want to know what the parameters would be for a binary input file.
Thanks in advance.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users






Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Victor Wagner
On Wed, 22 Jul 2015 09:17:43 + (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Hello,
 I have used the rsautl -sign option to sign a text file, which gives me a
 binary file. I would like to convert this to X509 so that I can use
 it in an SSL handshake. I understand the command: openssl x509 -inform
 format -in certfile -out cert.pem is used. I want to know what
 the parameters would be for a binary input file. Thanks in advance.

Unfortunately, a signed text file and a certificate are quite different
things.

Of course, a certificate is a signed electronic document. But it is a
document of a special binary format, which contains a public key and
information about the owner of the corresponding private key.

And typically, it is not signed by you; it is signed by a Certificate
Authority (known to the server).

When you use a certificate (and the corresponding private key) during an SSL
handshake, it means that the server sends you something, you sign this
something using your private key and send the signature to the server along
with the certificate.

The server verifies the signature under the data which it remembers having
sent to you, using the public key contained in the certificate, and says:
OK, this guy really owns the private key corresponding to the public key in
this certificate. It also verifies the signature under the certificate using
known-beforehand and trusted CA certificates, to make sure that the public
key stored in the certificate really belongs to the person mentioned in the
certificate subject field.

So, if you sign some text file using your certificate, this signature
cannot be used in the SSL handshake in any way, because you've signed some
text file, not a challenge sent by the server during the SSL handshake.

This signature proves that you, the owner of the private key, have had
access to this text file (provided your private key is not compromised), but
there is no way to use this signature to prove that you are the one who
established the connection with the server. To prove so, you have to sign
something sent to you from the server, not some data known beforehand.

Really, the -sign option of this utility may produce some signed document
format such as PKCS#7 or CMS, which contains the signer's certificate.

For the same purpose which I've described above: if someone wants to verify
whether you've signed this file, they should have your certificate, with
your public key and your name in it. The simplest way to ensure this is to
attach the certificate to the signed message. Then the recipient of the
message can validate the certificate extracted from the message with known
and trusted CAs and then use it to verify the signature under the message.

If you want to use such a curved way to extract the certificate from the
card, it is possible, provided that your rsautl produces a standard signed
message format, i.e. PKCS#7.

Maybe

openssl pkcs7 -inform der -in signedfile.bin -print_certs

would do the trick and write the certificate of the one who signed the file
into filename.pem.

But this is not called "convert signed file to X509 format"; it is
called "extract X509 certificate from signed file".
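The challenge-response logic Victor describes, shown with the openssl command line as an added example (it is not code from the thread or from the OpenSSL project). A software RSA key stands in for the smart-card key; the CA, subject names, nonce and text file are all constructed for the demo, and the PKCS#7 signed message is produced with `openssl smime -sign` so that the `pkcs7 -print_certs` step runs on real input:

```shell
#!/bin/sh
# Added example (not from the thread): a signature over a pre-existing file
# does not prove who is at the other end of a connection; only a signature
# over data the server chose for this session does. The last function shows
# how the signer's certificate travels inside a PKCS#7 signed message.
# All keys, names and message text below are constructed for the demo; a
# software RSA key stands in for the smart-card key.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test CA and client identity (CA-signed client certificate).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Demo Test CA" -days 30 -out ca.pem 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key 2>/dev/null
openssl req -new -key client.key -subj "/CN=demo-client" -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out client.pem 2>/dev/null
openssl x509 -in client.pem -pubkey -noout > client_pub.pem

# The original poster's artifact: a signature over a file known beforehand.
printf 'constructed text file\n' > file.txt
openssl pkeyutl -sign -inkey client.key -in file.txt -out file.sig

# Server side of a challenge-response: it accepts a signature only over the
# data it generated itself ($1 = nonce it sent, $2 = signature it got back).
server_accepts() {
    openssl pkeyutl -verify -pubin -inkey client_pub.pem -in "$1" -sigfile "$2" >/dev/null 2>&1
}

# Fresh exchange: server picks a nonce, client signs exactly that, server verifies.
fresh_challenge_passes() {
    openssl rand -out nonce.bin 32
    openssl pkeyutl -sign -inkey client.key -in nonce.bin -out nonce.sig
    server_accepts nonce.bin nonce.sig
}

# Replaying the old file signature (or an earlier nonce's signature) against a
# new nonce must be rejected: the signed data is not what the server chose now.
stale_signature_fails() {
    openssl rand -out nonce2.bin 32
    ! server_accepts nonce2.bin file.sig && ! server_accepts nonce2.bin nonce.sig
}

# The "extract the certificate" route: a PKCS#7 signed message carries the
# signer's certificate, and pkcs7 -print_certs writes it out as PEM.
extracted_cert_matches() {
    openssl smime -sign -in file.txt -signer client.pem -inkey client.key \
        -outform DER -out signed.p7 2>/dev/null
    openssl pkcs7 -inform DER -in signed.p7 -print_certs -out extracted.pem
    a=$(openssl x509 -in extracted.pem -noout -fingerprint -sha256)
    b=$(openssl x509 -in client.pem -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

fresh_challenge_passes && echo "fresh challenge: accepted"
stale_signature_fails && echo "stale or pre-signed data: rejected"
extracted_cert_matches && echo "certificate extracted from PKCS#7 matches client.pem"
```

The verification step deliberately uses only the certificate's public key and the nonce the server itself generated, which is the shape of the CertificateVerify check in a TLS client-authentication handshake; a file signed in advance never matches that nonce, so it cannot stand in for it.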


Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Thank you for the extremely elaborate answer. Now I understand the big picture.
I want to attach a file from the server side which can be collected in the
client program (the test), and I want to sign it and send it back. I have the SSL
server-client connection ready through socket and SSL code. I want to know if
there is a function to load the random file to the SSL_CTX object the way we do
with certificates. Thanks anyway for taking the time to answer my trivial
doubts :).


On Wednesday, 22 July 2015 12:12 PM, Victor Wagner vi...@wagner.pp.ru
wrote:

 On Wed, 22 Jul 2015 09:17:43 + (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Hello,
 I have used the rsautl -sign option to sign a text file, which gives me a
 binary file. I would like to convert this to X509 so that I can use
 it in an SSL handshake. I understand the command: openssl x509 -inform
 format -in certfile -out cert.pem is used. I want to know what
 the parameters would be for a binary input file. Thanks in advance.

Unfortunately, a signed text file and a certificate are quite different
things.

Of course, a certificate is a signed electronic document. But it is a
document of a special binary format, which contains a public key and
information about the owner of the corresponding private key.

And typically, it is not signed by you; it is signed by a Certificate
Authority (known to the server).

When you use a certificate (and the corresponding private key) during an SSL
handshake, it means that the server sends you something, you sign this
something using your private key and send the signature to the server along
with the certificate.

The server verifies the signature under the data which it remembers having
sent to you, using the public key contained in the certificate, and says:
OK, this guy really owns the private key corresponding to the public key in
this certificate. It also verifies the signature under the certificate using
known-beforehand and trusted CA certificates, to make sure that the public
key stored in the certificate really belongs to the person mentioned in the
certificate subject field.

So, if you sign some text file using your certificate, this signature
cannot be used in the SSL handshake in any way, because you've signed some
text file, not a challenge sent by the server during the SSL handshake.

This signature proves that you, the owner of the private key, have had
access to this text file (provided your private key is not compromised), but
there is no way to use this signature to prove that you are the one who
established the connection with the server. To prove so, you have to sign
something sent to you from the server, not some data known beforehand.

Really, the -sign option of this utility may produce some signed document
format such as PKCS#7 or CMS, which contains the signer's certificate.

For the same purpose which I've described above: if someone wants to verify
whether you've signed this file, they should have your certificate, with
your public key and your name in it. The simplest way to ensure this is to
attach the certificate to the signed message. Then the recipient of the
message can validate the certificate extracted from the message with known
and trusted CAs and then use it to verify the signature under the message.

If you want to use such a curved way to extract the certificate from the
card, it is possible, provided that your rsautl produces a standard signed
message format, i.e. PKCS#7.

Maybe

openssl pkcs7 -inform der -in signedfile.bin -print_certs

would do the trick and write the certificate of the one who signed the file
into filename.pem.

But this is not called "convert signed file to X509 format"; it is
called "extract X509 certificate from signed file".


Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
Hello,

An X.509 certificate is:

Certificate  ::=  SEQUENCE  {
tbsCertificate   TBSCertificate,
signatureAlgorithm   AlgorithmIdentifier,
signatureValue   BIT STRING  }

What you produced with « openssl rsautl -sign » is the content of the « 
signatureValue » element (not its BIT STRING structure, only the inner content).
What is missing is all the rest, and it can’t be produced by the sole « openssl 
x509 … » command.

Please refine your question.

Regards,
Erwann Abalea



 On 22 Jul 2015 at 11:17, Anirudh Raghunath anirudhraghun...@rocketmail.com
 wrote:
 
 Hello,
 
 I have used the rsautl -sign option to sign a text file, which gives me a binary
 file. I would like to convert this to X509 so that I can use it in an SSL
 handshake. I understand the command:
 
 openssl x509 -inform format -in certfile -out cert.pem 
 
 is used. I want to know what the parameters would be for a binary input file.
 
 Thanks in advance. 


[openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Hello,
I have used the rsautl -sign option to sign a text file, which gives me a binary
file. I would like to convert this to X509 so that I can use it in an SSL
handshake. I understand the command:
openssl x509 -inform format -in certfile -out cert.pem 
is used. I want to know what the parameters would be for a binary input file.
Thanks in advance.


Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Jakob Bohm

(top posting for consistency)

Look at the functions named X509_sign(), X509_CRL_sign() and 
X509_REQ_to_X509(), those should get you started.


On 22/07/2015 11:57, Anirudh Raghunath wrote:
Thanks for the quick response. I am currently working with smart cards
and am using the engine provided by OpenSC to access the private key
in the smart card. Long story short, I have the EVP_PKEY object with
me. Can I use this to sign a certificate or some file which can be
used for SSL client verification?


On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea 
erwann.aba...@opentrust.com wrote:



Hello,

An X.509 certificate is:

Certificate  ::=  SEQUENCE  {
tbsCertificate   TBSCertificate,
signatureAlgorithm   AlgorithmIdentifier,
signatureValue   BIT STRING  }

What you produced with « openssl rsautl -sign » is the content of the 
« signatureValue » element (not its BIT STRING structure, only the 
inner content).
What is missing is all the rest, and it can’t be produced by the sole 
« openssl x509 … » command.


Please refine your question.


On 22 Jul 2015 at 11:17, Anirudh Raghunath
anirudhraghun...@rocketmail.com wrote:


Hello,

I have used the rsautl -sign option to sign a text file, which gives me a
binary file. I would like to convert this to X509 so that I can use
it in an SSL handshake. I understand the command:


openssl x509 -inform format -in certfile -out cert.pem

is used. I want to know what the parameters would be for a binary 
input file.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Erwann Abalea
Long response short: yes, you can.
Prepare and fill in your X509 object, perform the signature with your EVP_PKEY
private key, format the resulting signature into a BIT STRING, place this BIT
STRING into your previous X509 object, and complete it with the AlgorithmIdentifier
you chose when signing (it should already have been set in the TBSCertificate
structure; just copy it from there).
The resulting X.509 certificate can be used for anything and is not limited to
SSL client verification usage.

In the previous paragraph, I assume your smart card contains the CA private 
key, and you want to sign certificates (either subCA or subscriber, it doesn’t 
matter). That’s how I understood your question.

If you want to do all this using only openssl CLI, that’s doable with a 
specially crafted config file declaring your engine and its parameters.

Regards,
Erwann Abalea



 On 22 Jul 2015 at 11:57, Anirudh Raghunath anirudhraghun...@rocketmail.com
 wrote:
 
 Thanks for the quick response. I am currently working with smart cards and am
 using the engine provided by OpenSC to access the private key in the smart
 card. Long story short, I have the EVP_PKEY object with me. Can I use this to
 sign a certificate or some file which can be used for SSL client
 verification?
 
 Thanks
 
 
 
 On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea 
 erwann.aba...@opentrust.com wrote:
 
 
 Hello,
 
 An X.509 certificate is:
 
 Certificate  ::=  SEQUENCE  {
 tbsCertificate   TBSCertificate,
 signatureAlgorithm   AlgorithmIdentifier,
 signatureValue   BIT STRING  }
 
 What you produced with « openssl rsautl -sign » is the content of the « 
 signatureValue » element (not its BIT STRING structure, only the inner 
 content).
 What is missing is all the rest, and it can’t be produced by the sole « 
 openssl x509 … » command.
 
 Please refine your question.
 
 Regards,
 Erwann Abalea
 
 
 
 On 22 Jul 2015 at 11:17, Anirudh Raghunath anirudhraghun...@rocketmail.com
 wrote:
 
 Hello,
 
 I have used the rsautl -sign option to sign a text file, which gives me a binary
 file. I would like to convert this to X509 so that I can use it in an SSL
 handshake. I understand the command:
 
 openssl x509 -inform format -in certfile -out cert.pem 
 
 is used. I want to know what the parameters would be for a binary input file.
 
 Thanks in advance. 
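As an added example (not code from the thread or from the OpenSSL project), this script shows on the openssl command line both points Erwann makes in this thread: the output of rsautl -sign is only the inner bytes of signatureValue and is rejected by openssl x509, while a real certificate is issued from a request with the CA's key and has the three-element outer SEQUENCE of his ASN.1, which asn1parse makes visible. A software RSA key stands in for the key on the card; the CA and subject names and the text file are constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the thread): why "openssl x509 -inform DER" cannot
# turn a raw rsautl signature into a certificate, and how the CLI builds one
# from a request plus a CA key. A software RSA key stands in for the
# smart-card/engine key; names and file contents are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Demo Test CA" -days 30 -out ca.pem 2>/dev/null
printf 'some text file\n' > file.txt

# What the original poster produced: a raw PKCS#1 v1.5 signature block, i.e.
# the inner bytes of a signatureValue and nothing else. rsautl is deprecated
# in OpenSSL 3, so fall back to its replacement if it is unavailable.
openssl rsautl -sign -inkey client.key -in file.txt -out sig.bin 2>/dev/null \
    || openssl pkeyutl -sign -inkey client.key -in file.txt -out sig.bin

raw_signature_is_not_a_cert() {
    # A DER Certificate starts with a SEQUENCE tag (0x30); a signature is a
    # modulus-sized integer that looks random, so the parse must fail.
    ! openssl x509 -inform DER -in sig.bin -noout 2>/dev/null
}

# The CLI way to obtain a certificate: a request carrying the client's public
# key and subject, signed by the CA key (the key that would live on the card).
issue_client_cert() {
    openssl req -new -key client.key -subj "/CN=demo-client" -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out client.pem 2>/dev/null
    # A relying party checks the CA's signature over tbsCertificate, not any
    # signature the client made over a file of its own.
    openssl verify -CAfile ca.pem client.pem >/dev/null
}

# Top-level layout of the issued certificate, matching the ASN.1 in the thread:
# SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }.
# Prints the depth-0 line and the three depth-1 elements only.
outer_structure() {
    openssl asn1parse -in client.pem -i | awk 'NR==1 || $0 ~ /^ *[0-9]+:d=1 /'
}

raw_signature_is_not_a_cert && echo "sig.bin is not a certificate"
issue_client_cert && echo "client.pem issued and chains to ca.pem"
outer_structure
```

With an engine-backed CA key, the `-CAkey` argument would refer to the engine's key reference rather than a PEM file; how that reference is written depends on the engine's own configuration, which this example does not cover.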