Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
Actually, it all works just fine. Viktor's point about adding terminating "\n" to the input text helped. -BEGIN PRIVATE KEY- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGlXflMDDD8kOP TP5y06tSXe1g8G3uJAoGHT8NewYANIONuJEZveXnfL8+bJRIu8FDzeCc4SWsCISK WMmX/VY+IzZxLvUlOzRaKmO3Su7A9ABSc/AtcEVcrXhr9qV3axZDMXRXsWTxFnhO /lRK8RpfGoGIhgCKkuNswy/DUjka0x03HymD7HwWhaNgsuvon+zWlSNTIV3t/WU4 093DlykKgDwEPym3UXHIgAecEAsYvm/YeYtM8NsHF2tzr40dKxA460lO/P8Vr7rL df+AF9sNyfNFR81KBtPp2aqvZVXabHQrIZEpoZLrkz6uCObmyPiFx2m59Y3nXQV2 Fac8DuATAgEDAoIBAQCEY6VDdXXX9te03f73N8eMPp5AoElJbVwEE39eUgQAIwJe ewtmfplE/dTUSGLbJ9YtM+sTQMPIBa2xkIZlU47UF3mgyfjDfM2RcZfPh0nV+AA2 9/VzoC49yPrypG5PnLmCIPg6dkNLZFA0qY2HS2bqEauwWVWxt0JIgh/XjCYR4OYZ y7unFj5XnW93cAfL9U8CZPonO6iHCB14unk/UyiIHNrR41at0+qwVJYXdTFx+m0C 3KiWAwleRdVy2LBj3Fq1R3/pW3tnYTadgOInRYF4hQuF+ttIzEiuimhd6blUdMlR WWbw8xp2A8buS4DQUKz0u1OAAhDvsqfEDsWLIAq7AoGBAPHwbdW8aLN85Y3W1pYf 2ELIlV1422sH+MrKv/jqQFf9LVmiXzq2+EZiYQcSxUFp5/1OvnRIHfY2hiBtq4Ww VBq9/0u/D8Rv9bKPOvpLxYZP9FIOo8/BaLp5VV3Vz4pxVort0xHr+DfWFWH7t0cC m/3LtfC1Y7j0TKyL/soyDWzXAoGBANIf/7pM4msWM+5WtEoW17OKaE6fbHYbeG44 /C76WhRBJ5onCuz7m0tdoB9mGv+D3s8FcBojzlbDKIrZvv7XDG1rAL2x5AGKqDZP +bH5ahKJDg/tq7Sba6xqtLBMtzVqZrtDSGTUPLNkeDJM4F6rs/dK+HvEjruLhF1E ALS5UWMlAoGBAKFK8+PS8HeomQk55GQVOtcwY5Ol55yv+zHcf/tG1Y/+HjvBlNHP UC7sQK9h2NZGmqjfKaLavqQkWWrzx651jWcpVN0qCoL1TncKJ1GH2QQ1TYwJwoqA 8HxQ45Pj37Gg5FyejLadUCU5Y5anz4SsZ/6HzqB47SX4Mx2yqdwhXkiPAoGBAIwV VSbd7EdkIp7keDFkj80G8DRqSE68+vQl/XSm5rgrb7waB0invNzpFWpEEf+tPzSu SrwX3uSCGwc71KnksvOcqykhQquxxXmKpnamRrcGCV/zx8288nLxzcrdz3jxmdIs 2u3i0yJC+swzQD8dIqTcpafYXyeyWD4tVc3Q4OzDAoGBAML1gJ2slF0egQmxKSJK YktcRX4IP1rWlYClgcJ9OLAxZBFWPwW8+hsTfCDoa5WEk4+CFHZ37PyibzjGuASC UQmOZj6tVnaRkB62ExArgjzyyIMEUAbfFw4vKHe8cyF8MFC6JbTYj0EDlQtkhK65 HE0xeJjwo/swhpkBItsH0cYJ -END PRIVATE KEY- -BEGIN PUBLIC KEY- MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxpV35TAww/JDj0z+ctOr Ul3tYPBt7iQKBh0/DXsGADSDjbiRGb3l53y/PmyUSLvBQ83gnOElrAiEiljJl/1W PiM2cS71JTs0Wipjt0ruwPQAUnPwLXBFXK14a/ald2sWQzF0V7Fk8RZ4Tv5USvEa XxqBiIYAipLjbMMvw1I5GtMdNx8pg+x8FoWjYLLr6J/s1pUjUyFd7f1lONPdw5cp CoA8BD8pt1FxyIAHnBALGL5v2HmLTPDbBxdrc6+NHSsQOOtJTvz/Fa+6y3X/gBfb DcnzRUfNSgbT6dmqr2VV2mx0KyGRKaGS65M+rgjm5sj4hcdpufWN510FdhWnPA7g EwIBAw== -END PUBLIC KEY- $ cat rsa_tst1.java import java.security.KeyFactory; import java.security.Signature; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Base64; public class rsa_tst1 { public static void main(String[] args) throws Exception { String input = "sample input\n"; final String strPk = "-BEGIN PRIVATE KEY-\n" + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGlXflMDDD8kOP\n" + "TP5y06tSXe1g8G3uJAoGHT8NewYANIONuJEZveXnfL8+bJRIu8FDzeCc4SWsCISK\n" + "WMmX/VY+IzZxLvUlOzRaKmO3Su7A9ABSc/AtcEVcrXhr9qV3axZDMXRXsWTxFnhO\n" + "/lRK8RpfGoGIhgCKkuNswy/DUjka0x03HymD7HwWhaNgsuvon+zWlSNTIV3t/WU4\n" + "093DlykKgDwEPym3UXHIgAecEAsYvm/YeYtM8NsHF2tzr40dKxA460lO/P8Vr7rL\n" + "df+AF9sNyfNFR81KBtPp2aqvZVXabHQrIZEpoZLrkz6uCObmyPiFx2m59Y3nXQV2\n" + "Fac8DuATAgEDAoIBAQCEY6VDdXXX9te03f73N8eMPp5AoElJbVwEE39eUgQAIwJe\n" + "ewtmfplE/dTUSGLbJ9YtM+sTQMPIBa2xkIZlU47UF3mgyfjDfM2RcZfPh0nV+AA2\n" + "9/VzoC49yPrypG5PnLmCIPg6dkNLZFA0qY2HS2bqEauwWVWxt0JIgh/XjCYR4OYZ\n" + "y7unFj5XnW93cAfL9U8CZPonO6iHCB14unk/UyiIHNrR41at0+qwVJYXdTFx+m0C\n" + "3KiWAwleRdVy2LBj3Fq1R3/pW3tnYTadgOInRYF4hQuF+ttIzEiuimhd6blUdMlR\n" + "WWbw8xp2A8buS4DQUKz0u1OAAhDvsqfEDsWLIAq7AoGBAPHwbdW8aLN85Y3W1pYf\n" + "2ELIlV1422sH+MrKv/jqQFf9LVmiXzq2+EZiYQcSxUFp5/1OvnRIHfY2hiBtq4Ww\n" + "VBq9/0u/D8Rv9bKPOvpLxYZP9FIOo8/BaLp5VV3Vz4pxVort0xHr+DfWFWH7t0cC\n" + "m/3LtfC1Y7j0TKyL/soyDWzXAoGBANIf/7pM4msWM+5WtEoW17OKaE6fbHYbeG44\n" + "/C76WhRBJ5onCuz7m0tdoB9mGv+D3s8FcBojzlbDKIrZvv7XDG1rAL2x5AGKqDZP\n" + "+bH5ahKJDg/tq7Sba6xqtLBMtzVqZrtDSGTUPLNkeDJM4F6rs/dK+HvEjruLhF1E\n" + "ALS5UWMlAoGBAKFK8+PS8HeomQk55GQVOtcwY5Ol55yv+zHcf/tG1Y/+HjvBlNHP\n" + "UC7sQK9h2NZGmqjfKaLavqQkWWrzx651jWcpVN0qCoL1TncKJ1GH2QQ1TYwJwoqA\n" + "8HxQ45Pj37Gg5FyejLadUCU5Y5anz4SsZ/6HzqB47SX4Mx2yqdwhXkiPAoGBAIwV\n" + "VSbd7EdkIp7keDFkj80G8DRqSE68+vQl/XSm5rgrb7waB0invNzpFWpEEf+tPzSu\n" + "SrwX3uSCGwc71KnksvOcqykhQquxxXmKpnamRrcGCV/zx8288nLxzcrdz3jxmdIs\n" + "2u3i0yJC+swzQD8dIqTcpafYXyeyWD4tVc3Q4OzDAoGBAML1gJ2slF0egQmxKSJK\n" + "YktcRX4IP1rWlYClgcJ9OLAxZBFWPwW8+hsTfCDoa5WEk4+CFHZ37PyibzjGuASC\n" + "UQmOZj6tVnaRkB62ExArgjzyyIMEUAbfFw4vKHe8cyF8MFC6JbTYj0EDlQtkhK65\n" + "HE0xeJjwo/swhpkBItsH0cYJ\n" + "-END PRIVATE KEY-\n"; String base64Signature = signSHA256RSA(input,strPk);
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
> On Aug 1, 2018, at 12:47 PM, timmy pony wrote: > > On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni > wrote: > On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote: > > > I have tried this > > > > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 > > codeTosign.txt > > This produces raw binary output, no base64 encoding. What is the > content of the file "codeToSign.txt"? Post the output of: > > od -tx1 < /tmp/codeToSign.txt > > od -tx1 < codeToSign.txt > 00073 61 6d 70 6c 65 20 69 6e 70 75 74 0a > 015 As expected, the disk file has a newline ending (0x0a) after the input string. > > public class SHA256RSA { > > > > public static void main(String[] args) throws Exception { > > String input = "sample input"; > > This input has no newline ending, perhaps the disk file does. The input string signed by the Java code does not. The signatures are therefore *expected* to be different. Either include a newline in the Java string, or create an input file with no newline ending. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
Hi Vicktor - I put a '\n' at end of java snippet Both are now equal Thank you for your help. On Wed, Aug 1, 2018 at 5:47 PM timmy pony wrote: > Hi Vicktor, Speed read the previous mail. > > > > On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni > wrote: > >> On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote: >> >> > I have tried this >> > >> > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 >> codeTosign.txt >> >> This produces raw binary output, no base64 encoding. What is the >> content of the file "codeToSign.txt"? Post the output of: >> >> od -tx1 < /tmp/codeToSign.txt >> > > od -tx1 < codeToSign.txt > > 00073 61 6d 70 6c 65 20 69 6e 70 75 74 0a > > 015 > > >> >> > public class SHA256RSA { >> > >> > public static void main(String[] args) throws Exception { >> > String input = "sample input"; >> >> This input has no newline ending, perhaps the disk file does. >> >> > // Not a real private key! Replace with your private key! >> > String strPk = "-BEGIN PRIVATE >> KEY-\nMIIEvwIBADANBgkqhkiG9" >> > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG" >> > + >> "" >> > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n" >> > + "-END PRIVATE KEY-\n"; >> >> I sure hope your production code will *NOT* have the private key >> embedded in the executable. >> >> > String base64Signature = signSHA256RSA(input,strPk); >> > System.out.println("Signature="+base64Signature); >> >> This outputs a signature encoded in base64. >> >> -- >> Viktor. >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
Hi Vicktor, Speed read the previous mail. On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni wrote: > On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote: > > > I have tried this > > > > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 > codeTosign.txt > > This produces raw binary output, no base64 encoding. What is the > content of the file "codeToSign.txt"? Post the output of: > > od -tx1 < /tmp/codeToSign.txt > od -tx1 < codeToSign.txt 00073 61 6d 70 6c 65 20 69 6e 70 75 74 0a 015 > > > public class SHA256RSA { > > > > public static void main(String[] args) throws Exception { > > String input = "sample input"; > > This input has no newline ending, perhaps the disk file does. > > > // Not a real private key! Replace with your private key! > > String strPk = "-BEGIN PRIVATE > KEY-\nMIIEvwIBADANBgkqhkiG9" > > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG" > > + > "" > > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n" > > + "-END PRIVATE KEY-\n"; > > I sure hope your production code will *NOT* have the private key > embedded in the executable. > > > String base64Signature = signSHA256RSA(input,strPk); > > System.out.println("Signature="+base64Signature); > > This outputs a signature encoded in base64. > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
> On Aug 1, 2018, at 12:14 PM, timmy pony wrote: > > Thanks Viktor, > for assistance . > The embedded private key "skeleton" is only for visualisation purposes; No it > will not. > > > the openssl command returns binary. > so i can do .But they are still coming out different. > > openssl base64 -in /tmp/sign.sha256 -out Please re-read my previous post and respond to *all* the points. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
Thanks Viktor, for assistance . The embedded private key "skeleton" is only for visualisation purposes; No it will not. the openssl command returns binary. so i can do .But they are still coming out different. openssl base64 -in /tmp/sign.sha256 -out On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni wrote: > On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote: > > > I have tried this > > > > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 > codeTosign.txt > > This produces raw binary output, no base64 encoding. What is the > content of the file "codeToSign.txt"? Post the output of: > > od -tx1 < /tmp/codeToSign.txt > > > public class SHA256RSA { > > > > public static void main(String[] args) throws Exception { > > String input = "sample input"; > > This input has no newline ending, perhaps the disk file does. > > > // Not a real private key! Replace with your private key! > > String strPk = "-BEGIN PRIVATE > KEY-\nMIIEvwIBADANBgkqhkiG9" > > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG" > > + > "" > > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n" > > + "-END PRIVATE KEY-\n"; > > I sure hope your production code will *NOT* have the private key > embedded in the executable. > > > String base64Signature = signSHA256RSA(input,strPk); > > System.out.println("Signature="+base64Signature); > > This outputs a signature encoded in base64. > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote: > I have tried this > > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 codeTosign.txt This produces raw binary output, no base64 encoding. What is the content of the file "codeToSign.txt"? Post the output of: od -tx1 < /tmp/codeToSign.txt > public class SHA256RSA { > > public static void main(String[] args) throws Exception { > String input = "sample input"; This input has no newline ending, perhaps the disk file does. > // Not a real private key! Replace with your private key! > String strPk = "-BEGIN PRIVATE KEY-\nMIIEvwIBADANBgkqhkiG9" > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG" > + "" > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n" > + "-END PRIVATE KEY-\n"; I sure hope your production code will *NOT* have the private key embedded in the executable. > String base64Signature = signSHA256RSA(input,strPk); > System.out.println("Signature="+base64Signature); This outputs a signature encoded in base64. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?
Hi, Could some openssl expert please advise ? Trying to get the equivalent Openssl command-line version of the following java snippet. I have tried this openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 codeTosign.txt But the the results do not match ? ``` From: "tim.fortinbras" To: openssl-users@openssl.org Cc: Bcc: Date: Tue, 31 Jul 2018 06:48:59 -0700 (MST) Subject: Looking for exact openssl commands to do the following from command line ? import java.security.KeyFactory; import java.security.Signature; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Base64; public class SHA256RSA { public static void main(String[] args) throws Exception { String input = "sample input"; // Not a real private key! Replace with your private key! String strPk = "-BEGIN PRIVATE KEY-\nMIIEvwIBADANBgkqhkiG9" + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG" + "" + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n" + "-END PRIVATE KEY-\n"; String base64Signature = signSHA256RSA(input,strPk); System.out.println("Signature="+base64Signature); } // Create base64 encoded signature using SHA256/RSA. private static String signSHA256RSA(String input, String strPk) throws Exception { // Remove markers and new line characters in private key String realPK = strPk.replaceAll("-END PRIVATE KEY-", "") .replaceAll("-BEGIN PRIVATE KEY-", "") .replaceAll("\n", ""); byte[] b1 = Base64.getDecoder().decode(realPK); PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(b1); KeyFactory kf = KeyFactory.getInstance("RSA"); Signature privateSignature = Signature.getInstance("SHA256withRSA"); privateSignature.initSign(kf.generatePrivate(spec)); privateSignature.update(input.getBytes("UTF-8")); byte[] s = privateSignature.sign(); return Base64.getEncoder().encodeToString(s); } } -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
RE: Diffie algorithm in openssl: and Java
From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson Sent: Wednesday, 20 March, 2013 20:21 From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Wednesday, 20 March, 2013 15:21 snip this.secretKey is an object of javax.crypto.SecretKey which I am using for symmetric encryption like this byte[] utf8 = plaintext.getBytes(UTF8); Cipher c = Cipher.getInstance(DES); c.init(Cipher.ENCRYPT_MODE, this.secretKey); byte[] encryptedText = c.doFinal(utf8); return new sun.misc.BASE64Encoder().encode(encryptedText); With the usual providers DES is really DES/CBC/PKCS5Padding, and it would be clearer to be explicit. I thought that CBC with no IV specified uses a random IV, which you would need to transmit, but on testing apparently it uses zeros, which in general is bad but if you are using nonce DEKs it is tolerable. Correction: on more careful checking, it's DES/*ECB*/PKCS5Padding, which for one block I looked at is the same as CBC IV=zeros (duh). Sorry for the mislead. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
Thanks for the explanation and help.. everything worked perfect. :) :) Regards, Azhar On Mon, Mar 25, 2013 at 1:34 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson Sent: Wednesday, 20 March, 2013 20:21 From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Wednesday, 20 March, 2013 15:21 snip this.secretKey is an object of javax.crypto.SecretKey which I am using for symmetric encryption like this byte[] utf8 = plaintext.getBytes(UTF8); Cipher c = Cipher.getInstance(DES); c.init(Cipher.ENCRYPT_MODE, this.secretKey); byte[] encryptedText = c.doFinal(utf8); return new sun.misc.BASE64Encoder().encode(encryptedText); With the usual providers DES is really DES/CBC/PKCS5Padding, and it would be clearer to be explicit. I thought that CBC with no IV specified uses a random IV, which you would need to transmit, but on testing apparently it uses zeros, which in general is bad but if you are using nonce DEKs it is tolerable. Correction: on more careful checking, it's DES/*ECB*/PKCS5Padding, which for one block I looked at is the same as CBC IV=zeros (duh). Sorry for the mislead. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On Tue, Mar 19, 2013 at 8:13 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 14:18, azhar jodatti azhar...@gmail.com wrote: On Tue, Mar 19, 2013 at 6:24 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 12:22, azhar jodatti azhar...@gmail.com wrote: PEM_write_bio_DHparams(out, temp);//this prints public key in base64 (this is what i think :) ) This is NOT a base64 representation of the public key. This is printing out the parameters only (which does not include the public key) X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(clientPubKeyEnc); PublicKey alicePubKey = bobKeyFac.generatePublic(x509KeySpec); // this throws invalidKeySpecException : invalid key specification What is the reason behind this? Why it won't work with X509EncodedKeySpec? Because, as noted above the data you are trying to use is not what you think it is. X509EncodedKeySpec expects an ASN.1 type of SubjectPublicKeyInfo, whereas you are providing an ASN.1 type of DHparams. Instead of above, try something like this: BigInteger y = new BigInteger(4373485839237796166699589228729451887524557806298817546317652313209684941935291316056752499275686842785989445002203537603465313281932431907074220666705812428468899520395399424699433568818334649395647035588736697462362131440308900155995886437558059484184376957451229991382889256903754886307405909744230582829); BigInteger p = new BigInteger(106824077746282794452228647025839229808074839339760371103063155402464842614962676228255294325459053774613506891207056818441720848774298482866918174271328357364028843638451324415691330056638482781344307395975948664971732094293996189467599104442989563027727348339786810653279203313302815966250977426622843204103); BigInteger g = new BigInteger(5); DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(y, p, g); PublicKey alicPubKey = bobKeyFac.generatePublic(dhKeySpec); Yes, I tried this as well. It won't throw any exception. It silently generate the public and secret key at server. but when I use server's public key at client to generate clients secret key, it ends up with having different secret key at both the end. The client secret key won't match with server's secret key. It's not throwing an exception because it is a correctly formatted public key as opposed to an incorrectly formatted one! If you're not getting the same shared secret then we have to keep looking for the next problem! Please can you show me the public key that is generated from the Java, and how you are getting that into the C. Public key : 5109302865963109515212754756121025695439760309823205966602712261597322738242902768943936680090189486525589441295927426233997365875508787532665251931640864129114721011635072417944560006219044065524773076483481887011307367565959735014609601352035977981372113016128912962383614943266088691125247905870630009660962744048976306621670105745197696645428683028944617742336403041732835283570637507292137401782359467132995640884184026642300272716643279774248342543531816026535360692942687407883845458106878990927218108399715490559887862345042269910918508836619472642535350414785745034292564778165044378612630468960194913792482268072428278422412284738960598286710094132345557605518602478981231098046892613531283123151 Secret key : 12127704546237718092438896066413655388776362910549172519740393110168347001533576823026774727367573930957394257354070595978655048643912250308681026844585744709027576900402249670187203160151084771397152790055765927595015924125212527820968758168922306979142896670732847778567823870168933256602812482617195330 These are the public and secret key generated at JAVA server. I am passing public key to C. below is the C code snippet which takes this key and generates secret key. printf(Enter server public key \n); unsigned char serverpublickey[1024]; scanf(%s,serverpublickey);// reads the server public key BIGNUM *spubkey=BN_new(); BIGNUM **ppubkey =spubkey; BN_dec2bn(ppubkey,serverpublickey);//convert decimal key to BIGNUM printf(\nserver public key= \n); BN_print(out,*ppubkey); clientout=DH_compute_key(clientbuf,*ppubkey,client); above DH_compute_key function returns -1 values and the error message it prints is error:05066066:Diffie-Hellman routines:COMPUTE_KEY:invalid public key I am using below code to get this error unsigned long errorcode = ERR_get_error(); ERR_error_string_n(errorcode, errbuf,sizeof errbuf); Matt
Re: Diffie algorithm in openssl: and Java
On 20 March 2013 07:37, azhar jodatti azhar...@gmail.com wrote: Public key : 5109302865963109515212754756121025695439760309823205966602712261597322738242902768943936680090189486525589441295927426233997365875508787532665251931640864129114721011635072417944560006219044065524773076483481887011307367565959735014609601352035977981372113016128912962383614943266088691125247905870630009660962744048976306621670105745197696645428683028944617742336403041732835283570637507292137401782359467132995640884184026642300272716643279774248342543531816026535360692942687407883845458106878990927218108399715490559887862345042269910918508836619472642535350414785745034292564778165044378612630468960194913792482268072428278422412284738960598286710094132345557605518602478981231098046892613531283123151 This public key is too big. It is far larger than the value of p. How are you extracting and printing it? Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On Wed, Mar 20, 2013 at 3:44 PM, Matt Caswell fr...@baggins.org wrote: On 20 March 2013 07:37, azhar jodatti azhar...@gmail.com wrote: Public key : 5109302865963109515212754756121025695439760309823205966602712261597322738242902768943936680090189486525589441295927426233997365875508787532665251931640864129114721011635072417944560006219044065524773076483481887011307367565959735014609601352035977981372113016128912962383614943266088691125247905870630009660962744048976306621670105745197696645428683028944617742336403041732835283570637507292137401782359467132995640884184026642300272716643279774248342543531816026535360692942687407883845458106878990927218108399715490559887862345042269910918508836619472642535350414785745034292564778165044378612630468960194913792482268072428278422412284738960598286710094132345557605518602478981231098046892613531283123151 This public key is too big. It is far larger than the value of p. How are you extracting and printing it? Java JCE generating this key. :( :( Below is the code I am using to print this. byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded(); // this generated server's public key System.out.println(public key : + new BigInteger(bobPubKeyEnc)); //prints public key in BigInteger (decimal) Even you can see the same steps in my previous mail threads where I pasted my complete JAVA and C code. Do you see any issue with this? or anything else Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On 20 March 2013 11:25, azhar jodatti azhar...@gmail.com wrote: byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded(); This is providing an encoded form of the public key, whereas your code is expecting it as an integer. Use the following instead: DHPublicKey dhpubkey = (DHPublicKey)(bobKpair.getPublic()); BigInteger bobPubKeyInt = dhpubkey.getY(); Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On Wed, Mar 20, 2013 at 5:12 PM, Matt Caswell fr...@baggins.org wrote: On 20 March 2013 11:25, azhar jodatti azhar...@gmail.com wrote: byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded(); This is providing an encoded form of the public key, whereas your code is expecting it as an integer. Use the following instead: DHPublicKey dhpubkey = (DHPublicKey)(bobKpair.getPublic()); BigInteger bobPubKeyInt = dhpubkey.getY(); Yes, Matt. This worked and it also generates same secret key at both the end :) :) :) Thanks a lot. You been a great help to me. One more query :). After generating secret key : byte[] bobSharedSecret = bobKeyAgree.generateSecret();//this generates secret key. Note : this key matches with C client secret key :) I am doing below stuff in JAVA : SecretKeyFactory skf = SecretKeyFactory.getInstance(DES); DESKeySpec desSpec = new DESKeySpec(bobSharedSecret); this.secretKey = skf.generateSecret(desSpec); What is the equivalent of this in C? this.secretKey is an object of javax.crypto.SecretKey which I am using for symmetric encryption like this byte[] utf8 = plaintext.getBytes(UTF8); Cipher c = Cipher.getInstance(DES); c.init(Cipher.ENCRYPT_MODE, this.secretKey); byte[] encryptedText = c.doFinal(utf8); return new sun.misc.BASE64Encoder().encode(encryptedText); and decryption like this Cipher c = Cipher.getInstance(DES); byte[] decryptBase64= new sun.misc.BASE64Decoder().decodeBuffer(incryptedData); c.init(Cipher.DECRYPT_MODE, this.secretKey); byte plaintext[] = c.doFinal(decryptBase64); return new String(plaintext,UTF-8); Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On 20 March 2013 19:21, azhar jodatti azhar...@gmail.com wrote: One more query :). After generating secret key : byte[] bobSharedSecret = bobKeyAgree.generateSecret();//this generates secret key. Note : this key matches with C client secret key :) I am doing below stuff in JAVA : SecretKeyFactory skf = SecretKeyFactory.getInstance(DES); DESKeySpec desSpec = new DESKeySpec(bobSharedSecret); this.secretKey = skf.generateSecret(desSpec); What is the equivalent of this in C? Well looking at the docs the DESKeySpec constructor just takes the first 8 bytes of the byte array to form the key. The equivalent is to just pass an unsigned char * pointing at the shared secret in the key parameter in the call to EVP_EncryptInit_ex. BUT - you should NOT use the shared secret directly like this. This goes back to my point about implementing your own protocol - it is easy to make a mistake like this. Protocols will typically pass the shared secret through some message digest function (such as SHA2), and use the output from that as the key. See section 2.1.2 of RFC2631 for an example of this in practice. The problem is that the set of possible DH shared secrets is not necessarily evenly distributed within the keyspace. By using the shared secret directly you could introduce biases into your encryption, which could in turn lead to a security flaw. (As an aside another potential security problem with DH is that it is susceptible to MITM attacks without some authentication layer - another thing that protocols will typically add) For information on encryption with openssl see: http://wiki.opensslfoundation.com/index.php/EVP and in particular these pages linked from there: http://wiki.opensslfoundation.com/index.php/EVP_Symmetric_Encryption_and_Decryption http://wiki.opensslfoundation.com/index.php/EVP_Authenticated_Encryption_and_Decryption Also see the manual pages: http://www.openssl.org/docs/crypto/EVP_EncryptInit.html# Message Digests are covered here: http://wiki.opensslfoundation.com/index.php/EVP_Message_Digests http://www.openssl.org/docs/crypto/EVP_DigestInit.html# Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Diffie algorithm in openssl: and Java
From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Wednesday, 20 March, 2013 15:21 On Wed, Mar 20, 2013 at 5:12 PM, Matt Caswell fr...@baggins.org wrote: On 20 March 2013 11:25, azhar jodatti azhar...@gmail.com wrote: byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded(); This is providing an encoded form of the public key, whereas your code is expecting it as an integer. Use the following instead: DHPublicKey dhpubkey = (DHPublicKey)(bobKpair.getPublic()); BigInteger bobPubKeyInt = dhpubkey.getY(); To be exact, PublicKey.getEncoded() is returning the X509 encoding of the parameters AND public value (y), which is why it looks huge. Matt's correction correctly get y separately, as a number. One more query :). After generating secret key : byte[] bobSharedSecret = bobKeyAgree.generateSecret(); //this generates secret key. Note : this key matches with C client secret key :) Actually that's the shared secret, as your name says. Using the shared secret directly as a secret key is the naive 1970's version often shown in textbooks, but (most?) real protocols and standards interpose a key derivation step. Also this is good place to note that unauthenticated DH keyagreement is insecure against an active attacker. Look for Ross Anderson's paper Mind your p's and q's. I am doing below stuff in JAVA : SecretKeyFactory skf = SecretKeyFactory.getInstance(DES); DESKeySpec desSpec = new DESKeySpec(bobSharedSecret); this.secretKey = skf.generateSecret(desSpec); If you don't care about DES specifics (see below) you can use SecretKeySpec with algorithm=DES and it implements interface Key so you can pass it to Cipher.init without going through a factory. What is the equivalent of this in C? *openssl* doesn't require magic data types like Java does, but does require that a DES key be scheduled or expanded before actual encrypt/decrypt. You can do this with the encrypt/decrypt call, or (once) in advance like: DES_key_schedule des_k; DES_set_key[_checked/_unchecked] ((void*)secretkeyvalue, des_k); See man -3ssl des (For other crypto libraries in C, answer is different.) But note classic single DES is fallen for about 10 years. Are you using a textbook from 1990 or something? this.secretKey is an object of javax.crypto.SecretKey which I am using for symmetric encryption like this byte[] utf8 = plaintext.getBytes(UTF8); Cipher c = Cipher.getInstance(DES); c.init(Cipher.ENCRYPT_MODE, this.secretKey); byte[] encryptedText = c.doFinal(utf8); return new sun.misc.BASE64Encoder().encode(encryptedText); With the usual providers DES is really DES/CBC/PKCS5Padding, and it would be clearer to be explicit. I thought that CBC with no IV specified uses a random IV, which you would need to transmit, but on testing apparently it uses zeros, which in general is bad but if you are using nonce DEKs it is tolerable. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
-- And possibly relevant here, the standard Suncle JCE provider actually uses DSA paramgen for DH and thus imposes the DSA size restrictions on DH -- 512 to 1024 in steps of 64 -- although they aren't required by any standard I know of. I don't recall if JCE also restricts *existing* (received) params; I'll test when I have some time. I do recall you can get around this by using BouncyCastle instead. But just using 1024 is easy and fine. -- sometime I get below error Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) when i use small prime numbers.It means JCE uses DSA paramateres for DH algorithm. what is openSSL equalent to this? KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(1024); keyPair = kpg.generateKeyPair(); DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams(); baseGenerator = dhSpec.getG(); prime = dhSpec.getP(); sizeInBits = dhSpec.getL(); is this java code equalent to below c code? DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL); see, with openSSL I have to pass DH_GENERATOR which only allowes (2 and 5) but that is not required in JAVA version.It generates it own base generator. -- you don't need to *generate* new parameters every time. If you do, you must send them. Sending in standard X509-ki format is often the easiest way (and JCE does by default) but not the only way. -- Do I need to do this conversion explicitly? if yes then can you please tell me how to do that. when I generate keys using DH_generate_key() function, what is the format of the keys? If it generates according to X509 spec then X509EncodedKeySpec should work in JAVA. but that is not the case. Do you see anything regarding format here which makes this all stuff crapy and non-working? -- if you reuse parameters, you don't *need* to send them, but it can be useful if you do because both parties can check they agree and something hasn't gotten misconfigured or out of sync. -- Even I tried by hardcoding the C generated parameter with JAVA. still faces the same issue. :( Regards, Azhar On Tue, Mar 19, 2013 at 3:28 AM, Matt Caswell fr...@baggins.org wrote: On 18 March 2013 21:44, Matt Caswell fr...@baggins.org wrote: However, you are correct that the DH computation does not use q, although I do not know whether JCE requires it to be specified (not having used JCE). One other point on this - X9.42 describes an optional validation procedure which does use q. From RFC2631 (based on X9.42): The following algorithm MAY be used to validate a received public key y. 1. Verify that y lies within the interval [2,p-1]. If it does not, the key is invalid. 2. Compute y^q mod p. If the result == 1, the key is valid. Otherwise the key is invalid. The primary purpose of public key validation is to prevent a small subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static mode is used, this check may not be necessary. See also [P1363] for more information on Public Key validation. Matt
Re: Diffie algorithm in openssl: and Java
On 19 March 2013 09:01, azhar jodatti azhar...@gmail.com wrote: And possibly relevant here, the standard Suncle JCE provider actually uses DSA paramgen for DH and thus imposes the DSA size restrictions on DH -- 512 to 1024 in steps of 64 -- although they aren't required by any standard I know of. I don't recall if JCE also restricts *existing* (received) params; I'll test when I have some time. I do recall you can get around this by using BouncyCastle instead. But just using 1024 is easy and fine. -- sometime I get below error Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) when i use small prime numbers.It means JCE uses DSA paramateres for DH algorithm. what is openSSL equalent to this? KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(1024); keyPair = kpg.generateKeyPair(); DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams(); baseGenerator = dhSpec.getG(); prime = dhSpec.getP(); sizeInBits = dhSpec.getL(); is this java code equalent to below c code? DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL); see, with openSSL I have to pass DH_GENERATOR which only allowes (2 and 5) but that is not required in JAVA version.It generates it own base generator. It appears to be equivalent, although I am not familiar with the JCE API. What I do not understand though is why you have code to generate parameters on *both* sides of your communication. If you are going to generate params every time (which both Dave and myself have advised against - it is an expensive operation), you still only need to do it on one side of the communication. So, after a bit of googling, I would expect to see something like this on the Java side (if the C side generates the params): KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(new DHParameterSpec(/* p value passed from C */, /* g value passed from C */)); keyPair = kpg.generateKeyPair(); Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On Tue, Mar 19, 2013 at 2:58 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 09:01, azhar jodatti azhar...@gmail.com wrote: And possibly relevant here, the standard Suncle JCE provider actually uses DSA paramgen for DH and thus imposes the DSA size restrictions on DH -- 512 to 1024 in steps of 64 -- although they aren't required by any standard I know of. I don't recall if JCE also restricts *existing* (received) params; I'll test when I have some time. I do recall you can get around this by using BouncyCastle instead. But just using 1024 is easy and fine. -- sometime I get below error Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) when i use small prime numbers.It means JCE uses DSA paramateres for DH algorithm. what is openSSL equalent to this? KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(1024); keyPair = kpg.generateKeyPair(); DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams(); baseGenerator = dhSpec.getG(); prime = dhSpec.getP(); sizeInBits = dhSpec.getL(); is this java code equalent to below c code? DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL); see, with openSSL I have to pass DH_GENERATOR which only allowes (2 and 5) but that is not required in JAVA version.It generates it own base generator. It appears to be equivalent, although I am not familiar with the JCE API. What I do not understand though is why you have code to generate parameters on *both* sides of your communication. If you are going to generate params every time (which both Dave and myself have advised against - it is an expensive operation), you still only need to do it on one side of the communication. So, after a bit of googling, I would expect to see something like this on the Java side (if the C side generates the params): Well, above both the code snaps are at client side, not at server. I understand I don't have to generate keys at both the end. I just wanted to give you an idea how I am doing it in JAVA and C to generate the keys. As you said both code appears to be equivalent but practically it won't seems like . at-least in my scenario. because parameters generated with above java code works with my server but that's not the case with parameters generated with above C code. KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(new DHParameterSpec(/* p value passed from C */, /* g value passed from C */)); keyPair = kpg.generateKeyPair(); yes, I m doing this at server. after generating keyPair I am generating keyAgreent as well . below is the code for this KeyAgreement keyAgree = KeyAgreement.getInstance(DH); keyAgree.init(keyPair.getPrivate()); //this generates public key at server byte[] serverPubKeyEnc = keyPair.getPublic().getEncoded(); //I really don't know how exactly it does this. but its mandatory keyAgree.doPhase(clientPubllicKey, true); //this generates secret key at server byte[] sharedSecret = keyAgree.generateSecret(); Matt
Re: Diffie algorithm in openssl: and Java
On 19 March 2013 10:37, azhar jodatti azhar...@gmail.com wrote: On Tue, Mar 19, 2013 at 2:58 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 09:01, azhar jodatti azhar...@gmail.com wrote: And possibly relevant here, the standard Suncle JCE provider actually uses DSA paramgen for DH and thus imposes the DSA size restrictions on DH -- 512 to 1024 in steps of 64 -- although they aren't required by any standard I know of. I don't recall if JCE also restricts *existing* (received) params; I'll test when I have some time. I do recall you can get around this by using BouncyCastle instead. But just using 1024 is easy and fine. -- sometime I get below error Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) when i use small prime numbers.It means JCE uses DSA paramateres for DH algorithm. what is openSSL equalent to this? KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(1024); keyPair = kpg.generateKeyPair(); DHParameterSpec dhSpec = ((DHPublicKey) keyPair.getPublic()).getParams(); baseGenerator = dhSpec.getG(); prime = dhSpec.getP(); sizeInBits = dhSpec.getL(); is this java code equalent to below c code? DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL); see, with openSSL I have to pass DH_GENERATOR which only allowes (2 and 5) but that is not required in JAVA version.It generates it own base generator. It appears to be equivalent, although I am not familiar with the JCE API. What I do not understand though is why you have code to generate parameters on *both* sides of your communication. If you are going to generate params every time (which both Dave and myself have advised against - it is an expensive operation), you still only need to do it on one side of the communication. So, after a bit of googling, I would expect to see something like this on the Java side (if the C side generates the params): Well, above both the code snaps are at client side, not at server. I understand I don't have to generate keys at both the end. I just wanted to give you an idea how I am doing it in JAVA and C to generate the keys. As you said both code appears to be equivalent but practically it won't seems like . at-least in my scenario. because parameters generated with above java code works with my server but that's not the case with parameters generated with above C code. KeyPairGenerator kpg = KeyPairGenerator.getInstance(DH); kpg.initialize(new DHParameterSpec(/* p value passed from C */, /* g value passed from C */)); keyPair = kpg.generateKeyPair(); yes, I m doing this at server. after generating keyPair I am generating keyAgreent as well . below is the code for this KeyAgreement keyAgree = KeyAgreement.getInstance(DH); keyAgree.init(keyPair.getPrivate()); //this generates public key at server byte[] serverPubKeyEnc = keyPair.getPublic().getEncoded(); //I really don't know how exactly it does this. but its mandatory keyAgree.doPhase(clientPubllicKey, true); //this generates secret key at server byte[] sharedSecret = keyAgree.generateSecret(); Can you share the code where you load the parameters from the C into JCE? Also how you set up clientPublicKey. Finally would be useful if you can dump out the parameters after they have been read, and compare to the JSON sent. Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
Well, to roll out the possibility of network error's, JSON values not being passed properly and blah blah blah I just dropped that approach. instead of that I am running C program which prints the prime,generator and public key. I have another program on same machine which is written in java where I am hard coding these C generated values and trying to get the public and secret key. ofcourse it is also giving me the same exception. below is the complete C code written to generate DH params. most of the part is taken from openSSL library source code. #include stdio.h #include stdlib.h #include string.h #include openssl/crypto.h #include openssl/dh.h #include err.h static const char rnd_seed[] = string to make the random number generator think it has the entropy; int main(){ BN_GENCB _cb; DH *client= NULL; char buf[12]; unsigned char *clientbuf=NULL; int i,clientlen,clientout,ret=1; BIO *out; CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); #ifdef OPENSSL_SYS_WIN32 CRYPTO_malloc_init(); #endif RAND_seed(rnd_seed, sizeof rnd_seed); out=BIO_new(BIO_s_file()); if (out == NULL) { printf(BIO is null. exiting from program); goto err; } BIO_set_fp(out,stdout,BIO_NOCLOSE); //BN_GENCB_set(_cb,cb, out);//is this really required. my gcc not recognizing cb instance so just commenting client = DH_new(); if(client == NULL){ printf(Client DH is null); goto err; } DH_generate_parameters_ex(client,1024,DH_GENERATOR_5,NULL); if (!DH_check(client, i)) { goto err; } if (i DH_CHECK_P_NOT_PRIME) BIO_puts(out, p value is not prime\n); if (i DH_CHECK_P_NOT_SAFE_PRIME) BIO_puts(out, p value is not a safe prime\n); if (i DH_UNABLE_TO_CHECK_GENERATOR) BIO_puts(out, unable to check the generator value\n); if (i DH_NOT_SUITABLE_GENERATOR) BIO_puts(out, the g value is not a generator\n); BIO_puts(out,\np=);//this prints the P in hex printf(%s,BN_bn2dec(client-p));//this prints the P in decimal BIO_puts(out,\ng=); BN_print(out,client-g);//prints generator which is 5 in this case BIO_puts(out,\n); if (!DH_generate_key(client)) { printf(unable to generate client keys); goto err; } BIO_puts(out,pri 1=); BN_print(out,client-priv_key);//prints private key BIO_puts(out,\npub 1=); printf(%s,BN_bn2dec(client-pub_key));//prints public key in decimal format DH *temp = DHparams_dup(client); BIO_puts(out,\n\n\n PEM = ); PEM_write_bio_DHparams(out, temp);//this prints public key in base64 (this is what i think :) ) BIO_puts(out,\n\n); err: if (clientbuf != NULL) OPENSSL_free(clientbuf); if (serverbuf != NULL) OPENSSL_free(serverbuf); if(server != NULL) DH_free(server); if(client != NULL) DH_free(client); BIO_free(out); return 1; } This is what it prints when I ran this program. p=106824077746282794452228647025839229808074839339760371103063155402464842614962676228255294325459053774613506891207056818441720848774298482866918174271328357364028843638451324415691330056638482781344307395975948664971732094293996189467599104442989563027727348339786810653279203313302815966250977426622843204103 g=5 pri1=622BBB2CA70FC8665F9EC3A95CF7B5C46D2F77AB10AA7D3FF485ADA9C6E005C7CF35AC0DBBFC256D2EB3AC702899140369433E1546B9DC915ACA5883D91F8FACB731F745B23C3A399FAFBDC6355E3D4203462432E950670297F6930B98C261A215053164893C2FAB55A1170699C3EDE919E59F895455B995A19C37670A6FA358 pub1=4373485839237796166699589228729451887524557806298817546317652313209684941935291316056752499275686842785989445002203537603465313281932431907074220666705812428468899520395399424699433568818334649395647035588736697462362131440308900155995886437558059484184376957451229991382889256903754886307405909744230582829 PEM = -BEGIN DH PARAMETERS- MIGHAoGBAJgfXoi5POaY+aWtOFfykV7i9JNaX1ecr1W/PeqNwpcdTg1y75FaJwrO LZSKds6dr6HtTEs5Jltda1GY2HklY8f3mja5EhNeLGLRfchQ8+Bn2FPGU1mMFpbF 07/tRJe6SOLfbQzIcTLn+TXbkS5fKWqerRnww4NZI0B+FBC+/DIHAgEF -END DH PARAMETERS- Here is my java code . import java.io.*; import java.math.BigInteger; import java.security.*; import java.security.spec.*; import java.security.interfaces.*; import javax.crypto.*; import javax.crypto.spec.*; import javax.crypto.interfaces.*; import com.sun.crypto.provider.SunJCE; public class DiffieHellmanServer { private DiffieHellmanServer() { }; public static void main(String argv[]) { try { DiffieHellmanServer keyAgree = new DiffieHellmanServer(); keyAgree.run1(); } catch (Exception e) { System.err.println(Error: + e); System.exit(1); }
Re: Diffie algorithm in openssl: and Java
On 19 March 2013 12:22, azhar jodatti azhar...@gmail.com wrote: PEM_write_bio_DHparams(out, temp);//this prints public key in base64 (this is what i think :) ) This is NOT a base64 representation of the public key. This is printing out the parameters only (which does not include the public key) X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(clientPubKeyEnc); PublicKey alicePubKey = bobKeyFac.generatePublic(x509KeySpec); // this throws invalidKeySpecException : invalid key specification Instead of above, try something like this: BigInteger y = new BigInteger(4373485839237796166699589228729451887524557806298817546317652313209684941935291316056752499275686842785989445002203537603465313281932431907074220666705812428468899520395399424699433568818334649395647035588736697462362131440308900155995886437558059484184376957451229991382889256903754886307405909744230582829); BigInteger p = new BigInteger(106824077746282794452228647025839229808074839339760371103063155402464842614962676228255294325459053774613506891207056818441720848774298482866918174271328357364028843638451324415691330056638482781344307395975948664971732094293996189467599104442989563027727348339786810653279203313302815966250977426622843204103); BigInteger g = new BigInteger(5); DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(y, p, g); PublicKey alicPubKey = bobKeyFac.generatePublic(dhKeySpec); Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On Tue, Mar 19, 2013 at 6:24 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 12:22, azhar jodatti azhar...@gmail.com wrote: PEM_write_bio_DHparams(out, temp);//this prints public key in base64 (this is what i think :) ) This is NOT a base64 representation of the public key. This is printing out the parameters only (which does not include the public key) X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(clientPubKeyEnc); PublicKey alicePubKey = bobKeyFac.generatePublic(x509KeySpec); // this throws invalidKeySpecException : invalid key specification What is the reason behind this? Why it won't work with X509EncodedKeySpec? Instead of above, try something like this: BigInteger y = new BigInteger(4373485839237796166699589228729451887524557806298817546317652313209684941935291316056752499275686842785989445002203537603465313281932431907074220666705812428468899520395399424699433568818334649395647035588736697462362131440308900155995886437558059484184376957451229991382889256903754886307405909744230582829); BigInteger p = new BigInteger(106824077746282794452228647025839229808074839339760371103063155402464842614962676228255294325459053774613506891207056818441720848774298482866918174271328357364028843638451324415691330056638482781344307395975948664971732094293996189467599104442989563027727348339786810653279203313302815966250977426622843204103); BigInteger g = new BigInteger(5); DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(y, p, g); PublicKey alicPubKey = bobKeyFac.generatePublic(dhKeySpec); Yes, I tried this as well. It won't throw any exception. It silently generate the public and secret key at server. but when I use server's public key at client to generate clients secret key, it ends up with having different secret key at both the end. The client secret key won't match with server's secret key. Matt
Re: Diffie algorithm in openssl: and Java
On 19 March 2013 14:18, azhar jodatti azhar...@gmail.com wrote: On Tue, Mar 19, 2013 at 6:24 PM, Matt Caswell fr...@baggins.org wrote: On 19 March 2013 12:22, azhar jodatti azhar...@gmail.com wrote: PEM_write_bio_DHparams(out, temp);//this prints public key in base64 (this is what i think :) ) This is NOT a base64 representation of the public key. This is printing out the parameters only (which does not include the public key) X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(clientPubKeyEnc); PublicKey alicePubKey = bobKeyFac.generatePublic(x509KeySpec); // this throws invalidKeySpecException : invalid key specification What is the reason behind this? Why it won't work with X509EncodedKeySpec? Because, as noted above the data you are trying to use is not what you think it is. X509EncodedKeySpec expects an ASN.1 type of SubjectPublicKeyInfo, whereas you are providing an ASN.1 type of DHparams. Instead of above, try something like this: BigInteger y = new BigInteger(4373485839237796166699589228729451887524557806298817546317652313209684941935291316056752499275686842785989445002203537603465313281932431907074220666705812428468899520395399424699433568818334649395647035588736697462362131440308900155995886437558059484184376957451229991382889256903754886307405909744230582829); BigInteger p = new BigInteger(106824077746282794452228647025839229808074839339760371103063155402464842614962676228255294325459053774613506891207056818441720848774298482866918174271328357364028843638451324415691330056638482781344307395975948664971732094293996189467599104442989563027727348339786810653279203313302815966250977426622843204103); BigInteger g = new BigInteger(5); DHPublicKeySpec dhKeySpec = new DHPublicKeySpec(y, p, g); PublicKey alicPubKey = bobKeyFac.generatePublic(dhKeySpec); Yes, I tried this as well. It won't throw any exception. It silently generate the public and secret key at server. but when I use server's public key at client to generate clients secret key, it ends up with having different secret key at both the end. The client secret key won't match with server's secret key. It's not throwing an exception because it is a correctly formatted public key as opposed to an incorrectly formatted one! If you're not getting the same shared secret then we have to keep looking for the next problem! Please can you show me the public key that is generated from the Java, and how you are getting that into the C. Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
Thanks matt for looking at this. below are the details json from C with openSSL { prime: B01DBDE7823A696F13EEFDE810DF2A010ED8BA919186029BEECCF2F0454CE85CA3E3FFD0EB3A578F80C28930AD98559D57605E37BFE2B1BD3C6D6C7657384F4DDFF45D57C59EF2DEADAF7605A1EB36A5D5007162F026E5AE161F489C8C79A5AD10C40FC7B914CDD85EE8A493307EE183194655D5190A3B7D8B45036E56E0C653, basegenerator: 2, size: 1024, publickey: 829DE389D7731F6CB1C92B92965E119FFCBAE433C5B19B5C262623FD5EA6F2D53EFAD3195372B7C746DB376C3739CBC03BE7614183F658E059F02FF8C463051E3684424BE8F3F96353275201D8B8154DED3A5152DD04EBD55C0EC20544F975EEEB703B3085C174C761712AC83EACF8507895571E1F076876F26162504D75EF11 } JSON with JAVA { prime: 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668388144034129745221171818506047231150039301079959358067395348717066319802262019714966524135060945913707594956514672855690606794135837542707371727429551343320695239, basegenerator: 1740682075324020951858119801235234365386044907945613509784958310405999534884558231478515974089409507253077970949157594923683005742524387610370844734671801488761181030830437549851909834726015504946913294880833954923138536164648264460849230407872181895056496097769368017749273708962006689187956744210730, size: 1024, publickey: 154098060632197825972569070553594673213907981120204558893455132154488920498286340180930009617674527453058248409146259055129616519883338912429359077804301589391083095780370584174889589223725092053310001148182587778315708960959816212553890780658697750126252666385136330617189340099488509957293788029153796583284280546893194823052732368554200517384648060949814219845513312636361799960550824305241776726569729968117653644039260346804354135691237238964153781814300021332541328282477027772784043832083697573459487287571520026609334964134811373470209956613009283464376018849091639198208244682804180475479662224652170610412421382256896232908714139611606796633319949985382724877107919957408909942743414340389890006834786464852247662337830546584844189278383274479199021252090407963572739286575933788241737975537671923484277171204499262529715278092506505239752566691287452373502190399117732855968397767896906732126573639005461407592315315318920060328019073971670048355762952267750188451524151795498747866082848788789357672209810743252483 } Kindly let me know if you need anything else. even I can share my implementation (both Java and C) Regards, Azhar On Sun, Mar 17, 2013 at 1:10 PM, Matt Caswell fr...@baggins.org wrote: On 16 March 2013 22:29, azhar jodatti azhar...@gmail.com wrote: Matt, No reason as such for using low level interface.I just want to get it done. Do you see any issues with low level interface? or any issues with my code? In addition, the server and client works over REST API's, hence I am using JSON format to pass the parameter over the wire. The low-level interface will *work*, its just *better* to use the high level interface. The high level interface is less tightly coupled to the specifics of any one particular algorithm (you would be able to reuse much of your code if you needed to use ECDH instead of DH at some point in the future). In general the high level interface also hides much of the complexity of working with specific algorithms. Can you supply a sample of the JSON format that you are using to pass parameters and public keys? Matt
Re: Diffie algorithm in openssl: and Java
1) The C version is in hex while the java version is in decimal. Is this intentional? When you are reading in the values are reading them correctly (i.e. as hex or as decimal as required) Yes. it was intentional. I am taking care of this. 2) Is this sample from the *same* key exchange? The parameters are different which are obviously going to cause it to fail. When I run both programs it calculates the params (p,g,pk) every time on execution . that's the reason both key values are different. That won't make any such difference :) right? 3) Its not actually necessary to pass the full parameters every time you exchange keys. This can be agreed up front, e.g. RF5114 defines a set of standard well known parameters which can be used off the shelf. OpenSSL has built-in support for these. I need to look into this. Do you mean the hard coded prime and base generator numbers at client and server? how about public key? Regards, Azhar On Mon, Mar 18, 2013 at 3:22 PM, Matt Caswell fr...@baggins.org wrote: On 18 March 2013 06:26, azhar jodatti azhar...@gmail.com wrote: Thanks matt for looking at this. below are the details json from C with openSSL { prime: B01DBDE7823A696F13EEFDE810DF2A010ED8BA919186029BEECCF2F0454CE85CA3E3FFD0EB3A578F80C28930AD98559D57605E37BFE2B1BD3C6D6C7657384F4DDFF45D57C59EF2DEADAF7605A1EB36A5D5007162F026E5AE161F489C8C79A5AD10C40FC7B914CDD85EE8A493307EE183194655D5190A3B7D8B45036E56E0C653, basegenerator: 2, size: 1024, publickey: 829DE389D7731F6CB1C92B92965E119FFCBAE433C5B19B5C262623FD5EA6F2D53EFAD3195372B7C746DB376C3739CBC03BE7614183F658E059F02FF8C463051E3684424BE8F3F96353275201D8B8154DED3A5152DD04EBD55C0EC20544F975EEEB703B3085C174C761712AC83EACF8507895571E1F076876F26162504D75EF11 } JSON with JAVA { prime: 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668388144034129745221171818506047231150039301079959358067395348717066319802262019714966524135060945913707594956514672855690606794135837542707371727429551343320695239, basegenerator: 1740682075324020951858119801235234365386044907945613509784958310405999534884558231478515974089409507253077970949157594923683005742524387610370844734671801488761181030830437549851909834726015504946913294880833954923138536164648264460849230407872181895056496097769368017749273708962006689187956744210730, size: 1024, publickey: 154098060632197825972569070553594673213907981120204558893455132154488920498286340180930009617674527453058248409146259055129616519883338912429359077804301589391083095780370584174889589223725092053310001148182587778315708960959816212553890780658697750126252666385136330617189340099488509957293788029153796583284280546893194823052732368554200517384648060949814219845513312636361799960550824305241776726569729968117653644039260346804354135691237238964153781814300021332541328282477027772784043832083697573459487287571520026609334964134811373470209956613009283464376018849091639198208244682804180475479662224652170610412421382256896232908714139611606796633319949985382724877107919957408909942743414340389890006834786464852247662337830546584844189278383274479199021252090407963572739286575933788241737975537671923484277171204499262529715278092506505239752566691287452373502190399117732855968397767896906732126573639005461407592315315318920060328019073971670048355762952267750188451524151795498747866082848788789357672209810743252483 } Kindly let me know if you need anything else. even I can share my implementation (both Java and C) So a few things strike me about this: 1) The C version is in hex while the java version is in decimal. Is this intentional? When you are reading in the values are reading them correctly (i.e. as hex or as decimal as required) 2) Is this sample from the *same* key exchange? The parameters are different which are obviously going to cause it to fail. 3) Its not actually necessary to pass the full parameters every time you exchange keys. This can be agreed up front, e.g. RF5114 defines a set of standard well known parameters which can be used off the shelf. OpenSSL has built-in support for these. Matt
Re: Diffie algorithm in openssl: and Java
On 18 March 2013 12:15, azhar jodatti azhar...@gmail.com wrote: 2) Is this sample from the *same* key exchange? The parameters are different which are obviously going to cause it to fail. When I run both programs it calculates the params (p,g,pk) every time on execution . that's the reason both key values are different. That won't make any such difference :) right? The parameters p, q and g need to be the same on both sides of the exchange. The values for this can be agreed in advance. You do not need to calculate them every time. If the two parties in the exchange are using different parameters then it will not work. Each side will have different private keys, and hence different public keys. You *can* generate the parameters every time - it will work as long as both sides are using the same p, q and g values - but there is no reason to do so. I also just noticed that in your JSON sample there is only one prime number provided. There are in fact two required: p and q. 3) Its not actually necessary to pass the full parameters every time you exchange keys. This can be agreed up front, e.g. RF5114 defines a set of standard well known parameters which can be used off the shelf. OpenSSL has built-in support for these. I need to look into this. Do you mean the hard coded prime and base generator numbers at client and server? how about public key? The values p, q and g can be hard coded at client and server. The private/public keys can also be static on both sides of the exchange - but if you do so then bear in mind that the agreed on secret will be the same every time. More likely you will want to use ephemeral mode - one side (usually the server) can have a static private/public key, whilst the client will use a new one every time. This will ensure that a new secret is agreed each time. One other point to make here is that it looks very much like you are designing your own protocol rather than implementing a well defined one. This is fraught with security risksit is very easy to make a mistake - and is generally a bad idea. Use standardised approaches where ever possible. In particular note that the diffie-hellman implementation in use here provides a raw shared secret at the end. Standardised protocols normally define a process for turning that shared secret into something which can be used as a key (typically by passing the secret, along with other data through some message digest). E.g. see RFC 2631 Matt
Fwd: Diffie algorithm in openssl: and Java
On 18 March 2013 12:15, azhar jodatti azhar...@gmail.com wrote: 2) Is this sample from the *same* key exchange? The parameters are different which are obviously going to cause it to fail. When I run both programs it calculates the params (p,g,pk) every time on execution . that's the reason both key values are different. That won't make any such difference :) right? The parameters p, q and g need to be the same on both sides of the exchange. The values for this can be agreed in advance. You do not need to calculate them every time. If the two parties in the exchange are using different parameters then it will not work. Each side will have different private keys, and hence different public keys. . p,q and g are same at both the end. let me tell how i am doing. I am generating p,g and q at client. then I am generating private and public key with these params. I am sending these p,g,q and public key to server and hence server using same p,g and q to generate its private and public key. server generates secret key with client public key and returns its public key. client in turn use the server public key to generated its secret key. I am generating parameter when user logs in and stays till user logout. next time when he logs in the same procedure will happen. You *can* generate the parameters every time - it will work as long as both sides are using the same p, q and g values - but there is no reason to do so I don't think i understood you completely here. but I am ok by generating parameters every time as long as it works :) I also just noticed that in your JSON sample there is only one prime number provided. There are in fact two required: p and q. well, I think other prime number is g and not q. other prime number is base generator i.e g in above JSON sample. 3) Its not actually necessary to pass the full parameters every time you exchange keys. This can be agreed up front, e.g. RF5114 defines a set of standard well known parameters which can be used off the shelf. OpenSSL has built-in support for these. I need to look into this. Do you mean the hard coded prime and base generator numbers at client and server? how about public key? The values p, q and g can be hard coded at client and server. The private/public keys can also be static on both sides of the exchange - but if you do so then bear in mind that the agreed on secret will be the same every time. More likely you will want to use ephemeral mode - one side (usually the server) can have a static private/public key, whilst the client will use a new one every time. This will ensure that a new secret is agreed each time. Yes, I would love to see at least this working. I will try this today, however I still prefer dynamic values over static. :) ;) One other point to make here is that it looks very much like you are designing your own protocol rather than implementing a well defined one. This is fraught with security risksit is very easy to make a mistake - and is generally a bad idea. Use standardised approaches where ever possible. In particular note that the diffie-hellman implementation in use here provides a raw shared secret at the end. Standardised protocols normally define a process for turning that shared secret into something which can be used as a key (typically by passing the secret, along with other data through some message digest). E.g. see RFC 2631 I don't feel i am trying to design my own protocol. at least it won't look so for me :) I want to use symmetric key encryption and for that I need a same secret key at both the ends at run time. Who else does this better than Diffie Hellman? :) :) Matt
Re: Diffie algorithm in openssl: and Java
On 18 March 2013 15:05, azhar jodatti azhar...@gmail.com wrote: I also just noticed that in your JSON sample there is only one prime number provided. There are in fact two required: p and q. well, I think other prime number is g and not q. other prime number is base generator i.e g in above JSON sample. No, g is the generator and I don't believe there is a requirement for it to be prime. In fact your Java version of your JSON has a generator which is clearly NOT prime - it is an even number. You are missing a parameter from your JSON. One other point to make here is that it looks very much like you are designing your own protocol rather than implementing a well defined one. This is fraught with security risksit is very easy to make a mistake - and is generally a bad idea. Use standardised approaches where ever possible. In particular note that the diffie-hellman implementation in use here provides a raw shared secret at the end. Standardised protocols normally define a process for turning that shared secret into something which can be used as a key (typically by passing the secret, along with other data through some message digest). E.g. see RFC 2631 I don't feel i am trying to design my own protocol. at least it won't look so for me :) I want to use symmetric key encryption and for that I need a same secret key at both the ends at run time. Who else does this better than Diffie Hellman? :) :) Diffie Hellman is the algorithm, the protocol is about how you implement and use that algorithm, e.g. taking a ridiculous example you can use the diffie-hellman algorithm and then make it insecure by transmitting the private key in the clear in the protocol!! See the top answer here: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology Also: http://www.cse.chalmers.se/edu/year/2012/course/TDA601/Project/Presentations06/9.pdf And: Cryptographic protocols and algorithms are difficult to get right, so do not create your own http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/crypto.html Matt
RE: Diffie algorithm in openssl: and Java
From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Saturday, 16 March, 2013 14:00 I am working on application which has android and iPhone client. Both the client talk to my server which is written in JAVA. I am using JCE implementation of DH algorithm and X509EncodedkeySpec for generating public and private key. code below X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(this.clientPublicKey); PublicKey pk = kf.generatePublic(x509Spec); (I assume this is on the server, kf is a KeyFactory.getInstance(DH) and this.clientPublicKey contains client DH public key in X509-ki form.) In spite of the name, that doesn't generate a key, it only converts it from an external form (X509) to an internal form JCE can use directly. DH key(pair) generation is done with a KeyPairGenerator.getInstance(DH). It can use parameters from several sources; which are you using? for iPhone client I wrote a C programme which makes use of openSSl implementation of DH algorithm. The problem I am facing is when I generate DH params (prime,generator,pulickey) at client and pass them to server to calculate server's public and secret key, my server (JAVA) throws invalidKeySpecification exception. below are steps. //client is DH *client. //also tried with 1024 bits and DH_GENERATOR_5 DH_generate_parameters_ex(client,512,DH_GENERATOR_2,NULL); You don't need to generate new parameters each time, as I said before. And for secure sizes it's usually rather costly/slow to do so. If you do generate new parameters, the server side Java *must* use parameters sent by the client as input to server KeyPairGenerator. OTOH DH-512 is almost certainly not secure. I don't understand all the math, but the authorities I trust say that discrete-log (DH) is only a few bits better than factoring (RSA), and RSA-512 is fallen. 2. then generating DH public and private key DH_generate_key(client) That is actual key generation, like KeyPairGenerator.generate. when I pass these (prime,generator,publickey ) generated keys to server which is written in JAVA , It won't work. server (JAVA) throws invalidKeySpecification exception. Then you're not doing what I described. See next. One more point I would like to mention here is, When I use DHPublicKeySpec instead of X509EncodedKeySpec at server (JAVA) it won't throw invalidKeySpecification exception. snip rest Those are different data formats. X509EncodedKeySpec is correct if you have a DH public key (or other public key) *in X.509 SubjectPublicKeyInfo format* which Openssl calls PUBKEY and can do with no additional code. In another email you show that you are using a JSON format with separate fields (which you didn't mention before), which contains the same data as X.509-keyinfo but is not even remotely the same format, so for your format yes DHPublicKeySpec is correct. See other response for more about parameters and key values. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Diffie algorithm in openssl: and Java
From: owner-openssl-us...@openssl.org On Behalf Of Matt Caswell Sent: Monday, 18 March, 2013 09:17 On 18 March 2013 12:15, azhar jodatti azhar...@gmail.com wrote: 2) Is this sample from the *same* key exchange? The parameters are different which are obviously going to cause it to fail. When I run both programs it calculates the params (p,g,pk) every time on execution . that's the reason both key values are different. That won't make any such difference :) right? The parameters p, q and g need to be the same on both sides of the exchange. The values for this can be agreed in advance. You do not need to calculate them every time. And I would advise against doing so, because generating parameters is costly. But see below about q. If the two parties in the exchange are using different parameters then it will not work. Each side will have different private keys, and hence different public keys. You *can* generate the parameters every time - it will work as long as both sides are using the same p, q and g values - but there is no reason to do so. This isn't clear. Each side chooses keys (x,y) using the parameters, which as you say must be the same. With parameters the same, the *key* values if chosen properly (randomly) will be different. If the parameters are (wrongly) different, the key values will overwhelmingly be chosen different also, but even if they are accidentally the same or x is forced the same, exchange doesn't work. And see next about q. I also just noticed that in your JSON sample there is only one prime number provided. There are in fact two required: p and q. No. *DSA* uses p,q,g. DH requires p,g which effectively determines q, but DH computation doesn't use q and standard formats don't have it. DH can use l which is the *size* of q thus the (max) entropy of the agreement. It is sometimes convenient to use DSA parameters as DH parameters by ignoring q except optionally its size. And possibly relevant here, the standard Suncle JCE provider actually uses DSA paramgen for DH and thus imposes the DSA size restrictions on DH -- 512 to 1024 in steps of 64 -- although they aren't required by any standard I know of. I don't recall if JCE also restricts *existing* (received) params; I'll test when I have some time. I do recall you can get around this by using BouncyCastle instead. But just using 1024 is easy and fine. 3) Its not actually necessary to pass the full parameters every time you exchange keys. This can be agreed up front, e.g. RF5114 defines a set of standard well known parameters which can be used off the shelf. OpenSSL has built-in support for these. Or 2412 (Oakley) or others. There are actually two issues here: - you don't need to *generate* new parameters every time. If you do, you must send them. Sending in standard X509-ki format is often the easiest way (and JCE does by default) but not the only way. - if you reuse parameters, you don't *need* to send them, but it can be useful if you do because both parties can check they agree and something hasn't gotten misconfigured or out of sync. I need to look into this. Do you mean the hard coded prime and base generator numbers at client and server? how about public key? The values p, q and g can be hard coded at client and server. The private/public keys can also be static on both sides of the exchange - but if you do so then bear in mind that the agreed on secret will be the same every time. More likely you will want to use ephemeral mode snip I would suggest configured rather than hard-coded -- but the important point is fixed/static/long-term versus new each time. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On 18 March 2013 21:02, Dave Thompson dthomp...@prinpay.com wrote: I also just noticed that in your JSON sample there is only one prime number provided. There are in fact two required: p and q. No. *DSA* uses p,q,g. DH requires p,g which effectively determines q, but DH computation doesn't use q and standard formats don't have it. DH can use l which is the *size* of q thus the (max) entropy of the agreement. It is sometimes convenient to use DSA parameters as DH parameters by ignoring q except optionally its size. Not entirely correct. I've just been digging into this when I saw your email. PKCS 3 does not use q for DH: DHParameter ::= SEQUENCE { prime INTEGER, -- p base INTEGER, -- g privateValueLength INTEGER OPTIONAL } However, the newer X9.42 DOES require q to be present: DomainParameters ::= Sequence { p INTEGER, -- odd prime, p = jq+1 g INTEGER, -- generator, g^q = 1 mod p q INTEGER, -- prime factor of p-1 j INTEGER OPTIONAL, -- cofactor, j=2 validationParms ValidationParms OPTIONAL } ValidationalParms ::= Sequence { seed BITSTRING, -- seed for prime generation pGenCounter INTEGER, -- parameter verification } However, it seems that OpenSSL does not support the X9.42 version. From the notes on the dhparam man page: OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH. All the OpenSSL built-in RFC5114 domain parameters are also defined in terms of p, q and g. However, you are correct that the DH computation does not use q, although I do not know whether JCE requires it to be specified (not having used JCE). Matt
Re: Diffie algorithm in openssl: and Java
On 18 March 2013 21:44, Matt Caswell fr...@baggins.org wrote: However, you are correct that the DH computation does not use q, although I do not know whether JCE requires it to be specified (not having used JCE). One other point on this - X9.42 describes an optional validation procedure which does use q. From RFC2631 (based on X9.42): The following algorithm MAY be used to validate a received public key y. 1. Verify that y lies within the interval [2,p-1]. If it does not, the key is invalid. 2. Compute y^q mod p. If the result == 1, the key is valid. Otherwise the key is invalid. The primary purpose of public key validation is to prevent a small subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static mode is used, this check may not be necessary. See also [P1363] for more information on Public Key validation. Matt
Re: Diffie algorithm in openssl: and Java
Thompson, Really thanks for the reply. appreciate your time. Yes it was JCE and not JCF. it was typo :) I am working on application which has android and iPhone client. Both the client talk to my server which is written in JAVA. I am using JCE implementation of DH algorithm and X509EncodedkeySpec for generating public and private key. code below X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(this.clientPublicKey); PublicKey pk = kf.generatePublic(x509Spec); for the android client I am using same JCE implementation of DH algorithm and it works fine with my server. for iPhone client I wrote a C programme which makes use of openSSl implementation of DH algorithm. The problem I am facing is when I generate DH params (prime,generator,pulickey) at client and pass them to server to calculate server's public and secret key, my server (JAVA) throws invalidKeySpecification exception. below are steps. Client in C 1. I am generating DH parameters (prime,generator) //client is DH *client. //also tried with 1024 bits and DH_GENERATOR_5 DH_generate_parameters_ex(client,512,DH_GENERATOR_2,NULL); 2. then generating DH public and private key DH_generate_key(client) when I pass these (prime,generator,publickey ) generated keys to server which is written in JAVA , It won't work. server (JAVA) throws invalidKeySpecification exception. One more point I would like to mention here is, When I use DHPublicKeySpec instead of X509EncodedKeySpec at server (JAVA) it won't throw invalidKeySpecification exception. It generates public and secret key and when I get server's public key at client and try to generate client secret key, secret key get generated at client ('C') but both keys server's secret key and client secret key wont' match. Even I not sure whether I am doing it correctly in C. Please suggest or let me know if you need more information. Regards, Azhar On Sat, Mar 16, 2013 at 5:50 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Wednesday, 13 March, 2013 13:44 I was trying to implement the diffie Hellman algorithm in Java which makes use of JCF and as well as in c with openssl... I assume you mean JCE, or maybe JCA. JCF is completely unrelated. I am able to get this work in respective languages I.e Java - Java and C-C works fine . Generates the DH parameters and other stuffs quit well. Since my server is in Java and client is in C, I was trying to use openssl generated keys with Java as other part of component which is not working at all. Java keeps giving me invalid key specification exception... What exactly are you trying to do? Your client and server, or other parties, should NEVER share a DH privatekey; they must share parameters (the group definition prime P and generator G) and exchange publickeys that use the same parameters. There are two usual ways of doing this: 1: parameters are distributed in advance, each party generates keypair (possibly certified), and they exchange at least public values (y) and optionally also duplicate parameters (especially if using certificates). 2: one party (in SSL/TLS the server) sends publickey containing parameters and public value (which may be generated in advance or transient); other party uses parameters to generate and send public value (usually transient). Openssl stores DH parameters in PKCS3 format, and since 1.0.0 can store DH privatekey in PKCS8 clear (really privkeyinfo) or encrypted and DH publickey in PUBKEY (X509 pubkeyinfo), both of which include parameters. JCE as far as I can see can't handle DH parameters alone, but can handle PKCS8 clear as PKCS8EncodedKeySpec and X509-keyinfo as X509EncodedKeySpec. (JCE handles only the DER forms; converting DER to/from PEM isn't hard, but openssl does it easily for free.) For 2 above Java responder can simply read the peer's publickey, and copy the parameters to generate its self keypair. For 1 you can either (create and) use a dummy publickey to transmit the parameters or you can write your own code to do PKCS3 -- or some other format. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Diffie algorithm in openssl: and Java
On 16 March 2013 18:00, azhar jodatti azhar...@gmail.com wrote: Thompson, Really thanks for the reply. appreciate your time. Yes it was JCE and not JCF. it was typo :) I am working on application which has android and iPhone client. Both the client talk to my server which is written in JAVA. I am using JCE implementation of DH algorithm and X509EncodedkeySpec for generating public and private key. code below X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(this.clientPublicKey); PublicKey pk = kf.generatePublic(x509Spec); for the android client I am using same JCE implementation of DH algorithm and it works fine with my server. for iPhone client I wrote a C programme which makes use of openSSl implementation of DH algorithm. The problem I am facing is when I generate DH params (prime,generator,pulickey) at client and pass them to server to calculate server's public and secret key, my server (JAVA) throws invalidKeySpecification exception. below are steps. Client in C 1. I am generating DH parameters (prime,generator) //client is DH *client. //also tried with 1024 bits and DH_GENERATOR_5 DH_generate_parameters_ex(client,512,DH_GENERATOR_2,NULL); 2. then generating DH public and private key DH_generate_key(client) when I pass these (prime,generator,publickey ) generated keys to server which is written in JAVA , It won't work. server (JAVA) throws invalidKeySpecification exception. Is there any particular reason why you are using the low level interface for this. Typically using the high level EVP interface is preferred. See: http://www.openssl.org/docs/crypto/EVP_PKEY_derive.html To generate parameters: /* Create the context for generating the parameters */ if(!(pctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err; if(!EVP_PKEY_paramgen_init(pctx)) goto err; /* Set a prime length of 2048 */ if(!EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx, 2048)) goto err; /* Generate parameters */ if (!EVP_PKEY_paramgen(pctx, params)) goto err; To generate keys: if(!(kctx = EVP_PKEY_CTX_new(params, NULL))) goto err; if(!EVP_PKEY_keygen_init(kctx)) goto err; /* Generate the key */ if (!EVP_PKEY_keygen(kctx, key)) goto err; To get the parameters afterwards you can use: DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey); So, how are you transmitting the parameters and public keys between the Java and C? Matt
Re: Diffie algorithm in openssl: and Java
Matt, No reason as such for using low level interface.I just want to get it done. Do you see any issues with low level interface? or any issues with my code? In addition, the server and client works over REST API's, hence I am using JSON format to pass the parameter over the wire. Regards, Azhar On Sun, Mar 17, 2013 at 3:27 AM, Matt Caswell fr...@baggins.org wrote: On 16 March 2013 18:00, azhar jodatti azhar...@gmail.com wrote: Thompson, Really thanks for the reply. appreciate your time. Yes it was JCE and not JCF. it was typo :) I am working on application which has android and iPhone client. Both the client talk to my server which is written in JAVA. I am using JCE implementation of DH algorithm and X509EncodedkeySpec for generating public and private key. code below X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(this.clientPublicKey); PublicKey pk = kf.generatePublic(x509Spec); for the android client I am using same JCE implementation of DH algorithm and it works fine with my server. for iPhone client I wrote a C programme which makes use of openSSl implementation of DH algorithm. The problem I am facing is when I generate DH params (prime,generator,pulickey) at client and pass them to server to calculate server's public and secret key, my server (JAVA) throws invalidKeySpecification exception. below are steps. Client in C 1. I am generating DH parameters (prime,generator) //client is DH *client. //also tried with 1024 bits and DH_GENERATOR_5 DH_generate_parameters_ex(client,512,DH_GENERATOR_2,NULL); 2. then generating DH public and private key DH_generate_key(client) when I pass these (prime,generator,publickey ) generated keys to server which is written in JAVA , It won't work. server (JAVA) throws invalidKeySpecification exception. Is there any particular reason why you are using the low level interface for this. Typically using the high level EVP interface is preferred. See: http://www.openssl.org/docs/crypto/EVP_PKEY_derive.html To generate parameters: /* Create the context for generating the parameters */ if(!(pctx = EVP_PKEY_CTX_new_id(type, NULL))) goto err; if(!EVP_PKEY_paramgen_init(pctx)) goto err; /* Set a prime length of 2048 */ if(!EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx, 2048)) goto err; /* Generate parameters */ if (!EVP_PKEY_paramgen(pctx, params)) goto err; To generate keys: if(!(kctx = EVP_PKEY_CTX_new(params, NULL))) goto err; if(!EVP_PKEY_keygen_init(kctx)) goto err; /* Generate the key */ if (!EVP_PKEY_keygen(kctx, key)) goto err; To get the parameters afterwards you can use: DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey); So, how are you transmitting the parameters and public keys between the Java and C? Matt
RE: Diffie algorithm in openssl: and Java
From: owner-openssl-us...@openssl.org On Behalf Of azhar jodatti Sent: Wednesday, 13 March, 2013 13:44 I was trying to implement the diffie Hellman algorithm in Java which makes use of JCF and as well as in c with openssl... I assume you mean JCE, or maybe JCA. JCF is completely unrelated. I am able to get this work in respective languages I.e Java - Java and C-C works fine . Generates the DH parameters and other stuffs quit well. Since my server is in Java and client is in C, I was trying to use openssl generated keys with Java as other part of component which is not working at all. Java keeps giving me invalid key specification exception... What exactly are you trying to do? Your client and server, or other parties, should NEVER share a DH privatekey; they must share parameters (the group definition prime P and generator G) and exchange publickeys that use the same parameters. There are two usual ways of doing this: 1: parameters are distributed in advance, each party generates keypair (possibly certified), and they exchange at least public values (y) and optionally also duplicate parameters (especially if using certificates). 2: one party (in SSL/TLS the server) sends publickey containing parameters and public value (which may be generated in advance or transient); other party uses parameters to generate and send public value (usually transient). Openssl stores DH parameters in PKCS3 format, and since 1.0.0 can store DH privatekey in PKCS8 clear (really privkeyinfo) or encrypted and DH publickey in PUBKEY (X509 pubkeyinfo), both of which include parameters. JCE as far as I can see can't handle DH parameters alone, but can handle PKCS8 clear as PKCS8EncodedKeySpec and X509-keyinfo as X509EncodedKeySpec. (JCE handles only the DER forms; converting DER to/from PEM isn't hard, but openssl does it easily for free.) For 2 above Java responder can simply read the peer's publickey, and copy the parameters to generate its self keypair. For 1 you can either (create and) use a dummy publickey to transmit the parameters or you can write your own code to do PKCS3 -- or some other format. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Openssl for Java application
This is my first time to use OpenSSL. I have wrote once to ask for help but no reply. I would like to write OpenSSL-enabled code in my Java application, but I have no idea where to start from. What I have explored is that OpenSSL is meant for C or I might be wrong. So, I hope that I will get sufficient information from you on how to integrate OpenSSL into my Java application. Thanks. Your help is much appreciated.
Re: Openssl for Java application
http://noc.kpnw.org/~scott/ http://www.bpsinfo.com/javassl/ http://sponsor.iti.informatik.tu-darmstadt.de/itissl/
Re: Openssl for Java application
Hi, Khoo Wei Hiong, What are you trying to do exactly? If you're doing password-based encryption/decryption with symmetric keys (e.g. AES, 3DES with openssl enc on command-line), then the not-yet-commons-ssl java library will help you interop with OpenSSL: http://juliusdavies.ca/commons-ssl/ In particular, here's the link describing the symmetric key password-based-encryption (PBE) stuff: http://juliusdavies.ca/commons-ssl/pbe.html The library can also read any DSA or RSA private key generated by OpenSSL: http://juliusdavies.ca/commons-ssl/pkcs8.html Good luck! yours, Julius On Mon, Jun 2, 2008 at 12:14 AM, Khoo Wei Hiong [EMAIL PROTECTED] wrote: This is my first time to use OpenSSL. I have wrote once to ask for help but no reply. I would like to write OpenSSL-enabled code in my Java application, but I have no idea where to start from. What I have explored is that OpenSSL is meant for C or I might be wrong. So, I hope that I will get sufficient information from you on how to integrate OpenSSL into my Java application. Thanks. Your help is much appreciated. -- yours, Julius Davies 250-592-2284 (Home) 250-893-4579 (Mobile) http://juliusdavies.ca/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Openssl for Java application
So, I hope that I will get sufficient information from you on how to integrate OpenSSL into my Java application. You might find it a lot easier if you were to use Bouncy Castle. http://www.bouncycastle.org/
Re: Blowfish CBC output ciphertext differs in OpenSSL and Java with same key and IV
On Tue, Apr 29, 2008 at 5:03 AM, Dr. Stephen Henson [EMAIL PROTECTED] wrote: The call to EVP_EncryptInit_ex() uses the default key length for the cipher unless told otherwise. For Blowfish this is 128 bits but you have a 56 byte (?) key. You need to set the key length using EVP_CIPHER_CTX_set_key_length(). This involves a double call to EVP_EncryptInit_ex(). See the manual pages for more information. Thanks for your responses Steve and Julius! Yes, setting the key length appears to make it work now. I also just saw e_bf.c where IMPLEMENT_BLOCK_CIPHER is setting the default variable key to 128 bits... Regards, Vishal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Blowfish CBC output ciphertext differs in OpenSSL and Java with same key and IV
I have no idea if your C++ code is correct, but I wrote some java code the correctly does that java side. Download not-yet-commons-ssl.jar and try this utility class: org.apache.commons.ssl.OpenSSL Here are the instructions to use it: http://juliusdavies.ca/commons-ssl/pbe.html In your case probably something like this will work: byte[] encrypted = OpenSSL.encrypt(bf-cbc, key, iv, data); yours, Julius On Sun, Apr 27, 2008 at 10:50 PM, Vishal Rao [EMAIL PROTECTED] wrote: Hello, I'm trying to encrypt a few bytes (as a trial run) with the same key and IV with Blowfish in CBC mode and standard PKCS padding using OpenSSL in a C++ app and also using SUN's Java crypto libraries. The output ciphertext is different in both places which means that I cannot get them to interoperate - cannot encrypt in OpenSSL and decrypt in Java due to a BadPaddingException. I'm pasting some code below that I've written (minus error checking etc for brevity) Is there something I can do differently in OpenSSL to get the same output - perhaps setting the key and IV differently so as to generate the same output ciphertext as Java is returning? C++ code using OpenSSL: unsigned char testplaintext[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; unsigned char ciphertext[100] = {0}; int outlen, tmplen; unsigned char key[56] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56}; unsigned char iv[8] = {1, 2, 3, 4, 5, 6, 7, 8}; EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(ctx); EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv); EVP_EncryptUpdate(ctx, ciphertext, outlen, testplaintext, 10); EVP_EncryptFinal_ex(ctx, ciphertext + outlen, tmplen); outlen += tmplen; EVP_CIPHER_CTX_cleanup(ctx); // now ciphertext contains the output encrypted bytes. Java code doing the same: byte[] testplaintext = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; byte[] testkey = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56}; byte[] testivbytes = {1, 2, 3, 4, 5, 6, 7, 8}; IvParameterSpec testiv = new IvParameterSpec(testivbytes); SecretKeySpec testsks = new SecretKeySpec(testkey, 0, 56, Blowfish); Cipher testcipher = Cipher.getInstance(Blowfish/CBC/PKCS5Padding); testcipher.init(Cipher.ENCRYPT_MODE, testsks, testiv); byte[] testciphertext = testcipher.doFinal(testplaintext); // now testciphertext contains the output encrypted bytes. When I dump the bytes in the C++ ciphertext and Java testciphertext byte arrays they are different. Any suggestions? Looking through the OpenSSL code, it appears that the key bytes we pass in are not used directly, rather some extra operations are done before using it as the key, so maybe that is causing the mismatch in output ciphertext. Is there a way to force OpenSSL to use the key we provide unmodified? Regards, Vishal -- Thou shalt not follow the null pointer for at it's end madness and chaos lie. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- yours, Julius Davies 250-592-2284 (Home) 250-893-4579 (Mobile) http://juliusdavies.ca/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Blowfish CBC output ciphertext differs in OpenSSL and Java with same key and IV
On Mon, Apr 28, 2008, Vishal Rao wrote: C++ code using OpenSSL: unsigned char testplaintext[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; unsigned char ciphertext[100] = {0}; int outlen, tmplen; unsigned char key[56] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56}; unsigned char iv[8] = {1, 2, 3, 4, 5, 6, 7, 8}; EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(ctx); EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv); EVP_EncryptUpdate(ctx, ciphertext, outlen, testplaintext, 10); EVP_EncryptFinal_ex(ctx, ciphertext + outlen, tmplen); outlen += tmplen; EVP_CIPHER_CTX_cleanup(ctx); The call to EVP_EncryptInit_ex() uses the default key length for the cipher unless told otherwise. For Blowfish this is 128 bits but you have a 56 byte (?) key. You need to set the key length using EVP_CIPHER_CTX_set_key_length(). This involves a double call to EVP_EncryptInit_ex(). See the manual pages for more information. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Blowfish CBC output ciphertext differs in OpenSSL and Java with same key and IV
Hello, I'm trying to encrypt a few bytes (as a trial run) with the same key and IV with Blowfish in CBC mode and standard PKCS padding using OpenSSL in a C++ app and also using SUN's Java crypto libraries. The output ciphertext is different in both places which means that I cannot get them to interoperate - cannot encrypt in OpenSSL and decrypt in Java due to a BadPaddingException. I'm pasting some code below that I've written (minus error checking etc for brevity) Is there something I can do differently in OpenSSL to get the same output - perhaps setting the key and IV differently so as to generate the same output ciphertext as Java is returning? C++ code using OpenSSL: unsigned char testplaintext[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; unsigned char ciphertext[100] = {0}; int outlen, tmplen; unsigned char key[56] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56}; unsigned char iv[8] = {1, 2, 3, 4, 5, 6, 7, 8}; EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(ctx); EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv); EVP_EncryptUpdate(ctx, ciphertext, outlen, testplaintext, 10); EVP_EncryptFinal_ex(ctx, ciphertext + outlen, tmplen); outlen += tmplen; EVP_CIPHER_CTX_cleanup(ctx); // now ciphertext contains the output encrypted bytes. Java code doing the same: byte[] testplaintext = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; byte[] testkey = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56}; byte[] testivbytes = {1, 2, 3, 4, 5, 6, 7, 8}; IvParameterSpec testiv = new IvParameterSpec(testivbytes); SecretKeySpec testsks = new SecretKeySpec(testkey, 0, 56, Blowfish); Cipher testcipher = Cipher.getInstance(Blowfish/CBC/PKCS5Padding); testcipher.init(Cipher.ENCRYPT_MODE, testsks, testiv); byte[] testciphertext = testcipher.doFinal(testplaintext); // now testciphertext contains the output encrypted bytes. When I dump the bytes in the C++ ciphertext and Java testciphertext byte arrays they are different. Any suggestions? Looking through the OpenSSL code, it appears that the key bytes we pass in are not used directly, rather some extra operations are done before using it as the key, so maybe that is causing the mismatch in output ciphertext. Is there a way to force OpenSSL to use the key we provide unmodified? Regards, Vishal -- Thou shalt not follow the null pointer for at it's end madness and chaos lie. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Openssl and java jsse TLS key refresh
Hi, I have Openssl based TLS server where a java jsse (java secure socket extention) client connects. After a bit to exchange the server tries to renegotiate, here's a sample code ret = SSL_accept (ssl); CHK_SSL_ERR(ret); char buffer[256]; int count = 0; static BIO *out = BIO_new_fp(stdout,BIO_NOCLOSE); SSL_SESSION *session = SSL_get_session(ssl); SSL_SESSION_print(out, session); while(true) { memset(buffer, 0, sizeof(buffer)); if (retryRead(ssl, buffer, sizeof(buffer)) 0) { sscanf(buffer, Request :%d, count); printf('%s'\n, buffer); memset(buffer, 0x00, sizeof(buffer)); sprintf(buffer, Response :%d, count); if (retryWrite(ssl, buffer, strlen(buffer)) = 0) { printf(ERROR writing response\n); } if (count != 0 count % 5 == 0) { SSL_renegotiate(ssl); int pending = SSL_renegotiate_pending(ssl); int handShake = SSL_do_handshake(ssl); int timeout = 200; printf(do_handshake %d\n, handShake); int renegCount = count + 1000; do { timeout--; SSL_do_handshake(ssl); /*memset(buffer, 0, sizeof(buffer)); sprintf(buffer, renegotiating %d, renegCount++); Write(buffer, strSize); if (Read(buffer, strSize) != strSize) { printf(ERROR: unexpected read size\n); } printf(%s\n, buffer);*/ } while(SSL_renegotiate_pending(ssl) timeout 0); SSL_SESSION *newSession = SSL_get_session(ssl); if (newSession) { printf(Session B\n); SSL_SESSION_print(out, newSession); } printf(session compare %d\n, SSL_SESSION_cmp(session, newSession)); printf(timeout %d\n, timeout); if (timeout = 0) { printf(ERROR in refreshing keys\n); } } memset(buffer, 0, sizeof(buffer)); } else { printf(Error reading response\n); } } int retryWrite(SSL *pSSL, char *pBuffer, int pSize) { int ret = SSL_write(pSSL, pBuffer, pSize); while (ret = 0) { int err = SSL_get_error(pSSL, ret); if (err == SSL_ERROR_WANT_READ) { ret = SSL_write(pSSL, pBuffer, pSize); } else if (err == SSL_ERROR_WANT_WRITE) { ret = SSL_write(pSSL, pBuffer, pSize); } else { printf(ERROR in RetryWrite %d\n, err); return -1; } } return ret; } int retryRead(SSL *pSSL, char *pBuffer, int pSize) { int ret = SSL_read(pSSL, pBuffer, pSize); while (ret = 0) { int err = SSL_get_error(pSSL, ret); if (err == SSL_ERROR_WANT_READ) { ret = SSL_read(pSSL, pBuffer, pSize); } else if (err == SSL_ERROR_WANT_WRITE) { ret = SSL_read(pSSL, pBuffer, pSize); } else { //ret = SSL_read(pSSL, pBuffer, pSize); printf(ERROR in retryRead %d\n, err); return -1; } } return ret; } I'm (the Openssl TLS server) gets an error at the time of read. And after looking in the openssl sources the error is SSL_ERROR_SSL defined in ssl.h I'm wondering if anyone else ran into this kind of a problem with a java client connecting. The refresh works if a openssl client connects but not with a java ssl one. by the way i'm using java java version 1.5.0_09 Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01) Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode) openssl 0.9.8 Is this a limitation with the java implementation of TLS ? Is there a possible work around ? As always any insights would be appreciated. -Kunal _ Put your friends on the big screen with Windows Vista® + Windows Live™. http://www.microsoft.com/windows/shop/specialoffers.mspx?ocid=TXT_TAGLM_CPC_MediaCtr_bigscreen_102007
Re: Openssl in java
Hi Suresh , Yes you can use open ssl to encrypt the data and decrypt the same using java (any JCE implementaions) .Provided you have to use same algorthim with correct pading and initialisation vectors . cheers Kabheer [EMAIL PROTECTED] wrote: Hi,Thanks for your reply.can i use openssl to encrypt in c++ and bouncy castle to decrypt in java.ThanksS.Suresh- Original Message -From: Lawrence Bowie <[EMAIL PROTECTED]>Date: Thursday, December 16, 2004 10:38 amSubject: Re: Openssl in java Try the native implementation bundled with Sun else you will have to use some JNI methods ... http://java.sun.com/products/jsse/ LDB[EMAIL PROTECTED] wrote: Hi, I am developing server application in java and client in vc++. How to use openssl from java. Thanks in abvance S.Suresh __ OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED] Do you Yahoo!? All your favorites on one personal page Try My Yahoo!
Openssl in java
Hi, I am developing server application in java and client in vc++. How to use openssl from java. Thanks in abvance S.Suresh __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl in java
Try the native implementation bundled with Sun else you will have to use some JNI methods ... http://java.sun.com/products/jsse/ LDB [EMAIL PROTECTED] wrote: Hi, I am developing server application in java and client in vc++. How to use openssl from java. Thanks in abvance S.Suresh __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl in java
Hi, Thanks for your reply. can i use openssl to encrypt in c++ and bouncy castle to decrypt in java. Thanks S.Suresh - Original Message - From: Lawrence Bowie [EMAIL PROTECTED] Date: Thursday, December 16, 2004 10:38 am Subject: Re: Openssl in java Try the native implementation bundled with Sun else you will have to use some JNI methods ... http://java.sun.com/products/jsse/ LDB [EMAIL PROTECTED] wrote: Hi, I am developing server application in java and client in vc++. How to use openssl from java. Thanks in abvance S.Suresh __ OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL and JAVA
I'm having problems importing my OpennSSL certificates to my keystore. I created my root certificate in cacert.pem and I'm trying to import this now to my keystore. okay. some progress. I was able to import my CA using keytool. Apparently, you have to specify an alias for it. keytool -keystore myKeystore -import -alias cacert -file cacert.pem That worked fine for me. Then I tried importing a certificate signed by my CA. But now it's complaining that Input not an X.509 certificate. Is it because my extension is .pem? But I find it strange that I was able to successfully import my CA cert using keytool, and now that I'm trying to import a certificate signed by my CA cert, its complaining. So now what do I do? =S Liam _ The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL and JAVA
Then I tried importing a certificate signed by my CA. But now it's complaining that Input not an X.509 certificate. Is it because my extension is .pem? Yes! I found the answer by going through some old threads in the Sun Microsystems website. I had to convert the PEM certificate to a DER file in order for it to work. Anyway, I hope the rest of the process runs smoothly. Liam _ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL and JAVA
Liam, All you will need to do is comvert the PEM format to DER. If you user cert is called me.pem then: openssl x509 -in me.pem -outform DER -out me.cer I think that is all you will need to do. I don't have access to my openssl right now, but I have done this before to get the certs into the Windows store. It sounds like the same issue. Hope I was helpful. Craig. Liam Escario wrote: I'm having problems importing my OpennSSL certificates to my keystore. I created my root certificate in cacert.pem and I'm trying to import this now to my keystore. okay. some progress. I was able to import my CA using keytool. Apparently, you have to specify an alias for it. keytool -keystore myKeystore -import -alias cacert -file cacert.pem That worked fine for me. Then I tried importing a certificate signed by my CA. But now it's complaining that Input not an X.509 certificate. Is it because my extension is .pem? But I find it strange that I was able to successfully import my CA cert using keytool, and now that I'm trying to import a certificate signed by my CA cert, its complaining. So now what do I do? =S Liam _ The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL and JAVA
Good day! I'm having problems importing my OpennSSL certificates to my keystore. I created my root certificate in cacert.pem and I'm trying to import this now to my keystore. keytool -import -trustcacerts -file cacert.pem -keystore myKeystore I'm getting keytool error: java.lang.Exception: Public keys in reply and keystore don't match Anyone have any experience with this? Thanks. Liam _ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL with Java?
Hi, I know that OpenSSL supports both windows and Unix, and it is used from C and C++ programs. My question is the following: Can we use OpenSSL from Java programs as well ( I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs. Thanks Elie Elie Lalo Senior Software Engineer Desktop Technologies Group 1414 Mass Avenue Boxborough, MA 01719 Cisco Systems, Inc. Tel : (978)936-1160 Fax: (978)936-2212 Url : www.cisco.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL with Java?
I know that OpenSSL supports both windows and Unix, and it is used from C and C++ programs. My question is the following: Can we use OpenSSL from Java programs as well ( I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs. Sure you can. You'll just have to find or write wrappers to allow Java to call into the OpenSSL library code. It usually doesn't make much sense though, Java applications usually use the brower's built-in SSL capability. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL with Java?
Elie Lalo wrote: I know that OpenSSL supports both windows and Unix, and it is used from C and C++ programs. My question is the following: Can we use OpenSSL from Java programs as well ( I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs. Java has its own SSL/TLS implementation. If I'm remembering right, it's either called JSSE or is part of JSSE. I've been able to get it to work for the case where the client is Java, the server is OpenSSL, and only the server is authenticated with a cert. The interface on the Java side was a little awkward for my tastes, but it did work. If I tried to add client-side certs to the equation, I could not get JSSE to work. This was more than a year ago and the situation may have improved by now. In order to get my project going a year ago, I ended up using an open- source Java implementation of SSL/TLS called PureTLS. It was written by Eric Rescorla, who literally wrote the book on the topic. I found it easier to get my head around than the JSSE implementation, but that's likely just my hard-headedness. :-) Since Sun has a relatively large budget to throw at making their Java implementation work, I'd probably try their implementation before anything else if I needed a Java SSL solution today. But, don't forget that PureTLS is out there if you need it. Paul Allen -- Boeing Phantom Works \ Paul L. Allen, (425) 865-3297 Math Computing Technology \ [EMAIL PROTECTED] POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL with Java?
Yes, the JDK from http://java.sun.com supports SSL. The package is called JSSE. It integrates really well. LDB Elie Lalo wrote: Hi, I know that OpenSSL supports both windows and Unix, and it is used from C and C++ programs. My question is the following: Can we use OpenSSL from Java programs as well ( I am a new OpenSSL user)? I am planning on using OpenSSL on Linux and Windows OS, C++ and Java programs. Thanks Elie Elie Lalo Senior Software Engineer Desktop Technologies Group 1414 Mass Avenue Boxborough, MA 01719 Cisco Systems, Inc. Tel : (978)936-1160 Fax: (978)936-2212 Url : www.cisco.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL for Java
Greetings All, I'm getting ready to develop a client/server app that will use OpenSSL. The server will be C on Linux but I'm still open on the Windows client app. I can use Java, Delphi, or VB to write the client app in. Are there quality ports of openssl libs available for any or all of these languages? Thanks, Dann __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL for Java
: [snip] : can use Java, Delphi, or VB to write the client app in. Are there quality : ports of openssl libs available for any or all of these languages? If your client will simply communicate with the server over an SSL-encrypted network socket, chances are you won't have to use a port of openssl. SSL/TLS is a standard so you could use an SSL toolkit written in the language of your choice and it should[1] work. So, in theory, you have a number of options. If you decide to go with Java: You could try either PureTLS[2] or JSSE[3]. I have no experience with the former, but with JSSE it's pretty straightforward as long as you have other Java networking experience: wrap your plain Socket objects in SSLSocket objects and go. -QM [1] = I have Java code that communicates with all kinds of SSL-enabled services and I've yet to encounter any toolkit compatibility issues. [2] = I don't have the URL offhand but a search for PureTLS and Rescorla should turn up plenty of hits [3] = http://java.sun.com. Run a local search for JSSE to get the docs. The packages are included with JDK 1.4 and there are add-ons for 1.3. -- C++ / Java / SSL http://www.brandxdev.net/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL for Java
Hi Dann. Dann wrote: I can use Java, Delphi, or VB to write the client app in. Are there quality ports of openssl libs available for any or all of these languages? I am only a novice with regards to SSL, but I think I can give you some hints. 1a) If you want to use java to implement your SSL-client Then I recommend the provider called Bountycastle, available from: http://www.bouncycastle.org/latest_releases.html This provider has what java1.4.2 lags. With java1.4.2 and Bountycastle, you should be set to go. 1b) If you want to use java to implement your SSL-client Then you can use SWIG, available from: http://www.swig.org/download.html and turn openSSL into a java package. Quote: SWIG can be used to turn common C/C++ libraries into components for use in popular scripting languages. For a very short tutorial (7 screenfulls on a small tty), see this page: http://www.swig.org/tutorial.html 2a) If you want to use Delphi ... I don't know, I have not had the need to do SSL with Delphi yet. One of my mates told me that the newest Enterprise includes C++ Builder? If it does, you can just compile openSSL with C++ Builder. 2b) If you want to use Delphi ... Last time I had to use some C++ source from Delphi, I compiled the C++ library to a DLL, and created a pasacal-file, containing the DLL-imports. 3) If you want to use VB ... I don't know. If the client machine has ie6 installed, then you may be able to find out how to use ie6's SSL-features from VB. It would be fun to see a workable solution in VB. Best Regards Stefan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL for Java
Thank you to everyone for their suggestions, I will check those out. Best, Dann __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL with Java
Hi, Can someone please explain me or give me example how to implement OpenSSL with java servlets or just java on windows? Regards, Yuval Domain The Net Technologies Ltd. 6 Weitzman Blvd. Ramat-Hasharon Israel 47211 Tel: 972-3-5474443 Fax: 972-3-5474446 www.DomainTheNet.com This email message and any attachments hereto are intended only for use by the addressee(s) named above, and may contain legally privileged and/or confidential information. If you are not the intended addressee, you are hereby kindly notified that any dissemination, distribution or copying of this email and any attachments hereto is strictly prohibited. If you have received this email in error, kindly delete it from your computer system, and notify us at the telephone number or email address appearing above. Thank you __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL for Java??????
Hi there, Any effort is being put into creating a openSSL for Java? RSA security has a Java product for SSL, anyone knows of a opensource product? I know of cryptix, but this is not for SSL as far as I know. Regards, Mads Rasmussen / CiT Systems www.cit.com.br __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL for Java??????
Yep ... it's called pureTLS and you can pickit up from http://www.rtfm.com/puretls luck -Original Message- From:Mads Rasmussen [EMAIL PROTECTED] Sent:Fri, 24 Nov 2000 14:36:31 -0300 To: [EMAIL PROTECTED] Subject: OpenSSL for Java?? Hi there, Any effort is being put into creating a openSSL for Java? RSA security has a Java product for SSL, anyone knows of a opensource product? I know of cryptix, but this is not for SSL as far as I know. Regards, Mads Rasmussen / CiT Systems www.cit.com.br __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ___ Visit http://www.visto.com/info, your free web-based communications center. Visto.com. Life on the Dot. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Java DSA Patch? [Was: openssl client - java jsse server problem]
[EMAIL PROTECTED] wrote: Hi all, Last week, Steve Henson wrote This may well be a problem with JSSE. JSSE used an invalid signature format for DSA. I had someone check this out with a patch that makes OpenSSL produce a similar invalid format and it then worked. Would someone please post that patch? Yes, it might be a Sun problem, but we only have the source to one of these things! The patch was for the server side only. It causes errors when OpenSSL clients connect with DSA OpenSSL servers. It is possible to make the client side tolerate both formats but the patch doesn't curently do that. It is not possible to make the server automatically produce the invalid format because it has no way of knowing the client is expecting it. In s3_srvr.c currently around line 1119 you have: if (!EVP_SignFinal(md_ctx,(p[2]), (unsigned int *)i,pkey)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); goto err; } s2n(i,p); n+=i+2; } try changing this to: if (!EVP_SignFinal(md_ctx,p, (unsigned int *)i,pkey)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); goto err; } n+=i; } Tolerating both formats could be made a 'bug' option which would allow clients to connect to JSSE. The real fix however would be to get Sun to fix their broken software. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Java DSA Patch? [Was: openssl client - java jsse server problem]
Hi all, Last week, Steve Henson wrote This may well be a problem with JSSE. JSSE used an invalid signature format for DSA. I had someone check this out with a patch that makes OpenSSL produce a similar invalid format and it then worked. Would someone please post that patch? Yes, it might be a Sun problem, but we only have the source to one of these things! Thanks Mitchell Perilstein [EMAIL PROTECTED] www.enetis.net/~mitch +1 (605) 574-2367 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl client - java jsse server problem
Thanks for this helpful reply. This problem is mentioned in the java-security archives, along with the claim that jsse is correctly implemented: http://archives.java.sun.com/cgi-bin/wa?A2=ind0004L=java-securityD=0H=0O=DT=1P=234 Where shall I start digging in the openssl source to build your 'broken' s_client? I would like to reproduce your patch. Thanks, --Will Rusch Dr Stephen Henson wrote: Will Rusch wrote: openssl client - java jsse server problem I'm stuck trying to get the openssl 0.9.5a s_client to talk with a java (jsse) server, using DSA algorithms. I've tried 512-bit and 1024-bit keys. The java server is using a keytool-generated cert/key pair, signed by my CA cert that I created with openssl. The client seems to get past the certificate verification but complains: SSL3_GET_KEY_EXCHANGE: wrong signature length. openssl server - openssl client works okay. java server - java client works okay. java server - openssl is broken. Is this a bug with my certs, or elsewhere? Where do I begin digging? This may well be a problem with JSSE. JSSE used an invalid signature format for DSA. I had someone check this out with a patch that makes OpenSSL produce a similar invalid format and it then worked. This isn't part of OpenSSL because it would break clients expecting the correct format. The problem in more technical detail is that the DSA signature should be a variable length vector consisting of the ASN1 Dss-Sig-Value structure. JSSE just uses the signature without the initial length. SSL v3.0 isn't clear about the DSA format and Netscape uses a third variant. TLS however (for which I believe JSSE claims compliance) is quite clear about the matter. To quote RFC2246: 4.7. Cryptographic attributes The four cryptographic operations digital signing, stream cipher encryption, block cipher encryption, and public key encryption are designated digitally-signed, stream-ciphered, block-ciphered, and public-key-encrypted, respectively. A field's cryptographic processing is specified by prepending an appropriate key word designation before the field's type specification. Cryptographic keys are implied by the current session state (see Section 6.1). In digital signing, one-way hash functions are used as input for a signing algorithm. A digitally-signed element is encoded as an opaque vector 0..2^16-1, where the length is specified by the signing algorithm and key. In RSA signing, a 36-byte structure of two hashes (one SHA and one MD5) is signed (encrypted with the private key). It is encoded with PKCS #1 block type 0 or type 1 as described in [PKCS1]. In DSS, the 20 bytes of the SHA hash are run directly through the Digital Signing Algorithm with no additional hashing. This produces two values, r and s. The DSS signature is an opaque vector, as above, the contents of which are the DER encoding of: Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } What they were doing (assuming this is still the problem) is just plain wrong. I suggest you try and get them to fix it. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openssl client - java jsse server problem
openssl client - java jsse server problem I'm stuck trying to get the openssl 0.9.5a s_client to talk with a java (jsse) server, using DSA algorithms. I've tried 512-bit and 1024-bit keys. The java server is using a keytool-generated cert/key pair, signed by my CA cert that I created with openssl. The client seems to get past the certificate verification but complains: SSL3_GET_KEY_EXCHANGE: wrong signature length. openssl server - openssl client works okay. java server - java client works okay. java server - openssl is broken. Is this a bug with my certs, or elsewhere? Where do I begin digging? Thanks, --Will % openssl s_client -connect lightning.rest.home.net:9003 \ -CAfile certs/ca.cert.pem \ -debug -showcerts -cipher EDH-DSS-DES-CBC3-SHA CONNECTED(0005) write to 00144950 [001459D0] (46 bytes = 46 (0x2E)) - 80 2c 01 03 01 00 03 00-00 00 20 00 00 13 19 e2 ., . blah blah blah 0020 - 69 20 1f e4 81 4e 2f 29-a2 5e 52 1f 12 36 i ...N/).^R..6 read from 00144950 [0014AF30] (7 bytes = 7 (0x7)) - 16 03 01 07 00 02 .. 0007 - SPACES/NULS read from 00144950 [0014AF37] (1790 bytes = 1790 (0x6FE)) - 00 46 03 01 39 2d 6a 46-c3 d5 28 13 15 1a be 16 .F..9-jF..(. blah blah blah 06f0 - 07 3c a7 cc 72 ac a5 59-ac f0 0e ...r..Y... 06fe - SPACES/NULS depth=1 /C=US/ST=California/L=Redwood City/O=AtHome/OU=Modem Provisioning/CN=Modem [EMAIL PROTECTED] verify return:1 depth=0 /C=US/ST=California/O=AtHome/OU=Modem Provisioning 21042 Server/CN=lightning.rest.home.net verify return:1 write to 00144950 [00142E10] (7 bytes = 7 (0x7)) - 15 03 01 00 02 02 32 ..2 21169:error:1408D108:SSL routines:SSL3_GET_KEY_EXCHANGE:wrong signature length:s3_clnt.c:1036: __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openSSL for java
1. Is there a plan to port openSSL to the Java platform? 2. Do you know of anyone who has taken the current openSSL and implemet HTTPS in Java? Thanks. RK __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]