Re: Handling signature_algorithm extension on TLS1.3 server

2019-06-06 Thread Raja Ashok
Thanks for the detailed explanation. So rsaEncryption cert can do both RSASSA-PKCS-v1_5 and RSASSA-PSS type signature. And also the digital signature present on the cert can be of type RSASSA-PKCS-v1_5 or RSASSA-PSS. Currently in 1.1.1c's has_usable_cert() function, digital signature (Issuer's si

authEnvelopedData

2019-06-06 Thread Tobias.Wolf
Hi everyone, I need to create an "authEnvelopedData" (https://tools.ietf.org/html/rfc5083#2.1) ASN1 structure but I know how to achieve this. I tried with "PKCS7_encrypt" but here I got only "envelopedData". I'll try next with CMS_encrypt and to modify CMS_ContentInfo to add the authEnvelopedDat

Public-key based authentication of clients

2019-06-06 Thread Jeremy Friesner
Hi All, I have a simple C++ client/server application, in which the clients use OpenSSL's PSK (Pre-Shared-Key) mechanism to log in to the server via TLS -- i.e. the client GUI prompts the user to enter a username and password, and when the client connects, it calls SSL_set_psk_client_callback()

Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

2019-06-06 Thread Larry Jordan via openssl-users
Re: openssl-1.0.2r Re: openssl-fips-2.0.16 OS: Linux Mint 19.1 (Ubuntu) I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)). void __attribute__((constructor)) Fo

Re: Handling signature_algorithm extension on TLS1.3 server

2019-06-06 Thread Matt Caswell
On 06/06/2019 16:15, Raja Ashok wrote: > Hi, > > Currently has_usable_cert() function is called on tls_choose_sigalg() to find > out the suitable certificate available. But currently rsa_pkcs1_xxx and > rsa_pss_rsae_xxx certs are stored on same index SSL_PKEY_RSA. Because of this > it > may en

Handling signature_algorithm extension on TLS1.3 server

2019-06-06 Thread Raja Ashok
Hi, Currently has_usable_cert() function is called on tls_choose_sigalg() to find out the suitable certificate available. But currently rsa_pkcs1_xxx and rsa_pss_rsae_xxx certs are stored on same index SSL_PKEY_RSA. Because of this it may end in choosing rsa_pkcs1_xxx cert for rsa_pss_rsae_xxx ex

Re: query related to openssl certificate generation of Ed X25519, X448

2019-06-06 Thread Billy Brumley
I think the error messages are pretty clear in these cases. Trying to set a hash with (standardized) EdDSA is not going to go well for you. Have you tried this very nice walkthrough? https://tools.ietf.org/html/draft-moskowitz-eddsa-pki-00 BBB On Thu, Jun 6, 2019 at 9:47 AM Sowmya P wrote: > >