nd written 1589 bytes
> Verification error: self signed certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 10496 bit
>
>
> Regards
> Mark Hack
>
>
>
>> On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote:
>>
,
and the EE will only be able to make use of the cert if it is able to decrypt
it, which proves possession of the private key.
David
On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote:
> TLDR;
> Need to create a CSR for a key pair whose algorithm does not allow
>
TLDR;
Need to create a CSR for a key pair whose algorithm does not allow signing
(either because it’s something like Kyber, or because restriction enforced by
HSM). How to do it?
There are several use cases that require certifying long-term asymmetric keys
that are only capable of
What platform?
$ bat ossl3-tst.c
───┬──
│ File: ossl3-tst.c
│ Size: 216 B
>> Just wondering if Apple OS is compatible with OPenssl 3 .
>>
>
>MacOS should work just fine with OpenSSL 3.0. At least master is
>regularly tested, e.g.
>
>https://github.com/openssl/openssl/runs/6151999376?check_suite_focus=true
It works fine on all of my MacOS machines,
The problem that I see is that there's a set of parameters (such as
OSSL_PKEY_PARAM_EC_COFACTOR), not described in the man pages, with
under-specified type.
E.g., how is one to know where's "normal" ~~sloppiness~~ imperfection in
writing, and where "unsigned integer" truly means 'NOT C type
> > But, considering that the man pages describe C API, wouldn't it be
> > nice to mention (even though it may be obvious that a number of order
> > 2^384 might not fit into 32 or even 64 bits) that the actual type is
> > BIGNUM?
>
> No, the type is not a BIGNUM. Please read "man OSSL_PARAM"
> > In other words, the man page says it's unsigned int, but in fact it's
> > BIGNUM? Because the pointer I gave was to "unsigned int", like in the
> > OP's code.
>
> The param is too big to fit into int. If you were using some
> ridiculously small EC curve the call would succeed. The
On 1/4/22, 11:23, "Tomas Mraz" wrote:
> > Theoretically, shouldn’t
> >
> > EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned int)order)
> >
> > work? I verified that it does not seem to work, at least in the
> > obvious context.
>
> OSSL_PARAM_EC_ORDER is an unsigned integer
Now I became interested. ;-)
Theoretically, shouldn’t
EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned int)order)
work? I verified that it does not seem to work, at least in the obvious
context.
What is the purpose of that parameter and function call, and where/how can one
use
installing
Macports port “openssl11”.
If neither option is sufficient, I can’t help you, sorry.
On Sat, Nov 20, 2021 at 5:28 AM Blumenthal, Uri - 0553 - MITLL
wrote:
Here's how Macports did it:
1. Installed OpenSSL-1.1.1 into /opt/local/libexec/openssl11;
2. Installed OpenSSL-3.0.0
Here's how Macports did it:
1. Installed OpenSSL-1.1.1 into /opt/local/libexec/openssl11;
2. Installed OpenSSL-3.0.0 into /opt/local/libexec/openssl3;
3. Symlinked OpenSSL-3.0.0 libraries into /opt/local/lib (primary directory
where stuff lives);
I added symlinking
I don't use Brew. I've installed OpenSSL-1.1.1 (and 3.0.0) via Macports, and
have no problem linking and running apps against 1.1.1.
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are
obviously no deficiencies.
The other is to make it so complex there
NF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl rand -hex 8
71f7744c5190385f
$
I'll bring this up with its maintainers.
Thanks!
On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
> Yes, i
enssl/openssl/issues/16996
Nicola
On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz wrote:
>
> On Wed, 2021-11-10 at 03:38 +0000, Blumenthal, Uri - 0553 - MITLL
> wrote:
> > On 11/9/21, 22:23, "Dr Paul Dale" wrote:
> >
> >
providing empty config causes the same result:
>
> $ OPENSSL_CONF=/dev/null openssl3 rand -hex 4
> $ OPENSSL_CONF=/dev/null openssl3 rand -engine rdrand -hex 4
> Engine "rdrand" set.
> 61f1666d
> $
>
ngine "rdrand" set.
61f1666d
$
Pauli
On 10/11/21 1:10 pm, Blumenthal, Uri - 0553 - MITLL wrote:
> Thank you!
>
> I'm trying to:
>
> a. understand why something like "openssl-3 rand -hex 4" does not work
(returns empty string), but &qu
ly different places.
Yes, the man pages could be more informative and user friendly :(
Pauli
On 10/11/21 12:35 pm, Blumenthal, Uri - 0553 - MITLL wrote:
> "man config" for OpenSSL-3.0 and newer says that there can be "[random]"
section in "openssl.cnf&qu
"man config" for OpenSSL-3.0 and newer says that there can be "[random]"
section in "openssl.cnf", where I can specify type of RNG, other things, and
*seed*, and seed *properties*.
Unfortunately, it did not bother to even list the possible/allowed values, let
alone explain what they'd mean:
At least one problem I can see with your EC certificate is wrong Key Usage. For
EC it should be "Key Agreement".
I'd not use the same cert for signing and encrypting. If you do, then add
Signature and Non-Repudiation (but I've never done that).
--
Regards,
Uri
There are two ways to design a
IMHO, GitHub should be sufficient.
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
Is there an analog of the "dummy async engine" for the OpenSSL-3.0 Provider?
TNX
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
In general - I concur, but there are nuances: sending root CA cert is mostly
harmless, but mostly useless - except when there's a human on the receiving end
that can and is allowed to make a decision to accept and trust that CA cert.
Re. PQC - even the "smallest" among them are much larger than
of the IT people would want to block
the ability of a “mere” user to add an “unblessed” trusted root.
Regards,
Uri
> On Mar 31, 2021, at 14:15, Viktor Dukhovni wrote:
>
>
>>
>> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL
>> wrote:
>>
>> For
For a Web GUI with the user at the console (e.g., a Web browser), it might be
OK.
For my needs (devices talking to each other over austere links), sending the
root CA very is both useless and wasteful. One you factor in the sizes of
Post-Quantum keys and signatures - you’ll start disliking
“OPTIONAL” means the parser must deal with complete absence, not only encoded
as ASN.1 NULL.
Broken parsers should be fixed.
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are
obviously no deficiencies.
The other is to make it so complex
On 1/25/21, 10:13, "openssl-users on behalf of The Doctor"
wrote:
Anyone using BSD running into basename issues?
Basename issues on MacOS. Presumably the same as you're having on BSD.
smime.p7s
Description: S/MIME cryptographic signature
uce code size
> drastically.
Something I don't urgently need, but would welcome regardless.
> I suggest opening a feature request at
> https://github.com/openssl/openssl/issues
Done: https://github.com/openssl/openssl/issues/13925
Thanks!
On 21.01.21 02:07, Blumenthal, Uri -
net-draft I reference is a way to do so, but it is (to repeat)
> very much a work in progress.
Understood. Do you know if there's any code behind it? Or just the "theory"?
Thanks!
On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL
wrote:
> I meant
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
> which is very much still a work in progress.
>
> -Ben
>
> ________________
> From: Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, January 20, 2021 4:22 PM
> To: openssl-use
I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL
to parse and/or generate certs in CBOR encoding?
Thanks
Regards,
Uri
smime.p7s
Description: S/MIME cryptographic signature
Those "rigid curves" that will be used in the future - future how distant, and
for how long?
Regards,
Uri
> On Nov 20, 2020, at 13:54, Phillip Hallam-Baker wrote:
>
smime.p7s
Description: S/MIME cryptographic signature
MacOS 10.15.5, Xcode-11.5, current OpenSSL master (3.0 dev)
Is this expected:
genpkey: Error setting ec_param_enc:explicit parameter:
C00D090F0100:error::digital envelope
routines:legacy_ctrl_str_to_param:command not
supported:crypto/evp/pmeth_lib.c:1011:
../../util/wrap.pl
On 6/18/20, 12:46, "openssl-users on behalf of Kurt Roeckx"
wrote:
On Thu, Jun 18, 2020 at 10:41:40AM +0200, Tomas Mraz wrote:
>> > I question the default behaviour, I think most people don't need
>> > that support.
>>
>> Unfortunately that would be an API break that could
I think that the default behavior should change for 3.0, and the API change
described in the Release Notes. I find that alternative less impacting that
this silent sudden performance deterioration.
On 6/18/20, 04:42, "openssl-users on behalf of Tomas Mraz"
wrote:
On Wed, 2020-06-17 at
Emmanuel,
Would you mind explaining why you choose to continue encrypting the AES key,
which - admittedly - is an unnecessary overkill? Is it merely to preserve the
established process itself?
On 5/26/20, 04:26, "openssl-users on behalf of Emmanuel Deloget"
wrote:
Hello Richard and
As far as I know, CURL (app and library) is perfectly happy to use a text file
comprised of concatenated PEM certificates.
I really wonder if there’s a real use case.
On May 22, 2020, at 18:49, Salz, Rich via openssl-users
wrote:
application/pkix-pkipath
Defined in RFC4366 (section 8)
On 4/28/20, 04:38, "Richard Levitte" wrote:
> Would you mind testing
Not at all! ;-)
> if https://github.com/openssl/openssl/pull/11655 fixes this?
As you suspected - it does! ;-)
Thank you!
On Mon, 27 Apr 2020 18:29:12 +0200,
Blumenthal, Uri - 05
I hit this problem recompiling libp11 with the current OpenSSL-3.0 master. It's
on MacOS Catalina 10.15.4 with the latest Xcode-11.4.1, but I think that's
irrelevant. I checked through all the .h files in the OpenSSL sources, and
found no definition o CONF_MODULE. OpenSSL-3.0 is installed into
You probably already noticed, but if not…
MacOS Mojave 10.14.6, Xcode 11.3.1. Current OpenSSL master (OpenSSL 3.0 dev)
with PR 11193 applied (latest variant).
Test Summary Report
---
25-test_req.t(Wstat: 512 Tests: 15 Failed: 2)
Failed tests: 14-15
If you generated a keypair in a smartcard, how did you extract the private key
out of it??? The whole point of a smartcard is to prevent that from being
possible.
So, like Ken suggested, I’ve no idea where the private key you posted was
coming from – but reasonably sure it has no relation
macOS 10.14.6, Xcode-11.3 (with older Xcode it used to work), p11-kit 0.23.18,
OpenSSL-1.1.1d, current master of OpenSC and libp11.
Somehow, p11-kit proxy that selects the correct PKCS#11 library to pass the
request to, is no longer invoked.
Any help is appreciated!
$ openssl cms -engine
In preparation for writing a new engine that supports message digest and
asymmetric crypto (sign and decrypt), I am trying to port the existing
simple/demo engines from the Engine Corner examples (thanks, Richard!).
The fork of https://github.com/engine-corner/Lesson-2-A-digest.git that
> > Is keyed blake2b supported in openssl-dgst (latest OpenSSL release)?
> No, sorry. It has been added for upcoming OpenSSL 3.0, though.
Doesn't look like it's there:
$ openssl3 version
OpenSSL 3.0.0-dev xx XXX (Library: OpenSSL 3.0.0-dev xx XXX )
$ echo -n "hello" |
Answered my own questions:
$ openssl3 list -mac-algorithms
Provided MACs:
BLAKE2bMAC @ default
BLAKE2sMAC @ default
CMAC @ default
GMAC @ default
HMAC @ default
KMAC128 @ default
KMAC256 @ default
Poly1305 @ default
SipHash @ default
$
$ echo -n "hello" | openssl3 mac -macopt
> Uri, Greetings!
Hello there! ;-)
> On 8/28/19 6:09 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> > Do you have an ASN.1 definition fit the content of CSR, or are you willing
> > to create one?
>
> For now working with ASN.1.
In that case, I would use one of the ava
Do you have an ASN.1 definition fit the content of CSR, or are you willing to
create one?
IMHO, DER would be a pretty good choice, fat better than something home-brewed
and non-standard.
Regards,
Uri
Sent from my iPhone
> On Aug 28, 2019, at 17:49, Robert Moskowitz wrote:
>
> CSR is an
Is there a potential problem - if a certificate has multiple issues, such as
bad signature and certificate expired? Would all of these conditions be
reported, or only the first one detected?
Regards,
Uri
Sent from my iPhone
On Aug 26, 2019, at 10:11, Viktor Dukhovni wrote:
>> On Aug 26,
On 8/7/19, 10:57 AM, "openssl-users on behalf of Matt Caswell"
wrote:
> >> ../test/recipes/15-test_ec.t (Wstat: 256 Tests: 5
Failed: 1)
> >
> > Assuming you are building with enable-ec_nistp_64_gcc_128 then the fix
for this
> > issue is here:
> >
> >
Test Summary Report
---
../test/recipes/15-test_ec.t (Wstat: 256 Tests: 5 Failed: 1)
Failed test: 2
Non-zero exit status: 1
Files=174, Tests=1660, 122 wallclock secs ( 1.27 usr 0.34 sys + 81.53 cusr
29.91 csys = 113.05 CPU)
Result: FAIL
Does it
It is weird. MacOS 10.14.6, Xcode-10.3, OpenSSL-1.1.1c (Macports-installed),
current master of libp11.
Symptoms: when PKCS#11 engine is defined, git hangs upon HTTPS retrieval. If I
comment the engine out in openssl.cnf, or tell git to not load openssl.cnf - it
works fine:
$ openssl version
On 7/22/19, 3:38 PM, "Richard Levitte" wrote:
> > Turned out the failure was my misconfiguration - but the "config"
> > man page doesn't seem to describe the *exact* order of the
> > statements/sections.
>
> It does, but perhaps not in a way you expected.
:-)
> So the
ms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
#####
On 7/19/19, 2:10 PM, "openssl-users on behalf of Blumenthal, Uri - 0553 -
MITLL" wrote:
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defined in the op
085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl
operation not implemented:crypto/evp/evp_enc.c:628:
$
пт, 19 июля 2019 г., 21:09 Blumenthal, Uri - 0553 - MITLL
<mailto:u...@ll.mit.edu>:
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defin
?
пт, 19 июля 2019 г., 21:09 Blumenthal, Uri - 0553 - MITLL :
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defined in the openssl.cnf file:
#
[engine_section]
pkcs11 = pkcs11_section
gost = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path
MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed).
Engines defined in the openssl.cnf file:
#
[engine_section]
pkcs11 = pkcs11_section
gost = gost_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so
MODULE_PATH =
users on behalf of Blumenthal, Uri - 0553 -
MITLL" wrote:
I'm getting a somewhat different error trying to build OpenSSL_1_1_1-stable
on CentOS 7 (similar to RHEL 7).
Configuration:
./config --prefix=$HOME/openssl-1.1 --debug
--openssldir=$HOME/openssl-1.1/etc --with-rand-se
I'm getting a somewhat different error trying to build OpenSSL_1_1_1-stable on
CentOS 7 (similar to RHEL 7).
Configuration:
./config --prefix=$HOME/openssl-1.1 --debug --openssldir=$HOME/openssl-1.1/etc
--with-rand-seed=rdcpu enable-aria enable-ec_nistp_64_gcc_128 enable-md2
enable-rc5
You probably noticed, but the current master keeps breaking EC tests for the
last week or so. This is on Mac:
../test/recipes/15-test_ec.t ... Dubious, test returned 1
(wstat 256, 0x100)
Failed 1/5 subtests
Test Summary Report
---
> > For now the ASN.1 string is not an opaque structure.
>
> Considering how OpenSSL design evolved, I suspect that the time may come
> when this string would become opaque. Therefore, I suggest that
> getter/setter functions should be added.
Any thoughts about the
On 6/18/19, 5:44 PM, "openssl-users on behalf of Viktor Dukhovni"
wrote:
We should
perhaps provide getter/setter functions for the flags, or perhaps
even a specific function for indicating the value is a bitstring,
and how many bits it holds. For now the ASN.1 string is not an
I can understand why you may not want to break existing API. Why not add
another similar interface done the right way?
On 5/22/19, 1:11 PM, "openssl-users on behalf of Dr. Matthias St. Pierre"
wrote:
I think nobody of us needs to be convinced anymore that making it a
'double' was a bad
On 5/21/19, 10:45 AM, "openssl-users on behalf of Salz, Rich via openssl-users"
wrote:
When I overhauled the RAND mechanism, I tried to deprecate this use of
floating point,
in favor of just a number from 0 to 100 but was voted down.
If it's a sarcasm, I'm missing the point.
Hmm... Registering an OID dedicated to express this case should be feasible,
and perfectly within the ASN.1 rules. One question - where in the OID tree
would it live, as offhand I don't have any idea. It can't be too deep down, and
also, it better be fairly short.
>From the ASN.1 point of
First, let me prefix that while I don't want to badmouth anybody, even
incompetence cannot excuse deliberately generating bad/unparsable encoding.
That's one of the cases when the cure is clearly worse than the disease.
On 3/21/19, 13:58, "openssl-users on behalf of Viktor Dukhovni"
wrote:
+1 to Viktor's points.
Regards,
Uri
Sent from my iPhone
> On Mar 21, 2019, at 12:52, Viktor Dukhovni wrote:
>
> On Thu, Mar 21, 2019 at 01:00:14PM +, Salz, Rich via openssl-users wrote:
>
>>> This software however is 7 years old, we’re not in a position to drop
>>> everything and
Since OpenSSL is more than just a TLS implementation, I agree with Michael and
support relaxing these checks when appropriate.
Regards,
Uri
Sent from my iPhone
On Mar 6, 2019, at 10:22, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
>>
On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono"
wrote:
> Does anybody know how to use the smartcard to encrypt and decrypt files?
Smartcard performs public-key crypto operations, which aren't suitable for bulk
processing, such as file encryption/decryption. In
The docs site is screwed up.
CMS_sign is indeed documented for 1.1.1 - but you have to go there via
https://www.openssl.org/docs/man1.1.1 -> Libraries -> CMS_sign.html, which
would bring you to https://www.openssl.org/docs/man1.1.1/man3/CMS_sign.html
On 12/27/18, 14:00, "openssl-users on
:23 PM, Blumenthal, Uri - 0553 - MITLL
>> wrote:
>>
>> I still would like to know where all the acceptable "dgst -sigopt"
>> parameters are described for RSA and ECDSA.
>>
>> Google search and scouring openssl.org manual pages did not bring me
&g
I still would like to know where all the acceptable "dgst -sigopt" parameters
are described for RSA and ECDSA.
Google search and scouring openssl.org manual pages did not bring me anything.
On 8/24/17, 5:42 PM, "Blumenthal, Uri - 0553 - MITLL" wrote:
OpenSSL dgst m
as "letting the
> perfect be the enemy of the good", which is also known as "cutting off the
> nose to spite the face". It still cuts down on a huge number of potential
> attacks, and doing away with it allows those attacks to flourish again.
> (Which, by the way
>> Quoting from Peter Gutmann's "Engineering Security",
>> section "EV Certificates: PKI-me-Harder"
>>
>> Indeed, cynics would say that this was exactly the problem that
>> certificates and CAs were supposed to solve in the first place, and
>> that
> "Provided chain ends with unknown self-signed certificate".
I like this.
IMHO "unrecognized" would be more confusing.
I hope the team makes up their mind quickly.
On 12/4/18, 6:17 PM, "openssl-users on behalf of Michael Wojcik"
wrote:
> From: openssl-users
The way I understand the ECDSA standard, it is supposed to truncate the
provided hash - which is why it is possible to have ECDSA-over-P256-SHA384.
One possibility would be for you to truncate the SHA2 output yourself, IMHO.
On 11/30/18, 12:36 PM, "openssl-users on behalf of Fuchs, Andreas"
ssl-1.1/lib -lcrypto
$ ./ttt
OPENSSL_VERSION_NUMBER 10101010
$ gcc -o ttt ttt.c -lcrypto
$ ./ttt
OPENSSL_VERSION_NUMBER 1000210f
$
On Sun, 2018-10-21 at 00:36 +0000, Blumenthal, Uri - 0553 - MITLL
wrote:
> I'm not sure I understand what you're doing, but:
>
&g
I'm not sure I understand what you're doing, but:
$ cat ttt.c
#include
#include
int main(void)
{
printf("OPENSSL_VERSION_NUMBER %lx\n",OPENSSL_VERSION_NUMBER);
return 0;
}
$ gcc -o ttt ttt.c -lcrypto
$ ./ttt
OPENSSL_VERSION_NUMBER 1000210f
$ gcc -o ttt -I$HOME/openssl-1.1/include ttt.c
Note that the key to reproducing this issue is compiling SoftHSMv2 with 1.1.1.
When compiled with 1.0.2p, everything else can be compiled against 1.1.1 and it
works ok.
Regards,
Uri
Sent from my iPhone
> On Sep 21, 2018, at 02:09, Paras Shah (parashah) via openssl-users
> wrote:
>
> I
On 9/20/18, 4:39 PM, "openssl-users on behalf of Viktor Dukhovni"
wrote:
Despite (IMHO) its increasing obsolescence and irrelevance, the LibreSSL
fork of OpenSSL 1.0.2 also supports ECDSA.
Yep.
> so openssl 1.1.0 or newer, and his Mac is infested with
> 0.98letter.
Macports team is working on upgrading OpenSSL to 1.1.1. It takes time because
they plan to move all the ports that depend on OpenSSL to that level. I assume
that once that is done, 1.0.2 won't be supported/available on Macports anymore.
Installation - as Dominyk said: "sudo port install
my iPhone
> On Sep 3, 2018, at 14:31, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> If it builds a dummy engine - then shouldn't a dummy engine respond
> gracefully to requests with something like "sorry I can't do anything
> useful", instead of spitting outa puke of err
If it builds a dummy engine - then shouldn't a dummy engine respond gracefully
to requests with something like "sorry I can't do anything useful", instead of
spitting outa puke of error messages in response to "openssl engine -t capi"?
Regards,
Uri
Sent from my iPhone
> On Sep 3, 2018, at
Since this example would show how to generate certificates that people may not
have a lot of experience dealing with - I think it would make a lot of sense to
document as much as possible.
In short: yes please do include the examples of both what the certs should look
like, and how to generate
Same problem on Linux.
Regards,
Uri
Sent from my iPhone
> On Aug 2, 2018, at 07:47, The Doctor wrote:
>
> While compiling today's openssl 1.1.0 snap on FreeBSD 11.2
>
> I got
>
> /usr/bin/cc -I. -Icrypto/include -Iinclude -DZLIB -DZLIB_SHARED -DDSO_DLFCN
> -DHAVE_DLFCN_H -DNDEBUG
Actually, it all works just fine. Viktor's point about adding terminating "\n"
to the input text helped.
-BEGIN PRIVATE KEY-
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGlXflMDDD8kOP
TP5y06tSXe1g8G3uJAoGHT8NewYANIONuJEZveXnfL8+bJRIu8FDzeCc4SWsCISK
FWIW, I'm with Viktor in this argument. From cryptography point of view he's
right. I suspect he's right from the practical point of view as well.
P.S. Those concerned that a nation-state would attack them, are advised to
change the default config anyway.
--
Regards,
Uri Blumenthal
On
so waiting for the answers right?
Yes I certainly am.
2018-02-15 6:57 GMT+09:00 Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>:
Funny. I have the same problem with the current master on one of my two MacOS
High Sierra machines. Surprisingly, the other machine builds and runs the
Funny. I have the same problem with the current master on one of my two MacOS
High Sierra machines. Surprisingly, the other machine builds and runs the
current master just fine. Configuration and build scripts are automated and
exactly the same between the two.
The “bad” machine runs a
> Here's the standards OpenSSL claims to implement:
> https://www.openssl.org/docs/standards.html.
So do many others, and yet when the RFC is impractical, a more practical
alternative is implemented.
I did not see RFC 5280 in the list of the implemented/supported standards.
7-10-11, 12:11 GMT, Blumenthal, Uri - 0553 - MITLL wrote:
>> Unfortunately, not quite. Being pip-installable means to the
>> majority of users that the package in question can be
>> installed via, e.g.,
>>
>> pip install M2Crypto
>
> I understand that, m
7-10-11, 11:35 GMT, Blumenthal, Uri - 0553 - MITLL wrote:
>> And it is not installable via PIP, though to me being placed
>> on pypi site suggested that it should be (that's how I tried
>> to install it).
>
> What’s needed for package to be pip installable? I would think
>
t; said:
>
> mcepl> On 2017-10-10, 21:17 GMT, Blumenthal, Uri - 0553 - MITLL wrote:
> mcepl> > I have to report that this M2Crypto release is broken, as it
> mcepl> > cannot find OpenSSL installed in /opt/local (apologies for
> mcepl> > spamming multiple li
I have to report that this M2Crypto release is broken, as it cannot find
OpenSSL installed in /opt/local (apologies for spamming multiple lists and
people):
/usr/bin/clang -fno-strict-aliasing -fno-common -dynamic -pipe -Os -DNDEBUG -g
-fwrapv -O3 -Wall -Wstrict-prototypes
18:54, Dr. Stephen Henson <st...@openssl.org> wrote:
>
>> On Fri, Sep 29, 2017, Blumenthal, Uri - 0553 - MITLL wrote:
>>
>> Apologies in advance for cross-posting ??? but I???m not sure which of the
>> two mailing lists this belongs to.
>>
>> A key (sa
Apologies in advance for cross-posting – but I’m not sure which of the two
mailing lists this belongs to.
A key (say, private key) is loaded from the pkcs11 engine via privkey =
ENGINE_load_private_key(engine, ); and this operation succeeds.
However the resulting key handle has its
AFAIK, at this point pkcs11 engine doesn't support key generation.
The only viable options AFAIK are OpenSC (pkcs11-tool) and vendor-specific
applications like yubico-piv-tool.
Regards,
Uri
Sent from my iPhone
> On Sep 27, 2017, at 08:23, Dmitry Belyavsky wrote:
>
>
I’m debugging programmatic access to a (modified) pkcs11 engine. My system has
several OpenSSL installations: Apple-provided OpenSSL-0.9.8 (kept as that came
with the OS :), Macports-installed OpenSSL-1.0.2l (the main one installed to
/opt/local, used by everything Macports builds, and what I
An engine works with OpenSSL-1.1.0+. It needs to hook some methods, and it
accesses them via EVP_PKEY_meth_get_sign(), EVP_PKEY_meth_get_decrypt(), and
EVP_PKEY_meth_get_encrypt(). And the corresponding set() calls.
I’d like to backport this engine to OpenSSL-1.0.2. But 1.0.2 does not
I seem unable to figure how to configure RSA-OAEP parameters (hash and MGF
functions) for “opensl pkeyutl” command.
The man page seems to say that only thing I can do is tell openssl CLI that I
want OAEP padding, and nothing more.
File “apps/pkeyutl.c” was of no help. Where can I find
On 9/1/17, 16:26, "openssl-users on behalf of Michael Wojcik"
wrote:
>Bob, I just want to say thanks for producing this. Even if it never makes
> it out of I-D stage, there's a lot of useful information here.
>
1 - 100 of 162 matches
Mail list logo