Re: Q: creating CSR for encryption-only cert?

nd written 1589 bytes > Verification error: self signed certificate > --- > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 > Server public key is 10496 bit > > > Regards > Mark Hack > > > >> On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote: >>

Re: creating CSR for encryption-only cert?

, and the EE will only be able to make use of the cert if it is able to decrypt it, which proves possession of the private key. David On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote: > TLDR; > Need to create a CSR for a key pair whose algorithm does not allow >

Q: creating CSR for encryption-only cert?

TLDR; Need to create a CSR for a key pair whose algorithm does not allow signing (either because it’s something like Kyber, or because restriction enforced by HSM). How to do it? There are several use cases that require certifying long-term asymmetric keys that are only capable of

Re: 3.0.3 - EVP_EC_gen() segfault without init

What platform? $ bat ossl3-tst.c ───┬── │ File: ossl3-tst.c │ Size: 216 B

Re: Mac OS X and openssl 3

>> Just wondering if Apple OS is compatible with OPenssl 3 . >> > >MacOS should work just fine with OpenSSL 3.0. At least master is >regularly tested, e.g. > >https://github.com/openssl/openssl/runs/6151999376?check_suite_focus=true It works fine on all of my MacOS machines,

Re: EVP_PKEY_get_int_param is not getting degree from EC key

The problem that I see is that there's a set of parameters (such as OSSL_PKEY_PARAM_EC_COFACTOR), not described in the man pages, with under-specified type. E.g., how is one to know where's "normal" ~~sloppiness~~ imperfection in writing, and where "unsigned integer" truly means 'NOT C type

Re: EVP_PKEY_get_int_param is not getting degree from EC key

> > But, considering that the man pages describe C API, wouldn't it be > > nice to mention (even though it may be obvious that a number of order > > 2^384 might not fit into 32 or even 64 bits) that the actual type is > > BIGNUM? > > No, the type is not a BIGNUM. Please read "man OSSL_PARAM"

Re: EVP_PKEY_get_int_param is not getting degree from EC key

> > In other words, the man page says it's unsigned int, but in fact it's > > BIGNUM? Because the pointer I gave was to "unsigned int", like in the > > OP's code. > > The param is too big to fit into int. If you were using some > ridiculously small EC curve the call would succeed. The

Re: EVP_PKEY_get_int_param is not getting degree from EC key

On 1/4/22, 11:23, "Tomas Mraz" wrote: > > Theoretically, shouldn’t > > > > EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned int)order) > > > > work? I verified that it does not seem to work, at least in the > > obvious context. > > OSSL_PARAM_EC_ORDER is an unsigned integer

Re: EVP_PKEY_get_int_param is not getting degree from EC key

Now I became interested. ;-) Theoretically, shouldn’t EVP_PKEY_get_int_param(pkey, OSSL_PARAM_EC_ORDER, &(unsigned int)order) work? I verified that it does not seem to work, at least in the obvious context. What is the purpose of that parameter and function call, and where/how can one use

Re: OpenSSL 1.1 on OSX

installing Macports port “openssl11”. If neither option is sufficient, I can’t help you, sorry. On Sat, Nov 20, 2021 at 5:28 AM Blumenthal, Uri - 0553 - MITLL wrote: Here's how Macports did it: 1. Installed OpenSSL-1.1.1 into /opt/local/libexec/openssl11; 2. Installed OpenSSL-3.0.0

Re: OpenSSL 1.1 on OSX

Here's how Macports did it: 1. Installed OpenSSL-1.1.1 into /opt/local/libexec/openssl11; 2. Installed OpenSSL-3.0.0 into /opt/local/libexec/openssl3; 3. Symlinked OpenSSL-3.0.0 libraries into /opt/local/lib (primary directory where stuff lives); I added symlinking

Re: OpenSSL 1.1 on OSX

I don't use Brew. I've installed OpenSSL-1.1.1 (and 3.0.0) via Macports, and have no problem linking and running apps against 1.1.1. -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex there

Re: OpenSSL-3.+ how to configure [random]?

NF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8 Engine "pkcs11" set. $ OPENSSL_CONF="" openssl rand -hex 8 71f7744c5190385f $ I'll bring this up with its maintainers. Thanks! On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote: > Yes, i

Re: OpenSSL-3.+ how to configure [random]?

enssl/openssl/issues/16996 Nicola On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz wrote: > > On Wed, 2021-11-10 at 03:38 +0000, Blumenthal, Uri - 0553 - MITLL > wrote: > > On 11/9/21, 22:23, "Dr Paul Dale" wrote: > > > >

Re: OpenSSL-3.+ how to configure [random]?

providing empty config causes the same result: > > $ OPENSSL_CONF=/dev/null openssl3 rand -hex 4 > $ OPENSSL_CONF=/dev/null openssl3 rand -engine rdrand -hex 4 > Engine "rdrand" set. > 61f1666d > $ >

Re: OpenSSL-3.+ how to configure [random]?

ngine "rdrand" set. 61f1666d $ Pauli On 10/11/21 1:10 pm, Blumenthal, Uri - 0553 - MITLL wrote: > Thank you! > > I'm trying to: > > a. understand why something like "openssl-3 rand -hex 4" does not work (returns empty string), but &qu

Re: OpenSSL-3.+ how to configure [random]?

ly different places. Yes, the man pages could be more informative and user friendly :( Pauli On 10/11/21 12:35 pm, Blumenthal, Uri - 0553 - MITLL wrote: > "man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf&qu

OpenSSL-3.+ how to configure [random]?

"man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf", where I can specify type of RNG, other things, and *seed*, and seed *properties*. Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:

Re: openssl cms -encrypt error: error setting recipientinfo

At least one problem I can see with your EC certificate is wrong Key Usage. For EC it should be "Key Agreement". I'd not use the same cert for signing and encrypting. If you do, then add Signature and Non-Repudiation (but I've never done that). -- Regards, Uri There are two ways to design a

Re: Maiising Daily Snapshots for 20210416

IMHO, GitHub should be sufficient. -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.

Re: error: redefinition of ‘struct rsa_meth_st’

Is there an analog of the "dummy async engine" for the OpenSSL-3.0 Provider? TNX -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.

Re: Why does OpenSSL report google's certificate is "self-signed"?

In general - I concur, but there are nuances: sending root CA cert is mostly harmless, but mostly useless - except when there's a human on the receiving end that can and is allowed to make a decision to accept and trust that CA cert. Re. PQC - even the "smallest" among them are much larger than

Re: Why does OpenSSL report google's certificate is "self-signed"?

of the IT people would want to block the ability of a “mere” user to add an “unblessed” trusted root. Regards, Uri > On Mar 31, 2021, at 14:15, Viktor Dukhovni wrote: > >  >> >> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL >> wrote: >> >> For

Re: Why does OpenSSL report google's certificate is "self-signed"?

For a Web GUI with the user at the console (e.g., a Web browser), it might be OK. For my needs (devices talking to each other over austere links), sending the root CA very is both useless and wasteful. One you factor in the sizes of Post-Quantum keys and signatures - you’ll start disliking

Re: Encoding of AlgorithmIdentifier with NULL parameters

“OPTIONAL” means the parser must deal with complete absence, not only encoded as ASN.1 NULL. Broken parsers should be fixed. -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex

Re: OPenssl 3.0 issues

On 1/25/21, 10:13, "openssl-users on behalf of The Doctor" wrote: Anyone using BSD running into basename issues? Basename issues on MacOS. Presumably the same as you're having on BSD. smime.p7s Description: S/MIME cryptographic signature

Re: Parsing and generating CBOR certificates?

uce code size > drastically. Something I don't urgently need, but would welcome regardless. > I suggest opening a feature request at > https://github.com/openssl/openssl/issues Done: https://github.com/openssl/openssl/issues/13925 Thanks! On 21.01.21 02:07, Blumenthal, Uri -

Re: Parsing and generating CBOR certificates?

net-draft I reference is a way to do so, but it is (to repeat) > very much a work in progress. Understood. Do you know if there's any code behind it? Or just the "theory"? Thanks! On Thu, Jan 21, 2021 at 12:35:24AM +, Blumenthal, Uri - 0553 - MITLL wrote: > I meant

Re: Parsing and generating CBOR certificates?

https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ > which is very much still a work in progress. > > -Ben > > ________________ > From: Blumenthal, Uri - 0553 - MITLL > Sent: Wednesday, January 20, 2021 4:22 PM > To: openssl-use

Parsing and generating CBOR certificates?

I need to work with CBOR-encoded certificates. Is there any way to use OpenSSL to parse and/or generate certs in CBOR encoding? Thanks Regards, Uri smime.p7s Description: S/MIME cryptographic signature

Re: EC curve preferences

Those "rigid curves" that will be used in the future - future how distant, and for how long? Regards, Uri > On Nov 20, 2020, at 13:54, Phillip Hallam-Baker wrote: > smime.p7s Description: S/MIME cryptographic signature

Master fails tests (mentioning # TODO Currently not supported)

MacOS 10.15.5, Xcode-11.5, current OpenSSL master (3.0 dev) Is this expected: genpkey: Error setting ec_param_enc:explicit parameter: C00D090F0100:error::digital envelope routines:legacy_ctrl_str_to_param:command not supported:crypto/evp/pmeth_lib.c:1011: ../../util/wrap.pl

Re: CMAC timings

On 6/18/20, 12:46, "openssl-users on behalf of Kurt Roeckx" wrote: On Thu, Jun 18, 2020 at 10:41:40AM +0200, Tomas Mraz wrote: >> > I question the default behaviour, I think most people don't need >> > that support. >> >> Unfortunately that would be an API break that could

Re: CMAC timings

I think that the default behavior should change for 3.0, and the API change described in the Release Notes. I find that alternative less impacting that this silent sudden performance deterioration. On 6/18/20, 04:42, "openssl-users on behalf of Tomas Mraz" wrote: On Wed, 2020-06-17 at

Re: Asymetric crypto and OpenSSL 3.0 deprecated functions

Emmanuel, Would you mind explaining why you choose to continue encrypting the AES key, which - admittedly - is an unnecessary overkill? Is it merely to preserve the established process itself? On 5/26/20, 04:26, "openssl-users on behalf of Emmanuel Deloget" wrote: Hello Richard and

Re: How to get all certs into a .der file.

As far as I know, CURL (app and library) is perfectly happy to use a text file comprised of concatenated PEM certificates. I really wonder if there’s a real use case. On May 22, 2020, at 18:49, Salz, Rich via openssl-users wrote:  application/pkix-pkipath Defined in RFC4366 (section 8)

Re: CONF_MODULE undefined?

On 4/28/20, 04:38, "Richard Levitte" wrote: > Would you mind testing Not at all! ;-) > if https://github.com/openssl/openssl/pull/11655 fixes this? As you suspected - it does! ;-) Thank you! On Mon, 27 Apr 2020 18:29:12 +0200, Blumenthal, Uri - 05

CONF_MODULE undefined?

I hit this problem recompiling libp11 with the current OpenSSL-3.0 master. It's on MacOS Catalina 10.15.4 with the latest Xcode-11.4.1, but I think that's irrelevant. I checked through all the .h files in the OpenSSL sources, and found no definition o CONF_MODULE. OpenSSL-3.0 is installed into

Current master fails test

You probably already noticed, but if not… MacOS Mojave 10.14.6, Xcode 11.3.1. Current OpenSSL master (OpenSSL 3.0 dev) with PR 11193 applied (latest variant). Test Summary Report --- 25-test_req.t(Wstat: 512 Tests: 15 Failed: 2) Failed tests: 14-15

Re: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding

If you generated a keypair in a smartcard, how did you extract the private key out of it??? The whole point of a smartcard is to prevent that from being possible. So, like Ken suggested, I’ve no idea where the private key you posted was coming from – but reasonably sure it has no relation

MacOS: lost ability to use p11-kit???

macOS 10.14.6, Xcode-11.3 (with older Xcode it used to work), p11-kit 0.23.18, OpenSSL-1.1.1d, current master of OpenSC and libp11. Somehow, p11-kit proxy that selects the correct PKCS#11 library to pass the request to, is no longer invoked. Any help is appreciated! $ openssl cms -engine

Writing an ENGINE for OpenSSL-1.1.1 and 3.0

In preparation for writing a new engine that supports message digest and asymmetric crypto (sign and decrypt), I am trying to port the existing simple/demo engines from the Engine Corner examples (thanks, Richard!). The fork of https://github.com/engine-corner/Lesson-2-A-digest.git that

Re: Blake2b with key

> > Is keyed blake2b supported in openssl-dgst (latest OpenSSL release)? > No, sorry. It has been added for upcoming OpenSSL 3.0, though. Doesn't look like it's there: $ openssl3 version OpenSSL 3.0.0-dev xx XXX (Library: OpenSSL 3.0.0-dev xx XXX ) $ echo -n "hello" |

Re: Blake2b with key

Answered my own questions: $ openssl3 list -mac-algorithms Provided MACs: BLAKE2bMAC @ default BLAKE2sMAC @ default CMAC @ default GMAC @ default HMAC @ default KMAC128 @ default KMAC256 @ default Poly1305 @ default SipHash @ default $ $ echo -n "hello" | openssl3 mac -macopt

Re: Format and standard for CSR

> Uri, Greetings! Hello there! ;-) > On 8/28/19 6:09 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > Do you have an ASN.1 definition fit the content of CSR, or are you willing > > to create one? > > For now working with ASN.1. In that case, I would use one of the ava

Re: Format and standard for CSR

Do you have an ASN.1 definition fit the content of CSR, or are you willing to create one? IMHO, DER would be a pretty good choice, fat better than something home-brewed and non-standard. Regards, Uri Sent from my iPhone > On Aug 28, 2019, at 17:49, Robert Moskowitz wrote: > > CSR is an

Re: question about certificate verify

Is there a potential problem - if a certificate has multiple issues, such as bad signature and certificate expired? Would all of these conditions be reported, or only the first one detected? Regards, Uri Sent from my iPhone On Aug 26, 2019, at 10:11, Viktor Dukhovni wrote: >> On Aug 26,

Re: master branch: EC test broken AGAIN?

On 8/7/19, 10:57 AM, "openssl-users on behalf of Matt Caswell" wrote: > >> ../test/recipes/15-test_ec.t (Wstat: 256 Tests: 5 Failed: 1) > > > > Assuming you are building with enable-ec_nistp_64_gcc_128 then the fix for this > > issue is here: > > > >

master branch: EC test broken AGAIN?

Test Summary Report --- ../test/recipes/15-test_ec.t (Wstat: 256 Tests: 5 Failed: 1) Failed test: 2 Non-zero exit status: 1 Files=174, Tests=1660, 122 wallclock secs ( 1.27 usr 0.34 sys + 81.53 cusr 29.91 csys = 113.05 CPU) Result: FAIL Does it

Apps hang when openssl.cnf defines PKCS#11 engine

It is weird. MacOS 10.14.6, Xcode-10.3, OpenSSL-1.1.1c (Macports-installed), current master of libp11. Symptoms: when PKCS#11 engine is defined, git hangs upon HTTPS retrieval. If I comment the engine out in openssl.cnf, or tell git to not load openssl.cnf - it works fine: $ openssl version

Re: Ciphers provided by engine not accessible...?

On 7/22/19, 3:38 PM, "Richard Levitte" wrote: > > Turned out the failure was my misconfiguration - but the "config" > > man page doesn't seem to describe the *exact* order of the > > statements/sections. > > It does, but perhaps not in a way you expected. :-) > So the

Re: Ciphers provided by engine not accessible...?

ms = ALL CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet ##### On 7/19/19, 2:10 PM, "openssl-users on behalf of Blumenthal, Uri - 0553 - MITLL" wrote: MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed). Engines defined in the op

Re: Ciphers provided by engine not accessible...?

085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:crypto/evp/evp_enc.c:628: $ пт, 19 июля 2019 г., 21:09 Blumenthal, Uri - 0553 - MITLL <mailto:u...@ll.mit.edu>: MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed). Engines defin

Re: Ciphers provided by engine not accessible...?

? пт, 19 июля 2019 г., 21:09 Blumenthal, Uri - 0553 - MITLL : MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed). Engines defined in the openssl.cnf file: # [engine_section] pkcs11 = pkcs11_section gost = gost_section [pkcs11_section] engine_id = pkcs11 dynamic_path

Ciphers provided by engine not accessible...?

MacOS Mojave 10.14.5, OpenSSL-1.1.1c (Macports-installed). Engines defined in the openssl.cnf file: # [engine_section] pkcs11 = pkcs11_section gost = gost_section [pkcs11_section] engine_id = pkcs11 dynamic_path = /opt/local/lib/engines-1.1/libpkcs11.so MODULE_PATH =

Re: Errors building 1.1.1 on RHEL 7

users on behalf of Blumenthal, Uri - 0553 - MITLL" wrote: I'm getting a somewhat different error trying to build OpenSSL_1_1_1-stable on CentOS 7 (similar to RHEL 7). Configuration: ./config --prefix=$HOME/openssl-1.1 --debug --openssldir=$HOME/openssl-1.1/etc --with-rand-se

Re: Errors building 1.1.1 on RHEL 7

I'm getting a somewhat different error trying to build OpenSSL_1_1_1-stable on CentOS 7 (similar to RHEL 7). Configuration: ./config --prefix=$HOME/openssl-1.1 --debug --openssldir=$HOME/openssl-1.1/etc --with-rand-seed=rdcpu enable-aria enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5

Current master breaks EC tests

You probably noticed, but the current master keeps breaking EC tests for the last week or so. This is on Mac: ../test/recipes/15-test_ec.t ... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/5 subtests Test Summary Report ---

Re: how to set flags in X509_NAME_ENTRY in OpenSSL 1.1.1

> > For now the ASN.1 string is not an opaque structure. > > Considering how OpenSSL design evolved, I suspect that the time may come > when this string would become opaque. Therefore, I suggest that > getter/setter functions should be added. Any thoughts about the

Re: how to set flags in X509_NAME_ENTRY in OpenSSL 1.1.1

On 6/18/19, 5:44 PM, "openssl-users on behalf of Viktor Dukhovni" wrote: We should perhaps provide getter/setter functions for the flags, or perhaps even a specific function for indicating the value is a bitstring, and how many bits it holds. For now the ASN.1 string is not an

Re: why does RAND_add() take "randomness" as a "double"?

I can understand why you may not want to break existing API. Why not add another similar interface done the right way? On 5/22/19, 1:11 PM, "openssl-users on behalf of Dr. Matthias St. Pierre" wrote: I think nobody of us needs to be convinced anymore that making it a 'double' was a bad

Re: why does RAND_add() take "randomness" as a "double"?

On 5/21/19, 10:45 AM, "openssl-users on behalf of Salz, Rich via openssl-users" wrote: When I overhauled the RAND mechanism, I tried to deprecate this use of floating point, in favor of just a number from 0 to 100 but was voted down. If it's a sarcasm, I'm missing the point.

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

Hmm... Registering an OID dedicated to express this case should be feasible, and perfectly within the ASN.1 rules. One question - where in the OID tree would it live, as offhand I don't have any idea. It can't be too deep down, and also, it better be fairly short. >From the ASN.1 point of

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

First, let me prefix that while I don't want to badmouth anybody, even incompetence cannot excuse deliberately generating bad/unparsable encoding. That's one of the cases when the cure is clearly worse than the disease. On 3/21/19, 13:58, "openssl-users on behalf of Viktor Dukhovni" wrote:

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

+1 to Viktor's points. Regards, Uri Sent from my iPhone > On Mar 21, 2019, at 12:52, Viktor Dukhovni wrote: > > On Thu, Mar 21, 2019 at 01:00:14PM +, Salz, Rich via openssl-users wrote: > >>> This software however is 7 years old, we’re not in a position to drop >>> everything and

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Since OpenSSL is more than just a TLS implementation, I agree with Michael and support relaxing these checks when appropriate. Regards, Uri Sent from my iPhone On Mar 6, 2019, at 10:22, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of >>

Re: [openssl-users] Smartcard cert used for encrypt\decrypt

On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" wrote:     > Does anybody know how to use the smartcard to encrypt and decrypt files? Smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In

Re: [openssl-users] openssl 1.1.1 manuals

The docs site is screwed up. CMS_sign is indeed documented for 1.1.1 - but you have to go there via https://www.openssl.org/docs/man1.1.1 -> Libraries -> CMS_sign.html, which would bring you to https://www.openssl.org/docs/man1.1.1/man3/CMS_sign.html On 12/27/18, 14:00, "openssl-users on

Re: [openssl-users] FW: Dgst sigopt parameters?

:23 PM, Blumenthal, Uri - 0553 - MITLL >> wrote: >> >> I still would like to know where all the acceptable "dgst -sigopt" >> parameters are described for RSA and ECDSA. >> >> Google search and scouring openssl.org manual pages did not bring me &g

[openssl-users] FW: Dgst sigopt parameters?

I still would like to know where all the acceptable "dgst -sigopt" parameters are described for RSA and ECDSA. Google search and scouring openssl.org manual pages did not bring me anything. On 8/24/17, 5:42 PM, "Blumenthal, Uri - 0553 - MITLL" wrote: OpenSSL dgst m

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

as "letting the > perfect be the enemy of the good", which is also known as "cutting off the > nose to spite the face". It still cuts down on a huge number of potential > attacks, and doing away with it allows those attacks to flourish again. > (Which, by the way

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

>> Quoting from Peter Gutmann's "Engineering Security", >> section "EV Certificates: PKI-me-Harder" >> >> Indeed, cynics would say that this was exactly the problem that >> certificates and CAs were supposed to solve in the first place, and >> that

Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

> "Provided chain ends with unknown self-signed certificate". I like this. IMHO "unrecognized" would be more confusing. I hope the team makes up their mind quickly. On 12/4/18, 6:17 PM, "openssl-users on behalf of Michael Wojcik" wrote: > From: openssl-users

Re: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID

The way I understand the ECDSA standard, it is supposed to truncate the provided hash - which is why it is possible to have ECDSA-over-P256-SHA384. One possibility would be for you to truncate the SHA2 output yourself, IMHO. On 11/30/18, 12:36 PM, "openssl-users on behalf of Fuchs, Andreas"

Re: [openssl-users] What to do with deprecation errors

ssl-1.1/lib -lcrypto $ ./ttt OPENSSL_VERSION_NUMBER 10101010 $ gcc -o ttt ttt.c -lcrypto $ ./ttt OPENSSL_VERSION_NUMBER 1000210f $ On Sun, 2018-10-21 at 00:36 +0000, Blumenthal, Uri - 0553 - MITLL wrote: > I'm not sure I understand what you're doing, but: > &g

Re: [openssl-users] What to do with deprecation errors

I'm not sure I understand what you're doing, but: $ cat ttt.c #include #include int main(void) { printf("OPENSSL_VERSION_NUMBER %lx\n",OPENSSL_VERSION_NUMBER); return 0; } $ gcc -o ttt ttt.c -lcrypto $ ./ttt OPENSSL_VERSION_NUMBER 1000210f $ gcc -o ttt -I$HOME/openssl-1.1/include ttt.c

Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

Note that the key to reproducing this issue is compiling SoftHSMv2 with 1.1.1. When compiled with 1.0.2p, everything else can be compiled against 1.1.1 and it works ok. Regards, Uri Sent from my iPhone > On Sep 21, 2018, at 02:09, Paras Shah (parashah) via openssl-users > wrote: > > I

Re: [openssl-users] updating openssl on MacOS

On 9/20/18, 4:39 PM, "openssl-users on behalf of Viktor Dukhovni" wrote: Despite (IMHO) its increasing obsolescence and irrelevance, the LibreSSL fork of OpenSSL 1.0.2 also supports ECDSA. Yep. > so openssl 1.1.0 or newer, and his Mac is infested with > 0.98letter.

Re: [openssl-users] updating openssl on MacOS

Macports team is working on upgrading OpenSSL to 1.1.1. It takes time because they plan to move all the ports that depend on OpenSSL to that level. I assume that once that is done, 1.0.2 won't be supported/available on Macports anymore. Installation - as Dominyk said: "sudo port install

Re: [openssl-users] Engines on Mac OS X

my iPhone > On Sep 3, 2018, at 14:31, Blumenthal, Uri - 0553 - MITLL > wrote: > > If it builds a dummy engine - then shouldn't a dummy engine respond > gracefully to requests with something like "sorry I can't do anything > useful", instead of spitting outa puke of err

Re: [openssl-users] Engines on Mac OS X

If it builds a dummy engine - then shouldn't a dummy engine respond gracefully to requests with something like "sorry I can't do anything useful", instead of spitting outa puke of error messages in response to "openssl engine -t capi"? Regards, Uri Sent from my iPhone > On Sep 3, 2018, at

Re: [openssl-users] OpenSSL version 1.1.1 pre release 9 published

Since this example would show how to generate certificates that people may not have a lot of experience dealing with - I think it would make a lot of sense to document as much as possible. In short: yes please do include the examples of both what the certs should look like, and how to generate

Re: [openssl-users] openssl-1.1.0-stable-SNAP-20180802 issue

Same problem on Linux. Regards, Uri Sent from my iPhone > On Aug 2, 2018, at 07:47, The Doctor wrote: > > While compiling today's openssl 1.1.0 snap on FreeBSD 11.2 > > I got > > /usr/bin/cc -I. -Icrypto/include -Iinclude -DZLIB -DZLIB_SHARED -DDSO_DLFCN > -DHAVE_DLFCN_H -DNDEBUG

Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

Actually, it all works just fine. Viktor's point about adding terminating "\n" to the input text helped. -BEGIN PRIVATE KEY- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGlXflMDDD8kOP TP5y06tSXe1g8G3uJAoGHT8NewYANIONuJEZveXnfL8+bJRIu8FDzeCc4SWsCISK

Re: [openssl-users] stunnel 5.46 released

FWIW, I'm with Viktor in this argument. From cryptography point of view he's right. I suspect he's right from the practical point of view as well. P.S. Those concerned that a nation-state would attack them, are advised to change the default config anyway. -- Regards, Uri Blumenthal On

Re: [openssl-users] error (openssl-1.1.0g)

so waiting for the answers right? Yes I certainly am. 2018-02-15 6:57 GMT+09:00 Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>: Funny. I have the same problem with the current master on one of my two MacOS High Sierra machines. Surprisingly, the other machine builds and runs the

Re: [openssl-users] error (openssl-1.1.0g)

Funny. I have the same problem with the current master on one of my two MacOS High Sierra machines. Surprisingly, the other machine builds and runs the current master just fine. Configuration and build scripts are automated and exactly the same between the two. The “bad” machine runs a

Re: [openssl-users] TLS Error in FreeRadius - eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

> Here's the standards OpenSSL claims to implement: > https://www.openssl.org/docs/standards.html. So do many others, and yet when the RFC is impractical, a more practical alternative is implemented. I did not see RFC 5280 in the list of the implemented/supported standards.

Re: [openssl-users] OpenSSL on side

7-10-11, 12:11 GMT, Blumenthal, Uri - 0553 - MITLL wrote: >> Unfortunately, not quite. Being pip-installable means to the >> majority of users that the package in question can be >> installed via, e.g., >> >> pip install M2Crypto > > I understand that, m

Re: [openssl-users] OpenSSL on side

7-10-11, 11:35 GMT, Blumenthal, Uri - 0553 - MITLL wrote: >> And it is not installable via PIP, though to me being placed >> on pypi site suggested that it should be (that's how I tried >> to install it). > > What’s needed for package to be pip installable? I would think >

Re: [openssl-users] OpenSSL on side

t; said: > > mcepl> On 2017-10-10, 21:17 GMT, Blumenthal, Uri - 0553 - MITLL wrote: > mcepl> > I have to report that this M2Crypto release is broken, as it > mcepl> > cannot find OpenSSL installed in /opt/local (apologies for > mcepl> > spamming multiple li

Re: [openssl-users] [ANN] M2Crypto 0.27.0

I have to report that this M2Crypto release is broken, as it cannot find OpenSSL installed in /opt/local (apologies for spamming multiple lists and people): /usr/bin/clang -fno-strict-aliasing -fno-common -dynamic -pipe -Os -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes

Re: [openssl-users] Missing EVP_PKEY method to set engine?

18:54, Dr. Stephen Henson <st...@openssl.org> wrote: > >> On Fri, Sep 29, 2017, Blumenthal, Uri - 0553 - MITLL wrote: >> >> Apologies in advance for cross-posting ??? but I???m not sure which of the >> two mailing lists this belongs to. >> >> A key (sa

[openssl-users] Missing EVP_PKEY method to set engine?

Apologies in advance for cross-posting – but I’m not sure which of the two mailing lists this belongs to. A key (say, private key) is loaded from the pkcs11 engine via privkey = ENGINE_load_private_key(engine, ); and this operation succeeds. However the resulting key handle has its

Re: [openssl-users] Storing private key on tokens

AFAIK, at this point pkcs11 engine doesn't support key generation. The only viable options AFAIK are OpenSC (pkcs11-tool) and vendor-specific applications like yubico-piv-tool. Regards, Uri Sent from my iPhone > On Sep 27, 2017, at 08:23, Dmitry Belyavsky wrote: > >

[openssl-users] How to load the right engine?

I’m debugging programmatic access to a (modified) pkcs11 engine. My system has several OpenSSL installations: Apple-provided OpenSSL-0.9.8 (kept as that came with the OS :), Macports-installed OpenSSL-1.0.2l (the main one installed to /opt/local, used by everything Macports builds, and what I

[openssl-users] How to emulate EVP_PKEY_meth_get_sign() on OpenSSL-1.0.2?

An engine works with OpenSSL-1.1.0+. It needs to hook some methods, and it accesses them via EVP_PKEY_meth_get_sign(), EVP_PKEY_meth_get_decrypt(), and EVP_PKEY_meth_get_encrypt(). And the corresponding set() calls. I’d like to backport this engine to OpenSSL-1.0.2. But 1.0.2 does not

[openssl-users] -pkeyopt parameters?

I seem unable to figure how to configure RSA-OAEP parameters (hash and MGF functions) for “opensl pkeyutl” command. The man page seems to say that only thing I can do is tell openssl CLI that I want OAEP padding, and nothing more. File “apps/pkeyutl.c” was of no help. Where can I find

Re: [openssl-users] Internet Draft Guide to creating an EDSA PKI

On 9/1/17, 16:26, "openssl-users on behalf of Michael Wojcik" wrote: >Bob, I just want to say thanks for producing this. Even if it never makes > it out of I-D stage, there's a lot of useful information here. >

  1   2   >