RES: cert extract / unable to load PKCS7 object
I'm sorry. Below is the file that I'm using.

-----BEGIN PKCS7-----
[base64 PKCS#7 body omitted]
-----END PKCS7-----

Thank you!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Dr. Stephen Henson
Sent: Thursday, 24 March 2005 19:44
To: openssl-users@openssl.org
Subject: Re: cert extract / unable to load PKCS7 object

On Thu, Mar 24, 2005, Rafael wrote:

> Hello all,
>
> I'm trying to get a certificate to sign e-mail on the Thawte website.
> After I get the certificate from the website, I copy/paste and save it in
> a file, but when I do:
>
>     % openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
>
> I get the following error:
>
>     unable to load PKCS7 object
>     11638:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:731:
>
> I'm using these instructions: http://www.kfu.com/~nsayer/encryption/openssl.html
>
> I've tried everything: with and without a carriage return at the end and at
> the beginning, with the -----BEGIN PKCS7----- header, with the
> -* PKCS #7 SIGNED DATA- header, but I keep getting the same error.
>
> Does anyone know what this could be?

Why don't you post the file? Otherwise we'd just be guessing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

--
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.7.4 - Release Date: 18/3/2005
Re: RES: cert extract / unable to load PKCS7 object
Rafael wrote:
> I'm sorry. Below is the file that I'm using.
>
> -----BEGIN PKCS7-----
> MIII7gYJKoZIhvcNAQcCoIII3zCCCNsCAQExADALBgkqhkiG9w0BBwGgggjDMIIC SzCCAbSgAwIB AgIDDldsMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU wIwYDVQQKExxUaGF3dGUgQ29u c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEy
> ...

openssl doesn't like this shredded PEM format. Format it correctly (or let openssl do it), then it should work.

Nils
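An added example, not from the thread or from OpenSSL: a POSIX shell script that repairs a "shredded" PEM file the way Nils suggests, so the PEM reader sees intact BEGIN/END lines with the base64 body re-wrapped at 64 columns and no stray spaces or CRs. File names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reflow a PEM file whose base64 body was
# shredded by copy/paste (odd wrapping, stray spaces, CR line endings), which
# is what makes the PEM reader fail with "bad end line" or "no start line".
set -eu

# Print a clean PEM block for the file in $1: RFC 7468 armour lines carrying the
# label found in the input, body stripped of all whitespace and wrapped at 64.
normalize_pem() {
    # Drop CRs once so the armour and body patterns below see plain text.
    pem_text=$(tr -d '\r' < "$1")
    # Recover the label, tolerating collapsed dashes such as "-BEGIN PKCS7-".
    label=$(printf '%s\n' "$pem_text" \
        | sed -n 's/^-*BEGIN \([A-Z0-9][A-Z0-9 #]*[A-Z0-9]\)-*$/\1/p' | head -n 1)
    if [ -z "$label" ]; then
        echo "normalize_pem: no BEGIN line found in $1" >&2
        return 1
    fi
    printf '%s\n' "-----BEGIN $label-----"
    # Body = lines between BEGIN and END, minus every space, tab and newline,
    # re-wrapped at 64 columns (the echo gives fold a final newline to keep).
    { printf '%s\n' "$pem_text" \
        | sed -n '/^-*BEGIN /,/^-*END /{/^-*BEGIN /d;/^-*END /d;p;}' \
        | tr -d ' \t\n'; echo; } | fold -w 64
    printf '%s\n' "-----END $label-----"
}

# Count body lines that are not exactly 64 columns (the last one is allowed to
# be shorter); 0 means the layout is what the PEM reader expects.
count_bad_body_lines() {
    tr -d '\r' < "$1" | sed '/^-*BEGIN /d;/^-*END /d;/^$/d' | sed '$d' \
        | awk 'length($0) != 64 { n++ } END { print n + 0 }'
}

# Usage: fixpem.sh shredded.p7b clean.p7b (made-up names); the rewritten file
# is then handed to openssl, if installed, the way the thread's command does.
if [ $# -eq 2 ]; then
    normalize_pem "$1" > "$2"
    if command -v openssl >/dev/null 2>&1; then
        openssl pkcs7 -in "$2" -print_certs -noout
    fi
fi
```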
need help with TLS key computation and exchange failure
Hi, All,

Sorry if this is a repeat message. Obviously I am having some problems with my email...

I am developing TLS based on xsupplicant code and openssl-0.9.7e. At the client side, in the state SSL3_ST_CW_KEY_EXCH_A, when ssl3_send_client_key_exchange() is called, DH_compute_key() is always returning zero, which generates the error string:

    error:14098005:lib(20):func(152):reason(5)

It looks like an ASN1 error. What usually causes this problem? Is this because something goes wrong when dh_clnt=DHparams_dup(dh_srvr) is called, or when DH_generate_key() is called?

Thanks,
Jie
RES: RES: cert extract / unable to load PKCS7 object
Thank you!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Nils Larsch
Sent: Monday, 28 March 2005 12:29
To: openssl-users@openssl.org
Subject: Re: RES: cert extract / unable to load PKCS7 object

Rafael wrote:
> I'm sorry. Below is the file that I'm using.
>
> -----BEGIN PKCS7-----
> MIII7gYJKoZIhvcNAQcCoIII3zCCCNsCAQExADALBgkqhkiG9w0BBwGgggjDMIIC SzCCAbSgAwIB AgIDDldsMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU wIwYDVQQKExxUaGF3dGUgQ29u c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEy
> ...

openssl doesn't like this shredded PEM format. Format it correctly (or let openssl do it), then it should work.

Nils
verify signed messages with Outlook
Hi people,

I'm using a free certificate from Thawte to sign a message with OpenSSL. On the Linux server that I'm using to sign, I can verify it successfully. But when I send it with the sendmail command, Outlook says that there is an error in the signature, that the content of the message could've been altered.

Does anyone know why this is happening?

Thanks,
Rafael Daraya
Re: verify signed messages with Outlook
Hello!

On Mon, 28 Mar 2005, Rafael wrote:

> I'm using a free certificate from Thawte to sign a message with OpenSSL. On
> the Linux server that I'm using to sign, I can verify it successfully. But
> when I send it with the sendmail command, Outlook says that there is an error
> in the signature, that the content of the message could've been altered.
>
> Does anyone know why this is happening?

We had such a problem. It happened because of the line endings in the headers. To avoid problems, we use smime -sign -crlfeol.

--
SY, Dmitry Belyavsky (ICQ UIN 6575)
openssl smime ability to create a multi-attachment message?
Is it possible to have the command line of openssl create an S/MIME message containing file(s)?

Example. Sample e-mail:

    Hey here are some files.
    -Attachments:
    doc1.doc
    doc2.doc

Is there a command-line way to create the S/MIME format for this? If not, is there code built into openssl to handle this? Or has someone already run into this and has sample code?

Thank you.
SSL_read()
I have a question about SSL_read(). Am I correct in my understanding that SSL_read() will not read from the socket as long as there is data in the SSL buffers available for processing? And if there is data in the SSL buffer but it cannot be processed because we don't have a complete record, then I will get SSL_ERROR_WANT_READ/WRITE, in which case I need to issue SSL_read() again to read more data from the socket?

Thanks,
Ed
Re: SSL_read()
Straight from the man pages:

    SSL_read() works based on the SSL/TLS records. The data are received in
    records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a
    record has been completely received, it can be processed (decryption and
    check of integrity). Therefore data that was not retrieved at the last
    call of SSL_read() can still be buffered inside the SSL layer and will be
    retrieved on the next call to SSL_read(). If num is higher than the
    number of bytes buffered, SSL_read() will return with the bytes buffered.
    If no more bytes are in the buffer, SSL_read() will trigger the
    processing of the next record. Only when the record has been received and
    processed completely, SSL_read() will return reporting success. At most
    the contents of the record will be returned. As the size of an SSL/TLS
    record may exceed the maximum packet size of the underlying transport
    (e.g. TCP), it may be necessary to read several packets from the
    transport layer before the record is complete and SSL_read() can succeed.

It speaks to what you are inquiring about.

Edward Chan wrote:
> I have a question about SSL_read(). Am I correct in my understanding that
> SSL_read() will not read from the socket as long as there is data in the SSL
> buffers available for processing? And if there is data in the SSL buffer but
> it cannot be processed because we don't have a complete record, then I will
> get SSL_ERROR_WANT_READ/WRITE, in which case I need to issue SSL_read() again
> to read more data from the socket?
>
> Thanks,
> Ed
Re: openssl smime ability to create a multi-attachment message?
On Mon, Mar 28, 2005, Chevalier, Victor T. wrote:

> Is it possible to have the command line of openssl create an S/MIME message
> containing file(s)?
>
> Example. Sample e-mail:
>
>     Hey here are some files.
>     -Attachments:
>     doc1.doc
>     doc2.doc
>
> Is there a command-line way to create the S/MIME format for this? If not, is
> there code built into openssl to handle this? Or has someone already run into
> this and has sample code?
>
> Thank you.

You have to create the MIME message in the appropriate format and send that to the smime command. This is however an area where many S/MIME clients have difficulties.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: SSL_read()
Thanks for your reply. I read that, and I think I understand what it is saying. I'm just trying to get confirmation on my understanding of it. Put a different way, if I have the following code where I do SSL_read() in a do-while loop:

    int iBytesRead = 0;
    do {
        int ret = SSL_read(ssl, buf, sizeof(buf));
        int err = SSL_get_error(ssl, ret);
        if (err == SSL_ERROR_NONE) {
            iBytesRead += ret;
        } else if (err == SSL_ERROR_ZERO_RETURN) {
            return 0;  // ssl connection was closed
        } else if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
            break;     // need more data; break loop and add fd back to poll
                       // and do another SSL_read() when there is more data
                       // available on the socket.
        } else {
            return 0;  // read failed
        }
    } while (SSL_pending(ssl));  // ssl buffer has been completely drained

Assuming the client is continuously sending me data, will I ever exit this loop? I assume that once the SSL buffer has been emptied, SSL_pending() will return 0 and I break the loop, or the SSL buffer can no longer be processed without more data, in which case I get SSL_ERROR_WANT_READ/WRITE and break the loop, at which time I will add the fd back to poll and wait for more data on the socket (which could be immediate).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 28, 2005 4:04 PM
To: openssl-users@openssl.org
Subject: Re: SSL_read()

Straight from the man pages:

    SSL_read() works based on the SSL/TLS records. The data are received in
    records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a
    record has been completely received, it can be processed (decryption and
    check of integrity). Therefore data that was not retrieved at the last
    call of SSL_read() can still be buffered inside the SSL layer and will be
    retrieved on the next call to SSL_read(). If num is higher than the
    number of bytes buffered, SSL_read() will return with the bytes buffered.
    If no more bytes are in the buffer, SSL_read() will trigger the
    processing of the next record. Only when the record has been received and
    processed completely, SSL_read() will return reporting success. At most
    the contents of the record will be returned. As the size of an SSL/TLS
    record may exceed the maximum packet size of the underlying transport
    (e.g. TCP), it may be necessary to read several packets from the
    transport layer before the record is complete and SSL_read() can succeed.

It speaks to what you are inquiring about.

Edward Chan wrote:
> I have a question about SSL_read(). Am I correct in my understanding that
> SSL_read() will not read from the socket as long as there is data in the SSL
> buffers available for processing? And if there is data in the SSL buffer but
> it cannot be processed because we don't have a complete record, then I will
> get SSL_ERROR_WANT_READ/WRITE, in which case I need to issue SSL_read() again
> to read more data from the socket?
>
> Thanks,
> Ed
Re: SSL_read()
Normally, you have something like:

    while (1) {
        select() call
        if (SOCKET is in read mode) {
            do { SSL_read() call }
        }
        if (SOCKET is in write mode) {
            do { SSL_write() call }
        }
    }

Once you end the first loop, make sure you close the socket and issue SSL_free(). You will have to find a nifty way of ending the read/write operation, though. Yes, you will leave the loop eventually; it also depends on the implementation you choose: threaded, using fork, single-threaded, ...

LDB

Edward Chan wrote:
> Thanks for your reply. I read that, and I think I understand what it is
> saying. I'm just trying to get confirmation on my understanding of it. Put a
> different way, if I have the following code where I do SSL_read() in a
> do-while loop:
>
>     int iBytesRead = 0;
>     do {
>         int ret = SSL_read(ssl, buf, sizeof(buf));
>         int err = SSL_get_error(ssl, ret);
>         if (err == SSL_ERROR_NONE) {
>             iBytesRead += ret;
>         } else if (err == SSL_ERROR_ZERO_RETURN) {
>             return 0;  // ssl connection was closed
>         } else if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
>             break;     // need more data; break loop and add fd back to poll
>                        // and do another SSL_read() when there is more data
>                        // available on the socket.
>         } else {
>             return 0;  // read failed
>         }
>     } while (SSL_pending(ssl));  // ssl buffer has been completely drained
>
> Assuming the client is continuously sending me data, will I ever exit this
> loop? I assume that once the SSL buffer has been emptied, SSL_pending() will
> return 0 and I break the loop, or the SSL buffer can no longer be processed
> without more data, in which case I get SSL_ERROR_WANT_READ/WRITE and break
> the loop, at which time I will add the fd back to poll and wait for more data
> on the socket (which could be immediate).
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 28, 2005 4:04 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_read()
>
> Straight from the man pages:
>
>     SSL_read() works based on the SSL/TLS records. The data are received in
>     records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a
>     record has been completely received, it can be processed (decryption and
>     check of integrity). Therefore data that was not retrieved at the last
>     call of SSL_read() can still be buffered inside the SSL layer and will be
>     retrieved on the next call to SSL_read(). If num is higher than the
>     number of bytes buffered, SSL_read() will return with the bytes buffered.
>     If no more bytes are in the buffer, SSL_read() will trigger the
>     processing of the next record. Only when the record has been received and
>     processed completely, SSL_read() will return reporting success. At most
>     the contents of the record will be returned. As the size of an SSL/TLS
>     record may exceed the maximum packet size of the underlying transport
>     (e.g. TCP), it may be necessary to read several packets from the
>     transport layer before the record is complete and SSL_read() can succeed.
>
> It speaks to what you are inquiring about.
>
> Edward Chan wrote:
>> I have a question about SSL_read(). Am I correct in my understanding that
>> SSL_read() will not read from the socket as long as there is data in the SSL
>> buffers available for processing? And if there is data in the SSL buffer but
>> it cannot be processed because we don't have a complete record, then I will
>> get SSL_ERROR_WANT_READ/WRITE, in which case I need to issue SSL_read() again
>> to read more data from the socket?
>>
>> Thanks,
>> Ed
EVP_SealInit and key length
Is there any way to specify the key length to use in EVP_SealInit? (Besides AES, where the EVP_CIPHER specifies the length.) If not, how do you figure out how long a key was used?

Thanks,
Mike
OpenSSL tool in Windows environment for generating client certificate
Hi All,

I want to use the OpenSSL tool on a Windows platform (e.g., Win 2k) for generating X.509 v3 client certificates. Could anyone please tell me whether it is possible? If possible, please suggest the steps for generating the client certificate on Win 2k.

Thanks.

Best Regards,
Bhartinder Raghav
Re: 1 Main CA and a subordinate CA 1-Many...how can I sign one ca with another ca...
On Fri, 25 Mar 2005 10:13:38 -0600, Chevalier, Victor T. [EMAIL PROTECTED] wrote:

> I am trying to create a hierarchy for my CAs... however, when I have two
> separate CAs created similarly:
>
> On box 1, Main CA:
>
>     openssl req -newkey rsa:2048 -days 4380 \
>         -out cacert.pem -outform PEM -config openssl.cnf
>
> On box 2, Subordinate CA:
>
>     openssl req -newkey rsa:2048 -days 2190 \
>         -out cacert.pem -outform PEM -config openssl.cnf
>
> I try to sign the subordinate CA with the main CA like this, on box 1 in the
> main CA directory:
>
>     openssl ca -in box2/SubCA/cacert.pem -config openssl.cnf
>
> I get an error something along the lines of "Expecting: CERTIFICATE REQUEST".

You actually want to sign the CSR for box 2, not the certificate itself. You also probably don't need to generate a self-signed certificate on box 2 anyway, since the real certificate you want is box 2's CSR signed by box 1's CA. That certificate should then be valid for 2190 days...

Morgan
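An added example, not from the thread or from OpenSSL, of the procedure Morgan describes: box 1's root CA signs box 2's certificate request with openssl ca, and the same command is then shown refusing a certificate as input, which is the failure in the question. The subject names, directory layout and the minimal openssl.cnf are made up for the demo; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the two-box hierarchy Morgan describes.
# Box 1 (root CA) signs box 2's certificate REQUEST with "openssl ca"; handing
# "openssl ca" a certificate instead fails the way Victor's command did.
set -eu
# Minimal root-CA openssl.cnf (hypothetical values) written to "$1/ca.cnf".
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = $1/root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 2190
policy = policy_any
x509_extensions = v3_sub_ca
[ policy_any ]
commonName = supplied
[ v3_sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
# Build root (box 1) and subordinate (box 2) under "$1"; prints the verify result.
build_hierarchy() {
    work=$1
    mkdir -p "$work/root/newcerts" "$work/sub"
    : > "$work/root/index.txt"; echo 1000 > "$work/root/serial"
    write_ca_config "$work"
    # Box 1: root key and SELF-SIGNED certificate (-x509 is what makes it a cert).
    openssl req -x509 -newkey rsa:2048 -nodes -days 4380 -config "$work/ca.cnf" \
        -extensions v3_root_ca -subj "/CN=Example Root CA" \
        -keyout "$work/root/cakey.pem" -out "$work/root/cacert.pem" >/dev/null 2>&1
    # Box 2: subordinate key and a certificate REQUEST (no -x509 here).
    openssl req -newkey rsa:2048 -nodes -config "$work/ca.cnf" -subj "/CN=Example Sub CA" \
        -keyout "$work/sub/cakey.pem" -out "$work/sub/subca.csr" >/dev/null 2>&1
    # Box 1: sign the request; the CA config, not the CSR, supplies CA:TRUE/pathlen:0.
    openssl ca -batch -notext -config "$work/ca.cnf" \
        -in "$work/sub/subca.csr" -out "$work/sub/cacert.pem" >/dev/null 2>&1
    openssl verify -CAfile "$work/root/cacert.pem" "$work/sub/cacert.pem"
}
# The mistake from the thread: a certificate given to "openssl ca -in". It wants a
# CERTIFICATE REQUEST, so this returns 0 only because openssl ca exits non-zero.
sign_wrong_input() {
    ! openssl ca -batch -config "$1/ca.cnf" -in "$1/root/cacert.pem" -out /dev/null >/dev/null 2>&1
}
workdir=$(mktemp -d)
build_hierarchy "$workdir"
sign_wrong_input "$workdir" && echo "openssl ca refused the certificate: it expects a CSR"
```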