Re: difference between authenticode certificate and normal certificate?
On Thu, Jul 28, 2005, coco coco wrote:

> Anyway, I just found that CA called Ascertia which seems to offer free certificate. I'll see if I can get a free cert for code signing, and see what's in there.

Have you tried this: http://www.thawte.com/support/code/office.html#timestamp

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
SSLVerifyClient fails
I got a big problem with SSLVerifyClient. I guess I posted a similar problem before, but now the error(s?) is really more strange (in my point of view). I used this tutorial: http://fra.nksteidl.de/Erinnerungen/OpenSSL.php

I have got two sections. One with only server-side SSL (works), and a folder (called 'demo', with a file 'index.php') with client-side SSL. When I call the site my browser asks me to choose a cert I want to use to enter the site. I choose the right one (exported via PKCS), and then IE says "cannot find server or DNS", and Firebird doesn't do anything (it stays on my start page, but with the lock symbol in Task).

So I have got a Root_CA, a Server_CA and a User_CA. The Root_CA verifies the other 2 CAs. Server_CA verifies server certificates (no problem). User_CA verifies client certificates. I concatenated the certificates from Root and User_CA:

    cat /RootCA.cert.pem /UserCA.cert.pem > UserCAchaincert.pem

My integration in apache:

    NameVirtualHost xxx.xxx.xxx.xxx:443
    <VirtualHost xxx.xxx.xxx.xxx:443>
        ServerName test.de
        DocumentRoot /srv/www/htdocs/web3/html/test
        php_admin_value open_basedir /srv/www/htdocs/web3/html/test
        <IfModule mod_ssl.c>
            SSLEngine on
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            SSLProtocol all
            AddType application/x-x509-ca-cert .crt
            AddType application/x-pkcs7-crl .crl
            SSLOptions +StdEnvVars +ExportCertData
            ErrorLog /var/log/apache2/test/ssl.log
            LogLevel debug
            SSLVerifyClient none
            SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
            SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
            SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
            SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        </IfModule>
        <Location /demo>
            SSLRequireSSL
            SSLVerifyClient require
            SSLVerifyDepth 1
        </Location>
    </VirtualHost>

If you need something more, just let me know. And thank you very much in advance for every helping idea, because I have been trying to get this to work for weeks.

Sven

P.S.: I use SuSE Linux 9.0 with mod_ssl and openssl 0.9.7b (would like to update)
openssl smime
Is there a method/means to use the S/MIME function to encrypt a file, but leave the content in a binary format, rather than conversion to base64 etc.? Basically provide similar function to GnuPG but using X.509 certificates, and the PKCS#X standards?
Loading PKCS#12 Files: Client Cert. and Key
Hello,

I'm having great success securing my application with OpenSSL, but I have a small question regarding client certificates and private keys. I load a PKCS#12 file into an SSL_CTX as follows:

1. Use PKCS12_parse() to read the client certificate, private key, and trusted CA stack
2. Use SSL_CTX_get_cert_store() to get the SSL_CTX's trusted CA certificate store (initially empty)
3. Pop the X509's from the PKCS#12 CA stack and push onto the SSL_CTX's certificate store
4. Use SSL_CTX_use_certificate() to load the client certificate into the SSL_CTX
5. Use SSL_CTX_use_PrivateKey() to load the client's private key into the SSL_CTX

All this is working fine. Now I need to print the contents of the SSL_CTX for administrative purposes. I am able to access the trusted CAs with SSL_CTX_get_cert_store(), traverse the stack and print the subject and issuer.

MY QUESTION IS: how do I access the client certificate and private key from an SSL_CTX?

Thanks for the help,
-David
Re: about the BN prime generator
Matthew Julius Raibert wrote:

> I'm working on a project for which I need to generate big primes. Along the way I noticed that when I run BN_generate_prime() it seems to always set the two most significant bits to one. In other words, if I ask for a thousand 16 bit primes, I get a thousand primes that lie between hex C000 and hex 1 and not a single prime that lies between hex 8000 and hex C000.

yep, that's intentional. It should ensure that the product of two q-bit prime numbers is 2*q bits long (useful for rsa key generation). A simple workaround might be to generate a dh prime (or at least let openssl think you want to do this) by supplying a trivial non-NULL add parameter to BN_generate_prime, for example:

    #include <openssl/bn.h>
    #include <openssl/crypto.h>   /* OPENSSL_free */
    #include <iostream>
    #include <math.h>
    #include <stdlib.h>
    #include <time.h>
    using namespace std;

    int main() {
        BIGNUM* prime = BN_new();
        BIGNUM* two = BN_new();
        BN_set_word(two, 2);
        for (int j = 0; j < 100; j++) {
            /* a non-NULL add (here 2) takes the DH code path, which only forces the top bit */
            if (BN_generate_prime(prime, 16, 0, two, NULL, NULL, NULL) == NULL)
                return 1;
            char* hex = BN_bn2hex(prime);   /* the returned string must be freed by the caller */
            cout << "A PRIME: " << hex << endl;
            OPENSSL_free(hex);
        }
        BN_free(two);
        BN_free(prime);
        return 0;
    }

Nils
Re: about the BN prime generator
Nils Larsch wrote:

> Matthew Julius Raibert wrote:
>
>> I'm working on a project for which I need to generate big primes. Along the way I noticed that when I run BN_generate_prime() it seems to always set the two most significant bits to one. In other words, if I ask for a thousand 16 bit primes, I get a thousand primes that lie between hex C000 and hex 1 and not a single prime that lies between hex 8000 and hex C000.
>
> yep, that's intentional. It should ensure that the product of two q-bit prime numbers is 2*q bits long (useful for rsa key generation).

Intentional or otherwise, it's NOT the correct way of solving the problem. It introduces an unnecessary bias.

The problem, in case it isn't obvious to everyone, is that the product of two n-bit numbers may be 2n bits or 2n-1 bits in length. In order to guarantee that the result will have 2n bits, the proper thing to do is generate two primes in the range (2^(n-2) * sqrt(2), 2^(n-1)). So, if you're searching for a 2048-bit product N = pq, look for prime numbers between (if I typed correctly)

    5A827999FCEF32422AC06224B2789C917FB42383BCB512CA35DF19C7305BEEFE0778\
    08545794DFFD2C6A54760CA620E1F7A845D93AB2412F48D99975B0C7A5FA2F34C9EB\
    2FC77497318B0C4A5E3F3286D0A5C327C499C534CE88B38A4750BDE174F204C3FB06\
    7D933FAB7F40FDEDED12C1DA238312C00F946CD75736BFCE3CCE

and

    8000 ... etc.

- Michael Sierchio
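As an added illustration for this thread (not code from the list or from OpenSSL), the script below implements both selections discussed above, with n as the bit length of each prime: the top-two-bits rule BN_generate_prime applies, and uniform choice of an n-bit prime at or above sqrt(2)*2^(n-1), the smallest common lower bound that still forces p*q to exactly 2n bits. The helper names and the Miller-Rabin test are my own.

```python
# Added illustration for the thread, not OpenSSL code; for studying the ranges, not for real keys.
import math
import secrets

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; a composite passes with probability <= 4**-rounds."""
    if n < 4:
        return n > 1
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def sqrt2_lower_bound(n: int) -> int:
    """ceil(sqrt(2) * 2**(n-1)); sqrt(2 * 2**(2n-2)) is irrational, so isqrt + 1 is exact."""
    return math.isqrt(2 << (2 * n - 2)) + 1

def prime_top_two_bits(n: int) -> int:
    """BN_generate_prime's rule: bits n-1 and n-2 forced to 1, so p >= 3 * 2**(n-2)."""
    while True:
        p = secrets.randbits(n) | (3 << (n - 2)) | 1
        if is_probable_prime(p):
            return p

def prime_sqrt2_range(n: int) -> int:
    """Odd p uniform in [ceil(sqrt(2) * 2**(n-1)), 2**n): the widest common range with 2n-bit p*q."""
    lo = sqrt2_lower_bound(n)
    while True:
        p = (lo + secrets.randbelow((1 << n) - lo)) | 1
        if is_probable_prime(p):
            return p

if __name__ == "__main__":
    # top bit alone is not enough: two 16-bit values can give a 31-bit product
    print(f"0x8001 * 0x8003 has {(0x8001 * 0x8003).bit_length()} bits, not 32")
    for gen in (prime_top_two_bits, prime_sqrt2_range):
        p, q = gen(16), gen(16)
        print(f"{gen.__name__}: {p:#x} * {q:#x} -> {(p * q).bit_length()} bits")
```

For n = 16 the two lower bounds are 0xC000 and 0xB505; for n = 1024 the sqrt(2) bound's hex digits begin B504F333F9DE6484, twice the value quoted in the message above.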
Re: difference between authenticode certificate and normal certificate?
Wow, Steve, I must say, you are a godsend! I was still digging in the registry and the msdn site last night for a clue... Had I input the right keyword (TimeStampURL) in google, that would've solved my problem. But I was looking at the wrong place (msdn, which is a pretty useless site), also couldn't find anything on how to set this option in openssl (dug through the openssl code without result...) Dumb me! Next time, if I have to work with Windows again, I'll trust any site more than msdn!

> From: Dr. Stephen Henson [EMAIL PROTECTED]
>
>> Anyway, I just found that CA called Ascertia which seems to offer free certificate. I'll see if I can get a free cert for code signing, and see what's in there.

For those who may be tempted to try, their enrollment just sucks, it simply doesn't work, even if you use the second option and paste your PEM-format CSR into the input box.

> Have you tried this: http://www.thawte.com/support/code/office.html#timestamp

Apparently, verisign also has a section on this. Again, thanks a lot.

coco