Re: Storing keys and certs on USB tokens using openssl(1)
> Keys at least: there's an openssl engine for opensc and one for pkcs11 libraries at www.opensc.org

Yes, I know, but I don't find any pointer to these engines. Even, there is no pkcs11 or opensc word in the complete openssl-source! Do I have to include the hw_* files from opensc manually? What engine id will it be? Has anyone done this in practice?

Thanks for any help!

Ralf
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Storing keys and certs on USB tokens using openssl(1)
> Yes, I know, but I don't find any pointer to these engines. Even, there is no pkcs11 or opensc word in the complete openssl-source! Do I have to include the hw_* files from opensc manually? What engine id will it be? Has anyone done this in practice?

Found the solution myself! :-)

http://www.opensc.org/files/doc/opensc.html#opensc.using.openssl
Re: Storing keys and certs on USB tokens using openssl(1)
Ralf Hornik Mailings wrote:

> Yes, I know, but I don't find any pointer to these engines. Even, there is no pkcs11 or opensc word in the complete openssl-source! Do I have to include the hw_* files from opensc manually? What engine id will it be? Has anyone done this in practice?
>
> Found the solution myself! :-)
>
> http://www.opensc.org/files/doc/opensc.html#opensc.using.openssl

btw: what kind of usb token do you have ?

Nils
Re: How to convert a buffer to an intern structure???
You can use a memory bio and then the appropriate PEM I/O function. Something like:

    #include <openssl/bio.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    BIO *bioMem;
    char *keyBuffer;
    int keyBufferLen;
    X509 *cert;

    /* Read the buffer (bla,bla,bla) :-) */

    /* And now... */
    bioMem = BIO_new_mem_buf(keyBuffer, keyBufferLen);  /* read-only BIO over the buffer */
    cert = PEM_read_bio_X509(bioMem, NULL, NULL, NULL); /* returns NULL if parsing fails */
    BIO_free(bioMem);

---
Juan Segarra
http://spisa.act.uji.es/~juan
Re: What binary data format is used by openssl enc?
On Mon, Aug 02, 2004, Alicia da Conceicao wrote:

Hi Steve:

It's not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so would be a massive undertaking which has so far not attracted any interest. The data following the salt is the raw encrypted data using standard block padding. This isn't conformant with any public standard.

Thank you for clearing things up for me regarding openssl enc encoding format. :-)

But now that you mentioned it, I would have to say that it would be more than a massive undertaking to use DER encoding for openssl enc streaming, it would be impossible, since DER encoding always puts an object's length before an object's contents. You would first need to dump the entire stream contents into a temporary location before you can obtain and DER encode the stream length, and to do so would not qualify as streaming since nothing comes out until everything is put in.

It is of course possible if a file is streamed because its length is then available.

I said ASN1 not DER. It is perfectly feasible to use BER for streaming ASN1, in fact I've some prototype code that can encode such a stream for S/MIME use. The decode side is harder to handle and the only solution I've found that isn't horrendously complex involves various evil hacks which I'm not happy with.

That however is partial streaming which handles some structures as a special case. Full streaming which would allow any ASN1 structure to be streamed is much harder and probably not worth it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
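The DER/BER difference discussed in this message, as an added example that is not code from the thread or from OpenSSL: a DER OCTET STRING needs the total length before the first content byte, while a BER constructed OCTET STRING with indefinite length can be written chunk by chunk and closed with two zero octets. The function names and the "ab"/"cd" sample chunks are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Tag plus definite length (content up to 65535 bytes); returns header size or 0. */
static size_t put_header(unsigned char *out, size_t cap, unsigned char tag, size_t n)
{
    size_t need = n < 0x80 ? 2 : (n <= 0xFF ? 3 : 4);
    if (n > 0xFFFF || cap < need) return 0;
    out[0] = tag;
    if (need == 2) { out[1] = (unsigned char)n; }
    else if (need == 3) { out[1] = 0x81; out[2] = (unsigned char)n; }
    else { out[1] = 0x82; out[2] = (unsigned char)(n >> 8); out[3] = (unsigned char)(n & 0xFF); }
    return need;
}

/* DER OCTET STRING: total length n goes first, so all data must be in hand. */
size_t der_octet_string(const unsigned char *data, size_t n, unsigned char *out, size_t cap)
{
    size_t h = put_header(out, cap, 0x04, n);
    if (h == 0 || cap - h < n) return 0;
    if (n) memcpy(out + h, data, n);
    return h + n;
}

/* BER stream start: constructed OCTET STRING (0x24), indefinite length (0x80). */
size_t ber_stream_begin(unsigned char *out, size_t cap)
{
    if (cap < 2) return 0;
    out[0] = 0x24; out[1] = 0x80;
    return 2;
}

/* BER stream end: the two end-of-contents octets. */
size_t ber_stream_end(unsigned char *out, size_t cap)
{
    if (cap < 2) return 0;
    out[0] = 0x00; out[1] = 0x00;
    return 2;
}

int main(void)
{
    unsigned char buf[32]; size_t off = 0;   /* constructed sample: two chunks */
    off += ber_stream_begin(buf, sizeof buf);
    off += der_octet_string((const unsigned char *)"ab", 2, buf + off, sizeof buf - off);
    off += der_octet_string((const unsigned char *)"cd", 2, buf + off, sizeof buf - off);
    off += ber_stream_end(buf + off, sizeof buf - off);
    return off == 12 ? 0 : 1;   /* each chunk only needed its own length */
}
```

Each chunk inside the stream is itself a small definite-length OCTET STRING, which is why the encoder never has to know the total size; a decoder has to keep reading until it meets the end-of-contents octets.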
Re: Storing keys and certs on USB tokens using openssl(1)
> http://www.opensc.org/files/doc/opensc.html#opensc.using.openssl
>
> btw: what kind of usb token do you have ?

Aladdin eToken pro 32k.

Opensc now recognizes my USB token. When I try to load the engine I get:

    mtag03:/home/rho/et2k/opensc-0.8.1 # openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/local/opensc/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/local/opensc/lib/opensc/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Failure]: LOAD
    9868:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:433:
    OpenSSL>

Same happens on engine_opensc

I compiled openssl with ./config shared

This problem seems to have been discussed before: http://www.mail-archive.com/[EMAIL PROTECTED]/msg17610.html

But I think it's all dynamically linked.

Any help would be appreciated

Ralf
RSA encryption - to encrypt a c structure ??
Hi,

I am hoping that someone might have come across this problem and will be able to help me.

I am trying to use openssl to encrypt a c structure instead of just a string, is there any function in openssl that I could use?

I have a RSA key structure that is already created and I am able to encrypt and decrypt just a string using RSA_public_encrypt command and this RSA key pair.

Thanks in advance,
Jayashree
RE : RSA encryption - to encrypt a c structure ??
Maybe you could cast the contents of your structure to a string, encrypt this string and then cast the string back to your structure type.

Marc.

-----Original Message-----
From: Jayashree Kanchana [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 August 2004 16:00
To: [EMAIL PROTECTED]
Subject: RSA encryption - to encrypt a c structure ??

> Hi,
>
> I am hoping that someone might have come across this problem and will be able to help me.
>
> I am trying to use openssl to encrypt a c structure instead of just a string, is there any function in openssl that I could use?
>
> I have a RSA key structure that is already created and I am able to encrypt and decrypt just a string using RSA_public_encrypt command and this RSA key pair.
>
> Thanks in advance,
> Jayashree
Re: RSA encryption - to encrypt a c structure ??
Jayashree Kanchana wrote:
| Hi,
|
| I am hoping that someone might have come across this problem and will be
| able to help me.
|
| I am trying to use openssl to encrypt a c structure instead of just a
| string, is there any function in openssl that I could use?
|
| I have a RSA key structure that is already created and I am able to
| encrypt and decrypt just a string using RSA_public_encrypt command and this RSA
| key pair.
|
| Thanks in advance,
| Jayashree

Have you tried casting the address of your structure to a (char *)?
Re: RE : RSA encryption - to encrypt a c structure ??
Hi Marc,

I am sorry, I am not sure how I can type cast the structure to string, should I do (char *) ? Once I encrypt I am not sure if the encrypted string has the same structure as the original structure. Can you please show me the syntax to type cast a structure to string.

Thanks,
Jayashree

On Tue, 3 Aug 2004, Marc Gaudichet wrote:

> Maybe you could cast the contents of your structure to a string, encrypt this string and then cast the string back to your structure type.
>
> Marc.
Re: RE : RSA encryption - to encrypt a c structure ??
One danger with casting a structure as a string is that zero bytes (which can happen due to slack bits in the structure) might be interpreted as an end-of-string that would prematurely terminate the data.

If you're going to process binary data, look for an API where you specify both a pointer and a length. Or else encode the binary data in printable format (such as base 64 or hexadecimal) and then pass THAT string to an API that takes a C string.

And, technically, you CANNOT cast a structure as a string. What is being talked about is casting a (pointer to a structure) as a (pointer to a string). Casting does not actually change the data, only the way in which it is treated by the program.

Jayashree Kanchana wrote:

> Hi Marc,
>
> I am sorry, I am not sure how I can type cast the structure to string, should I do (char *) ? Once I encrypt I am not sure if the encrypted string has the same structure as the original structure. Can you please show me the syntax to type cast a structure to string.
>
> Thanks,
> Jayashree

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
RE : RE : RSA encryption - to encrypt a c structure ??
I think that your code should look like the following (not tested) :

    #include <openssl/rsa.h>

    struct MyStruct
    {
        int iMyInt;
        float fMyFloat;
        char szMyString[5];
        long lMyLong;
    };

    int main ()
    {
        struct MyStruct sStruct;
        unsigned char szEncrypted[...];
        RSA *Rsa;
        int iResult;

        /* Do some initializations here ... */

        /* Encryption: pass the address of the structure and its size */
        iResult = RSA_public_encrypt (sizeof (struct MyStruct), (unsigned char *)&sStruct, szEncrypted, Rsa, RSA_PKCS1_PADDING);

        /* Decryption: uses the private key; the input length is the ciphertext length returned above */
        iResult = RSA_private_decrypt (iResult, szEncrypted, (unsigned char *)&sStruct, Rsa, RSA_PKCS1_PADDING);
    }

I hope this helps.

Marc.

-----Original Message-----
From: Jayashree Kanchana [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 3 August 2004 16:43
To: [EMAIL PROTECTED]
Subject: Re: RE : RSA encryption - to encrypt a c structure ??

> Hi Marc,
>
> I am sorry, I am not sure how I can type cast the structure to string, should I do (char *) ? Once I encrypt I am not sure if the encrypted string has the same structure as the original structure. Can you please show me the syntax to type cast a structure to string.
>
> Thanks,
> Jayashree
Re: RE : RSA encryption - to encrypt a c structure ??
Charles B Cranston wrote:

> Casting does not actually change the data, only the way in which it is treated by the program.

Casting changes the way data are treated by the compiler. There is no string type in C; the semantics of nul-terminated strings are created in the behavior of certain functions.

Converting a structure to DER is one way of serializing, which is the operative word in this exercise. Got ASN.1?
Re: RSA encryption - to encrypt a c structure ??
Hi,

My structure has 3 unsigned char arrays and I will have to move this encrypted data to other machines too. Following is the structure:

    struct myStruct
    {
        unsigned char id[4];
        unsigned char type;
        unsigned char Data[128];
    };

Can you please let me know how do I serialize that is unambiguous?

I tried,

    struct myStruct* mypointer;
    mypointer = a pointer to your struct
    RSA_public_encrypt( sizeof *mypointer, mypointer,...)

But I get warning that I am passing incompatible format. I believe I can send only unsigned char * to RSA_public_encrypt.

Thanks,
Jayashree

On Tue, 3 Aug 2004, Rich Salz wrote:

> > I am trying to use openssl to encrypt a c structure instead of just a string, is there any function in openssl that I could use?
>
> No. You will have to do some work. The amount of work you will have to do depends on the details of the data and where you are using it. For example,
>
> Are you moving the data from one machine to another machine, possibly of a different type? You will have to serialize.
>
> Does your structure have any pointers in it? You will have to serialize.
>
> If you *do not* have to serialize, then you can probably do something very simple:
>
>     struct mystruct* mypointer;
>     mypointer = a pointer to your struct
>     RSA_public_encrypt(, mypointer, sizeof *mypointer, ...)
>
> If you *do* have to serialize, then you will have to do something like sprintf your structure into a temporary buffer, and encrypt that. Then, later on, you decrypt the buffer, and reverse the serialization. This means you need to define a serialization format that is unambiguous. How you do that depends on the details of your data.
>
> Hope this helps.
> /r$
> --
> Rich Salz Chief Security Architect
> DataPower Technology http://www.datapower.com
> XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
> XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
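An added example (not code from any poster in the thread) for the serialization question in this message and for the earlier pointer-plus-length advice: it writes the posted structure field by field into a fixed 133-byte buffer, shows where a C-string API would cut that buffer off, and checks the length against the RSA_PKCS1_PADDING limit of modulus size minus 11 bytes. The helper names and WIRE_LEN are hypothetical, and the RSA call itself is left out so the block builds without OpenSSL.

```c
#include <stddef.h>
#include <string.h>

/* The structure posted in the thread. */
struct myStruct {
    unsigned char id[4];
    unsigned char type;
    unsigned char Data[128];
};

/* Wire size is fixed by the format (4 + 1 + 128), not by sizeof(struct myStruct),
   so compiler padding can never end up in the plaintext. */
#define WIRE_LEN 133

/* Hypothetical helper: each field goes to a fixed offset. Returns bytes written or 0. */
size_t serialize_mystruct(const struct myStruct *s, unsigned char *out, size_t cap)
{
    if (cap < WIRE_LEN) return 0;
    memcpy(out, s->id, 4);
    out[4] = s->type;
    memcpy(out + 5, s->Data, 128);
    return WIRE_LEN;
}

/* Reverse step after decryption; accepts exactly WIRE_LEN bytes (1 = ok, 0 = reject). */
int deserialize_mystruct(const unsigned char *in, size_t len, struct myStruct *s)
{
    if (len != WIRE_LEN) return 0;
    memcpy(s->id, in, 4);
    s->type = in[4];
    memcpy(s->Data, in + 5, 128);
    return 1;
}

/* What a NUL-terminated string API would see: it stops at the first zero byte. */
size_t cstring_view_len(const unsigned char *buf, size_t len)
{
    const unsigned char *z = memchr(buf, 0, len);
    return z ? (size_t)(z - buf) : len;
}

/* PKCS#1 v1.5 encryption padding costs 11 bytes, so one RSA operation carries
   at most modulus_bytes - 11 bytes of plaintext. */
int fits_pkcs1_v15(size_t msg_len, size_t modulus_bytes)
{
    return modulus_bytes > 11 && msg_len <= modulus_bytes - 11;
}
```

At 133 bytes the serialized structure is too large for a single RSA_public_encrypt with a 1024-bit key (limit 117 bytes) and fits with a 2048-bit key (limit 245 bytes).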