RE: problem verifying signature from java
My case is different. Here it is failing because of extra SMIME capability attribute present in Signature. I removed it, it is working fine.

Thank you very much for reply
-Madhu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of coco coco
Sent: Thursday, June 23, 2005 10:58 AM
To: openssl-users@openssl.org
Subject: Re: problem verifying signature from java

>To rule out any problems with your OpenSSL code I'd suggest you check the
>signatures using the dgst command and if there are problems analyze them
>using rsautl.

Thanks for the reply. I got it, by examining basically every function that touches my data. So, in the end, it was the base64 library that I linked with, it has a small bug in dealing with the '+' char in base64-encoded string.

rgds

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: problem verifying signature from java
>To rule out any problems with your OpenSSL code I'd suggest you check the
>signatures using the dgst command and if there are problems analyze them
>using rsautl.

Thanks for the reply. I got it, by examining basically every function that touches my data. So, in the end, it was the base64 library that I linked with, it has a small bug in dealing with the '+' char in base64-encoded string.

rgds
RE: problem verifying signature from java
>Did you get any breakthrough?

Sorry, didn't read this list for a while.

Actually, the code I put up in my question was correct. The problem was with a Base64 lib that I linked with in C++. The implementation of the library has a small bug, which does not handle the '+' char properly. That's why it didn't verify correctly. With the base64 bug fixed, the code has no problem.

coco
Re: syntax for multiple authorityInfoAccess entries
On Thu, Jun 23, 2005, Dr. Rodney McDuff wrote:

> Hi
> I'm trying to add multiple caIssuers and OCSP entries to my
> authorityInfoAccess attribute and I am having some difficulties with
> getting the right openssl.cnf syntax. I want to add the following (Note
> LDAP URIs and nasty commas)
>
> caIssuers;http://server1.domain/certs/ca-certs.p7b
> caIssuers;http://server2.domain/certs/ca-certs.p7b
> caIssuers;ldap://server1.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
> caIssuers;ldap://server2.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
> OCSP;http://server1.domain/ocsp
> OCSP;http://server2.domain/ocsp
>
> How is it done?
>

To use commas the @section form is mandatory. You also need to keep the LHS unique so something like this should do the trick:

[EMAIL PROTECTED]
...
[aia_sect]
OCSP;URI.1=http://www.some.responder.org/
OCSP;URI.2=http://www.some.other-responder.org/
caIssuers;URI.3=http://server.whatever.org/cert-path
caIssuers;URI.4=ldap://server.whatever.org/xxx,yyy

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
syntax for multiple authorityInfoAccess entries
Hi

I'm trying to add multiple caIssuers and OCSP entries to my authorityInfoAccess attribute and I am having some difficulties with getting the right openssl.cnf syntax. I want to add the following (Note LDAP URIs and nasty commas)

caIssuers;http://server1.domain/certs/ca-certs.p7b
caIssuers;http://server2.domain/certs/ca-certs.p7b
caIssuers;ldap://server1.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
caIssuers;ldap://server2.domain/CN=My%20CA,o=ORG,c=AU?crossCertificatePair;binary
OCSP;http://server1.domain/ocsp
OCSP;http://server2.domain/ocsp

How is it done?

--
Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group|Ex luce ad tenebras
Information Technology Services      |
The University of Queensland         |
EMAIL: [EMAIL PROTECTED]             |
TELEPHONE: +61 7 3365 8220           |
Re: problem with policy mappings extension decoding
On Wed, Jun 22, 2005, soukyan wrote:

> Dr. Stephen Henson wrote:
> >On Wed, Jun 22, 2005, soukyan wrote:
> >>Now I have another question.
> >>When I print policy mapping extension with X509V3_EXT_print() I get:
> >>
> >>0:d=0 hl=2 l= 26 cons: SEQUENCE
> >>2:d=1 hl=2 l= 24 cons: SEQUENCE
> >>4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
> >>16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2
> >>
> >
> >That's an asn1parse output. Normally X509V3_EXT_print() won't do that and
> >then only if standard routines fail.
>
> I am using X509V3_EXT_PARSE_UNKNOWN:
> X509V3_EXT_print(bio, ext, X509V3_EXT_PARSE_UNKNOWN, 0);
> to know a structure of unknown extensions.
>

OK, this should be fixed now. The initial cause was that the extension table was not in order but that was caused by inconsistencies in the OID table between OpenSSL 0.9.7 and 0.9.8.

It should now display and parse the extension properly. Please check the next snapshot.

Thanks for the report,

Steve.
--
Dr Stephen N. Henson.
Make error openssl-0.9.8-beta5
I have an older machine that appears to be "slapper" vulnerable. During the make of openssl-0.9.8-beta5, I get the following error:

: undefined reference to `__ctype_b'

Google and list searches mention something about needing an older version of glibc to fix? This doesn't make sense. I need to downgrade to compile a new version of openssl?

Can anyone confirm if this is indeed correct? If not, does anyone know a workaround to get this compiled?

Thanks.

--
Matt
Re: problem with policy mappings extension decoding
Dr. Stephen Henson wrote:
> On Wed, Jun 22, 2005, soukyan wrote:
>> Now I have another question.
>> When I print policy mapping extension with X509V3_EXT_print() I get:
>>
>> 0:d=0 hl=2 l= 26 cons: SEQUENCE
>> 2:d=1 hl=2 l= 24 cons: SEQUENCE
>> 4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
>> 16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2
>
> That's an asn1parse output. Normally X509V3_EXT_print() won't do that and then only if standard routines fail.

I am using X509V3_EXT_PARSE_UNKNOWN:
X509V3_EXT_print(bio, ext, X509V3_EXT_PARSE_UNKNOWN, 0);
to know a structure of unknown extensions.

>> But when I try to extract this extension:
>>
>> POLICY_MAPPINGS *polMaps = NULL;
>> polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings, &crit, NULL);
>>
>> I get NULL. This means polMaps is NULL and crit is -1 which is decoding problem.
>>
>> What should I do to extract this extension correctly?
>
> You need OpenSSL 0.9.8 to handle policy mappings.

Yes, I am using OpenSSL 0.9.8 Beta 4.

> See what happens with the 'x509' utility.

This is the output of this utility:

X509v3 Policy Mappings: critical
0.0.. `.H.e...0.. `.H.e...0.

> If that doesn't produce meaningful output please send me the cert.

OK. I am just sending this certificate (on Your e-mail steve*openssl.org). The certificate comes from NIST Test Suite (test 4.10.1) and it is an intermediate CA certificate.
http://csrc.nist.gov/pki/testing/x509paths.html

Thanks,
Daniel
Re: Decrypting RSA Private Key
On Wed, Jun 22, 2005, Nick G. wrote:

> WRT Apache I did verify that OpenSSL can read the keys I created using:
>
> openssl genrsa -out clr.rsa 1024
> then
> openssl pkcs8 -v1 PBE-MD5-DES -in clr.rsa -topk8 -out enc.des.v1.pkcs8
> or
> openssl pkcs8 -v2 des -in clr.rsa -topk8 -out enc.des.v2.pkcs8
> or
> openssl pkcs8 -v2 des3 -in clr.rsa -topk8 -out enc.des3.v2.pkcs8
>
> and that the output from the command you suggested above is identical
> for all the keys but that Apache will not accept any of the encrypted
> PKCS#8 versions (prompts for passphrase, but then claims the pass phrase
> was bad no matter how many times I try to type it in correctly!). I will
> report this as bug to them.
>

They may be missing some calls to add the PBE algorithms. This is automatic if you call OpenSSL_add_all_algorithms() but needs to be handled if algorithms are being added manually. A meaningful error code would help too...

> FYI, The new Java5 stuff will also croak when deciphering the v2
> algorithms claiming that it: "Cannot find any provider supporting
> 1.2.840.113549.1.5.13" (1.2.etc is the OID for TripleDES, right?)
>

No that's the PKCS#5 v2.0 OID. You'd expect that message if it didn't understand PKCS#5 v2.0.

Unfortunately PKCS#5 v1.5 doesn't include any schemes for strong encryption because the algorithm only derives 128 bits of data (key+IV).

You may have more luck with the PKCS#12 PBE algorithms: see the examples on the manual page to the pkcs8 utility for more info.

Steve.
--
Dr Stephen N. Henson.
RE: Decrypting RSA Private Key
Strictly speaking 1.2.840.113549.1.5.13 is the OID for the "PBES2 encryption scheme" from PKCS#5 V2.

Dave
Re: Decrypting RSA Private Key
Dr. Stephen Henson wrote:
> On Tue, Jun 21, 2005, Nick G. wrote:
>> Hello,
>>
>> I have a need to read an encrypted RSA Private Key generated using openssl with a java program. I have included some background at the end of this message, but my question is basically: how is the pass phrase converted into the key part?
>>
>> I can get the IV from the DEK-Info line, but I can't seem to figure out (by looking at the openssl source) how the key portion of the decryption key is created from the password entered by the user. Right now I am simply converting the pass phrase into bytes and using that as the key portion. I believe this is incorrect, but I don't know what else to try.
>>
>> Also, I assume that the key is _not_ encrypted with PBE (since it is not padded per pkcs5). Is this assumption correct?
>>
>> Finally, once decrypted, will the key have the same asn1 schema as a key written in the clear?
>>
>> Please excuse me if these questions are already answered in the archives, as I was unable to locate any posts with this information (probably poor choice of search terms!) Also, if the transformation of the pass phrase into key is covered in some rfc I have yet to discover a shove in the right direction would be appreciated!
>>
>> Background:
>>
>> I have been able to generate/convert keys using openssl in the following formats and successfully read them using a java program:
>>
>> pkcs8 - clear text
>> pkcs8 - des encrypted
>> rsa - clear text
>>
>> However, I'm using the key for Apache mod_ssl and the only formats it seems to accept are:
>>
>> pkcs8 - clear text
>> rsa - clear text
>> rsa - des encrypted
>>
>> Since we want to protect the key using at least des encryption and I can't seem to make Apache read the pkcs8 format keys when they are encrypted (perhaps the httpd folks are using the wrong callback?), I thought making java decrypt the RSA key would be the "simplest" solution.
>
> Any OpenSSL application should transparently handle PKCS#8 clear text or encrypted keys. But make sure you have the correct PEM headers.
>
> If you try:
>
> openssl rsa -in key.pem -noout -text
>
> and that can correctly decrypt the key you should have no problems with Apache unless it does something weird.
>
> The PKCS#8 formats OpenSSL uses are all standard and it can use a variety of password based encryption (PBE) algorithms including PKCS#5 v1.5, v2.0 and PKCS#12.
>
> The other 'traditional' format for OpenSSL private key encryption is non-standard and has remained unchanged since the SSLeay days. It *is* documented. See:
>
> http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT
> and
> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html#KEY_DERIVATION_ALGORITHM

Thank you, this is exactly what I was searching for. Sadly, I had even guessed that maybe the DEK-Info was the salt [and not an IV], and guessed the iteration count might be one, but couldn't get that to work either. Obviously, I gave up too soon!

WRT Apache I did verify that OpenSSL can read the keys I created using:

openssl genrsa -out clr.rsa 1024
then
openssl pkcs8 -v1 PBE-MD5-DES -in clr.rsa -topk8 -out enc.des.v1.pkcs8
or
openssl pkcs8 -v2 des -in clr.rsa -topk8 -out enc.des.v2.pkcs8
or
openssl pkcs8 -v2 des3 -in clr.rsa -topk8 -out enc.des3.v2.pkcs8

and that the output from the command you suggested above is identical for all the keys but that Apache will not accept any of the encrypted PKCS#8 versions (prompts for passphrase, but then claims the pass phrase was bad no matter how many times I try to type it in correctly!). I will report this as bug to them.

FYI, The new Java5 stuff will also croak when deciphering the v2 algorithms claiming that it: "Cannot find any provider supporting 1.2.840.113549.1.5.13" (1.2.etc is the OID for TripleDES, right?)

Again, thank you for the help.

Cheers!
Nick
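The passphrase-to-key step asked about in this thread, as an added Python example that is not part of the original messages and is not OpenSSL's own code. It assumes the traditional PEM format as OpenSSL implements it (MD5, iteration count 1, salt taken from the first 8 bytes of the DEK-Info IV); the PEM header, passphrase and function names are constructed for illustration.

```python
import hashlib

# (key_len, iv_len) in bytes for ciphers commonly named in DEK-Info headers.
CIPHERS = {"DES-CBC": (8, 8), "DES-EDE3-CBC": (24, 8),
           "AES-128-CBC": (16, 16), "AES-256-CBC": (32, 16)}

# Constructed sample: header values are made up and the body is omitted.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 ciphertext omitted)
-----END RSA PRIVATE KEY-----
"""

def evp_bytes_to_key(password, salt, key_len, count=1, md=hashlib.md5):
    """D_i = md^count(D_(i-1) || password || salt); key = prefix of D_1 || D_2 ..."""
    out, block = b"", b""
    while len(out) < key_len:
        block = md(block + password + salt).digest()
        for _ in range(count - 1):
            block = md(block).digest()
        out += block
    return out[:key_len]

def parse_dek_info(pem_text):
    """Return (cipher_name, iv) from the headers of an encrypted PEM block."""
    headers = {}
    for line in pem_text.strip().splitlines():
        if line.startswith("-----BEGIN"):
            continue
        if ":" not in line:  # blank line or base64 body: headers are over
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED" or "DEK-Info" not in headers:
        raise ValueError("not a traditionally encrypted PEM key")
    cipher, iv_hex = headers["DEK-Info"].split(",", 1)
    return cipher, bytes.fromhex(iv_hex)

def pem_decryption_key(pem_text, passphrase):
    """Derive the symmetric key for a traditional encrypted PEM private key."""
    cipher, iv = parse_dek_info(pem_text)
    if cipher not in CIPHERS:
        raise ValueError("unsupported cipher: " + cipher)
    key_len, iv_len = CIPHERS[cipher]
    if len(iv) != iv_len:
        raise ValueError("IV length does not match cipher")
    # The DEK-Info value is the CBC IV; its first 8 bytes double as the salt.
    return cipher, evp_bytes_to_key(passphrase, iv[:8], key_len), iv

if __name__ == "__main__":
    name, key, iv = pem_decryption_key(SAMPLE_PEM, b"secret")
    print(name, key.hex(), iv.hex())
```

Using the raw passphrase bytes as the key, as first tried in the question, skips this derivation entirely. A single MD5 iteration also makes passphrase guessing cheap, which is a reason to prefer the PKCS#8 PBE formats discussed in the same message.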
Re: problem with policy mappings extension decoding
On Wed, Jun 22, 2005, soukyan wrote:

> Dr. Stephen Henson wrote:
> >X509_get_pubkey() is useful for those cases: it just isn't complete.
> >
> >You can check to see if parameters are missing using:
> >
> >EVP_PKEY_missing_parameters(key);
> >
> >You can copy parameters using:
> >
> >EVP_PKEY_copy_parameters(to, from);
> >
> >So before you replace the working_key with a new one check to see if the
> >new key has parameters, if not copy them from the current working key.
>
> Thank You.
>
> Now I have another question.
> When I print policy mapping extension with X509V3_EXT_print() I get:
>
> 0:d=0 hl=2 l= 26 cons: SEQUENCE
> 2:d=1 hl=2 l= 24 cons: SEQUENCE
> 4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
> 16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2
>

That's an asn1parse output. Normally X509V3_EXT_print() won't do that and then only if standard routines fail.

> But when I try to extract this extension:
>
> POLICY_MAPPINGS *polMaps = NULL;
> polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings,
> &crit, NULL);
>
> I get NULL. This means polMaps is NULL and crit is -1 which is decoding
> problem.
>
> What should I do to extract this extension correctly?
>

You need OpenSSL 0.9.8 to handle policy mappings. See what happens with the 'x509' utility. If that doesn't produce meaningful output please send me the cert.

Steve.
--
Dr Stephen N. Henson.
problem with policy mappings extension decoding
Dr. Stephen Henson wrote:
> X509_get_pubkey() is useful for those cases: it just isn't complete.
>
> You can check to see if parameters are missing using:
>
> EVP_PKEY_missing_parameters(key);
>
> You can copy parameters using:
>
> EVP_PKEY_copy_parameters(to, from);
>
> So before you replace the working_key with a new one check to see if the new key has parameters, if not copy them from the current working key.

Thank You.

Now I have another question.
When I print policy mapping extension with X509V3_EXT_print() I get:

0:d=0 hl=2 l= 26 cons: SEQUENCE
2:d=1 hl=2 l= 24 cons: SEQUENCE
4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2

But when I try to extract this extension:

POLICY_MAPPINGS *polMaps = NULL;
polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings, &crit, NULL);

I get NULL. This means polMaps is NULL and crit is -1 which is decoding problem.

What should I do to extract this extension correctly?

Thanks,
Daniel