which Asymetic algorithem that pkcs7_sign and pkcs_encrypt
Hi , Do any one have an idea of which algorithems that pkcs7_sign and pkcs_encrypt Api's will use internally. I wanted to use only Rsa Algorithems for signing and encryption. but not sure about how to set those Rsa algorithem before calling sign and encrypt functions. -- --Best Regards Shankar
Public key from a x509v3 certificate
Hello, I'm looking to get back the public key from a x509 v3 certificate. I use the function ASN1_BIT_STRING * key = 509_get0_pubkey_bitstr(x509* certificate); but i don't get what i want : I get (from a conversion to hexadecimal thanks to : cout setw(2) setfill('0') right hex (int) key-data[c]; ) 30:82:01:0A:02:82:01:01:___the_public_key___:02:03:01:00:01 How can i get only the public key ? Thank's in advance, Have a nice day Pierre delcour [EMAIL PROTECTED] ps : 30:82:01:0A:02:82:01:01 appears for a 2048 bit key. 01:00:01 seems to be the exponent. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Public key from a x509v3 certificate
Hello, [EMAIL PROTECTED] wrote on 04/15/2008 06:30:10 PM: Hello, I'm looking to get back the public key from a x509 v3 certificate. I use the function ASN1_BIT_STRING * key = 509_get0_pubkey_bitstr(x509* certificate); but i don't get what i want : I get (from a conversion to hexadecimal thanks to : cout setw(2) setfill('0') right hex (int) key-data[c]; ) 30:82:01:0A:02:82:01:01:___the_public_key___:02:03:01:00:01 How can i get only the public key ? Try X509_get_pubkey(). Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: which Asymetic algorithem that pkcs7_sign and pkcs_encrypt
On Wed, Apr 16, 2008, shankar ks wrote: Hi , Do any one have an idea of which algorithems that pkcs7_sign and pkcs_encrypt Api's will use internally. I wanted to use only Rsa Algorithems for signing and encryption. but not sure about how to set those Rsa algorithem before calling sign and encrypt functions. PKCS7_encrypt() uses RSA and whatever symmetric algorithm you specify. PKCS7_sign() can use RSA, DSA or EC depending on the key type specified. It will also use a message digest algorithm, normally SHA1. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Disabling mail delivery for this list.
Hi all. I read and post to this mailing list using the gmane NNTP interface. Is there a way to disable the list's mail delivery so I do not have to get the same messages delivered to my mailbox as well? Many thanks. Best regards, Jurko Gospodnetić __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PEM_write_RSAPublicKey() stops performing the program
Hello, my name is Kirill! (OpenssL 0.9.8g for Win32) Problem: program stops performing on PEM_write_RSAPublicKey() (the same is with PEM_write_RSAPrivateKey()) I tried other code examples with PEM_write_RSAPublicKey() - the result is the same! Please, here is the code (Visual C++ 6.0): // ssl3.cpp #include stdafx.h #include pem.h #include rsa.h #include iostream.h #include conio.h #pragma comment(lib, C:\\OpenSSL\\lib\\VC\\libeay32MD.lib) #define PRIVAT ./privat.key #define PUBLIC ./public.key void main() { RSA * rsa = NULL; unsigned long bits = 2048; FILE *priv_key_file, *pub_key_file; const EVP_CIPHER *cipher = NULL; priv_key_file = fopen(PRIVAT, wb); pub_key_file = fopen(PUBLIC, wb); rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL); OpenSSL_add_all_ciphers(); cipher = EVP_get_cipherbyname(bf-ofb); PEM_write_RSAPrivateKey(priv_key_file, rsa, cipher, NULL, 0, NULL, hello); PEM_write_RSAPublicKey(pub_key_file, rsa); RSA_free(rsa); } Thank you for reply! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Public key from a x509v3 certificate
Hello, Thank's for the answer, but i still got a little problem, when i run this code : EVP_PKEY *key2 = X509_get_pubkey(certif.getX509Certificate()); cout BN_bn2hex(key2-pkey.rsa-n); I miss the first 00 of the public key... How can i get them ? [EMAIL PROTECTED] wrote: Hello, [EMAIL PROTECTED] wrote on 04/15/2008 06:30:10 PM: Hello, I'm looking to get back the public key from a x509 v3 certificate. I use the function ASN1_BIT_STRING * key = 509_get0_pubkey_bitstr(x509* certificate); but i don't get what i want : I get (from a conversion to hexadecimal thanks to : cout setw(2) setfill('0') right hex (int) key-data[c]; ) 30:82:01:0A:02:82:01:01:___the_public_key___:02:03:01:00:01 How can i get only the public key ? Try X509_get_pubkey(). Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Using OpenSSL cryptographic functions in a multi-threaded application
Hi: We are using only the OpenSSL cryptographic functionality, the EVP and HMAC functions, in a multi-threaded application. Do we need to do anything to ensure thread safety ? The documentation mentions CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() ,but we are not calling these functions nor have we put critical sections in our own code before calling the cryptographic functions. We are experiencing some crashes and attempting to track them down and thought our use of OpenSSL may be faulty. Thanks Regards Lide Wang __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Public key from a x509v3 certificate
Thank's for the answer, but i still got a little problem, when i run this code : EVP_PKEY *key2 = X509_get_pubkey(certif.getX509Certificate()); cout BN_bn2hex(key2-pkey.rsa-n); I miss the first 00 of the public key... How can i get them ? The leading '00' is part of the DER encoding of the data portion, it is not part of the number. It is required when the number would otherwise be considered negative (because its high bit would be set) and prohibited elsewhere. The command you issued outputs the numerical value. I think you are asking for something that is not sensible. If you're going to compare it to something else, you should be comparing the full DER encoding. If you want it for any other purpose, you shouldn't want the leading 0, since it's an artifact of DER encoding. If you want to compare the DER encodings, you need to get the DER encoding, not the number. If you want to compare the numbers, '03' should compare equal to '3' anyway. What are you trying to do? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Usage of extensions basicconstraints from CLI
Hello, I am attempting to create a self-signed x509 cert. with basic constraints set to critical,CA:true,pathlen:5 using the following command (and various permutations of the same): openssl req -new -key /etc/apache2/key-ca.pem -x509 -extensions basicConstraints=critical,CA:TRUE,pathlen:5 -days 365 -out /etc/apache2/cert-ca.pem With the command as written I get the following error: Error Loading extension section basicConstraints=critical,CA:TRUE,pathlen:5 I have not modified openssl.cnf. I'd like to know how to do this from the command line. I've read the man pages for req, genrsa, and x509 and have done quite a bit of searching for examples. Thanks for any help.
Re: SSL overhead
One more question: I'm working on an ansynchronous framework, and there's a poll method that gets called in each iteration. In our sockets, this method's supposed to do whatever needs doing, and return how many bytes are waiting to be read from the socket, so the return value should be the value of SSL_pending, if I want SSL to be transparent. The problem is that SSL_pending might return 0 if there's stuff on the socket, but isn't enough to decode a full record. And as long as poll() returns 0, no calls to read() which triggers a call to SSL_read() will be made, so I need to call SSL_read() in the calls to poll(), or to find some other way to force SSL to process a little bit of data. Should I call SSL_read() with a num value of 0? will that work? or is there something else I'm missing here? Thanks Tomas -- |_|0|_| |_|_|0| |0|0|0| (\__/) (='.'=)This is Bunny. Copy and paste bunny ()_() to help him gain world domination. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL overhead
does one of the flags in the BIO object say anything about the blocking nature of the BIO? For example, does SSL_connect return automatically or not depending on the BIO flags, or on the BIO_write and read return values? T -- |_|0|_| |_|_|0| |0|0|0| (\__/) (='.'=)This is Bunny. Copy and paste bunny ()_() to help him gain world domination. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL overhead
One more question: I'm working on an ansynchronous framework, and there's a poll method that gets called in each iteration. In our sockets, this method's supposed to do whatever needs doing, and return how many bytes are waiting to be read from the socket, so the return value should be the value of SSL_pending, if I want SSL to be transparent. The problem is that SSL_pending might return 0 if there's stuff on the socket, but isn't enough to decode a full record. And as long as poll() returns 0, no calls to read() which triggers a call to SSL_read() will be made, so I need to call SSL_read() in the calls to poll(), or to find some other way to force SSL to process a little bit of data. Should I call SSL_read() with a num value of 0? will that work? or is there something else I'm missing here? This seems like a strange and inefficient architecture. Why receive the data twice, once in a some kind of 'poll' operation and then again in a 'read' operation. Either the 'poll' operation should just say do something or the 'poll' operation should provide the data. Why not just call SSL_read in the 'poll' operation and if the return value is non-zero, stash the data in a buffer and return the number of bytes you read? That way you won't need to call into the SSL engine again to get the data you knew you needed anyway. If the purpose of the 'poll' operation is just to say yes, there's something to do, then you should not be calling the 'poll' operation unless directed to by the SSL framework. If the SSL framework returns 'WANT_READ', then you know that no further progress will be possible until either you can read more data from the socket or something else happens. In that case, your 'poll' can check the real socket. Otherwise, it is a mistake to wait since the data may already be there. In sum: 1) Check the socket for readability only if the SSL engine last gave you a WANT_READ and you've made no further progress since then. Otherwise, just call SSL_read. 2) Don't try to figure out how many bytes there are, just get them, and then not only will you know how many there are, but you'll know what they are too. You'll definitely need that later, so don't force the SSL engine to do the work of processing them twice. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]