Re: Problems build openssl-0.9.8j on OpenVMS
Thanks, I've noticed the same about those long symbols. There are a few more things but that's a good start. If you check one of the later snapshots, you'll see that I've fixed quite a bit of stuff. As to the FIPS stuff, I have simply not had the time to look into it. There's been quite a lot of changes there since last I looked, and I believe it requires a bit more care than simply compiling the object files... But this is good, you're reminding me of something I should have dealt with. Cheers, Richard In message 498642f0.3060...@tibco.com on Sun, 01 Feb 2009 19:48:48 -0500, Sue Abercrombie ab...@tibco.com said: aberz Hi, Richard, aberz aberz I have been poking about with the openssl-0.9.8j VMS kit. I found that aberz there is one long symbol not included in symhacks. I have added this aberz block below the CRYPTO symbols in symhacks: aberz aberz /* Hack some long names not included in CRYPTO list */ aberz #undef int_CRYPTO_set_do_dynlock_callback aberz #define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb aberz aberz In [.UTIL]LIBEAY.NUM I replaced this line aberz int_CRYPTO_set_do_dynlock_callback 4057 EXIST:FUNCTION: aberz for the long symbol with these two lines aberz int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION: aberz int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION: aberz so that the SYMBOL_VECTOR in the VMS options file uses the hacked symbol. aberz aberz I added five modules to the lists in CRYPTO-LIB.COM, which were not aberz being compiled and thus whose symbols aren't in the library. These are aberz aes_wrap, asn_mime, bn_opt, bn_x931p, and des_lib. In each case, I aberz appended the module name to the list of modules in the same directory as aberz these. aberz aberz These changes give me a clean build of the crypto and ssl libraries and their applications. aberz aberz Trying to add the FIPS modules to LIBCRYPTO, however, is another problem entirely. FIPS is not a valid parameter to MAKEVMS.COM. [.FIPS]FIPS-LIB references source modules which do not exist. The code in FIPS-LIB which defines the logical name OPENSSL for including header files does not produce a valid directory name. I can fix the definition of OPENSSL, but I can't provide missing source modules. aberz aberz My list of missing C source files referenced in FIPS-LIB.COM is aberz [.fips]fips_err_wrapper.c aberz [.fips.sha]fips_sha1dgst.c aberz [.fips.sha]fips_sha256,fips_sha512.c aberz [.fips.des]fips_des_enc.c aberz [.fips.des]fips_set_key.c aberz [.fips.aes]fips_aes_core.c aberz aberz I have not tried to identify missing header files. Difficult in any case, and impossible without all of the .c files. aberz aberz Questions, comments, recommendations? Any and all are welcome. aberz aberz Cheers! aberz Sue Abercrombie aberz Senior Architect aberz TIBCO Software Inc. aberz aberz aberz Richard Levitte wrote: aberz I've seen the same thing. Fixing it. Unfortunately, it will mean aberz that you will have to pick up a snapshot a little later or wait until aberz the next release. aberz Cheers,fips_sha1dgst,fips_sha1_selftest,fips_sha256,fips_sha512 aberz Richard aberz In message 4971adfe.9030...@tibco.com on Sat, 17 Jan 2009 05:07:58 -0500, Sue Abercrombie ab...@tibco.com said: aberz aberz I am trying to build a recent OpenSSL release (0.9.8j) on OpenVMS (both Integrity Server and Alpha Server hardware platforms). I am having undefined symbol problems. aberz [... snip ...] aberz -- Richard Levitte rich...@levitte.org http://richard.levitte.org/ Life is a tremendous celebration - and I'm invited! -- from a friend's blog, translated from Swedish __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Openssl signature verification
Dear All, Thank you Dave Thompson for your help and clarifying my doubt. Thank you. Regards, --Ajeet Kumar Singh Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa Kaschit Dukha Bhagh Bhavet -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: Saturday, January 31, 2009 8:11 AM To: openssl-users@openssl.org Subject: RE: Openssl signature verification From: owner-openssl-us...@openssl.org On Behalf Of Ajeet kumar.S Sent: Friday, 30 January, 2009 00:07 In openssl API X509_verify(X509 *a, EVP_PKEY *r) is used to verify the signature of certificate. I have some doubt please help me. Is in this API we are passing the CA certificate and public key of CA certificate? We pass any cert and the key we believe (are told) will verify it. CA root certs are self-signed; the key _in_ the cert is used to sign it, or to be precise the keypair whose public half is in the cert is used. As a result you can't trust a root cert simply because the signature verifies; you must have other evidence this is the/a valid root cert from/for a given CA, such as a trusted distribution or manually-checked fingerprint. Lower-level CA certs (if any) and end-entity certs are signed by a parent cert, or to be precise by a keypair whose public half is certified by the parent cert. If you instead use X509_verify_cert, it tries several methods to find and verify the whole cert chain (from a root) by looking in (data from) a configurable file and/or (hashed) entries in a configurable directory. If you want to do this job or part(s) of it yourself, you can look at that for an example, but it's pretty complicated. What is data over SSL compute the HASH? The DER-encoded CertificateInfo portion of the cert, which is the first element in the outermost SEQUENCE and contains version, serial, copy of sig-algid, issuer name, subject name publickey, validity period, and for v3 optional extensions such as keyusage, subjectaltname, keyids, etc. This is everything in the cert except the appended algid and signature, and is indented under Data: in the display from openssl x509 -text . SSL will decrypt the CA signature (Which is on CA certificate bundle)? Decrypted CA Signature will match to above HASH.(query 2)? For RSA signatures this is approximately true. You actually raise the signature value to the public exponent (like RSA encryption) rather than the private exponent (as for RSA decryption), and the (standard) padding is different for sign/verify than for encrypt/decrypt. For DSA signatures this is not true at all. There is no corresponding encryption or decryption; there is simply a signing algorithm and a verifying algorithm. You apply the verifying algorithm to determine if the received signature is correct for the (recomputed) hash. You separately asked In Openssl for signature verification we are using API ASN1_item_verify(). Let me know the data which is used for finger print (signature) creation is the CA public key or some thing else data . Please clarify this doubt. How we are verifying the signature? If you mean in crypto/x509/x_all.c X509_verify(), we are verifying the signature in the cert, of the data in the cert, using the key. No fingerprint is involved. This only applies to X509 certs; the verification of signatures on other things is similar but not identical. Fingerprints can be used in lots of situations and ways. _PKI_ fingerprints can meaningfully be computed on either the whole CertificateInfo thus verifying all the attributes directly, or just on the publickey since that is enough to verify the signature. But a fingerprint is not a signature; it does not itself have any cryptographic protection. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
