Re: Client side certificate for using in SSL connection
mb0 wrote: Hello, i explored this article: http://support.microsoft.com/kb/315588 My questions are about using openssl to generate client-side certificate for using in SSL tunnel 1. can it be self-signed root certificate? 2. what options of openssl must i use so that Internet Explorer could import it? 3. if no client certificate is used, how SSL handshake happens? what certificate/private ey is used on the client side? -- Serge __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org 1) use you can have a self-signed root certificate and use it to sign your client certificate . 2) I think you can use these link for generating self signed root and your client certificate . http://www.eclectica.ca/howto/ssl-cert-howto.php#cnfig study the doc on openssl it will help from openssl website -- Thanks and Regards Naveen __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Client side certificate for using in SSL connection
On Thu, 2009-02-05 at 17:01 +0300, mb0 wrote: 1. can it be self-signed root certificate? it can be either a root certificate or a certificate signed by a CA. The certificate structure is the same, the meaning is different. When the server receive the certificate, it has to verify it. If it is self-signed, it must have a copy of that certificate stored somewhere. So, if you plan to have many clients, you should copy all their certificates somewhere in the server storage... this does not scale. A better approach is to create a CA, save only its certificate on the server, and let any client have a certificate issued by that CA. 2. what options of openssl must i use so that Internet Explorer could import it? already replied. 3. if no client certificate is used, how SSL handshake happens? what certificate/private ey is used on the client side? TLS/SSL support server authentication or mutual (i.e. client+server) authentication. With server only authentication, client and server agree on a pre-master secret (which is symmetric key), then they compute and validate a master secret, from which application keys are derived (for encrypting/hmac-ing the record layer messages). If client authentication is required, the client additionally digitally signs (asymmetric crypto) a particular piece of data. Almost nothing changes in the agreement of the pre-master secret. So, if you don't use client auth, no client private key is used. bye! -- Emanuele Cesena emanuele.ces...@gmail.com http://ecesena.dyndns.org Il corpo non ha ideali __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
use of OpenSSL libeay32.dll with C#
Hi all, I am starting with openSSL and C#, and I need some help on this point if possible, I am trying to write a C# programme that uses the functions of (sign, check, hash, generate random keys, encrypt, decrypt functions). I am using a compiled version dll of openssl(libeay32.dll, ssleay32.dll). If any one of you can send me an example using this kind of functions that will be very useful for me, i need it really. Thanks to all and sorry for my long text El Habib __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: libcrypto.so.2 problem
George what you have is openssh; what you need is openssl. HTH _ From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of George Ping Sent: Thursday, February 05, 2009 11:09 PM To: openssl-users@openssl.org Subject: libcrypto.so.2 problem Hi, All, I am installing pvktool to convert .p12 certificate file into p7b and then the private key file pvk. I am following the paper of http://www.jacco2.dds.nl/networking/crtimprt-org.html http://www.jacco2.dds.nl/networking/crtimprt-org.html On the Fedora 7 or 10 and even SuSeLinux, I tried to install pvktool, but always got the problem as, rpm -i pvk-0.12-3jdl.i386.rpm warning: pvk-0.12-3jdl.i386.rpm: Header V3 DSA signature: NOKEY, key ID fd37b537 error: Failed dependencies: libcrypto.so.2 is needed by pvk-0.12-3jdl.i386 I definitely have openssl installed on the linux box, rpm -qa | grep ssh libssh2-0.18-7.fc9.i386 openssh-5.1p1-3.fc10.i386 openssh-server-5.1p1-3.fc10.i386 openssh-askpass-5.1p1-3.fc10.i386 ganymed-ssh2-210-6.fc9.i386 openssh-clients-5.1p1-3.fc10.i386 - just could not figure out why the system complained about libcrypto. Could you please give me some information on fix the problem? Thank you very much, Kind regards, George Ping No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.0.233 / Virus Database: 270.10.18/1936 - Release Date: 02/05/09 11:34:00
Re: OpenSSL command line HMAC
Hi all, Hi Alistair!
* Young, Alistair wrote on Fri, Feb 06, 2009 at 10:16 +:
Ultimately I settled on the use of a shell script to act as an
intermediary:
#!/bin/bash
If you can use bash you could pass the key in \xNN form for
$'\xNN' to avoid special characters like blanks and control chars
or binary zero issues:
pass a kind of hey dump instead of binary.
First make some escape hex dump with something like
public static char[]
getbin(byte[] buf)
{
char[] result = null;
int pos = 0;
int len = buf.length;
{
String result = ;
result = new char [len * 2];
for (int i = 0; i len; i++) {
byte b = buf[pos + i];
// this is horrible slow because of many temp StringBuffers,
//just to illustrate
result = result + \\x; // we want \x in the String
result = result + hexnib((b 0xF0) 4);
result = result + = hexnib((b 0x0F));
}
}
return result;
}
public static final char
hexnib(int nibble)
{
if (nibble = 9) return (char) ('0' + nibble);
return (char) ('A' + nibble - 10);
}
For 'hello' you should get '\x68\x65\x6c\x6c\x6f'.
Then pass this to your script as parameter like you now pass the
file name and in your script have something like
#!/bin/bash
key_escaped=$1
key_raw=`eval echo $\'$key_escaped\'`
echo openssl -option $key_raw
which can be used like
u...@host:~ $ ./x.sh '\x41\x42'
openssl -option AB
(This does not mean that I'd recommend to do such things! Crypto via
shell scripts and stuff invitest potential security flaws etc.)
oki,
Steffen
[End of message]-8===
--
About Ingenico: Ingenico is the world's leading provider of payment solutions,
with over 15 million terminals deployed across the globe. Delivering the very
latest secure electronic payment technologies, transaction management and the
widest range of value added services, Ingenico is shaping the future direction
of the payment solutions market. Leveraging on its global presence and local
expertise, Ingenico is reinforcing its leadership by taking banks and
businesses beyond payment through offering comprehensive solutions, a true
source of differentiation and new revenues streams.
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you must
not use, copy, disclose or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you for
your cooperation.
P Please consider the environment before printing this e-mail
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: OpenSSL command line HMAC
On Fri February 6 2009, Steffen DETTMER wrote:
Hi all, Hi Alistair!
* Young, Alistair wrote on Fri, Feb 06, 2009 at 10:16 +:
Ultimately I settled on the use of a shell script to act as an
intermediary:
#!/bin/bash
If you can use bash you could pass the key in \xNN form for
$'\xNN' to avoid special characters like blanks and control chars
or binary zero issues:
pass a kind of hey dump instead of binary.
First make some escape hex dump with something like
public static char[]
getbin(byte[] buf)
{
char[] result = null;
int pos = 0;
int len = buf.length;
{
String result = ;
result = new char [len * 2];
for (int i = 0; i len; i++) {
byte b = buf[pos + i];
// this is horrible slow because of many temp StringBuffers,
//just to illustrate
result = result + \\x; // we want \x in the String
result = result + hexnib((b 0xF0) 4);
result = result + = hexnib((b 0x0F));
}
}
return result;
}
public static final char
hexnib(int nibble)
{
if (nibble = 9) return (char) ('0' + nibble);
return (char) ('A' + nibble - 10);
}
For 'hello' you should get '\x68\x65\x6c\x6c\x6f'.
?? print(%q ...) ??
Mike
Then pass this to your script as parameter like you now pass the
file name and in your script have something like
#!/bin/bash
key_escaped=$1
key_raw=`eval echo $\'$key_escaped\'`
echo openssl -option $key_raw
which can be used like
u...@host:~ $ ./x.sh '\x41\x42'
openssl -option AB
(This does not mean that I'd recommend to do such things! Crypto via
shell scripts and stuff invitest potential security flaws etc.)
oki,
Steffen
[End of message]-8===
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: OpenSSL command line HMAC
Hi Steffen! -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steffen DETTMER Sent: 06 February 2009 13:33 To: Everyone Subject: Re: OpenSSL command line HMAC Hi all, Hi Alistair! * Young, Alistair wrote on Fri, Feb 06, 2009 at 10:16 +: Ultimately I settled on the use of a shell script to act as an intermediary: #!/bin/bash If you can use bash you could pass the key in \xNN form [... snip ...] Thanks for the suggestion, Steffen - that would at least remove the need to write the key to a file. (This does not mean that I'd recommend to do such things! Crypto via shell scripts and stuff invitest potential security flaws etc.) Indeed - the presence of 'eval' alone is probably enough to give security experts a few sleepless nights! :) But, assuming that all the data we feed in is done in escaped form (\xNN) that should prevent injection-style attacks. Cheers for tip! Alistair. Please help Logica to respect the environment by not printing this email / Merci d'aider Logica à préserver l'environnement en évitant d'imprimer ce mail / Bitte drucken Sie diese Nachricht nicht aus und helfen Sie so Logica dabei die Umwelt zu schuetzen / Por favor ajude a Logica a respeitar o ambiente não imprimindo este correio electrónico. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: OpenSSL command line HMAC
Hi Dave - thanks for your reply!
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dave Thompson
Sent: 06 February 2009 00:29
To: openssl-users@openssl.org
Subject: RE: OpenSSL command line HMAC
From: owner-openssl-us...@openssl.org On Behalf Of Young, Alistair
Sent: Wednesday, 04 February, 2009 09:52
I seem to have some success if I place quotes around the [Linux]
command
line:
$ cat message.bin | openssl dgst -sha256 -hmac `cat key.bin` -binary
mac.bin
(Don't need cat here, just on the openssl. But that's not your question.)
Yes, indeed - this just struck me as the closest analog to what I'm doing in
Java: writing the message to the process's input stream. (In fact, from the
command line I think that you can just supply the message file as a parameter
without need for piping or redirection).
But, to complicate things further, I'm trying to invoke this from Java.
So I have something like:
byte[] key = ;
Runtime.getRuntime().exec(openssl, dgst, -sha256, -hmac,
\ + new String(key) + \, -binary); I then pipe my message in,
and collect the output from the output stream.
In the Java I have (SDK5=jre1.6.0_02) I can't Runtime.exec multiple strings
like that, I have to put them in an array with {}. (Or a single String, but
then I'm not sure whose parsing rules are used and when.) With a String [],
don't add quotes around the key value. In a shell command, ' \ are processed
by the shell before being passed to the program. As are the ` above.
Then it works for me.
You're right about the array, of course - this was some poorly transcribed
code! :)
Without the quotes, if my hmac key contains a space or tab character, it seems
that somewhere along the way, the two halves of the key are treated as separate
parameters. So, if my key was £$% £$%*, attempting to execute the command
simply results in OpenSSL giving a £$%* not found error.
Adding the quotes didn't work because, if I understand things correctly, the
notion of quotes (or escaping characters with \) is a shell concept - hence my
attempt to force the command to run under a shell.
But no joy. I believe this may be because Java does not run the command
within a shell.
I can try to force the use of the shell:
Runtime.getRuntime().exec(/bin/bash, -c, openssl, dgst,
-sha256,
-hmac, \ + new String(key) + \, -binary); But now my piped
message either seems to get interpreted as an openssl command
(so I just get something like %$£$ is an invalid command followed
by a list of the standard openssl commands) or I get an unexpected EOF
while looking for matching `' error.
You don't need a shell, but if you want one, -c takes the entire command
(line) as the single next argument. Your call is telling bash to do just
openssl, so it runs openssl with no arguments, and openssl tries to
interpret stdin. Here you WOULD need around non-text key so shell parses
it correctly, and I think actually ' if it contains $ or ` which shell does
interpret inside , and I think you need to \ any quote or \ in it. I would
avoid that.
Yes, I tried various permutations - including passing the openssl command as a
single parameter to the shell, and preceding each character of the key with an
escaping '\' - but no luck!
Ultimately I settled on the use of a shell script to act as an intermediary:
#!/bin/bash
/usr/local/ssl/fips-1.0/bin/openssl dgst -sha256 -hmac `cat $1` -binary
My Java code then writes the key to a file, and then invokes the scripts
passing the filename as a parameter. The Java code can then pipe the message
through and collect the MAC before deleting the key file.
I don't really like having to write the key to disk, but I couldn't make it
work any other way.
Incidentally, the simple approach (simply passing the key as a parameter,
regardless of its content) worked flawlessly under Windows (using non-FIPS
OpenSSL).
Alistair.
Please help Logica to respect the environment by not printing this email /
Merci d'aider Logica à préserver l'environnement en évitant d'imprimer ce mail
/ Bitte drucken Sie diese Nachricht nicht aus und helfen Sie so Logica dabei
die Umwelt zu schuetzen / Por favor ajude a Logica a respeitar o ambiente não
imprimindo este correio electrónico.
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
libcrypto.so.2 problem
Hi, All, I am installing pvktool to convert .p12 certificate file into p7b and then the private key file pvk. I am following the paper of http://www.jacco2.dds.nl/networking/crtimprt-org.html On the Fedora 7 or 10 and even SuSeLinux, I tried to install pvktool, but always got the problem as, rpm -i pvk-0.12-3jdl.i386.rpm warning: pvk-0.12-3jdl.i386.rpm: Header V3 DSA signature: NOKEY, key ID fd37b537 error: Failed dependencies: libcrypto.so.2 is needed by pvk-0.12-3jdl.i386 I definitely have openssl installed on the linux box, rpm -qa | grep ssh libssh2-0.18-7.fc9.i386 openssh-5.1p1-3.fc10.i386 openssh-server-5.1p1-3.fc10.i386 openssh-askpass-5.1p1-3.fc10.i386 ganymed-ssh2-210-6.fc9.i386 openssh-clients-5.1p1-3.fc10.i386 - just could not figure out why the system complained about libcrypto. Could you please give me some information on fix the problem? Thank you very much, Kind regards, George Ping
Problems with encryption
Has anyone seen problems encrypting credit card numbers with BlowFish. When encrypting with a 32 char or a 56 char key the there are a number of values that are not encrypting and thus decrypting all of the characters. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: documentation/description of RSA PEM file format used by OpenSSL
Thanks for the link, but I've already seen that, and unfortunately it didn't help... When I open the PEM files with keys in a plain text editor, the contents are different than what's shown on the linked page. In stead of: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89 ...base64 encoded data... -END RSA PRIVATE KEY- there is just: -BEGIN RSA PRIVATE KEY- ...base64 encoded data... -END RSA PRIVATE KEY- After decoding the base64 encoded data, I get some binary data which I don't know what to do with... Dr. Stephen Henson pisze: On Thu, Feb 05, 2009, Tomasz Ka??mierczak wrote: Hello, In the OpenSSL API there are functions called PEM_write_RSAPrivateKey(), PEM_write_RSAPublicKey() and corresponding read functions: PEM_read_RSAPrivateKey(), PEM_read_RSAPublicKey(). What I need is to read/write RSA keys to/from a file in exactly the same format as these functions do, but I cannot use OpenSSL (due to licensing issues when using OpenSSL in GPL'd code). I've tried to find some GPL'd code that can handle files in such format, but haven't succeeded. What I've managed to find out is that it's a PKCS#1 certificate stored in a PEM file - is that right? Unfortunately, even with such knowledge, I haven't managed to find any specification that would be of any help. RSAPublicKey and RSAPrivateKey are the same structures mentioned in PKCS#1 base64 encoded with the approproiate headers. If you need the PEM encryption format then see: http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: documentation/description of RSA PEM file format used by OpenSSL
If it says -BEGIN RSA PRIVATE KEY-, then it is an unencrypted PKCS#1 RSA key structure which contains private exponent, public exponent, and modulus. -Kyle H On Fri, Feb 6, 2009 at 9:34 AM, Tomasz Kaźmierczak tome...@wp.eu wrote: Thanks for the link, but I've already seen that, and unfortunately it didn't help... When I open the PEM files with keys in a plain text editor, the contents are different than what's shown on the linked page. In stead of: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89 ...base64 encoded data... -END RSA PRIVATE KEY- there is just: -BEGIN RSA PRIVATE KEY- ...base64 encoded data... -END RSA PRIVATE KEY- After decoding the base64 encoded data, I get some binary data which I don't know what to do with... Dr. Stephen Henson pisze: On Thu, Feb 05, 2009, Tomasz Ka??mierczak wrote: Hello, In the OpenSSL API there are functions called PEM_write_RSAPrivateKey(), PEM_write_RSAPublicKey() and corresponding read functions: PEM_read_RSAPrivateKey(), PEM_read_RSAPublicKey(). What I need is to read/write RSA keys to/from a file in exactly the same format as these functions do, but I cannot use OpenSSL (due to licensing issues when using OpenSSL in GPL'd code). I've tried to find some GPL'd code that can handle files in such format, but haven't succeeded. What I've managed to find out is that it's a PKCS#1 certificate stored in a PEM file - is that right? Unfortunately, even with such knowledge, I haven't managed to find any specification that would be of any help. RSAPublicKey and RSAPrivateKey are the same structures mentioned in PKCS#1 base64 encoded with the approproiate headers. If you need the PEM encryption format then see: http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: documentation/description of RSA PEM file format used by OpenSSL
Ok. And it is of course base64 encoded, right? And what about the public key (-BEGIN RSA PUBLIC KEY-)? It looks the same way as the private key file, but it is shorter. Kyle Hamilton pisze: If it says -BEGIN RSA PRIVATE KEY-, then it is an unencrypted PKCS#1 RSA key structure which contains private exponent, public exponent, and modulus. -Kyle H On Fri, Feb 6, 2009 at 9:34 AM, Tomasz Kaźmierczak tome...@wp.eu wrote: Thanks for the link, but I've already seen that, and unfortunately it didn't help... When I open the PEM files with keys in a plain text editor, the contents are different than what's shown on the linked page. In stead of: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89 ...base64 encoded data... -END RSA PRIVATE KEY- there is just: -BEGIN RSA PRIVATE KEY- ...base64 encoded data... -END RSA PRIVATE KEY- After decoding the base64 encoded data, I get some binary data which I don't know what to do with... Dr. Stephen Henson pisze: On Thu, Feb 05, 2009, Tomasz Ka??mierczak wrote: Hello, In the OpenSSL API there are functions called PEM_write_RSAPrivateKey(), PEM_write_RSAPublicKey() and corresponding read functions: PEM_read_RSAPrivateKey(), PEM_read_RSAPublicKey(). What I need is to read/write RSA keys to/from a file in exactly the same format as these functions do, but I cannot use OpenSSL (due to licensing issues when using OpenSSL in GPL'd code). I've tried to find some GPL'd code that can handle files in such format, but haven't succeeded. What I've managed to find out is that it's a PKCS#1 certificate stored in a PEM file - is that right? Unfortunately, even with such knowledge, I haven't managed to find any specification that would be of any help. RSAPublicKey and RSAPrivateKey are the same structures mentioned in PKCS#1 base64 encoded with the approproiate headers. If you need the PEM encryption format then see: http://www.openssl.org/docs/crypto/pem.html#PEM_ENCRYPTION_FORMAT Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: documentation/description of RSA PEM file format used by OpenSSL
On Fri, Feb 06, 2009, Tomasz Ka??mierczak wrote: Ok. And it is of course base64 encoded, right? And what about the public key (-BEGIN RSA PUBLIC KEY-)? It looks the same way as the private key file, but it is shorter. As I said in the other message thats an RSAPublicKey structure, see PKCS#1. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: documentation/description of RSA PEM file format used by OpenSSL
Ok. Thanks for the answers. I'll try with this information. Regards, Tomasz Kaźmierczak Dr. Stephen Henson pisze: On Fri, Feb 06, 2009, Tomasz Kaźmierczak wrote: Ok. And it is of course base64 encoded, right? And what about the public key (-BEGIN RSA PUBLIC KEY-)? It looks the same way as the private key file, but it is shorter. As I said in the other message thats an RSAPublicKey structure, see PKCS#1. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Problems with encryption
Has anyone seen problems encrypting credit card numbers with BlowFish. When encrypting with a 32 char or a 56 char key the there are a number of values that are not encrypting and thus decrypting all of the characters. This sounds like a classic example of bugs caused by the everything is a C-style string mindset. No, not everything is a string. Some things are binary data. Some things have their length stored separately and aren't terminated by a zero byte. Some things have zeroes inside them, and 'strlen' won't give you the data length. Perhaps you want to base64 encode the encrypted data? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problems with encryption
Yes, I want and must base64 encode the data. Have you seen any examples of doing this with the binary results from encrypting. David Schwartz wrote: Has anyone seen problems encrypting credit card numbers with BlowFish. When encrypting with a 32 char or a 56 char key the there are a number of values that are not encrypting and thus decrypting all of the characters. This sounds like a classic example of bugs caused by the everything is a C-style string mindset. No, not everything is a string. Some things are binary data. Some things have their length stored separately and aren't terminated by a zero byte. Some things have zeroes inside them, and 'strlen' won't give you the data length. Perhaps you want to base64 encode the encrypted data? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problems with encryption
On Sat, Feb 7, 2009 at 12:44 AM, Rafel Coyle rafel.co...@earthlink.net wrote: Yes, I want and must base64 encode the data. Have you seen any examples of doing this with the binary results from encrypting. See, for example, the code of the enc / dec OpenSSL utilities; sourcecode in apps/enc.c Basically, base64 encoding/decoding is done there by adding a base64 encoding/decoding BIO filter to the BIO stack. The encrypting / decrypting is done through the use of another BIO filter in that chain. You may want to read up on how to use BIOs before you start hacking ;-) Regarding BIOs: those can be used to process file-, memory-, etc. data. Several examples of their use can be found in the apps/ and demo/ OpenSSL directories (some a little rougher than others). For an example of base64 enc/dec without the crypto, see http://www.mail-archive.com/openssl-users@openssl.org/msg55632.html -- Met vriendelijke groeten / Best regards, Ger Hobbelt -- web:http://www.hobbelt.com/ http://www.hebbut.net/ mail: g...@hobbelt.com mobile: +31-6-11 120 978 -- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problems with encryption
See, for example, the code of the enc / dec OpenSSL utilities; sourcecode in apps/enc.c Where are these examples? Please! Ger Hobbelt wrote: On Sat, Feb 7, 2009 at 12:44 AM, Rafel Coyle rafel.co...@earthlink.net wrote: Yes, I want and must base64 encode the data. Have you seen any examples of doing this with the binary results from encrypting. See, for example, the code of the enc / dec OpenSSL utilities; sourcecode in apps/enc.c Basically, base64 encoding/decoding is done there by adding a base64 encoding/decoding BIO filter to the BIO stack. The encrypting / decrypting is done through the use of another BIO filter in that chain. You may want to read up on how to use BIOs before you start hacking ;-) Regarding BIOs: those can be used to process file-, memory-, etc. data. Several examples of their use can be found in the apps/ and demo/ OpenSSL directories (some a little rougher than others). For an example of base64 enc/dec without the crypto, see http://www.mail-archive.com/openssl-users@openssl.org/msg55632.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problems with encryption
in the OpenSSL source code tarball, in the directory mentioned. -Kyle H On Fri, Feb 6, 2009 at 4:33 PM, Rafel Coyle rafel.co...@earthlink.net wrote: See, for example, the code of the enc / dec OpenSSL utilities; sourcecode in apps/enc.c Where are these examples? Please! Ger Hobbelt wrote: On Sat, Feb 7, 2009 at 12:44 AM, Rafel Coyle rafel.co...@earthlink.net wrote: Yes, I want and must base64 encode the data. Have you seen any examples of doing this with the binary results from encrypting. See, for example, the code of the enc / dec OpenSSL utilities; sourcecode in apps/enc.c Basically, base64 encoding/decoding is done there by adding a base64 encoding/decoding BIO filter to the BIO stack. The encrypting / decrypting is done through the use of another BIO filter in that chain. You may want to read up on how to use BIOs before you start hacking ;-) Regarding BIOs: those can be used to process file-, memory-, etc. data. Several examples of their use can be found in the apps/ and demo/ OpenSSL directories (some a little rougher than others). For an example of base64 enc/dec without the crypto, see http://www.mail-archive.com/openssl-users@openssl.org/msg55632.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: OpenSSL command line HMAC
From: owner-openssl-us...@openssl.org On Behalf Of Young, Alistair
Sent: Friday, 06 February, 2009 05:17
-Original Message-
From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
Sent: 06 February 2009 00:29
But, to complicate things further, I'm trying to invoke this from
Java.
So I have something like:
byte[] key = ;
Runtime.getRuntime().exec(openssl, dgst, -sha256, -hmac,
\ + new String(key) + \, -binary); I then pipe my message in,
and collect the output from the output stream.
In the Java I have (SDK5=jre1.6.0_02) I can't Runtime.exec multiple
strings
like that, I have to put them in an array with {}. (Or a single String,
but
then I'm not sure whose parsing rules are used and when.) With a String
[],
don't add quotes around the key value. In a shell command, ' \ are
processed
by the shell before being passed to the program. As are the ` above.
Then it works for me.
You're right about the array, of course - this was some poorly
transcribed code! :)
Without the quotes, if my hmac key contains a space or tab
character, it seems that somewhere along the way, the two halves
of the key are treated as separate parameters. So, if my key was
£$% £$%*, attempting to execute the command simply results in
OpenSSL giving a £$%* not found error.
Are those pounds in 8859-1, as posted? I don't use any non-US charsets
here and so can't easily test that, but with $% $%* (minus quotes)
it (still) works for me. (I previously lazily tested on my local Windows
instead of Linux, but this time to be certain I used a convenient Linux box,
which actually has an older jre, 1.5.0_06-b05 .)
Adding the quotes didn't work because, if I understand things
correctly, the notion of quotes (or escaping characters with \)
is a shell concept - hence my attempt to force the command to run
under a shell.
Those are shell concepts, yes. But then you have to figure out
exactly what to tell the shell to get it to end up with the
exactly right values passed to the program i.e. openssl.
Shell is designed to be convenient for normal (interactive) cases,
as the cost of confusion and obscurity in weird cases.
snip
Incidentally, the simple approach (simply passing the key as a
parameter, regardless of its content) worked flawlessly under
Windows (using non-FIPS OpenSSL).
That makes me really suspicious. I wonder if it might be an issue with
high-half signed characters somewhere, or Unicode encoding, or such.
Could you try passing the desired arguments to instead a simple program
that just shows you exactly what it's getting, something like:
#include stdio.h
int main (void) {int c, char **v)
{ char*p; while(p=*++v){
fputs(p);while(*p)printf( %02x,*p++);putchar ('\n'); }
}
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
