Re: ecdsa_method missing?

2011-02-22 Thread Mounir IDRASSI 

Hi,

In the case of RSA_METHOD, it is working because the underlying type 
rsa_meth_st is defined in rsa.h, whereas for ECDSA_METHOD, the 
underlying type ecdsa_method is not exported by the public headers: it 
is defined in the internal OpenSSL header ecs_locl.h found in the source 
distribution. That explains why you are getting the compile error.
I don't know why it was done like this, but if you really need this 
structure then you'll have to copy its definition from the header I 
mentioned above.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 6:14 PM, Kent Yoder wrote:

Hi,

   The following RSA code compiles:

#include
main() { RSA_METHOD rsa = { "test" };  }

but this ECDSA code doesn't:

#include
main() {  ECDSA_METHOD ecdsa = { "test" }; }

Am I missing a declaration, or is this perhaps a bug?

Thanks,
Kent
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re:Re: Re: at what time must I call SSL_free( ) / SSL_CTX_free( )

2011-02-22 Thread lzyzizi 
The SSL will abort the handshake automatically when something was wrong such as 
the authentication failure,no shared cipher list,verify callback failure and so 
on.So i think you shall call the shutdown and free the object when the 
handshake functions(SSL_do_handshake,SSL_accept,SSL_connect...) failed.


At 2011-02-23 00:45:22,"Aro RANAIVONDRAMBOLA"  wrote:
Hello,
I would like to know at what timehave I to call shutdown ? is there a case I 
have no choice ( and so I have to shutdown ).
In fact, I develop a secure stack between TCP and an application. . So in 
appli_connect( ), appli_read( ), ... appli_accept( ) are defined  like these :
appli_connect(appli_num, ... ){
connect(appli_num->sock , ...);
 ...
SSL_connect(appli_num->ssl, ...);
}

appli_accept(appli_num, ...){
accept(appli_num->sock, ...);
...
SSL_accept(...);
}

appli_read( ){
...
}
appli_write( ){
..
}


  


2011/2/16 lzyzizi
Sorry, I made you confusing.
1)I just want to say that it depends on your needs  to call SSL_CTX_free().For 
example ,you develop an application that needs user to import the certificate 
.If the user import the wrong certificate , you may not call SSL_CTX_free to 
free the SSL_CTX object.You may tell the user that your certificate is wrong, 
and let him import again.
Sometimes,you develop a server.Every time starting server, the server will load 
the certificate.The failure of calling SSL_CTX_use_certificate_file means that 
it load the wrong certificate,If it is a fatal error for you,you should call 
SSL_CTX_free to SSL_CTX object and end your server.

I think  usage of SSL_CTX/SSL function is not about the SSL usage ,but the 
common sense of object-oriented programming.When to kill the object denpends 
what your program needs.



At 2011-02-16 19:40:50,"Aro RANAIVONDRAMBOLA"  wrote:
2) => OK
1) I do not understand when you say I can also call 
SSL_CTX_use_certificate_file( ) to load another certificate file ...
   if it fails how can you load another certificate file ?



2011/2/15 lzyzizi
What time have you to call SSL_free() and SSL_CTX_free() depends what you want 
to end the SSL/SSL_CTX object's lifecycle.Calling these functions is just 
likedel the object in C++,which means you don't want the object any more.
The failure of calling functions(e.g.SSL_CTX_set_cipher_list( ), 
SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( )) does not mean that 
the SSL/SSL_CTX object won't work any more.For example, if the 
SSL_CTX_use_certificate_file() fails, it just means that the certificate file 
may be not OK.You can also call it to load another certificate file.

2)You may not call SSL_CTX_free(),when SSL objects fails.Because the SSL_CTX 
object  is used to create SSL object as a factory.SSL_CTX may create many SSL 
objects.An SSL object just means that this SSL handshake(or other operations) 
has errors,which does not imply that SSL_CTX object has error.Especially,

the failure of these functions(SSL_connect( ), SSL_accept( ), 
SSL_get_verify_result()) is common in SSL handshake, because your peer sent 
wrong certificate to you or something that violated the SSL protocol.It is not 
your fault,so you just need to free the SSL object or do some reconnection 
operation.


At 2011-02-15 22:40:29,"Aro RANAIVONDRAMBOLA"  wrote:
Hello,
I 'd like to know at what time have I to call SSL_free( ) and SSL_CTX_free( )
1) For example, I call SSL_CTX_free( ) when a call to a function which fill in 
the CTX fails ( SSL_CTX_set_cipher_list( ), SSL_CTX_use_certificate_file( ), 
..., SSL_CTX_set_verify( ) ). I am wondering if it is a good idea.
2) I call both SSL_free( ) and SSL_CTX_free( ) when a function using SSL object 
fails. it concerns  SSL_connect( ), SSL_accept( ), SSL_get_verify_result(), ... 
is that OK ?
thanks

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Mounir IDRASSI 

Hi,

Are you sure you have the same error description 
(lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested here 
with a certificate containing "Digital Signature, Non Repudiation" key 
usage and OpenSSL doesn't complain.
I'm attaching the timestamp certificate (with its key and its CA 
certificate) that I used. Can you see if it is working for you?


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:

Hi Mounir IDRASSI!
I generated the certificate with ONLY Digital Signature, Non 
Repudiation but I still have the same problem.


Thanks!

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d8:e6:a3:f6:22:c7:a4:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, 
CN=ac/emailAddress=a...@suscerte.gob.ve 

Validity
Not Before: Feb 22 14:08:20 2011 GMT
Not After : Feb 22 14:08:20 2012 GMT
Subject: C=ve, ST=distritocapital, L=caracas, O=tss, 
OU=suscerte, CN=tsscompany/emailAddress=t...@company.com 


Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
7a:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:

FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17

X509v3 Authority Key Identifier:

keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76


X509v3 Subject Alternative Name:
email:t...@company.com 
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha1WithRSAEncryption
3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19:
1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8:
50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1:
19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6:
b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a:
04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1:
5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57:
81:af


2011/2/22 Mounir IDRASSI >


Hi,

I don't agree : from the error description
(lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that
OpenSSL loaded the certificate but the X509_check_purpose(signer,
X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.

Actaully, reading the certificate dump shows that the problem is
coming from the certificate Key Usage : it MUST NOT contain Key
Encipherment.
So, to resolve your problem, set the Key Usage to ONLY Digital
Signature, Non Repudiation.

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 2/22/2011 2:40 PM, Patrick Patterson wrote:

Hi Yessica:

That error is fairly straightforward - it's can't load the
cert (meaning, it can't even load the file).

Have you made sure that the permissions are correct? Are you
absolutely sure that you have the right cert in the right
location?

Have fun.

Patrick.

On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

Hi!
This is the new certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:

Re: Two questions about OpenSSL TSA Tool?

2011-02-22 Thread Jaroslav Imrich 
Hello Dragan,

there is currently no way to display information you require with openssl's
TS command. However it is pretty easy to write custom application and use
openssl library to parse time-stamp response.

OpenSSL's TS module currently signs timestamps only with "sha1-rsa"
algorithm, but few months ago I've submitted patch that allows users to
specify signing algorithm -
http://rt.openssl.org/Ticket/Display.html?id=2145&user=guest&pass=guest

-- 
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Jaroslav Imrich 
Hello Yessica,

you are almost there :)

Try only "Non Repudiation" as key usage:

X509v3 Key Usage:
Non Repudiation
X509v3 Extended Key Usage: critical
Time Stamping


-- 
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk


On Tue, Feb 22, 2011 at 3:11 PM, Yessica De Ascencao
wrote:

> Hi Mounir IDRASSI!
> I generated the certificate with ONLY Digital Signature, Non Repudiation
> but I still have the same problem.
>
> Thanks!
>
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> d8:e6:a3:f6:22:c7:a4:0c
>
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
> CN=ac/emailAddress=a...@suscerte.gob.ve
> Validity
> Not Before: Feb 22 14:08:20 2011 GMT
> Not After : Feb 22 14:08:20 2012 GMT
>
> Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte,
> CN=tsscompany/emailAddress=t...@company.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
> 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
> 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
> 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
> 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
> b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
> 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
> 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
> 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
> 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
> f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
> 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
> 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
> 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
> 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
> 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
> 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
> 7a:4b
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> X509v3 Key Usage:
> Digital Signature, Non Repudiation
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
> X509v3 Authority Key Identifier:
>
> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
>
> X509v3 Subject Alternative Name:
> email:t...@company.com
> X509v3 Extended Key Usage: critical
> Time Stamping
> Signature Algorithm: sha1WithRSAEncryption
> 3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19:
> 1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8:
> 50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1:
> 19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6:
> b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a:
> 04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1:
> 5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57:
> 81:af
>
>
> 2011/2/22 Mounir IDRASSI 
>
> Hi,
>>
>> I don't agree : from the error description
>> (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL
>> loaded the certificate but the X509_check_purpose(signer,
>> X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.
>>
>> Actaully, reading the certificate dump shows that the problem is coming
>> from the certificate Key Usage : it MUST NOT contain Key Encipherment.
>> So, to resolve your problem, set the Key Usage to ONLY Digital Signature,
>> Non Repudiation.
>>
>> I hope this will help.
>> Cheers,
>> --
>> Mounir IDRASSI
>> IDRIX
>> http://www.idrix.fr
>>
>>
>> On 2/22/2011 2:40 PM, Patrick Patterson wrote:
>>
>>> Hi Yessica:
>>>
>>> That error is fairly straightforward - it's can't load the cert (meaning,
>>> it can't even load the file).
>>>
>>> Have you made sure that the permissions are correct? Are you absolutely
>>> sure that you have the right cert in the right location?
>>>
>>> Have fun.
>>>
>>> Patrick.
>>>
>>> On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:
>>>
>>>  Hi!
 This is the new certificate:

 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 d8:e6:a3:f6:22:c7:a4:0b
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
 C

openssl smime vs. cms

2011-02-22 Thread Leonard F. Elia 
Is openssl cms the now recommended way to handle data which used to be
handled using openssl smime?

I keep some files encrypted on disk using the smime utility, but if cms
is recommended I will start using that.

-- 
Leonard F. Elia III, CISSP
Sr. System Administrator
LITES - NASA Langley Research Center
Science Systems & Applications, Inc., Hampton VA

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

ecdsa_method missing?

2011-02-22 Thread Kent Yoder 
Hi,

  The following RSA code compiles:

#include 
main() { RSA_METHOD rsa = { "test" };  }

but this ECDSA code doesn't:

#include 
main() {  ECDSA_METHOD ecdsa = { "test" }; }

Am I missing a declaration, or is this perhaps a bug?

Thanks,
Kent
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Re: at what time must I call SSL_free( ) / SSL_CTX_free( )

2011-02-22 Thread Aro RANAIVONDRAMBOLA 
Hello,
I would like to know at what time have I to call shutdown ? is there a case
I have no choice ( and so I have to shutdown ).
In fact, I develop a secure stack between TCP and an application. . So in
appli_connect( ), appli_read( ), ... appli_accept( ) are defined  like these
:
appli_connect(appli_num, ... ){
connect(appli_num->sock , ...);
 ...
SSL_connect(appli_num->ssl, ...);
}

appli_accept(appli_num, ...){
accept(appli_num->sock, ...);
...
SSL_accept(...);
}

appli_read( ){
...
}
appli_write( ){
..
}




2011/2/16 lzyzizi 

> Sorry, I made you confusing.
> 1)I just want to say that it depends on your needs  to call
> SSL_CTX_free().For example ,you develop an application that needs user to
> import the certificate .If the user import the wrong certificate , you may
> not call SSL_CTX_free to free the SSL_CTX object.You may tell the user that
> your certificate is wrong, and let him import again.
> Sometimes,you develop a server.Every time starting server, the server will
> load the certificate.The failure of calling SSL_CTX_use_certificate_file
> means that it load the wrong certificate,If it is a fatal error for you,you
> should call SSL_CTX_free to SSL_CTX object and end your server.
>
> I think  usage of SSL_CTX/SSL function is not about the SSL usage ,but the
> common sense of object-oriented programming.When to kill the object denpends
> what your program needs.
>
>
> At 2011-02-16 19:40:50,"Aro RANAIVONDRAMBOLA"  wrote:
>
> 2) => OK
> 1) I do not understand when you say I can also call
> SSL_CTX_use_certificate_file( ) to load another certificate file ...
>if it fails how can you load another certificate file ?
>
>
> 2011/2/15 lzyzizi 
>
>> What time have you to call SSL_free() and SSL_CTX_free() depends what you
>> want to end the SSL/SSL_CTX object's lifecycle.Calling these functions is
>> just like *del* the object in C++,which means you don't want the object
>> any more.
>> The failure of calling functions(e.g.SSL_CTX_set_cipher_list( ),
>> SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( )) does not mean
>> that the SSL/SSL_CTX object won't work any more.For example, if the
>> SSL_CTX_use_certificate_file() fails, it just means that the certificate
>> file may be not OK.You can also call it to load another certificate file.
>>
>> 2)You may not call SSL_CTX_free(),when SSL objects fails.Because the
>> SSL_CTX object  is used to create SSL object as a factory.SSL_CTX may create
>> many SSL objects.An SSL object just means that this SSL handshake(or other
>> operations) has errors,which does not imply that SSL_CTX object has
>> error.Especially,
>> the failure of these functions(SSL_connect( ), SSL_accept( ),
>> SSL_get_verify_result()) is common in SSL handshake, because your peer sent
>> wrong certificate to you or something that violated the SSL protocol.It is
>> not your fault,so you just need to free the SSL object or do some
>> reconnection operation.
>>
>>
>> At 2011-02-15 22:40:29,"Aro RANAIVONDRAMBOLA"  wrote:
>>
>> Hello,
>> I 'd like to know at what time have I to call SSL_free( ) and
>> SSL_CTX_free( )
>> 1) For example, I call SSL_CTX_free( ) when a call to a function which
>> fill in the CTX fails ( SSL_CTX_set_cipher_list( ),
>> SSL_CTX_use_certificate_file( ), ..., SSL_CTX_set_verify( ) ). I am
>> wondering if it is a good idea.
>> 2) I call both SSL_free( ) and SSL_CTX_free( ) when a function using SSL
>> object fails. it concerns  SSL_connect( ), SSL_accept( ),
>> SSL_get_verify_result(), ... is that OK ?
>> thanks
>>
>>
>>
>>
>
>
>

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Yessica De Ascencao 
Hi Mounir IDRASSI!
I generated the certificate with ONLY Digital Signature, Non Repudiation but
I still have the same problem.

Thanks!

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d8:e6:a3:f6:22:c7:a4:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
CN=ac/emailAddress=a...@suscerte.gob.ve
Validity
Not Before: Feb 22 14:08:20 2011 GMT
Not After : Feb 22 14:08:20 2012 GMT
Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte,
CN=tsscompany/emailAddress=t...@company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
7a:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
X509v3 Authority Key Identifier:

keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

X509v3 Subject Alternative Name:
email:t...@company.com
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha1WithRSAEncryption
3d:d4:76:9a:d7:2d:6a:93:62:d7:2c:29:87:cc:9c:72:97:19:
1a:2d:59:b8:fc:6c:86:22:ad:9c:ba:74:de:89:cb:55:c0:f8:
50:02:5d:7d:58:92:cb:0d:c9:9a:30:a9:2a:32:7e:2c:c6:a1:
19:eb:09:30:55:85:c8:30:d4:f1:51:9a:ca:77:58:8e:f8:a6:
b8:d9:92:63:10:fa:ad:06:79:aa:d9:5a:09:9c:5b:91:8b:7a:
04:66:f5:24:0b:25:25:69:a5:66:30:c1:4a:b8:cf:c7:51:e1:
5a:a0:a6:51:cf:b0:26:05:8d:c4:66:cd:3b:c6:08:a5:de:57:
81:af


2011/2/22 Mounir IDRASSI 

> Hi,
>
> I don't agree : from the error description
> (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL
> loaded the certificate but the X509_check_purpose(signer,
> X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.
>
> Actaully, reading the certificate dump shows that the problem is coming
> from the certificate Key Usage : it MUST NOT contain Key Encipherment.
> So, to resolve your problem, set the Key Usage to ONLY Digital Signature,
> Non Repudiation.
>
> I hope this will help.
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
>
> On 2/22/2011 2:40 PM, Patrick Patterson wrote:
>
>> Hi Yessica:
>>
>> That error is fairly straightforward - it's can't load the cert (meaning,
>> it can't even load the file).
>>
>> Have you made sure that the permissions are correct? Are you absolutely
>> sure that you have the right cert in the right location?
>>
>> Have fun.
>>
>> Patrick.
>>
>> On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:
>>
>>  Hi!
>>> This is the new certificate:
>>>
>>> Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number:
>>> d8:e6:a3:f6:22:c7:a4:0b
>>> Signature Algorithm: sha1WithRSAEncryption
>>> Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
>>> CN=ac/emailAddress=a...@suscerte.gob.ve
>>> Validity
>>> Not Before: Feb 21 20:15:08 2011 GMT
>>> Not After : Feb 21 20:15:08 2012 GMT
>>> Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte,
>>> CN=tsscompany/emailAddress=t...@company.com
>>> Subject Public Key Info:
>>> Public Key Algorithm: rsaEncryption
>>> RSA Public Key: (2048 bit)
>>> Modulus (2048 bit):
>>> 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
>>>

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Yessica De Ascencao 
Hi Patrick!
The certificate has all permissions, and the tutorial does not specify a
location for its storage.
Thanks!

2011/2/22 Patrick Patterson 

> Hi Yessica:
>
> That error is fairly straightforward - it's can't load the cert (meaning,
> it can't even load the file).
>
> Have you made sure that the permissions are correct? Are you absolutely
> sure that you have the right cert in the right location?
>
> Have fun.
>
> Patrick.
>
> On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:
>
> > Hi!
> > This is the new certificate:
> >
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number:
> > d8:e6:a3:f6:22:c7:a4:0b
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
> CN=ac/emailAddress=a...@suscerte.gob.ve
> > Validity
> > Not Before: Feb 21 20:15:08 2011 GMT
> > Not After : Feb 21 20:15:08 2012 GMT
> > Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte,
> CN=tsscompany/emailAddress=t...@company.com
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
> > 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
> > 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
> > 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
> > 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
> > b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
> > 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
> > 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
> > 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
> > 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
> > f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
> > 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
> > 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
> > 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
> > 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
> > 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
> > 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
> > 7a:4b
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints:
> > CA:FALSE
> > X509v3 Key Usage:
> > Digital Signature, Non Repudiation, Key Encipherment
> > Netscape Comment:
> > OpenSSL Generated Certificate
> > X509v3 Subject Key Identifier:
> >
> FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
> > X509v3 Authority Key Identifier:
> >
> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
> >
> > X509v3 Subject Alternative Name:
> > email:t...@company.com
> > X509v3 Extended Key Usage: critical
> > Time Stamping
> > Signature Algorithm: sha1WithRSAEncryption
> > 02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
> > 52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
> > 02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
> > cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
> > e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
> > be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
> > 5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
> > 47:87
> >
> > And this is the error:
> > [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509
> certificate: /usr/local/ssl/misc/demoCA/tss.pem
> > [Mon Feb 21 20:15:37 2011] [error]
> mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
> > [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa
> initialisation.
> >
> > Thanks!!!
> >
> > 2011/2/21 Jaroslav Imrich 
> > Hello Yessica,
> >
> > please post new certificate and exact error you're getting.
> >
> > --
> >
> > Kind Regards / S pozdravom
> >
> > Jaroslav Imrich
> > http://www.jariq.sk
> >
> >
> >
> > On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao <
> yessima...@gmail.com> wrote:
> > hello!!!
> > Thanks for the response!
> >
> > Yes I needed the extension to Time Stamping, however when I load the
> sample certificate in the OpenTSA page, continues to show me the same error.
> I created a certificate with the correct extension and likewise gives me
> error.
> >
> > I really do not know what may be happening.
> >
> > Thank you very much!
> >
> >
> >
> > 2011/2/18 Jaroslav Imrich 
> > Hello Yessica,
> >
> >
> > this line in your logs tells you where the error occured:
> >
> >
> > [Thu Feb 17 19:23:09 201

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Mounir IDRASSI 

Hi,

I don't agree : from the error description 
(lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that 
OpenSSL loaded the certificate but the X509_check_purpose(signer, 
X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.


Actaully, reading the certificate dump shows that the problem is coming 
from the certificate Key Usage : it MUST NOT contain Key Encipherment.
So, to resolve your problem, set the Key Usage to ONLY Digital 
Signature, Non Repudiation.


I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 2/22/2011 2:40 PM, Patrick Patterson wrote:

Hi Yessica:

That error is fairly straightforward - it's can't load the cert (meaning, it 
can't even load the file).

Have you made sure that the permissions are correct? Are you absolutely sure 
that you have the right cert in the right location?

Have fun.

Patrick.

On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:


Hi!
This is the new certificate:

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 d8:e6:a3:f6:22:c7:a4:0b
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, 
CN=ac/emailAddress=a...@suscerte.gob.ve
 Validity
 Not Before: Feb 21 20:15:08 2011 GMT
 Not After : Feb 21 20:15:08 2012 GMT
 Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, 
CN=tsscompany/emailAddress=t...@company.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Modulus (2048 bit):
 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
 b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
 f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
 7a:4b
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 X509v3 Key Usage:
 Digital Signature, Non Repudiation, Key Encipherment
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
 X509v3 Authority Key Identifier:
 
keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

 X509v3 Subject Alternative Name:
 email:t...@company.com
 X509v3 Extended Key Usage: critical
 Time Stamping
 Signature Algorithm: sha1WithRSAEncryption
 02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
 52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
 02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
 cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
 e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
 be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
 5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
 47:87

And this is the error:
[Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: 
/usr/local/ssl/misc/demoCA/tss.pem
[Mon Feb 21 20:15:37 2011] [error] 
mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa 
initialisation.

Thanks!!!

2011/2/21 Jaroslav Imrich
Hello Yessica,

please post new certificate and exact error you're getting.

--

Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk



On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao  
wrote:
hello!!!
Thanks for the response!

Yes I needed the extension to Time Stamping, however when I load the sample 
certificate in the OpenTSA page, continues to show me the same error. I created 
a certificate with the correct extension and likewise gives me error.

I really do not know what may be happening.

Thank you very much!



2011/2/18 Jaroslav Imrich
Hell

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Patrick Patterson 
Hi Yessica:

That error is fairly straightforward - it's can't load the cert (meaning, it 
can't even load the file).

Have you made sure that the permissions are correct? Are you absolutely sure 
that you have the right cert in the right location?

Have fun.

Patrick.
 
On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

> Hi!
> This is the new certificate:
> 
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> d8:e6:a3:f6:22:c7:a4:0b
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, 
> CN=ac/emailAddress=a...@suscerte.gob.ve
> Validity
> Not Before: Feb 21 20:15:08 2011 GMT
> Not After : Feb 21 20:15:08 2012 GMT
> Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, 
> CN=tsscompany/emailAddress=t...@company.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> 00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
> 00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
> 56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
> 6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
> 6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
> b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
> 1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
> 36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
> 51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
> 27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
> f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
> 2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
> 3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
> 87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
> 8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
> 7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
> 6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
> 7a:4b
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: 
> CA:FALSE
> X509v3 Key Usage: 
> Digital Signature, Non Repudiation, Key Encipherment
> Netscape Comment: 
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier: 
> FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
> X509v3 Authority Key Identifier: 
> 
> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
> 
> X509v3 Subject Alternative Name: 
> email:t...@company.com
> X509v3 Extended Key Usage: critical
> Time Stamping
> Signature Algorithm: sha1WithRSAEncryption
> 02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
> 52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
> 02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
> cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
> e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
> be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
> 5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
> 47:87
> 
> And this is the error:
> [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: 
> /usr/local/ssl/misc/demoCA/tss.pem
> [Mon Feb 21 20:15:37 2011] [error] 
> mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
> [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa 
> initialisation.
> 
> Thanks!!!
> 
> 2011/2/21 Jaroslav Imrich 
> Hello Yessica,
> 
> please post new certificate and exact error you're getting.
> 
> -- 
> 
> Kind Regards / S pozdravom
> 
> Jaroslav Imrich
> http://www.jariq.sk
> 
> 
> 
> On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao  
> wrote:
> hello!!!
> Thanks for the response!
> 
> Yes I needed the extension to Time Stamping, however when I load the sample 
> certificate in the OpenTSA page, continues to show me the same error. I 
> created a certificate with the correct extension and likewise gives me error.
> 
> I really do not know what may be happening.
> 
> Thank you very much!
> 
> 
> 
> 2011/2/18 Jaroslav Imrich 
> Hello Yessica,
> 
> 
> this line in your logs tells you where the error occured:
> 
> 
> [Thu Feb 17 19:23:09 2011] [error] 
> mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
> 
> When you look into source code of openssl ts module - 
> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 - 
> you can see that line 206 contains following code:
> 
> if (X509_check_purpose(signer, X509_

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Yessica De Ascencao 
Hi!
This is the new certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d8:e6:a3:f6:22:c7:a4:0b
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz,
CN=ac/emailAddress=a...@suscerte.gob.ve
Validity
Not Before: Feb 21 20:15:08 2011 GMT
Not After : Feb 21 20:15:08 2012 GMT
Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte,
CN=tsscompany/emailAddress=t...@company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
7a:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
X509v3 Authority Key Identifier:

keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

X509v3 Subject Alternative Name:
email:t...@company.com
X509v3 Extended Key Usage: critical
Time Stamping
Signature Algorithm: sha1WithRSAEncryption
02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
47:87

And this is the error:
[Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate:
/usr/local/ssl/misc/demoCA/tss.pem
[Mon Feb 21 20:15:37 2011] [error]
mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa
initialisation.

Thanks!!!

2011/2/21 Jaroslav Imrich 

> Hello Yessica,
>
> please post new certificate and exact error you're getting.
>
> --
>
> Kind Regards / S pozdravom
>
> Jaroslav Imrich
> http://www.jariq.sk
>
>
>
> On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao  > wrote:
>
>> hello!!!
>> Thanks for the response!
>>
>> Yes I needed the extension to Time Stamping, however when I load the
>> sample certificate in the OpenTSA page, continues to show me the same
>> error. I created a certificate with the correct extension and likewise
>> gives me error.
>>
>> I really do not know what may be happening.
>>
>> Thank you very much!
>>
>>
>>
>> 2011/2/18 Jaroslav Imrich 
>>
>>> Hello Yessica,
>>>
>>>
>>> this line in your logs tells you where the error occured:
>>>
>>>
>>> [Thu Feb 17 19:23:09 2011] [error]
>>> mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
>>>
>>> When you look into source code of openssl ts module -
>>> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2-
>>>  you can see that line 206 contains following code:
>>>
>>> if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) !=
>>> 1)
>>> {
>>> TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
>>>   TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
>>> return 0;
>>> }
>>>
>>> That means loading of TSA certificate failed because of incorrect
>>> extensions.
>>>
>>> Certificate you posted has critical mark on "X509v3 Subject Alternative
>>> Name" which is completely wrong in this case. It is "Time Stamping" th

Two questions about OpenSSL TSA Tool?

2011-02-22 Thread Dragan Google Mail 
Dear all
 
I have two questions:
 
1. How can I extract TSA certificate and CA certificate(s) from a time stamp
response, using OpenSSL TSA Tool?
 
2. How can I print signature algorithm (SHA1-RSA, SHA256-RSA,
SHA512-RSA,...) from the time stamp response/token in human-readable format?
 
Thanks in advance.
 
 
Best regards,
Dragan Spasic

undefined reference to `_OPENSSL_cleanse|

2011-02-22 Thread cryptocat 

Hello, I using gcc with codeblocks and I tried to compile the code below and
got the undefined reference error on lines 57 and 70. Am I supposed to use a
library to link with, I just gave the compiler to directory for the include
files in the crypto folder and the include folder.



/* crypto/sha/sha256.c */
/* 
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
 * 
 */
#include 
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)

#include 
#include 

#include 
#include 
#include 
#include 

const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;

int SHA224_Init (SHA256_CTX *c)
{
#ifdef OPENSSL_FIPS
FIPS_selftest_check();
#endif
c->h[0]=0xc1059ed8UL;   c->h[1]=0x367cd507UL;
c->h[2]=0x3070dd17UL;   c->h[3]=0xf70e5939UL;
c->h[4]=0xffc00b31UL;   c->h[5]=0x68581511UL;
c->h[6]=0x64f98fa7UL;   c->h[7]=0xbefa4fa4UL;
c->Nl=0;c->Nh=0;
c->num=0;   c->md_len=SHA224_DIGEST_LENGTH;
return 1;
}

int SHA256_Init (SHA256_CTX *c)
{
#ifdef OPENSSL_FIPS
FIPS_selftest_check();
#endif
c->h[0]=0x6a09e667UL;   c->h[1]=0xbb67ae85UL;
c->h[2]=0x3c6ef372UL;   c->h[3]=0xa54ff53aUL;
c->h[4]=0x510e527fUL;   c->h[5]=0x9b05688cUL;
c->h[6]=0x1f83d9abUL;   c->h[7]=0x5be0cd19UL;
c->Nl=0;c->Nh=0;
c->num=0;   c->md_len=SHA256_DIGEST_LENGTH;
return 1;
}

unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
SHA256_CTX c;
static unsigned char m[SHA224_DIGEST_LENGTH];

if (md == NULL) md=m;
SHA224_Init(&c);
SHA256_Update(&c,d,n);
SHA256_Final(md,&c);
OPENSSL_cleanse(&c,sizeof(c));
return(md);
}

unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
SHA256_CTX c;
static unsigned char m[SHA256_DIGEST_LENGTH];

if (md == NULL) md=m;
SHA256_Init(&c);
SHA256_Update(&c,d,n);
SHA256_Final(md,&c);
OPENSSL_cleanse(&c,sizeof(c));
return(md);
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{   return SHA256_Update (c,data,len);   }
int SHA224_Final (unsigned char *md, SHA256_CTX *c)
{   return SHA256_Final (md,c);   }

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG   SHA_LONG
#define HASH_CTXSHA256_CTX
#define HASH_CBLOCK SHA_CBLOCK
/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lenghts is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {\
unsigned long ll;   \
unsigned int  n;\
switch ((c)->md_len)\
{   case SHA224_DIGEST_LENGTH:  \
for (n=0;nh[n]; HOST_l2c(ll,(s));   } \
break;  \
case SHA256_DIGEST_LENGTH:  \
for (n=0;nh[n]; HOST_l2c(ll,(s));   } \
break;  \
default:\
if ((c)->md_len > SHA256_DIGEST_LENGTH) \
return 0;   \
for (n=0;n<(c)->md_len/4;n++)   \
{   ll=(c)->h[n]; HOST_l2c(ll,(s));   } \
break;  \
}   \
} while (0)

#define HASH_UPDATE SHA256_Update
#define HASH_TRANSFORM  SHA256_Transform
#define HASH_FINAL  SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num);

#include "md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
0x428a2f98UL,0x71374491UL,0xb5c0fbcfUL,0xe9b5dba5UL,
0x3956c25bUL,0x59f111f1UL,0x923f82a4UL,0xab1c5ed5UL,
0xd807aa98UL,0x12835b01UL,0x243185beUL,0x550c7dc3UL,
0x72be5d74UL,0x80deb1feUL,0x9bdc06a7UL,0xc19bf174UL,
0xe49b69c1UL,0xefbe4786UL,0x0fc19dc6UL,0x240ca1ccUL,
0x2de92c6fUL,0x4a7484aaUL,0x5cb0a9dcUL,0x76f988daUL,
0x983e5152UL,0xa831c66dUL,0xb00327c8UL,0xbf597fc7UL,
0xc6e00bf3UL,0xd5a79147UL,0x06ca6351UL,0x14292967UL,
0x27b70a85UL,0x2e1b2138UL,0x4d2c6dfcUL,0x53380d13UL,
0x650a7354UL,0x766a0abbUL,0x81c2c92eUL,0x92722c85UL,
0xa2bfe8a1UL,0xa81a664bUL,0xc24b8b70UL,0xc76

Re: HELP!!!! mod_tsa:could not load X.509 certificate

2011-02-22 Thread Jaroslav Imrich 
Hello Yessica,

please post new certificate and exact error you're getting.

-- 
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk



On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao
wrote:

> hello!!!
> Thanks for the response!
>
> Yes I needed the extension to Time Stamping, however when I load the
> sample certificate in the OpenTSA page, continues to show me the same
> error. I created a certificate with the correct extension and likewise
> gives me error.
>
> I really do not know what may be happening.
>
> Thank you very much!
>
>
>
> 2011/2/18 Jaroslav Imrich 
>
>> Hello Yessica,
>>
>>
>> this line in your logs tells you where the error occured:
>>
>>
>> [Thu Feb 17 19:23:09 2011] [error]
>> mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
>>
>> When you look into source code of openssl ts module -
>> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2- 
>> you can see that line 206 contains following code:
>>
>> if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) !=
>> 1)
>> {
>> TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
>>   TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
>> return 0;
>> }
>>
>> That means loading of TSA certificate failed because of incorrect
>> extensions.
>>
>> Certificate you posted has critical mark on "X509v3 Subject Alternative
>> Name" which is completely wrong in this case. It is "Time Stamping" that has
>> to be marked as critical.
>>
>>
>> --
>> Kind Regards / S pozdravom
>>
>> Jaroslav Imrich
>> http://www.jariq.sk
>>
>
>
>
> --
> Saludos!
> Yessica De Ascencao
> 0426-7142582