Only in FIPS mode: Crash in X509_sign() with memory corruption

2013-02-08 Thread Memmott, Lester
I'm hoping someone has some insight into what I'm doing wrong or if I've just bumped up against a bug. I'm using Visual Studio 2008 on Windows 8 and am in the process of running existing code with FIPS enabled. As expected a few things don't work, but in this case, I'm a bit stumped. I've nar

Re: [openssl-users] Is ordering of distinguished names for subject and issuer in OpenSSL 0.9.8 certificates important?

2013-02-08 Thread Peter Sylvester
Ordering is important. Unfortunately the default order shown in the textual form is not the same as for ldap tools. Using openssl asn1parse shows the encoding, country code should come first.

Re: [openssl-users] Is ordering of distinguished names for subject and issuer in OpenSSL 0.9.8 certificates important?

2013-02-08 Thread Erwann Abalea
Since you need authoritative elements, start by downloading and reading authoritative documents (all are freely available from ITU-T website). X.509, section 7: - [...] The issuer and subject fields of each certificate are used, in part, to identify a valid path. For each pair of adjacent c

RE: Is ordering of distinguished names for subject and issuer in OpenSSL 0.9.8 certificates important?

2013-02-08 Thread Salz, Rich
I think either you mis-read the web page, or the author is confused. Looking at RFC 2253, it quotes X.501 which says: DistinguishedName ::= RDNSequence RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue AttributeTypeAndVal

Re: AES GCM + padding

2013-02-08 Thread Dirk Menstermann
Thank you Matt! On 08.02.2013 16:33, Matt Caswell wrote: > It is a feature of GCM that the ciphertext (excluding the authentication tag) > is > identical length to the plaintext. Therefore no padding is required. > > Matt > > On 8 February 2013 14:27, Dirk Menstermann

Is ordering of distinguished names for subject and issuer in OpenSSL 0.9.8 certificates important?

2013-02-08 Thread Simner, John
Dear All, I am working on an embedded product which has the OpenSSL 0.9.8w library and acts as a client. It is communicating with another product which has the OpenSSL 0.9.8e library and acts as a server. A customer has supplied the client certificate for the server and the associated root CA t

Re: AES GCM + padding

2013-02-08 Thread Matt Caswell
It is a feature of GCM that the ciphertext (excluding the authentication tag) is identical length to the plaintext. Therefore no padding is required. Matt On 8 February 2013 14:27, Dirk Menstermann wrote: > Hi, > > I'm playing around with "EVP_aes_128_gcm". This works, but it seems that > EVP_*

build CSR with x500UniqueIdentifier

2013-02-08 Thread Karsten Reimers
I need to build a CSR with x500UniqueIdentifier as subject like this | openssl req -noout -text -in csr.pem| |Certificate Request: Data: Version: 0 (0x0) Subject: x500UniqueIdentifier=karsten.reimers Subject Public Key Info: Public Key Algorithm: rsaEncryp

Re: Obtaining a TLS session key

2013-02-08 Thread Jouni Malinen
On Fri, Feb 8, 2013 at 12:11 AM, T J wrote: >> TLS keying material exporter, i.e., SSL_export_keying_material(), will >> make your life much easier if you are just looking for a mechanism to >> derive suitable keys for other uses assuming you are using recent >> enough OpenSSL. That tls_openssl.c

AES GCM + padding

2013-02-08 Thread Dirk Menstermann
Hi, I'm playing around with "EVP_aes_128_gcm". This works, but it seems that EVP_* does not include padding. Is this expected/needed or did I miss a step? Thanks Dirk

id-pda-dateOfBirth in Subject?

2013-02-08 Thread Walter H.
Hello, can someone please tell me the correct syntax and/or give me an example of using NID id-pda-dateOfBirth when requesting a certificate by calling openssl req -config openssl.cnf -new -key cert.key -subj "/.../id-pda-dateOfBirth=?" -out cert.csr must there be something special in the