Re: Apply signature to X509 certificate
You have two ways to follow.

1) To use an HSM to sign, the official way to do it is to use an openssl engine. If your HSM does not provide an openssl engine, it probably does provide a PKCS#11 module, and you can use the pkcs11 engine to load it and use it.

2) In some situations that is not possible (e.g. you need it to be signed on a different remote system). And I just had the same need this week, but for Certificate Requests. There are a lot of small non-documented things to do in this case but basically you need to:

a) get the der encoded value of tbsCertificate field
b) hash it
c) apply pkcs1 padding and sign it
d) put the signature on asn1 form
e) add NIDs and other parameters to the cert_info field you identified.

I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.

If you can, go for option 1). If not I may help you more later with 2)

On Thu, May 9, 2013 at 7:13 PM, Ken Goldman kgold...@us.ibm.com wrote:

> I have a need to sign an X509 certificate outside openssl, using a hardware security module.
>
> 1 - I have to first hash the certificate. I discovered X509_digest(), which is not documented. Is it the correct function? I also found ASN1_item_i2d() to serialize the cert_info member, from which point I can hash. Opinions?
>
> 2 - I have to apply the resulting signature and algorithm to the certificate. I have some sample code which assigns values to the low level X509 structure. E.g.,
>
>     x509->cert_info->signature_algorithm = Obj_nid2obj(NID_sha1WithRSAEncryption);
>
> Is that the only way, or is there a higher level call to add the algorithm ID in both places and the signature in one call?
>
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

--
Cristian Thiago Moecke
Re: Apply signature to X509 certificate
2013/5/10 Cristian Thiago Moecke cont...@cristiantm.com.br

> You have two ways to follow.
>
> 2) In some situations that is not possible (e.g. you need it to be signed on a different remote system). And I just had the same need this week, but for Certificate Requests. There are a lot of small non-documented things to do in this case but basically you need to:
>
> a) get the der encoded value of tbsCertificate field
> b) hash it
> c) apply pkcs1 padding and sign it
> d) put the signature on asn1 form
> e) add NIDs and other parameters to the cert_info field you identified.
>
> I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.
>
> If you can, go for option 1). If not I may help you more later with 2)

This could also be handled by some sort of engine that would work in two modes:

* generate an intermediate result (hash) that can be processed (signed) at the remote site (how to get it there securely is another issue)
* apply processed result (signature) to the remaining part of the signing process

Kris

> On Thu, May 9, 2013 at 7:13 PM, Ken Goldman kgold...@us.ibm.com wrote:
>
>> I have a need to sign an X509 certificate outside openssl, using a hardware security module.
>>
>> 1 - I have to first hash the certificate. I discovered X509_digest(), which is not documented. Is it the correct function? I also found ASN1_item_i2d() to serialize the cert_info member, from which point I can hash. Opinions?
>>
>> 2 - I have to apply the resulting signature and algorithm to the certificate. I have some sample code which assigns values to the low level X509 structure. E.g.,
>>
>>     x509->cert_info->signature_algorithm = Obj_nid2obj(NID_sha1WithRSAEncryption);
>>
>> Is that the only way, or is there a higher level call to add the algorithm ID in both places and the signature in one call?
>
> --
> Cristian Thiago Moecke
Trouble with Illegal instruction
Hello

I have built OpenSSL 1.0.1e with fips 2.0.3

    eistre:/ # openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013

when I use 'wget' with https I run in Illegal instruction

I start with gdb and it comes

    Verbindungsaufbau zu eisler.nettworks.org (eisler.nettworks.org)|139.20.200.42|:443... verbunden.

    Program received signal SIGILL, Illegal instruction.
    [Switching to Thread 0xb733e700 (LWP 16808)]
    0xb7560650 in fips_gcm_ghash_4bit_mmx () from /usr/lib/libcrypto.so.1.0.0
    (gdb)

Please can I solve that problem

Thanks Holger
Re: Apply signature to X509 certificate
On 5/10/2013 5:37 AM, Cristian Thiago Moecke wrote:

> You have two ways to follow.
>
> 1) To use an HSM to sign, the official way to do it is to use an openssl engine. If your HSM does not provide an openssl engine, it probably does provide a PKCS#11 module, and you can use the pkcs11 engine to load it and use it.

There's no engine and no PKCS#11.

> 2) In some situations that is not possible (e.g. you need it to be signed on a different remote system). And I just had the same need this week, but for Certificate Requests. There are a lot of small non-documented things to do in this case but basically you need to:
>
> a) get the der encoded value of tbsCertificate field
> b) hash it
> c) apply pkcs1 padding and sign it
> d) put the signature on asn1 form
> e) add NIDs and other parameters to the cert_info field you identified.
>
> I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.
>
> If you can, go for option 1). If not I may help you more later with 2)

Yes, your flow is the same as mine. I'm looking for advice on the C function calls. Specifically,

Is X509_digest() useful for a) and b)?

Is there a high level call for d) and e) or must I do it using the ASN.1 API?

(My HSM does c) and I know how to prepend the OID.)
Re: Apply signature to X509 certificate
On 5/10/2013 6:17 AM, Krzysztof Konopko wrote:

> This could also be handled by some sort of engine that would work in two modes:
>
> * generate an intermediate result (hash) that can be processed (signed)

I'm looking for advice on how to do that.

> at the remote site (how to get it there securely is another issue)

We solved the secure (specifically authenticated and authorized) transport years ago.

> * apply processed result (signature) to the remaining part of the signing process

Is there a high level API call to do that?
Re: Apply signature to X509 certificate
>> 2) In some situations that is not possible (e.g. you need it to be signed on a different remote system). And I just had the same need this week, but for Certificate Requests. There are a lot of small non-documented things to do in this case but basically you need to:
>>
>> a) get the der encoded value of tbsCertificate field
>> b) hash it
>> c) apply pkcs1 padding and sign it
>> d) put the signature on asn1 form
>> e) add NIDs and other parameters to the cert_info field you identified.
>>
>> I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.
>>
>> If you can, go for option 1). If not I may help you more later with 2)
>
> Yes, your flow is the same as mine. I'm looking for advice on the C function calls. Specifically,
>
> Is X509_digest() useful for a) and b)?

I don't think so. I'm almost sure that this function will digest the full certificate (aka certificate fingerprint). Must check...

I used the following function for X509_REQ. Hope it helps you to find what you need for X509.

    i2d_X509_REQ_INFO(x509req->req_info, NULL); // note http://www.openssl.org/support/faq.html#PROG3 when using this function

> Is there a high level call for d) and e) or must I do it using the ASN.1 API?

For that I've used:

    ASN1_BIT_STRING_set(x509req->signature, signatureByteArray, signatureSize);
    x509req->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
    x509req->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
    x509req->sig_alg->algorithm = OBJ_nid2obj(nid);
    x509req->sig_alg->parameter = ASN1_TYPE_new(); // works for RSA... if you need ECDSA, need to check this
    x509req->sig_alg->parameter->type = V_ASN1_NULL;

Hope that helps.

> (My HSM does c) and I know how to prepend the OID.)

--
Cristian Thiago Moecke
Re: Apply signature to X509 certificate
On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:

>> a) get the der encoded value of tbsCertificate field
>> b) hash it
>> c) apply pkcs1 padding and sign it
>> d) put the signature on asn1 form
>> e) add NIDs and other parameters to the cert_info field you identified.
>>
>> I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.
>>
>> If you can, go for option 1). If not I may help you more later with 2)
>
> Yes, your flow is the same as mine. I'm looking for advice on the C function calls. Specifically,
>
> Is X509_digest() useful for a) and b)?

No. It is used to obtain digests of fully-formed certificates, including the existing signature, when signing a certificate, one signs only the parts that exclude the signature algorithm information and the signature bits. If you look at X509_digest() it is a simple wrapper around ASN1_item_digest:

    int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
                    unsigned int *len)
    {
        return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
    }

If you look at X509_sign(), it wraps ASN1_item_sign():

    int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
    {
        x->cert_info->enc.modified = 1;
        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
                              x->sig_alg, x->signature, x->cert_info,pkey,md));
    }

The thing to notice is that ASN.1 representation structure in the second case is for X509_CINF, not X509. The former excludes the signature part of the certificate. So my guess for extracting a signature to be signed is that you want:

    X509 *cert;
    EVP_MD *mdalg = EVP_get_digestbyname("sha1"); /* or whatever */
    unsigned char mdbuf[EVP_MAX_MD_SIZE];
    unsigned int mdlen;

    cert = ...;
    ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), mdalg, cert, mdbuf, &mdlen);

this should place the requisite digest in mdbuf. Then ASN1_item_sign() needs to deal with padding, etc., which is signature algorithm dependent.

> Is there a high level call for d) and e) or must I do it using the ASN.1 API?

An in memory X509 certificate is:

    struct x509_st
    {
        X509_CINF *cert_info;
        X509_ALGOR *sig_alg;
        ASN1_BIT_STRING *signature;
        ...
    }

Just update the sig_alg and signature freeing old values and replacing with new and set x->cert_info->enc.modified = 1. The signature update code in ASN1_item_sign_ctx looks like:

    if (signature->data != NULL)
        OPENSSL_free(signature->data);
    signature->data = mdbuf;
    signature->length = mdlen;

    /* Make sure that the bit string has a 'not-used bits' value of 0 */
    signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
    signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;

So all you need to figure out is how to set the sig_alg...

--
Viktor.
Self-signed certificates and keyUsage extension
Must non-CA, self-signed certificates have the keyCertSign bit set in the keyUsage extension to be valid? If I don't have the bit set and execute the following command:

    openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem

I get the following error:

    error 20 at 0 depth lookup:unable to get local issuer certificate

Maybe the right combination is to 1) set the keyCertSign bit in keyUsage and 2) set CA:FALSE in basicConstraints?

Thanks.
Re: Apply signature to X509 certificate
Cristian Thiago Moecke contato-pbw9x2wndctn3hn+mpyg4faujnlxr...@public.gmane.org writes:

> You have two ways to follow.
>
> 1) To use an HSM to sign, the official way to do it is to use an openssl engine. If your HSM does not provide an openssl engine, it probably does provide a PKCS#11 module, and you can use the pkcs11 engine to load it and use it.

As a slight simplification, you can create an RSA with your own RSA_ENGINE that uses your HSM. (You only need to provide signing, so this is relatively straightforward.) Then use that in the regular signing operation. (Similarly for DSA, EC_KEY, obviously, though IIRC the EC code is still in a private header.)

[...]
Re: RSA blinding active by default?
The answer to your question is yes, RSA blinding is turned on by default. To verify that blinding is turned on by default, run this test:

Run the following code after calling RSA_blinding_off(*RSA). Then, comment out RSA_blinding_off() and run it again. The output from this test verifies that RSA blinding is on by default.

    if (your_rsa_key->blinding == NULL){
        printf("RSA blinding is off.\n");
    }

--
View this message in context: http://openssl.6102.n7.nabble.com/RSA-blinding-active-by-default-tp44768p45057.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
SSL_CTX_set{_preferred)_cipher_list?
What is the difference between SSL_CTX_SET_cipher_list and SSL_CTX_set_preferred_cipher_list? When and why would I use the preferred version? I promise to turn any answers I got into a POD manpage for future inclusion :)

And why is there an SSL_set_cipher_list function, but the (misnamed?) SSL_set_pref_cipher is a #define'd synonym?

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Remove SSLv2 via #ifdef
Would there be any interest (and support) from the dev team for patches that completely remove SSLv2 API's?

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: Remove SSLv2 via #ifdef
On Fri, May 10, 2013, Salz, Rich wrote:

> Would there be any interest (and support) from the dev team for patches that completely remove SSLv2 API's?

What would the difference be between this and the no-ssl2 switch to Configure?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: SSL_CTX_set{_preferred)_cipher_list?
On Fri, May 10, 2013 at 01:00:21PM -0600, Salz, Rich wrote:

> What is the difference between SSL_CTX_SET_cipher_list and SSL_CTX_set_preferred_cipher_list?

Which version of OpenSSL has the preferred version? I don't see this in master.

> When and why would I use the preferred version? I promise to turn any answers I got into a POD manpage for future inclusion :)
>
> And why is there an SSL_set_cipher_list function, but the (misnamed?) SSL_set_pref_cipher is a #define'd synonym?

Is your OpenSSL patched by some distribution or with local patches?

--
Viktor.
RE: Apply signature to X509 certificate
> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Friday, 10 May, 2013 12:20

> On Fri, May 10, 2013 at 11:26:35AM -0400, Ken Goldman wrote:
>
>>> a) get the der encoded value of tbsCertificate field
>>> b) hash it
>>> c) apply pkcs1 padding and sign it
>>> d) put the signature on asn1 form
>>> e) add NIDs and other parameters to the cert_info field you identified.

The 'signature' (really X509_ALGOR aka AlgorithmIdentifier) *within* cert_info (which is tbsCertificate) must be set before 'a' is done. It contains one OID (typically but not necessarily derived from NID) and syntactically can contain parameters but I don't see why it ever would. (AlgId for a key does depending on alg, AlgId for using a key doesn't need to.)

After 'd' combine cert_info-aka-TBS + (copy of) AlgId + signature (in BITSTRING). (More below.)

>>> I spent a lot of time learning from forums and openssl code (X509_REQ_sign and functions it calls in my case) what I need to do.
>>>
>>> If you can, go for option 1). If not I may help you more later with 2)
>>
>> Yes, your flow is the same as mine. I'm looking for advice on the C function calls. Specifically,
>>
>> Is X509_digest() useful for a) and b)?
>
> No. It is used to obtain digests of fully-formed certificates, including the existing signature, when signing a certificate, one signs only the parts that exclude the signature algorithm information and the signature bits. If you look at X509_digest() it is a simple wrapper around ASN1_item_digest:

<snip>

Right. The hash of the complete cert is often used as a fingerprint for display to a human, as a (overwhelmingly) unique and quickly distinguishable identifier of a cert.

> If you look at X509_sign(), it wraps ASN1_item_sign():
>
>     int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
>     {
>         x->cert_info->enc.modified = 1;
>         return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
>                               x->sig_alg, x->signature, x->cert_info,pkey,md));
>     }
>
> The thing to notice is that ASN.1 representation structure in the second case is for X509_CINF, not X509. The former excludes the signature part

and the data encoded (as X509_CINF) is x->cert_info.

> of the certificate. So my guess for extracting a signature to be signed is that you want:
>
>     X509 *cert;
>     EVP_MD *mdalg = EVP_get_digestbyname("sha1"); /* or whatever */
>     unsigned char mdbuf[EVP_MAX_MD_SIZE];
>     unsigned int mdlen;
>
>     cert = ...;
>     ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), mdalg, cert, mdbuf, &mdlen);

Data should be cert->cert_info as above.

> this should place the requisite digest in mdbuf. Then ASN1_item_sign() needs to deal with padding, etc., which is signature algorithm dependent.

It lets EVP_DigestSign* deal with padding and signing algorithm. OP needs an equivalent using his HSM.

>> Is there a high level call for d) and e) or must I do it using the ASN.1 API?
>
> An in memory X509 certificate is:
>
>     struct x509_st
>     {
>         X509_CINF *cert_info;
>         X509_ALGOR *sig_alg;
>         ASN1_BIT_STRING *signature;
>         ...
>     }
>
> Just update the sig_alg and signature freeing old values and replacing with new and set x->cert_info->enc.modified = 1.

If there are old values; it sounded to me like OP was constructing a new cert from scratch. In that case I think you also don't need enc.modified, but maybe better safe than sorry.

> The signature update code in ASN1_item_sign_ctx looks like:
>
>     if (signature->data != NULL)
>         OPENSSL_free(signature->data);
>     signature->data = mdbuf;
>     signature->length = mdlen;
>
>     /* Make sure that the bit string has a 'not-used bits' value of 0 */
>     signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
>     signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;

Almost, but you've mixed tabs and spaces in a way that makes the indentation misleading.

> So all you need to figure out is how to set the sig_alg...

As above all you really need is the OID; _item_sign_ctx shows how to do the parameter but in practice it's NULL or omitted.
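The flow discussed in this thread (steps a, b, d and e, with the HSM doing c), worked at the DER byte level in Python as an added example that is not part of the thread and not OpenSSL code. It goes beyond the OpenSSL 1.0.1 structures quoted above by showing the encoding they produce; SHA-256 with RSA is assumed, and the function names, the truncated sample tbsCertificate and the placeholder signature bytes are constructed for illustration.

```python
import hashlib
# AlgorithmIdentifier: sha256WithRSAEncryption (1.2.840.113549.1.1.11), NULL parameters
ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
# DigestInfo header for SHA-256 (RFC 8017); the 32-byte digest follows it
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def tlv(tag, value):
    """DER-encode one element (long length form from 128 bytes up)."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def read(buf, off=0):
    """Return (tag, content_start, end) for the DER element at buf[off]."""
    tag, length, start = buf[off], buf[off + 1], off + 2
    if length & 0x80:               # long form: low 7 bits = size of the length
        start += length & 0x7F
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def inner_algid(tbs):
    """The AlgorithmIdentifier inside tbsCertificate, right after serialNumber."""
    _, pos, _ = read(tbs)
    tag, _, nxt = read(tbs, pos)
    if tag == 0xA0:                 # optional [0] EXPLICIT version
        pos = nxt
    pos = read(tbs, pos)[2]         # skip serialNumber
    return tbs[pos:read(tbs, pos)[2]]

def digest_info(tbs):
    """Steps a) and b): hash the DER tbsCertificate; the HSM pads and signs this."""
    return DIGESTINFO_SHA256 + hashlib.sha256(tbs).digest()

def assemble(tbs, signature):
    """Steps d) and e): Certificate ::= SEQUENCE { tbs, algid, BIT STRING }."""
    if inner_algid(tbs) != ALGID:   # set before hashing; must equal the outer copy
        raise ValueError("inner and outer AlgorithmIdentifier differ")
    return tlv(0x30, tbs + ALGID + tlv(0x03, b"\x00" + signature))  # 0 unused bits

def split(cert):
    """Inverse of assemble(): (tbs, algid, signature) from a DER certificate."""
    _, pos, end = read(cert)
    parts = []
    while pos < end:
        nxt = read(cert, pos)[2]
        parts, pos = parts + [cert[pos:nxt]], nxt
    tbs, algid, bits = parts
    _, start, stop = read(bits)
    if bits[0] != 0x03 or bits[start] != 0:
        raise ValueError("signature is not a BIT STRING with 0 unused bits")
    return tbs, algid, bits[start + 1:stop]

# Constructed sample: a truncated tbsCertificate (version, serial, algid, empty issuer)
SAMPLE_TBS = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALGID + b"\x30\x00")
FAKE_SIGNATURE = bytes(range(256))  # placeholder for the HSM's 2048-bit RSA output
if __name__ == "__main__":
    print("DigestInfo for the HSM:", digest_info(SAMPLE_TBS).hex())
```

The check in `assemble()` enforces the point made in the last reply: the AlgorithmIdentifier inside tbsCertificate is part of what gets hashed, so it has to be in place, and identical to the outer copy, before the digest goes to the HSM.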
Definition of OBJ_bsearch_pmeth()
Hello

I can see a call to OBJ_bsearch_pmeth() in openssl source. But I could not find the definition of OBJ_bsearch_pmeth(). I grepped the entire source. Can somebody help me to find the definition?

    ./openssl-1.0.1d/crypto/evp/pmeth_lib.c:ret = OBJ_bsearch_pmeth(t, standard_methods,