Openssl 1.0.1x build using VS 2012

[Pravesh Rai]

Hi,

Even though I'm successful in getting the OpenSSL build using VS 2012, but
getting following error message:

OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

while trying to 'load' libeay32.dll. The problem is solved, if we use
another libeay32.dll, which is built using VS 2005. Except for this, all
other development  usage environment is totally same.

Do anybody has any clue on this?

Thanks,
Pravesh

Is it Possible to revoke cert by Serial

[redpath]

Is it possible to revoke a cert by serial number?
I see all revoke commands you must have the cert?
I searched the form and this question is not answered.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Is-it-Possible-to-revoke-cert-by-Serial-tp46381.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Is it Possible to revoke cert by Serial

[Salz, Rich]

 Is it possible to revoke a cert by serial number?

Using the ca command?  The answer is no.

 I searched the form and this question is not answered.

Use the source, Luke :)

I can't see a good reason why the crl txt_db needs the subject name.  It should 
be reasonable to modify ca.c to take the serial# instead of the cert (and 
perhaps a dummy subjectDN)

/r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Is it Possible to revoke cert by Serial

[redpath]

Well what I was going to do is simply use the serial number for finding the
file int the newscerts directory
for the pem and issue the CA command with PEM. Since the backup of the
signed certs is in the newcerts directory.

I guess that would be appropriate. 



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Is-it-Possible-to-revoke-cert-by-Serial-tp46381p46383.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Add SubjAltName to openssl command line?

[Erich Weiler]

Hi Y'all,

I've RTFM'd a bunch on this and can't find a clear answer, so to the lists I
go...  ;)

I can now create a cert/key pair quickly as such:

# openssl req -newkey rsa:2048 -x509 -nodes -out test.pem -keyout test.pem
-days 3650

And after answering the questions, I get a certificate and key in the same
file.  All is well.  Basically I don't need my certs signed for what I'm
using them for, so no CA is required for my purpose here.

I was wondering if there was also a way to quickly create a certificate and
key file in a similar fashion while also designating SubjAltName options on
the openssl command line?  Something like this maybe?

openssl req -newkey rsa:2048 -x509 -nodes -out test.pem -keyout test.pem
-days 3650 -subjAlt DNS:foo.com, DNS:bar.com

or whatever.  I know the -subjAlt option doesn't exist, but maybe there is
something like it that I can invoke without having to configure a custom
openssl.cnf config file for every one of these I want to create?

Thanks in advance for any insight!!!

cheers,
erich



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Add-SubjAltName-to-openssl-command-line-tp46384.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

ECDSA_do_verify error?

[shixin]

 Hi, all:
I want to verify signature that the data are from NIST test vectors. 
But the result awalys error!
The source is as follow:
 #include stdio.h
#include string.h
#include openssl/ec.h
#include openssl/ecdsa.h
#include openssl/err.h
#include openssl/evp.h
#include openssl/obj_mac.h
#include openssl/bn.h

#pragma comment(lib, libeay32.lib)
#pragma comment(lib, ssleay32.lib)

int main(void)
{
int status = 0;
unsigned int digest_len = 0;
unsigned char digest[32] = {0};
char *message = This is only a test message. It is 48 bytes long;

EVP_MD_CTX md_ctx;
EC_KEY *pEccKey = NULL;
EC_GROUP *pEccGroup = NULL;
ECDSA_SIG *signature = NULL;
EC_POINT *pub_key = NULL;
BIGNUM *bn_priv_key = NULL;
BIGNUM *bn_x_key = NULL;
BIGNUM *bn_y_key = NULL;
BN_CTX *bn_ctx = NULL;

char *pub_key_x = NULL;
char *pub_key_y = NULL;
char *priv_key_ = NULL;
int pub_key_x_len = 0;
int pub_key_y_len = 0;
int priv_key_len = 0;

unsigned char msg[] = 
{\x60\xcd\x64\xb2\xcd\x2b\xe6\xc3\x38\x59\xb9\x48\x75\x12\x03\x61\xa2\x40\x85\xf3\x76\x5c\xb8\xb2\xbf\x11\xe0\x26\xfa\x9d\x88\x55\xdb\xe4\x35\xac\xf7\x88\x2e\x84\xf3\xc7\x85\x7f\x96\xe2\xba\xab\x4d\x9a\xfe\x45\x88\xe4\xa8\x2e\x17\xa7\x88\x27\xbf\xdb\x5d\xdb\xd1\xc2\x11\xfb\xc2\xe6\xd8\x84\xcd\xdd\x7c\xb9\xd9\x0d\x5b\xf4\xa7\x31\x1b\x83\xf3\x52\x50\x80\x33\x81\x2c\x77\x6a\x0e\x00\xc0\x03\xc7\xe0\xd6\x28\xe5\x07\x36\xc7\x51\x2d\xf0\xac\xfa\x9f\x23\x20\xbd\x10\x22\x29\xf4\x64\x95\xae\x6d\x08\x57\xcc\x45\x2a\x84};
unsigned char xx[] = 
{\x2d\x98\xea\x01\xf7\x54\xd3\x4b\xbc\x30\x03\xdf\x50\x50\x20\x0a\xbf\x44\x5e\xc7\x28\x55\x6d\x7e\xd7\xd5\xc5\x4c\x55\x55\x2b\x6d};
unsigned char yy[] = 
{\x9b\x52\x67\x27\x42\xd6\x37\xa3\x2a\xdd\x05\x6d\xfd\x6d\x87\x92\xf2\xa3\x3c\x2e\x69\xda\xfa\xbe\xa0\x9b\x96\x0b\xc6\x1e\x23\x0a};
unsigned char rr[] = 
{\x06\x10\x8e\x52\x5f\x84\x5d\x01\x55\xbf\x60\x19\x32\x22\xb3\x21\x9c\x98\xe3\xd4\x94\x24\xc2\xfb\x2a\x09\x87\xf8\x25\xc1\x79\x59};
unsigned char ss[] = 
{\x62\xb5\xcd\xd5\x91\xe5\xb5\x07\xe5\x60\x16\x7b\xa8\xf6\xf7\xcd\xa7\x46\x73\xeb\x31\x56\x80\xcb\x89\xcc\xbc\x4e\xec\x47\x7d\xce};

// openssl initialization
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
   
// hash message with sha256
EVP_MD_CTX_init(md_ctx);
EVP_DigestInit(md_ctx, EVP_sha256());
EVP_DigestUpdate(md_ctx, (const void *)msg, strlen(msg));
EVP_DigestFinal(md_ctx, digest, digest_len);
EVP_MD_CTX_cleanup(md_ctx);

pEccKey = EC_KEY_new();
if (NULL == pEccKey) {
printf(ECC_KEY_new, error: %s\n,
ERR_error_string(ERR_get_error(), NULL));
goto prog_end;
}

// output ECDSA key string
pEccKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (NULL == pEccKey) {
printf(EC_KEY_new_by_curve_name, error: %s\n,
ERR_error_string(ERR_get_error(), NULL));
goto prog_end;
}

bn_ctx = BN_CTX_new();
bn_x_key = BN_new();
bn_y_key = BN_new();
pub_key = EC_POINT_new(EC_KEY_get0_group(pEccKey));
signature = ECDSA_SIG_new();
//
bn_x_key = BN_bin2bn(xx, strlen(xx), bn_x_key);
bn_y_key = BN_bin2bn(yy, strlen(yy), bn_y_key);
EC_KEY_set_public_key_affine_coordinates(pEccKey, bn_x_key, bn_y_key);

//
signature-r = BN_bin2bn(rr, strlen(rr), signature-r);
signature-s = BN_bin2bn(ss, strlen(ss), signature-s);

/* check key */
if (!EC_KEY_check_key(pEccKey)) {
fprintf(stderr, EC_KEY_check_key failed.\n);
}

// verify the signature
status = ECDSA_do_verify(digest, digest_len, signature,pEccKey);
if (status != 1) {
printf(ECDSA_do_verify, error: %s\n,
ERR_error_string(ERR_get_error(), NULL));
goto prog_end;
} else {
printf(ECDSA verify successfully!\n);
}


prog_end:

// openssl cleanup
if (pEccKey) EC_KEY_free(pEccKey);
if (pEccGroup) EC_GROUP_free(pEccGroup);
if (signature) ECDSA_SIG_free(signature);

if (pub_key) EC_POINT_free(pub_key);
if (bn_x_key) BN_free(bn_x_key);
if (bn_y_key) BN_free(bn_y_key);

if (pub_key_x)  OPENSSL_free(pub_key_x);
if (pub_key_y) OPENSSL_free(pub_key_y);

CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);

return 0;
}

  But why? The Programdoes not seemwrong.
 Looking forward to yourreply~~~

Best Wishes!
ShiXin

RE: Add SubjAltName to openssl command line?

[Salz, Rich]

You can use the $ENV:xxx construct.  It's a bit of a hack, but you only need 
one config file and change the env var each time...

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Add SubjAltName to openssl command line?

[Viktor Dukhovni]

On Thu, Aug 29, 2013 at 04:38:17PM -0700, Erich Weiler wrote:

 I was wondering if there was also a way to quickly create a certificate and
 key file in a similar fashion while also designating SubjAltName options on
 the openssl command line?

The bash script below uses inline command file descriptors (command),
to dynamically construct an ephemeral openssl config file.

It is a bit rough, since e.g. any non-ecdsa algorithm is assumed
to be RSA, and the ECDSA curve is hard-coded, ...  Still you get
the idea.

The output file has correct permissions courtesy of mktemp(1).
Otherwise, you you need to tweak the umask, since openssl's -out
option does not disable world/group read on the output file even
when saving private keys.

-- 
Viktor.

#! /bin/bash

# usage: fqdn out.pem [pkeyalg]

case $3 in
ecdsa)
tmp=$(mktemp $2.XX)
openssl req -sha256 -new 2/dev/null \
 -config (printf [req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n \
   distinguished_name = dn \
   x509_extensions = exts \
   $(printf %s\n%s\n%s\n%s\n%s \
 basicConstraints= CA:false \
 extendedKeyUsage= serverAuth, clientAuth \
 subjectKeyIdentifier= hash \
 authorityKeyIdentifier  = keyid:always \
 subjectAltName=@alts) \
   DNS=$1) \
 -newkey param:(openssl ecparam -name prime256v1) \
   -keyout /dev/stdout -nodes \
 -x509 -set_serial 1 -days 0 -subj /  $tmp 
mv $tmp $2 ;;
*)  tmp=$(mktemp $2.XX)
openssl req -sha256 -new 2/dev/null \
 -config (printf [req]\n%s\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n \
   distinguished_name = dn \
   x509_extensions = exts \
   $(printf %s\n%s\n%s\n%s\n%s \
 basicConstraints= CA:false \
 extendedKeyUsage= serverAuth, clientAuth \
 subjectKeyIdentifier= hash \
 authorityKeyIdentifier  = keyid:always \
 subjectAltName=@alts) \
   DNS=$1) \
 -newkey rsa:2048 \
   -keyout /dev/stdout -nodes \
 -x509 -set_serial 1 -days 0 -subj /  $tmp 
mv $tmp $2 ;;
esac
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Openssl 1.0.1x build using VS 2012

[Pravesh Rai]

Hi,

Even though I'm successful in getting the OpenSSL build using VS 2012, but
getting following error message:

OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

while trying to 'load' libeay32.dll. The problem is solved, if we use
another libeay32.dll, which is built using VS 2005. Except for this, all
other development  usage environment is totally same.

Do anybody has any clue on this?

Thanks,
Pravesh