Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-29 Thread Blumenthal, Uri - 0553 - MITLL
Matt, 

*Thank you!* Crystal clear now. 

Semi-related question. Is RSA_NO_PADDING allowed for EVP signature? When I 
tried that (without using DigestSign of course), signing succeeded but 
verification always failed. Was that expected? Are there some special settings 
one needs to apply besides just setting the padding type?

Thanks!

Regards,
Uri

Sent from my iPhone

> On Apr 29, 2017, at 19:34, Matt Caswell  wrote:
> 
> 
> 
>> On 28/04/17 20:29, Blumenthal, Uri - 0553 - MITLL wrote:
>> I’m playing with RSA-PSS signatures, and stumbled upon a few problems. I
>> tried the OpenSSL manual pages, but still coming short of complete
>> understanding. :-)
>> 
>> 
>> 
>> This is how I initialize the contexts (error handlers removed for brevity):
>> 
>> 
>> 
>>  ctx = EVP_PKEY_CTX_new(privkey, NULL);
> 
> Don't do this. Just set ctx to NULL.
> 
>> 
>>  md_ctx = EVP_MD_CTX_create();
>> 
>>  const EVP_MD *md = EVP_sha256();
>> 
>>  rv = EVP_DigestInit_ex(md_ctx, md, NULL);
>> 
>>  rv = EVP_DigestSignInit(md_ctx, &ctx, md, NULL, privkey);
> 
> ctx gets "filled in" by the EVP_DigestSignInit call.
> 
>> 
>> 
>> 
>> First question: do I need EVP_DigestInit_ex() there?
> 
> No. It's unnecessary.
> 
>> 
>> 
>> 
>> Second question: do I have to specify hash-function (EVP_MD*) twice?
>> First when initializing EVP_MD_CTX, and second for EVP_DigestSignInit()?
>> 
> 
> No...don't call EVP_DigestInit_ex() at all.
> 
>> 
>> 
>> At the end I need to dispose of both ctx and md_ctx.
> 
> "ctx" is "owned" by md_ctx. Just free md_ctx and ctx also gets freed.
> 
> 
> Matt
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread John Lewis
I fought easypki for a week trying to figure out how to actually use a
Sub CA and couldn't find one. I'm not going to teach anyone not to use a
Sub CA because that would be malpractice in my opinion. 


On Sat, 2017-04-29 at 23:53 +0100, Alan Buxey wrote:
> https://github.com/google/easypki ,
> http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
> simple similar system when using OpenVPN years ago. It was (IMHO) very
> good but the powers that be decided that OpenVPN wasn't the way to go
> and so money was spent on an (inflexible and non-modifiable) closed
> source proprietary VPN solution instead :/
> 
> On 29 April 2017 at 21:01, John Lewis  wrote:
> > You misunderstand.
> >
> > I don't want a list of vetted root CAs. I just want a make-based wrapper
> > over the OpenSSL commands to make it easier to run a CA. There are a few
> > of them, but if there was one that is typically recommended instead, I
> > would use that one.
> >
> > On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> >> The short answer is "no".
> >>
> >>
> >> The long answer is, OpenSSL is not in the business of vetting trust
> >> roots.  Its business is ensuring that TLS-secured communications
> >> happen correctly when it is used.  If you want an 'endorsed' set of
> >> roots, you can find such from other projects (that have no relation to
> >> OpenSSL, and for which OpenSSL can take no responsibility).
> >>
> >>
> >> Since I'm not a member of the OpenSSL project, I can tell you that
> >> there is a set of root certificates, vetted by Mozilla, available as
> >> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
> >> cannot take any responsibility for that set of roots or any
> >> behavior/misbehavior of any of the CAs represented in that set.  I had
> >> also seen a script several years ago to convert Mozilla's format to
> >> OpenSSL format, but I have not needed to look into it and have thus
> >> lost the URL to that script since then.
> >>
> >>
> >> -Kyle H
> >>
> >>
> >> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis 
> >> wrote:
> >> I am looking for a CA makefile to use with an openvpn tutorial I am
> >> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
> >> endorsed by the OpenSSL project?
> >>
> >
> >




Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-29 Thread Matt Caswell


On 28/04/17 20:29, Blumenthal, Uri - 0553 - MITLL wrote:
> I’m playing with RSA-PSS signatures, and stumbled upon a few problems. I
> tried the OpenSSL manual pages, but still coming short of complete
> understanding. :-)
> 
>  
> 
> This is how I initialize the contexts (error handlers removed for brevity):
> 
>  
> 
>   ctx = EVP_PKEY_CTX_new(privkey, NULL);

Don't do this. Just set ctx to NULL.

> 
>   md_ctx = EVP_MD_CTX_create();
> 
>   const EVP_MD *md = EVP_sha256();
> 
>   rv = EVP_DigestInit_ex(md_ctx, md, NULL);
>
>   rv = EVP_DigestSignInit(md_ctx, &ctx, md, NULL, privkey);

ctx gets "filled in" by the EVP_DigestSignInit call.

> 
>  
> 
> First question: do I need EVP_DigestInit_ex() there?

No. It's unnecessary.

> 
>  
> 
> Second question: do I have to specify hash-function (EVP_MD*) twice?
> First when initializing EVP_MD_CTX, and second for EVP_DigestSignInit()?
> 

No...don't call EVP_DigestInit_ex() at all.

>  
> 
> At the end I need to dispose of both ctx and md_ctx.

"ctx" is "owned" by md_ctx. Just free md_ctx and ctx also gets freed.


Matt


Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Alan Buxey
https://github.com/google/easypki ,
http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
simple similar system when using OpenVPN years ago. It was (IMHO) very
good but the powers that be decided that OpenVPN wasn't the way to go
and so money was spent on an (inflexible and non-modifiable) closed
source proprietary VPN solution instead :/

On 29 April 2017 at 21:01, John Lewis  wrote:
> You misunderstand.
>
> I don't want a list of vetted root CAs. I just want a make-based wrapper
> over the OpenSSL commands to make it easier to run a CA. There are a few
> of them, but if there was one that is typically recommended instead, I
> would use that one.
>
> On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
>> The short answer is "no".
>>
>>
>> The long answer is, OpenSSL is not in the business of vetting trust
>> roots.  Its business is ensuring that TLS-secured communications
>> happen correctly when it is used.  If you want an 'endorsed' set of
>> roots, you can find such from other projects (that have no relation to
>> OpenSSL, and for which OpenSSL can take no responsibility).
>>
>>
>> Since I'm not a member of the OpenSSL project, I can tell you that
>> there is a set of root certificates, vetted by Mozilla, available as
>> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
>> cannot take any responsibility for that set of roots or any
>> behavior/misbehavior of any of the CAs represented in that set.  I had
>> also seen a script several years ago to convert Mozilla's format to
>> OpenSSL format, but I have not needed to look into it and have thus
>> lost the URL to that script since then.
>>
>>
>> -Kyle H
>>
>>
>> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis 
>> wrote:
>> I am looking for a CA makefile to use with an openvpn tutorial I am
>> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
>> endorsed by the OpenSSL project?
>>
>
>


Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Salz, Rich via openssl-users
I can point you to https://github.com/richsalz/pki-webpage  But it is *not 
official* and may not work for what you want.


Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread John Lewis
You misunderstand. 

I don't want a list of vetted root CAs. I just want a make-based wrapper
over the OpenSSL commands to make it easier to run a CA. There are a few
of them, but if there was one that is typically recommended instead, I
would use that one.

On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> The short answer is "no".
> 
> 
> The long answer is, OpenSSL is not in the business of vetting trust
> roots.  Its business is ensuring that TLS-secured communications
> happen correctly when it is used.  If you want an 'endorsed' set of
> roots, you can find such from other projects (that have no relation to
> OpenSSL, and for which OpenSSL can take no responsibility).
> 
> 
> Since I'm not a member of the OpenSSL project, I can tell you that
> there is a set of root certificates, vetted by Mozilla, available as
> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
> cannot take any responsibility for that set of roots or any
> behavior/misbehavior of any of the CAs represented in that set.  I had
> also seen a script several years ago to convert Mozilla's format to
> OpenSSL format, but I have not needed to look into it and have thus
> lost the URL to that script since then.
> 
> 
> -Kyle H
> 
> 
> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis 
> wrote:
> I am looking for a CA makefile to use with an openvpn tutorial I am
> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
> endorsed by the OpenSSL project?
> 




Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Kyle Hamilton
The short answer is "no".

The long answer is, OpenSSL is not in the business of vetting trust roots.
Its business is ensuring that TLS-secured communications happen correctly
when it is used.  If you want an 'endorsed' set of roots, you can find such
from other projects (that have no relation to OpenSSL, and for which
OpenSSL can take no responsibility).

Since I'm not a member of the OpenSSL project, I can tell you that there is
a set of root certificates, vetted by Mozilla, available as part of
Mozilla's NSS (Network Security Services) project.  OpenSSL cannot take any
responsibility for that set of roots or any behavior/misbehavior of any of
the CAs represented in that set.  I had also seen a script several years
ago to convert Mozilla's format to OpenSSL format, but I have not needed to
look into it and have thus lost the URL to that script since then.

-Kyle H

On Sat, Apr 29, 2017 at 10:24 AM, John Lewis  wrote:

> I am looking for a CA makefile to use with an openvpn tutorial I am
> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
> endorsed by the OpenSSL project?
>


Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Salz, Rich via openssl-users
> I am looking for a CA makefile to use with an openvpn tutorial I am writing
> https://github.com/Oflameo/openvpn_ws. Is there one officially endorsed
> by the OpenSSL project?

If there were, it would be in the source distribution.


[openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread John Lewis
I am looking for a CA makefile to use with an openvpn tutorial I am
writing https://github.com/Oflameo/openvpn_ws. Is there one officially
endorsed by the OpenSSL project?
