Can you be more specific about what your problem is? The cert appears
to be a self-signed cert.
The command openssl x509 -in test.pem -noout -text generates:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d2:4e:d0:af:62:63:da:1b
Signature
I have noticed this as well. I believe it operates correctly in the
0.9.9 snapshot.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Bugbee
Sent: February 13, 2008 8:41 PM
To: openssl-users@openssl.org
Subject: Re: ECC Self-Signed Certificate
Did you do
./config fips
And not other options? I think you might get errors like that if you
added the option shared, which is expressly prohibited in the user
guide.
Bill
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed snooper
openssl x509 -in cert_file_name -noout -text
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Aaron
Sent: April 18, 2008 10:35 AM
To: openssl-users@openssl.org
Subject: Openssl
What is the command please to view the entire contents of a
You haven't specified which version of OpenSSL you are using, but if it
is a reasonably current version from the 0.9.8 stream, then ECDH should
be there.
For test routines, look at the ec... source in the test directory, like
ecdhtest.c
Bill
From:
Raj: There are several ways this can be done depending on your
particular application requirements. I suggest you refer to Chapter 6
in NIST Special Publication 800-56A, Recommendation for Pair-Wise Key
Establishment Schemes. You can download it from here
Let's assume that the public key is in a pem encoded X509 file called
x.pem
// Access the file
FILE*fptr=NULL;
fptr = fopen( x.pem, r );
// Read in the certificate to an X509 structure
X509*cert_A=NULL;
cert_A = PEM_read_X509_AUX( fptr, NULL,
I add the flags no-md2 no-ripemd160 no-bf no-camellia no-cast no-idea
no-mdc2 no-rc5
Bill
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of vaibhav bindroo
Sent: May 8, 2008 1:17 AM
To: openssl-users@openssl.org
Subject: Re: Building OpenSSL
As the error message says, you are getting this because the private key
file (privkey.pem) does not exist (No such file).
If you want to use this form of the command you must first generate the
private key file.
If you want to do it all at once then a slightly different form of the
command is
I had a similar problem. I found I had to define my own macros for this
as they were not in the OpenSSL set.
#define PEM_write_DSAPublicKey(fp,x) \
PEM_ASN1_write((int (*)())i2d_DSAPublicKey,\
PEM_STRING_DSA_PUBLIC,fp,(char *)x,NULL,NULL,0,NULL,NULL)
#define
whats wrong with the above code?
Thanks a ton
On Fri, Jun 20, 2008 at 4:50 PM, Bill Colvin
[EMAIL PROTECTED] wrote:
I had a similar problem. I found I had to define my own macros for this
as they were not in the OpenSSL set.
#define PEM_write_DSAPublicKey(fp,x) \
PEM_ASN1_write((int
it for my
intended purposes. Let me know if you have any more comments.
Thanks alot for all the help...I can see some light at the end of the
tunnel now
On Fri, Jun 20, 2008 at 5:55 PM, Bill Colvin
[EMAIL PROTECTED] wrote:
Check your include statements. You might need either or both
Richard: I suggest you look at
http://openssl.hoxt.com/openssl-web/docs/apps/ciphers.html
and
http://www.openssl.org/docs/ssl/SSL_COMP_add_compression_method.html
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Hartmann
Sent: June 25,
Rabail: openssl-fips-1.1.1 is a 0.9.7 based version of openssl.
Therefore, you will be downgrading your 0.9.8b version if you choose to
do this.
Also, you should be using openssl-fips-1.1.2 now not openssl-fips-1.1.1
as it has fixed a minor problem with the earlier version. You may want
to
, but if i would install openssl-fips-1.1.2 , do i need
0.9.7m with it.
On Thu, Jun 26, 2008 at 5:00 PM, Bill Colvin
[EMAIL PROTECTED] wrote:
Rabail: openssl-fips-1.1.1 is a 0.9.7 based version of openssl.
Therefore, you will be downgrading your 0.9.8b version if you choose to
do this.
Also, you
Pietro: OpenSSL seems to provide add, double, invert and multiply
routines for EC points. There does not seem to be an explicit routine
for subtract in the include files.
The book Implementing Eliptic Curve Cryptography by Michael Rosing has
routines esub and poly_esub for doing a subtraction
The Secure Programming Cookbook is still available at O'Reilly
http://oreilly.com/catalog/9780596003944/
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Travis
Sent: July 30, 2008 5:21 PM
To: OpenSSL Users
Subject: best book on openssl as crypto
If you are looking to export crypto from Canada then the rules are
common to all NATO countries and are set out in the Wassenaar
Arrangement http://www.wassenaar.org/controllists/index.html Crypto is
covered in Category 5 - Part 2.
You need to have an export permit or and export exemption in
With the AES Key Wrap algorithm, the wrapped key is 8 bytes longer than
the original plaintext key. By default a checkword of A6A6A6A6A6A6A6A6
is pre-pended to the original plaintext key. In the OpenSSL code, this
is referred to as the IV. The Checkword plus plaintext key is then
subjected to
The answer is in: data too large for key size
According to Secure Programming Cookbook, when using RSA PKCS #1 v1.5
padding you can only encrypt messages up to 11 bytes smaller than the
modulus size in bytes. If you are using RSA-1024, then that is
(1024/8)-11=117 bytes.
Bill
-Original
I suspect that the smaller one is using Certicom's patented point compression
representation of the public key.
Not sure on the signature part of your question.
Bill
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno VĂ©tel
Sent: October 9, 2008 4:35
From is filled with random data. It is not a zero terminated text
string, therefore, strlen(from) will probably be invalid.
Bill
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of chamara caldera
Sent: November 24, 2008 7:58 AM
To:
I suggest you carefully read the following function description paying close
attention to length.
DES_ncbc_encrypt() encrypts/decrypts using the cipher-block-chaining (CBC) mode
of DES. If the encrypt argument is non-zero, the routine cipher-block-chain
encrypts the cleartext data pointed to
From the FIPS 140-2 standard:
Security Level 2 enhances the physical security mechanisms of a Security
Level 1 cryptographic module by adding the requirement for
tamper-evidence, which includes the use of tamper-evident coatings or
seals or for pick-resistant locks on removable covers or doors
Why not take a look at destest.c in the test directory?
Bill
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Thor Catarius
Sent: May 3, 2009 10:01 AM
To: openssl-users@openssl.org
Subject: Looking for DES
Try:
export OPENSSL_FIPS=1
your command line
unset OPENSSL_FIPS
Bill
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Carl Anderson
Sent: May 8, 2009 8:39 AM
To: openssl-users@openssl.org
Subject: Re:
Doug: It is my understanding that the first byte of the public key is a flag
to indicate if the public key is compressed, uncompressed or hybrid:
-conv_form arg specifies the point conversion form
possible values: compressed
Dr. Stephen Henson wrote:
You need a recent 0.9.7 snapshot to use the 1.1.1 FIPS module, no
official
release supports it yet. There will be an official release real soon
now.
I have tried with openssl-0.9.7-stable-SNAP-20070223.tar.gz,
openssl-0.9.7-stable-SNAP-20070222.tar.gz and
Sorry for previous post. All worked fine with the shared term removed
from the config line using openssl-0.9.7m.
Steps I used are as follows:
cd /usr/src
tar -xvf openssl-fips-1.1.1.tar.gz
cd openssl-fips-1.1.1
./config fips
make
make install
cd ..
rm -rf openssl-fips-1.1.1
tar -xvf
Wei: Try just using just
./config fips --prefix=/opt/openssl-0.9.7m/
The shared optin causes the errors you were seeing.
Bill
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Kevin:
First OpenSSL has received FIPS certification (See Cert #733 at
http://csrc.nist.gov/cryptval/140-1/1401val2007.htm)
Second, if you require a version of OpenSSL that is FIPS capable, then you must
stick with the 0.9.7 stream. You must first build openssl-fips-1.1.1 according
to the
To add to the list:
openssl version
OpenSSL 0.9.7m-fips 23 Feb 2007
openssl prime 2
2 is not prime
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Nils Larsch wrote:
Bill Colvin wrote:
openssl version
OpenSSL 0.9.7m-fips 23 Feb 2007
openssl prime 2
2 is not prime
I've committed a patch [1] for this problem only in
openssl = 0.9.8
Nils
[1] http://cvs.openssl.org/chngview?cn=14780
Unfortunately the patch does not work
Ron: You need to determine why most of your object files are not being found,
for example /var/tmp/openssl-fips-1.1.1/crypto/aes/aes_cbc.o
It should exist after the make, but it would appear that it is not there when
you are doing the make install.
With regard to you question on SSH, it was
Ron: This may be a long shot, but have you tried it by leaving out the
make test step. It is not in the recommended steps for building the
FIPS version of OpenSSL in either the Security Policy or the User Guide.
I have always used:
./config fips
make
make install
Ron Maltz wrote:
It appears that the make install step is stripping off the directory
which each object file is in, thus they can't be located.
I don't think this is your issue. The for loop appears to be trying to
ensure that each of the .o files in the list is not in the libcrypto.a
Ron Maltz wrote:
BTW, when this is done, can I archive/tarup the /usr/local/ssl
directory
and copy it to another Sun server running the same h/w and OS version
and have it work properly?
/usr/local/ssl will definitely contain everything from your build of
openssl-fips-1.1.1.
Depending on the
Ron Maltz wrote:
I assume OpenSSH doesn't know about FIPS because there are no
configure
options to include if I compile it, thus the precompiled binary is
affected the same way (no FIPS configure options when it was
created).
Correct your OpenSSH will not operate in FIPS mode unless
Why not look in the test directory of the OpenSSL source? There are
lots of examples there.
Bill
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of imin macho
Sent: March 26, 2007 11:51 PM
To: openssl-users@openssl.org
Subject: sample code to
Add -nodes to your command line.
-Original Message-
hi everybody,
I did this command:
openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out
testreq.pem
to create a pair of private key (testkey.pem) and a request
certificate (testreq.pem).
I read in book Network
I think this is what you should be doing:
1) build openssl-fips-1.1.1
./config fips
make
make install
2) build openssl-0.9.7m
./config fips --with-fipslibdir=/usr/local/ssl/lib \
--openssldir=/etc/ssl --prefix=/usr zlib-dynamic \
Raymond: It is possible that the functions you are referring to may be
required to support RSA (key wrapping; key establishment) methodology as
described on page 19 of the Security Policy.
You also have to take into consideration that all algorithms are
supported in the code, but certain
I have not found this to be the case in a linux environment. You might
want to perform the following experiment:
Create a small text file and call it test1.pt, say something like:
01 The quick brown fox jumps over the lazy dog
02 The quick brown fox jumps over the lazy dog
03 The quick brown
Suggest you pick up a copy of Secure Programming Cookbook. It has
exactly what you are looking for in chapters 7.10 and 7.11.
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Martin Salo
Sent: August 30, 2007 7:37 AM
To: openssl-users@openssl.org
Martin: I couldn't get your code to compile. However, I could get this
to work:
#include openssl/rsa.h
#include stdio.h
int main() {
// Do some init:
RSA *oRsaKey = NULL;
int iLength=2048;
// Generate the key:
oRsaKey = RSA_generate_key(iLength, 65537, NULL, NULL);
// Write key to hard disk
Martin: The buffer that you give to the AES encrypt algorithm must be
evenly divisible by 16. Since data may be any size you add padding to
get to a 16 byte boundary. If your data happens to be evenly divisible
by 16, you add an extra 16 bytes (so that padding always exists). It is
common to
Marek: I suspect Markus is referring to ECIES (Elliptic Curve
Integrated Encryption Scheme) as specified in ANSI X9.63 and the IEEE
P1363a Draft.
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: September 19, 2007 7:35 AM
To:
You need to specify a cipher for encrypting your private key. Something
like:
openssl rsa -in nopassword.key -des3 -out password.key
You will be prompted for a passphrase.
-des3 could be replaced by -aes128, -aes192, or -aes256 if you want a
stronger cipher for encryption.
Bill
-Original
I have been doing some EC test code with the Sept. 5 snapshot and have
observed something that I find a little odd. So I thought I would
mention it so someone could take a look to see if it is a bug or what is
supposed to occur.
I have a PEM file with an EC private key.
I want to create an
Thanks for the explanation as to why this is occurring.
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: September 25, 2007 11:49 AM
To: openssl-users@openssl.org
Subject: Re: EC Oddity
Some of the newer functions in
I have OpenSSL-fips-1.1.1 and OpenSSL-0.9.7m built on a linux system
according to the guides.
Now consider the following simple test script:
#!/bin/bash
openssl aes-256-cbc -e -in a -out a.nofips -k 'abcdefghijk'
export OPENSSL_FIPS=1
openssl aes-256-cbc -e -in a -out a.fips -k
For a list of comparable key lengths for various algorithms, see Table 2
on page 63 of
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised
2_Mar08-2007.pdf
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent:
They relate to the type of elliptic curve.
P is for polynomial basis curves. Also sometime referred to as prime
modulus curves.
B is for normal basis curves
K is for Koblitz curves. These are special cases of normal basis curves
that are faster for some operations.
Bill
-Original
The following footnote is on page 23 of the
OpenSSL FIPS 140-2 User Guide
(http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf)
September 27, 2007
The OPENSSL_FIPS=1 environment variable will enable FIPS mode for an
openssl command built from a FIPS capable OpenSSL distribution.
You should probably investigate HMAC-SHA1
There is an example of the openssl command in Appendix C of
http://www.openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf
Bill
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vittorio Giovara
Sent: December 8, 2007
First, if you pasted your original code into the email, then you have
several typos.
Second, two of the lines generate warnings on compilation about
incompatible pointer types - these are significant. The lines are:
num_byte = BN_dec2bn(dh_struct-p,str_p);
num_byte =
I would suggest that you examine RFC 2631 (section 2.1.1) or Secure
Programming Cookbook by Viega Messier (Section 8.17) for information
on this topic.
Typically with DH, two parties (A and B) wish to compute a shared
secret. Each computes a private public key pair, exchange public keys
and
I would characterize the Certicom patents as falling into 3 main
categories:
1) patents relating to the use of ECC in very specific application
circumstances
This represents the bulk of Certicom patents. For these patents you will
have to do your own research as they are dependent on
To summarize ECDH_compute_key, you provide a pointer to one party's EC
public Key, a pointer to another party's EC private key, and a pointer
to a hashing routine and the function will compute a shared secret
value.
However, there is much more to key exchange than merely understanding
how to use
59 matches
Mail list logo
