[openssl-users] OCSP Response Signed using RSASSA-PSS

2017-10-11 Thread Steven Madwin via openssl-users 


First, I know the caveat about ONLY use the OpenSSL OCSP Server for test
purposes. With that out of the way.

 

Is there any known plan on the horizon, when using the ocsp server, to allow
the OCSP response to be signed using the RSASSA-PSS signature algorithm? 

 

Thanks for any and all insight,
Steve Madwin

 

 

 




 

Steven Madwin

Software QA Engineer

Adobe Systems Incorporated

345 Park Avenue, MS-W15

San Jose, CA 95110-2704 USA

Phone:   408.536.4343

Fax: 408.536.6024

  steven.mad...@adobe.com

 

 



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OCSP Server -port

2017-11-09 Thread Steven Madwin via openssl-users 


Hi All,

 

Once upon a time in the 0.98 timeframe, when I first configured OpenSSL as a
test OCSP server, using the format -port  worked. This format however
stopped working when version 1.0 was released. After living inside Google
like Jeff Bridges in Tron, it came to light that the format needed to be
-port 0.0.0.0: at which point the OCSP server was resurrected. Now with
version 1.1 uses the v1.0 format it returns the message:

ocsp: Can't parse "0.0.0.0:" as an octal number

ocsp: Non-positive number "0.0.0.0:" for -port

ocsp: Use -help for summary.

error in ocsp

 

Falling back to the v0.98 format, that is going back to -port , allows
the server to start, and the message "Waiting for OCSP client
connections..." is displayed. The problem is, the client can't make the
connection and the OCSP process times out. This all leads up to the
question, has anyone been able to get version 1.1 to act as an OCSP server
using the -port option?

 

Thanks,

Steve

 

 




 

Steven Madwin

Software QA Engineer

Adobe Systems Incorporated

345 Park Avenue, MS-W15

San Jose, CA 95110-2704 USA

Phone:   408.536.4343

Fax: 408.536.6024

  steven.mad...@adobe.com

 

 



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] RSA-PSS Certificate

2017-10-26 Thread Steven Madwin via openssl-users 
Thanks. Now all I need to do is figure out what parameter to pass the req or
ca command to get the get the subject key info to accept the new algorithm.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jakob Bohm
Sent: Wednesday, October 25, 2017 6:49 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] RSA-PSS Certificate

On 26/10/2017 03:30, Steven Madwin via openssl-users wrote:
>
> Starting with the definition of the subjectPublicKeyInfo from RFC 
> 5280, Section 4.1 – Basic Certificate fields we see that the entry 
> contains two items:
>
> SubjectPublicKeyInfo ::= SEQUENCE {
>
> algorithm AlgorithmIdentifier,
>
> subjectPublicKey BIT STRING }
>
> In RFC 4055 - Additional Algorithms and Identifiers for RSA 
> Cryptography for use in the Internet X.509 Public Key Infrastructure 
> Certificate and Certificate Revocation List (CRL) Profile, Section 3 
> it states, “CAs that use the RSASSA-PSS algorithm for signing 
> certificates SHOULD include RSASSA-PSS-params in the 
> subjectPublicKeyInfo algorithm parameters in their own certificates.”
>
> This all leads to me wondering if anyone is aware if there is a plan 
> afoot to add the option of including the RSA-PSS params as a third 
> item in the Subject Public Key Info entry in a future version of OpenSSL?
>

In the X.509 standard, "AlgorithmIdentifier" is itself a structure (see for
example RFC5280 section 4.1.1.2).  The RSASSA-PSS-params is the second
element of that structure.  See RFC4055 section 6 for some (bad) examples of
AlgorithmIdentifier values, such as

rSASSA-PSS-SHA512-Identifier  AlgorithmIdentifier  ::=  {
   algorithm id-RSASSA-PSS,
   parameters rSSASSA-PSS-SHA512-params }

rSSASSA-PSS-SHA512-params RSASSA-PSS-params ::= {
   hashAlgorithm sha512Identifier,
   maskGenAlgorithm mgf1SHA512Identifier,
   saltLength 20,
   trailerField 1  }


-- Note: The saltLength should be 64, not 20, for
--    rSSASSA-PSS-SHA512-param, see RFC4055 section 3.1


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.wisemo.
com=02%7C01%7C%7C1c955d8fda014c805e2e08d51c13ca2d%7Cfa7b1b5a7b34438794a
ed2c178decee1%7C0%7C0%7C636445793698999630=izbl%2F1JP%2BpWj616mFxiNAaO
frEFAXrD6JIXjFw7L%2FdY%3D=0
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10 This public
discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmta.openssl
.org%2Fmailman%2Flistinfo%2Fopenssl-users=02%7C01%7C%7C1c955d8fda014c80
5e2e08d51c13ca2d%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C63644579369899
9630=rOOgAhtfdLrxpnua8Ncipz4poNQ6O8X%2FFQFID2API5c%3D=0


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] RSA-PSS Certificate

2017-10-25 Thread Steven Madwin via openssl-users 


Starting with the definition of the subjectPublicKeyInfo from RFC 5280,
Section 4.1 - Basic Certificate fields we see that the entry contains two
items:

 

SubjectPublicKeyInfo ::= SEQUENCE { 

algorithm AlgorithmIdentifier, 

subjectPublicKey BIT STRING }

 

In RFC 4055 - Additional Algorithms and Identifiers for RSA Cryptography for
use in the Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile, Section 3 it states, "CAs that
use the RSASSA-PSS algorithm for signing certificates SHOULD include
RSASSA-PSS-params in the subjectPublicKeyInfo algorithm parameters in their
own certificates." 

 

This all leads to me wondering if anyone is aware if there is a plan afoot
to add the option of including the RSA-PSS params as a third item in the
Subject Public Key Info entry in a future version of OpenSSL?

 

Thanks,

Steve

 

 

 




 

Steven Madwin

Software QA Engineer

Adobe Systems Incorporated

345 Park Avenue, MS-W15

San Jose, CA 95110-2704 USA

Phone:   408.536.4343

Fax: 408.536.6024

  steven.mad...@adobe.com

 

 



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] RSA-PSS Param File

2018-03-12 Thread Steven Madwin via openssl-users 


Hi All,

 

My ultimate goal is to generate an RSA-PSS key that will have the PSS
parameters in the subjectPublicKey section of the TBSCertificate. In order
to do that the first need is a paramfile. Here's the command being used to
to generate the parameter file:

 

OpenSSL> genpkey -genparam -paramfile .\pem\rsapssParams.pem -pkeyopt
rsa_keygen_bits:2048 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt
rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:120

 

But, it returns the error:

NB: options order may be important!  See the manual page.

error in genpkey

 

The genpkey man page says for the -genparam option, "If used this option
must precede any -algorithm, -paramfile or -pkeyopt options.

With regard to the -paramfile option it says, "If used this option must
precede any -pkeyopt options.

 

Thus, with -genparam first followed by the -paramfile option and capped off
with the -pkeyopt options it looks to me that the order is correct.

 

If anyone has any enlightenment for me I'd be eternally grateful. 

 

Thanks,

Steve

 

 




 

Steven Madwin

Software QA Engineer

Adobe Systems Incorporated

345 Park Avenue, MS-W15

San Jose, CA 95110-2704 USA

Phone:   408.536.4343

Fax: 408.536.6024

  steven.mad...@adobe.com

 

 



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

s_server configuration

2019-07-15 Thread Steven Madwin via openssl-users 


Hi All,

 

I’m trying to get an OCSP server operating in an SSL (really TLS1.2) 
environment. It works fine in the HTTP world, but I’m having issues with 
getting s_server to handle the communication in the Secure HTTPS world.

 

If anyone has any suggestions to get the connection to persist I’d be VERY 
appreciative!

 

This is what I’m seeing:

 

--- Using OpenSSL v1.1.1c to enable TLS on Port 8902 ---

 

C:\OpenSSL-Win64\bin>openssl  s_server -port 8902 -4 -certform PEM -cert 
"C:\OpenSSL-Win64\bin\PEM\test.cer" -cert_chain 
C:\OpenSSL-Win64\bin\PEM\DigiCertTrustChain.cer -keyform PEM -pass 
pass:password -key "C:\OpenSSL-Win64\bin\PEM\test_key.pem"  -status_verbose

 

Using default temp DH parameters

ACCEPT

 

cert_status: callback called

cert_status: AIA URL: http://ocsp.digicert.com

cert_status: Can't retrieve issuer certificate.

-BEGIN SSL SESSION PARAMETERS-

MFoCAQECAgMDBALAMAQABDBt6uS6sCfohxxHvmv7hPIXRbjKzDqNJqoCpymZR1qc

CpGHf1mBjQ5/B32R7/aXl8mhBgIEXS0L6KIEAgIcIKQGBAQBrQMCAQE=

-END SSL SESSION PARAMETERS-

Shared 
ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Signature Algorithms: 
RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Shared Signature Algorithms: 
RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Supported Elliptic Curve Point Formats: uncompressed

Supported Elliptic Groups: X25519:P-256:P-384

Shared Elliptic groups: X25519:P-256:P-384

---

No server certificate CA names sent

CIPHER is ECDHE-RSA-AES256-GCM-SHA384

Secure Renegotiation IS supported

POST / HTTP/1.1

Accept: */*

Content-Type: application/ocsp-request

Content-Length: 143

Character-Encoding: binary

User-Agent: PPKHandler

Host: gemma.adobe.com:8902

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: AAMC_adobe_0=REGION%7C9; s_nr=1562971576381-Repeat; 
adcloud={%22_les_v%22:%22y%2Cadobe.com%2C1564005807%22}; 
AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=-1303530583%7CMCAID%7C2D05BCDE05032D0E-40001185A003F0F0%7CMCMID%7C06088709957453939181689303953590820094%7CMCAAMLH-1563576332%7C9%7CMCAAMB-1563576332%7Cj8Odv6LonN4r3an7LhD3WZrU1bUpAkFkkiY1ncBR96t2PTI%7CMCOPTOUT-1562978727s%7CNONE%7CvVersion%7C3.3.0%7CMCIDTS%7C18072%7CMCSYNCSOP%7C411-18079%7CMCCIDH%7C1521286796;
 
mbox=PC#ddd404f9c1d0418ba9692aaf983e9e03.28_36#1626216329|session#7b3f3fbfb1504526acdb639358290766#1562973437;
 s_vi=[CS]v1|2D05BCDE05032D0E-40001185A003F0F0[CE]; 
_fbp=fb.1.1561413807767.1078876052

 

0
 +00­ +0[1]

  _  


  _  

ƒ°â█g┘⌐├Z<₧é╚ @ERROR

shutting down SSL

CONNECTION CLOSED

 

 




 

Steven Madwin

Software PKI Engineer

Adobe Inc.

345 Park Avenue, MS-W15

San Jose, CA 95110-2704 USA

Phone:   408.536.4343

Fax: 408.536.6024

  steven.mad...@adobe.com

 

 



smime.p7s
Description: S/MIME cryptographic signature