Re: [openssl-users] Getting certificates from smartcards

2015-07-22 Thread Anirudh Raghunath
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO 
*err, const char *file, int format, const char *pass, ENGINE *e, const char 
*cert_descrip) function then? If yes, then can someone elaborate on how to use 
this function? Thanks.


 On Tuesday, 21 July 2015 10:56 PM, Anirudh Raghunath 
anirudhraghun...@rocketmail.com wrote:
   

 Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO 
*err, const char *file, int format, const char *pass, ENGINE *e, const char 
*cert_descrip) function then? If yes, then can someone elaborate on how to use 
this function? Thanks 


 On Tuesday, 21 July 2015 8:19 PM, Victor Wagner vi...@wagner.pp.ru wrote:
   

 On Tue, 21 Jul 2015 13:58:21 + (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Ah okay, that clears up quite a lot of doubts. But the certificate I
 want to load is a self signed certificate which has a private key
 attached to it. I used the XCA application to export the
 certificate-private key pair as a p12 file to the smart card. What
 should I do to get the certificate in this case? Thanks.
 

It doesn't matter how you've installed the certificate into the smart card.
Once it and its corresponding private key are installed on the card,
you can access them separately, using the PKCS#11 API (and the command-line
pkcs11-tool utility). So, you can extract just the certificate from the
certificate-private key pair and put it into a file (but typically
you cannot extract the private key; you can only use the PKCS#11 API or the
OpenSSL ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for).

If you have the OpenSC pkcs11 engine, you should also have pkcs11-tool from
the OpenSC project.

Use 

pkcs11-tool --module <your pkcs11 module> --list-objects

to find out which certificate-private key pairs are available on your
card (you probably already know the ID of your key pair, because you've used
ENGINE_load_private_key, and it requires the key id as an argument).

Then use

pkcs11-tool --module <your pkcs11 module> --read-object --id <id> \
  --type cert --output-file filename.der

to extract the certificate from the card. You can then convert it to PEM
format using

openssl x509 -in filename.der -inform DER -out filename.pem

or you can just use the function SSL_CTX_use_certificate_file, passing
SSL_FILETYPE_ASN1 as its type argument.

Personally I consider it ugly that one needs to extract the certificate from
the token before it can be used in openssl-based applications for any
purpose except SSL client authentication.

Function

int ENGINE_load_certificate(ENGINE *e, const char *key_id,
    UI_METHOD *ui_method, void *callback_data)

is clearly missing from the API.

The existence of such a function would allow smartcards and other
hardware tokens to be used

1. In the server applications
2. In the non-SSL (i.e. CMS signing) applications
3. For secondary protocols like OCSP or timestamping authority.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


   




Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Thanks for the quick response. I am currently working with smart cards and am
using the engine provided by OpenSC to access the private key in the smart
card. Long story short, I have the EVP_PKEY object with me. Can I use this to
sign a certificate or some file which can be used for SSL client verification?
Thanks


 On Wednesday, 22 July 2015 11:52 AM, Erwann Abalea 
erwann.aba...@opentrust.com wrote:
   

 Hello,
An X.509 certificate is:

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

What you produced with « openssl rsautl -sign » is the content of the
« signatureValue » element (not its BIT STRING structure, only the inner
content). What is missing is all the rest, and it can't be produced by the sole
« openssl x509 … » command.
Please refine your question.
Regards,
Erwann Abalea



On 22 Jul 2015 at 11:17, Anirudh Raghunath anirudhraghun...@rocketmail.com
wrote:
Hello,
I have used the rsautl -sign option to sign a text file, which gives me a binary
file. I would like to convert this to X509 so that I can use it in an SSL
handshake. I understand the command:
openssl x509 -inform format -in certfile -out cert.pem
is used. I want to know what the parameters would be for a binary input file.
Thanks in advance.






Re: [openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Thank you for the extremely elaborate answer. Now I understand the big picture.
I want to attach a file from the server side which can be collected in the
client program (the test), and I want to sign it and send it back. I have the
SSL server-client connection ready through socket and SSL code. I want to know
if there is a function to load the random file to the SSL_CTX object the way we
do with certificates. Thanks anyway for taking the time to answer my trivial
doubts :).


 On Wednesday, 22 July 2015 12:12 PM, Victor Wagner vi...@wagner.pp.ru 
wrote:
   

 On Wed, 22 Jul 2015 09:17:43 + (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Hello,
 I have used the rsautl -sign option to sign a text file, which gives me a
 binary file. I would like to convert this to X509 so that I can use
 it in an SSL handshake. I understand the command: openssl x509 -inform
 format -in certfile -out cert.pem is used. I want to know what
 the parameters would be for a binary input file. Thanks in advance.

Unfortunately a signed text file and a certificate are quite different
things.

Of course, a certificate is a signed electronic document. But it is a
document in a special binary format, which contains a public key and
information about the owner of the corresponding private key.

And typically it is not signed by you, it is signed by a Certificate
Authority (known to the server).

When you use a certificate (and the corresponding private key) during the SSL
handshake, it means that the server sends you something, you sign this
something using your private key and send the signature to the server along
with the certificate.

The server verifies the signature over the data which it remembers having
sent to you, using the public key contained in the certificate, and says:
OK, this guy really owns the private key corresponding to the public key in
this certificate. It also verifies the signature on the certificate using
known-beforehand and trusted CA certificates, to make sure that the public
key stored in the certificate really belongs to the person mentioned in the
certificate subject field.

So, if you sign some text file using your certificate, this signature
cannot be used in the SSL handshake in any way, because you've signed some
text file, not a challenge sent by the server during the SSL handshake.

This signature proves that you, the owner of the private key, have had
access to this text file (provided your private key is not compromised), but
there is no way to use this signature to prove that you are the one who
established the connection with the server. To prove so, you have to sign
something sent to you by the server, not some data known beforehand.

Really, the -sign option of this utility may produce some signed document
format such as PKCS#7 or CMS, which contains the signer's certificate.

For the same purpose which I've described above: if someone wants to verify
that you've signed this file, they should have your certificate, with your
public key and your name in it. The simplest way to ensure this is to
attach the certificate to the signed message. Then the recipient of the
message can validate the certificate extracted from the message against
known and trusted CAs, and then use it to verify the signature on the message.

If you want to use such a roundabout way to extract the certificate from the
card, it is possible, provided that your rsautl produces a standard signed
message format, i.e. PKCS#7.

Maybe

openssl pkcs7 -inform DER -in signedfile.bin -print_certs -out filename.pem

would do the trick and write the certificate of the one who signed the file
into filename.pem.

But this is not called "convert a signed file to X509 format", it is
called "extract an X509 certificate from a signed file".




[openssl-users] Sending files in SSL communication

2015-07-22 Thread Anirudh Raghunath
Hello all,
I have an SSL server-client connection set up which I have written in C using
sockets and OpenSSL. I understand that I can attach a certificate of the server
and send it to the client by attaching it to the SSL_CTX object. I used
SSL_CTX_use_certificate_file to do so. Now I can retrieve that certificate by
using the SSL_get_peer_certificate function on the client side. I also want to
send a test (say, a text file) from the server to the client for the client to
sign it and send it back. What function do I use to do so? Is it similar to the
way we attach certificates to the SSL_CTX? And how do I retrieve it on the
client side? Thanks in advance.


Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Anirudh Raghunath
But there is a way in which the server sends a test (for example a random
number) and the client signs it with his private key, right?


 On Wednesday, 22 July 2015 1:30 PM, Anirudh Raghunath 
anirudhraghun...@rocketmail.com wrote:
   

 But is there a way to send text files through SSL_write()? If so, can you 
please give a small example? Thanks. 


 On Wednesday, 22 July 2015 1:27 PM, Salz, Rich rs...@akamai.com wrote:
   

 What you want is application-specific, not part of the TLS protocol.  So you 
have to use SSL_read/SSL_write and pull the data out as needed.


   




Re: [openssl-users] Sending files in SSL communication

2015-07-22 Thread Anirudh Raghunath
But is there a way to send text files through SSL_write()? If so, can you 
please give a small example? Thanks. 


 On Wednesday, 22 July 2015 1:27 PM, Salz, Rich rs...@akamai.com wrote:
   

 What you want is application-specific, not part of the TLS protocol.  So you 
have to use SSL_read/SSL_write and pull the data out as needed.




[openssl-users] Converting Bin format to X509 format

2015-07-22 Thread Anirudh Raghunath
Hello,
I have used the rsautl -sign option to sign a text file, which gives me a binary
file. I would like to convert this to X509 so that I can use it in an SSL
handshake. I understand the command:
openssl x509 -inform format -in certfile -out cert.pem
is used. I want to know what the parameters would be for a binary input file.
Thanks in advance.


Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO 
*err, const char *file, int format, const char *pass, ENGINE *e, const char 
*cert_descrip) function then? If yes, then can someone elaborate on how to use 
this function? Thanks 


 On Tuesday, 21 July 2015 8:19 PM, Victor Wagner vi...@wagner.pp.ru wrote:
   

 On Tue, 21 Jul 2015 13:58:21 + (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Ah okay, that clears up quite a lot of doubts. But the certificate I
 want to load is a self signed certificate which has a private key
 attached to it. I used the XCA application to export the
 certificate-private key pair as a p12 file to the smart card. What
 should I do to get the certificate in this case? Thanks.
 

It doesn't matter how you've installed the certificate into the smart card.
Once it and its corresponding private key are installed on the card,
you can access them separately, using the PKCS#11 API (and the command-line
pkcs11-tool utility). So, you can extract just the certificate from the
certificate-private key pair and put it into a file (but typically
you cannot extract the private key; you can only use the PKCS#11 API or the
OpenSSL ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for).

If you have the OpenSC pkcs11 engine, you should also have pkcs11-tool from
the OpenSC project.

Use 

pkcs11-tool --module <your pkcs11 module> --list-objects

to find out which certificate-private key pairs are available on your
card (you probably already know the ID of your key pair, because you've used
ENGINE_load_private_key, and it requires the key id as an argument).

Then use

pkcs11-tool --module <your pkcs11 module> --read-object --id <id> \
  --type cert --output-file filename.der

to extract the certificate from the card. You can then convert it to PEM
format using

openssl x509 -in filename.der -inform DER -out filename.pem

or you can just use the function SSL_CTX_use_certificate_file, passing
SSL_FILETYPE_ASN1 as its type argument.

Personally I consider it ugly that one needs to extract the certificate from
the token before it can be used in openssl-based applications for any
purpose except SSL client authentication.

Function

int ENGINE_load_certificate(ENGINE *e, const char *key_id,
    UI_METHOD *ui_method, void *callback_data)

is clearly missing from the API.

The existence of such a function would allow smartcards and other
hardware tokens to be used

1. In the server applications
2. In the non-SSL (i.e. CMS signing) applications
3. For secondary protocols like OCSP or timestamping authority.




[openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Hello,
I would like to utilize the ENGINE_load_ssl_client_cert() function to load a 
certificate from my smart card. I have successfully loaded the engine and have 
also tried to play around with the ENGINE_load_private_key() function. It 
worked successfully and I was able to get the private key in an EVP_PKEY 
object. But I also want the certificate associated with it. I looked at the 
code of ENGINE_load_ssl_client_cert() but cannot understand the parameters 
passed to it. Can someone please guide me on how to use it and perhaps give a 
working example of the call to that function with the parameters clearly 
mentioned and explained? Thanks in advance. 



Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Ah okay, that clears up quite a lot of doubts. But the certificate I want to 
load is a self signed certificate which has a private key attached to it. I 
used the XCA application to export the certificate-private key pair as a p12 
file to the smart card. What should I do to get the certificate in this case? 
Thanks.

 


 On Tuesday, 21 July 2015 2:40 PM, Dr. Stephen Henson st...@openssl.org 
wrote:
   

 On Tue, Jul 21, 2015, Victor Wagner wrote:

 On Tue, 21 Jul 2015 06:58:24 + (UTC)
 Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:
 
 As far as I can understand, this function is designed to be called from
 the client certificate callback, set with the function
 SSL_CTX_set_client_cert_cb. This callback gets a pointer to the SSL structure
 (which should be passed to ENGINE_load_ssl_client_cert) and can use
 SSL_get_client_CA_list to obtain the list of CAs which the server would trust.
 (The SSL protocol allows sending this list to the client.)
 

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a client authentication ENGINE.

 So, you would pass to ENGINE_load_ssl_client_cert

 1. a reference to the engine to use
 2. a pointer to the SSL object of your client connection (don't know why it
 might be needed),

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.

 
 Unfortunately, I do not know any engine which does all the things above.
 I've looked into the source of the OpenSC pkcs11 engine version 0.1.8 and found
 out that it doesn't support this function.
 

The CryptoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org




[openssl-users] Loading pkcs11 engine opensc without using command line

2015-07-16 Thread Anirudh Raghunath
Hello, 

I want to write a program in which I can load a certificate from a smartcard
instead of having it in a file on the client machine. In order to do so I will
be using OpenSC's engine_pkcs11 module. The module works fine from the
shell but I want to implement it as an independent program. For example, if I
use the rsautl module then I can provide the -inkey option and -keyform option
to use the private key from the smartcard. Look at the snippet below:

    openssl rsautl -sign -in file -keyform engine -engine pkcs11 -inkey \
        slot_1-id_54a4c9bdaf3ff82b3367b586a6658c23 -out sig

In order to do so I have to load the engine first. I do that as follows:

    openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre 
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

which yields the result:


    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine


I want to do the same using C code in an independent program so that I can use
the

    static X509 *pkcs11_load_cert(ENGINE * e, const char *s_slot_cert_id)

function to get the certificate from the smart card.

So I tried to debug engine.c using the ddd debugger to understand exactly which
part of the code was required just to load the engine. In the same program I
want to use the OpenSC function to load the certificate directly from the
smartcard and then use it in further server-client communication.

Thanks in advance.