Re: openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x
Thank you so much for the response Jakob.

Yes I agree with you about the connection succeeded and later rejected on credentials part. The same worked from all the RHEL Version below 7 so I was thinking it might be an issue at OS level. Based on your suggestion, I feel that the issue is with the Exchange Server. Please double confirm.

Thanks and Regards
Chandu

On Sat, May 11, 2019, 3:02 PM Jakob Bohm via openssl-users <openssl-users@openssl.org> wrote:

> Your transcript below seems to show a successful connection to Microsoft's
> cloud mail, then Microsoft rejecting the password and closing the
> connection.
>
> You are not connecting to your own Exchange server, but to a central
> Microsoft service that also handles their consumer mail accounts
> (hotmail.com, live.com, outlook.com etc.). This service load balances
> connections between many servers which can give different results for
> each try.
>
> On 10/05/2019 17:01, Chandu Gangireddy wrote:
> > Dear OpenSSL Users,
> >
> > At my corporate environment, I'm experiencing a challenge to use openssl
> > s_client utility. I really appreciate if someone can help me narrow
> > down the issue.
> >
> > Here are the details -
> >
> > Platform: RHEL 7.x
> > *Openssl version:*
> > OpenSSL 1.0.2k-fips 26 Jan 2017
> > built on: reproducible build, date unspecified
> > platform: linux-x86_64
> > options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
> > idea(int) blowfish(idx)
> > compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB
> > -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
> > -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
> > -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
> > -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
> > -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> > -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> > -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> > -DGHASH_ASM -DECP_NISTZ256_ASM
> > OPENSSLDIR: "/etc/pki/tls"
> > engines: rdrand dynamic
> >
> > Command tried to test the connectivity between my Linux client server
> > to remote office 365 exchange server using POP3 port -
> >
> > $ openssl s_client -crlf -connect outlook.office365.com:995
> > ...
> > ...
> > subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
> > issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA256
> > Server Temp Key: ECDH, P-256, 256 bits
> > ---
> > SSL handshake has read 3952 bytes and written 415 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher: ECDHE-RSA-AES256-GCM-SHA384
> > Session-ID: 072FFFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79
> > Session-ID-ctx:
> > Master-Key: DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1557500061
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> > +OK The Microsoft Exchange POP3 service is ready. [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
> > *USER netco...@cox.com*
> > *+OK*
> > *PASS *
> > *-ERR Logon failure: unknown user name or bad password.*
> > *quit*
> > *+OK Microsoft Exchange Server POP3 server signing off.*
> > *read:errno=0*
> >
> > Operating System:
> > Red Hat Enterprise Linux Server release 7.2 (Maipo)
> >
> > When I did the same from a different server, it worked as expected.
> > Following are the two differences which I noticed between a working
> > server and non-working server.
> >
> > *Working server details:*
> > 1. Red Hat Enterprise Linux Server release 6.9 (Santiago)
> > 2. openssl version
> > OpenSSL 1.0.1e-fips 11 Feb 2013
> > built on: Mon Jan 30 07:47:24 EST 2017
> > platform: linu
openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x
Dear OpenSSL Users,

At my corporate environment, I'm experiencing a challenge to use openssl s_client utility. I really appreciate if someone can help me narrow down the issue.

Here are the details -

Platform: RHEL 7.x

*Openssl version:*

    OpenSSL 1.0.2k-fips 26 Jan 2017
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/etc/pki/tls"
    engines: rdrand dynamic

Command tried to test the connectivity between my Linux client server to remote office 365 exchange server using POP3 port -

    $ openssl s_client -crlf -connect outlook.office365.com:995
    ...
    ...
    subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3952 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher: ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 072FFFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79
    Session-ID-ctx:
    Master-Key: DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1557500061
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    +OK The Microsoft Exchange POP3 service is ready. [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
    *USER netco...@cox.com*
    *+OK*
    *PASS *
    *-ERR Logon failure: unknown user name or bad password.*
    *quit*
    *+OK Microsoft Exchange Server POP3 server signing off.*
    *read:errno=0*

Operating System:
Red Hat Enterprise Linux Server release 7.2 (Maipo)

When I did the same from a different server, it worked as expected. Following are the two differences which I noticed between a working server and non-working server.

*Working server details:*

1. Red Hat Enterprise Linux Server release 6.9 (Santiago)
2. openssl version

    OpenSSL 1.0.1e-fips 11 Feb 2013
    built on: Mon Jan 30 07:47:24 EST 2017
    platform: linux-x86_64
    options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/etc/pki/tls"
    engines: dynamic

Please let me know if you need any further details from my end.

Thanks, in advance.
Chandu
Re: How to add Postal code to a certificate request
Hi,

I was able to add the postal code. But there is some problem with the Short Name. What should be given for the short name? I have given ZIP and also tried with PC. With the above values in the request, generation of certificate request is fine. But when trying to enroll for a certificate in isakmp-test.ssh.fi site, it is failing. But when I put the Short name as OID.2.5.4.17 it accepted.

What is the correct Short name and Long name for the postal code?

Regards
Suram

----- Original Message -----
From: Joern Sierwald [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 02, 2002 3:51 PM
Subject: Re: How to add Postal code to a certificate request

At 15:25 02.04.2002 +0530, you wrote:
> Hi,
> I have a doubt regarding the addition of postal code or PIN code or ZIP code to the certificate request. How to add Postal code to a certificate request. I tried to search for an NID for the postal code but couldn't find one. What is the way to add the postal code to a certificate request??
> Regards
> Suram

Put it in an OID 2.5.4.17, postal code.
The postal code should also go into line 5 of the postal address, OID 2.5.4.16.

Line 1  object's RDN
Line 2  Street address or PO box
Line 3  no default value
Line 4  Physical Delivery Office Name, State or province name
Line 5  Postal Code
Line 6  Country Name (from the DN)

See Recommendation F.401
Use google to search for 2.5.4.17 postal code

Jörn

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
How to add Postal code to a certificate request
Hi,

I have a doubt regarding the addition of postal code or PIN code or ZIP code to the certificate request. How to add Postal code to a certificate request. I tried to search for an NID for the postal code but couldn't find one. What is the way to add the postal code to a certificate request??

Regards
Suram
Re: Doubt regarding Certificate's Public Key
Hi,

Thank you very much for the response. I accept with you. In the case of an OCSP Responder, this is possible. But can we imagine of a case where the end-entity (i.e., a user) gets two certificates from two different CA's for the same Public Key?? I would like to know what uses it may have.

Regards
Suram

----- Original Message -----
From: Rick Ziegler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 28, 2002 11:46 PM
Subject: Re: Doubt regarding Certificate's Public Key

One example where multiple certification is needed is an OCSP responder that responds for multiple CAs, and whose relying parties expect responses to indicate that the CA has delegated the authority to that responder. Because an OCSP response may only be signed by a single key, a response that includes information from multiple CAs must be signed by a key certified by each of those CAs. See the crude diagram below:

    OCSP request
      Issuer A, Serial 1?
      Issuer B, Serial 5?
    /OCSP request

    OCSP Response
      Issuer A, Serial 1 : GOOD
      Issuer B, Serial 5 : GOOD
      /signature/
      optional certs
        cert a
          Issuer : Issuer A
          Subject: This Responder
          Extended Key Usage: OCSP-Signing
        /cert a
        cert b
          Issuer : Issuer A
          Subject: This Responder
          Extended Key Usage: OCSP-Signing
        /cert b
      /optional certs

Hope that helps!

On Thu, 2002-03-28 at 08:40, Chandu wrote:
> Hi,
> I have a query regarding the Certificates public key. Is it possible according to PKI standards to get more than one certificate from different CA's for the same public key? I feel theoretically it is possible. But I do not know how practical it is. If this is possible can some one give the practical situation of where it can be used? If not why it should not be allowed. I would like to have some comments and feedback on this issue.
> Regards
> Suram

--
Richard Ziegler
Software Engineer / ClearCase Administrator
(617) 503-0442
CertCo, Inc.
Re: newbie question on OCSP
Hi,

OCSP stands for Online Certificate Status Protocol. This, as the name suggests, specifies a protocol to obtain the Status of a Certificate Online.

There can be many reasons for a certificate to become invalid even before its actual lifetime for which it was issued. These may be Key Compromise etc etc.. Each CA maintains a list of all the revoked certificates. That list is called as the Certificate Revocation List (CRL). Our aim is to obtain the status of a certificate ie Valid or Invalid. To be more technical Revoked or Not Revoked.

One method of knowing this is using the LDAP protocol. Using this protocol a user can download the CRL and check it with the Serial Number of the Certificate in Question. If the serial number is found, it means the Certificate is revoked else the user can assume that the Certificate is not revoked. This requires a lot of memory in your system as the CRL size keeps on increasing.

For that reason the OCSP protocol was born. This might be the author's intention in bringing up this protocol. There is a server called an OCSP responder. This server will maintain all the certificates that are revoked for a particular CA. (The CA may itself be an OCSP responder also). User constructs an OCSP request as per the protocol with all the details of the Certificate for which the revocation status has to be found. The responder will respond with the status of that certificate saying whether it is GOOD, REVOKED or UNKNOWN.

This is my understanding of the OCSP protocol. I hope this helps...

Regards
Suram

----- Original Message -----
From: Issac Goldstand [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 1:17 AM
Subject: newbie question on OCSP

Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff,..

Thanks in advance,
Issac
Doubt regarding PKCS#1 padding
Hi,

I am having a problem with PKCS#1 padding. I have implemented the SCEP protocol and trying to test with a free OpenSource SCEP implementation from www.othello.org. In that I am getting the following error

    rsa_routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100
    rsa_routines: RSA_EAY_PUBLIC_DECRYPT: padding check failed:rsa_eay.c:430.

The strange thing is that, this problem is not coming all the time. We generate a request and sign it with the private key. The server is trying to verify the signature. In that process it is failing. What could be the reason for the above failure?

Any help is highly appreciated.

Regards
Suram
Doubt regarding extracting the Extended Key usage attribute
Hi,

I am facing a problem regarding the extracting the Extended Key usage attribute. My requirement is to know if Extended Key Usage attribute Nid_OCSP_sign is present. I tried the following way

    X509 *pCert; /* The certificate */
    int iVal;

    iVal = X509_get_ext_by_NID(pCert, NID_OCSP_sign, -1);
    if (iVal >= 0)
        printf("Extended Key Usage Attribute NID_OCSP_sign present");

Here I am getting iVal as -1 indicating that it is not present. But when I try to print the certificate using X509_print(), I can see this extension present. Is there anything wrong with the code I am using? I request you to help me in finding the bug.

Awaiting your valuable response...

Regards
Suram
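
Added example (not part of the original post, and not OpenSSL code): a minimal DER walk over a constructed extensions block, showing why looking up the OCSPSigning OID as an extension identifier returns -1 while the same OID is present as a purpose inside the extKeyUsage (2.5.29.37) extension value. The names tlv_read, find_extension, eku_has_purpose and SAMPLE_EXTS are hypothetical; with OpenSSL the corresponding lookup is X509_get_ext_d2i() with NID_ext_key_usage, followed by a scan of the returned EXTENDED_KEY_USAGE stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element: tag byte, pointer to its content, content length. */
typedef struct { unsigned char tag; const unsigned char *val; size_t len; } tlv_t;

static const unsigned char OID_EXT_KEY_USAGE[] = { 0x55, 0x1d, 0x25 };  /* 2.5.29.37 */
static const unsigned char OID_OCSP_SIGNING[] =                          /* 1.3.6.1.5.5.7.3.9 */
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09 };
static const unsigned char OID_SERVER_AUTH[] =                           /* 1.3.6.1.5.5.7.3.1 */
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };

/* Constructed sample: Extensions ::= SEQUENCE OF Extension, holding a critical
 * keyUsage (digitalSignature) and an extKeyUsage listing only OCSPSigning. */
static const unsigned char SAMPLE_EXTS[] = {
    0x30, 0x25,
    0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff,
                0x04, 0x04, 0x03, 0x02, 0x07, 0x80,
    0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25,
                0x04, 0x0c, 0x30, 0x0a,
                0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
};

/* Read one definite-length TLV from buf[0..n). Returns bytes consumed, 0 if malformed. */
static size_t tlv_read(const unsigned char *buf, size_t n, tlv_t *out)
{
    size_t len, hdr = 2, nlen, i;
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return 0;      /* multi-byte tags not handled */
    if (buf[1] < 0x80) {
        len = buf[1];                                    /* short form */
    } else {
        nlen = buf[1] & 0x7f;                            /* long form: nlen length bytes */
        if (nlen == 0 || nlen > sizeof(size_t) || n < 2 + nlen) return 0;
        for (len = 0, i = 0; i < nlen; i++) len = (len << 8) | buf[2 + i];
        hdr += nlen;
    }
    if (len > n - hdr) return 0;                         /* content runs past the buffer */
    out->tag = buf[0]; out->val = buf + hdr; out->len = len;
    return hdr + len;
}

static int oid_eq(const tlv_t *t, const unsigned char *oid, size_t oid_len)
{
    return t->tag == 0x06 && t->len == oid_len && memcmp(t->val, oid, oid_len) == 0;
}

/* Index of the extension whose extnID equals oid, or -1 if there is none (the
 * same contract as X509_get_ext_by_NID). On a hit, *value gets the extnValue. */
int find_extension(const unsigned char *exts, size_t n,
                   const unsigned char *oid, size_t oid_len, tlv_t *value)
{
    tlv_t seq, ext, id, item;
    size_t off, used, pos, m;
    int idx = 0;
    if (tlv_read(exts, n, &seq) == 0 || seq.tag != 0x30) return -1;
    for (off = 0; off < seq.len; off += used, idx++) {
        used = tlv_read(seq.val + off, seq.len - off, &ext);
        if (used == 0 || ext.tag != 0x30) return -1;
        pos = tlv_read(ext.val, ext.len, &id);
        if (pos == 0) return -1;
        if (!oid_eq(&id, oid, oid_len)) continue;
        m = tlv_read(ext.val + pos, ext.len - pos, &item);
        if (m != 0 && item.tag == 0x01) {                /* optional critical BOOLEAN */
            pos += m;
            m = tlv_read(ext.val + pos, ext.len - pos, &item);
        }
        if (m == 0 || item.tag != 0x04) return -1;       /* extnValue is an OCTET STRING */
        if (value) *value = item;
        return idx;
    }
    return -1;
}

/* 1 if the extKeyUsage extension is present and lists the given purpose OID. */
int eku_has_purpose(const unsigned char *exts, size_t n,
                    const unsigned char *purpose, size_t purpose_len)
{
    tlv_t octets, seq, oid;
    size_t off, used;
    if (find_extension(exts, n, OID_EXT_KEY_USAGE, sizeof OID_EXT_KEY_USAGE, &octets) < 0)
        return 0;
    if (tlv_read(octets.val, octets.len, &seq) == 0 || seq.tag != 0x30) return 0;
    for (off = 0; off < seq.len; off += used) {
        used = tlv_read(seq.val + off, seq.len - off, &oid);
        if (used == 0) return 0;
        if (oid_eq(&oid, purpose, purpose_len)) return 1;
    }
    return 0;
}

int main(void)
{
    size_t n = sizeof SAMPLE_EXTS;
    printf("OCSPSigning as an extension id: %d\n",
           find_extension(SAMPLE_EXTS, n, OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING, NULL));
    printf("extKeyUsage extension index:    %d\n",
           find_extension(SAMPLE_EXTS, n, OID_EXT_KEY_USAGE, sizeof OID_EXT_KEY_USAGE, NULL));
    printf("extKeyUsage lists OCSPSigning:  %d\n",
           eku_has_purpose(SAMPLE_EXTS, n, OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING));
    printf("extKeyUsage lists serverAuth:   %d\n",
           eku_has_purpose(SAMPLE_EXTS, n, OID_SERVER_AUTH, sizeof OID_SERVER_AUTH));
    return 0;
}
```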
Doubt regarding the OCSP Extensions
Hi all,

I have a doubt regarding the OCSP extensions. Do we have to send all the extensions (CRL References etc) in the request. I couldn't understand clearly from the RFC 2560 regarding it. Can some one help me to know what extensions are to be sent in the request and what extensions can be expected in the response without sending the corresponding extensions in the OCSP Request. Some one may please help me regarding the extensions so that I will be able to understand better the OCSP rfc.

Awaiting for your valuable responses.

Thanks in advance

Regards
Suram
Re: Encrypt Private Key
Hi,

I didn't understand the problem. You want to encrypt the Private key. With which key you want to encrypt and what encryption algorithm you would like to use. If you are using the DES encryption then the functions EVP_encrypt_init(), EVP_encrypt_update() and EVP_encrypt_final() functions.

That's the help I can do.

Regards
Chandu

----- Original Message -----
From: Ahmad Syukri [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2001 4:48 PM
Subject: Encrypt Private Key

Hi,

Someone... plz help me! Could you plz tell me how to use PKCS8_encrypt() function? I tried to encrypt private key, but don't know how. The only clue I know is by using this function. It doesn't work! Part of my code as below. Sorry to bother you all, but I don't have much time... HELP! HELP!

    X509_SIG *p8 = PKCS8_encrypt(pbe_nid, cipher, p8pass, strlen(p8pass), NULL, 0, iter, p8inf);
    PEM_write_bio_PKCS8(out, p8);

OUTPUT:
---
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Re: Re: doubt regarding X509_verify_cert
Hi all and Hello Dr. Henson,

please find attached files:

    cacert.pem - trusted certificate
    cakey.pem - trusted certificate's private key.
    selfcert.pem - certificate signed by the given trusted certificate.

The following is the output when we try to use openssl verify utility:

    $ openssl verify -CApath /usr/local/lib/openscep/ -CAfile cacert.pem -verbose -issuer_checks tmp.pem
    tmp.pem: /unstructuredName=3.com
    error 29 at 0 depth lookup:subject issuer mismatch
    /unstructuredName=3.com
    error 29 at 0 depth lookup:subject issuer mismatch
    /unstructuredName=3.com
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
    error 31 at 0 depth lookup:authority and issuer serial number mismatch
    /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
    error 31 at 0 depth lookup:authority and issuer serial number mismatch
    /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
    error 31 at 0 depth lookup:authority and issuer serial number mismatch
    /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
    error 31 at 0 depth lookup:authority and issuer serial number mismatch
    /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello
    error 2 at 1 depth lookup:unable to get issuer certificate

We could not make any progress with the OpenSSL verify utility as well. I request u to help us in this regard...

Awaiting your valuable Response

Regards
Suram

I have a doubt regarding the x509_verify_cert(). When we have a TRUSTED certificate with the authority-key-identifier extension, and when we are trying to verify a SELF certificate using the function X509_verify_cert(), the verification is failing.

Upon a deeper look into the function, the function is failing as follows... When we call the X509_verify_cert() with the CTX, before calling this function we are initializing the CTX->cert with the self-certificate, and we are adding the trusted-certificates in X509_STORE using the function X509_STORE_add_cert().

In the X509_verify_cert()

1. checks whether CTX->cert (self-certificate) is self-signed certificate or not by PUSHing the certificates into a chain.
2. It is looking for Trusted certificates whose subject name is same as the Issuer Name of CTX->cert (ie., self-certificate) and pushing the certificates into the chain in the CTX. Now we are checking the Trusted certificates are Self-signed or not by calling the function X509_check_issued( ).
3. We are passing the subject and issuer certificates the same Trusted Certificate. In this function we are checking the Serial Number of the Issuer certificate with the Serial number in the extension Authority Key Identifier of the Subject Certificate. Here we are facing problem. The problem is ASN1_INTEGER_cmp( ) is failing.

The QUESTION is whether the Serial Number in the Trusted Certificate should be SAME as the Serial Number in the Authority Key Identifier extension? If the two need not be the same then we feel that there is a bug in the X509_check_issued ( ) function as we are using it to verify whether the certificate is self-signed or not.

I would be thankful for any help regarding this question..

Regards
Suram

I've already responded to this in openssl-dev:

Does this fail with the OpenSSL verify utility? If so what is the failure reason? Also try it with the -issuer_checks command line option. If that doesn't help much then if you could send me the certificate(s) causing the trouble I'll investigate further.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

--
Rama Krishna Prasad Chunduru
Software engineer
Intoto Software(I) Pvt Ltd
Kharkhana
Secundrabad

Attachments: selfcert.pem cacert.pem cakey.pem
Re: Doubt regarding BER encode(specific question)
Hello Dr. Henson,

I would like to know how to BER encode the public key and put in the certificate request... As I understand from ur replies, it is difficult to do the above in the current release Openssl 0.9.6.. Is it possible to use some routines taken from 0.9.7 and use them with 0.9.6. If so can u help me in finding the correct functions from the library... If not please help me to do the same with 9.6..

Regards..
Suram

----- Original Message -----
From: Dr S N Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 04, 2001 12:28 AM
Subject: Re: Doubt regarding BER encode(specific question)

chandu wrote:
> Hello again Dr. Henson,
> Once again thank u very much but I am still worried with the function which u pointed to... I have gone through the code of X509_REQ_set_pubkey( ). As far as I understood the function, it stores the public key in DER format as it uses the function i2d_PublicKey( ). I need the public key to be stored in BER format... I need to find out some way to store the public key in BER encoding... I request u to help me further in this regard

DER is acceptable because a DER encoding is a special case of BER encoding.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Doubt regarding PKCS7_DataInit
Hi everybody,

I have a doubt regarding PKCS7_DataInit functions... I want to know the purpose of the functions PKCS7_DataInit, PKCS7_DataUpdate and PKCS7_DataFinal functions... and their application...

Any help is highly appreciated...

Regards
Suram
Doubt regarding BER encode
Hi everybody,

I have a doubt regarding BER encoding... I want to BER encode a piece of data. Can anyone help me with the functions that must be used to BER encode and decode...

Any help is highly appreciated...

Regards
Suram
Re: Doubt regarding BER encode(specific question)
Hello again Dr. Henson,

Once again thank u very much but I am still worried with the function which u pointed to... I have gone through the code of X509_REQ_set_pubkey( ). As far as I understood the function, it stores the public key in DER format as it uses the function i2d_PublicKey( ). I need the public key to be stored in BER format... I need to find out some way to store the public key in BER encoding... I request u to help me further in this regard

Regards
Suram

----- Original Message -----
From: Dr S N Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 03, 2001 11:07 PM
Subject: Re: Doubt regarding BER encode(specific question)

chandu wrote:
> Thank u Dr. Henson for the reply... My specific question is as follows... I want to set the public key in the certificate request (X509_REQ) structure. The draft for SCEP says that the public key has to be encoded to BER form and set it in the request... Can u help me in solving this puzzle of BER encoding and setting it to the request... If u can provide me with small piece of code to do the above task I will be very much grateful to u...

Well there's some code in the apps/req.c application in the function make_REQ(). Setting the public key in a PKCS#10 request is done with the function: X509_REQ_set_pubkey().

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Fw: How to add Key usage attribute...
Hi all,

I have a question regarding the adding of the Key usage attribute to the PKCS10 certificate request. I tried using the following code..

    ikeyUsageAttr = X509v3_KU_DIGITAL_SIGNATURE;
    iRetVal = X509_REQ_add1_attr_by_NID(preq, NID_key_usage, V_ASN1_INTEGER, (ikeyUsageAttr), 4);

When I try to print the request using X509_REQ_print, it is not printing the key usage attribute. It is giving "Unable to print the value of the attribute". In X509_REQ_print ( ) function, there is no option to print the value of attribute of either type V_ASN1_INTEGER or V_ASN1_BIT_STRING.

My question is whether I am following the correct way to add the Key usage attribute.. If not what is the correct way to add it. If Yes What is the way to check and print the value of the key usage attribute...

Any help regarding this is highly appreciated...

Regards
Suram
SCEP Server??
Hi all,

I am trying to implement the SCEP client protocol. I would like to test it against a known server. Can anyone help me where I can find a server with which I can test my client implementation.

Any directions and help is very much appreciated...

Regards
Suram
How to add authenticated attributes...
Hi all,

I have a question about adding the pkcs7 signed attributes to the PKCS7_SIGNER_INFO. I tried to add the transaction-id, messageType and senderNonce attributes using the function PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value). I need them to implement the SCEP protocol..

I couldn't figure out the 2nd parameter ie., nid. I couldn't find the corresponding nids in objects.h file. How to define new object identifiers and their nids. If some one can help me with a small example it will be highly appreciated.

Regards
Suram
How to add X509V3 extensions..
Hi all, I have one doubt regarding the X509 v3 extensions. How to add the X509 v3 extension attributes to the certificate request? Regards Suram