Re: [openssl-users] RSA PSS Sigalgs for 1.1.0

2017-10-11 Thread Dr. Stephen Henson
On Wed, Oct 11, 2017, Wallboy wrote:

> 
> Browsers in the last year or so have added support for the the new TLS 1.3
> RSA-PSS Signature Algorithms (0x0804, 0x0805,...).
> 
> I see them added in 1.1.1 dev and they even work without TLS 1.3 enabled in
> the build. Is there any plan to add support for them to 1.1.0?
> 

No: it's a new feature and we don't add new features to stable branches.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Engine configuration

2017-10-02 Thread Dr. Stephen Henson
On Mon, Oct 02, 2017, Dmitry Belyavsky wrote:

> Hello,
> 
> I have a question regarding engine configuration.
> 
> We need to implement such behaviour:
> - on load the engine is configured with the commands from config file, but
> the values can be overwritten via environment

That part can be done with the config file syntax see config(5) 

> - application can change the engine's configuration via ENGINE_ctrl_string
> functions.
> 
> Is there any way to distinguish whether engine is configured via the config
> file or via direct calls to ENGINE_ctrl* functions?
> 

Not currently no: the config file calls the relevant control operations. 

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Missing EVP_PKEY method to set engine?

2017-10-01 Thread Dr. Stephen Henson
On Fri, Sep 29, 2017, Blumenthal, Uri - 0553 - MITLL wrote:

> Apologies in advance for cross-posting, but I'm not sure which of the 
> two mailing lists this belongs to.
> 
> A key (say, private key) is loaded from the pkcs11 engine via privkey = 
> ENGINE_load_private_key(engine, ); and this operation succeeds.
> 
> However the resulting key handle has its engine == NULL. I looked for a 
> method or a macro to explicitly set that value to the pointer to the engine 
> that this key is bound to, but couldn't find any. I define new methods such 
> as pkcs11_pkey_rsa_decrypt(), and  try to make OpenSSL aware of them via:
> 
> EVP_PKEY_METHOD *orig_pmeth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
> 
>    EVP_PKEY_METHOD *pmeth = EVP_PKEY_meth_new(EVP_PKEY_RSA, 
> EVP_PKEY_FLAG_AUTOARGLEN);
> 
>    EVP_PKEY_meth_copy(pmeth, orig_pmeth);
> 
>    EVP_PKEY_meth_get_decrypt(orig_pmeth, _init, );
> 
>    EVP_PKEY_meth_set_decrypt(pmeth, pdecr_init, pkcs11_pkey_rsa_decrypt);
> 

There doesn't seem to be any easy way to do that for an existing method. If
the ENGINE has its own ASN.1 method things become easier.

A workaround might be to create a copy of an existing ASN.1 method but I've
not tried that.

> 
> In ENGINE_set_pkey_meths(engine, pkey_meths) what should pkey_meths() 
> actually be? Is it documented? 
> 
>  

Not currently, but it's similar to the cipher/digest functions but handles
EVP_PKEY_METHOD instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Integrating New Cipher Suite

2017-10-01 Thread Dr. Stephen Henson
On Sun, Oct 01, 2017, Wallboy wrote:

> Hi,
> 
> I'm also interested in adding a few "pseudo" ciphersuites to OpenSSL.
> Notably the 16 GREASE ones Chrome currently uses (0x0A0A, 0x1A1A...0xFAFA).
> 
> I made similar changes to the files listed in this thread and compiled
> successfully (based on 1.1.0f). I see the new cipher when doing "openssl
> ciphers ALL:eNULL". 
> 
> However I had the same issue that when trying to include it using s_client,
> the ClientHello message did not actually send it:
> 
> openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A" -connect
> www.google.com:443 -servername www.google.com
> 
> ClientHello contained two ciphersuites. The first one listed and also the
> SCSV cipher
> 
> I then tried this:
> 
> openssl s_client -cipher "ECDHE-RSA-AES256-SHA:GREASE-0A0A:@SECLEVEL=0"
> -connect www.google.com:443 -servername www.google.com
> 
> Bingo! But the ClientHello now sends 4 Ciphersuites. The first one listed,
> followed by my GREASE pseudo cipher, then TLS_RSA_WITH_RC4_128_MD5, then the
> SCSV cipher.
> 
> I'm not sure why that RC4 cipher is sent. Although it probably has to do
> with the fact I structured that GREASE cipher after it:
> 
>  {
>  1,
>  SSL3_TXT_GREASE1,
>  SSL3_CK_GREASE1,
>  SSL_kRSA,
>  SSL_aRSA,
>  SSL_RC4,
>  SSL_MD5,
>  SSL3_VERSION, TLS1_2_VERSION,
>  0, 0,
>  SSL_NOT_DEFAULT | SSL_MEDIUM,
>  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
>  128,
>  128,
>  },
> 
> If I'm just trying to use it as a pseudo cipher for ClientHello messages,
> how should it look in the above struct? And how can I get it to send without
> specifying SECLEVEL=0?
> 

If you want to specify the ciphersuites in the cipher string then they need to
be part of the list of ciphers. However these wouldn't be normal ciphersuites:
they'd never be selected by a server for example. Giving them separate
definitions and handling does go against the requirements of GREASE draft
though.

Your problems are because you copied the definitions for that RC4 ciphersuite.
The fact it uses MD5 means it gets ruled out at anything other than security
level 0.

If you just want to include them in a client hello you can do something
similar to the scsv code which adds its own pseudo-ciphersuite. In particular
the code in ssl_cipher_list_to_bytes().

> Bonus Question: Is it possible to remove the SCSV cipher in the ClientHello?
> 

You can't remove it without making source changes. Again it's in the
ssl_cipher_list_to_bytes() function.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

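The following is an added illustration written for this digest, not code from the thread or from OpenSSL. It does in Python what the reply points at in ssl_cipher_list_to_bytes() (emit the negotiable suites, then append the SCSV pseudo-suite), lets a GREASE value be placed in the list the way Chrome does, and shows the server-side rule the GREASE draft imposes: a GREASE value is skipped, never selected. The suite numbers are the IANA ones; 0xC014 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, i.e. OpenSSL's ECDHE-RSA-AES256-SHA, and 0x00FF is TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

```python
"""GREASE values and the ClientHello cipher_suites vector (added example).

Illustrative Python written for this digest, not OpenSSL code. It mirrors in
outline what ssl_cipher_list_to_bytes() does (emit the negotiable suites, then
the renegotiation SCSV) but allows a GREASE value in the list, and it shows
the rule a server has to follow for such values: ignore them, never select
them. 0xC014 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA).
"""
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
ECDHE_RSA_AES256_SHA = 0xC014


def grease_values():
    """The 16 reserved GREASE cipher-suite values: 0x0A0A, 0x1A1A, ..., 0xFAFA."""
    return [((i << 4) | 0x0A) * 0x0101 for i in range(16)]


def is_grease(value):
    """True for any value of the form 0xXAXA (both bytes equal, low nibble 0xA)."""
    hi, lo = value >> 8, value & 0xFF
    return hi == lo and (lo & 0x0F) == 0x0A


def encode_cipher_suites(suites, grease=None):
    """Build a ClientHello cipher_suites vector: 2-byte length, then 2-byte suites.

    A GREASE value (if given) goes first, as Chrome sends it; the SCSV is
    appended last, which is what ssl_cipher_list_to_bytes() does on its own.
    """
    values = ([grease] if grease is not None else []) + list(suites)
    values.append(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(body)) + body


def parse_cipher_suites(data):
    """Parse a cipher_suites vector; returns (list of suites, trailing bytes)."""
    if len(data) < 2:
        raise ValueError("short cipher_suites vector")
    (n,) = struct.unpack("!H", data[:2])
    if n == 0 or n % 2 or len(data) < 2 + n:
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return suites, data[2 + n:]


def server_select(offered, supported):
    """Pick a suite in the server's preference order.

    GREASE values and the SCSV are pseudo-suites: a server that echoed one
    back in ServerHello would break the handshake, so they are never
    candidates even if they appear in both lists.
    """
    for s in supported:
        if s in offered and not is_grease(s) and s != TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
            return s
    return None
```

The encoded vector for `-cipher ECDHE-RSA-AES256-SHA` with a leading 0x0A0A is `00 06 0a 0a c0 14 00 ff`, which is the three-suite ClientHello the poster was trying to produce without a separate SSL_CIPHER table entry for the GREASE value.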

Re: [openssl-users] PKCS7 and RSA_verify

2017-09-27 Thread Dr. Stephen Henson
On Thu, Sep 28, 2017, ch wrote:

> Hello!
> 
> I am working on a tool for verifying SMIME-messages.
> Because cms and smime is only able to verify base64 pkcs7-signatures
> I try to do it "manually" and I now have a problem with the
> signing-timestamp.
> 

I'm not sure what you mean by "only able to verify base64 pkcs7-signatures"
it can handle PEM and DER forms too.

> Lets do an example:
> 
> openssl smime -sign -md sha1  -in plain.txt  -inkey mykey -signer
> mycert  -noattr  -outform der | openssl asn1parse -inform der
> 
> If I put plain.txt and the 128 byte signature (from asn1parse out of
> the pkcs7) into RSA_verify it works perfectly.
> Every call would produce the same signature-hexdump.
> 
> But if I remove the -noattr the signature-value will be different
> every second and then RSA_verify it not working anymore.
> 
> How can I handle this?
> 

When you don't use attributes the signature is performed over the content. If
you use attributes then the signature is over the encoding of a bunch of
attributes including a signing time and the digest of the content. Because the
signing time changes the data being signed in the attributes changes too.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

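To make the reply concrete, here is an added Python example, written for this digest rather than taken from OpenSSL, that builds the three signed attributes `openssl smime -sign` emits by default and shows what the RSA signature actually covers in each case. It uses only the standard library; the attribute OIDs are the PKCS#9 ones from RFC 5652 and the sample content and signing times are constructed.

```python
"""What an RSA signature covers in a PKCS#7/CMS SignedData (added example).

Written for this digest in pure Python; not OpenSSL code. With -noattr the
signature is over the content itself. With signed attributes it is over the
DER encoding of the attribute set, which carries the signing time and the
content digest, so a new signingTime gives new signature input every second.
The attribute OIDs are the PKCS#9 ones from RFC 5652.
"""
import hashlib

OID_DATA = "1.2.840.113549.1.7.1"            # id-data
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # pkcs-9 contentType
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"  # pkcs-9 messageDigest
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"    # pkcs-9 signingTime


def der_length(n):
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def oid(dotted):
    """DER OBJECT IDENTIFIER from dotted form (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def set_of(elements):
    """DER SET OF: members sorted by their encoding (X.690 11.6)."""
    return tlv(0x31, b"".join(sorted(elements)))


def attribute(type_oid, value):
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }."""
    return tlv(0x30, oid(type_oid) + set_of([value]))


def signed_attributes(content, signing_time_utc, md=hashlib.sha1):
    """The three attributes 'openssl smime -sign' adds unless -noattr is given.

    signing_time_utc is an ASN.1 UTCTime string such as "171001120000Z".
    The content digest uses the -md digest (sha1 in the thread's command).
    """
    attrs = [
        attribute(OID_CONTENT_TYPE, oid(OID_DATA)),
        attribute(OID_SIGNING_TIME, tlv(0x17, signing_time_utc.encode("ascii"))),
        attribute(OID_MESSAGE_DIGEST, tlv(0x04, md(content).digest())),
    ]
    return set_of(attrs)


def signature_input(content, signing_time_utc=None):
    """Bytes the signer actually signs (and a manual verifier must hash).

    Without attributes: the content. With attributes: the attribute set
    encoded as SET OF (tag 0x31), even though SignedData stores it with the
    IMPLICIT [0] tag (0xA0); forgetting to re-tag is the classic mistake.
    """
    if signing_time_utc is None:
        return content
    return signed_attributes(content, signing_time_utc)


def digest_for_rsa_verify(content, signing_time_utc=None, md=hashlib.sha1):
    """The digest to hand to RSA_verify() together with the signature bytes."""
    return md(signature_input(content, signing_time_utc)).digest()
```

A manual verifier therefore has to do two checks when attributes are present: compare the messageDigest attribute against its own hash of the content, and then run RSA_verify over the hash of the re-tagged attribute set, not over the content.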

Re: [openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Dr. Stephen Henson
On Fri, Sep 15, 2017, Anton Gerasimov wrote:

> So it turns out load_privkey() function of engine_pkcs11.so sets pub_key
> in the returned 'struct ec_key_st' to NULL. Is it a failure inside
> engine_pkcs11.so?
> 

Well sort of. OpenSSL requires that public key components are set for private
keys (except for a legacy RSA case).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Lost in STACK_OF again (porting M2Crypto to OpenSSL 1.1.* API)

2017-09-12 Thread Dr. Stephen Henson
On Tue, Sep 12, 2017, Matěj Cepl wrote:

> Hi,
> 
> I am working on porting M2Crypto to OpenSSL 1.1.* API (in branch
> https://gitlab.com/mcepl/m2crypto/commits/openssl-1.1.0 ) and I
> got lost in STACK_OF structures.
> 
> Simplified function I have troubles with is (the real stuff with
> all Python2/Python3 shims is https://is.gd/Nbq3Qp ; the similar problem
> is couple of lines below in the function get_der_encoding_stack).
> 
> #include 
> #include 
> #include 
> 
> #include 
> 
> typedef STACK_OF(X509) SEQ_CERT;
> 
> ASN1_ITEM_TEMPLATE(SEQ_CERT) =
> ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
>   SeqCert, X509)
> ASN1_ITEM_TEMPLATE_END(SEQ_CERT)
> 
> IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)
> 
> ...
> 
> STACK_OF(X509) *
>   make_stack_from_der_sequence(PyObject * pyEncodedString){
>   STACK_OF(X509) *certs;
>   Py_ssize_t encoded_string_len;
>   char *encoded_string;
> 
>   encoded_string_len = PyString_Size(pyEncodedString);
> 
>   if (encoded_string_len > INT_MAX) {
>   PyErr_SetString(PyExc_ValueError,
>   "object too large");
>   return NULL;
>   }
> 
>   encoded_string = PyString_AsString(pyEncodedString);
> 
>   if (!encoded_string) {
>   return NULL;
>   }
> 
>   certs = ASN1_seq_unpack(
>   (unsigned char *)encoded_string,
>   encoded_string_len,
>   d2i_X509, X509_free );
>   if (!certs) {
>   PyErr_SetString(_x509_err,
>   ERR_reason_error_string(
>   ERR_get_error()));
>   return NULL;
>   }
> 
>   return certs;
>   }
> 
> Obviously this fails to compile with these errors:
> 
> SWIG/_m2crypto_wrap.c: In function
> 'make_stack_from_der_sequence':
> SWIG/_m2crypto_wrap.c:8718:13: warning: implicit declaration of
> function 'ASN1_seq_unpack'; did you mean 'ASN1_item_unpack'? [-
> Wimplicit-function-declaration]
>  certs = ASN1_seq_unpack((unsigned char *)encoded_string,
> encoded_string_len, d2i_X509, X509_free );
>  ^~~
>  ASN1_item_unpack
> SWIG/_m2crypto_wrap.c:8718:11: warning: assignment makes pointer
> from integer without a cast [-Wint-conversion]
>  certs = ASN1_seq_unpack((unsigned char *)encoded_string,
> encoded_string_len, d2i_X509, X509_free );
>    ^
> Obviously I have missed something from STACK_OF API, but I cannot
> for the love of the world find what. Did truly *_seq_unpack
> functions got lost on the way to 1.1 API? If I have to do the
> unpacking "manually", how to do it?
> 
> How can I get STACK_OF(X509) from the string with DER
> certificate?
> 
> I was looking also to the discussion by Jim Carroll on
> https://goo.gl/ZUxQH8 but I have probably misunderstood
> something. I believe I do everything I am supposed to, but still
> there is something apparently missing.
> 

Yes *_seq_unpack() is no longer in 1.1. What happens is that code above it
generates a function d2i_SEQ_CERT() which does the same as ASN1_seq_unpack()
for a certificate.

So something like this should work:

const unsigned char *tmp = (unsigned char *)encoded_string;

...

certs = d2i_SEQ_CERT(NULL, &tmp, encoded_string_len);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-12 Thread Dr. Stephen Henson
On Mon, Sep 11, 2017, Robert Moskowitz wrote:

> 
> I would actually really like to have a SIMPLE OCSP responder.  But
> so far have not found one.  freeIPA has one buried within it, but
> that is too disruptive to install unless you buy into freeIPA.
> 

Well the OpenSSL ocsp responder isn't much use for that, it only handles one
request at a time, can't handle dynamic updates in the status information
(needs to be restarted), has pretty awful performance (reads status from a
text file which resides in memory) and you can't tell it which interface to
bind to either.

There is a way to deal with some of those issues by running the ocsp utility
from a CGI script in a web server. The script decodes the OCSP request, hands
it to the ocsp utility and sends back the response. The down side is the
performance is worse: the OCSP utility has to parse the text file and read it
into memory on every incoming request.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-08 Thread Dr. Stephen Henson
On Fri, Sep 08, 2017, Robert Moskowitz wrote:

> I am using the test responder:
> 
>openssl ocsp -port 2560 -text -rmd sha256\
>  -index index.txt \
>  -CA certs/ca-chain.cert.pem \
>  -rkey private/$ocspurl.key.pem \
>  -rsigner certs/$ocspurl.cert.pem \
>  -nrequest 1
> 
> 
> What is the SHA1 hash report about?  It comes right after the line:
> Certificate ID:
> 
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0
>   Issuer Key Hash: A3278D00B053BF259193A4833E669C451DAD36E0
>   Serial Number: 762900CAB55A4762

It's the hash algorithm used to hash the issuer name and key to identify them.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Dr. Stephen Henson
On Thu, Sep 07, 2017, Robert Moskowitz wrote:

> Good progress.  A few questions:
> 
> on 
> https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
> 
> The sample server test command is:
> 
> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>   -index intermediate/index.txt \
>   -CA intermediate/certs/ca-chain.cert.pem \
>   -rkey intermediate/private/ocsp.example.com.key.pem \
>   -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>   -nrequest 1
> 
> Turns out this is a wrong format for -port.  Only the portnum is
> allowed, not the host.  Turns out that
> 
> -port 2560
> 
> works as it seems to be listening on localhost.  But how DO you set
> up which address to listen on?  -host seems to be only for client
> mode, and I don't see how I would use -url.
> 

There is currently no option to do that.

> The -sha256 option results in the error:
> 
> ocsp: Digest must be before -cert or -serial
> ocsp: Use -help for summary.
> 
> I don't see either -cert or -serial in that command.  If I leave the
> hash out, it defaults to sha1.  How do I specify the hash?
> 

Do you mean the digest the response is signed with? Try the -rmd option if so.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dr. Stephen Henson
On Wed, Sep 06, 2017, Michael Wojcik wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> > Of Dr. Stephen Henson
> > Sent: Wednesday, September 06, 2017 10:26
> > 
> > No but there is a a round about way of achieving the same result. The
> > ASN1_TIME_diff() function will determine the difference between two
> > ASN1_TIME structures and return the result as a number of days and seconds.
> > 
> > So if you set one to the epoch time you can then calculate the time_t from
> > the difference.
> 
> That's almost certainly a much better approach than the one I described in my 
> previous email.
> 
> I assume ASN1_TIME_diff takes into account ASN.1 UTC Time versus Generalized 
> Time, and timezone information. Though it wouldn't be hard to have a few 
> different ASN1_TIME structures for the various permutations.
> 

Yes, ASN1_TIME corresponds to the ASN.1 Time structure, which is a choice of
UTCTime and GeneralizedTime; it acts in an appropriate way depending on the
type that has been passed in. Timezones should be handled properly, though
there was a recent bug fixed: timezones are only rarely encountered in
practice and not legal in many standards (e.g. RFC5280).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dr. Stephen Henson
On Wed, Sep 06, 2017, Dmitry Belyavsky wrote:

> Dear Matt,
> 
> On Wed, Sep 6, 2017 at 11:16 AM, Matt Caswell  wrote:
> 
> >
> >
> > On 06/09/17 09:12, Dmitry Belyavsky wrote:
> > > Hello,
> > >
> > > Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
> > > googling does not show good results.
> >
> > In master you can use ASN1_TIME_to_tm() which will give you a struct tm.
> > Not available in released versions yet though.
> >
> 
> Is it implementable via API in 1.0.2?
> 

No but there is a roundabout way of achieving the same result. The
ASN1_TIME_diff() function will determine the difference between two ASN1_TIME
structures and return the result as a number of days and seconds.

So if you set one to the epoch time you can then calculate the time_t from the
difference.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

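The roundabout method from the two ASN1_TIME replies above, carried through in an added Python example written for this digest (it is not OpenSSL code): express each ASN.1 time as days and seconds, take the difference the way ASN1_TIME_diff() reports it, and turn the difference from the Unix epoch into a time_t. It handles the UTCTime two-digit-year pivot, GeneralizedTime, and, for completeness, an explicit `+hhmm` offset, which the ASN.1 types allow even though RFC 5280 forbids it in certificates. The input strings are constructed.

```python
"""ASN1_TIME to time_t by differencing against the epoch (added example).

Pure-Python illustration written for this digest, not OpenSSL code. It
reproduces the roundabout method from the thread: express two ASN.1 times
as (days, seconds), take the difference the way ASN1_TIME_diff() reports it,
and convert the difference from the Unix epoch into a time_t. Handles both
UTCTime (two-digit year, RFC 5280 pivot: 00-49 -> 20xx, 50-99 -> 19xx) and
GeneralizedTime, plus an explicit +hhmm/-hhmm offset, which RFC 5280 forbids
in certificates but the ASN.1 types allow.
"""
import re

_TIME_RE = re.compile(r"^(\d{12}|\d{14})(?:\.\d+)?(Z|[+-]\d{4})$")


def days_from_civil(y, m, d):
    """Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm)."""
    y -= m <= 2
    era = (y if y >= 0 else y - 399) // 400
    yoe = y - era * 400
    doy = (153 * (m + (-3 if m > 2 else 9)) + 2) // 5 + d - 1
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
    return era * 146097 + doe - 719468


def parse_asn1_time(text):
    """UTCTime or GeneralizedTime string -> (days, seconds) since the epoch, in UTC."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError("not a UTCTime/GeneralizedTime: %r" % text)
    digits, zone = m.group(1), m.group(2)
    if len(digits) == 12:                       # UTCTime: YYMMDDHHMMSSZ
        yy = int(digits[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        rest = digits[2:]
    else:                                       # GeneralizedTime: YYYYMMDDHHMMSSZ
        year, rest = int(digits[:4]), digits[4:]
    month, day = int(rest[0:2]), int(rest[2:4])
    hh, mm, ss = int(rest[4:6]), int(rest[6:8]), int(rest[8:10])
    if not (1 <= month <= 12 and 1 <= day <= 31 and hh < 24 and mm < 60 and ss < 60):
        raise ValueError("field out of range: %r" % text)
    secs = hh * 3600 + mm * 60 + ss
    if zone != "Z":                             # normalise a local-offset time to UTC
        sign = 1 if zone[0] == "+" else -1
        secs -= sign * (int(zone[1:3]) * 3600 + int(zone[3:5]) * 60)
    days = days_from_civil(year, month, day)
    days, secs = days + secs // 86400, secs % 86400   # carry an offset across midnight
    return days, secs


def asn1_time_diff(from_text, to_text):
    """Like ASN1_TIME_diff(): (days, secs) with to = from + days*86400 + secs,
    both parts carrying the same sign and |secs| < 86400."""
    fd, fs = parse_asn1_time(from_text)
    td, ts = parse_asn1_time(to_text)
    total = (td - fd) * 86400 + (ts - fs)
    days = total // 86400 if total >= 0 else -((-total) // 86400)   # truncate toward zero
    return days, total - days * 86400


def asn1_time_to_time_t(text):
    """time_t of an ASN1_TIME string: its difference from 1970-01-01T00:00:00Z."""
    days, secs = asn1_time_diff("19700101000000Z", text)
    return days * 86400 + secs
```

In C the same thing is ASN1_TIME_set(epoch, 0) for the reference value, ASN1_TIME_diff(&days, &secs, epoch, t), then `(time_t)days * 86400 + secs`; the day and second parts come back with the same sign, so the multiplication and addition need no further sign handling.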

Re: [openssl-users] Testing OCSP with openssl

2017-09-05 Thread Dr. Stephen Henson
On Tue, Sep 05, 2017, Robert Moskowitz wrote:

> Jamie Nugyen's guide uses openssl to test OCSP with 'openssl ocsp':
> 
> https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
> 
> What is unclear here is:
> 
> Does openssl read the index.txt file once at startup, or does it
> read it with each query.  From the way I read his guide it reads
> like index.txt is only read at startup.
> 

Once on startup. The mini-responder is only a test utility.
It is not usable as a full blown responder.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] AES-CMAC digest with EVP

2017-08-31 Thread Dr. Stephen Henson
On Wed, Aug 30, 2017, Daniel Andrade wrote:

> Hello,
> 
> I have two buffers, one with a key and one with some data. The
> objective is to calculate the AES-CMAC of the data with this key. I
> managed to compute the AES-CMAC using type `EVP_aes_128_cbc()` with
> the low-level interface:
> 
> 1. CMAC_CTX *ctx = CMAC_CTX_new()
> 2. CMAC_Init
> 3. CMAC_Update
> 4. CMAC_Final
> 5. CMAC_CTX_free
> 
> Can this be done with the high-level EVP interface?
> 
> The EVP_DigestSign* set of functions expects a type EVP_MD, but
> EVP_aes_128_cbc() is of type EVP_CIPHER.
> 

Yes it is possible. One way is to create a new key using
EVP_PKEY_new_mac_key() with type EVP_PKEY_CMAC. You pass that key to
EVP_DigestSign*() with the digest set to NULL. You then have to set the cipher
to use with the EVP_PKEY_CTRL_CIPHER ctrl (unfortunately there is currently no
macro for this).

Then calling EVP_DigestSignUpdate() and EVP_DigestSignFinal() should work in
the usual way and produce the correct CMAC.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Not updating index.txt

2017-08-29 Thread Dr. Stephen Henson
On Tue, Aug 29, 2017, Robert Moskowitz wrote:

> I started out making certs from csrs with:
> 
> openssl ca -config $dir/openssl-intermediate.cnf -extensions
> usr_cert -days 375 -notext -md sha256 \
>   -in $dir/csr/$clientemail.csr.$format -out
> $dir/certs/$clientemail.cert.$format
> 
> And that worked well enough, but I found some limitations (DER) with
> it and switched to:
> 
> 
>openssl x509 -req -days 375 -extfile $dir/openssl-intermediate.cnf\
>-extensions usr_cert -sha256\
>-set_serial 0x$(openssl rand -hex $sn)\
>-inform $format -in $dir/csr/$clientemail.csr.$format\
>-outform $format -out $dir/certs/$clientemail.cert.$format\
>-CAkeyform $format -CAkey $dir/private/intermediate.key.$format\
>-CAform $format -CA $dir/certs/intermediate.cert.$format
> 
> I just noticed that this format does not update the index.txt file.
> Why?  What do I need to add so it does?
> 

Unlike ca, the index.txt file is not used by the x509 utility at all; it also
only uses the configuration file for extensions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Cant seem to get prompt no to work

2017-08-18 Thread Dr. Stephen Henson
On Thu, Aug 17, 2017, Robert Moskowitz wrote:

> In the [ ca ] section I have:
> 
> prompt   = no
> 
> If I leave the = out I get an error, so I am assuming I got the
> format of this right.
> 
> Then I have
> 
> [ req ]
> distinguished_name  = req_distinguished_name
> 
> [ req_distinguished_name ]
> countryName = $ENV::countryName
> stateOrProvinceName = $ENV::stateOrProvinceName
> 
> In a terminal window I run:
> 
> export countryName=US
> export stateOrProvinceName=MI
> 
> then
> 
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
>   -new -x509 -days 7300 -sha256 -extensions v3_ca -out
> certs/ca.cert.pem
> 
> 
> And I am still getting prompted for the DN fields:
> 
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -
> US []:
> 
> What did I miss?
> 

Since this is the req command try "prompt = no" in the req section.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Dr. Stephen Henson
On Fri, Aug 11, 2017, Robert Moskowitz wrote:

> 
> I would want the 'openssl req' command to prompt for hwType and
> hsSerialNum.  At least for now.
> 

Note that you can't get the 'openssl req' command to prompt for this but you
can generate the extension in an appropriate syntax: see my other message for
details.

You could prompt externally and pass the values as environment variables to
openssl req or construct the whole config file on the fly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] 802.1AR certificate generation and the config file

2017-08-11 Thread Dr. Stephen Henson
On Fri, Aug 11, 2017, Robert Moskowitz wrote:

> Frustrated...
> 
> On 08/11/2017 11:14 AM, Salz, Rich via openssl-users wrote:
> >>My challenge comes to subjectAltName and its subfield
> >>hardwareModuleName
> >>per RFC 4108.   I guess I am not 'getting' the subjectAltName section of
> >>'man x509v3_config'.
> >Not all forms of SAN names are supported.  If you look in 
> >include/openssl/x509v3.h you see the following:
> ># define GEN_OTHERNAME   0
> ># define GEN_EMAIL   1
> ># define GEN_DNS 2
> ># define GEN_X4003
> ># define GEN_DIRNAME 4
> ># define GEN_EDIPARTY5
> ># define GEN_URI 6
> ># define GEN_IPADD   7
> ># define GEN_RID 8
> 
> I just spent over an hour googling around as well as reading openssl
> docs to get a list of distinguished_name fields.  Both in their full
> form and abbreviated form.  All I fined are the common ones in
> examples.
> 
> And for the list above for SAN, how are they presented in the
> openssl cli/config.  Again, just not finding it.
> 
> My search foo is weak.
> 
> pointers greatly appreciated.
> 

You can use the mini-ASN.1 compiler with the otherName syntax. This will
create the extension in the appropriate form but you wont get it displayed.

In outline it's like this:


# Use id-on-hardwareModuleName OID with otherName
subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname

[hmodname]
hwType = OID:1.2.3.4 # Whatever OID you want.
hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex


Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Fixed-size digest using EVP with algos ECDSA+SHA256

2017-08-09 Thread Dr. Stephen Henson
On Mon, Aug 07, 2017, Daniel Andrade wrote:

> Hi all,
> 
> I'm writing functions to create a digest of a data buffer using
> ECDSA+SHA256. I've been trying to work with only the high-level EVP
> interface, and not use the low-level interfaces.
> 
> My understanding is that the resulting digest is an ASN.1 structure.
> I have to feed this digest to the Intel SGX runtime, which requires
> a fixed-size input (they actually have two separates arrays, one for
> X and one for Y, each with 32-byte length).
> 
> Is it possible to get a fixed-sized digest using ECDSA/SHA256, I
> mean does OpenSSL have functions for this? Or could someone give me
> some pointers on how to proceed to convert that result to the
> 64-byte fixed size?
> 

The size will depend on the curve in use: presumably it's P-256 to produce
64 bytes.

In outline you do this:

1. Decode the signature into an ECDSA_SIG structure using d2i_ECDSA_SIG.
2. Extract the two BIGNUM elements, r and s using ECDSA_SIG_get0().
3. Generate padded encodings for r and s using BN_bn2binpad() or
BN_bn2lebinpad() depending on the format required (big or little endian).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

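The three steps in the reply (d2i_ECDSA_SIG, ECDSA_SIG_get0, BN_bn2binpad or BN_bn2lebinpad), plus the reverse direction for feeding a raw 64-byte r||s signature back into OpenSSL, as an added Python example written for this digest rather than taken from OpenSSL. The decoder is deliberately strict DER: a non-minimal length or INTEGER encoding is rejected instead of tolerated, which is what a verifier wants if signature malleability matters to it. The sample signature is constructed, with r chosen so that its DER INTEGER needs a leading zero byte and s short enough to need padding.

```python
"""ECDSA DER signature <-> fixed-size (r, s) arrays (added example).

Pure-Python illustration written for this digest, not OpenSSL code. It does
what the three steps in the reply describe (d2i_ECDSA_SIG, ECDSA_SIG_get0,
BN_bn2binpad/BN_bn2lebinpad) and the reverse for handing a 64-byte r||s
signature back to OpenSSL. Decoding is strict DER: a non-minimal length or
INTEGER is rejected rather than tolerated. The sample signature is constructed.
"""


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")   # DER forbids it
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _read_uint(buf, pos):
    tag, v, pos = _read_tlv(buf, pos)
    if tag != 0x02 or not v:
        raise ValueError("expected INTEGER")
    if v[0] & 0x80:
        raise ValueError("negative INTEGER in signature")
    if len(v) > 1 and v[0] == 0 and not (v[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(v, "big"), pos


def decode_ecdsa_sig(der):
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } -> (r, s)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    r, pos = _read_uint(body, 0)
    s, pos = _read_uint(body, pos)
    if pos != len(body):
        raise ValueError("trailing data inside SEQUENCE")
    return r, s


def encode_ecdsa_sig(r, s):
    """(r, s) -> DER ECDSA-Sig-Value, as i2d_ECDSA_SIG would produce."""
    def uint(n):
        if n < 0:
            raise ValueError("negative")
        b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
        if b[0] & 0x80:
            b = b"\x00" + b                     # keep the INTEGER positive
        return b"\x02" + _der_length(len(b)) + b
    body = uint(r) + uint(s)
    return b"\x30" + _der_length(len(body)) + body


def der_to_fixed(der, nbytes=32, little_endian=False):
    """DER signature -> (r, s), each zero-padded to nbytes (32 for P-256)."""
    r, s = decode_ecdsa_sig(der)
    if max(r, s) >> (8 * nbytes):
        raise ValueError("value does not fit in %d bytes" % nbytes)
    order = "little" if little_endian else "big"
    return r.to_bytes(nbytes, order), s.to_bytes(nbytes, order)


def fixed_to_der(r_bytes, s_bytes, little_endian=False):
    """Fixed-size (r, s) arrays back to DER for OpenSSL's verify routines."""
    order = "little" if little_endian else "big"
    return encode_ecdsa_sig(int.from_bytes(r_bytes, order), int.from_bytes(s_bytes, order))


def is_strict_der_sig(der):
    """True only for a signature in canonical DER (what a strict verifier accepts)."""
    try:
        decode_ecdsa_sig(der)
        return True
    except ValueError:
        return False
```

The padding step is the one people get wrong: r and s are variable-length integers, so roughly one signature in 256 has a 31-byte r or s on P-256 and must be left-padded with zeros (big endian) or right-padded (little endian) to reach the fixed 32 bytes the SGX interface expects.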

Re: [openssl-users] shouldn't fipslink.pl include the fipscanister.lib in the link line?

2017-07-20 Thread Dr. Stephen Henson
On Thu, Jul 20, 2017, Sam Roberts wrote:

> 
> Most of the application is compiled with /MT, but openssl-fips-2.0.16
> is using /MD, could this be an issue? Can I/should I convince
> ms\do_fips to build against the multi-threaded runtime?
> 

Unfortunately you can't change that part of the build process in any way or
the result is no longer validated.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Extract content of DER-encoded package by OID

2017-07-20 Thread Dr. Stephen Henson
On Thu, Jul 20, 2017, Justin Mogannam wrote:

> Thanks for the tips thus far. One of the last issues I'm having is actually
> declaring a CMS_ContentInfo structure. I just declare :
> 
> CMS_ContentInfo cms;
> 
> Amd gcc tells me "error: storage size of 'cms' isn't known". This goes back
> to my question 1 of the previous email: is there a particular function call
> to use to construct a CMS_ContentInfo structure? Thanks! 
> 

In common with many structures CMS_ContentInfo is opaque so you can only
declare pointers to the structure not the structure itself.  The
d2i_CMS_ContentInfo() function will return a pointer to a CMS_ContentInfo
structure containing the contents of the parsed DER buffer. You can then use
that pointer in other CMS utility functions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Extract content of DER-encoded package by OID

2017-07-19 Thread Dr. Stephen Henson
On Wed, Jul 19, 2017, Justin Mogannam wrote:

> 
> 2) Once again, I'm looking in openssl/cms.h, and I could not find the
> function prototype " d2i_CMS_ContentInfo". I even did a grep on the whole
> directory. Is it located somewhere else? I have OpenSSL 1.0.1, which is
> after 0.9.8 when the function was added to OpenSSL. 
> 

See:

https://www.openssl.org/docs/faq.html#PROG13


> 3) In looking at the function prototype (via
> https://www.openssl.org/docs/man1.0.2/crypto/d2i_CMS_ContentInfo.html):
> CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char
> **pp, long length);
> I'm assuming **pp is just a pointer to the array with the DER-encoded
> certificate in it? I just want to make sure since some of the parameter
> names are a little ambiguous in OpenSSL. 
> 
> I'm assuming once I'm able to get the DER-encoded certificate in a CMS
> object, I can use the function you provided and the ones in cms.h to strip
> off "layers" of the certificate to get the encryptedKeyPackage that I want
> (which, of course as you mentioned, I'll be able to handle the rest from
> there). Thank you very much for your response, as it was very helpful, and I
> hope to get just as useful of a response back!
> 

I'm not sure what you mean by "certificate" here. The structure you mentioned
will be a CMS ContentInfo. 

Anyway see:

https://www.openssl.org/docs/faq.html#PROG3

for details about how to decode the DER form.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] shouldn't fipslink.pl include the fipscanister.lib in the link line?

2017-07-19 Thread Dr. Stephen Henson
On Wed, Jul 19, 2017, Sam Roberts wrote:

> 
> Note that the lib names used in the node gyp build of openssl vary a
> bit from the perl/ms makefile build.
> 
> Anyhow, still the same link errors. My eventual goal is to build a
> fips node on Windows (Linux works already), but one of its build
> pre-reqs is the openssl CLI:
> 
> C:\Users\rsam\node\out\Release>c:\users\rsam\perl\bin\perl.exe 
> c:\usr\local\ssl\
> fips-2.0\bin\fipslink.pl /nologo /subsystem:console /opt:ref /debug 
> /out:openssl
> -cli.exe .\fips_premain.obj @openssl-cli.exe.rsp
> Integrity check OK
> "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\cl.exe" 
> /Fo.\f
> ips_premain.obj  -c c:\usr\local\ssl\fips-2.0\lib/fips_premain.c
> Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24210 for x64
> Copyright (C) Microsoft Corporation.  All rights reserved.
> 
> fips_premain.c
> link /nologo /subsystem:console /opt:ref /debug /out:openssl-cli.exe 
> .\fips_prem
> ain.obj @openssl-cli.exe.rsp
> fips_premain.obj : error LNK2001: unresolved external symbol FIPS_text_start
> fips_premain.obj : error LNK2001: unresolved external symbol 
> FIPS_incore_fingerp
> rint
> fips_premain.obj : error LNK2001: unresolved external symbol FIPS_signature
> crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol 
> FIP
> S_rand_set_method
> crypto.lib(openssl.rand_lib.obj) : error LNK2001: unresolved external symbol 
> FIP
> S_get_default_drbg
> etc...
> 
> 
> I'd love any suggestions, as-is, the only way I can think of to figure
> out how FIPS builds are supposed to work is to do a pure-openssl fips
> build, get a dump of all the compile and link commands done by the
> generated makefiles, and try working from there to reverse engineer
> what the ninja/batch file build should be trying to do.

Try linking with fipscanister.lib too: that's where those symbols are located.

Steve.


Re: [openssl-users] Extract content of DER-encoded package by OID

2017-07-19 Thread Dr. Stephen Henson
On Tue, Jul 18, 2017, Justin Mogannam wrote:

> Hello, 
> I have a signedData package that contains an encryptedKeyPackage
> (specifically OID 2.16.840.1.101.2.1.2.78.2, aka id-ct-KP-encryptedKeyPkg)
> that I want to extract from it. I am somewhat able to extract the sequence
> that contains this data via the OpenSSL command line: 
> 
> $ openssl asn1parse -in  -inform DER -strparse  offset I computed>
> 
> However, I am looking for the OpenSSL calls to do the same thing, ideally
> extract package contents by its OID without having to know the offset (such
> that I can extract the data from any given package by that particular OID).
> How would I go about doing this? I've been looking endlessly into asn1.h and
> x509.h, and am able to somewhat parse the entire package into a structure,
> but I could use some guidance as to how to further break it down into parts.
> Thank you, and I hope to hear a response back soon. 
> 

Well if this follows RFC6032 the outer part will be a ContentInfo structure
which you can parse using d2i_CMS_ContentInfo. From there you can use various
utility functions to analyse it.

For example CMS_get0_eContentType() to get the OID corresponding to the
encapsulated content type and CMS_get0_content() which (if I read the spec
correctly) should get you the EncryptedKeyPackage structure. After that you'll
have to parse it yourself because OpenSSL doesn't support that structure.

Steve.

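The two messages above ask how to pull the encryptedKeyPackage content out of a package by its OID rather than by a hand-computed asn1parse offset. This added example (not OpenSSL code and not from the thread) walks the DER directly with a small pure-C parser and stops at the first SEQUENCE { OID, [0] EXPLICIT ... } whose OID matches, which covers both the outer ContentInfo and the EncapsulatedContentInfo inside a SignedData; the sample bytes are a constructed stand-in and the helper names (extract_by_oid, sample_lookup) are my own.

```c
/* Added example, not OpenSSL code: find a ContentInfo-shaped element
 * SEQUENCE { OBJECT IDENTIFIER, [0] EXPLICIT ... } by its content-type OID
 * anywhere in a DER blob. Pure C, no libcrypto; sample DER is constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct tlv { uint8_t tag; const uint8_t *val; size_t len; size_t total; };

/* Decode one DER tag/length/value at p (n bytes available). Returns 1 on success. */
static int der_tlv(const uint8_t *p, size_t n, struct tlv *t)
{
    size_t i = 0, len = 0;
    if (n < 2) return 0;
    t->tag = p[i++];
    if ((t->tag & 0x1f) == 0x1f) return 0;     /* high tag numbers: not needed here */
    if (p[i] < 0x80) len = p[i++];             /* short form */
    else {                                     /* long form: nb length octets follow */
        size_t nb = p[i++] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || nb > n - i) return 0;
        while (nb--) len = (len << 8) | p[i++];
    }
    if (len > n - i) return 0;                 /* value must fit in the buffer */
    t->val = p + i; t->len = len; t->total = i + len;
    return 1;
}

/* Encode a dotted OID ("2.16.840.1...") as DER content octets. Returns 0 on error. */
static size_t oid_encode(const char *dotted, uint8_t *out, size_t cap)
{
    unsigned long arc[32]; size_t narcs = 0, o = 0; const char *s = dotted;
    while (*s && narcs < 32) {
        char *end; arc[narcs] = strtoul(s, &end, 10);
        if (end == s) return 0; narcs++;
        if (*end == '.') s = end + 1; else if (*end == '\0') s = end; else return 0;
    }
    if (narcs < 2 || arc[0] > 2 || (arc[0] < 2 && arc[1] > 39)) return 0;
    arc[1] += arc[0] * 40;                     /* first two arcs share one subidentifier */
    for (size_t a = 1; a < narcs; a++) {       /* base-128, high bit = more octets follow */
        unsigned long v = arc[a]; uint8_t tmp[10]; int k = 0;
        do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);
        while (k--) { if (o >= cap) return 0; out[o++] = tmp[k] | (k ? 0x80 : 0); }
    }
    return o;
}

/* Depth-first search. On a hit, *content/*clen describe the element wrapped by
 * the [0] EXPLICIT tag (the SignedData, or an eContent OCTET STRING). */
static int find_content_by_oid(const uint8_t *p, size_t n, const uint8_t *want,
                               size_t wantlen, const uint8_t **content, size_t *clen)
{
    size_t off = 0;
    while (off < n) {
        struct tlv t, oid, ctx;
        if (!der_tlv(p + off, n - off, &t)) return 0;   /* malformed: abandon this level */
        if (t.tag == 0x30 &&                            /* SEQUENCE { OID, [0] ... } */
            der_tlv(t.val, t.len, &oid) && oid.tag == 0x06 &&
            oid.len == wantlen && memcmp(oid.val, want, wantlen) == 0 &&
            der_tlv(t.val + oid.total, t.len - oid.total, &ctx) && ctx.tag == 0xa0) {
            *content = ctx.val; *clen = ctx.len;
            return 1;
        }
        if ((t.tag & 0x20) &&                           /* constructed: descend */
            find_content_by_oid(t.val, t.len, want, wantlen, content, clen))
            return 1;
        off += t.total;
    }
    return 0;
}

/* Entry point: dotted OID in, pointer into der out. Returns 1 if found. */
int extract_by_oid(const uint8_t *der, size_t n, const char *dotted,
                   const uint8_t **content, size_t *clen)
{
    uint8_t want[64];
    size_t wl = oid_encode(dotted, want, sizeof want);
    return wl ? find_content_by_oid(der, n, want, wl, content, clen) : 0;
}

/* Constructed stand-in (not a real key package): ContentInfo { id-signedData,
 * [0] SignedData { version 1, digestAlgorithms { sha256 }, encapContentInfo
 * { id-ct-KP-encryptedKeyPkg, [0] OCTET STRING "KEYPKG" }, signerInfos {} } } */
const uint8_t sample_der[] = {
    0x30, 0x3d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02,
    0xa0, 0x30, 0x30, 0x2e, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09,
    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x16,
    0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x02, 0x4e, 0x02, 0xa0,
    0x08, 0x04, 0x06, 'K', 'E', 'Y', 'P', 'K', 'G', 0x31, 0x00
};

/* Lookup into the sample; the hit lands in found/found_len for inspection. */
const uint8_t *found; size_t found_len;
int sample_lookup(const char *dotted)
{
    return extract_by_oid(sample_der, sizeof sample_der, dotted, &found, &found_len);
}
```

Searching the sample for 2.16.840.1.101.2.1.2.78.2 lands on the OCTET STRING at offset 53 (8 bytes), while 1.2.840.113549.1.7.2 returns the whole SignedData at offset 15, so the same call serves both the outer and the encapsulated layer.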

Re: [openssl-users] shouldn't fipslink.pl include the fipscanister.lib in the link line?

2017-07-13 Thread Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> On Thu, Jul 13, 2017 at 1:41 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> >>
> >> Where is nt.mak? Its mentioned in the User Guide but I didn't find it
> >> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
> >> tarballs for openssl-fips 2.0.9, or 2.0.16
> >>
> >
> > It's created by OpenSSL when you follow the Windows build procedure.
> 
> No luck so far. I downloaded openssl-1.0.2l, did the `perl Configure ...
> --with=fipsdir...` from section 4.3.3 and don't have a ms/nt.mak.
> 

Are you compiling with VC++? That's the only compiler which is supported for
FIPS and Windows.

If you are then you need the next step which is:

ms\do_nasm

to get ms\nt.mak

Steve.


Re: [openssl-users] shouldn't fipslink.pl include the fipscanister.lib in the link line?

2017-07-13 Thread Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> On Thu, Jul 13, 2017 at 12:34 PM, Dr. Stephen Henson <st...@openssl.org> 
> wrote:
> 
> > If you do want to link against the static libraries then the easiest way to 
> > do
> > that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
> > rule to your needs.
> 
> Where is nt.mak? Its mentioned in the User Guide but I didn't find it
> in the github repo, or tarballs for openssl 1.0.2j or 1.1.0c, or
> tarballs for openssl-fips 2.0.9, or 2.0.16
> 

It's created by OpenSSL when you follow the Windows build procedure.

Steve.


Re: [openssl-users] shouldn't fipslink.pl include the fipscanister.lib in the link line?

2017-07-13 Thread Dr. Stephen Henson
On Thu, Jul 13, 2017, Sam Roberts wrote:

> I'm having trouble linking on Windows with fipslink.pl, lots of FIPS_
> symbols are unresolved.
> 
> AFAICT, they are defined by the canister, and fipslink.pl is supposed
> to know this, and add them to the link libraries by itself, but it
> doesn't seem to do this.
> 
> Looking at the linux fipsld, it does appear to have code to find and
> add fipscanister.o to the link line.
> 
> Any idea what I am doing wrong, or not understanding about fipslink.pl?
> 

First if you want to link to the OpenSSL DLLs then you don't need fipslink.pl
at all: just link to them as you would any other application.

If you do want to link against the static libraries then the easiest way to do
that is to examine the contents of nt.mak, look for FIPSLINK and adapt the
rule to your needs.

Steve.


Re: [openssl-users] Loading multiple private keys a certificates on server program

2017-07-06 Thread Dr. Stephen Henson
On Tue, Jun 27, 2017, Neetish Pathak wrote:

> 
> SSL_CTX_use_certificate_file to load the certificate but the server always
> picks just the first certificate mentioned in the file and fails for one of
> the cases with no cipher shared message
> 
> What should we do to store multiple certificates and private keys at the
> server side so that it picks the right one corresponding to the requested
> cipher?
> 

You call SSL_CTX_use_certificate_file multiple times: once for each
certificate type. Similarly for private keys.

Steve.


Re: [openssl-users] RSA_PKCS1_OAEP_PADDING

2017-05-15 Thread Dr. Stephen Henson
On Mon, May 15, 2017, RudyAC wrote:

> Hello Steve,
> 
> first of all thanks for helpful advice. When printing out all the fields of
> the message with the openssl command
> I got for every recipient two blocks. One block includes the OAEP padding
> and the other block (same recipient) includes the default padding.
> 
> d.ktri: 
> version: 
> d.issuerAndSerialNumber: 
>   issuer: C=DE, O=extern, OU=host3, CN=CA - host3
>   serialNumber: 12302977334217659119
> keyEncryptionAlgorithm: 
>   algorithm: rsaEncryption (1.2.840.113549.1.1.1)
>   parameter: NULL
> 
> d.ktri: 
> version: 
> d.issuerAndSerialNumber: 
>   issuer: C=DE, O=extern, OU=host3, CN=CA - host3
>   serialNumber: 12302977334217659119
> keyEncryptionAlgorithm: 
>   algorithm: rsaesOaep (1.2.840.113549.1.1.7)
>   parameter: SEQUENCE:
> 0:d=0  hl=2 l=  43 cons: SEQUENCE  
> 2:d=1  hl=2 l=  13 cons:  cont [ 0 ]
> 4:d=2  hl=2 l=  11 cons:   SEQUENCE  
> 6:d=3  hl=2 l=   9 prim:OBJECT:sha256
>17:d=1  hl=2 l=  26 cons:  cont [ 1 ]
>19:d=2  hl=2 l=  24 cons:   SEQUENCE  
>21:d=3  hl=2 l=   9 prim:OBJECT:mgf1
>32:d=3  hl=2 l=  11 cons:SEQUENCE  
>34:d=4  hl=2 l=   9 prim: OBJECT:sha256
> 
> How can I make sure that only the OAEP padding is used?
> 

What code are you using? The original you posted had a bug:

   CMS_final(cms, in, NULL, nflags);

/* encrypt content */
cms = CMS_encrypt(encerts, in, cipher, flags);

Which will overwrite the created cms structure.

Steve.


Re: [openssl-users] RSA_PKCS1_OAEP_PADDING

2017-05-11 Thread Dr. Stephen Henson
On Thu, May 11, 2017, RudyAC wrote:

> Hello,
> 
> I have the requirement to encrypt e-mails using RSA-OAEP padding. I use the
> library openssl-1.0.2k and encrypt with CMS container. The following
> function describes my method. My problem is that I'm not sure if this method
> really uses the RSA-OAEP padding.
> 
> bool
> smime_encrypt_cms(const std::string& infile, const std::string& outfile)
> {
> bool bResult = false;
> const char* inmode = "r";
> const char* outmode = "w";
> const EVP_CIPHER* cipher = NULL;
> 
> 
> STACK_OF(X509)* encerts = NULL;
> BIO* in = NULL;
> BIO* out = NULL;
> BIO* bio_err = NULL;
> int flags = 0;
> 
>   X509 *recip;
>   int i = 0;
>   unsigned char *oaep_label = NULL;
>   int oaep_label_l = 0;
>   int nflags = CMS_PARTIAL | CMS_KEY_PARAM;
>   CMS_ContentInfo* cms = CMS_encrypt(NULL, NULL, cipher, nflags);
>   EVP_PKEY_CTX* wrap_ctx = NULL;
> 
> KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () started" );
> 
> cipher = get_cipher();
> SMTPD_RAND_load_file ( NULL , bio_err , 0 );
> 
> encerts = sk_X509_new_null();
> 
> FOR_CONST_IT(EmailAndCertList, itRecip, _m_recipCertsList)
> {
> SMIME_key_list recip_encerts = (*itRecip)->smime_enc();
> 
> FOR_CONST_IT(SMIME_key_list, iter, recip_encerts)
> {
> sk_X509_push( encerts, (*iter).dup_cert());
> }
> }
> 
> 
> if ( ! ( in = BIO_new_file ( infile.c_str() , inmode ))) {
> KWlog_appl ( EV_E_APPL_INFO , "Can't open input file %s",
> infile.c_str() );
> _error_messages.push_back("Internal Error");
> goto exit;
> }
> 
> if ( ! ( out = BIO_new_file ( outfile.c_str() , outmode ))) {
> KWlog_appl ( EV_E_APPL_INFO , "Can't open output file %s",
> outfile.c_str() );
> _error_messages.push_back("Internal Error");
> goto exit;
> }
> 
> for (i = 0; i < sk_X509_num(encerts); i++) {
> 
>   CMS_RecipientInfo* r_info;
> 
>   recip = sk_X509_value(encerts, i);
>   r_info = CMS_add1_recipient_cert(cms, recip, nflags);
>   if (!r_info) {
>   KWlog_appl(EV_E_APPL_INFO,
>   "smime_encrypt_cms(): Error while adding recipient certs to CMS info structure");
>   return false;
>   }
>   wrap_ctx = CMS_RecipientInfo_get0_pkey_ctx(r_info);
>   KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () Set OAEP Padding");
>   EVP_PKEY_CTX_set_rsa_padding(wrap_ctx, RSA_PKCS1_OAEP_PADDING);
>   EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
>   EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
>   EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, 
> oaep_label_l);
>   }
> 
>CMS_final(cms, in, NULL, nflags);
> 
> /* encrypt content */
> cms = CMS_encrypt(encerts, in, cipher, flags);
> 
> 
> if( ! cms ) {
> KWlog ( EV_E_APPL_INFO , "Error creating CMS structure");
> KWlog_SSL ;
> _error_messages.push_back("Internal Error");
> goto exit;
> }
> 
> flags |= SMIME_OLDMIME;
> 
> /* Write out S/MIME message */
> if (!SMIME_write_CMS(out, cms, in, flags))
>   goto exit;
> 
> bResult = true;
> 
>  exit:
> SMTPD_RAND_write_file (NULL, bio_err);
> sk_X509_pop_free(encerts, X509_free);
> if (cms)
>   CMS_ContentInfo_free(cms);
> BIO_free(in);
> BIO_free_all(out);
> 
> KWlog ( EV_D_APPL_14 , "smime_encrypt_cms () finished" );
> return ( bResult );
> }
> 
> When using this function to encrypt an e-mail Thunderbird can decrypt the
> message. But is RSA-OAEP padding really used or is the default padding still
> used? How can I check this?
> 
> For comments I would be very grateful
> 

You can try printing out all the fields of the message with:

openssl cms -cmsout -noout -print

Near the top you should see: 

keyEncryptionAlgorithm: 
  algorithm: rsaesOaep (1.2.840.113549.1.1.7)

while the default padding gives:

keyEncryptionAlgorithm: 
  algorithm: rsaEncryption (1.2.840.113549.1.1.1)

Steve.


Re: [openssl-users] C++ How to parse Subject Directory Attributes Extension?

2017-05-09 Thread Dr. Stephen Henson
On Tue, May 09, 2017, Matthias Ballreich wrote:

> Here are now some more details, which may help you to better understand.
> 
> 
> My Certificate contains the SubjectDirectoryAttributes-Extension with the 
> following Attributes:
> 
> OID   : Value
> ---
> (1.3.6.1.5.5.7.9.4) countryOfCitizenship  : DE
> (1.3.6.1.5.5.7.9.3) gender: F
> (1.3.6.1.5.5.7.9.1) dateOfBirth   : 1971-10-14 12:00:00 UTC
> (1.3.6.1.5.5.7.9.2) placeOfBirth  : Darmstadt
> 
> So I want to get these pairs of OID and Value.
> 
> I found no Struct like SUBJECT_DIRECTORY_ATTRIBUTES in the Source-Code I can 
> use. I got the Extension this way:
> 
> int loc = X509_get_ext_by_NID(certificate, NID_subject_directory_attributes, 
> -1);
> X509_EXTENSION *ex = X509_get_ext(certificate, loc);
> 
> But how can I then get all the data, which means all the OIDs and Values to 
> the OIDs? The ASN.1 Structure is:
> 
> SubjectDirectoryAttributes ::= Attributes
> 
> Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
> 
> Attribute ::= SEQUENCE
> {
> type AttributeType
> values SET OF AttributeValue
> }
> 
> AttributeType ::= OBJECT IDENTIFIER
> AttributeValue ::= ANY DEFINED BY AttributeType
> 
> I found out that I get a custom extension with: X509_EXTENSION_get_object(ex) 
> and that the OpenSSL-Type X509_NAME_ENTRY is the equivalent to the 
> ASN.1-Structure Attribute resp. AttributeTypeAndValue. So I tried to cast the 
> result of X509_EXTENSION_get_data(ex) to a STACK_OF(X509_NAME_ENTRY) and to 
> X509_NAME. But X509_NAME is the same as STACK_OF(X509_NAME_ENTRY).
> 
> Then I tried to get the number of attributes by calling the 
> sk_X509_NAME_ENTRY_num() function on the STACK_OF(X509_NAME_ENTRY) resp. 
> X509_NAME.entries, but I did not get the right number. I expect to get the number 
> 3 or 4 (don't know the exact internal counting - but the example cert 
> contains 4 Attributes, so the output should be 3 or 4 depending on whether the 
> counting starts at 0 or 1). But instead of 3 or 4 I got a much larger 
> number like 34335029 and this number is different every time I run the code. 
> So I think there is a problem with the casting or I did not choose the right 
> Data-Type(s).
> 
> I'm using OpenSSL 1.0.2j.
> 
> So what's wrong and how can I fix it? - Thanks in advance!
> 

Looks like the type isn't X509_NAME_ENTRY but X509_ATTRIBUTE and the extension
is a SEQUENCE OF Attribute. We don't have the direct equivalent as a specific
type IIRC but it isn't hard to add one just follow what is done for
GENERAL_NAMES which is a SEQUENCE OF GENERAL_NAME.

You can either add a custom extension or just parse the structure from the
extension contents.

Steve.


Re: [openssl-users] Some S/MIME CMS encrypted messages produce invalid key length when using the debug_decrypt option

2017-05-08 Thread Dr. Stephen Henson
On Mon, May 08, 2017, Harakiri via openssl-users wrote:

> I'm using the cmd client openssl cms -decrypt with the "debug_decrypt" option 
> to have the same behaviour as before the Bleichenbacher security patch to use 
> decryption without recipient public keys.
> For some reason, some messages will produce the following error on OpenSSL 
> 1.0.2d and even OpenSSL 1.0.2k
> Error decrypting CMS structure6828:error:0607A082:digital envelope 
> routines:EVP_CIPHER_CTX_set_key_length:invalid key 
> length:evp_enc.c:593:6828:error:2E078076:CMS 
> routines:cms_EncryptedContent_init_bio:invalid key length:cms_enc.c:163:
> Calling cms -decrypt without the debug_decrypt option produces no error.
> What is weird is that it's always basically the same source e-mail encrypted 
> using openssl cms with aes-128-cbc and rsaesOaep and sometimes the resulting 
> message will produce this error and other times it works.
> 
> 

That's odd. What command line are you using to create the messages?

Would it be possible to create a test case that reproduces this error?

Steve.


Re: [openssl-users] Problem building Linux shared library with static FIPS capable OpenSSL

2017-05-01 Thread Dr. Stephen Henson
On Mon, May 01, 2017, Nathan Glasser wrote:

> Hello,
> 
> We are using openssl-fips 2.0.14 with OpenSSL 1.0.2j.
> 
> We have a shared library on both Linux and Windows which uses static OpenSSL
> libraries. We'd like it to use static FIPS-capable OpenSSL libraries.
> 
> On Windows, everything is fine. On Linux, I have a problem. I am
> doing my tests on RedHat 6.0.
> 
> I am able to make standalone executables just fine, but shared library (.so)
> building does not work. I am linking using supplied the fipsld script.
> 
> The script gets error 139, which means a segmentation fault. Modifying
> the fipsld script to uncomment the "set -x" at the top shows me that
> the following is where the segmentation fault is occurring.
> 
>   # generate signature...
>   SIG=`"${TARGET}"`
> 
> It is attempting to run ${TARGET}, which is the .so file that has just been
> generated in the first link step. (It's not surprising to me that this results
> in a segmentation fault.) If I run the file which is left after the building
> aborts, I also get a segmentation fault.
> 
> I can see that there is another case - when the filename matches
> lib*|*.dll, which it does not.
> 
> If I try renaming the target to have "lib" at the start of the name,
> then when it runs this part
> 
>   # generate signature...
>   SIG=`"${PREMAIN_DSO}" "${TARGET}"`
> 
> it fails because there is no fips_premain_dso program. Nor can I find
> this anywhere in the openssl-fips or openssl packages. Should this have
> gotten built automatically in an earlier step?
> 
> I created a simplified test which consists of the fips_hmac sample (included
> in the OpenSSL Fips 2.0 manual), with main renamed to something else.
> 
> Can someone on this list please point me in the right direction for
> getting this to work? Thanks. Below are my makefile and build log.
> 

Try a shared build of the FIPS capable OpenSSL. You should then get
fips_premain_dso built as part of that process. Alternatively just do:

make fips_premain_dso

The fips_premain_dso executable isn't anything special: all it does is load
the library. It should then print out the signature which can then be embedded
for the second link step.

Steve.


Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-30 Thread Dr. Stephen Henson
On Sun, Apr 30, 2017, Blumenthal, Uri - 0553 - MITLL wrote:

> 
> Semi-related question. Is RSA_NO_PADDING allowed for EVP signature? When I 
> tried that (without using DigestSign of course), signing succeeded but 
> verification always failed. Was that expected? Are there some special 
> settings one needs to apply besides just setting the padding type?
> 

With RSA_NO_PADDING it isn't possible to determine the length of the decrypted
data during verify. We should really return an error code if an attempt is
made to use it for sign/verify.

Steve.


Re: [openssl-users] Integrating New Cipher Suite

2017-04-18 Thread Dr. Stephen Henson
On Fri, Apr 14, 2017, Schmicker, Robert wrote:

> 
> 
> After some debugging (exactly as mentioned above) it appears that the cipher 
> suite does not show up in the ClientHello using the s_client/s_server. I 
> modified the cipher for testing to use 512 bits instead of 64 so that it is 
> ranked highest.
> 
> Error server side:
> SSL routines:tls_post_process_client_hello:no shared 
> cipher:ssl/statem/statem_srvr.c:1979
> 
> Error Client side:
> SSL routines:ssl3_read_bytes:tlsv1 alert internal 
> error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80
> 
> Any idea why the cipher would appear under the list of supported tls1.2 
> ciphers, yet it does not appear under the ClientHello even if specified with 
> the -cipher option?
> 

Hmm... it's not clear why the cipher isn't being sent in client hello. What
output do you get with -security_debug_verbose option? Also try including
@SECLEVEL=0 in the cipher string.

Steve.


Re: [openssl-users] RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS

2017-04-14 Thread Dr. Stephen Henson
On Tue, Apr 11, 2017, Davy Souza wrote:

> > In what context do you want to use it? For example CMS, certificates, TLS,
> general application code or via the command line?
> 
> 
> It's a C++ embedded application for a POS.  One requirement is to use PKCS#1 
> v2.1 for RSA functions.
> 

Then you need to use EVP_PKEY_sign/EVP_PKEY_verify or
EVP_DigestSign*/EVP_DigestVerify.

In either case you have an EVP_PKEY_CTX structure and you need to set the
padding mode and parameters using EVP_PKEY_CTX_set_rsa_padding(),
EVP_PKEY_CTX_set_rsa_pss_saltlen() and if you use
EVP_PKEY_sign/EVP_PKEY_verify EVP_PKEY_CTX_set_signature_md().

Steve.


Re: [openssl-users] Integrating New Cipher Suite

2017-04-11 Thread Dr. Stephen Henson
On Tue, Apr 11, 2017, Schmicker, Robert wrote:

> Added a define in include/openssl/ssl.h:
># define SSL_TXT_MYCIPHER   "MYCIPHER"
> 
> Integrated into ssl/s3_lib.c:
>static SSL_CIPHER ssl3_ciphers[] = {
> 
>{
> 1,
> TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
> TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
> SSL_kECDHE,
> SSL_aECDSA,
> SSL_MYCIPHER,
> SSL_AEAD,
> TLS1_2_VERSION, TLS1_2_VERSION,
> DTLS1_2_VERSION, DTLS1_2_VERSION,
> SSL_HIGH | SSL_FIPS,
> SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
> 64,
> 64,
>},

That's a pretty small number of bits. Do you really mean it to be only 64?

Does your ciphersuite show up with cipher -s?

It's possible it is being rejected because it has insufficient security. If
the number of bits is really 64 you could try dropping the security level to
0 to allow it.

If that doesn't help enable trace support with enable-ssl-trace and then try
the -trace option of s_client/s_server and see if the new ciphersuite is
sent in ClientHello.

Steve.


Re: [openssl-users] Integrating New Cipher Suite

2017-04-10 Thread Dr. Stephen Henson
On Sat, Apr 08, 2017, Schmicker, Robert wrote:

> Hello,
> 
> I'm attempting to integrate a customized cipher suite for TLS 1.2,
> however no matter what I try I always seem to end up with this error
> (client side):
> 
> SSL routines:ssl_cipher_list_to_bytes:no ciphers
> available:ssl/statem/statem_clnt.c:3567
> 
> Can anyone give some further explanation on this?
> 
> Here's some snippets from the client and server setup.
> 
> client:
> 

That sounds like the cipher isn't visible.

I'd suggest trying s_client/s_server first.

Which version of OpenSSL are you using?

Does your new cipher appear in "openssl ciphers"? If so does the output look
sensible? Does it appear with the -s option too?

Is the cipher visible using "openssl list -cipher-algorithms" (OpenSSL 1.1.0)
or "openssl list-cipher-algorithms" (OpenSSL 1.0.2).

Is your new cipher usable via the command line utilities like "enc"? Does it
seem to be behaving as expected?

Steve.


Re: [openssl-users] RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS

2017-04-10 Thread Dr. Stephen Henson
On Wed, Apr 05, 2017, Davy Souza wrote:

> Hi,
> 
> 
> I'm using RSA, but I need to know if OpenSSL RSA implements PKCS#1 v2.1. I 
> have the following questions:
> 
>1) Does OpenSSL support multi-prime?
> 

No.

>2) Does OpenSSL support RSASSA-PSS?
> 

Yes.

>3) If so, how can I use it?
> 

In what context do you want to use it? For example CMS, certificates, TLS,
general application code or via the command line?

Steve.


Re: [openssl-users] how to implement functions for STACK OF custom type?

2017-03-24 Thread Dr. Stephen Henson
On Tue, Mar 21, 2017, lists wrote:

> Sorry, I first posted this on the -dev list, likely inappropriate... now with 
> an update:
> 
> I am exploring my options with OpenSSL and specifically I am trying to manage 
> the stacks for some custom objects.
> Currently, I have this code (sort of) in the headers:
> 
> typedef struct myThingA_st
> {
>  ASN1_OBJECT aID;
>  ASN1_OCTET_STRING aOCST;
> }
>  myThingA;
> 
> DECLARE_ASN1_ITEM(myThingA)
> DECLARE_ASN1_FUNCTIONS(myThingA)
> DECLARE_STACK_OF(myThingA)
> // the next one seems to be irrelevant for my purpose, is it?
> DECLARE_ASN1_SET_OF(myThingA)
> 
> typedef struct myThingB_st
> {
>  // SEQUENCE OF { ... }
>  STACK_OF(myThingA) myThingA_sk;
> }
>  myThingB;
> 
> // DECLARE_ASN1_ITEM(myThingB)
> DECLARE_STACK_OF(myThingB)
> // DECLARE_ASN1_FUNCTIONS(myThingB)
> // the next one seems to be irrelevant for my purpose, is it?
> DECLARE_ASN1_SET_OF(myThingB)
> 
> Then, in the .c file...
> 
> IMPLEMENT_STACK_OF(myThingA)
> IMPLEMENT_STACK_OF(myThingB)
> 
> I thought that the basic functions for the stacks to be available (such as 
> sk_myThingA_new, sk_myThingA_push...), yet by compiling a main, for 
> the first one that I try to use I get:
> 
>    undefined reference to `sk_myThingA_value'
> 
> What am I doing wrong here?

If you're using OpenSSL 1.1.0 you need to include:

DEFINE_STACK_OF(FOO)

in a header file and that should be it. That implements a set of inline
functions that do the right thing.

For OpenSSL versions before 1.1.0 it's a bit messier. The type specific
STACK_OF functions are actually macros which are generated by the mkstack.pl
script and appear in the safestack.h header file. If you want to create your
own, one way is to extract a type specific section from safestack.h, copy it
to your own header file and do a search/replace for the new type.

So for example extract the sk_OPENSSL_BLOCK macros and replace OPENSSL_BLOCK
with FOO.

Steve.


Re: [openssl-users] Cannot read exported PKCS12 cert and private key

2017-03-14 Thread Dr. Stephen Henson
On Mon, Mar 13, 2017, Michael Wojcik wrote:

> I'll assume you mean you exported it "from a mainframe system" using RACF. 
> RACF has half a dozen export formats for certificates and keys; they're not 
> all supported by OpenSSL.
> 
> In particular (and despite the PEM delimiters), I suspect what you have here 
> is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support 
> PEM encoding, because that's not normally done. RACF will do it, though, just 
> to be difficult.
> 
> openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with 
> a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So 
> yes, looks like PKCS#12.
> 
> So, try this:
> 1. Edit the file and remove the PEM delimiters (" BEGIN CERTIFICATE " 
> and "- END CERTIFICATE ").
> 2. Convert the data from Base64 to binary:
> openssl base64 -d -in file -out file.der

Note this can be simplified a bit with:

openssl asn1parse -in file.pem -out file.der

That should work for any PEM ASN.1 structure.

Steve.


Re: [openssl-users] X25519: how to generate public key?

2017-03-14 Thread Dr. Stephen Henson
On Tue, Mar 14, 2017, Olivier Meunier wrote:

> Hi,
> 
> using openSSL 1.1.0e, I generate my private key using:
> openssl genpkey -algorithm x25519 -out x25519.key.pem
> 
> But I cannot find how to generate the public key. I tried:
> openssl ec -in x25519.key.pem -pubout -out x25519.key.pub.pem
> but got the errors:
> read EC key
> unable to load Key
> 16084:error:0608308E:digital envelope
> routines:EVP_PKEY_get0_EC_KEY:expecting a ec
> key:crypto\evp\p_lib.c:319:
> 
> What is the right command to get the public key?
> Thanks,
> 

X25519 is treated as a distinct algorithm, not as an EC curve.

You don't actually "generate" the public key; you can extract or calculate the
public key corresponding to a private key though.

The pkey command can do this for any supported algorithm:

openssl pkey -in privkey.pem -pubout -out pubkey.pem

Steve.


Re: [openssl-users] Extracting Handshake Information

2017-03-13 Thread Dr. Stephen Henson
On Tue, Mar 14, 2017, Vijayakumar Kaliaperumal wrote:

> Hello,
> 
> Is there a way in openssl we can extract the protocol(TLS/DTLS ) handshake
> information, like in clienthello,  the protocol version, ciphersuites
> offered, Random,  session id etc.
> 

You can get some useful information with the -trace option to
s_client/s_server which needs the configuration option enable-ssl-trace

Steve.


Re: [openssl-users] Migrating from EVP_Verify*/EVP_Sign* to EVP_Digest*

2017-02-28 Thread Dr. Stephen Henson
On Tue, Feb 28, 2017, Tobias Nießen wrote:

> Hello,
> 
> we are currently discussing support for RSASSA-PSS padding in the
> node.js built-in crypto module:
> https://github.com/nodejs/node/issues/1127
> 
> So far, the crypto module uses the older EVP_Sign/EVP_Verify APIs,
> which do not support specifying
> the padding (and salt length). We considered switching to the newer
> EVP_Digest* functions, but we
> cannot provide the public key during initialization of the signature
> / verification process as this would
> require unacceptable changes to the public API of the crypto module.
> Is there any way to use the
> new API without specifying the key during initialization?
> Considering that the old API just computes
> a message digest until EVP_SignFinal/EVP_VerifyFinal is called,
> shouldn't it be possible to do merely
> the same thing using the new API?
> 

No there isn't with the new API. The reason for that is that some operations
performed (for example which digests can be used, or which salt lengths are
permissible for PSS) depend on the public key. For example in the master
branch RSA-PSS keys can restrict the digest which can be used with the key. The
way the new API is structured you get the error as soon as you attempt the
operation.

> If it is impossible, is there any workaround?
> 

There is an alternative which may help. Instead of using EVP_Sign* which
computes the digest and signs with it you can instead call EVP_DigestInit_ex,
EVP_DigestUpdate and EVP_DigestFinal_ex() to compute the raw digest.

Then you can use the EVP_PKEY APIs to sign the raw digest with EVP_PKEY_sign()
using RSA-PSS or verify it with EVP_PKEY_verify().

If that isn't clear let me know and I'll explain further.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

2017-02-27 Thread Dr. Stephen Henson
On Mon, Feb 27, 2017, Stephan Mühlstrasser wrote:

> On 27.02.17 at 15:34, Dr. Stephen Henson wrote:
> 
> >There shouldn't be any need to add the method to the list: it should be
> >possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
> >or implemented in an ENGINE). I say *should* because there doesn't seem to be
> >currently a way to do that without changing EVP_PKEY internal fields (which
> >isn't possible in 1.1.0 anyway).
> 
> I'm sorry, I don't get what you are trying to tell me in the above
> paragraph. Are you talking about an alternative way to set up the
> methods in the EVP_PKEY_METHOD structure?
> 

Well this is by analogy with how the other algorithm specific methods work.

With RSA_METHOD et al there are two ways to provide your own mechanisms for
operations.

If it's a general purpose mechanism (e.g. a crypto accelerator) which should
perform all RSA operations you can provide the default method.

If you want to only affect certain keys (e.g. those tied to a specific HSM)
you *can* do this via the default method and just check each key as it goes
through (e.g. some ex_data attached to it) and only handle those of interest
passing the rest to the default operation.

There is an alternative way. You create a custom method and set that as the
key's internal method. Then any existing keys use the default method as usual
but the keys you care about go through the custom method.

For EVP_PKEY_METHOD you can provide the default implementation for an
algorithm but unfortunately there is no way to provide a key specific method
which is transparently used.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

2017-02-27 Thread Dr. Stephen Henson
On Mon, Feb 27, 2017, Stephan Mühlstrasser wrote:

> Steve,
> 
> On 25.02.17 at 05:53, Dr. Stephen Henson wrote:
> >On Fri, Feb 17, 2017, Stephan Mühlstrasser wrote:
> >...
> >>Is it possible to override methods in an EVP_PKEY_METHOD structure,
> >>or would it be necessary to implement a whole OpenSSL engine to do
> >>what I want?
> >>
> >
> >It should be possible yes, though AFAIK no one has yet tried to do this so
> >there may be some pieces missing.
> >
> >In outline you'd retrieve the appropriate EVP_PKEY_METHOD for the algorithm 
> >of
> >interest, make a copy of it and then set the operation you wish to override,
> >you can also retrieve the original operation in case you sometimes wish to
> >call that.
> 
> thanks for confirming that this should be possible in principle.
> 
> I guess my problem was that I thought one must retrieve the
> EVP_PKEY_METHOD from the EVP_PKEY_CTX pointer. As you are saying it
> must be retrieved for the algorithm, I think I understood now that
> it must be fetched via EVP_PKEY_meth_find().
> 
> Is the following sketch roughly appropriate?
> 
> int my_sign_init_function(EVP_PKEY_CTX *ctx);
> int my_sign_function(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t
> *siglen, const unsigned char *tbs, size_t tbslen);
> 
> const EVP_PKEY_METHOD *rsa_meth = EVP_PKEY_meth_find(EVP_PKEY_RSA);
> EVP_PKEY_METHOD *new_rsa_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0);
> EVP_PKEY_meth_copy(new_rsa_meth, rsa_meth);
> EVP_PKEY_meth_set_sign(new_rsa_meth, my_sign_init_function,
> my_sign_function);
> EVP_PKEY_meth_add0(new_rsa_meth);
> 
> What is still unclear to me is how to retrieve the original function
> pointers from the EVP_PKEY_METHOD. EVP_PKEY_METHOD is an opaque
> structure, and I could not find a getter counterpart for
> EVP_PKEY_meth_set_sign().
> 
> How is it supposed to be possible to retrieve the original
> operations from an EVP_PKEY_METHOD pointer?
> 

Ah I see you're using OpenSSL 1.0.2. There isn't a way to get the existing
function pointers in 1.0.2, the "getter" functions are only in 1.1.0.

There shouldn't be any need to add the method to the list: it should be
possible to associate an EVP_PKEY with a non-default method (e.g. explicitly
or implemented in an ENGINE). I say *should* because there doesn't seem to be
currently a way to do that without changing EVP_PKEY internal fields (which
isn't possible in 1.1.0 anyway).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] RSA_method_set_sign

2017-02-25 Thread Dr. Stephen Henson
On Sat, Feb 25, 2017, Melvyn Sopacua wrote:

> Hi Stephen,
> 
> thank you for taking the time to answer.
> 
> On Saturday 25 February 2017 04:18:01 Dr. Stephen Henson wrote:
> > On Sat, Jan 14, 2017, Melvyn Sopacua wrote:
> > > This is caused by the code in [3].
> > > That file also shows the problem: OpenSSL itself has access to
> > > X509_SIG (and friends) internals as demonstrated in encode_pkcs1().
> > > But, I don't see any way to setup the same context(s) from outside
> > > OpenSSL. There's no X509_*_set_ to setup the algorithm
> > > and parameters.
> > > 
> > > Am I missing something or is it simply no longer possible to
> > > implement these callbacks properly?
> > 
> > Can you give a pointer to the part that is causing problems?
> 
> The method I'm trying to port is this:
> https://github.com/melvyn-sopacua/qca/blob/openssl11-compat/plugins/qca-ossl/qca-ossl.cpp#L2745
> 
> > The rsa_sign interface is used where the only interface available is
> > passed the digest algorithm and the raw digest and it performs its
> > own formatting using DigestInfo etc.
> > 
> > If you don't want to do that then the rsa_priv_enc method is more
> > appropriate: it gets passed the block to encrypt (sign) and all the
> > DigestInfo formatting is handled by OpenSSL itself.
> 
> This may be a better approach in the long run. Thank you.
> 

Yes it looks like if you implement rsa_priv_enc instead the function becomes
much simpler and you just need the last part at around line 2814. You also have
to check the padding mode; all the X509_SIG stuff is then handled by OpenSSL
itself.

> > If you really need to it should be possible to set up or examine an
> > X509_SIG structure using the available APIs. For example to retrieve
> > its fields you use X509_SIG_get0 and to set them X509_SIG_getm.
> 
> Well, that explains why I couldn't find it. I was looking for something 
> X509_SIG_*set* and never thought X509_SIG_getm() would be what I needed.
> 
> So:
> sig.algor= 
> sig.digest = 
> becomes
> X509_SIG_getm(sig, palg, pdigest);
> *palg = algor;
> *pdigest = digest;
> 
> And I'm guessing I have to free the structures retrieved by getm() if 
> they're not NULL. I may just wrap this in a X509_SIG_setup() function so 
> the freeing isn't forgotten.
> 

You can set the values in place using something like this:

/* "type", "m" and "m_len" are the digest NID, digest bytes and digest length
 * passed to the rsa_sign callback; needs <openssl/x509.h> and
 * <openssl/objects.h>. Return values should be checked in real code. */
unsigned char *tmps = NULL;
int tmpslen;
X509_SIG *sig = X509_SIG_new();
X509_ALGOR *alg;
ASN1_OCTET_STRING *digest;
/* Borrow pointers to the contained AlgorithmIdentifier and OCTET STRING */
X509_SIG_getm(sig, &alg, &digest);
/* DigestInfo.digestAlgorithm = { OID of "type", NULL parameters } */
X509_ALGOR_set0(alg, OBJ_nid2obj(type), V_ASN1_NULL, NULL);
/* DigestInfo.digest = the raw digest */
ASN1_STRING_set(digest, m, m_len);
/* Allocate and encode: tmps is NULL so i2d allocates the buffer */
tmpslen = i2d_X509_SIG(sig, &tmps);
X509_SIG_free(sig);

Then the encoded structure is "tmpslen" bytes in the buffer "tmps" which you
have to free up after use with OPENSSL_free().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to override methods in EVP_PKEY_METHOD structure that is attached to a EVP_PKEY_CTX?

2017-02-24 Thread Dr. Stephen Henson
On Fri, Feb 17, 2017, Stephan Mühlstrasser wrote:

> Hi,
> 
> we use OpenSSL 1.0.2 together with PKCS#11 tokens by plugging
> methods into the RSA_METHOD structure that interface with the
> PKCS#11 token, and this works fine so far. However, for creating RSA
> signatures with PSS padding this strategy doesn't work anymore,
> because OpenSSL wants to directly encrypt with the private key in
> this case, which is not possible in PKCS#11.
> 
> Therefore my idea is to override the function pkey_rsa_sign() and
> plug a wrapper around it into the EVP_PKEY_METHOD structure that is
> associated with the EVP_PKEY_CTX to handle this special situation.
> 
> The header evp.h declares the following functions among others:
> 
> EVP_PKEY_METHOD* EVP_PKEY_meth_new(int id, int flags);
> void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
> 
> void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
>   int (*sign_init)(EVP_PKEY_CTX *ctx),
>   int (*sign)(EVP_PKEY_CTX *ctx, unsigned char *sig,
> size_t *siglen, const unsigned char *tbs, size_t tbslen));
> 
> But I can't figure out how to use these functions to achieve what I
> want, because the following pieces seem to be missing:
> 
> - Retrieve the EVP_PKEY_METHOD pointer from a EVP_PKEY_CTX pointer
> - Set the EVP_PKEY_METHOD pointer for a EVP_PKEY_CTX pointer
> - Retrieve the existing "sign_init" and "sign" function pointers
> from an initialized EVP_PKEY_METHOD pointer for being able to wrap
> them
> 
> Is it possible to override methods in an EVP_PKEY_METHOD structure,
> or would it be necessary to implement a whole OpenSSL engine to do
> what I want?
> 

It should be possible yes, though AFAIK no one has yet tried to do this so
there may be some pieces missing.

In outline you'd retrieve the appropriate EVP_PKEY_METHOD for the algorithm of
interest, make a copy of it and then set the operation you wish to override,
you can also retrieve the original operation in case you sometimes wish to
call that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] RSA_method_set_sign

2017-02-24 Thread Dr. Stephen Henson
On Sat, Jan 14, 2017, Melvyn Sopacua wrote:

> Hello all,
> 
> Some background: I'd like to have a workstation that uses OpenSSL 1.1 
> instead of a lower version. For that I'm porting various pieces of 
> software and quickly discovered that I was repeating myself. In addition 
> this teaches me more about the OpenSSL library, which I consider a great 
> benefit.
> This resulted in me working on a forwards-compatibility library, using 
> the OpenSSL Wiki as a guide and the KDE QCA library as a testbed. Work 
> in progress can be seen at [1] and [2].
> 
> However, I believe I've now hit a brick wall:
> Various functions in the realm RSA_method_set_* allow us to set 
> callbacks for RSA operations. However, I see no way to implement these, 
> since various (all?) X509 structures are now opaque. In addition, the 
> default RSA_sign implementation calls the rsa_sign callback in the 
> provided RSA structure, so we'll create an infinite loop if we wrap it 
> like this:
> 
> RSA_method_set_sign(meth, my_rsa_sign);
> int my_rsa_sign(...) {
>   RSA_sign(...);
>   store_state_on_our_object();
> }
> 
> This is caused by the code in [3].
> That file also shows the problem: OpenSSL itself has access to X509_SIG 
> (and friends) internals as demonstrated in encode_pkcs1(). But, I don't 
> see any way to setup the same context(s) from outside OpenSSL. There's 
> no X509_*_set_ to setup the algorithm and parameters.
> 
> Am I missing something or is it simply no longer possible to implement 
> these callbacks properly?
> 

Can you give a pointer to the part that is causing problems?

The rsa_sign interface is used where the only interface available is passed
the digest algorithm and the raw digest and it performs its own formatting
using DigestInfo etc.

If you don't want to do that then the rsa_priv_enc method is more appropriate:
it gets passed the block to encrypt (sign) and all the DigestInfo formatting
is handled by OpenSSL itself.

If you really need to it should be possible to set up or examine an X509_SIG
structure using the available APIs. For example to retrieve its fields you use
X509_SIG_get0 and to set them X509_SIG_getm.

The contained X509_ALGOR can be set up using X509_ALGOR_set0 and examined with
X509_ALGOR_get0.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Using RSASSA-PSS in command line smime / cms utility

2017-02-24 Thread Dr. Stephen Henson
On Mon, Feb 13, 2017, Harakiri via openssl-users wrote:

> Can i set the padding RSASSA-PSS or alg ECDSA via command line when using 
> openssl smime or openssl cms command?
> I can't find an option for it.

You have to use the cms command and -keyopt rsa_padding_mode:pss; check out the
documentation of pkeyutl for other PSS options such as setting the salt
length.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Specify padding scheme with EVP_VerifyFinal

2017-02-24 Thread Dr. Stephen Henson
On Thu, Feb 23, 2017, open...@tuta.io wrote:

> Hi Michel,
> 
> it looks like what I am looking for, but the software uses EVP_VerifyInit_ex 
> which is a typedef for EVP_DigestInit_ex. How are those functions related to 
> EVP_DigestVerifyInit? Can I use EVP_DigestVerify* functions along with 
> EVP_Verify* functions? I must not break compatibility with the old 
> implementation which needs to support arbitrary MD algorithms.
> 

You have to use the EVP_Digest* functions if you want to change the RSA
padding mode (or other parameters). This is not supported in the older
EVP_Verify* API.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
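
The "compute the raw digest, then sign it with RSA-PSS via EVP_PKEY_sign()" route
described in the EVP_Verify*/EVP_Sign* thread above, and the
rsa_padding_mode:pss and salt length options mentioned in the cms and
EVP_VerifyFinal threads, all come down to the EMSA-PSS encoding (RFC 8017
section 9.1) that is applied to the digest before the RSA private-key
operation. The following is an added example in pure Python; it is not OpenSSL
code and not from any of those threads. It implements EMSA-PSS encoding and
verification of an already computed digest and shows why the salt length and
the digest are parameters of the operation (a verifier expecting a different
salt length rejects a valid encoding) and why they are tied to the key
(emBits is derived from the modulus size). The sample digest, the fixed salt
and the 2047-bit emBits value are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample inputs for the example (not from the thread).
SAMPLE_DIGEST = hashlib.sha256(b"message to be signed").digest()
SAMPLE_SALT = bytes(range(32))      # a real signer draws the salt from a CSPRNG
EM_BITS_2048 = 2047                 # emBits = modBits - 1 for a 2048-bit RSA key


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 mask generation function (RFC 8017 B.2.1)."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def pss_encode(m_hash: bytes, em_bits: int, salt: bytes,
               hash_name: str = "sha256") -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) applied to a raw digest, i.e. the
    padding step that precedes the RSA private-key operation when a raw digest
    is signed with rsa_padding_mode:pss. Returns the encoded message EM."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len:
        raise ValueError("digest length does not match the PSS hash")
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: salt too long for this key size")
    # H = Hash(0x00 * 8 || mHash || salt)
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    # DB = PS || 0x01 || salt, then masked with MGF1(H)
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # clear the leftmost 8*emLen - emBits bits so that EM < modulus
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"


def pss_verify(m_hash: bytes, em: bytes, em_bits: int, salt_len: int,
               hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); em is the RSA public-key operation's
    output. The verifier must know the expected salt length, which is why it
    is a parameter of the operation rather than something recovered from EM."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(m_hash) != h_len or len(em) != em_len:
        return False
    if em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


def salt_too_long_rejected(em_bits: int = EM_BITS_2048) -> bool:
    """The key size bounds the salt: a salt that does not fit is an encoding error."""
    try:
        pss_encode(SAMPLE_DIGEST, em_bits, bytes(300))
    except ValueError:
        return True
    return False
```

`pss_verify(SAMPLE_DIGEST, pss_encode(SAMPLE_DIGEST, EM_BITS_2048, SAMPLE_SALT), EM_BITS_2048, 32)` returns `True`, while the same encoding checked with `salt_len=20` returns `False`: the padding-string boundary is found in the wrong place, which is the behaviour behind OpenSSL's rsa_pss_saltlen option having to agree on both sides (or be set to "auto" on the verifier).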


Re: [openssl-users] Signing an XML file

2016-12-14 Thread Dr. Stephen Henson
On Wed, Dec 14, 2016, Salz, Rich wrote:

> > Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++ 
> > users?
> 
> Look at the apps/pkcs7.c file as a starting point.  Get the command line 
> doing what you want, and then work through the code to pull out only the bits 
> you need.
> 

Actually smime.c is the utility you want for PKCS#7. Alternatively cms.c if
you want CMS (the successor to PKCS#7).

Those though are general purpose utilities which do all sorts of things which
most applications don't care about. There are some demos in demos/smime and
demos/cms which are much simpler.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-29 Thread Dr. Stephen Henson
On Mon, Nov 28, 2016, Wim Lewis wrote:

> 
> However, I think the other half of my problem remains: if I'm putting
> another CMS object into a SignedData, AuthEnvelopedData, or other kind of
> wrapper, the OCTET STRING should contain the encoding of that object's
> structure (e.g. a BER-encoded AuthEnvelopedData, SignedData,
> ContentWithAttributes, etc. structure), not a ContentInfo *containing* that
> structure, right? How do I get OpenSSL to give me that encoded object
> without an enclosing ContentInfo?
> 

It's my understanding that the content should be a ContentInfo but I can't see
a definitive reference to this.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-25 Thread Dr. Stephen Henson
On Tue, Nov 22, 2016, Wim Lewis wrote:

> I'm trying to produce nested structures, like signed-enveloped-signed data. 
> This is explicitly described in the various RFCs, but I can't figure out how 
> to get OpenSSL to produce valid output, and I can't find any code examples of 
> doing this.
> 
> What I'm doing (which doesn't quite work) is this: first I create the inner 
> content using (e.g.) CMS_encrypt(), getting a CMS_ContentInfo structure. This 
> works correctly and if I write it out I get what I expect. Then I want to 
> create another CMS_ContentInfo, e.g. using CMS_sign(), which envelops the 
> first one. How do I cause the ContentInfo of the SignedData structure to be 
> the ContentInfo I obtained from CMS_encrypt()? The closest I can come is code 
> like this:
> 
> 
> CMS_ContentInfo *innerCms = ;// Create the inner CMS content.
> BIO *inbetween = BIO_new(BIO_s_mem());   // Write it to a buffer.
> i2d_CMS_bio(inbetween, innerCms);
> CMS_ContentInfo *outerCms = CMS_sign(cert, key, NULL, inbetween, 
> CMS_BINARY|CMS_PARTIAL|CMS_NOSMIMECAP);
> CMS_set1_eContentType(outerCms, OBJ_nid2obj(NID of innerCms));   // Set 
> the content-type
> CMS_final(outerCms, inbetween, NULL, CMS_BINARY|CMS_NOSMIMECAP); // 
> Finalize the CMS structure
> 
> (My actual code checks all the return values, but I left those off for 
> clarity.)
> 
> Unfortunately, this produces output like this:
> 
>ContentInfo {
>   contentType = :pkcs7-signedData;
>   content = SignedData {
>  ... various ...
>  contentInfo = ContentInfo {
> contentType = :pkcs7-envelopedData;
> content = [0] EXPLICIT OctetString{...}
>  }
>   }
> }
>  
> where the inner OCTET STRING contains *another* ContentInfo, which then 
> contains the nested object.
> 
> But from my understanding, the correct syntax for a nested CMS structure is 
> this:
> 
>ContentInfo {
>   contentType = :pkcs7-signedData;
>   content = SignedData {
>  ... various ...
>  contentInfo = ContentInfo {
> contentType = :pkcs7-envelopedData;
> content = [0] EXPLICIT EnvelopedData {
> ...fields of the EnvelopedData structure...
> }
>  }
>   }
> }
> 
> In other words, I have two extra, incorrect levels of encapsulation: the 
> OCTET STRING and the extra ContentInfo.
> 

Something like that did happen for PKCS#7 but the OCTET STRING encapsulation
is correct for CMS.

If you look in RFC5652:

SignedData ::= SEQUENCE {
    version CMSVersion,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encapContentInfo EncapsulatedContentInfo,
    certificates [0] IMPLICIT CertificateSet OPTIONAL,
    crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
    signerInfos SignerInfos }

The content is of type EncapsulatedContentInfo:

EncapsulatedContentInfo ::= SEQUENCE {
    eContentType ContentType,
    eContent [0] EXPLICIT OCTET STRING OPTIONAL }

ContentType ::= OBJECT IDENTIFIER

Here eContent is always an OCTET STRING if it is present.

It also says:

 eContent is the content itself, carried as an octet string.  The
 eContent need not be DER encoded.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
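
Both the X509_SIG/DigestInfo discussion in the RSA_method_set_sign thread above
and the eContent question in this thread come down to the same DER framing, so
here is one added example in pure Python that covers both; it is not OpenSSL
code and not from either thread. It encodes the DigestInfo that rsa_sign() (or
X509_SIG_getm plus X509_ALGOR_set0 with V_ASN1_NULL) produces, checks it the
way a PKCS#1 v1.5 verifier should (re-encode the expected structure and
compare, rather than parse the recovered block leniently), and then builds an
EncapsulatedContentInfo whose OCTET STRING eContent carries an inner
ContentInfo, peeling the layers back to show that the OCTET STRING is part of
the CMS syntax rather than an extra wrapper. The OIDs are the standard PKCS#7/CMS
and digest identifiers; the inner EnvelopedData body is a constructed
placeholder, not a real one.

```python
import hmac

# Universal and context-specific DER tags used below.
TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x04, 0x05, 0x06, 0x30
TAG_CTX0 = 0xA0   # [0] EXPLICIT (constructed, context-specific 0)

DIGEST_OIDS = {"sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1"}
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"


def der_len(n: int) -> bytes:
    """DER definite length: one byte below 128, else 0x8N plus N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(value)) + value


def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.append(arc & 0x7F)
        body += [g | 0x80 for g in reversed(groups[1:])] + [groups[0]]
    return tlv(TAG_OID, bytes(body))


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER element at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }, i.e. the
    X509_SIG built before PKCS#1 v1.5 padding; parameters are an explicit NULL."""
    alg_id = tlv(TAG_SEQUENCE, oid(DIGEST_OIDS[hash_name]) + tlv(TAG_NULL, b""))
    return tlv(TAG_SEQUENCE, alg_id + tlv(TAG_OCTET_STRING, digest))


def digest_info_matches(hash_name: str, digest: bytes, encoded: bytes) -> bool:
    """Verifier-side check: compare the whole expected encoding in constant time
    instead of walking untrusted DER with a lenient parser."""
    return hmac.compare_digest(digest_info(hash_name, digest), encoded)


def content_info(content_type: str, content: bytes) -> bytes:
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }"""
    return tlv(TAG_SEQUENCE, oid(content_type) + tlv(TAG_CTX0, content))


def encapsulated_content_info(e_content_type: str, e_content: bytes) -> bytes:
    """EncapsulatedContentInfo (RFC 5652 5.2): whatever eContentType names,
    eContent is an OCTET STRING around the raw bytes."""
    return tlv(TAG_SEQUENCE, oid(e_content_type)
               + tlv(TAG_CTX0, tlv(TAG_OCTET_STRING, e_content)))


def unwrap_e_content(encoded: bytes):
    """Return (eContentType as OID DER, inner bytes) from an
    EncapsulatedContentInfo, insisting on the OCTET STRING layer."""
    tag, seq, _ = read_tlv(encoded)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag, type_oid, pos = read_tlv(seq)
    tag0, ctx0, _ = read_tlv(seq, pos)
    if tag != TAG_OID or tag0 != TAG_CTX0:
        raise ValueError("malformed EncapsulatedContentInfo")
    tag, inner, _ = read_tlv(ctx0)
    if tag != TAG_OCTET_STRING:
        raise ValueError("eContent must be an OCTET STRING")
    return tlv(TAG_OID, type_oid), inner


def nested_cms_roundtrip() -> bool:
    """Signed-over-enveloped layering as in the thread, with a constructed
    placeholder EnvelopedData body (version 0 only), peeled back again."""
    inner_body = tlv(TAG_SEQUENCE, b"\x02\x01\x00")
    inner = content_info(ID_ENVELOPED_DATA, inner_body)   # what i2d_CMS_bio wrote
    encap = encapsulated_content_info(ID_ENVELOPED_DATA, inner)
    type_oid, payload = unwrap_e_content(encap)
    return type_oid == oid(ID_ENVELOPED_DATA) and payload == inner
```

`digest_info("sha256", d)` starts with the familiar 19-byte prefix `3031300d060960864801650304020105000420` followed by the 32-byte digest, and `nested_cms_roundtrip()` returns `True`: the bytes inside the OCTET STRING are exactly the inner ContentInfo that was written into it.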


Re: [openssl-users] SMIME signing with SHA1

2016-11-22 Thread Dr. Stephen Henson
On Tue, Nov 22, 2016, Harald Koch wrote:

> Hello,
> 
> I'm facing a critical situation in my application when creating a signed 
> SMIME message using SHA1 as message digest algorithm. In openSSL 1.0.2 (i.e. 
> 1.0.2h), the following command worked as expected:
> 
> /opt/openssl-1.0.2h/bin/openssl smime -sign -in original_message -signer 
> cert_key.pem -md sha1
> 
> The message output contains a header using sha1:
> 
> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; 
> micalg="sha1"; boundary="??7E9FFA1842442B7192D83A53D8D35C89"
> 
> 
> With openSSL 1.1.0c, I get a segmentation fault with the same command. Using 
> md5 or sha256 (or even not providing the parameter "-md", resulting in 
> sha256) the command works as expected. Trying to determine where the 
> segmentation fault happens, I used my C program to step through every function 
> call; it turns out that "SMIME_write_PKCS7" seems to be the critical 
> point.
> 
> I'm sure I'm using the correct LD_LIBRARY_PATH environment variable value 
> for every test in Linux. The platforms I tested are Linux 32bit & 64bit, Mac 
> OS 10.12.1. 
> 

It's a bug in OpenSSL 1.1.0. Fix is:

https://github.com/openssl/openssl/pull/1985

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] X25519 not listed in ecparam -list_curves

2016-11-14 Thread Dr. Stephen Henson
On Mon, Nov 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote:

> As "-list-curves" is not supposed to work here, what would be a good way to 
> tell if a given installation supports X25519?
> 

Well only OpenSSL 1.1.0 currently supports X25519. One way is to look at
the output of:

openssl list -public-key-algorithms

Though that command doesn't exist before OpenSSL 1.1.0. Alternatively just
generate a private key with:

openssl genpkey -algorithm X25519

Which will work in OpenSSL 1.1.0 but give an error in previous versions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] C++ : Extracting CRL from a PKCS12

2016-11-14 Thread Dr. Stephen Henson
On Wed, Nov 02, 2016, Richard Stanek wrote:

> My original requirements were to extract the user certificate, the
> private key, and the CAs.  For that I was using the call to
> PKCS12_parse(...).  This satisfied the original requirements.  Very
> easy to find, understand, and use.
> 
> The new requirements that I have are that I also need to extract a CRL
> from that PKCS12.  I see that there is a CRLBag defined in the IETF
> RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I
> know a CRL could exist inside a PKCS12.  I can't seem to find any API
> or C++ examples that extract a CRL from a PKSC12.
> 
> Is there an API, example code, or advice on how to extract a CRL from a 
> PKCS12?
> 

I've never come across a PKCS#12 file containing a CRL before: would it be
possible to send me a sample which obviously doesn't contain any important
private keys?

To answer your question, yes, it should be possible, but it is messy. You
need to parse the PKCS#12 file manually (see source to PKCS12_parse). In
the function parse_bag you add an extra case for NID_crlBag and call
PKCS12_SAFEBAG_get1_crl() on the bag; you should then get back an X509_CRL
pointer or NULL on error.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] X25519 not listed in ecparam -list_curves

2016-11-14 Thread Dr. Stephen Henson
On Fri, Nov 04, 2016, Viktor Jägersküpper wrote:

> Hi,
> 
> OpenSSL 1.1.0 implemented X25519. "openssl s_client -cipher kEECDH
> -curves X25519 -connect google.com:443" works as expected, and I get
> "Server Temp Key: X25519, 253 bits". But X25519 is not listed in the
> output of "openssl ecparam -list_curves" in version 1.1.0b (I use
> 1.1.0b-2 from Debian). Should it be listed there anyway?
> 

The ecparam operation lists curves supported by the EC* API. The X25519 curve
(for various reasons defined in the standards) is treated as a distinct
algorithm so it is not listed by ecparam.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-11 Thread Dr. Stephen Henson
On Mon, Oct 10, 2016, Matthew Heimlich wrote:

> $openssl version
> 
> returns:
> 
> OpenSSL 1.0.2j-fips
> 
> My FIPS module version is openssl-fips-2.0.13
> 
> $OPENSSL_FIPS=1 openssl md5 /dev/null
> 
> returns:
> 
> Error setting digest md5
> 140066569107136:error:060A80A3:digital envelope 
> routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
> 
> $OPENSSL_FIPS=1 openssl sha1 /dev/null
> 
> returns:
> 
> SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709
> 
> So that appears to be working correctly.
> 

Can you give more details of the steps you are using to link your application?

If you're linking to the OpenSSL shared libraries then you don't need to use
fipsld at all. I'd suggest you try that as a first step and see if your
application works.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Porting to OpenSSL 1.1

2016-10-11 Thread Dr. Stephen Henson
On Tue, Oct 11, 2016, Bernhard Rosenkraenzer wrote:

> 
> 
> Also from Qt 5.7:
> rsa = RSA_new();
> memcpy(rsa, EVP_PKEY_get1_RSA(pkey), sizeof(RSA));
> [breaks because sizeof(RSA) is no longer known]
> for EC, there's EC_KEY_dup -- for RSA and DSA, not so much.
> 

That wouldn't work because the RSA structure contains pointers and you just
end up copying the "top level". Well it might appear to work but you could end
up accessing freed memory or leaking when the parent structure is freed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-10 Thread Dr. Stephen Henson
On Fri, Oct 07, 2016, Matthew Heimlich wrote:

> Which returns
> 
> 
> Attempting to set FIPS mode to 1...
> Last error was: 2d06b06f
> FIPS_mode_set failed: 2d06b06f
> FIPS mode is: 0
> 
> So it would appear that my FIPS mode is never even being set, and walking 
> through the code would seem to confirm this. In addition, the error code 
> doesn't seem to be present in the FIPS documentation, but errstr informs me 
> that it is
> 
> 
> error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match 
> nonpic relocated
> 
> Any tips on where to go from here?
> 

Which versions of the FIPS module and OpenSSL are you using?

In the FIPS capable OpenSSL try this:

OPENSSL_FIPS=1 openssl md5 /dev/null
OPENSSL_FIPS=1 openssl sha1 /dev/null

Please give details of any errors you get.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Linking FIPS 2.0.12 and OpenSSL 1.0.2f - "multiple definition of `bn_div_3_words"

2016-10-10 Thread Dr. Stephen Henson
On Fri, Oct 07, 2016, craig_we...@trendmicro.com wrote:

> I am trying to build a library of FIPS 2.0.12 and OpenSSL 1.0.2f for MIPS 
> architecture on vxWorks.  I am getting this error during the link step:
> 
> ../libcrypto.a(bn-mips.o)(.text+0x700): In function `bn_div_3_words':
> : multiple definition of `bn_div_3_words'
> /usr/local/src/w/branches/zorro/tos390_tls/vendor/openssl-fips-2.0.12_installation/lib//fipscanister.o(.text+0x321c0):
>  first defined here
> 
> I see that others have encountered this problem in the past, but I have found 
> no explanation or resolution.
> 

The FIPS module uses some source from regular OpenSSL. In order to avoid
duplicate symbol errors (like the one above) the ones in the FIPS module are
renamed to FIPS_symbol or fips_symbol.

Unfortunately some of these haven't been renamed on some of the less commonly
used platforms. The result is the error you see above.

We can't just change the symbol name in the FIPS module as that would require
a change letter and approval. What you can however do is rename the symbol in
regular OpenSSL. The way you do this is to change occurrences of
bn_div_3_words to ossl_bn_div_3_words and then recompile regular
OpenSSL with this change, without the "fips" option. The reason for this is
that you want to ensure you have renamed all the symbols in regular OpenSSL:
if you missed any you'll get a linker error.

Then you compile a FIPS capable OpenSSL and you shouldn't get a link error any
more.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] BN_mod_inverse:no inverse when calling OCSP_basic_sign

2016-10-05 Thread Dr. Stephen Henson
On Wed, Oct 05, 2016, Eric To wrote:

> 
> Any hint on troubleshooting this would be great. Here is how I call the
> OCSP_basic_sign:
> 
> OCSP_BASICRESP *bresp;
> X509 *signer;
> EVP_PKEY *key;
> ...
> OCSP_basic_sign(bresp,
> signer, key,
> EVP_sha1(),
> NULL, 0);
> 
> But getting the following error internally from OCSP_basic_sign:
> 
> OPENSSL ERROR: error:0306E06C:bignum routines:BN_mod_inverse:no inverse
> OPENSSL ERROR: error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP
> lib
> 

Where does the key come from? Try using the -check option to the rsa
utility to see if it is valid.

Steve.


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-20 Thread Dr. Stephen Henson
On Tue, Sep 20, 2016, Aleksandr Konstantinov wrote:

> Hello,
> 
> Thanks a lot. One more question if possible. Is there any way to express
> single element of the ASN1 sequence which can be any
> of ASN1_OCTET_STRING or ASN1_UTF8STRING and potentially other types?

That depends what you mean. If the supported types are well defined then you
can use the CHOICE construction.

If just about anything could go in the element then you can use ASN1_ANY which
encodes and decodes ASN1_TYPE.

Steve.


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-19 Thread Dr. Stephen Henson
On Mon, Sep 19, 2016, Aleksandr Konstantinov wrote:

> 
> Thanks. Your answer helped a lot and I'm progressing now. Could You please
> also give me a hint what M_ASN1_BIT_STRING_dup/ASN1_BIT_STRING_dup could be
> replaced with?
> 

ASN1_STRING_dup should work fine: ASN1_BIT_STRING is actually typedefed to
ASN1_STRING.

Steve.


Re: [openssl-users] SKM_ASN1_SET_OF_i2d

2016-09-13 Thread Dr. Stephen Henson
On Tue, Sep 13, 2016, Thomas Francis, Jr. wrote:

> What's the replacement for code that used SKM_ASN1_SET_OF_i2d in OpenSSL
> 1.1?  The code I've got that calls this function is getting the DER
> encoding of a STACK_OF() as a sorted SET.  This STACK_OF() is of a custom
> ASN1 type; and is a member of another structure that is also a custom ASN1
> structure.
> 
> The call looks like this:
> 
> int len = SKM_ASN1_SET_OF_i2d(structureName, containingStructure->member,
> NULL, i2d_structureName, V_ASN1_SET, V_ASN1_UNIVERSAL, IS_SET);*
> 
> 
> "structureName" is the typedef'd name of the C struct, which was also
> passed to the DEFINE_STACK_OF() and DECLARE_ASN1_FUNCTIONS() macros (in
> OpenSSL < 1.1, it's DECLARE_STACK_OF(), not DEFINE_STACK_OF() ).
> 
> "containingStructure" is a pointer to a C struct, and its member,
> "member" is of the type, STACK_OF(structureName).
> 

There isn't a precise equivalent but it looks like you need an i2d function to
encode as SET OF. You can do that.

First you need a typedef for the STACK_OF something like:

typedef STACK_OF(FOO) FOOS;

Then you create an ASN.1 ITEM template like this:

ASN1_ITEM_TEMPLATE(FOOS) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, foos, FOO)
ASN1_ITEM_TEMPLATE_END(FOOS)

You then add IMPLEMENT_ASN1_FUNCTIONS(FOOS) and DECLARE_ASN1_FUNCTIONS(FOOS).

This will produce new functions i2d_FOOS, d2i_FOOS, FOOS_new() and
FOOS_free() which should do what you want. If you don't want the new/free ones
you can use IMPLEMENT_ASN1_ENCODE_FUNCTIONS instead.

This is used in OpenSSL in a few places such as the implementation of
GeneralNames which is a SEQUENCE_OF GeneralName.

Steve.


Re: [openssl-users] Verifying RSA-SHA1 signature?

2016-09-12 Thread Dr. Stephen Henson
On Mon, Sep 12, 2016, Nikolay Kudryavtsev wrote:

> 
> Whenever I try to verify data signed with my own key, everything
> works. But for that data that I got from a third party nothing
> works. That third party is adamant that the signature is correct and
> it's RSA_SHA1, but they've been unwilling to explain the details on
> how they sign it and what they use to verify.
> 
> So what are the proper way of dealing with this?
> 

You can extract the expected digest using either rsautl or pkeyutl and the
public key. If that fails then there is a problem with either the key or the
format. If you can successfully extract the digest then you can try various
transformations on the input data in an attempt to get the same digest.

Steve.


Re: [openssl-users] openssl asn1parse using both -genstr and -genconf options

2016-09-10 Thread Dr. Stephen Henson
On Sat, Sep 10, 2016, shanthi thomas wrote:

> Hi, I'm trying to use openssl asn1parse subprogram to encode an ASN1
> structure. Some of the data in the ASN1 structure is static and I was
> planning to use a CONF file as shown in the examples for this via the
> -genconf option. However some of the data I need to pass via a command line
> argument for which I was planning to use the -genstr option. However, I'm
> not sure how to use both the -genstr and the -genconf in a single command. I
> couldn't find any examples of this either.  Can someone point me to any good
> examples on how to use both these options together?

While you can use -genstr and -genconf together their use is rather limited
and probably won't do what you want.

Instead I'd suggest passing values using environment variables and use the
config file environment variable options to include them in the appropriate
places.

Steve.


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-09 Thread Dr. Stephen Henson
On Fri, Sep 09, 2016, Aleksandr Konstantinov wrote:

> Hello,
> 
> Thanks for your answer. Here is one of d2i functions simplified:
> 
> MYEXT * d2i_MYEXT(MYEXT ** myext, unsigned char ** pp, long length) {
>   M_ASN1_D2I_vars(myext, MYEXT *, MYEXT_new);
>   M_ASN1_D2I_Init();
>   M_ASN1_D2I_start_sequence();
>   M_ASN1_D2I_get_EXP_opt(ret->intmember, d2i_ASN1_INTEGER, 1);
>   M_ASN1_D2I_get_opt(ret->intmember, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
>   M_ASN1_D2I_Finish(myext, MYEXT_free, ASN1_F_D2I_MYEXT);
> }
> 
> 

Presumably the two fields aren't the same? I'll call one intmember2 for
this example.

The above would translate to something like:

ASN1_SEQUENCE(MYEXT) = {
ASN1_EXP_OPT(MYEXT, intmember, ASN1_INTEGER, 1),
ASN1_OPT(MYEXT, intmember2, ASN1_INTEGER)
} ASN1_SEQUENCE_END(MYEXT)

IMPLEMENT_ASN1_FUNCTIONS(MYEXT)

Then you include:

DECLARE_ASN1_FUNCTIONS(MYEXT)

in a header file.

That generates four functions MYEXT_new(), MYEXT_free(), d2i_MYEXT() and 
i2d_MYEXT().

Steve.


Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0

2016-09-08 Thread Dr. Stephen Henson
On Thu, Sep 08, 2016, Aleksandr Konstantinov wrote:

> Hello all,
> 
> I'm in process of porting our project to OpenSSL 1.1.0. We have part of
> code which heavily uses M_ASN1_D2I_* and M_ASN1_I2D_* for defining d2i_*
> and i2d_* methods for new extension. For example code uses M_ASN1_D2I_vars,
> M_ASN1_D2I_Init and M_ASN1_D2I_start_sequence to start reading sequence of
> items and then proceeds with M_ASN1_D2I_get_* for content of the
> sequence. Could please anybody advise what would be proper replacement for
> those macros in OpenSSL 1.1.0? Is there any new API for such things? Or
> shall one do raw byte banging?
> 

Those old macros were updated way back in OpenSSL 0.9.7 and finally retired in
OpenSSL 1.1.0.

You need to write an appropriate ASN.1 module to encode and decode your
structure. There are many examples of this such as in crypto/cms/cms_asn1.c
and some much simpler ones in crypto/x509v3 which are perhaps better suited to
your needs.

They use macros which start with ASN1_SEQUENCE*

Is it possible to look at your old code? Then I could give some more specific
pointers.

Steve.


Re: [openssl-users] Using RSA_PKCS1_OAEP_PADDING with high level EVP_Seal functions

2016-09-08 Thread Dr. Stephen Henson
On Wed, Sep 07, 2016, Daniel Knoppel wrote:

> Dear all,
> 
> I was wondering about two things:
> 
> 1. Can the EVP_Seal*() functions be told to use RSA_PKCS1_OAEP_PADDING,
> or do I need to stick with the lower level RSA_public_encrypt()?
> 
> >From the source code it seems to me that RSA_PKCS1_PADDING is hardcoded
> because EVP_SealInit() [1] calls EVP_PKEY_encrypt_old() [2], which in
> turn has the line with hardcoded padding:
> 
> ret = RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk),
> RSA_PKCS1_PADDING);
> 

EVP_Seal*() is an old function hard coded to use RSA_PKCS1_PADDING as you've
observed.

You don't need to use the low level RSA_public_encrypt() function for
OAEP. Instead use the EVP_PKEY APIs EVP_PKEY_encrypt() and EVP_PKEY_decrypt()
with the padding mode modified and appropriate parameters set.

Steve.


Re: [openssl-users] Obtaining PKCS7 data length

2016-09-02 Thread Dr. Stephen Henson
On Tue, Aug 30, 2016, David wrote:

> Hi,
> 
> I have some PKCS7 data which I can read like this with OpenSSL:
> 
> $ openssl asn1parse -i -inform der -in data.dat
> 0:d=0  hl=4 l=16208 cons: SEQUENCE
> 4:d=1  hl=2 l=9 prim:  OBJECT:pkcs7-signedData
> .. more ..
> 
> I can load it in code like so:
> 
> // buf contains the raw data, len the length
> BIO *bio = BIO_new_mem_buf(buf, len);
> 
> PKCS7 *pkcs7 = d2i_PKCS7_bio(bio, NULL);
> if (!pkcs7) {
> // die
> }
> printf("Success!");
> 
> This works fine and I can successfully obtain signer information etc.
> However I'd like to obtain the length value as parsed from the input
> data. In my example this was 16208, seen in the second line of the ASN1
> output.
> 
> I noticed there is a length attribute to the PKCS7 structure (see
> include/openssl/pkcs7.h) but pkcs7->length is always zero when I print it.
> 
> How can I obtain the length of the overall sequence which contains PKCS7
> signed data?  This is important because the length I already have may be
> longer than the actual PKCS7 data.
> 

I'm curious: why do you want that information?

If you want the entire length of the parsed data you can use d2i_PKCS7() to
parse the buffer: the passed pointer is then incremented to immediately follow
the PKCS7 structure. You can then get the length by subtracting the
start of the buffer.

If you want the length of the initial SEQUENCE then this data is handled
automatically by the parser and isn't directly available. You can use an ASN.1
function such as ASN1_get_object() to obtain it. However this won't always be
what you want: if the PKCS#7 structure used indefinite length constructed
encoding then you won't get anything useful.

Steve.
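As an added illustration (not code from the thread or from OpenSSL), here is the difference between the two lengths Steve describes, in pure Python over constructed DER/BER samples: the encoded length from a plain header read, which does not exist for an indefinite-length encoding, and the total size of the outer object, which the walk below recovers in both cases. The sample blobs are constructed stand-ins and not real PKCS#7.

```python
from typing import Optional, Tuple


def read_header(buf: bytes, pos: int = 0) -> Tuple[int, bool, Optional[int], int]:
    """Parse one BER/DER identifier and length starting at pos.

    Returns (first tag octet, constructed?, content length or None when the
    length is indefinite, offset of the first content octet)."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    pos += 1
    if tag & 0x1F == 0x1F:  # high-tag-number form: continue while bit 8 is set
        while True:
            if pos >= len(buf):
                raise ValueError("truncated: tag number")
            pos += 1
            if not buf[pos - 1] & 0x80:
                break
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first == 0x80:  # indefinite form: contents end with 00 00
        return tag, constructed, None, pos
    if first & 0x80:  # long form: the next (first & 0x7F) octets hold the length
        n = first & 0x7F
        if n == 0x7F or pos + n > len(buf):
            raise ValueError("bad long-form length")
        return tag, constructed, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, constructed, first, pos


def object_end(buf: bytes, pos: int = 0) -> int:
    """Offset just past the object at pos. Definite lengths come from the
    header; an indefinite-length construction is walked element by element
    until its end-of-contents octets, which a bare header read cannot give."""
    tag, constructed, length, start = read_header(buf, pos)
    if length is not None:
        end = start + length
        if end > len(buf):
            raise ValueError("object runs past the end of the buffer")
        return end
    if not constructed:
        raise ValueError("indefinite length is only legal on constructed encodings")
    cur = start
    while True:
        if cur + 2 > len(buf):
            raise ValueError("missing end-of-contents octets")
        if buf[cur] == 0 and buf[cur + 1] == 0:
            return cur + 2
        cur = object_end(buf, cur)


def pkcs7_total_length(buf: bytes) -> int:
    """Bytes occupied by the outer SEQUENCE at offset 0, ignoring trailing
    data: the figure d2i_PKCS7() yields through its advanced input pointer."""
    tag, _, _, _ = read_header(buf, 0)
    if tag != 0x30:
        raise ValueError("outer object is not a SEQUENCE")
    return object_end(buf, 0)


def declared_length(buf: bytes) -> Optional[int]:
    """The 'l=' value asn1parse prints for the outer object, or None when the
    encoding is indefinite-length and no such value exists."""
    return read_header(buf, 0)[2]


# constructed samples: SEQUENCE { OID pkcs7-signedData, [0] { INTEGER 1 } } + junk
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
TRAILER = b"<unrelated trailing bytes>"
DEFINITE = b"\x30\x10" + OID_PKCS7_SIGNED_DATA + b"\xa0\x03\x02\x01\x01" + TRAILER
INDEFINITE = (b"\x30\x80" + OID_PKCS7_SIGNED_DATA + b"\xa0\x80" + b"\x02\x01\x01"
              + b"\x00\x00" + b"\x00\x00" + TRAILER)

if __name__ == "__main__":
    print(declared_length(DEFINITE), pkcs7_total_length(DEFINITE))      # 16 18
    print(declared_length(INDEFINITE), pkcs7_total_length(INDEFINITE))  # None 22
```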


Re: [openssl-users] RSA sign using SHA256 with mgf1 padding

2016-09-02 Thread Dr. Stephen Henson
On Mon, Aug 29, 2016, Moshe Wiener (mowiener) wrote:

> Hello,
> I'm running an application which runs an authentication session with a
> server. The server provides some random data, and my application needs to
> sign it with its private key, and send back the signature. The server which
> knows the public key verifies the signature, and if good then the client
> which runs my application is authenticated.
> This session used to run OK, until the server was changed so instead of using
> PKCS#1_v1.5 now it uses PKCS#1_v2.1
> Now, the server uses signature algorithm of SHA256 WITH RSA AND MGF1.
> In my application I use OpenSSL.
> I think that I need to use 'RSA_padding_add_PKCS1_OAEP_mgf1' but couldn't
> figure out what to put in each of its arguments.
> Is there somewhere a sample code which implements RSA signature with mgf1
> padding and a SHA256 hash?

While you can call the low level RSA padding functions directly that is not
recommended.

You should instead use the EVP functions to sign the data with the padding
mode switched to PSS.

In outline:

Call EVP_DigestSignInit(), set digest, and key and get the EVP_PKEY_CTX
associated with the operation.

Use the EVP_PKEY_CTX to change the padding mode to PSS. You do this with:
EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING).

(optional) use the EVP_PKEY_CTX to change other parameters such as the salt
length.

Call EVP_DigestSignUpdate() with the data to be hashed.

Obtain the signature with EVP_DigestSignFinal().

If that isn't clear I can come up with some sample code.

Steve.


Re: [openssl-users] EVP_SealInit question

2016-08-15 Thread Dr. Stephen Henson
On Mon, Aug 15, 2016, Norm Green wrote:

> Ok, thanks.
> 
> What I don't understand is what key transport has to do with
> EVP_SealInit() ?  Why is key transport important here ?
> 

Because EVP_SealInit() generates a random symmetric key and encrypts it using
one or more public keys. For this to work the public key algorithm has to
support encryption of the symmetric key using a public key aka key transport.

Of the public key algorithms OpenSSL currently implements only RSA has that
operation.

Steve.


Re: [openssl-users] EVP_SealInit question

2016-08-15 Thread Dr. Stephen Henson
On Mon, Aug 15, 2016, Norm Green wrote:

> The man page for EVP_SealInit says:
> 
> "The public key must be RSA because it is the only OpenSSL public
> key algorithm that supports key transport."
> 
> 1 ) Is this still true?

Yes: the only algorithm we currently support which handles key transport is
RSA.

> 2) Will this restriction change now that RSA key transport is being
> dropped from TLS 1.3 (or so I've read...)?
> 

Don't understand. The algorithm limitation has nothing to do with TLS
restrictions.

Steve.


Re: [openssl-users] additional data (MAC'ed only) over TLS connection?

2016-08-15 Thread Dr. Stephen Henson
On Mon, Aug 15, 2016, Thomas Knauth wrote:

> Hi list,
> 
> the EVP_EncryptUpdate function has the option to pass data that is
> only MAC'ed but not encrypted. Is there some similar provision in the
> BIO interface? I have a use case, where I'd like to "inject"
> pre-encrypted/pre-mac'ed data into a TLS stream. Any suggestion on a
> low-effort way to do this?
> 

In the BIO interface as such, no.

However you can retrieve the EVP_CIPHER_CTX associated with the BIO and handle
things that way.

Steve.


Re: [openssl-users] BIO_seek() on bio_f_cipher with EVP_aes_256_ctr

2016-08-11 Thread Dr. Stephen Henson
On Thu, Aug 11, 2016, William King wrote:

> 
> 
> Does the BIO_seek() not handle incrementing or decrementing the IV
> counter? is there a callback that needs to be set to calculate what the
> IV counter value should be for a given file position for the cipher?
> 

Calling BIO_seek() on a chain of BIOs can have unpredictable results
especially if any of them buffer data or have internal state.

I'd suggest you use the cipher directly instead of through a cipher BIO.

Steve.


Re: [openssl-users] Migration from AES_ctr128_encrypt to EVP

2016-08-08 Thread Dr. Stephen Henson
On Mon, Aug 08, 2016, Vladimir A. Petrov wrote:

> Hello,
> 
> I need to migrate some code from the old style software implemented
> AES_ctr128_encrypt to the EVP interface. I spent pretty much time reading
> OpenSSL manual pages and Wiki as well as googling. Unfortunately, I still
> can't get an idea how to migrate from these AES_* functions to the API
> provided by EVP. The closest info that I found is the proposal made by Dr
> Stephen N. Henson (
> https://mta.openssl.org/pipermail/openssl-users/2015-March/000776.html) to
> switch to EVP_aes_128_ctr, but there is no such 'ctr' mode in EVP for AES.
> 
> 

I'm not sure what you mean by "but there is no such 'ctr' mode in EVP for
AES": can you clarify?

Steve.


Re: [openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?

2016-08-02 Thread Dr. Stephen Henson
On Tue, Aug 02, 2016, jonetsu wrote:

> FIPS: Need to use FIPS versions of (EVP) methods ?
> 
> In FIPS mode, is there a need to use the FIPS_* methods instead of the
> regular ones once FIPS_mode_set(1) was successfully executed ?  For
> instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1()
> ?  Wouldn't the FIPS version of EVP_sha1() be used automatically when
> in FIPS mode ?
> 

The FIPS implementation of sha1 is automatically used in FIPS mode yes. You
shouldn't use FIPS_evp_sha1() etc.

Steve.


Re: [openssl-users] overload engine for openssl dgst -sign

2016-08-01 Thread Dr. Stephen Henson
On Mon, Aug 01, 2016, Syed Elec wrote:

> Hi everyone,
> 
> I'm currently working on an engine and I have a question about 'overload'
> the openssl dgst -sign ... command line using this engine.
> 
> I can overload the openssl dgst only (for digests) using ENGINE_set_digests
> but how overload the whole command openssl dgst -sign
> 
> for example :
> openssl dgst -md5 -binary -engine myengine -keyform engine -sign key.pem
> -out dgst.sig file
> 

You need to provide support for the appropriate public key algorithm e.g. an
RSA_METHOD. This can either be for general purpose acceleration of a key
specific method which is used only for keys loaded from that ENGINE.

Steve.


Re: [openssl-users] different encrypted text for the same plain text message

2016-07-30 Thread Dr. Stephen Henson
On Sat, Jul 30, 2016, R-D intern wrote:

> Thank you,  Stephen. 
> You answered regarding randomness in different sessions if session
> resumption is on. But my question revolves around the same messages within
> the same Session. How different encrypted texts are formed of the same
> plaintext between a client -server? 
> Is it only the iv changes or the MAC,  BULK encryption keys as well? 
> 

That has already been answered: only the IV changes. The technique used
depends on the version of TLS/SSL. There is also some additional data put
through the MAC which depends on the record sequence number. So even with the
same application data different data is MACed.

Steve.


Re: [openssl-users] different encrypted text for the same plain text message

2016-07-29 Thread Dr. Stephen Henson
On Fri, Jul 29, 2016, R-D intern wrote:

> Hello Benjamin,
> Thanks for the reply.
> I know the purpose and benefit of creating different cipher texts of the
> same corresponding plain text.But I would like to know about the places
> where this randomness gets introduced to create different encrypted
> texts.Because SSL handshake takes place only once. After creation of  pre
> secret key(for an entire session) at both the client and the server ends,
> master key is created based on pre secret key, identifier label, client and
> server random numbers which is again maintained for an entire session . The
> master key is responsible for creating MAC key, bulk encryption key and IV
> for client - server  read - write.  If the bulk encryption key (which is
> responsible for encrypting the message ) for an entire session is fixed and
> constant, then how is the encrypted text different?

The master key along with client and server random values is used to derive
the session keys. That is the random values from the current session. So if
you resume a session the master key is the same but the random values differ
and so the session keys are different too.

Steve.


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread Dr. Stephen Henson
On Wed, Jul 27, 2016, john gloster wrote:

> Thanks Victor.
> 
> Could you explain the reason in below cases? These are in cases when we use
> both the APIs as mentioned above.
> 
> cert_file : Server's certificate
> chain_file: Complete certificate chain; starting with Server's certificate,
> followed by intermediate CA certificate and ending with Root CA certificate
> 
> 
> Scenario 1 - Failing case
> 
> SSL_CTX_use_certificate_file() : Loaded cert_file
> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
> 
> Test: When tried to connect to the server, only Server's certificate and
> Root CA certificate were presented in the CERTIFICATE message of the
> handshake; intermediate CA certificates were missing.
> 
> 

Do you get an error from either function? Do you get the same behaviour if you
omit SSL_CTX_use_certificate_chain_file()?

Steve.


Re: [openssl-users] PKCS7_sign conflict with PKCS7_decrypt?

2016-07-26 Thread Dr. Stephen Henson
On Tue, Jul 26, 2016, Jim Carroll wrote:

> After experimenting, I can confirm this is the same issue we're seeing,
> although experiencing it very differently from the MIT/Kerberos team.  I can
> confirm that right now PKCS7 sign/encrypt/decrypt is broken. I'd love to
> help fix it, but I'm not yet up to speed on bio_enc.c and evp_enc.c. For
> now, I think wait for a fix is the best approach. 
> 
> What is the accepted way for "the great unwashed" to follow tickets?  I got
> into the ticket system as a guest, but as guest I can't asked to be notified
> about status updates.  Is there a process to request a full account on
> rt.openssl.org?
> 
> Once the fix is ready, I'll submit a unittest to help with regression
> testing PKCS7 sign-encrypt-decrypt-verify. 
> 

A fix is currently being reviewed. It includes a test. It just happens that
the standard CMS/PKCS#7 tests use a very short content length. If it is a
little longer they trigger the bug.

Steve.


Re: [openssl-users] PKCS7_sign conflict with PKCS7_decrypt?

2016-07-26 Thread Dr. Stephen Henson
On Tue, Jul 26, 2016, Jim Carroll wrote:

> Steve -- thanks, but I don't think I was clear enough. 
> 
> I am trying to get back the signed content, but when I call PKCS7_decrypt()
> I get back an empty buffer.  Is this my flawed understanding of
> PKCS7_sign()?  Is there some other way to get back the original signed
> content that I'm missing?
> 

That is the overlapping buffers bug (ticket 4628). I suggest you try pre5
instead of the current master or wait for this bug to be fixed 

Steve.


Re: [openssl-users] X509 Version changes?

2016-07-26 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Jim Carroll wrote:

> I've run into what appears to be a change to defaults between 0.9.8 and
> 1.1.0, and I wanted to make sure it's not a bug we've introduced. 
> 
> While reviewing unittests, we see that calls to X509_REQ_new() generate an
> X509 object with the version set to -1.  When we write this object to a PEM
> file and read it back, the version is set then set to 0.  Is this expected
> (GIGO) behavior?
> 

Can you give a few more details about how you are doing this?

Steve.


Re: [openssl-users] PKCS7_sign conflict with PKCS7_decrypt?

2016-07-26 Thread Dr. Stephen Henson
On Tue, Jul 26, 2016, Jim Carroll wrote:

> Running into trouble -- any attempt to PKCS7_decrypt() S/MIME content that
> was created with PKCS7_sign()+PKCS7_encrypt() yields an empty result set.  I
> have the distinct impression I'm doing something dumb -- but several days of
> debugging I'm completely stuck.
> 
> I've created an MVCE and included it below. The code was built and run on
> Windows 8.1 Pro, Visual C++ 2008 Express, using OpenSSL 1.1.0-pre6-dev
> (32-bit build).
> 
> Interesting point -- If I remove the PKCS7_sign() code, I have no problem
> encrypting and decrypting the content. I strongly suspect my issue has
> something to do with S/MIME headers interfering with encryption or
> decryption.  But that theory would suggest there's a bug in OpenSSL's S/MIME
> handling. I find that hard to swallow -- more likely I'm missing some sort
> of required flag.
> 

What you're doing is sign followed by encrypt which gives a signed message
within an encrypted one.

Then you just decrypt which ends up giving you the signed content back. So if
you want to process that you have to verify it first.

Note there is a bug in the current master which breaks CMS/PKCS#7 (overlapping
buffers check) so you'll have to either try an earlier version or wait for it
to be fixed.

Steve.


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Jim Carroll wrote:

> Steve,  
> 
> I ran into problems with swig when I tried to deploy you suggestion. Your
> solution was slick pre-processor magic's and I was having difficulty
> reversing the magic to troubleshoot swig (and I was a little shy about
> admitting I didn't understand your suggestion).
> 

Well there are various things going on underneath which can be hard to follow
if you aren't used to them. Here's a bit more detail about what is going on.

Initially we just include the necessary headers:

#include 
#include 

ASN.1 encode/decode routines generally use a structure name. We have
STACK_OF(X509) but no name for that so we can make one up which I call
SEQ_CERT:

typedef STACK_OF(X509) SEQ_CERT;

The next bit defines an ASN.1 module structure which says the SEQ_CERT is
a SEQUENCE OF X509:

ASN1_ITEM_TEMPLATE(SEQ_CERT) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
ASN1_ITEM_TEMPLATE_END(SEQ_CERT)

Here SEQ_CERT is the structure name which that macro defines as a SEQUENCE OF
X509. The "SeqCert" is just a string that is used as a name in the definition:
it can be anything.

Now that's all very well but it doesn't actually define any functions. The bit
that does that is this:

IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)

This implements four functions but we're only interested in the encode and
decode ones which look like this:

int i2d_SEQ_CERT(SEQ_CERT *a, unsigned char **pp);
SEQ_CERT *d2i_SEQ_CERT(SEQ_CERT **a, unsigned char **pp, long length);

These behave like regular ASN.1 functions you pass in SEQ_CERT: which is
STACK_OF(X509) to the i2d_SEQ_CERT and it encodes the result as a SEQUENCE
OF X509 which is the same format as the original.

Similarly you can decode using d2i_SEQ_CERT() and get back a STACK_OF(X509).

If you have this in a separate module you can declare the new functions (e.g.
in a header file) with:

DECLARE_ASN1_FUNCTIONS(SEQ_CERT)

Hope that helps. If you have any further problems let me know.

Steve.


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Jim Carroll wrote:

> 
> I ran into problems with swig when I tried to deploy you suggestion. Your
> solution was slick pre-processor magic's and I was having difficulty
> reversing the magic to troubleshoot swig (and I was a little shy about
> admitting I didn't understand your suggestion).
> 
> I've spent more time reading ASN1 headers since then, and I'm starting to
> get a glimmer of understanding of whats/what. I'm now circling back to your
> solution and I think I'm getting on top of the swig issue.
> 

I'd be interested in knowing more details of the swig problems you had. If it
helps you can just include my code snippet in a separate C source file and
then just use the i2d/d2i functions in the swig wrapper itself.

Steve.


Re: [openssl-users] Same openssl app behaves differently depending on platform

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Carl Heyendal wrote:

> I have an app that uses openssl to connect to a server on a different 
> machine. In one case on my Ubuntu machine the app has no problem getting a 
> secure connection. But when I recompile the same app for an embedded target 
> board and run it I get this error:
> 
> # ./client3 192.168.1.99
> Enter PEM pass phrase:
> connecting to 192.168.1.99:16001
> ** client3.c:77 Error connecting SSL object
> 1024:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:278:
> 1024:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2004:
> 
> The app uses the same private key and certificate in both cases.
> 

It could be a compiler bug on the embedded platform. Does it pass "make test"?

Have you tried it with optimisation turned off?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Thu, Jul 21, 2016, Salz, Rich wrote:

> 
> > /* sk_X509_* (capital X509) are the functions DEFINE_STACK_OF(X509) generates */
> > STACK_OF(X509)* stack = sk_X509_new_null();
> > sk_X509_push(stack, cert);
> > sk_X509_push(stack, ca);
> > 
> > return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
> 
> Okay, so your just pushing two DER-format blobs one after the other.
> Yes, what you thought to do is fine. :)

Actually that is including a SEQUENCE header and not just the DER blobs. So if
the result must be compatible with the original format the snippet I suggested
would be appropriate here.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-21 Thread Dr. Stephen Henson
On Wed, Jul 20, 2016, Jim Carroll wrote:

> Thanks much. I have a corollary question if you don't mind.  In OpenSSL
> 1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER?
> 

It depends on what you mean by "to DER" and what the other end is expecting.

The code snippet I suggested will do that: if you call i2d_SEQ_CERT (or
whatever you called it) that will work. That wraps the whole lot in a SEQUENCE
header which is the same as the original. That is, it is a SEQUENCE OF X509.

> Would it be acceptable to just iterate the stack elements, passing each X509
> through i2d_X509 and appending the results -- would that generate valid DER?
> Is there a better way?
> 

It depends on what the other side expects. If you just do that and EOF
signals the end of the last certificate you'll be fine. If you append
additional data afterwards then you need to mark the last certificate somehow.
The certificate sequence version prepends the data with the length of all the
certificates so it automatically handles that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
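The framing difference Steve describes (plain concatenation of i2d_X509 output versus the SEQUENCE OF wrapper with its own length header), as an added example that is my code, not from the thread or from OpenSSL: pure C with no libcrypto dependency, a hand-rolled DER TLV walker, and constructed toy TLVs standing in for real certificates. All function names are my own.

```c
#include <stdint.h>
#include <string.h>

/* Size of the TLV at in[0..in_len) (header + content), 0 if truncated or
 * malformed; *hdr receives the header length. Short and long-form lengths. */
size_t der_tlv_size(const uint8_t *in, size_t in_len, size_t *hdr) {
    if (in_len < 2) return 0;
    size_t hl = 2, clen = in[1];
    if (clen & 0x80) {                        /* long form: n length octets */
        size_t n = clen & 0x7f;
        if (n == 0 || n > sizeof(size_t) || in_len < 2 + n) return 0;
        for (clen = 0; hl < 2 + n; hl++) clen = (clen << 8) | in[hl];
    }
    if (clen > in_len - hl) return 0;         /* content runs past the buffer */
    if (hdr) *hdr = hl;
    return hl + clen;
}

/* Wrap already-encoded DER items in an outer SEQUENCE (tag 0x30): the framing
 * i2d_SEQ_CERT emits for a SEQUENCE OF X509. Returns total bytes written. */
size_t der_wrap_sequence(const uint8_t *items, size_t n, uint8_t *out) {
    size_t nb = 0;                            /* long-form length octets */
    if (n >= 0x80) for (size_t t = n; t; t >>= 8) nb++;
    out[0] = 0x30;
    out[1] = nb ? (uint8_t)(0x80 | nb) : (uint8_t)n;
    for (size_t i = 0; i < nb; i++)
        out[2 + i] = (uint8_t)(n >> (8 * (nb - 1 - i)));
    memcpy(out + 2 + nb, items, n);
    return 2 + nb + n;
}

/* "Just concatenate and rely on EOF": count TLVs until the buffer ends, so
 * anything appended after the certificates is counted too. -1 if malformed. */
int der_count_until_eof(const uint8_t *in, size_t in_len) {
    int count = 0;
    for (size_t pos = 0; pos < in_len; count++) {
        size_t sz = der_tlv_size(in + pos, in_len - pos, NULL);
        if (sz == 0) return -1;
        pos += sz;
    }
    return count;
}

/* SEQUENCE OF framing: the outer length bounds the walk, so trailing data
 * after the SEQUENCE is left untouched. -1 if not a well-formed SEQUENCE. */
int der_count_in_sequence(const uint8_t *in, size_t in_len) {
    size_t hl, sz = der_tlv_size(in, in_len, &hl);
    if (sz == 0 || in[0] != 0x30) return -1;
    return der_count_until_eof(in + hl, sz - hl);
}
```

With a trailer appended after the certificates, the SEQUENCE walker still reports the right count while the EOF-based walker counts the trailer as one more element.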


Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509

2016-07-19 Thread Dr. Stephen Henson
On Tue, Jul 19, 2016, Jim Carroll wrote:

> OpenSSL 1.1.0 has upgraded the safestack.h macro system, but I'm having
> difficulty understanding the changes. I'm porting a piece of code from
> OpenSSL 0.9.8 that uses ASN1_seq_unpack_X509. In 0.9.8, safestack.h had this
> definition.
> 
> #define ASN1_seq_unpack_X509(buf, len, d2i_func, free_func) \
>     SKM_ASN1_seq_unpack(X509, (buf), (len), (d2i_func), (free_func))
> 
> Could anyone point me in the right direction and how this needs to be
> adapted?
>  
> 

Ah, that uses some ancient stuff which is originally from OpenSSL 0.9.6. For
1.1.0 this has changed. You need to create a typedef for a STACK_OF(X509) and
then define ASN.1 functions for it for a SEQUENCE OF X509. That is a lot
easier than it sounds. This should do it:

#include <openssl/x509.h>   /* X509 and STACK_OF(X509) */
#include <openssl/asn1t.h>  /* ASN1_ITEM_TEMPLATE and the IMPLEMENT_ASN1_* macros */

typedef STACK_OF(X509) SEQ_CERT;

/* Encode a SEQ_CERT as SEQUENCE OF X509 */
ASN1_ITEM_TEMPLATE(SEQ_CERT) =
    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, SeqCert, X509)
ASN1_ITEM_TEMPLATE_END(SEQ_CERT)

/* Generates SEQ_CERT_new(), SEQ_CERT_free(), d2i_SEQ_CERT() and i2d_SEQ_CERT() */
IMPLEMENT_ASN1_FUNCTIONS(SEQ_CERT)

This defines a function d2i_SEQ_CERT() which replaces the original macro.

Note that this construct should also work in earlier versions of OpenSSL too
including 0.9.8.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] RSA sign message

2016-07-19 Thread Dr. Stephen Henson
On Tue, Jul 19, 2016, Gabriel Iva??cu wrote:

> Hi,
> 
> I need to RSA sign a message using SHA256 as hash and PKCS1 v1.5 as padding.
> 
> I am however confused about the *type* parameter of RSA_sign function [0]
> 
> What is the value that I should use for *type* in my particular case?
> 

If you want to hash and sign the hash you should use EVP functions such as
EVP_DigestSign*() instead. If you already have the hash you can
use RSA_sign() (though EVP_PKEY_sign() is preferred); the type parameter is
the NID of the digest algorithm, for SHA256 you use NID_sha256.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Regarding Signature Algorithm: ecdsa-with-SHA512

2016-07-17 Thread Dr. Stephen Henson
On Sun, Jul 17, 2016, Abhilash K.V wrote:

> I am trying to generate a CSR using EC and wanted to have signature
> algorithm as "ecdsa-with-SHA512".
> 
> But in the generated csr I am getting signature algorithms as "Signature
> Algorithm: ecdsa-with-SHA1" always.
> 
> 
> if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
> 

Don't use EVP_ecdsa(): it is an old "linked digest" which uses SHA1 and is only
retained for compatibility with old code. Use EVP_sha512() instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] EVP_get_digestbyobj fails for ecdsa-with-SHA256

2016-07-08 Thread Dr. Stephen Henson
On Thu, Jul 07, 2016, Chris Bare wrote:

> Ok, that makes sense with what I'm seeing. I just tried changing this:
> const EVP_MD* md = EVP_get_digestbyobj(sig_alg_oid);
> to this:
> const EVP_MD* md = EVP_get_digestbyname("SHA256");
> 
> and it all worked correctly.
> so given that I have an OID for ecdsa-with-SHA256, is there a function that
> will return just the digest algorithm?
> I'm trying to be as flexible as possible, so I don't want to hard code this
> or have my own limited lookup table.
> 

OBJ_find_sigid_algs(): you pass it the NID of the signature algorithm and it
returns the public key NID and the digest NID.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Unable to decrypt CMS object encrypted with EC prime256v1 certificate

2016-07-06 Thread Dr. Stephen Henson
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

> 
> While doing research on this, we found one thing that looks
> suspicious in the CMS objects generated by OpenSSL 1.0.2. When
> dumping the CMS object with dumpasn1, the key wrap algorithm is
> encoded as follows:
> 
> SEQUENCE {
>  OBJECT IDENTIFIER '1 3 132 1 11 3'
>  SEQUENCE {
>OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
>NULL
>}
>  }
> 

That's strange: I just tried OpenSSL 1.0.2 and the master branch and I don't
get a NULL in either case.

Also that algorithm isn't something you'd get by default with OpenSSL. Has it
been modified in some way?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Unable to decrypt CMS object encrypted with EC prime256v1 certificate

2016-07-06 Thread Dr. Stephen Henson
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

> On 06.07.16 at 05:15, Dr. Stephen Henson wrote:
> >...
> >>Is the CMS object broken, or is this a problem in OpenSSL?
> >>
> >
> >Well the OpenSSL version does interop OK with the Bouncy Castle version of
> >ECDH and CMS. I've checked through your test message and the problem is that
> >the AES unwrapping algorithm checks fail meaning it can't proceed any further.
> >That could be down to a CMS problem, an ECDH issue or a problem with the wrap
> >algorithm either in the version you are testing or OpenSSL.
> >
> >Is it possible to get any debugging information from the other version you are
> >using: for example the content encryption key it is expecting or the ECDH
> >shared secret?
> 
> I don't know whether that is possible, I will check.
> 
> >Have you tried generating a message with OpenSSL and decrypting it with the
> >other version?
> 
> Yes, the other version cannot decrypt the CMS object generated by
> OpenSSL. I did some tests with Bouncy Castle, and it also cannot
> decrypt the CMS object.
> 
> What might be interesting is that on the other hand Windows
> CryptoAPI is able to decrypt the CMS object (tested on Windows 10).
> 

Just to clarify: you're saying that neither this third party version nor
BouncyCastle can decrypt the OpenSSL generated CMS objects?

> While doing research on this, we found one thing that looks
> suspicious in the CMS objects generated by OpenSSL 1.0.2. When
> dumping the CMS object with dumpasn1, the key wrap algorithm is
> encoded as follows:
> 
> SEQUENCE {
>  OBJECT IDENTIFIER '1 3 132 1 11 3'
>  SEQUENCE {
>OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
>NULL
>}
>  }
> 
> Note the NULL parameter in the aes256-wrap algorithm identifier.
> Compare that to RFC 3565, "2.3.2.  AES CEK Wrap Process":
> 
> https://tools.ietf.org/html/rfc3565#section-2.3.2
> 
> "In all cases the parameters field MUST be absent."
> 
> Does this refer to the parameters field of the AlgorithmIdentifier
> of the AES key wrap algorithm? Then it would be incorrect to include
> the NULL here.
> 

I'll check. That looks like a bug as the code should be excluding the NULL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] How to turn on certain elements in CMS objects

2016-07-06 Thread Dr. Stephen Henson
On Wed, Jul 06, 2016, Stephan Mühlstrasser wrote:

> So do I understand it correctly that OpenSSL currently only supports
> RFC3278? Does that mean that it can't process CMS enveloped data
> objects that are created according to RFC5753?
> 

OpenSSL should be able to decrypt either RFC3278 or RFC5753 forms.

> In my other thread titled "Unable to decrypt CMS object encrypted
> with EC prime256v1 certificate" the CMS object that cannot be
> decrypted with OpenSSL does contain the EC parameters. Can that be
> related to the problem?
> 

It shouldn't affect OpenSSL's ability to decrypt the object as that
information is not used anywhere in the key derivation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] How to turn on certain elements in CMS objects

2016-07-06 Thread Dr. Stephen Henson
On Wed, Jul 06, 2016, Dr. Stephen Henson wrote:

> On Fri, Jul 01, 2016, Stephan Mühlstrasser wrote:
> 
> > 
> > First the AlgorithmIdentifier includes the EC curve name:
> > 
> >   40   19:   SEQUENCE {
> >   42    7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
> >   51    8:     OBJECT IDENTIFIER ansiX9p256r1 (1 2 840 10045 3 1 7)
> >          :     }
> > 
> > In CMS objects created with OpenSSL with the same recipient
> > certificate, the curve name is always omitted. Is it possible to
> > make OpenSSL emit the curve name as well?
> > 
> 
> No as this is a violation of the standards. From RFC3278:
> 
>   originator MUST be the alternative originatorKey.  The
>   originatorKey algorithm field MUST contain the id-ecPublicKey
>   object identifier (see Section 8.1) with NULL parameters.  The
>   originatorKey publicKey field MUST contain the DER-encoding of a
>   value of the ASN.1 type ECPoint (see Section 8.2), which
>   represents the sending agent's ephemeral EC public key.
> 

Correction... that is not allowed by RFC3278 but is allowed in RFC5753 but
OpenSSL doesn't currently generate that format. It's not clear what purpose it
serves as the EC parameters are specified in the recipient's key and
certificate anyway.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

