Re: RSA digital signature verification failure with openssl 1.1.0j

2019-07-16 Thread Ying
I found that if the signing and verification are both done by command line or
both done by API, the verification passes. But if they are mixed, it fails. Are
any default configurations different?





RSA digital signature verification failure with openssl 1.1.0j

2019-07-16 Thread Ying
I am working on upgrading my program, written 4 years ago, from openssl
version 1.0.1e to 1.1.0j. There are so many changes between the
two versions. I updated my code to the 1.1.0 API, but it failed and I cannot
figure out the reason.

The RSA key pair and message signature are generated with openssl command
line as follows,

key generation and cert generation
$ openssl req -new -keyout private/userkey.pem -out usercert-req.pem -config ./openssl.cnf
$ openssl ca -in usercert-req.pem -out newcerts/usercert.pem -days 180 -config ./openssl.cnf

Sign.
openssl dgst -sha256 -sign userkey.pem -out signature.binary msg
openssl dgst -hex -sha256 -sign userkey.pem -out signature.hex msg

//get public key from cert
openssl x509 -pubkey -noout -in usercert.pem > pubkey.pem

Verify
openssl dgst -sha256 -verify pubkey.pem -signature signature.binary msg

The result is verification OK

But I have to use the API to verify the signature in hex format, and the
result is verification failure. Can anyone help me figure out the
problem? The code first loads the certificate and retrieves the public key
from the certificate into an EVP_PKEY, then translates the hex digest (message)
to binary format, and uses
EVP_DigestVerifyInit/EVP_DigestVerifyUpdate/EVP_DigestVerifyFinal to
verify the signature.

It works in openssl 1.0.1e, and I tried to update the related functions in
the 1.1.0 version, but it still fails. Am I missing something in the new version?

This is the C code I am using:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/err.h>

int hex_to_bin(char ch)
{
    if ((ch >= '0') && (ch <= '9'))
        return ch - '0';
    if ((ch >= 'a') && (ch <= 'f'))
        return ch - 'a' + 0x0A;
    if ((ch >= 'A') && (ch <= 'F'))
        return ch - 'A' + 0x0A;
    return -1;
}


int hex2bin(unsigned char *dst, const char *src, unsigned count)
{
    while (count--) {
        int hi = hex_to_bin(*src++);
        int lo = hex_to_bin(*src++);

        if ((hi < 0) || (lo < 0))
            return -1;

        *dst++ = (hi << 4) | lo;
    }
    return 0;
}


int main() {

    FILE *fp;
    X509 *x509 = NULL;
    EVP_PKEY *pkey = NULL;
    unsigned char *sigbuf = NULL;
    unsigned char md[32];
    unsigned char *digest = NULL;

    unsigned int i, siglen = 0;

    siglen = 128;

    char line[siglen * 2 + 3];
    char *buf;
    int num = 0; //number of license


    const char cert_filestr[] = "./cert.pem";
    const char license_filename_str[] = "./signature";
    const char digest_filename_str[] = "./digest";

    //
    //load certificate and get pub key
    //
    //OpenSSL_add_all_algorithms();
    //ERR_load_crypto_strings();


    fp = fopen(cert_filestr, "r");
    if (!fp) {
        printf("Error opening certificate file \n");
        return -1;
    }
    x509 = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);

    pkey = X509_get_pubkey(x509);
    if (!pkey) {
        printf("Fail to create pkey!");
        return -1;
    }

    //
    //load license.info (digest)
    //
    fp = fopen(digest_filename_str, "r");
    if (!fp) {
        printf("Error opening digest file\n");
        return -1;
    }

    digest = (unsigned char*)malloc(64+10);
    //digest is re-pointed at line here; line is reused for the signature below
    digest = fgets(line, sizeof(line), fp);
    fclose(fp);

    //
    //load license.key (signature)
    //
    fp = fopen(license_filename_str, "r");
    if (!fp) {
        printf("Error opening license file \n");
        return -1;
    }

    //
    //change the signature format from Hex to Binary
    //
    unsigned int len = siglen;
    sigbuf = (unsigned char*)malloc(len);

    if ((buf = fgets(line, sizeof(line), fp)) != NULL) {
        printf("*Retrieved line of length %d :\n",
               (int)strlen(buf));
        printf("*signature**\n%s", buf);
        hex2bin(sigbuf, buf, siglen);
    }
    fclose(fp);

    //
    //verify signature
    //
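
An added example, not part of the original post or of OpenSSL: one way to decode the hex signature file without the hard-coded `siglen = 128`, so the decoded length can be compared with the key's modulus size (128 bytes for a 1024-bit RSA key, 256 for a 2048-bit one) before the verify calls. The names `parse_hex_signature` and `sig_len_matches_key` are made up for the example, and it assumes the line may carry a `NAME(file)= ` label before the hex digits, the layout `openssl dgst -hex` uses when printing a digest.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if ch is not a hex digit. */
static int hex_val(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/*
 * Decode one line of hex text into out[0..outcap).
 * Accepts an optional "LABEL= " prefix (assumed layout, see lead-in) and
 * trailing whitespace such as "\n" or "\r\n".
 * Returns the number of bytes decoded, or -1 on malformed input:
 * a non-hex character, an odd number of digits, no digits at all,
 * or more bytes than out can hold.
 */
long parse_hex_signature(const char *line, unsigned char *out, size_t outcap)
{
    const char *p = line;
    const char *eq = strrchr(line, '=');  /* hex never contains '=' */
    size_t n = 0;

    if (eq != NULL)
        p = eq + 1;
    while (*p == ' ' || *p == '\t')
        p++;

    while (*p != '\0' && !isspace((unsigned char)*p)) {
        int hi = hex_val(p[0]);
        /* p[0] is not NUL here, so p[1] is at worst the terminator */
        int lo = (hi >= 0) ? hex_val(p[1]) : -1;

        if (hi < 0 || lo < 0)
            return -1;              /* bad character or odd digit count */
        if (n == outcap)
            return -1;              /* caller's buffer is too small */
        out[n++] = (unsigned char)((hi << 4) | lo);
        p += 2;
    }

    /* Only whitespace may follow the run of hex digits. */
    for (; *p != '\0'; p++) {
        if (!isspace((unsigned char)*p))
            return -1;
    }
    return n > 0 ? (long)n : -1;
}

/*
 * An RSA signature is exactly as long as the key's modulus.
 * Returns 1 when the decoded length matches key_bits, else 0.
 */
int sig_len_matches_key(long sig_len, int key_bits)
{
    return sig_len > 0 && sig_len == (long)((key_bits + 7) / 8);
}

int main(void)
{
    /* Constructed sample input: 8 bytes of hex behind a dgst-style label. */
    const char *sample = "RSA-SHA256(msg)= 00ff10A0deadBEEF\n";
    unsigned char sig[512];
    long n = parse_hex_signature(sample, sig, sizeof(sig));

    printf("decoded %ld bytes, matches a 2048-bit key: %d\n",
           n, sig_len_matches_key(n, 2048));
    return n == 8 ? 0 : 1;
}
```
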

openssl 1.1 timeline

2012-06-19 Thread Xiao, Ying
Hi,

Just wonder what is the planned or expected date for the Openssl 1.1 release 
with the new SP 800-90 random number algorithms?

Thank you.

Ying 
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org



Re: RE: OpenSSL 1.0.1a

2012-04-25 Thread zhu qun-ying
This error has caught a lot of people; I think it deserves a new version
release to fix this bug. Or at least say on the web page that 1.0.1a is not
suitable for non-x86 platforms and offer the daily snapshot as a workaround.

 As on the website, 1.0.1a is the latest release, and it contains such a
fatal error; it seems it will damage the image of the project.

 
--
qun-ying


- Original Message -
 From: Peter Heimann heima...@web.de
 To: openssl-users@openssl.org
 Cc: Spence, Thomas CIV USAF AFDW 844 CS/SCOX thomas.spe...@pentagon.af.mil
 Sent: Wednesday, April 25, 2012 12:08:45 AM
 Subject: Re: RE: OpenSSL 1.0.1a
 
 On 01/-10/-28163 08:59 PM, Spence, Thomas CIV USAF AFDW 844 CS/SCOX wrote:
  I am using AIX 5.3 with gcc 4.3.5.
 
  ld: 0711-317 ERROR: Undefined symbol: OPENSSL_ia32cap_P
 
 I had the same problem with the file crypto/evp/e_rc4_hmac_md5.c.
 Linking on non-x86 hardware failed.
 Try to replace this file with a newer version from
 openssl-1.0.1-stable-SNAP-20120420.tar.gz (or a later snapshot).
 
 -- 
 Peter Heimann


would like to get some clarification on CVE-2011-4619

2012-04-02 Thread zhu qun-ying
Hi,

Regarding this  SGC-Restart DoS Attack (CVE-2011-4619), does it require the 
server to use the SGC certificate or it doesn't matter what kind of certificate 
is used by the server?

 
--
Qunying

Re: Why CVS?

2012-02-22 Thread Zhu Qun-Ying

Hi,

It seems there is an effort to provide a git repository:
http://repo.or.cz/w/mirror-openssl.git


Qunying


Should DTLS causing program abort when getting an incorrectly formatted fragment?

2011-10-12 Thread zhu qun-ying
Hi,

While working on DTLS, in d1_both.c:dtls1_get_message_fragment():787~866

There are calls to OPENSSL_assert (line 787):
    /* read handshake message header */
    i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire,
        DTLS1_HM_HEADER_LENGTH, 0);
    if (i <= 0) /* nbio, or an error */
        {
        s->rwstate=SSL_READING;
        *ok = 0;
        return i;
        }
    OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
...
and line 866:
    /* XDTLS:  an incorrectly formatted fragment should cause the
     * handshake to fail */
    OPENSSL_assert(i == (int)frag_len);

The two calls cause the program to abort when an incorrectly formatted fragment is
received.  Is it really so serious that a program restart is needed?

At the end of the function, there is an error label (line 904)
f_err:
    ssl3_send_alert(s,SSL3_AL_FATAL,al);
    s->init_num = 0;

    *ok=0;
    return(-1);
    }
The above two tests could goto f_err instead of aborting the whole program.


From a user point of view, the abort is not good; it is not such a fatal error
from my understanding.  Please enlighten me if I miss something.

--
qun-ying


About client certification verification

2011-06-01 Thread zhu qun-ying
Hi,

I would like to clarify if SSL server request client to send certification, and 
does not do the verification in OpenSSL (verification error is ignored, and 
certificate is verified somewhere else), will the client certificate still 
participate in the negotiation of keys?

Thanks

--
qun-ying


Re: where is the memory being held

2010-10-01 Thread zhu qun-ying
I found a solution without hacking into the library itself. Since my system is 
running glibc, I forced all mem request to use mmap with 
mallopt(M_MMAP_THRESHOLD, 0), which release the memory back to the system when 
free is called, testing shows so far so good.

 --
qun-ying



- Original Message 
 From: David Schwartz dav...@webmaster.com
 To: openssl-users@openssl.org
 Cc: Scott Neugroschl scot...@xypro.com
 Sent: Tue, September 28, 2010 3:08:48 PM
 Subject: Re: where is the memory being held
 
 On 9/27/2010 4:13 PM, Scott Neugroschl wrote:
  As David said, yes.
  On the other hand, you could re-implement malloc() and free() for your
  platform.
 
 There's really no way to make that help very much. It might help a little,
 but the fundamental problem is this:
 
 If you want to implement each 'malloc' so that a later 'free' can return the
 memory to the operating system, you can. But that requires rounding up even
 small allocations to at least a page, which increases your memory footprint.
 
 If you don't implement each 'malloc' that way, you still wind up with the
 problem that one small allocation that has not been freed in the middle of a
 bunch of larger allocations that have been freed prevents you from returning
 any of the memory used by the larger allocations to the operating system.
 
 Generally, what you need are algorithms designed for low memory footprint
 and a way to 'group' allocations that will tend to be freed as a unit (such as
 those related to a single SSL session) such that when they are all freed, the
 memory can be returned to the OS. OpenSSL simply is not designed this way.
 
 You could probably hack OpenSSL to pass a pointer to a session object to
 calls to malloc/free (perhaps using TSD) and use that TSD pointer as an
 allocation context. That might increase the chances that the whole allocation
 context is freed. It may even be sufficient (or at least helpful) just to hook
 all OpenSSL calls to malloc/free and process them from their own arena.
 
 DS
 


Re: where is the memory being held

2010-09-27 Thread zhu qun-ying
Does it mean that it is hard to change the behavior?
--
qun-ying


--- On Fri, 9/24/10, David Schwartz dav...@webmaster.com wrote:
 
 Sounds like OpenSSL wasn't what you wanted. OpenSSL is
 intended for use on general-purpose computers with virtual
 memory. It is not designed to return virtual memory to the
 system, which in your case means it won't return physical
 memory to the system. Ouch.
 
 DS
 





Re: where is the memory being held

2010-09-24 Thread zhu qun-ying
Hi,

I think I should clarify something here.  The app is running in a small device
that does not have virtual memory (no swap space) and the memory is limited
(256/512 M).  In peak connections, it may use up to 90% of the system memory,
and when connections go down, memory usage is not coming down.  This leaves
very little memory for other parts of the system, as this app is only a small
part of a bigger system. The memory usage is a big concern as it is always
running with the box.

So far, periodically restarting the app is not a good solution.

--
qun-ying

 This all seems normal. Virtual memory is not normally considered a
 scarce resource and unless the consumption is really absurd, it's not
 worth worrying about.
 
 Unless your virtual memory use grows linearly with constant load, it's
 generally not worth worrying about. If it grows in an exponentially
 decreasing way with constant load or grows linearly with increasing peak
 load, I wouldn't worry about it at all.
 
 DS
 


where is the memory being held

2010-09-23 Thread zhu qun-ying
Hi,

I have an SSL application that is supposed to run for a long time. After some
time of running, I found the memory usage is growing.  I stopped all SSL
connections and checked that all SSL * have been freed, but it could not release
the memory back to the system.

After some investigation, I found there is no memory leak, but it seems a lot of
memory cannot be released back to the system.  mtrace found that there is quite
a lot of fragmented memory being held by the SSL library.  I would like to know
what I could do to reduce the memory held by the SSL library after all
connections have been dropped?

I am handling the SSL session through share memory myself and that part of the 
memory is allocated from the start.

mallinfo() reports after some test and no connection for a while:

system bytes = 28271952
in use bytes =  1809184
non-inuse bytes  = 26462768
non-inuse chunks =   81
mmap regions =4
mmap bytes   =  1773568
Total (incl. mmap):
system bytes = 30045520
in use bytes =  3582752
releasable bytes =   462496

--
qun-ying




Re: TLSv1.2 in openssl

2009-07-14 Thread zhu qun-ying

If you just want to study it, gnutls has support TLS1.2, I suppose now most 
Linux distributions include it by default also.


--
qun-ying


--- On Tue, 7/14/09, Akos Vandra axo...@gmail.com wrote:

 From: Akos Vandra axo...@gmail.com
 Subject: Re: TLSv1.2 in openssl
 To: openssl-users@openssl.org
 Received: Tuesday, July 14, 2009, 1:52 AM
 I understand. I know this was intended
 as a hint, unfortunately I am but a student, so I cannot
 fund the project.
 
 So I suppose the latest version is TLSv1.0? Or is there
 support for TLSv1.1 also?
 
 Regards,
 
   Vandra Ákos
 
 
 
 2009/7/13 Dr. Stephen Henson st...@openssl.org
 
 On Mon, Jul 13, 2009, Akos Vandra wrote:
 
  Hello!
 
  How can I invoke openssl s_server and s_client so that they communicate in
  TLSv1.2 mode? I can see options only for -tls1, but I am currently
  studying/analyzing/implementing tls1.2, so I would need them to communicate
  with that protocol.
 
 Not currently supported by OpenSSL. Due to the need to pay the bills funded
 tasks take priority and nobody so far had offered to fund TLS v1.2 support.
 
 Steve.
 
 --
 
 Dr Stephen N. Henson. OpenSSL project core developer.
 
 Commercial tech support now available see: http://www.openssl.org
 


verifying CRL with critical extensions

2009-04-20 Thread zhu qun-ying

Hi,

May I know whether the current version of OpenSSL supports verification of CRLs
with critical extensions?  I am currently running 0.9.7m.

Thanks

--
qun-ying




IE could not connect to a chaine-cert's ssl server

2009-02-04 Thread zhu qun-ying
Hi,

I try to test out some chained certificates with web server. My setup is as 
follow:

my-cacert.pem == my ca certificate
level1.cert = my level1 certificate signed by my ca
level1.key = my level1's key file
level2.pem = my level2 certificate use as a server side certificate

ca.pem = include my-cacert.pem and level1.cert as a chained CA source for the 
sslserver.

I have installed my-cacert.pem into IE/firefox as trusted CA.

When using IE7 to connect, I always get Internet Explorer cannot display the 
webpage. and nothing happened.

When using firefox, it informs me that it is an invalid security certificate. 
The certificate is not trusted because the issuer certificate is unknown.

I would like to know is there anything wrong with my generated certificates?

Attached also the network capture for IE7 connection. It seems IE FIN the 
connection.

Server: Linux lighttpd 1.4.19
Client: Windows XP, IE7, firefox 3.0.3

Actually, I tried Apache 2.x also, same result.

Thanks for your help!

--
qun-ying



ca.pem
Description: Binary data


chained-cert.pcap
Description: Binary data


level1.cert
Description: Binary data


level1.key
Description: Binary data


level2.pem
Description: Binary data


my-cacert.pem
Description: Binary data


lighttpd.conf
Description: Binary data


RE: IE could not connect to a chaine-cert's ssl server

2009-02-04 Thread zhu qun-ying
Ah, I miss that one. Thanks.

--
qun-ying


--- On Wed, 2/4/09, Giang Nguyen cau...@hotmail.com wrote:

 From: Giang Nguyen cau...@hotmail.com
 Subject: RE: IE could not connect to a chaine-cert's ssl server
 To: openssl-users@openssl.org
 Received: Wednesday, February 4, 2009, 2:02 PM
 i think it's because your my-cacert.pem is
 not considered a CA: it has CA:FALSE
 
 arch [temp]$ openssl x509 -in my-cacert.pem
 arch [temp]$
 arch [temp]$ openssl x509 -in my-cacert.pem -text | grep
 -A1 Constra
 X509v3 Basic Constraints:
 CA:FALSE
 arch [temp]$
 
 the openssl verify command succeeds, but i think it's
 because it's more lenient
 (http://openssl.org/docs/apps/verify.html#)


Re: Time Diff?

2001-09-14 Thread zhu qun-ying



Averroes wrote:

 Hi all,
 
 Perhaps someone noticed this:
 
 When I create a certificate there is difference
 between system (OS) time and creation time of certificate.
 Approximately one hour.
 
 
 certificate info:
 Validity
 Not Before: Sep 14 09:57:24 2001 GMT
 Not After : Sep 13 09:57:24 2006 GMT

-- GMT time


 and immediately after signing:
 Fri Sep 14 10:58:32 BST 2001

   --- local time zone


 
 Any ideas?
 
 Regards
 





Re: JAVA/JNI Wrapper for OpenSSL.

2001-03-28 Thread qun-ying

what platform/compiler are you running? 
take note of the order you supply the library. move the -lcrypto to the
last of your link command may solve your problem.



Re: JAVA/JNI Wrapper for OpenSSL.

2001-03-28 Thread qun-ying

app_RAND_load_file() is not in the library. it is only a function used
in the openssl command tool. you can get the function definition in
apps/app_rand.c



Re: JAVA/JNI Wrapper for OpenSSL.

2001-03-28 Thread qun-ying

The Java thread dump gives a lot of unrelated information (I don't know
how to interpret it either). Try to insert a lot of debug prints in your
C code, find out exactly where it fails, and check every return code
from the OpenSSL library calls; from there it is much easier to find the
problem.



Re: Netscape 6.01 and SSL: crash?

2001-03-15 Thread zhu qun-ying

Don't use Netscape 6.01! Use Mozilla instead (latest milestone is 0.8). It is
much more stable and with features that Netscape does not have.
-- 
(~._.~)   s ^ (Qun-Ying) (65) 874-6643
 ( O )
()~*~()
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



RE: Message status - undeliverable

2001-01-11 Thread LI,YING (HP-Cupertino,ex1)

What happened?

Please stop this message!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 12:22 PM
To: [EMAIL PROTECTED]
Subject: Message status - undeliverable


The message that you sent was undeliverable to the following:
RShyamsundar



RE: Novell Spam

2001-01-11 Thread LI,YING (HP-Cupertino,ex1)

Could somebody help me stop this message?

thanks
Ying li

-Original Message-
From: Dale Peakall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 1:10 PM
To: [EMAIL PROTECTED]
Subject: Novell Spam


Would every subscriber in the U.S. please call Novell's toll free number:
1-800-453-1267
and ask to speak to D.N. Johnson about the spam on this list.

It's a disgrace that their software is so broken and is really getting on my
nerves.

I was going to forward every message I received back to [EMAIL PROTECTED]
but unfortunately outlooks mail filtering is just broken.  Perhaps, you
might like to
configure your systems to notify novell of the problem in this manner.





RE: Message status - undeliverable

2001-01-10 Thread LI,YING (HP-Cupertino,ex1)

This is a strange email. Why you send it to me?
Please don't send it again.
thanks
Ying Li

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 10, 2001 1:50 PM
To: [EMAIL PROTECTED]
Subject: Message status - undeliverable


The message that you sent was undeliverable to the following:
IMagesh



RE: Message status - undeliverable

2001-01-10 Thread LI,YING (HP-Cupertino,ex1)

Yes. I got the same message.
Could somebody tell me why?


-Original Message-
From: Jennifer Arden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 10, 2001 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: Message status - undeliverable


Can someone please take care of this.  This is annoying.  I have been
receiving this same message for at least fifty times

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 10, 2001 4:32 PM
To: [EMAIL PROTECTED]
Subject: Message status - undeliverable


The message that you sent was undeliverable to the following:
IMagesh




test certificate with full extensions

2001-01-03 Thread Wu Xiao Ying

Hi,

I'd like to see whether my program can read most of the certificate 
extensions (better in full implementation) defined in X.509 and PKIX.
Are there any samples available at any places?

Please email me privately. 
Thanks in advance.

Regards,
Xiaoying



Re: Installation problem with mingw32 on NT4 SP4

2000-12-13 Thread qun-ying

I used to get this kind of error. Active perl seems not working quite
well together with cygwin/mingw32. Try to get a perl version for cygwin.

QUERAN LOIC wrote:
 
 --- Received from   CMB.QUERALO 0298002339 13-12-00 10.29
 
 I try to install OpenSSL 0.9.6 with gcc 2.95.2, make 3.76.1 and Active Perl
 5.6.0 620 as indicated in install.w32.
 
 I obtain the following error message :
 "gcc: .cryptocryptlib.c: No such file or directory"
 although make issues "gcc -o tmp\cryptlib.o  -Ioutinc -Itmp -O3
 -fomit-frame-pointer -DDSO_WIN32  -c .\crypto\cryptlib.c" and crypto\cryptlib.c
 exists. Why can't it properly read the "\"s ?
 
 Thanks in advance for any help.



strange result from i2d_X509()

2000-11-27 Thread qun-ying

Hi,

I am trying to create a X509 certificate and store the result in a
memory location for later usage. But the result return from i2d_X509()
is wrong. I can get the correct result if I write the X509 structure
through either PEM_write_X509() or i2d_X509_bio().

I am running OpenSSL 0.9.6 under Slackware 7.1 with gcc 2.95.2.

The process:
X509 *x;
char *buffer;
int len;

. X509 contain a valid certificate
len = i2d_X509(x, NULL);
buffer = malloc(len);
len = i2d_X509(x, buffer);
...
The result in buffer is not correct.

Is anything wrong with the process?



Q: not understand the meaning of codes in apps/x509.c

2000-11-22 Thread qun-ying

Hi,

While going through the code in apps/x509.c, in line:979, function
x509_certify().

What does the 3 lines do? It seems useless for the upkey is free after
parameters being copied to? As
int EVP_PKEY_copy_parameters(EVP_PKEY *to,EVP_PKEY *from);
is defined as copy from the second argument to the first.

What are the normal sequences of function calls (roughly) to certify a
certificate request?

Thanks



signed after/before encryption?

2000-11-06 Thread zhu qun-ying

While normally the original data before encryption gets signed, what is the
effect of signing the encrypted data? In this form, the verification can take
place without decrypting the data. Any pros and cons of this method?

Thanks
-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6643
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



Re: signed after/before encryption?

2000-11-06 Thread zhu qun-ying

I am sorry for my unclear questions.

In a scenario that the signature is stored in PKCS#7 format which is encrypted
with the recipient's public key. While the data is encrypted with 3DES.

If the data are to be stored in its encryption form and only decrypted when its
in use, does the verification of encrypted data's signature have the same level
of security of the decrypted data's signature? The reason for this is that if
the data have been corrupted, there is no point to decrypt them.

-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6643
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



Re: Base64 in MIME file...is LF really required?

2000-10-22 Thread zhu qun-ying

After you create the base 64 BIO, set the following flag,
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
to parse the input without linefeed.

-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



Re: Private Keys and PKCS#12

2000-09-25 Thread zhu qun-ying



Marco Donati wrote:
  
 
 I generate the key, then use it to sign a certificate request (PKCS#10).
 The PKCS#10 is sent to a CA.
 When the certificate is issued by the CA it is downloaded (via LDAP) and
 stored into the original P12 with its key
 
 I need it in PKCS12 for compatibility with another application.
 

You may create a PKCS12 file without a cert. But I am not sure how well it works
regards with compatibility and not sure whether it will break anything. I
modified the origin p12_crt.c to remove the requiement of a cert. You can see
from the attached file that I just commented out the cert. related code.


-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]
 p12_crt.c


Re: Newbie question: Compiling OpenSSL under VC++ 6.0

2000-09-25 Thread zhu qun-ying

In your VC installation, you should be able to find a batch file under
C:\progra~1\micros~2\vc98\bin named "vcvars32.bat". Just run the batch
file at your DOS prompt; it will set up all the environment for you.

-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



BIO and proxy?

2000-09-13 Thread zhu qun-ying

Hi,

I have not dug into the source code yet, but I want to know how to use the proxy
support. Does it work transparently with web proxy servers, acting as a
tunnel for communication between two sites?

Thanks
-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )
()~*~()
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



Re: ??: RSA pri key storage format

2000-09-11 Thread zhu qun-ying



?? wrote:
>
> no default format.
> if you use openssl, pem is default. It is DER encode of your private key, then
> base64 it. with addition algorithm information, it became .pem file.
> PKCS is another format to store one's certificate of private key or crl. Not
> strange, often used by IE, Netscape. It can just store private key.
>
> The reason you lost your password in converting your private key file because
> you have not assign a algorithm and a password
>
But the default behavior of 'openssl rsa' is to output PBE only in PEM format;
for DER it is only the plain DER of the key. What are the common formats for
storing a private key? Is PKCS12 without a cert a practical way? Or use PKCS5?



how to make dynamic library for Linux

2000-09-09 Thread qun-ying

It seems OpenSSL only supports a dynamic library on Solaris systems and a DLL
under Windows. How do I make a dynamic library for Linux? Are there other
issues to take care of other than changing the relevant compile options?



PKCS7 usage?

2000-09-06 Thread zhu qun-ying

Hi All,

I am a little bit confused about the usage of the PKCS7_* functions.

If I have a file that needs to be signed and I want the signed data to be
separate from the file and stored elsewhere. I followed the sign.c example, but
got a little bit lost: should I get the digest using the EVP_digest*() functions
or just use the PKCS7_* functions? Which sequence should I follow?

For a sending and receiving scenario, is the X509 * the cert of the receiver,
and the EVP_PKEY * the sender's private key? (Referring to the signed.c example.)
Does the sender's cert also need to be included in the PKCS7?

-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )
()~*~()
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



Re: PKCS7 usage?

2000-09-06 Thread zhu qun-ying



Dr S N Henson wrote:
> Well it doesn't have to be a file. Any BIO will do.
>
> The S/MIME API doesn't currently have an init/update/final equivalent
> though.
>
I am facing a problem here: the decrypted data is stored in some strange format
(beyond my control), and I have to read the data into a buffer block by block
to verify the data. How do I set up such operations?

Regards
-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]



convert PKCS7 *p7 to DER string?

2000-09-06 Thread zhu qun-ying

Hi,

If I have the signature generated, how do I convert the p7 into a DER string
without writing out to a file? How do I know the size of the buffer to prepare?

Thanks
-- 
(~._.~)  朱 群 英  (Qun-Ying)  (65) 874-6743
 ( O )
()~*~()
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]