Unable to read DER encoded CRL (but able to read the file in windows) ?
I am getting the below error message when I try to read the CRL content.

19104:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294:
19104:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509_ALGOR
19104:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=sig_alg, Type=X509_CRL_INFO
19104:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=crl, Type=X509_CRL

--
View this message in context: http://old.nabble.com/Unable-to-read-DER-encoded-CRL-%28but-able-to-read-the-file-in-windows%29---tp33776779p33776779.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

How to get the Certificate Keyusage retire error ? (lCert->ex_kusage =0)
I am using OpenSSL version 0.9.8g. I convert the PEM certificate file to X509 format and try to read the key usage value.

Keyusage = lCertificate->ex_kusage;

Sometimes the key usage is 128, and sometimes it is 0 for the same certificate. Why does this problem occur?
what is ASN1_OCTET_STRING ?
I want to know what ASN1_OCTET_STRING is and how to convert it into a C++ string / char *.
RE: Java signature verification fail in openssl
My steps are:

1. Raw data, e.g. balamurugan.
2. I am calculating the hash for this data using sha256, which is 256 bits; to make it readable I convert this into a (32 to 64 byte) hex string, not hex represent. E.g. the hash string is a123sdf..., which is 64 characters.
3. Now I am giving this 64 character string into the RSA_sign() function with a 2048 RSA private key, and the input is a123sdf... (64 characters). NID_sha1()
4. The output is 256 characters (binary), which I encode into base 64...

Verification:

1. Decode the Base64 code.
2. Calculate the hash for the raw data using sha256, which results in 64 characters, e.g. (a123sdf.
3. Calling RSA_verify() with inputs hash string (a123sdf... 64 characters), NID_sha1(), RSA public key.

Are my steps right? If not, in which place am I doing wrong?

> m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
> sig->digest->data :?*?H?b9???A6w?(?
> Memcompare fail
> mLen :64
> sig->digest->length :20
>
> Assuming 'mLen' is the m_length/m_len passed to RSA_verify, it appears your digest-to-compare is 64 hex chars (32 bytes) while the digest specified by the signer is 20 bytes. It looks like you are computing the wrong hash, maybe SHA256 instead of SHA1, and also representing it wrongly.
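Added example, not part of the original thread or of OpenSSL's code: a stand-alone C reproduction of the comparison RSA_verify() makes between the digest carried in the signature's DigestInfo and the caller's m/m_len, showing why hex text can never match a 20-byte SHA-1 digest. SAMPLE_DI and RAW_SHA1 are constructed from SHA-1("abc"); `tlv` and `digestinfo_matches` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: raw SHA-1("abc") and the DigestInfo that a
 * SHA1withRSA signer places inside the padded signature block. */
static const unsigned char RAW_SHA1[20] = {
    0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
    0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d };
static const unsigned char SAMPLE_DI[] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14,
    0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
    0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d };
/* "m data" from the thread (64 hex characters), and SHA-1("abc") as hex text. */
static const char PAGE_M[] =
    "a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89";
static const char HEX_SHA1[] = "a9993e364706816aba3e25717850c26c9cd0d89d";

/* Read one DER TLV with a short-form length; enough for a DigestInfo. */
static int tlv(const unsigned char **p, size_t *left, unsigned char tag,
               const unsigned char **val, size_t *len)
{
    if (*left < 2 || (*p)[0] != tag) return 0;
    if ((*p)[1] >= 0x80 || (*p)[1] > *left - 2) return 0;
    *len = (*p)[1]; *val = *p + 2;
    *p += 2 + *len; *left -= 2 + *len;
    return 1;
}

/* Hypothetical helper: 1 = match, 0 = mismatch, -1 = not a DigestInfo. */
int digestinfo_matches(const unsigned char *di, size_t di_len,
                       const void *m, size_t m_len)
{
    const unsigned char *seq, *alg, *dig;
    size_t seq_len, alg_len, dig_len;
    if (!tlv(&di, &di_len, 0x30, &seq, &seq_len) || di_len) return -1;
    if (!tlv(&seq, &seq_len, 0x30, &alg, &alg_len)) return -1;
    if (!tlv(&seq, &seq_len, 0x04, &dig, &dig_len) || seq_len) return -1;
    /* Same test as the RSA_verify() line quoted in the thread. */
    return dig_len == m_len && memcmp(m, dig, m_len) == 0;
}

int main(void)
{
    size_t n = sizeof SAMPLE_DI;
    printf("64 hex chars: %d\n", digestinfo_matches(SAMPLE_DI, n, PAGE_M, 64));
    printf("40 hex chars: %d\n", digestinfo_matches(SAMPLE_DI, n, HEX_SHA1, 40));
    printf("20 raw bytes: %d\n", digestinfo_matches(SAMPLE_DI, n, RAW_SHA1, 20));
    return 0;
}
```

Only the 20 raw bytes match; the correct hash written as 40 hex characters fails on the length test just as the 64-character string does.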
Re: Java signature verification fail in openssl
Jeffrey Walton-3 wrote:
> On Tue, Oct 4, 2011 at 10:58 AM, brajan balamurugan@gmail.com wrote:
>> Hi, can anyone tell me why the signature verification in OpenSSL fails when the message is signed by Java IBM FIPS compliant? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error in the
>>
>> if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
>>
>> line of source code in RSA_verify(). The values are:
>>
>> m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
>> sig->digest->data :�*�H�b9���A6w�(�
>> Memcompare fail
>> mLen :64
>> sig->digest->length :20
>
> DSA? Java uses a DER encoded signature per RFC 3279:
>
> SEQUENCE ::= { r INTEGER, s INTEGER }
>
> Jeff

Hi Jeff, I didn't get what you are asking as DSA? I am using SHA1WithRSA in Java.
Re: Java signature verification fail in openssl
Jakob Bohm-7 wrote:
> On 10/4/2011 4:58 PM, brajan wrote:
>> Hi, can anyone tell me why the signature verification in OpenSSL fails when the message is signed by Java IBM FIPS compliant? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error in the
>>
>> if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
>>
>> line of source code in RSA_verify(). The values are:
>>
>> m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
>> sig->digest->data :�*�H�b9���A6w�(�
>> Memcompare fail
>> mLen :64
>> sig->digest->length :20
>>
>> Why is this happening? Is it due to the d2i_X509_SIG() function?
>
> Was the signature made with a different hash algorithm than the one you try to use to verify it?

While signing the message in Java they are using Sha1WithRSA, so I used RSA_verify with NID_sha1().
Java signature verification fail in openssl
Hi, can anyone tell me why the signature verification in OpenSSL fails when the message is signed by Java IBM FIPS compliant? I am using OpenSSL 0.9.8g on PowerPC. I am getting the error in the

if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))

line of source code in RSA_verify(). The values are:

m data :a12df146d87db3ce911e61444eed322bbd027a58cfa27ceec3626317ebe62f89
sig->digest->data :�*�H�b9���A6w�(�
Memcompare fail
mLen :64
sig->digest->length :20

Why is this happening? Is it due to the d2i_X509_SIG() function?
PEM_read_PublicKey API gives illegal instruction..
Hi, I installed openssl-fips 1.2 on openSUSE kernel 2.6.25.5-1.1-default, openSUSE version 11.1. I try to run the following code and I get an illegal instruction. I also need to know whether I installed FIPS 1.2 fully.

GDB output of my code:

27 FIPS_mode_set(1);
(gdb)
31 strcpy(msg,This is dapta ia bull shit why its not working to my program any give ne reason);
(gdb)
35 FILE *myfile = fopen(mykey_backup.pem, rb);
(gdb)
37 RSA *rsa = PEM_read_RSAPrivateKey(myfile,NULL, NULL, NULL); //reading key values from the file
(gdb)
39 signature = (unsigned char*) malloc(RSA_size(rsa));
(gdb)
41 if(RSA_sign(NID_sha256,(const unsigned char *)msg,strlen(msg),signature,i,rsa))
(gdb)
42 printf(signed\n);
(gdb)
signed
47 fclose(myfile);
(gdb)
52 myfile = fopen(mykey_backup.pem, rb);
(gdb)
53 strcpy(msg,This is dapta ia bull shit why its not working to my program any give ne reason);
(gdb)
55 RSA *rsa1 = PEM_read_RSA_PUBKEY(myfile,NULL,NULL,NULL);
(gdb)

Program received signal SIGILL, Illegal instruction.
0x7fff8b39d350 in PEM_read_RSA_PUBKEY () from /usr/lib64/libcrypto.so.0.9.8
Current language: auto; currently asm
(gdb)
Error While Signature verification ..
Hi, I am using OpenSSL version 0.9.8g to verify the Java signed message. While verifying I got a bad signature error; however, the same signature is verified in Java correctly. The error occurs in

if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0))
{
    RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
}
else
    ret=1;

Why is this error occurring, and how to overcome this error?
RSA_Verify error:04077064:rsa routines:RSA_verify:algorithm mismatch
Hi, can anyone tell what I am doing wrong in this code? I sign the message using Java IBMFIPS compliant. The code to sign the message is:

//Signs the hash of each chunk and adds it to the Message Header
//data is 256Kb length
//Get private key function is created by me to read the DER key formatted file
GetPrivateKey privkey = new GetPrivateKey();
Signature genSign = Signature.getInstance("SHA1withRSA", "IBMJCEFIPS");
genSign.initSign(privkey.get());
genSign.update(data.getBytes());
byte[] byteSignedData = genSign.sign();

Get Private Key function code:

File privateKeyFile = new File(Certificates + File.separator + "mykey.der");
byte[] encodedKey = new byte[(int)privateKeyFile.length()];
new FileInputStream(privateKeyFile).read(encodedKey);
PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(encodedKey);
KeyFactory kf = KeyFactory.getInstance("RSA", "IBMJCEFIPS");
RSAPrivateCrtKey privatekey = (RSAPrivateCrtKey) kf.generatePrivate(privateKeySpec);
return privatekey;

I am verifying this signature using OpenSSL 0.9.8g, RSA_Verify() function.
Does Openssl 0.9.8g Support RSASSA-PKCSV1.5 with EMSA PKCSV1.5
Can anyone tell which API I need to use for the above encryption method according to RFC3447 to sign a message with the SHA256 algorithm?
Does Openssl 0.9.8g supports RFC5280
Can anyone tell me whether OpenSSL 0.9.8g supports RFC5280 or not?
how to disable the CRL check and time check in X509_verify_cert() api..?
Can anyone tell me how to remove the CRL revocation check and expiry check? I want to validate the signature of the certificate alone, with no CRL or expiry check. Any flag I need to set?
Re: Using PEM_read_X509 openSSL Api-Sample Certificate
Mayur Premi wrote:
> Hi,
> I am using
>
> X509* pX = PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
>
> to get an X509 certificate structure from a PEM format file. My file (fp) looks like below:
>
> -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
>
> The above API is returning me a NULL in both pX and x.
> Q1) So I was wondering whether the PEM file I am passing as input to the API is correct or not?
> Q2) And which amongst pX and x will give me the required X509 certificate?
> I could not find any explanation of the API on the net, only got the signature, so I need some help for the above problem.
>
> Regards,
> Mayur

Hi Mayur,

The PEM encoded file you are passing is wrong. You can't remove the newline characters from the file. A sample file looks like:

-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
-----END CERTIFICATE-----

I hope this will help you.
Thanks
Balamurugan
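Added example (not from the thread or from OpenSSL): a C pre-check of the line framing that the reply above says must be preserved, returning a distinct code when the BEGIN marker shares its line with data or a body line is longer than 64 characters. `pem_check`, its return codes and the 64-character threshold (the RFC 7468 wrap width) are assumptions of this example, and the sample bodies are constructed, not a real certificate; it checks framing only, not the base64 or DER content.

```c
#include <stdio.h>
#include <string.h>

#define BEGIN "-----BEGIN CERTIFICATE-----"
#define END   "-----END CERTIFICATE-----"
enum { PEM_OK, PEM_NO_BEGIN, PEM_NOT_WRAPPED, PEM_BAD_CHAR, PEM_NO_END };

/* Constructed samples (not a real certificate): the same body with and
 * without its line breaks. BODY1 is exactly 64 characters long. */
#define BODY1 "QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD"
#define BODY2 "QUJDRA=="
static const char GOOD[] = BEGIN "\n" BODY1 "\n" BODY2 "\n" END "\n";
static const char FLAT[] = BEGIN BODY1 BODY2 END;

/* Hypothetical pre-check of the framing a PEM certificate file needs. */
int pem_check(const char *text)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    int in_body = 0;
    while (*text) {
        size_t len = strcspn(text, "\n"), n = len;
        if (n && text[n - 1] == '\r') n--;          /* tolerate CRLF */
        if (!in_body) {
            if (strncmp(text, BEGIN, strlen(BEGIN))) return PEM_NO_BEGIN;
            if (n != strlen(BEGIN)) return PEM_NOT_WRAPPED; /* data on marker line */
            in_body = 1;
        } else if (n == strlen(END) && !strncmp(text, END, n)) {
            return PEM_OK;
        } else if (n > 64) {      /* assumed limit: RFC 7468 wrap width */
            return PEM_NOT_WRAPPED;
        } else if (strspn(text, b64) < n) {
            return PEM_BAD_CHAR;
        }
        text += len + (text[len] == '\n');
    }
    return in_body ? PEM_NO_END : PEM_NO_BEGIN;
}

int main(void)
{
    printf("wrapped file:   %d\n", pem_check(GOOD));
    printf("flattened file: %d\n", pem_check(FLAT));
    return 0;
}
```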
X509_Verify API always returns -1 . how to over come this
Hi, can anyone tell me how to overcome that error? I am validating the certificate using X509_verify_cert(), and the output of this is a signature verification error. I went through the code and found that the ASN1_item_verify function is called. Where can I find this function's C code, and how to overcome the verification error?
openssl 0.9.8g bug..?
Hi, I am using OpenSSL version 0.9.8g. In the ASN1_item_verify() function, void *asn is used as ASN1_VALUE *asn. My compiler shows an error for that. Is that the reason the X509_verify(cert,cakey) function fails?
Trust Chain Loading and signature verification of a certificate
Hi, I have 10 different CA root certificates, each having a depth of 3 intermediate certificates, in a folder. I want to verify the signature of the incoming certificate, which is a P7b file that can have certificates that need to be validated (3 different certificates to validate) or one certificate that needs to be validated with its intermediate CA. Intermediate certificates can also be in the P7b file, but not the root certificate or self-signed certificates. Please can anyone tell me how to load the trust chain and verify? I am not able to understand the X509_STORE and X509_STORE_CTX concepts. (I am using C++.)

Thanks
Regards
Balamurugan