Re: Openssl certificate date issue

2010-10-13 Thread Wim Lewis
On 12 Oct 2010, at 11:48 PM, Vinay Kumar L wrote: > I am trying to generate certificate which is valid for 20years. As the > 20years crosses unix end time(January 19, 2038 03:14:07 GMT) from the current > date, openssl certificate generated will have wrong dates My understanding is that this is

Re: How can I load a PEM key stored in a string instead from a file?

2010-10-26 Thread Wim Lewis
PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which knows how to read a private key blob specifically). PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and calls PEM_ASN1_read

Re: How does "privatekey" ever get defined?

2010-11-01 Thread Wim Lewis
On 1 Nov 2010, at 12:05 PM, Eichenberger, John wrote: > I am planning on adding code to call SSL_CTX_use_PrivateKey. I do not > have a key file to supply, so I cannot use SSL_CTX_use_PrivateKey_file. > > However, I thought I would ask about this because I've reviewed the code > for both of those

Re: default certs path not used

2011-02-05 Thread Wim Lewis
On Feb 4, 2011, at 2:08 PM, Kārlis Repsons wrote: > perhaps there is someone out there, who knows why openssl doesn't seem > to look for certs in /etc/ssl/certs as indicated in openssl.cnf: > > [ ca ] > default_ca = CA_default# The default ca section > > [ CA_default ] > dir

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 9:59 AM, luis hernandez wrote: > i get a file with a signed base64 string produced using the following > commands: > > openssl dgs -md5 -sign key.pem stringtosign.txt | openssl enc -base64 -A > > signedbase64string.txt > > that signed string is part of a text file that inc

Re: DH: safe prime issue

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 6:19 AM, ikuzar wrote: > I 'd like to know if it is a security issue when p ( a DH param ) is not a > safe prime ? > is it more easier to attack DH algorithm with a non safe prime ... ? Yes. If p-1 does not have large factors, then it is easier to compute the discrete logarith

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 12:02 PM, luis hernandez wrote: > Thanks Wim, > > i know that cer pem files have the public key in it like: > > -----BEGIN PUBLIC KEY----- > MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz... > -----END PUBLIC KEY----- > -----BEGIN CERTIFICATE----- > MIIE/TC

Re: How is MD5 fingerprint on X509 created?

2011-04-19 Thread Wim Lewis
On 19 Apr 2011, at 10:55 AM, Matt C wrote: > Should I be hashing the entire contents of the PEM file, only part, or is > there additional data I need to add? The fingerprint that openssl computes is the hash of the entire certificate in DER format. You should be able to recover the DER-formatte

Re: Conversion of RSA Encrypted message to Base64 format !!!

2011-04-20 Thread Wim Lewis
On 20 Apr 2011, at 3:01 AM, pattabi raman wrote: > How can I use the function "BIO_new_fp(stdout, BIO_NOCLOSE)" to print the > value to another character array instead of "stdout"? If not this, which Bio_ > function I can use so that it will convert to Base64 and put it in char > buffer ?? I t

Re: Clients glomming onto a listener

2011-05-10 Thread Wim Lewis
On 10 May 2011, at 4:13 PM, David Schwartz wrote: > On 5/10/2011 2:10 AM, John Hollingum wrote: >> Pretty much immediately after the accept the program forks a handler, >> but the rogue clients must be glomming onto the main process before the >> SSL negotiation is complete. > > Calling 'fork' wi

Re: SSL Communication using BIO

2011-05-23 Thread Wim Lewis
On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote: > Anyone any comments on this. Is openssl appropriate choice for my case? As I understand it you want OpenSSL to handle the protocol and encryption, but you don't want OpenSSL to do any network I/O itself: you want to do that (via the C# sockets

Re: Replacement of functions that operate with sockets

2011-06-15 Thread Wim Lewis
On 15 Jun 2011, at 11:57 AM, wrote: > Whether is it possible to implement? I have read in the documentation about > BIO-functions, and could not understand is it possible to implement or not. > Thanks for any help or suggestions. Yes, this is possible. It is asked on this mailing list every no

Re: problem with EVP_DecryptFinal_ex function

2011-06-22 Thread Wim Lewis
On 22 Jun 2011, at 5:46 AM, Damir Musulin wrote: > I have created a decrypt function and it fails (how wonderful) > > The problem lies in the EVP_DecryptFinal_ex. > I have made use of the ERR_print_errors_fp(stderr); option to see what > is wrong but it is quite > a cryptic message: > 2621:error:

Re: Reliable identification by DN (or something else) for commercially-signed certs?

2011-06-29 Thread Wim Lewis
On 26 Jun 2011, at 11:39 AM, Leo Richard Comerford wrote: > What should I use to whitelist certificates by? Specifically, what can > I whitelist on to prevent false positives? For example, the obvious > thing seems to be Distinguished Name. But can I safely assume that any > two certificates issue

Re: Need to extract the checksum from a signature

2011-07-05 Thread Wim Lewis
On 4 Jul 2011, at 7:47 AM, Roland Flury wrote: > At the moment I use the PHP function openssl_pkcs7_verify() to verify > the signature (I also could use the openssl command line tool with a > system command). But verify is not enough, because I need to send back > the digest. > > Is there any

Re: Updating code using ASN1_HEADER

2011-07-07 Thread Wim Lewis
On Jun 29, 2011, at 5:22 AM, Kenneth Porter wrote: > I need to update an old piece of code written for 0.9.7 that uses the > obsolete ASN1_HEADER struct as part of importing a Netscape certificate [...] It looks like that piece of code was adapted from load_cert() in openssl's apps.c. Try look

Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-12 Thread Wim Lewis
On 11 Jul 2011, at 3:18 PM, Carla Strembicke wrote: > The server receives the encrypted data and sends to the lower level and > where it is pumped into the SSL structure ( which is using these memory > buffers) using the BIO_write call ( I actually see that bytes are written > into it) and th

Re: Bug in OpenSSL 0.9.8e

2011-07-27 Thread Wim Lewis
On 20 Jul 2011, at 2:25 AM, Vinay Kumar wrote: > Hi All, > > I am using OpenSSL OpenSSL 0.9.8e. The OpenSSL function sometimes > sha1_block_host_order () crashes on Linux. Is there any fix available for > this issue or what are the modifications need to be done? Please guide me. > > The core

Re: Simple question: Maximum length of PEM file?

2011-07-27 Thread Wim Lewis
On 26 Jul 2011, at 10:16 PM, Katif wrote: > Can you tell me what are the application dependency factor here so we'll be > able to chase a limit? > > It is used as an RSA key exchange certification/private key pairing. > > Thanks... The two things that are variable size are the key material it

Re: Handshake question

2011-07-27 Thread Wim Lewis
On 27 Jul 2011, at 1:52 PM, castre...@gmail.com wrote: > Using memory buffers and blocking IO. > > I begin the handshake by the client initiating hello message. > The server reads message, and data is put in its ssl output. This is sent > back to client. > The client read the data ( SSL_read)

Re: Handshake question

2011-07-27 Thread Wim Lewis
On 27 Jul 2011, at 4:37 PM, castre...@gmail.com wrote: > There is no data to send to the client ( I have checked the BIO out and there > is no pending data to send out). > This is my main problem. > > When I check the clients state using SSL_state_string from the last read it > returns "UNKWN

Re: Usage of macro OPENSSL_NO_STDIO

2011-08-17 Thread Wim Lewis
On 17 Aug 2011, at 7:36 AM, Kchitiz Saxena wrote: > Can somebody briefly explain the use of macro OPENSSL_NO_STDIO. There are few > functions like SSL_CTX_use_certificate_file() which are defined only if this > macro is not defined. What is the functionality which is derived out of this > macro

Re: Help compiling,assembling and linking RC4 code.

2011-08-22 Thread Wim Lewis
On 19 Aug 2011, at 4:08 AM, rastir...@rastirrat.force9.co.uk wrote: > What I am try to do is build the assembly language version of RC4. So far > I have been able to create the rc4-586.asm file by running the rc4-586.pl > script. > > I specifically want to run rc4speed and rc4test but using the

Re: Open SSL API's Support For IPv6.

2011-09-21 Thread Wim Lewis
On 21 Sep 2011, at 6:17 AM, Akanksha Shukla wrote: > Currently we are using OpenSSL 0.9.8 version. I have question about few of > the API's support for IPV6. > > 1) BIO_new_connect() [...] > > Queries : > 1) Do the above mentioned API's support IPv6? I don't think so. BIO_new_connect() (and BIO

Re: strong TLS connections

2011-10-26 Thread Wim Lewis
On 7 Oct 2011, at 7:40 PM, Kristen J. Webb wrote: > I'm exploring the security of TLS for TCP/IP connections. > I would like to establish TLS connections using server certificates > (managing client certs via external or internal PKI is painful). > My understanding is that a TLS connection with a

Re: Difference b/w TLS Connection and TLS Session

2011-11-04 Thread Wim Lewis
On 4 Nov 2011, at 7:12 AM, Mr.Rout wrote: > Can any body please let me know "what is the difference between TLS > Connection and TLS Session ? If a client makes a connection to a server it has previously connected to, it can re-use the cryptographic parameters (such as the initial session key /

Re: openssl and SHA256

2012-01-18 Thread Wim Lewis
On Jan 18, 2012, at 11:47 AM, Scott Wilson wrote: > Does openssl support SHA256? Yes, it does. I'm not sure why it doesn't show up in the output of "list-message-digest-commands" or the usage message, but "openssl sha256" will compute a SHA256 digest, and "openssl dgst --help" lists it.

Re: About the usage of SSL_get_ex_new_index

2012-02-08 Thread Wim Lewis
On 7 Feb 2012, at 8:50 AM, Bruce (Riji) Cai wrote: > Hi all, > > From man page of SSL_CTX_set_verify, I saw this example snippet: > > /*** snippet begin */ > ... > > mydata_t mydata; > > ... > mydata_index =

Re: weak key check?

2012-02-17 Thread Wim Lewis
On Feb 16, 2012, at 9:22 AM, Kenneth Goldman wrote: > Many laptops and desktops and some servers now come with a TPM chip, > a free source of hardware random numbers. Even aside from TPM or other HSMs, hardware random number generators have been a common feature of PC motherboard chipsets for

Re: weak key check?

2012-02-20 Thread Wim Lewis
On Feb 17, 2012, at 5:05 PM, anthony berglas wrote: > Taking a different slant, is it possible to provide the "Entropy" using a > pass phrase. So a given pass phrase will always generate the same key pair. > This means that for simple applications no key store is required. Much like > passwo

Re: weak key check?

2012-02-20 Thread Wim Lewis
On Feb 20, 2012, at 8:38 AM, Jakob Bohm wrote: > On 2/17/2012 10:16 PM, Wim Lewis wrote: >> Even aside from TPM or other HSMs, hardware random number generators have >> been a common feature of PC motherboard chipsets for a decade or so. I >> assume, perhaps optimistically,

Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis
On 28 Feb 2012, at 9:57 AM, JonathonS wrote: > Here is the command I used to build openssl: > > ./Configure --prefix=/home/user/openssl_release > --openssldir=/home/user/openssl_release no-asm threads zlib shared > linux-x86_64 > > After the binaries have been built, it produces libcrypto.a and

Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis
On 28 Feb 2012, at 5:15 PM, JonathonS wrote: > Thanks guys. Sorry for the confusion. I thought "U" meant undefined > and "T" meant it *belongs* in the text section, NOT that it actually > *exists* in the text section :) > > Here is my linker command. > > g++ -g -o unit_tests unit_tests.o -L/hom

Re: AES-256 Implementation and OpenSSL

2012-04-02 Thread Wim Lewis
On 2 Apr 2012, at 8:09 AM, Theodore Tolstoy wrote: > It seems to implement AES-{128,192,256} ECB mode of > encryption/decryption(?). Am I wrong? > > Is it possible to use OpenSSL to achieve equivalent results? Yes. The low-level openssl AES implementation (AES_ecb_encrypt(), etc.) is available

Re: ENGINE Structural and functional references

2012-04-04 Thread Wim Lewis
On 4 Apr 2012, at 12:10 PM, Sunjeet Singh wrote: > If I have multiple SSL connections using an engine at the same time, IS IT > TRUE THAT- > 1. I should have at least one structural and one functional reference for the > entire duration within which the engine will be used i.e., between the call

Re: Revival of ERR_free_state_table / alt solution

2009-11-08 Thread Wim Lewis
On Oct 7, 2009, at 8:19 AM, Thomas Harning Jr. wrote: I'm writing a browser and a library that use OpenSSL for cryptography support. I want to best be able to fully cleanup state when my plugin/library is unloaded, however it seems to me that it's not possible to clear out all thread-associated

Re: Memory leaks...

2009-11-08 Thread Wim Lewis
On Nov 7, 2009, at 2:50 PM, barcaroller wrote: I'm getting some memory leaks when I use OpenSSL. I was not able to get rid of these leaks, even when I use EVP_cleanup() and ERR_free_strings() at the end of my program. [] ==27769== 24 bytes in 1 blocks are still reachable in loss r

Re: Simple question about SSL certs

2010-07-26 Thread Wim Lewis
On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote: > I would like to write an LDAP client that when a user connects to an LDAP > server with SSL, that the client cert is automatically downloaded to the > client. Then a prompt asks the client to accept or reject the cert. Is this > possible when

Re: Simulating Mac keychain CSR with OpenSSL

2010-07-28 Thread Wim Lewis
On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote: > It's obviously asking for just a subset of what would typically go into a > CSR. I tried generating several different CSR's with OpenSSL, containing > various information (and then converting the files to Mac line endings), but > the instructio

Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis
On Aug 17, 2010, at 12:37 PM, Leandro Santiago wrote: > It's really a basic doubt: How can I parse a file with the public key > to a struct which I can use to encrypt the string. Maybe just a > simple_example.c... :-) And also an example about decrypt using the > private key, of course :-) > > I'

Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis
On Aug 17, 2010, at 3:19 PM, Wim Lewis wrote: > But for any real-world application, you'll want to do the standard business > of generating a session key, encrypting the message using conventional > symmetric encryption, and encrypting the session key with the public key. > S

Re: Code Sample | Download Certificate

2010-09-15 Thread Wim Lewis
On Sep 15, 2010, at 6:24 AM, Ranjith Venkatesh wrote: > Is it possible to download a certificate given the website eg: > https://domainX.com using openssl functions? > If yes, what are relevant functions and relevant code samples? It's possible to do this using "openssl s_client -showcerts". You

Re: Remote access to my CA

2012-04-17 Thread Wim Lewis
On 17 Apr 2012, at 10:48 AM, Nathan Smyth wrote: > I created a CA on my local machine (using CA.sh), which I used to develop > some socket-based applications. The apps access the CA using > SSL_CTX_load_verify_locations, with the (local) path of the CA. > > I'm now distributing the applications

Re: Remote access to my CA

2012-04-17 Thread Wim Lewis
On 17 Apr 2012, at 2:04 PM, Nathan Smyth wrote: >> If the apps only need to be able to verify certificates issued by that CA, >> then all they need is a copy of the CA's certificate and to know that that >> certificate should be used as a trust root. (And, perhaps, access to a CRL >> or somethi

Re: Question on openssl dgst: which private key?

2012-06-26 Thread Wim Lewis
On Jun 26, 2012, at 7:20 PM, Dave Thompson wrote: > It's probably still easier to write a small program, > but if you really want to do it yourself, you can see > the structure by asn1parse'ing an existing one, or > looking at the code starting with ec/ec_asn1.c . It is > SEQUENCE > version

Re: How to know which curve to use for which cipher

2012-07-10 Thread Wim Lewis
(I think this is more appropriate for openssl-users than -dev, so I'm responding to that list.) On 10 Jul 2012, at 8:59 AM, Sirshendu Rakshit wrote: > My questions are: > 1) Is this a good way to know the EC_KEY using the curve-name Or there is > some better way to know it? If you're hardcoding

Re: change passphrase on CA

2012-08-21 Thread Wim Lewis
On 21 Aug 2012, at 8:03 AM, Brian J. Murrell wrote: > I have an openssl generated CA and I want to change the passphrase on > the CA certificate/key. I can't seem to find any documentation on how > to go about that. IIRC, the newer way is to use the 'pkey' subcommand, and the older way is to us

Re: What exactly does the -binary switch do when creating s/mime output?

2012-08-22 Thread Wim Lewis
On 21 Aug 2012, at 2:39 PM, Bart W Jenkins wrote: > Given: > > openssl smime -binary -sign -passin "pass:SomePassword" -signer cert.pem > -inkey key.pem -in Document.txt -out Document.txt.sig -outform DER > > What *exactly* is done to the s/mime text to create a "binary" file? Are you asking a

Re: Digital certificate with more than 1 year validity

2012-09-18 Thread Wim Lewis
On 17 Sep 2012, at 9:13 PM, Santhosh AP wrote: > Kindly help us to create digital certificate having more than 365 day’s > validity. At present we are using OpenSSL 0.9.7a Feb 19 2003 version. Kindly > confirm is it possible to cross the certificate validity more than 1 year, if > it’s possible

Re: RSA quintuple vs. xmldsig mismatch

2012-10-29 Thread Wim Lewis
On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote: > The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue) > use the first form of RSA representation with respect to the : > http://tools.ietf.org/html/rfc3447#section-3.2 The RSAKeyValue element contains a public key, but the quintuple

Re: How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-28 Thread Wim Lewis
On 28 Nov 2012, at 12:31 PM, Ted Byers wrote: > Is it possible to tell openssl where the configuration file is, e.g. > by setting an environment variable, without passing a commandline > argument? If I remember correctly, you can set the OPENSSL_CONF environment variable to the path of the conf

Re: genrsa question how secure is the random creation

2012-12-11 Thread Wim Lewis
On 11 Dec 2012, at 3:27 PM, redpath wrote: > an RSA pair is created. Its not so much I want to know how a pair is randomly > selected but how secure is that random selection. Random number generators > are a series and this selection could be followed for brute force deciphering. I think the r

Re: How to use a binary public key

2013-01-23 Thread Wim Lewis
On Jan 23, 2013, at 1:12 PM, Tovey, Dwight (LaserJet R&D FW Eng.) wrote: > Hello all – > > I have a need to send a bit of RSA encrypted data to a device. The device > will provide its public key via SNMP as 140 bytes of binary data. I’m > assuming that the data is DER format, but I can’t swe

Re: Reading an encrypted file

2013-03-05 Thread Wim Lewis
On 5 Mar 2013, at 6:57 AM, Greg Keene wrote: > Is there an API that will allow me to read an encrypted file directly into > memory? If possible I would like to bypass decrypting the file and writing > it back out to the hard drive. What format is the encrypted file in? If it's just (for examp

Re: Creating CSR with very long organizationName

2013-05-08 Thread Wim Lewis
On 8 May 2013, at 3:10 AM, Cipriano Groenendal - Byte Internet wrote: > Hey all, > > I'm trying to create a CSR using a very long organizationName, but I keep > getting the message > > 140605698299560:error:0D07A097:asn1 encoding > routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:max

Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis
On 21 May 2013, at 5:02 PM, Jorge Ventura wrote: > Because the client trust the connection when I inform the > intermediate, I suppose the server is not sending the intermediate, > only the first certificate in the chain and in this case the command > fail. That is a reasonable conclusion. You ca

Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis
On 21 May 2013, at 5:37 PM, Jorge Ventura wrote: > Somech, > The server side is using one .pem file like this: > > > > > > > The was signed by one root CA available at client > side and the two intermediate was supplied by the same root authority. > I think that I didn't forgot that. It

Re: openssl 1.0.1e Signature verification problems

2013-06-18 Thread Wim Lewis
On 14 Jun 2013, at 6:09 AM, anand rao wrote: > I am using openssl 1.0.1e to create a CA and generate certificates. > > I am facing an issue while generating the device certificates. > After creating the ca certificate using below command > > # openssl req -x509 -new -newkey rsa:1024 -keyout priv

Re: Extracting data from custom extension

2013-07-16 Thread Wim Lewis
On 15 Jul 2013, at 4:24 PM, jimits10 wrote: > i have a custom extension with test oid 1.2.3.4.5. I try to extract the oid > data in the following manner: [] > On investigating i found that ASN1 String was encoded in the form that it > had 04 at the start to denote ASN1 coding followed by the l

Re: Does OpenSSL support AES-256-CCM?

2013-08-07 Thread Wim Lewis
On 6 Aug 2013, at 12:57 PM, Richard Cook wrote: > I'm trying to determine if the current development version of OpenSSL > supports AES-256-CCM. I've cloned the repository from > https://github.com/openssl/openssl, built locally and tried the following > commands: > > ./openssl ciphers | grep C

Re: Warning for SSL_read()

2013-08-12 Thread Wim Lewis
On 12 Aug 2013, at 3:36 AM, John Selbie wrote: > I'm upgrading a socket server written for non-blocking TCP sockets to use > OpenSSL in non-blocking mode. > > In the man page for SSL_read, the following is stated: > > "When an SSL_read() operation has to be repeated because of > SSL_ERROR_WANT

Re: tlsv1 alert unknown ca

2013-10-01 Thread Wim Lewis
On 1 Oct 2013, at 3:00 PM, Troyanker, Vlad wrote: > PROBLEM: the server fails SSL connection with SSL_accept: tlsv1 alert unknown > ca > > The funny part I cannot even find where in source code that error (code > SSL_R_TLSV1_ALERT_UNKNOWN_CA) gets thrown. I am looking through > openssl-1.0.1e/

Re: Openssl 0.9.8r <-> openssl 1.0.1e

2014-01-08 Thread Wim Lewis
On 8 Jan 2014, at 12:14 PM, Hasan, Rezaul (NSN - US/Arlington Heights) wrote: > If I have a Linux CLIENT machine running with openssl 0.9.8r > establishing HTTPS sessions with a Linux SERVER running openssl 1.0.1e > > Is there any problems I should anticipate? In other words, shoul

Re: Regarding openssl-devel

2014-03-12 Thread Wim Lewis
On 12 Mar 2014, at 4:44 AM, banupriya wrote: > Hi All, > > I would like to know how different is openssl-devel from openssl098 version. > > Thanks in Advance, > Banupriya K There is a detailed changelog here: http://www.openssl.org/news/changelog.html In terms of API, they are not much d

Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-08 Thread Wim Lewis
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote: > Team, I am having a discussions with a few friends about why this OpenSSL > vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of > you (apologize in advance), but can't think of any other way to prove my > point other than sp

Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Wim Lewis
On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote: > Attention: The .asc file I downloaded directly from openssl.org for the > 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt > file distributed in previous tarballs, nor by the (unverifiable) > fingerprints.txt available fr

Re: Looking more at the Heatbleed

2014-04-10 Thread Wim Lewis
On 10 Apr 2014, at 2:02 PM, mclellan, dave wrote: > We are looking more deeply into Heartbleed to determine the risk to our > proprietary, non-open application. > 1. Background summary: Our proprietary client/server protocol is > protected by TLS with OpenSSL 1.0.1c and 1.0.1e. We do not

Re: serverFull and otherFull

2014-04-22 Thread Wim Lewis
On 21 Apr 2014, at 10:27 PM, Sri Ramya wrote: > can any one explain me what is server full and theotherfull in openssl > terminology??? I think we need more context. Where are you seeing those terms?

Re: Format of sig in EVP_SignFinal for DSA keys

2014-10-08 Thread Wim Lewis
On 6 Oct 2014, at 2:11 PM, Grahame Grieve wrote: > I can't find any documentation as the exact format of sig produced by > EVP_SignFinal when using a DSA key. It's 71 bytes, but 71 bytes of > what? Just guessing here, but there are two formats I've seen for (EC)DSA signatures. One of them is an

Re: OPENSSL_cleanse()

2014-10-28 Thread Wim Lewis
On Oct 23, 2014, at 10:17 PM, Vladimir Zatsepin wrote: > Does somebody know how OPENSSL_cleanse() works? > I don't understand what this [17, 63, 0xF] values means. Why such values were > chosen? I think it's a simplistic random number generator, like a linear congruential generator- it's tryi

Re: [openssl-users] OpenSSL and iCloud

2015-01-05 Thread Wim Lewis
On Jan 5, 2015, at 12:01 PM, open...@comaxis.com wrote: > Are there any known problems using OpenSSL with iCloud? I am trying to > connect to imap.mail.me.com using port 993. My call to SSL_Connect() > returns 0, with SSL_get_error() returing 1 (SSL_ERROR_SSL). I am using > OpenSSL version 1.0.

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis
On Aug 11, 2015, at 9:24 AM, Robert Sandilands wrote: > I am trying to build a certificate request with a custom OID and it is > encoding strange characters in the certificate. > > For example I specify the following line in the .cnf file: > bla_policy = ASN1:PRINTABLESTRING:blabla > Then I get

Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis
On Aug 11, 2015, at 2:03 PM, Robert Sandilands wrote: > So this leads to the next question: > > How do I teach OpenSSL the format of the value for a custom extension without > writing code? What do you want OpenSSL to do with that knowledge? Presumably, the reason you're adding a custom exten

Re: [openssl-users] OPENSSL_SYS_VOS meaning

2015-08-24 Thread Wim Lewis
On Aug 24, 2015, at 11:33 AM, David Luengo López wrote: > 439 #define DUMMY_SEED "" /* at least MD_DIGEST_LENGTH */ > 440 /* Note that the seed does not matter, it's just that > 441 * ssleay_rand_add expects to have something to hash. */ > 442

Re: [openssl-users] Converting DER encoded unsigned CSR to internal OpenSSL format

2015-11-11 Thread Wim Lewis
On Nov 9, 2015, at 3:46 PM, Peter P. wrote: > I'm writing an application using Openssl 1.0.2d where I am trying to take a > DER encoded unsigned CSR and read it into an X509_REQ data structure via the > d2i_X509_REQ_bio() function. This function errors out during when I attempt > to read in my

Re: [openssl-users] CMS with Symmetric key

2016-04-04 Thread Wim Lewis
On Apr 4, 2016, at 3:42 PM, Jakob Bohm wrote: > Unless you can point out a clause in the "CMS" format RFCs > that allow use without X.509 certificates, there is no reason > why the "CMS" part of the OpenSSL library should be able to > any such thing. The CMS RFC (RFC 5652) specifies password bas

Re: [openssl-users] Question about stateOrProvince

2016-08-30 Thread Wim Lewis
On Aug 30, 2016, at 6:28 PM, Tim Boring wrote: > When creating a CSR, openssl displays the following > > > State or Province Name (full name) [Some-State]: > ... > And a couple lines up from that is a comment pointing to RFC 3280, which > defines the following: The original definition is from

[openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-22 Thread Wim Lewis
I'm trying to produce nested structures, like signed-enveloped-signed data. This is explicitly described in the various RFCs, but I can't figure out how to get OpenSSL to produce valid output, and I can't find any code examples of doing this. What I'm doing (which doesn't quite work) is this: f

Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-28 Thread Wim Lewis
On Nov 25, 2016, at 12:43 PM, Dr. Stephen Henson wrote: > Something like that did happen for PKCS#7 but the OCTET STRING encapsulation > is correct for CMS. Aha, and this difference is called out in RFC5652 [5.2.1]. Thanks, that clarifies things for me a little. So typically it's only the oute

Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure Randomness of PK

2018-05-23 Thread Wim Lewis
On 23 May 2018, at 10:08 AM, redpath wrote: > So if I add this RAND usage below, am I seeding to assure a different RSA key > pair each time run of creating a RSA pair. > > I would certainly replace the time with the UUID of the device to be unique > to the device. You would have to acquire t

Re: [openssl-users] command passwd

2018-07-16 Thread Wim Lewis
On 16 Jul 2018, at 1:51 PM, Carl-Valentin Schmitt wrote: > mcrypt not only has md5, it has blowfish too and other keys. You can download > source at http://sf.net > mcrypt is a linux command as follower of command crypt. I don't think the "openssl passwd" command has eve

Re: [openssl-users] porting socket ssl python to c++

2018-08-01 Thread Wim Lewis
This pair of articles is quite old, so some of the API details have changed, but it has an overall description of how to use OpenSSL: https://www.linuxjournal.com/article/4822 https://www.linuxjournal.com/article/5487 The link to the example code is broken, but you can find it here: http

Re: [openssl-users] updating openssl

2018-11-06 Thread Wim Lewis
On 6 Nov 2018, at 2:02 PM, Paul wrote: > I configured Openvpn server on ubuntu 16.04 and ubuntu was using a old > version of openssl 1.0.2 and I was updating openssl to v1.1.1 > Now I've installed the openssl but now unable to mv file installed to ln -s > /usr/local/ssl/bin/openssl /usr/bin

Re: [openssl-users] Creating PKCS#8 from pvk format

2018-12-04 Thread Wim Lewis
On 4 Dec 2018, at 4:00 PM, zhongju li via openssl-users wrote: > Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I > have tried the following functions, all of these functions return 0 (failure) > without any further debugging information/clues: > EVP_PKEY_assign_R

Re: Is there a way to retrieve the certificate from SSL_CTX?

2019-03-05 Thread Wim Lewis
On 5 Mar 2019, at 10:14 AM, Paul Smith wrote: > E.g., I'm adding my certificate with SSL_CTX_use_certificate(); is there a > way to get it back out? Does SSL_CTX_get0_certificate() do what you need? (The "get0" (vs "get") indicates its reference-counting semantics.)

Re: asn1parse genstr question

2019-04-22 Thread Wim Lewis
On Apr 21, 2019, at 8:58 AM, Dmitry Belyavsky wrote: > openssl asn1parse -genstr "UTF8String:ф" -out content > > I get a 6-byte file. If I understand correctly, it starts with a 2-byte > header indicating the content length and then contains an encoded letter 'ф' > I want. But the encoding of

Re: How to Sign and Encrypt in CMS ?

2019-05-06 Thread Wim Lewis
On May 5, 2019, at 7:13 PM, Dr. Pala wrote: > small question - I was playing around with the CMS interface and I was > wondering what is the right way to generate a signed and encrypted CMS. In > particular, for PKCS#7, you could use the signed_and_encrypted choice... but > in CMS, there is t

Re: PkiPath with openssl

2019-06-17 Thread Wim Lewis
On Jun 17, 2019, at 8:09 AM, Tobias Wolf wrote: > there already a function available? In fact I´d like to provide a > STACK(X509)* as a parameter and get the pem or der encoded asn1 structure > back. Assuming you've already assembled the list of certificates you want to encode, I think you c

Re: PkiPath with openssl

2019-06-18 Thread Wim Lewis
On Jun 17, 2019, at 11:35 PM, Tobias Wolf wrote: > The specification said about sorting and providing the pki path in correct > order. Ah, I thought you were asking about producing the correct DER representation, not assembling the list of certs. In that case, take a look at the documentati

Re: Does openssl sanity check ALPN strings?

2019-06-26 Thread Wim Lewis
On Jun 26, 2019, at 4:25 PM, Hal Murray wrote: > If a client passes {99, "a", "z" } with a length of 3 to > SSL_CTX_set_alpn_protos, > does that get rejected or sent to the server? > > If a somebody sends that to a server, does it get passed to the alpn callback? I don't think OpenSSL does an

Re: PrivateKey Decrypt Failure

2019-09-11 Thread Wim Lewis
On Sep 11, 2019, at 3:31 AM, Chitrang Srivastava wrote: > I am using openssl 1.1.1b and I am storing private key encrypted. > > I am storing private key as > PEM_write_bio_PrivateKey(bio, pkey, EVP_aes_128_cbc(), PKeyPassPKCS12, 0, 0, > NULL); I don't think that PEM_write_bio_PrivateKey() wil