Re: [twsocket] SSL PEM error
Hello,

As I told you I am still learning about those SmartCards, but it seems that the SmartCards have some functions you can call. I tested one called random number generator, but it can also do authentication key calculation, and I suppose this is why the private key cannot be extracted but only used by the card when you call some of its functions to compute some encryption or crypto key validation.

I know the card I use has a signature and an authentication X.509 certificate that I can access, but it does not have an encryption certificate, so I cannot use it to do strong Virtual Disk Image encryption; for this I'll need to request the encryption certificate from the authority of the SmartCard constructor.

I am also looking into some other PKCS11 code and samples to try to see how I could integrate it into ICS if my knowledge and skills permit it.

regards.

Arno Garrels wrote:
AG > I know that private key cannot be extracted from the SmartCard type I use
AG That's hard to believe, if OpenSSL can read the key, and it must read it,
AG then it should be possible to write it to a PEM file as well, IMHO.
AG Maybe the smartcard is smarter than I can imagine ;-) I must admit that
AG I haven't used one in my life.
AG --
AG Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] SSL PEM error
Dod wrote:
> Hello Arno,
> First of all I have to say I am actually learning about SSL so I am not
> yet fluent with it, excuse my answers and stupid beginner's questions.

> > Does your PEM file actually include a private key?
> > Or is the private key stored in a separate PEM file?

> Not sure about public or private key as my OpenSSL tests have been done
> using PKCS11, but because the SmartCard has two certificates, I had to
> extract them manually, convert them into cert/pem and pass them as
> OpenSSL's parameters.

PEM files are simple text files with either LF or CRLF line breaks. They may contain both the certificate and the private key. The certificate always includes the public key. When you open a PEM file with a text editor the start and end lines may look like:

-----BEGIN RSA PRIVATE KEY-----
[Base64 encoded data..]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Base64 encoded data..]
-----END CERTIFICATE-----

> > Which demo are you talking about?

> icsSimpleSSL

> > Which PEM files are specified in Demo's Cert File and Key File Edits?

> The demo has CAfile, CertFile and PrivateKey properties, I tried to set
> them as I did it with OpenSSL command line.

> Does this no start line error mean many things?

I do not know. This is an OpenSSL error. Have you opened the files in a text editor yet? Are there actually no start lines? Anyway strange, if the PEM files work with OpenSSL.exe they must work with TSslContext as well, provided OpenSSL.exe and the OpenSsl libraries are from the same build.

--
Arno Garrels

> regards.
Re: [twsocket] SSL PEM error
Hello Arno,

I have correct BEGIN/END CERTIFICATE but none of the PEMs have a RSA PRIVATE KEY section.

With OpenSSL I use PKCS11, but as I had to manually extract the auth certificate I supposed PKCS11 access would not really be needed anymore, but maybe it is still needed because the private key is still in the smartcard and I only extracted the public key?

regards.

AG When you open a PEM file with a text editor the start and end lines may
AG look like:
AG -----BEGIN RSA PRIVATE KEY-----
AG [Base64 encoded data..]
AG -----END RSA PRIVATE KEY-----
AG -----BEGIN CERTIFICATE-----
AG [Base64 encoded data..]
AG -----END CERTIFICATE-----
Re: [twsocket] SSL PEM error
Dod wrote:
> Hello Arno,
> I have correct BEGIN/END CERTIFICATE but none of the PEMs have a RSA
> PRIVATE KEY section.

The private key must not necessarily be an RSA key, do you see any other PRIVATE KEY section?

> With OpenSSL I use PKCS11, but as I had to manually extract the auth
> certificate I supposed PKCS11 access would not really be needed anymore,
> but maybe it is still needed because the private key is still in the
> smartcard and I only extracted the public key?

That's possible. AFAIK, OpenSSL supports PKCS11 only thru a dynamic Engine, to list current active engines you could type

openssl engine -v -t

on the command prompt.

--
Arno

> regards.
> > When you open a PEM file with a text editor the start and end lines may
> > look like:
> > -----BEGIN RSA PRIVATE KEY-----
> > [Base64 encoded data..]
> > -----END RSA PRIVATE KEY-----
> > -----BEGIN CERTIFICATE-----
> > [Base64 encoded data..]
> > -----END CERTIFICATE-----
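The check Arno asks for here, and the PEM layout he described a couple of messages back (BEGIN/END lines around Base64 data, LF or CRLF endings, possibly several blocks in one file), can be done programmatically. The following Python script is an added example and is not code from this thread, from ICS or from OpenSSL: it lists every -----BEGIN ...----- / -----END ...----- block in a file, tolerates CRLF, skips PEM header lines such as Proc-Type, checks that each END label closes the matching BEGIN and that the body is valid Base64, and explains why OpenSSL's PEM_read_bio would report "no start line" when the file handed over as the key file contains only a CERTIFICATE block. The set of private-key labels (PKCS#1 RSA, SEC1 EC, DSA, plain and encrypted PKCS#8) is what OpenSSL writes; the sample PEM texts and their Base64 payloads are constructed placeholders, not real certificates or keys.

```python
import base64
import binascii
import re

# PEM labels OpenSSL uses for a private key: PKCS#1 RSA, SEC1 EC, DSA,
# and PKCS#8 in plain or encrypted form. A key file needs one of these.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def pem_sections(text):
    """Return a list of (label, der_bytes) for every well-formed PEM block.

    Lines are split on LF or CRLF, so files written on Windows parse the
    same as files written on Unix. Text outside a block is ignored, as
    OpenSSL does. A mismatched END label, a missing END line or a body
    that is not Base64 raises ValueError with the reason.
    """
    sections = []
    label = None
    body = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(
                    f"line {lineno}: END {m.group(1)} does not close BEGIN {label}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"block {label}: body is not valid Base64 ({exc})")
            sections.append((label, der))
            label = None
        elif line and ":" not in line:
            # Skip blank lines and PEM headers (e.g. Proc-Type:, DEK-Info:)
            body.append(line)
    if label is not None:
        raise ValueError(f"BEGIN {label} has no matching END line")
    return sections


def pem_error(text):
    """Return the parse error for a PEM file, or None if it is well formed."""
    try:
        pem_sections(text)
    except ValueError as exc:
        return str(exc)
    return None


def diagnose_key_file(text):
    """Explain why PEM_read_bio would answer 'no start line' for a key file."""
    labels = [lbl for lbl, _ in pem_sections(text)]
    if any(lbl in PRIVATE_KEY_LABELS for lbl in labels):
        return "ok: private key block present"
    if not labels:
        return "no start line: no -----BEGIN ...----- line at all"
    return ("no start line: no PRIVATE KEY block in file; found only: "
            + ", ".join(labels))


# Constructed sample files. The Base64 payloads are placeholders, not real
# DER certificates or keys, so the example runs offline.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBADANBgkqhkiG9w0BAQEFAAOB\r\n"
    "-----END CERTIFICATE-----\r\n"
)
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN PRIVATE KEY-----\n"
    "QUJDRA==\n"
    "-----END PRIVATE KEY-----\n"
)
BAD_END = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDRA==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, sample in [("cert only", CERT_ONLY), ("cert+key", CERT_AND_KEY)]:
        print(f"{name}: {diagnose_key_file(sample)}")
    print(f"bad end: {pem_error(BAD_END)}")
```

Run against the file configured as the demo's PrivateKey, the first diagnosis is the situation in this thread: the file is a valid PEM, but its only block is CERTIFICATE, so a private-key loader reads to end of file without finding a start line it accepts.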
Re: [twsocket] SSL PEM error
Hello Arno,

Only one BEGIN/END section in each PEM, that is only CERTIFICATE.

AG The private key must not necessarily be an RSA key, do you see any other
AG PRIVATE KEY section?

AG That's possible. AFAIK, OpenSSL supports PKCS11 only thru a dynamic
AG Engine, to list current active engines you could type
AG openssl engine -v -t on the command prompt.

I do load the dynamic engine to make my connection successful and access the local certificate using the key 0:0400 OpenSSL parameter.

I found a PKCS11 library that can access all objects stored on the SmartCard, so maybe I could use it to make my connection work thru ICS if I can pass correct certificates to ICS.

Regards.
Re: [twsocket] SSL PEM error
Dod wrote:
> Hello Arno,
> Only one BEGIN/END section in each PEM, that is only CERTIFICATE.

> > The private key must not necessarily be an RSA key, do you see any
> > other PRIVATE KEY section?

> > That's possible. AFAIK, OpenSSL supports PKCS11 only thru a dynamic
> > Engine, to list current active engines you could type
> > openssl engine -v -t on the command prompt.

> I do load the dynamic engine to make my connection successful and access
> the local certificate using the key 0:0400 OpenSSL parameter.

> I found a PKCS11 library that can access all objects stored on the
> SmartCard, so maybe I could use it to make my connection work thru ICS
> if I can pass correct certificates to ICS.

ICS-SSL currently does not include openssl engine support, however that was just a matter of some hours' work to translate the related C headers, but more work was required in order to wrap engine support nicely in a Delphi component. So at the time the only way is to use PEM files.

I guess you made some mistake exporting the certificate and private key, try again, I currently don't recall the correct command line, however there are countless FAQs available on the net.

--
Arno Garrels

> Regards.
Re: [twsocket] SSL PEM error
Hello Arno,

I thought ICS was based on OpenSSL as it uses the libeay32.dll and ssleay32.dll like OpenSSL.exe does.

Currently I am able to do a connection using OpenSSL.exe (using the pkcs11 engine) or sTunnel.exe that is configured with nearly the same parameter syntax as OpenSSL, as it also relies on libeay32 and ssleay32.

I know that the private key cannot be extracted from the SmartCard type I use, so maybe this is why I need to use this parameter -keyform engine -key 0:0400. I also use -cert c:\documents and settings\dod\bureau\myAuth.pem that contains the public X.509 auth certificate.

Maybe the -key parameter is used to ask the Smartcard to do some computation?

regards.

AG ICS-SSL currently does not include openssl engine support, however that
AG was just a matter of some hours' work to translate the related C headers,
AG but more work was required in order to wrap engine support nicely in a
AG Delphi component. So at the time the only way is to use PEM files.

AG I guess you made some mistake exporting the certificate and private
AG key, try again, I currently don't recall the correct command line, however
AG there are countless FAQs available on the net.
Re: [twsocket] SSL PEM error
Dod wrote:
> Hello Arno,
> I thought ICS was based on OpenSSL as it uses the libeay32.dll and
> ssleay32.dll like OpenSSL.exe does.

OpenSSL is a huge crypto library, ICS uses just parts of it. Engines have been introduced after ICS-SSL started and obviously nobody implemented them later on. I agree that Engines should be supported, at least the built-in, static hardware accelerators (as FastStream asked several times), which looks like an easy enhancement at first glance. I'll see if I can add it when I have some minutes left.

> Currently I am able to do a connection using OpenSSL.exe (using the
> pkcs11 engine) or sTunnel.exe that is configured with nearly the same
> parameter syntax as OpenSSL, as it also relies on libeay32 and ssleay32.

> I know that the private key cannot be extracted from the SmartCard type
> I use

That's hard to believe, if OpenSSL can read the key, and it must read it, then it should be possible to write it to a PEM file as well, IMHO.

--
Arno Garrels
[twsocket] SSL PEM error
Hi,

I am starting to use ICS SSL using the basic icsSSL sample but I get this error:

Can't load private key error:0906D06C:PEM routines:PEM_read_bio:no start line.

After googling I see it sometimes happens with badly formatted PEM files, as the BEGIN and END format is critical, but if I do the connection using OpenSSL or sTunnel I get no error, so the PEM file should be well formatted.

regards.
Re: [twsocket] SSL PEM error
Dod wrote:
> Hi,
> I am starting to use ICS SSL using the basic icsSSL sample but I get
> this error:
> Can't load private key error:0906D06C:PEM routines:PEM_read_bio:no start line.

Does your PEM file actually include a private key? Or is the private key stored in a separate PEM file?

Which demo are you talking about? Which PEM files are specified in Demo's Cert File and Key File Edits?

--
Arno Garrels

> After googling I see it sometimes happens with badly formatted PEM
> files, as the BEGIN and END format is critical, but if I do the
> connection using OpenSSL or sTunnel I get no error, so the PEM file
> should be well formatted.
> regards.
Re: [twsocket] SSL PEM error
Hello Arno,

First of all I have to say I am actually learning about SSL so I am not yet fluent with it, excuse my answers and stupid beginner's questions.

AG Does your PEM file actually include a private key?
AG Or is the private key stored in a separate PEM file?

Not sure about public or private key as my OpenSSL tests have been done using PKCS11, but because the SmartCard has two certificates, I had to extract them manually, convert them into cert/pem and pass them as OpenSSL's parameters.

AG Which demo are you talking about?

icsSimpleSSL

AG Which PEM files are specified in Demo's Cert File and Key File
AG Edits?

The demo has CAfile, CertFile and PrivateKey properties, I tried to set them as I did it with OpenSSL command line.

Does this no start line error mean many things?

regards.