I am having some trouble with the examples in Rescorla's _SSL and TLS:
Designing and Building Secure Systems_ book. I feel like I am making
a minor mistake somewhere, but I'm just overlooking where. I would
appreciate another set of eyes to tell me where I am going wrong.
First of all, the examples distributed with Chapter 8 of the book do
not work at this point. I think this is because the certs expired
long ago:
$ openssl x509 -in server.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 268 (0x10c)
Signature Algorithm: dsaWithSHA1
Issuer: C=US, O=Claymore Systems, Inc., OU=Widgets Division,
CN=PowerTier EJB CA
Validity
Not Before: Oct 12 22:07:33 1999 GMT
Not After : Aug 1 22:07:33 2002 GMT
Subject: C=US, O=Claymore Systems, Inc., OU=Widgets
Division, CN=localhost
Subject Public Key Info:
[................]
$
(etc...)
This isn't itself a problem, because of course anybody who serious
about this topic is going to want to ${obtain} their own certs.
The problem that I am running into involves generating my own certs.
Naturally, since I am just playing around at this point (and trying to
teach myself some interesting new things), I want to be my own CA. I
am running into one or more problems in this area.
Basically, when I generate my own CA keys, CA cert, server keys, and
server cert, I see the following when I run the example from chapter 8
of the book:
$ make test-setup
[ more on this in a moment.... ]
$ ./sserver
Couldn't read key file
23745:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:evp_enc.c:461:
23745:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
23745:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
lib:ssl_rsa.c:669:
This is the part that I am stuck on, and I'm not seeing my mistake
yet.
I'm attaching a Makefile to this email that will show you exactly how
I am creating my keys and my certs. The things that I would like to
point out are: (1) I am using a vanilla copy of Rescorla's code here:
http://www.rtfm.com/sslbook/examples/c-examples.tar.gz (2) for the
sake of simplicity I have hardcoded the passphrase "secret"
everywhere, which goes along with Rescorla's C code (please correct me
if I am wrong....) (3) my code generates DSS/DH keys, just to go along
with EKR's actual C code and (4) I'm not doing anything with cert
serial numbers yet.
The Makefile is just something that I whipped together. It depends on
having /dev/random and Expect available. It should be very easy to
understand how I am generating the keys/certs here. Type "make
test-setup" to generate the keys/certs. Type "make test-clean" to
clean everything up.
I would appreciate it if somebody could point out where I am going
wrong. Thanks!
--kevin
PS Here are my additions to Rescorla's Makefile, in case the mailing
list software axes my attachment:
#########################################################################
#########################################################################
#########################################################################
.PHONY: test-clean test-setup create_dh_group create_random_data create_ca_cert
create_server_keypair do_signing create_client_keypair
create_dh_group:
@echo Creating DH group
openssl dhparam -check -text -5 1024 -out dh1024.pem
create_random_data:
@echo Generating some random data \(THIS TAKES SOME TIME\)
# todo: make this obtain more random data
dd if=/dev/random of=random.pem count=1 bs=128
create_ca_cert:
@echo Generate CA keypair
# openssl genrsa -des3 -passout pass:secret -out ca_key.pem 2048
#
openssl dsaparam -out dsa_params 2048
expect -c 'set timeout -1; \
spawn openssl gendsa -des3 -out ca_key.pem dsa_params ; \
expect "Enter PEM pass phrase" ; \
send -- "secret\r"; \
expect "Verifying - Enter PEM pass phrase" ; \
send -- "secret\r"; expect eof;'
@echo
@echo Generate public-key certificate for CA
(echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
echo engineering ; echo Bob the Certificate Authority ; \
echo [EMAIL PROTECTED] ) \
| openssl req -new -key ca_key.pem -x509 -days 3 -out ca_cert.cer
-passin pass:secret
# cat ca_key.pem ca_cert.cer >root.pem
cp ca_cert.cer root.pem
create_server_keypair:
@echo Generate Server DSA keypair
expect -c 'set timeout -1; \
spawn openssl gendsa -des3 -out server_key.pem dsa_params ;\
expect "Enter PEM pass phrase" ; \
send -- "secret\r"; \
expect "Verifying - Enter PEM pass phrase" ; \
send -- "secret\r" ; expect eof'
do_signing:
# NOTE: I am using "localhost" here.
@echo Generate Server Certificate Signing Request \(CSR\)
(echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
echo engineering ; echo localhost ; \
echo [EMAIL PROTECTED] ; echo secret ; \
echo XYZ Corp) \
| openssl req -new -key server_key.pem -out server_request.csr -passin
pass:secret
@echo
@echo Have CA sign CSR
openssl x509 -req -days 3 -in server_request.csr -CA ca_cert.cer -CAkey
ca_key.pem -CAcreateserial -out server.cer -passin pass:secret
@echo
@echo Creat .pem file that example wants
cat server_key.pem server.cer >server.pem
create_client_keypair:
@echo Create Client RSA keypair
# todo: revisit this after I get the server working
openssl genrsa -des3 -passout pass:secret -out client.pem 2048
test-clean:
rm -f *.cer *.pem *.csr dhparam
test-setup: create_dh_group create_random_data create_ca_cert
create_server_keypair do_signing create_client_keypair
--
GnuPG ID: B280F24E
OPENSSLDIR=/users/ekr/src/freebsd/openssl-0.9.4
CFLAGS=-g -I$(OPENSSLDIR)/include
LD=-L$(OPENSSLDIR) -lssl -lcrypto
OBJS=common.o
all: sclient sserver rclient mserver pclient
sclient: sclient.o client.o read_write.o $(OBJS)
$(CC) sclient.o client.o read_write.o $(OBJS) -o sclient $(LD)
rclient: rclient.o client.o read_write.o $(OBJS)
$(CC) rclient.o client.o read_write.o $(OBJS) -o rclient $(LD)
pclient: pclient.o client.o read_write.o $(OBJS)
$(CC) pclient.o client.o read_write.o $(OBJS) -o pclient $(LD)
sserver: server.o sserver.o echo.o $(OBJS)
$(CC) sserver.o server.o echo.o $(OBJS) -o sserver $(LD)
mserver: server.o mserver.o echo.o $(OBJS)
$(CC) mserver.o server.o echo.o $(OBJS) -o mserver $(LD)
#########################################################################
#########################################################################
#########################################################################
.PHONY: test-clean test-setup create_dh_group create_random_data create_ca_cert
create_server_keypair do_signing create_client_keypair
create_dh_group:
@echo Creating DH group
openssl dhparam -check -text -5 1024 -out dh1024.pem
create_random_data:
@echo Generating some random data \(THIS TAKES SOME TIME\)
# todo: make this obtain more random data
dd if=/dev/random of=random.pem count=1 bs=128
create_ca_cert:
@echo Generate CA keypair
# openssl genrsa -des3 -passout pass:secret -out ca_key.pem 2048
#
openssl dsaparam -out dsa_params 2048
expect -c 'set timeout -1; \
spawn openssl gendsa -des3 -out ca_key.pem dsa_params ; \
expect "Enter PEM pass phrase" ; \
send -- "secret\r"; \
expect "Verifying - Enter PEM pass phrase" ; \
send -- "secret\r"; expect eof;'
@echo
@echo Generate public-key certificate for CA
(echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
echo engineering ; echo Bob the Certificate Authority ; \
echo [EMAIL PROTECTED] ) \
| openssl req -new -key ca_key.pem -x509 -days 3 -out ca_cert.cer
-passin pass:secret
# cat ca_key.pem ca_cert.cer >root.pem
cp ca_cert.cer root.pem
create_server_keypair:
@echo Generate Server DSA keypair
expect -c 'set timeout -1; \
spawn openssl gendsa -des3 -out server_key.pem dsa_params ;\
expect "Enter PEM pass phrase" ; \
send -- "secret\r"; \
expect "Verifying - Enter PEM pass phrase" ; \
send -- "secret\r" ; expect eof'
do_signing:
# NOTE: I am using "localhost" here.
@echo Generate Server Certificate Signing Request \(CSR\)
(echo US; echo NH; echo Grovers Corners; echo XYZ Corp ; \
echo engineering ; echo localhost ; \
echo [EMAIL PROTECTED] ; echo secret ; \
echo XYZ Corp) \
| openssl req -new -key server_key.pem -out server_request.csr -passin
pass:secret
@echo
@echo Have CA sign CSR
openssl x509 -req -days 3 -in server_request.csr -CA ca_cert.cer -CAkey
ca_key.pem -CAcreateserial -out server.cer -passin pass:secret
@echo
@echo Creat .pem file that example wants
cat server_key.pem server.cer >server.pem
create_client_keypair:
@echo Create Client RSA keypair
# todo: revisit this after I get the server working
openssl genrsa -des3 -passout pass:secret -out client.pem 2048
test-clean:
rm -f *.cer *.pem *.csr dhparam
test-setup: create_dh_group create_random_data create_ca_cert
create_server_keypair do_signing create_client_keypair