Client certificates
Hi, I have a CA, and I have a web server. The web server's cert is signed by the CA. On this server I want to only allow those clients which have valid cert's for accessing it (no anonymous access that is). In apache this is done by adding a list of the user's certs. This is fairly simple. If I have understood the principles correctly, the user's certificates must contain the user's private key, right? How do I create (with openssl) a certificate for each of these users, which would be installable on the client's browsers (in PEM or DER format)? Finally, for the server's safety, I must sign these private cert's with either the CA or the web server. Please note that I have read the http://www.pseudonym.org/ssl/ssl_cook.html page. Is this the only way to do it? Is it possible for a server to make these client certificate and distribute them to the users in an offline manner, which the users in turn can install on their browsers. Regards, Svein __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA depth
On Tue, Jul 30, 2002 at 05:52:09AM -0700, Oleg Shema wrote: > > Hello, openssl. > > Can anybody describe, how can I make CA certificates with depth more tham zero? I think, you mean this: openssl.cnf: basicConstraints = CA:true,pathlen:5 more details at doc/openssl.txt Christian __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_CTX_use_PrivateKey_ASN1
I've been trying to get SSL_CTX_use_PrivateKey_ASN1 to
load in a der encoded private key without success. I
have gotten my application working with pem encoded
certificates but have hit a brick wall with loading
der encoded private keys(I have no problem loading the
client/ca certs)
The code leading up to the SSL_CTX_use_PrivateKey_ASN1
call is as so:
FILE *fp = fopen(clientKeyFile, "r");
if{fp != NULL) {
// get the length of the key(why cant
SSL_CTX_use_PrivateKey_ASN1 do this?)
char *buf = new char[BUF_SIZE];
int len = fread(buf, sizeof(char), BUF_SIZE, fp);
fclose(fp);
delete buf;
if(!(SSL_CTX_use_PrivateKey_ASN1(SSL_FILETYPE_ASN1,
my_ssl_ctx, (unsigned char *)clientKeyFile, len))) {
fprintf(stderr, "Error loading key\n");
}
}
Am I using the right function call? To load pem
encoded keys I was using the following:
SSL_CTX_use_PrivateKey_file(ss->my_ssl_ctx,
clientKeyFile, SSL_FILETYPE_PEM) which works fine.
Thanks in advance,
Dermot
__
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
OpenSSL Commandline Interface
Lutz, Thank you for your assistance with my last problem, which helped me to get past error 19. I am now failing error 20, as is seen below in the ssl_engine_log output. I do not seem to have any problem when I use a browser to connect to the site. My problem comes when I attempt to use OpenSSL on the commandline. The application we are developing does not use a browser client interface. We need to use the OpenSSL commandline interface. I am issuing the OpenSSL call for s_client form a second machine on the local LAN below. The syntax I am using for the OpenSSL call is: openssl s_client -showcerts -connect 10.0.0.210:443 -CAfile ca-bumdle.crt -cert DST_crt.pem -key DST_key.pem -state -debug The result from the OpenSSL call fails with indicating the message below: SSL_connect:SSLv3 write client key exchange A write to 0039F7B8 [008E3A08] (139 bytes => -1 (0x)) SSL_connect:error in SSLv3 write change cipher spec A SSL_connect:error in SSLv3 write change cipher spec A write:errno=10053 The ssl_engine_log output reports this error: [30/Jul/2002 04:35:28 32764] [info] Connection to child 1 established (server www.servername.com:443, client 10.0.0.10)[30/Jul/2002 04:35:28 32764] [info] Seeding PRNG with 1160 bytes of entropy[30/Jul/2002 04:35:30 32764] [error] Certificate Verification: Error (20): unable to get local issuer certificate\[30/Jul/2002 04:35:30 32764] [error] SSL handshake failed (server www.servername.com:443, client 10.0.0.10) (OpenSSL library error follows)[30/Jul/2002 04:35:30 32764] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned The ssl_engine_log output with a browser-based session follows: [30/Jul/2002 05:17:40 32764] [info] Initial (No.1) HTTPS request received for child 1 (server www.servername.com:443)[30/Jul/2002 05:17:40 32764] [info] Connection to child 1 closed with unclean shutdown (server www.servername.com:443, client 10.0.0.10)[30/Jul/2002 05:17:40 32764] [info] Connection to child 1 established (server www.servername.com:443, client 10.0.0.10)[30/Jul/2002 05:17:40 32764] [info] Seeding PRNG with 1160 bytes of entropy[30/Jul/2002 05:17:40 32764] [info] Connection: Client IP: 10.0.0.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)[30/Jul/2002 05:17:40 32755] [info] Connection: Client IP: 10.0.0.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)[30/Jul/2002 05:17:40 32755] [info] Initial (No.1) HTTPS request received for child 0 (server www.servername.com:443)[30/Jul/2002 05:17:40 32764] [info] Initial (No.1) HTTPS request received for child 1 (server www.servername.com:443)[30/Jul/2002 05:17:40 32764] [info] Connection to child 1 closed with unclean shutdown (server www.servername.com:443, client 10.0.0.10)[30/Jul/2002 05:17:40 32755] [info] Connection to child 0 closed with unclean shutdown (server www.servername.com:443, client 10.0.0.10) Is the syntax I am using in the OpenSSL call wrong or is there something else that I may be overlooking? I have tried a varity of different combinations thus far without any success. Any assistance is very much appreciated. Thank You Jim
OpenSSL with Webmin
Hello list!!! I'm newer on this and i'm trying to use SSL with webmin. I've a server RH 7.2 with Webmin installed. I did : CA -newca CA -newreq CA -signreq CA -pkcs12 "my certificate" how i must configure webmin from a windowz pc Thanks a lot for your help Sorry about my poor english. Hernán _ Charle con sus amigos online usando MSN Messenger: http://messenger.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CA depth
Hello, openssl. Can anybody describe, how can I make CA certificates with depth more tham zero? ThanksDo You Yahoo!? Yahoo! Health - Feel better, live better
Re: OpenSSL and Web pages
- Original Message - From: "Chuo HUANG(CMS)" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 30, 2002 11:49 AM Subject: OpenSSL and Web pages > Hello! > > I have programmed succefully a piece of VC++ with OpenSSL. The program is to > read the private key in a client's machine and do the signature. I'd like to > set cookies using this Signature to Client's machine later. > > What makes me confused is how to combine my VC++ program with web page, for > example: a php file or a cold fusion file? I tried to make a .dll file using > most of my successful win32 application I talked before.And I set a property of > that DLL as Signature. The Dll was built succefully but the IE stopped when I > using this DLL in a html file. It stopped in the statement using the first > OPenSSL: pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL); > > Do you have any idea about how can I combine my VC++ program with web page? > Many thanks, Why not have a look at Capicom? It's a standard component from Microsoft for cryptography that can be utilized in VC++ but also in VBScript (ASP, HTML). You can find the info on msdn.microsoft.com. There's also an active discussion list on discuss.microsoft.com. hth Meint __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL Security Altert - Remote Buffer Overflows
On 07/30/02 09:05 AM, Louis LeBlanc sat at the `puter and typed: > On 07/30/02 11:08 AM, Ben Laurie sat at the `puter and typed: > > > > > > Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL > > 0.9.6e. Recompile all applications using OpenSSL to provide SSL or > > TLS. > > > > > > > > So when will 0.9.6e be available? The news page claims it's there, > but there's no link from the source page. > Uh, heh. Nevermind, I just found it. Thanks folks. L -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ Liar, n.: A lawyer with a roving commission. -- Ambrose Bierce, "The Devil's Dictionary" __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL Security Altert - Remote Buffer Overflows
On 07/30/02 11:08 AM, Ben Laurie sat at the `puter and typed: > > > Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL > 0.9.6e. Recompile all applications using OpenSSL to provide SSL or > TLS. > > > So when will 0.9.6e be available? The news page claims it's there, but there's no link from the source page. Thanks Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ QOTD: "A child of 5 could understand this! Fetch me a child of 5." __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL Security Altert - Remote Buffer Overflows
> > OpenSSL Security Advisory [30 July 2002] > > Does this affect Apache Web Servers? If they are compiled with OpenSSL support then 'yes'. Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL stability
All, Are there any declarations of the stability of the APIs found in the OpenSSL distribution? For example, are there any guarantees or even "we will try not to"'s which limit the amount of change that the APIs can undergo from release to release? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: libcrypto stack routines
Ok I finally figured it out: the compare routine's signature needs to be
int my_cmp(X509_ATTRIBUTE **a, X509_ATTRIBUTE **b);
not
int my_cmp(X509_ATTRIBUTE *a, X509_ATTRIBUTE *b);
However, my compare routine can only compare a few types of attributes
like OCTET_STRINGs and BMPSTRINGs.. It is not a generic, multi-purpose
compare routine. If anyone has one or knows of one please let me know!!
Chris Jarshant wrote:
> Is there documentation (aside from looking at the header files) on how to
> use things like STACK_OF(type) and the sk_*_find() functions?
> Perhaps I'm going about it wrong, but I can't figure it out.
> Any help would be most apprecianted. I'm trying to do this:
>
> given a STACK_OF(PKCS12_SAFEBAG) instance and a
> STACK_OF(X509_ATTRIBUTES) instance, I'm trying to find the
> safebag which has all of the attributes in the given attribute stack. So,
> here's the code pseudo-code (omitting return values):
>
> void find_bag(STACK_OF(PKCS12_SAFEBAG) *bags,
> STACK_OF(X509_ATTRIBUTES) *attribs) {
>
> foreach (s in safebag) {
> bag_attribs = safebag[s]->attrib;
> foreach (i in attribs) {
> attrib = sk_X509_ATTRIBUTE_value(attribs, i);
> if ((attrib_pos = sk_X509_ATTRIBUTE_find(bag_attribs, attrib)) < 0) {
> printf("couldn't find attrib %d\n", i);
> return;
> } else {
> printf("FOUND attrib at position %d\n", attrib_pos);
> }
> }
> /* all given attributes found in this bag */
> printf("bag %d has all the attributes, it's the one you want", s);
> }
>
> The sk_X509_ATTRIBUTE_find() *always* returns -1. I believe this is
> because the base OpenSSL installation does not include a compare function
> for the X509_ATTRIBUTE type, so the sk_*_find function can't find an
> X509_ATTRIBUTE given a STACK_OF them. I tried declaring a compare
> function myself with the signature:
>
> int my_cmp(X509_ATTRIBUTE *a, X509_ATTRIBUTE *b);
>
> but when it's called during the sk_*_find invocation, it is passing invalid
> arguments (i.e. they're not pointers to X509_ATTRIBUTE structures).
>
> Anyone have any idea of a better way to do this, or if there is indeed a good
> X509_ATTRIBUTE compare function I can use when calling the sk_* functions
> when dealing with X509_ATTRIBUTES?
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL Security Altert - Remote Buffer Overflows
> OpenSSL Security Advisory [30 July 2002] Does this affect Apache Web Servers? Regards Grant Walters Brainbench 'Most Valuable Professional' for Unix Admin Walters & Associates, P O Box 13-043 Johnsonville, Wellington, NEW ZEALAND Telephone: +64 4 4765175, CellPhone 025488265, ICQ# 23511989 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
question for private key
Hi, If we want to know what is in private key, use command , $ openssl rsa -noout -text -in private.key then there are exponent1 and exponent2. I wonder what is this. Best regards! == Long-Ji. Chen Dept. Control/Instr. Eng. Kangwon National University Chunchon 200-701, Korea == __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Self signed certificate
I have set up some certificates using CA.pl but when I try to connect to any openssl server I get back the self signed certificate in certificate chain error. What is it that causes this error to be reported? I created the certificates like so: $perl CA.pl -newca $perl CA.pl -newreq $perl CA.pl -signreq I am using newcert.pem as the client cert and the key in newreq.pem as the client key. I am using the ca cert generated as the client ca cert. Should I be doing something else to make this work? Thanks Dermot __ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL and Web pages
On Tue, Jul 30, 2002 at 10:49:02AM +0100, Chuo HUANG(CMS) wrote: > Hello! > > I have programmed succefully a piece of VC++ with OpenSSL. The program is to > read the private key in a client's machine and do the signature. I'd like to > set cookies using this Signature to Client's machine later. > > What makes me confused is how to combine my VC++ program with web page, for A custom apache module could be a solution. Naina merchant is such a module. > example: a php file or a cold fusion file? I tried to make a .dll file using > most of my successful win32 application I talked before.And I set a property of > that DLL as Signature. The Dll was built succefully but the IE stopped when I > using this DLL in a html file. It stopped in the statement using the first > OPenSSL: pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL); > > Do you have any idea about how can I combine my VC++ program with web page? > Many thanks, > > Zoe > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Naina library: http://www.unity.net/~vf/naina_r1.tgz __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL Security Altert - Remote Buffer Overflows
OpenSSL Security Advisory [30 July 2002] This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory. Advisory 1 == A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS. Vulnerabilities --- All four of these are potentially remotely exploitable. 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time. 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled. 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4. In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them. Who is affected? Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable. SSLeay is probably also affected. Recommendations --- Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS. A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/). Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos. Client should be disabled altogether until the patches are applied. Known Exploits -- There are no know exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code. References -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657 Acknowledgements The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. Advisory 2 == Vulnerabilities --- The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue. Who is affected? Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines. Recommendations --- Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL. Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL. Exploits There are no known exploits for this vulnerability. References -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659 Acknowledgements This vulnerability was discovered by Adi Stav <[EMAIL PROTECTED]> and James Yonan <[EMAIL PROTECTED]> independently. The patch is partly based on a version by Adi Stav. The patch and advisory were prepared by Dr. Stephen Henson. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Index: CHANGES === RCS file: /e/openssl/cvs/openssl/CHANGES,v retrieving revision 1.618.2.158 diff -u -r1.618.2.158 CHANGES --- CHANGES 2002/05/09 22:40:31 1.618.2.158 +++ CHANGES 2002/07/30 09:14:15 @@ -2,6 +2,35 @@ OpenSSL CHANGES ___ + Changes in security patch + +Changes marked "(CHATS)" were sponsored by the Defense Advanced +Research Projects Agency (DARPA) and Air Force Research Laboratory, +Air Force Materiel Command, USAF, under agreement number +F30602-01-2-0537. + + *) Add various sanity checks to asn1_get_length() to reject +
[Crypt::SSLeay] compile problems on Slackware Linux 8.1
I'm getting an unusual problem, (maybe). I've seen this problem posted before on this list and many others, but haven't been able to figure out the problem yet. I'll just tell you that I'm trying to compile and install Crypt::SSLeay so I can use Fetchyahoo. If that makes any difference or not. Anyway, I'll start by the error or warning messages generated from perl Makefile.PL: Note (probably harmless): No library found for -lgcc Note (probably harmless): No library found for -lRSAglue Note (probably harmless): No library found for -lrsaref Followed by a successfull make, and an error ridden make test / make install: PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/i386-linux -I/usr/lib/perl5 -e 'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t t/net_ssl...dubious Test returned status 0 (wstat 11, 0xb) t/ssl_context...dubious Test returned status 0 (wstat 11, 0xb) FAILED--2 test scripts could be run, alas--no output ever seen make: *** [test_dynamic] Error 2 Does anyone know what could cause this? All I want is my Fetchyahoo to get my mail without giving me this message: Logging in insecurely via plaintext as Legg83. Thanks in advance. __ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL and Web pages
Hello! I have programmed succefully a piece of VC++ with OpenSSL. The program is to read the private key in a client's machine and do the signature. I'd like to set cookies using this Signature to Client's machine later. What makes me confused is how to combine my VC++ program with web page, for example: a php file or a cold fusion file? I tried to make a .dll file using most of my successful win32 application I talked before.And I set a property of that DLL as Signature. The Dll was built succefully but the IE stopped when I using this DLL in a html file. It stopped in the statement using the first OPenSSL: pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL); Do you have any idea about how can I combine my VC++ program with web page? Many thanks, Zoe __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Urgent: VC++ Component with OPenSSL
Hello!
Did you use OpenSSL in a VC++ Component before?
I am developing an ATL component with VC++ in windows 2000 environment but
encountered the problem . I am not sure if I can use OpenSSL function in a
component. For example:
pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL);??
Pls give me some help.
Zoe
Details::
Hello!
I am developing an ATL component with VC++ in windows 2000 environment.
Actually, I'd like to use this component in a web server.
When Client wants to connect to the Server, Client downloads this
component---OutCtl from Server.
The task of the component OutCtl is:
1. Read private key of the client ( in a special place of client machine:
key.pem)
2. Do the digital signature
I set one property of the component as Signature.
Then I'd like to pass this property to Client side by VBScript or JavaScript.
I will use that property later.
The function using OpenSSL in my component mainly as the following:
#include
#include
#include
#include
#include
#include
#include
#include
void COutCtl: : DoSignature( )
{
int err;
int sig_len;
unsigned char sig_buf [4096];
static char keyfile[] = "D:\key.pem";
static char data[] = "I owe you...";
EVP_MD_CTX md_ctx;
EVP_PKEY * pkey;
FILE *fp12;
/* Just load the crypto library error strings,
* SSL_load_error_strings() loads the crypto AND the SSL ones */
/* SSL_load_error_strings();*/
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
/* Read private key */
fp12 = fopen (keyfile, "r+");
if (fp12 == NULL) {
printf ("Can't read private key.\n");
exit (1);
}
pkey = PEM_read_PrivateKey(fp12, NULL,NULL, NULL);
fclose (fp12);
if (pkey == NULL) {
ERR_print_errors_fp (stderr);
exit (1);
}
/* Do the signature */
EVP_SignInit (&md_ctx, EVP_sha1());
EVP_SignUpdate (&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal (&md_ctx, sig_buf, &sig_len, pkey);
if (err != 1) {
ERR_print_errors_fp(stderr);
exit (1);
}
// m_bstrSignature will be passed to the property Signature
m_bstrSignature= (CComBSTR) sig_buf;
EVP_PKEY_free (pkey);
}
STDMETHODIMP COutCtl::get_Signature (BSTR *pval)
{
*pval= m_bstrSignature;
return S_OK;
}
Then in a test page OutCtl.html:
ATL 3.0 test pages for object OutCtl
document.write ("Hello!! " & OutCtl.Signature)
The component OutCtl passed when building Dll .
When I test another property (a string for testing purpose), The test page
OutCtl.html works. But It loaded extremely slowly when I added the funtion void
COutCtl: : DoSignature( ) in my component. There is no error appeared. Only IE
stopped there when open OutCtl.html. I tried to debug step by step. At last I
found the problem appeared when the first statement needing OpenSSL being used:
key = PEM_read_PrivateKey(fp12, NULL,NULL, NULL);
Actually, I have used the same function of void COutCtl: : DoSignature( ) in a
VC++ Application ( not a ATL Component), And the whole application is OK. I can
print out the Signature.
But Can't I work with Open SSL in a Component? By the way, I have found all the
.h files of OpenSSL in my External Dependencies , such as evp.h, sha.h,
pem.h...Etc. I have set Debug Multithreaded DLL in project setting.
Is there anyone using OPenSSL in a component before?
I do appreciate if you can give me any information about my problem.
Thank you!
Zoe
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How to support Wrong Format Certificate
On Tue, Jul 30, 2002 at 03:27:40PM +0800, Stone Shi wrote:
> Hello, all
>
> I installed Apache+mod_ssl+OpenSSL as HTTPS Server, and I must make the
> server support the Wrong Format Certificate(See in attechment).
> How can I do?
I could see nothing wrong with this certificate.
DER encoding is good enough; one could make it PEM easily if required
> private key in following format
>
> typedef struct {
> unsigned int bits;
> unsigned char modulus[128];
> unsigned char publicExponent[128];
> unsigned char exponent[128];
> unsigned char prime[2][64];
> unsigned char primeExponent[2][64];
> unsigned char coefficient[64];
> } R_RSA_PRIVATE_KEY;
Maybe, private key was saved as
write(, just_another_one_encoding, sizeof(R_RSA_PRIVATE_KEY))
If so, one could read() it back and set a EVP_PKEY.
It's still unclean how exactly numbers were broken into unsigned chars,
BN_bin2bn() may be handy to set EVP_PKEY RSA components.
hope this helps,
Vadim
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
How to support Wrong Format Certificate
Title: How to support Wrong Format Certificate
Hello, all
I installed Apache+mod_ssl+OpenSSL as HTTPS Server, and I must make the
server support the Wrong Format Certificate(See in attechment).
How can I do?
private key in following format
typedef struct {
unsigned int bits;
unsigned char modulus[128];
unsigned char publicExponent[128];
unsigned char exponent[128];
unsigned char prime[2][64];
unsigned char primeExponent[2][64];
unsigned char coefficient[64];
} R_RSA_PRIVATE_KEY;
CpcmCert.cer
Description: Binary data
key
Description: Binary data
