[openssl-users] CMS-supported ciphers
Hello!

I see the CMS-Interface (CMS_encrypt, X_write_CMS, ...) does not support AES128-GCM.
https://mta.openssl.org/pipermail/openssl-dev/2015-April/001177.html

Is there a list of all supported ciphers for CMS? Or how can I find out without trying it?

Thanks!
Chris

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] CMS/SMIME: RSASSA-PSS, RSAES-OAEP
Hello!

I have an application that uses 3DES for encryption and SHA1 for signing. It is MIME-content and so I use SMIME and CMS.

Is there a way to do RSAES-OAEP for key encryption and RSASSA-PSS for signing with the commandline-tools too, or do I need to use the API?

Cheers,
Chris

Re: [openssl-users] PKCS7 and RSA_verify
Hi!

I thought the difference between PEM and DER is NOT ONLY a different encoding of the string? base64 vs. binary

So to understand that clearly please let me ask: If I convert a PEM-signature from base64 to binary then it is DER?

Thanks
Chris

On 2017-09-28 11:23, Wouter Verhelst wrote:
> On 28-09-17 01:19, ch wrote:
>> If the pkcs-signature is binary encoded it is not working for verifying a SMIME-message in my experience with smime or cms-smime on the console. I tried to convert the binary ones to base64 but that does not do the trick every time.
>
> What you call "base64" is commonly known as "PEM" :-)
>
> You can get it to parse binary, but to do so you need to specify "-inform der".

Re: [openssl-users] PKCS7 and RSA_verify
Hello!

Thanks for the support.

On 2017-09-28 01:06, Dr. Stephen Henson wrote:
> On Thu, Sep 28, 2017, ch wrote:
>> Hello!
>>
>> I am working on a tool for verifying SMIME-messages. Because cms and smime are only able to verify base64 pkcs7-signatures I try to do it "manually" and I now have a problem with the signing-timestamp.
>
> I'm not sure what you mean by "only able to verify base64 pkcs7-signatures" it can handle PEM and DER forms too.

If the pkcs-signature is binary encoded it is not working for verifying a SMIME-message in my experience with smime or cms-smime on the console. I tried to convert the binary ones to base64 but that does not do the trick every time.

>> Let's do an example:
>>
>>     openssl smime -sign -md sha1 -in plain.txt -inkey mykey -signer mycert -noattr -outform der | openssl asn1parse -inform der
>>
>> If I put plain.txt and the 128 byte signature (from asn1parse out of the pkcs7) into RSA_verify it works perfectly. Every call would produce the same signature-hexdump. But if I remove the -noattr the signature-value will be different every second and then RSA_verify is not working anymore. How can I handle this?
>
> When you don't use attributes the signature is performed over the content. If you use attributes then the signature is over the encoding of a bunch of attributes including a signing time and the digest of the content. Because the signing time changes the data being signed in the attributes changes too.

Would PKCS7_verify (or something else) handle that for me or do I need to consider that different content with RSA_verify?

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Again, thanks for the support!
chris

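Added example (not part of the original messages and not OpenSSL code): the point made in the reply above, that with signed attributes the signature covers the DER encoding of the attribute set rather than the content, so a changed signing time changes the signed data. It assumes only the three attributes contentType, signingTime and messageDigest (OpenSSL may add others), SHA-1 as in the thread's command, and constructed sample content and times.

```python
import hashlib

def tlv(tag, body):
    """DER tag-length-value (long-form length for bodies of 128+ bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def oid(dotted):
    """DER OBJECT IDENTIFIER; each arc after the first two is base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def attribute(type_oid, value):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF value }."""
    return tlv(0x30, oid(type_oid) + tlv(0x31, value))

def signed_attrs(content, utctime):
    """SignedAttributes as hashed for the signature: SET OF tag 0x31, not [0]."""
    digest = hashlib.sha1(content).digest()
    attrs = [
        attribute("1.2.840.113549.1.9.3", oid("1.2.840.113549.1.7.1")),  # contentType: data
        attribute("1.2.840.113549.1.9.5", tlv(0x17, utctime.encode())),   # signingTime
        attribute("1.2.840.113549.1.9.4", tlv(0x04, digest)),             # messageDigest
    ]
    return tlv(0x31, b"".join(sorted(attrs)))  # DER SET OF is sorted by encoding

def signature_input_digest(content, utctime=None):
    """SHA-1 the RSA signature covers: the content (-noattr) or the signedAttrs."""
    data = content if utctime is None else signed_attrs(content, utctime)
    return hashlib.sha1(data).hexdigest()

CONTENT = b"constructed sample content\n"  # constructed, stands in for plain.txt
if __name__ == "__main__":
    print("-noattr              ", signature_input_digest(CONTENT))
    for t in ("170928011900Z", "170928011901Z"):  # constructed times, 1 s apart
        print("attrs at", t, signature_input_digest(CONTENT, t))
```

The content digest is identical in both attribute sets; only the signingTime bytes differ, which is enough to change the value being signed. PKCS7_verify and CMS_verify perform both checks: the messageDigest attribute against the content, and the signature against the encoded attributes.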
[openssl-users] PKCS7 and RSA_verify
Hello!

I am working on a tool for verifying SMIME-messages. Because cms and smime are only able to verify base64 pkcs7-signatures I try to do it "manually" and I now have a problem with the signing-timestamp.

Let's do an example:

    openssl smime -sign -md sha1 -in plain.txt -inkey mykey -signer mycert -noattr -outform der | openssl asn1parse -inform der

If I put plain.txt and the 128 byte signature (from asn1parse out of the pkcs7) into RSA_verify it works perfectly. Every call would produce the same signature-hexdump. But if I remove the -noattr the signature-value will be different every second and then RSA_verify is not working anymore. How can I handle this?

Thanks!
Chris

verify without issuer-certificate?
hi!

Can I verify a message or just a certificate WITHOUT having all the issuer certificates (up to the RootCA) in my store? Is there an option in the commandline tools? I was not able to find one in the man-pages.

thanks,
chris

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

cms sign with md5
hi all!

how can I tell openssl cms to sign not with sha1 but with md5? i tried the -md5 option but got an error.

thanks!
br, chris

Re: cms sign with md5
hi!

my command is:

    ./openssl cms -sign -md5 -signer cert.cer -inkey priv.key -in file.txt

and i get this usage-error-message with the parameter-description. think I use the md5 parameter wrong. any ideas??

without -md5 it delivers a correct signed output but it is sha1.

thanks,
chris

kartik rustagi wrote:
> Which error?
>
> On Tue, Sep 14, 2010 at 3:34 PM, ch <ch_m...@gmx.at> wrote:
>> hi all!
>>
>> how can I tell openssl cms to sign not with sha1 but with md5? i tried the -md5 option but got an error.
>>
>> thanks!
>> br, chris
>
> --
> Regards
> Kartik Rustagi

extract the signature from a signed message
hi!

is it possible to extract from a signed mime-message just the signature? i will parse it with asn1parse, but this needs just the signature as far as i figured out. if i give it the whole message it struggles.

or how is it possible to pass a whole signed message to asn1parse?

thanks for help!
br, chris

Re: UltraSPARC T2 - OpenSSL - PKCS11 ???
Thanks for your help everyone !

I've checked T5120 hardware specifications : 8 cores, 8 threads/core, so I used the multi 64 option :

                  sign    verify    sign/s verify/s
rsa  512 bits     0.s     0.s     121283.7 202718.0
rsa 1024 bits     0.s     0.s      30643.1 115804.2
rsa 2048 bits 0.0002s     0.s       5282.8  44109.6
rsa 4096 bits 0.0421s 0.0009s        23.7   1071.3

It looks much better ! Does it look relevant to you ?

About the multi 64 option : I tried multi 70 to be sure there will be always a thread waiting to be executed. I've noticed some improvement but not much ... Is this a good idea ?

--
View this message in context: http://www.nabble.com/UltraSPARC-T2---OpenSSL---PKCS11-tp24952022p25002897.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

UltraSPARC T2 - OpenSSL - PKCS11 ???
Hi,

I'm currently working on a project involving a Sun T5120 and some crypto... (I'm also to to OpenSSL T2)

T2 is supposed to be quite fast for crypto operations :

openssl speed rsa

                  sign    verify    sign/s verify/s
rsa  512 bits 0.0047s 0.0005s    210.7   2072.0
rsa 1024 bits 0.0246s 0.0014s     40.7    701.3
rsa 2048 bits 0.1554s 0.0048s      6.4    206.3
rsa 4096 bits 1.0780s 0.0175s      0.9     57.0

openssl speed -engine pkcs11 rsa

                  sign    verify    sign/s verify/s
rsa  512 bits     0.s     0.s  26514.1  31260.8
rsa 1024 bits     0.s     0.s  25112.3  30151.4
rsa 2048 bits     0.s     0.s  23563.2  29678.7
rsa 4096 bits 0.7007s 0.0184s      1.4     54.4

Compared to the first speed test it looks pretty good ! To give me an idea how fast it is, I've run the same test on a desktop machine:

                   sign     verify    sign/s verify/s
rsa  512 bits 0.000216s    0.15s   4637.7  67700.3
rsa 1024 bits 0.000835s    0.41s   1197.1  24520.1
rsa 2048 bits 0.004752s 0.000128s    210.4   7809.1
rsa 4096 bits 0.030489s 0.000440s     32.8   2273.9

I guess something goes wrong ? I'm using the OpenSSL that was installed by default with Solaris 10 (it is supposed to be built with pkcs11 support).

Why is the T2 so slow (even when not using the pkcs11 engine) ?