Dynamic Engine Loading Support

2003-09-03 Thread Bommareddy, Satish (Satish)



OpenSSL 0.9.7b
How do I enable/build openssl with dynamic engine loading support?
I am trying to load opensc engine using

[EMAIL PROTECTED] satish]# openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
openssl:Error: 'engine' is an invalid command.

Standard commands
asn1parse      ca             ciphers        crl            crl2pkcs7
dgst           dh             dhparam        dsa            dsaparam
enc            errstr         gendh          gendsa         genrsa
nseq           passwd         pkcs12         pkcs7          pkcs8
rand           req            rsa            rsautl         s_client
s_server       s_time         sess_id        smime          speed
spkac          verify         version        x509

Message Digest commands (see the `dgst' command for more details)
md2            md4            md5            mdc2           rmd160
sha            sha1

Cipher commands (see the `enc' command for more details)
base64         bf             bf-cbc         bf-cfb         bf-ecb
bf-ofb         cast           cast-cbc       cast5-cbc      cast5-cfb
cast5-ecb      cast5-ofb      des            des-cbc        des-cfb
des-ecb        des-ede        des-ede-cbc    des-ede-cfb    des-ede-ofb
des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   des-ofb
des3           desx           rc2            rc2-40-cbc     rc2-64-cbc
rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb        rc4
rc4-40

OpenSSL>

What am I doing wrong? Is there something else I need to build openssl / opensc?

satish


RE: Dynamic Engine Loading Support

2003-09-03 Thread Bommareddy, Satish (Satish)
It does look like it is built in with the engine...

OpenSSL> version -a
OpenSSL 0.9.7b 10 Apr 2003
built on: Thu Aug 28 09:57:24 PDT 2003
platform: linux-pentium
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
OPENSSLDIR: "/usr/local/ssl"
OpenSSL>

satish

-Original Message-
From: Geoff Thorpe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 5:08 PM
To: [EMAIL PROTECTED]
Cc: Bommareddy, Satish (Satish)
Subject: Re: Dynamic Engine Loading Support


On September 3, 2003 03:06 pm, Bommareddy, Satish (Satish) wrote:
> OpenSSL 0.9.7b
> how do i enable/build openssl with dynamic engine loading support?
> I am trying to load opensc engine using
>
> [EMAIL PROTECTED] satish]# openssl
> OpenSSL> engine dynamic -pre
> SO_PATH:/usr/local/lib/opensc/engine_opensc.so -pre ID:opensc -pre
> LIST_ADD:1 -pre LOAD
> openssl:Error: 'engine' is an invalid command.

It appears your version of openssl was built without engine support (ie. 
configured with "no-engine"). If you run "openssl version -a", do you see 
something like "-DOPENSSL_NO_ENGINE" in the list of compilation flags? If 
so, build your own version of openssl by configuring it for another 
installation directory (inside your $HOME if you don't have root access 
of course) and make sure that new installation occurs earlier in your 
$PATH than the system's bundled version.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Equivalent API for X509_NAME_oneline

2003-11-25 Thread Bommareddy, Satish (Satish)



Is there an equivalent API to do exactly the opposite of what X509_NAME_oneline() does?
If I have an issuer name in the form of a string, is there an API which will give me a pointer to/update the X509_NAME object?

satish


Accelerating RSA Key Generation

2003-12-04 Thread Bommareddy, Satish (Satish)



HI

One of the applications we are working on requires us to generate RSA key pairs at a rate of about 20-25 key pairs/second.
Is there any application out there which can do this??
Is using /dev/random, /etc/entropy or accelerator card with RNG any faster?? And can this achieve the speed we require?

satish


RE: Accelerating RSA Key Generation

2003-12-05 Thread Bommareddy, Satish (Satish)
key size 1024. Only RSA

the requirement is to generate 1024 RSA keys for installation into a device during manufacturing

satish

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Thursday, December 04, 2003 6:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Accelerating RSA Key Generation


On Thu, Dec 04, 2003, Bommareddy, Satish (Satish) wrote:

> HI
>  
> One of the applications we are working on requires us to generate RSA key
> pairs at a rate of about 20-25 key pairs/second is there any application out
> there which can do this??  is using /dev/random, /etc/entropy or accelerator
> card with RNG any faster?? and can this achieve the speed we require?
>  

What size of key pair? Do they need to be secure or would any set of key pairs
do? What kind of length of time do you need to sustain this rate?

What's the intended purpose of the keypairs? If you don't have to use RSA then
other public key algorithms could be used which have much quicker key generation
times.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Searching for Paddingfunction in SHA-1

2004-03-10 Thread Bommareddy, Satish (Satish)
crypto/rsa/rsa_pk1.c

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter Steiert
Sent: Wednesday, March 10, 2004 7:19 AM
To: [EMAIL PROTECTED]
Subject: Searching for Paddingfunction in SHA-1


Hello @ll,

I'm currently having an intensive look at the hash algorithms implemented
in openssl (mainly SHA-1).
I'm searching for the padding algorithms but didn't find them.

Can anybody help and tell me where they are located?

Thanks for your help.

Peter




[no subject]

2004-03-10 Thread Bommareddy, Satish (Satish)



Here is what I am trying to do...

Config file has these lines:
[ CA_default ]
..
x509_extensions = usr_cert

[ usr_cert ]

basicConstraints=CA:FALSE

keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Certificate Policies
certificatePolicies = ia5org,@capol

[ capol ]
#
# Generic Certificate Policies
#
[capol]
policyIdentifier=avayaCPS
CPS.1=https://www.foo.com;
[EMAIL PROTECTED]

[capoln]
explicitText="Please visit http://www.foo.com for details.";
organization="Product CA"
noticeNumbers=1

I am using the following to read

#include <openssl/conf.h>
#include <openssl/x509v3.h>

// Declarations not shown in the post; the values here are assumed
#define SUCCESS        0
#define FAILURE        (-1)
#define BASE_SECTION   "ca"
#define DEFAULT_CA     "default_ca"
#define V3_EXTENSIONS  "x509_extensions"

static CONF *pConfig;
static char *section;
static char *pGlobalExtensions;

// Read config file
int readSSLConfigFile(char *pSSLConfigFile)
{
    long    errorline = -1;

    // Read the config file to set up the necessary extension
    pConfig = NCONF_new(NULL);

    // NCONF_load returns 0 on failure, so test for <= 0 rather than < 0
    if(NCONF_load(pConfig, pSSLConfigFile, &errorline) <= 0)
    {
        if(errorline <= 0)
        {
            // Log message Error loading config file
        }
        else
        {
            // Log message Error on line %ld of config file %s:, errorline
        }
        return FAILURE;
    }

    // load openssl builtin modules
    OPENSSL_load_builtin_modules();

    // load config
    if(CONF_modules_load(pConfig, NULL, 0) <= 0)
    {
        // log error configuring OpenSSL
        return FAILURE;
    }

    // get the section we will need, the extensions
    if((section = NCONF_get_string(pConfig, BASE_SECTION, DEFAULT_CA)) == NULL)
    {
        // Log config base section lookup failed
        return FAILURE;
    }

    // Now we need to get the extension section
    pGlobalExtensions = NCONF_get_string(pConfig, section, V3_EXTENSIONS);
    if(!pGlobalExtensions)
    {
        // Log message failed to read global config file
        return FAILURE;
    }
    else
    {
        X509V3_CTX  ctx;

        // Test context: parse the extension section without a certificate
        X509V3_set_ctx_test(&ctx);
        X509V3_set_nconf(&ctx, pConfig);
        if(!X509V3_EXT_add_nconf(pConfig, &ctx, pGlobalExtensions, NULL))
        {
            // Log message Failed to load extension section %s pGlobalExtensions
            return FAILURE;
        }
    }
    return SUCCESS;
}

It fails at X509V3_EXT_add_nconf. When I comment out the line containing the policy identifier (@capol) it works fine.

Am I missing something???

satish


RE: your mail

2004-03-11 Thread Bommareddy, Satish (Satish)
the oid is declared in the config file as

[ new_oid ]
avayaCPS=10.1.1

satish

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Thursday, March 11, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: Re: your mail


On Wed, Mar 10, 2004, Bommareddy, Satish (Satish) wrote:

> Here is what i am trying to do...
>  
> Config file has these lines:
> [ CA_default ]
> ..
> x509_extensions = usr_cert
>  
> [ usr_cert ]
>  
> basicConstraints=CA:FALSE
>  
> keyUsage = digitalSignature, keyEncipherment
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
>  
> # Certificate Policies
> certificatePolicies = ia5org,@capol
>  
> [ capol ]
> #
> # Generic Certificate Policies
> #
> [capol]
> policyIdentifier=avayaCPS
> CPS.1=https://www.foo.com;
> [EMAIL PROTECTED]
>  
> [capoln]
> explicitText="Please visit http://www.foo.com for details.";
> organization="Product CA"
> noticeNumbers=1
> 
> 
> It fails at X509V3_EXT_add_nconf. when i comment out the line containing the
> policy identifier (@capol) it works fine.
>  
> am i missing something???
>  

Actually OpenSSL is missing something. It should give an extension error if
the policy identifier is not present.

If avayaCPS isn't a valid OID name then this will fail as the error code
should indicate. You need to add a *valid* OID for that name (i.e one
belonging to your organization).

Looking at the rest of the extension I'm not sure what you intend to convey by
those fields but they look strange...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
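
Steve's reply turns on whether the name avayaCPS maps to a valid OID. The C below is an added example, not part of the thread and not OpenSSL code: it checks a dotted OID against the arc rules (first arc 0 to 2; second arc at most 39 under arcs 0 and 1) and produces the DER content octets. The names `oid_to_der` and `OID_ERR_*` are hypothetical, and `2.999.1` is a constructed sample under the example arc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { OID_ERR_SYNTAX = -1, OID_ERR_FIRST_ARC = -2,
       OID_ERR_SECOND_ARC = -3, OID_ERR_SPACE = -4 };

/* Validate a dotted-decimal OID and write its DER content octets (no tag
 * or length byte) to out. Returns the octet count or a negative OID_ERR_*. */
int oid_to_der(const char *s, unsigned char *out, size_t outlen)
{
    uint64_t arc[32], v;
    size_t narcs = 0, len = 0, i, n, k;
    char *end;

    while (*s != '\0') {
        if (*s < '0' || *s > '9' || narcs == 32) return OID_ERR_SYNTAX;
        arc[narcs] = strtoull(s, &end, 10);
        if (arc[narcs++] > UINT32_MAX) return OID_ERR_SYNTAX; /* limit of this example */
        if (*end == '.' && end[1] != '\0') s = end + 1;
        else if (*end == '\0') s = end;
        else return OID_ERR_SYNTAX;
    }
    if (narcs < 2) return OID_ERR_SYNTAX;
    if (arc[0] > 2) return OID_ERR_FIRST_ARC;      /* only arcs 0, 1 and 2 exist */
    if (arc[0] < 2 && arc[1] > 39) return OID_ERR_SECOND_ARC;
    arc[1] += 40 * arc[0];        /* first two arcs share one subidentifier */
    for (i = 1; i < narcs; i++) {
        n = 1;
        for (v = arc[i] >> 7; v != 0; v >>= 7) n++;     /* count 7-bit groups */
        if (len + n > outlen) return OID_ERR_SPACE;
        for (k = n; k-- > 0; )    /* most significant group first, bit 7 = "more" */
            out[len++] = (unsigned char)(((arc[i] >> (7 * k)) & 0x7f) | (k ? 0x80 : 0));
    }
    return (int)len;
}

int main(void)
{
    unsigned char der[16];
    /* 10.1.1 is the value posted in the thread; 2.999.1 is a constructed sample. */
    printf("10.1.1 -> %d, 2.999.1 -> %d\n", oid_to_der("10.1.1", der, sizeof der),
           oid_to_der("2.999.1", der, sizeof der));
    return 0;
}
```

The value `10.1.1` from the `[ new_oid ]` section above returns `OID_ERR_FIRST_ARC`, while `2.5.29.32` (certificatePolicies) encodes to `55 1D 20`.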


Certificate date validation

2005-04-06 Thread Bommareddy, Satish (Satish)








How do I check to see how many days are left for the validity of a certificate? Is there an openssl command which tells me the days or time left?

X509_cmd_current_time returns a positive integer if a certificate is still valid? What does this signify? Is there a way to convert this to the time left?

What I am trying to do is write an app to check the certificate and give me the days left.

satish