Re: Beginner's questions with openssl API
On Mon, 7 Jan 2002, Mack Stevenson wrote:

> Hi Bear,
>
> Thank you for replying.
>
> > > - I gather that it's a bad idea to just encrypt all the files with the
> > > passphrase chosen by the user, right?
> >
> > You don't use the passphrase *directly*, but you should certainly
> > use the user's passphrase. Run it through a cryptographic hash
> > and use the results as your encryption key.
>
> Can I use either the SHA or RIPEMD-160 hashes from openssl for this purpose?

You should use the PBE (Password Based Encryption) routines instead of hashing directly. They are based on PKCS#5 (1.5 and 2.0) and PKCS#12.

You can take a look at my EVP tutorial (sorry, but I don't know any other :-P)...

http://spisa.act.uji.es/~juan/tutoriales/openssl/evp/

Unfortunately, for now it's in Spanish, but the code could help you.

Hope you can find it useful.

Juan.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
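The difference between hashing the passphrase once and using a PKCS#5 password-based derivation, as discussed in the message above, shown as an added example that is not part of the original thread or of the linked tutorial. It uses Python's `hashlib.pbkdf2_hmac` (PKCS#5 v2.0 PBKDF2) rather than the OpenSSL C routines; the iteration count, salt length, header layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ITERATIONS = 200_000   # assumption: tune to the slowest machine you support
MAX_ITERATIONS = 10_000_000  # refuse absurd stored counts (CPU exhaustion)
SALT_LEN = 16
KEY_LEN = 32           # e.g. a 256-bit cipher key
MAGIC = b"PBK1"        # hypothetical header tag for this example


def naive_key(passphrase: str) -> bytes:
    """One unsalted hash: same passphrase -> same key for every file and user."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PKCS#5 v2.0 PBKDF2-HMAC-SHA256: salted and deliberately slow to guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, KEY_LEN)


def _check_value(key: bytes) -> bytes:
    # Short value stored with the file so a wrong passphrase is detected early.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]


def new_header(passphrase: str) -> Tuple[bytes, bytes]:
    """Pick a fresh random salt; return (header to store with the file, key)."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt)
    header = MAGIC + struct.pack(">I", ITERATIONS) + salt + _check_value(key)
    return header, key


def open_header(passphrase: str, header: bytes) -> Optional[bytes]:
    """Re-derive the key from a stored header; None if the passphrase is wrong."""
    if len(header) != 4 + 4 + SALT_LEN + 8 or header[:4] != MAGIC:
        raise ValueError("not a header produced by new_header()")
    (iterations,) = struct.unpack(">I", header[4:8])
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    salt, check = header[8:8 + SALT_LEN], header[8 + SALT_LEN:]
    key = derive_key(passphrase, salt, iterations)
    return key if hmac.compare_digest(check, _check_value(key)) else None
```

The salt and iteration count are not secret and are stored in the clear next to the ciphertext; only the passphrase has to be remembered.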
OpenSSL ocsp and SmartTrust Servant OCSP
Hi All,

I am trying to use the OpenSSL command ocsp together with SmartTrust Servant OCSP 4.0 and consistently get 'internalerror (2)' when trying to verify the status of a certificate.

Does anyone have experience with SmartTrust OCSP and OpenSSL?

Best regards

Franz Brandl
Associated Consultant
A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH
Re: Root cert questions
> By definition, a "root cert" is one where the issuer is also the signer.
> How you determine issuer===signer can be problematic (insert various
> Gutman data here :), but most software probably compares DN's.

I might not have been clear on this - the table is intended to be used as the "cert store" for certs issued by the CA, not a general purpose cert store. The CA has complete control over everything that goes into the table, and will include a bunch of companion java servlets that query the database. (Think nsRevocationUrl and the like, or similar PKIX lookup functions.) If the database has strong integrity checks, the servlets can be thin.

Anyway, my current test for a "root cert" has been whether

    X509_verify(cert, X509_get_pubkey(cert))

(or "x509_verify(x,x)" in the PostgreSQL binding) returns true. I originally planned to compare keyids, but have decided to just cache the results of this test instead.

I've been ignoring the subject and issuer DNs for now from the assumption that an attacker could exploit any difference in how I recognize root certs (self-signature or subject/issuer DN) to slip in some bad certs. But this is an exercise in futility unless the cert chains will be acceptable to others, hence the questions.

> If your
> libpkixpg functions generate the keyid if not present, then your schema
> looks correct.

Nope, if the keyid is absent you get a null. But this isn't an issue since my signing code always adds the keyids.

> A more correct term, although not as impressive, is
> probably "self-signed cert."

Since the intention is to label the terminal certs in a cert chain maintained by the CA, a "root cert" could be a CA cert signed by a third party. That's the end of the chain as far as the database is concerned. You're unlikely to get such a cert from Verisign, but you might get a restricted one from a parent organization.

In this case, the test for root certs would become something like

    X509_verify(cert, X509_get_pubkey(parentcert))

where the 'parentcert' is the foreign signing key.
How to do When root CA'cert expired!!?
Hello,

I am a graduate student of Southeast University. We are studying CA systems. Now we meet a problem that the CA certificate we created before will expire soon. We have a CA center for accepting and signing certification requests, and a CA application for queries. If we change the CA certificate to a new one, we must set up two application servers separately, one for the old CA's users and one for the new CA's users, because we need the user's certificate, and the server's SSLCACertificate should be consistent with the CACertificate of the user's certificate.

I hope I have expressed my problem clearly. Can you tell me whether there is any better way to solve the problem?

And another question, it may be a dumb question, but I would like to know: can I prolong the CACertificate's period of validity? And how?

Thanks a lot!

Sincerely,
Jenny Xu
2001.12.31
openssl to find out expiration date in pfx-files???
Hello folks!

I am looking for a solution to extract the expiration date of a certificate to a text file, to finally bring all of the expiration dates into a database, so I know when the next certificate expires.

I am using IIS 5.0, extracting my keys including the private key to a *.pfx file. I can use

    openssl pkcs12 -in infile -out outfile -nodes

to create a PEM file which I can read line by line. Unfortunately there is no expiration date which I can use in this type of file.

How can I obtain the expiration date of a certificate in the form of a Microsoft pfx file, or via a conversion using openssl?

Many thanks and best regards,
Karl-Heinz
openssl-0.9.6 compile problem in windows 2000 + vc 6.0
Hello,

openssl-0.9.6, openssl-0.9.6a, openssl-0.9.6-stable-snap-20020103, openssl-engine-0.9.6c, openssl-0.9.6c, openssl-snap-20020103: these versions cannot be compiled under Windows 2000 + VC6.0.

Whenever I use "perl Configure VC-WIN32" or "perl Configure VC-NT" and run "ms\do_ms" or "ms\do_nt", I get the following errors:

    Use of uninitialized value at util\mkdef.pl line 516
    Use of uninitialized value at util\mkdef.pl line 517
    Use of uninitialized value at util\mkdef.pl line 516
    Use of uninitialized value at util\mkdef.pl line 517
    Use of uninitialized value at util\mkdef.pl line 516
    Use of uninitialized value at util\mkdef.pl line 517
    Use of uninitialized value at util\mkdef.pl line 516
    ...

I have to use openssl-0.9.5a. It's awful! Can you give me some suggestions?

Thank you.

Sincerely,
Cao
Problems compiling openssl 9.6c on win2000 with vc6.0
I have installed openssl 9.6c according to the instructions in the INSTALL file:

    perl Configure VC-WIN32
    ms\do_ms
    nmake -f ms\ntdll.mak

The result of the make is an error compiling the file .\crypto\engine\hw_aep.c.

    Error: Cannot open include file unistd.h

Does anyone know how to resolve this problem?
RSA_verify question
Hi

I am using RSA_verify to verify that the signature that I am getting with a message is correct.

The process that I am using is as follows.

- Get the user public key from file and put it in an RSA structure.
  ERR_print_errors returns no error
- Get the server private key from file and put it in another RSA structure (I know it is not used to verify, but I want to sign later too).
  ERR_print_errors returns no error
- Read the signed message digest from disk and decode (pASN1-> ... used later).
  ERR_print_errors returns no error
- Create a digest of the data (digest used: EVP_sha1()) - (hard coded string for testing):
    EVP_DigestInit
    EVP_DigestUpdate
    EVP_DigestFinal
  ERR_print_errors returns no error
- RSA_verify(NID_sha1, (unsigned char *) &md, len_md, pASN1->data, pASN1->length, PubRsaKey); - failed: returns 0
  ERR_print_errors returns

    6114:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
    6114:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:

All data read from disk is from an MS client, encoded using CryptEncodeObject. All data is read and decoded (d2i functions) without reported error.

Please advise on what action I need to take to resolve this or what the problem(s) could be.

My app is not too large and is attached for additional info.

Hylton Tregenza

Attachment: z.cpp
Doubt regarding extracting the Extended Key usage attribute
Hi,

I am facing a problem regarding extracting the Extended Key Usage attribute.

My requirement is to know if the Extended Key Usage attribute Nid_OCSP_sign is present.

I tried the following way:

    X509 *pCert; /* The certificate */
    int iVal;

    iVal = X509_get_ext_by_NID(pCert, NID_OCSP_sign, -1);
    if(iVal >= 0)
        printf("Extended Key Usage Attribute NID_OCSP_sign present");

Here I am getting iVal as -1, indicating that it is not present. But when I try to print the certificate using X509_print(), I can see this extension present.

Is there anything wrong with the code I am using? I request you to help me in finding the bug.

Awaiting your valuable response...

Regards
Suram
Re:win32
I am using msvc C++ & openssl 0.9.6c.

In an NT4 environment I set the RANDFILE value to RANDOM.pem; should the value end in .rnd?

Do I need to do anything special or explicit in the openssl.cnf to confirm it when I am creating ref or ca certs?

In my application, I have built a C++ wrapper around openssl functions. During the handshaking phase, should my application point to the same RANDOM.* seed file to create the random number used as input to the key generation process?

robert
Re: RSA keys auth.
> Jeffrey Altman wrote:
>
> > A passphrase consisting of human readable/typable text provides
> > approximately 2 bits of entropy per character.
>
> English text contains approx. 3.5 bits of entropy per character.

Password half password of password normal password English password text password is password not password the password 'password', password or password similar password text password.

(I know, "the", "a", "in", "of", etc. But these extremely common English words are also extremely short, and are often eliminated from these entropy counts anyway as 'semantic glue.')
[no subject]
Hi!

I have an axis development board and I want to run an snmp agent on it. The agent needs the openssl library, but if I try to compile it there is an error:

    "could not read symbols nvalid operation"

Can you tell me why?

Thanks,
bernd