test; ignore please
test __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Capicom signing openssl verification
Hi, I can sign and verify the digital signature of a web-form with my private and public key using capicom but now I need to verify the digital signature on a Sun Solaris server with openssl 0.9.6c. I exported my public key and uploaded it to the Sun server. On the server I have my public key and the digital signed text signed with my private key. Then on the Sun server I do : openssl dgst -sha1 -binary -verify ivan_public.key -signature 19870193.pem text 19870193.pem is the signed web-form (signed with capicom). I believe the format is PKCS7. Text is the file containing the ascii text from the web-form. Openssl returns Verification Failure . Any idea of what I'm doing wrong ? kind regards, Ivan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Attribute Certificates
Hello. Actually no is possible with OpenSSL to generate Attribute Certificates. Only is possible to generate it with IAIK to JAVA. Greetings. ---Mensaje original--- De: [EMAIL PROTECTED] Fecha: viernes, 12 de abril de 2002 15:06:20 A: [EMAIL PROTECTED] Asunto: Attribute Certificates Hi All, Is it possible with openssl to generate Attribute Certificates? Attribute certificates are a relatively new concept in public key infrastructure technology and promise much. Regards #-- Averroes __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Capicom signing openssl verification
Ivan, SorryI've got a question from your question. How do you export your public key from your certificate? Would I be able to export a public key from a cert created and signed through OpenSSL commands? Grateful for your comments!! Best regards, H. Chan - Original Message - From: Ivan Saez [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 15, 2002 3:30 PM Subject: Capicom signing openssl verification Hi, I can sign and verify the digital signature of a web-form with my private and public key using capicom but now I need to verify the digital signature on a Sun Solaris server with openssl 0.9.6c. I exported my public key and uploaded it to the Sun server. On the server I have my public key and the digital signed text signed with my private key. Then on the Sun server I do : openssl dgst -sha1 -binary -verify ivan_public.key -signature 19870193.pem text 19870193.pem is the signed web-form (signed with capicom). I believe the format is PKCS7. Text is the file containing the ascii text from the web-form. Openssl returns Verification Failure . Any idea of what I'm doing wrong ? kind regards, Ivan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Capicom signing openssl verification
$openssl x509 -pubout ... Aleksey. Howard Chan wrote: 0bc601c1e456$5ee179c0$086fa8c0@vrjyu"> Ivan,SorryI've got a question from your question. How do you export yourpublic key from your certificate? Would I be able to export a public keyfrom a cert created and signed through OpenSSL commands? Grateful for yourcomments!!Best regards,H. Chan- Original Message -From: "Ivan Saez" [EMAIL PROTECTED]To: [EMAIL PROTECTED]Sent: Monday, April 15, 2002 3:30 PMSubject: Capicom signing openssl verification Hi,I can sign and verify the digital signature of a web-form with myprivate and publickey using capicom but now I need to verify the digital signature on aSun Solaris server with openssl 0.9.6c. I exported my public key anduploaded it to the Sun server. On the server I have my public key andthe digital signed text signed with my private key. Then on the Sunserver I do :openssl dgst -sha1 -binary -verify ivan_public.key -signature19870193.pem text19870193.pem is the signed web-form (signed with capicom). I believe theformat isPKCS7. Text is the file containing the ascii text from the web-form.Openssl returns Verification Failure . Any idea of what I'm doing wrong?kind regards,Ivan__OpenSSL Project ht tp://www.openssl.orgUser Support Mailing List[EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED] __OpenSSL Project http://www.openssl.orgUser Support Mailing List[EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]
Re: Capicom signing openssl verification
Howard, Ivan, SorryI've got a question from your question. How do you export your public key from your certificate? Would I be able to export a public key from a cert created and signed through OpenSSL commands? Grateful for your comments!! With openssl : openssl x509 -in cert -pubkey -noout Replase cert with the name of you certificate-file. The certificate-file could I make through MS-IE. IE has a export facility. Best regards, H. Chan - Original Message - From: Ivan Saez [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 15, 2002 3:30 PM Subject: Capicom signing openssl verification Hi, I can sign and verify the digital signature of a web-form with my private and public key using capicom but now I need to verify the digital signature on a Sun Solaris server with openssl 0.9.6c. I exported my public key and uploaded it to the Sun server. On the server I have my public key and the digital signed text signed with my private key. Then on the Sun server I do : openssl dgst -sha1 -binary -verify ivan_public.key -signature 19870193.pem text 19870193.pem is the signed web-form (signed with capicom). I believe the format is PKCS7. Text is the file containing the ascii text from the web-form. Openssl returns Verification Failure . Any idea of what I'm doing wrong ? kind regards, Ivan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Ivan Ing. Ivan Saez Scheihing , Eindhoven University of Technology Systeemhuis/Bush BG 3.41 tel. 040-2475044 P.O.Box 513, 5600 MB Eindhoven, The Netherlands E-Mail: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Capicom signing openssl verification
Sorry, mistype $openssl x509 -pubkey ... Aleksey. Aleksey Sanin wrote: [EMAIL PROTECTED]"> $openssl x509 -pubout ... Aleksey. Howard Chan wrote: 0bc601c1e456$5ee179c0$086fa8c0@vrjyu"> Ivan,SorryI've got a question from your question. How do you export yourpublic key from your certificate? Would I be able to export a public keyfrom a cert created and signed through OpenSSL commands? Grateful for yourcomments!!Best regards,H. Chan- Original Message -From: "Ivan Saez" [EMAIL PROTECTED]To: [EMAIL PROTECTED]Sent: Monday, April 15, 2002 3:30 PMSubject: Capicom signing openssl verification Hi,I can sign and verify the digital signature of a web-form with myprivate and publickey using capicom but now I need to verify the digital signature on aSun Solaris server with openssl 0.9.6c. I exported my public key anduploaded it to the Sun server. On the server I have my public key andthe digital signed text signed with my private key. Then on the Sunserver I do :openssl dgst -sha1 -binary -verify ivan_public.key -signature19870193.pem text19870193.pem is the signed web-form (signed with capicom). I believe theformat isPKCS7. Text is the file containing the ascii text from the web-form.Openssl returns Verification Failure . Any idea of what I'm doing wrong?kind regards,Ivan__OpenSSL Project http://www.openssl.orgUser Support Mailing List[EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED] __OpenSSL Project http://www.openssl.orgUser Support Mailing List[EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]
Memory leak in TLS client side app
Hi all, I have written a TLS client using the OpenSSL library. It uses memory BIOs as the input/output BIOs to the SSL connection. The code flow of the client is as follows * SSL_CTX_new(...) * SSL_CTX_use_certificate_ASN1(...) * SSL_CTX_use_RSAPrivateKey_ASN1(...) * X509_STORE_add_cert() // To add CA cert * other init actions * for ever * SSL_new(...) * create read write BIOs * SSL_connect(...) * . * SSL_free(...) * wait for reconnect event * endfor As the above code flow shows, the client has to periodically (based on time or event) perform a TLS handshake with a TLS server for authentication (EAP-TLS). When this client is run for many iterations, it leaks memory. After tracking OpenSSL mallocs, I have found that it leaks ~ 9K. This 9K leak does not happen for every iteration, but it happens for every n iteration. (Sometimes n is 1 or 3, it is variable ). Soon this leads to lack of memory because the app will be running for ever. Any ideas on what could be causing the memory leak or tips on how to trace back this memory leak, is highly appreciated. thanks, Krishna __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Memory leak in TLS client side app
If you are using Linux I stroingly recommend to try Valgrind: http://developer.kde.org/~sewardj/ a very nice memory leaks/memory access check tool. Aleksey Krishnaswamy R. wrote: Hi all, I have written a TLS client using the OpenSSL library. It uses memory BIOs as the input/output BIOs to the SSL connection. The code flow of the client is as follows * SSL_CTX_new(...) * SSL_CTX_use_certificate_ASN1(...) * SSL_CTX_use_RSAPrivateKey_ASN1(...) * X509_STORE_add_cert() // To add CA cert * other init actions * for ever * SSL_new(...) * create read write BIOs * SSL_connect(...) * . * SSL_free(...) * wait for reconnect event * endfor As the above code flow shows, the client has to periodically (based on time or event) perform a TLS handshake with a TLS server for authentication (EAP-TLS). When this client is run for many iterations, it leaks memory. After tracking OpenSSL mallocs, I have found that it leaks ~ 9K. This 9K leak does not happen for every iteration, but it happens for every n iteration. (Sometimes n is 1 or 3, it is variable ). Soon this leads to lack of memory because the app will be running for ever. Any ideas on what could be causing the memory leak or tips on how to trace back this memory leak, is highly appreciated. thanks, Krishna __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Using 3DES algorithm in SSL with only 2 keys
Hello, In OpenSSL, is it possible to use the 3DES algorithm in an SSL connection so that only 2 keys are used (so that the first and third keys are they same) ? If so, could you please tell me how to do it. The need for this is to use only 112bit key length because of 128bit key export restriction. Choosing DES-CBC3-SHA chooses the 3DES with CBC using 3 keys. I am not sure which cipher to choose if we want 3DES with CBC using 2 keys only. [There seems to be an init function (des_ede_init_key()) in ~/crypto/evp/e_des3.c which sets the third and the first key to be the same. But not clear when it gets invoked.] Thanks, Krishna __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [BUG suggested PATCH] EVP_DecodeUpdate 0.9.6b 0.9.6c
On Thu, Apr 11, 2002 at 12:39:59PM +0200, Pavel Tsekov wrote: Hello, there! :) My colleague Nedelcho Stanev and myself have identified what we would think to be a bug (or a flaw) in the EVP_DecodeUpdate() routine. We were trying to read base64 encoded data with the base64 BIO which has the 'next' member pointed to membuf BIO in which we write the encoded data. So far so good ... Eventually it turned up that some of the data we pass to the BIO chain is properly decoded while other not - or more properly would be to say - partially decoded. We tried to debug the problem and here is what we have found: The EVP_DecodeUpdate() routine errnously returns 0 (EOF) if the buffer passed it, ends with CRLF and EVP_DecodeBlock() has just processed the data upto the ending CRLF. Attached is a patch and a testcase. I tried to follow the coding style and to make the change not intrusive :) though its a very small change :) Here is how to reproduce: 1. Base64 encode a file lets say 200kb 2. unix2dos the output 3. Use the attached testcase to decode the file I could easily reproduce your problem and solution. I am currently checking in your patch. Thanks, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Using 3DES algorithm in SSL with only 2 keys
Krishnaswamy R. [EMAIL PROTECTED] writes: In OpenSSL, is it possible to use the 3DES algorithm in an SSL connection so that only 2 keys are used (so that the first and third keys are they same) ? No. The TLS keys are randomly generated and alwyas 3-key 3DES. If so, could you please tell me how to do it. The need for this is to use only 112bit key length because of 128bit key export restriction. Which country has such an export restriction? Not the US. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Questions First Post
Salve all, since three days I'm playing with the OpenSSL API. A little confusing I have to admit. Hope this first post is not too stupid ... Q1: Why is this not a key? When a key is generated with RSA_generate_key, RSA_check_key is 1 and it is saved with PEM_write_RSAPrivateKey. When checked with openssl rsa -in file -check it says it's OK. Writing the public key with PEM_write_RSAPublicKey gives a file but it can't be read by openssl rsa -in filename. I'm lost on why this happens ... (Tried the _bio_ as well) Q2: How to convert from EVP_PKEY to RSA? EVP_PKEY_get1_RSA segfaults on me :( Actually I don't understand why there is an RSA argument to write and and an EVP_PKEY return from read ... Q3: How to use a RSA to encrypt an IV for a blockcipher? IV is the session key, is it not? Q4: Has someone easy code to share? Should do basics like RSA and session key generation, encoding of files with the BIO_. Thanks in Advance! -- Yours, Christoph Puppe We secure your business.(TM) *** HiSolutions AGphone: +49 30 533289-0 Bouchestrasse 12fax: +49 30 533289-99 D-12435 Berlin www: http://www.HiSolutions.com/ *** _ E-Mail Disclaimer Der Inhalt dieser E-Mail ist ausschliesslich fuer den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veroeffentlichung, Vervielfaeltigung oder Weitergabe des Inhalts dieser E-Mail unzulaessig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. The information contained in this email is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
J/Crypto 3.3 DER encoded certificate cannot be read by openssl-0.9.6b
Hello, there! :) I've checked google in this but to no avail - so I'm asking here... Hope its not a duplicate thread. Trying to read the attached DER form of a X509 certificate with OpenSSL 0.9.6c and 0.9.6b yields the following error: paveltz@MORDOR ~ $ openssl x509 -in ./1.der -inform DER unable to load certificate 3212:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_ lib.c:139: I've tried to use the asn1parse utility but to no avail: paveltz@MORDOR ~ $ openssl asn1parse -inform DER -in ./1.der -dump 0:d=0 hl=16 l=-991318795 cons: VISIBLESTRING Error in encoding 3552:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_ lib.c:139: The certificate was produced by calling JCRYPTO_X509Certificate.toDER method. Any help ? :) Any information on how to debug further ? 1.der Description: application/x509-ca-cert
Growing file size with des-ecb encryption
Hi All, I am not sure if this question made it to the list last time I sent it. Apologies if this is a duplicate. I am wondering why the file size grows by 8 bytes when doing openssl des-ecb -nosalt -in infile -out outfile -K $Key -iv 0 -p What is in those 8 extra bytes? Is this a bug or a feature? Best regards, Jukka Alve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Validation of an CA
Hello all, i created my own ca with openssl, but on each try openssl created the ca for just 30 days validation. How could i set up the validation to 365 days? I didn´t found something in the openssl.cnf. Thanks a lot, it is very important. JK __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ASN1_get_object() disabled test causes crashes?
OpenSSL people,
First of all, many thanks for your excellent libraries. I apologize if
this issue has already been addressed or if I am writing to the wrong
mailing list.
The application I am developing makes very frequent calls to
d2i_X509_bio(), on untrusted data streams can sometimes be corrupt or
partly corrupt. I am seeing sudden blow-ups of the process: it
suddenly grows to a very large and apparently random size (e.g.,
200MB, 500MB, 800MB...) and keeps on running. This happens with both
engine-0.9.6b and engine-0.9.6c. I suspect the problem is in
d2i_X509()'s ASN1 parser.
I managed to partly reproduce the problem by running the program
tucked at the end of this message for about 20 to 30 minutes. I am
saying partly, because with this program I did not manage to have
the process grow and keep on running; rather, it grows and immediately
segfaults with a huge core file. Both the original application (which
I am not able to debug directly) and the test program output a lot of
ASN1 errors from d2i_X509() and downwards.
Looking in crypto/asn1/asn1_lib.c:ASN1_get_object() I saw this:
#if 0
fprintf(stderr,p=%d + *plength=%ld omax=%ld + *pp=%d (%d %d)\n,
(int)p,*plength,omax,(int)*pp,(int)(p+ *plength),
(int)(omax+ *pp));
#endif
#if 0
if ((p+ *plength) (omax+ *pp))
{
ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
/* Set this so that even if things are not long enough
* the values are set correctly */
ret|=0x80;
}
#endif
Which seemed suspicious to me. Since *plength is read from the parsed
stream, corruption could make it be any number, which is, if not
sanity-checked, eventually fed to OPENSSL_malloc() and memcpy() by
ASN1_get_object()'s users. That could explain the blow-ups and the
crashes. Removing the #if and changing the test to
if (*plength 0 || *plength (omax - (p - *pp)))
(p + *plength can wrap) got rid of the blow-ups and core files.
So:
- Was the test #if'd out on purpose? Is there a problem with putting
it back? Do you have any recommendations?
- Could this explain also a blow-up without a segfault? Could
something else?
- Is this a security issue? I imagine that a crafted invalid
certificate could bring down a server, maybe even cause it to send
sensitive information (because of the memcpy()).
Thanks in advance,
--
Adi Stav - developer
Topaz Prism RD
Mercury Interactive
+972-3-5399481
[EMAIL PROTECTED]
#include stdlib.h
#include stdio.h
#include openssl/x509.h
int main(int argc, char *argv[])
{
unsigned char cert[10240], buf[10240], *p = cert;
unsigned len;
FILE *certfile;
int stat;
int i;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
if (argc != 3) {
fprintf(stderr, usage: %s cert iterations\n, argv[0]);
return 6;
}
if (!(certfile = fopen(argv[1], r))) {
perror(argv[1]);
return 3;
}
i = atoi(argv[2]);
while ((stat = fread(p, 1, sizeof cert - (p - cert), certfile)) 0) {
p += stat;
}
if (stat 0) {
perror(argv[1]);
return 1;
}
len = p - cert;
while (i--) {
int randlen;
X509 *x509;
randlen = random() % 1500;
memcpy(buf, cert, randlen);
RAND_pseudo_bytes(buf + randlen, len - randlen);
p = buf;
if ((x509 = d2i_X509(NULL, p, len))) {
X509_free(x509);
} else {
ERR_print_errors_fp(stderr);
}
}
return 0;
}
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Adding Application Attributes to X509 Certificates?
Title: RE: Adding Application Attributes to X509 Certificates?
the line MyAttribute=MyValue is not correct
you must give a valid ASN1Object as the value
examples :
1.2.3.4 = DER:05:00# oid=1.2.3.4 value = ASN1Null
1.2.3.4 = DER:16:05:68:65:6C:6C:6F # ASN1IA5String for hello
1.2.3.4 = DER:02:02:01:00 # ASN1Integer for 256
1.2.3.4 = DER:18:0f:32:30:30:32:30:34:31:35:31:32:34:38:34:35:5a # ASN1GeneralizedTime (2002/04/15 12:48:35)
-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]De la part de Brian Skrab
Envoye : jeudi 11 avril 2002 13:44
A : Richard Levitte - VMS Whacker
Cc : [EMAIL PROTECTED]
Objet : Re: Adding Application Attributes to X509 Certificates?
Richard Levitte - VMS Whacker wrote:
Do you mean that the attributes do not necessarely need to be part of
the CSR? I agree, I just thought that was what you were after.
You are correct. The attributes do not have to be part of the CSR. I
should have been more clear about that fact. I mentioned the CSR
because I was able to get the attributes to appear in the CSR (as
request attributes), but not the signed certificate as attributes or
extensions.
Absolutely. If you look in the default openssl.cnf, you'll see that
the CA_default section has a key called x509_extensions which names
the section where the extensions are stored. If you go to that
section usr_cert, you'll see the extensions that are added to the
new certificates. That default section is of course ignored if you've
given a different section name with -extensions.
I have moved my additions into the default usr_cert section of the
config file. Executing the following command delivers the same error as
mentioned in my last message:
openssl ca -keyfile cakey.pem -in csr.pem -out crt.pem
So, you either haven't added an OID named MyAttribute, or you have
misspelled something. Care to show us your configuration file?
Absolutely. Below is the text of my openssl.cnf.
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
extensions = usr_cert
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
MyAttribute=2.44.88
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /usr/local/apache/conf/ssl.csr # Where everything is kept
certs = $dir # Where the issued certs are kept
new_certs_dir = $dir/ca.db.certs
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix :
AW: Validation of an CA
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365 -Ursprüngliche Nachricht- Von: Juergen Kaus [mailto:[EMAIL PROTECTED]] Gesendet: Montag, 15. April 2002 09:49 An: [EMAIL PROTECTED] Betreff: Validation of an CA Hello all, i created my own ca with openssl, but on each try openssl created the ca for just 30 days validation. How could i set up the validation to 365 days? I didn´t found something in the openssl.cnf. Thanks a lot, it is very important. JK __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[Q] DH encryption/decryption question
Hi, Now I'm trying to make a tiny client server program which communicate
with each other using DH key enc/decryption method on TCP/IP socket.
According to DH algorithm, it must do the task as follows:
1. server generates p g value.
2. client receive p g from server.
3. client server generates a private public key each.
4. client server send their public key to each other.
5. client server generates the same symmetric key x, and
the blowfish key x', using p, g, their private key, and
received the other's public key.
6. client encrypts any message y using x' into z, then sends z
to server
7. server receives z, then decrypts it to the original message y
using x'.
It seems trivial, however, my C codes have failed to achieve it.
Besides socket communication, it doesn't work at all on the same
machine. What's wrong with my code? Here is it:
/* sample.c */
/* encryption/decryption test on the same program */
.. /* some include preprocessors */
int main ( void )
{
DH *dh_svr, *dh_cli;
char *pk_svr, *pk_cli;
char key_svr[1024], key_cli[1024];
BF_KEY bf_key_svr, bf_key_cli;
/* server generates p, g */
dh_svr = DH_generate_parameters(1024, DHGRP, NULL, NULL);
/* client get p, g from server */
dh_cli = DH_new();
dh_cli-p = BN_dup(dh_svr-p);
dh_cli-g = DH_dup(dh_svr-g);
/* client server generate private/public keys */
DH_generate_key(dh_svr);
pk_svr = (char*)malloc(DH_size(dh2));
DH_generate_key(dh_cli);
pk_cli = (char*)malloc(DH_size(dh_cli));
/* client a server exchange public keys, then computes
symmetric key using them */
DH_compute_key(pk_svr, dh_cli-pub_key, dh_svr);
DH_compute_key(pk_cli, dh_svr-pub_key, dh_cli);
/* client server generate a blowfish key */
MDC(pk_svr, 1024, key_svr);
BF_set_key(bf_key_svr, MDC2_DIGEST_LENGTH, key_svr);
MDC(pk_cli, 1024, key_cli);
BF_set_key(bf_key_cli, MDC2_DIGEST_LENGTH, key_cli);
/* Now, both client server have the same symmetric
blowfish key to enc/decrypt message */
/* the test */
{
char in[8] = 1234567;
char buf[1024];
char out[8];
/* client encrypts in[] to buf[] */
BF_ecb_encrypt(in, buf, bf_key_cli, BF_ENCRYPT);
/* server decrypts buf[] to out[] */
BF_ecb_encrypt(in, buf, bf_key_svr, BF_DECRYPT);
printf(%s - %s\n, in, out);
}
exit(0);
}
I think there is no trap to fall in to the false result, but
it NEVER works. What's wrong with it? Can anyone help me?
Thanks.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: J/Crypto 3.3 DER encoded certificate cannot be read by openssl-0.9.6b
Please, ignore this post. Monday, April 15, 2002, 4:34:58 PM, you wrote: PT Trying to read the attached DER form of a X509 certificate with PT OpenSSL 0.9.6c and 0.9.6b yields the following error: __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: J/Crypto 3.3 DER encoded certificate cannot be read by openssl-0.9.6b
At 16:34 15.04.2002 +0200, you wrote: Hello, there! :) I've checked google in this but to no avail - so I'm asking here... Hope its not a duplicate thread. Trying to read the attached DER form of a X509 certificate with OpenSSL 0.9.6c and 0.9.6b yields the following error: paveltz@MORDOR ~ $ openssl x509 -in ./1.der -inform DER unable to load certificate 3212:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_ lib.c:139: I've tried to use the asn1parse utility but to no avail: paveltz@MORDOR ~ $ openssl asn1parse -inform DER -in ./1.der -dump 0:d=0 hl=16 l=-991318795 cons: VISIBLESTRING Error in encoding 3552:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_ lib.c:139: The certificate was produced by calling JCRYPTO_X509Certificate.toDER method. Any help ? :) Any information on how to debug further ? I'd debug the function that wrote the file. I have no idea what it is, but it is not a DER-encoded certificate. In fact, when looking at it with a hex editor it looks a bit like random data, I didn't run a statistical test, though. Did you encrypt it? Jörn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OCSP Responder
Hi All, Here is what i got by running openssl as OCSP responder: othe:~# netstat -tuan Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:0.0.0.0:* LISTEN After trying to send many requests: Waiting for OCSP client connections... invalid revocation date [...] invalid revocation date invalid revocation date Invalid request Responder Error: malformedrequest (1) Openssl OCSP responder crashed :-( My question is, the OCSP Responder act as a deaom since it listen on port and wait for requests. Does openssl OCSP Responder mature to support attack throughout the wild network? Regards #-- Averroes __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Growing file size with des-ecb encryption
I don't know what that command is outputting, but typically the output of OpenSSL commands is an ASN.1 structure which may, for example, contain the algorithm identifier, identifying which algorithm was used for encryption. The increased size could also be a padding factor, for example padding out to the nearest 8-byte boundary. Steven -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jukka Alve Sent: Monday, 15 April 2002 9:13 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Growing file size with des-ecb encryption Hi All, I am not sure if this question made it to the list last time I sent it. Apologies if this is a duplicate. I am wondering why the file size grows by 8 bytes when doing openssl des-ecb -nosalt -in infile -out outfile -K $Key -iv 0 -p What is in those 8 extra bytes? Is this a bug or a feature? Best regards, Jukka Alve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Looking for a consultant / contractor
Hello Mr Rich Adilli, I am interested in providing consultancy/contractor services to your project and would like to find out more information. I have been working with openssl to provide hardware acceleration (custom made chips (security processors)) from openssl for encryption/key negotiation for SSL. I can be reached in any of the following means: 1. E-Mail: [EMAIL PROTECTED] 2. Ph: (408) 937 1058 (home) If you need additional information on my background and experience, let me know. Thanks S. Ramamoorthy (Ram). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rich Adili Sent: Monday, April 15, 2002 5:17 PM To: [EMAIL PROTECTED] Subject: Looking for a consultant / contractor Hi, We're looking for someone who is familiar with OpenSSL to do a job for us. Would like to provide some very simple encryption capability in our embedded box. The job would basically entail providing a subset of the code that will compile into a compact form on a minimal OS. If you're interested in discussing this, please contact me. Rich Adili [EMAIL PROTECTED] Senior Architect(604) 430-1446 x282 INDE Electronics(604) 657-7514 cell. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
