Re: Macro definitions for AdNovum's pkcs11 openssl extension
Martin Buechler wrote:

Hi,

Just trying to get openssl using various PKCS#11 libraries. I adapted the Makefile in openssl/apps to include AdNovum's PKCS#11 code from the contrib section of openssl.org, but there are lots of macro definitions missing. Searching the web did not yield anything helpful. Am I missing something here, or is it just that the header files containing those definitions are absent?

Thanks in advance
Martin

[EMAIL PROTECTED] apps]# make
make[1]: Wechsel in das Verzeichnis Verzeichnis »/usr/local/src/openssl-0.9.7c«
making all in apps...
make[2]: Wechsel in das Verzeichnis Verzeichnis »/usr/local/src/openssl-0.9.7c/apps«
gcc -DMONOLITH -I.. -I../include -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=athlon-tbird -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c -o p11_drv.o p11_drv.c
p11_drv.c: In function `PKCS11_new':
p11_drv.c:147: warning: implicit declaration of function `PKCS11err'
p11_drv.c:147: `PKCS11_F_PKCS11_NEW' undeclared (first use in this function)
p11_drv.c:147: (Each undeclared identifier is reported only once
p11_drv.c:147: for each function it appears in.)
p11_drv.c:147: `PKCS11_R_OUT_OF_MEMORY' undeclared (first use in this function)
p11_drv.c: In function `PKCS11_setDoLogin':
p11_drv.c:237: `PKCS11_F_PKCS11_SETDOLOGIN' undeclared (first use in this function)
p11_drv.c:237: `PKCS11_R_NULL_POINTER_PROVIDED' undeclared (first use in this function)
p11_drv.c: In function `PKCS11_setPinCallback':
p11_drv.c:267: `PKCS11_F_PKCS11_SETPINCALLBACK' undeclared (first use in this function)
p11_drv.c:267: `PKCS11_R_NULL_POINTER_PROVIDED' undeclared (first use in this function)
p11_drv.c: In function `PKCS11_get_cert':
p11_drv.c:361: `PKCS11_F_PKCS11_GET_CERT' undeclared (first use in this function)
p11_drv.c:361: `PKCS11_R_NULL_POINTER_PROVIDED' undeclared (first use in this function)
p11_drv.c:403: `PKCS11_R_BAD_CERTIFICATE' undeclared (first use in this function)
p11_drv.c: In function `PKCS11_get_private_key':
p11_drv.c:440: `PKCS11_F_PKCS11_GET_PRIVATE_KEY' undeclared (first use in this function)
p11_drv.c:440: `PKCS11_R_NULL_POINTER_PROVIDED' undeclared (first use in this function)
make[2]: *** [p11_drv.o] Fehler 1
make[2]: Verlassen des Verzeichnisses Verzeichnis »/usr/local/src/openssl-0.9.7c/apps«
make[1]: *** [sub_all] Fehler 1
make[1]: Verlassen des Verzeichnisses Verzeichnis »/usr/local/src/openssl-0.9.7c«
make: *** [top] Fehler 2

__ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]

Did you include pkcs11.h, pkcs11f.h and pkcs11d.h? If not, then here is your answer ... Those definitions are direct definitions from the PKCS#11 standard (be careful about versions of the standard: if AdNovum's PKCS#11 is 2.11 and you take the beta of 2.2 from the rsalab site, then expect trouble)
Re: target already defined - linux-pentium error on configuring openssl
Use

./config threads --prefix=/usr/local/test/openssl/ --openssldir=/usr/share/ssl/ shared zlib

that is, without krb5. By default it will take the Kerberos libraries.

Thanks
Mathan

I want to install openssl in my rhl 9 system. When I gave

./config threads --prefix=/usr/local/test/openssl/ --openssldir=/usr/share/ssl/ shared zlib krb5

it got me

Configuring for linux-pentium
target already defined - linux-pentium

What might be the problem?

-Murugesan.
Re: revoking expired certificates
Rich Salz wrote:

Gerd Schering wrote:

Hi, It is possible (via the ca utility) to revoke certificates that already have expired.

Hard to say. The ITU X.509 standard says that if a certificate is revoked, it stays on the CRL for one CRL past its expiration date. In other words, if the order is: revoke, issue crl-1, expire, issue crl-2, then the cert should still be on crl-2; but not on crl-3 and beyond. The specification is not explicit about what to do if the order is expire, issue crl-1. My belief is that you do NOT put it on the CRL list.

That seems to be clear to me. But let me be somewhat more specific. If I use the openssl ca utility, it is technically possible to revoke a cert which has expired for instance for one year. If I generate a CRL (via the ca utility) the cert appears on the CRL. Does this make any sense?

Gerd

--
Gerd Schering, Email: [EMAIL PROTECTED]
Re: Hardware crypto speed anyone?
Rich Salz wrote:

we got ahold of an AEP1000 crypto accelerator for testing purposes. I am stumped. The numbers look horrible.

The openssl speed program is not good for testing anything other than the openssl software implementations. It does a repeated single-threaded call to RSA_sign, etc. With hardware crypto, your CPU spends most of its time waiting for data to flow to/from the device (e.g., across the PCI bus). Try running 10 speed tests simultaneously in the background, or write a multi-threaded test, etc.

Speed already does multithreaded (-multi n) - I wrote it when I had to test a multi-pipe crypto board.

Cheers,
Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: revoking expired certificates
But let me be somewhat more specific. If I use the openssl ca utility, it is technically possible to revoke a cert which has expired for instance for one year. If I generate a CRL (via the ca utility) the cert appears on the CRL. Does this make any sense?

The crl tool has to be able to include an expired certificate in order to handle this flow

    revoke
    crl-n
    expire
    crl-n+1
    remove-from-crl-list

make sense?

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
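Added example, not part of any post above and not OpenSSL code: a small Python model of the CRL timeline discussed in the two "revoking expired certificates" messages (a revoked certificate stays listed until one CRL past its expiry), with a switch for the expire-then-revoke case the posters disagree on. The names Cert, crl_contents and list_revoked_after_expiry are hypothetical, the serials and dates are constructed, and listing a late-revoked certificate on exactly one CRL is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Cert:
    serial: str
    not_after: date                    # expiry date
    revoked_on: Optional[date] = None  # None = never revoked

def crl_contents(certs, crl_dates, list_revoked_after_expiry=False):
    """Map each CRL issue date to the sorted serials that CRL carries."""
    crl_dates = sorted(crl_dates)
    contents = {}
    for issued in crl_dates:
        listed = []
        for c in certs:
            if c.revoked_on is None or c.revoked_on > issued:
                continue  # not revoked when this CRL is issued
            if c.revoked_on > c.not_after and not list_revoked_after_expiry:
                continue  # expire-then-revoke: kept off the CRL by this policy
            # The entry's last CRL is the first one issued past expiry
            # (and, for a late revocation, not before the revocation itself).
            later = [d for d in crl_dates
                     if d > c.not_after and d >= c.revoked_on]
            if not later or issued <= later[0]:
                listed.append(c.serial)
        contents[issued] = sorted(listed)
    return contents

# Constructed sample data (serials and dates are made up for illustration).
CRL_1, CRL_2, CRL_3 = date(2004, 4, 1), date(2004, 7, 1), date(2004, 10, 1)
CERTS = [
    Cert("01", not_after=date(2004, 6, 30), revoked_on=date(2004, 3, 1)),   # revoke, then expire
    Cert("02", not_after=date(2003, 1, 15), revoked_on=date(2004, 3, 15)),  # expired a year before revocation
    Cert("03", not_after=date(2005, 1, 1)),                                 # never revoked
]

if __name__ == "__main__":
    for flag in (False, True):
        print("list_revoked_after_expiry =", flag)
        for issued, serials in crl_contents(CERTS, [CRL_1, CRL_2, CRL_3], flag).items():
            print(" ", issued, serials)
```

With the flag off, serial 02 never appears; with it on, serial 02 shows up on the first CRL after its revocation, which matches what the ca utility is reported to do in the thread.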