Newbie question
Hi,

I am trying to create RSA public and private keys on Windows with OpenSSL 0.9.7e. I want to save both to disk for later use, but I can't figure out how to read them again...

I am doing the following:

CUT
    /* code to seed the pool */
    rsa = RSA_generate_key(RSA_KEY_LENGTH, RSA_F4, NULL, (char *)stdout);
    /* put rsa into a buffer p */
    pub_rsa = d2i_RSAPublicKey(NULL, (const unsigned char **)&p, (long)len);
    len -= (p - buf);
    priv_rsa = d2i_RSAPrivateKey(NULL, (const unsigned char **)&p, (long)len);
    /* error handling */

    // save public key
    BIO *pub = BIO_new_file(pubkey_file, "w");
    PEM_write_bio_RSAPublicKey(pub, pub_rsa);
    BIO_free(pub);

    // save private key
    BIO *priv = BIO_new_file(privkey_file, "w+");
    PEM_write_bio_RSAPrivateKey(priv, priv_rsa, NULL, NULL, 0, NULL, NULL);

    // load saved private key and write it to a new file for comparison
    RSA *r_rsa;
    BIO *tmp = BIO_new_file("privkey.txt", "w");
    BIO_reset(priv);
    PEM_read_bio_RSAPrivateKey(priv, &r_rsa, NULL, NULL);
    BIO_free(priv);
    PEM_write_bio_RSAPrivateKey(tmp, r_rsa, NULL, NULL, 0, NULL, NULL);
CUT

My idea was to compare the privkey_file with privkey.txt and verify that they are identical. I am unfortunately getting an access violation in the call to PEM_read_bio_RSAPrivateKey() in libeay32.dll. I must be doing something wrong... How should I go about reading those keys from disk?

Thanks a lot in advance,
jules
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
compiling openssl with zlib support on win32
Hi,

I'm trying to compile openssl (0.9.7f) with zlib (1.2.2) support using VisualStudio 2003. Here's what I am doing ...

add -DZLIB to end of $cflags in utils\pl\vc-32.pl

then from a VisualC++ command shell:

    cd base_of_openssl_source
    set path=%path%;c:\cygwin\bin    (this is for the perl interpreter)
    perl Configure VC-WIN32 threads zlib zlib-dynamic
    ms\do_masm.bat

place zlib .h files in inc32

    nmake -f ms\ntdll.mak

I then stick zlib1.dll in the out32 folder, and run

    ssltest -zlib

and I get the following output

    TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
    [12:13:53] 1675 file=.\crypto\dso\dso_lib.c, line=380, thread=1816, number=6, address=00972580
    [12:13:53] 1672 file=.\crypto\dso\dso_lib.c, line=103, thread=1816, number=36, address=0099A0A0
    [12:13:53] 1674 file=.\crypto\stack\stack.c, line=126, thread=1816, number=16, address=0099A170
    [12:13:53] 1673 file=.\crypto\stack\stack.c, line=124, thread=1816, number=20, address=0099A110
    [12:13:53] 1676 file=.\crypto\dso\dso_win32.c, line=262, thread=1816, number=10, address=0099A208
    [12:13:53] 1677 file=.\crypto\dso\dso_win32.c, line=132, thread=1816, number=4, address=00972570
    92 bytes leaked in 6 chunks

if I do all the above without the references to zlib, then I don't get the above leak msgs, but I also don't get zlib :-(

Louis Solomon
www.SteelBytes.com
Re: compiling openssl with zlib support on win32
In message [EMAIL PROTECTED] on Thu, 31 Mar 2005 21:07:28 +1000, Louis Solomon [SteelBytes] [EMAIL PROTECTED] said:

louis> I then stick zlib1.dll in the out32 folder, and run
louis> ssltest -zlib
louis> and I get the following output
louis> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
louis> [12:13:53] 1675 file=.\crypto\dso\dso_lib.c, line=380, thread=1816,
louis> number=6, address=00972580
louis> [12:13:53] 1672 file=.\crypto\dso\dso_lib.c, line=103, thread=1816,
louis> number=36, address=0099A0A0
louis> [12:13:53] 1674 file=.\crypto\stack\stack.c, line=126, thread=1816,
louis> number=16, address=0099A170
louis> [12:13:53] 1673 file=.\crypto\stack\stack.c, line=124, thread=1816,
louis> number=20, address=0099A110
louis> [12:13:53] 1676 file=.\crypto\dso\dso_win32.c, line=262, thread=1816,
louis> number=10, address=0099A208
louis> [12:13:53] 1677 file=.\crypto\dso\dso_win32.c, line=132, thread=1816,
louis> number=4, address=00972570
louis> 92 bytes leaked in 6 chunks
louis>
louis> if I do all the above without the references to zlib, then I
louis> don't get the above leak msgs, but I also don't get zlib :-(

Hmm, I wouldn't be surprised if we've forgotten to unload the shared library for zlib, and thereby created that leak. Note that the leak isn't very important, and a one-time thingy. It's not like it's going to grow over time.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis
Unreachable codes in OpenSSL 0.9.7f
Hello All,

I find some unreachable codes in OpenSSL 0.9.7f. Their details are as follows.

    File Name    Line No   Code Snippet
    pk7_lib.c    187       break; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break;
    evp_pkey.c   209       EVP_PKEY_free(pkey); return NULL; break;
    evp_pkey.c   291       p8->broken = PKCS8_OK; return p8; break;
    evp_pkey.c   297       p8->pkey->type = V_ASN1_SEQUENCE; return p8; break;
    evp_pkey.c   302       EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE); return NULL; break;
    tasn_enc.c   125       return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); break;
    tasn_enc.c   458       return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL); break;
    tasn_enc.c   468       return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL); break;
    tasn_dec.c   167       return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); break;
    evp_enc.c    250       default: return 0; break;
    p12_kiss.c   289       return parse_bags(bag->value.safes, pass, passlen, pkey, cert, ca, keyid, keymatch); break;
    p12_kiss.c   293       default: return 1; break;
    s3_lib.c     1228      { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;
    s3_lib.c     1264      { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;
    s3_lib.c     1367      { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;
    s3_lib.c     1400      { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;
    pkcs12.c     838       BIO_printf (bio_err, "\n"); return 1; break;

Thanks,
Prakash
Re: Unreachable codes in OpenSSL 0.9.7f
On Thu, Mar 31, 2005 at 06:56:36AM -0800, prakash babu wrote:

> I find some unreachable codes in OpenSSL 0.9.7f. Their details are as follows.
>
> File Name    Line No   Code Snippet
> pk7_lib.c    187       break; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break;

I will go out on a limb and venture to say that the first break; looks like a bug introduced during a code merge... A code review of whatever merge introduced this and perhaps other problems is in order.

--
Viktor.
unreachable l code in OpenSSL 0.9.7f
Hello All,

I find some unreachable codes in OpenSSL 0.9.7f. Their details are as follows.

File: pk7_lib.c  Line: 187
    break; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break;

File: evp_enc.c  Line: 250
    default: return 0; break;

File: evp_pkey.c  Line: 209
    EVP_PKEY_free(pkey); return NULL; break;

File: evp_pkey.c  Line: 291
    p8->broken = PKCS8_OK; return p8; break;

File: evp_pkey.c  Line: 297
    p8->pkey->type = V_ASN1_SEQUENCE; return p8; break;

File: evp_pkey.c  Line: 302
    EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE); return NULL; break;

File: tasn_enc.c  Line: 125
    return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); break;

File: tasn_enc.c  Line: 458
    return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL); break;

File: tasn_enc.c  Line: 468
    return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL); break;

File: tasn_dec.c  Line: 167
    return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); break;

File: p12_kiss.c  Line: 289
    return parse_bags(bag->value.safes, pass, passlen, pkey, cert, ca, keyid, keymatch); break;

File: p12_kiss.c  Line: 293
    default: return 1; break;

File: s3_lib.c  Line: 1228
    { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;

File: s3_lib.c  Line: 1264
    { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break;

File: s3_lib.c  Line: 1367
    { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;

File: s3_lib.c  Line: 1400
    { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break;

File: pkcs12.c  Line: 838
    BIO_printf (bio_err, "\n"); return 1; break;

Thanks,
Prakash
Re: [openssl-users] How to get CRL in my application.
Thanks Erwann. I wrote a test program in CURL to get the CRL using http. It worked. I have one more question though. How do I extract the URL string from the CA certificate? Also I see that there can be multiple DPs in the CA certificate? Which function should I use to extract them? I checked the OpenSSL documentation but didn't find it.

Thanks once again.
Calista.

--- Erwann ABALEA [EMAIL PROTECTED] wrote:

> Hello,
>
> Today, the fourth day before the Kalends of April 2005, Calista wrote:
> > Is there a function in OpenSSL to retrieve the CRL?
>
> No, AFAIK. Depending on the retrieval method (ldap, http, ftp, X.500, ...), you have to write your own handler.
>
> > If not, can anyone explain how to do this?
>
> wget will work for http and ftp, possibly https. curl will work for ftp, http, https, I don't know for ldap.
>
> > My application has a list of CA certificates, initially I have the CRLs too but depending on next update date the application has to get it.
>
> Don't rely on the 'next update' field. It's an 'at last' date. A CA usually creates CRLs that are valid for several days, and updates them on a daily basis. For each CA you have, specify somewhere in your application the retrieval period, and make sure the period is no longer than the validity period of the CRL (don't let the 'next update' happen to be today).
>
> --
> Erwann ABALEA [EMAIL PROTECTED]
RH9, rpm build error: file not found
I am attempting to use rpmbuild to make an openssl binary from the latest openssl release (openssl-0.9.7f) as of March 22, 2005. This seems to be my best option since I have an older version of openssl that was installed with RH9 as an RPM.

The error I get is:

    RPM build error: File not found: /var/tmp/openssl-0.9.7e-root/var/ssl/lib

This is actually my first time to use rpmbuild, so I haven't made much progress as far as troubleshooting is concerned. I looked in the openssl.spec file, and I see in the %file section that /lib is there, along with /certs, /misc, and /private. These three directories seemed to have been created, but lib has not.

Thanks in advance.
Re: Using Unix Domain Sockets?
On Wed, Mar 30, 2005, David Brock wrote:

> I'm fairly new to openSSL so forgive me if this is a silly question. Is it possible to create a Unix Domain Socket and then attach it to a BIO (using BIO_set_fd)? I have tried to do it (for a server), but I keep getting a failure when I call BIO_do_accept(). Is there something I am missing, or can I only use AF_INET sockets with BIOs?

You can only use an AF_INET socket with accept and connect BIOs because the socket creation and address handling only supports that type.

If however you handle the addressing and connect/accept yourself and create a socket BIO from the connected socket it should work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: How to get CRL in my application.
On Thu, Mar 31, 2005 at 08:13:19AM -0800, Calista wrote:

> How do I extract the URL string from the CA certificate? Also I see that there can be multiple DPs in the CA certificate? Which function should I use to extract them?

See http://eaptls.spe.net/download/ppp-2.4.3-eaptls-0.7.patch in function eaptls_get_crl.

Hope it's what you're looking for.
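Added example (not from this thread and not the code in the patch linked above): the CRL distribution points extension is a SEQUENCE of DistributionPoint entries, each of which may carry several names, which is why one certificate can yield more than one URL. With OpenSSL the decoded structure is normally obtained with X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); the standalone C below instead walks the raw DER of the extension value to show where the URIs sit. The names SAMPLE_EXT, URI_MAX, der_next and crldp_uris are made up for this example, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>
#define URI_MAX 128   /* example limit on URI length, including the NUL */

/* Constructed sample (not from a real CA): an extension value with two
 * DistributionPoints; the second carries two URIs in its fullName. */
static const unsigned char SAMPLE_EXT[] =
    "\x30\x53"
    "\x30\x1d\xa0\x1b\xa0\x19\x86\x17" "http://ca.example/a.crl"
    "\x30\x32\xa0\x30\xa0\x2e\x86\x17" "http://ca.example/b.crl"
    "\x86\x13" "ldap://ca.example/b";
#define SAMPLE_EXT_LEN (sizeof(SAMPLE_EXT) - 1)

struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Read one DER TLV from [*p, end) and advance *p; returns -1 if malformed. */
static int der_next(const unsigned char **p, const unsigned char *end,
                    struct tlv *t)
{
    const unsigned char *q = *p;
    size_t len, n;
    if (end - q < 2 || (q[0] & 0x1f) == 0x1f) return -1; /* no multi-byte tags */
    t->tag = *q++;
    len = *q++;
    if (len & 0x80) {                       /* long-form length */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(len) || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1; /* value runs past the buffer */
    t->val = q; t->len = len;
    *p = q + len;
    return 0;
}

/* Copy every URI found in a CRLDistributionPoints value into uris[].
 * Returns the number of URIs, or -1 on malformed input or overflow. */
int crldp_uris(const unsigned char *ext, size_t extlen,
               char uris[][URI_MAX], int max)
{
    const unsigned char *p = ext, *end = ext + extlen, *dq, *fq, *gq;
    struct tlv seq, dp, fld, names, gn;
    int n = 0;
    if (der_next(&p, end, &seq) || seq.tag != 0x30 || p != end) return -1;
    for (p = seq.val, end = p + seq.len; p < end; ) {
        if (der_next(&p, end, &dp) || dp.tag != 0x30) return -1;
        for (dq = dp.val; dq < dp.val + dp.len; ) {
            if (der_next(&dq, dp.val + dp.len, &fld)) return -1;
            if (fld.tag != 0xa0) continue;      /* skip reasons, cRLIssuer */
            fq = fld.val;
            if (der_next(&fq, fld.val + fld.len, &names)) return -1;
            if (names.tag != 0xa0) continue;    /* not a fullName */
            for (gq = names.val; gq < names.val + names.len; ) {
                if (der_next(&gq, names.val + names.len, &gn)) return -1;
                if (gn.tag != 0x86) continue;   /* GeneralName is not a URI */
                if (n == max || gn.len >= URI_MAX ||
                    memchr(gn.val, 0, gn.len)) return -1; /* embedded NUL */
                memcpy(uris[n], gn.val, gn.len);
                uris[n++][gn.len] = '\0';
            }
        }
    }
    return n;
}
```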
Re: Untrusted server
After doing a little reading, it looks like what I had in mind is not possible with SSL. In SSL the data sent by the server is encrypted using a symmetric key which is different for each session.

Is there a protocol understood by web browsers where the server data is encrypted with its (unchanged) private key instead? Alternatively, does one of the SSL encryption schemes allow for pre-encryption, in which the symmetric key is used for a second step encryption only?

I want the untrusted server to be unable to read the contents of the data it is serving unless it asks explicitly the trusted server for the key. I also want any client to read the contents of the data sent by the untrusted server without additional software installed.

--
Denis.

On 30 Mar 2005, at 18:36, Denis wrote:

> Hello
>
> Is it possible to separate the job of a server serving SSL documents in two servers, a trusted server and an untrusted server in that way:
> - One server is on the Internet and distributes documents using the SSL protocol (untrusted)
> - One server is offline and uploads encrypted documents to the first server for Internet clients at scheduled intervals (trusted)
>
> Only the trusted server knows of the private key. Is that practically possible? Will it work without additional software on the clients (a standard SSL-enabled web browser will do)?
>
> Thanks,
> --
> Denis.
Re: compiling openssl with zlib support on win32
> Hmm, I wouldn't be surprised if we've forgotten to unload the shared library for zlib, and thereby created that leak. Note that the leak isn't very important, and a one-time thingy. It's not like it's going to grow over time.

but are you sure? or is this just a guess.

Louis Solomon
www.SteelBytes.com
Re: Untrusted server
Denis wrote:

> After doing a little reading, it looks like what I had in mind is not possible with SSL. In SSL the data sent by the server is encrypted using a symmetric key which is different for each session.
>
> Is there a protocol understood by web browsers where the server data is encrypted with its (unchanged) private key instead? Alternatively, does one of the SSL encryption schemes allow for pre-encryption, in which the symmetric key is used for a second step encryption only?
>
> I want the untrusted server to be unable to read the contents of the data it is serving unless it asks explicitly the trusted server for the key. I also want any client to read the contents of the data sent by the untrusted server without additional software installed.
>
> --
> Denis.

I'm still not sure if I understand what you want to do. I guess that you are trying to use something like free webspace and you do not trust the untrusted server's administrator and s/he should not be able to read the documents you are distributing to your users.

In this case I'd say that there is no way doing this in the way you want to do, that is displaying the content inline with a standard web-browser without plugins.

One approach would be not to use a web server but an email server (possibly triggered by a web server). Then you can send eMails which might be pre-encrypted using S/MIME to your clients and S/MIME-Clients like Thunderbird usually can show documents inline without user interaction (other than entering their passwords if so configured).

I hope you already realized that solving your problem demands the management and distribution of client certificates/keys for encryption to your users, whereas the server's key would only be needed to sign your documents.

Hope it helps.
Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Re: compiling openssl with zlib support on win32
In message [EMAIL PROTECTED] on Fri, 1 Apr 2005 14:57:34 +1000, Louis Solomon [SteelBytes] [EMAIL PROTECTED] said:

louis> > Hmm, I wouldn't be surprised if we've forgotten to unload the shared
louis> > library for zlib, and thereby created that leak. Note that the leak
louis> > isn't very important, and a one-time thingy. It's not like it's going
louis> > to grow over time.
louis>
louis> but are you sure? or is this just a guess.

For now, it's just a guess.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis
Re: Newbie question (with answer - long)
On Fri, 2005-04-01 at 07:31 +0530, Denis wrote:

> Don't you need to allocate some memory to be able to store the RSA key in r_rsa?

I assumed that would happen automatically due to the 'pointer-to-pointer' parameter.

Best regards,
jules

BTW: Doing the following solved my problem:

    #include <stdio.h>
    #include <windows.h>
    #include <wincrypt.h>
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/evp.h>
    #include <openssl/pem.h>
    #include <openssl/rand.h>
    #include <openssl/rsa.h>

    /* RSA_KEY_LENGTH (key size in bits) is not shown in this post. */

    /* Read a PEM public key; passing NULL lets OpenSSL allocate the RSA. */
    RSA *read_pub_key(const char *pubkey_file)
    {
        RSA *key = NULL;
        BIO *bp;

        ERR_load_crypto_strings();
        bp = BIO_new(BIO_s_file());
        if (BIO_read_filename(bp, pubkey_file) <= 0) {
            perror(pubkey_file);
            goto exit;
        }
        key = PEM_read_bio_RSAPublicKey(bp, NULL, NULL, NULL);
        if (!key) {
            ERR_print_errors_fp(stderr);
            goto exit;
        }
    exit:
        BIO_free(bp);
        return key;
    }

    /* Read a PEM private key; passing NULL lets OpenSSL allocate the RSA. */
    RSA *read_priv_key(const char *privkey_file)
    {
        RSA *key = NULL;
        BIO *bp;

        SSLeay_add_all_algorithms();
        ERR_load_PEM_strings();
        bp = BIO_new(BIO_s_file());
        if (BIO_read_filename(bp, privkey_file) <= 0) {
            perror(privkey_file);
            goto exit;
        }
        key = PEM_read_bio_RSAPrivateKey(bp, NULL, NULL, NULL);
        if (!key) {
            ERR_print_errors_fp(stderr);
            goto exit;
        }
    exit:
        BIO_free(bp);
        return key;
    }

    void create_rsa_files(const char *pubkey_file, const char *privkey_file)
    {
        RSA *rsa;
        RSA *pub_rsa = NULL;
        RSA *priv_rsa = NULL;
        int len;
        unsigned char buf[RSA_KEY_LENGTH * 2];
        unsigned char *p;
        unsigned char seed[64];
        HCRYPTPROV cx = 0;
        BIO *pub = NULL;
        BIO *priv = NULL;

        /* Seed the OpenSSL PRNG from the Windows CSP; stop if that fails. */
        if (!CryptAcquireContextA(&cx, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
            printf("Could not acquire a cryptographic context - %lX\n", GetLastError());
            return;
        }
        if (!CryptGenRandom(cx, sizeof(seed), seed)) {
            printf("Could not get random seed\n");
            CryptReleaseContext(cx, 0);
            return;
        }
        RAND_seed(seed, sizeof(seed));
        if (!CryptReleaseContext(cx, 0))
            printf("Could not release the cryptographic context - %lX\n", GetLastError());

        rsa = RSA_generate_key(RSA_KEY_LENGTH, RSA_F4, NULL, (char *)stdout);
        if (rsa == NULL) {
            ERR_print_errors_fp(stderr);
            return;
        }
        RSA_blinding_on(rsa, NULL);

        p = buf;
        /* Save the public key into buffer, we know it will be big enough
         * but we should really check how much space we need by calling the
         * i2d functions with a NULL second parameter */
        len = i2d_RSAPublicKey(rsa, &p);
        len += i2d_RSAPrivateKey(rsa, &p);
        printf("The public and private key are now both in a char array\n");
        printf("and are taking up %d bytes\n", len);
        /* buf holds binary DER, not a C string, so it is not printed with %s */
        RSA_free(rsa);

        p = buf;
        pub_rsa = d2i_RSAPublicKey(NULL, (const unsigned char **)&p, (long)len);
        len -= (p - buf);
        priv_rsa = d2i_RSAPrivateKey(NULL, (const unsigned char **)&p, (long)len);
        if ((pub_rsa == NULL) || (priv_rsa == NULL)) {
            ERR_print_errors_fp(stderr);
            goto done;
        }
        /* RSA_check_key() returns 1 for a valid key, 0 or -1 otherwise */
        if (RSA_check_key(priv_rsa) != 1)
            printf("Private RSA not validated\n");
        else
            printf("Private RSA OK\n");

        // store public key
        pub = BIO_new_file(pubkey_file, "w");
        if (pub == NULL || !PEM_write_bio_RSAPublicKey(pub, pub_rsa))
            ERR_print_errors_fp(stderr);

        // store private key (no cipher or passphrase is given, so the PEM file is unencrypted)
        priv = BIO_new_file(privkey_file, "w");
        if (priv == NULL || !PEM_write_bio_RSAPrivateKey(priv, priv_rsa, NULL, NULL, 0, NULL, NULL))
            ERR_print_errors_fp(stderr);

    done:
        BIO_free(pub);
        BIO_free(priv);
        RSA_free(pub_rsa);
        RSA_free(priv_rsa);
    }