Re: Missing header on creating smime

2005-05-02 Thread Eddy Tan
--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
  What needs to be done to add that header as default on
  openssl smime command?
  
 
 Nothing :-) I've just added support, it will appear in the
 next stable snapshot and subsequent versions of OpenSSL.

Cool!
In the meantime I'll use a script to play around with the header
until that version's up.

Thanks,
Eddy

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]


0.9.8-dev: FORMAT:HEX,OCT issue

2005-05-02 Thread Andrea Cogliati
Guys,
I'm trying to use 0.9.8-dev (SNAP-20050428) to issue domain controller
certificates for Windows Smart Card logon. I get this error when using
FORMAT:HEX modifier with OCT type:
Error Loading extension section dc_cert
3550:error:0E06D06C:configuration file routines:NCONF_get_string:no
value:conf_lib.c:329:group=CA_default name=email_in_dn
3550:error:22075093:X509 V3 routines:v2i_GENERAL_NAME:othername
error:v3_alt.c:501:
3550:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:93:name=subjectAltName,
value=otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCT: 
010203040506070809101112
13141516

This is my dc_cert section, offending line is the last one:
[ dc_cert ]
crlDistributionPoints = URI:http://pig-dc/demoCA/crl.pem
extendedKeyUsage = clientAuth,serverAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
msCertTemplate = ASN1:BMP:DomainController
subjectAltName =
otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCT: 
010203040506070809101112131415
16

If I don't use FORMAT:HEX, everything runs fine. Any advice?
TIA,
Andrea


Re: [openssl-users] OCSP structure compliance RFC2560

2005-05-02 Thread Antonio Ruiz Martínez

Hello!

Erwann ABALEA wrote:

 Bonsoir,

 Hodie III Kal. Mai. MMV est, Antonio Ruiz Martínez scripsit:

 I'm seeing the structure generated by OpenSSL in an OCSPRequest. However, from
 my point of view it doesn't accomplish with the standard because there is not
 any number of the version. Is it correct?

 [...]

 TBSRequest ::= SEQUENCE
 {
   version[0] EXPLICIT INTEGER { v1(0) } DEFAULT v1,

 Here, the version is told to be OPTIONAL. As per the ASN.1 standard,
 DEFAULT implies OPTIONAL.

Thanks for your answer,
Antonio.
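
The point made in the reply quoted above (DEFAULT implies OPTIONAL, so the version may simply be absent from the encoding), as an added example that is not part of the original thread and is not OpenSSL code: a small C reader that reports the version of an OCSPRequest whether or not the [0] field is present. The function names and both byte strings are constructed for illustration, and only the leading fields of TBSRequest are examined.

```c
#include <stddef.h>
#include <stdio.h>

/* Enter the TLV at *p if it has the wanted tag; narrow *end to its content. */
static int enter(const unsigned char **p, const unsigned char **end,
                 unsigned char want)
{
    const unsigned char *q = *p;
    size_t l, n;

    if (*end - q < 2 || *q++ != want) return -1;
    l = *q++;
    if (l & 0x80) {                         /* long form: n length bytes follow */
        n = l & 0x7f;
        if (n == 0 || n > 4 || (size_t)(*end - q) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *q++;
    }
    if ((size_t)(*end - q) < l) return -1;  /* content runs past the buffer */
    *p = q;
    *end = q + l;
    return 0;
}

/* Version of an OCSPRequest (0 means v1), or -1 if malformed.
 * *encoded is 1 only when the [0] version field is physically present. */
int ocsp_request_version(const unsigned char *der, size_t derlen, int *encoded)
{
    const unsigned char *p = der, *end = der + derlen;

    *encoded = 0;
    if (enter(&p, &end, 0x30)) return -1;   /* OCSPRequest ::= SEQUENCE */
    if (enter(&p, &end, 0x30)) return -1;   /* TBSRequest  ::= SEQUENCE */
    if (p == end) return -1;                /* requestList is mandatory */
    if (*p != 0xA0) return 0;               /* no [0] tag: DEFAULT v1 applies */
    if (enter(&p, &end, 0xA0) || enter(&p, &end, 0x02)) return -1;
    if (end - p != 1 || (*p & 0x80)) return -1;  /* expect a one-byte INTEGER */
    *encoded = 1;
    return *p;
}

/* Constructed samples: an empty requestList, without and with the version. */
static const unsigned char req_default[]  = { 0x30, 0x04, 0x30, 0x02, 0x30, 0x00 };
static const unsigned char req_explicit[] = { 0x30, 0x09, 0x30, 0x07, 0xA0, 0x03,
                                              0x02, 0x01, 0x00, 0x30, 0x00 };

int main(void)
{
    int enc, v = ocsp_request_version(req_default, sizeof req_default, &enc);
    printf("omitted:  version=%d encoded=%d\n", v, enc);
    v = ocsp_request_version(req_explicit, sizeof req_explicit, &enc);
    printf("explicit: version=%d encoded=%d\n", v, enc);
    return 0;
}
```

Both samples decode to v1; the second spells out the default value, which BER tolerates but DER forbids, so a DER encoder always produces the first form.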





Re: 0.9.8-dev: FORMAT:HEX,OCT issue

2005-05-02 Thread Dr. Stephen Henson
On Mon, May 02, 2005, Andrea Cogliati wrote:

 Guys,
 
 I'm trying to use 0.9.8-dev (SNAP-20050428) to issue domain controller
 certificates for Windows Smart Card logon. I get this error when using
 FORMAT:HEX modifier with OCT type:
 
 Error Loading extension section dc_cert
 3550:error:0E06D06C:configuration file routines:NCONF_get_string:no
 value:conf_lib.c:329:group=CA_default name=email_in_dn
 3550:error:22075093:X509 V3 routines:v2i_GENERAL_NAME:othername
 error:v3_alt.c:501:
 3550:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
 extension:v3_conf.c:93:name=subjectAltName,
 value=otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCT: 
 010203040506070809101112
 13141516
 
 
 This is my dc_cert section, offending line is the last one:
 
 [ dc_cert ]
 
 crlDistributionPoints = URI:http://pig-dc/demoCA/crl.pem
 extendedKeyUsage = clientAuth,serverAuth
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 msCertTemplate = ASN1:BMP:DomainController
 subjectAltName =
 otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCT: 
 010203040506070809101112131415
 16
 
 
 If I don't use FORMAT:HEX, everything runs fine. Any advice?
 

http://www.openssl.org/docs/apps/x509v3_config.html#NOTES

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


How to get SSL DLL's compiling from Cygwin?

2005-05-02 Thread Manel Rodero
Hello,

I'm trying to compile OpenSSL 0.9.7f under Windows 2000 (using Cygwin) but I
don't know if I get all the files after the compilation process. For
example, I don't have libeay32.dll nor ssleay32.dll.

To setup the compilation environment I've downloaded Cygwin setup, installed
it with base + perl + gcc + make. After entering a bash shell, I've
downloaded http://www.openssl.org/source/openssl-0.9.7f.tar.gz and
uncompressed it.

Then I've tested both options (explained in INSTALL.W32), ./configure and
./Configure mingw. Both of them compile without problems doing 'make', then
I can create and pass the tests using 'make test' and after it I can install
using 'make install' (under /usr/local/ssl).

But, after this compilation I don't have out32dll or out32 directories,
where it is supposed to find the DLLs to copy them to our final directory
like in these commands explained in INSTALL.W32:

$ md c:\openssl
$ md c:\openssl\bin
$ md c:\openssl\lib
$ md c:\openssl\include
$ md c:\openssl\include\openssl
$ copy /b inc32\openssl\*   c:\openssl\include\openssl
$ copy /b out32dll\ssleay32.lib c:\openssl\lib
$ copy /b out32dll\libeay32.lib c:\openssl\lib
$ copy /b out32dll\ssleay32.dll c:\openssl\bin
$ copy /b out32dll\libeay32.dll c:\openssl\bin
$ copy /b out32dll\openssl.exe  c:\openssl\bin

Why? Is this a problem of compiling OpenSSL under Cygwin? Do I need to
compile using another environment? (all the information I've found is
relative to using Visual C as the environment but I can't use it at this
moment).

Any idea?

Thank you very much!

--

o o o  Manel Rodero   | LCFIB - UPC
o o o  Helpdesk Manager   | Campus Nord - Modul B6
o o o  Laboratori de Calcul   | Jordi Girona, 1-3
U P C  Facultat Informatica Barcelona | 08034 Barcelona (Spain)
  |
   manel AT fib upc edu   | Tel: +00 34 93 401 6940
   http://www.fib.upc.edu/~manel  | Fax: +00 34 93 401 7040



Re: Client validation troubles on z/OS.

2005-05-02 Thread John Young
Does anyone have any suggestions, regarding this issue?

Any help would be greatly appreciated.

John Young


--- John Young [EMAIL PROTECTED] wrote:
 We are having an issue getting client validation to work on z/OS, with
 OpenSSL 0.9.7d.
 
 We have the same code running on several Xnix platforms and Windows,
 with no trouble.
 
 On z/OS, following SSL_do_handshake, we are receiving a -1 return.
 Following the failure we receive the following from ERR_error_string():
 
 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 
 Are there any known gotcha's or issues on the z/OS (or OS/390) in this
 regard?
 
 Any suggestions as to what we might try or look at, to resolve this
 issue?
 
 Thanks,
 John Young
 
 John Young
 
 
   
 

John Young





Using non-std OIDs in config file

2005-05-02 Thread Bob Bramwell
I am trying to add two new OIDs to my configuration, and then specify that a 
certificate should contain such objects with values that I specify.  After 
extensive RTFMing and a lot of time wading through the configuration code I 
still have not got a working setup.  Can anyone provide an example?

What I have been trying is along the lines of the config file included below, 
and the complaint from openssl req is:

Error Loading extension section v3_req
28763:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown extension:v3_conf.c:128:
28763:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in 
extension:v3_conf.c:92:name=msOID2, value=V0.0

Is there any more complete documentation on the config file format?  I have not 
yet found any formal explanation of constructs like:
	   certificatePolicies = ia5org,@policy
What else are we not being told? :-)

Thanks,
Bob.

#OpenSSL config file
dir = .
oid_section = new_oids
[ ca ]
default_ca  = CA_default
[ CA_default ]
serial  = $dir/serial
database= $dir/certindex.txt
new_certs_dir   = $dir/certs
certificate = $dir/jasomi.com-cacert.pem
private_key = $dir/jasomi.com-cakey.pem
default_days= 3650
default_md  = sha1
preserve= no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy  = policy_match
x509_extensions = v3_ca
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional
[ req ]
default_bits        = 2048      # Size of keys
default_keyfile     = key.pem   # name of generated keys
default_md          = sha1      # message digest algorithm
string_mask         = nombstr   # permitted characters
distinguished_name  = req_distinguished_name
x509_extensions  = v3_req
oid_section	= new_oids

[ req_distinguished_name ]
# Variable name Prompt string
#---
0.organizationName  = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress= Email Address
emailAddress_max= 40
localityName= Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName  = Common Name (hostname, IP, or your name)
commonName_max  = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
# --
0.organizationName_default  = Jasomi Networks Inc.
localityName_default= Calgary
stateOrProvinceName_default = Alberta
countryName_default = CA
organizationalUnitName_default  = Engineering Department
emailAddress_default= [EMAIL PROTECTED]
commonName_default  = jasomi.com
[ v3_ca ]
# subjectAltName=${ENV::ALTNAME}
basicConstraints= critical,CA:FALSE
subjectKeyIdentifier= hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage= digitalSignature, keyCertSign, cRLSign
crlDistributionPoints   = URI:http://www.jasomi.com/CRL
#
msOID2 = V0.0
msOID1 = CA
[ v3_req ]
basicConstraints= critical,CA:FALSE
subjectKeyIdentifier= hash
keyUsage= digitalSignature, keyCertSign, cRLSign
crlDistributionPoints   = URI:http://www.jasomi.com/CRL
#
msOID2 = V0.0
msOID1 = DomainController
[ new_oids ]
# MS Certificate Template Name
msOID1 = 1.3.6.1.4.1.311.20.2
# MS something or other (CA version?)
msOID2 = 1.3.6.1.4.1.311.21.1
--
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th 

Re: Using non-std OIDs in config file

2005-05-02 Thread Dr. Stephen Henson
On Mon, May 02, 2005, Bob Bramwell wrote:

 I am trying to add two new OIDs to my configuration, and then specify that 
 a certificate should contain such objects with values that I specify.  
 After extensive RTFMing and a lot of time wading through the configuration 
 code I still have not got a working setup.  Can anyone provide an example?
 
 What I have been trying is along the lines of the config file included 
 below, and the complaint from openssl req is:
 
 Error Loading extension section v3_req
 28763:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown 
 extension:v3_conf.c:128:
 28763:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in 
 extension:v3_conf.c:92:name=msOID2, value=V0.0
 
 Is there any more complete documentation on the config file format?  I have 
 not yet found any formal explanation of constructs like:
  certificatePolicies = ia5org,@policy

Yes, it's in the X509v3_config manual page or:

http://www.openssl.org/docs/apps/x509v3_config.html

OpenSSL 0.9.8-dev supports a mini-ASN1 compiler which allows custom extensions
to be generated. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Using non-std OIDs in config file

2005-05-02 Thread Bob Bramwell
Aha!  One I hadn't come across.  Thank you.  I will read it tonight and maybe 
tomorrow I can make some progress.

Cheers,
Bob.
Dr. Stephen Henson wrote:
On Mon, May 02, 2005, Bob Bramwell wrote:

I am trying to add two new OIDs to my configuration, and then specify that 
a certificate should contain such objects with values that I specify.  
After extensive RTFMing and a lot of time wading through the configuration 
code I still have not got a working setup.  Can anyone provide an example?

What I have been trying is along the lines of the config file included 
below, and the complaint from openssl req is:

Error Loading extension section v3_req
28763:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown 
extension:v3_conf.c:128:
28763:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in 
extension:v3_conf.c:92:name=msOID2, value=V0.0

Is there any more complete documentation on the config file format?  I have 
not yet found any formal explanation of constructs like:
	   certificatePolicies = ia5org,@policy

Yes, it's in the X509v3_config manual page or:
http://www.openssl.org/docs/apps/x509v3_config.html
OpenSSL 0.9.8-dev supports a mini-ASN1 compiler which allows custom extensions
to be generated. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

--
Bob Bramwell            Jasomi Networks (Canada) | This space
Ph: 403 269 2938 x155   #310 602 11th Ave SW     | intentionally
FX: 403 269 2993        Calgary, AB, T2R 1J8     | left blank.


EVP Function call errors

2005-05-02 Thread Don C. Weber
I am not sure why I am getting the following errors when I try to call
functions that are included by OpenSSL. I basically copied the code out
of the O'Reilly OpenSSL book, so the code should be okay. I have
included the OpenSSL EVP headers (and even tried to include all the
digest headers) but I still get this compile error.

I have been working off the assumption that it is an include error but
nothing I try fixes it. I have tried to include openssl/evp.h and
/usr/include/openssl/evp.h.

Here is the compile error:


/usr/qt/3/bin/uic form1.ui -o form1.h
g++ -c -pipe -Wall -W -march=pentium3 -pipe -O2  -DQT_NO_DEBUG
-I/usr/qt/3/mkspecs/linux-g++ -I. -I. -I/usr/qt/3/include -o hasher.o
hasher.cpp
/usr/qt/3/bin/uic form1.ui -i form1.h -o form1.cpp
g++ -c -pipe -Wall -W -march=pentium3 -pipe -O2  -DQT_NO_DEBUG
-I/usr/qt/3/mkspecs/linux-g++ -I. -I. -I/usr/qt/3/include -o form1.o
form1.cpp
/usr/qt/3/bin/moc form1.h -o moc_form1.cpp
g++ -c -pipe -Wall -W -march=pentium3 -pipe -O2  -DQT_NO_DEBUG
-I/usr/qt/3/mkspecs/linux-g++ -I. -I. -I/usr/qt/3/include -o moc_form1.o
moc_form1.cpp
g++  -o hasher hasher.o form1.o moc_form1.o   -L/usr/qt/3/lib
-L/usr/X11R6/lib -lqt -lXext -lX11 -lm
form1.o(.text+0x2cb): In function `Form1::computeHash(QString, QString)':
: undefined reference to `OpenSSL_add_all_digests'
form1.o(.text+0x2de): In function `Form1::computeHash(QString, QString)':
: undefined reference to `EVP_get_digestbyname'
form1.o(.text+0x305): In function `Form1::computeHash(QString, QString)':
: undefined reference to `EVP_DigestInit'
form1.o(.text+0x323): In function `Form1::computeHash(QString, QString)':
: undefined reference to `EVP_DigestUpdate'
form1.o(.text+0x335): In function `Form1::computeHash(QString, QString)':
: undefined reference to `EVP_DigestFinal'
collect2: ld returned 1 exit status
make: *** [hasher] Error 1



Here is the function where I call the (er!!) functions:


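#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>

QString Form1::computeHash(QString hash_algorithm, QString hash_input )
{
    // Declare local variables.
    // OpenSSL 0.9.7-era API: EVP_MD_CTX is opaque from 1.1.0 on
    // (allocate it with EVP_MD_CTX_new there).
    const EVP_MD *m;
    EVP_MD_CTX ctx;
    unsigned char *ret;
    unsigned int ret_len = 0;
    const char *input = hash_input.ascii();

    OpenSSL_add_all_digests();

    // Unknown digest name: return a null QString
    if (!(m = EVP_get_digestbyname(hash_algorithm.ascii())))
        return QString();

    if (!(ret = (unsigned char *)malloc(EVP_MAX_MD_SIZE)))
        return QString();

    EVP_DigestInit(&ctx, m);
    EVP_DigestUpdate(&ctx, input, strlen(input));
    EVP_DigestFinal(&ctx, ret, &ret_len);

    // The digest is raw bytes, not a NUL-terminated string: pass its length
    QString result = QString::fromLatin1((const char *)ret, ret_len);
    free(ret);
    return result;
}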

It's probably a simple C++ error that I am forgetting about.


Thanks in advance,
Cutaway
-- 


Re: EVP Function call errors

2005-05-02 Thread Michael D'Errico
g++  -o hasher hasher.o form1.o moc_form1.o   -L/usr/qt/3/lib
-L/usr/X11R6/lib -lqt -lXext -lX11 -lm
You need to add -lcrypto and maybe -lssl.
Mike