Re: Signing a file

2005-08-30 Thread Roberto Arias Alegria
Hello Stephen,

Thanks for helping me. I'm new to using open-ssl and I really appreciate your support.

OK firstly no, I didn't find the "private-key" string using the binary
editor, I searched for it but I didn't find it.

Thanks for the suggestion, I generated a dummy key with the same
software. After using "openssl rsa -inform NET -in file.key" I got:

unable to load Private Key
3554:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
3554:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:628:
3554:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=os, Type=NETSCAPE_ENCRYPTED_PKEY
3554:error:0D09806F:asn1 encoding routines:d2i_Netscape_RSA:decoding error:n_pkey.c:242:

Then I used  "openssl asn1parse -inform DER -in file.key" and I got this:

    0:d=0  hl=4 l= 710 cons: SEQUENCE
    4:d=1  hl=2 l=  64 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT:PBES2
   17:d=2  hl=2 l=  51 cons: SEQUENCE
   19:d=3  hl=2 l=  27 cons: SEQUENCE
   21:d=4  hl=2 l=   9 prim: OBJECT:PBKDF2
   32:d=4  hl=2 l=  14 cons: SEQUENCE
   34:d=5  hl=2 l=   8 prim: OCTET STRING
   44:d=5  hl=2 l=   2 prim: INTEGER   :0800
   48:d=3  hl=2 l=  20 cons: SEQUENCE
   50:d=4  hl=2 l=   8 prim: OBJECT:des-ede3-cbc
   60:d=4  hl=2 l=   8 prim: OCTET STRING
   70:d=1  hl=4 l= 640 prim: OCTET STRING

Hope you can help,

Roberto



On 8/30/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Tue, Aug 30, 2005, Roberto Arias Alegria wrote:
> 
> > Hello,
> >
> > I tried to sign a file using a private key (a file with a .key
> > extension) using this:
> > openssl rsautl -sign -in myfile.txt -inkey mykey.key -out signed
> >
> > But I got a message "unable to load private key".
> >
> > The private key was generated using a proprietary software (in fact, a
> > government-made software, not a known commercial solution) so I have
> > little information about how it was generated. Anyway, I tried to
> > follow the solution with NET files provided in the man pages (open it
> > in a binary editor and found the string "private-key" and then the
> > 0x30 0x80 values, and copy everything from here to the end of the file)
> > but I found that the file actually starts with 0x30 0x82, so I didn't
> > edit anything.
> >
> > Is there another way to sign information using a ".key" file? It is
> > possible that the file could be in another format and the original
> > software just labeled it as ".key"?
> 
> Firstly that command line probably won't "sign a file" in the way you mean. You
> should use the -sign option in the dgst command for that.
> 
> So it includes the string "private-key" in it? Ugh, that's a horribly insecure
> private key format. Did you try using NET format for the whole file? That is:
> 
> openssl rsa -inform NET -in file.key
> 
> How large is the file? What does:
> 
> openssl asn1parse -inform DER -in file.key
> 
> show? If the output has lots of lines with INTEGER on them and lots of digits
> don't post it.
> 
> If you can generate a test key of zero importance with the same software you
> could post that.
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>
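
The asn1parse dump in the message above has the shape SEQUENCE { SEQUENCE { OBJECT PBES2, ... }, OCTET STRING }, which is the layout of a PKCS#8 EncryptedPrivateKeyInfo rather than a NET or plain RSA key. The following is an added example, not code from the thread or from OpenSSL: it walks the DER headers to tell that layout apart from unencrypted key layouts (going slightly beyond the one case in the post) and reads the PBKDF2 iteration count. The names classify_key_der and pbes2_iterations are hypothetical, and the sample bytes are constructed to mirror the dump with placeholder salt, IV and ciphertext.

```c
#include <stdio.h>
#include <string.h>

/* One DER element: tag byte, offset of its content, content length. */
typedef struct { unsigned char tag; size_t off; size_t len; } tlv_t;

typedef enum {
    KEY_UNKNOWN = 0,
    KEY_TRADITIONAL_PLAIN, /* SEQUENCE { INTEGER, INTEGER, ... }: unencrypted, e.g. PKCS#1 RSA */
    KEY_PKCS8_PLAIN,       /* SEQUENCE { INTEGER, SEQUENCE, ... }: unencrypted PrivateKeyInfo */
    KEY_PKCS8_ENC_PBES2,   /* SEQUENCE { SEQUENCE { OID PBES2, ... }, OCTET STRING } */
    KEY_PKCS8_ENC_OTHER    /* same layout, other encryption-scheme OID */
} key_kind_t;

static const unsigned char OID_PBES2[]  = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0d};
static const unsigned char OID_PBKDF2[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0c};

/* Constructed sample with the same element layout as the asn1parse dump in the post.
 * Salt, IV and the 16-byte "ciphertext" are placeholders, so the outer length is short form. */
static const unsigned char SAMPLE_ENC_KEY[] = {
    0x30,0x54, 0x30,0x40,                                          /* SEQUENCE, SEQUENCE l=64 */
    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0d,        /* OBJECT PBES2 */
    0x30,0x33, 0x30,0x1b,                                          /* SEQUENCE, SEQUENCE */
    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x05,0x0c,        /* OBJECT PBKDF2 */
    0x30,0x0e, 0x04,0x08,1,2,3,4,5,6,7,8, 0x02,0x02,0x08,0x00,     /* salt, INTEGER 0800 */
    0x30,0x14, 0x06,0x08,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x03,0x07,  /* OBJECT des-ede3-cbc */
    0x04,0x08,8,7,6,5,4,3,2,1,                                     /* IV */
    0x04,0x10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0                      /* encrypted key bytes */
};

/* Parse one definite-length header at buf[pos], bounded by `end`. Returns 0, or -1 when the
 * element is truncated or uses the indefinite form (0x30 0x80), which DER does not allow. */
static int der_header(const unsigned char *buf, size_t end, size_t pos, tlv_t *out)
{
    size_t len, n, i;
    if (pos >= end || end - pos < 2) return -1;
    out->tag = buf[pos];
    len = buf[pos + 1];
    pos += 2;
    if (len & 0x80) {                      /* long form: low 7 bits count the length bytes */
        n = len & 0x7f;
        if (n == 0 || n > 4 || n > end - pos) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | buf[pos + i];
        pos += n;
    }
    if (len > end - pos) return -1;
    out->off = pos;
    out->len = len;
    return 0;
}

/* First child of `parent` (prev == NULL) or the sibling that follows `prev`. */
static int der_next(const unsigned char *buf, const tlv_t *parent, const tlv_t *prev, tlv_t *out)
{
    size_t pos = prev ? prev->off + prev->len : parent->off;
    return der_header(buf, parent->off + parent->len, pos, out);
}

static int is_oid(const unsigned char *buf, const tlv_t *t, const unsigned char *oid, size_t n)
{
    return t->tag == 0x06 && t->len == n && memcmp(buf + t->off, oid, n) == 0;
}

/* Classify a DER key file from the tags of its first two top-level fields. */
key_kind_t classify_key_der(const unsigned char *buf, size_t len)
{
    tlv_t root = {0, 0, len}, outer, a, b, oid;
    if (der_next(buf, &root, NULL, &outer) || outer.tag != 0x30) return KEY_UNKNOWN;
    if (der_next(buf, &outer, NULL, &a) || der_next(buf, &outer, &a, &b)) return KEY_UNKNOWN;
    if (a.tag == 0x02 && b.tag == 0x02) return KEY_TRADITIONAL_PLAIN;
    if (a.tag == 0x02 && b.tag == 0x30) return KEY_PKCS8_PLAIN;
    if (a.tag != 0x30 || b.tag != 0x04) return KEY_UNKNOWN;
    if (der_next(buf, &a, NULL, &oid) || oid.tag != 0x06) return KEY_UNKNOWN;
    return is_oid(buf, &oid, OID_PBES2, sizeof OID_PBES2) ? KEY_PKCS8_ENC_PBES2 : KEY_PKCS8_ENC_OTHER;
}

/* PBKDF2 iteration count of a PBES2-encrypted key, or -1 if it cannot be read. */
long pbes2_iterations(const unsigned char *buf, size_t len)
{
    tlv_t root = {0, 0, len}, outer, alg, oid, params, kdf, kdfoid, kp, salt, iter;
    long v = 0;
    size_t i;
    if (classify_key_der(buf, len) != KEY_PKCS8_ENC_PBES2) return -1;
    if (der_next(buf, &root, NULL, &outer) || der_next(buf, &outer, NULL, &alg) ||
        der_next(buf, &alg, NULL, &oid) || der_next(buf, &alg, &oid, &params) ||
        der_next(buf, &params, NULL, &kdf) || der_next(buf, &kdf, NULL, &kdfoid) ||
        !is_oid(buf, &kdfoid, OID_PBKDF2, sizeof OID_PBKDF2) ||
        der_next(buf, &kdf, &kdfoid, &kp) || der_next(buf, &kp, NULL, &salt) ||
        der_next(buf, &kp, &salt, &iter) || salt.tag != 0x04 || iter.tag != 0x02)
        return -1;
    if (iter.len == 0 || iter.len > 4 || (buf[iter.off] & 0x80)) return -1;
    for (i = 0; i < iter.len; i++) v = (v << 8) | buf[iter.off + i];
    return v;
}

int main(void)
{
    printf("kind=%d pbkdf2_iterations=%ld\n",
           (int)classify_key_der(SAMPLE_ENC_KEY, sizeof SAMPLE_ENC_KEY),
           pbes2_iterations(SAMPLE_ENC_KEY, sizeof SAMPLE_ENC_KEY));
    return 0;
}
```

A result of KEY_TRADITIONAL_PLAIN or KEY_PKCS8_PLAIN means the file holds an unencrypted key, which is the "lots of lines with INTEGER" case that should not be posted to a list.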


Openssl Engine calling code (soft pkcs11) also written in openssl conflict

2005-08-30 Thread Christopher Nebergall
I've been working with some patches to curl I found on the curl mailing
list to support openssl and opensc's engine_pkcs11.  

Basically it consists of 

Curl 7.14 + patch which adds dynamic engine support -> opensc-20050826
[engine_pkcs11.so] -> soft-pkcs11 1.2 

on

Ubuntu Linux (5.04) Kernel 2.6.10-5-386 

The problem is that engine_pkcs11 from opensc registers custom rsa
functions for its purposes.  They dlopen a pkcs11 library in my case
soft-pkcs11 which is also implemented using openssl.  The problem is
that the soft token seems to be calling the rsa functions registered by
opensc and not the original versions.  I need some advice or background
on overriding crypto implementations to figure out how to make
soft-pkcs11 not inherit the opensc's overridden functions. I would have
thought since soft-pkcs11 was dlopened that this wouldn't have inherited
the modified functions.  



Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Dr. Stephen Henson
On Wed, Aug 31, 2005, Jason Haar wrote:

> 
> 
> The other thing is that I can use Outlook to send an encrypted email to
> myself, then access that mailbox using Thunderbird (with the same cert)
> - and Thunderbird reads it fine. So Outlook must have successfully used
> the private key to do the encryption. It's weird - it can generate
> encrypted emails, but can't read them...
> 
> 

Sending encrypted mail just uses the public key but if SSL client
authentication works then something will use the private key OK.

What about signed mail using that certificate, does that verify OK? Can
thunderbird generated encrypted mail using the same key and certificate be
read using Outlook?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Jason Haar
Dr. Stephen Henson wrote:

>
>Where was the private key used created? Was it generated under CryptoAPI or
>imported as a PKCS#12 file from an external source?
>
>  
>

It was created using OpenSSL - turned into a p12 and imported.

>Due to various deficiencies in the internal format for Windows private keys
>there are some which it can use the public key but not the private key because
>it can't be represented in its format. An example is if the two primes are of
>different size.
>  
>
Unless you know something specific to Outlook, I don't think that's the
problem. We use the same method to create standard user certs for
accessing HTTPS web sites - and they work fine under Windows/MSIE.

The other thing is that I can use Outlook to send an encrypted email to
myself, then access that mailbox using Thunderbird (with the same cert)
- and Thunderbird reads it fine. So Outlook must have successfully used
the private key to do the encryption. It's weird - it can generate
encrypted emails, but can't read them...

Is anyone successfully using S/MIME within Outlook? I don't expect many
on this list to be Outlook users - but I expect a lot are like me and
mainly have Outlook users surrounding them :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: ASN1_OBJECT myth in X509_NAME_add_entry_xxx

2005-08-30 Thread Lincoln

Thanks, Dr. Henson.

  I know those functions work because they perform
search against those "standard" objects based on
length and data fields, i.e., they don't care about sn
or ln. 

  I guess I am trying to find out, that during the
creation of X509_NAME_ENTRY, when ASN1_OBJECT is
attached, 
why the sn, ln and nid are NOT assigned values.

 I can see theoretically, it is because it avoids
duplicating those redundant entries. 
I am just curious where the missing links lie.. If you
can point me out, I'd appreciate it since I've been
sifting through the code but couldn't identify it by
myself..


--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Tue, Aug 30, 2005, Lincoln wrote:
> 
> > Hi,
> >   Would any guru please take a look at this following
> > question? Thanks! 
> 
> Don't try to access the ASN1_OBJECT structures directly. Use functions such as
> OBJ_obj2nid() etc instead.
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk


Re: Signing a file

2005-08-30 Thread Dr. Stephen Henson
On Tue, Aug 30, 2005, Roberto Arias Alegria wrote:

> Hello,
> 
> I tried to sign a file using a private key (a file with a .key
> extension) using this:
> openssl rsautl -sign -in myfile.txt -inkey mykey.key -out signed
> 
> But I got a message "unable to load private key". 
> 
> The private key was generated using a proprietary software (in fact, a
> government-made software, not a known commercial solution) so I have
> little information about how it was generated. Anyway, I tried to
> follow the solution with NET files provided in the man pages (open it
> in a binary editor and found the string "private-key" and then the
> 0x30 0x80 values, and copy everything from here to the end of the file)
> but I found that the file actually starts with 0x30 0x82, so I didn't
> edit anything.
> 
> Is there another way to sign information using a ".key" file? It is
> possible that the file could be in another format and the original
> software just labeled it as ".key"?

Firstly that command line probably won't "sign a file" in the way you mean. You
should use the -sign option in the dgst command for that.

So it includes the string "private-key" in it? Ugh, that's a horribly insecure
private key format. Did you try using NET format for the whole file? That is:

openssl rsa -inform NET -in file.key

How large is the file? What does:

openssl asn1parse -inform DER -in file.key

show? If the output has lots of lines with INTEGER on them and lots of digits
don't post it.

If you can generate a test key of zero importance with the same software you
could post that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Signing a file

2005-08-30 Thread Roberto Arias Alegria
Hello,

I tried to sign a file using a private key (a file with a .key
extension) using this:
openssl rsautl -sign -in myfile.txt -inkey mykey.key -out signed

But I got a message "unable to load private key". 

The private key was generated using a proprietary software (in fact, a
government-made software, not a known commercial solution) so I have
little information about how it was generated. Anyway, I tried to
follow the solution with NET files provided in the man pages (open it
in a binary editor and found the string "private-key" and then the
0x30 0x80 values, and copy everything from here to the end of the file)
but I found that the file actually starts with 0x30 0x82, so I didn't
edit anything.

Is there another way to sign information using a ".key" file? It is
possible that the file could be in another format and the original
software just labeled it as ".key"?


Re: CA generation/certificate serial number

2005-08-30 Thread Nils Larsch

Frédéric Donnat wrote:

> Hi,
> 
> Sorry for the mistake (nothing to deal with openssl.cnf file). I was just 
> looking for ca.txt file.
> 
> Is it normal behavior of openssl to be able to view a certificate without 
> serial number using (without any error mentioned):
> openssl x509 -in some_cert_without_sn.pem -text
> But to be unable to verify it using:
> openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem
> 
> Sample: (attached self-sign cert name pipo-bad.pem)

hmm, the attached certificate has a serial number; it's 0x0

> [EMAIL PROTECTED] simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem pipo-bad.pem
> pipo-bad.pem: /C=UK/CN=OpenSSL Group
> error 7 at 0 depth lookup:certificate signature failure
> 18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
> 18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

well the signature really seems to be wrong. How did you create
the certificate ?

Cheers,
Nils


Re: OSSL 0.9.8 Engine problems

2005-08-30 Thread Nils Larsch

Steffen Pankratz wrote:
...

> > well, if openssl is built without DES support the DES nids are not
> > added to the internal list of OIDs when OPENSSL_add_all_ciphers is
> > called, hence the OBJ_* functions know nothing about DES.
>
> logical
> any chance to make openssl aware of -des-ecb when built without DES cipher 
> support using a dynamic Engine module?

what about adding the necessary ciphers in the engine initialization
function (have a look at crypto/evp/c_allc.c to see which functions
are necessary) ?

> > > but loading seems to be ok
> > >
> > > openssl enc -engine des-ecb
> > > engine "des-ecb" set.
> > >
> > > i tried a OSSL build with DES cipher support and got this
> > >
> > > openssl enc -engine des-ecb -e -des-ecb -out testo -in testi
> > > parallel processing
> > > engine "des-ecb" set.
> > > enter des-ecb encryption password:
> > > Verifying - enter des-ecb encryption password:
> > > Error setting cipher DES-ECB
> > > 10220:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl operation not implemented:evp_enc.c:533:
> > > 10220:error:0607B086:digital envelope routines:EVP_CipherInit_ex:initialization error:evp_enc.c:171:
> >
> > is the EVP_CIPH_CTRL_INIT flag set in the EVP_CIPHER structure ?
>
> it is (if you like, code is attached)

if the flag is set you must provide support for this flag in
EVP_CIPHER::ctrl otherwise you get the above error (so if you don't
need that functionality don't use it).

Cheers,
Nils



Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Dr. Stephen Henson
On Wed, Aug 31, 2005, Jason Haar wrote:

> 
> No - that's not it. I thought of that and so sent myself the email. As 
> such it's encrypted with my private key + my public key (i.e. I am Bob 
> and Alice) - so that can't be it. It's as though it has encrypting 
> rights but not decrypting rights. However, I've checked the extendedkey 
> options and that's not the case - they're not even mentioned - it's a 
> cert that can do S/MIME - that's it.  Thunderbird is 100% happy, Outlook 
> is happy enough sending with it - just not reading. I also made sure my 
> public key was associated with a Contacts entry for myself (that's how 
> Outlook tracks public keys) - so it should have all it needs to do the job.
> 

Where was the private key used created? Was it generated under CryptoAPI or
imported as a PKCS#12 file from an external source?

Due to various deficiencies in the internal format for Windows private keys
there are some which it can use the public key but not the private key because
it can't be represented in its format. An example is if the two primes are of
different size.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: ASN1_OBJECT myth in X509_NAME_add_entry_xxx

2005-08-30 Thread Dr. Stephen Henson
On Tue, Aug 30, 2005, Lincoln wrote:

> Hi,
>   Would any guru please take a look at this following
> question? Thanks! 

Don't try to access the ASN1_OBJECT structures directly. Use functions such as
OBJ_obj2nid() etc instead.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 31 Aug 2005 07:11:28 +1200, Jason Haar 
<[EMAIL PROTECTED]> said:

Jason.Haar> Richard Levitte wrote:
Jason.Haar> 
Jason.Haar> > Jason Haar writes:
Jason.Haar> >
Jason.Haar> >> ... *IT CAN'T READ THE "SENT ITEMS" COPY OF THE EMAIL
Jason.Haar> >> IT JUST SENT*
Jason.Haar> >
Jason.Haar> > My first thought is that OutLook may have stored the
Jason.Haar> > encrypted mail in the Sent Items folder...
Jason.Haar> 
Jason.Haar> No - that's not it. ...

In that case, I'm as clueless as you are...  I don't use OutLook, so
I'm not much help...

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
-- C.S. Lewis


ASN1_OBJECT myth in X509_NAME_add_entry_xxx

2005-08-30 Thread Lincoln
Hi,
  Would any guru please take a look at this following
question? Thanks! 
Dr. Lincoln 

X509_NAME_add_entry_by_NID() adds an ASN1_NAME_ENTRY
which contains a pointer to ASN1_OBJECT, among other
things. 

Does any expert know why the ASN1_OBJECT referenced in
ASN1_NAME_ENTRY has NULL for  sn, ln, nid? 

 The calling sequence is 
X509_NAME_add_entry_by_NID 
=> lookup ASN1_OBJECT, X509_NAME_ENTRY_create_by_OBJ 
=> X509_NAME_ENTRY_set_object +
X509_NAME_ENTRY_set_data

Where X509_NAME_ENTRY_set_object calls 
ne->object = OBJ_dup(obj). 

I see ASN1_OBJECT being duplicated above.

Looking at the ASN1_dup() does not reveal those NULL
assignments...

I'd appreciate your help if you can enlighten me on
this myth...

Test code is shown below
-


/* Written against the OpenSSL of this thread (0.9.8), where ASN1_OBJECT,
 * X509_NAME and X509_NAME_ENTRY are public structs whose members can be read. */
#include <stdio.h>
#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/x509.h>

int main(){
char buf[1024], *field, *value; 
X509_NAME *name = NULL; 
int i, n, j;  
X509_NAME_ENTRY *ne = NULL; 
ASN1_OBJECT *obj = NULL;
ASN1_STRING *astr = NULL; 

/* it prints 
 * sn=O; ln=organizationName; nid=17 ;legth=3; flags=0
 * 55,04,0a ==> which is ASN1 encoding of 2.5.4.10 for "O"
 */ 
obj = OBJ_txt2obj("O", 0); 
printf("sn=%s; ln=%s; nid=%d ;legth=%d; flags=%d\n",
obj->sn, obj->ln, obj->nid, obj->length, obj->flags); 

/* dump the encoded OID bytes */
for (j=0; j<obj->length; j++){
printf("%02x,", obj->data[j]); 
}

name = X509_NAME_new(); 
field = "O"; 
value = "VeriSign Japan K.K."; 

if (!X509_NAME_add_entry_by_NID(name, 17,
MBSTRING_ASC, (unsigned char *)value, -1, -1, 0)){
printf("adding entry %s error\n", field); 
}

/* 
 * I would expect the ASN1_OBJECT prints out the same stuff
 * However, it prints 
 * entry#0:
 * sn=(null); ln=(null); nid=0 ;legth=3; obj_data=U; flags=9
 * 55,04,0a,  ==> which is ASN1 encoding of 2.5.4.10 for "O"
 */ 

n = sk_X509_NAME_ENTRY_num(name->entries); 
for (i=0; i<n; i++){
/* fetch the i-th entry of the name */
ne = sk_X509_NAME_ENTRY_value(name->entries, i);
obj = ne->object;

/* obj->data is not NUL-terminated, so bound the %s by obj->length */
printf("sn=%s; ln=%s; nid=%d ;legth=%d; obj_data=%.*s; flags=%d\n",
obj->sn, obj->ln, obj->nid, obj->length,
obj->length, (const char *)obj->data, obj->flags); 

for (j=0; j<obj->length; j++){
printf("%02x,", obj->data[j]); 
}   
}   
return 0;
}







Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Jason Haar

Richard Levitte wrote:

> Jason Haar writes:
>
> > Under Windows (which trusts the CA), Outlook is happy to associate 
> > the cert with digital signing, and can send both signed and encrypted 
> > emails. However (and here's the shocker) *IT CAN'T READ THE "SENT 
> > ITEMS" COPY OF THE EMAIL IT JUST SENT*
> >
> > Stupid or what? ;-)
>
> My first thought is that OutLook may have stored the encrypted mail in 
> the Sent Items folder.  Meaning it's encrypted using the recipient's 
> public key, meaning only the recipient can read them.

No - that's not it. I thought of that and so sent myself the email. As 
such it's encrypted with my private key + my public key (i.e. I am Bob 
and Alice) - so that can't be it. It's as though it has encrypting 
rights but not decrypting rights. However, I've checked the extendedkey 
options and that's not the case - they're not even mentioned - it's a 
cert that can do S/MIME - that's it.  Thunderbird is 100% happy, Outlook 
is happy enough sending with it - just not reading. I also made sure my 
public key was associated with a Contacts entry for myself (that's how 
Outlook tracks public keys) - so it should have all it needs to do the job.


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Autosigned Certificates : Need explanation

2005-08-30 Thread dmitrik
Also a newbie to ssl, but with the help of this list got it working a few weeks 
ago.

This document was very helpful for me when installing on solaris, even though 
it is for RH, and you are using debian

http://www.linux-sxs.org/internet_serving/apache2.html

Also, for Common Name, using the IP address of the box worked for me.


-Original Message-
From: max <[EMAIL PROTECTED]>
Sent: Aug 30, 2005 6:09 AM
To: openssl-users@openssl.org
Subject: Autosigned Certificates : Need explanation

Hello all,

I'm a newbie in ssl and certificates and I need some explanation about 
(I've already read manuals and howtos but still too dark for me) :
On debian,
* To generate a self-signed certificate, I use these commands :
   
/usr/lib/ssl/misc/CA.sh -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign

Files resulting of these operations are demoCA/cacert.pem 
demoCA/private/cakey.pem, newreq.pem, newcert.pem

Questions : These commands are they sufficient and good ?
   To generate other certificates on the same host, 
should I execute again (and use the demoCA):
  
   openssl req -newkey rsa:1024 -nodes -keyout 
newreq.pem -out newreq.pem
   /usr/lib/ssl/misc/CA.sh -sign

   in the same directory ?

   Self signed certificates, even if they are not signed 
by an official CA, provide a good security level for TLS communications ?
   Can I obtain official and free certificates ?

To finish, the recurrent issue (sorry), but in a real case :
I've got two servers with mail servers and openldap (both in a lan 
but not in the same site) and I want to replicate openldap db using TLS.
machine 1 name : server1.domain.com
machine 2 name: server2 (no domain name)
   
these machines have no entry in dns (like ldap.domain.com).

During CA creation, what Common Name should I provide on each host ?
During selfsigned certificates creation, what Common Name should I 
provide on each host ?

Should I use the same CA for both certificates ?


If someone could answer simply and clearly, it could be helpful.

Thx.

Max



Re: apachectl startssl question/problem on two boxes

2005-08-30 Thread dmitrik
please disregard

-Original Message-
From: [EMAIL PROTECTED]
Sent: Aug 30, 2005 9:24 AM
To: openssl-users@openssl.org
Subject: apachectl startssl question/problem on two boxes


when running usr/local/apache2/bin/apachectl startssl on 
a development box, apache starts correctly.

when running the same command on a new box which 
has been upgraded to apache2, the same startssl command, 
or apachectl by itself, just displays a menu list.

startssl is not in the menu list.


if just apachectl is run on the dev box, it displays a different menu with 
different options. Any idea what might be the difference between the 
two boxes? or why two different menu options appears?

Is there a way to determine if the apache versions are the same?

tia,
dk



Re: OSSL 0.9.8 Engine problems

2005-08-30 Thread Steffen Pankratz
On Sat, 27 Aug 2005 13:22:19 +0200
Nils Larsch <[EMAIL PROTECTED]> wrote:

> Steffen Pankratz wrote:
> > Hi
> > 
> > I compiled OSSL with no-des, so there is no  DES cipher available in OSSL.
> > I build a Engine module which supports the des-ecb cipher.
> > 
> > openssl engine - dynamic -pre 
> > "SO_PATH:~/openssl-0.9.8/engines/des-ecb.so" -pre LOAD -t
> > (dynamic) Dynamic engine loading support
> > [Success]: SO_PATH:~/openssl-0.9.8/engines/des-ecb.so
> > [Success]: LOAD
> > Loaded: (des-ecb) DES-ECB engine support
> >  [ available ]
> > 
> > if i try to use the engine:
> > openssl enc -engine des-ecb -e -des-ecb -out testo -in testi
> > 
> > i get:
> > unknown option '-des-ecb'
> > 
> > is it cause my NID is wrong, the Engine module isn't loaded properly or 
> > OSSL is compiled without DES cipher support?
> 
> well, if openssl is built without DES support the DES nids are not
> added to the internal list of OIDs when OPENSSL_add_all_ciphers is
> called, hence the OBJ_* functions know nothing about DES.
> 
logical
any chance to make openssl aware of -des-ecb when built without DES cipher 
support using a dynamic Engine module?

> > 
> > but loading seems to be ok
> > 
> > openssl enc -engine des-ecb
> > engine "des-ecb" set.
> > 
> > i tried a OSSL build with DES cipher support and got this
> > 
> > openssl enc -engine des-ecb -e -des-ecb -out testo -in testi
> > parallel processing
> > engine "des-ecb" set.
> > enter des-ecb encryption password:
> > Verifying - enter des-ecb encryption password:
> > Error setting cipher DES-ECB
> > 10220:error:0607C085:digital envelope routines:EVP_CIPHER_CTX_ctrl:ctrl 
> > operation not implemented:evp_enc.c:533:
> > 10220:error:0607B086:digital envelope 
> > routines:EVP_CipherInit_ex:initialization error:evp_enc.c:171:
> 
> is the EVP_CIPH_CTRL_INIT flag set in the EVP_CIPHER structure ?
it is (if you like, code is attached)

basically i took the rsaref example and the openssl DES implementation and 
tried to build a dynamic Engine module

-- 
Best regards, Steffen Pankratz.



des-ecb.c
Description: Binary data


apachectl startssl question/problem on two boxes

2005-08-30 Thread dmitrik

when running usr/local/apache2/bin/apachectl startssl on 
a development box, apache starts correctly.

when running the same command on a new box which 
has been upgraded to apache2, the same startssl command, 
or apachectl by itself, just displays a menu list.

startssl is not in the menu list.


if just apachectl is run on the dev box, it displays a different menu with 
different options. Any idea what might be the difference between the 
two boxes? or why two different menu options appears?

Is there a way to determine if the apache versions are the same?

tia,
dk



RE: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Tim . Metzinger
There may be an option to encrypt the mail with both the receiver's and the
sender's public key - just so you can read the message.  It's debatable
whether this should be a standard setting or not.

- Tim Metzinger

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Levitte
Sent: Tuesday, August 30, 2005 7:36 AM
To: openssl-users@openssl.org
Cc: Jason Haar
Subject: Re: What does Outlook 2003 look for in a S/MIME cert?


Jason Haar writes: 

> Under Windows (which trusts the CA), Outlook is happy to associate the
> cert with digital signing, and can send both signed and encrypted emails. 
> However (and here's the shocker) *IT CAN'T READ THE "SENT ITEMS" COPY OF 
> THE EMAIL IT JUST SENT* 
> 
> Stupid or what? ;-)

My first thought is that OutLook may have stored the encrypted mail in the 
Sent Items folder.  Meaning it's encrypted using the recipient's public key,
meaning only the recipient can read them. 

Yeah, if that's the case, it *is* stupid. 

Cheers,
Richard 

 -
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details. 

-- 
Richard Levitte [EMAIL PROTECTED]
   http://richard.levitte.org/ 

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
   -- C.S. Lewis 



Re: What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Richard Levitte
Jason Haar writes: 

> Under Windows (which trusts the CA), Outlook is happy to associate the 
> cert with digital signing, and can send both signed and encrypted emails. 
> However (and here's the shocker) *IT CAN'T READ THE "SENT ITEMS" COPY OF 
> THE EMAIL IT JUST SENT* 
> 
> Stupid or what? ;-)


My first thought is that OutLook may have stored the encrypted mail in the 
Sent Items folder.  Meaning it's encrypted using the recipient's public key, 
meaning only the recipient can read them. 

Yeah, if that's the case, it *is* stupid. 


Cheers,
Richard 


-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details. 


--
Richard Levitte [EMAIL PROTECTED]
  http://richard.levitte.org/ 


"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
  -- C.S. Lewis 




What does Outlook 2003 look for in a S/MIME cert?

2005-08-30 Thread Jason Haar
I am having difficulty getting Outlook to read S/MIME encrypted emails, 
and I'm wondering what's wrong.


We have an internal PKI, and I have created a signed cert that can be 
used for S/MIME. Thunderbird happily sends and receives signed and 
encrypted emails with it.


Under Windows (which trusts the CA), Outlook is happy to associate the 
cert with digital signing, and can send both signed and encrypted 
emails. However (and here's the shocker) *IT CAN'T READ THE "SENT ITEMS" 
COPY OF THE EMAIL IT JUST SENT*


Stupid or what? ;-)

So I'm thinking there must be something about the cert or the CA that 
signed the cert that Outlook 2003 (fully patched) doesn't like. I'm 
hoping someone on this list will go "oh that was a known problem back 
with XYZ - do this".


PS: The CA was created by OpenSSL-0.9.? some 4 years ago. As such some 
of its OIDs/etc may be responsible for this "issue". Hopefully someone 
knows?


Thanks!


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Autosigned Certificates : Need explanation

2005-08-30 Thread max

Hello all,

I'm a newbie in ssl and certificates and I need some explanation about 
(I've already read manuals and howtos but still too dark for me):

On Debian:
* To generate a self-signed certificate, I use these commands:

/usr/lib/ssl/misc/CA.sh -newca

openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign

The files resulting from these operations are demoCA/cacert.pem,
demoCA/private/cakey.pem, newreq.pem and newcert.pem.

Questions:

Are these commands sufficient and good?

To generate other certificates on the same host, should I execute again
(and use the demoCA):

  openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
  /usr/lib/ssl/misc/CA.sh -sign

in the same directory?

Do self-signed certificates, even if they are not signed by an official CA,
provide a good security level for TLS communications?

Can I obtain official and free certificates?

To finish, the recurrent issue (sorry), but in a real case:
   I've got two servers with mail servers and openldap (both in a LAN 
but not in the same site) and I want to replicate the openldap db using TLS.

   machine 1 name: server1.domain.com
   machine 2 name: server2 (no domain name)

   These machines have no entry in DNS (like ldap.domain.com).


   During CA creation, what Common Name should I provide on each host?
   During self-signed certificate creation, what Common Name should I 
provide on each host?


   Should I use the same CA for both certificates ?


If someone could answer simply and clearly, it could be helpful.

Thx.

Max



Using RSA_private_encrypt instead of RSA_sign

2005-08-30 Thread Bhupendra K Joshi
Hello,
 
I am writing a Cryptographic Service Provider using the openssl crypto library. I am using RSA_private_encrypt to sign a message instead of using RSA_sign. Is that x509 thing all that necessary? What could be the effect if I generate a digital certificate using my Cryptographic Service Provider?
 
Please help
 
Thanks in advance,
Bhupendra

CA generation/certificate serial number

2005-08-30 Thread Frédéric Donnat
Hi,

Sorry for the mistake (nothing to deal with openssl.cnf file). I was just 
looking for ca.txt file.

Is it normal behavior of openssl to be able to view a certificate without 
serial number using (without any error mentioned):
openssl x509 -in some_cert_without_sn.pem -text
But to be unable to verify it using:
openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem


Sample: (attached self-sign cert name pipo-bad.pem)

[EMAIL PROTECTED] simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib 
/usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem 
pipo-bad.pem
pipo-bad.pem: /C=UK/CN=OpenSSL Group
error 7 at 0 depth lookup:certificate signature failure
18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:168:


I'm using openssl 0.9.8.

regards,


Fred

-Original Message-
From:   Frédéric Donnat
Sent:   Mon 8/29/2005 11:51 AM
To: openssl-users@openssl.org
Cc: 
Subject:/usr/local/ossl-0.9.8/ssl/openssl.cnf
Hi all,

Could someone tell me where I can find the following file: ca.txt

I'm reading the HOWTO and I see the following comment (certificates.txt):
"This is NOT the recommended way to create a
CA certificate, see ca.txt."

regards,

Fred


Re: DES_ede3_cbc_encrypt and padding

2005-08-30 Thread Rabellino Sergio

Alicia da Conceicao wrote:


> Greetings:
>
> The DES_ede3_cbc_encrypt() routine does not appear to properly pad
> data to fill out the last block.
>
> Consider, if the last block contains 4 bytes for the unencrypted
> text "test", DES_ede3_cbc_encrypt() is only padding the remaining
> characters with NULL characters:
>
> 74:65:73:74:00:00:00:00
>
> But shouldn't it be padded as follow:
>
> 74:65:73:74:00:00:00:04
>
> with the last byte containing the number of padded bytes.  Note that
> if the last block is full, then an additional block of padding is
> added with 00:00:00:00:00:00:00:08.
>
> Is CBC padding in OpenSSL handled by a separate routine?  Shouldn't
> CBC padding be handled by the CBC routine?
>
> Thanks in advance.
> Alicia.

 

I noticed also a make test persistent failure if DES is enabled on 
Sparc/Solaris9/gcc342 hosts (4 hosts tested) in 0.9.8.
In my journey around 0.9.8 to solve the problem, a segmentation fault 
occurs when calling des cbc encrypt/decrypt.


Note also that I had no problems at all compiling and testing openssl until 
this last release.


--
Dott. Mag. Sergio Rabellino 


Technical Staff
Department of Computer Science
University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
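
The three last-block layouts at issue in this thread, as an added example that is not part of either post and is not OpenSSL code: zero fill (the 74:65:73:74:00:00:00:00 output reported above), zeros with the count in the final byte (the layout the question expects), and PKCS#5, where every pad byte equals the count, which is what OpenSSL's EVP cipher interface applies by default. The names pad_block, unpad_block and the pad_mode values are hypothetical, and no encryption is performed.

```c
/* Added example (hypothetical names, not OpenSSL source): last-block padding. */
#include <stdio.h>
#include <string.h>
#define BLK 8 /* DES / 3DES block size in bytes */
enum pad_mode { PAD_ZERO, PAD_COUNT_LAST, PAD_PKCS5 };

/* Copy in[0..len) to out (capacity >= len + BLK) and pad; returns padded length. */
size_t pad_block(enum pad_mode m, const unsigned char *in, size_t len,
                 unsigned char *out)
{
    size_t n = BLK - (len % BLK); /* 1..8 bytes to the next block boundary */
    memcpy(out, in, len);
    if (m == PAD_ZERO) {
        if (n == BLK) return len; /* already aligned: nothing added */
        memset(out + len, 0, n);
        return len + n;
    }
    memset(out + len, m == PAD_PKCS5 ? (int)n : 0, n);
    out[len + n - 1] = (unsigned char)n; /* final byte carries the pad count */
    return len + n;
}

/* Returns the plaintext length, or -1 when the padding is malformed. */
long unpad_block(enum pad_mode m, const unsigned char *buf, size_t len)
{
    if (len == 0 || len % BLK != 0) return -1;
    if (m == PAD_ZERO) { /* ambiguous: genuine trailing NUL bytes are lost */
        while (len > 0 && buf[len - 1] == 0) len--;
        return (long)len;
    }
    size_t n = buf[len - 1];
    if (n < 1 || n > BLK) return -1;
    unsigned char fill = (m == PAD_PKCS5) ? (unsigned char)n : 0;
    for (size_t i = len - n; i + 1 < len; i++)
        if (buf[i] != fill) return -1;
    return (long)(len - n);
}

int main(void)
{
    unsigned char out[2 * BLK];
    for (int m = PAD_ZERO; m <= PAD_PKCS5; m++) {
        size_t n = pad_block((enum pad_mode)m, (const unsigned char *)"test", 4, out);
        printf("mode %d:", m);
        for (size_t i = 0; i < n; i++) printf(" %02x", out[i]);
        printf("\n");
    }
    return 0;
}
```

Zero fill cannot be removed unambiguously after decryption, which is why a receiver needs either a count-bearing scheme or an out-of-band length.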
