Re: Description of the X509 object
[EMAIL PROTECTED] schrieb: Hello, The following URL gives information about x509 certificate management. http://www.columbia.edu/~ariel/ssleay/x509_certs.html Regards, Thanks this look very good. smime.p7s Description: S/MIME Cryptographic Signature
Re: How do I remove padding during AES decryption
Hello, Please can any one tell me how do I remove the pad bytes during AES decyrption using AES_cbc_encryption. Provided that block_size is size of encryption algorithm block size and last block is in dst you may use something like that: . . pad = dst[block_size - 1]; if (pad block_size) { goto err; } for (i = 1; i pad; i++) { if (dst[block_size - 1 - i] != pad) { goto err; } } len = block_size - pad; . . Proper length is returned in len. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: How to retrive the delta CRL location and revocation reason?
Hi Team, I am seeing the segmentation fault while executing the DELTA CDP retrieval code for second time. Should I need to clean the strings after created by the OBJ_create() function? Please have a look at the piece of code. First time it is running fine. Second time it is giving segmatation fault at OBJ_create(). How to avoid this? Any thoughts on the same are appreciated. Int i, ii, nid var; X509_CRL crl; DIST_POINT *pnt, *pnt1; nid = OBJ_create(2.5.29.46, DCRLDP, Dela CRL Distribution Point); X509V3_EXT_add_alias(nid, NID_crl_distribution_points); pnt = X509_CRL_get_ext_d2i(crl, nid, var, NULL); ii = sk_DIST_POINT_num(pnt); for (i = 0; i sk_DIST_POINT_num(pnt); i++) { pnt1 = sk_DIST_POINT_value(pnt, i); if(pnt1-distpoint) { if(pnt1-distpoint-type == 0) { int j=0; GENERAL_NAMES *gen; GENERAL_NAME *gen1; gen = pnt1-distpoint-name.fullname; for(j = 0; jsk_GENERAL_NAME_num(gen);j++) { gen1 = sk_GENERAL_NAME_value(gen, j); printf(type is %d\n,gen1-type); switch (gen1-type) { case GEN_URI: printf(Here is the DELTA CDP. GOT IT\n); printf(%s\n,gen1-d.ia5-data); strcpy(delta_cdp, (char*)gen1-d.ia5-data); break; } } } } } == -Original Message- From: Surendra Babu Ande (WT01 - SOFTWARE PRODUCTS GROUP) Sent: Monday, September 04, 2006 6:13 PM To: 'openssl-users@openssl.org' Subject: RE: How to retrive the delta CRL location and revocation reason? Hi, Thank you for the information. I enabled the Freshest CRL extension in base CRL thru our LONGHORN server settings. Now I could get the Delta CRL's CDP succcessfully. Thanks a lot. Millions of Thanks for your help, -Surendra -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Saturday, September 02, 2006 10:35 PM To: openssl-users@openssl.org Subject: Re: How to retrive the delta CRL location and revocation reason? On Sat, Sep 02, 2006, [EMAIL PROTECTED] wrote: Hi, Please have a look at the attached delta crl, base crl and certificate. I could retrieve the CDP for base crl using traditional way. But I am seeing problem in retrieving the CDP of delta crl. Well among other things that certificate doesn't include a delta CRLDP in its extension which explains why you can't find it... Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: X509_CRL_get_nextUpdate: How to get the CRL's next update time in seconds?
Hi Team, How can I get the next update time of CRL in no. of seconds? The API of X509_CRL_get_nextUpdate(crl) returning value in different format. How do I convert that API's return value in to "seconds"? My aim is to obtain the next CRL update time in seonds. How to achieve that? Could some body throw some light on the same? With best regards, -Surendra The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.www.wipro.com The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
Can I stop the CA from generating the human readable data in th e PEM certificate files?
I'd like the PEM certs my CA creates to just start with BEGIN CERTIFICATE and not contain the other stuff in the beginning (WebLogic doesn't seem to like it). Is there a CA option or config file entry to achieve this? Here's the stuff I want to avoid: Certificate: Data: Version: 1 (0x0) Serial Number: 100 (0x64) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=District of Columbia, L=Washington, O=US Government, OU=Department of the Treasury, OU=HR Connect, OU=CA, OU=all, OU=3, CN=HRCPO Certificate Authority/[EMAIL PROTECTED] Validity Not Before: Sep 11 18:35:34 2006 GMT Not After : Sep 10 18:35:34 2009 GMT Subject: C=US, ST=District of Columbia, O=US Government, OU=Department of the Treasury, OU=HR-Connect, OU=ALL, OU=ALL, OU=1, CN=hrcsun41.hrconnect.treas.gov/[EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:9d:2d:65:96:c7:b5:29:9f:93:45:5c:65:47:cb: 8b:79:c5:ba:b1:29:ea:81:fd:d2:5b:cc:c2:4d:19: 04:f5:78:01:86:2d:20:c8:36:77:94:73:3c:98:52: 86:07:76:f5:b5:90:16:13:bf:d6:2a:6c:29:70:fa: 29:e6:95:68:1e:a8:21:0b:6d:e6:2e:2e:e4:8c:3a: a1:2a:a7:de:e1:18:81:04:41:91:5c:75:6e:25:d3: d3:f8:42:25:bd:52:f7:28:d0:c7:e7:25:85:11:63: f1:12:6f:a4:31:db:ab:5c:c6:2e:a6:f9:62:63:a3: 24:0c:0b:f7:93:44:62:64:5f Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption ce:c4:53:be:53:0e:87:9c:c1:93:92:70:09:1f:3c:d9:4b:7b: 51:1b:61:a6:ee:8d:6d:c1:11:c6:81:20:f0:e9:1a:7c:1b:95: e4:e8:a7:44:f4:bf:fd:02:11:ed:cf:28:08:de:18:d4:4d:d5: ed:22:37:89:94:e6:f5:33:21:7c:94:0d:27:f0:68:cf:ee:c7: b1:98:db:7a:37:95:7f:fe:1b:57:4c:e4:0d:9a:de:26:41:6b: f2:f5:8c:1d:f5:97:45:b7:13:fc:18:59:aa:97:d4:6b:7f:f5: e8:a6:9d:dc:da:1c:ad:44:b6:fb:c3:ac:94:24:36:6f:0f:55: 21:10:97:21:f8:32:d3:43:f9:d0:59:3a:6c:4e:16:17:68:19: ec:1c:f1:88:4f:51:cc:64:8a:14:d0:58:99:ef:13:63:79:0f: 7d:37:48:82:e2:c4:ae:a3:34:0f:b5:88:53:42:60:d7:c9:49: f3:38:28:06:b3:f5:3d:32:bc:f5:94:e5:52:9f:81:93:0e:76: 1c:fc:5b:ed:b6:e8:30:c3:7b:fd:2c:64:8c:c9:9d:c8:a7:46: 75:8b:5c:38:f3:d0:a4:98:f6:26:06:6f:2d:6c:83:e5:06:b7: 43:ce:ae:64:40:b2:7e:c5:03:cf:09:d5:b7:be:51:e6:c2:6d: 12:f7:a2:e3 Timothy M. Metzinger, CISSP, PMP Northop Grumman Information Technologies/Nortel Government Solutions Department of the Treasury Office of the Chief Information Officer HR Connect Program Office 202-622-0579(voice) HR Connect: Connecting people, performance, and technology __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Can I stop the CA from generating the human readable data in th e PEM certificate files?
I'd like the PEM certs my CA creates to just start with BEGIN CERTIFICATE and not contain the other stuff in the beginning (WebLogic doesn't seem to like it). Is there a CA option or config file entry to achieve this? Here's the stuff I want to avoid: Certificate: Data: Version: 1 (0x0) Serial Number: 100 (0x64) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=District of Columbia, L=Washington, O=US Government, OU=Department of the Treasury, OU=HR Connect, OU=CA, OU=all, OU=3, CN=HRCPO Certificate Authority/[EMAIL PROTECTED] Validity Not Before: Sep 11 18:35:34 2006 GMT Not After : Sep 10 18:35:34 2009 GMT Subject: C=US, ST=District of Columbia, O=US Government, OU=Department of the Treasury, OU=HR-Connect, OU=ALL, OU=ALL, OU=1, CN=hrcsun41.hrconnect.treas.gov/[EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:9d:2d:65:96:c7:b5:29:9f:93:45:5c:65:47:cb: 8b:79:c5:ba:b1:29:ea:81:fd:d2:5b:cc:c2:4d:19: 04:f5:78:01:86:2d:20:c8:36:77:94:73:3c:98:52: 86:07:76:f5:b5:90:16:13:bf:d6:2a:6c:29:70:fa: 29:e6:95:68:1e:a8:21:0b:6d:e6:2e:2e:e4:8c:3a: a1:2a:a7:de:e1:18:81:04:41:91:5c:75:6e:25:d3: d3:f8:42:25:bd:52:f7:28:d0:c7:e7:25:85:11:63: f1:12:6f:a4:31:db:ab:5c:c6:2e:a6:f9:62:63:a3: 24:0c:0b:f7:93:44:62:64:5f Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption ce:c4:53:be:53:0e:87:9c:c1:93:92:70:09:1f:3c:d9:4b:7b: 51:1b:61:a6:ee:8d:6d:c1:11:c6:81:20:f0:e9:1a:7c:1b:95: e4:e8:a7:44:f4:bf:fd:02:11:ed:cf:28:08:de:18:d4:4d:d5: ed:22:37:89:94:e6:f5:33:21:7c:94:0d:27:f0:68:cf:ee:c7: b1:98:db:7a:37:95:7f:fe:1b:57:4c:e4:0d:9a:de:26:41:6b: f2:f5:8c:1d:f5:97:45:b7:13:fc:18:59:aa:97:d4:6b:7f:f5: e8:a6:9d:dc:da:1c:ad:44:b6:fb:c3:ac:94:24:36:6f:0f:55: 21:10:97:21:f8:32:d3:43:f9:d0:59:3a:6c:4e:16:17:68:19: ec:1c:f1:88:4f:51:cc:64:8a:14:d0:58:99:ef:13:63:79:0f: 7d:37:48:82:e2:c4:ae:a3:34:0f:b5:88:53:42:60:d7:c9:49: f3:38:28:06:b3:f5:3d:32:bc:f5:94:e5:52:9f:81:93:0e:76: 1c:fc:5b:ed:b6:e8:30:c3:7b:fd:2c:64:8c:c9:9d:c8:a7:46: 75:8b:5c:38:f3:d0:a4:98:f6:26:06:6f:2d:6c:83:e5:06:b7: 43:ce:ae:64:40:b2:7e:c5:03:cf:09:d5:b7:be:51:e6:c2:6d: 12:f7:a2:e3 Timothy M. Metzinger, CISSP, PMP Northop Grumman Information Technologies/Nortel Government Solutions Department of the Treasury Office of the Chief Information Officer HR Connect Program Office 202-622-0579(voice) HR Connect: Connecting people, performance, and technology __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Can I stop the CA from generating the human readable data in th e PEM certificate files?
Hello, I'd like the PEM certs my CA creates to just start with BEGIN CERTIFICATE and not contain the other stuff in the beginning (WebLogic doesn't seem to like it). Is there a CA option or config file entry to achieve this? Use -notext option. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SHA 256 Cert
HI, How do i tell if a X509 cert is a SHA256 cert. Thanks kb __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SHA 256 Cert
Hello, How do i tell if a X509 cert is a SHA256 cert. Checking signature algorithm OID, which is: pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SHA 256 Cert
Hi Marek, Thanks for the reply, How do i find it through the X509 struct ? X509 *myX509 = is this the field ? myX509-sig_alg-algorithm-nid and what value should i hold that would tell me that it's sha256 thanks Bisla From: Marek Marcola [EMAIL PROTECTED] Reply-To: openssl-users@openssl.org To: openssl-users@openssl.org Subject: Re: SHA 256 Cert Date: Mon, 18 Sep 2006 19:53:08 +0200 Hello, How do i tell if a X509 cert is a SHA256 cert. Checking signature algorithm OID, which is: pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SHA 256 Cert
Hello, How do i find it through the X509 struct ? X509 *myX509 = is this the field ? myX509-sig_alg-algorithm-nid In general: myX509-sig_alg-algorithm object. pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } which means: 1.2.840.113549.1.1.11 I've attached simple test code. Best regards, -- Marek Marcola [EMAIL PROTECTED] #include stdio.h #include errno.h #include openssl/x509.h #include openssl/ssl.h int main() { X509 *x509 = NULL; FILE *fp; BIO *b; char buf[80]; SSL_load_error_strings(); SSLeay_add_all_algorithms(); if ((fp = fopen(./1037.pem, r)) == NULL) { fprintf(stderr, fopen: %s\n, strerror(errno)); goto err; } if ((x509 = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL) { ERR_print_errors_fp(stderr); goto err; } /* first print */ if ((b = BIO_new(BIO_s_file())) == NULL) { goto err; } BIO_set_fp(b, stdout, BIO_NOCLOSE); BIO_puts(b, 1) Signature algorithm: ); i2a_ASN1_OBJECT(b, x509-sig_alg-algorithm); BIO_puts(b, \n); BIO_free(b); /* second print */ i2t_ASN1_OBJECT(buf, sizeof(buf), x509-sig_alg-algorithm); printf(2) Signature algorithm: %s\n, buf); return (0); err: return (1); }
RE: How do I remove padding during AES encryption/ decryption
Hi, Thanks for the reply. I have my sample test case like this. #define KEYSIZE 256 #define AES_BLOCK_SIZE 32 void test_main() { char key[KEYSIZE+1]; int I,keylen; char data[AES_BLOCK_SIZE] ; char cbuf[AES_BLOCK_SIZE]; char pbuf[AES_BLOCK_SIZE]; strcpy(key,2ea24d27bc6e40e70b0a2ab08b0831675cf1274834f98a58709edeeb56af f547); strcpy(data,000 0); keylen = strlen(key); { AES_KEY ctx; unsigned char iv[AES_BLOCK_SIZE]; memset(cbuf, 0,AES_BLOCK_SIZE); AES_set_encrypt_key(key, KEYSIZE, ctx); AES_cbc_encrypt(data, cbuf, AES_BLOCK_SIZE, ctx, iv, AES_ENCRYPT); for (i =0 ; i sizeof(data) ; i++) printf(%d...input = %d \n,data[i],i); printf(\n); for (i =0 ; i sizeof(cbuf); i++) printf(%d...encoded data =%d \n,cbuf[i],i); printf(\n); } { AES_KEY ctx; int len,pad,flag =0; unsigned char iv[AES_BLOCK_SIZE]; memset(pbuf, 0,AES_BLOCK_SIZE); memset(iv, 0, AES_BLOCK_SIZE); AES_set_decrypt_key(key, KEYSIZE, ctx); AES_cbc_encrypt(cbuf,pbuf, AES_BLOCK_SIZE, ctx, iv, AES_DECRYPT); } } Please can any tell me what could be the problem with this code? Regards, Jaya. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola Sent: Monday, September 18, 2006 3:39 PM To: openssl-users@openssl.org Subject: Re: How do I remove padding during AES decryption Hello, Please can any one tell me how do I remove the pad bytes during AES decyrption using AES_cbc_encryption. Provided that block_size is size of encryption algorithm block size and last block is in dst you may use something like that: . . pad = dst[block_size - 1]; if (pad block_size) { goto err; } for (i = 1; i pad; i++) { if (dst[block_size - 1 - i] != pad) { goto err; } } len = block_size - pad; . . Proper length is returned in len. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]