FW: Minimizing OpenSSL Size
Hello, I've integrated the openssl server (openssl 0.9.7i) in my embedded SW. The operating system is eCos. My need is to use a constant certificate for secure web communication with clients. There's no need to dynamically create certificates. Certificate type: SSL v3, md5RSA, sha1, RSA 512 bit. B.t.w., the web server is GoAhead. I'm trying to reduce the package because of a limited flash size. I removed the following modules using compilation flags: rc2, rc4, idea, bf, cast, txt_db, krb5, md2, md4, mdc2, ripemd, ec, but the size of the library and the executable didn't change much: libcrypto.a (including debug info) changed from 16.8MB to 15.7MB, and the executable file (stripped and gzipped) size decreased by only 120KB. To tell the truth, I expected much more (about 500KB). Is there something else I could do? Are there any other useless modules I may remove? Thanks in advance, -- Amir
Transfer Encoding : Chunked
Hi All, I am implementing an HTTP 1.1 client in C++ using openssl for SSL. Sometimes the HTTP response I get back says Transfer-Encoding: chunked. I really do not do anything extra in this case. As usual I do an SSL_pending to see if any data is pending in the SSL buffer and, if not, finish reading. To further elaborate, I am implementing a WebServices client in C++. The problem is that sometimes the binary data in some of the SOAP XML tags is complete and sometimes it is not, although a similar tool written in Java seems to work fine. Am I missing something here, or is what I am doing ok? Thanks, Vinu
AW: Transfer Encoding : Chunked
Well, the best idea is to make it right by really checking how many bytes are missing, by implementing a special case when the transfer encoding is chunked. You should have a look at the RFC to check how to handle chunked data. HTH, ..sk
Re: iaik.asn1.CodingException: No ASN.1 AlgorithmID
Thanks Stephen. Your solution works. Thanks, Babu

On 10/3/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Mon, Oct 02, 2006, Eshwaramoorthy Babu wrote:
> > Hi, I have created a private key using the below command and signed the csr:
> >
> >     openssl genrsa -out host.key
> >
> > When I try to use the host.key in my server, I am getting the below error:
> >
> >     caused by: A lifecycle exception was thrown while trying to initialize the Tomcat server
> >     caused by: LifecycleException: Protocol handler initialization failed: java.io.IOException: An AXSecurityException was thrown while trying to create the server socket on the port [8001] with the message: iaik.asn1.CodingException: No ASN.1 AlgorithmID type!
> >
> > Looks like the private key is not ASN.1 type. Can anyone help me to resolve this issue?
>
> Probably doesn't like the OpenSSL private key format. You can use various utilities to convert the default form to other forms. You could try DER format first, then pkcs8 format in PEM and DER format.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Segmentation Fault in SSL_CTX_load_verify_locations
I have this problem of a segmentation fault:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 8321)]
    0x4003f866 in SSL_CTX_load_verify_locations () from /usr/lib/libssl.so.0

Here is the code:

    #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
    #define CAFILE "/home/kenzo/prova/provola/rsa/CA/cacert.pem"
    #define CADIR "/home/kenzo/prova/provola/rsa/CA/certs"
    #define CERTFILE "/home/kenzo/prova/provola/rsa/CA/newcert.pem"

    SSL_CTX *setup_client_ctx(void)
    {
        SSL_CTX *ctx;
        //SSL_CTX *ctx = SSL_CTX_new(NULL);
        ctx = SSL_CTX_new(SSLv23_method());
        /* ctx is never checked for NULL before use */
        if (SSL_CTX_load_verify_locations(ctx, CAFILE, 0) != 1)
            error("Error loading CA file and/or directory");
        return ctx;
    }

Thanks
Re: Segmentation Fault in SSL_CTX_load_verify_locations
Hello,

> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 16384 (LWP 8321)]
> 0x4003f866 in SSL_CTX_load_verify_locations () from /usr/lib/libssl.so.0
>
> Here is the code:
> [...]
>     ctx = SSL_CTX_new(SSLv23_method());

Check if ctx is NULL here. If it is NULL, add this code:

    SSL_load_error_strings();
    ERR_print_errors_fp(stderr);

to check the real error. Maybe you should add:

    SSLeay_add_ssl_algorithms();

to load the crypto algorithms.

>     if (SSL_CTX_load_verify_locations(ctx, CAFILE, 0) != 1)
>         error("Error loading CA file and/or directory");

Use NULL instead of 0 (defined as ((void*)0)) - sometimes, when no function declaration is available, this tells the compiler what context should be used: a null pointer (the machine zero should be used by the compiler) or memory address zero.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Segmentation Fault in SSL_CTX_load_verify_locations
CTX is NULL as you say! - (null) Now it says:

    8423:error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers:ssl_lib.c:1366:

Thanks
Re: Segmentation Fault in SSL_CTX_load_verify_locations
Solved by adding SSL_library_init(); thanks.
RE: Transfer Encoding : Chunked
> I am implementing an HTTP 1.1 client in C++ using openssl for SSL. Sometimes the HTTP response I get back says Transfer-Encoding: chunked. I really do not do anything extra in this case. As usual I do an SSL_pending to see if any data is pending in the SSL buffer and, if not, finish reading.

What do you mean by "finish reading"? Do you mean that you do more reading until you are finished, or that you consider the reading to be finished at that point?

> To further elaborate, I am implementing a WebServices client in C++. The problem is that sometimes the binary data in some of the SOAP XML tags is complete and sometimes it is not, although a similar tool written in Java seems to work fine. Am I missing something here, or is what I am doing ok?

Sounds like you aren't correctly following the HTTP/1.1 specification. More than one chunk may be supplied and you need to process them all until you receive an end of response indication.

DS
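The point made in this reply, that a chunked body ends only at the zero-size chunk and not when SSL_pending() happens to return 0, is shown below as an added, self-contained example (not code from the thread or from OpenSSL). The decoder is incremental: the client keeps calling SSL_read() and feeding the bytes in until feed() reports Complete, and it handles chunk extensions, trailer headers and data that arrives split across reads. The sample inputs in main() are constructed for illustration.

```cpp
// Incremental decoder for HTTP/1.1 "Transfer-Encoding: chunked" bodies.
// Constructed example; the SOAP/SSL_read plumbing of the thread is assumed.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>

enum class ChunkResult { NeedMore, Complete, Error };

struct ChunkDecoder {
    std::string buf;   // raw bytes received but not yet decoded
    std::string body;  // decoded payload (the actual SOAP XML)

    // Feed bytes from the latest read. Returns Complete only after the
    // terminating zero-size chunk and the empty line that ends the trailers;
    // NeedMore means "keep reading", even if SSL_pending() says 0.
    ChunkResult feed(const std::string& data) {
        buf += data;
        for (;;) {
            std::size_t eol = buf.find("\r\n");
            if (eol == std::string::npos) return ChunkResult::NeedMore;
            std::string sizeLine = buf.substr(0, eol);
            std::size_t semi = sizeLine.find(';');   // drop chunk extensions
            if (semi != std::string::npos) sizeLine.erase(semi);
            while (!sizeLine.empty() && (sizeLine.back() == ' ' || sizeLine.back() == '\t'))
                sizeLine.pop_back();
            if (sizeLine.empty()) return ChunkResult::Error;
            unsigned long size = 0;                  // hex chunk size, overflow-guarded
            for (char c : sizeLine) {
                int v;
                if (c >= '0' && c <= '9') v = c - '0';
                else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
                else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
                else return ChunkResult::Error;
                if (size > (0xFFFFFFFFul >> 4)) return ChunkResult::Error;
                size = size * 16 + static_cast<unsigned long>(v);
            }
            if (size == 0) {
                // Last chunk: skip optional trailer lines up to the empty line.
                std::size_t pos = eol + 2;
                for (;;) {
                    std::size_t tEnd = buf.find("\r\n", pos);
                    if (tEnd == std::string::npos) return ChunkResult::NeedMore;
                    if (tEnd == pos) { buf.erase(0, tEnd + 2); return ChunkResult::Complete; }
                    pos = tEnd + 2;
                }
            }
            std::size_t need = eol + 2 + size + 2;   // size line + data + CRLF
            if (buf.size() < need) return ChunkResult::NeedMore;
            if (buf.compare(eol + 2 + size, 2, "\r\n") != 0) return ChunkResult::Error;
            body.append(buf, eol + 2, size);
            buf.erase(0, need);
        }
    }
};

int main() {
    // Constructed: a body split across two reads, as a TLS record boundary would do.
    ChunkDecoder d;
    ChunkResult r1 = d.feed("5\r\nhel");                          // NeedMore
    ChunkResult r2 = d.feed("lo\r\n7\r\n world!\r\n0\r\n\r\n");  // Complete
    std::cout << (r1 == ChunkResult::NeedMore && r2 == ChunkResult::Complete
                  ? "decoded: " + d.body : std::string("decode failed")) << "\n";
    return 0;
}
```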
using pfx / pkcs12 as keystore
Hello List,

Note: The following message has also been posted in the java - itext library mailing list!

I'm struggling now for almost one day with using an openssl generated .p12 file as my java keystore. I tried a lot of things with openssl and no doubt - I learned a lot, but at the end I found out the following: By the way - I'm using TinyCA as openssl frontend - maybe this is the problem but I don't think so... Anyway: I create a certificate + private key, then export it to a .p12 file - I do this on the openssl shell. Then I run:

    /usr/local/bin/pdfsigner.sh -c=/tmp/my.pfx -p=12345 -i=/var/spool/pdfprint/smbprn.0199.eGZuqx.pdf -o=/var/spool/pdfprint/Unbenannt1.pdf -v=0

    Exception in thread "main" java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1679)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA12275)
        at java.security.KeyStore.load(KeyStore.java:652)
        at pdfsigner.sign(pdfsigner.java:109)
        at pdfsigner.main(pdfsigner.java:72)
    Caused by: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
        at sun.security.x509.X509Key.parse(X509Key.java:155)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:58)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:706)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:153)
        ... 9 more

After importing my .p12 file into Windows XP's certificates and exporting it again to a pfx, my java program, which had just thrown a few exceptions and of course did not work, now does.

Here is an excerpt of the relevant code:

    KeyStore ks = KeyStore.getInstance("pkcs12");
    try {
        ks.load(new FileInputStream(pfxNameVal), pfxPassVal.toCharArray());
    } catch (Exception ex) {
        System.out.println("Error while reading the certificate - possible cause: Invalid password\nBelow is the detailed error message:");
        throw ex;
    }
    String alias = (String) ks.aliases().nextElement();
    PrivateKey key = (PrivateKey) ks.getKey(alias, pfxPassVal.toCharArray());
    java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
    PdfReader reader = new PdfReader(inPDFVal);
    FileOutputStream fout = new FileOutputStream(outPDFVal);

Is there a way to skip the Windows part in the process of creating Java-suitable pfx's? Thank you all for your help in advance, Felix Joussein
Re: Interoperable w/ CryptoAPI
OpenSSL is as standards-conforming as it's possible to be, to my knowledge. Thus, if CryptoAPI is conformant, it should be essentially a no-op. -Kyle H

On 10/3/06, Rich Conlan [EMAIL PROTECTED] wrote:
> Does anybody know how hard it is to make OpenSSL play nice with Windows' CryptoAPI? In particular, to make it so that a file encrypted under OpenSSL can be decrypted under CryptoAPI and vice-versa? Regards, Richard M. Conlan, Google, Inc.
error - 'no shared cipher' when from viewing ec cert
Hi, I've compiled Apache (2.2) with OpenSSL (0.9.8b) successfully on win32. Tested it successfully with a self-signed rsa cert. Proceeded to generate an ec cert with secp160r1. Was unable to start Apache after changing settings in httpd-ssl.conf. Changes:

    SSLCertificateFile d:/www/Apache2/conf/secp160r1.crt
    SSLCertificateKeyFile d:/www/Apache2/conf/secp160r1.key

Attempted to check the ec cert using the command:

    openssl s_server -cert secp160r1.crt -key secp160r1.key

and received the error:

    SSL routines: SSL3_GET_CLIENT_HELLO:no shared cipher

Ran the command:

    openssl x509 -in secp160r1.crt -text

and noted that the signature algorithm is ecdsa-with-SHA1. I remember that neither IE nor Firefox seem to be able to read a DSA cert, so I am wondering whether this is the cause of the "no shared cipher" error. How can this be resolved? Can I convert the signature (maybe to RSA?) while still maintaining my ec key? But I still don't understand why I can't start Apache after pointing to the EC related files. The only error I received in the Apache log was 'no RSA or DSA server certificate found for 'www.example.com:443'?!' Any advice, please? Thanks! SS
SSL: connect failed..Please help..
Dear all, thank you very much for your time. This is my first message in this forum. I got an error message in the minisip command prompt when I tried using TLS (Transport Method = TLS and Network Port = 5061). But without TLS, I can make a call with minisip. The error message says:

A. in the client command prompt:

    init 6/9: Creating MSip SIP stack
    init 7/9: Connecting GUI to SIP logic
    init 8.2/9: Starting TCP transport worker thread
    init 8.3/9: Starting TLS transport worker thread
    init 9/9: Registering Identities to registrar server
    Registering user [EMAIL PROTECTED] to proxy 202.95.149.251, requesting domain 202.95.149.251
    SipMessageTransport: sendMessage: creating new socket
    Creating new SSL_CTX
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!
    SipMessageTransport: sendMessage: creating new socket
    SSL: connect failed
    SipMessageTransport: sendMessage: exception thrown!

B. in the server terminal:

    tls_tcpconn_init: Setting in ACCEPT mode (server)
    11(5927) tcpconn_add: hashes: 835,
    (5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
    11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
    7(5919) received n=4 con=0x422d88f0, fd=20
    7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
    7(5919) tls_update_fd: New fd is 20
    7(5919) tls_accept: Error in SSL:
    7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
    7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
    7(5919) extra_data 0x422e8a08
    11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
    11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 0002
    11(5927) tls_close: Closing SSL connection
    11(5927) tls_update_fd: New fd is 24
    11(5927) tls_shutdown: Shutdown successful
    11(5927) tls_tcpconn_clean: Entered

What's wrong? How do I solve the errors "SSL3_GET_RECORD:wrong version number" and "SSL: connect failed"? I do hope anybody can help me, again :) Please tell me if I should show my openser.cfg file. Thank you for your attention and have a nice day :) Regards, Ferianto

Note: 1. I use Redhat 9

    [EMAIL PROTECTED] root]# rpm -qa|grep -i ssl
    perl-Crypt-SSLeay-0.45-7
    openssl-devel-0.9.7a-2
    openssl-perl-0.9.7a-2
    openssl-0.9.7a-2
    pyOpenSSL-0.5.1-8
    mod_ssl-2.0.40-21
    openssl096b-0.9.6b-3
    docbook-style-dsssl-1.76-8
    openssl096-0.9.6-15
    [EMAIL PROTECTED] root]#
RE: using pfx / pkcs12 as keystore
"Unknown key spec: Invalid RSA modulus size" from the JVM is due to an outdated JVM version. The JVM should be 1.4 or upwards.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Felix Joussein
Sent: Wednesday, October 04, 2006 2:56 AM
To: openssl-users@openssl.org
Subject: using pfx / pkcs12 as keystore
Re: using pfx / pkcs12 as keystore
Thanks for your answer. Unfortunately it did not work out as expected. I have the choice of using either blackdown-jdk-1.4.2 or sun-jdk-1.5. Any of those versions accepts my .p12 key. Maybe you could be so kind and write me a brief step-by-step of the required openssl commands which bring success on your machine. That would be very kind of you! Many thanks in advance! Regards, Felix Joussein

Ambarish Mitra wrote:
> "Unknown key spec: Invalid RSA modulus size" from the JVM is due to an outdated JVM version. The JVM should be 1.4 or upwards.