Public/private key encryption/decryption
Hi,

I'm trying to make an application encrypting data on the server side using a public key and decrypting it on the client side using the related private key. Now I've run into two problems:

I have a private key and a related certificate file created from a certificate request (CSR) and signed by an own CA. Both are created using OpenSSL.

The first problem is that I can't get the public key out of the certificate using PEM_read_RSA_PUBKEY. I've exported the public key alone to a single file, from that I can load the public key. Trying to load it from the certificate gives a no starting line error.

Second, and maybe even worse, when encrypting data with the public key using RSA_public_encrypt and again decrypting it with the private one using RSA_private_decrypt, the decrypted data differs widely from the original data. When I try the same using OpenSSL's rsautl command-line tool, it works perfectly with this key pair (public key/private key as well as certificate/private key).

Both keys and certificate are in PEM format. The certificate's signature is valid. Could anyone give me some hint what might be going on here?

Thanks and regards
Till Elsner

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: openssl/crypto/cms/
On Tue, Apr 8, 2008 at 5:48 AM, shankar ks [EMAIL PROTECTED] wrote:
> Hi Hobblet,
> Sorry for the late reply as I was busy with searching of other things. You have given a command regarding my question, but I did not understand that and how to use it to get the information of CMS from openssl CVS. I am not aware of using CVS also. I want to download the source code of the CMS from this CVS on to my windows system and implement that in the OVMS system. As I downloaded the 0.9.8e but I did not find any file like /crypto/cms ..

CVS is an Open Source 'revision control system' which runs on UNIX and Windows. As it has been originally developed for UNIX, the commandline I specified should work on any UNIX box which has CVS installed out of the box.

For Windows, I'll refer you to the FAQ at http://worldforge.org/doc/faq/cvs/#windows1 have a look at their 'Windows Specific' section. Then go to the TortoiseCVS website and install the software - it's a very good Windows client which encapsulates CVS with a GUI. At the TortoiseCVS website, you will find a lot of information on how to use it and which the equivalent of the given commandline is for the Tortoise UI.

Alternatively, you can google for 'CVS Win32' or 'CVS Windows' for additional sites with information and software, though I personally preferred to use TortoiseCVS when I have to use CVS in a Windows-only environment -- now I have moved software revision control off to a dedicated UNIX machine, which makes it so much easier and faster for large projects.

There are also several good books available about CVS which include info on Windows and UNIX setup and usage (O'Reilly series, for one).

When you get the latest sourcecode using CVS, you will get the source tree for 0.9.9, in which you will find said ./crypto/cms/ directory and several other additions to 0.9.8. Check it out!

Take care,
Ger

> Thanks in advance
> --Shankar
>
> On 4/2/08, Ger Hobbelt [EMAIL PROTECTED] wrote:
>> On Wed, Apr 2, 2008 at 5:26 AM, shankar ks [EMAIL PROTECTED] wrote:
>>> Hi all, When I refer to the Openssl CVS, I did not find the file related to openssl/crypto/cms/. All files in this folder are showing the difference, but not the exact files... where can I get the cms files? And one more thing is I downloaded the OpenSSL kit of 0.9.8f version, but I did not find any files or folders with the specified names in the kit, means there is no folder available with the name openssl/crypto/cms/...
>>
>> Like I said, it's in the latest CVS; 0.9.8 is the latest stable release IIRC, while the CVS I referred to was the development tree (0.9.9). Run this to grab it all; there _will_ be a complete crypto/cms/ directory in there plus a cms.c tool sourcecode in apps/ :
>>
>>     cvs -z3 -d [EMAIL PROTECTED]:/openssl-cvs co -R .
>
> --
> --Best Regards
> Shankar

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
--
web: http://www.hobbelt.com/ http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--
Re: CMS usage
Shankar,

When you have trouble using CVS, please search the net for information or a good book about it, because many projects use this revision control system.

You will not find CMS in any 0.9.8 source tree; you will need to use OpenSSL 0.9.9 sources - which are available through CVS or, when you must, through the 0.9.9 source tree snapshots published at the OpenSSL ftp site (see 'sources' - snapshots ftp on the OpenSSL web site).

CMS comes with a sample app and documentation (in the doc/ directory in the form of .pod files, which will be processed when you build OpenSSL - Perl is mandatory then). Documentation is available in the form of a sample application and accompanying documentation in 0.9.9:

doc/apps/cms.pod is the documentation master copy.
apps/cms.c is the sample app source code.

Tip: For maximum ease of first use, get yourself a Linux or BSD box and build the OpenSSL sources and documentation on that one first - that is the platform where almost everybody else is working on, so you'll have the least number of surprises there. If you don't know how to use Linux, find someone who does or get a book about it. Once done on such a UNIX machine, move to Win32/Windows and rebuild the 0.9.9 snapshot/CVS source tree there.

I give you this advice because the Windows platform can become quite cumbersome once you tread outside the Microsoft-published development realm and it doesn't look to me like you have the experience there yet. Added benefit is that when you build it on a Linux box, I hope you will quite quickly be able to produce a working CMS test application, which you can use to verify [part of] your operation.

Last but certainly not least: do not mix 0.9.9 with 0.9.8 unless you know what you are doing.

Sincerely,
Ger Hobbelt

On Tue, Apr 8, 2008 at 7:00 AM, shankar ks [EMAIL PROTECTED] wrote:
> Hi steve,
> I am trying to find out the source code for CMS in openssl. I have done signing, compression, encryption of my data using Openssl APIs in C programming language. Now I need to implement all those signing, compression, encryption data as a CMS package. I have referred to the CVS of openssl: http://cvs.openssl.org/dir?d=openssl/crypto/cms . Here I found the CMS, but when I download the latest versions of openssl like 0.9.8g, there I did not find any files related to cms (like /crypto/cms). Even I tried to implement the CMS using the PKCS#7 APIs, but there is no proper information available for those.
> Can you please give me where I will get the source code of CMS for the SSLs given on openssl organisation, and also give me the information of how to use the CMS APIs or some document related to those usages?
> Thanks in Advance
> --
> --Best Regards
> Shankar

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
Re: Public/private key encryption/decryption
Hi Till,

The error you got is you can not read the public key as in the certificate it is not finding the lines as BEGIN RSA CERTIFICATE, so here I am giving you the code, use it directly, it will work fine as I refined it many times ...

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/err.h>
    #include <openssl/pem.h>
    #include <openssl/rsa.h>
    #include <openssl/x509.h>

    FILE *fp;
    X509 *x509;
    EVP_PKEY *pub;
    RSA *pubk;

    /* recevercert: path of the receiver's certificate in PEM format */
    fp = fopen(recevercert, "r");
    if (fp == NULL) {
        printf("error opening the pub file\n");
        exit(1);
    }

    /* read the whole certificate, not a bare public key */
    x509 = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);
    if (x509 == NULL) {
        printf("error reading the certificate \n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* extract the public key from the certificate */
    pub = X509_get_pubkey(x509);
    if (pub == NULL) {
        printf("error reading the public key \n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* EVP_PKEY_get1_RSA() returns its own RSA reference, so no RSA_new() is needed */
    pubk = EVP_PKEY_get1_RSA(pub);
    if (pubk == NULL)
        printf("error getting the public key from EVP_PKEY_get1_RSA function \n");

After this you do encryption and decryption, then it will work fine. One more thing here is you should not use RSA_encrypt or decrypt functions for large amount of data, it is not recommended, so you must avoid using asymmetric algorithms for large amount of data or for files .. or I recommend not to use it for any data or file except for encryption of keys only.

--
Regards
Shankar
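Added example (not part of the thread, and not OpenSSL code): the "no starting line" error from the first message follows from the PEM armor label, because each typed reader only accepts a block that carries its own label. The sketch parses the BEGIN lines of constructed sample files and names the libcrypto reader that matches; the helper names (pem_label_at, pem_has_block, pem_reader_for) and the sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* PEM armor label -> libcrypto reader that accepts a block with that label.
 * The helper names and this table are illustrative, not OpenSSL API. */
struct pem_reader { const char *label; const char *reader; };

static const struct pem_reader PEM_READERS[] = {
    { "CERTIFICATE",         "PEM_read_X509" },
    { "CERTIFICATE REQUEST", "PEM_read_X509_REQ" },
    { "PUBLIC KEY",          "PEM_read_RSA_PUBKEY" },
    { "RSA PUBLIC KEY",      "PEM_read_RSAPublicKey" },
    { "RSA PRIVATE KEY",     "PEM_read_RSAPrivateKey" },
};

/* Constructed sample files; the base64 bodies are placeholders. */
static const char SAMPLE_CERT[] =
    "subject=/CN=client (constructed)\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "PLACEHOLDERBASE64\r\n"
    "-----END CERTIFICATE-----\r\n";
static const char SAMPLE_PUBKEY[] =
    "-----BEGIN PUBLIC KEY-----\n"
    "PLACEHOLDERBASE64\n"
    "-----END PUBLIC KEY-----\n";

/* Copy the label of the n-th "-----BEGIN <label>-----" line into out
 * (truncated to cap-1 bytes). Returns 1 if such a block exists, else 0. */
int pem_label_at(const char *text, int n, char *out, size_t cap)
{
    static const char begin[] = "-----BEGIN ";
    const size_t blen = sizeof(begin) - 1;
    const char *p = text;

    while (p != NULL && *p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r')
            len--;                          /* tolerate CRLF line ends */
        if (len > blen + 5 && strncmp(p, begin, blen) == 0 &&
            strncmp(p + len - 5, "-----", 5) == 0) {
            size_t llen = len - blen - 5;
            if (n-- == 0) {
                if (llen >= cap)
                    llen = cap - 1;
                memcpy(out, p + blen, llen);
                out[llen] = '\0';
                return 1;
            }
        }
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Model of a typed PEM reader: blocks with other labels are skipped, and if
 * no block carries the wanted label the read fails ("no start line"). */
int pem_has_block(const char *text, const char *wanted)
{
    char label[64];
    for (int i = 0; pem_label_at(text, i, label, sizeof label); i++)
        if (strcmp(label, wanted) == 0)
            return 1;
    return 0;
}

/* Name of the reader to use for a label, or NULL if it is not in the table. */
const char *pem_reader_for(const char *label)
{
    for (size_t i = 0; i < sizeof PEM_READERS / sizeof PEM_READERS[0]; i++)
        if (strcmp(PEM_READERS[i].label, label) == 0)
            return PEM_READERS[i].reader;
    return NULL;
}

int main(void)
{
    const char *files[] = { SAMPLE_CERT, SAMPLE_PUBKEY };
    char label[64];

    for (int f = 0; f < 2; f++) {
        if (!pem_label_at(files[f], 0, label, sizeof label))
            continue;
        /* PEM_read_RSA_PUBKEY looks for a "PUBLIC KEY" block */
        printf("%-12s -> %s, PEM_read_RSA_PUBKEY %s\n", label,
               pem_reader_for(label),
               pem_has_block(files[f], "PUBLIC KEY") ? "ok" : "no start line");
    }
    return 0;
}
```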
CRYPTO_add_lock() segmentation fault (core dump included)
Hello!

I wrote a multithreaded server using OpenSSL v 0.9.7a (running on a RH Enterprise Linux 2.6.9-55.0.2.ELsmp). The problem is my server is crashing at random times (it could stay alive for 24 hours or can crash within 4 hours). Inspecting the core files I found that it crashes in the same location every time

    #0 0x00ba503f in CRYPTO_add_lock () from /lib/libcrypto.so.4

I defined the two needed callbacks (according to crypto man page) like this:

    struct CRYPTO_dynlock_value {
        pthread_mutex_t mutex;
    };

    static pthread_mutex_t *mutex_buf = NULL;

    static void locking_function(int mode, int n, const char *file, int line)
    {
        if (mode & CRYPTO_LOCK) {
            pthread_mutex_lock(&mutex_buf[n]);
        } else {
            pthread_mutex_unlock(&mutex_buf[n]);
        }
    }

    static unsigned long id_function(void)
    {
        return ((unsigned long) pthread_self());
    }

The core dump (some lines were trimmed) looks something like this:

    Core was generated by '/foo/bar -args'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libnss_dns.so.2...done.
    Loaded symbols for /lib/libnss_dns.so.2
    #0 0x00ba503f in CRYPTO_add_lock () from /lib/libcrypto.so.4
    (gdb) bt
    #0 0x00ba503f in CRYPTO_add_lock () from /lib/libcrypto.so.4
    #1 0x00be368c in BIO_free () from /lib/libcrypto.so.4
    #2 0x00c9d1f5 in SSL_free () from /lib/libssl.so.4
    #3 0x0805b29f in wns::ServerPort::EndPort (this=0x8f5ad08) at serverport.cpp:57
    #4 0x0805de03 in wns::ServerPort::CloseSocket (this=0x8f5ad08) at serverport.cpp:186
    #5 0x0805d144 in wns::ServerPort::disconnect (this=0x8f5ad08) at serverport.cpp:153
    #6 0x0058a28c in ost::SocketService::run (this=0x8db48d0) at socketport.cpp:743
    #7 0x00e7113d in ccxx_exec_handler (th=0x8db48d0) at thread.cpp:1097
    #8 0x00a813cc in start_thread () from /lib/tls/libpthread.so.0
    #9 0x003bac3e in clone () from /lib/tls/libc.so.6

What can be the problem of this crashes? Should I update to 0.9.8g? Please advise! Thanks!
RE: CRYPTO_add_lock() segmentation fault (core dump included)
Oh :) I forgot to mention that I instantiated those variables (it was like obvious for me). Here is the initialization code:

    int Server::TLS_init()
    {
        int i;
        mutex_buf = (pthread_mutex_t*) malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
        if (mutex_buf == NULL) {
            return -1;
        }
        for (i = 0; i < CRYPTO_num_locks(); i ) {
            pthread_mutex_init(&mutex_buf[i], NULL);
        }
        CRYPTO_set_locking_callback(locking_function);
        CRYPTO_set_id_callback(id_function);
        SSL_library_init();
        SSL_load_error_strings();
        return 0;
    }

    int Server::TLS_cleanup()
    {
        int i;
        if (mutex_buf == NULL) {
            return 0;
        }
        CRYPTO_set_locking_callback(NULL);
        CRYPTO_set_id_callback(NULL);
        for (i = 0; i < CRYPTO_num_locks(); i ) {
            pthread_mutex_destroy(&mutex_buf[i]);
        }
        free(mutex_buf);
        mutex_buf = NULL;
        return 0;
    }

I'm calling TLS_init in server's constructor and TLS_cleanup in server's destructor.

--- Nirvana
Re: RE: CRYPTO_add_lock() segmentation fault (core dump included)
There seems to be an error in my email client. There is an i(plus)(plus).

--- Nirvana
RE: CRYPTO_add_lock() segmentation fault (core dump included)
Hello,

> Oh :) I forgot to mention that I instantiated those variables (it was like obvious for me). Here is the initialization code:
>
>     int Server::TLS_init()
>     {
>         int i;
>         mutex_buf = (pthread_mutex_t*) malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
>         if (mutex_buf == NULL) {
>             return -1;
>         }
>         for (i = 0; i < CRYPTO_num_locks(); i ) {
>             pthread_mutex_init(&mutex_buf[i], NULL);
>         }

Maybe changing i to i++ may help.

>         CRYPTO_set_locking_callback(locking_function);
>         CRYPTO_set_id_callback(id_function);
>         SSL_library_init();
>         SSL_load_error_strings();
>         return 0;
>     }
>
>     int Server::TLS_cleanup()
>     {
>         int i;
>         if (mutex_buf == NULL) {
>             return 0;
>         }
>         CRYPTO_set_locking_callback(NULL);
>         CRYPTO_set_id_callback(NULL);
>         for (i = 0; i < CRYPTO_num_locks(); i ) {
>             pthread_mutex_destroy(&mutex_buf[i]);
>         }

Maybe changing i to i++ may help.

>         free(mutex_buf);
>         mutex_buf = NULL;
>         return 0;
>     }

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: RE: CRYPTO_add_lock() segmentation fault (core dump included)
Yes! There was a mistake when I copied the code. There is i++ as you said.

    for (i = 0; i < CRYPTO_num_locks(); i++) {
        pthread_mutex_init(&mutex_buf[i], NULL);
    }

--- Nirvana
RE: CRYPTO_add_lock() segmentation fault (core dump included)
> I wrote a multithreaded server using OpenSSL v 0.9.7a (running on a RH Enterprise Linux 2.6.9-55.0.2.ELsmp). The problem is my server is crashing at random times (it could stay alive for 24 hours or can crash within 4 hours). Inspecting the core files I found that it crashes in the same location every time

Since your mutex array is actually a null pointer then you are bound to experience crashes. I'm surprised it lasts 4 seconds ;-)

M.
Re: openssl/crypto/cms/
Hi Hobbelt,

I downloaded the TortoiseCVS and tried to checkout the data, but it was asking for a password, and giving connection error like too many authentication was failed for shankar ...

--
Shankar
CMS_EnvelopedData
Hi,

I want to use the cms functions in my application program (which is in C language). My goal is to sign the document using the RSA_sign function then want to envelope the signature with the original data. So can anyone explain to me how to envelope this using CMS functions, and also how to verify it? Please help me in this regard.

--
--Best Regards
Shankar
Re: CRYPTO_add_lock() segmentation fault (core dump included)
On Tue, 2008-04-08 at 03:35 -0500, Ion Scerbatiuc wrote:
> Hello!
> I wrote a multithreaded server using OpenSSL v 0.9.7a (running on a RH Enterprise Linux 2.6.9-55.0.2.ELsmp). The problem is my server is crashing at random times (it could stay alive for 24 hours or can crash within 4 hours). Inspecting the core files I found that it crashes in the same location every time
>
>     #0 0x00ba503f in CRYPTO_add_lock () from /lib/libcrypto.so.4
>
> I defined the two needed callbacks (according to crypto man page) like this:
>
>     struct CRYPTO_dynlock_value {
>         pthread_mutex_t mutex;
>     };
>
>     static pthread_mutex_t *mutex_buf = NULL;
>
>     static void locking_function(int mode, int n, const char *file, int line)
>     {
>         if (mode & CRYPTO_LOCK) {
>             pthread_mutex_lock(&mutex_buf[n]);
>         } else {
>             pthread_mutex_unlock(&mutex_buf[n]);
>         }
>     }
>
>     static unsigned long id_function(void)
>     {
>         return ((unsigned long) pthread_self());
>     }

Did you call CRYPTO_set_add_lock_callback() as well? You probably want to set that and use the callback to do pthread_mutex_init().

Cheers,
Geoff
Re: Re: CRYPTO_add_lock() segmentation fault (core dump included)
Thank you for your reply!

I didn't find any references to CRYPTO_set_add_lock_callback() in openssl man pages nor the meaning of this functions/callbacks. I didn't understand what does CRYPTO_add_lock () do. Can you provide some information on this functions and maybe some code examples.

Thanks in advance
Best regards,
Ion
Re: Re: CRYPTO_add_lock() segmentation fault (core dump included)
On Tue, 2008-04-08 at 10:04 -0500, Ion Scerbatiuc wrote:
> Thank you for your reply!

You're welcome :-)

> I didn't find any references to CRYPTO_set_add_lock_callback() in openssl man pages nor the meaning of this functions/callbacks.

Ahh, well once you start to understand this stuff better, consider yourself invited to submit patches to the documentation (look for the .pod files in ./doc/crypto/).

> I didn't understand what does CRYPTO_add_lock () do.

Nor did I until I saw your mail and took a quick look in the relevant headers and code (crypto/crypto.h and crypto/cryptlib.c, respectively).

> Can you provide some information on this functions and maybe some code examples.

Nope, but I would if I could. May the source be with you. :-)

Cheers,
Geoff
Re: CRYPTO_add_lock() segmentation fault (core dump included)
Ion Scerbatiuc wrote:
> Thank you for your reply!
> I didn't find any references to CRYPTO_set_add_lock_callback() in openssl man pages nor the meaning of this functions/callbacks. I didn't understand what does CRYPTO_add_lock () do.

CRYPTO_add_lock() does atomic additions (or subtractions). It isn't necessary to set CRYPTO_set_add_lock_callback(), in the absence of add_lock_callback it falls back on CRYPTO_lock(),_unlock() pair to do the job.

In your back trace, the code dies in CRYPTO_add_lock(). It could mean the pointer is bad. If you could do a disassembly of CRYPTO_add_lock in gdb, staring at the location of fault *could* point you to the source of error (CRYPTO_add_lock() being a small function).

> Can you provide some information on this functions and maybe some code examples.
> Thanks in advance
> Best regards,
> Ion

-jb
--
Real computer scientists don't comment their code. The identifiers are so long they can't afford the disk space.
Re: CRYPTO_add_lock() segmentation fault (core dump included)
jimmy bahuleyan wrote:
> Ion Scerbatiuc wrote:
>> Thank you for your reply!
>> I didn't find any references to CRYPTO_set_add_lock_callback() in openssl man pages nor the meaning of this functions/callbacks. I didn't understand what does CRYPTO_add_lock () do.
>
> CRYPTO_add_lock() does atomic additions (or subtractions). It isn't necessary to set CRYPTO_set_add_lock_callback(), in the absence of add_lock_callback it falls back on CRYPTO_lock(),_unlock() pair to do the job.
>
> In your back trace, the code dies in CRYPTO_add_lock(). It could mean the pointer is bad. If you could do a disassembly of CRYPTO_add_lock in gdb, staring at the location of fault *could* point you to the source of error (CRYPTO_add_lock() being a small function).

Well, thinking about it, the first param to CRYPTO_add_lock() can't be bad (since it's var). You could as well check if add_lock_callback has some (non-zero) value.

-jb
--
Real computer scientists don't comment their code. The identifiers are so long they can't afford the disk space.
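Added example (not part of the thread, and not OpenSSL source): a stand-alone model of the fallback path described in the replies above, where an add with no add-lock callback goes through the application's locking callback as a lock/add/unlock sequence. The mode constants mirror crypto.h of the 0.9.x series; NUM_LOCKS, model_add_lock, locks_init, locks_cleanup and run_refcount are hypothetical names, and pthreads stands in for the server's thread library.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Mode bits as defined in OpenSSL 0.9.x crypto.h, repeated here so the
 * model builds without OpenSSL. The mode argument is a bit mask. */
#define CRYPTO_LOCK   1
#define CRYPTO_UNLOCK 2
#define CRYPTO_READ   4
#define CRYPTO_WRITE  8
#define NUM_LOCKS     4   /* stand-in for CRYPTO_num_locks() (assumption) */
#define MAX_THREADS   16

static pthread_mutex_t *mutex_buf = NULL;
static void (*locking_cb)(int mode, int n, const char *file, int line) = NULL;

/* Same shape as the callback in the thread: test the LOCK bit with '&' and
 * pass the address of the n-th mutex. */
static void locking_function(int mode, int n, const char *file, int line)
{
    (void)file;
    (void)line;
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&mutex_buf[n]);
    else
        pthread_mutex_unlock(&mutex_buf[n]);
}

/* Allocate and initialise every mutex before installing the callback. */
int locks_init(void)
{
    mutex_buf = malloc(NUM_LOCKS * sizeof *mutex_buf);
    if (mutex_buf == NULL)
        return -1;
    for (int i = 0; i < NUM_LOCKS; i++)
        pthread_mutex_init(&mutex_buf[i], NULL);
    locking_cb = locking_function;
    return 0;
}

/* Call only after every thread that can reach the callback has finished:
 * a later lock request would otherwise index freed memory. */
void locks_cleanup(void)
{
    if (mutex_buf == NULL)
        return;
    locking_cb = NULL;
    for (int i = 0; i < NUM_LOCKS; i++)
        pthread_mutex_destroy(&mutex_buf[i]);
    free(mutex_buf);
    mutex_buf = NULL;
}

/* Model of the fallback: lock n = type, add, unlock, return the new value. */
int model_add_lock(int *pointer, int amount, int type)
{
    int ret;
    if (locking_cb)
        locking_cb(CRYPTO_LOCK | CRYPTO_WRITE, type, __FILE__, __LINE__);
    ret = *pointer + amount;
    *pointer = ret;
    if (locking_cb)
        locking_cb(CRYPTO_UNLOCK | CRYPTO_WRITE, type, __FILE__, __LINE__);
    return ret;
}

struct job { int *counter; int iters; };

static void *worker(void *arg)
{
    struct job *j = arg;
    for (int i = 0; i < j->iters; i++)
        model_add_lock(j->counter, 1, 1);   /* every thread shares lock 1 */
    return NULL;
}

/* Bump one shared reference count from several threads; with working
 * callbacks the result is exactly nthreads * iters. */
int run_refcount(int nthreads, int iters)
{
    pthread_t tid[MAX_THREADS];
    int counter = 0;
    struct job j = { &counter, iters };

    if (nthreads > MAX_THREADS)
        nthreads = MAX_THREADS;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tid[i], NULL, worker, &j);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tid[i], NULL);
    return counter;
}

int main(void)
{
    if (locks_init() != 0)
        return 1;
    printf("final reference count: %d\n", run_refcount(4, 20000));
    locks_cleanup();
    return 0;
}
```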
Re: CRYPTO_add_lock() segmentation fault (core dump included)
On Tue, Apr 8, 2008 at 12:10 PM, Ion Scerbatiuc [EMAIL PROTECTED] wrote:
> Oh :)
[...]
>     for (i = 0; i < CRYPTO_num_locks(); i ) {

Erm, shouldn't those two loops have an increment (i++ instead of just 'i') there, or is this a copypaste-in-email failure? ;-)

--

    for (i = 0; i < CRYPTO_num_locks(); i++ ) {

This is in both your init and cleanup code.

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
Re: openssl/crypto/cms/
To get the sources from the CVS repository, you should log in as anonymous user, i.e. use user anonymous and no password at all (empty password). This you can also see in the original commandline I specified:

    cvs -z3 -d [EMAIL PROTECTED]:/openssl-cvs co -R .

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
Verification Failed via openssl 0.9.8e to smtp.gmail.com
Hi, guys!

I spent a whole night to configure my postfix to relay on Gmail's smtp server. However, I found that the TLS verification has some weird problems. First, I found that the postfix can't verify the server:

    certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[EMAIL PROTECTED]

(From my mail.log)

Then, I was trying to add the certificate manually for openssl to recognize:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts

And grab the content between --Begin Certificate -- and --End Certificate --. Save it to google.pem. Then copy this pem file to /etc/ssl/certs and do a c_rehash the directory. When I verified the certificate via openssl:

    openssl verify google.pem

It shows OK, seems everything is OK. I restarted my postfix server again. Strangely, it still showed that the server's issuer can't be recognized. Openssl gmail gave:

    Verify return code: 21 (unable to verify the first certificate)

However, if I add -CAfile /etc/ssl/certs/google.pem, it's OK. In my postfix, I also set the smtp_tls_CAfile = /etc/ssl/certs/google.pem. So it should find the file by itself. But I still got the untrusted issuer message. However, if I changed the CAfile to Thawte_Premium_Server_CA.pem, postfix reported it's OK now.

I just want to ask why I can't get verification when I used the google.pem which I got from openssl connection? Thanks!

--
DigitalPig
E-mail: digitalpiglee AT gmail DOT com
ALL WE SEEN IS ILLUSION.
Re: Re: CRYPTO_add_lock() segmentation fault (core dump included)
Yes, there is copypaste-in-email failure :)

--- Nirvana
Re: porting
The most important thing to look at are the BIO_* functions. These are the functions that abstract out the underlying transport layer (be it TCP, UNIX sockets, memory) so that the library itself doesn't need to know about them.

The easiest way to understand how to do it, if you have a custom TCP implementation, would be to take the received packets into memory, then feed them into a BIO_mem.

(This exposes the process by which the library works, and what it needs to do to make everything work. There might be a more optimized solution available, but you should understand what the library is doing before you try to implement it. Premature optimization is the bane of intelligent implementation.)

-Kyle H

On Tue, Apr 8, 2008 at 10:56 AM, Tomas Neme [EMAIL PROTECTED] wrote:

We have a multi-platform (Linux-Windows-Mac-PSP-Wii-NDS-PS2 as per right now) game engine, and wanted to add SSL to the networking layer. I'd like to know what do we need to do in order for OpenSSL to use our TCP implementation, or where to look for. I'm struggling through the documentation and examples, but I'm not sure if there's a way to do this, or what

We'll be very thankful for any pointers

Tomás
sk_value causes seg fault
Openssl team,

I've had a recurring problem utilizing postgresql over SSL on our Solaris platform (had a similar problem on FreeBSD but one thing at a time). Essentially, when clients connect and read/write using SSL to our database, the result is a segfault. It was happening predominantly with our replication, so we stopped using ssl and instead tunneled the traffic over a secure ssh connection. There was no doubt that the issue was occurring in the SSL layers because if we disabled, problem went away...if we re enabled, problem re-occurred. (http://archives.postgresql.org/pgsql-general/2007-08/msg01911.php)

Today, issue cropped up again...same stack trace:

    #0 0xfee8ec23 in sk_value () from /usr/local/ssl/lib/libcrypto.so.0.9.8
    #1 0xfef5b05b in ssl3_output_cert_chain () from /usr/local/ssl/lib/libssl.so.0.9.8
    #2 0x in ?? ()

This appears to be version 0.9.8e

Obviously the problem could be in the way that postgresql is interfacing with libssl and I am working with postgresql users/committers to help troubleshoot but I thought that maybe the openssl folks could help. Any thoughts or suggestions would be appreciated.
Re: sk_value causes seg fault
--- [EMAIL PROTECTED] wrote:

    #0 0xfee8ec23 in sk_value () from /usr/local/ssl/lib/libcrypto.so.0.9.8
    #1 0xfef5b05b in ssl3_output_cert_chain () from /usr/local/ssl/lib/libssl.so.0.9.8
    #2 0x in ?? ()

This appears to be version 0.9.8e

Sorry for wasting your time

Looks like I was using the 0.9.8e libraries but compiling with the 0.9.7d headers. That can't be good.
Entrust .ent files: PEM in disguise?
People keep sending me .ent files (example at the bottom of this message). They look to me a lot like Privacy-Enhanced Mail (remember Privacy-Enhanced Mail?) files. I've got all my S/MIME stuff set up and working with pgg under Emacs pgg, but I'm not making much headway with these proprietary .ent files.

What I've tried so far is to do a dumb conversion to PEM: output at the bottom of this message below the Entrust archive. Then I try to decrypt it (this is probably where I'm screwing up the most egregiously):

    $ openssl smime -inform PEM -decrypt -inkey decryption_key.pem body.pem

That tells me:

    Error reading S/MIME message
    32477:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:

I doubt there's an actual S/MIME message in this thing, although it does mention RFC822. However, the PEM routines seem to be barfing before it gets around to the S/MIME parts. It's like the PEM code doesn't like -----END PRIVACY-ENHANCED MESSAGE-----.

I also tried spitting out just what I think is the body part as a pkcs7 file but that fails with ASN1_get_object:header too long. Which means, unless I'm mistaken, that it's not DER-encoded.

Any suggestions?
Thanks in advance,
Neale

== Body_Txt.txt.ent:

    [ENTRUST ARCHIVE START]
    [ENTRUST FILE START]
    [ENTRUST HEADER START]
    Proc-Type: 4,ENCRYPTED
    Content-Domain: RFC822
    EntrustFile-Version: 2.0
    TimeDate-Info: 1207689953
    Permission-Info: 33206
    FileAttributes-Info: 8224
    DEK-Info: DES-EDE3-CBC,DB9439FF6C79D581
    Originator-Certificate:
    Key-Info: RSA,
    Originator-Certificate:
    MIC-Info: SHA1, RSA,
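The header of the archive above can be read field by field, as this added example (not part of the original message) does. It assumes the fields carry their RFC 1421 meaning, which the proprietary Entrust format may not honor; the DEK-Info line is the one from the message, every base64 payload is a constructed stand-in, and the function names are hypothetical.

```python
import base64
import re

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def _fold(data, width=64):
    """Base64-encode data and fold it into lines, as the archive does."""
    b64 = base64.b64encode(data).decode()
    return [b64[i:i + width] for i in range(0, len(b64), width)]


# Field names and the DEK-Info line are the ones shown in the message above;
# every base64 payload is a constructed stand-in, not data from the archive.
SAMPLE = "\n".join(
    ["[ENTRUST HEADER START]",
     "Proc-Type: 4,ENCRYPTED",
     "Content-Domain: RFC822",
     "DEK-Info: DES-EDE3-CBC,DB9439FF6C79D581",
     "Originator-Certificate:"] + _fold(b"constructed certificate 1")
    + ["Key-Info: RSA,"] + _fold(bytes(range(128)))
    + ["Originator-Certificate:"] + _fold(b"constructed certificate 2")
    + ["MIC-Info: SHA1, RSA,"] + _fold(bytes(128)))


def parse_header(text):
    """Return (name, value) pairs in order, unfolding continuation lines."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank or [ENTRUST ...] marker
            continue
        match = FIELD.match(line)
        if match:
            fields.append([match.group(1), match.group(2)])
        elif fields:
            fields[-1][1] += line                 # base64 continuation, no ':' in it
        else:
            raise ValueError("continuation line before any field: %r" % line)
    return [(name, value) for name, value in fields]


def summarize(fields):
    """Collect what a decryptor needs, reading each field as RFC 1421 defines it."""
    info = {"wrapped_keys": [], "certificates": 0}
    for name, value in fields:
        parts = [p.strip() for p in value.split(",")]
        if name == "Proc-Type":
            info["proc_type"] = tuple(parts)
        elif name == "DEK-Info":
            if len(parts) != 2:
                raise ValueError("DEK-Info needs algorithm,IV")
            alg, iv = parts[0], bytes.fromhex(parts[1])
            if alg == "DES-EDE3-CBC" and len(iv) != 8:
                raise ValueError("DES-EDE3-CBC needs an 8-byte IV")
            info["dek"] = (alg, iv)
        elif name == "Key-Info":
            wrapped = base64.b64decode(parts[1], validate=True)
            # An RSA-wrapped key is as long as the modulus of the key that opens it.
            info["wrapped_keys"].append((parts[0], len(wrapped) * 8))
        elif name == "MIC-Info":
            info["mic"] = (parts[0], parts[1])
        elif name == "Originator-Certificate":
            base64.b64decode(value, validate=True)
            info["certificates"] += 1
    return info


if __name__ == "__main__":
    print(summarize(parse_header(SAMPLE)))
```

A header that parses this way describes a per-message key wrapped with RSA and a body encrypted under the DEK-Info cipher, which is the RFC 1421 model rather than a PKCS#7 structure.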
segv in big number code
Hi,

I am running openssl 0.9.7 on an MP-RAS Unix box with 32 bit Intel hardware. Very occasionally (four times in eight months) I have seen a segmentation fault in the big number code, when CRYPTO_malloc calls malloc. I understand that heap corruption can arise from just about anywhere, but it is interesting that the backtrace is so similar each time. The back trace from the dump is pretty garbled, and actual parameter values were not available, but it looks like this:

    _real_malloc(?)
    malloc(num)
    default_malloc_ex(num,file,line)
    CRYPTO_malloc((int)sizeof(BN_ULONG)*(words+1), __FILE__,__LINE__)
    bn_expand_internal(b, words)
    bn_expand2(r, max+1)
    BN_uadd(X, X, n)
    BN_mod_inverse(Ri,R,tmod,ctx)
    BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p, dh->p,ctx)
    dh->meth->generate_key(dh)
    DH_generate_key

I know it's a long shot, but since I cannot recreate it, and since the dump is pretty much worthless, I am wondering if anyone has had a similar problem, and if so, is there a later version of openssl that fixes it?

Thanks,
Tom
Apache 2 with ECC certificates
I patched the Apache 2.2.2 source and followed the instructions (https://issues.apache.org/bugzilla/attachment.cgi?id=18657&action=edit), and installed many versions of openssl, including the stable 0.9.8g version, and I also tried current snapshots as of April 2008.

I managed to get Apache 2 up and running with an ECC keypair (httpd-ssl.conf was set to SSLCipherSuite ECDHE-ECDSA-AES256-SHA), and I was able to connect to the server with

    openssl s_client -connect 10.1.0.1:443 -cipher ECDHE-ECDSA-AES256-SHA

though when I connect with my browser (Firefox 2.0.0.13), I am prompted that I do not have the necessary security protocol/cipher enabled, on both windows and linux firefox versions. This is not true; I checked about:config and security.ssl3.ecdhe_ecdsa_aes_256_sha is set to true. I am able to connect to other test servers on the internet, using the same curve (secp521r1) and tls cipher (ECDHE-ECDSA-AES256-SHA).

Is something wrong with my certificates (pasted below)? I generated them with ECCcertgen.sh bundled with openssl... Apache does not generate any errors. One of my test keypairs is pasted below (I used a secp521r1 curve, but I didn't change the comments. They still indicate secp160r1 or something like that).

server.crt: [PEM certificate]
server.key: [PEM EC private key]

Any help would be appreciated. Thank you
Re: Public/private key encryption/decryption
Seems like the problem disappeared now, even though I cannot exactly tell why. Seems like I messed up some of that ugly pointer stuff that now works fine after some changes in the code. Again, thanks for your help.

Thanks and regards
Till Elsner

On 08.04.2008 at 09:04, shankar ks wrote:

Hi Till,

The error u got is you can not read the public key as in the certificate it is not finding the lines as BEGIN RSA CERTIFICATE so here i am giving you the code, use it directly, it will work fine as i refined it many times ...

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/err.h>
    #include <openssl/pem.h>
    #include <openssl/rsa.h>
    #include <openssl/x509.h>

    /* Load the RSA public key out of a PEM certificate file. */
    RSA *load_pubkey_from_cert(const char *recevercert)
    {
        FILE *fp;
        X509 *x509;
        EVP_PKEY *pub;
        RSA *pubk;

        fp = fopen(recevercert, "r");
        if (fp == NULL) {
            printf("error opening the pub file\n");
            exit(1);
        }
        x509 = PEM_read_X509(fp, NULL, NULL, NULL);
        fclose(fp);
        if (x509 == NULL) {
            printf("error reading the certificate \n");
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        pub = X509_get_pubkey(x509);
        if (pub == NULL) {
            printf("error reading the public key \n");
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        /* get1 returns a new reference, or NULL if the key is not RSA */
        pubk = EVP_PKEY_get1_RSA(pub);
        EVP_PKEY_free(pub);
        X509_free(x509);
        if (pubk == NULL)
            printf("error getting the public key from EVP_PKEY_get1_RSA function \n");
        return pubk;
    }

after this you do encryption and decryption, then it will work fine. One more thing here is you should not use RSA_encrypt or decrypt functions for large amount of data, it is not recommended, so u must avoid using asymmetric algorithms for large amount of data or for files .. or I recommend not to use it for any data or file except for encryption of keys only.

-- 
Regards
Shankar

On 4/8/08, Till Elsner [EMAIL PROTECTED] wrote:

Hi,

I'm trying to make an application encrypting data on the server side using a public key and decrypting it on the client side using the related private key. Now I've run in two problems: I have a private key and a related certificate file created from a certificate request (CSR) and signed by an own CA. Both are created using OpenSSL.

The first problem is that I can't get the public key out of the certificate using PEM_read_RSA_PUBKEY. I've exported the public key alone to a single file, from that I can load the public key. Trying to load it from the certificate gives a no starting line error.

Second, and maybe even worse, when encrypting data with the public key using RSA_public_encrypt and again decrypting it with the private one using RSA_private_decrypt, the decrypted data differs widely from the original data. When I try the same using OpenSSL's rsautl command-line tool, it works perfectly with this key pair (public key/private key as well as certificate/private key).

Both keys and certificate are in PEM format. The certificate's signature is valid. Could anyone give me some hint what might be going on here?

Thanks and regards
Till Elsner

-- 
--Best Regards
Shankar
Re: Apache 2 with ECC certificates
On Tue, Apr 08, 2008 at 08:43:51PM -0400, Big BDI wrote:

Is something wrong with my certificates(Pasted below)? I generated them with ECCcertgen.sh bundled with openssl... Apache does not generate any errors. One of my test keypairs is pasted below (I used a secp521r1 curve, but I didn't change the comments. They still indicate secp160r1 or something like that).

The cert does not have basicConstraints or keyUsage bits. It is an X509 cert, not an X509v3 cert. Otherwise it looks fine.

Try this pair of CA cert/key and Server cert/key. Don't worry (for me), they are fresh random keys not used anywhere. Identically built certs work with TLS in pre-release Postfix 2.6. If these work better, perhaps the extensions are relevant. If so, you just need to craft a suitable extension section in the conf file. These use secp256r1 (aka prime256v1).

[attachment: eckeys.cpio.gz, uuencoded]

-- 
Viktor.
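The diagnosis in the reply above (an X.509 v1 certificate carries no extensions, so no basicConstraints or keyUsage) can be checked straight from the DER encoding. This is an added example, not code from the thread; the two certificates it inspects are constructed skeletons with the right tags and dummy contents, and the helper names are hypothetical.

```python
OIDS = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    first = min(raw[0] // 40, 2)
    arcs, acc = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_cert(der):
    """Return (version, [extension OIDs]) read from a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = children(tbs)
    version, oids = 1, []                   # version defaults to v1 when [0] is absent
    if fields and fields[0][0] == 0xA0:     # [0] EXPLICIT Version
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    for ftag, value in fields:
        if ftag == 0xA3:                    # [3] EXPLICIT Extensions
            for _, ext in children(children(value)[0][1]):
                oids.append(decode_oid(children(ext)[0][1]))
    return version, oids


def missing_extensions(der):
    """Names of the two extensions from the reply that the certificate lacks."""
    _, oids = inspect_cert(der)
    return [name for oid, name in OIDS.items() if oid not in oids]


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def sample_cert(v3):
    """Constructed skeleton: correct tags and nesting, dummy contents."""
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, bytes(140)))
    body = tlv(0x02, b"\x01") + empty * 4 + spki   # serial, sigalg, issuer, validity, subject
    if v3:
        exts = b"".join(tlv(0x30, tlv(0x06, bytes.fromhex(o)) + tlv(0x04, b""))
                        for o in ("551d13", "551d0f"))
        body = tlv(0xA0, tlv(0x02, b"\x02")) + body + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, body) + empty + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for flag in (False, True):
        der = sample_cert(flag)
        print(inspect_cert(der), "missing:", missing_extensions(der))
```

To run it on a real certificate, base64-decode the body between the PEM BEGIN and END lines and pass the resulting bytes to `inspect_cert`.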
Apache2 with ECC certificates
I managed to get Apache 2 up and running with an ECC keypair (httpd-ssl.conf was set to SSLCipherSuite ECDHE-ECDSA-AES256-SHA), and I was able to connect to the server with

    openssl s_client -connect 10.1.0.1:443 -cipher ECDHE-ECDSA-AES256-SHA

though when I connect with my browser (Firefox 2.0.0.13), I am prompted that I do not have the necessary security protocol/cipher enabled, on both windows and linux firefox versions. This is not true; I checked about:config and security.ssl3.ecdhe_ecdsa_aes_256_sha is set to true. I am able to connect to other test servers on the internet, using the same curve (secp521r1) and tls cipher (ECDHE-ECDSA-AES256-SHA). Apache does not generate any errors.

Is something wrong with my test certificates (pasted below)? I generated them with ECCcertgen.sh bundled with openssl.

server.crt: [PEM certificate]
server.key: [PEM EC private key]

Any feedback is appreciated. Thank you
Create public/private key pair from trusted moduli?
Hi,

I am working on a client/server application. I am using RSA and need to ship keys in my binary, however I would rather generate key pairs on binary execution that get signed by the login server. Correct me if I am wrong but can I simply create my CA and keys and place the moduli of these keys inside the binary and then use the moduli to generate a public/private key pair that is trusted by the server? Basic idea here is to just hardcode the moduli in the binary. I have not seen any code performing this. Am I totally off?

thanks in advance.
julian
pkcs#7 Api's in openssl
Hi Everybody,

I am working on security issues; my job is to sign, compress, and encrypt the file as a CMS package. In order to fulfill the conditions I have to use the PKCS#7 APIs, but I did not understand how they will envelope the signed, compressed, encrypted data, and how they will be useful for the receiver. I am getting some example programs for the signing and encryption, but I did not get any examples for the envelope of compression using pkcs functions.

If anybody knows, please give me information on this compression using pkcs functions and data regarding the implementation of the pkcs functions (any document or pdf or examples of signing, encryption, compression), and a source which explains the usage of the PKCS#7 APIs in openssl.

-- 
--Best Regards
Shankar