openssl smime problem: the output of smime -decrypt is not the same to the original one

2009-04-13 Thread xh

Hi everyone,

I find the output of openssl smime -decrypt is not the same as the
original one.

My OS is Fedora 10 and the openssl version is 0.9.8g.

I use the following command to get the encrypted version of the file a.txt
# openssl smime -encrypt -in a.txt -out b.txt mycert.pem

and try to use the following command to get the plaintext from b.txt to c.txt
# openssl smime -decrypt -in b.txt -out c.txt -recip mycert.pem -inkey priv.key


The following is the hex dump, and from the dump we can see that 0a
becomes 0d0a.

I think that should be a problem in the linux systems.

# xxd a.txt
000: 6269 6e0a 626f 6f74 0a64 6576 0a65 7463  bin.boot.dev.etc
010: 0a65 7670 5f70 6b63 7331 315f 7465 7374  .evp_pkcs11_test
020: 2e63 0a68 6f6d 650a 6c69 620a 6c6f 7374  .c.home.lib.lost
030: 2b66 6f75 6e64 0a6d 6564 6961 0a6d 6973  +found.media.mis
040: 630a 6d6e 740a 6e65 740a 6f70 740a 7065  c.mnt.net.opt.pe
050: 7273 6f6e 616c 0a70 726f 630a 726f 6f74  rsonal.proc.root
060: 0a73 6269 6e0a 7365 6c69 6e75 780a 7372  .sbin.selinux.sr
070: 760a 7379 730a 746d 700a 7479 7065 7363  v.sys.tmp.typesc
080: 7269 7074 0a75 7372 0a76 6172 0a77 730a  ript.usr.var.ws.
[r...@amadis mykey]# xxd c.txt
000: 6269 6e0d 0a62 6f6f 740d 0a64 6576 0d0a  bin..boot..dev..
010: 6574 630d 0a65 7670 5f70 6b63 7331 315f  etc..evp_pkcs11_
020: 7465 7374 2e63 0d0a 686f 6d65 0d0a 6c69  test.c..home..li
030: 620d 0a6c 6f73 742b 666f 756e 640d 0a6d  b..lost+found..m
040: 6564 6961 0d0a 6d69 7363 0d0a 6d6e 740d  edia..misc..mnt.
050: 0a6e 6574 0d0a 6f70 740d 0a70 6572 736f  .net..opt..perso
060: 6e61 6c0d 0a70 726f 630d 0a72 6f6f 740d  nal..proc..root.
070: 0a73 6269 6e0d 0a73 656c 696e 7578 0d0a  .sbin..selinux..
080: 7372 760d 0a73 7973 0d0a 746d 700d 0a74  srv..sys..tmp..t
090: 7970 6573 6372 6970 740d 0a75 7372 0d0a  ypescript..usr..
0a0: 7661 720d 0a77 730d 0a   var..ws..

thanks,
-Derek
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: openssl-0.9.8k.tar.gz

2009-04-13 Thread Kyle Hamilton
This is entirely site-specific, and nobody here has any idea what
you're talking about.  Try talking to your Purdue University helpdesk.

-Kyle H

On Mon, Apr 13, 2009 at 6:40 AM, Chuck Aaron  wrote:
> I have saved this file off the openssl site to my documents. I am trying to
> copy the *.gz file with
> secure fx from my documents and the Alpha server using vms 8.3 and it will
> not allow me to
> transfer the file. Any ideas on how I get it there to unzip it?
>
> Thanks,
> Chuck


Re: Query on OpenSSL for Certificate verification

2009-04-13 Thread Kyle Hamilton
Then don't return from the original SSL_CTX_set_verify callback until
you either:
a) receive a valid OCSP response that says it's okay,
b) receive a valid OCSP response that says it's not okay,
c) receive an invalid OCSP response (i.e., OCSP failure), or
d) time out.

You're perilously close to a "chicken and egg" problem here:

1) You need the certificate to check
2) you cannot get the certificate to check until you attempt to make
the connection
3) once you connect, you are stuck in a state machine where you
haven't checked the certificate.

Some browsers try to handle this kind of situation by scanning HTML
for links and pre-loading them to the cache.  These tend not to work
all that well.

If you're returning asynchronously, then you also need to have a
mechanism to send asynchronous exceptions.  Either that, or you have
to make it synchronous until the OCSP response is returned.

-Kyle H

On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham)
 wrote:
> Hi Kyle,
>
> Sorry for the delayed response, I am just back from my vacation.
>
> Thank you so much for your response and the information provided.
>
> But even with the SSL_CTX_set_verify() callback invocation, the result of the
> certificate validation needs to be returned in the context of the callback
> function itself in a synchronous manner. Whereas in our scenario, the cert
> validation status is reported back in an asynchronous manner as I explained
> earlier.
>
> I am just wondering how can I realize that scenario.
>
> Thanks again.
>
> Regards
> Vijay
>
>
>
>
>
> -Original Message-
> From: Kyle Hamilton [mailto:aerow...@gmail.com]
> Sent: Tuesday, April 07, 2009 12:26 PM
> To: openssl-users@openssl.org
> Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham)
> Subject: Re: Query on OpenSSL for Certificate verification
>
> This is a protocol called OCSP, with its "designated responder" mechanism.
>
> If you want to implement it, call the OCSP functions with the DR address and 
> the fields that OCSP needs during the SSL_CTX_set_verify() callback 
> invocation; if you really need to, create two separate SSL_CTX contexts, one 
> of which calls a function to check the certificate status, the other of which 
> always passes (so that the DR certificate doesn't need to be in the client's 
> local store).
>
> Note that I consider this insecure.  First, the denial of service potential 
> (the DR goes down).  Second, man-in-the-middle or redirection attacks (the DR 
> is replaced by a bogus one).  Third, the entire point of X.509 is to allow 
> for clients to have all the information they need to verify certificates in 
> the absence of an online authority.
>
> For more information I suggest you read the cryptographic literature for the 
> protocols that exist.
>
> -Kyle H
>
> On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham) 
>  wrote:
>> Hi,
>>
>> I am just wondering if there is a way to realize the following
>> scenario with the help of OpenSSL libraries, here is the brief explanation 
>> in this regard.
>>
>> -
>> I have a client and Server who need to set up a secure connection using
>> TLS/SSL. But as part of handshake Server sends its certificate to the
>> Client. But Client doesn't have any certificates with it to
>> authenticate the certificate, rather it needs to communicate (a
>> non-blocking call) with another entity (like a Certificate Authority (CA))
>> to get the certificate validated. This CA will look through its list
>> of certificates to authenticate it and inform back to the Client
>> in an asynchronous manner (maybe some callback) that the certificate
>> is valid. Now the Client will proceed further with the Server to
>> complete the Handshake and set up the connection.
>>
>> Here is a pictorial description of this scenario for better clarity
>>
>>
>> -
>>
>> I went through the available documentation, to the best of my
>> understanding I couldn't find the library APIs(SSL/BIO/X509) to
>> realize the above scenario.
>>
>> Is there any way to fit in the above verification setup as part of the
>> handshake? It will be of great help if anybody can provide me the
>> pointers in this regard.
>>
>> Thanks for your help in advance.
>>
>> Regards
>> Vijay
>


Re: Resource temporarily unavailable error with SSL_connect

2009-04-13 Thread Dan Maartens
Thanks for your response Dave. With -state and -msg enabled, it seems to be
hanging after SSL_accept:SSLv3 flush data. When I abort the client at this
point (as it will retry forever with no success), I get: failed in SSLv3
read client certificate A.

Given the stupefying nature of this problem, I'm fairly certain it has
something to do with our multithreading, but if you have any additional
suggestion I'd certainly appreciate it.

Dan

On Fri, Apr 10, 2009 at 5:11 PM, Dave Thompson <
dave.thomp...@princetonpayments.com> wrote:

> > From: owner-openssl-us...@openssl.org On Behalf Of Dan Maartens
> > Sent: Friday, 10 April, 2009 18:39
>
> >   This is on SuSE 10.3. The socket is non-blocking, for the only reason
> > that I thought it would make debugging the problem easier.
> > With the socket in blocking mode (which is all I need),
> > I have the problem where SSL_connect never returns.
>
> See below.
>
> >   I'm looking at errno because the information
> > returned by SSL_get_error wasn't very useful. To recap,
> > here's the results of all the various debugging that I have in place:
> >   SSL_connect: -1
> >   SSL_get_error: 2
> >   ERR_error_string: error:0002:lib(0):func(0):system lib
> >   errno: 11
>
> SSL_get_error() returns only a 'top-level' state classification.
> You don't decode it with the ERR_ stuff; that's for ERR_get_error().
> 2 is SSL_ERROR_WANT_READ and means you should call again when the socket
> is readable, normally most simply by select() or poll() telling you so.
>
> >   A few other notes, I am connecting to the openssl/s_server,
> > so that end should be OK. This is all happening inside of a
> > multi-threaded app, which could be part of the problem.
> > In a separate, very simple (and non-threaded) client app which I wrote,
> > I can connect via TCP and SSL and transmit/read just fine.
> > So that rules out machine/network level stuff.
>
> >   I have also tried calling SSL_connect in a loop, just to test
> > to see if waiting/re-calling helps, but it doesn't.
> > The same error occurs each time.
>
> Obviously no data is being received. With a blocking socket it waits,
> and with a nonblocking socket it keeps telling you to wait for receive.
>
> So there is some difference between your multithreaded and your
> simple/nonthreaded. Can you run the s_server with -msg and watch
> or log its output (without too much clutter from other clients)?
> Does it receive a good connect+hello and try to send a response?
>
> If the server is sending a response but the client doesn't get it,
> there may indeed be some network/environment issue that is different
> between your multithread app and your simple/nonthread test.
>
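
An added example, not from the thread: the quoted advice about SSL_ERROR_WANT_READ, shown with Python's ssl module (a wrapper over OpenSSL) rather than the C API the posters use. The socketpair peer that never answers, the host name peer.example and the function names are constructed for the illustration.

```python
import select
import socket
import ssl
import time


def handshake_nonblocking(tls_sock, timeout_s):
    """Drive a handshake on a non-blocking socket; return (status, calls, code).

    code is the last SSL_get_error()-style value seen (2 == WANT_READ).
    """
    deadline = time.monotonic() + timeout_s
    calls, code = 0, None
    while True:
        calls += 1
        try:
            tls_sock.do_handshake()
            return "ok", calls, code
        except ssl.SSLWantReadError as err:    # SSL_ERROR_WANT_READ
            code, rlist, wlist = err.errno, [tls_sock], []
        except ssl.SSLWantWriteError as err:   # SSL_ERROR_WANT_WRITE
            code, rlist, wlist = err.errno, [], [tls_sock]
        # Not a failure: sleep in select() until the socket is ready,
        # instead of re-calling immediately and getting the same answer.
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "peer-silent", calls, code
        ready_r, ready_w, _ = select.select(rlist, wlist, [], remaining)
        if not (ready_r or ready_w):
            return "peer-silent", calls, code


def demo_silent_peer(timeout_s=0.2):
    """Constructed scenario: the peer accepts bytes but never answers."""
    client_raw, peer = socket.socketpair()
    client_raw.setblocking(False)
    ctx = ssl.create_default_context()         # certificate checks stay on
    tls = ctx.wrap_socket(client_raw, server_hostname="peer.example",
                          do_handshake_on_connect=False)
    try:
        result = handshake_nonblocking(tls, timeout_s)
        first_byte = peer.recv(4096)[0]        # 0x16 = TLS handshake record
        return result, first_byte
    finally:
        tls.close()
        peer.close()


if __name__ == "__main__":
    print(demo_silent_peer())
```

The ClientHello reaches the peer, yet the handshake call is made only once before the deadline expires, which separates "the other side sent nothing" from an error in the TLS layer.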


Re: OCSP stapling

2009-04-13 Thread Dr. Stephen Henson
On Mon, Apr 13, 2009, Rene Hollan wrote:

> What, if any, support is there in openssl to support OCSP stapling?
> 
> I have code that does an OCSP check for received certs, but obviously
> want to "play nice" and make use of any stapled OCSP response first,
> 

It is supported in the latest versions of OpenSSL. The s_server utility
supports it in a minimal way. There is a patch to mod_ssl which is a more
realistic implementation including OCSP response caching and expiry.

The s_client utility also includes an example.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: CMS Structure Access

2009-04-13 Thread Gary Kennedy

Dr. Stephen Henson wrote:
> On Wed, Apr 08, 2009, Gary Kennedy wrote:
>
>> Specifically, I'm after the version & digestAlgorithms fields of the
>> signed-data CMS structure, (read-only at this stage).
>>
>> How may I go about accessing these fields without 'illegally' including the
>> cms_lcl.h header?
>
> You can't at present as there isn't a function to access them.
>
> Why do you need to access those btw?

To perform strict validation of a CMS message before it goes further
into the application. Specifically the ROA/BOA/AAO/etc products of
resource certification.

It's not set in stone at the moment though, so we'll see what happens :)

>> On a more general basis, why are these structures obscured? (Apart from the
>> 'prevent-shooting-in-foot' reason - which I've already done with all the
>> other structures, like X509)
>
> The main reason is to stop applications manually accessing the structure
> fields. If the structure needs to be updated in future for newer versions of
> CMS we can freely change the structure size and add, delete or modify fields
> without breaking applications or introducing binary compatibility issues.
>
> Steve.


--
Gary Kennedy   email:  g...@apnic.net
Software Engineer, APNIC
http://www.apnic.net   phone: +61 7 3858 3100



OCSP stapling

2009-04-13 Thread Rene Hollan
What, if any, support is there in openssl to support OCSP stapling?

I have code that does an OCSP check for received certs, but obviously
want to "play nice" and make use of any stapled OCSP response first,



X509_get_serialNumber

2009-04-13 Thread sarym binome

hi all
i want to extract the serial number or the subject name from an X509
certificate
i used X509_get_serialNumber but i don't know how can i use it, i can't print
it cause it's a struct
this is my certificate
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=ARAN CA
Validity
Not Before: Mar 27 13:45:00 2009 GMT
Not After : Jul 25 13:45:00 2009 GMT
Subject: CN=0.0.0.3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:eb:a6:38:2e:b3:17:4a:0a:4a:d3:88:17:47:c6:
b4:a5:42:ec:94:a3:14:49:ce:f2:5e:ba:19:aa:aa:
f7:34:cf:da:26:46:0b:45:dd:ee:b3:df:a8:9c:80:
f2:63:8d:72:d3:22:a4:68:b1:66:d8:65:cd:6c:17:
b1:1c:b7:f1:9d
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
any suggestion or help ??

 

Best regards


Re: (DTLS) Nexuiz needs information on the open-ssl UDP stuff.

2009-04-13 Thread Wes Hardaker
> On Sat, 11 Apr 2009 22:49:46 -0700 (PDT), Miguel Ghobangieno 
>  said:

MG> They're all multi-threaded. How to do it in a single threaded app
MG> with multiple users?

Here's another documented example of a working hack:

  http://www.net-snmp.org/wiki/index.php/DTLS_Implementation_Notes

Hopefully future versions of OpenSSL will incorporate some of the
necessary fixes posted by others to get around this type of method of
doing things.
-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett


openssl-0.9.8k.tar.gz

2009-04-13 Thread Chuck Aaron
I have saved this file off the openssl site to my documents. I am trying
to copy the *.gz file with secure fx from my documents and the Alpha
server using vms 8.3 and it will not allow me to transfer the file.
Any ideas on how I get it there to unzip it?

Thanks,
Chuck


test

2009-04-13 Thread Chuck Aaron




how to create cert file for windowxp sp3

2009-04-13 Thread shawnlau
Hi all!

I have a question that makes me feel so confused.

I have updated OPENSSL.rpm to openssl-0.9.8e-7.el5, and have made a few
modifications to openssl.cnf and the CA script. The changes are below:

The OPENSSL.cnf:

dir= ./demoCA  # Where everything is kept
private_key = $dir/private/cakey.pem   # The private key
RANDFILE  = $dir/private/.rand   # private random number file
default_days= 730
default_bits = 2048

The CA script:

DAYS="-days 1825"   # change to 5 years default 1 year
CATOP=./demoCA# default ../../CA

Add this line in the script; when creating a new CA it is easier to create
the crl.pem file.

echo "00" > ${CATOP}/crlnumber

After that, I create the CA, and also create the cert and key files for a
Windows client, like below:

openssl pkcs12 -export -in ./demoCA/cacert.pem -inkey ./demoCA/private/cakey.pem -out rootca.p12
openssl pkcs12 -export -in ./newcert.pem -inkey ./newkey.pem -out client.p12

Then I copy these files to Windows and import them via mmc. After I import
rootca.p12 into Trusted Root Certificate issue organization and import
client.p12 into Personal, and refresh, when I double-click the personal
certificate, there is always an error like below:

Because the certificate path in the certificate authority certificate does
not seem to approach the authority or can not be used as end-entity
certificate, the certificate is invalid

How to deal with this problem?

3ks and regards!

Shawn!