RE: FIPS 14-2 vs MD5
Roger No-Spam wrote: > When building openssl in FIPS 140-2 mode, the MD5 algorithm is > not available for use. There are, however, several RFCs that mandate > the use of MD5. Would it be possible to partition a system into a > FIPS 140-2 part (more security critical parts, e.g SSL) and one other > part that can include support for RFCs that mandate MD5 (e.g. TCP MD5 > checksum option, PPP CHAP, etc.). Would it be possible to FIPS 140-2 > validate such a system? What would the requirements be regarding the > partitioning? Simply disable all those things in FIPS mode. There is no requirement that your system be useful in FIPS mode, only that it be secure. That is what everyone else does. For example, the first Windows versions to support high-security modes disabled all networking devices and all removable media devices. Linux requires you to remove the power cord. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FIPS 14-2 vs MD5
Hello, When building openssl in FIPS 140-2 mode, the MD5 algorithm is not available for use. There are, however, several RFCs that mandate the use of MD5. Would it be possible to partition a system into a FIPS 140-2 part (more security critical parts, e.g SSL) and one other part that can include support for RFCs that mandate MD5 (e.g. TCP MD5 checksum option, PPP CHAP, etc.). Would it be possible to FIPS 140-2 validate such a system? What would the requirements be regarding the partitioning? Any pointers to where I can find more info on this topic would be much appreciated. /Roger _ Med Windows Live kan du ordna, redigera och dela med dig av dina foton. http://www.microsoft.com/sverige/windows/windowslive/products/photo-gallery-edit.aspx
Re: OpenSSL FIPS Module version 1.2
Hello Steve, Do you know any fixes in the current 0.9.8k that also applicable to FIPS module or there is none? Thank you, -Pandit From: Dr. Stephen Henson To: openssl-users@openssl.org Sent: Saturday, August 15, 2009 6:39:40 AM Subject: Re: OpenSSL FIPS Module version 1.2 On Fri, Aug 14, 2009, Pandit Panburana wrote: > Hello, > > I have a few questions about the FIPS module. > >1) The current version of OpenSSL FIPS Module is 1.2. It is based on >0.9.8e and 0.9.8f of standard OpenSSL. The latest stable version is >0.9.8k. How are fixes get into validated FIPS module? > There have been no issues so far which have required any changed to the FIPS module itself. The FIPS module is a tiny subset of a version of OpenSSL between 0.9.8e and 0.9.8f. You can (and indeed *should*) use the current version of OpenSSL 0.9.8 (currently 0.9.8k) with the validated moduled. That way you get all the updates and fixes in the rest of OpenSSL. >2) The current procedure suggests that the FIPS module is built on the >same target platform of the application. Is it possible that the target >platform is different than the building platform but they both are x86 >base platforms (here OS is Linux but may have different version)? > As long as you follow the build procedure to the letter. You can use the resulting binaries on any binary compatible platform. >3) Is there any work around for cross compilation? > Not without revalidation as this would require a different build procedure. However there are many low cost ways to compile native code on all sorts of platforms (e.g. ARM) which would avoid the need to cross compile. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Projecthttp://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Fwd: Benachrichtung zum Übermittlungsstatus (Fehlge schlagen)
I'm not sure about you guys, but I find this very annoying 2009/8/17 > Dies ist eine automatisch erstellte Benachrichtigung +APw-ber den > Zustellstatus. > > +ANw-bermittlung an folgende Empf+AOQ-nger fehlgeschlagen. > > c...@next-motion.de > > > > > Final-Recipient: rfc822;c...@next-motion.de > Action: failed > Status: 5.2.2 > X-Display-Name: Carsten Breitbarth - next.motion OHG > > > > -- Forwarded message -- > From: Serge Fonville > To: openssl-users@openssl.org > Date: Mon, 17 Aug 2009 18:20:37 +0200 > Subject: Re: Creating certificates > What does your openssl.cnf look like, since it is used in the req? > > On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich > wrote: > >> Hy, >> >> So my end goal is to have a CA, which I can use to sign certificates. I >> have set up a CA, that was not that hard. But now I want to create >> certificates signed by my CA, and I want to provide the subject from the >> command line. I don't want it to be read from the openssl.cnf. That is >> because I have to create more certificates, and I do not want to modify the >> opennssl.cnf, for each of them. >> >> I have tried to create certificates, signed by my CA, and the subject >> information was provided in the openssl.cnf file. That I have succeeded. >> >> Then I have tried to provide the subject information from the command >> line, and that I have failed. And I have verified the contents of the >> certificate, and the subject was not what I have specified in the command >> line, but what was found in the config file. >> >> So it looks to me like if this option: -subj >> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" is ignored, and >> like openssl tries to read this info from the config file, and I do not >> understand why :(. >> >> >> Regards, >> Gerald >> >> >> >> On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville > > wrote: >> >>> Hi, >>> >>> I assume you have done a lot of googling and have read the docs >>> extensively. >>> >>> First, what is your end goal? >>> Since creating a certificate and having it signed by your own CA is not >>> that difficult. >>> What resources have you consulted. >>> What have you already tried. >>> Have you looked at the resulting certificate to verify its contents >>> >>> Regards, >>> >>> Serge Fonville >>> >>> On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich < >>> nutri...@gmail.com> wrote: >>> Hello, I am trying to create a certificate, on win, and I am having some troubles with OpenSSL. First I generate a key. That's ok. Then I create a request: openssl req -config .\openssl.cnf -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass Then I want to sign this: openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial And the message printed out is: Loading 'screen' into random state - done Signature ok subject=/C=RO Getting CA Private Key Now, what disturbs me, is that it seems that the subject I have provided with "-subj" in the first "openssl req" command has been ignored. Why is that happening? What am I doing wrong? Thanks, Gerald >>> >> > >
Re: Creating certificates
What does your openssl.cnf look like, since it is used in the req? On Mon, Aug 17, 2009 at 6:00 PM, Gerald Iakobinyi-Pich wrote: > Hy, > > So my end goal is to have a CA, which I can use to sign certificates. I > have set up a CA, that was not that hard. But now I want to create > certificates signed by my CA, and I want to provide the subject from the > command line. I don't want it to be read from the openssl.cnf. That is > because I have to create more certificates, and I do not want to modify the > opennssl.cnf, for each of them. > > I have tried to create certificates, signed by my CA, and the subject > information was provided in the openssl.cnf file. That I have succeeded. > > Then I have tried to provide the subject information from the command line, > and that I have failed. And I have verified the contents of the certificate, > and the subject was not what I have specified in the command line, but what > was found in the config file. > > So it looks to me like if this option: -subj > "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" is ignored, and > like openssl tries to read this info from the config file, and I do not > understand why :(. > > > Regards, > Gerald > > > > On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville > wrote: > >> Hi, >> >> I assume you have done a lot of googling and have read the docs >> extensively. >> >> First, what is your end goal? >> Since creating a certificate and having it signed by your own CA is not >> that difficult. >> What resources have you consulted. >> What have you already tried. >> Have you looked at the resulting certificate to verify its contents >> >> Regards, >> >> Serge Fonville >> >> On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich < >> nutri...@gmail.com> wrote: >> >>> Hello, >>> >>> I am trying to create a certificate, on win, and I am having some >>> troubles with OpenSSL. First I generate a key. That's ok. Then I create a >>> request: >>> >>> openssl req -config .\openssl.cnf -subj >>> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 >>> -key ..\demo_store\private\private_key_client.pem -outform PEM -out >>> ..\demo_store\request\req_server.csr -passin pass:pass >>> >>> Then I want to sign this: >>> openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr >>> -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA >>> ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey >>> ..\demo_store\private\ca_private_key.pem -CAcreateserial >>> >>> And the message printed out is: >>> Loading 'screen' into random state - done >>> Signature ok >>> subject=/C=RO >>> Getting CA Private Key >>> >>> >>> Now, what disturbs me, is that it seems that the subject I have provided >>> with "-subj" in the first "openssl req" command has been ignored. >>> Why is that happening? What am I doing wrong? >>> >>> Thanks, >>> Gerald >>> >>> >>> >> >
Re: Creating certificates
Hy, So my end goal is to have a CA, which I can use to sign certificates. I have set up a CA, that was not that hard. But now I want to create certificates signed by my CA, and I want to provide the subject from the command line. I don't want it to be read from the openssl.cnf. That is because I have to create more certificates, and I do not want to modify the opennssl.cnf, for each of them. I have tried to create certificates, signed by my CA, and the subject information was provided in the openssl.cnf file. That I have succeeded. Then I have tried to provide the subject information from the command line, and that I have failed. And I have verified the contents of the certificate, and the subject was not what I have specified in the command line, but what was found in the config file. So it looks to me like if this option: -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" is ignored, and like openssl tries to read this info from the config file, and I do not understand why :(. Regards, Gerald On Mon, Aug 17, 2009 at 6:31 PM, Serge Fonville wrote: > Hi, > > I assume you have done a lot of googling and have read the docs > extensively. > > First, what is your end goal? > Since creating a certificate and having it signed by your own CA is not > that difficult. > What resources have you consulted. > What have you already tried. > Have you looked at the resulting certificate to verify its contents > > Regards, > > Serge Fonville > > On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich > wrote: > >> Hello, >> >> I am trying to create a certificate, on win, and I am having some troubles >> with OpenSSL. First I generate a key. That's ok. Then I create a request: >> >> openssl req -config .\openssl.cnf -subj >> "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 >> -key ..\demo_store\private\private_key_client.pem -outform PEM -out >> ..\demo_store\request\req_server.csr -passin pass:pass >> >> Then I want to sign this: >> openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr >> -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA >> ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey >> ..\demo_store\private\ca_private_key.pem -CAcreateserial >> >> And the message printed out is: >> Loading 'screen' into random state - done >> Signature ok >> subject=/C=RO >> Getting CA Private Key >> >> >> Now, what disturbs me, is that it seems that the subject I have provided >> with "-subj" in the first "openssl req" command has been ignored. >> Why is that happening? What am I doing wrong? >> >> Thanks, >> Gerald >> >> >> >
Re: Creating certificates
Hi, I assume you have done a lot of googling and have read the docs extensively. First, what is your end goal? Since creating a certificate and having it signed by your own CA is not that difficult. What resources have you consulted. What have you already tried. Have you looked at the resulting certificate to verify its contents Regards, Serge Fonville On Mon, Aug 17, 2009 at 4:41 PM, Gerald Iakobinyi-Pich wrote: > Hello, > > I am trying to create a certificate, on win, and I am having some troubles > with OpenSSL. First I generate a key. That's ok. Then I create a request: > > openssl req -config .\openssl.cnf -subj > "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 > -key ..\demo_store\private\private_key_client.pem -outform PEM -out > ..\demo_store\request\req_server.csr -passin pass:pass > > Then I want to sign this: > openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr > -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA > ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey > ..\demo_store\private\ca_private_key.pem -CAcreateserial > > And the message printed out is: > Loading 'screen' into random state - done > Signature ok > subject=/C=RO > Getting CA Private Key > > > Now, what disturbs me, is that it seems that the subject I have provided > with "-subj" in the first "openssl req" command has been ignored. > Why is that happening? What am I doing wrong? > > Thanks, > Gerald > > >
Problem creating certificates
Hello, I am trying to create a certificate, on win, and I am having some troubles with OpenSSL. First I generate a key. That's ok. Then I create a request: openssl req -config .\openssl.cnf -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass Then I want to sign this: openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial And the message printed out is: Loading 'screen' into random state - done Signature ok subject=/C=RO Getting CA Private Key Now, what disturbs me, is that it seems that the subject I have provided with "-subj" in the first "openssl req" command has been ignored. Why is that happening? What am I doing wrong? Thanks, Gerald
Creating certificates
Hello, I am trying to create a certificate, on win, and I am having some troubles with OpenSSL. First I generate a key. That's ok. Then I create a request: openssl req -config .\openssl.cnf -subj "/C=DE/L=Munchen/ST=Bayern/O=Org/OU=Dev/CN=Test Certificate" -new -days 365 -key ..\demo_store\private\private_key_client.pem -outform PEM -out ..\demo_store\request\req_server.csr -passin pass:pass Then I want to sign this: openssl x509 -inform PEM -req -in ..\demo_store\request\req_server.csr -outform DER -out ..\demo_store\certs\cert_server.der -CAform DER -CA ..\demo_store\certs\ca_cert.der -CAkeyform PEM -CAkey ..\demo_store\private\ca_private_key.pem -CAcreateserial And the message printed out is: Loading 'screen' into random state - done Signature ok subject=/C=RO Getting CA Private Key Now, what disturbs me, is that it seems that the subject I have provided with "-subj" in the first "openssl req" command has been ignored. Why is that happening? What am I doing wrong? Thanks, Gerald
Re: OpenSSL FIPS Module version 1.2
Kyle Hamilton wrote: ... There were plans for a "rolling validation", where fixes are rolled into the next validation effort, but I haven't heard anything from the Open Source Software Institute about that. My fear is that they have no funding for such an effort. Correct. At one point we though we would have an ongoing sponsorship, but that didn't happen. Each validation requires a big (to us) lump of cash for the test lab so without that funding we're stuck. You can, however, use the OpenSSL FIPS Module 1.2 as a base, make the changes you need for cross-compilation and such, and then get the result blesse^Wvalidated. This has been done, at least several times. Even if you can't use the v1.2 validation directly it provides a useful template for a "roll your own" validation. Given the many v1.2 based validations already on the books that should be almost entirely a rubber stamp exercise, absent any novel complications. Although please note that if you decide to purchase your own validation, use the *documentation* from v1.2 but the *source* tarball from the most current 0.9.8. Since you're paying for the validation from scratch you might as well use the most up-to-date software which has a number of happy-to-glad improvements that can't be retroactively incorporated in the existing validation. -Steve M. -- Steve Marquess Open Source Software institute marqu...@oss-institute.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ecdsa-signed certificates algorithm recognition problems
Just a quick note. openss x509 prints out the correct thing if I use 0.9.8h (the default openssl on my machine is 0.9.7-something). Now just the java part of my problem remains, but I suspect that has something to do with my setup. Sorry for the previous message. Laura Laura Arhire wrote: Hello I have successfully managed to create and use certificates which contained and were signed by ecdsa keys in my own prototype program. However, upon attempting to import such a certificate in the java certificate store, I came upon some trouble. It seems there is something wrong with the way I am generating these certificates, as the signature algorithm and the public key algorithm come up as unknown. Sorry for lengthy message which follows. In short, I have the following certificate in PEM format: -BEGIN CERTIFICATE- MIIB+DCCAbagAwIBAgIBAzAJBgcqhkjOPQQBMEkxCzAJBgNVBAYTAlJPMR8wHQYD VQQDExZJbmNvcnJlY3QgVGVzdGluZyBUZWFtMRkwFwYDVQQKExBpbmNvcnJlY3Qt Y2xpZW50MB4XDTA5MDgxNzA5MTkxM1oXDTEwMDgxNzA5MTkxM1owSTELMAkGA1UE BhMCUk8xHzAdBgNVBAMTFkluY29ycmVjdCBUZXN0aW5nIFRlYW0xGTAXBgNVBAoT EGluY29ycmVjdC1jbGllbnQwgeowgbsGByqGSM49AgEwga8CAQEwIAYHKoZIzj0B AQIVAP9/MEMEFP98 BBQcl778VL16i2Ws+J+B1NStxWX6RQMVABBTzeQsFNaW5naHVhUXUzvz+DNFBCkE Spa1aI71cyhGZGmJaMOLuRPL/IIjpihVMWiUfVncyRIEI1E3esX7MgIVAQAA AAH0yPknrtPKdSJXAgEBAyoABAm8/G3NfWWhjeRofpq+hNTibLFO/qRFRPoK yjjVrr53ZII/d++boA8wCQYHKoZIzj0EAQMxADAuAhUAn03MMNELjv87OQc/XRN8 T9u6itoCFQDZieQkFfLKnvg50xT0Tusg0s0ehw== -END CERTIFICATE- (prettyfied version to be found at bottom). When running "openssl x509 -in wrong-root-ecdsa160.crt -noout -text" on it, I get: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: UNKNOWN Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: UNKNOWN Unable to load Public Key 3104:error:0D09C08F:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:104: 3104:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:228: Signature Algorithm: UNKNOWN 30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d: 13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e: f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87 I suspect the reason why the signature/public key algorithms come up as unknown is the same reason I can't get java to load up this certificate as well. The code used to generate this certificate is (removed return-value testing for brevity): EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1); EC_KEY_generate_key(ec_key); EC_KEY_check_key(ec_key); FILE *f; X509 *x; EVP_PKEY *pk; X509_NAME *name = NULL; pk=EVP_PKEY_new(); x=X509_new(); EVP_PKEY_assign_EC_KEY(pk, ec_key); f = fopen("wrong-root-ecdsa160.key", "w"); PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL); fclose(f); X509_set_version(x, 2); ASN1_INTEGER_set(X509_get_serialNumber(x), 3); // certificate validity X509_gmtime_adj(X509_get_notBefore(x), 0); X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365); X509_set_pubkey(x, pk); name = X509_get_subject_name(x); const char *grp = "incorrect-client"; X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char*) "RO", -1, -1, 0); X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const unsigned char*) "Incorrect Testing Team", -1, -1, 0); X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (const unsigned char*) grp, -1, -1, 0); X509_set_issuer_name(x, name); X509_sign(x, pk, EVP_ecdsa()); f = fopen("wrong-root-ecdsa160.crt", "w"); PEM_write_X509(f, x); fclose(f); I can use such the certificate without a problem in my prototype, add it to the trusted CAs, use it in client-server handshake etc. Any ideas on what I'm doing wrong and how can i get the openssl x509 command to output the correct certificate? If I run: FILE *root_file = fopen("wrong-root-ecdsa160.crt", "r"); X509 *root_cert = PEM_read_X509(root_file, NULL, NULL, NULL); X509_print_fp(stdout, root_cert); everything prints out as expected: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA1 Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:09:bc:fc:6d:cd:7d:65:a1:8d:e4:68:7e:9a:be:
ecdsa-signed certificates algorithm recognition problems
Hello I have successfully managed to create and use certificates which contained and were signed by ecdsa keys in my own prototype program. However, upon attempting to import such a certificate in the java certificate store, I came upon some trouble. It seems there is something wrong with the way I am generating these certificates, as the signature algorithm and the public key algorithm come up as unknown. Sorry for lengthy message which follows. In short, I have the following certificate in PEM format: -BEGIN CERTIFICATE- MIIB+DCCAbagAwIBAgIBAzAJBgcqhkjOPQQBMEkxCzAJBgNVBAYTAlJPMR8wHQYD VQQDExZJbmNvcnJlY3QgVGVzdGluZyBUZWFtMRkwFwYDVQQKExBpbmNvcnJlY3Qt Y2xpZW50MB4XDTA5MDgxNzA5MTkxM1oXDTEwMDgxNzA5MTkxM1owSTELMAkGA1UE BhMCUk8xHzAdBgNVBAMTFkluY29ycmVjdCBUZXN0aW5nIFRlYW0xGTAXBgNVBAoT EGluY29ycmVjdC1jbGllbnQwgeowgbsGByqGSM49AgEwga8CAQEwIAYHKoZIzj0B AQIVAP9/MEMEFP98 BBQcl778VL16i2Ws+J+B1NStxWX6RQMVABBTzeQsFNaW5naHVhUXUzvz+DNFBCkE Spa1aI71cyhGZGmJaMOLuRPL/IIjpihVMWiUfVncyRIEI1E3esX7MgIVAQAA AAH0yPknrtPKdSJXAgEBAyoABAm8/G3NfWWhjeRofpq+hNTibLFO/qRFRPoK yjjVrr53ZII/d++boA8wCQYHKoZIzj0EAQMxADAuAhUAn03MMNELjv87OQc/XRN8 T9u6itoCFQDZieQkFfLKnvg50xT0Tusg0s0ehw== -END CERTIFICATE- (prettyfied version to be found at bottom). When running "openssl x509 -in wrong-root-ecdsa160.crt -noout -text" on it, I get: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: UNKNOWN Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: UNKNOWN Unable to load Public Key 3104:error:0D09C08F:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:104: 3104:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:228: Signature Algorithm: UNKNOWN 30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d: 13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e: f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87 I suspect the reason why the signature/public key algorithms come up as unknown is the same reason I can't get java to load up this certificate as well. The code used to generate this certificate is (removed return-value testing for brevity): EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1); EC_KEY_generate_key(ec_key); EC_KEY_check_key(ec_key); FILE *f; X509 *x; EVP_PKEY *pk; X509_NAME *name = NULL; pk=EVP_PKEY_new(); x=X509_new(); EVP_PKEY_assign_EC_KEY(pk, ec_key); f = fopen("wrong-root-ecdsa160.key", "w"); PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL); fclose(f); X509_set_version(x, 2); ASN1_INTEGER_set(X509_get_serialNumber(x), 3); // certificate validity X509_gmtime_adj(X509_get_notBefore(x), 0); X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365); X509_set_pubkey(x, pk); name = X509_get_subject_name(x); const char *grp = "incorrect-client"; X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char*) "RO", -1, -1, 0); X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const unsigned char*) "Incorrect Testing Team", -1, -1, 0); X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (const unsigned char*) grp, -1, -1, 0); X509_set_issuer_name(x, name); X509_sign(x, pk, EVP_ecdsa()); f = fopen("wrong-root-ecdsa160.crt", "w"); PEM_write_X509(f, x); fclose(f); I can use such the certificate without a problem in my prototype, add it to the trusted CAs, use it in client-server handshake etc. Any ideas on what I'm doing wrong and how can i get the openssl x509 command to output the correct certificate? If I run: FILE *root_file = fopen("wrong-root-ecdsa160.crt", "r"); X509 *root_cert = PEM_read_X509(root_file, NULL, NULL, NULL); X509_print_fp(stdout, root_cert); everything prints out as expected: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA1 Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client Validity Not Before: Aug 17 09:19:13 2009 GMT Not After : Aug 17 09:19:13 2010 GMT Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:09:bc:fc:6d:cd:7d:65:a1:8d:e4:68:7e:9a:be: 84:d4:e2:6c:b1:4e:fe:a4:45:44:fa:0a:ca:38:d5: ae:be:77:64:82:3f:77:ef:9b:a0:0f Field Type: prime-field Prime: 00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:7f:ff:ff:ff A
Re: UltraSPARC T2 - OpenSSL - PKCS11 ???
Thanks for your help everyone ! I've checked T5120 hardware specifications : 8 cores 8 threads/core so I used the multi 64 option : signverifysign/s verify/s rsa 512 bits 0.s 0.s 121283.7 202718.0 rsa 1024 bits 0.s 0.s 30643.1 115804.2 rsa 2048 bits 0.0002s 0.s 5282.8 44109.6 rsa 4096 bits 0.0421s 0.0009s 23.7 1071.3 It looks much better ! Does it look relevent to you ? About the multi 64 option : I tried multi 70 to be sure there will be always a thread waiting to be executed. I've noticed some improvement but not much ... Is this a good idea ? -- View this message in context: http://www.nabble.com/UltraSPARC-T2---OpenSSL---PKCS11-tp24952022p25002897.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org