Re: RSA OAEP encrypt with a label

2009-09-11 Thread Einar Thorsrud
Thank you Martin. I have tried using the function, however using the
code I have pasted below I get the error "Error = oaep decoding error"
when trying to unpad to retrieve the original data.

For simplicity the code I have added here does not encrypt/decrypt, but
only attempts to pad and unpad.

What could be the cause of this problem here?

--
#include <cstdio>
#include <iostream>
#include <openssl/err.h>
#include <openssl/rsa.h>

int main()
{
  // Load the RSA error strings so ERR_reason_error_string() can name the failure.
  ERR_load_RSA_strings();

  int status;
  const int RSA_LENGTH = 256;           // passed as the modulus length (num)
  const int LABEL_LENGTH = 10;
  const int PADDED_DATA_LENGTH = 256;
  const int ORIGINAL_DATA_LENGTH = 16;

  unsigned char paddedData[PADDED_DATA_LENGTH];
  unsigned char unPaddedData[ORIGINAL_DATA_LENGTH];
  unsigned char originalData[ORIGINAL_DATA_LENGTH] =
    { 0x4C, 0x2E, 0x20, 0x4C, 0x65, 0x74, 0x27, 0x73,
      0x20, 0x68, 0x6F, 0x70, 0x65, 0x0D, 0x0A, 0x00 };
  unsigned char label[LABEL_LENGTH] =
    { 0xB8, 0x37, 0xA4, 0x26, 0xA8,
      0xBF, 0x8A, 0xA0, 0xBE, 0xEB };

  // Pad: OAEP-encode originalData, with the label as the encoding parameter.
  status = RSA_padding_add_PKCS1_OAEP
    ( paddedData, PADDED_DATA_LENGTH,
      originalData, ORIGINAL_DATA_LENGTH,
      label, LABEL_LENGTH );

  // Unpad: this is the call that reports "oaep decoding error".
  status = RSA_padding_check_PKCS1_OAEP
    ( unPaddedData, ORIGINAL_DATA_LENGTH,
      paddedData, PADDED_DATA_LENGTH,
      RSA_LENGTH, label, LABEL_LENGTH );
  if ( status == -1 ) {
    std::cout << "Unpadding failed! ";
    printf("Error = %s\n", ERR_reason_error_string(ERR_get_error()));
  }
  else {
    std::cout << "Unpadding was OK! Length of the recovered data: "
              << status << std::endl;
  }
  return 0;
}
--

Thanks for all the help so far :)

- Einar

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
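
The pad/unpad round trip from the message above, written out as EME-OAEP from PKCS #1 v2 (RFC 8017) in Python. This is an added example, not code from the thread or from OpenSSL; the function names, SHA-1 as the hash, and the convention that the decoder receives all k octets including the leading 0x00 are assumptions of this sketch.

```python
import hashlib
import os

H = hashlib.sha1                  # hash for the label and MGF1 (assumed: SHA-1)
HLEN = H().digest_size            # 20 bytes

def mgf1(seed: bytes, n: int) -> bytes:
    """MGF1 mask of n bytes."""
    blocks = (H(seed + c.to_bytes(4, "big")).digest() for c in range(-(-n // HLEN)))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: bytes = None) -> bytes:
    """Return the k-byte encoded message EM = 00 || maskedSeed || maskedDB."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    seed = seed or os.urandom(HLEN)
    db = H(label).digest() + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, len(db)))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Recover msg from a k-byte EM; every failure raises the same error.
    Illustrative only: the checks below are not constant-time."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")      # 0x01 separator must follow an all-zero run
    if (em[0] != 0 or db[:HLEN] != H(label).digest()
            or sep < 0 or any(rest[:sep])):
        raise ValueError("decoding error")
    return rest[sep + 1:]

def fails(em: bytes, k: int, label: bytes) -> bool:
    try:
        oaep_decode(em, k, label)
        return False
    except ValueError:
        return True

# Message and label bytes as given in the post; k = 256 as in RSA_LENGTH.
MSG = bytes.fromhex("4c2e204c6574277320686f70650d0a00")
LABEL = bytes.fromhex("b837a426a8bf8aa0beeb")
EM = oaep_encode(MSG, 256, LABEL)
```

With this convention, decoding fails for a different label and for a 255-byte buffer with the leading zero removed. A check routine that expects the leading zero octet already stripped would instead need `EM[1:]` with length k - 1, so the buffer convention of the library version in use is worth confirming in its documentation.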


Re: How to re-use a socket with a new SSL session?

2009-09-11 Thread Victor Duchovni
On Fri, Sep 11, 2009 at 12:51:15PM +1000, Andrew Sumner wrote:

> Victor, you've just described exactly what I've been trying to do. A clean
> shutdown on both sides, socket connection left open, then a "client HELLO"
> after which both sides initiate SSL again.
> 
> I just can't seem to find a method of doing it that actually works.

Initially, does your client build an SSL connection over an already
(TCP) established connection passed to it as a file descriptor?

Initially, does your server accept an SSL connection over an already
(TCP) established connection passed to it as a file descriptor?

Do both parties call SSL_shutdown() at least once, and a second time if
the initial return value is zero?

Do you use an external session cache (store serialized SSL_SESSION
objects) in a store accessible to multiple processes via IPC or an
appropriate shared resource with robust locking? If so, the re-connect
will be efficient, if you pre-load the saved session into the client
SSL state.

-- 
Viktor.


load certificate into rsa

2009-09-11 Thread Michael Prinzinger
Dear Group,

I want to use the openssl crypt library to sign and verify messages.
Apparently I can use a RSA struct and RSA_sign and RSA_verify for that.

However, my certificates are of the form
-----BEGIN CERTIFICATE-----
MIIDDTCCAnagAwIBAgIJAMWKwoNrQvTvMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
...
-----END CERTIFICATE-----

How ever can I load such a certificate into my RSA struct?
Concerning encryption, for public and private keys I could use
PEM_read_RSAPublicKey and PEM_read_bio_RSAPublicKey
to load my keys.

Are there methods like this for certificates and certificate private keys?

Thank You!

Michael


Re: load certificate into rsa

2009-09-11 Thread Dr. Stephen Henson
On Fri, Sep 11, 2009, Michael Prinzinger wrote:

> Dear Group,
> 
> I want to use the openssl crypt library to sign and verify messages.
> Apparently I can use a RSA struct and RSA_sign and RSA_verify for that.
> 
> However, my certificates are of the form
> -----BEGIN CERTIFICATE-----
> MIIDDTCCAnagAwIBAgIJAMWKwoNrQvTvMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
> ...
> -----END CERTIFICATE-----
> 
> How ever can I load such a certificate into my RSA struct?
> Concerning encryption, for public and private keys I could use
> PEM_read_RSAPublicKey and PEM_read_bio_RSAPublicKey
> to load my keys.
> 
> Are there methods like this for certificates and certificate private keys?
> 

The low level RSA_sign() and RSA_verify() functions shouldn't be used to sign
bulk data. Instead you should use the EVP_Sign*() and EVP_Verify*() interface.
There you use a generalised key structure EVP_PKEY. You can get a public key
from a certificate using X509_get_pubkey(). 

You can get a private key into an EVP_PKEY structure using
PEM_read_PrivateKey() and a certificate into an X509 structure using
PEM_read_X509(). See the manual pages for more information and actual
examples.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: A PKI in a web page

2009-09-11 Thread jehan procaccia
Actually I am looking for simple software with a command line interface
to operate a CA, sub-CA, then client and server certs, that is eventually
capable of publishing public certs and CRL / policies on the web.
If I can't find a package around openssl, I will probably end up using
direct openssl commands ..., but I need something to publish the CA
certificate and CRL on a web page.
http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290 was very good
at that, but it now dates from 2005; I'm afraid it won't be updated.


Here's a list of open-source PKI software I ran into, with my comments (#)
http://ejbca.sourceforge.net/ #complex and no tomcat (jboss etc ...)
http://pki.openca.org/ #complex
http://www.opentrust.com/index.php?lang=en #licence ...
http://www.newpki.org/ # Last update December 14, 2005
http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290 #What I use but dates from 2005-10-22
http://tinyca.sm-zone.net/ #Last update 2006, perhaps too much GUI? gtk!
http://www.pyca.de/ # Last update 29-Apr-2003
http://www.vpnc.org/SimpleCA/ #no date!?
http://xca.sourceforge.net/ #Last update 2007
http://www.cymc.online.fr/openwebpki/ #windows only
http://sourceforge.net/projects/phpki/ #perhaps too GUI (web), no way to use direct CLI!? not fully tested yet ...

other list http://middleware.internet2.edu/hepki-tag/opensrc.html

If you have others, let me know, thanks.

Mounir IDRASSI wrote:

Hi,

You can have a look at PHPki (http://sourceforge.net/projects/phpki):
it has the advantage of publishing a CRL and certificates on web
pages, plus enrollment and revocation pages. It's based on PHP and it
invokes the openssl utility with conf files created on the fly for each
operation.
I have been using it for a year now and it was easy to modify it to
accommodate my own requirements (like supporting SHA1 instead of the
default MD5 and adding new templates). I hope it can be useful for you
as it is for me.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

jehan procaccia wrote:
  

Good initiative I'll give it a try ...
although I am looking for "intermediate" size PKI free software,
I am a bit confused with large scale software like openca or ejbca ,
too complex :-(
I used to operate my pki with a perl-openssl package from 
http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290

but it dates from 2005 without evolution ...
Now that I am about to re-create a new root, I'm looking for new
software very close to openssl with command line interface, but still
able to publish crl and certs on a web page .
any advice ?

Regards .

Richard Salz wrote:

From my blog, at
https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10


I'm making available my small set of web pages and Perl script that
implement a self-service PKI built around OpenSSL.  The Perl script
and config are under 250 lines and the couple of web pages involved
are under 200 lines; there's also a couple of screen shots to guide
someone through installing a cert on Microsoft Windows.  It's all in
the public domain. Enjoy.

--
STSM, DataPower CTO
WebSphere Appliance Architect
http://www.ibm.com/software/integration/datapower/


Re: A PKI in a web page

2009-09-11 Thread Kyle Hamilton
CSP-0.34 dates from 2007.  ftp://ftp.su.se/pub/users/leifj/ is where
it can be found.  You're using either 0.31 or 0.32, if you're using
one with a date from 2005.

-Kyle H

On Fri, Sep 11, 2009 at 8:24 AM, jehan procaccia wrote:
> Actually I am looking for simple software with a command line interface to
> operate a CA, sub-CA, then client and server certs, that is eventually
> capable of publishing public certs and CRL / policies on the web.
> If I can't find a package around openssl, I will probably end up using
> direct openssl commands ..., but I need something to publish the CA certificate
> and CRL on a web page.
> http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290 was very good at
> that, but it now dates from 2005; I'm afraid it won't be updated.
>
> Here's a list of open-source PKI software I ran into, with my comments (#)
> http://ejbca.sourceforge.net/ #complex and no tomcat (jboss etc ...)
> http://pki.openca.org/ #complex
> http://www.opentrust.com/index.php?lang=en #licence ...
> http://www.newpki.org/ # Last update December 14, 2005
> http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290 #What I use but dates from 2005-10-22
> http://tinyca.sm-zone.net/ #Last update 2006, perhaps too much GUI? gtk!
> http://www.pyca.de/ # Last update 29-Apr-2003
> http://www.vpnc.org/SimpleCA/ #no date!?
> http://xca.sourceforge.net/ #Last update 2007
> http://www.cymc.online.fr/openwebpki/ #windows only
> http://sourceforge.net/projects/phpki/ #perhaps too GUI (web), no way to use direct CLI!? not fully tested yet ...
> other list http://middleware.internet2.edu/hepki-tag/opensrc.html
>
> If you have others, let me know, thanks.
>
> Mounir IDRASSI wrote:
>>
>> Hi,
>>
>> You can have a look at PHPki (http://sourceforge.net/projects/phpki):
>> it has the advantage of publishing a CRL and certificates on web
>> pages, plus enrollment and revocation pages. It's based on PHP and it
>> invokes the openssl utility with conf files created on the fly for each
>> operation.
>> I have been using it for a year now and it was easy to modify it to
>> accommodate my own requirements (like supporting SHA1 instead of the
>> default MD5 and adding new templates). I hope it can be useful for you
>> as it is for me.
>>
>> Cheers,
>> --
>> Mounir IDRASSI
>> IDRIX
>> http://www.idrix.fr
>>
>> jehan procaccia wrote:
>>
>>>
>>> Good initiative I'll give it a try ...
>>> although I am looking for "intermediate" size PKI free software,
>>> I am a bit confused with large scale software like openca or ejbca ,
>>> too complex :-(
>>> I used to operate my pki with a perl-openssl package from
>>> http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1026&a=3290
>>> but it dates from 2005 without evolution ...
>>> Now that I am about to re-create a new root, I'm looking for new
>>> software very close to openssl with command line interface, but still
>>> able to publish crl and certs on a web page .
>>> any advice ?
>>>
>>> Regards .
>>>
>>> Richard Salz wrote:
>>>

 From my blog, at

 https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10


 I'm making available my small set of web pages and Perl script that
 implement a self-service PKI built around OpenSSL.  The Perl script
 and config are under 250 lines and the couple of web pages involved
 are under 200 lines; there's also a couple of screen shots to guide
 someone through installing a cert on Microsoft Windows.  It's all in
 the public domain. Enjoy.

 --
 STSM, DataPower CTO
 WebSphere Appliance Architect
 http://www.ibm.com/software/integration/datapower/