Re: missing steps with CRLs
On Thu, 2010-02-04 at 15:59 -0500, Adam Grossman wrote:
> On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
> > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > >
> > > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > > > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > > > >
> > > > > hello once again,
> > > > >
> > > > > I am trying to get CRLs working for client certs. I have read about a
> > > > > million different ways of doing this, but this is how I am doing it:
> > > > >
> > > > > X509_CRL *x509_c;
> > > > > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > > > > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > > > >
> > > > > X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
> > > > > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > > > > X509_V_FLAG_CRL_CHECK_ALL);
> > > > >
> > > > > and when the server receives the peer cert, I do:
> > > > >
> > > > > peer = SSL_get_peer_certificate(ssl);
> > > > > SSL_get_verify_result(ssl);
> > > > >
> > > > > but certs in the CRL are being verified. what am I doing wrong?
> > > > >
> > > > > just as a warning, once this is set up, I have a few more follow-up
> > > > > questions.
> > > > >
> > > >
> > > > What happens if you don't include the CRLs? You should get an error
> > > > about it being unable to lookup the CRL.
> > > >
> > > > Can you get this to work with s_server?
> > > >
> > > > Steve.
> > >
> > > if I do not include the CRLs, I get this error from the browser (Error
> > > code: ssl_error_unknown_ca_alert).
> > >
> > > I need this to work if there is no CRL for the CA, to let it through,
> > > and if there is, look it up. I do not even have a problem doing it by
> > > hand (verifying the serial # of the peer cert against known ones in the
> > > CRL lists), but I could not find a way to pull the serial numbers out of
> > > the CRLs.
> > >
> > > I am not sure what I am looking for in s_server. I ran it, it printed
> > > out the HTTP request, and nothing else. it did give a "bad
> > > gethostbyaddr", but I do not know if that has anything to do with it.
> > >
> >
> > Include the -crl_check and -crl_check_all arguments to s_server. You can
> > also include the -www option which causes it to send a status page back
> > to the browser. Any CRLs can be included in the -CAfile file.
> >
> > Steve.
>
> It's kind of hard to do this for this server. The cert is requested
> after the 2nd handshake, so unless I am attaching to my server, it's
> very hard to use the s_server. I am also trying this from the O'Reilly
> openssl book. and for what I need to do, I would prefer to go this
> route:
>
> after the handshake is complete;
>
> peer=SSL_get_peer_certificate(ssl);
>
> store=X509_STORE_new();
> r=X509_STORE_load_locations(store,NULL,CA_cert_path);
>
> r=X509_STORE_set_default_paths(store);
>
> lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
>
> r=X509_load_crl_file(lookup, ,X509_FILETYPE_PEM);
>
> X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
>
> verify_ctx = X509_STORE_CTX_new();
> r=X509_STORE_CTX_init(verify_ctx,store,peer,NULL);
> r=X509_verify_cert(verify_ctx);
>
> and the verify always fails, even when I have a client cert from the
> same CA as the CRL, but is not in the revoked list.
>
> thank you so much,
> -=- adam grossman

(please ignore my stupidity, it was a permission problem on the CA cert file, sorry...)

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: PKCS#12 Problems
> From: owner-openssl-us...@openssl.org On Behalf Of Dan Letkeman
> Sent: Thursday, 04 February, 2010 14:36
>
> So I'm transferring it with FTP, could that be the problem? Any other
> way to transfer it to a windows machine?
>
> On Thu, Feb 4, 2010 at 11:24 AM, Patrick Patterson wrote:
> > How are you transferring the file around? perhaps you're getting some
> > form of corruption during your file transfer?

Make sure you are in BINARY mode in FTP. It's not usually (perhaps not ever)
the client default. When you get the file on the target, check its size in
bytes matches exactly that from the origin. Even one byte difference in a
binary file (like P12 DER) is fatal.

To answer as asked (but probably superfluous): You could also use SFTP
(Putty provides a Windows client) which AFAICT does ONLY
binary/image/no-cleverness; (get and) run NFS software on the Windows machine
so that Linux (or Unix) can mount and access it; or (get and) run Samba on
Linux so that Windows can access it. Or (re)configure a webserver on the Linux
to serve this file as application/octet-stream or a similar type that a
browser on Windows (can't render and) will store. Or write to removable media
in a Windows-understandable filesystem and move that to the Windows. Today
that's USB memory or disk (probably FAT) or maybe CD-R; or floppy if you still
have them.
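The size check recommended above, worked through end to end. This is an added example, not code from the thread, from Dan's setup or from the OpenSSL project: it exports a PKCS#12 bundle the same way the thread does, confirms it parses, then drops one byte from a copy (the kind of damage a text-mode FTP transfer causes) to show that the damaged copy is rejected, and prints the byte count and SHA-256 that should match on both ends of a transfer. The key, certificate, file names and the export password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): PKCS#12 export,
# parse check, one-byte damage, and the size/digest comparison used to spot
# a corrupted transfer. All names and the password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory, assumed writable
P12PASS="${P12PASS:-export-pass}"       # export password, assumed for the example

make_bundle() {
  # A self-signed cert and key stand in for proxy.pem / proxy.key from the thread.
  # The tiny config keeps "openssl req" from needing a system openssl.cnf.
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"
  openssl req -config "$WORK/req.cnf" -x509 -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.pem" -days 365 \
    -subj "/CN=proxy.example" 2>/dev/null
  # Same export as in the thread, with the password given non-interactively.
  openssl pkcs12 -export -in "$WORK/proxy.pem" -inkey "$WORK/proxy.key" \
    -out "$WORK/proxy.p12" -passout "pass:$P12PASS"
}

parse_bundle() {                        # $1 = .p12 file; prints ok or fail
  # -noout: parse and verify the MAC only, do not print keys or certs
  if openssl pkcs12 -in "$1" -info -noout -passin "pass:$P12PASS" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

drop_last_byte() {                      # $1 = source, $2 = destination
  # Copy all but the final byte: a one-byte difference in a DER file.
  size=$(wc -c < "$1")
  dd if="$1" of="$2" bs=1 count=$((size - 1)) 2>/dev/null
}

fingerprint() {                         # $1 = file; prints "<bytes> <sha256>"
  # The two values to compare on the origin and the target of a transfer.
  printf '%s %s\n' "$(wc -c < "$1" | tr -d ' ')" \
    "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)"
}

main() {
  make_bundle
  drop_last_byte "$WORK/proxy.p12" "$WORK/proxy-damaged.p12"
  echo "origin:  $(fingerprint "$WORK/proxy.p12")  parse=$(parse_bundle "$WORK/proxy.p12")"
  echo "damaged: $(fingerprint "$WORK/proxy-damaged.p12")  parse=$(parse_bundle "$WORK/proxy-damaged.p12")"
}
main
```

Run the `fingerprint` step on the Linux box before the transfer and again on the Windows side (any SHA-256 tool will do there); if either number differs, the bundle was altered in transit and no amount of renaming `.p12` to `.pfx` will help.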
Re: missing steps with CRLs
On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
> On Thu, Feb 04, 2010, Adam Grossman wrote:
> >
> > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > > >
> > > > hello once again,
> > > >
> > > > I am trying to get CRLs working for client certs. I have read about a
> > > > million different ways of doing this, but this is how I am doing it:
> > > >
> > > > X509_CRL *x509_c;
> > > > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > > > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > > >
> > > > X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
> > > > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > > > X509_V_FLAG_CRL_CHECK_ALL);
> > > >
> > > > and when the server receives the peer cert, I do:
> > > >
> > > > peer = SSL_get_peer_certificate(ssl);
> > > > SSL_get_verify_result(ssl);
> > > >
> > > > but certs in the CRL are being verified. what am I doing wrong?
> > > >
> > > > just as a warning, once this is set up, I have a few more follow-up
> > > > questions.
> > > >
> > >
> > > What happens if you don't include the CRLs? You should get an error
> > > about it being unable to lookup the CRL.
> > >
> > > Can you get this to work with s_server?
> > >
> > > Steve.
> >
> > if I do not include the CRLs, I get this error from the browser (Error
> > code: ssl_error_unknown_ca_alert).
> >
> > I need this to work if there is no CRL for the CA, to let it through,
> > and if there is, look it up. I do not even have a problem doing it by
> > hand (verifying the serial # of the peer cert against known ones in the
> > CRL lists), but I could not find a way to pull the serial numbers out of
> > the CRLs.
> >
> > I am not sure what I am looking for in s_server. I ran it, it printed
> > out the HTTP request, and nothing else. it did give a "bad
> > gethostbyaddr", but I do not know if that has anything to do with it.
> >
>
> Include the -crl_check and -crl_check_all arguments to s_server. You can
> also include the -www option which causes it to send a status page back to
> the browser. Any CRLs can be included in the -CAfile file.
>
> Steve.

It's kind of hard to do this for this server. The cert is requested after
the 2nd handshake, so unless I am attaching to my server, it's very hard to
use the s_server. I am also trying this from the O'Reilly openssl book. and
for what I need to do, I would prefer to go this route:

after the handshake is complete;

peer=SSL_get_peer_certificate(ssl);

store=X509_STORE_new();
r=X509_STORE_load_locations(store,NULL,CA_cert_path);

r=X509_STORE_set_default_paths(store);

lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());

r=X509_load_crl_file(lookup, ,X509_FILETYPE_PEM);

X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);

verify_ctx = X509_STORE_CTX_new();
r=X509_STORE_CTX_init(verify_ctx,store,peer,NULL);
r=X509_verify_cert(verify_ctx);

and the verify always fails, even when I have a client cert from the same CA
as the CRL, but is not in the revoked list.

thank you so much,
-=- adam grossman
Re: PKCS#12 Problems
I tried re-ordering the commands and tried renaming it to pfx and it doesn't
make any difference.

openssl pkcs12 -in proxy.p12 -info -clcerts

This seems to work fine. It asked me for the password, shows me the
Certificate, then asked me for the pem pass phrase, and shows me the Private
Key.

So I'm transferring it with FTP, could that be the problem? Any other way to
transfer it to a windows machine?

Dan.

On Thu, Feb 4, 2010 at 11:24 AM, Patrick Patterson wrote:
> On February 4, 2010 11:38:36 am Dan Letkeman wrote:
>> Ok, when I try to import it into Internet Explorer and I get this
>> error: "The file type is not recognizable. Select another file"
>>
> That's really strange - although it SHOULDN'T make an iota of difference,
> rename your .p12 to .pfx, and see what happens.
>
>> So I'm guessing I did something wrong. The CA certificate for the
>> company we bought the certificate from is already in the Astaro and in
>> Internet Explorer's CA list.
>>
>> I just combined the certificate and our key on a linux box that has
>> openssl.
>>
>> openssl -pkcs12 -in proxy.pem -inkey proxy.key -export -out proxy.p12
>>
> Well, aside from the extra - in front of the pkcs12, this looks right.
>
> Just for fun try re-ordering the commands - again, it SHOULDN'T make a
> difference, but you never know :)
>
> openssl pkcs12 -export -in proxy.pem -inkey proxy.key -out proxy.p12
>
> How are you transferring the file around? perhaps you're getting some form
> of corruption during your file transfer?
>
> What happens if you immediately try and re-parse the PKCS12 file on the
> same Linux box?
>
> openssl pkcs12 -in proxy.p12 -info -clcerts
>
> Have fun.
>
> Patrick.
>
>> On Thu, Feb 4, 2010 at 9:08 AM, Patrick Patterson wrote:
>> > On February 3, 2010 05:57:36 pm Dan Letkeman wrote:
>> >> The server I'm trying to import it into is an Astaro Firewall.
>> >> www.astaro.com. I have also just tried to import it into Internet
>> >> Explorer on Windows XP and I get an error.
>> >
>> > Again - what error do you get - just saying that you get an error
>> > doesn't really help us to help you.
>> >
>> >> The Astaro only takes PKCS12 files.
>> >
>> > Ok - do you need to configure any sort of CA certificate? What values
>> > does the Astaro require in the certificate?
>> >
>> > --
>> > Patrick Patterson
>> > President and Chief PKI Architect,
>> > Carillon Information Security Inc.
>> > http://www.carillon.ca
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
Legacy renegotiation in 0.9.8m and "notlsext"
It was not clear to me whether the new code in 0.9.8 to support secure
renegotiation requires "tlsext" support, or is still enabled even with
OpenSSL 0.9.8m Configured with "notlsext" (I can't deploy a "tlsext" build of
0.9.8m, because this breaks binary compatibility of shared libraries with
previous 0.9.8 releases).

It appears that the secure renegotiation code is still present in a
"notlsext" configuration, and does not break binary compatibility. If someone
could confirm this "officially", that would be great.

In looking at the code, I found a surprising asymmetry between the s_client
and s_server changes for 0.9.8m. The s_client code supports the
"-legacy_renegotiation" flag with "notlsext", but the "s_server" code does
not. I am guessing this is unintentional:

--- apps/s_client.c 2010-02-04 12:37:56.126584525 -0500 +++ apps/s_client.c 2009-12-16 15:34:19.907161627 -0500 @@ -238,2 +245,8 @@ BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -status - request certificate status from server\n"); + BIO_printf(bio_err," -no_ticket- disable use of RFC4507bis session tickets\n"); +#endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); --- apps/s_server.c 2010-02-04 12:37:56.135583361 -0500 +++ apps/s_server.c 2009-12-08 08:47:27.109842042 -0500
@@ -378,2 +397,13 @@ BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); + BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); + BIO_printf(bio_err," -cert2 arg- certificate file to use for servername\n"); + BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); + BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -no_ticket- disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +#endif }

--
Viktor.
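Review bot: in the s_server.c hunk the `-legacy_renegotiation` usage line is emitted inside the `#ifndef OPENSSL_NO_TLSEXT` block, next to the servername, cert2/key2, tlsextdebug and no_ticket lines, whereas the s_client.c hunk prints `BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");` after its `#endif`, unconditionally. Legacy renegotiation is not a TLS-extension feature, so the s_server line should move below the `#endif` to match s_client. The hunks show only the usage text; the option-parsing code for `-legacy_renegotiation` in s_server.c needs the same check, since a notlsext build would otherwise document the flag on one side only.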
Re: missing steps with CRLs
On Thu, Feb 04, 2010, Adam Grossman wrote:
> On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > >
> > > hello once again,
> > >
> > > I am trying to get CRLs working for client certs. I have read about a
> > > million different ways of doing this, but this is how I am doing it:
> > >
> > > X509_CRL *x509_c;
> > > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > >
> > > X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
> > > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > > X509_V_FLAG_CRL_CHECK_ALL);
> > >
> > > and when the server receives the peer cert, I do:
> > >
> > > peer = SSL_get_peer_certificate(ssl);
> > > SSL_get_verify_result(ssl);
> > >
> > > but certs in the CRL are being verified. what am I doing wrong?
> > >
> > > just as a warning, once this is set up, I have a few more follow-up
> > > questions.
> > >
> >
> > What happens if you don't include the CRLs? You should get an error about
> > it being unable to lookup the CRL.
> >
> > Can you get this to work with s_server?
> >
> > Steve.
>
> if I do not include the CRLs, I get this error from the browser (Error
> code: ssl_error_unknown_ca_alert).
>
> I need this to work if there is no CRL for the CA, to let it through,
> and if there is, look it up. I do not even have a problem doing it by
> hand (verifying the serial # of the peer cert against known ones in the
> CRL lists), but I could not find a way to pull the serial numbers out of
> the CRLs.
>
> I am not sure what I am looking for in s_server. I ran it, it printed
> out the HTTP request, and nothing else. it did give a "bad
> gethostbyaddr", but I do not know if that has anything to do with it.
>

Include the -crl_check and -crl_check_all arguments to s_server. You can also
include the -www option which causes it to send a status page back to the
browser. Any CRLs can be included in the -CAfile file.

Steve.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
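The flags Steve names for s_server have the same meaning for `openssl verify`, which makes the CRL behaviour easy to reproduce without a browser in the loop. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA, issues two client certificates, revokes one, publishes a CRL, puts the CRL into the same PEM file as the CA certificate (as Steve suggests for `-CAfile`), and reports what `openssl verify -crl_check` says in each of the four situations that come up in the thread, including the "no CRL available" case and a listing of the serial numbers the CRL contains. The CA name, client names, serial numbers and the scratch directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): exercise CRL
# checking with the openssl CLI. Names, paths and serials are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory, assumed writable

setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"            # first issued cert gets serial 0x1000
  # Minimal config for "openssl ca" and "openssl req"; $dir is resolved by OpenSSL.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/ca.pem
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
x509_extensions    = v3_client

[ policy_any ]
commonName         = supplied

[ v3_client ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
  openssl req -config "$WORK/ca.cnf" -x509 -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 365 \
    -subj "/CN=Example Test CA" 2>/dev/null
}

issue_client() {                        # $1 = common name; writes $WORK/$1.pem
  openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

revoke_and_publish() {                  # $1 = common name of the cert to revoke
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
  # Steve's point: a PEM CAfile may carry CRLs next to the CA certificates.
  cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/trust-with-crl.pem"
}

verify_status() {   # $1 = CAfile, $2 = cert, $3 = -crl_check / -crl_check_all (optional)
  # Prints ok, revoked, no-crl or other. The exit status is deliberately not
  # used: older "openssl verify" builds exit 0 even when verification fails.
  out=$(openssl verify ${3:-} -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo other ;;
  esac
}

revoked_serials() {                     # serial numbers listed in the CRL, one per line
  openssl crl -in "$WORK/crl.pem" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

main() {
  setup_ca
  issue_client client1
  issue_client client2
  revoke_and_publish client1
  echo "no -crl_check, revoked cert:   $(verify_status "$WORK/ca.pem" "$WORK/client1.pem")"
  echo "-crl_check, no CRL loaded:     $(verify_status "$WORK/ca.pem" "$WORK/client1.pem" -crl_check)"
  echo "-crl_check, CRL in CAfile:     $(verify_status "$WORK/trust-with-crl.pem" "$WORK/client1.pem" -crl_check)"
  echo "-crl_check, unrevoked cert:    $(verify_status "$WORK/trust-with-crl.pem" "$WORK/client2.pem" -crl_check)"
  echo "serials in CRL: $(revoked_serials | tr '\n' ' ')"
}
main
```

Two things the output makes concrete. First, with `X509_V_FLAG_CRL_CHECK` set (which is what `-crl_check` does) a missing CRL is itself a verification failure, "unable to get certificate CRL", so a revoked certificate can never slip through merely because the CRL was not loaded; `-crl_check_all` extends the same rule to every CA in the chain. Second, the "let it through if this CA has no CRL" behaviour asked for in the thread is not a flag: in the C API it has to be a verify callback (`SSL_CTX_set_verify` or `X509_STORE_set_verify_cb`) that returns 1 only for `X509_V_ERR_UNABLE_TO_GET_CRL` and leaves every other error, `X509_V_ERR_CERT_REVOKED` included, as a failure. The serial numbers come out of a CRL with `X509_CRL_get_REVOKED()` and `X509_REVOKED_get0_serialNumber()`, the same data the `sed` line above scrapes from the text dump.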
Re: missing steps with CRLs
On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> On Thu, Feb 04, 2010, Adam Grossman wrote:
> >
> > hello once again,
> >
> > I am trying to get CRLs working for client certs. I have read about a
> > million different ways of doing this, but this is how I am doing it:
> >
> > X509_CRL *x509_c;
> > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> >
> > X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
> > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > X509_V_FLAG_CRL_CHECK_ALL);
> >
> > and when the server receives the peer cert, I do:
> >
> > peer = SSL_get_peer_certificate(ssl);
> > SSL_get_verify_result(ssl);
> >
> > but certs in the CRL are being verified. what am I doing wrong?
> >
> > just as a warning, once this is set up, I have a few more follow-up
> > questions.
> >
>
> What happens if you don't include the CRLs? You should get an error about
> it being unable to lookup the CRL.
>
> Can you get this to work with s_server?
>
> Steve.

if I do not include the CRLs, I get this error from the browser (Error
code: ssl_error_unknown_ca_alert).

I need this to work if there is no CRL for the CA, to let it through, and
if there is, look it up. I do not even have a problem doing it by hand
(verifying the serial # of the peer cert against known ones in the CRL
lists), but I could not find a way to pull the serial numbers out of the
CRLs.

I am not sure what I am looking for in s_server. I ran it, it printed out
the HTTP request, and nothing else. it did give a "bad gethostbyaddr", but
I do not know if that has anything to do with it.

thank you,
-=- adam grossman
Re: PKCS#12 Problems
On February 4, 2010 11:38:36 am Dan Letkeman wrote:
> Ok, when I try to import it into Internet Explorer and I get this
> error: "The file type is not recognizable. Select another file"
>
That's really strange - although it SHOULDN'T make an iota of difference,
rename your .p12 to .pfx, and see what happens.

> So I'm guessing I did something wrong. The CA certificate for the
> company we bought the certificate from is already in the Astaro and in
> Internet Explorer's CA list.
>
> I just combined the certificate and our key on a linux box that has
> openssl.
>
> openssl -pkcs12 -in proxy.pem -inkey proxy.key -export -out proxy.p12
>
Well, aside from the extra - in front of the pkcs12, this looks right.

Just for fun try re-ordering the commands - again, it SHOULDN'T make a
difference, but you never know :)

openssl pkcs12 -export -in proxy.pem -inkey proxy.key -out proxy.p12

How are you transferring the file around? perhaps you're getting some form of
corruption during your file transfer?

What happens if you immediately try and re-parse the PKCS12 file on the same
Linux box?

openssl pkcs12 -in proxy.p12 -info -clcerts

Have fun.

Patrick.

> On Thu, Feb 4, 2010 at 9:08 AM, Patrick Patterson wrote:
> > On February 3, 2010 05:57:36 pm Dan Letkeman wrote:
> >> The server I'm trying to import it into is an Astaro Firewall.
> >> www.astaro.com. I have also just tried to import it into Internet
> >> Explorer on Windows XP and I get an error.
> >
> > Again - what error do you get - just saying that you get an error doesn't
> > really help us to help you.
> >
> >> The Astaro only takes PKCS12 files.
> >
> > Ok - do you need to configure any sort of CA certificate? What values
> > does the Astaro require in the certificate?
> >
> > --
> > Patrick Patterson
> > President and Chief PKI Architect,
> > Carillon Information Security Inc.
> > http://www.carillon.ca

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Re: missing steps with CRLs
On Thu, Feb 04, 2010, Adam Grossman wrote:
> hello once again,
>
> I am trying to get CRLs working for client certs. I have read about a
> million different ways of doing this, but this is how I am doing it:
>
> X509_CRL *x509_c;
> X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
>
> X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
> X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
>
> and when the server receives the peer cert, I do:
>
> peer = SSL_get_peer_certificate(ssl);
> SSL_get_verify_result(ssl);
>
> but certs in the CRL are being verified. what am I doing wrong?
>
> just as a warning, once this is set up, I have a few more follow-up
> questions.
>

What happens if you don't include the CRLs? You should get an error about it
being unable to lookup the CRL.

Can you get this to work with s_server?

Steve.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: PKCS#12 Problems
Ok, when I try to import it into Internet Explorer and I get this error:
"The file type is not recognizable. Select another file"

So I'm guessing I did something wrong. The CA certificate for the company we
bought the certificate from is already in the Astaro and in Internet
Explorer's CA list.

I just combined the certificate and our key on a linux box that has openssl.

openssl -pkcs12 -in proxy.pem -inkey proxy.key -export -out proxy.p12

On Thu, Feb 4, 2010 at 9:08 AM, Patrick Patterson wrote:
> On February 3, 2010 05:57:36 pm Dan Letkeman wrote:
>> The server I'm trying to import it into is an Astaro Firewall.
>> www.astaro.com. I have also just tried to import it into Internet
>> Explorer on Windows XP and I get an error.
>>
> Again - what error do you get - just saying that you get an error doesn't
> really help us to help you.
>
>> The Astaro only takes PKCS12 files.
>>
> Ok - do you need to configure any sort of CA certificate? What values does
> the Astaro require in the certificate?
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
missing steps with CRLs
hello once again,

I am trying to get CRLs working for client certs. I have read about a
million different ways of doing this, but this is how I am doing it:

X509_CRL *x509_c;
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());

X509_load_cert_crl_file(lu,,X509_FILETYPE_PEM);
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);

and when the server receives the peer cert, I do:

peer = SSL_get_peer_certificate(ssl);
SSL_get_verify_result(ssl);

but certs in the CRL are being verified. what am I doing wrong?

just as a warning, once this is set up, I have a few more follow-up
questions.

thanks everyone ahead of time,
-=- adam grossman
Re: OpenSSL PKCS11 engine implementation
Hi Christian,

I have gone through the engine_pkcs11 source code and I was not able to find
any RSA encryption and decryption implemented by this engine.

Thanks in advance
Samuel

On Thu, Feb 4, 2010 at 8:39 PM, Christian Hohnstaedt <christ...@hohnstaedt.de> wrote:
> Hi Samuel,
>
> you are aware of the PKCS#11 engine from the OpenSC project?
> http://www.opensc-project.org/engine_pkcs11
>
> If this is not already the engine you want to implement,
> maybe its sources could give some hints and inspirations.
>
> Christian
>
>
> On Thu, Feb 04, 2010 at 06:24:13AM -0800, Samuel123smith wrote:
> >
> > Hi ALL,
> >
> > I was trying to write an OpenSSL PKCS#11 engine implementation for RSA.
> > Now I am stuck with implementing the RSA padding which is required for
> > RSA encryption, decryption, signing and verifying.
> >
> > I was trying to find the mechanism which is needed for each padding.
> >
> > RSA_PKCS1_PADDING ---> Mechanism used is CKM_RSA_PKCS
> > RSA_PKCS1_OAEP_PADDING --> Mechanism used is CKM_RSA_PKCS_OAEP (please
> > confirm if it is correct)
> >
> > I was not able to figure out which mechanism to use for
> >
> > RSA_SSLV23_PADDING
> > RSA_NO_PADDING
> >
> > Does anyone know which PKCS#11 mechanism is to be used for this padding?
> >
> > Need your help and assistance to solve this problem
> >
> > Thanks in advance
> > Samuel
> > --
> > View this message in context:
> > http://old.nabble.com/OpenSSL-PKCS11-engine-implementation-tp27452205p27452205.html
> > Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: OpenSSL PKCS11 engine implementation
Hi Samuel,

you are aware of the PKCS#11 engine from the OpenSC project?
http://www.opensc-project.org/engine_pkcs11

If this is not already the engine you want to implement,
maybe its sources could give some hints and inspirations.

Christian

On Thu, Feb 04, 2010 at 06:24:13AM -0800, Samuel123smith wrote:
>
> Hi ALL,
>
> I was trying to write an OpenSSL PKCS#11 engine implementation for RSA.
> Now I am stuck with implementing the RSA padding which is required for RSA
> encryption, decryption, signing and verifying.
>
> I was trying to find the mechanism which is needed for each padding.
>
> RSA_PKCS1_PADDING ---> Mechanism used is CKM_RSA_PKCS
> RSA_PKCS1_OAEP_PADDING --> Mechanism used is CKM_RSA_PKCS_OAEP (please
> confirm if it is correct)
>
> I was not able to figure out which mechanism to use for
>
> RSA_SSLV23_PADDING
> RSA_NO_PADDING
>
> Does anyone know which PKCS#11 mechanism is to be used for this padding?
>
> Need your help and assistance to solve this problem
>
> Thanks in advance
> Samuel
> --
> View this message in context:
> http://old.nabble.com/OpenSSL-PKCS11-engine-implementation-tp27452205p27452205.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: PKCS#12 Problems
On February 3, 2010 05:57:36 pm Dan Letkeman wrote:
> The server I'm trying to import it into is an Astaro Firewall.
> www.astaro.com. I have also just tried to import it into Internet
> Explorer on Windows XP and I get an error.
>
Again - what error do you get - just saying that you get an error doesn't
really help us to help you.

> The Astaro only takes PKCS12 files.
>
Ok - do you need to configure any sort of CA certificate? What values does
the Astaro require in the certificate?

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
OpenSSL PKCS11 engine implementation
Hi ALL,

I was trying to write an OpenSSL PKCS#11 engine implementation for RSA. Now I
am stuck with implementing the RSA padding which is required for RSA
encryption, decryption, signing and verifying.

I was trying to find the mechanism which is needed for each padding.

RSA_PKCS1_PADDING ---> Mechanism used is CKM_RSA_PKCS
RSA_PKCS1_OAEP_PADDING --> Mechanism used is CKM_RSA_PKCS_OAEP (please
confirm if it is correct)

I was not able to figure out which mechanism to use for

RSA_SSLV23_PADDING
RSA_NO_PADDING

Does anyone know which PKCS#11 mechanism is to be used for this padding?

Need your help and assistance to solve this problem

Thanks in advance
Samuel
--
View this message in context:
http://old.nabble.com/OpenSSL-PKCS11-engine-implementation-tp27452205p27452205.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Hi,

I used

X509_add1_ext_i2d(x509Cert, NID_subject_key_identifier, keyid, 0, 0);

to set the SKID value and it works now!!

Thanks for all the help!!

-Ujwal
Stunnel 4.31 released
The ChangeLog entry:

Version 4.31, 2010.02.03, urgency: MEDIUM:
* New features
  - Log file reopen on USR1 signal was added.
* Bugfixes
  - Some regression issues introduced in 4.30 were fixed.

SHA-1 value for stunnel-4.31.tar.gz:
f51fc544a0554f6eee2bfca1fcb8ddcb8386ce32

Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Michal Trojnara