rsaEncryption vs sha1WithRSAEncryption: the same???
Dear all,

I have been digging a bit into the OpenSSL code to answer because I have a doubt. Using keys on file and, also, using smart cards via the OpenSC engine, I am almost sure that by producing a PKCS7 the signature is of type sha1WithRSAEncryption (at least without any special options), that implies using specific kinds of padding for the digest before the RSA encryption, for instance. The signature in the PKCS7, though, is marked as an object of type rsaEncryption (can tell with the asn1parse command).

Is it correct to say that they are the same, or, better, that
1) rsaEncryption includes the sha1WithRSAEncryption type
2) sha1WithRSAEncryption is what the PKCS7 API does by default?

Otherwise, which is the actual difference?

Thanks

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
[ANNOUNCE] Engine_cudamrg for OpenSSL - A cryptographic engine for CUDA supported devices
Engine_cudamrg for OpenSSL - A cryptographic engine for CUDA supported devices
http://code.google.com/p/engine-cuda/

I'm pleased to announce the release of version 0.1.0 of Engine_cudamrg for OpenSSL.

Engine_cudamrg is a cryptographic engine that can accelerate some operations using a CUDA supported device. We currently support the following cipher types:

* AES-128-ECB
* AES-128-CBC
* AES-192-ECB
* AES-192-CBC
* AES-256-ECB
* AES-256-CBC

We support both encryption and decryption for these cipher types.

For future releases we plan to optimize currently supported cipher types, add more cipher types and digest algorithms.

You can download the source code using the following link:
http://engine-cuda.googlecode.com/files/engine_cudamrg-v_0.1.0.tar.gz

In addition, a fresh version of the source code is available via SVN under the GNU General Public License v3:
http://engine-cuda.googlecode.com/svn/trunk/

You can find detailed instructions on installation, configuration and usage at the address http://code.google.com/p/engine-cuda/wiki/, a performance analysis at the address http://code.google.com/p/engine-cuda/wiki/benchmarkVersion010

Feel free to report any bug or suggestion to the mailing list at the address engine-cuda...@googlegroups.com or through the issue tracker at the address http://code.google.com/p/engine-cuda/issues/list

If you want to test it or use it please let me know your opinion through the mailing list or directly to my email address, same way if someone wants to join the development team or help me to improve or translate the documentation in other languages different from those currently supported (English and Italian).

Enjoy,
Paolo Margara
Re: C library verification of Key Usage
This worked... Thank you very much...

-P

On 09/08/2010 02:27 PM, Dr. Stephen Henson wrote:
> On Tue, Sep 07, 2010, Paul Douglas wrote:
>
> > Hi Everyone,
> >
> > I'm trying to figure out the required openssl c library calls to check/verify if a certificate supports Web Server Authentication. From the command line it looks like I could use
> >
> >   openssl x509 -purpose -in ./certificate -noout
> >
> > and then check for:
> >
> >   SSL server : Yes
> >
> > I'd like to perform a similar verification from my application. I've been searching for examples that indicate how to do this, but so far I haven't been able to find any.
>
> You can duplicate that functionality with the function X509_check_purpose(). In that case:
>
>   rv = X509_check_purpose(cert, X509_PURPOSE_SSL_SERVER, 0);
>
> Should do the trick. If the return value is 1 it can be used if 0 it can't. Any other positive value indicates it is tolerated but not strictly according to standard.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
SSL_WRITING Problem
Platform: AIX 5.3
Compiler: xlc_r
SSL: openssl-0.9.7d

Problem Description:

C++ code using non-blocking sockets.

  SSL_CTX_new(TLSv1_client_method());
  SSL_CTX_set_mode(m_ctx, SSL_MODE_AUTO_RETRY);

We are seeing instances where SSL_connect() returns -1, which is normal for non-blocking sockets. A call to SSL_get_error() always returns SSL_ERROR_SYSCALL while calls to SSL_want() will return either SSL_READING or SSL_WRITING. In the case of SSL_READING, a subsequent call to SSL_connect() will complete the handshake. However, when SSL_want() returns SSL_WRITING, we cannot proceed.

For SSL_WRITING a subsequent call to SSL_connect() results in the socket closing unexpectedly. If we attach a callback to the socket, an infinite callback loop ensues. If we wait and reissue the SSL_want(), SSL_WRITING is always returned.

How do we proceed when faced with the SSL_WRITING state during the handshake?

Thanks.

Pete Loevinger/COMSYS
ISGS Civil
Rockville, MD 870/3A30
(301) 640-3565
Re: Intermediate root CA's -- lost and confused :(
> Also, gnutls-client works correctly and lists the entire CA chain, which would also seem to indicate the server is supplying them.

Connecting with openssl s_client as per the command you provided is not showing the certificate chain.

  openssl s_client -verify 10 -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443

Try gnutls without the TLS extensions processing occurring and you will see that the server is not sending back the certificate chain:

  gnutls-cli --priority 'NONE:+VERS-SSL3.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL' --debug 10 --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443

This fails. You need to correct your server configuration so that it correctly sends out the chain.

Tim.
cms sign with md5
hi all!

how can I tell openssl cms to sign not with sha1 but with md5? i tried the -md5 option but got an error.

thanks!
br, chris
Re: cms sign with md5
Which error?

On Tue, Sep 14, 2010 at 3:34 PM, ch ch_m...@gmx.at wrote:
> hi all!
>
> how can I tell openssl cms to sign not with sha1 but with md5? i tried the -md5 option but got an error.
>
> thanks!
> br, chris

--
Regards
Kartik Rustagi
Unstable output
Hi,

I've made a test program. I have an unstable output with keys/data in the magic option. With other data/keys the output is stable (doc option). Does someone have a reason for it? The source has been made for a Linux environment.

Best regards,
Wim

/*
** Include files
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <time.h>
#include <openssl/des.h>
#include <fcntl.h>
#include <errno.h>

#define BUFSIZE 350
#define MAGIC 1
#define DOC 2

static const unsigned char initVector[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; // The initialization vector
static unsigned char skC1[8];
static unsigned char skC2[8];
static unsigned char in[BUFSIZE]={0};
static unsigned char out[BUFSIZE]={0};

/*---*/
static void debugHexPrint(const char *tag, unsigned char *data, unsigned int size)
{
    unsigned int i;

    printf("%s: ", tag);
    for(i=0;i<size;i++)
        printf("%02X ", *(data+i));
    printf("\n");
}

/*---*/
int main(int argc, char *argv[])
{
    des_key_schedule kSched1, kSched2;
    des_cblock iv;
    int i;
    struct timeval start, stop;
    int inSize;
    int outSize;
    int result;
    int type = 0;

    if (argc < 2)
    {
        printf(" testdes V01.00\n");
        printf(" use: \"testdes magic\" or \"testdes doc\"\n");
        return 0;
    }
    for(i=0;i<argc;i++)
    {
        if (!strcmp(argv[i],"magic")) type = MAGIC;
        if (!strcmp(argv[i],"doc")) type = DOC;
    }

    printf("Encrypt message\n\r");
    memset(in,0,sizeof(in));
    memset(out,0,sizeof(out));
    if (type == MAGIC)
    {
        printf("MAGIC\n");
        memcpy(skC1, "\x0A\xBE\x32\x6C\x63\x79\x4C\x70", 8);
        memcpy(skC2, "\xC0\x60\xBA\xA2\xE6\xDB\x83\x95", 8);
        inSize = 16;
        memcpy(in,"\x01\x02\x03\x04\x05\x06\x07\x08\x80\x00\x00\x00\x00\x00\x00\x00", inSize);
    }
    if (type == DOC)
    {
        printf("DOC\n");
        memcpy(skC1, "\x97\x9e\xc1\x3b\x1c\xbf\xe9\xdc", 8);
        memcpy(skC2, "\xd0\x1a\xb0\xfe\xd3\x07\xea\xe5", 8);
        inSize = 16;
        memcpy(in, "\x21\x0B\x01\x05\x40\xAA\x00\x00\x20\x80\x00\x00\x00\x00\x00\x00", inSize);
    }
    i = inSize;
    DES_set_key_checked(&skC1, &kSched1); // set the key schedule
    DES_set_key_checked(&skC2, &kSched2); // set the key schedule
    memcpy(iv,initVector,sizeof(initVector)); // set the initialization vector
    memset(out, 0, BUFSIZE);
    des_ede2_cbc_encrypt(in, out, (long)inSize, kSched1, kSched2, &iv, DES_ENCRYPT);
    debugHexPrint(" skC1: ", skC1, 8);
    debugHexPrint(" skC2: ", skC2, 8);
    debugHexPrint(" IN : ", in, inSize);
    debugHexPrint(" OUT : ", out, inSize);
    debugHexPrint(" IV : ", (unsigned char *)iv, sizeof(iv));
    printf(" Encrypt message done\n\r");
    return 0;
}
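Added example, not part of the original post: DES_set_key_checked() returns -1 and generates no key schedule when a key byte lacks odd parity (-2 for a weak key), and the program above never looks at that return value. The stand-alone check below, which needs no OpenSSL, runs the four keys from the post through an odd-parity test; the function names are made up for this illustration.

```c
#include <stdio.h>

/* Keys copied from the post above. */
static const unsigned char MAGIC_K1[8] = {0x0A,0xBE,0x32,0x6C,0x63,0x79,0x4C,0x70};
static const unsigned char MAGIC_K2[8] = {0xC0,0x60,0xBA,0xA2,0xE6,0xDB,0x83,0x95};
static const unsigned char DOC_K1[8]   = {0x97,0x9E,0xC1,0x3B,0x1C,0xBF,0xE9,0xDC};
static const unsigned char DOC_K2[8]   = {0xD0,0x1A,0xB0,0xFE,0xD3,0x07,0xEA,0xE5};

/* Returns 1 when the byte has an odd number of set bits. */
static int byte_is_odd(unsigned char b)
{
    int ones = 0;
    for (; b; b >>= 1)
        ones += b & 1;
    return ones & 1;
}

/* Hypothetical helper: number of bytes in an 8-byte DES key that break odd parity. */
int des_bad_parity_bytes(const unsigned char key[8])
{
    int i, bad = 0;
    for (i = 0; i < 8; i++)
        if (!byte_is_odd(key[i]))
            bad++;
    return bad;
}

/* Hypothetical helper: copy key to out, flipping the low (parity) bit where
 * needed. The 56 effective key bits are untouched. Returns bytes changed. */
int des_fix_parity(const unsigned char key[8], unsigned char out[8])
{
    int i, changed = 0;
    for (i = 0; i < 8; i++) {
        int ok = byte_is_odd(key[i]);
        out[i] = ok ? key[i] : (unsigned char)(key[i] ^ 0x01);
        changed += !ok;
    }
    return changed;
}

int main(void)
{
    unsigned char fixed[8];
    int i;

    printf("magic key 1: %d bad parity bytes\n", des_bad_parity_bytes(MAGIC_K1));
    printf("magic key 2: %d bad parity bytes\n", des_bad_parity_bytes(MAGIC_K2));
    printf("doc key 1:   %d bad parity bytes\n", des_bad_parity_bytes(DOC_K1));
    printf("doc key 2:   %d bad parity bytes\n", des_bad_parity_bytes(DOC_K2));

    des_fix_parity(MAGIC_K1, fixed);
    printf("magic key 1 with parity fixed:");
    for (i = 0; i < 8; i++)
        printf(" %02X", fixed[i]);
    printf("\n");
    return 0;
}
```

In OpenSSL itself, DES_set_odd_parity() makes the same adjustment on a DES_cblock, and DES_set_key_unchecked() builds the schedule without the parity and weak-key tests.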
[FWD] install openssl on a ox 10.6.x
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

----- Forwarded message from jsl j...@xtok.com -----

From: jsl j...@xtok.com
Subject: install openssl on a ox 10.6.x
Date: Tue, 14 Sep 2010 11:27:57 +0100
To: openssl-b...@openssl.org

Dear Sirs

Can you help us to install the app openssl on a mac os x?

Thanks
José Lourenço

----- End forwarded message -----

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: cms sign with md5
hi!

my command is:

  ./openssl cms -sign -md5 -signer cert.cer -inkey priv.key -in file.txt

and i get this usage-error-message with the parameter-description. think I use the md5 parameter wrong.

any ideas?? without -md5 it delivers a correct signed output but it is sha1.

thanks,
chris

kartik rustagi wrote:
> Which error?
>
> On Tue, Sep 14, 2010 at 3:34 PM, ch ch_m...@gmx.at wrote:
> > hi all!
> >
> > how can I tell openssl cms to sign not with sha1 but with md5? i tried the -md5 option but got an error.
> >
> > thanks!
> > br, chris
>
> --
> Regards
> Kartik Rustagi
alpine/cacert problem
I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with some expired certificates in it, etc.

I exported the certificate list out of a Windows firefox and put that in place and I thought things were fine. I did 'openssl verify' on a few of our certificates from different vendors and all looked good. Every certificate in this new CA list gave output from 'openssl x509 -text' without complaint.

Then I found that people complained that alpine didn't work. That's a mail client to our imap server. It was compiled with the openssl library. alpine is out of the University of Washington, and their distribution site says they only take questions from their own population.

The problem is that when it is starting, it binds up in STARTTLS. I checked that 'openssl verify' still worked on the mail server certificate against the new CA list.

I found that if I cut down our CA list to the certs for the issuing CA, that alpine worked ok as well. Actually, lots of certs can be in the CA list, but not all of them. Maybe I could use trial and error and snip out some of the ~200 of them and run with the remaining list that alpine still liked.

By binding up, it keeps displaying a changing pattern indicating I'm working on it, so it's not a loop in openssl; it must be returning to alpine to let it do its display before trying again, or whatever it's doing.

I guess I could cut the CA list down to CAs we used on campus, but applications that reach across the Internet might have issues. I guess people may have been already having issues with expired CA certs in that prior list, of course.

Anyway, it smells like something that a memory management problem would cause, like not leaving enough space for a certificate, or issuer name, or subject name, or something. However, I don't know how alpine could cause such interference with openssl.

We had been using an old alpine, v1.10, but I grabbed v2.00 and compiled and linked it with current openssl and it has the same symptoms.

Can anyone suggest how a program using the openssl libraries to verify certificates could do something that would trash the verification process?

I'm sorry to bother the list with this, but it would really help me to focus on a particular set of calls, since the alternative is trying to both debug alpine while learning the openssl calls as well.
Re: alpine/cacert problem
On Tue, Sep 14, 2010 at 11:27:09AM -0400, Allan E. Johannesen wrote:
> I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with some expired certificates in it, etc.
>
> I exported the certificate list out of a Windows firefox and put that in place and I thought things were fine. I did 'openssl verify' on a few of our certificates from different vendors and all looked good.

You could try to use a CApath/ directory (indexed via c_rehash), instead of a CAfile. This should scale better.

--
Viktor.
Re: Intermediate root CA's -- lost and confused :(
Remember that you need to include -showcerts in the s_client line to get it to dump certificates.

-Kyle H

On Mon, Sep 13, 2010 at 6:04 PM, Tim Hudson tim.hud...@pobox.com wrote:
> > Also, gnutls-client works correctly and lists the entire CA chain, which would also seem to indicate the server is supplying them.
>
> Connecting with openssl s_client as per the command you provided is not showing the certificate chain.
>
>   openssl s_client -verify 10 -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
>
> Try gnutls without the TLS extensions processing occurring and you will see that the server is not sending back the certificate chain:
>
>   gnutls-cli --priority 'NONE:+VERS-SSL3.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL' --debug 10 --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
>
> This fails. You need to correct your server configuration so that it correctly sends out the chain.
>
> Tim.
RE: Using openssl commandline tool from script
> From: owner-openssl-us...@openssl.org On Behalf Of Gary
> Sent: Tuesday, 14 September, 2010 11:20

> I am trying to call the openssl tool from a script, and I am having some problems. What I am currently doing is:
>
> ,----
> | echo -n "some data" | openssl enc -e -aes-256-cbc -k "some key"
> `----
>
> and then testing the result with
>
> ,----
> | echo -n "encrypted data" | openssl enc -e -aes-256-cbc -k "some key"
> `----
>
> (obviously I should get back the data I started with).

Use -d to decrypt (as you do below, so I hope this is just a typo).

And (raw) encrypted data is very likely to contain character codes that aren't ASCII printable (or 8859/Unicode/etc. if applicable) and you can't reliably type, or include in shell commands/arguments, or are treated specially by echo (which could be a shell builtin or external e.g. /bin/echo which are often significantly different).

> More often than not it works fine, but sometimes the encryption will produce output that contains values which echo (for the decrypt) balks at.

Sometimes? I'd expect most of the time.

> I tried base64 en/decoding the data:
>
> ,----
> | echo -n "some data" | openssl enc -e -aes-256-cbc -k "some key" -base64
> `----
>
> and
>
> ,----
> | echo -n "U2FsdGVkX1/EbpoczzWXJQC+RkTFvf7k2yL3LYWXCXrlDssu5p93tRAjtdODxB Ma" | openssl enc -d -base64 -aes-256-cbc -k "some key"
> `----
>
> and got "error reading input file" which I guess is because of the "/" in the encoded and encrypted data. Any suggestions here?

Drop -n. base64 data is standardly lines *with ending NL*. If you (just) let it output you should see that, but if you capture with x=`...|openssl enc -e` or x=$( ... ) and just use $x that normalizes whitespace.

For data over 48 bytes, base64 is *multiple* lines, which will be harder to echo, unless you use -A to put it all on one line, which may still be difficult to handle because it's long.

The / is no problem; the base64 charset is letters (both cases) digits slash and plus, and equals for padding if necessary, with linebreaks and other whitespace (if used) skipped. These were chosen decades ago because they survive practically all processing done on all systems everywhere.

> Or is there a better solution to getting "some data" and "encrypted data" into openssl than echoing it, without writing it to a file and (preferably) without manipulating the data before passing it to openssl?

Base64 is the usual way of doing this manually or semimanually, precisely because it was designed to use only safe characters.

Writing and reading a file is usually the simplest and easiest way to handle arbitrary bits, commonly 'binary'. Since you've excluded that, awk and perl can (usually?) be persuaded to output any bytes; or you can write your own decode/dearmor program(s?).

Or you could store it in a database and fetch it back out; for base64 you can use standard commandline utilities like mysql, sqlcmd, sqlplus; for 'binary' you'll have to write your own programs. But many databases are actually files. Although you could use a remote database (server), then it isn't a file *on your system*; does that count? But you could also remote a file with NFS, AFS, NetBios/Samba/etc.

Ciphertext is always 'binary' (for modern computer ciphers). Whether your plaintext is so, or is limited to printable characters that you can echo and print and type etc., is up to you, or your users/customers/boss(es)/etc.