Adding Hash to Application : Static Build - OpenSSL With FIPS
Hi All, According to UserGuide i am trying to add hash to my Project DLL as i am linking the OpenSSL Lib statically. While calling fipslink.pl i do see following link errors.. Dump from the command prompt ... TSPFIPSnmake -f Add_FipsHash_TSP.mak Microsoft (R) Program Maintenance Utility Version 8.00.50727.42 Copyright (C) Microsoft Corporation. All rights reserved. Building CiscoTSP with Hash for Self Test SET FIPS_LINK=link SET FIPS_CC=cl SET FIPS_CC_ARGS=/Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3 /WX /Gs 0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE / Fdout32 -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD C2 -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -D OPENSSL_FIPS -DOPENSSL_NO_DYNAMIC_ENGINE /Zl -c SET FIPS_PREMAIN_SRC=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o penssl-fips-1.2\out32\fips_premain.c SET PREMAIN_DSO_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\op enssl-fips-1.2\out32\fips_premain_dso.exe SET PREMAIN_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\o penssl-fips-1.2\out32\fips_standalone_sha1.exe SET FIPS_SHA1_EXE=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\open ssl-fips-1.2\out32\fips_standalone_sha1.exe SET O_FIPSCANISTER=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\ope nssl-fips-1.2\out32\fipscanister.lib SET FIPS_TARGET=..\Win32\ReleaseMinDependency\CiscoTSP.dll SET FIPSLIB_D=C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\openssl- fips-1.2\out32 perl fipslink.pl /nologo /opt:ref /machine:x86 /subsystem:console /dll / NOENTRY msvcrt.lib /NODEFAULTLIB:nochkclr.obj /INCLUDE:__dllmaincrtstar...@12 /m ap /out:..\Win32\ReleaseMinDependency\CiscoTSP.dll @C:\DOCUME~1\drajesh\LOCALS ~1\Temp\nm4A1.tmp Integrity check OK cl /Fo\fips_premain.obj -I -I /MD /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo -DOP ENSSL_SYSNAME_WIN32 -DWIN32 -DWINDLL -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN3 2 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32 -DOPENSSL_NO_C AMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CMS -D OPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL _NO_DYNAMIC_ENGINE /Zl -c C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\ope nssl-fips-1.2\out32/fips_premain.c fips_premain.c link /nologo /opt:ref /machine:x86 /subsystem:console /dll /NOENTRY msvcrt.lib / NODEFAULTLIB:nochkclr.obj /INCLUDE:__dllmaincrtstar...@12 /map /out:..\Win32\Rel easeMinDependency\CiscoTSP.dll @C:\DOCUME~1\drajesh\LOCALS~1\Temp\nm4A1.tmp C:\OpenSSL-work\OpenSSL_Downloaded\openssl-0.9.8l\openssl-fips-1.2\out32\fips_pr emain_dso.exe ..\Win32\ReleaseMinDependency\TSP.dll 5292:error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the r equested symbol name:.\crypto\dso\dso_win32.c:288:symname(FINGERPRINT_premain) 5292:error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the req uested symbol name:.\crypto\dso\dso_lib.c:294: Get hash failure at fipslink.pl line 48. NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x1' Can some suggest me if i am missing anything Thanks, Rajesh.
mini project in C using openssl
Hi. My name is Gabriel. I'm newbie in openssl and I need to develop a aplication in C languaje using openssl. If anyone on this mailing list can help me, and is interested in working in this mini project (for free or not) Please contact me via e-mail. Best regards gabriel
Re: Using OAEP/PSS RSA padding with CMS
On Sun, Oct 24, 2010, Michael Orlov wrote: Hi, What is the default RSA padding that is used in CMS when signing and when encrypting messages? Is there any way to influence the choice of padding in CMS? E.g., use PSS for signing and OAEP for encryption when using RSA, as is possible for dgst (sigopt) / pkeyutl (pkeyopt) with rsa_padding_mode:. I didn't find any relevant command-line switches for that in cms. This is not currrently supported. The latest development releases include support for PSS in certificates and certificate requests but no OAEP/PSS support for CMS yet. Do you know of any examples using these modes? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate chaining
Probably I was not clear in my question. When I have several certificates like server cert + key, intermediate and root and want all them to bundle in a single file say, PKCS#12. Is there a specific sequence to bundle them? For example: first option = key + server cert + intermediate + root second option = root + intermediate + server cert + key third option = server cert + key + intermediate + root ... Please throw some light here. Thanks. On Thu, Oct 21, 2010 at 11:11 PM, Suresh suresh.chi...@gmail.com wrote: Thank you for a detailed reply Dave. There is a standard ASN.1 structure, PKCS#7 aka Cryptographic Message Syntax or CMS, which can carry multiple certs and/or CRLs in DER (or PEM-ified single DER, as opposed to PEM concatenation) and is fairly commonly used for that purpose. This makes me understand PKCS#7 or PKCS#12 can take several certificates and key in PEM format into a single file. When packaging server, intermediate and key into a single file is there a sequence to do that ? Also, please correct me if my understanding is correct. Thanks. On Tue, Oct 19, 2010 at 8:40 PM, Dave Thompson dthomp...@prinpay.com wrote: From: owner-openssl-us...@openssl.org On Behalf Of liv2luv Sent: Tuesday, 19 October, 2010 11:26 I am new to SSL and Certificates. I have generated a CSR and certificate for signing. In return I've got three certificates. a. Root CA's certificate b. Intermediate Certificate c. Server certificate After some searching, understand I need to combine them in the sequence as server, intermediate and root certificate. Probably not. For an OpenSSL server, you do need entity + intermediate as below, unless the/each client has the intermediate as trusted (which is sometimes possible). It rarely makes sense to transmit a root in protocol, since the peer must have it already to trust it. After that I converted the PEM format to DER to see the certificate. It is only showing the top certificate (server certificate) in this case. OpenSSL x509 can look at a certificate file in either DER or PEM with exactly the same capabilities. If you mean you had multiple certs (e.g. the chain) in one file in PEM format and did openssl x509 -inform pem -outform der that only converts the first cert found, just like openssl x509 -inform pem -text -noout only displays the first cert. To process with the commandline utility like this you must put each cert in a separate file. As to recombining later, see below. How can the certificate chain be created in a single file? There is no standard format for just putting multiple certs, or anything else, in DER format into a file. In a few places OpenSSL accepts multiple certs in PEM format in a file. SSL_CTX_load_verify_locations (CAfile), used by -CAfile in several utilities, takes certs (and CRLs if used) in PEM format in one file. SSL_CTX_use_certificate_chain_file takes entity cert plus chain (excluding root, which as above is not needed) in PEM format, and thus should be what you need. This concatenated PEM format is not a standard as far as I know, although I believe some others have adopted OpenSSL's method. Remember that PEM format (here) is actually just DER encoded in base64 plus labels; the real data is actually the same. There is a standard ASN.1 structure, PKCS#7 aka Cryptographic Message Syntax or CMS, which can carry multiple certs and/or CRLs in DER (or PEM-ified single DER, as opposed to PEM concatenation) and is fairly commonly used for that purpose. The SSL routines in OpenSSL do not use PKCS#7 directly, although code you write using lower-level libcrypto can, and the commandline utility pkcs7 can display them from which you can capture them into one or more files in PEM format and manipulate further. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Suresh -- Suresh
Re: Using OAEP/PSS RSA padding with CMS
This is not currrently supported. The latest development releases include support for PSS in certificates and certificate requests but no OAEP/PSS support for CMS yet. Do you know of any examples using these modes? I don't know of any such examples. I thought about using OpenSSL's CMS functionality as a ready solution for message exchange between two servers that have the same software, instead of directly using dgst -sign / rand -base64 (session key) / enc / pkeyutl -encrypt (upon sending a message) and pkeyutl -decrypt / enc -d / dgst -verify (upon receiving a message). CMS also has the benefit of failing if certificates don't verify against a trusted root CA, whereas failure needs to be simulated for openssl verify. But thinking about it, am I right that for CMS, the padding mechanism doesn't really matter (as long as one is used), because asymmetric keys are only used for signing a digest, and encrypting a random session key? Which padding mechanism is used in CMS, the one defined in PKCS 1.5? Although, even if that is true, having OAEP/PSS in CMS would still be nice, from cryptographic standards compliance point of view. Thanks, Michael __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
How can I load a PEM key stored in a string instead from a file?
Hello to all. I'm using the openssl api in a C application. Currently to load a private key (generated by openssl command), I do: _privKeyFile = fopen(filename, rt); _privKey = PEM_read_PrivateKey(_privKeyFile, NULL, NULL, NULL); _rsa = EVP_PKEY_get1_RSA(_privKey); The _rsa is the object I need to decrypt my data. But now I need do keep the private key in a database, and not in files anymore. In database I store these keys in a common plain text format and I can't use the filesystem. So imagine I have key as char[]. How can I get a EVP_PKEY object from a key that is a string? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How can I load a PEM key stored in a string instead from a file?
PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which knows how to read a private key blob specifically). PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and calls PEM_ASN1_read_bio(). If you want, you can instead create a BIO from your string using something like BIO_new_mem_buf() and call PEM_ASN1_read_bio() yourself. (A BIO is an openssl object that's like a more general-purpose FILE*.) BTW, if your keys are stored in a database, there's probably no need for them to be PEM-encoded; you can save a bit of space and time by storing them in DER format and calling d2i_PrivateKey() directly. (PEM format is more or less just base64-encoded DER.) There's a FAQ entry on this: http://www.openssl.org/support/faq.html#PROG3 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: mini project in C using openssl
Hi, Check this out, its a nice little C example: http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/ Anthony On Oct 26, 2010, at 7:32 AM, g A b R i E L wrote: Hi. My name is Gabriel. I'm newbie in openssl and I need to develop a aplication in C languaje using openssl. If anyone on this mailing list can help me, and is interested in working in this mini project (for free or not) Please contact me via e-mail. Best regards gabriel
Re: How can I load a PEM key stored in a string instead from a file?
Sorry. I don't understand everything. Do you have any code example? I've tried to read the source code of these functions, but PEM_read_PrivateKey is a macro (and I hate read big macros) :-( 2010/10/26 Wim Lewis w...@omnigroup.com: PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which knows how to read a private key blob specifically). PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and calls PEM_ASN1_read_bio(). If you want, you can instead create a BIO from your string using something like BIO_new_mem_buf() and call PEM_ASN1_read_bio() yourself. (A BIO is an openssl object that's like a more general-purpose FILE*.) BTW, if your keys are stored in a database, there's probably no need for them to be PEM-encoded; you can save a bit of space and time by storing them in DER format and calling d2i_PrivateKey() directly. (PEM format is more or less just base64-encoded DER.) There's a FAQ entry on this: http://www.openssl.org/support/faq.html#PROG3 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: mini project in C using openssl
Another link: http://code.google.com/p/ssl3fuzzerapi/source/browse/#svn/trunk On Wed, Oct 27, 2010 at 6:34 AM, Anthony Gabrielson agabriels...@comcast.net wrote: Hi, Check this out, its a nice little C example: http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/ Anthony On Oct 26, 2010, at 7:32 AM, g A b R i E L wrote: Hi. My name is Gabriel. I'm newbie in openssl and I need to develop a aplication in C languaje using openssl. If anyone on this mailing list can help me, and is interested in working in this mini project (for free or not) Please contact me via e-mail. Best regards gabriel
RE: Certificate chaining
From: owner-openssl-us...@openssl.org On Behalf Of Suresh Sent: Tuesday, 26 October, 2010 10:41 Probably I was not clear in my question. When I have several certificates like server cert + key, intermediate and root and want all them to bundle in a single file say, PKCS#12. Is there a specific sequence to bundle them? snip examples Not that I know of, but I rarely use nontrivial chains. It might depend on what software will (later) use them. Please throw some light here. Thanks. On Thu, Oct 21, 2010 at 11:11 PM, Suresh suresh.chi...@gmail.com wrote: There is a standard ASN.1 structure, PKCS#7 aka Cryptographic Message Syntax or CMS, which can carry multiple certs and/or CRLs in DER (or PEM-ified single DER, as opposed to PEM concatenation) and is fairly commonly used for that purpose. This makes me understand PKCS#7 or PKCS#12 can take several certificates and key in PEM format into a single file. When packaging server, intermediate and key into a single file is there a sequence to do that ? I'm not sure if you're asking about the formats or openssl. 7 can't carry (private) keys as such; it can do certs and/or CRLs and/or arbitrary data. (Its design purpose was to carry signed and/or encrypted data, with certs and CRLs as an add-on, but they have become a tail that sometimes wags the dog.) You could write programs that put private key(s) as encrypted data, but nothing else will expect this. 12 can carry (private) keys and certs (but AFAIK not CRLs). openssl pkcs7 doesn't support building, although you could write a program that does. It can read either DER or PEM, and convert to the other, and extract certs into PEM (which another command, openssl x509, can then convert to DER). openssl pkcs12 can build DER from local PEM files (which can have been converted from DER by other openssl commands), or extract DER into local PEM files (which can be converted to DER by other openssl commands). If your goal is to transport a key with the certs needed for it, for example from server-primary to server-backup, or central-keygen to entity, etc., use 12. That's exactly what it was designed for. If you're doing something else, there may be other answers. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org