RSA implementation in C using openssl
Hi,

I have to implement the RSA algorithm in our solaris10 (which has openssl already) using C programming. Anyone please forward any doc / sample code / Weblink; anything would be a great help to me.

Thanks,
Pattabi.
Re: RSA implementation in C using openssl
On Sun, Mar 6, 2011 at 4:51 AM, pattabi raman rprt...@gmail.com wrote:
> Hi, I have to implement the RSA algorithm in our solaris10 (which has openssl already) using C programming. Anyone please forward any doc / sample code / Weblink; anything would be a great help to me.

c = m^e mod n
m = c^d mod n

'Raw RSA' is fairly benign, but you should be careful of issues when using it in a protocol. For example, see http://www.mozilla.org/security/announce/2006/mfsa2006-60.html. (Thanks GB).

Jeff

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
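The two formulas in the reply above, worked through as an added example (not part of the original thread and not OpenSSL code). It uses a constructed toy key and also shows the multiplicative property of raw RSA, one reason it needs care inside a protocol; the key values and function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (p = 61, q = 53); far too small for real use. */
static const uint64_t N = 3233;  /* n = p * q */
static const uint64_t E = 17;    /* public exponent */
static const uint64_t D = 2753;  /* private exponent: E * D = 1 mod (p-1)(q-1) */

/* Square-and-multiply: base^exp mod n. No overflow while n < 2^32. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1;
    base %= n;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return result;
}

uint64_t raw_encrypt(uint64_t m) { return modpow(m, E, N); }  /* c = m^e mod n */
uint64_t raw_decrypt(uint64_t c) { return modpow(c, D, N); }  /* m = c^d mod n */

/* Counts messages in [0, n) that fail to round-trip; 0 for a valid key. */
unsigned roundtrip_failures(void)
{
    unsigned bad = 0;
    for (uint64_t m = 0; m < N; m++)
        if (raw_decrypt(raw_encrypt(m)) != m)
            bad++;
    return bad;
}

/* Raw RSA is multiplicative: E(m1) * E(m2) mod n equals E(m1 * m2 mod n).
 * A ciphertext can therefore be changed in a predictable way without the
 * key, which is one reason protocols wrap RSA in a padding scheme. */
int is_multiplicative(uint64_t m1, uint64_t m2)
{
    uint64_t lhs = (raw_encrypt(m1) * raw_encrypt(m2)) % N;
    return lhs == raw_encrypt((m1 * m2) % N);
}

int main(void)
{
    printf("c = %llu\n", (unsigned long long)raw_encrypt(65));
    printf("m = %llu\n", (unsigned long long)raw_decrypt(2790));
    printf("round-trip failures: %u\n", roundtrip_failures());
    printf("multiplicative: %d\n", is_multiplicative(7, 9));
    return 0;
}
```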
Re: RSA implementation in C using openssl
Hi,

I need to implement the entire RSA logic in a C program to encrypt the customer key for one of our application's functionality. I am a bit confused by the RSA API, which gives me a struggle, like which method to call / order of the methods to be executed etc... Pls guide me.

Thanks,
Pattabi
Re: RSA implementation in C using openssl
On Sun, Mar 6, 2011 at 5:23 AM, pattabi raman rprt...@gmail.com wrote:
> Hi, I need to implement the entire RSA logic in a C program to encrypt the customer key for one of our application's functionality. I am a bit confused by the RSA API, which gives me a struggle, like which method to call / order of the methods to be executed etc...

EVP_PKEY_keygen, EVP_PKEY_encrypt, EVP_PKEY_decrypt, EVP_PKEY_sign, and EVP_PKEY_verify.

Since you are doing the product key stuff, you will probably want the sign/verify gear.

Jeff
Re: BN_mod_mul_montgomery() causing cpu spike
David Schwartz wrote:
> On 3/2/2011 10:23 AM, prakgen wrote:
>> I've enabled fips in sshd (OpenSSH 5.5p1)
>
> Why?

He either works in, or develops products for, a DoD or federal government environment where use of FIPS validated cryptography is mandated.

No one uses FIPS validated cryptography for fun (there is no technical, functional, or security advantage, in fact FIPS validated crypto is undesirable from any purely practical perspective).

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877-673-6775
marqu...@opensslfoundation.com
ssleay_rand_add crash on OS X
Hi,

I try to generate an RSA key with a simple one-liner like this:

==
RSA *rsakey = RSA_generate_key(1024, RSA_F4, NULL, NULL);
==

Works fine under Linux, but crashes under Mac OS X Snow Leopard (using Openssl 1.0.0d compiled from source):

==
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x
0x0001000b1a81 in ssleay_rand_add ()
(gdb) bt
#0 0x0001000b1a81 in ssleay_rand_add ()
==

Do I need to call some kind of random number generator initialization routine first or is something else wrong?

--
Yours sincerely,
Floris Bos

P.S. I tried to search the OpenSSL request tracker to see if this is a known issue, but received the following error when trying to perform a search:

System error
error: Can't call method delete on an undefined value at /v/openssl/sw/libexec/rt/WebRT/html/Elements/SetupSessionCookie line 90.
context:
...
86: };
87: undef $cookies{$cookiename};
88: }
89: elsif ( !($session{'CurrentUser'} $session{'CurrentUser'}-id) ) {
90: eval { tied(%session)-delete; };
91: tie %session, $session_class, undef,
92: $backends{$RT::DatabaseType} ? {
93: Handle = $RT::Handle-dbh,
94: LockHandle = $RT::Handle-dbh,
...
code stack:
/v/openssl/sw/libexec/rt/WebRT/html/Elements/SetupSessionCookie:90
/v/openssl/sw/libexec/rt/WebRT/html/autohandler:73
using Cross-certificates in Browser
Hi,

I am facing an issue using cross-certificates. The purpose is to use cross-certificates so that a user of 1 CA doesn't need the self-signed cert from another CA. I created 2 CAs - Dohatec.com and Flora.com. I have used OpenSSL to generate a cross-certificate of Dohatec.com, signed by Flora.com, as seen in the pic below --
http://old.nabble.com/file/p31080570/cross-certificate%2Bnot%2Brecognized.png

When I try to import it in Mozilla Firefox's Authorities tab, it gives an error msg -
http://old.nabble.com/file/p31080570/cross-certificate%2Bissue.png

Couldn't get anything out of it. Am I missing something fundamental? Or have I done wrong in cross-certification? The following command I have used for the cross -

openssl ca -config ca.cnf -preserveDN -ss_cert dohatec.pem -out dohatec-cross-cert.pem

Please suggest a way around.
Re: FIPS compliance question regarding openssl distributions
> In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships openssl distribution within its source tree.

You must follow the instructions contained in the Security Policy document with no deviations. It's that simple.

So the answer to the question of can you start with a different distribution is a simple 'no' - even if the files are almost identical (or in fact even identical) you don't get that choice - you must follow the documented procedure.

Tim.
x509 cert contains subject in hexa code
Hi,

I am using openssl 0.9.8g and certtool (GnuTLS 2.4.2) 2.4.2. I am on Debian/Lenny.

I have generated a priv key for my CA, then a cert for this CA. Next, I am signing the csr using this command:

/usr/bin/certtool --generate-certificate --load-request ${fqdn}.csr --outfile ${fqdn}.scsr \
  --load-ca-certificate /etc/ssl/cert/$(hostname -f)_CA.pem --load-ca-privkey /etc/ssl/private/$(hostname -f)_CA.key \
  --template ${fqdn}.info

with .info like this (example: www.ppprod.biz.info):

cn = www.ppprod.biz
country = FR
serial = 11
email = dbou...@ppprod.net
tls_www_client
tls_www_server
signing_key
encryption_key

All seems to be ok, but when I am typing

openssl x509 -text -in www.ppprod.biz.scsr -noout -subject

I see

...
subject= /C=\xA8\xAE\x96\xBF\xD44/O=\xA8\xAE\x96\xBF\xD44/OU=\xA8\xAE\x96\xBF\xD44/L=\xA8\xAE\x96\xBF\xD44/ST=\xA8\xAE\x96\xBF\xD44/CN=\xA8\xAE\x96\xBF\xD44/UID=\xA8\xAE\x96\xBF\xD44

And then, when I am using the cert, verify failed. Example, with openvpn:

Sun Mar 6 22:55:17 2011 us=224040 VERIFY OK: depth=1, /C=FR/CN=www.ppprod.net
Sun Mar 6 22:55:17 2011 us=224503 VERIFY ERROR: could not extract Common Name from X509 subject string ('/C=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/O=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/OU=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/L=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/ST=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/CN=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/UID=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5') -- note that the Common Name length is limited to 64 characters
Sun Mar 6 22:55:17 2011 us=224589 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Mar 6 22:55:17 2011 us=224615 TLS Error: TLS object - incoming plaintext read error
Sun Mar 6 22:55:17 2011 us=224637 TLS Error: TLS handshake failed

How can I set a correct format for the subject field?

Thanks.
Dim
Inserting lib version in .so file
Hi,

I've got an interrogation on .so file! I'm compiling the 0.9.8r file of openssl using the config command with those threads shared zlib-dynamic options ... All is going fine :-)

My question is: why am I not finding the version in the openssl/lib/libcrypto.so.0.9.8 when I'm using the command:

#objdump -p openssl/lib/libcrypto.so.0.9.8

My objdump -p result:

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64
Dynamic Section:
NEEDED libdl.so.2
NEEDED libc.so.6
SONAME libcrypto.so.0.9.8
SYMBOLIC 0x
INIT 0x00069a68
FINI 0x0011f428
HASH 0x01b8
GNU_HASH 0x56c0
STRTAB 0x0001f7a8
SYMTAB 0xba38
STRSZ 0xf4ff
SYMENT 0x0018
PLTGOT 0x0036caa0
PLTRELSZ 0x08e8
PLTREL 0x0007
JMPREL 0x00069180
RELA 0x00030780
RELASZ 0x00038a00
RELAENT 0x0018
VERNEED 0x00030720
VERNEEDNUM 0x0002
VERSYM 0x0002eca8
RELACOUNT 0x25b5
Version References:
required from libdl.so.2:
0x09691a75 0x00 05 GLIBC_2.2.5
required from libc.so.6:
0x0d696913 0x00 04 GLIBC_2.3
0x0d696917 0x00 03 GLIBC_2.7
0x09691a75 0x00 02 GLIBC_2.2.5

When I execute an objdump -p on the libcrypto.so.0.9.8 of my distribution I have this:

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64
Program Header:
LOAD off 0x vaddr 0x paddr 0x align 2**21
filesz 0x00174aac memsz 0x00174aac flags r-x
LOAD off 0x00175000 vaddr 0x00375000 paddr 0x00375000 align 2**21
filesz 0x00027e28 memsz 0x0002b898 flags rw-
DYNAMIC off 0x00180fa8 vaddr 0x00380fa8 paddr 0x00380fa8 align 2**3
filesz 0x01e0 memsz 0x01e0 flags rw-
NOTE off 0x0190 vaddr 0x0190 paddr 0x0190 align 2**2
filesz 0x0024 memsz 0x0024 flags r--
EH_FRAME off 0x0015315c vaddr 0x0015315c paddr 0x0015315c align 2**2
filesz 0x7304 memsz 0x7304 flags r--
STACK off 0x vaddr 0x paddr 0x align 2**3
filesz 0x memsz 0x flags rw-
Dynamic Section:
NEEDED libdl.so.2
NEEDED libz.so.1
NEEDED libc.so.6
SONAME libcrypto.so.0.9.8
INIT 0x00073e38
FINI 0x00132e48
HASH 0x01b8
GNU_HASH 0x5748
STRTAB 0x0001fbc8
SYMTAB 0xbb28
STRSZ 0xf6cb
SYMENT 0x0018
PLTGOT 0x003819d8
PLTRELSZ 0xa230
PLTREL 0x0007
JMPREL 0x00069c08
RELA 0x00030de8
RELASZ 0x00038e20
RELAENT 0x0018
VERDEF 0x00030d50
VERDEFNUM 0x0002
VERNEED 0x00030d88
VERNEEDNUM 0x0002
VERSYM 0x0002f294
RELACOUNT 0x225e
Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8
Version References:
required from libdl.so.2:
0x09691a75 0x00 06 GLIBC_2.2.5
required from libc.so.6:
0x0d696913 0x00 05 GLIBC_2.3
0x0d696917 0x00 04 GLIBC_2.7
0x09691a75 0x00 03 GLIBC_2.2.5

As you can see there is a Version definitions section that I don't have:

Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8

How can I tell the configure to add the necessary option to the linker for obtaining this Version References Section??? That's the same for the openssl/lib/libssl.so.0.9.8 :-(

Thanks in advance for your answer,
Gérald.
Re: FIPS compliance question regarding openssl distributions
On 3/6/2011 3:48 PM, Tim Hudson wrote:
>> In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships openssl distribution within its source tree.
>
> You must follow the instructions contained in the Security Policy document with no deviations. It's that simple. So the answer to the question of can you start with a different distribution is a simple 'no' - even if the files are almost identical (or in fact even identical) you don't get that choice - you must follow the documented procedure.

...for building the fipscanister. Once you have that, that binary artifact (which you affirm as validated) can be used as the basis for building an openssl 0.9.8 package in a usual manner.
Compilation Error in application referencing FIPS Object Module using g++
Hi,

I am using the FIPS Object Module and encountered an error while compiling my application using g++.

“fips_premain.c:71: error: initializer-string for array of chars is too long”

I cannot change fips_premain.c since it's part of FIPS validation I guess. Please suggest any solution.