RE: Certificate alias lost during export to .p12 ?

2013-12-12 Thread Dave Thompson
 From: owner-openssl-users On Behalf Of Nyyr
 Sent: Tuesday, December 10, 2013 15:37

 I received certificate from CA and it had no alias set: snip
(as expected; alias is local to your system and CA doesn't know it)
 So I set alias via: snip: x509 -setalias myalias
 I then exported the certificate along with my private key
 to .p12 via:
 
 openssl pkcs12 -export -in QCA1530646_2.pem -inkey private_q.key -name testname -out Q20131024.p12
 
 and verified via:
 
 openssl pkcs12 -in Q20131024.p12 -nokeys | openssl x509 -alias -noout
 Enter Import Password:
 MAC verified OK
 No Alias
 
 and there is no alias set!
 
For some reason not clear to me commandline 'pkcs12 -export' discards 
any alias attached to the user cert (i.e. the one matching the privatekey). 
If you want a 'friendlyname' in PKCS12, you must use option -name --
as you did, but with a different value than you used for the alias -- 
while for a CA cert it can use either an alias or option -caname. 
Other sw that reads p12 and uses it should see friendlynames.

But if you have friendlyname(s) in PKCS12 as above (or from elsewhere), 
'pkcs12 (import)' ignores it and does not attach it to the output cert(s).
So you actually lose the alias on export AND the friendlyname on import.

Sorry. 


__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Problem in building the openssl-1.0.1 in x86-64bit

2013-12-12 Thread Alagu Sakthi Gnanadhandapani - ERS, HCL Tech
Hi All,
When we are trying to build openssl-1.0.1 on an x86-64 board, we are facing the
following error:

x86cpuid.s: Assembler messages:
x86cpuid.s:8: Error: suffix or operands invalid for `push'
x86cpuid.s:9: Error: suffix or operands invalid for `push'
x86cpuid.s:10: Error: suffix or operands invalid for `push'
x86cpuid.s:11: Error: suffix or operands invalid for `push'
x86cpuid.s:13: Error: suffix or operands invalid for `pushf'
x86cpuid.s:14: Error: suffix or operands invalid for `pop'
x86cpuid.s:17: Error: suffix or operands invalid for `push'
x86cpuid.s:18: Error: suffix or operands invalid for `popf'
x86cpuid.s:19: Error: suffix or operands invalid for `pushf'
x86cpuid.s:20: Error: suffix or operands invalid for `pop'
x86cpuid.s:128: Error: suffix or operands invalid for `pop'
x86cpuid.s:129: Error: suffix or operands invalid for `pop'
x86cpuid.s:130: Error: suffix or operands invalid for `pop'
x86cpuid.s:131: Error: suffix or operands invalid for `pop'
x86cpuid.s:143: Error: suffix or operands invalid for `pop'
x86cpuid.s:145: Error: relocated field and relocation type differ in signedness
x86cpuid.s:159: Error: suffix or operands invalid for `pop'
x86cpuid.s:161: Error: relocated field and relocation type differ in signedness
x86cpuid.s:167: Error: suffix or operands invalid for `pushf'
x86cpuid.s:168: Error: suffix or operands invalid for `pop'
x86cpuid.s:172: Error: suffix or operands invalid for `push'
x86cpuid.s:173: Error: suffix or operands invalid for `push'
x86cpuid.s:190: Error: suffix or operands invalid for `pushf'
x86cpuid.s:191: Error: suffix or operands invalid for `pop'
x86cpuid.s:221: Error: suffix or operands invalid for `pop'
x86cpuid.s:223: Error: relocated field and relocation type differ in signedness
x86cpuid.s:251: Error: suffix or operands invalid for `push'
x86cpuid.s:260: Error: suffix or operands invalid for `pop'
x86cpuid.s:268: Error: suffix or operands invalid for `push'
x86cpuid.s:287: Error: suffix or operands invalid for `pop'
remake[5]: *** [x86cpuid.o] Error 1
Makefile:278: *** [build_crypto] Error 1
/workspace/toolchains/4.0_i686_64/WR4.0.hg/SOURCES/wrlinux-4/layers/xerox/dist/openssl/Makefile:167:
 *** [openssl.compile] Error 2

I checked Google; it shows that the assembly code in x86cpuid.s is compatible
with x86-32bit. It will show the above error when we try to build on a 64-bit machine.

Please help by providing your suggestion.

Thanks
Sakthi









RSA and plausible deniability

2013-12-12 Thread Adnan RIHAN
Hello all !

I would like to know if RSA allows plausible deniability ?

I'm on a crypto app, and the RSA_private_* functions seem to return  0 if 
error.
I want to implement plausible deniability, deciphering with a wrong key would 
work but show a 
--  
Regards, Adnan RIHAN.
Managing Director of Eolis-Software, an IT services company,
Brazzaville.
$this-setMobile(+33 (0) 6 78 62 26 20);


how to get a maximum digest length of a specific algorithm by nid

2013-12-12 Thread Dereck Hurtubise
Hello,

Is there an easy way in OpenSSL to call some function which returns the
length of the digest/hash it returns? Like SHA256 would return 32 (maximum
digest length of 32 bytes).

Dereck


What does RSA_public_encrypt use for hash and mgf

2013-12-12 Thread Dereck Hurtubise
Can someone tell me what hash algorithm the RSA_public_encrypt function
uses?
Is this SHA1 only for both?

Dereck


Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-12 Thread Erwann Abalea

It's not strange.
You removed the RSA-* from client side, the result is that the server 
can't match anything in common between what the client proposed and what 
the server accepts. The error you get has been sent by the server.


--
Erwann ABALEA

On 11/12/2013 22:34, Walter H. wrote:

Hello,

Thanks for your reply;

Very strange in FF

when I disable the use of the RSA-* Ciphersuites in FF, then I get the 
following error


Secure Connection failed
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

the certificate is mimicked by the origin certificate -
look on the origin certificate of https://www.google.nl

Thanks,
Walter

On 11.12.2013 20:56, Erwann Abalea wrote:

Hello,

The certificate specifies digitalSignature as its sole key usage.
That means the certified key can only be used to sign data, and not 
perform any decrypt operation.


If your server+client are negotiating a (EC)DHE-RSA-* ciphersuite, 
that's OK because the server's RSA private key will then be used to 
sign the (EC)DHE parameters and ephemeral public key, and the key 
exchange mechanism will be based on (EC)DHE.


But if the negotiated ciphersuite is AES-* or DES-* or RC4-* or 
anything similar using RSA as the key exchange mechanism, it won't 
work because the private key will then be used to decrypt the 
premaster secret.


Only NSS checks this, so Firefox under any OS, and Chrome under Linux.

If you want to get rid of this message, choose either one of:
 - create a new certificate for your server with
   keyUsage=digitalSignature+keyEncipherment
 - set up your server to only allow (EC)DHE key exchange mechanisms,
   by tweaking its acceptable ciphersuites










Re: What does RSA_public_encrypt use for hash and mgf

2013-12-12 Thread Kenneth Goldman
The documentation says:

RSA_PKCS1_OAEP_PADDING
EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding 
parameter. This mode is recommended for all new applications.



--
Ken Goldman   kgold...@us.ibm.com 
914-945-2415 (862-2415)




From:    Dereck Hurtubise djhurtub...@gmail.com
To:      openssl-users@openssl.org
Date:    12/12/2013 07:55 AM
Subject: What does RSA_public_encrypt use for hash and mgf
Sent by: owner-openssl-us...@openssl.org



Can someone tell me what hash algorithm the RSA_public_encrypt function 
uses?
Is this SHA1 only for both?

Dereck


Re: RSA and plausible deniability

2013-12-12 Thread Adnan RIHAN
[Corrected, sorry for not finished previous mail]
Hello all !

I would like to know if RSA allows plausible deniability ?

I'm on a crypto app, and the RSA_private_* functions seem to return  0 if 
error.
I want to implement plausible deniability, deciphering with a wrong key would 
work but show a random like text.

Thanks for your help.
--  
Regards, Adnan RIHAN.
Managing Director of Eolis-Software, an IT services company,
Brazzaville.
$this-setMobile(+33 (0) 6 78 62 26 20);

 On 12 Dec 2013 at 01:57, Adnan RIHAN axel50...@gmail.com wrote:
 
 Hello all !
 
 I would like to know if RSA allows plausible deniability ?
 
 I'm on a crypto app, and the RSA_private_* functions seem to return  0 if 
 error.
 I want to implement plausible deniability, deciphering with a wrong key would 
 work but show a 
 --  
 Regards, Adnan RIHAN.
 Managing Director of Eolis-Software, an IT services company,
 Brazzaville.
 $this-setMobile(+33 (0) 6 78 62 26 20);


Re: What does RSA_public_encrypt use for hash and mgf

2013-12-12 Thread Dereck Hurtubise
I read that. Still doesn't give me a clue if the hash and the mgf both use
sha1


On Thu, Dec 12, 2013 at 3:21 PM, Kenneth Goldman kgold...@us.ibm.com wrote:

 The documentation says:

 *RSA_PKCS1_OAEP_PADDING*
 EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding
 parameter. This mode is recommended for all new applications.



 --
 Ken Goldman   kgold...@us.ibm.com
 914-945-2415 (862-2415)




 From:    Dereck Hurtubise djhurtub...@gmail.com
 To:      openssl-users@openssl.org
 Date:    12/12/2013 07:55 AM
 Subject: What does RSA_public_encrypt use for hash and mgf
 Sent by: owner-openssl-us...@openssl.org
 --



 Can someone tell me what hash algorithm the RSA_public_encrypt function
 uses?
 Is this SHA1 only for both?

 Dereck



Re: ssh-add refuses to use the key on my USB thumb drive

2013-12-12 Thread Mark H. Wood
Or 'mount -o umask=077' I think.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.




Re: What does RSA_public_encrypt use for hash and mgf

2013-12-12 Thread Dr. Stephen Henson
On Thu, Dec 12, 2013, Dereck Hurtubise wrote:

 I read that. Still doesn't give me a clue if the hash and the mgf both use
 sha1
 

They do both use SHA1. OpenSSL 1.0.2 and later via the EVP_PKEY interface can
be set to use other digests.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: how to get a maximum digest length of a specific algorithm by nid

2013-12-12 Thread Michel

Did you see EVP_MD_size()

at http://www.openssl.org/docs/crypto/EVP_DigestInit.html


On 12/12/2013 09:29, Dereck Hurtubise wrote:

Hello,

Is there an easy way in OpenSSL to call some function which returns 
the length of the digest/hash it returns? Like SHA256 would return 32 
(maximum digest length of 32 bytes).


Dereck




Re: how to get a maximum digest length of a specific algorithm by nid

2013-12-12 Thread Dereck Hurtubise
How do you use EVP_MD_size() if the only thing you have is the NID of the
algorithm?


On Thu, Dec 12, 2013 at 5:59 PM, Michel msa...@paybox.com wrote:

  Did you see EVP_MD_size()

 at http://www.openssl.org/docs/crypto/EVP_DigestInit.html


 On 12/12/2013 09:29, Dereck Hurtubise wrote:

  Hello,

  Is there an easy way in OpenSSL to call some function which returns the
 length of the digest/hash it returns? Like SHA256 would return 32 (maximum
 digest length of 32 bytes).

  Dereck





Re: how to get a maximum digest length of a specific algorithm by nid

2013-12-12 Thread Dr. Stephen Henson
On Thu, Dec 12, 2013, Dereck Hurtubise wrote:

 How do you use EVP_MD_size() if the only thing you have is the NID of the
 algorithm?
 

Call EVP_get_digestbynid() to get the EVP_MD first.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org