Re: use openssl function in own application
On 13 December 2013 17:33, andreas andreas.moro...@gmx.net wrote: Hello, in our public hospital we have a application that has to encrypt data with a certificate. At the moment we call a batch files that does openssl.exe rsautl -encrypt -in %1 -out %1.enc -inkey SanitelCF.cer -certin -pkcs I don't know what it is that you are encrypting, however normally you would not directly encrypt messages in this way. RSA is usually used to encrypt some symmetric session key, and then your message is encrypted using this session key. Here you are directly encrypting files using RSA...if those files are actually raw keys then thats probably ok. IS it possible to implement this in our application using openssl libraries ? Yes: To load the certificate you can use PEM_read_X509 (or one of the other similar variants). See https://www.openssl.org/docs/crypto/pem.html This will give you an X509 structure. To obtain the public key from the certificate use X509_get_pubkey. This function is defined in x509.h and is apparently undocumented as far as I can see. Its quite straight forward though - just pass the X509 structure in and you get an EVP_PKEY structure back. To encrypt use EVP_PKEY_encrypt. See https://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html The manual page above gives some example code for encrypting. It shows how to set the padding type. For your particular situation you need to use RSA_PKCS1_PADDING. Don't forget to free up your EVP_PKEY and X509 structures using EVP_PKEY_free and X509_free. Can anyone please tell me if there are sample file that implement that encryption ? You can take a look at how the rsautl app does it in apps/rsautl.c. This essentially works the same way as I have outlined above except that it uses RSA_public_encrypt to do the encryption, rather than EVP_PKEY_encrypt that I have suggested. Hope that helps, Matt Thanks Andreas __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Somewhat conflicting configuration and strange behaviour
On 14.12.2013 00:00, Dr. Stephen Henson wrote: How are you disabling RSA key exchange? by setting all ciphers beginning with RSA to no in FF If you disable RSA for authentication too you'll hit problems if you don't have a non-RSA certificate. So for example: ECDHE-ECDSA-3DES-EDE-SHA needs an ECDSA certificate (that's the same as ECDHE-ECDSA-DES-CBC3-SHA). can you please give an example of such an ECDSA certificate? You can disable RSA key exchange by appending the string !kRSA to the cipher string, for example: DEFAULT:!kRSA. Also if you want to support EDH ciphersuites you need to set some DH parameters and for ECDH a suitable curve. this the option in squid against my client: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cert/squid.pem cipher=DEFAULT:!kRSA options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem Thanks, Walter smime.p7s Description: S/MIME Cryptographic Signature
PBKDF2 doc
Hello ! I’m using OpenSSL 0.9.8 on mac (Mavericks), and I want to use a PBKDF but I can’t find any doc/man about it on OpenSSL’s website. I’m working on QCA, an OpenSSL wrapper for Qt, and when I arrived there was « PKCS5_PBKDF2_HMAC_SHA1 », a function I can’t find either on the OpenSSL website, it’s marked as DEPRECATED on OSX, so my question is: Is there one or multiple PBKDF2 on OpenSSL ? If yes, where can I find the doc please ? Thank you for your help. -- Regards, Adnan RIHAN.