Re: [openssl-users] help with timestamping
Okay I have the cert from sym

openssl x509 -in newsym1.cer -noout -subject
subject= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1

Still getting

openssl ts -verify -data SHA.sha -in SHA.sha.tsr -CApath newsym1.cer
Verification: FAILED
139630315571016:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:

On 27 April 2016 at 14:53, Jakob Bohm wrote:
> OK, It looks like this signing service is (quite unusually)
> not providing the certificate in its message, which is quite
> unusual.
>
> All it provides is some information /about/ that certificate,
> specifically it provides the following info:
>
> The certificate was issued to C=US, O=Symantec Corporation,
> OU=Symantec Trust Network,
> CN=Symantec SHA256 TimeStamping Signer - G1
>
> The certificate was issued by C=US, O=Symantec Corporation,
> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>
> The certificate serial number (in hex) is
> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>
> The certificate fingerprint (SHA-256) is
> 82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
> 73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
>
> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
> TrustCenter repository web site may be able to use this
> information to download the missing certificates, but there
> is no information in this file that would allow a computer
> to do this.
>
> I wonder if changing some parameter in the timestamp request
> would cause the Symantec server to return a more complete
> timestamp token.
>
> Or maybe something else is failing.
>
>
>
> On 23/04/2016 00:54, Alex Samad wrote:
>>
>> Here is a dump.
>>
>> I can see the CN - but I could see that before.
>>
>> There is also a RSA - maybe a signature or maybe is the public key for the
>> cert.
>>
>> I would expect to see some signed data (sha + symantec cert + time)
>> and also the public cert ( and maybe the intermediaries..)
>>
>>
>> <30 82 03 AB>
>>   0 939: SEQUENCE {
>> <30 03>
>>   4   3:   SEQUENCE {
>> <02 01>
>>   6   1:     INTEGER 0
>>        :     }
>> <30 82 03 A2>
>>   9 930:   SEQUENCE {
>> <06 09>
>>  13   9:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>>        :       (PKCS #7)
>>
>>  24 915:     [0] {
>> <30 82 03 8F>
>>  28 911:       SEQUENCE {
>> <02 01>
>>  32   1:         INTEGER 3
>> <31 0D>
>>  35  13:         SET {
>> <30 0B>
>>  37  11:           SEQUENCE {
>> <06 09>
>>  39   9:             OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>>        :               (NIST Algorithm)
>>        :             }
>>        :           }
>> <30 82 01 1B>
>>  50 283:         SEQUENCE {
>> <06 0B>
>>  54  11:           OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>>        :             (S/MIME Content Types)
>>
>>  67 266:           [0] {
>> <04 82 01 06>
>>  71 262:             OCTET STRING, encapsulates {
>> <30 82 01 02>
>>  75
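
The "signer certificate not found" failure in this thread can be reproduced offline. The script below is an added example, not code from the thread: it builds a throwaway CA and TSA (all names, files and the policy OID are made up) and shows that a query made with `-cert` yields a token embedding the signer certificate, while a token requested without it verifies only when the signer certificate is passed with `-untrusted`.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and TSA in a temp directory. Subjects, file
# names and the policy OID 1.2.3.4.1 are made up; no real TSA is contacted.
ts_verify() {   # $1 = response file, remaining args = extra verify options
    tsr=$1; shift
    if openssl ts -verify -data file.txt -in "$tsr" -CAfile ca.pem "$@" 2>&1 |
        grep -q 'Verification: OK'; then echo ok; else echo fail; fi
}
ts_demo() (
    set -e
    cd "$(mktemp -d)"
    cat > tsa.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[tsa_ext]
extendedKeyUsage = critical,timeStamping
[tsa]
default_tsa = tsa1
[tsa1]
serial = ./serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
    echo 01 > serial; echo "data to be stamped" > file.txt
    exec 2>/dev/null    # silence key generation chatter
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 2 -config tsa.cnf -extensions ca_ext
    openssl req -new -newkey rsa:2048 -nodes -keyout tsa.key -out tsa.csr \
        -subj "/CN=Demo TSA" -config tsa.cnf
    openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 2 -extfile tsa.cnf -extensions tsa_ext -out tsa.pem >/dev/null
    # -cert sets certReq in the request, so the TSA embeds its signer cert.
    openssl ts -query -data file.txt -sha256 -cert -out with.tsq
    openssl ts -query -data file.txt -sha256 -out without.tsq
    for q in with without; do openssl ts -reply -config tsa.cnf -queryfile $q.tsq -out $q.tsr >/dev/null; done
    ts_verify with.tsr                          # signer cert is in the token
    ts_verify without.tsr                       # signer certificate not found
    ts_verify without.tsr -untrusted tsa.pem    # signer supplied out of band
)
ts_demo   # prints ok, fail, ok (one per line)
```

`-CApath` expects a directory of hashed CA certificates; a single PEM file is passed with `-CAfile` (trust anchors) or `-untrusted` (the signer and any intermediates).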
Re: [openssl-users] ECDSA Certificate does not work
AH! Thanks man. My postfix server seems to work now with ciphers-sets using ECDSA! I just wish openssl would have complained about it (or had given me a warning or something).

Anyway, I'm using Postfix 2.11, but either way, I like it when I can do things manually. :P

Thanks.

On 4/28/16, Viktor Dukhovni wrote:
> On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
>
>> I've been trying to get an ECDSA certificate to work with a Postfix
>> installation lately.
>
> See also http://www.postfix.org/postfix-tls.1.html, which does all
> the magic to create RSA and/or ECDSA keys for Postfix 3.1 or later.
>
> # postfix tls new-server-cert -a ecdsa -b secp521r1
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Forthcoming OpenSSL releases
Forthcoming OpenSSL releases

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t.

These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high".

Please see the following page for further details of severity levels: https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1 will end on 31st December 2016.

Yours

The OpenSSL Project Team
Re: [openssl-users] How to plug in different digest algorithm implementation into the PKCS7 functions?
On 26.04.16 at 16:25, Stephan Mühlstrasser wrote:
> Hi,
>
> I'm trying to plug my own digest algorithm implementation into the
> PKCS7 functions for creating a signature (using OpenSSL 1.0.2). The
> hash computation shall be performed on a hardware device.
>
> For that purpose I wanted to supply my own EVP_MD data structure to
> PKCS7_add_signature(). A rough sketch of my code for replacing the
> standard SHA-256 implementation looks like this:
>
>     static const EVP_MD my_digest_impl = {
>         NID_sha256,
>         ... /* contains function pointers for my own implementation */
>     };
>
>     PKCS7 *p7 = PKCS7_new();
>     PKCS7_set_type(p7, NID_pkcs7_signed);
>     PKCS7_SIGNER_INFO *si = PKCS7_add_signature(p7, cert, pkey, &my_digest_impl);
>     PKCS7_content_new(sig_parms->p7, NID_pkcs7_data);
>     PKCS7_set_detached(p7, 1);
>     BIO *p7bio = PKCS7_dataInit(p7, NULL);
>     ...
>
> ...
>
> How can I plug in my own digest implementation? Do I need to implement
> a full OpenSSL engine for this purpose?

I was able to implement this requirement now by calling BIO_set_md() on the BIO that is created by PKCS7_dataInit(). The code for replacing the digest function looks like this (error checking omitted):

    static const EVP_MD my_digest_impl = {
        NID_sha256,
        ... /* contains function pointers for my own implementation */
    };

    EVP_MD_CTX *ctx;
    BIO *p7bio = PKCS7_dataInit(p7, NULL);
    BIO_get_md_ctx(p7bio, &ctx);
    ctx->flags |= EVP_MD_CTX_FLAG_NO_INIT;
    BIO_set_md(sig_parms->p7bio, &my_digest_impl);
    ctx->update = my_digest_impl.update;
    ctx->md_data = OPENSSL_malloc(my_digest_impl.ctx_size);
    /* ... Now the ctx->md_data member is initialized with data
       specific to the hardware device ... */
    my_digest_impl.init(ctx);

The use of the EVP_MD_CTX_FLAG_NO_INIT flag is necessary, because otherwise the digest's init() function would be called from BIO_set_md() without the necessary information for initializing the hardware device. With the flag being set the data can be assigned to the md_data member after the call to BIO_set_md() and then the digest's init() function can be called.

I'd appreciate any comments if there's a problem with this approach. So far this seems to be working fine.

--
Stephan
[openssl-users] X509_ALGOR_get_md?
Hi,

I note that OpenSSL provides a function X509_ALGOR_set_md() to set the message digest algorithm to be used on a signature, but it doesn't seem to provide a corresponding X509_ALGOR_get_md() function.

Is this correct, or did I miss something? If I didn't miss anything, then how can I figure out which hashing algorithm was used for a given X.509 certificate?

Thanks,

--
Wouter Verhelst
Re: [openssl-users] ECDSA Certificate does not work
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:

> I've been trying to get an ECDSA certificate to work with a Postfix
> installation lately.

See also http://www.postfix.org/postfix-tls.1.html, which does all the magic to create RSA and/or ECDSA keys for Postfix 3.1 or later.

    # postfix tls new-server-cert -a ecdsa -b secp521r1

--
Viktor.
Re: [openssl-users] ECDSA Certificate does not work
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:

> Dear OpenSSL users,
>
> I've been trying to get an ECDSA certificate to work with a postfix
> installation lately.
> , however, it seems that when I try to use the aECDSA protocol with a
> client the server gives "no shared cipher" errors.
>
> I had created the certificate like the following:
>
> openssl ecparam -name secp521r1 -genkey -param_enc explicit -out
> private/ec-email-server.pem

TLS does not support explicit EC parameters. You must use a named curve by OID. The "-param_enc explicit" option must not be used.

You must also enable ECDHE in s_server to use ECDSA, since neither RSA key transport nor DHE are possible.

--
Viktor.
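
Since openssl accepts `-param_enc explicit` without a warning, the encoding can be checked before a key is deployed. The script below is an added example, not code from the thread: it generates throwaway secp521r1 keys both ways and classifies each from its ASN.1 structure; the file names and the `ec_param_encoding` helper are made up for illustration.

```shell
#!/bin/sh
# Constructed demo: two throwaway secp521r1 keys in a temp directory, one with
# explicit parameters (the command from the thread) and one with a named curve.
ec_param_encoding() {   # $1 = PEM file holding an EC private key
    dump=$(openssl asn1parse -in "$1" 2>/dev/null) || { echo unreadable; return 1; }
    case $dump in
        # Explicit ECParameters spell out the field type (and prime, curve
        # coefficients, base point, order) instead of a single curve OID.
        *prime-field*|*characteristic-two-field*) echo explicit ;;
        # A named curve appears as one OBJECT line, e.g. ":secp521r1".
        *OBJECT*) echo named ;;
        *) echo unknown ;;
    esac
}

ec_demo() (
    set -e
    cd "$(mktemp -d)"
    # As in the thread: explicit parameters, which TLS does not support.
    openssl ecparam -name secp521r1 -genkey -noout -param_enc explicit \
        -out explicit.pem 2>/dev/null
    # Same curve referenced by OID (the default encoding).
    openssl ecparam -name secp521r1 -genkey -noout -out named.pem 2>/dev/null
    echo "explicit.pem: $(ec_param_encoding explicit.pem)"
    echo "named.pem: $(ec_param_encoding named.pem)"
)
ec_demo   # prints "explicit.pem: explicit" then "named.pem: named"
```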