Re: [openssl-users] help with timestamping

2016-04-28 Thread Alex Samad
Okay I have the cert from sym


openssl x509 -in newsym1.cer -noout -subject
subject= /C=US/O=Symantec Corporation/OU=Symantec Trust
Network/CN=Symantec SHA256 TimeStamping Signer - G1


Still getting

 openssl ts -verify -data SHA.sha -in SHA.sha.tsr  -CApath newsym1.cer
Verification: FAILED
139630315571016:error:2107C080:PKCS7
routines:PKCS7_get0_signers:signer certificate not
found:pk7_smime.c:476:





On 27 April 2016 at 14:53, Jakob Bohm  wrote:
> OK, It looks like this signing service is (quite unusually)
> not providing the certificate in its message, which is quite
> unusual.
>
> All it provides is some information /about/ that certificate,
> specifically it provides the following info:
>
> The certificate was issued to C=US, O=Symantec Corporation,
> OU=Symantec Trust Network,
> CN=Symantec SHA256 TimeStamping Signer - G1
>
> The certificate was issued by C=US, O=Symantec Corporation,
> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>
> The certificate serial number (in hex) is
> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>
> The certificate fingerprint (SHA-256) is
> 82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
> 73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
>
> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
> TrustCenter repository web site may be able to use this
> information to download the missing certificates, but there
> is no information in this file that would allow a computer
> to do this.
>
> I wonder if changing some parameter in the timestamp request
> would cause the Symantec server to return a more complete
> timestamp token.
>
> Or maybe something else is failing.
>
>
>
> On 23/04/2016 00:54, Alex Samad wrote:
>>
>> Here is a dump.
>>
>> I can see the CN - but I could see that before.
>>
>> There is also a RSA - maybe a signature or maybe is the public key for the
>> cert.
>>
>> I would expect to see some signed data (sha + symantec cert + time)
>> and also the public cert ( and maybe the intermediaries..)
>>
>>
>>  <30 82 03 AB>
>>0 939: SEQUENCE {
>>  <30 03>
>>4   3:   SEQUENCE {
>>  <02 01>
>>6   1: INTEGER 0
>> : }
>>  <30 82 03 A2>
>>9 930:   SEQUENCE {
>>  <06 09>
>>   13   9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>> :   (PKCS #7)
>>  <A0 82 03 93>
>>   24 915: [0] {
>>  <30 82 03 8F>
>>   28 911:   SEQUENCE {
>>  <02 01>
>>   32   1: INTEGER 3
>>  <31 0D>
>>   35  13: SET {
>>  <30 0B>
>>   37  11:   SEQUENCE {
>>  <06 09>
>>   39   9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>> :   (NIST Algorithm)
>> : }
>> :   }
>>  <30 82 01 1B>
>>   50 283: SEQUENCE {
>>  <06 0B>
>>   54  11:   OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>> : (S/MIME Content Types)
>>  <A0 82 01 0A>
>>   67 266:   [0] {
>>  <04 82 01 06>
>>   71 262: OCTET STRING, encapsulates {
>>  <30 82 01 02>
>>   75 
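
RFC 3161 gives the timestamp request a `certReq` flag that asks the TSA to embed its signing certificate in the token, and `openssl ts -query` sets it with `-cert`. The code below is an added example, not code from the thread: it builds a SHA-256 TimeStampReq with or without the flag and checks an existing request for it. The function names are hypothetical and short-form DER lengths are assumed.

```python
import hashlib

# AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALG = bytes.fromhex("300d06096086480165030402010500")

def tlv(tag, value):
    """DER-encode one element; short-form length is enough for a request."""
    if len(value) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(value)]) + value

def timestamp_request(data, cert_req=True, nonce=None):
    """Build an RFC 3161 TimeStampReq over SHA-256(data)."""
    imprint = tlv(0x30, SHA256_ALG + tlv(0x04, hashlib.sha256(data).digest()))
    body = tlv(0x02, b"\x01") + imprint  # version 1, then messageImprint
    if nonce is not None:  # INTEGER, minimal positive encoding
        body += tlv(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    if cert_req:  # BOOLEAN TRUE; DEFAULT FALSE is simply left out in DER
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)

def cert_requested(tsq):
    """Return True if a DER TimeStampReq carries certReq TRUE."""
    body, pos = tsq[2:2 + tsq[1]], 0
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0x01:  # the only top-level BOOLEAN in TimeStampReq
            return body[pos + 2] != 0
        pos += 2 + length
    return False  # field absent: DEFAULT FALSE

# Constructed sample input, not data from the thread.
SAMPLE_REQ = timestamp_request(b"constructed sample data", nonce=0x1234ABCD)
```

Running `cert_requested()` over the bytes of an existing `.tsq` file shows whether the request that produced a certificate-less token ever asked for the certificate.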

Re: [openssl-users] ECDSA Certificate does not work

2016-04-28 Thread Danny
AH!
Thanks man.
My postfix server seems to work now with ciphers-sets using ECDSA!
I just wish openssl would have complained about it (or had given me a
warning or something).

Anyway, I'm using Postfix 2.11, but either way, I like it when I can
do things manually. :P

Thanks.

On 4/28/16, Viktor Dukhovni  wrote:
> On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
>
>> I've been trying to get an ECDSA certificate to work with a Postfix
>> installation lately.
>
> See also http://www.postfix.org/postfix-tls.1.html, which does all
> the magic to create RSA and/or ECDSA keys for Postfix 3.1 or later.
>
> # postfix tls new-server-cert -a ecdsa -b secp521r1
>
> --
>   Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


[openssl-users] Forthcoming OpenSSL releases

2016-04-28 Thread OpenSSL

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release of
OpenSSL versions 1.0.2h, 1.0.1t.

These releases will be made available on 3rd May 2016 between approximately
1200-1500 UTC.  They will fix several security defects with maximum severity
"high".

Please see the following page for further details of severity levels:
https://www.openssl.org/policies/secpolicy.html

Please also note that, as per our previous announcements, support for 1.0.1
will end on 31st December 2016.

Yours

The OpenSSL Project Team


Re: [openssl-users] How to plug in different digest algorithm implementation into the PKCS7 functions?

2016-04-28 Thread Stephan Mühlstrasser

On 26.04.16 at 16:25, Stephan Mühlstrasser wrote:

Hi,

I'm trying to plug my own digest algorithm implementation into the PKCS7
functions for creating a signature (using OpenSSL 1.0.2). The hash
computation shall be performed on a hardware device.

For that purpose I wanted to supply my own EVP_MD data structure to
PKCS7_add_signature(). A rough sketch of my code for replacing the
standard SHA-256 implementation looks like this:

static const EVP_MD my_digest_impl =
{
NID_sha256,
...
/* contains function pointers for my own implementation */
};

PKCS7 *p7 = PKCS7_new();

PKCS7_set_type(p7, NID_pkcs7_signed);

PKCS7_SIGNER_INFO *si = PKCS7_add_signature(p7, cert, pkey,
    &my_digest_impl);

PKCS7_content_new(p7, NID_pkcs7_data);

PKCS7_set_detached(p7, 1);

BIO *p7bio = PKCS7_dataInit(p7, NULL);
...

...
How can I plug in my own digest implementation? Do I need to implement a
full OpenSSL engine for this purpose?


I was able to implement this requirement now by calling BIO_set_md() on 
the BIO that is created by PKCS7_dataInit(). The code for replacing the 
digest function looks like this (error checking omitted):


static const EVP_MD my_digest_impl =
{
 NID_sha256,
 ...
 /* contains function pointers for my own implementation */
};

EVP_MD_CTX *ctx;
BIO *p7bio = PKCS7_dataInit(p7, NULL);

BIO_get_md_ctx(p7bio, &ctx);

ctx->flags |= EVP_MD_CTX_FLAG_NO_INIT;

BIO_set_md(p7bio, &my_digest_impl);

ctx->update = my_digest_impl.update;
ctx->md_data = OPENSSL_malloc(my_digest_impl.ctx_size);

/* ... Now the ctx->md_data member is initialized with data specific to 
the hardware device ... */


my_digest_impl.init(ctx);

The use of the EVP_MD_CTX_FLAG_NO_INIT flag is necessary, because 
otherwise the digest's init() function would be called from BIO_set_md() 
without the necessary information for initializing the hardware device. 
With the flag being set the data can be assigned to the md_data member 
after the call to BIO_set_md() and then the digest's init() function can 
be called.


I'd appreciate any comments if there's a problem with this approach. So 
far this seems to be working fine.


--
Stephan



[openssl-users] X509_ALGOR_get_md?

2016-04-28 Thread Wouter Verhelst

Hi,

I note that OpenSSL provides a function X509_ALGOR_set_md() to set the 
message digest algorithm to be used on a signature, but it doesn't seem 
to provide a corresponding X509_ALGOR_get_md() function.


Is this correct, or did I miss something? If I didn't miss anything, 
then how can I figure out which hashing algorithm was used for a given 
X.509 certificate?


Thanks,

--
Wouter Verhelst


Re: [openssl-users] ECDSA Certificate does not work

2016-04-28 Thread Viktor Dukhovni
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:

> I've been trying to get an ECDSA certificate to work with a Postfix
> installation lately.

See also http://www.postfix.org/postfix-tls.1.html, which does all
the magic to create RSA and/or ECDSA keys for Postfix 3.1 or later.

# postfix tls new-server-cert -a ecdsa -b secp521r1

-- 
Viktor.


Re: [openssl-users] ECDSA Certificate does not work

2016-04-28 Thread Viktor Dukhovni
On Thu, Apr 28, 2016 at 07:44:53AM +0200, Danny wrote:
> Dear OpenSSL users,
> 
> I've been trying to get an ECDSA certificate to work with a postfix
> installation lately.
> , however, it seems that when I try to use the aECDSA protocol with a
> client the server gives "no shared cipher" errors.
> 
> I had created the certificate like the following:
> 
> openssl ecparam -name secp521r1 -genkey -param_enc explicit -out
> private/ec-email-server.pem

TLS does not support explicit EC parameters.  You must use a named
curve by OID.  The "-param_enc explicit" option must not be used.

You must also enable ECDHE in s_server to use ECDSA, since neither
RSA key transport nor DHE are possible.

-- 
Viktor.
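
A pre-flight check for the point above, as an added example that is not part of the thread or of OpenSSL: it reads the PEM that `openssl ecparam -genkey` writes and reports whether the curve is given as a named-curve OID or as explicit parameters. The function names and both sample blocks are constructed for illustration; the explicit sample is a stand-in SEQUENCE, not a real curve description.

```python
import base64
import re

# ECParameters is a CHOICE; its first DER tag tells which form was written.
KINDS = {0x06: "named_curve", 0x05: "implicit", 0x30: "explicit"}
PEM_RE = r"-----BEGIN (EC PARAMETERS|EC PRIVATE KEY)-----(.*?)-----END \1-----"

def read_tlv(der, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def decode_oid(value):  # DER OBJECT IDENTIFIER value -> dotted decimal
    nums, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            nums.append(n)
            n = 0
    first = min(nums[0] // 40, 2)
    return ".".join(map(str, [first, nums[0] - 40 * first] + nums[1:]))

def sec1_params(der):
    """Return the [0] parameters of a SEC1 ECPrivateKey, or None if absent."""
    body, pos = read_tlv(der)[1], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0:
            return value
    return None

def check_pem(text):
    """List (PEM label, encoding, curve OID or None) for each EC block."""
    found = []
    for label, b64 in re.findall(PEM_RE, text, re.S):
        der = base64.b64decode(b64)
        params = der if label == "EC PARAMETERS" else sec1_params(der)
        if params:
            tag, value, _ = read_tlv(params)
            oid = decode_oid(value) if tag == 0x06 else None
            found.append((label, KINDS.get(tag, "unknown"), oid))
    return found

# Constructed samples: secp521r1 by OID, then a stand-in explicit SEQUENCE.
NAMED = "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIw==\n-----END EC PARAMETERS-----"
EXPLICIT = "-----BEGIN EC PARAMETERS-----\nMAMCAQE=\n-----END EC PARAMETERS-----"
```

Any block that `check_pem()` reports as `explicit` was written with `-param_enc explicit` and needs regenerating with the default named-curve encoding before a certificate is issued for it.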