Re: [openssl-users] openssl-users Digest, Vol 46, Issue 46

2018-09-25 Thread Vinay Mummadi
Hi Richard,

CC = /u/build/build1/engtools/linux/2.6.18-8.el5/x86_64/gcc/versions/4.3.2/bin/gcc
CXX = /u/build/build1/engtools/linux/2.6.18-8.el5/x86_64/gcc/versions/4.3.2/bin/g++

I was using these for openssl 1.1.0h and it compiled with this option "enable-ec_nistp_64_gcc_128"

Any other possibility, Please suggest.
--
Vinay
9008855944

On 9/25/18, 10:52 PM, "openssl-users on behalf of 
openssl-users-requ...@openssl.org"  wrote:

Today's Topics:

   1. Re: Build issues with openssl-1.1.1 (Richard Levitte)
   2. Certificate format question? (Scott Neugroschl)
   3. Re: Certificate format question? (Viktor Dukhovni)
   4. Re: Certificate format question? (Scott Neugroschl)
   5. Re: Certificate format question? (Hubert Kario)


--

Message: 1
Date: Mon, 24 Sep 2018 15:42:48 +0200 (CEST)
From: Richard Levitte 
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Build issues with openssl-1.1.1
Message-ID: <20180924.154248.2078713038705571598.levi...@openssl.org>
Content-Type: Text/Plain; charset=us-ascii

I'm noticing these from the dump:

Recorded environment:

...
CC = /u/build/build1/engtools/linux/2.6.18-8.el5/x86_64/gcc/versions/4.3.2/bin/gcc
CXX = /u/build/build1/engtools/linux/2.6.18-8.el5/x86_64/gcc/versions/4.3.2/bin/g++

Could it be that those compilers don't have support for 128 bit
integers on your platform?  In that case, you should remove
'enable-ec_nistp_64_gcc_128' from your configuration command.

Cheers,
Richard

In message <4b3e5be8-18c9-4847-a71f-10ee9b410...@digicert.com> on Mon, 24 Sep 2018 13:12:51 +, Vinay Mummadi  said:

> Hi team,
> 
> I have downloaded openssl-1.1.1.tar.gz and executed the build it fails during make with this error.
> 
> Following are the steps.
> 
> 1 "./config --prefix=/u/build/build2/openssl/openssl.SYMC-1.1.1.shared/root/app/symc/packages/openssl.SYMC-1.1.1.shared shared zlib -L$baseLinkDir/lib -lz enable-ec_nistp_64_gcc_128"
> 
> 2 "make depend"
> 
> 1 "make"
> 
> I see this error
> 
> crypto/ec/ecp_nistp224.c:48:4: error: #error "Your compiler doesn't appear to support 128-bit integer types"
> 
> crypto/ec/ecp_nistp224.c:75: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'widelimb'
> 
> crypto/ec/ecp_nistp224.c:78: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'widefelem'
> 
> crypto/ec/ecp_nistp224.c:426: error: expected ')' before 'out'
> 
> crypto/ec/ecp_nistp224.c:454: error: expected ')' before 'out'
> 
> crypto/ec/ecp_nistp224.c:491: error: expected ')' before 'out'
> 
> crypto/ec/ecp_nistp224.c:503: error: expected ')' before 'out'
> 
> crypto/ec/ecp_nistp224.c:519: error: expected ')' before 'out'
> 
> crypto/ec/ecp_nistp224.c:537: warning: type defaults to 'int' in declaration of 'widefelem'
> 
> crypto/ec/ecp_nistp224.c:537: error: expected ';', ',' or ')' before 'in'
> 
> crypto/ec/ecp_nistp224.c: In function 'felem_square_reduce':
> 
> crypto/ec/ecp_nistp224.c:603: error: 'widefelem' undeclared (first use in this function)
> 
> crypto/ec/ecp_nistp224.c:603: error: (Each undeclared identifier is reported only once
> 
> crypto/ec/ecp_nistp224.c:603: error: for each function it appears in.)
> 
> crypto/ec/ecp_nistp224.c:603: error: expected ';' before 'tmp'
> 
> crypto/ec/ecp_nistp224.c:604: warning: implicit declaration of function 'felem_square'
> 
> crypto/ec/ecp_nistp224.c:604: error: 'tmp' undeclared (first use in this function)
> 
> crypto/ec/ecp_nistp224.c:605: warning: 

Re: [openssl-users] Certificate format question?

2018-09-25 Thread Scott Neugroschl
Steffen Nurpmeso, Tuesday, September 25, 2018 11:57 AM


> The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
> base64 characters" makes me wonder.

The relevant clause is a few sentences up: "Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data."


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] An example issuing an intermediate CA with policy mappings?

2018-09-25 Thread Krehbiel, Richard
For my testing I want to explore the behaviors of policies, policy constraints, 
and policy mappings.  I have figured out how to request and issue certs with 
custom policy OIDs, but I haven't yet seen a method of granting an intermediate 
cert with policy mappings.   Can openssl do this?  How?  Thanks.


KASTLE SYSTEMS



Re: [openssl-users] Certificate format question?

2018-09-25 Thread Steffen Nurpmeso
Viktor Dukhovni wrote in <5d44b1e9-cdb3-49c1-a3e5-4ab0d889c...@dukhovni.org>:
 |That particular parser tries to parse an arbitrary single
 |PEM-encoded object, rather than a first object of a particular
 |type (as with "pkey", "req", "x509", ...).  The code for that
 |is more specialized, and does support leading free-form text.
 |
 |While it could skip to the first boundary, and a well written
 |pull request would be welcome, it is not critical for asn1parse
 |to be able to ignore free-form text above the PEM object.
 |
 |In the meantime:
 |
 |   $ perl -ne 'print if (/^-----BEGIN/../^-----END/);' foo.pem |
 |   openssl asn1parse

The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
base64 characters" makes me wonder.  I know (or used to know) that
the OpenSSL base64 decoder is (or was) pretty bad in doing so.
But this RFC is about PKIX specifics, of course, yet i (as a MUA
maintainer) struggled with how to deal with embedded data in
base64 encodings, and this RFC seems to explicitly allow them.
And i struggled because i have seen mail messages with data
embedded in base64; the rewrite of the MIME encoder (MUA commit
[d91a4bd0]), necessary to deal with those sequences, says a. o.:

In both cases: except that we, due to lack of a context, cannot
give an error message, say, once per handled message.  I.e., we
cannot provide any error logging in order to avoid a possibly
infinite amount of such messages.

Regarding the garbage in base64 parts that we now simply skip.
I mean, it is possible to embed abuse porn or similar shit in
between the valid data, and now we _also_ simply skip over the
"garbage", silently extraditing our users to automatic parsers
which may gobble that s..t!

Also because the mutt(1) MUA is pretty good in skipping over
things.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: [openssl-users] Certificate format question?

2018-09-25 Thread Viktor Dukhovni
That particular parser tries to parse an arbitrary single
PEM-encoded object, rather than a first object of a particular
type (as with "pkey", "req", "x509", ...).  The code for that
is more specialized, and does support leading free-form text.

While it could skip to the first boundary, and a well written
pull request would be welcome, it is not critical for asn1parse
to be able to ignore free-form text above the PEM object.

In the meantime:

   $ perl -ne 'print if (/^-----BEGIN/../^-----END/);' foo.pem |
   openssl asn1parse

> On Sep 25, 2018, at 1:15 PM, Hubert Kario  wrote:
> 
> then it looks like the parser used in asn1parse -inform pem is non-
> compliant...
> 
> https://github.com/openssl/openssl/issues/7317

-- 
Viktor.
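
The behaviour discussed in this thread, as an added example (not code from OpenSSL or from any poster): a Python sketch that skips free-form text above the first boundary, as the perl one-liner does, and decodes the body leniently as RFC 7468 allows, but reports what it skipped instead of dropping it silently. The function name `first_pem_object` and all sample data are constructed for illustration.

```python
import base64
import re

# RFC 7468 encapsulation boundaries; the END label must repeat the BEGIN label.
_PEM = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)^-----END \1-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE,
)


def first_pem_object(text):
    """Return (label, der, findings) for the first PEM object in text.

    findings names everything a lax parser would have skipped silently.
    """
    m = _PEM.search(text)
    if m is None:
        raise ValueError("no PEM encapsulation boundaries found")
    findings = []
    if text[:m.start()].strip():
        findings.append("text before BEGIN boundary")
    body = m.group(2)
    junk = re.sub(r"[A-Za-z0-9+/=\s]", "", body)
    if junk:
        findings.append(f"{len(junk)} non-base64 character(s) inside body")
    # Lax decoding as RFC 7468 allows: drop everything outside the alphabet.
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", body)
    der = base64.b64decode(cleaned, validate=True)  # raises on bad padding
    return m.group(1), der, findings


# Constructed sample: a stub SEQUENCE { INTEGER 1, INTEGER 2 }, not a real cert.
DER = bytes.fromhex("3006020101020102")
B64 = base64.b64encode(DER).decode()
CLEAN = f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"
WITH_TEXT = "free-form notes above the object\n" + CLEAN
EMBEDDED = CLEAN.replace(B64, B64[:4] + "<!>" + B64[4:])

if __name__ == "__main__":
    for name, pem in (("clean", CLEAN), ("with text", WITH_TEXT), ("embedded", EMBEDDED)):
        label, der, findings = first_pem_object(pem)
        print(f"{name}: {label}, {len(der)} DER bytes, findings={findings}")
```

All three inputs decode to the same DER bytes; only the findings list tells a caller that something other than the object was present in the file.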



Re: [openssl-users] Certificate format question?

2018-09-25 Thread Hubert Kario
On Tuesday, 25 September 2018 00:55:16 CEST Viktor Dukhovni wrote:
> > On Sep 24, 2018, at 6:25 PM, Scott Neugroschl  wrote:
> > 
> > I tried googling, but couldn’t find an answer to this…
> > 
> > I came across a certificate that had some text garbage before the 
> > BEGIN CERTIFICATE  line.
> > 
> > I know that the cert is defined as the data between the delimiters.  Do
> > the specs say anything about data before the BEGIN delimiter?  Would a
> > certificate with such data be valid?  I know OpenSSL accepts such a cert,
> > but is this an extension, or is it explicitly permitted by the
> > standards/specifications?
> https://tools.ietf.org/html/rfc7468#section-2

then it looks like the parser used in asn1parse -inform pem is non-
compliant...

https://github.com/openssl/openssl/issues/7317

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic



Re: [openssl-users] Certificate format question?

2018-09-25 Thread Scott Neugroschl



> On Sept 24, 2018, at 3:55 PM, Viktor Dukhovni wrote:
>> On Sep 24, 2018, at 6:25 PM, Scott Neugroschl wrote:
>>
>> I tried googling, but couldn’t find an answer to this…
>>
>> I came across a certificate that had some text garbage before the BEGIN
>> CERTIFICATE line.
>>
>> I know that the cert is defined as the data between the delimiters.  Do the
>> specs say anything about data before the BEGIN delimiter?  Would a
>> certificate with such data be valid?  I know OpenSSL accepts such a cert,
>> but is this an extension, or is it explicitly permitted by the
>> standards/specifications?
>
> https://tools.ietf.org/html/rfc7468#section-2

Thanks, Viktor, appreciated.
