Re: osf-contact Striking out everywhere
Thanks for the clarification.
If resolution found, would you want me to report that here?
I'm off to the Node Team.
Thanks,
Erik
Original Message
From: Viktor Dukhovni
Sent: Mon Jun 03 15:25:35 PDT 2019
To: openssl-users@openssl.org
Subject: Re: osf-contact Striking out everywhere
On Mon, Jun 03, 2019 at 02:52:42PM -0700, Erik Madsen wrote:
> if (typeof options.clientCertEngine === 'string') {
> if (c.context.setClientCertEngine)
> c.context.setClientCertEngine(options.clientCertEngine);
>
> options.clientCertEngine is just the path of the SO file
>
> and it is calling openssl function:
>
> SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)
>
> am I wrong that there should be a second argument passed from Node to
> Openssl?
This question is best asked and answered on the node list (but it
may be worth mentioning that in an object-oriented language, the
'self' argument of object methods is generally implicit).
--
Viktor.
Re: osf-contact Striking out everywhere
On Mon, Jun 03, 2019 at 02:52:42PM -0700, Erik Madsen wrote:
> if (typeof options.clientCertEngine === 'string') {
> if (c.context.setClientCertEngine)
> c.context.setClientCertEngine(options.clientCertEngine);
>
> options.clientCertEngine is just the path of the SO file
>
> and it is calling openssl function:
>
> SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)
>
> am I wrong that there should be a second argument passed from Node to
> Openssl?
This question is best asked and answered on the node list (but it
may be worth mentioning that in an object-oriented language, the
'self' argument of object methods is generally implicit).
--
Viktor.
Re: osf-contact Striking out everywhere
Sorry about thatIm new to this format
It was a snip of this:
if (typeof options.clientCertEngine === 'string') {
if (c.context.setClientCertEngine)
c.context.setClientCertEngine(options.clientCertEngine);
options.clientCertEngine is just the path of the SO file
and it is calling openssl function:
SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)
am I wrong that there should be a second argument passed from Node to
Openssl?
Really appreciate all your support
On 6/3/19 12:58 PM, Viktor Dukhovni wrote:
On Mon, Jun 03, 2019 at 12:54:46PM -0700, Erik Madsen wrote:
any thoughts here?
You're posting images instead of text, and to the wrong list.
The issue seems to be in node.
Re: osf-contact Striking out everywhere
On Mon, Jun 03, 2019 at 12:54:46PM -0700, Erik Madsen wrote: > any thoughts here? You're posting images instead of text, and to the wrong list. The issue seems to be in node. -- Viktor.
Re: osf-contact Striking out everywhere
any thoughts here? On 6/3/19 10:03 AM, Erik Madsen wrote: Is there any possibility of setting second argument here from config? SSL_CTX_set_client_cert_engine (SSL_CTX * ctx, ENGINE * ) I think at this point it's a Node issue not allowing for an engine to be used for the key...I know GOST works, but pretty sure that allows for a PrivateKey to be set. I am almost 100% that node is getting the cert, but failing to get the key from the engine, so it's throwing the error "no client cert method" and according to strace, my engine is loading, but this call in Node crypto is setting engine fine, but in the TLS connection, there is no PEM formatted key. One would think if cURL and s_client can work, NodeJs should also... It will probably end up being something silly :O Thanks, Erik *From:* Viktor Dukhovni *Sent:* Mon Jun 03 09:40:15 PDT 2019 *To:* openssl-users@openssl.org *Subject:* Re: osf-contact Striking out everywhere On Mon, Jun 03, 2019 at 04:41:47PM +0100, Matt Caswell wrote: On 03/06/2019 15:16, Erik Madsen wrote: Thanks for the reply! Is there any link for avail variables for openssl.conf? See: https://www.openssl.org/docs/man1.1.1/man5/config.html [ssl_section] KeyForm = ENG no success...but at this point, honestly just scrambling. KeyForm is not a defined parameter for the SSL module. The supported parameters are listed in: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
Re: osf-contact Striking out everywhere
Is there any possibility of setting second argument here from config? SSL_CTX_set_client_cert_engine (SSL_CTX * ctx, ENGINE * ) I think at this point it's a Node issue not allowing for an engine to be used for the key...I know GOST works, but pretty sure that allows for a PrivateKey to be set. I am almost 100% that node is getting the cert, but failing to get the key from the engine, so it's throwing the error "no client cert method" and according to strace, my engine is loading, but this call in Node crypto is setting engine fine, but in the TLS connection, there is no PEM formatted key. One would think if cURL and s_client can work, NodeJs should also... It will probably end up being something silly :O Thanks, Erik Original Message From: Viktor Dukhovni Sent: Mon Jun 03 09:40:15 PDT 2019 To: openssl-users@openssl.org Subject: Re: osf-contact Striking out everywhere On Mon, Jun 03, 2019 at 04:41:47PM +0100, Matt Caswell wrote: > On 03/06/2019 15:16, Erik Madsen wrote: > > > Thanks for the reply! Is there any link for avail variables for > > openssl.conf? > > See: > > https://www.openssl.org/docs/man1.1.1/man5/config.html > > > > > [ssl_section] > > KeyForm = ENG > > > > no success...but at this point, honestly just scrambling. KeyForm is not a defined parameter for the SSL module. The supported parameters are listed in: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html -- Viktor.
Re: Trying to get a public info for a certificate
Thanks a lot, Matt and Viktor! You guys are absolutely right, X509_get0_pubkey_bitstr gives me the same struct that was once inside of cert_info->key->public_key. @Viktor I had also tried your second approach (didn't know about the first one!) and for some reason it doesn't have the "correct" data. My guess is you're right and the application has been hashing the wrong thing all along. I will look into it. Anyway, thanks a lot you guys, you are the best! On Mon, Jun 3, 2019 at 11:31 AM Viktor Dukhovni wrote: > On Mon, Jun 03, 2019 at 10:40:02AM -0500, Daniel Pedraza wrote: > > > There's a part of the code where we're doing a sha256 hash of the public > > key of our certificate. On the older OpenSSL, we were able to get the > > public key by doing cert->cert_info->key->public_key->data. On the newer > > version, we no longer have access to the cert_info struct. > > > > I tried doing: > > > > EVP_PKEY * public_key = X509_get0_pubkey(cert); > > > > this gives me an EVP_PKEY value, which I tried to convert to a char** by > > doing this: > > > > unsigned char *buf, *p; > > int len = i2d_PublicKey(public_key, NULL); > > buf = OPENSSL_malloc(len); > > p = buf; > > i2d_PublicKey(public_key, ); > > To obtain the serialized buffer 'buf' of length 'len' that you > can then checksum, there are two essentially equivalent approaches: > >1. X509 *cert = ...; > X509_PUBKEY *xpk = X509_get_X509_PUBKEY(cert); > int len = i2d_X509_PUBKEY(xpk, NULL); > unsigned char *buf = malloc(len); /* error check */ > unsigned char *buf2 = buf; > > i2d_X509_PUBKEY(xpk, ); > OPENSSL_assert(buf2 - buf == len); > >2. X509 *cert = ...; > EVP_PKEY *pkey = X509_get0_pubkey(cert); > int len = i2d_PUBKEY(pkey, NULL); > unsigned char *buf = malloc(len); /* error check */ > unsigned char *buf2 = buf; > > i2d_PUBKEY(pkey, ); > OPENSSL_assert(buf2 - buf == len); > > The first approach avoids having to reconstruct (allocate, use and > free) the X509_PUBKEY (SPKI) from the underlying EVP_PKEY, so will > be slightly more efficient. > > > This gives me a buffer with the correct length, but it seems like it has > > different data from what the public_key->data used to give me. > > I don't recall what public_key->data contains, but if different it > was probably not the right thing to use, since you should be capturing > the complete SPKI structure (public key algorithm OID, any parameters > and the key data). If it contains just the key bits, without the > algorithm and parameters, it is unwise to use that. > > If needed for backwards-compatibility, you should be able to recover > the key bitstring with X509_get0_pubkey_bitstr(3), but you really > should not. The SPKI is the right object to fingerprint. > > -- > Viktor. >
Re: osf-contact Striking out everywhere
On Mon, Jun 03, 2019 at 04:41:47PM +0100, Matt Caswell wrote: > On 03/06/2019 15:16, Erik Madsen wrote: > > > Thanks for the reply! Is there any link for avail variables for > > openssl.conf? > > See: > > https://www.openssl.org/docs/man1.1.1/man5/config.html > > > > > [ssl_section] > > KeyForm = ENG > > > > no success...but at this point, honestly just scrambling. KeyForm is not a defined parameter for the SSL module. The supported parameters are listed in: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html -- Viktor.
Re: Trying to get a public info for a certificate
On Mon, Jun 03, 2019 at 10:40:02AM -0500, Daniel Pedraza wrote: > There's a part of the code where we're doing a sha256 hash of the public > key of our certificate. On the older OpenSSL, we were able to get the > public key by doing cert->cert_info->key->public_key->data. On the newer > version, we no longer have access to the cert_info struct. > > I tried doing: > > EVP_PKEY * public_key = X509_get0_pubkey(cert); > > this gives me an EVP_PKEY value, which I tried to convert to a char** by > doing this: > > unsigned char *buf, *p; > int len = i2d_PublicKey(public_key, NULL); > buf = OPENSSL_malloc(len); > p = buf; > i2d_PublicKey(public_key, ); To obtain the serialized buffer 'buf' of length 'len' that you can then checksum, there are two essentially equivalent approaches: 1. X509 *cert = ...; X509_PUBKEY *xpk = X509_get_X509_PUBKEY(cert); int len = i2d_X509_PUBKEY(xpk, NULL); unsigned char *buf = malloc(len); /* error check */ unsigned char *buf2 = buf; i2d_X509_PUBKEY(xpk, ); OPENSSL_assert(buf2 - buf == len); 2. X509 *cert = ...; EVP_PKEY *pkey = X509_get0_pubkey(cert); int len = i2d_PUBKEY(pkey, NULL); unsigned char *buf = malloc(len); /* error check */ unsigned char *buf2 = buf; i2d_PUBKEY(pkey, ); OPENSSL_assert(buf2 - buf == len); The first approach avoids having to reconstruct (allocate, use and free) the X509_PUBKEY (SPKI) from the underlying EVP_PKEY, so will be slightly more efficient. > This gives me a buffer with the correct length, but it seems like it has > different data from what the public_key->data used to give me. I don't recall what public_key->data contains, but if different it was probably not the right thing to use, since you should be capturing the complete SPKI structure (public key algorithm OID, any parameters and the key data). If it contains just the key bits, without the algorithm and parameters, it is unwise to use that. If needed for backwards-compatibility, you should be able to recover the key bitstring with X509_get0_pubkey_bitstr(3), but you really should not. The SPKI is the right object to fingerprint. -- Viktor.
Re: Trying to get a public info for a certificate
On 03/06/2019 16:40, Daniel Pedraza wrote: > Hi guys! > > I'm trying to upgrade an old C project from OpenSSL 1.0.2 to the newest 1.1.1 > version. Everything's going smoothly, except for one little detail: > > There's a part of the code where we're doing a sha256 hash of the public key > of > our certificate. On the older OpenSSL, we were able to get the public key by > doing cert->cert_info->key->public_key->data. On the newer version, we no > longer > have access to the cert_info struct. > > I tried doing: > > EVP_PKEY * public_key = X509_get0_pubkey(cert); > > this gives me an EVP_PKEY value, which I tried to convert to a char** by > doing this: > > unsigned char *buf, *p; > int len = i2d_PublicKey(public_key, NULL); > buf = OPENSSL_malloc(len); > p = buf; > i2d_PublicKey(public_key, ); > > This gives me a buffer with the correct length, but it seems like it has > different data from what the public_key->data used to give me. > > Granted, I am not very savvy with OpenSSL, or with ssl in general, so maybe > I'm > doing something wrong/dumb? I've spent a fair bit of time on the > documentation/wiki but I can´t seem to find the answer. Seems to me like this > should be something very straightforward? > > Any help would be v much appreciated Probably what you want is the X509_get0_pubkey_bitstr() function. This gives you the data as an ASN1_BIT_STRING structure (i.e. what used to be accessible as cert->cert_info->key->public_key). Matt
Trying to get a public info for a certificate
Hi guys! I'm trying to upgrade an old C project from OpenSSL 1.0.2 to the newest 1.1.1 version. Everything's going smoothly, except for one little detail: There's a part of the code where we're doing a sha256 hash of the public key of our certificate. On the older OpenSSL, we were able to get the public key by doing cert->cert_info->key->public_key->data. On the newer version, we no longer have access to the cert_info struct. I tried doing: EVP_PKEY * public_key = X509_get0_pubkey(cert); this gives me an EVP_PKEY value, which I tried to convert to a char** by doing this: unsigned char *buf, *p; int len = i2d_PublicKey(public_key, NULL); buf = OPENSSL_malloc(len); p = buf; i2d_PublicKey(public_key, ); This gives me a buffer with the correct length, but it seems like it has different data from what the public_key->data used to give me. Granted, I am not very savvy with OpenSSL, or with ssl in general, so maybe I'm doing something wrong/dumb? I've spent a fair bit of time on the documentation/wiki but I can´t seem to find the answer. Seems to me like this should be something very straightforward? Any help would be v much appreciated -Daniel
Signing using EVP_PKEY_encrypt when using pkcs11 engine
Hi,
I'm trying to modify the evm/ima utility so that it can use a HSM to
perform signing. I've setup SoftHSM and used this to create a
certificate with an RSA public key pair. The evmctl code creates the
hash and then calls a function to perform the sign operation which
ends up calling
len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig,
key, RSA_PKCS1_PADDING);
My idea was to keep the hash calculation as is, and replace the
RSA_private_encrypt with code that uses the private key in the HSM to
encrypt the hash buffer that has been calculated.
My initialisation looks like this
/* Load the configuration using OPENSSL_CONF environment variable */
OPENSSL_config(NULL);
/* Try and load PKCS11 engine */
const char* s = getenv("OPENSSL_CONF");
printf("Trying to load pkcs#11 engine\n");
printf("OPENSSL_CONF=%s\n", s);
pkcs_engine = ENGINE_by_id("pkcs11");
if (!pkcs_engine) {
printf("PKCS#11 engine not found, not using HSM\n");
} else {
int rv = ENGINE_init(pkcs_engine);
if (!rv) {
fprintf(stderr, "PKCS#11 could not be initialised\n");
ENGINE_free(pkcs_engine);
pkcs_engine = NULL;
}
ENGINE_set_default(pkcs_engine, ENGINE_METHOD_ALL);
}
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
and then I load the private key with
key = ENGINE_load_private_key(pkcs_engine, keyid, UI_OpenSSL(), NULL);
if (!key) {
log_err("%s: Failed to load private key with id: %s\n", keyid,
__func__);
ERR_print_errors_fp(stderr);
}
and then use the following to perform the encryption
/* Create context */
hsm_key_ctx = EVP_PKEY_CTX_new(hsm_key, NULL);
if (hsm_key_ctx == NULL) {
log_err("sign_hash_v2: failed to create context\n");
ERR_print_errors_fp(stderr);
return -1;
}
rv = EVP_PKEY_encrypt_init(hsm_key_ctx);
if (rv <= 0) {
log_err("sign_hash_v2: failed to init encrypt (rv=%d\n", rv);
ERR_print_errors_fp(stderr);
EVP_PKEY_CTX_free(hsm_key_ctx);
return -1;
}
/* TODO: What padding??? RSA_PKCS1_PSS_PADDING?? */
rv = EVP_PKEY_CTX_set_rsa_padding(hsm_key_ctx, RSA_PKCS1_PADDING);
if (rv <= 0) {
log_err("sign_hash_v2: failed to set RSA_PKCS1_PADDING
(rv=%d\n", rv);
ERR_print_errors_fp(stderr);
EVP_PKEY_CTX_free(hsm_key_ctx);
return -1;
}
if (rv <= 0) {
log_err("sign_hash_v2: failed to set RSA_PKCS1_PADDING
(rv=%d\n", rv);
ERR_print_errors_fp(stderr);
EVP_PKEY_CTX_free(hsm_key_ctx);
return -1;
}
/* Create signature */
outlen = 0;
rv = EVP_PKEY_encrypt(hsm_key_ctx, NULL, , buf, size +
asn1->size);
if ((rv <= 0) || (outlen == 0)) {
log_err("sign_hash_v2: failed to learn needed output buf
len (rv=%d)\n", rv);
ERR_print_errors_fp(stderr);
EVP_PKEY_CTX_free(hsm_key_ctx);
return -1;
}
/*outlen = 256;*/
log_info("EVP_PKEY_encrypt: outlen: %lu\n", outlen);
rv = EVP_PKEY_encrypt(hsm_key_ctx, hdr->sig, , buf,
size + asn1->size);
if (rv <= 0) {
log_err("sign_hash_v2: EVP_PKEY_encrypt() failed (rv=%d)\n", rv);
ERR_print_errors_fp(stderr);
EVP_PKEY_CTX_free(hsm_key_ctx);
return -1;
}
But I find that when I create a signature for a particular file it's
always different with each invocation of the utility. If I try and
verify it using the associated public key I get:
RSA_public_decrypt() failed: -1
errno: No data available (61)
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
Is there something I am missing in my code above? I tried setting the
Engine in EVP_PKEY_CTX_new but get:
sign_hash_v2: failed to create context
140174165591744:error:260C0065:engine
routines:ENGINE_get_pkey_meth:unimplemented public key
method:tb_pkmeth.c:128:
140174165591744:error:0609D09C:digital envelope
routines:INT_CTX_NEW:unsupported algorithm:pmeth_lib.c:166:
errno: Invalid argument (22)
Any help appreciated,
Martin.
Re: Compile EC(Elliptic Curve) crypto
Thanks, I will check out. On Mon, Jun 3, 2019 at 6:18 PM Jakob Bohm via openssl-users < openssl-users@openssl.org> wrote: > On 03/06/2019 14:35, Chitrang Srivastava wrote: > > Hi, > > > > I am porting Openssl 1.1.1b for an embedded platform. > > I see that EC folder generate some of function in assembly for e.g > > These functions are generated based on environment like > > x86-64/ppc/armv8 etc. > > Is there any C version of these function to use directly ? > > Thanks, > > > All algorithms etc. are available as C code, the assembler optimizations > are used if they exist for a compilation target and have not been > explicitly disabled with the configure option "no-asm". > > Because embedded platforms often have slow CPUs, keeping the assembler > optimizations enabled is especially advantageous on such systems. > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > >
Re: Compile EC(Elliptic Curve) crypto
On 03/06/2019 14:35, Chitrang Srivastava wrote: Hi, I am porting Openssl 1.1.1b for an embedded platform. I see that EC folder generate some of function in assembly for e.g These functions are generated based on environment like x86-64/ppc/armv8 etc. Is there any C version of these function to use directly ? Thanks, All algorithms etc. are available as C code, the assembler optimizations are used if they exist for a compilation target and have not been explicitly disabled with the configure option "no-asm". Because embedded platforms often have slow CPUs, keeping the assembler optimizations enabled is especially advantageous on such systems. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
Compile EC(Elliptic Curve) crypto
Hi, I am porting Openssl 1.1.1b for an embedded platform. I see that EC folder generate some of function in assembly for e.g These functions are generated based on environment like x86-64/ppc/armv8 etc. Is there any C version of these function to use directly ? Thanks,
