RE: Decrypting encrypted e-mail in OE 5
= Original Message From [EMAIL PROTECTED] =
> The picture shows that you have the High Crypto pack installed (the 128-bit encryption statement in the About box). So my assumptions are wrong and I have no idea at the moment what else could cause your problem, sorry. :-(

After trying again and again, I found something strange. I retrieve my personal digital certificate from the CA using IE. If someone encrypts an e-mail using this digital certificate, the encrypted e-mail can't be decrypted in Outlook Express even though the digital certificate exists. I tried to export the certificate from IE and then import it into Netscape. Then I removed the certificate from IE immediately. Finally I exported the certificate from Netscape as a .p12 file and imported this .p12 file back into IE. In simple words, IE - Netscape - IE. Now the same encrypted e-mail can be decrypted in Outlook Express. What do Netscape and IE actually do during the process of importing/exporting a PKCS#12 file? The same digital certificate, but a different outcome. Please help me to solve this problem. Thank you.

Angus Lee
---
Get Your Free Email at http://www.hknetmail.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Decrypting encrypted e-mail in OE 5
Hi,

I've set up my own CA using OpenSSL. I suppose there are no known problems/mistakes in my CA setup. I could use the digital certificates issued by this CA to send secure e-mail and log in to intranet web sites (in my office) which require client authentication.

Now I have two e-mail accounts, suppose one is S and another one is W. S is using IE 5 with SP2 (but the Outlook Express version is 5.5 as reported by the application) while W is using IE 6. Both run on Microsoft Windows 2000 with SP2. S and W exchange their public certificates by sending a signed e-mail to one another. Then both reply with an encrypted e-mail using Outlook Express. W, which has IE 6, has no problem decrypting the encrypted e-mail sent by S. S, which has IE 5 SP2, could NOT decrypt the encrypted e-mail sent by W. The error message is:

Error Decrypting Message
You cannot read the message. This might be because:
o You may have lost or deleted the Digital ID that the message is encrypted to.
o You may have installed the Digital ID that the message is encrypted to on another computer.
o The sender may have meant the message for somebody else.
o You do not have the necessary security package installed on this computer.

I have the same problem on another machine which has IE 5.5 SP2 installed. Could someone please help me?

The BIG problem is that both S and W have no problem decrypting e-mail when I use digital certificates issued by Thawte. I guess there may be something wrong with my CA setup. Please also find attached the openssl.cnf I use for my own CA.

Thank you very much.

Angus Lee

Attachment: openssl.cnf
RE: Decrypting encrypted e-mail in OE 5
= Original Message From [EMAIL PROTECTED] =
> Now I have two e-mail accounts, suppose one is S and another one is W. S is using IE 5 with SP2 (but the Outlook Express version is 5.5 as reported by the application) while W is using IE 6. Both run on Microsoft Windows 2000 with SP2. S and W exchange their public certificates by sending a signed e-mail to one another. Then both reply with an encrypted e-mail using Outlook Express. W, which has IE 6, has no problem decrypting the encrypted e-mail sent by S. S, which has IE 5 SP2, could NOT decrypt the encrypted e-mail sent by W.

Just want to add more information: Netscape 4.78 has no such problem. Is there any incompatibility between Netscape and IE when dealing with encrypted e-mail? I scanned the web and found that there are some S/MIME version 2 or version 3 standards. Do they affect this?

Angus Lee
Parsing CRL
Hi,

I'm writing a Eudora S/MIME plug-in. In it, I have my own store of digital certificates. I want to add support for CRLs to the plug-in. What I want to do is that my plug-in will download the certificate revocation list from the CA server, or the user manually downloads it and saves it to a local file; then the plug-in would parse the CRL and mark any digital certificates in its store as revoked accordingly. Is there any function in OpenSSL that allows me to parse a CRL and mark a particular digital certificate as revoked?

Angus Lee
RE: Verify signature of a multipart message
= Original Message From [EMAIL PROTECTED] =
> Ugh. I checked OpenSSL (Netscape?) 4.73 too and it does the same. The cause is that Netscape isn't properly excluding the content. It is including a zero-length content. This is a recent addition to Netscape and is a bug. I'll see if I can develop a workaround.

In other words, do you mean that I couldn't verify the digital signature of those e-mails that come from Netscape?

I'm developing a Eudora S/MIME plug-in for our University. I've asked my colleague to send me a signed message using Outlook Express. He accidentally sent both plain text and HTML format to me. So the message is a multipart message, but I could verify the digital signature without any problem. By the way, my colleague used a digital certificate generated using OpenSSL to sign the e-mail. Did it matter?

Angus Lee
RE: Verify signature of a multipart message
= Original Message From [EMAIL PROTECTED] =
>> I could use OpenSSL to decrypt this signed and encrypted message. Then when I verify the digital signature, OpenSSL told me 'content and data present'. Is there anything wrong with my code?
> Can you send me a copy of the message and/or signature? The signed but decrypted version, that is.

b4dec.txt is the original signed and encrypted message, while afterdec.txt is what I got after decryption. cityuca.pem is the CA certificate of the signer.

> What version of Netscape is this BTW?

4.71 (40 bit).

Angus Lee

Attachment: vfymsg.zip
Verify signature of a multipart message
Hi,

I sent a signed and encrypted email to myself using Netscape. The email contains not only the text portion but also two attachments. I could use OpenSSL to decrypt this signed and encrypted message. Then when I verify the digital signature, OpenSSL told me 'content and data present'. It astonished me. I opened the decrypted message and found a multipart/signed message. The first part is the original message, which is a multipart message having three parts. The second part of the multipart/signed message is the digital signature. So what's wrong?

I tried to cut the message body (i.e. excluding the digital signature part) out and use OpenSSL to sign this message with the same private key. After that, I could verify this signed message. However, the original one that came from Netscape still couldn't be verified and always gives the same error. Is there anything wrong with my code?

Angus Lee
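The "content and data present" failure discussed in this thread, reproduced with the openssl command-line tool. This is an added example, not code from the thread or from the OpenSSL project; it assumes an openssl binary on PATH, and the signer certificate, the multipart/mixed body and the function names are all constructed for the example. Three cases are run: a detached multipart/signed message verifies, an opaque (-nodetach) message verifies, and the opaque message is refused as soon as a separate content file is supplied as well, because PKCS7_verify rejects a PKCS#7 that already carries content when detached data is passed too. A PKCS#7 with zero-length encapsulated content, which the reply above attributes to Netscape, falls into that same not-detached category.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce OpenSSL's
# "content and data present" refusal with the command-line tool.
# Assumes an openssl binary on PATH; all key material and messages are
# constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Tiny req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Throw-away self-signed signer (constructed test material, 2-day lifetime).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=smime-test" \
    -config "$WORK/req.cnf" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.pem" >/dev/null 2>&1

# Constructed multipart/mixed body: a text part plus one attachment, the
# shape of the message the post could not verify.
cat > "$WORK/body.txt" <<'EOF'
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain

Hello from the multipart example.
--part-boundary
Content-Type: application/octet-stream; name="a.bin"
Content-Transfer-Encoding: base64

AAECAwQFBgc=
--part-boundary--
EOF

# sign_detached IN OUT: multipart/signed, body in part 1, signature in part 2.
sign_detached() {
    openssl smime -sign -in "$1" -out "$2" \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key"
}

# sign_opaque IN OUT: the content travels inside the PKCS#7 itself.  A PKCS#7
# whose embedded content is zero length is classified the same way: not
# detached.
sign_opaque() {
    openssl smime -sign -nodetach -in "$1" -out "$2" \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key"
}

# verify MSG [CONTENT]: exit 0 on success.  -noverify skips chain building so
# the outcome reflects only the signature and the content handling.
verify() {
    if [ $# -gt 1 ]; then
        openssl smime -verify -noverify -in "$1" -content "$2" \
            -out /dev/null >/dev/null 2>&1
    else
        openssl smime -verify -noverify -in "$1" -out /dev/null >/dev/null 2>&1
    fi
}

# run_demo: one-line summary of the three cases.
run_demo() {
    sign_detached "$WORK/body.txt" "$WORK/detached.eml"
    sign_opaque   "$WORK/body.txt" "$WORK/opaque.eml"
    d=fail; o=fail; both=accepted
    verify "$WORK/detached.eml" && d=ok
    verify "$WORK/opaque.eml" && o=ok
    # Supplying -content for a message that already carries its content is
    # the "content and data present" error; it is raised before any
    # signature check happens.
    verify "$WORK/opaque.eml" "$WORK/body.txt" || both=rejected
    echo "detached=$d opaque=$o opaque+content=$both"
}

run_demo
```

Run as-is; it prints one summary line. The -noverify flag is there so the exit codes reflect only signature and content handling; for real mail drop it and pass -CAfile so the signer's chain is validated as well.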
BIO_flush() vs BIO_reset()
Hi,

It looks like the effects of BIO_flush() and BIO_reset() are alike. Is there indeed any difference between them?

I also want to know if I can pick out the certificate that belongs to the CA which signed a particular certificate from a stack of certificates. I mean I have a certificate that is signed by, say, CA 1. Now I have a handful of certificates which may belong to some CAs or persons. Can I find the certificate of CA 1 among all the certificates in my hand?

Thank you.

Angus Lee
Test if it is a CA cert
Hi,

Is there any function in OpenSSL that allows me to test whether a given certificate is a CA cert or not?

Thank you.

Angus Lee
RE: sk_pop_free() cannot convert parameter 2
= Original Message From [EMAIL PROTECTED] =
>> C:\Work\EudSMIME\SetngDlg.cpp(378) : error C2664: 'sk_pop_free' : cannot convert parameter 2 from 'void (PKCS12_SAFEBAG *)' to 'void (__cdecl *)(void)'
>> None of the functions with this name in scope match the target type
> From those errors it looks like you are trying to call these macros in C++. Why do you need to do that? You can parse PKCS#12 files much more easily with PKCS12_parse() which should have no problems.

Could you please give me a segment of sample code that would convert a PKCS#12 file to PEM format? I'm not very familiar with the APIs in OpenSSL. What I do now is copy from the code segment of pkcs12.c in OpenSSL 0.9.5a.

Thank you.

Angus Lee
PKCS12 unpack error
Hi,

VC6 reported that there is an error with the following line:

    if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;

The error was:

    error C2664: 'ASN1_seq_unpack' : cannot convert parameter 4 from 'void (struct pkcs7_st *)' to 'void (__cdecl *)(void)'
    None of the functions with this name in scope match the target type

I use OpenSSL 0.9.5a compiled using VC6 on Win98SE. What's wrong?

Thank you.

Angus Lee
A CA's certificate?
Hi,

Is a self-signed certificate always a CA certificate? If not, what criteria does Netscape use to determine which certificate is your own, which is someone else's and which is a CA's? Is there any function in OpenSSL that enables me to tell whether a certificate is a server certificate?

Angus Lee
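An added example, not code from the thread or from the OpenSSL project, covering the three questions asked in this post, in "Test if it is a CA cert" and in the second half of "BIO_flush() vs BIO_reset()": is a certificate a CA certificate, is a self-signed certificate always a CA, and which certificate in a pile signed a given one. It uses the openssl binary, assumed on PATH, and builds a root CA, a self-signed certificate with basicConstraints CA:FALSE and an end-entity certificate issued by the root; every name and file is constructed for the example. Self-signedness is tested by verifying the certificate's signature under its own public key (the signature algorithm is assumed to be sha256WithRSAEncryption, which is what the tool produces here), CA status by the basicConstraints extension, and the issuer lookup insists on a signature check rather than a subject-name match alone.

```shell
#!/bin/sh
# Added example, not code from the thread: with the openssl binary (assumed on
# PATH) tell CA certificates from end-entity ones, test what "self-signed"
# really means, and pick a certificate's issuer out of a pile of candidates.
# Every certificate here is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Explicit extension sections so each certificate carries exactly the
# basicConstraints we intend (the tool's default config would add its own).
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF

for n in ca self user; do
    openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$n.key" -subj "/CN=$n" \
        -config "$WORK/ext.cnf" -out "$WORK/$n.csr"
done
# Root CA: self-signed AND CA:TRUE.
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/ca.pem" 2>/dev/null
# Self-signed but CA:FALSE: a self-signature alone does not make a CA.
openssl x509 -req -in "$WORK/self.csr" -signkey "$WORK/self.key" -days 2 \
    -extfile "$WORK/ext.cnf" -extensions leaf_ext -out "$WORK/self.pem" 2>/dev/null
# End-entity certificate issued by the root CA.
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
    -out "$WORK/user.pem" 2>/dev/null

# is_ca_cert CERT: "ca" when basicConstraints says CA:TRUE, else "end-entity".
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo end-entity
    fi
}

# is_self_signed CERT: "yes" when the signature over the TBSCertificate
# verifies under the certificate's own public key (sha256WithRSA assumed).
# That is the definition of self-signed; it says nothing about CA status.
is_self_signed() {
    # asn1parse line 2 is the TBSCertificate; the last BIT STRING is the signature.
    tbs_off=$(openssl asn1parse -in "$1" | sed -n '2p' | cut -d: -f1 | tr -d ' ')
    sig_off=$(openssl asn1parse -in "$1" | grep 'BIT STRING' | tail -n 1 | cut -d: -f1 | tr -d ' ')
    openssl asn1parse -in "$1" -strparse "$tbs_off" -out "$WORK/tbs.der" -noout
    openssl asn1parse -in "$1" -strparse "$sig_off" -out "$WORK/sig.der" -noout
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.der" \
            "$WORK/tbs.der" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# find_issuer CERT CANDIDATE...: print the candidate whose subject matches
# CERT's issuer AND whose key verifies CERT's signature.  Names can be
# forged, so the signature check is what makes the answer trustworthy.
find_issuer() {
    target=$1; shift
    want=$(openssl x509 -in "$target" -noout -issuer_hash)
    for cand in "$@"; do
        [ "$(openssl x509 -in "$cand" -noout -subject_hash)" = "$want" ] || continue
        if openssl verify -partial_chain -trusted "$cand" "$target" >/dev/null 2>&1; then
            echo "$cand"
            return 0
        fi
    done
    echo none
    return 1
}
```

The three classifications are independent: self.pem is self-signed and not a CA, ca.pem is both, user.pem is neither, and only the signature check distinguishes a genuine issuer from a certificate that merely carries the same subject name.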
RE: Use public key and private key in certificate
= Original Message From [EMAIL PROTECTED] =
> What the certificate contains depends on how you requested and made the cert. If you used CA.pl or CA.sh, which are in mycert.key. Then I rename newcert.pem to mycert.cert. In which case I have the cert in one file and the private key in another file. This mirrors what other tools, such as BSAFE or IsaSilk, do.

My final year project supervisor created an X.509v3 certificate for me using the CA in our lab. I tried to export my certificate from Netscape using the 'Export Certificate' function in it. Then I converted the .p12 file back to PEM format and found that it contains both the certificate and my private key. I suppose there must be some way for me to read in the cert7.db and key3.db files and do the same thing in my own program.

> What are you trying to do? Are you trying to use OpenSSL as a message encryption tool like PGP?

I'm indeed writing a plugin for Netscape which works more or less like an S/MIME plugin. I need to authenticate and identify the person who uses the plugin to request the document decryption key from my server. So I need to use an X.509v3 certificate. But my supervisor asked me if I could make use of the public key and private key associated with the certificate to do any public key encryption, because I use PGP to do this now. So I think I need to read in Netscape's cert7.db and key3.db files. I wonder if this is workable or not. At present I extract the user's certificate from the cert7.db file, but Netscape's site documented that this file's format is going to change and suggested people use NSS (or PSM, I couldn't remember).

At present I have another problem with my program on the server. I have written the same segment of code for use in the plugin as well as in the server program. However, that in the server program fails while that in the plugin works without any problem.

Here is the code in question:

    BIO_set_mem_buf(in, bm, BIO_NOCLOSE);
    BIO_write(in, *cert, cert_len);
    if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
        name = X509_get_subject_name(x);
        /* common name */
        obj = OBJ_nid2obj(NID_commonName);
        last = -1;                 /* -1: search from the first entry */
        i = X509_NAME_get_index_by_OBJ(name, obj, last);
        if (i >= 0) {              /* was "if (i = 0)": an assignment, not a comparison */
            ne = X509_NAME_get_entry(name, i);
            common_name = X509_NAME_ENTRY_get_data(ne);
        }
        /* ... */
    }

i is -1 in my server program running on Caldera OpenLinux 2.3. The same code produces i = 0 on Windows NT with the same set of input.

Angus Lee
RE: Use public key and private key in certificate
= Original Message From [EMAIL PROTECTED] =
> A certificate contains only the public key; the private key is usually kept on the server (the owner of the certificate). From a certificate you can extract only the public key.

If I extract the certificate and the certificate's private key from Netscape's db, is it possible to use any openssl functions to do public key encryption?

Angus Lee
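An added example, not code from the thread or from the OpenSSL project, for the question just above: a certificate yields only the public key, and public-key encryption of a document with it is done hybrid-style (RSA-OAEP wraps a random content key, AES-256-CBC encrypts the document with that key). It uses the openssl binary, assumed on PATH; the key pair, certificate and document are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: the key material a certificate
# gives you (public key only) and how to encrypt with it, using the openssl
# binary (assumed on PATH).  Key, certificate and document are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Tiny req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# The certificate owner's key pair and self-signed certificate (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=pubkey-demo" \
    -config "$WORK/req.cnf" \
    -keyout "$WORK/owner.key" -out "$WORK/owner.pem" >/dev/null 2>&1

# cert_pubkey CERT OUT: extract the SubjectPublicKeyInfo.  There is no
# private key inside a certificate to extract.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey > "$2"; }

# encrypt_for PUB IN DIR: hybrid encryption.  RSA-OAEP with a 2048-bit key can
# wrap at most 190 bytes, so wrap a random content key and let AES do the
# document.  The content key is 64 hex characters on one line, which is what
# "openssl enc -pass file:" reads.
encrypt_for() {
    openssl rand -hex 32 > "$3/cek.hex"
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$3/cek.hex" -out "$3/cek.enc" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$3/cek.hex" -in "$2" -out "$3/doc.enc"
    rm -f "$3/cek.hex"   # from here on only the private-key holder can recover it
}

# decrypt_with PRIV DIR: unwrap the content key, then the document; prints it.
decrypt_with() {
    openssl pkeyutl -decrypt -inkey "$1" -in "$2/cek.enc" -out "$2/cek.dec" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2/cek.dec" -in "$2/doc.enc"
}

# demo: the public key taken from the certificate encrypts, the private key
# that was generated alongside it decrypts.
demo() {
    printf 'document body\n' > "$WORK/doc.txt"
    cert_pubkey "$WORK/owner.pem" "$WORK/owner.pub"
    encrypt_for "$WORK/owner.pub" "$WORK/doc.txt" "$WORK"
    decrypt_with "$WORK/owner.key" "$WORK"
}

demo
```

The S/MIME envelope that Outlook Express and Netscape exchange is the same construction (a content key wrapped to each recipient's certificate), which `openssl smime -encrypt` / `-decrypt` produce in the standard CMS/PKCS#7 layout; this block shows the pieces individually.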
X509_NAME_get_index_by_OBJ return -1
Hi,

Does the following piece of code have any problem? I got i = 0 when I first ran it yesterday night, but a couple of minutes later when I ran it again, i = -1. I passed the same thing to this function. I think it shouldn't give different results, am I right?

    #include <stdbool.h>
    #include <openssl/bio.h>
    #include <openssl/buffer.h>
    #include <openssl/objects.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    bool is_user_accessible(unsigned char **cert, unsigned int cert_len,
                            unsigned char *document_filename, unsigned int filename_len)
    {
        bool return_value = false;
        BIO *in = BIO_new(BIO_s_mem());
        BUF_MEM *bm = BUF_MEM_new();
        X509 *x = NULL;
        X509_NAME *name;
        ASN1_OBJECT *obj;
        int i, last;
        X509_NAME_ENTRY *ne;
        ASN1_STRING *common_name = NULL, *email = NULL;

        /* Feed the PEM certificate into a memory BIO and parse it. */
        BIO_set_mem_buf(in, bm, BIO_NOCLOSE);
        BIO_write(in, *cert, cert_len);
        if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
            name = X509_get_subject_name(x);
            /* common name */
            obj = OBJ_nid2obj(NID_commonName);
            /* Was uninitialised: the search starts at last + 1, so a leftover
             * stack value gives 0 one run and -1 the next. -1 = from the start. */
            last = -1;
            i = X509_NAME_get_index_by_OBJ(name, obj, last);
            /* Was "if (i = 0)": an assignment that is always false and clobbers i. */
            if (i >= 0) {
                ne = X509_NAME_get_entry(name, i);
                common_name = X509_NAME_ENTRY_get_data(ne);
            }
            /* more code follows */
            X509_free(x);
        }
        BIO_free(in);
        BUF_MEM_free(bm);   /* BIO_NOCLOSE: the BIO did not take ownership of bm */
        return return_value;
    }

Angus Lee
Off-topic: db_dump185 compile error
Hi,

I realized that Netscape's cert7.db is in Berkeley DB format, so I tried to dump out the contents using the db_dump185 program. When I compiled the db_dump185 program, several errors appeared warning me about something like '0x40' ba ba ba ... Has anyone tried to compile db_dump185 to dump out the contents of cert7.db? Do I need to include any libraries or C include files?

Angus Lee
error creating serial number index
= Original Message From [EMAIL PROTECTED] =
> You should include SSLeay_add_all_algorithms().

I could verify the signature using X509_REQ_verify() now. The problem now comes to saving the index.txt file. I sign the certificate request, and the index.txt file is saved with information like:

    V 100223091809Z 01 unknown /CN=Guest [EMAIL PROTECTED]

However my program won't have that information after "unknown". Later when I try to sign another certificate request, "error creating serial number index" occurred. What caused the problem?

Angus Lee
API to Generate X.509 Certificate ...
Hi,

I'm a final year Computer Science student. I'm trying to use openssl to generate X.509 certificates in my program, but I couldn't find any API to do so. Does openssl have any API for me to generate X.509 certificates in my C program?

Thanks.

Angus Lee [EMAIL PROTECTED]
--
Get Your FREE Email From : http://www.hkmail.com.hk Sign up and save your money NOW !! powered by OutBlaze
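An added example, not code from the thread or from the OpenSSL project, that serves three of the questions on this page: parsing a CRL and flagging revoked certificates (the "Parsing CRL" post), the index.txt database format behind the "error creating serial number index" message (the post of that name), and issuing X.509 certificates (this post), all done with the openssl binary's ca command rather than the C API. It assumes openssl on PATH; the CA, its configuration, the subjects and the function names are constructed here. The last function deliberately appends a duplicate-serial row to index.txt to show one way that error message arises, so it is meant to be run after everything else.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete "openssl ca" database
# (index.txt, serial, crlnumber), issuing, revoking, CRL generation and CRL
# checking, with the openssl binary (assumed on PATH).  Names, subjects and
# the CA itself are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal CA configuration (unquoted heredoc: $WORK is expanded, \$dir is not).
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 2
default_crl_days = 2
policy = any_policy
x509_extensions = user_ext
[ any_policy ]
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# The database "openssl ca" expects: an empty index, the next serial (hex) and
# the next CRL number.  Every index.txt row has six tab-separated fields:
# status, expiry, revocation date, serial, file name, subject DN.
mkdir -p "$WORK/ca/newcerts"
: > "$WORK/ca/index.txt"
echo 01 > "$WORK/ca/serial"
echo 01 > "$WORK/ca/crlnumber"
openssl genrsa -out "$WORK/ca/ca.key" 2048 2>/dev/null
openssl req -new -key "$WORK/ca/ca.key" -subj "/CN=Demo CA" \
    -config "$WORK/ca.cnf" -out "$WORK/ca/ca.csr"
openssl x509 -req -in "$WORK/ca/ca.csr" -signkey "$WORK/ca/ca.key" -days 2 \
    -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/ca/ca.pem" 2>/dev/null

# issue_cert NAME OUT: CSR, then "openssl ca" signs it and appends an index row.
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1/emailAddress=$1@example.test" \
        -config "$WORK/ca.cnf" -out "$WORK/$1.csr"
    openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/$1.csr" -out "$2" >/dev/null 2>&1
}

# db_status SERIAL: first column of that serial's index row (V valid, R revoked).
db_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$WORK/ca/index.txt"; }

revoke_cert() { openssl ca -config "$WORK/ca.cnf" -revoke "$1" >/dev/null 2>&1; }
gen_crl()     { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1" >/dev/null 2>&1; }

# crl_serials CRL: the serial numbers the CRL lists as revoked, one per line.
crl_serials() { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: //p'; }

# check_with_crl CERT CRL: "valid" when chain and CRL checks pass, else "revoked".
check_with_crl() {
    cat "$WORK/ca/ca.pem" "$2" > "$WORK/trust-and-crl.pem"
    if openssl verify -crl_check -CAfile "$WORK/trust-and-crl.pem" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

# demo: issue, CRL with nothing revoked, revoke, CRL listing the serial,
# re-check, then issue a second certificate (the serial file advanced to 02).
demo() {
    issue_cert alice "$WORK/alice.pem"
    gen_crl "$WORK/crl1.pem"
    before=$(check_with_crl "$WORK/alice.pem" "$WORK/crl1.pem")
    revoke_cert "$WORK/alice.pem"
    gen_crl "$WORK/crl2.pem"
    after=$(check_with_crl "$WORK/alice.pem" "$WORK/crl2.pem")
    issue_cert bob "$WORK/bob.pem"
    echo "alice:$(db_status 01):$before:$after crl=$(crl_serials "$WORK/crl2.pem" | paste -s -d , -) bob:$(db_status 02)"
}

# duplicate_serial_error: copy the first row (serial 01 again) onto the end of
# index.txt; the next "openssl ca" run rejects the database with the message
# quoted on this page.  This corrupts the database, so run it last.
duplicate_serial_error() {
    row=$(head -n 1 "$WORK/ca/index.txt")
    printf '%s\n' "$row" >> "$WORK/ca/index.txt"
    if openssl ca -config "$WORK/ca.cnf" -gencrl -out /dev/null 2>&1 | grep -qi 'serial number index'; then
        echo reproduced
    else
        echo not-reproduced
    fi
}

if [ "${1:-}" = run ]; then demo; duplicate_serial_error; fi
```

Invoke the script with the argument `run` to see the full sequence; the expected summary is `alice:R:valid:revoked crl=01 bob:V`, followed by `reproduced` once the duplicate row is in place. The "mark a certificate revoked" step of the plug-in described in "Parsing CRL" is exactly `crl_serials` matched against each stored certificate's serial (and issuer), which is what `-crl_check` does internally.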