Re: How to Sign and Encrypt in CMS ?
> I was playing around with the CMS interface and I was wondering what is
> the right way to generate a signed and encrypted CMS.

take a look at this thread https://marc.info/?l=openssl-users&m=141606382825289
Re: Issue with smartcard authentication for openvpn
> padding = 3 means "no padding" indicating that the data for signature is
> already padded. That's why the data size (flen) is 256 (hashed data padded to
> the rsa key size of 2048 bits, I guess). If you are using OpenSSL 1.1.1, this
> could be due to PSS padding in which case current implementation passes
> pre-padded data for raw signature to the callback. AFAIK, pkcs11-helper only
> handles PKCS1 padding (CKM_RSA_PKCS) though pkcs11 standard does support raw
> signatures.

https://github.com/OpenSC/pkcs11-helper/blob/0e2ae10ef9611beef92457171e8c78d8e936dfca/lib/pkcs11h-openssl.c#L570

    if (padding != RSA_PKCS1_PADDING) {
        rv = CKR_MECHANISM_INVALID;
        goto cleanup;
    }
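As an added example (not code from pkcs11-helper or from this thread), here is how a sign callback could map OpenSSL's padding argument to a PKCS#11 mechanism, with the length check each case needs, instead of rejecting everything except PKCS1. `select_rsa_mechanism` is a hypothetical name; the constants repeat the values from OpenSSL's rsa.h and the PKCS#11 headers so the block builds on its own.

```c
#include <stddef.h>

/* Values as defined by OpenSSL (rsa.h) and the PKCS#11 headers, repeated
 * here so the example builds without either library. */
#define RSA_PKCS1_PADDING     1
#define RSA_NO_PADDING        3
#define CKM_RSA_PKCS          0x00000001UL
#define CKM_RSA_X_509         0x00000003UL
#define CKR_OK                0x00000000UL
#define CKR_DATA_LEN_RANGE    0x00000021UL
#define CKR_MECHANISM_INVALID 0x00000070UL

/* Hypothetical helper: choose the token mechanism for an RSA sign callback.
 * flen is the input length, key_bytes the modulus size in bytes. */
unsigned long select_rsa_mechanism(int padding, size_t flen, size_t key_bytes,
                                   unsigned long *mech)
{
    switch (padding) {
    case RSA_PKCS1_PADDING:
        /* The token adds PKCS#1 v1.5 padding, which needs 11 bytes of room. */
        if (key_bytes < 11 || flen > key_bytes - 11)
            return CKR_DATA_LEN_RANGE;
        *mech = CKM_RSA_PKCS;
        return CKR_OK;
    case RSA_NO_PADDING:
        /* The caller already padded (e.g. PSS), so the input must be
         * exactly as long as the modulus: 256 bytes for a 2048-bit key. */
        if (flen != key_bytes)
            return CKR_DATA_LEN_RANGE;
        *mech = CKM_RSA_X_509;
        return CKR_OK;
    default:
        /* Any other padding mode is not mapped by this example. */
        return CKR_MECHANISM_INVALID;
    }
}
```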
Re: How can I make openssl doesn't add a signed attribute "signingTime" when I sign a cms/cades signature?
Hello Shiyao,

the signing time attribute has always been considered mandatory or in any case useful and only with CAdES optional and even with PAdES not allowed.
A request similar to yours has already been received (see https://mta.openssl.org/pipermail/openssl-users/2017-February/005240.html).
I also believe that a CMS API flag that allows suppression of the signing-time attribute would be useful.

Antonio

On Wed, Mar 13, 2019 at 12:57 PM shiyao_...@foxitsoftware.cn wrote:
>
> Hello everyone,
>
> I am working on a project about how to use openssl libs to implement a
> PAdES (which is based on CAdES) signature because I saw that the master
> branch of openssl has supported CAdES-BES signature. But now there is a
> problem I don't know how to solve it. So I am asking for some help.
> According to the PAdES reference, signing-time attribute in CMS signature
> shall not be present in a PAdES signature. In openssl libs, signing-time
> attribute is set in the function CMS_SignerInfo_sign. But I can't find a way
> to control it not to set signing-time attribute. So I want to know if there
> is a way to not to set signing-time attribute or delete this attribute
> without changing the openssl source code.
>
> Regards,
> Shiyao Liu
>
> shiyao_...@foxitsoftware.cn
Re: Add pkcs11 command
OK thanks, initial implementation of STORE into my pkcs11 engine (1) is ready.
I am able to do this

openssl storeutl -engine pkcs11 'pkcs11:objecttype=cert;object=test'

and this is the result:

engine "pkcs11" set.
0: Certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAeSgAwIBAgIUDrAyYf/dMsavGGEuYMLqJxFrHOUwDQYJKoZIhvcNAQEL
...

(1) https://github.com/openssl/openssl/pull/8200

On Wed, Mar 6, 2019 at 4:37 PM Richard Levitte wrote:
> What you need to do on bind is to create a whole OSSL_STORE_LOADER for
> pkcs11. OSSL_STORE_LOADER_set_open only sets the opening functions,
> which is expected to take a URI and parse that into something
> sensible, and return a context. There are other functions to set as
> well, such as the 'load', 'eof', 'error' and 'close' functions.
>
> The OSSL_STORE_LOADER callback set is designed to work somewhat
> vaguely like the stdio API, but instead of handling a set of bytes, it
> handles a set of objects, which can be whatever the OSSL_STORE API
> knows how to handle.
>
> When you're done building the OSSL_STORE_LOADER (including a scheme
> name, that's absolutely important), you hook it into libcrypto with
> OSSL_STORE_register_loader(), and voilà, you should be able to do this:
>
> openssl storeutil -engine yourengine \
> 'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'
>
> (I'm sorry, I don't know the URI scheme enough to say how to specify
> that you want to get a list of all accessible certificates or other
> objects)
>
> There is the manual OSSL_STORE_LOADER(3) found in
> doc/man3/OSSL_STORE_LOADER.pod,
> and the 'file:' scheme loader is in crypto/store/loader_file.c, but
> fair warning, that one is a bit more complex than you would probably
> expect from the average store loader.
>
> Cheers,
> Richard
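As an added example (not code from the pull request or from OpenSSL), this is the kind of URI parsing a loader's open function has to do before it can return a context, shown on the two URIs quoted in this message. The struct and function names are hypothetical; only the `key=value;...` part is handled, an empty attribute list is treated as an error, and percent-encoding of values is assumed to follow RFC 7512.

```c
#include <string.h>

#define MAX_ATTRS 8
struct p11_attr { char key[32]; char val[128]; };
struct p11_uri  { int n; struct p11_attr attr[MAX_ATTRS]; };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                              /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "pkcs11:key=value;key=value". Returns 0 on success and -1 on any
 * malformed input. Values are kept as C strings, so an encoded NUL (%00)
 * is rejected instead of silently truncating the value. */
int p11_uri_parse(const char *uri, struct p11_uri *out)
{
    const char *p = uri;
    memset(out, 0, sizeof(*out));
    if (strncmp(p, "pkcs11:", 7) != 0)
        return -1;                          /* wrong scheme */
    for (p += 7; *p; out->n++) {
        size_t klen = strcspn(p, "=;"), i = 0;
        struct p11_attr *a;
        if (out->n == MAX_ATTRS || klen == 0 || p[klen] != '='
            || klen >= sizeof(out->attr[0].key))
            return -1;                      /* too many, empty or long key */
        a = &out->attr[out->n];
        memcpy(a->key, p, klen);
        p += klen + 1;
        while (*p && *p != ';') {
            int c = (unsigned char)*p++;
            if (c == '%') {                 /* percent-encoded octet */
                int hi = hexval((unsigned char)p[0]);
                int lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
                if (lo < 0)
                    return -1;              /* truncated or non-hex escape */
                c = hi * 16 + lo;
                p += 2;
            }
            if (c == 0 || i + 1 >= sizeof(a->val))
                return -1;                  /* NUL or value too long */
            a->val[i++] = (char)c;
        }
        if (*p == ';' && *++p == '\0')
            return -1;                      /* trailing ';' */
    }
    return out->n > 0 ? 0 : -1;
}
```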
Re: Add pkcs11 command
OSSL_STORE_LOADER_set_open on bind ?

On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte wrote:
>
> There is a more generic command to do exactly this sort of thing,
> 'openssl storeutil', available since OpenSSL 1.1.1.
>
> The pkcs11 backend / engine needs to implement the functionality
> required to hook with the OSSL_STORE functionality for storeutil to be
> useful.
>
> Cheers,
> Richard
>
> On Wed, 06 Mar 2019 09:47:01 +0100,
> Antonio Iacono wrote:
> >
> > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > project, but often only need the list of key ids to perform signature
> > operations with the engine.
> >
> > I would propose a new pkcs11 command which, for now, only makes the
> > list of ids and labels of keys present in a token.
> >
> > I have already prepared a draft in this branch
> > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> >
> > Thanks,
> > Antonio
> >
> --
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
Re: Add pkcs11 command
I can write the function inside pkcs11 engine but then how do I "hook" it to storeutl?
The first obstacle is here "No URI given, nothing to do" but with pkcs11 I have no URI or File.

Thanks

On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte wrote:
>
> There is a more generic command to do exactly this sort of thing,
> 'openssl storeutil', available since OpenSSL 1.1.1.
>
> The pkcs11 backend / engine needs to implement the functionality
> required to hook with the OSSL_STORE functionality for storeutil to be
> useful.
>
> Cheers,
> Richard
>
> On Wed, 06 Mar 2019 09:47:01 +0100,
> Antonio Iacono wrote:
> >
> > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > project, but often only need the list of key ids to perform signature
> > operations with the engine.
> >
> > I would propose a new pkcs11 command which, for now, only makes the
> > list of ids and labels of keys present in a token.
> >
> > I have already prepared a draft in this branch
> > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> >
> > Thanks,
> > Antonio
> >
> --
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
Add pkcs11 command
There are some good tools for pkcs11, like pkcs11-tool of the OpenSC project, but often only need the list of key ids to perform signature operations with the engine.

I would propose a new pkcs11 command which, for now, only makes the list of ids and labels of keys present in a token.

I have already prepared a draft in this branch
https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps

Thanks,
Antonio
Re: [openssl-users] Smartcard cert used for encrypt\decrypt
> Does anybody know how to use the smartcard to encrypt and decrypt files?

Hi Boyd,

there are many ways to encrypt/decrypt with smartcard but since you wrote to the list of OpenSSL I answer you how to do with OpenSSL.
In the meantime you need two other software, in addition to openssl, the engine and the pkcs11 library.
A step-by-step guide can be found here: https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

Antonio
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Problems on authentication during TLS handshake
On Tue 8 Jan 2019 at 19:32 Jin Xie wrote:

> Thank you! I would have a try.

Look here: https://github.com/MicrochipTech/cryptoauth-openssl-engine

Antonio
Re: [openssl-users] Possible bug in crypto/engine
Thanks Dmitry and Matthias,

I solved it; as suggested, the problem was not openssl but libp11, which I had compiled with version 1.1 of libcrypto instead of version 3.

Antonio

On Sun 6 Jan 2019 at 23:53 Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com> wrote:

> Antonio,
>
> did you debug the preinstalled openssl app or have you tried to debug your
> own version, built with a debug configuration?
>
> You get the best results in the debugger if you use the
> `debug-linux-x86_64` config target and
> after building (you only need to run `make`, not `make install`) run it in
> the debugger directly from the source
> directory as follows:
>
> util/shlib_wrap.sh gdb apps/openssl cms -sign -signer cert.pem -inkey 101 -keyform engine -engine pkcs11
>
> If you can reproduce the crash with your debug version, please post a
> backtrace of the call stack when it’s stopped
> at the segmentation fault.
>
> HTH,
> Matthias
>
> From: openssl-users, on behalf of Antonio Iacono
> Sent: Sunday, 6 January 2019 19:55
> To: openssl-users@openssl.org
> Subject: [openssl-users] Possible bug in crypto/engine
>
> Hi,
>
> I sign a text file with:
>
> openssl cms -sign -signer cert.pem -inkey 01 -keyform engine -engine pkcs11
>
> in openssl.cnf
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /path/pkcs11.so
> MODULE_PATH = /path/opensc-pkcs11.so
>
> everything works well but if I write a wrong key, e.g. -inkey 101, this is
> gdb result:
>
> PKCS11_get_private_key returned NULL
> cannot load signing key file from engine
> 140737353990592:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> unable to load signing key file
> Program received signal SIGSEGV, Segmentation fault.
> __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
> 27      pthread_rwlock_wrlock.c: No such file or directory
>
> I realized that the error is probably here:
>
> crypto/engine/eng_lib.c line 93
>
> if (e->destroy)
>     e->destroy(e);
>
> CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
>
> if I comment these lines openssl does not crash
>
> I do not know engine well and I do not know what these two lines do, if
> anyone has any suggestions I can do some tests
>
> Thanks,
>
> Antonio Iacono
[openssl-users] Possible bug in crypto/engine
Hi,

I sign a text file with:

openssl cms -sign -signer cert.pem -inkey 01 -keyform engine -engine pkcs11

in openssl.cnf

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /path/pkcs11.so
MODULE_PATH = /path/opensc-pkcs11.so

everything works well but if I write a wrong key, e.g. -inkey 101, this is gdb result:

PKCS11_get_private_key returned NULL
cannot load signing key file from engine
140737353990592:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
unable to load signing key file
Program received signal SIGSEGV, Segmentation fault.
__GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
27      pthread_rwlock_wrlock.c: No such file or directory

I realized that the error is probably here:

crypto/engine/eng_lib.c line 93

if (e->destroy)
    e->destroy(e);

CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);

if I comment these lines openssl does not crash

I do not know engine well and I do not know what these two lines do, if anyone has any suggestions I can do some tests

Thanks,
Antonio Iacono
[openssl-users] Support for CAdES Basic Electronic Signatures (CAdES-BES)
Hi everyone,

the patch discussed in this pull request https://github.com/openssl/openssl/pull/7893 adds support for adding ESS signing-certificate[-v2] attributes to CMS signedData.
Although it implements only a small part of the RFC 5126 - CMS Advanced Electronic Signatures (CAdES), it is sufficient in many cases to enable the openssl cms app to create signatures which comply with legal requirements of some European States (e.g. Italy).

Feedback is welcome,
thanks,
Antonio
Re: [openssl-users] Create a signed file from detached signature and clear file content
Hi,

I think I have solved. Maybe you can write better and in fewer lines anyway this attached code works.

Antonio

2017-12-20 11:07 GMT+01:00 Antonio Iacono <ant...@gmail.com>:
>
> Hi,
> assuming I have the following:
> - data.txt
> - data.p7s (the detached signature)
>
> Can I generate the bundled (p7m) signed file ?
>
> I tried:
>
> content = BIO_new_file("data.txt", "rb");
> signature = BIO_new_file("data.p7s", "rb");
> p7 = d2i_PKCS7_bio(signature, NULL);
> PKCS7_set_detached(p7, 0);
> bundled = BIO_new_file("bundled.p7m", "wb");
> i2d_PKCS7_bio_stream(bundled, p7, content, 0);
>
> but the generated file (bundled.p7m) is identical to the signature file
> (data.p7s)
>
> Thanks,
> Antonio

#include <stdio.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

int
main (int argc, char *argv[])
{
  PKCS7 *p7, *p7signature;
  PKCS7_SIGNER_INFO *si;
  char buf[1024 * 4];
  char **args;
  char *infile = NULL;
  char *signaturefile = NULL;
  char *outfile = NULL;
  char *cont;
  BIO *data, *p7bio, *out = NULL, *signature = NULL;
  int badarg = 0;
  long contlen;
  STACK_OF (X509) * certs = NULL;
  STACK_OF (PKCS7_SIGNER_INFO) * sinfos;
  ASN1_OCTET_STRING *os = NULL;

#ifndef NO_SHA256
  EVP_add_digest (EVP_sha256 ());
#endif
#ifndef NO_SHA1
  EVP_add_digest (EVP_sha1 ());
#endif

  /* Parse -p7s, -in and -out; each option takes one argument. */
  args = argv + 1;
  while (!badarg && *args && *args[0] == '-')
    {
      if (!strcmp (*args, "-p7s"))
        {
          if (args[1])
            {
              args++;
              signaturefile = *args;
            }
          else
            badarg = 1;
        }
      else if (!strcmp (*args, "-in"))
        {
          if (args[1])
            {
              args++;
              infile = *args;
            }
          else
            badarg = 1;
        }
      else if (!strcmp (*args, "-out"))
        {
          if (args[1])
            {
              args++;
              outfile = *args;
            }
          else
            badarg = 1;
        }
      else
        badarg = 1;
      args++;
    }

  /* All three file names are required; a missing one would be passed
     to the BIO functions as NULL. */
  if (badarg || argc < 2 || !infile || !signaturefile || !outfile)
    {
      printf ("%s", "\nUse: \n\n");
      printf ("%s",
              "-in content_file \n-p7s signature_p7s \n-out file_p7m\n\n");
      return 1;
    }

  data = BIO_new (BIO_s_file ());
  if (!BIO_read_filename (data, infile))
    goto err;

  if (!(out = BIO_new_file (outfile, "w")))
    goto err;

  /* New, empty signedData structure that will hold the content. */
  p7 = PKCS7_new ();
  PKCS7_set_type (p7, NID_pkcs7_signed);

  /* Read the detached signature (DER). */
  signature = BIO_new_file (signaturefile, "r");
  if (!signature)
    goto err;
  p7signature = d2i_PKCS7_bio (signature, NULL);
  if (!p7signature)
    goto err;

  /* Copy the certificates from the detached signature. */
  certs = p7signature->d.sign->cert;
  for (int c = 0; c < sk_X509_num (certs); c++)
    {
      X509 *cert = sk_X509_value (certs, c);
      PKCS7_add_certificate (p7, cert);
    }

  /* Copy the signer infos, which carry the existing signatures. */
  sinfos = p7signature->d.sign->signer_info;
  for (int i = 0; i < sk_PKCS7_SIGNER_INFO_num (sinfos); i++)
    {
      si = sk_PKCS7_SIGNER_INFO_value (sinfos, i);
      PKCS7_add_signer (p7, si);
    }

  /* Attach the clear content as the encapsulated data. */
  PKCS7_content_new (p7, NID_pkcs7_data);
  if ((p7bio = PKCS7_dataInit (p7, NULL)) == NULL)
    goto err;

  for (;;)
    {
      int i = BIO_read (data, buf, sizeof (buf));
      if (i <= 0)
        break;
      BIO_write (p7bio, buf, i);
    }

  contlen = BIO_get_mem_data (p7bio, &cont);
  os = p7->d.sign->contents->d.data;
  ASN1_STRING_set0 (os, (unsigned char *) cont, contlen);

  /* Write the bundled structure as DER. */
  i2d_PKCS7_bio (out, p7);

  PKCS7_free (p7);
  BIO_free (p7bio);
  BIO_free_all (out);
  return 0;

err:
  ERR_load_crypto_strings ();
  ERR_print_errors_fp (stderr);
  return 1;
}
[openssl-users] Fwd: Create a signed file from detached signature and clear file content
Hi,
assuming I have the following:
- data.txt
- data.p7s (the detached signature)

Can I generate the bundled (p7m) signed file ?

I tried:

content = BIO_new_file("data.txt", "rb");
signature = BIO_new_file("data.p7s", "rb");
p7 = d2i_PKCS7_bio(signature, NULL);
PKCS7_set_detached(p7, 0);
bundled = BIO_new_file("bundled.p7m", "wb");
i2d_PKCS7_bio_stream(bundled, p7, content, 0);

but the generated file (bundled.p7m) is identical to the signature file (data.p7s)

Thanks,
Antonio