Question about PKCS7.
I have a piece of date need to be PKCS7 signed (pkcs-7 2), and authenticateAttributes is always required. authenticateAttributes { contentType { {pkcs-9 3} {pkcs-7 1}} messsageDigest { {pkcs-9 4} -- an octet string } Firstly, I am not clear what is the messageDigest from. Is it the digest of the "content" part, or I should add other random data, and then digest it. In pkcs7_sign() function. to add the authenticateAttributes, function PKCS7_add_signed_attribute() should be called. /* If you do this then you get signing time automatically added */PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,OBJ_nid2obj(NID_pkcs7_data)); I can't see the interface to fill the attribute value. Secondly, it is about the DER format, could someone give me a DER example for it? Thanks in advance, Dennis
Help for handshake failure with cisco router.
Hi, When my Cisco router request a SSL connection to the openssl s_server, handshake failed. I am no familiar with the SSL handshake procedure, could someone tell me why does it happen? I attached all the debug and state message following: == D:\OSPSSLopenssl s_server -accept 443 -verify 1 -CApath .\ -CAfile MyCaCert.pem-cert .\certs\SerCert.pem -key .\certs\SerKEY.pem -state -debugverify depth is 1Using default temp DH parametersEnter PEM pass phrase:ACCEPTbad gethostbyaddrSSL_accept:before/accept initializationread from 00442AE0 [00AF0040] (7 bytes = 7 (0x7)) - 16 03 00 00 2d 01 -.0007 - SPACES/NULSread from 00442AE0 [00AF0047] (43 bytes = 43 (0x2B)) - 00 29 03 00 2b 93 ed 45-88 ea 30 e8 7e 72 ed ce .)..+..E..0.~r..0010 - d5 53 81 47 fe db 30 e9-19 68 6b 43 7e 25 6e 68 .S.G..0..hkC~%nh0020 - e7 ed 6a ab 00 00 02 00-08 01 ..j...002b - SPACES/NULSSSL_accept:SSLv3 read client hello Awrite to 00442AE0 [00AF9070] (79 bytes = 79 (0x4F)) - 16 03 00 00 4a 02 00 00-46 03 00 38 c7 e2 e2 45 J...F..8...E0010 - fa e3 96 ed d5 30 c8 9c-fa d5 5f 7b 27 2b 1c 3f .0_{'+.?0020 - ff 54 8f b9 e3 72 26 53-8c 7b c6 20 48 d4 64 b0 .T...rS.{. H.d.0030 - 10 54 5f 54 18 68 80 fa-d9 73 b6 f7 d3 5c da e4 .T_T.h...s...\..0040 - e2 aa d9 2d 3c 61 2c 89-3a e3 f1 ed 00 08 ...-a,.:.004f - SPACES/NULSSSL_accept:SSLv3 write server hello Awrite to 00442AE0 [00AF4858] (1489 bytes = 1489 (0x5D1)) - 16 03 00 05 cc 0b 00 05-c8 00 05 c5 00 03 6a 30 ..j00010 - 82 03 66 30 82 02 cf a0-03 02 01 02 02 10 4c a7 ..f0..L.0020 - ea e7 84 c7 ef 02 75 ae-15 1a 76 06 c9 b5 30 0d ..u...v...0.0030 - 06 09 2a 86 48 86 f7 0d-01 01 04 05 00 30 56 31 ..*.H0V10040 - 11 30 0f 06 03 55 04 07-13 08 49 6e 74 65 72 6e .0...UIntern0050 - 65 74 31 17 30 15 06 03-55 04 0a 13 0e 56 65 72 et1.0...UVer0060 - 69 53 69 67 6e 2c 20 49-6e 63 2e 31 28 30 26 06 iSign, Inc.1(0.0070 - 03 55 04 0b 13 1f 56 65-72 69 53 69 67 6e 20 4f .UVeriSign O0080 - 6e 53 69 74 65 20 53 75-62 73 63 72 69 62 65 72 nSite Subscriber0090 - 20 44 65 6d 6f 30 1e 17-0d 30 30 30 33 30 33 30 Demo0...000303000a0 - 30 30 30 30 30 5a 17 0d-30 30 30 35 30 32 32 33 0Z..0005022300b0 - 35 39 35 39 5a 30 81 84-31 0b 30 09 06 03 55 04 5959Z0..1.0...U.00c0 - 06 13 02 55 53 31 13 30-11 06 03 55 04 08 13 0a ...US1.0...U00d0 - 63 61 6c 69 66 6f 72 6e-69 61 31 12 30 10 06 03 california1.0...00e0 - 55 04 07 13 09 66 75 6c-6c 65 72 74 6f 6e 31 0f Ufullerton1.00f0 - 30 0d 06 03 55 04 0a 13-06 6e 65 74 72 75 65 31 0...Unetrue10100 - 0b 30 09 06 03 55 04 0b-13 02 63 68 31 0f 30 0d .0...Uch1.0.0110 - 06 03 55 04 03 13 06 6f-73 70 6e 63 63 31 1d 30 ..Uospncc1.00120 - 1b 06 09 2a 86 48 86 f7-0d 01 09 01 16 0e 78 75 ...*.Hxu0130 - 77 40 6e 65 74 72 75 65-2e 63 6f 6d 30 81 9f 30 [EMAIL PROTECTED]0140 - 0d 06 09 2a 86 48 86 f7-0d 01 01 01 05 00 03 81 ...*.H..0150 - 8d 00 30 81 89 02 81 81-00 b8 2e 1b b7 8d 32 a4 ..0...2.0160 - 21 12 8a 19 16 80 d3 ab-29 84 46 a9 e2 9f 49 15 !...).F...I.0170 - 2e 7a 6d 3b 56 f6 5b 79-59 12 20 b2 03 54 bc fe .zm;V.[yY. ..T..0180 - ac b5 44 72 d8 1f 61 35-e1 07 4a f8 ff b8 d5 cc ..Dr..a5..J.0190 - a8 6c d6 74 38 9c 0c c2-6d c4 89 40 07 46 53 f9 .l.t8...m..@.FS.01a0 - 14 00 e5 34 c7 d9 1b 5e-d7 d1 58 44 f6 69 fb 8a ...4...^..XD.i..01b0 - 5a c2 eb 3a 3f ce 69 01-f9 7c 42 be cf 41 e9 34 Z..:?.i..|B..A.401c0 - 9c 83 d0 16 bf 46 c5 7b-9d 9c a6 4c 17 56 f1 d6 .F.{...L.V..01d0 - 1c 77 08 44 ef 20 f3 61-79 02 03 01 00 01 a3 82 .w.D. .ay...01e0 - 01 04 30 82 01 00 30 09-06 03 55 1d 13 04 02 30 ..0...0...U001f0 - 00 30 81 b1 06 03 55 1d-1f 04 81 a9 30 81 a6 30 .0U.0..00200 - 81 a3 a0 81 a0 a0 81 9d-86 81 9a 6c 64 61 70 3a ...ldap:0210 - 2f 2f 64 69 72 65 63 74-6f 72 79 2e 76 65 72 69 file://directory.veri0220 - 73 69 67 6e 2e 63 6f 6d-2f 4f 55 20 3d 20 56 65 sign.com/OU = Ve0230 - 72 69 53 69 67 6e 20 4f-6e 53 69 74 65 20 53 75 riSign OnSite Su0240 - 62 73 63 72 69 62 65 72-20 44 65 6d 6f 2c 20 4f bscriber Demo, O0250 - 20 3d 20 22 56 65 72 69-53 69 67 6e 2c 20 49 6e = "VeriSign, In0260 - 63 2e 22 2c 20 4c 20 3d-20 49 6e 74 65 72 6e 65 c.", L = Interne0270 - 74 3f 63 65 72 74 69 66-69 63 61 74 65 72 65 76 t?certificaterev0280 - 6f 63 61 74 69 6f 6e 6c-69 73 74 3b 62 69 6e 61 ocationlist;bina0290 - 72 79 3f 62 61 73 65 3f-6f 62 6a 65 63 74 63 6c ry?base?objectcl02a0 - 61 73 73 3d 2a 30 0b 06-03 55 1d 0f 04 04 03 02 ass=*0...U..02b0 - 05 a0 30 32 06 03 55 1d-11 04 2b 30 29 82 0a 6e ..02..U...+0)..n02c0 - 65 74 72 75 65 2e 63 6f-6d 87 04 cf 5f e3 73 81 etrue.com..._.s.02d0 - 15 64 65 6e 6e 69 73 78-77 64 40 68 6f 74 6d 61 .dennisxwd@hotma02e0 - 69 6c 2e 63 6f 6d 30 0d-06 09 2a 86 48 86 f7 0d il.com0...*.H...02f0 - 01 01 04 05 00 03 81 81-00 94 34 9d a9 c6 cf ea ..4.0300 - 43 d5 35
Problem found when upgrade to openssl-0.9.5
When I upgrade my applications by using openssl-0.9.5 beta1 to replace openssl-0.9.4, at running time I found: "error:02001003:system library:fopen:BN lib" when function called at:SSL_CTX_load_verify_locations(ssl,caPath,caFile); I compile and run both version in the same environment. What is wrong? Dennis
unable to get local issuer certificate?
I have a client - server programs, which are refered to openssl s_server s_client. And I have my own CA (verisign test Onsite). I applied certificatefor both my server and client from this same test CA.When I test it in my own client and server program, I found the following error, although the SSL connection can be established. and when I test by openssl sample s_server and s_client. It works well, no any error found. This is log message from my server side: 2224131514:: *** INFO SSL_accept:before/accept initialization 2224131514:: *** INFO SSL_accept:SSLv3 read client hello A 2224131514:: *** INFO SSL_accept:SSLv3 write server hello A 2224131514:: *** INFO SSL_accept:SSLv3 write certificate A 2224131514:: *** INFO SSL_accept:SSLv3 write certificate request A 2224131514:: *** INFO SSL_accept:SSLv3 write server done A 2224131514:: *** INFO SSL_accept:SSLv3 flush data 2224131514:: *** ERROR Certificate verify error: num = 20 : unable to get local issuer certificate 2224131514:: *** ERROR Certificate verify error: num = 21 : unable to verify the first certificate 2224131514:: *** INFO SSL_accept:SSLv3 read client certificate A 2224131514:: *** INFO SSL_accept:SSLv3 read client key exchange A 2224131514:: *** INFO SSL_accept:SSLv3 read certificate verify A 2224131514:: *** INFO SSL_accept:SSLv3 read finished A 2224131514:: *** INFO SSL_accept:SSLv3 write change cipher spec A 2224131514:: *** INFO SSL_accept:SSLv3 write finished A 2224131514:: *** INFO SSL_accept:SSLv3 flush data I guessed,the error "unable to get local issuer certificate" means my CA certificate isn't loaded? and error "unable to verify the first certificate" is generated when checking my server's certificate? Am I right?I compared the code between my server and openssl s_server, no differences. I am sure the correct path_file name have been set for my CA server. What is the possible reason for it? Any advices? Dennis
Re: How to make pkcs7 signing data?
Steve Wrote: This is one area that will be updated in OpenSSL 0.9.5. There is an 'smime' application in the 0.9.5 development release and a simpler API that does most of the hard work. That might be a good place to start. For the pkcs7 function in openssl, what does it do exactly for the current version? I found the command: openssl pkcs7 .. and in file crypt/pkcs7/sign.c, some functions seem to provide the "contentType=signedData" encoding and decoding. But when I tried to run it, always failed at "PEM_write_PKCS7(STDOUT,p7);" What is wrong? Dennis __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate Signing Request Key Generation
In your attached file: bash-2.03# openssl req -new -key ../private/www.windreiter.com.key www.windreiter.com.csr Using configuration from /usr/local/openssl-0.9.4/openssl.cnf Unable to load config info Enter PEM pass phrase: unable to find 'distinguished_name' in config problems making Certificate Request The problem is that config file couldnot be loaded. You should update the openssl.cnf by your way, also think it as default file. Then command: openssl req -new -key ../private/www.windreiter.com.key -config /your_config_file_dir/your_config.cnf www.windreiter.com.csr Dennis - Original Message - From: Oliver Koenig To: [EMAIL PROTECTED] Sent: Thursday, January 06, 2000 8:27 AM Subject: Certificate Signing Request Key Generation Hello guys, I have a problem with my Certificate Signing request. Could you please let me know which commands I have to execute in order to generate a key and a certificate signing request. I have asked thawte.com for help, but they gave me the worng instruction. I hava an Apache SSL 1.3.9, a 1.3.7 patch and OpenSSL 0.9.4? Maybe i am just too stupid for this!! I am not a real PC-wiz. sorry! Pelase see the attached e-mail. Thanks you very much, Oliver
Can't load client's private key ?
Hi, I have a problem when I try load a private key from a PEM-format key file: The private key and certificate are both exported and converted from Verisign's free Personal ID (which is installed into IE 5). My load_key function is : ... static EVP_PKEY *load_key(char *key_file, int format){BIO *key=NULL;EVP_PKEY *pkey=NULL; key=BIO_new(BIO_s_file()); if (key == NULL){ }if (BIO_read_filename(key,key_file) = 0){ }if (format == FORMAT_PEM){pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL);}... if (key != NULL) BIO_free(key);return(pkey);}.. When it is called, pkey is always return NULL. And When I use the private and certificate to make SSL connection, everything works well. //Register a certificate from Cert fileif (SSL_CTX_use_certificate_file(pchSslSupport-sslCtx, certFile, cfType) = 0) {SslErrorHandler(ERR_SSL_CTX_USE_CERTF_FAILED);return(-1);}//Establish private key from Key fileif (SSL_CTX_use_PrivateKey_file(pchSslSupport-sslCtx, keyFile, kfType) = 0) {SslErrorHandler(ERR_SSL_CTX_USE_PRIKEYF_FAILED);return(-1);} What is wrong?? My private key file looks like : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,C780DCD57F8F0503 . -END RSA PRIVATE KEY- Any advice is appreciated, Dennis
Can't load client's private key ?
Hi, I have a problem when I try load a private key from a PEM-format key file: The private key and certificate are both exported and converted from Verisign's free Personal ID (which is installed into IE 5). My load_key function is : ... static EVP_PKEY *load_key(char *key_file, int format){BIO *key=NULL;EVP_PKEY *pkey=NULL; key=BIO_new(BIO_s_file()); if (key == NULL){ }if (BIO_read_filename(key,key_file) = 0){ }if (format == FORMAT_PEM){pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL);}... if (key != NULL) BIO_free(key);return(pkey);}.. When it is called, pkey is always return NULL. And When I use the private and certificate to make SSL connection, everything works well. //Register a certificate from Cert fileif (SSL_CTX_use_certificate_file(pchSslSupport-sslCtx, certFile, cfType) = 0) {SslErrorHandler(ERR_SSL_CTX_USE_CERTF_FAILED);return(-1);}//Establish private key from Key fileif (SSL_CTX_use_PrivateKey_file(pchSslSupport-sslCtx, keyFile, kfType) = 0) {SslErrorHandler(ERR_SSL_CTX_USE_PRIKEYF_FAILED);return(-1);} What is wrong?? My private key file looks like : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,C780DCD57F8F0503 . -END RSA PRIVATE KEY- Any advice is appreciated, Dennis