Re: Special characters in config file
Thanks.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Thu, Jul 03, 2003, Fiel Cabral wrote:
>
> > Hello,
> >
> > Does anyone have an idea of the escape sequences supported by the config file? I'm trying to escape special characters that could occur in the distinguished name attribute values in the [req] section.
> >
> > Thank you for any tips.
>
> These are documented in the config manual page. The set of escapes supported is currently very limited, you can't use the octal \NNN or hex \xNN forms. This will be fixed at some point...
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Special characters in config file
Hello,

Does anyone have an idea of the escape sequences supported by the config file? I'm trying to escape special characters that could occur in the distinguished name attribute values in the [req] section.

Thank you for any tips.

-Fiel Cabral

Determining if a cert is a CA cert.
If someone gives my program just one X.509 v1 or v2 certificate, how do I check if it is a CA certificate?

These are the things I do to check if it is a root CA certificate:
a. Check if the subject and issuer names match.
b. Check if the certificate is self-signed.

But if the certificate is a sub CA certificate, then is there a way to find out? Are X.509 v1 or v2 sub CA certificates common?

Thanks for any ideas.

-Fiel

Fwd: make tests hangs
I'm asking because this didn't happen when I built openssl 0.9.6c nor with openssl 0.9.6e on unixware.

--- Fiel Cabral [EMAIL PROTECTED] wrote:
> Date: Sun, 23 Mar 2003 14:16:49 -0800 (PST)
> From: Fiel Cabral [EMAIL PROTECTED]
> Subject: make tests hangs
> To: [EMAIL PROTECTED]
>
> Why does the make tests command hang? I'm compiling openssl 0.9.6i on unixware. The script 'testss' stops at this line:
>
> + echo convert the certificate request into a self signed certificate using 'x509'
> convert the certificate request into a self signed certificate using 'x509'
> + ../apps/openssl x509 -md5 -CAcreateserial -in reqCA.ss -days 30 -req -out certCA.ss -signkey keyCA.ss
>
> -Fiel

Fwd: make tests hangs
oops... I had RANDFILE pointing to the name of an old prngd UNIX domain socket.

--- Fiel Cabral [EMAIL PROTECTED] wrote:
> Date: Mon, 24 Mar 2003 07:30:50 -0800 (PST)
> From: Fiel Cabral [EMAIL PROTECTED]
> Subject: Fwd: make tests hangs
> To: [EMAIL PROTECTED]
>
> I'm asking because this didn't happen when I built openssl 0.9.6c nor with openssl 0.9.6e on unixware.
>
> --- Fiel Cabral [EMAIL PROTECTED] wrote:
> > Date: Sun, 23 Mar 2003 14:16:49 -0800 (PST)
> > From: Fiel Cabral [EMAIL PROTECTED]
> > Subject: make tests hangs
> > To: [EMAIL PROTECTED]
> >
> > Why does the make tests command hang? I'm compiling openssl 0.9.6i on unixware. The script 'testss' stops at this line:
> >
> > + echo convert the certificate request into a self signed certificate using 'x509'
> > convert the certificate request into a self signed certificate using 'x509'
> > + ../apps/openssl x509 -md5 -CAcreateserial -in reqCA.ss -days 30 -req -out certCA.ss -signkey keyCA.ss
> >
> > -Fiel

make tests hangs
Why does the make tests command hang? I'm compiling openssl 0.9.6i on unixware. The script 'testss' stops at this line:

+ echo convert the certificate request into a self signed certificate using 'x509'
convert the certificate request into a self signed certificate using 'x509'
+ ../apps/openssl x509 -md5 -CAcreateserial -in reqCA.ss -days 30 -req -out certCA.ss -signkey keyCA.ss

-Fiel

make tests hangs
(please ignore if you receive more than one copy)

Why does the make tests command hang? I'm compiling openssl 0.9.6i on unixware. The script 'testss' stops at this line:

+ echo convert the certificate request into a self signed certificate using 'x509'
convert the certificate request into a self signed certificate using 'x509'
+ ../apps/openssl x509 -md5 -CAcreateserial -in reqCA.ss -days 30 -req -out certCA.ss -signkey keyCA.ss

-Fiel

DSA private key ASN.1
Hello openssl users:

Which document/standard specifies the format of a DSA private key?

DSA_private_key = { version, p, q, g, y, x }

This is how the openssl dsa library reads/writes it so there must be a basis. I've looked at FIPS186-2 but it doesn't show the ASN.1 anywhere.

Thanks in advance.

-Fiel

encrypted PKCS1 format
When the dsa command is used to generate an encrypted dsa private key, it outputs a PEM encoded file. Does the PEM encoded file simply contain the Base 64 encoding of the ciphertext (which can be decrypted immediately) or does it contain an ASN.1 structure that has the ciphertext inside (and thus requires parsing)?

Is it possible to generate an encrypted private key in DER output format?

Fwd: Added generationQualifier and pseudonym to objects.txt but now subject name contains numeric OIDs!
Reposted. I'm adding new OIDs to objects.txt but I'm finding that when the X509 subject name is printed, it contains OIDs for the OIDs I added. Does anyone know how to fix this?

--- Fiel Cabral [EMAIL PROTECTED] wrote:
> Date: Mon, 24 Jun 2002 16:04:10 -0700 (PDT)
> From: Fiel Cabral [EMAIL PROTECTED]
> Subject: Added generationQualifier and pseudonym to objects.txt but now subject name contains numeric OIDs!
> To: Lutz Jaenicke [EMAIL PROTECTED]
> CC: OpenSSL Users [EMAIL PROTECTED]
>
> Dear Lutz Jaenicke and OpenSSL Users:
>
> I could not wait for 0.9.7 to come out so I decided to add the X509 OIDs for generationQualifier and pseudonym to crypto/objects/objects.txt. Now, I can create a certificate request containing these distinguished name attributes BUT when I do openssl req -text, I get a couple of OIDs in the subject DN! Like:
>
> CN=abc/2.5.4.44=Jr. (generationQualifier)
>
> Initially I only had a long form for the attribute in objects.txt so I tried adding the short form as well but that did not help. Do you know which file to modify so I can supply the friendly-names for the attributes: pseudonym and generationQualifier?
>
> Thank you.
>
> -Fiel Cabral

Added generationQualifier and pseudonym to objects.txt but now subject name contains numeric OIDs!
Dear Lutz Jaenicke and OpenSSL Users:

I could not wait for 0.9.7 to come out so I decided to add the X509 OIDs for generationQualifier and pseudonym to crypto/objects/objects.txt. Now, I can create a certificate request containing these distinguished name attributes BUT when I do openssl req -text, I get a couple of OIDs in the subject DN! Like:

CN=abc/2.5.4.44=Jr. (generationQualifier)

Initially I only had a long form for the attribute in objects.txt so I tried adding the short form as well but that did not help. Do you know which file to modify so I can supply the friendly-names for the attributes: pseudonym and generationQualifier?

Thank you.

-Fiel Cabral

Question: pkcs12 -cacerts does not check CA:TRUE when outputting certs?
When pkcs12 is passed the -cacerts option, is it supposed to print out only CA certificates? It seems like the -cacerts option does not check if the certificate contains basicConstraints CA:TRUE. Is this the correct behavior or is it a bug?

Thanks.

Fiel Cabral

generationQualifier OID?
I am looking at objects.txt and comparing it with RFC2459 and noticed that the generationQualifier DN attribute is missing. Should it be added?

-Fiel Cabral

Re: PKI book in relation to VPNs
Eric,

Thank you for your post. Thanks to the other people who posted their suggestions, as well. I bought Planning for PKI and it was very helpful. It described the contents of certificates, extensions, PKCS7 and PKCS10 clearly.

-Fiel Cabral

--- Eric Rescorla [EMAIL PROTECTED] wrote:
> Fiel Cabral [EMAIL PROTECTED] writes:
> > Could anyone recommend one or more books on the following topics: PKI, VPN, IPSec, LDAP, SCEP, OCSP? I looked around and found the RSA PKI book by Nash, et al. but I'm having a hard time finding more books.
>
> For PKI, check out:
>
> Planning for PKI: Best Practices Guide For Deploying Public Key Infrastructure by Housley and Polk
> http://www.amazon.com/exec/obidos/ASIN/0471397024/qid=1007480175/sr=8-2/ref=sr_8_3_2/107-6458714-3717315
>
> and
>
> Understanding the Public Key Infrastructure by Adams
> http://www.amazon.com/exec/obidos/ASIN/157870166X/qid=1007480252/sr=1-1/ref=sr_1_14_1/107-6458714-3717315
>
> I've only looked at Housley and Polk (the chairs of PKIX) but Carlisle Adams is an active PKIX participant and a smart guy.
>
> For VPN, there's
>
> IPsec by Harkins and Doraswamy
> http://www.amazon.com/exec/obidos/ASIN/0130118982/qid=1007480363/sr=2-2/ref=sr_2_11_2/107-6458714-3717315
>
> and
>
> Virtual Private Networks: Technologies and Solutions by Yuan and Strayer
> http://www.amazon.com/exec/obidos/ASIN/0201702096/qid=1007480469/sr=1-3/ref=sr_1_11_3/107-6458714-3717315
>
> Neither of these books is wholly satisfactory. Harkins and Doraswamy is old and was always a bit thin. Yuan and Strayer is rather academic for my taste.
>
> -Ekr
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> Author of SSL and TLS: Designing and Building Secure Systems
> http://www.rtfm.com/

PKI book in relation to VPNs
Could anyone recommend one or more books on the following topics: PKI, VPN, IPSec, LDAP, SCEP, OCSP? I looked around and found the RSA PKI book by Nash, et al. but I'm having a hard time finding more books.

Thanks.

-Fiel

Re: private key
Thanks. I looked at the asn1parse output and found that d2i_RSAPrivateKey() expected an INTEGER for the version number in the ASN1.DER file but it read something else so it exited.

--- Dr S N Henson [EMAIL PROTECTED] wrote:
> Fiel Cabral wrote:
> > I'm writing a program that uses openssl to read the private key from an ASN1.DER encoded file. The openssl API outputs the following:
> >
> > 17752:error:0D080071::lib(13) :func(128) :reason(113):a_int.c:191:
> > 17752:error:0D09D082::lib(13) :func(157) :reason(130):d2i_r_pr.c:124:
> >
> > I'm using the load_key() function from openssl/apps/x509.c but I got this error. I'm sure that my file is valid. Can anyone give me some hints?
>
> Depends on the format of the private key. You might need to use a different function or be unable to use it at all if it's an undocumented proprietary format (Oracle webserver is one example of that). See what:
>
> openssl asn1parse -inform DER -in key.der
>
> produces.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

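The diagnosis in the message above (the first field inside the outer SEQUENCE was not the INTEGER version that d2i_RSAPrivateKey() expects) can be checked by reading only the first two DER headers of the file. This is an added example, not part of the original thread or of OpenSSL; the function names, return labels and hex samples are constructed for illustration, and the PKCS#8 cases go beyond the single failure named in the thread.

```python
def read_tlv(buf, pos=0):
    """Parse one DER element header; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of input")
    return tag, pos, pos + length


def classify_private_key(der):
    """Classify a DER blob by the first two fields of its outer SEQUENCE."""
    try:
        tag, start, end = read_tlv(der)
        if tag != 0x30:
            return "not-sequence"
        body = der[start:end]
        t1, _, e1 = read_tlv(body)
        if t1 == 0x30:                    # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
            return "pkcs8-encrypted"
        if t1 != 0x02:                    # no INTEGER version: the failure in the thread
            return "unknown"
        t2, _, _ = read_tlv(body, e1)
    except ValueError:
        return "malformed"
    if t2 == 0x02:                        # version, then more INTEGERs (RSA n, DSA p)
        return "traditional"
    if t2 == 0x30:                        # version, then AlgorithmIdentifier
        return "pkcs8"
    return "unknown"


SAMPLES = {  # constructed byte strings with the right shape, not real keys
    "traditional": bytes.fromhex("300a020100020200c3020103"),
    "pkcs8": bytes.fromhex("3015020100300d06092a864886f70d0101010500040100"),
    "pkcs8-encrypted": bytes.fromhex("3008300306012a040100"),
    "not-sequence": bytes.fromhex("040100"),
    "malformed": bytes.fromhex("3015020100"),
}
```

Only the "traditional" shape is what d2i_RSAPrivateKey() parses directly; any other label means the file needs a different loader or is not a key in a format OpenSSL knows.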
private key
I'm writing a program that uses openssl to read the private key from an ASN1.DER encoded file. The openssl API outputs the following:

17752:error:0D080071::lib(13) :func(128) :reason(113):a_int.c:191:
17752:error:0D09D082::lib(13) :func(157) :reason(130):d2i_r_pr.c:124:

I'm using the load_key() function from openssl/apps/x509.c but I got this error. I'm sure that my file is valid. Can anyone give me some hints?

Thanks.

Fiel Cabral

checking the private key
I'm writing a program that uses openssl to read the private key from an ASN1.DER encoded file. The openssl API outputs the following:

17752:error:0D080071::lib(13) :func(128) :reason(113):a_int.c:191:
17752:error:0D09D082::lib(13) :func(157) :reason(130):d2i_r_pr.c:124:

I'm using the load_key() function from openssl/apps/x509.c but I got this error. I'm sure that my file is valid. Can anyone give me some hints?

Thanks.

Fiel Cabral