Re: build openssl for android

2012-09-12 Thread Jason Goldberg
For Android, check out this project as an example:

https://github.com/eighthave/openssl-android

They have the Android-specific Makefile configs for doing an NDK build.  You 
could patch it with your changes and generate the .so libraries you need.

On Sep 12, 2012, at 12:05 PM, Indtiny s <indt...@gmail.com> wrote:


Hi,

I have to build OpenSSL 1.0.1c for Android. I have added new ECC-CCM 
cipher key support to OpenSSL, hence I want to build the same for android-ndk 
and use it in my application as shared libraries. Is there any guide to build 
the same?

Rgds
Indu




Re: Elliptic Curve key generation help

2012-08-15 Thread Jason Goldberg
You can actually skip the step of using the BN functions and write your keypair 
directly to PEM format:

PEM_write_bio_ECPrivateKey

You can then use the BIO functions to either read a string from memory, write 
it to file, etc.  See: http://www.openssl.org/docs/crypto/bio.html#

Jason

On Aug 15, 2012, at 5:59 AM, Mohammad khodaei <m_khod...@yahoo.com> wrote:

Hi,

Based on the previous conversations, I tried to generate an Elliptic Curve 
public/private key pair. I want to convert the output BIGNUM* to char* in order 
to perform the rest of my task. Is BN_bn2hex the correct API to do this? 
It seems it returns a 32-byte hex string, while when I generate EC keys by 
command, it is much bigger. I want an output like this for public key and 
private key:

-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDbJzdK8bkYoC4CsuFCBBGPHg21AC1vHh7Dg67tTZ8z9oAoGCCqGSM49
AwEHoUQDQgAEuhRNaqvmtnVpzewv8g3zh2PDh1FwoojEQguGKGCseKffEIoLn6ua
Vn9cpsV7OX5hvcafIyqC+gIPuJovPi0Buw==
-----END EC PRIVATE KEY-----


and

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuhRNaqvmtnVpzewv8g3zh2PDh1Fw
oojEQguGKGCseKffEIoLn6uaVn9cpsV7OX5hvcafIyqC+gIPuJovPi0Buw==
-----END PUBLIC KEY-----


Here is my code:

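// Needs <string>, <openssl/bn.h>, <openssl/crypto.h>, <openssl/ec.h>, <openssl/obj_mac.h>
EC_KEY *ecKey = EC_KEY_new();
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
EC_KEY_set_group(ecKey, group);

int iECGenKey = EC_KEY_generate_key(ecKey);  // 1 on success

// get0 accessors return pointers owned by ecKey; they must not be freed.
const BIGNUM *pPrivKey = EC_KEY_get0_private_key(ecKey);
char* pchPrivKey = BN_bn2hex(pPrivKey);
int nBytes = BN_num_bytes(pPrivKey);

string strPrivKey;
if (pchPrivKey != NULL) {
    strPrivKey.assign(pchPrivKey);
    OPENSSL_free(pchPrivKey);  // free the hex string, not the BIGNUM
}

// The public key is an EC_POINT, not a BIGNUM, so it needs EC_POINT_point2hex.
const EC_POINT *pPubKey = EC_KEY_get0_public_key(ecKey);
char* pchPubKey = EC_POINT_point2hex(group, pPubKey, POINT_CONVERSION_UNCOMPRESSED, NULL);
string strPubKey;
if (pchPubKey != NULL) {
    strPubKey.assign(pchPubKey);
    OPENSSL_free(pchPubKey);
}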



It would be appreciated if you can help me.

Thanks


From: Thomas Leavy <tombu...@gmail.com>
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org
Sent: Wednesday, August 15, 2012 2:52 AM
Subject: Re: Elliptic Curve key generation help

Wow can't believe I already got an answer! Thanks so much guys I should be good 
to go.

On Aug 14, 2012, at 6:59 PM, Jason Goldberg <jgoldb...@oneid.com> wrote:

Before you call generate_key, you need to initialize your EC_KEY with a curve:

EC_GROUP *group = EC_GROUP_new_by_curve_name(curve);
EC_KEY_set_group(testKey, group);

For 'curve' you could use, for example, NIST P256 which is defined with the 
macro: NID_X9_62_prime256v1

You can then use these primitives to get the public and private keys:

EC_KEY_get0_private_key
EC_KEY_get0_public_key

Jason

On Aug 14, 2012, at 5:49 PM, Tom Leavy <tombu...@gmail.com> wrote:

I have been trying to figure out how to generate an elliptic curve public 
private key pair and can't find much information on how you properly do that. 
So far I have done the following and I'm pretty sure I am missing a step 
someplace.

void makeECCKeyPair() {
EC_KEY *testKey = EC_KEY_new();
EC_KEY_generate_key(testKey);
}






Re: Elliptic Curve key generation help

2012-08-14 Thread Jason Goldberg
Before you call generate_key, you need to initialize your EC_KEY with a curve:

EC_GROUP *group = EC_GROUP_new_by_curve_name(curve);
EC_KEY_set_group(testKey, group);

For 'curve' you could use, for example, NIST P256 which is defined with the 
macro: NID_X9_62_prime256v1

You can then use these primitives to get the public and private keys:

EC_KEY_get0_private_key
EC_KEY_get0_public_key

Jason

On Aug 14, 2012, at 5:49 PM, Tom Leavy <tombu...@gmail.com> wrote:

I have been trying to figure out how to generate an elliptic curve public 
private key pair and can't find much information on how you properly do that. 
So far I have done the following and I'm pretty sure I am missing a step 
someplace.

void makeECCKeyPair() {
EC_KEY *testKey = EC_KEY_new();
EC_KEY_generate_key(testKey);
}



Re: client server management of client SSL certificates

2012-07-29 Thread Jason Goldberg
There are Javascript libraries which range from generating key pairs to 
creating x509 certificates.  So you could generate a keypair in the browser, 
then generate a certificate signing request, send the CSR to a remote API along 
with a challenge response, and then get back a signed x509 certificate from 
your RA -- all in the browser using XHR.

However, you can't get anything out of the browser without a local application. 
 You'd need some combination of the HTML5 FileWriter API and an application 
registered to a URL protocol which could be triggered by the browser to read 
your certificates and install them.  I make no comment on the security of that 
scheme, but it definitely seems possible.

On Jul 29, 2012, at 12:52 AM, Sanford Staab <sanfo...@gmail.com> wrote:

Good questions and similar to what is on my mind.  Please let me know if you 
get any good answers to these questions.

From: Ted Byers
Sent: Saturday, July 28, 2012 12:15 PM
To: openssl-users@openssl.org
Subject: client server management of client SSL certificates

I am familiar with basic usage of openssl to make certificates, but what I am 
unclear about is how one has a CA (certificate authority) on a server, for a 
given organization, and an RA (registration authority) using a different server 
in that organization, and then supports creating client certificates on a given 
user's machine once that user has logged into a secure website and passed a 
series of challenges and responses established between the RA and the user.  
And perhaps, someone can shed a little light on whether there is anything more 
between an RA and CA than simply a message from the RA that a given person, who 
gives the right responses to these challenge questions, ought to receive a 
certificate.

How does one do that in a manner that is user friendly (i.e. without requiring 
the user to install openssl on his personal computer or mobile device, or 
having the user's private key transmitted over the web)?  I would suppose that 
the key would remain confidential once the user has established a SSL 
connection with the server, so it could be made using a cgi script that in turn 
uses openssl to make the csr and then send the private key and certificate to 
the user.  But then, the user would have to figure out how and where to install 
the key and certificate, and there is the question of whether or not the 
client's private key ought to ever be on the server.  I know people who are 
'technically challenged' (you could almost describe them as Luddites, except 
that they are addicted to their smart phones and other assorted mobile devices 
- to the point they deserve the tickets they'd get while using them when 
driving) who could benefit from use of a combination of server and client 
certificates, if somehow I could establish a web server that makes it as easy 
for them to get their client certificates as it is for them to browse 
amazon.com to buy a book.  Anything beyond that and their 
eyes would start to glaze over when you start giving them instructions on how 
to proceed.  And we really want to avoid the glazed eye phenomenon!  And we 
also want to avoid having a company's MIS or his designated assistant, having 
to create and install these certificates on every mobile device (smart phone, 
laptop, &c.) the company's staff have, or having to go to each of their homes 
to install the keys and certificates on their home computers.

Is there a JavaScript solution that handles creating the private key and CSR in 
the client's browser, and transmits the CSR to the server so it can create and 
sign the certificate which then sends it back to the browser so a different 
JavaScript function can handle installing both the key and certificate in the 
right places, and back up both to a 'safe' place?  If so, is there a variant 
which is certain to work in all browsers and that can install the certificates 
in all the browsers installed on the client's machine as well as in all the 
email clients installed on the client's machine (so the user can encrypt or 
sign, or both, any document, and check signatures and decrypt documents, 
regardless of whether transmitted via email or the web)?

Any information that can be provided would be greatly appreciated.

Thanks

Ted



Re: Read RSA PrivateKey from PEM in buffer

2012-07-29 Thread Jason Goldberg
Copy the PEM key from your buffer into a BIO instance (using BIO_write for 
example), and then use PEM_read_bio_RSAPrivateKey.

Jason

On Jul 29, 2012, at 5:52 AM, Jonas Schnelli wrote:

> Hi
> 
> I can read in a RSA private key from file without problems (with 
> PEM_read_RSAPrivateKey).
> But now I would like to read in a PEM RSA key from a "void *buffer" with 
> "size_t length".
> How can I do this? PEM_read_RSAPrivateKey only reads from FILE.
> I'm sure there's a way to work around writing a tmp file.
> 
> Thanks for the help

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Porting OpenSSL to android platform

2012-07-27 Thread Jason Goldberg
For Android, you'll need to download the Android NDK toolchain and then pull 
down this project:

https://github.com/eighthave/openssl-android

Use NDK to build the project above and that will generate the .so files you can 
link to.

For iOS, check out:

https://github.com/x2on/OpenSSL-for-iPhone

That will build you Mach-format libs containing i386, armv6 and armv7 object 
code which you can link to.  Then just add libssl and libcrypt to your project 
and include the OpenSSL headers directory.

Jason

On Jul 26, 2012, at 11:19 PM, Bibhudatta Biswal <bbi...@kodiaknetworks.com> wrote:

Hi,

We are planning to integrate OpenSSL to our VoIP product to secure Voice and 
Signaling. Our VoIP product runs on multiple platforms like Android, iPhone, 
Windows, Windows Mobile, Nucleus etc. I want to know the list of things that I 
need to take care to generate the OpenSSL static library for the above 
mentioned platforms.

Thanks & Regards,
Bibhu