Re: Openssl upgrade to 1.1.1o on Red Linux 5.11

2022-06-22 Thread Ken Goldman

On 6/22/2022 10:32 AM, Gaurav Mittal11 wrote:

Hi Team,

Is there any way to upgrade openssl in redhat 5.11 as I am getting error its 
not supported.

 > uname -a

Linux serverxxx 2.6.18-419.el5 #1 SMP Wed Feb 22 22:40:57 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux Server release 5.11 (Tikanga)

 >> ./config --prefix=/opt/openssl-1.1.1o --openssldir=/opt/openssl/1.1.1o

Operating system: x86_64-whatever-linux2

This system (linux-x86_64) is not supported. See file INSTALL for details.



Generally, that's a bad idea.  All the other packages are tested against a particular version and you never know what will break.

If it's just for testing, I build openssl in a local directory and link
my program to it.



Openssl 3.0.0 creating ECC key from X and Y, PEM_write_PUBKEY fails

2021-10-22 Thread Ken Goldman

I have X and Y as bignums.  I create EVP_PKEY with this.

I suspect that I have to do another step to indicate that I supplied X and Y and not a compressed public key.


param_bld = OSSL_PARAM_BLD_new();
rc = getEcCurveString(&curveString, ...);   /* gets strings like prime256v1 */
irc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_PKEY_PARAM_GROUP_NAME,
                                      curveString, 0);
irc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_EC_PUB_X, x);
irc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_EC_PUB_Y, y);
params = OSSL_PARAM_BLD_to_param(param_bld);
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
irc = EVP_PKEY_fromdata_init(ctx);
irc = EVP_PKEY_fromdata(ctx, evpPubkey, EVP_PKEY_PUBLIC_KEY, params);

following that, this fails with

irc = PEM_write_PUBKEY(pemFile, evpPubkey);

==88032== Invalid read of size 8
==88032==    at 0x4CB27F7: ec_point_is_compat (ec_local.h:328)
==88032==    by 0x4CB2AB1: EC_POINT_point2oct (ec_oct.c:82)
==88032==    by 0x4CA506F: i2o_ECPublicKey (ec_asn1.c:1158)
==88032==    by 0x4E7B0D2: ec_spki_pub_to_der (encode_key2any.c:701)
==88032==    by 0x4E79DBE: key_to_pubkey (encode_key2any.c:154)
==88032==    by 0x4E7A490: key_to_spki_pem_pub_bio (encode_key2any.c:348)
==88032==    by 0x4E7B9CA: key2any_encode (encode_key2any.c:1043)
==88032==    by 0x4E7F539: ec_to_SubjectPublicKeyInfo_pem_encode (encode_key2any.c:1359)
==88032==    by 0x4CF2C3F: encoder_process (encoder_lib.c:632)
==88032==    by 0x4CF17AC: OSSL_ENCODER_to_bio (encoder_lib.c:63)
==88032==    by 0x4CF1897: OSSL_ENCODER_to_fp (encoder_lib.c:85)
==88032==    by 0x4D8BE33: PEM_write_PUBKEY (pem_all.c:226)

point is null



Re: openssl 3.0.0 get ECC public key modulus from EVP_PKEY

2021-10-14 Thread Ken Goldman

On 10/14/2021 6:39 AM, Matt Caswell wrote:


"priv" (OSSL_PKEY_PARAM_PRIV_KEY) 

The private key value.

Since it's an integer, using EVP_PKEY_get_bn_param() would be appropriate here, but not EVP_PKEY_get_octet_string_param().

Basically you need to know the type of the parameter you are attempting to access and use the right kind of "getter" to match the type - otherwise it will fail.


That helped!

https://www.openssl.org/docs/manmaster/man7/EVP_PKEY-EC.html

I found that page a bit confusing.  Is it right that




are all actually BIGNUM?  I.e., not C int or unsigned int?



While I'm on that page:

 should call EVP_PKEY_get_utf8_string_param().  This seems to require an allocated array.  How does one find the size to allocate?  Does it follow the typical "if buf is NULL, return just the size" so it can be malloced?

 same question.



Re: openssl 3.0.0 get ECC public key modulus from EVP_PKEY

2021-10-13 Thread Ken Goldman

On 10/13/2021 12:06 PM, Matt Caswell wrote:


On 12/10/2021 23:37, Ken Goldman wrote:

In pre-3.0.0, I used this, omitting the error checking, malloc, ...

ecPoint = EC_KEY_get0_public_key(ecKey);
ecGroup = EC_KEY_get0_group(ecKey);
EC_POINT_point2oct(ecGroup, ecPoint,
   POINT_CONVERSION_UNCOMPRESSED,
   *modulusBin, *modulusBytes, NULL);

In 3.0.0, I tried this, expecting to get a BIGNUM and then convert

    irc = EVP_PKEY_get_bn_param(eccKey, OSSL_PKEY_PARAM_PUB_KEY, (BIGNUM 
**)pub);

It returns 0.

What's the correct way to get the uncompressed ECC public key?


Refer to this man page:

https://www.openssl.org/docs/man3.0/man7/EVP_PKEY-EC.html

For an EC key, the public key parameter is:

"pub" (OSSL_PKEY_PARAM_PUB_KEY) 
The public key value in EC point format.

You will note that this is an octet string and not an integer which is why 
EVP_PKEY_get_bn_param is failing.


I tried

irc = EVP_PKEY_get_octet_string_param(eccKey, OSSL_PKEY_PARAM_PRIV_KEY,
                                      *priv, 256, (size_t *)privLen);

which failed.

In common_get_params() the eccKey is cast to an EC_KEY and there are BIGNUMs for X, Y, Z.  The EC_GROUP looks populated.

It fails on

(p = OSSL_PARAM_locate(params,
   OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS))


Alternatively you could get the x and y components of the public key separately 
using:

"qx" (OSSL_PKEY_PARAM_EC_PUB_X) 
Used for getting the EC public key X component.

"qy" (OSSL_PKEY_PARAM_EC_PUB_Y) 
Used for getting the EC public key Y component.

In this case EVP_PKEY_get_bn_param would be appropriate.

Matt


openssl 3.0.0 get ECC public key modulus from EVP_PKEY

2021-10-12 Thread Ken Goldman

In pre-3.0.0, I used this, omitting the error checking, malloc, ...

ecPoint = EC_KEY_get0_public_key(ecKey);
ecGroup = EC_KEY_get0_group(ecKey);
EC_POINT_point2oct(ecGroup, ecPoint,
   POINT_CONVERSION_UNCOMPRESSED,
   *modulusBin, *modulusBytes, NULL);

In 3.0.0, I tried this, expecting to get a BIGNUM and then convert

irc = EVP_PKEY_get_bn_param(eccKey, OSSL_PKEY_PARAM_PUB_KEY, (BIGNUM **)pub);

It returns 0.

What's the correct way to get the uncompressed ECC public key?



EVP_EncryptInit_ex2() operation

2021-09-27 Thread Ken Goldman

Does it make sense to initialize the context once and then use it multiple times, or is it cleaner to create a new one from the raw key byte string each time?

I've seen sample code that uses this to 'reset' the context for a new 
encryption.

EVP_EncryptInit_ex2(e, NULL, NULL, NULL, NULL);

1. Is this guaranteed?  Documented?
2. Does the iv get reset as well?
3. Is the padding retained, or must I call EVP_CIPHER_CTX_set_padding() again?



openssl 3.0.0 equivalent to RSA_get0_key

2021-09-20 Thread Ken Goldman

... and RSA_get0_factors.

I know about EVP_PKEY_get_bn_param().  However, that allocates new bignums.  
Therefore, the caller has to say, if >3.0.0, free them, else don't.

The deprecated get0 functions just returned pointers that did not have to be 
separately freed.

Is there a call to pass in an EVP_PKEY and get references to existing n,e,p, 
not allocated bignums?



Openssl 3.0.0. EVP_PKEY RSA is NULL

2021-09-14 Thread Ken Goldman

I am doing the following, but the EVP_PKEY->pkey->rsa is null.
Am I misusing the API or missing a step?

(error checking removed)

EVP_PKEY       *rsa_pub_key = NULL;
EVP_PKEY_CTX   *ctx = NULL;
OSSL_PARAM_BLD *param_bld = NULL;
OSSL_PARAM     *params = NULL;

BIGNUM *n = NULL;
BIGNUM *e = NULL;

[these bignums are initialized using bin2bn]

param_bld = OSSL_PARAM_BLD_new();
irc = OSSL_PARAM_BLD_push_BN(param_bld, "n", n);
irc = OSSL_PARAM_BLD_push_BN(param_bld, "e", e);
params = OSSL_PARAM_BLD_to_param(param_bld);

(do I perhaps need an 'end'?)

ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
irc = EVP_PKEY_fromdata_init(ctx);
irc = EVP_PKEY_fromdata(ctx, (EVP_PKEY **)rsa_pub_key,  /* freed by caller */
                        EVP_PKEY_PUBLIC_KEY, params);

Probing rsa_pub_key here in the debugger.


type = 6
references = 1
rsa = 0  (probably NULL)



Re: Openssl 3.0.0. EVP_PKEY_CTX vs EVP_PKEY

2021-09-14 Thread Ken Goldman

On 9/14/2021 11:40 AM, Tomas Mraz wrote:

On Tue, 2021-09-14 at 11:11 -0400, Ken Goldman wrote:

Conceptually, how are these different?

When do I use one vs the other?


The EVP_PKEY is an object holding data (well, rather a reference, but
that is fairly irrelevant) of a private key, public key, or domain
parameters for asymmetric crypto keys.

The EVP_PKEY_CTX is an operation context - that is a context to make
some operations with an EVP_PKEY such as signing/verification,
encryption/decryption, key generation (starting with domain parameters
EVP_PKEY), key checking.


Where would I learn this?


I suppose in the manual pages - I'd start with EVP_PKEY_new and
EVP_PKEY_CTX_new man pages. Yeah, the discoverability is not that good
I suppose. And there is no good high level overview.


In other words, the EVP_PKEY holds the public key.  When I want to use
it to encrypt / verify, I create a temporary EVP_PKEY_CTX?  Is that it?
Do I also use a ctx to initialize the key?

Perhaps, to make the EVP_PKEY from n and e.:

OSSL_PARAM_BLD_push_BN() for n and e parameters
EVP_PKEY_CTX_new_from_name the RSA
EVP_PKEY_fromdata using the parameters


Openssl 3.0.0. EVP_PKEY_CTX vs EVP_PKEY

2021-09-14 Thread Ken Goldman

Conceptually, how are these different?

When do I use one vs the other?

Where would I learn this?



Re: EVP_MAC_init - specify the hash algorithm

2021-09-09 Thread Ken Goldman

Where does one get the parameter values?

E.g., where would I see the value strings for the EVP_MAC_new algorithm
and the digest parameter values.

I can guess HMAC and SHA256, but are they documented?

Case sensitive?  Which is preferred?

You use EVP_MAC_new, which is undocumented.  The doc sample
uses EVP_MAC_fetch.  Which is preferred?

On 7/13/2021 7:06 PM, Dr Paul Dale wrote:


Your code should look more like:

OSSL_PARAM params[2];
EVP_MAC *mac = EVP_MAC_new(NULL, "HMAC", NULL);
EVP_MAC_CTX *mac_ctx = EVP_MAC_CTX_new(mac);
EVP_MAC_free(mac); /* Now or later is all good and depends on the app reusing it or not */

params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0);
params[1] = OSSL_PARAM_construct_end();

EVP_MAC_init(mac_ctx, key, key_len, params);
EVP_MAC_update(mac_ctx, data1, data1_len);
EVP_MAC_update(mac_ctx, data2, data2_len);
EVP_MAC_update(mac_ctx, data3, data3_len);
EVP_MAC_final(mac_ctx, out, &out_size, out_len);
EVP_MAC_CTX_free(mac_ctx);


TYPE_new() and TYPE_free()

2021-08-27 Thread Ken Goldman

Assuming that I use the ASN1_SEQUENCE, ASN1_SEQUENCE_END,
DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS macros ...

TYPE_free() says that it frees all sub-objects.  Can I
assume that, if the sub-objects are also defined
with those macros, that it will iterate all the way?

TYPE_new() allocates the object.  Does it set
all the pointers to NULL, and iterate down
through sub-structure - so that the free is safe?



Re: openssl 3.0.0 valgrind failure on OPENSSL_ia32_cpuid - retract, sorry

2021-08-27 Thread Ken Goldman

On 8/27/2021 3:46 PM, Ken Goldman wrote:

I run valgrind on all my software to find memory leaks.  This worked for
openssl 1.0.2 and 1.1.1, but fails with 3.0.0.  Suggestions?


Sorry, I updated valgrind and all is well.



openssl 3.0.0 valgrind failure on OPENSSL_ia32_cpuid

2021-08-27 Thread Ken Goldman

I run valgrind on all my software to find memory leaks.  This worked for
openssl 1.0.2 and 1.1.1, but fails with 3.0.0.  Suggestions?

vex amd64->IR: unhandled instruction bytes: 0xF3 0xF 0x1E 0xFA 0x49 0x89 0xD8 0x31
vex amd64->IR:   REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.n=0x0 ESC=0F
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=1
==29625== valgrind: Unrecognised instruction at address 0x56b2b10.
==29625==    at 0x56B2B10: OPENSSL_ia32_cpuid (x86_64cpuid.s:36)
==29625==    by 0x569FA37: OPENSSL_cpuid_setup (cpuid.c:147)
==29625==    by 0x55163C2: ??? (in /home/kgold/openssl30/libcrypto.so.3)
==29625== Your program just tried to execute an instruction that Valgrind
==29625== did not recognise.  There are two possible reasons for this.
==29625== 1. Your program has a bug and erroneously jumped to a non-code
==29625==    location.  If you are running Memcheck and you just saw a
==29625==    warning about a bad jump, it's probably your program's fault.
==29625== 2. The instruction is legitimate but Valgrind doesn't handle it,
==29625==    i.e. it's Valgrind's fault.  If you think this is the case or
==29625==    you are not sure, please let us know and we'll try to fix it.
==29625== Either way, Valgrind will now raise a SIGILL signal which will
==29625== probably kill your program.
==29625==
==29625== Process terminating with default action of signal 4 (SIGILL)
==29625==  Illegal opcode at address 0x56B2B10
==29625==    at 0x56B2B10: OPENSSL_ia32_cpuid (x86_64cpuid.s:36)
==29625==    by 0x569FA37: OPENSSL_cpuid_setup (cpuid.c:147)
==29625==    by 0x55163C2: ??? (in /home/kgold/openssl30/libcrypto.so.3)



Re: 3.0.0. IMPLEMENT_ASN1_FUNCTIONS missing _it prototypes

2021-08-27 Thread Ken Goldman

On 8/24/2021 5:56 AM, Matt Caswell wrote:



On 23/08/2021 20:42, Ken Goldman wrote:

I get warnings on all my ASN1_SEQUENCE_END, a missing prototype for the _it 
functions.
The code is working, but I'd like a clean compile.

3.0.0 only, 1.0.2 and 1.1.1 are OK.

Example:

#include 
#include 
#include 
#include 

typedef struct {
 ASN1_TIME *notBefore;
 ASN1_TIME *notAfter;
} TPM_PARTIAL_CERT_VALIDITY;

ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
 ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
 ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY) 


Change this line to:

} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)



static_ worked on 3.0, 1.1.1, and 1.0.2.  I found that
it failed on 1.0.1e with:

certifyx509.c:125: error: expected ',' or ';' before 'static_ASN1_SEQUENCE_END'
certifyx509.c:128: warning: no previous prototype for 'TPM_ADDTOCERT_new'

If this makes sense, I can add an ifdef.

(Support for 1.0.1 is a requirement. Sorry.)




Re: HMAC verification with EVP Interface

2021-08-26 Thread Ken Goldman

On 8/26/2021 5:35 AM, d0 wrote:

Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
ol' memcmp.


What's the rationale?  The HMAC result isn't secret.
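
The rationale behind d0's advice is not that the tag is secret but that the verifier compares a tag it derived from the secret key against a tag supplied by the peer. memcmp() may return at the first differing byte, so its running time depends on how many leading bytes of the supplied tag were right; that is the side channel CRYPTO_memcmp() closes by always touching every byte. The following is an added example, not code from the thread or from OpenSSL, in plain C with no libcrypto dependency; ct_equal(), early_exit_steps() and tag_matches() are this example's own names and the tag bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constant-time equality for two n-byte buffers, the same idea as
 * CRYPTO_memcmp(): OR every byte difference into an accumulator and never
 * branch on the data.  Returns 1 if equal, 0 otherwise. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= a[i] ^ b[i];
    /* acc == 0 -> 1, acc != 0 -> 0, without a data-dependent branch */
    return 1 ^ ((acc | (unsigned char)-acc) >> 7);
}

/* An early-exit compare, instrumented: returns how many bytes it looked at
 * before deciding.  memcmp()'s running time tracks this number, and the
 * number is the position of the first wrong byte in the supplied tag. */
size_t early_exit_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Tag check as a verifier should write it: the only thing allowed to
 * affect timing is the (public) tag length. */
int tag_matches(const unsigned char *expected, size_t explen,
                const unsigned char *received, size_t rcvlen)
{
    if (explen != rcvlen)
        return 0;
    return ct_equal(expected, received, explen);
}

/* Constructed 32-byte "expected" tag (arbitrary bytes, not a real HMAC). */
static const unsigned char TAG[32] = {
    0x8a, 0x11, 0xf3, 0x07, 0x5c, 0xe9, 0x42, 0xb0, 0x1d, 0x6f, 0xa8, 0x33,
    0xc4, 0x9e, 0x70, 0x25, 0xd1, 0x0b, 0x66, 0xef, 0x58, 0x93, 0x2a, 0xbc,
    0x47, 0x0e, 0xf5, 0x81, 0x6c, 0x39, 0xa2, 0xd7
};

/* Bytes inspected by the early-exit compare when byte 0 is wrong. */
size_t steps_wrong_first(void)
{
    unsigned char t[32];
    memcpy(t, TAG, sizeof(t));
    t[0] ^= 0x01;
    return early_exit_steps(TAG, t, sizeof(t));
}

/* Bytes inspected by the early-exit compare when only byte 31 is wrong. */
size_t steps_wrong_last(void)
{
    unsigned char t[32];
    memcpy(t, TAG, sizeof(t));
    t[31] ^= 0x01;
    return early_exit_steps(TAG, t, sizeof(t));
}

/* The constant-time check still rejects a tag that is wrong in one byte. */
int ct_rejects_wrong_last(void)
{
    unsigned char t[32];
    memcpy(t, TAG, sizeof(t));
    t[31] ^= 0x01;
    return tag_matches(TAG, sizeof(TAG), t, sizeof(t));
}

/* ... and accepts the genuine tag. */
int ct_accepts_equal(void)
{
    return tag_matches(TAG, sizeof(TAG), TAG, sizeof(TAG));
}
```

The two step counts (1 versus 32) are the whole point: with memcmp() the difference is observable as time, so the verifier must use a compare whose work does not depend on where the first mismatch is.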



3.0.0. IMPLEMENT_ASN1_FUNCTIONS missing _it prototypes

2021-08-23 Thread Ken Goldman

I get warnings on all my ASN1_SEQUENCE_END, a missing prototype for the _it 
functions.
The code is working, but I'd like a clean compile.

3.0.0 only, 1.0.2 and 1.1.1 are OK.

Example:

#include 
#include 
#include 
#include 

typedef struct {
ASN1_TIME *notBefore;
ASN1_TIME *notAfter;
} TPM_PARTIAL_CERT_VALIDITY;

ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)   line 97 is here

certifyx509.c:97: warning: no previous prototype for 
'TPM_PARTIAL_CERT_VALIDITY_it'




Re: Set X509 public key in 1.0.2

2021-08-23 Thread Ken Goldman

On 8/20/2021 7:19 PM, Thomas Dwyer III wrote:

1.0.2 has X509_PUBKEY_get() (without the zero) which I believe increases the 
reference count on the EVP_PKEY.




Perfect!

It was not in the 1.0.2 man page, but it seems to be portable across
1.0.1, 1.1.1, 3.0.0.



Set X509 public key in 1.0.2

2021-08-20 Thread Ken Goldman

I have an X509_PUBKEY structure holding the algorithm and public key.
I want to set it in the X509 structure.

In 1.1.1 and up, I can use

evpPubkey = X509_PUBKEY_get0(addToCert->key);   /* X509_PUBKEY */
X509_set_pubkey(x509Certificate, evpPubkey);

However, 1.0.2 doesn't have these.

What's a good approach?

I could access the X509.cert_info.key and set the
value, but I expect that would cause a double free later
when I free both the X509 and the structure holding the
X509_PUBKEY.

Is there something like an X509_PUBKEY_dup function?

(Yes, I know that 1.0.2 is obsolete, but there are some LTS
distros, and I'd rather not drop support for 1.0.2 if I can
figure this out.)




Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-19 Thread Ken Goldman

On 8/17/2021 9:47 PM, Sands, Daniel via openssl-users wrote:

The dump you show below is:
Attributes (set, tagged with a 0, optional)
Version
privateKeyAlgorithm
privateKey

This is a PKCS#8 packet for a key.  The encapsulated data is the RSA public key 
in PKCS1 format.  I know OpenSSL has built-in PKCS#8 capability, though I do 
note that the optional attribute set is out of sequence.

Either way, you could look at the PKCS8 source code and simply move the 
attribute to the beginning and otherwise duplicate the ASN1 parts and structure 
there, even if OpenSSL fails to parse this not-quite-spec packet.


For the record, it was an inconsistency - ASN1_SIMPLE requires a pointer, 
ASN1_EMBED does not.

I used the example in x_x509.c, which uses EMBED, but I could not find the 
corresponding typedef.

(I have no opportunity to change the input.  It comes from a standard HSM.)



Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Ken Goldman

My latest attempt to code the below DER is this.  It compiles, but the d2i segfaults on apparently the second element.

Anything obviously wrong?

typedef struct  {
ASN1_INTEGER *version;
ASN1_INTEGER *serialNumber;
X509_ALGOR *signature;
X509_PUBKEY *key;
} TPM_ADDTOCERT;

ASN1_SEQUENCE(TPM_ADDTOCERT) = {
ASN1_EXP_OPT(TPM_ADDTOCERT, version, ASN1_INTEGER, 0),
ASN1_EMBED(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
ASN1_EMBED(TPM_ADDTOCERT, signature, X509_ALGOR),
ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
} ASN1_SEQUENCE_END(TPM_ADDTOCERT)

DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)

const unsigned char *tmpptr = out.addedToCertificate.t.buffer;
TPM_ADDTOCERT *addToCert = d2i_TPM_ADDTOCERT(NULL,
                                             &tmpptr, out.addedToCertificate.t.size);

On 8/16/2021 4:56 PM, Ken Goldman wrote:


The dump looks like this:

  0 337: SEQUENCE {
   4   3: . [0] {
   6   1: . . INTEGER 2
    : . . }
   9  21: . INTEGER 00 87 12 50 78 0A C9 8B 60 DD AC FA 75 18 05 EC DC 30 51 53 23
  32  13: . SEQUENCE {
  34   9: . . OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
    : . . . (PKCS #1)
  45   0: . . NULL
    : . . }
  47 290: . SEQUENCE {
  51  13: . . SEQUENCE {
  53   9: . . . OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
    : . . . . (PKCS #1)
  64   0: . . . NULL
    : . . . }
  66 271: . . BIT STRING, encapsulates {
  71 266: . . . SEQUENCE {
  75 257: . . . . INTEGER
    : . . . . . 00 B0 83 4A E9 41 78 E0 6A C3 0F D6 E4 B9 7D 96
    : . . . . . 70 74 05 00 C9 E2 2C 6C 4C 6E 16 02 40 5C 35 29
    : . . . . . F6 EF 9F 55 3A BD 4B 74 1D 6A 21 38 20 69 C8 88
    : . . . . . A3 6B 56 62 2A 91 02 41 58 92 97 87 19 1C AD 19
    : . . . . . 53 56 FB 7E 9D 86 B8 4E 8D 82 6A 87 A7 93 55 8F
    : . . . . . AB E8 89 D7 63 0B C9 02 99 D8 37 F8 FB 6B 32 98
    : . . . . . 6A 05 3F 9E 22 B6 D3 6F BB BE 2D AC 6C 74 17 5D
    : . . . . . 15 EE 84 E5 A4 8F 9C C3 83 CD 83 81 63 EC B5 85
    : . . . . . 6B 1A B8 57 80 2C ED E3 A7 F2 8C F7 3F 13 D9 27
    : . . . . . 2E 64 37 49 E6 47 8E 0A 11 64 46 72 DD F9 EB 4F
    : . . . . . B8 13 58 0B 47 F7 72 AB 29 D6 A5 05 44 30 E7 8D
    : . . . . . FE 86 8A E8 5F 10 91 13 04 57 47 96 A7 97 28 3C
    : . . . . . 39 BD 23 3F C6 41 5E 45 3F A5 41 F5 BF 7D C2 7C
    : . . . . . CC F9 97 20 3F 20 82 AF 64 8C BC 0D 99 F4 BA 10
    : . . . . . 53 58 C5 EC 86 DE 26 ED D9 D6 F2 60 49 C9 E7 9B
    : . . . . . 6A 64 D2 BC C5 0E B0 1D EB 45 43 89 A6 4E 64 B4
    : . . . . . A1
336   3: . . . . INTEGER 65537
    : . . . . }
    : . . . }
    : . . }
    : . }


Re: [EXTERNAL] Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Ken Goldman

On 8/17/2021 12:57 PM, Sands, Daniel via openssl-users wrote:

Now I would like to do the other end, where I have der and I want to
parse back to the structure, using d2i()

1 - Is there a tutorial on this?


Seems like you don't need one. If you got i2d working you should have d2i

already!




I wasn't clear.  The input and output sides are different asn.1.

For the input side, a poster gave me the structure and I only need the i2d().
That's done - amazing.

This worked so well that I would like to use the same pattern for the output side, where I need d2i().

I posted the DER dump below, but I don't know how to map that to the
structures that the openssl macros can consume.


If you want a generalized parser, you need the schema.  Yes, you could make an 
ASN1 structure to parse THAT input, but if you want to parse all input of that 
type, you need to know about optional values, arbitrary repeats, etc.  The 
schema would specify all of that.



I don't need a generalized parser, and there is no schema.  It's the output of an ISO standard HSM (a TPM).  It doesn't change, so I just want to parse that specific output.

The only variation is that the public key could be ECC.

Any clue on how to code that structure?



Re: IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-17 Thread Ken Goldman

On 8/17/2021 10:38 AM, Matt Caswell wrote:



On 16/08/2021 21:56, Ken Goldman wrote:

I am trying to parse some ASN.1 DER so I can add it to an X.509 certificate.

For the input side, a poster showed me

ASN1_SEQUENCE, ASN1_SEQUENCE_END, and then
DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS

which created the i2d() function.


It should also give you the d2i() function too!




Now I would like to do the other end, where I have der and I
want to parse back to the structure, using d2i()

1 - Is there a tutorial on this?


Seems like you don't need one. If you got i2d working you should have d2i 
already!



I wasn't clear.  The input and output sides are different asn.1.

For the input side, a poster gave me the structure and I only need the
i2d().  That's done - amazing.

This worked so well that I would like to use the same pattern for
the output side, where I need d2i().

I posted the DER dump below, but I don't know how to map that
to the structures that the openssl macros can consume.



Matt




2 - Can someone show me this structure?

The DER is a version, serial number, signature algorithm,
public key algorithm, and public key.

The dump looks like this:

  0 337: SEQUENCE {
   4   3: . [0] {
   6   1: . . INTEGER 2
    : . . }
   9  21: . INTEGER 00 87 12 50 78 0A C9 8B 60 DD AC FA 75 18 05 EC DC 30 51 53 23
  32  13: . SEQUENCE {
  34   9: . . OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
    : . . . (PKCS #1)
  45   0: . . NULL
    : . . }
  47 290: . SEQUENCE {
  51  13: . . SEQUENCE {
  53   9: . . . OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
    : . . . . (PKCS #1)
  64   0: . . . NULL
    : . . . }
  66 271: . . BIT STRING, encapsulates {
  71 266: . . . SEQUENCE {
  75 257: . . . . INTEGER
    : . . . . . 00 B0 83 4A E9 41 78 E0 6A C3 0F D6 E4 B9 7D 96
    : . . . . . 70 74 05 00 C9 E2 2C 6C 4C 6E 16 02 40 5C 35 29
    : . . . . . F6 EF 9F 55 3A BD 4B 74 1D 6A 21 38 20 69 C8 88
    : . . . . . A3 6B 56 62 2A 91 02 41 58 92 97 87 19 1C AD 19
    : . . . . . 53 56 FB 7E 9D 86 B8 4E 8D 82 6A 87 A7 93 55 8F
    : . . . . . AB E8 89 D7 63 0B C9 02 99 D8 37 F8 FB 6B 32 98
    : . . . . . 6A 05 3F 9E 22 B6 D3 6F BB BE 2D AC 6C 74 17 5D
    : . . . . . 15 EE 84 E5 A4 8F 9C C3 83 CD 83 81 63 EC B5 85
    : . . . . . 6B 1A B8 57 80 2C ED E3 A7 F2 8C F7 3F 13 D9 27
    : . . . . . 2E 64 37 49 E6 47 8E 0A 11 64 46 72 DD F9 EB 4F
    : . . . . . B8 13 58 0B 47 F7 72 AB 29 D6 A5 05 44 30 E7 8D
    : . . . . . FE 86 8A E8 5F 10 91 13 04 57 47 96 A7 97 28 3C
    : . . . . . 39 BD 23 3F C6 41 5E 45 3F A5 41 F5 BF 7D C2 7C
    : . . . . . CC F9 97 20 3F 20 82 AF 64 8C BC 0D 99 F4 BA 10
    : . . . . . 53 58 C5 EC 86 DE 26 ED D9 D6 F2 60 49 C9 E7 9B
    : . . . . . 6A 64 D2 BC C5 0E B0 1D EB 45 43 89 A6 4E 64 B4
    : . . . . . A1
336   3: . . . . INTEGER 65537
    : . . . . }
    : . . . }
    : . . }
    : . }


IMPLEMENT_ASN1_FUNCTIONS tutorial or help

2021-08-16 Thread Ken Goldman

I am trying to parse some ASN.1 DER so I can add it to an X.509 certificate.

For the input side, a poster showed me

ASN1_SEQUENCE, ASN1_SEQUENCE_END, and then
DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS

which created the i2d() function.

Now I would like to do the other end, where I have der and I
want to parse back to the structure, using d2i()

1 - Is there a tutorial on this?

2 - Can someone show me this structure?

The DER is a version, serial number, signature algorithm,
public key algorithm, and public key.

The dump looks like this:

 0 337: SEQUENCE {
  4   3: . [0] {
  6   1: . . INTEGER 2
   : . . }
  9  21: . INTEGER 00 87 12 50 78 0A C9 8B 60 DD AC FA 75 18 05 EC DC 30 51 53 23
 32  13: . SEQUENCE {
 34   9: . . OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
   : . . . (PKCS #1)
 45   0: . . NULL
   : . . }
 47 290: . SEQUENCE {
 51  13: . . SEQUENCE {
 53   9: . . . OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
   : . . . . (PKCS #1)
 64   0: . . . NULL
   : . . . }
 66 271: . . BIT STRING, encapsulates {
 71 266: . . . SEQUENCE {
 75 257: . . . . INTEGER
   : . . . . . 00 B0 83 4A E9 41 78 E0 6A C3 0F D6 E4 B9 7D 96
   : . . . . . 70 74 05 00 C9 E2 2C 6C 4C 6E 16 02 40 5C 35 29
   : . . . . . F6 EF 9F 55 3A BD 4B 74 1D 6A 21 38 20 69 C8 88
   : . . . . . A3 6B 56 62 2A 91 02 41 58 92 97 87 19 1C AD 19
   : . . . . . 53 56 FB 7E 9D 86 B8 4E 8D 82 6A 87 A7 93 55 8F
   : . . . . . AB E8 89 D7 63 0B C9 02 99 D8 37 F8 FB 6B 32 98
   : . . . . . 6A 05 3F 9E 22 B6 D3 6F BB BE 2D AC 6C 74 17 5D
   : . . . . . 15 EE 84 E5 A4 8F 9C C3 83 CD 83 81 63 EC B5 85
   : . . . . . 6B 1A B8 57 80 2C ED E3 A7 F2 8C F7 3F 13 D9 27
   : . . . . . 2E 64 37 49 E6 47 8E 0A 11 64 46 72 DD F9 EB 4F
   : . . . . . B8 13 58 0B 47 F7 72 AB 29 D6 A5 05 44 30 E7 8D
   : . . . . . FE 86 8A E8 5F 10 91 13 04 57 47 96 A7 97 28 3C
   : . . . . . 39 BD 23 3F C6 41 5E 45 3F A5 41 F5 BF 7D C2 7C
   : . . . . . CC F9 97 20 3F 20 82 AF 64 8C BC 0D 99 F4 BA 10
   : . . . . . 53 58 C5 EC 86 DE 26 ED D9 D6 F2 60 49 C9 E7 9B
   : . . . . . 6A 64 D2 BC C5 0E B0 1D EB 45 43 89 A6 4E 64 B4
   : . . . . . A1
336   3: . . . . INTEGER 65537
   : . . . . }
   : . . . }
   : . . }
   : . }
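
Daniel Sands' reply earlier on this page gives the template fix (ASN1_SIMPLE members are pointers, ASN1_EMBED members are not), which is the route to take with OpenSSL's own macros. Independently of those macros, the listing above is small enough to walk by hand, which is useful for checking what the HSM actually returned before handing the buffer to d2i. The following bounds-checked DER reader is an added example, not code from the thread or from OpenSSL; der_read(), parse_addtocert() and the addtocert struct are this example's own, and SAMPLE is a constructed DER blob with the same shape as the listing (the same version, serial number and OIDs, but a toy 9-byte modulus rather than a real key). Beyond the listing itself, der_read() also handles long-form lengths and refuses truncated input, which the listing's 337-byte outer SEQUENCE would exercise.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One decoded tag-length-value element. */
typedef struct {
    uint8_t tag;          /* identifier octet as on the wire (0x30, 0xA0, ...) */
    const uint8_t *val;   /* first content octet */
    size_t len;           /* content length */
    const uint8_t *next;  /* first octet after the element */
} der_tlv;

/* Decode the TLV starting at p without reading past end.  Returns 0 on
 * truncation or on a length form DER does not allow here (indefinite, or
 * more than 4 length octets).  Single-octet tags only; that is all this
 * structure uses. */
static int der_read(const uint8_t *p, const uint8_t *end, der_tlv *out)
{
    size_t len, n;

    if (end - p < 2)
        return 0;
    out->tag = p[0];
    len = p[1];
    p += 2;
    if (len & 0x80) {                     /* long form: 0x8n, then n octets */
        n = len & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - p) < n)
            return 0;
        for (len = 0; n > 0; n--)
            len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len)          /* content must fit in the buffer */
        return 0;
    out->val = p;
    out->len = len;
    out->next = p + len;
    return 1;
}

/* The fields of the listing, as views into the caller's buffer. */
typedef struct {
    int version;                                /* [0] EXPLICIT INTEGER, -1 if absent */
    const uint8_t *serial;  size_t serial_len;  /* serialNumber content octets */
    const uint8_t *sig_oid; size_t sig_oid_len; /* signature algorithm OID content */
    const uint8_t *spki;    size_t spki_len;    /* whole SubjectPublicKeyInfo TLV */
} addtocert;

/* Parse SEQUENCE { [0] version OPTIONAL, serialNumber, AlgorithmIdentifier,
 * SubjectPublicKeyInfo } and reject anything else: wrong tags, trailing
 * bytes, truncation. */
static int parse_addtocert(const uint8_t *der, size_t derlen, addtocert *out)
{
    der_tlv seq, t, v, alg, oid;
    const uint8_t *p, *end;

    if (!der_read(der, der + derlen, &seq) || seq.tag != 0x30
        || seq.next != der + derlen)
        return 0;
    p = seq.val;
    end = seq.next;
    memset(out, 0, sizeof(*out));
    out->version = -1;

    if (!der_read(p, end, &t))
        return 0;
    if (t.tag == 0xA0) {                  /* [0] EXPLICIT { INTEGER } */
        if (!der_read(t.val, t.next, &v) || v.tag != 0x02 || v.len != 1
            || v.next != t.next)
            return 0;
        out->version = v.val[0];
        p = t.next;
        if (!der_read(p, end, &t))
            return 0;
    }
    if (t.tag != 0x02 || t.len == 0)      /* serialNumber INTEGER */
        return 0;
    out->serial = t.val;
    out->serial_len = t.len;
    p = t.next;

    if (!der_read(p, end, &alg) || alg.tag != 0x30      /* AlgorithmIdentifier */
        || !der_read(alg.val, alg.next, &oid) || oid.tag != 0x06)
        return 0;
    out->sig_oid = oid.val;
    out->sig_oid_len = oid.len;
    p = alg.next;

    if (!der_read(p, end, &t) || t.tag != 0x30 || t.next != end)
        return 0;                         /* SubjectPublicKeyInfo must be last */
    out->spki = p;
    out->spki_len = (size_t)(t.next - p);
    return 1;
}

/* Constructed DER with the listing's shape: version 2, the listing's serial
 * and OIDs, a toy 9-byte modulus (not a usable key) and e = 65537. */
static const uint8_t SAMPLE[] = {
    0x30, 0x51,                                 /* SEQUENCE, 81 content bytes */
    0xA0, 0x03, 0x02, 0x01, 0x02,               /*   [0] { INTEGER 2 } */
    0x02, 0x15, 0x00, 0x87, 0x12, 0x50, 0x78, 0x0A, 0xC9, 0x8B, 0x60, 0xDD,
    0xAC, 0xFA, 0x75, 0x18, 0x05, 0xEC, 0xDC, 0x30, 0x51, 0x53, 0x23,
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
    0x0B, 0x05, 0x00,                           /*   sha256WithRSAEncryption, NULL */
    0x30, 0x24,                                 /*   SubjectPublicKeyInfo */
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
    0x01, 0x05, 0x00,                           /*     rsaEncryption, NULL */
    0x03, 0x13, 0x00,                           /*     BIT STRING, 0 unused bits */
    0x30, 0x10, 0x02, 0x09, 0x00, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x19,
    0x02, 0x03, 0x01, 0x00, 0x01                /*       toy modulus, e = 65537 */
};

/* A long-form length (0x81 0x80 = 128 content octets) must decode too. */
static int long_form_ok(void)
{
    uint8_t buf[131] = { 0x04, 0x81, 0x80 };
    der_tlv t;
    return der_read(buf, buf + sizeof(buf), &t) && t.len == 128
           && t.next == buf + sizeof(buf);
}
```

parse_addtocert() deliberately keeps the SubjectPublicKeyInfo as one opaque TLV: that is the piece an ECC variant would change, and it is exactly what d2i_X509_PUBKEY (or X509_PUBKEY_get) consumes, so the reader stays the same whichever key type the TPM returns.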




Re: Misunderstanding openssl verify

2021-08-16 Thread Ken Goldman

On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:

It seems as though the 'verify' command checks the issuer,
but not the signature of the certificate - the last parameter.


As documented.


Then I am not understanding the documentation.

https://www.openssl.org/docs/man1.1.1/man1/verify.html

says

"The final operation is to check the validity of the certificate chain.
...
 The certificate signature is checked as well "

However. my experience is that the certificate signature is not
checked.  I can hand modify the validity, public key, or
signature, but the command still returns "OK".



Misunderstanding openssl verify

2021-08-16 Thread Ken Goldman

It doesn't seem to be verifying the signature on the certificate
parameter.  Version 1.1.1k.

I create an incorrectly signed self signed certificate and convert it from
der to pem.

A basic

openssl verify -CAfile c1.pem c1.pem

Returns OK, even though the signature is bad.  Why?

Editing the der to change the after date, the public key, or the
signature still returns OK.  Why?

Editing the der to change the issuer causes a failure.

Adding -check_ss_sig correctly causes a signature failure.

It seems as though the 'verify' command checks the issuer,
but not the signature of the certificate - the last parameter.





Re: openssl 3.0 - id2_x509() now fails

2021-08-09 Thread Ken Goldman

On 8/9/2021 3:50 AM, Tomas Mraz wrote:

On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote:

On 8/6/2021 1:11 PM, Ken Goldman wrote:

I have an application where I have to create a partial x509
certificate.  It gets sent to an HSM, which fills in the public key
and signs it.

I was calling

  X509_new
  X509_set_version
  X509_set_issuer_name
  X509_get_notBefore
  X509_get_notAfter
  X509_set_subject_name
  X509_EXTENSION_create_by_OBJ

and then
  i2d_x509
to send the serialized partial certificate to the HSM.

This worked in 1.0.1, 1.0.2, 1.1.1, but fails in 3.0.0.

In debugging, even this fails.

  X509_new
  i2d_x509

Suggestions?


Following up, I found that just omitting the signature from the
X509 structure causes i2d_x509 to fail.

I tried i2d_re_X509_tbs(), but it also failed.


I am afraid with the current 3.0 codebase there are not many options
how to workaround apart from either signing the certificate with a
bogus key - if the HSM is able to re-sign such certificate.


My hope is that the maintainers will revert this change.  Perhaps
they can write a new variant of i2d_x509 that requires the full
certificate rather than change the existing API.

The i2d_re_X509_tbs() API seems promising (tbs is 'to be signed'),
but it apparently is strict on what data must be there.

The HSM (TPM, ISO 11889) cannot change.  It expects a
partial certificate.  Its API is already defined.


Another (more complicated) option would be to define your own ASN.1
X509 structure where the signature would be optional and thus the
stricter encoder that is now in 3.0 codebase would allow encoding the
incomplete certificate.


If you can post some hints on how to do this, I'll try it.

My alternative is to write the asn1 code from scratch, but I know
how fragile that will be.





Re: openssl 3.0 - id2_x509() now fails

2021-08-06 Thread Ken Goldman

On 8/6/2021 1:11 PM, Ken Goldman wrote:

I have an application where I have to create a partial x509 certificate.  It 
gets sent to an HSM, which fills in the public key and signs it.

I was calling

 X509_new
 X509_set_version
 X509_set_issuer_name
 X509_get_notBefore
 X509_get_notAfter
 X509_set_subject_name
 X509_EXTENSION_create_by_OBJ

and then
 i2d_x509
to send the serialized partial certificate to the HSM.

This worked in 1.0.1, 1.0.2, 1.1.1, but fails in 3.0.0.

In debugging, even this fails.

 X509_new
 i2d_x509

Suggestions?


Following up, I found that just omitting the signature from the
X509 structure causes i2d_x509 to fail.

I tried i2d_re_X509_tbs(), but it also failed.



openssl 3.0 - id2_x509() now fails

2021-08-06 Thread Ken Goldman

I have an application where I have to create a partial x509 certificate.  It 
gets sent to an HSM, which fills in the public key and signs it.

I was calling

X509_new
X509_set_version
X509_set_issuer_name
X509_get_notBefore
X509_get_notAfter
X509_set_subject_name
X509_EXTENSION_create_by_OBJ

and then
i2d_x509
to send the serialized partial certificate to the HSM.

This worked in 1.0.1, 1.0.2, 1.1.1, but fails in 3.0.0.

In debugging, even this fails.

X509_new
i2d_x509

Suggestions?






openssl 3.0 genpkey

2021-08-05 Thread Ken Goldman

Should these be posted here or as github issues?  (May be user error)

1

openssl genpkey -algorithm rsa -outform der -out key.der -quiet

returns:

genpkey: Option -quiet needs a value

But the docs don't indicate that a value is needed.

2

openssl genpkey -algorithm rsa -outform der -out key.der -text

Docs say that the unencrypted key should be printed, but it isn't.

3

openssl genpkey  -cipher des3

returns:

genpkey: Use -help for summary.

I tried other values for -cipher but none worked

4

-aes-128-cbc works but is not documented




Re: EVP_MD_CTX_free documentation

2021-07-30 Thread Ken Goldman

Thanks.  It would be good to document it (and that all the _new's
return NULL on an error).

On 7/30/2021 3:03 PM, Matt Caswell wrote:

All our _free functions will accept NULL. We rely on this extensively 
*everywhere*. We perhaps could be better at documenting it, but you can rely on 
it.

Matt

On 30/07/2021 17:55, Ken Goldman wrote:

It would be nice if the documentation would guarantee that
this function is a no-op when the parameter is NULL - like
the standard free() call.

This would save coding (if not NULL) all the time.

Same comment for all the _free functions.

I know I can look at the code, but that doesn't
provide an API guarantee.



EVP_MD_CTX_free documentation

2021-07-30 Thread Ken Goldman

It would be nice if the documentation would guarantee that
this function is a no-op when the parameter is NULL - like
the standard free() call.

This would save coding (if not NULL) all the time.

Same comment for all the _free functions.

I know I can look at the code, but that doesn't
provide an API guarantee.



Re: RSA_set0_key() equivalent for 3.0.0

2021-07-14 Thread Ken Goldman

On 7/13/2021 5:14 PM, William Roberts wrote:

Outside of the migration guide others have pointed out, I think the functions 
you need are:

https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_set1_RSA.html 


Use use EVP level now as pointed out in the guide.


Perhaps I'm reading it incorrectly, but I think that API is
deprecated.

1 - When I read the SYNOPSIS, there are a few APIs, then a
"deprecated since OpenSSL 3.0" separator, and then more APIs.

I thought that APIs below the separator are deprecated.
Is that wrong?

2 - In evp.h, there is this:

OSSL_DEPRECATEDIN_3_0
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);

I interpreted that to mean it's deprecated.

Is that wrong?

3 - When I try to use it, I get:

warning: 'EVP_PKEY_set1_RSA' is deprecated (declared at 
openssl/include/openssl/evp.h:1344)

Seems deprecated.



Re: RSA_set0_key() equivalent for 3.0.0

2021-07-14 Thread Ken Goldman

On 7/13/2021 5:08 PM, Nicola Tuveri wrote:

There is the migration guide: 
https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod 




The migration guide is very general.  It says that the low level APIs are 
deprecated, and should be replaced with EVP functions.

Is there anything more specific - replace RSA_set0_key() with ...



RSA_set0_key() equivalent for 3.0.0

2021-07-13 Thread Ken Goldman

What is the 3.0.0 equivalent to RSA_set0_key() when I
want to create a key token from n and e.

Meta question:  Is there a porting guide for these
type of questions - something that says, "If you
used this before, use this now."



Re: EVP_MAC_init - specify the hash algorithm

2021-07-13 Thread Ken Goldman

On 7/13/2021 2:50 PM, Matt Caswell wrote:



On 13/07/2021 19:02, Ken Goldman wrote:

Porting to 3.0 ... HMAC_Init_ex() had a place for
the hash algorithm.  EVP_MAC_init() does not,
unless it's embedded in the 'params' parameter.

Any advice?  Or a sample for doing an
HMAC with 3.0?



If it's just a straightforward HMAC you want, you can do it very simply with the 
one-shot EVP_Q_mac function:

unsigned char *EVP_Q_mac(OSSL_LIB_CTX *libctx, const char *name, const char *propq,
                         const char *subalg, const OSSL_PARAM *params,
                         const void *key, size_t keylen,
                         const unsigned char *data, size_t datalen,
                         unsigned char *out, size_t outsize, size_t *outlen);

Supply "HMAC" for the name param and "SHA256" (or whatever) for the subalg.


It's not.  It's the usual init/update/final pattern.




EVP_MAC_init - specify the hash algorithm

2021-07-13 Thread Ken Goldman

Porting to 3.0 ... HMAC_Init_ex() had a place for
the hash algorithm.  EVP_MAC_init() does not,
unless it's embedded in the 'params' parameter.

Any advice?  Or a sample for doing an
HMAC with 3.0?



Re: Random and rare Seg faults at openssl library level

2021-01-07 Thread Ken Goldman

On 1/7/2021 10:11 AM, Michael Wojcik wrote:


$ cat /etc/redhat-release && openssl version
CentOS Linux release 7.9.2009 (Core)
OpenSSL 1.0.2k-fips  26 Jan 2017


Ugh. Well, OP should have made that clear in the original message.

And this is one of the problems with using an OpenSSL supplied by the OS vendor.


In defense of "the OS vendor", meaning the distro, it's a big task to
upgrade to a new openssl major release.  Because there is often not ABI
compatibility, every package has to be ported, built, and tested.
A distro release that is in long term support doesn't do that often.




Re: Random and rare Seg faults at openssl library level

2021-01-06 Thread Ken Goldman

On 1/6/2021 12:10 PM, Gimhani Uthpala wrote:


I am getting seg-faults at openssl level. This only occurred very randomly and 
the following are stacks that seg faults  at openssl level in the given 2 
cases. We are using openssl 1.0.2k.


The usual cause is that you are compiling with one version of openssl and 
(static or dynamic) linking with a different one.
The cause of that is typically that you have more than one version of openssl 
installed.

If this is a 3rd party application, not one you're building, you have to find 
out what version of openssl they expect.




openssl with Rust

2020-06-23 Thread Ken Goldman
Environment is Windows, Visual Studio Code, the Shining Light openssl 
build and the openssl crate.


Does anyone have experience getting this to link?

Environment variables?
cargo.toml
anything else?



OpenSSL version 3.0.0-alpha1 build failed

2020-04-30 Thread Ken Goldman

My build failed with the below.

x86_64 Linux kernel 2.6.32
RHEL 6.7
Perl 5.10.1

Everything through 1.1.1e was successful.

~~


./config
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 3.0.0-alpha1 for target linux-x86_64
Using os-specific seed configuration
*** glibc detected *** /usr/bin/perl: double free or corruption (out): 
0x02a401e0 ***

=== Backtrace: =
/lib64/libc.so.6[0x3c2fa75dee]
/lib64/libc.so.6[0x3c2fa78c80]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_clear+0x6a5)[0x3c35ab93c5]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_free2+0x52)[0x3c35ab95d2]
/usr/lib64/perl5/CORE/libperl.so(Perl_av_undef+0x58)[0x3c35aa4018]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_clear+0x598)[0x3c35ab92b8]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_free2+0x52)[0x3c35ab95d2]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_clear+0x47c)[0x3c35ab919c]
/usr/lib64/perl5/CORE/libperl.so(Perl_sv_free2+0x52)[0x3c35ab95d2]
/usr/lib64/perl5/CORE/libperl.so(Perl_hv_free_ent+0x42)[0x3c35a9e8c2]
/usr/lib64/perl5/CORE/libperl.so[0x3c35a9fde1]
/usr/lib64/perl5/CORE/libperl.so(Perl_hv_clear+0xfa)[0x3c35a9ffea]
/usr/lib64/perl5/CORE/libperl.so(Perl_leave_scope+0xea8)[0x3c35ad6258]
/usr/lib64/perl5/CORE/libperl.so(Perl_pp_unstack+0x59)[0x3c35aa8419]
/usr/lib64/perl5/CORE/libperl.so(Perl_runops_standard+0x16)[0x3c35aa4b06]
/usr/lib64/perl5/CORE/libperl.so(perl_run+0x338)[0x3c35a4d0d8]
/usr/bin/perl(main+0x154)[0x400e74]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3c2fa1ed1d]
[snipped]



Re: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding

2020-02-13 Thread Ken Goldman

On 2/13/2020 12:40 PM, Pedro Lopes wrote:
When I try to verify the signature, it fails 
with RSA_padding_check_PKCS1_type_1:invalid padding.


That error typically means that the verification public key
does not match the signing private key.



Re: Add ECDSA signature R and S to X509 structure

2019-08-26 Thread Ken Goldman

On 8/17/2019 5:35 AM, Billy Brumley wrote:

Hey Ken,


I have an ECDSA signature supplied to me as R and S byte arrays and
lengths (from an HSM).

How do I add them to the X509 structure?

Is there an API, a set of calls, or do you have any hints?


You might be looking for ECDSA_SIG_set0:

https://www.openssl.org/docs/man1.1.0/man3/ECDSA_SIG_set0.html

You might find some snippets in ecdsatest.c.

Hope it helps,


I think so.  This seems to work.  Does it make sense? Is there a better way?

- convert R and S, bin to bignum
- use ECDSA_SIG_set0 to create an ECDSA_SIG
- use i2d to convert the ECDSA_SIG to DER
- memcpy the DER into X509->signature->data




Add ECDSA signature R and S to X509 structure

2019-08-16 Thread Ken Goldman
I have an ECDSA signature supplied to me as R and S byte arrays and 
lengths (from an HSM).


How do I add them to the X509 structure?

Is there an API, a set of calls, or do you have any hints?

~~

For RSA, I simply filled in the ASN1_BIT_STRING length, data, and flags, 
but an RSA signature is simply a BIT_STRING.


For ECDSA, the BIT_STRING is a SEQUENCE of two INTEGERs.

I could construct the SEQUENCE DER manually and then add it as with RSA, 
but that seems like a hack.  Is there a better way?


Is there a better way for RSA?  I suspect that peering inside the 
ASN1_BIT_STRING will break for openssl 1.1.




Adding signature items to X509 certificate structure

2019-07-31 Thread Ken Goldman
This use case is that I have an HSM that internally forms an X509 
certificate and returns the signature.  I have to reconstruct the X509 
structure externally.


I have everything but the signature and its algorithm.

How can I programmatically set these values?

What I do now is:

- X509_ALGOR_set0() to set the x509->cert_info->signature and 
x509->sigalg members with OBJ_nid2obj(NID_sha256WithRSAEncryption)


- free the x509->signature->data, malloc one of the right size, set 
x509->signature->length and memcpy the signature


Is there a better way?

It feels like this requires a lot of peering inside structures, and I 
suspect it will need a rework for openssl 1.1.





Re: Building a DER sequence

2019-07-10 Thread Ken Goldman

On 7/3/2019 4:30 PM, Viktor Dukhovni wrote:

On Jul 3, 2019, at 2:41 PM, Ken Goldman wrote:


That link points to the X509_dup page.  It doesn't explain how to
build a DER sequence, does it?


The documentation is incomplete, and much RTFS is required, but it
and code pointers should get you started.


Here's what I have today.

I have a STACK_OF(ASN1_TYPE) to which I have added the issuer, validity, 
and subject.


I can get the DER with i2d_ASN1_SEQUENCE_ANY.

I have a STACK_OF(X509_EXTENSION) to which I have added several extensions.

Questions:

1 - Is there an API sequence to add the extension STACK to the asn1_type 
STACK?


2 - If not, is there an API sequence to get the DER for the extension 
STACK.  If so, I can append it and adjust the overall length.


3 - Is there a way to get the extension DER from a standard x509 
certificate.  If so, I can create it and pull out what I need.


4 - I'm trying to create DER that includes only issuer, validity, 
subject, and extensions.  It's not a standard X509 certificate.  Is 
there a better way?










Re: Building a DER sequence

2019-07-03 Thread Ken Goldman

On 7/1/2019 6:03 PM, Viktor Dukhovni wrote:

On Mon, Jul 01, 2019 at 09:40:25PM +, Salz, Rich via openssl-users wrote:

I see those macros, but ... is there any documentation?
   
No.


There's a high-level overview at:

 https://www.openssl.org/docs/manmaster/man3/X509_dup.html


That link points to the X509_dup page.  It doesn't explain how to
build a DER sequence, does it?





Re: Building a DER sequence

2019-07-03 Thread Ken Goldman

On 7/1/2019 5:19 PM, Viktor Dukhovni wrote:



On Jun 25, 2019, at 10:59 AM, Ken Goldman wrote:

I have to build a DER byte stream for a sequence containing:

algorithm ID
issuer
validity
subject name
extensions

What is the general approach?


See for example:

https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/crypto/x509/x_x509.c#L18-L31



Does link just point to array of macros?

If so, they don't help without any explanation.




Re: Building a DER sequence

2019-07-01 Thread Ken Goldman

On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:

 Do I construct a sequence and add items to it - top down?

No, because then you have to go back and patch the sequence length and perhaps 
slide everything up or down a couple of bytes.

I would look at an existing simple sequence and start writing your own based on 
that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files.  Another set of 
macros will declare the i2d/d2i and PEM functions if needed.


[I'm happy to read if someone can point me to an article, but I haven't 
found anything.]


I am stuck on the X509 extensions.  I.e., with sample certificates,

dumpasn1 shows:

[snip]
453 448: . . [3] {
457 444: . . . SEQUENCE {
461  74: . . . . SEQUENCE {
463   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   : . . . . . . (X.509 extension)
[snip]

What's that [3]?  Perhaps it means x509v3?

With openssl, it dumps as

X509v3 extensions:
X509v3 Subject Alternative Name: critical

How do I build the x509v3 extensions item (and convert it to an 
ASN1_TYPE that I can push on the stack.


That is, I have the sequence using

X509V3_EXT_conf_nid
i2d_X509_EXTENSION
ASN1_STRING_set

but how do I encapsulate that in a [3] and then to an ASN1_TYPE that I 
can push on the STACK_OF(ASN1_TYPE) stack?


~~

A separate question:

I can build an X509_EXTENSION using X509V3_EXT_conf_nid.  How would I 
connect several of them.  Would I use STACK_OF(X509_EXTENSION), push

the extensions, and then use i2d_something?  What's the 'something'.
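Added example, mine and not from the thread or from OpenSSL, covering the two hand-built DER questions above: the R and S from the "Add ECDSA signature R and S" thread go into SEQUENCE { INTEGER, INTEGER }, and the [3] in the dumpasn1 output is the context-specific EXPLICIT tag that ASN.1 puts around the extensions field of a TBSCertificate. It needs nothing beyond libc; der_put_*, ecdsa_sig_to_der and der_wrap_explicit are my names, and the r/s bytes in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append a DER length: short form below 128, otherwise 0x80|n followed by n
 * big-endian bytes.  Returns bytes written, 0 if out is too small. */
static size_t der_put_len(size_t len, uint8_t *out, size_t cap)
{
    uint8_t tmp[sizeof(size_t)];
    size_t n = 0;

    if (len < 128) {
        if (cap < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    for (size_t v = len; v != 0; v >>= 8)
        tmp[n++] = (uint8_t)(v & 0xff);
    if (cap < 1 + n) return 0;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = tmp[n - 1 - i];
    return 1 + n;
}

/* Append one TLV (tag, length, content).  Returns total bytes, 0 on overflow. */
size_t der_put_tlv(uint8_t tag, const uint8_t *content, size_t len,
                   uint8_t *out, size_t cap)
{
    size_t l;

    if (cap < 1) return 0;
    out[0] = tag;
    l = der_put_len(len, out + 1, cap - 1);
    if (l == 0 || cap - 1 - l < len) return 0;
    memcpy(out + 1 + l, content, len);
    return 1 + l + len;
}

/* Unsigned big-endian magnitude (r, s, n or e as an HSM returns it) -> DER
 * INTEGER: drop leading zeros, prepend 0x00 if the top bit is set so the value
 * is not read back as negative.  Zero encodes as 02 01 00. */
size_t der_put_uint(const uint8_t *v, size_t vlen, uint8_t *out, size_t cap)
{
    const uint8_t zero = 0;
    size_t pad, clen, l;

    while (vlen > 1 && v[0] == 0x00) { v++; vlen--; }
    if (vlen == 0) { v = &zero; vlen = 1; }
    pad = (v[0] & 0x80) ? 1 : 0;
    clen = vlen + pad;
    if (cap < 1) return 0;
    out[0] = 0x02;                                   /* INTEGER */
    l = der_put_len(clen, out + 1, cap - 1);
    if (l == 0 || cap - 1 - l < clen) return 0;
    if (pad) out[1 + l] = 0x00;
    memcpy(out + 1 + l + pad, v, vlen);
    return 1 + l + clen;
}

/* ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }: this DER is the
 * content of the certificate's signature BIT STRING.  Sized up to P-521. */
size_t ecdsa_sig_to_der(const uint8_t *r, size_t rlen,
                        const uint8_t *s, size_t slen,
                        uint8_t *out, size_t cap)
{
    uint8_t body[2 * (2 + 1 + 66)];   /* tag + len + pad + 66-byte magnitude */
    size_t n, m;

    n = der_put_uint(r, rlen, body, sizeof body);
    if (n == 0) return 0;
    m = der_put_uint(s, slen, body + n, sizeof body - n);
    if (m == 0) return 0;
    return der_put_tlv(0x30, body, n + m, out, cap);   /* SEQUENCE */
}

/* Wrap an already-encoded element in context-specific EXPLICIT tag [tagno],
 * e.g. [3] around the extensions SEQUENCE of a TBSCertificate.  The tag byte
 * is 0x80 (context class) | 0x20 (constructed) | tagno, for tagno below 31. */
size_t der_wrap_explicit(unsigned tagno, const uint8_t *inner, size_t inlen,
                         uint8_t *out, size_t cap)
{
    if (tagno > 30) return 0;
    return der_put_tlv((uint8_t)(0xA0 | tagno), inner, inlen, out, cap);
}

int main(void)
{
    const uint8_t r[] = { 0x00, 0x80, 0x01 };   /* constructed: needs sign pad */
    const uint8_t s[] = { 0x00, 0x00, 0x7f };   /* constructed: leading zeros */
    const uint8_t empty_seq[] = { 0x30, 0x00 };
    uint8_t sig[16], ext[8];
    size_t n = ecdsa_sig_to_der(r, sizeof r, s, sizeof s, sig, sizeof sig);
    size_t m = der_wrap_explicit(3, empty_seq, sizeof empty_seq, ext, sizeof ext);

    printf("sig: "); for (size_t i = 0; i < n; i++) printf("%02x", sig[i]);
    printf("\n[3]: "); for (size_t i = 0; i < m; i++) printf("%02x", ext[i]);
    printf("\n");   /* sig: 3008020300800102017f, [3]: a3023000 */
    return 0;
}
```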









Re: Building a DER sequence

2019-07-01 Thread Ken Goldman

On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:

 Do I construct a sequence and add items to it - top down?

No, because then you have to go back and patch the sequence length and perhaps 
slide everything up or down a couple of bytes.

I would look at an existing simple sequence and start writing your own based on 
that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files.  Another set of 
macros will declare the i2d/d2i and PEM functions if needed.


I see those macros, but ... is there any documentation?

What partially worked was
create an X509 item
use i2d to serialize it
ASN1_STRING_SET using the DER
built an ASN1_TYPE from the ASN1_STRING with ASN1_TYPE_set
sk_ASN1_TYPE_push

and then i2d_ASN1_SEQUENCE_ANY to get the DER result.

The items are _X509_NAME and X509_VAL.  Is there a shorter way?





Building a DER sequence

2019-06-26 Thread Ken Goldman

I have to build a DER byte stream for a sequence containing:

algorithm ID
issuer
validity
subject name
extensions

What is the general approach?

Is there openssl support for this?

Do I construct a sequence and add items to it - top down?

Or do I construct the items and then make a sequence from it - bottom up?

Or do I place the items in a custom structure and then write the i2d() 
myself?


Any advice, pointers, or sample code would be welcome.



Re: why does RAND_add() take "randomness" as a "double"?

2019-05-22 Thread Ken Goldman

On 5/21/2019 9:48 PM, Paul Dale wrote:

Double makes sense.  Entropy is often estimated as a real value.



Having a human readable calculation using floating point doesn't (to me) 
mean that an API argument has to be a double.


From what I see in the code, the parameter 'double entropy' is used
to increment a value that eventually reaches # define ENTROPY_NEEDED 32.

Couldn't the number have been an unsigned long?  If more precision was 
needed, make the units 1/64k and make ENTROPY_NEEDED 32 * 64k.  It's a 
bit more work for the caller, but removes the (perhaps only) place 
floating point is needed.






Re: why does RAND_add() take "randomness" as a "double"?

2019-05-22 Thread Ken Goldman

On 5/21/2019 10:07 PM, Salz, Rich via openssl-users wrote:

 >Then just set it to 1.0 and be done with it.
 

That hardly helps on systems that don't have floating point at all.


No it doesn't.  Such systems aren't supported by OpenSSL.  There are many 
places where floating point is used/supported.
Removing the second arg to RAND_add is the least of the problems (look at 
various asm files)


The assembler code can be bypassed on those systems.

I see a few places where it's used to force an alignment, but perhaps 
there's another way.


It's used in test programs to report performance.

For us, the random number generator was the problem.





Re: why does RAND_add() take "randomness" as a "double"?

2019-05-21 Thread Ken Goldman

On 5/21/2019 10:15 AM, Laszlo Ersek wrote:

[snip]

Can someone please explain what is gained by using a floating point type
here?

Is it really a relevant use case that entropy is fed from an external
source to OpenSSL such that truncating the amount to a whole number of
bits would cause significant lossage? (Admittedly, it could be relevant
if the individual randomness bit counts were in the (0, 1) interval,
both boundaries exclusive.)

Using floating point for randomness representation is a problem for
environments that prefer to avoid floating point altogether, such as
edk2 ("UEFI") firmware


I agree, and I reported this back in 2016.  We also have an environment 
that does not have floating point.





Re: Issue in linking Openssl1.1.1b to application

2019-05-09 Thread Ken Goldman

On 5/9/2019 10:03 AM, vin wrote:

Hi

I was using an application with openssl0.9.8k. The procedure I used to link
openssl to my application using Visual Studio 2008 was: after building
openssl I was linking libeay32.lib and ssleay32.lib to my application and
including header files from the include folder.

Now with openssl1.1.1b, after building openssl I am linking openssl.lib,
libcrypto.lib and libssl.lib to my application and including header
files, building the application using Visual Studio 2008. And when I try to
register that built dll on a Windows 7 32-bit machine, it gives the error
"RegSvr32 : The module XXX.dll failed to load.  Make sure the binary is
stored at the specified path or debug it to check for problems with the
binary or dependent .DLL files."

Can anyone please tell me whether the library linking is enough or whether any
dll linking needs to be done?
Any step I am missing, please let me know.


I believe that you have to set the path to the dll in your PATH 
environment variable.  There may be some default directories, but 
setting the path should work.





Re: Using (not building) openssl with mingw on Windows 10

2019-03-22 Thread Ken Goldman

On 3/22/2019 12:18 PM, Michael Wojcik wrote:


I seem to have discarded some of your older messages. Did you ever
send us the actual link command that's being used? Maybe that will
throw some light on the problem.


"c:/program files/mingw/bin/gcc.exe" -D_MT -DTPM_WINDOWS -I.  -shared -o 
libibmtss.dll tssfile.o tsscryptoh.o tsscrypto.o tssprintcmd.o tss.o 
tssproperties.o tssmarshal.o tssauth.o tssutils.o tsssocket.o tssdev.o 
tsstransmit.o tssresponsecode.o tssccattributes.o tssprint.o Unmarshal.o 
CommandAttributeData.o tss20.o tssauth20.o Commands.o ntc2lib.o tssntc.o
-Wl,--out-implib,libibmtss.a "c:/program 
files/openssl64/lib/libcrypto.lib" "c:/program files/MinGW/lib/libws2_32.a"


tsscrypto.o: In function `TSS_Crypto_Init':
c:\Users\KennethGoldman\tpm2\utils/tsscrypto.c:109: undefined reference 
to `OPENSSL_init_crypto'

tsscrypto.o: In function `TSS_Hash_GetMd':
c:\Users\KennethGoldman\tpm2\utils/tsscrypto.c:133: undefined reference 
to `EVP_get_digestbyname'

...
continues for all OpenSSL function names

~~

My guess is that this link snippet is wrong, but I don't know what it 
should be.


"c:/program files/openssl64/lib/libcrypto.lib"

~~

For Openssl 32-bit, this worked, but the .a is not in the 64-bit Shining 
Light build.


"c:/program files/openssl/lib/mingw/libcrypto-1_1.a"




Re: Using (not building) openssl with mingw on Windows 10

2019-03-21 Thread Ken Goldman

On 3/20/2019 6:44 PM, Sergio NNX wrote:

I've been happily using the Shining Light 32-bit binaries with both
openssl 1.0 and 1.1 and mingw.



Getting back to this:



I tried mingw linking against these



"c:/program files/openssl64/lib/libcrypto.lib"
"c:/program files/openssl64/lib/libssl.lib"



but the gcc linker failed to find the openssl functions.



Anyone have any ideas?


We have been using OpenSSL for Windows (x64) built with MinGW for a long 
time.


Can you send your linker command.  What from the OpenSSL64/lib
directory do you link to?

Below is your compiler command, but it's my linker that's failing.

     compiler: gcc.exe -m64 -DWINVER=0x0501 -D_WIN32_WINNT=0x0501 
-D_WIN32_IE=0x0501 -DPTW32_STATIC_LIB -D__CLEANUP_C -m64 -O2 -pipe 
-mms-bitfields -fno-builtin -march=core2 -mtune=core2 -DL_ENDIAN 
-DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM 
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DWINVER=0x0501 -D_WIN32_WINNT=0x0501 -D_WIN32_IE=0x0501 
-DPTW32_STATIC_LIB -D__CLEANUP_C -DUNICODE -D_UNICODE 
-DWIN32_LEAN_AND_MEAN -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi 
-DOPENSSL_CAPIENG_DIALOG -m64 -pipe -mms-bitfields -fno-builtin 
-march=core2 -mtune=core2 -D_MT -DZLIB -DNDEBUG -I/mingw/include


@Ken: this seems to be a quite old thread, but if you need either the 
include files or the .a files or both, we could email them to you.


I have the include files.

I think I need the .a files or equivalent, but I prefer to use the 
Shining Light install.  If I get a private copy from you, I have to
distribute it.

Besides the process and legal issues, it doesn't feel right to
distribute security code that I got via email from an unknown
person with the email name 'sfhacker'.  :-)




Re: Using (not building) openssl with mingw on Windows 10

2019-03-21 Thread Ken Goldman

On 3/20/2019 12:41 PM, Michael Wojcik wrote:



Sounds like you might have import libraries there. Does "ar t 
libcrypto.lib" show a bunch of .obj members, or a bunch of .dll 
members? If it's the latter, then it's just an import library that 
tells the linker what DLL needs to be loaded at runtime.


ar t libcrypto.lib returns about 4100 lines of:

libcrypto-1_1-x64.dll
libcrypto-1_1-x64.dll
...

So it's an 'import library'.  But I get link errors, with each openssl 
function missing.


Any clues?

We build static (non-import) OpenSSL libraries for Windows, but at 
least for 1.0.2 we had to tweak the configuration process. The stock 
Configure wanted to link OpenSSL with the static Microsoft C runtime 
if you were building static libraries, whereas we wanted static 
libraries linked with the dynamic runtime. (I don't remember offhand 
if we had to do the same for 1.1.1.)


I'm not building OpenSSL.  I use Shining Light, because I don't want to
ship OpenSSL with my code and I certainly don't want to require
my users to build it.



Re: Using (not building) openssl with mingw on Windows 10

2019-03-20 Thread Ken Goldman

On 10/29/2018 7:18 AM, Jakob Bohm via openssl-users wrote:

On 26/10/2018 23:08, Ken Goldman wrote:
I've been happily using the Shining Light 32-bit binaries with both 
openssl 1.0 and 1.1 and mingw.


On a new machine, I tried the 64-bit binaries.  However, they're 
missing the openssl/lib/mingw directory where the .a files resided.


It looks like the link procedure changed.  Any hints before I start 
experimenting?



Note that Win32 (Microsoft) .LIB files are actually standard unix-style
.a files with the file names changed to match the historic
MS-DOS/Win16 practice (which had a different file format).

So it is highly likely the .LIB files can be used with mingw by just
copying/symlinking them, or even just using a Mingw option to load
.LIB files.

Beware however of the crazy GNU interpretation that listing a library
file explicitly means include *all* the code from the library, not
just the referenced object files.


Getting back to this:

I tried mingw linking against these

"c:/program files/openssl64/lib/libcrypto.lib"
"c:/program files/openssl64/lib/libssl.lib"

but the gcc linker failed to find the openssl functions.

Anyone have any ideas?

~~

I observe that the .a file is 3 mb while the .lib is 900k.

~~

The 32-bit build still has the mingw .a files, which I suppose
is a work around.




ECC keypair generation with password

2019-02-28 Thread Ken Goldman

I've been using this command to generate a password protected ECC keypair.

openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 
-passout pass:passwd -text > tmpecprivkey.pem


The output is a
-----BEGIN ENCRYPTED PRIVATE KEY-----

which I parsed using

PEM_read_PrivateKey(pemKeyFile, NULL, NULL, (void *)password);
*ecKey = EVP_PKEY_get1_EC_KEY(evpPkey);
privateKeyBn = EC_KEY_get0_private_key(ecKey);

Now I must send the PEM file to a crypto library that does not support
-----BEGIN ENCRYPTED PRIVATE KEY-----

It expects
-----BEGIN EC PRIVATE KEY-----

Its parser does accept a password.

Is there a way to generate that PEM file?  I.e.

A password protected ECC keypair in -----BEGIN EC PRIVATE KEY----- format?








[openssl-users] Using (not building) openssl with mingw on Windows 10

2018-10-26 Thread Ken Goldman
I've been happily using the Shining Light 32-bit binaries with both 
openssl 1.0 and 1.1 and mingw.


On a new machine, I tried the 64-bit binaries.  However, they're missing 
the openssl/lib/mingw directory where the .a files resided.


It looks like the link procedure changed.  Any hints before I start 
experimenting?


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] HMAC key in PEM or other format

2018-09-28 Thread Ken Goldman
Is there a standard format for passing around an HMAC key?  Can openssl 
read and write it?


I know that an HMAC key is just a random number, and I can probably
pass it around in binary, hex ascii, or base64.  But I'd rather use a 
standard format if there is one.






Re: [openssl-users] rsaOAEP OID in X509 certificate

2018-08-09 Thread Ken Goldman

On 8/9/2018 10:51 AM, Stephane van Hardeveld wrote:


I will discuss this, but as far as I understand, these OID are allowed by
the X 509 standard:
4.1.2.7.  Subject Public Key Info

 [snip]

And in rfc4055, 4.1

  Openssl is capable of parsing it, only retrieving it gives an error on
unknown algorithm (which is correct, since only rsaEncryption OID is
recognized). Java I did not try yet, but the online ASN.1 parsers were also
capable of decoding it, see enclosed png.


I understand that the X509 standard permits it.

However, I'm looking at the practical side - crypto libraries.

If openssl, Java, etc. can't use the results, and a typical CA can't 
create the certificate, then you require custom code.


The drawback is that custom code, especially DER parsing code, is a 
security risk.  It's hard to get correct when facing an attacker sending 
malformed certificates.


You have to decide whether the benefit to this "meets the X509 standard 
but isn't supported" OID is worth the potential for an exploitable bug.




Re: [openssl-users] rsaOAEP OID in X509 certificate

2018-08-09 Thread Ken Goldman

On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:

Hi Ken,

I am trying to do two things:
1: Generate X 509 certificates, with RSA-PSS signing, with different Hashing
and Masking (SHA1 and SHA256), including an RSA Public key as content. This
RSA 'content key' should specify it will be used for RSA-OAEP decryption.
2: Verify X 509 certificates, produced by other tools, which have the same
format


Do you really have to use a non-standard OID for the public key?

If you do, you will be creating a certificate that cannot be parsed by
openssl, Java's crypto library, and perhaps others.  Your users will
have to write custom code to validate the certificate and to extract the 
public key.


In addition, you'll need custom CA code to create the certificates.

I worry that custom crypto code can open attack surfaces compared
to using well tested standards.  Parsing DER securely is known to be
hard.




Re: [openssl-users] rsaOAEP OID in X509 certificate

2018-08-08 Thread Ken Goldman
1 - If you are trying to extract the public key, X509_get_pubkey() won't 
work.  I have sample code to do it.  Let me know if you want the 
complete function.


Basically:

X509_get_X509_PUBKEY
X509_PUBKEY_get0_param
d2i_RSAPublicKey

2 - If you are trying to verify a certificate chain, it does not work 
with openssl 1.1.  You have to stay at 1.0 until someone (perhaps me) 
submits a fix.


~

BTW, the only time I ever saw rsaOAEP was for TPM 1.2 EK certificates. 
If you're working with the TPM, I can supply a lot of sample code.


On 8/8/2018 12:01 PM, Stephane van Hardeveld wrote:

Hello all,

By default, if I create an X 509 certificate with a public key in it, the
object identifier is rsaEncyption (1.2.840.113549.1.1.1). Is it possible to
specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
places in code, but the only place this object ID is specified is in
obj_dat.h, and not used anywhere else (as far as I can see...)

Regards,
Stephane van Hardeveld




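Added example, mine rather than OpenSSL's, for the step left open in the 2018-08-08 post above and in the later "Get raw RSA public key" thread: going from the RSAPublicKey DER that X509_PUBKEY_get0_param() hands back (a SEQUENCE of two INTEGERs) to the modulus and exponent bytes, without OpenSSL. Since the posts warn that hand-written DER parsing is where the bugs live, it rejects overruns, non-minimal lengths and padding, negative values and trailing data; der_view, rsa_pubkey_from_der and the sample key bytes are my constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A borrowed slice into the caller's DER buffer: nothing is copied. */
typedef struct { const uint8_t *p; size_t len; } der_view;

/* Read a DER length at *pos, advancing past it.  Rejects the indefinite form,
 * non-minimal long forms, and lengths that run past end. */
static int der_read_len(const uint8_t **pos, const uint8_t *end, size_t *len)
{
    uint8_t b;
    size_t n, v = 0;

    if (*pos >= end) return 0;
    b = *(*pos)++;
    if (b < 0x80) {
        *len = b;
    } else {
        n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - *pos) < n) return 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | *(*pos)++;
        /* DER requires the shortest length encoding */
        if (v < 0x80 || (n > 1 && v < ((size_t)1 << (8 * (n - 1))))) return 0;
        *len = v;
    }
    return (size_t)(end - *pos) >= *len;
}

/* Consume one TLV that must carry the given tag; out gets its content. */
static int der_expect(const uint8_t **pos, const uint8_t *end, uint8_t tag,
                      der_view *out)
{
    if (*pos >= end || *(*pos)++ != tag) return 0;
    if (!der_read_len(pos, end, &out->len)) return 0;
    out->p = *pos;
    *pos += out->len;
    return 1;
}

/* INTEGER content -> unsigned magnitude.  Must be non-empty, non-negative and
 * minimally encoded; the single 0x00 sign byte that protects a set top bit
 * is stripped. */
static int der_integer_to_uint(der_view in, der_view *out)
{
    if (in.len == 0 || (in.p[0] & 0x80)) return 0;            /* empty / negative */
    if (in.len > 1 && in.p[0] == 0x00 && !(in.p[1] & 0x80)) return 0; /* non-minimal */
    if (in.len > 1 && in.p[0] == 0x00) { in.p++; in.len--; }
    *out = in;
    return 1;
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
 * On success n and e point at the raw big-endian magnitudes inside der.
 * Returns 0 for anything malformed, including trailing or extra data. */
int rsa_pubkey_from_der(const uint8_t *der, size_t derlen,
                        der_view *n, der_view *e)
{
    const uint8_t *pos = der, *end = der + derlen;
    der_view seq, ni, ei;

    if (!der_expect(&pos, end, 0x30, &seq)) return 0;      /* SEQUENCE */
    if (pos != end) return 0;                                /* trailing bytes */
    pos = seq.p;
    end = seq.p + seq.len;
    if (!der_expect(&pos, end, 0x02, &ni)) return 0;       /* modulus */
    if (!der_expect(&pos, end, 0x02, &ei)) return 0;       /* exponent */
    if (pos != end) return 0;                                /* extra elements */
    return der_integer_to_uint(ni, n) && der_integer_to_uint(ei, e);
}

/* Constructed sample: a 5-byte modulus with its top bit set (hence the 0x00
 * pad) and exponent 65537.  Real keys only differ in the modulus length. */
static const uint8_t sample_rsa_pubkey[] = {
    0x30, 0x0d,
      0x02, 0x06, 0x00, 0xc0, 0xff, 0xee, 0xdd, 0xcc,
      0x02, 0x03, 0x01, 0x00, 0x01
};

int main(void)
{
    der_view n, e;
    if (!rsa_pubkey_from_der(sample_rsa_pubkey, sizeof sample_rsa_pubkey, &n, &e)) {
        printf("malformed RSAPublicKey\n");
        return 1;
    }
    printf("modulus: %zu bytes, first 0x%02x; exponent: %zu bytes\n",
           n.len, n.p[0], e.len);   /* modulus: 5 bytes, first 0xc0; exponent: 3 bytes */
    return 0;
}
```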


Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman

On 7/25/2018 4:27 PM, Viktor Dukhovni wrote:


Yes, that's what I'm saying, but also asking the broader list for feedback
on such a change.  Should security level zero succeed even with unsupported
EE keys (which somehow get used with some other software???).


For background, this is the TPM 1.2 endorsement key certificate.  I.e., 
this is a real application with millions of certificates issued.  The 
key is an RSA-2048 key.


The TCG (for a while) specified

  Public Key Algorithm: rsaesOaep

rather than the commonly used

  Public Key Algorithm: rsaEncryption

because the key is an encryption key rather than a signing key.
The X509 certificate parser fails to get the public key.



An alternative fix (I got a patch for 098 from an openssl maintainer)
that accepts rsaOaep would also fix the issue.



Re: [openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman

On 7/25/2018 10:47 AM, Viktor Dukhovni wrote:




On Jul 25, 2018, at 10:05 AM, Ken Goldman wrote:

I have a certificate with a non-standard public key algorithm -rsaesOaep.  See 
snippet #2.

With openssl 1.0, I can validate  the certificate chain.  With openssl 1.1 it 
fails with the error X509_V_ERR_EE_KEY_TOO_SMALL.  See dump #1.

I believe that this is due to new 1.1 code x509_vfy.c:check_key_level() calling 
X509_get0_pubkey().  That call will fail for the non-standard algorithm.

The certificate is for old vendor hardware that cannot be updated.  What are my 
choices?

- Remain on 1.0
- Some configuration option?
- Something else?


The immediate cause is the order of the checks in check_key_level().
It first checks for a supported key, and only then short-circuits
the logic at level <= 0 (my fault).  Perhaps level 0 should not be
strict in this way, in which case we might reverse the order of
then (pkey == NULL) and (level <= 0) tests:

static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
{
 EVP_PKEY *pkey = X509_get0_pubkey(cert);
 int level = ctx->param->auth_level;

 /* Unsupported or malformed keys are not secure */
 if (pkey == NULL)
 return 0;

 if (level <= 0)
 return 1;
 if (level > NUM_AUTH_LEVELS)
 level = NUM_AUTH_LEVELS;

 return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
}


If you're suggesting that altering the above code to do the level check 
before the call to get pkey, I think that would fix my problem.


... if I can set level to a negative value.  How do I set level?  Is 
there an API or a configuration file?





[openssl-users] openssl 1.1 certificate verification fails with non-standard public key algorithm

2018-07-25 Thread Ken Goldman

Seeking advice.

I have a certificate with a non-standard public key algorithm 
-rsaesOaep.  See snippet #2.


With openssl 1.0, I can validate  the certificate chain.  With openssl 
1.1 it fails with the error X509_V_ERR_EE_KEY_TOO_SMALL.  See dump #1.


I believe that this is due to new 1.1 code x509_vfy.c:check_key_level() 
calling X509_get0_pubkey().  That call will fail for the non-standard 
algorithm.


The certificate is for old vendor hardware that cannot be updated.  What 
are my choices?


- Remain on 1.0
- Some configuration option?
- Something else?


#1 ~

openssl verify -CAfile cafile.pem infcert.pem

error 66 at 0 depth lookup: EE certificate key too weak
error infcert.pem: verification failed
22794983405376:error:0609E09C:digital envelope 
routines:pkey_set_type:unsupported algorithm:crypto/evp/p_lib.c:206:
22794983405376:error:0B09406F:x509 certificate 
routines:x509_pubkey_decode:unsupported 
algorithm:crypto/x509/x_pubkey.c:113:


#2 ~

Subject:
Subject Public Key Info:
Public Key Algorithm: rsaesOaep
Unable to load Public Key
140619228055400:error:0609E09C:digital envelope 
routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
140619228055400:error:0B07706F:x509 certificate 
routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:

X509v3 extensions:



Re: [openssl-users] Get raw RSA public key from X509 certificate

2018-04-27 Thread Ken Goldman

On 04/27/18 04:50, Matt Caswell wrote:



On 26/04/18 23:48, Ken Goldman wrote:

On 04/26/18 16:37, Matt Caswell wrote:



On 26/04/18 21:17, Ken Goldman wrote:

I have to get the raw public modulus, but I cannot X509_get_pubkey()
because of a non-standard object identifier.

I can use X509_get_X509_PUBKEY() to get part way there.  I see the DER
wrapped key in the public_key.data element, but I don't know an API to
get to that element.


How about X509_PUBKEY_get0_param():

https://www.openssl.org/docs/man1.1.0/crypto/X509_PUBKEY_get0_param.html



Thanks!  That got me halfway there.

That gives me a DER stream that is a SEQUENCE of two INTEGERs.  The first
is the public modulus and the second one is the exponent.

How do I go from that SEQUENCE to the components, and then from the
components to their byte streams and lengths?

I assume it's some raw DER function like d2i_something.



How about create a mem-bio backed by the buffer containing the raw data
and then call d2i_RSAPublicKey_bio()?


That was it!  What threw me off is that the documentation says:

 TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length);

but RSAPublicKey isn't a type.  So the pattern of TYPE being a structure 
name didn't hold.


(There is a d2i_RSAPublicKey() function, so I didn't need the BIO.)

For the record, here's the resulting set of calls:

X509 * = d2i_X509()
X509_PUBKEY * = X509_get_X509_PUBKEY()
X509_PUBKEY_get0_param()
RSA * = d2i_RSAPublicKey()

RSA_get0_key()
BN_bn2bin()

For a more standard certificate, the first 4 calls can be replaced by:

X509 * = d2i_X509()
EVP_PKEY * = X509_get_pubkey();
RSA * = EVP_PKEY_get1_RSA()



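The call sequence recorded above ends in BN_bn2bin() on the two INTEGERs inside the RSAPublicKey SEQUENCE. As an added example (not code from the thread or from OpenSSL), the Python below walks the same SubjectPublicKeyInfo by hand, reading the AlgorithmIdentifier OID, the BIT STRING and the two INTEGERs, so the structure that X509_PUBKEY_get0_param() hands back and d2i_RSAPublicKey() consumes is visible; all function names are this example's own, and the SPKI it parses is constructed inline from a throwaway 64-bit modulus, not a real key.

```python
"""Walk a SubjectPublicKeyInfo by hand down to the RSA modulus and exponent.

Pure-Python counterpart of the call sequence recorded in the thread
(X509_PUBKEY_get0_param -> d2i_RSAPublicKey -> RSA_get0_key -> BN_bn2bin).
The sample SPKI is constructed below from a 64-bit throwaway modulus; it is
not a real key.
"""

RSA_OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.7": "rsaesOaep",  # the OID the EVP layer rejects
}


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                  # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_integer(content):
    """INTEGER content -> (int, minimal big-endian bytes as BN_bn2bin returns)."""
    if content[0] & 0x80:
        raise ValueError("negative INTEGER where a key component was expected")
    n = int.from_bytes(content, "big")
    return n, n.to_bytes((n.bit_length() + 7) // 8, "big")


def parse_rsa_spki(spki):
    """SubjectPublicKeyInfo DER -> algorithm name, n, e and their byte strings."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    tag, algid, pos = read_tlv(body, 0)
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    # subjectPublicKey BIT STRING: first content octet counts unused bits
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    tag, rsakey, _ = read_tlv(bits[1:], 0)
    tag_n, n_val, pos = read_tlv(rsakey, 0)
    tag_e, e_val, end = read_tlv(rsakey, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02 or end != len(rsakey):
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER, INTEGER }")
    n, n_bytes = decode_integer(n_val)
    e, e_bytes = decode_integer(e_val)
    return {
        "algorithm": RSA_OIDS.get(dotted, dotted),
        "bits": n.bit_length(),            # what 'Public-Key: (N bit)' reports
        "n": n, "n_bytes": n_bytes,        # n_bytes carries no 0x00 sign pad
        "e": e, "e_bytes": e_bytes,
    }


# ---- constructed sample input; the two encoders exist only to build it ----
def _tlv(tag, content):
    if len(content) >= 0x80:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(content)]) + content

def _integer(n):
    # +8 instead of +7 leaves room for the 0x00 pad when the top bit is set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

OID_RSAES_OAEP = bytes.fromhex("2a864886f70d010107")  # 1.2.840.113549.1.1.7
SAMPLE_N = 0xC0FFEE0123456789                          # throwaway, not a key
SAMPLE_E = 65537
SAMPLE_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, OID_RSAES_OAEP) + _tlv(0x30, b""))  # empty OAEP params
    + _tlv(0x03, b"\x00" + _tlv(0x30, _integer(SAMPLE_N) + _integer(SAMPLE_E))))
```

On a real certificate the same walk applies to the bytes returned by X509_PUBKEY_get0_param(); the only difference is that the OID mapping will report rsaesOaep for the vendor certificates discussed here.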

Re: [openssl-users] Get raw RSA public key from X509 certificate

2018-04-26 Thread Ken Goldman

On 04/26/18 16:37, Matt Caswell wrote:



On 26/04/18 21:17, Ken Goldman wrote:

I have to get the raw public modulus, but I cannot X509_get_pubkey()
because of a non-standard object identifier.

I can use X509_get_X509_PUBKEY() to get part way there.  I see the DER
wrapped key in the public_key.data element, but I don't know an API to
get to that element.


How about X509_PUBKEY_get0_param():

https://www.openssl.org/docs/man1.1.0/crypto/X509_PUBKEY_get0_param.html



Thanks!  That got me halfway there.

That gives me a DER stream that is a SEQUENCE of two INTEGERs.  The first 
is the public modulus and the second one is the exponent.


How do I go from that SEQUENCE to the components, and then from the 
components to their byte streams and lengths?


I assume it's some raw DER function like d2i_something.



[openssl-users] Get raw RSA public key from X509 certificate

2018-04-26 Thread Ken Goldman
I have to get the raw public modulus, but I cannot X509_get_pubkey() 
because of a non-standard object identifier.


I can use X509_get_X509_PUBKEY() to get part way there.  I see the DER 
wrapped key in the public_key.data element, but I don't know an API to 
get to that element.


Am I on the right track, or is there a better way?

Could some very kind person give me the code flow?





Re: [openssl-users] X509 certificate algorithm

2018-04-25 Thread Ken Goldman

On 08/16/12 09:33, Dr. Stephen Henson wrote:

On Thu, Aug 16, 2012, Kenneth Goldman wrote:


I call these:

d2i_X509()
X509_print_fp()

which calls
 pkey_set_type()
 EVP_PKEY_asn1_find()
and that call fails.

I've traced the following error down to the rsaOAEP algorithm, which has a
nid of 919.  I've included both the openssl and dumpasn1 dump of the
X509 certificate.  Am I doing something wrong in openssl, or is there
a problem with the certificate?  I tried certificates from two
vendors, and they both fail at the same point.




Well the problem is that OpenSSL doesn't currently support OAEP certificates.
I've never come across one so if you could send an example that would be
useful.


I'm back working with these certificates and find that it still fails 
with the latest openssl.


Another user has apparently hit the same issue.

https://github.com/openssl/openssl/pull/1441

Is there any chance of rsaOAEP being supported?

These are TPM 1.2 endorsement key certificates and there are 
(unfortunately) 100M's of them shipped.




[openssl-users] FIPS_mode_set(1) failing

2018-03-05 Thread Ken Goldman

This call fails on two platforms with:

fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS 
SELFTEST FAILURE


(or line 139)

The openssl installs are:

OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.2g-fips 1 Mar 2016

Any hints?  Do I have to call a self test before entering FIPS mode?



Re: [openssl-users] Certificate for RSA 2048 key says 2058

2017-12-27 Thread Ken Goldman

On 12/14/2017 1:34 PM, Viktor Dukhovni wrote:




On Dec 14, 2017, at 1:11 PM, Ken Goldman <kgold...@us.ibm.com> wrote:

I generate a key and self signed certificate like this:


openssl genrsa -out cakey.pem -aes256 -passout pass: 2048
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650


When I dump the certificate, I see

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2058 bit)
Modulus:
02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:


Why 2058 - 10 extra bits?  I know that, at times, ASN.1 DER needs an extra byte 
to make a number positive, but 10 bits?


What version of OpenSSL is this?  When I try this with OpenSSL 1.1.0 I get:

$ openssl version
OpenSSL 1.1.0h-dev  xx XXX 

$ for i in $(seq 20); do openssl req -nodes -new -x509 -newkey rsa:2048 -keyout cakey.pem 
-out cacert.pem -days 3650 -subj "/CN=Root CA" 2>/dev/null; openssl x509 -text 
-in cacert.pem | grep 'Public-Key:'; done
 Public-Key: (2048 bit)
 Public-Key: (2048 bit)
 Public-Key: (2048 bit)
Same results with master from git.



OpenSSL 1.0.1e-fips 11 Feb 2013 - and I get the same results as you for 
1000's of passes. So, apparently, something strange happened to the one 
key that I generated for my CA.

It feels like some random leading zero case, but I can't reproduce it 
with another key.







Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Ken Goldman

On 12/22/2017 9:24 AM, Salz, Rich via openssl-users wrote:

if (ptr != NULL) free(ptr);

That shouldn't be necessary for OpenSSL.  If you find places where it is, please open an issue.


OK.  I'll mention a few, but it's a global issue.

The code may handle NULL.  However, conservative users won't go by what 
the code happens to do today.  We have to go by the API documentation, 
which is the contract between the library and the user.  If the API is 
silent, we cautiously assume it's not guaranteed, and can change in the 
future.







Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Ken Goldman

On 12/22/2017 8:06 AM, Salz, Rich via openssl-users wrote:

Our intent is that all FREE functions can handle NULL.  If you find
things missing or undocumented, please open an issue on GitHub.
Thanks!


It would be great if that was documented for all _free() functions.  I 
currently always code


if (ptr != NULL) free(ptr);

because the behavior isn't defined.

BTW, "can handle" should explicitly say what happens.  Perhaps use the C 
library text, which says:


If ptr is NULL, no operation is performed.






[openssl-users] Certificate for RSA 2048 key says 2058

2017-12-14 Thread Ken Goldman

I generate a key and self signed certificate like this:

> openssl genrsa -out cakey.pem -aes256 -passout pass: 2048
> openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650

When I dump the certificate, I see

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2058 bit)
Modulus:
02:b1:4c:dd:59:4d:72:8d:93:4b:e5:07:89:53:f7:


Why 2058 - 10 extra bits?  I know that, at times, ASN.1 DER needs an 
extra byte to make a number positive, but 10 bits?




Re: [openssl-users] OpenSSL engine and TPM usage.

2017-10-26 Thread Ken Goldman

On 10/26/2017 3:33 AM, Michael Ströder wrote:

Michael Richardson wrote:


Jakob Bohm  wrote:

wow, further evidence that everything needs an upgrade path.


 From the viewpoint of hardware vendors the upgrade path is selling new
hardware. It's simply like that. Not very sustainable...


All the TPMs I know of have the ability to do a "field upgrade".  They 
can accept vendor signed firmware updates.  In fact, the newer ones can 
switch between TPM 1.2 and the new TPM 2.0 API.


No need to touch the hardware.





Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Ken Goldman

On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote:



On 27 Sep 2017, at 20:02, Michael Wojcik

The tokens / HSMs I've used don't let you generate a key somewhere
else and install it on the token. They insist on doing the key
generation locally. That is, after all, part of the point of using
a token - the key never leaves it.


I've found that the Feitian ePass2000's and the Yubico keys allow for
importing of the private key. They do usually want the 'extra' flags
to specify use:


FWIW, the TPM hardware also permits key import.  It does validate 
attributes, so users will know that the key was not generated on chip.





Re: [openssl-users] openssl 1.0 and 1.1 co-exist

2017-07-31 Thread Ken Goldman

On 6/22/2017 7:05 AM, Jakob Bohm wrote:

On 22/06/2017 04:31, Viktor Dukhovni wrote:

On Wed, Jun 21, 2017 at 01:44:34PM -0400, Ken Goldman wrote:


This is probably Linux specific ...

Can both openssl versions co-exist on the same platform?  I know that the
.so is versioned, but how about the header files?  Can I choose which
library to build with?


I wasn't specific enough.

1 - ... using standard rpms, not a custom install
2 - ... building as well as executing
3 - ... just modifying the makefile to point to different headers and so

I.e., do the headers both go into /usr/include/openssl (which would clash)?

Do the .so's both have the same name - libcrypto.so?

It already works with a custom install and makefile.



Re: [openssl-users] Openssl 1.1 RSA_get0_key() documentation

2017-07-28 Thread Ken Goldman

On 7/28/2017 4:05 PM, Salz, Rich via openssl-users wrote:

The __current__ code for this function returns values if the **BIGNUM is
not NULL.  Thus, it appears safe to pass in NULL for values not needed.




If this behavior is guaranteed, it would be nice if it was documented.


Wanna open an issue to fix the doc? :)



I'd be happy to, but I don't know how.

I'd also be willing to help with documentation, if that's possible.




[openssl-users] Openssl 1.1 RSA_get0_key() documentation

2017-07-27 Thread Ken Goldman
The __current__ code for this function returns values if the **BIGNUM is 
not NULL.  Thus, it appears safe to pass in NULL for values not needed.


However, the documentation is silent on this behavior.

If this behavior is guaranteed, it would be nice if it was documented.

If not, a comment in the code to that effect would be useful.



[openssl-users] openssl 1.0 and 1.1 co-exist

2017-06-21 Thread Ken Goldman

This is probably Linux specific ...

Can both openssl versions co-exist on the same platform?  I know that 
the .so is versioned, but how about the header files?  Can I choose 
which library to build with?


Do the headers go in the same /usr/include/openssl or are there links?

Are there ifdefs in the header files?

Is there a FAQ covering this?



Re: [openssl-users] NMAKE error

2017-05-01 Thread Ken Goldman

On 5/1/2017 12:00 PM, Jordan Brown wrote:

On 5/1/2017 8:53 AM, James Condren wrote:


Thanks for the prompt response.  Just a little background:  I am
trying to install OpenSSL on a Windows PC so I can view a server cert.



It might be simpler to install cygwin and an already-built OpenSSL.


If installing prebuilt binaries is possible, this is far easier than cygwin:

http://slproweb.com/products/Win32OpenSSL.html




Re: [openssl-users] Functions for retrive public key from x509 cert

2017-03-28 Thread Ken Goldman

On 3/28/2017 5:25 AM, Christian Adja via openssl-users wrote:


Can someone tell me what function is called to retrieve the public key from
an x509 cert, in the case of an EC public key?


X509_get_pubkey()



Re: [openssl-users] Issues while "configuring before compiling" OpenSSL on Raspberry-Pi

2017-02-12 Thread Ken Goldman

It is definitely possible, because we run openssl on the Pi.

We did not, however, compile it ourselves.  We install from a Pi repository.

On 2/12/2017 8:13 AM, Ajay Garg wrote:

Any ideas please?
Is compiling openssl even possible on Raspberry-Pi?







Re: [openssl-users] Generate ECC key with password protection

2017-01-13 Thread Ken Goldman

On 1/13/2017 2:02 PM, Viktor Dukhovni wrote:

parameter setting error
139854491113288:error:06089094:digital envelope
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:


In that case, your OpenSSL library is broken, or was built without
EC support.  Perhaps you're running the wrong openssl(1) binary.


Perhaps++.  The command ran on a 1.0.2 platform.


EC key creation is supported in 1.0.2:


openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

The C API's seem to support EC.  Perhaps the openssl binary does not?

RHEL 6.7 is still at 1.0.1.

Can I create the key and certificates on the 1.0.2 platform and use them 
with the C API on 1.0.1?







Re: [openssl-users] Generate ECC key with password protection

2017-01-13 Thread Ken Goldman

On 1/13/2017 1:21 PM, Viktor Dukhovni wrote:

On Fri, Jan 13, 2017 at 06:18:51PM +, Viktor Dukhovni wrote:


Still no success.  I think this is exactly what you suggested, and 
something I had already tried.


openssl genpkey -out cakeyecc.pem -outform PEM -pass pass: -aes256 
-algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt 
ec_param_enc:named_curve -text


parameter setting error
139854491113288:error:06089094:digital envelope 
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:



Easier to read the documentation and use the appropriate value.


https://www.openssl.org/docs/man1.1.0/apps/genpkey.html


Yikes.  That's not in the 1.0.2 documentation at

https://www.openssl.org/docs/man1.0.2/apps/genpkey.html

Could it be that 1.0.2 doesn't support creation of EC keys?

Or, if the syntax is different, where can I find it?




Re: [openssl-users] Generate ECC key with password protection

2017-01-13 Thread Ken Goldman

Thanks for the help.  Am I getting closer?

On 1/13/2017 9:44 AM, Viktor Dukhovni wrote:

Also, take a look at test/certs/mkcert.sh:


I looked at that, but what is $bits?


The curve name.

You're sure fond of leaving off the leading "-" in option names.
You'll also really want the "ec_param_enc" option when you get
the rest of the syntax right.


OK, sorry, hyphen-o-phobia.

I gather now that there are two -pkeyopt:

ec_paramgen_curve
ec_param_enc

I tried prime256v1 for each, and also named_curve and explicit
for the second, in many combinations.

It's also not 100% clear whether I specify -pkeyopt each time, or once 
and then pairs of opt:value.


In all combinations, I now get:

openssl genpkey -out cakeyecc.pem -outform pem -pass pass: -aes256 
-algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 
ec_param_enc:explicit -text


parameter setting error
140171547424584:error:06089094:digital envelope 
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:







Re: [openssl-users] Generate ECC key with password protection

2017-01-13 Thread Ken Goldman

Thanks, getting closer ...

On 1/12/2017 5:47 PM, Viktor Dukhovni wrote:

My latest attempt is this.  It gives me a usage error.  Any hints?

openssl genpkey -out cakeyecc.pem -outform pem  -pass pass: aes-256-cbc 
-algorithm ec pkeyopt ec_paramgen_curve:prime256v1 -text


The "aes-256-cbc" argument is wrong.  Try "-aes256".


BTW, I got aes-256-cbc from

https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

and > openssl list-cipher-commands



Also, take a look at test/certs/mkcert.sh:


I looked at that, but what is $bits?

I got prime256v1, the curve I want, from

openssl ecparam -list_curves

My next tries:

openssl genpkey -out cakeyecc.pem -outform pem -pass pass: -aes256 
-algorithm ec pkeyopt ec_paramgen_curve:prime256v1 -text


openssl genpkey -out cakeyecc.pem -outform pem -pass pass: -aes256 
-algorithm ec pkeyopt ec_paramgen_curve:prime256v1 pkeyopt 
ec_param_enc:named_curve -text


openssl genpkey -out cakeyecc.pem -outform pem -pass pass: -aes256 
-algorithm ec pkeyopt ec_paramgen_curve:prime256v1 pkeyopt 
ec_param_enc:explicit -text


I get:

Error generating key
140529942484808:error:100C708B:elliptic curve routines:PKEY_EC_KEYGEN:no 
parameters set:ec_pmeth.c:294:


It's probably this LOC, but what am I missing?

if (ctx->pkey == NULL && dctx->gen_group == NULL) {
ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET);
return 0;
}




Re: [openssl-users] Generate ECC key with password protection

2017-01-12 Thread Ken Goldman

On 7/20/2016 10:26 AM, Jakob Bohm wrote:

On 20/07/2016 16:21, Ken Goldman wrote:

From these web pages:

https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

https://www.openssl.org/docs/manmaster/apps/ecparam.html

the "openssl ecparam -genkey" command does not accept a password. The
(perhaps) equivalent "openssl genrsa" command does.

Is there a openssl command that can generate an ECC key pair where the
output file is password protected?


openssl genpkey


My latest attempt is this.  It gives me a usage error.  Any hints?

openssl genpkey -out cakeyecc.pem -outform pem  -pass pass: 
aes-256-cbc -algorithm ec pkeyopt ec_paramgen_curve:prime256v1 -text







[openssl-users] ECDSA_SIG_new and ECDSA_SIG_free details

2017-01-03 Thread Ken Goldman

1 - Is this a bit of a bug?

ECDSA_SIG_free() frees the r and s BIGNUMs before it frees the structure 
itself.  However, ECDSA_SIG_new() doesn't set r and s to NULL.  It calls 
zalloc, which sets them to 0x00 bytes.

OK, in most platforms, the NULL pointer is an all 0x00 bytes value, but 
it's not guaranteed by the C standard.


E.g., http://c-faq.com/null/confusion4.html


2 - It would be nice if the man page advised that ECDSA_SIG_free() frees 
the two r and s BIGNUMs before it frees the structure itself.




[openssl-users] EVP_DigestVerifyFinal with ECDSA signature

2017-01-03 Thread Ken Goldman

I'm trying to use the EVP interface for signature verification.

However, EVP_DigestVerifyFinal() takes a signature and length as 
parameters.  While I understand this for RSA, ECDSA signatures have R 
and S elements.


Is there a converter function?

If I must convert by hand, how is it done?  In certificates, I see a 
0x04 followed by R and S arrays.



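EVP_DigestVerifyFinal() takes the DER ECDSA-Sig-Value, a SEQUENCE of the two INTEGERs r and s, which is what ECDSA_SIG_set0() followed by i2d_ECDSA_SIG() produces; the 0x04 seen ahead of two 32-byte arrays in a certificate is the uncompressed-point prefix of the public key, not part of a signature. As an added example (not code from the thread or from OpenSSL), the Python below builds that encoding from raw r and s bytes and shows why the result's length varies; function names are this example's own, and the r and s values are constructed, sized for P-256, and not a real signature.

```python
"""Build the DER ECDSA-Sig-Value that EVP_DigestVerifyFinal() expects from a
raw (r, s) pair.

Equivalent to ECDSA_SIG_set0() + i2d_ECDSA_SIG() in OpenSSL:
    ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
The r and s below are constructed values sized for P-256, not a signature.
"""


def _der_length(n):
    """Definite-form length octets: one byte below 0x80, else 0x8N + N bytes."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    """Minimal DER INTEGER for a non-negative value.

    DER drops leading zero bytes, then prepends one 0x00 if the top bit is
    set so the number stays positive.  A 32-byte field element therefore
    encodes to 33, 32 or fewer content bytes, which is why a P-256 signature
    is usually 70..72 bytes long rather than a fixed 64.
    """
    if value < 0:
        raise ValueError("ECDSA r and s are never negative")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def ecdsa_sig_to_der(r_bytes, s_bytes):
    """r and s as big-endian byte strings (e.g. the two arrays a TPM returns)
    -> DER ECDSA-Sig-Value suitable for EVP_DigestVerifyFinal()."""
    if not r_bytes or not s_bytes:
        raise ValueError("r and s must both be present")
    body = (_der_integer(int.from_bytes(r_bytes, "big"))
            + _der_integer(int.from_bytes(s_bytes, "big")))
    return b"\x30" + _der_length(len(body)) + body


def raw_sig_to_der(raw_sig):
    """Fixed-width r||s (the common 'raw' format) -> DER ECDSA-Sig-Value."""
    if len(raw_sig) == 0 or len(raw_sig) % 2:
        raise ValueError("raw signature must be two equal-length field elements")
    half = len(raw_sig) // 2
    return ecdsa_sig_to_der(raw_sig[:half], raw_sig[half:])


# Constructed P-256-sized sample (not a real signature):
#   r has its top bit set, so DER adds a 0x00 pad (33 content bytes);
#   s has five leading zero bytes, which DER strips (27 content bytes).
SAMPLE_R = (0xF1 << 248) | 0x1234
SAMPLE_S = 0x1234 << 200
SAMPLE_RAW = SAMPLE_R.to_bytes(32, "big") + SAMPLE_S.to_bytes(32, "big")
```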

Re: [openssl-users] Raw EC key to EVP_PKEY to certificate

2016-12-31 Thread Ken Goldman

Perfect, thanks.

On 12/30/2016 8:27 PM, Viktor Dukhovni wrote:



On Dec 30, 2016, at 8:20 PM, Ken Goldman <kgold...@us.ibm.com> wrote:

- EC_KEY ecKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)
- convert x and y from bin to bignum
- EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)
- EVP_PUBKEY evpPubkey = EVP_PKEY_new()
- EVP_PKEY_set1_EC_KEY(evpPubkey, ecKey);
- X509_set_pubkey(x509Certificate, evpPubkey);


Start with:

EC_KEY *eckey = EC_KEY_new();
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_group(eckey, group);
...






[openssl-users] Raw EC key to EVP_PKEY to certificate

2016-12-30 Thread Ken Goldman
My overall goal is to create an X509 certificate for an ECC public key. 
I am starting with the X and Y points.  The curve is NIST_P256.


Here's the basic code.  Am I close?

- EC_KEY ecKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)
- convert x and y from bin to bignum
- EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)
- EVP_PUBKEY evpPubkey = EVP_PKEY_new()
- EVP_PKEY_set1_EC_KEY(evpPubkey, ecKey);
- X509_set_pubkey(x509Certificate, evpPubkey);

I'm getting far more information that I suspect I need.  See the two 
dumps below.


My result looks like this:

   Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:e7:de:55:b0:09:2f:0a:83:0a:c9:fc:f0:82:d7:
97:e0:4e:02:7d:75:08:44:74:3e:5f:b6:b3:29:3d:
ad:69:b3:f4:c5:3d:65:ed:94:23:89:37:5c:d5:e5:
4c:0b:77:d4:55:f6:3c:83:24:27:fb:cb:21:dc:66:
df:11:5d:ac:65
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff
A:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fc
B:
5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
60:4b
Generator (uncompressed):
04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
68:37:bf:51:f5
Order:
00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
63:25:51
Cofactor:  1 (0x1)
Seed:
c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
b7:81:9f:7e:90

while other certificates I see look like this:

Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b2:72:2e:90:17:f8:19:2e:20:bb:cd:ee:fd:0a:
c5:f8:79:9f:33:e2:e3:04:f5:54:2c:39:7d:bb:b7:
7d:d5:b4:51:38:02:df:f1:14:44:81:9f:1e:1d:e1:
df:0e:4d:94:c8:15:26:5d:2a:96:9f:c2:dc:f0:c1:
3c:78:c1:1d:eb
ASN1 OID: prime256v1
NIST CURVE: P-256




Re: [openssl-users] big endian vs little endian

2016-12-18 Thread Ken Goldman

On 12/18/2016 11:21 AM, sahorwitz wrote:

I am obviously a newbie and missing something. How then do I encrypt the file
on one machine (little endian), transmit it to another machine (big endian)
and decrypt it there?


Why do you think endian'ness is an issue?





Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

2016-11-28 Thread Ken Goldman

On 11/28/2016 3:40 PM, Salz, Rich wrote:

Perhaps I didn't understand the original question.  If all you want
to do is compare 1.0.2 and 1.1.0, then look at
OPENSSL_VERSION_NUMBER; if defined and it's 0x10101000L or greater,
then you're on the 1.1.x branch, otherwise you are not and therefore
on 1.0.2 or earlier.


I want to compare pre 1.1 (typically 1.0) and 1.1 and up.

My 1.0 has

./opensslv.h:#define OPENSSL_VERSION_NUMBER 0x1000105fL

My 1.1 has

./openssl/opensslv.h:# define OPENSSL_VERSION_NUMBER  0x1010003fL

Neither agree with your example, but would comparing to 0x1010  work?


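The two values quoted above follow the 0xMNNFFPPS layout OpenSSL used for OPENSSL_VERSION_NUMBER through 1.1.x. As an added example (not code from the thread), the Python below decodes that layout and applies the branch test the thread is after; the two constants are the values quoted in the message, the function names are this example's own.

```python
"""Decode OPENSSL_VERSION_NUMBER in the 0xMNNFFPPS layout used through 1.1.x.

M = major (one nibble), NN = minor, FF = fix, PP = patch letter (00 none,
01 = a, 02 = b, ...), S = status (0 dev, 1..e beta, f release).  The two
constants at the bottom are the values quoted in the message above.
"""


def decode_version(num):
    """Split a pre-3.0 OPENSSL_VERSION_NUMBER into its fields plus a string."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    text = f"{major}.{minor}.{fix}"
    if patch:
        text += chr(ord("a") + patch - 1)  # 0x05 -> 'e', 0x03 -> 'c'
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return {"major": major, "minor": minor, "fix": fix,
            "patch": patch, "status": status, "text": text}


def is_1_1_or_later(num):
    """The 1.1 API boundary is 1.1.0-dev, i.e. 0x10100000.

    Comparing against the full 32-bit constant (not a truncated prefix) puts
    every 1.1.0 beta, every patch letter and 1.1.1+ on the new-API side,
    which is what a port's #if needs."""
    return num >= 0x10100000


OPENSSL_1_0 = 0x1000105F  # ./opensslv.h quoted in the message
OPENSSL_1_1 = 0x1010003F  # ./openssl/opensslv.h quoted in the message
```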

Re: [openssl-users] openssl-1.1.0b : Getting keys from TPM

2016-11-28 Thread Ken Goldman
To read a public key, use the TPM2_ReadPublic command.  I have an open 
source utility (tpm2pem) that converts that TPM format key to PEM.


If you need the private key, you will have to "duplicate" it to a key 
you know and then use that key to decrypt it.  It's possible.  However, 
it defeats the purpose of using the TPM as a hardware key store.  It 
would be better to use the TPM to do the private key operations.


For a TSS, I offer this, which has an ever expanding set of utilities 
and sample programs.  Let me know what you need for sample code.


https://sourceforge.net/projects/ibmtpm20tss/?source=navbar

I also suggest debugging with a SW TPM.

https://sourceforge.net/projects/ibmswtpm2/

The tpm2pem utility currently comes with the attestation client and server:

https://sourceforge.net/projects/ibmtpm20acs/

On 11/3/2016 12:02 PM, Zvi Vered wrote:

Hi Ken,

1. I mean: read from TPM

2. In order to create an SSL session with the server, should I need also
the private key ?

3. I want to use TPM 2.0


On 11/2/2016 11:06 PM, Zvi Vered wrote:


I want to use openssl in order to send\receive encrypted messages to a
server.

My Target has TPM.

Can you please explain how to configure the openssl library to take
public+private keys from TPM ?

Should I use a specific TPM library ?





Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

2016-11-28 Thread Ken Goldman
I'd like an answer to this one also.  I could not find that define.  I 
did find about 10 variations, all uncommented.


Could someone simply post the definitive answer?

On 11/23/2016 8:50 AM, Salz, Rich wrote:

Look at the OPENSSL version define.








[openssl-users] Openssl 1.1 port - hash state serializing

2016-11-16 Thread Ken Goldman
I have a simulation of a hardware device that has the following 
characteristics:


- does hashing functions
- resource constrained
- multi-user

Therefore, a typical pattern is that one application starts a digest 
calculation, then the hash state must get swapped out for another user.


In 1.0, I did this by (cheating) serializing the hash state to swap out, 
then deserializing to swap back in.  This required looking inside the 
hash state structure.  I know it wasn't portable across versions, but 
the structure was pretty stable.


Is there a way to do this in 1.1?  Can one be added?


