Memory handling and BIO_*
Hi there,

I am struggling with the BIO_* API to understand how I can control the memory. I found a nice function for read-only memory:

    BIO *data = BIO_new_mem_buf((void*)array, len);

but I do not understand how to control output memory (I need to write to a C++ std::stringstream). So what I am doing is memory duplication for now:

    std::stringstream ss;
    char *binary;
    long biolen = BIO_get_mem_data(bio_buffer, &binary);
    ss.str(std::string(binary, biolen));

Has anyone found a way to pass from a BIO_* to a std::stringstream for write operations ?

Thanks,
-- 
Mathieu
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: What is RAND_screen for ?
On Tue, Mar 16, 2010 at 6:25 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 16, 2010, Mathieu Malaterre wrote:
>
>> Hi there,
>>
>> I am looking at an old piece of code:
>>
>> http://cpansearch.perl.org/src/SAMPO/smime-0.7/smimeutil.c
>>
>> ...
>> #ifdef WINDOWS
>> LOG_PRINT("RAND_screen...");
>> RAND_screen(); /* Loading video display memory into random state */
>> #endif
>> ...
>>
>> And I was wondering why RAND_screen was being called only on windows ?
>>
>
> It was used at one point for PRNG seeding. Now OpenSSL gathers entropy from a
> number of OS specific sources and doesn't need the explicit call any more.

What do you mean 'doesn't anymore' ? I am looking at openssl 0.9.8m and it reveals:

    cat ./apps/smime.c
    ...
    else if (operation == SMIME_ENCRYPT)
    {
        ...
        need_rand = 1;
    }
    ...
    if (need_rand)
    {
        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
    ...

which in turn:

    cat apps/app_rand.c
    ...
    int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
    {
        int consider_randfile = (file == NULL);
        char buffer[200];

    #ifdef OPENSSL_SYS_WINDOWS
        BIO_printf(bio_e,"Loading 'screen' into random state -");
        BIO_flush(bio_e);
        RAND_screen();
        BIO_printf(bio_e," done\n");
    #endif
    ...

Did I misunderstand something ? This is still in use in 0.9.8m, right ? Should I use another function instead ?

Thanks again for your help,
-- 
Mathieu
What is RAND_screen for ?
Hi there,

I am looking at an old piece of code:

http://cpansearch.perl.org/src/SAMPO/smime-0.7/smimeutil.c

    ...
    #ifdef WINDOWS
    LOG_PRINT("RAND_screen...");
    RAND_screen(); /* Loading video display memory into random state */
    #endif
    ...

And I was wondering why RAND_screen was being called only on windows ?

Thanks,
-- 
Mathieu
Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData): success !
On Thu, Nov 26, 2009 at 7:59 PM, Dr. Stephen Henson wrote:
> On Mon, Nov 23, 2009, Mathieu Malaterre wrote:
>
>> Steve,
>>
>> >> Do you have a sample PBE blob you want to decrypt?
>> >
>> > Here is one:
>> >
>> > $ wget http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2
>> > $ openssl asn1parse -in DICOMDIR -inform DER
>> >
>> > It was generated using Bouncy Castle
>>
>> I forgot to mention, if you need help from me, do not hesitate !
>>
>
> I've added experimental support to HEAD. This seems to decrypt the example OK
> and can decrypt its own output. It adds a new option -pwri_password to the
> cms utility (will need something better at some point).

EXCELLENT ! This works on my machine:

    tar xvfz openssl-SNAP-20091127.tar.gz
    cd openssl-SNAP-20091127/
    ./config --prefix=$HOME/local --openssldir=$HOME/local/openssl
    make
    make install
    /home/mathieu/local/bin/openssl cms -decrypt -in DICOMDIR -pwri_password password -inform DER > out.dcm

Thanks so much :)
-- 
Mathieu
Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)
Steve,

>> Do you have a sample PBE blob you want to decrypt?
>
> Here is one:
>
> $ wget http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2
> $ openssl asn1parse -in DICOMDIR -inform DER
>
> It was generated using Bouncy Castle

I forgot to mention, if you need help from me, do not hesitate !

Thanks again,
-- 
Mathieu
Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)
On Tue, Nov 10, 2009 at 5:15 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 10, 2009, Mathieu Malaterre wrote:
>
>>
>> Thanks for taking the time to answer, this will save me some time !
>> How hard would you say is this task (I have neither a previous
>> knowledge of OpenSSL, nor a knowledge of cryptography) ? As a first
>> step I would just like to decrypt a PBE RFC3852 blob (proof of
>> concept).
>>
>
> Well if it was trivial I would've already added it. It needs quite a bit of
> knowledge of how the OpenSSL ASN1 code and the CMS stuff works internally.

ok :)

> Do you have a sample PBE blob you want to decrypt?

Here is one:

    $ wget http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2
    $ openssl asn1parse -in DICOMDIR -inform DER

It was generated using Bouncy Castle.

Thanks,
-- 
Mathieu
Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)
On Tue, Nov 10, 2009 at 4:56 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 10, 2009, Mathieu Malaterre wrote:
>
>> On Wed, Nov 4, 2009 at 12:17 PM, Mathieu Malaterre wrote:
>>
>> Answering to myself, it looks like it:
>>
>>   *) Initial support for Cryptographic Message Syntax (aka CMS) based
>>      on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
>>      support for data, signedData, compressedData, digestedData and
>>      encryptedData, envelopedData types included. Scripts to check against
>>      RFC4134 examples draft and interop and consistency checks of many
>>      content types and variants.
>>      [Steve Henson]
>>
>> This is really cool !
>>
>
> Actually PBE isn't included. AES key wrap is which can be handled on the
> command line but not PBES2 (or any other kind) of PBE at present.

Hi Steve,

Thanks for taking the time to answer, this will save me some time ! How hard would you say is this task (I have neither a previous knowledge of OpenSSL, nor a knowledge of cryptography) ? As a first step I would just like to decrypt a PBE RFC3852 blob (proof of concept).

Thanks,
-- 
Mathieu
Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)
On Wed, Nov 4, 2009 at 12:17 PM, Mathieu Malaterre wrote:
> Hi,
>
> On Wed, Apr 29, 2009 at 9:41 PM, Dr. Stephen Henson wrote:
>> On Wed, Apr 29, 2009, Randy Turner wrote:
>>
>>>
>>> Just for my own edification, from this thread, it sounds like OpenSSL
>>> doesn't support password-protected
>>> PKCS#7 bundles, is this interpretation correct?
>>>
>>
>> No. It supports password encrypted data for PKCS#7. That uses the encrypted
>> data type. Handling of that type is necessary to process PKCS#12 structures.
>>
>> In CMS this type is a pwri structure as part of the enveloped data type. That
>> isn't currently supported.
>
> Quick question: what is the status of CMS with Password Based
> Encryption in OpenSSL 1.0 ?

Answering to myself, it looks like it:

  *) Initial support for Cryptographic Message Syntax (aka CMS) based
     on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
     support for data, signedData, compressedData, digestedData and
     encryptedData, envelopedData types included. Scripts to check against
     RFC4134 examples draft and interop and consistency checks of many
     content types and variants.
     [Steve Henson]

This is really cool !
-- 
Mathieu
CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)
Hi,

On Wed, Apr 29, 2009 at 9:41 PM, Dr. Stephen Henson wrote:
> On Wed, Apr 29, 2009, Randy Turner wrote:
>
>>
>> Just for my own edification, from this thread, it sounds like OpenSSL
>> doesn't support password-protected
>> PKCS#7 bundles, is this interpretation correct?
>>
>
> No. It supports password encrypted data for PKCS#7. That uses the encrypted
> data type. Handling of that type is necessary to process PKCS#12 structures.
>
> In CMS this type is a pwri structure as part of the enveloped data type. That
> isn't currently supported.

Quick question: what is the status of CMS with Password Based Encryption in OpenSSL 1.0 ?

Thanks,
-- 
Mathieu
Re: Decrypting a password encrypted pkcs7-envelopedData
On Wed, Apr 29, 2009 at 12:14 PM, Dr. Stephen Henson wrote:
> On Wed, Apr 29, 2009, Mathieu Malaterre wrote:
>
>> Hi there,
>>
>> I am trying to decrypt a file like this:
>>
>> $ openssl asn1parse -in sec -inform DER
>>     0:d=0  hl=2 l=inf  cons: SEQUENCE
>>     2:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
>>    13:d=1  hl=2 l=inf  cons: cont [ 0 ]
>>    15:d=2  hl=2 l=inf  cons: SEQUENCE
>>    17:d=3  hl=2 l=   1 prim: INTEGER           :00
>>    20:d=3  hl=2 l= 122 cons: SET
>>    22:d=4  hl=2 l= 120 cons: cont [ 3 ]
>>    24:d=5  hl=2 l=   1 prim: INTEGER           :00
>>    27:d=5  hl=2 l=  35 cons: cont [ 0 ]
>>    29:d=6  hl=2 l=   9 prim: OBJECT            :PBKDF2
>>    40:d=6  hl=2 l=  22 cons: SEQUENCE
>>    42:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:CFF092E4F1471FE68AF0DE2299D7AC56
>>    60:d=7  hl=2 l=   2 prim: INTEGER           :03E8
>>    64:d=5  hl=2 l=  44 cons: SEQUENCE
>>    66:d=6  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.3.9
>>    79:d=6  hl=2 l=  29 cons: SEQUENCE
>>    81:d=7  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>    92:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:B1218FF14CBFC9A9E9D21064834DD9E7
>>   110:d=5  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:504E1467FFE2112639C3128BD8D95BCD174BB0839E69AA79313A21CC1C947E9B
>>   144:d=3  hl=2 l=inf  cons: SEQUENCE
>>   146:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
>>   157:d=4  hl=2 l=  29 cons: SEQUENCE
>>   159:d=5  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>   170:d=5  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:9E8C79FBC450997A71895D84938025A3
>>   188:d=4  hl=2 l=inf  cons: cont [ 0 ]
>>
>>
>> I tried the following command:
>>
>> $ openssl smime -decrypt -binary -in sec -inform DER -out outputfile.txt -passin stdin
>>
>> But the command line requires a -inkey arg. So I guess I am not using
>> openssl command line properly. Could someone please correct my
>> decryption command line (from the asn1parse output).
>>
>
> That involves the use of a password based recipient info structure which
> OpenSSL doesn't currently support.

Ah ! Thanks for the info.

Doing some google search on the openssl mailing list it appears that PKCS5_PBKDF2_HMAC_SHA1 could be the function I am looking for ? Is this correct ? If this is the case I need to write something like:

    OpenSSL_add_all_algorithms();
    EVP_PKEY *pkey = ??; // complex part
    data = BIO_new_mem_buf(array, len); // output of fread
    p7 = d2i_PKCS7_bio(data, NULL);
    p7bio = PKCS7_dataDecode(p7, pkey, NULL, NULL);

What I am not clear on is how I create this EVP_PKEY from the PKCS5_PBKDF2_HMAC_SHA1 function...

Thanks for your help,
-- 
Mathieu
Decrypting a password encrypted pkcs7-envelopedData
Hi there,

I am trying to decrypt a file like this:

    $ openssl asn1parse -in sec -inform DER
        0:d=0  hl=2 l=inf  cons: SEQUENCE
        2:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
       13:d=1  hl=2 l=inf  cons: cont [ 0 ]
       15:d=2  hl=2 l=inf  cons: SEQUENCE
       17:d=3  hl=2 l=   1 prim: INTEGER           :00
       20:d=3  hl=2 l= 122 cons: SET
       22:d=4  hl=2 l= 120 cons: cont [ 3 ]
       24:d=5  hl=2 l=   1 prim: INTEGER           :00
       27:d=5  hl=2 l=  35 cons: cont [ 0 ]
       29:d=6  hl=2 l=   9 prim: OBJECT            :PBKDF2
       40:d=6  hl=2 l=  22 cons: SEQUENCE
       42:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:CFF092E4F1471FE68AF0DE2299D7AC56
       60:d=7  hl=2 l=   2 prim: INTEGER           :03E8
       64:d=5  hl=2 l=  44 cons: SEQUENCE
       66:d=6  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.3.9
       79:d=6  hl=2 l=  29 cons: SEQUENCE
       81:d=7  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
       92:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:B1218FF14CBFC9A9E9D21064834DD9E7
      110:d=5  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:504E1467FFE2112639C3128BD8D95BCD174BB0839E69AA79313A21CC1C947E9B
      144:d=3  hl=2 l=inf  cons: SEQUENCE
      146:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
      157:d=4  hl=2 l=  29 cons: SEQUENCE
      159:d=5  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
      170:d=5  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:9E8C79FBC450997A71895D84938025A3
      188:d=4  hl=2 l=inf  cons: cont [ 0 ]

I tried the following command:

    $ openssl smime -decrypt -binary -in sec -inform DER -out outputfile.txt -passin stdin

But the command line requires a -inkey arg. So I guess I am not using openssl command line properly. Could someone please correct my decryption command line (from the asn1parse output).

Thanks,
-- 
Mathieu
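The asn1parse dump above already contains everything the password-based recipient info (the `cont [ 3 ]` entry, i.e. a PasswordRecipientInfo per RFC 3211) needs for key derivation: a PBKDF2 salt, an iteration count of 0x03E8 = 1000, no explicit PRF (so RFC 2898's default HMAC-SHA1 applies), and a key-encryption algorithm of id-alg-PWRI-KEK (OID 1.2.840.113549.1.9.16.3.9) wrapping the content key with AES-128-CBC. The follow-up message asks whether PKCS5_PBKDF2_HMAC_SHA1 is the right primitive; the example below, added here and not code from the thread or the OpenSSL project, parses that dump and derives the 16-byte key-encryption key with the same PBKDF2-HMAC-SHA1 computation, using only the Python standard library. It stops at the KEK: the RFC 3211 AES unwrap of the 32-byte encrypted key is not performed, and the password `b"password"` is a constructed placeholder (the real one is whatever the file was created with).

```python
"""Added example (not from the thread): pull the PWRI key-derivation
parameters out of an ``openssl asn1parse`` dump and derive the KEK with
PBKDF2-HMAC-SHA1, which is what PKCS5_PBKDF2_HMAC_SHA1 computes."""
import hashlib
import re

# The PasswordRecipientInfo part of the dump quoted in the thread (offsets 0..110).
ASN1PARSE_OUTPUT = """\
    0:d=0  hl=2 l=inf  cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
   13:d=1  hl=2 l=inf  cons: cont [ 0 ]
   15:d=2  hl=2 l=inf  cons: SEQUENCE
   17:d=3  hl=2 l=   1 prim: INTEGER           :00
   20:d=3  hl=2 l= 122 cons: SET
   22:d=4  hl=2 l= 120 cons: cont [ 3 ]
   24:d=5  hl=2 l=   1 prim: INTEGER           :00
   27:d=5  hl=2 l=  35 cons: cont [ 0 ]
   29:d=6  hl=2 l=   9 prim: OBJECT            :PBKDF2
   40:d=6  hl=2 l=  22 cons: SEQUENCE
   42:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:CFF092E4F1471FE68AF0DE2299D7AC56
   60:d=7  hl=2 l=   2 prim: INTEGER           :03E8
   64:d=5  hl=2 l=  44 cons: SEQUENCE
   66:d=6  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.3.9
   79:d=6  hl=2 l=  29 cons: SEQUENCE
   81:d=7  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
   92:d=7  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:B1218FF14CBFC9A9E9D21064834DD9E7
  110:d=5  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:504E1467FFE2112639C3128BD8D95BCD174BB0839E69AA79313A21CC1C947E9B
"""

PWRI_KEK_OID = "1.2.840.113549.1.9.16.3.9"   # id-alg-PWRI-KEK (RFC 3211)
KEK_KEY_SIZES = {"aes-128-cbc": 16, "aes-192-cbc": 24, "aes-256-cbc": 32}

# offset:d=depth  hl=N l=len  prim|cons: <type>[ [HEX DUMP]]:<value>
LINE_RE = re.compile(r"^\s*(\d+):d=(\d+)\s+hl=\d+\s+l=\s*\S+\s+(prim|cons):\s*(.*?)\s*$")


def parse_asn1parse(text):
    """Turn asn1parse lines into (depth, type, value) triples; value is None
    for constructed nodes (SEQUENCE, SET, cont [n])."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth, kind, rest = int(m.group(2)), m.group(3), m.group(4)
        if kind == "cons":
            items.append((depth, rest, None))
            continue
        typ, _, value = rest.partition(":")
        items.append((depth, typ.replace("[HEX DUMP]", "").strip(), value.strip()))
    return items


def extract_pwri_params(items):
    """Pull salt, iteration count, KEK cipher, KEK IV and the wrapped content
    key out of the PasswordRecipientInfo ([3] inside the RecipientInfos SET)."""
    params = {}
    i = 0
    while i < len(items):
        _, typ, value = items[i]
        if typ == "OBJECT" and value == "PBKDF2":
            # PBKDF2-params ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER, ... }
            # No prf field follows, so RFC 2898's default hmacWithSHA1 applies.
            params["salt"] = bytes.fromhex(items[i + 2][2])
            params["iterations"] = int(items[i + 3][2], 16)   # asn1parse prints INTEGERs in hex
            i += 4
        elif typ == "OBJECT" and value == PWRI_KEK_OID:
            # id-alg-PWRI-KEK parameters: the KEK cipher and its IV; the wrapped key follows.
            params["kek_cipher"] = items[i + 2][2]
            params["kek_iv"] = bytes.fromhex(items[i + 3][2])
            params["encrypted_key"] = bytes.fromhex(items[i + 4][2])
            i += 5
        else:
            i += 1
    return params


def derive_kek(password, params):
    """PBKDF2-HMAC-SHA1 over the password; the KEK is as long as the key of
    the cipher named in the id-alg-PWRI-KEK parameters (16 bytes for AES-128)."""
    key_len = KEK_KEY_SIZES[params["kek_cipher"]]
    return hashlib.pbkdf2_hmac("sha1", password, params["salt"],
                               params["iterations"], key_len)


if __name__ == "__main__":
    p = extract_pwri_params(parse_asn1parse(ASN1PARSE_OUTPUT))
    print("salt       :", p["salt"].hex())
    print("iterations :", p["iterations"])          # 0x03E8 = 1000
    print("KEK cipher :", p["kek_cipher"])
    # 32 bytes = 1 length byte + 3 check bytes + 16-byte content key, padded
    # to two AES blocks as RFC 3211 section 2.3.1 requires.
    print("wrapped key:", len(p["encrypted_key"]), "bytes")
    # Constructed placeholder password, not the one the sample file was made with.
    print("KEK        :", derive_kek(b"password", p).hex())
```

The key length is the one detail that is easy to get wrong: PBKDF2 can emit any length, and the correct one is dictated by the KEK cipher in the id-alg-PWRI-KEK parameters, not by the content-encryption cipher further down in the dump (both happen to be aes-128-cbc here). The 1000-iteration count also shows why this format is weak against offline guessing: each candidate password costs only 1000 HMAC-SHA1 calls, so the password itself has to carry the security.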
Re: Enveloped-data content type of the cryptographic message syntax defined in RFC 2630
On Sun, Apr 26, 2009 at 10:50 AM, Mathieu Malaterre wrote:
> Hi there,
>
> After posting to sci.crypt, it was suggested that I use OpenSSL.
> Basically I need to implement a section of the DICOM standard (read:
> medical image format), where for anonymization reasons I need to
> encrypt patient related information.
> As stated in the standard I need to encrypt some content in an
> "Enveloped-data content type of the cryptographic message syntax
> defined in RFC 2630".
> I am a complete newbie in the crypto world, so I'd appreciate some
> help to get me started.
> As far as I understand RFC 2630 is also what is called PKCS #7, correct ?
> If this is correct could someone let me know if I can use the
> command line openssl pkcs7 to encrypt a file (this would be my
> Enveloped-data content).

After searching a little more on the web, it appears this RFC was obsoleted twice: by RFC 3369 and then RFC 3852. Using RFC 3852 led to many more results, in particular: PKCS7_encrypt. I'll start playing with openssl smime to see if it fits my needs.

Thanks,
-- 
Mathieu
Enveloped-data content type of the cryptographic message syntax defined in RFC 2630
Hi there,

After posting to sci.crypt, it was suggested that I use OpenSSL. Basically I need to implement a section of the DICOM standard (read: medical image format), where for anonymization reasons I need to encrypt patient related information. As stated in the standard I need to encrypt some content in an "Enveloped-data content type of the cryptographic message syntax defined in RFC 2630".

I am a complete newbie in the crypto world, so I'd appreciate some help to get me started. As far as I understand RFC 2630 is also what is called PKCS #7, correct ? If this is correct could someone let me know if I can use the command line openssl pkcs7 to encrypt a file (this would be my Enveloped-data content).

Thank you!
-- 
Mathieu