Re: problems with openssl 0.9.7b & 0.9.7c
From 0.9.7a to 0.9.7b
CRYPTO_add and memory leaks
Hi, I have a little problem with the function CRYPTO_add. Actually, when I use the function OCSP_basic_add1_cert, I know that in that function CRYPTO_add is called. My problem is, I use the function OCSP_basic_add1_cert to add the certificate chain to my OCSP response, and even after the memory free of the OCSP_BASICRESP and the OCSP_RESPONSE there are still approximately 4 bytes of memory unfreed. I know for sure that those 4 bytes come from my use of the OCSP_basic_add1_cert function: I've commented the function out and my problem is solved. Any ideas??? Olivier
Memory leak with ocsp
Hi, in order to add the certificate chain to my OCSP response, I use the OCSP_basic_add1_cert function. My problem is the following: even after freeing the OCSP_BASICRESP pointer there are always 4 bytes unfreed in memory. I know that those 4 bytes come from the OCSP_basic_add1_cert function because when I comment the line out I don't have memory leaks. Any idea? Thanks, Olivier Michiels
A question about ENGINE
Hi, I've developed my own ENGINE with OpenSSL. I use that ENGINE to use the private keys of my root certificates. Those certificates are used to sign X509 certificates, CRLs and OCSP responses. On the other hand, one of my components that uses the ENGINE must open an SSL connection; the private key and the certificate are not used by the ENGINE. My question is, how can I set up an SSL connection without having the ENGINE used by the SSL connection? Thanks, Michiels Olivier
Re: SSL connection handshake and ENGINE
Well, it's my own ENGINE, not one provided by OpenSSL. BTW, the private key is a software private key, so I guess something is wrong with my ENGINE or the way I use the software private key.
Olivier

On Fri, 2003-07-18 at 18:26, Dr. Stephen Henson wrote:
On Fri, Jul 18, 2003, Michiels Olivier wrote:
> The problem is I didn't implement the decrypt function in my ENGINE. The
> decrypt used is the one from openssl. Why is the s_server able to
> decrypt the data and not my server?

I'm a little confused here. What is your setup? Are you using one of the supplied OpenSSL ENGINEs or writing your own? Is the private key in software or does it reside on the nCipher box?

The standard RSA decrypt routine won't work unless it has all the private key components in the RSA structure. This typically won't be true for hardware protected keys, which will redirect the operation to the hardware by customising some of the RSA operations.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSL connection handshake and ENGINE
The problem is I didn't implement the decrypt function in my ENGINE. The decrypt used is the one from openssl. Why is the s_server able to decrypt the data and not my server?
Olivier

On Fri, 2003-07-18 at 14:54, Dr. Stephen Henson wrote:
On Fri, Jul 18, 2003, Michiels Olivier wrote:
> Hi,
> I'm trying to have a client and a server communicate through an SSL
> connection. I've created a client certificate and a server certificate.
> They both use openssl but the server sets an ENGINE which I've developed
> myself. I've had to develop it to load private keys from my nCipher.
> When I'm using s_client and s_server with the certificates and keys I've
> created earlier everything works perfectly, but when I'm trying to
> connect the s_client to my server I receive this error:
> ERR_error_string: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac.
> When I'm debugging the code, it appears that the function
> RSA_eay_private_decrypt is unable to decrypt the server private key
> during the call of the RSA_padding_check_PKCS1_type_2 function.
>
> Is it possible that my ENGINE interferes during the decryption of the
> server private key? I've put logging messages in my ENGINE and it seems
> that nothing happened in it.
>
> What could be my problem?

It looks like the RSA decryption of the SSL premaster secret is failing. I suggest you try the ENGINE out with something like rsautl and possibly log the data before and after RSA encrypt client side, then see if the ENGINE can decrypt it properly.

Steve.
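The test Steve proposes, as an added example written for this page with the openssl CLI (it is not code from the thread): first confirm that the certificate the server presents and the private key it actually loads are the same key pair, since a server decrypting the premaster secret with the wrong key is one way to end up at "decryption failed or bad record mac"; then run the PKCS#1 v1.5 encrypt/decrypt round trip that the RSA key exchange performs, with the client half done against the certificate's public key and the server half against the key file. The self-signed test certificate, its key and a second unrelated key are constructed here; to test an ENGINE-loaded key you would point the decrypt step at that key instead (the example assumes a software key file).

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the test Steve proposes with the
# openssl CLI: is the key the server loads really the key behind its certificate, and can
# that key recover a PKCS#1 v1.5-encrypted premaster secret? The certificate, the matching
# key and a second unrelated key are generated here as stand-ins.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=test-server" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1

# Returns 0 when the certificate's SubjectPublicKeyInfo equals the public half of KEY.
# Comparing the PEM-encoded public keys is exact: any difference in modulus or exponent
# changes the encoding.
key_matches_cert() {   # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Client side: encrypt a constructed premaster secret (2-byte protocol version followed by
# 46 random bytes, as in the RSA key exchange) to the certificate's public key with
# PKCS#1 v1.5 padding. Server side: decrypt it with KEY. Returns 0 only when the
# plaintext round-trips; a wrong key either fails the padding check or, with OpenSSL's
# implicit-rejection countermeasure, yields unrelated bytes, and both are reported as 1.
premaster_roundtrip() {   # premaster_roundtrip CERT KEY
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    { printf '\003\003'; openssl rand 46; } > "$WORK/pms.bin"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/pms.bin" -out "$WORK/pms.enc"
    rm -f "$WORK/pms.dec"
    openssl pkeyutl -decrypt -inkey "$2" -in "$WORK/pms.enc" \
        -out "$WORK/pms.dec" 2>/dev/null || return 1
    cmp -s "$WORK/pms.bin" "$WORK/pms.dec"
}

for key in server.key other.key; do
    if key_matches_cert "$WORK/server.crt" "$WORK/$key"; then
        echo "$key: matches server.crt"
    else
        echo "$key: does NOT match server.crt"
    fi
    if premaster_roundtrip "$WORK/server.crt" "$WORK/$key"; then
        echo "$key: premaster secret decrypted correctly"
    else
        echo "$key: premaster secret decryption FAILED"
    fi
done
```

If the first check passes for the key the ENGINE returns but the round trip fails, the key material is fine and the fault is in the ENGINE's decrypt path, which is the distinction Steve's reply draws between a software RSA structure with all components present and a hardware key that must redirect the operation.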
Re: Extracting Issuer Certificate
No, you don't have the issuer certificate included in your certificate, you only have the issuer distinguished name.

On Friday 07 February 2003 15:44, openssl utilisateur wrote:
> hi again
> thx for your reply
> what i am asking about is how to extract the issuer certificate if it was
> included with the certificate
> thx again
>
> > From: Rich Salz <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: openssl utilisateur <[EMAIL PROTECTED]>
> > CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > Subject: Re: your mail
> > Date: Fri, 7 Feb 2003 09:27:22 -0500 (EST)
> >
> > > could someone tell me how to extract the certification path from an
> > > ordinary certificate (X509 certificate)
> >
> > The certificate doesn't have a path, it just has the DN of its issuer.
> > You have to calculate the path yourself by getting the cert of
> > the issuer, following up the chain, and so on. (I.e., no path, just the
> > first step. :)
> >
> > It gets very complicated if one CA is certified by two other CA's: this
> > is called cross certification and makes the path analysis much harder.
> > /r$
--
Michiels Olivier
Senior Development Engineer
GlobalSign
http://www.globalsign.net
Re: Rep:Re: IBM 4758 engine status?
This driver is working. You have to recompile it before using it. But the problem is that it is not the shared object needed by the openssl ENGINE.
Michiels Olivier

On Friday 20 December 2002 09:30, Jean Pierre Cognasse wrote:
> Hello,
>
> I did not read your conversation from the start but did you try the
> driver from
> http://oss.software.ibm.com/developerworks/opensource/4758/index.html ?
>
> I'm very concerned about using the linux driver because I would like to use
> it under QNX V6 and I don't understand exactly what I need in addition
> to use the linux driver.
>
> Jipé
>
> Original message
> From: Arne Ansper <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: 19/12/02
> Subject: Re: IBM 4758 engine status?
>
> > > Do you know if one exists in the open community? I've done a
> > > preliminary port but there are still a few lingering problems...
> >
> > no i do not know. you might try to ask from ibm again.
> >
> > arne
Re: question!!
I don't know about OpenSSL, but with OpenLDAP you can.

On Thu, 2002-11-28 at 14:43, Touria Zaddaoui wrote:
> Hi everybody,
> I have a question about openssl and LDAP: is there any option with openssl
> that can be used to publish an openssl-generated certificate to an LDAP
> directory? I'll be very grateful if I get an answer.
> Thanks to all
Re: OCSP (Online Certificate Status Protocol)
Yes, version 0.9.7 of OpenSSL includes OCSP. But what do you want to do with OCSP? Do you want to implement an OCSP client or an OCSP responder?
Michiels Olivier

On Fri, 2002-11-22 at 12:34, HASEGAWA Takashi wrote:
> Hello.
>
> I have a question.
>
> I want to use OCSP (Online Certificate Status Protocol).
> Does OpenSSL have OCSP?
>
> What must I do to use OCSP?
>
> Would you like to tell me?
Re: OCSP
Hi, the best way to understand how the OCSP APIs work is to read the ocsp.c file. I wrote my own responder with this file as a base.
Michiels Olivier

On Mon, 2002-11-18 at 11:20, Jiří Olša wrote:
> hello,
>
> i'm writing an OCSP responder, and i can't find any documentation
> about the OpenSSL OCSP API... is there anything?
> How could one get it?
>
> thanx for answers
>
> Jiri Olsa
Shared object for the 4758 CCA
Hi, I'm looking for the libCSUNSAPI.so file in order to use the openssl engine with my IBM 4758 CCA device. Can you tell me where I can find it??? Thanks, Michiels Olivier
Re: OCSP and netscape 7 or mozilla
Thanks for your response, but my problem was not related to the signature but to the time on my server (incorrect time). So, thanks for your help anyway.
Michiels Olivier

Perry The Cynic wrote:
> On Mon, Oct 21, 2002 at 07:41:42AM +0200, Michiels Olivier wrote:
> > Hi, my certificate is verified without OCSP and all my roots are there. Do I have to install the certificate that signs the OCSP response?
>
> Well, verifying the OCSP response means verifying the cert chain of its signer. That can be either the CA for the cert you're inquiring about, in which case Mozilla should already have it (how else did it verify the cert?). If the OCSP response is signed by a designated responder key, you may have to explicitly stuff that cert into Mozilla. I don't think the response contains that cert in the default case. If you set Mozilla into "verify everything with that server over there" mode, you are fully responsible for establishing the cert hierarchy for that key, of course.
>
> Cheers
> -- perry
>
> > Thanks, Michiels Olivier
> >
> > Perry The Cynic wrote:
> > > Make sure the browser has the necessary root and intermediate certificates to verify the OCSP response. The local OCSP test has access to your cert database, but Mozilla doesn't unless you explicitly provided them (by sticking them into a PKCS7 when you imported the root cert, or imported them explicitly).
> > >
> > > Cheers
> > > -- perry
> > >
> > > --On Friday, October 18, 2002 9:45 AM +0200 Michiels Olivier <[EMAIL PROTECTED]> wrote:
> > > > Hi, I've just implemented an OCSP responder and I want to test it with netscape or mozilla. Both browsers return that the certificate cannot be verified for an unknown reason, but when I use the ocsp client of openssl it works. Any idea?
> > > > Michiels Olivier
> ---
> Perry The Cynic [EMAIL PROTECTED]
> To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
Re: OCSP and netscape 7 or mozilla
Do you also believe that this is a mistake in Mozilla?
Michiels Olivier

Francisco Perez Botella wrote:
> On Fri 18 Oct 2002 09:45, Michiels Olivier wrote:
> > Hi, I've just implemented an OCSP responder and I want to test it with netscape or mozilla. Both browsers return that the certificate cannot be verified for an unknown reason, but when I use the ocsp client of openssl it works. Any idea?
> > Michiels Olivier
>
> we got the same response the other day trying to import a pkcs12 made with openssl and signed by our own ca (that is listed in organizations and accepted)
OCSP and netscape 7 or mozilla
Hi, I've just implemented an OCSP responder and I want to test it with netscape or mozilla. Both browsers return that the certificate cannot be verified for an unknown reason, but when I use the ocsp client of openssl it works. Any idea? Michiels Olivier
My own ENGINE for NFast
Original Message
Subject: My own ENGINE for NFast
Date: Wed, 02 Oct 2002 15:54:20 +0200
From: Michiels Olivier <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: Openssl Users <[EMAIL PROTECTED]>

Hi, I'm writing my own NFast ENGINE because the chil interface does not provide me enough functionality. Right now I have implemented the two functions hwnfast_load_privkey and hwnfast_load_pubkey. I can load keys with those functions but I don't know how to fill the EVP_PKEY data structure. The reference to my private key is a pointer to an NFast-specific structure (M_KeyID) and the public key is in a buffer. I've looked at the code of hw_ncipher but I think I can't use it like that. The keys are stored this way: I have two files (hash, blob) that contain the private key protected by a logical token, and the public key is stored in a pem file. My question is, how do I create the two EVP_PKEYs in my implementation?
Thanks, Michiels Olivier
Signature and ENGINE
Hi everybody, I'm curious to know how I can sign something using an ENGINE. When I look in the x509.c code, I see the setup_engine function, but the variable 'e' is not used in the rest of the code. Is that normal? Why initialize an ENGINE and not use it? Thanks, Michiels Olivier
Re: Validity period of certificates
Hi, take the BEGIN CERTIFICATE to END CERTIFICATE part, put it in a file, then do: openssl x509 -in yourfile -text. You will see the start and the end date at the beginning of the response. Hope this helps,
Michiels Olivier

Radboud Platvoet wrote:
> Hi everyone,
>
> I would like to know if there is a way to find out for what period a
> certificate is valid (ie: the start and end date).
>
> This is the certificate from which I'd like to determine the validity period:
>
> -----BEGIN RSA PRIVATE KEY-----
> MIICXQIBAAKBgQDHbmDreHdsfXmdgiveojbx2hVrJPvzxzQ0Ug6g0KxOYUVSSLbs
> xBCW5PGQEn6a++AI6SMt13MTidpUJZmiPiOB2/D7Lg1YMJNQgJ8VfpzWESvgtQCV
> 6txwVWz0gGSnmJ8EkLhaY0t57PhrEqM2RpZKgiBl08bueXCazblhWpyvOQIDAQAB
> AoGAB33wCiiGY/76uJ4RQ9XYNpG4yEOla20KWwTSI9xy/KbO0d6FcLOU4/ZJ1N28
> /9mCexM3DRvQ6OT+3LZk5SFsd/1dOEi+P5rhIOAe/0VReiS5oIlhqr6lhOF4/WHp
> OZwglVDuB1U+zqX3fb6exkBlfcg8nv/iaI7GrxRl+ib9bWECQQD3crtg8DkLXT1o
> zwqgNyobPQgv0TJaCHAIub/XVjN2jkTU6HJPrPh6RUBTPAx/pW5CSuxGqcRDRgan
> RP6Zqu8NAkEAzlLSauaZhGGQXROxaac8Q7v423e/CTXKwCHAhkOIlKHBcq2Qzvo6
> PrHzAKYVsOx5fwMZATe86Kz8OeSgoCFV3QJATILFPWwJt2HVIxshhfiIpHNynJZq
> ozwIqCoHD2Yv83B6B/r3nXs2OVhAU3w1wSI9vXG9LPxBGywD0qSatJkN4QJBAMoR
> MUVDLU0KpHGUDOhVwl7wJO0EnRNvHHAJXl3gnE49EZG3zR/4z7yBWWXkQ1AweVlc
> dkvMA/a5HJmygWHy4/0CQQCybDrUXfLGmfCL3R95fc3/XfHF+VodnfZoWY09hjQO
> wYPK/0sAatyAW4I9ks0XCoWbPBJEOueX5TAixPhh0pkn
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> MIICkzCCAfygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCTkwx
> FTATBgNVBAgTDFp1aWQgSG9sbGFuZDESMBAGA1UEBxMJUm90dGVyZGFtMRMwEQYD
> VQQKEwpEaWdpdm94IEJWMSEwHwYDVQQLExhSZXNlYXJjaCBhbmQgRGV2ZWxvcG1l
> bnQxETAPBgNVBAMTCFMyU2VydmVyMB4XDTAyMDkyNzA3MzM1NFoXDTAzMDkyNzA3
> MzM1NFowgYMxCzAJBgNVBAYTAk5MMRUwEwYDVQQIEwxadWlkIEhvbGxhbmQxEjAQ
> BgNVBAcTCVJvdHRlcmRhbTETMBEGA1UEChMKRGlnaXZveCBCVjEhMB8GA1UECxMY
> UmVzZWFyY2ggYW5kIERldmVsb3BtZW50MREwDwYDVQQDEwhTMlNlcnZlcjCBnzAN
> BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx25g63h3bH15nYIr3qI28doVayT788c0
> NFIOoNCsTmFFUki27MQQluTxkBJ+mvvgCOkjLddzE4naVCWZoj4jgdvw+y4NWDCT
> UICfFX6c1hEr4LUAlerccFVs9IBkp5ifBJC4WmNLeez4axKjNkaWSoIgZdPG7nlw
> ms25YVqcrzkCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEB
> BAUAA4GBAA4al9nd/lph0P+RKoOfDPZXLFf1kfU7dHJIrXR5F9HvhVuVNyFLNyTO
> JXq8M/mcPM9eGNEfOwdGjHZCM91pduauvTZ6rqUOHIDV5oQdqVsCEMdZa5t2aTS+
> g+ffMr6+aAm+ax3eU3/5tk1T2RkVOsIFEYCymiaMcXsVCFUvi/Pn
> -----END CERTIFICATE-----
>
> Any help is greatly appreciated!
>
> Thanks,
> Radboud
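The answer above gives the manual route; the following is an added example written for this page (not code from the list) that turns the same question into something a monitoring job can run: it prints the validity window directly and uses -checkend so the "does it expire within N seconds" decision is made by openssl rather than by shell date parsing. It also shows that the key+certificate bundle can be handed to openssl x509 as posted, because the PEM reader skips blocks it was not asked for. The one-day self-signed certificate generated here stands in for the one in the mail. One caveat for readers of the archive: the private key quoted above was sent to a public list, so that key pair has to be treated as compromised regardless of what the certificate's dates say.

```shell
#!/bin/sh
# Added example, not code from the list: read a certificate's validity window and turn it
# into the pass/fail check a monitoring job wants, using only openssl x509 options. The
# one-day self-signed certificate generated here is a stand-in for the one in the mail.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=validity-demo" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# notBefore/notAfter only, i.e. the "Validity" block of -text without the rest of the dump.
# PEM_read skips blocks it is not asked for, so FILE may be the key+cert bundle as posted;
# cutting the CERTIFICATE block out by hand is not required.
validity() {   # validity FILE
    openssl x509 -in "$1" -noout -dates
}

# Returns 0 if the certificate is still valid SECONDS from now, 1 if it will have expired.
# -checkend does the date arithmetic inside openssl, so no shell date parsing is needed.
valid_for() {   # valid_for FILE SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/bundle.pem"
validity "$WORK/bundle.pem"
if valid_for "$WORK/bundle.pem" $((30 * 24 * 3600)); then
    echo "OK: more than 30 days left"
else
    echo "WARNING: expires within 30 days"
fi
```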
OpenSSL engine NFast
Hi, I'm trying to understand how the engine object works with openssl-engine. I'm using an NFast crypto device (chil) and when I look into hw_ncipher.c I find three interesting functions:

    static int hwcrhk_insert_card(const char *prompt_info, const char *wrong_info,
        HWCryptoHook_PassphraseContext *ppctx, HWCryptoHook_CallerContext *cactx);
    static int hwcrhk_get_pass(const char *prompt_info, int *len_io, char *buf,
        HWCryptoHook_PassphraseContext *ppctx, HWCryptoHook_CallerContext *cactx);
    static void hwcrhk_log_message(void *logstr, const char *message);

How can I use them? They are all static. I found that they are in the HWCryptoHook_InitInfo hwcrhk_globals structure, but how can I get access to this structure? Does the engine process call them automatically, or do I have to specify somewhere when I want the user to enter a physical token? Thanks for your help, Michiels Olivier
Openssl Engine
Hi, currently I have an application that creates keys, certificate requests and certificates using NFast and openssl-0.9.5. I've updated my code to use openssl-engine. Everything works perfectly with some modifications. Now, I would like to use the ENGINE concept with my NFast. I've already understood that the identifier of my ENGINE is chil and I've written some code to test whether I can get a new pointer to an ENGINE structure. What I would like to know is how to use this ENGINE pointer with my existing code, for example, what are the commands available for the NFast. I've tried this little code but it doesn't work.

    #include <stdio.h>
    #include <openssl/engine.h>
    #include <openssl/err.h>

    int main(int argc, char *argv[])
    {
        ENGINE *e;
        BIO *err;

        ENGINE_load_builtin_engines();
        /* argv[1] is the engine id, "chil" here */
        if ((e = ENGINE_by_id(argv[1])) == NULL) {
            fprintf(stderr, "Error for: %s\n", argv[1]);
            return -1;
        }
        err = BIO_new_fp(stderr, BIO_NOCLOSE);
        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
            BIO_printf(err, "can't use that engine\n");
            ERR_print_errors(err);
            ENGINE_free(e);
            return -1;
        }
        BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
        /* this is the call that fails; the ENGINE error strings are not loaded,
         * hence the numeric func()/reason() in the output below */
        if (ENGINE_ctrl_cmd_string(e, "get_passphrase", "Password:", 0) == 0) {
            ERR_print_errors(err);
            ENGINE_free(e);
            return -1;
        }
        /* Free our "structural" reference. */
        ENGINE_free(e);
        return 0;
    }

The output is as follows:

    engine "chil" set.
    25983:error:260AC089:engine routines:func(172):reason(137):eng_ctrl.c:136:
    25983:error:260AB089:engine routines:func(171):reason(137):eng_ctrl.c:314:

I need to ask for passwords in order to have my NFast working. How can I do that?
Thanks
Michiels Olivier