Preamble Change with PKCS12 -> PEM

2010-06-09 Thread Robinson, Richard L (Rick)
I was evaluating openssl-1.0.0a and performed a PKCS12 conversion to PEM
using the following command:

openssl pkcs12 -in myfile.p12 -nodes -out myfile.pem

However, I noticed that in the resulting PEM file the preamble for the
resulting private key displayed "-----BEGIN PRIVATE KEY-----".

If I performed the same command using openssl-0.9.8k, the preamble for
the private key is displayed as "-----BEGIN RSA PRIVATE KEY-----" (which
is consistent with prior versions of openssl).

I also noticed that the extracted private key is different when I use
1.0.0a. It is smaller but the certificate extracted from the p12 file is
the same for both versions of openssl.

I believe this may be due to a FIPS flag, but I cannot confirm that in
reviewing the config files or code (but it may be there).

Does anybody know why the preamble and private key are different when I
use 1.0.0a (it is causing me some import problems of the private key
with other software)?

Thanks,


Rick Robinson CISSP, ISSAP |
Senior Security Architect |
Distinguished Member of Technical Staff |
Technology, Strategy, and Development |
Avaya Inc. |
1300 West 120th Ave | B2-D31 | Westminster, CO 80234 |
Voice/Fax 303-538-0749 | ri...@avaya.com | PGP KeyID 0x0610169B |

 A New Era of Intelligent Communications 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
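The two labels name different DER structures, not just different header text: "-----BEGIN RSA PRIVATE KEY-----" holds a PKCS#1 RSAPrivateKey, while "-----BEGIN PRIVATE KEY-----" holds a PKCS#8 PrivateKeyInfo that wraps that same RSAPrivateKey in an OCTET STRING behind an AlgorithmIdentifier. The Python below is an added example, not code from the thread or from OpenSSL: it reads the DER to tell the two apart and unwraps the PKCS#8 form into the traditional one (the same unwrap `openssl rsa -in key.pem -out key-rsa.pem` performs for an unencrypted key on the 1.0.x series), with a constructed toy key (p = 11, q = 17) as input.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")     # rsaEncryption, 1.2.840.113549.1.1.1

def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def read_tlv(buf, pos=0):
    # Returns (tag, contents, position after the element); handles long-form lengths.
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7f)], "big"), pos + (ln & 0x7f)
    return tag, buf[pos:pos + ln], pos + ln

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def key_structure(pem):
    # PKCS#8: SEQ { INT version, SEQ AlgorithmIdentifier, OCTET STRING }; PKCS#1: SEQ { INT version, INT n, INT e, ... }.
    tag, body, _ = read_tlv(pem_decode(pem)[1])
    assert tag == 0x30, "outer element must be a SEQUENCE"
    _, _, pos = read_tlv(body)                 # skip the version INTEGER
    second, inner, _ = read_tlv(body, pos)
    if second == 0x30:
        return "pkcs8" if read_tlv(inner)[1] == RSA_OID else "pkcs8-non-rsa"
    return "pkcs1" if second == 0x02 else "unknown"

def pkcs8_to_pkcs1(pem):
    # Drop the PrivateKeyInfo wrapper and relabel the inner RSAPrivateKey.
    _, body, _ = read_tlv(pem_decode(pem)[1])
    _, _, pos = read_tlv(body)                 # version
    _, _, pos = read_tlv(body, pos)            # AlgorithmIdentifier
    tag, rsa_der, _ = read_tlv(body, pos)      # privateKey OCTET STRING
    assert tag == 0x04, "expected the privateKey OCTET STRING"
    return pem_encode("RSA PRIVATE KEY", rsa_der)

# Constructed toy RSAPrivateKey (p = 11, q = 17, e = 3; not a usable key) in both framings.
TOY_PKCS1 = der_tlv(0x30, b"".join(der_tlv(0x02, v) for v in
    [b"\x00", b"\x00\xbb", b"\x03", b"\x6b", b"\x0b", b"\x11", b"\x07", b"\x0b", b"\x02"]))
TOY_PKCS8 = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, der_tlv(0x06, RSA_OID)
    + b"\x05\x00") + der_tlv(0x04, TOY_PKCS1))
```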


RE: Dynamic engine / smart card support for CSR generation

2005-07-09 Thread Robinson, Richard L (Rick)
I truly appreciate the help.

I reviewed the certsc.cnf file and made sure I exactly duplicated the
recommended additions including using "engines" instead of "engine."

But I am still having a few problems...

Here is what I have in my config file (certsc.cnf):

---

openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[ engine_section ]
dynamic = dynamic_section

[ dynamic_section ]
engine_id = dynamic
SO_PATH = /usr/lib/opensc/engine_pkcs11.so
ID = pkcs11
LIST_ADD = 1
NO_VCHECK = 1
LOAD = EMPTY

---

The error codes have changed.  I am pretty sure this is a parsing
problem.  But I am not sure where to go next.  Here are the errors I am
now getting.

---

Using configuration from certsc.cnf
Error configuring OpenSSL
7683:error:0E07406D:configuration file routines:CONF_modules_load:module
initialization error:conf_mod.c:234:module=engines,
value=engine_section, retcode=-1 

---

Any further recommendations?  Is there a tool that will verbosely parse
the config file and provide some more detail on the meaning of the
return code (-1)?  Or any other tools you recommend? 

If it makes any difference, I am using 0.9.7g.

Regards,
Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
Sent: Saturday, July 09, 2005 2:17 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Dynamic engine / smart card support for CSR
generation

Robinson, Richard L (Rick) wrote:
> I am still running into a few problems and am hoping for a little more
> debugging assistance.
> 
> I created these entries in my configuration file (certsc.cnf):
> 
> 
> engine = engine_section
> 
> [ engine_section ]
> smartcard = smartcard_engine
> 
> [ smartcard_engine ]
> engine_id = smartcard
> SO_PATH = /usr/lib/opensc/engine_pkcs11.so
> MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
> ID = smartcard
> LIST_ADD = 1
> NO_VCHECK = 1
> LOAD = EMPTY
> 

As Erwann Abalea already told you, you need something like:

openssl_conf = openssl_init;

[openssl_init]
engines = engine_section;
...

in your conf (btw: it should be "engines" and not "engine"). The
"openssl_conf" and "engines" entries are mandatory; without them openssl
won't find/parse the engine section.

Nils
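As an added example (not from this thread or from OpenSSL), the Python below is the kind of verbose checker asked for above: it parses the [section] / key = value layout and follows the chain Nils describes (openssl_conf, then engines, then each engine section), reporting the two slips seen in this thread, the key 'engine' where the module is called 'engines', and an SO_PATH under an engine id other than 'dynamic', which is why the earlier attempt went looking for libsmartcard.so. The sample configs are constructed from the ones quoted here, trimmed to the keys the checker inspects; it does not diagnose the retcode=-1 seen after the keys were corrected.

```python
import re
def parse_openssl_conf(text):
    # Minimal reader for the [section] / key = value layout; '#' starts a comment.
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_engine_chain(text):
    # Follow default -> openssl_conf -> engines -> each engine section and report what breaks.
    conf, problems = parse_openssl_conf(text), []
    init = conf["default"].get("openssl_conf")
    if init is None:
        problems.append("default section lacks 'openssl_conf = <init section>'")
        init = "default"                      # still inspect whatever is there
    init_sec = conf.get(init)
    if init_sec is None:
        return problems + [f"openssl_conf names a missing section [{init}]"]
    if "engine" in init_sec and "engines" not in init_sec:
        problems.append(f"[{init}] uses key 'engine'; the config module is called 'engines'")
    eng = init_sec.get("engines", init_sec.get("engine"))
    if eng is None:
        return problems + [f"[{init}] has no 'engines = <section>' entry"]
    if eng not in conf:
        return problems + [f"engines names a missing section [{eng}]"]
    for name, sect in conf[eng].items():
        body = conf.get(sect)
        if body is None:
            problems.append(f"engine '{name}' names a missing section [{sect}]")
            continue
        eid = body.get("engine_id", name)     # engine_id overrides the entry name
        if "SO_PATH" in body and eid != "dynamic":
            problems.append(f"[{sect}] gives SO_PATH but its engine id is '{eid}', not 'dynamic'")
    return problems

# Constructed from the two configs in this thread, trimmed to the keys the checker inspects.
BROKEN = ("engine = engine_section\n[ engine_section ]\nsmartcard = smartcard_engine\n"
          "[ smartcard_engine ]\nengine_id = smartcard\nSO_PATH = /usr/lib/opensc/engine_pkcs11.so\n")
FIXED = ("openssl_conf = openssl_init\n[openssl_init]\nengines = engine_section\n"
         "[ engine_section ]\ndynamic = dynamic_section\n[ dynamic_section ]\n"
         "engine_id = dynamic\nSO_PATH = /usr/lib/opensc/engine_pkcs11.so\n")
```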


RE: [openssl-users] Dynamic engine / smart card support for CSR generation

2005-07-08 Thread Robinson, Richard L (Rick)
I am still running into a few problems and am hoping for a little more
debugging assistance.

I created these entries in my configuration file (certsc.cnf):


engine = engine_section

[ engine_section ]
smartcard = smartcard_engine

[ smartcard_engine ]
engine_id = smartcard
SO_PATH = /usr/lib/opensc/engine_pkcs11.so 
MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
ID = smartcard 
LIST_ADD = 1 
NO_VCHECK = 1 
LOAD = EMPTY


And then I made the following OpenSSL call... 

---
openssl req \
-config $ConfigFile \
-engine smartcard \
-newkey rsa:1024 
#   -new \
-sha1 \
-key id_45 \
-keyform engine \
-text \ 
-out certsc.csr
---

But received these error message...


invalid engine "smartcard"
6779:error:2606A074:engine routines:ENGINE_by_id:no such
engine:eng_list.c:379:id=smartcard
6779:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
shared library:dso_dlfcn.c:153:filename(libsmartcard.so):
libsmartcard.so: cannot open shared object file: No such file or
directory
6779:error:25070067:DSO support routines:DSO_load:could not load the
shared library:dso_lib.c:244:
6779:error:260B6084:engine routines:DYNAMIC_LOAD:dso not
found:eng_dyn.c:365:


It seems as if the engine 'smartcard' is not recognized.

Any suggestions would be greatly appreciated.


Regards,
Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Erwann ABALEA
Sent: Friday, July 08, 2005 9:08 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Dynamic engine / smart card support for CSR
generation

Hello,

Today, 8 July 2005, Robinson, Richard L (Rick) wrote:
> I get errors indicating the engine (pkcs11) is not known.  This sort
> of makes sense if the engine was discarded once the previous command
> was exited.  I have tried various engine IDs but have had no luck.

Use the autoconfig feature of OpenSSL. Update your openssl.cnf file, by
adding this:

-
openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engine = engine_section

[ engine_section ]
dynamic = dynamic_section

[ dynamic_section ]
engine_id = dynamic
SO_PATH = /usr/lib/opensc/engine_pkcs11.so
ID = pkcs11
LIST_ADD = 1
NO_VCHECK = 1
LOAD = EMPTY
-

adjust the commands to your specific case, then set the environment
variable OPENSSL_CONF to point to this openssl.cnf file, and you'll be
able to use 'openssl req' as usual.

I don't know how the change of ENGINE id will perform with the rest, but
you should now go a little farther.

--
Erwann ABALEA <[EMAIL PROTECTED]>


Dynamic engine / smart card support for CSR generation

2005-07-08 Thread Robinson, Richard L (Rick)
All - 

I am working to integrate a smart card as part of a certificate request
on Linux with OpenSSL but I am having a hard time using a script file to
keep the engine loaded AND use it for a certificate request.

Interactively with OpenSSL everything works fine.  I can load the engine
with one command (engine) and submit the request with another openssl
command (req)... But both of these commands must be performed without
exiting the openssl prompt.

However, from a script file perspective, I am not able to figure out how
to get the "openssl REQ -engine" command to remember or reload the
dynamic engine.  Any help would be appreciated.

Specific Details:
I can issue this command which dynamically loads the engine:

openssl engine dynamic -vvv -pre
SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1
-pre NO_VCHECK:1 -pre LOAD

And it works great.

But if I follow that command with this separate openssl command (from
the linux prompt):

openssl req -config cert.cnf -engine pkcs11 -newkey rsa:1024 -sha1 -key
id_45 -keyform engine -text -out csr.pem

I get errors indicating the engine (pkcs11) is not known.  This sort of
makes sense if the engine was discarded once the previous command was
exited.  I have tried various engine IDs but have had no luck.

So... I am open to ideas.  How can I keep the engine loaded?  How can I
find out what "engine IDs" are valid for the "openssl req -engine
engine_id" command?  How can I make the pkcs11 engine "static?"

Any suggestions or advice would be appreciated.  It seems as though I
am very close.


Thanks,
Rick

[EMAIL PROTECTED]

 




RE: testing for primality

2003-06-05 Thread Robinson, Richard L (Rick)
Thanks.

Found the paper after some additional searching.

Met Rivest at RSA Conf.  Nice guy.

No need for long teeth.

Rick

-Original Message-
From: Charles B Cranston [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: Re: testing for primality


Robinson, Richard L (Rick) wrote:

 > I checked the RSA web site and could not find the paper you
 > are referencing.  Could you please forward me a link?

I really don't see how you could have missed it.  It is only the
10th listing on their Technical Notes page:

http://www.rsasecurity.com/rsalabs/technotes/index.html

There are links to both PS and PDF under the title:

Are 'Strong' Primes Needed for RSA?

Paraphrased from the abstract:

We argue that...it is unnecessary to use strong primes in the
RSA cryptosystem...There are two parts to this argument.
First, the use of strong primes provides NO ADDITIONAL
PROTECTION against factoring attacks, because Lenstra's method
of factoring based on elliptic curves (ECM) circumvents any
protection that might have been offered using strong primes...

[emphasis added]  The authors are Ronald L Rivest and Robert D
Silverman.  Rivest is, I hope all realize, the R in RSA...

For those of us really long in the tooth, the A is the same
Adelman (sp?) as in AVL balanced binary trees.  I wonder if
Vel'ski-Landis (REAL sp?) is still active?

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben



RE: testing for primality

2003-06-04 Thread Robinson, Richard L (Rick)
I checked the RSA web site and could not find the paper you are referencing.  Could 
you please forward me a link?

Thanks,
Rick

-Original Message-
From: Charles B Cranston [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 10:04 AM
To: [EMAIL PROTECTED]
Subject: Re: testing for primality


With the advent of elliptically-based factoring methods, there ARE
no strong primes.  That is a technologically obsolete concept.

There is a paper at RSA Labs that explains this.

Synopsis: the concept of "strong" primes was with respect to the best
performing factoring algorithm at the time.  If this algorithm failed,
it was called "strong".  The analogous method can be used but using
an elliptical curve.  For any given pair of primes, an attack with a
particular elliptical curve can succeed or fail, but there are an
unlimited number of elliptical curves, and at the time the paper was
written there was no known "strong set" of prime pairs that were strong
with respect to ALL elliptical curves.

Therefore, you try to factor with one elliptical curve, if it fails,
you can try another elliptical curve, etc, and there is no set of
prime pairs that is any more or less vulnerable to this technique,
that could be called "strong".

Hope I got that right -- it has been more than a year since I read
the paper.

Robinson, Richard L (Rick) wrote:

> When OpenSSL creates a public/private RSA key pair, does it test to
> see if the keys were created using strong primes (or primes at all)?
> If so, how?

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

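The argument above, as an added example that is not part of the thread: Pollard's p-1 method succeeds only when p - 1 is smooth, which is exactly what "strong" primes were defined to prevent, while Lenstra's ECM swaps the fixed group modulo p for a random elliptic-curve group whose order changes with every curve, so a prime that is "strong" for one curve is ordinary for the next. The moduli are constructed toy values (products of primes near 2000) and the code is written for this page, not taken from the paper or from OpenSSL.

```python
from math import gcd, lcm
import random
def pollard_pm1(N, B):
    # Finds p | N only when p - 1 divides lcm(1..B), i.e. p - 1 is B-smooth; a "strong" p defeats it.
    return gcd(pow(2, lcm(*range(1, B + 1)), N) - 1, N)

class Factor(Exception):
    pass

def ec_add(P, Q, a, N):
    # Affine addition on y^2 = x^3 + a*x + b mod N; a failed inversion reveals a factor of N.
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % N == 0:
        return None                              # P + (-P): the point at infinity
    num, den = (3 * x1 * x1 + a, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    g = gcd(den % N, N)
    if g != 1:
        raise Factor(g)
    lam = num * pow(den % N, -1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return x3, (lam * (x1 - x3) - y1) % N

def ec_mul(k, P, a, N):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P, k = ec_add(P, P, a, N), k >> 1
    return R

def lenstra_ecm(N, B, curves=400, seed=1):
    # Each random curve has its own group order mod p, so no p is "strong" against all of them.
    rng, k = random.Random(seed), lcm(*range(1, B + 1))
    for _ in range(curves):
        x, y, a = [rng.randrange(1, N) for _ in range(3)]
        b = (y * y - x ** 3 - a * x) % N
        g = gcd(4 * a ** 3 + 27 * b * b, N)
        if 1 < g < N:
            return g                             # singular curve: the discriminant already split N
        try:
            ec_mul(k, (x, y), a, N)              # k*P is infinity mod p once the order of P mod p divides k
        except Factor as f:
            if f.args[0] != N:
                return f.args[0]
    return None

N_SMOOTH = 1009 * 2039   # constructed: 1009 - 1 = 2^4 * 3^2 * 7 is 20-smooth, 2039 = 2 * 1019 + 1
N_STRONG = 1907 * 2039   # constructed: both "strong" in the old sense, (p - 1) / 2 prime for each
```

With the same bound B = 20, p-1 splits N_SMOOTH at once and gets nowhere on N_STRONG, while ECM still finds a factor of N_STRONG after a handful of random curves.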


private key creation and checking

2003-01-22 Thread Robinson, Richard L (Rick)



When the private keys are created, are there checks performed to determine the
quality/primality of the keys?  If so, is there documentation on how the keys are
checked?

Thanks,
Rick Robinson
[EMAIL PROTECTED]