Error Using FIPS compliant OpenSSL Library Files in VC++ in Visual Studio 2005

2014-03-05 Thread Scott Thomas
Bonjour All, 

I had successfully compiled FIPS compliant OpenSSL and got 
libeayfips32.lib and ssleay32.lib with the complete module on the path
 C:\usr\local\ssl\fips2.0\. I followed these steps: 

== 
1. Compile openssl-fips2.0 
== 
Open Visual Studio 2008 Command Prompt. 
cd openssl-fips2.0\ 
ms\do_fips [no-asm] 
        
Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0 
        
=== 
2. Integrate compiled openssl-fips2.0 in openssl-1.0.1e 
=== 
Open Visual Studio 2008 Command Prompt. 
cd openssl-1.0.1e\ 
perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0 
ms\do_nasm 
nmake -f ms\nt.mak 
nmake -f ms\nt.mak install 
        
Compiled FIPS compliant OpenSSL exe is located at 
C:\usr\local\ssl\bin\openssl.exe 
Compiled FIPS compliant OpenSSL libeay32.lib and ssleay32.lib are located at 
C:\usr\local\ssl\lib\ 
Compiled FIPS compliant OpenSSL libeay32.dll and ssleay32.dll are located at 
C:\usr\local\ssl\bin\ 


But I am facing issues in using them with Visual C++ in 
Visual Studio 2005. Normal versions of libeay32.lib and ssleay32.lib 
work 100% fine with me. I want to simulate the tests and want to compile
 the source (C:\openssl-fips-2.0\fips\sha\fips_shatest.C) in my VC++ 
VC2005 console application. 

Create a new VC++ win32 console application project. In the 
resource files, add the compiled fips module files libeayfips32.lib 
and ssleay32.lib from C:\usr\local\ssl\fips2.0\lib\. 
In the Source files, add the code file from the source code of 
C:\openssl-fips-2.0\fips\sha\fips_shatest.C. Right click on the source 
file and click properties. In the General section add the include files 
path and set them to C:\usr\local\ss\include\ and 
C:\usr\local\ssl\fips2.0\include\ and I am not using the precompiled 
headers option. 

When I compile the application I get the following long list of errors: 

error LNK2001: unresolved external symbol _FIPS_digestfinal           libeayfips32.lib
error LNK2001: unresolved external symbol _FIPS_drbg_set_callbacks    libeayfips32.lib
error LNK2001: unresolved external symbol _FIPS_md_ctx_cleanup        libeayfips32.lib

error LNK2001: unresolved external symbol _EC_KEY_generate_key        libeayfips32.lib


Microsoft states that error LNK2001 occurs when code references something (such 
as a function, variable, or label) that the linker can't find in the 
libraries and object files. 

It means there is certainly some issue in the FIPS compiled 
libeayfips32.lib and ssleay32.lib files. Kindly help me in this 
regard.

Regards 
Scott Thomas 

Help regarding Compile FIPS compliant OpenSSL on Windows platform

2014-03-02 Thread Scott Thomas
 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
uid.c
cl /Fotmp32\o_time.obj  -Iinc32 -Itmp32 /MT /Ox /O2 /Ob2 -O /Fdout32 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zl -c .\crypto\o_time.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
o_time.c
cl /Fotmp32\o_str.obj  -Iinc32 -Itmp32 /MT /Ox /O2 /Ob2 -O /Fdout32 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zl -c .\crypto\o_str.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
o_str.c
.\crypto\o_str.c(66) : fatal error C1083: Cannot open include file: 'strings.h': No such file or directory
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\cl.EXE' : return code '0x2'
Stop.
Please help me to get fips enabled libeay32.dll


Scott Thomas

Extended\Enhanced Key usage in Sub CA Certificates

2011-01-29 Thread Scott Thomas
Bonjour,  
I had made a test 5 level CA and was doing Microsoft smart card logon from the 
end tier CA. I had a BIG BIG problem that my Sub CAs did not have the smart 
card logon extension in EKU, so my end entity certificates were unable to do 
SC logon. The error was that the client certificate chain certificates are not 
valid for intended usage. Actually the SC logon extension was missing in all 
upper layer Sub CA certs. I diagnosed it after a long time and included the 
desired extension in all my Sub CA certs. Actually Microsoft treats it like a 
constraint if an extension is not present. 

As there are a lot of extensions and, thinking about the evolution, many 
extensions will be created and used in future, so if I add a particular set of 
extensions in my Sub CA certs then in future I would set a constraint on 
my PKI solution and I would not be able to use these new extensions in end 
entity.


Is it the best solution to remove EKU in all my sub ca certs to avoid 
constraints ?


Waiting for Reply
Regards
Scott
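
The constraint behaviour described in the message above, as an added example that is not part of the original post: a simplified model in which a chain is usable for a purpose only if every certificate carrying an EKU lists that purpose, and a certificate without EKU adds no restriction. The certificate names and the hierarchy (root plus four subordinate CAs) are constructed for illustration.

```python
# Added illustration (not from the original post): simplified model of EKU
# nesting, where CA-level EKUs act as a constraint on certificates below them.
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth


def effective_ekus(chain):
    """Intersect the EKU sets along a chain (leaf first).

    Each entry is (name, eku); eku is a set of OIDs, or None when the
    certificate has no EKU extension. Returns None if nothing restricts.
    """
    allowed = None
    for _name, eku in chain:
        if eku is None:
            continue  # absent EKU: this certificate adds no restriction
        allowed = set(eku) if allowed is None else allowed & eku
    return allowed


def first_blocker(chain, purpose):
    """Name of the first certificate (leaf to root) whose EKU omits purpose."""
    for name, eku in chain:
        if eku is not None and purpose not in eku:
            return name
    return None


def chain_valid_for(chain, purpose):
    return first_blocker(chain, purpose) is None


def build_chain(sub_ca_eku, leaf_eku):
    """Constructed hierarchy: leaf, four subordinate CAs, self-signed root."""
    subs = [(f"SubCA{i}", sub_ca_eku) for i in (4, 3, 2, 1)]
    return [("EndEntity", leaf_eku)] + subs + [("RootCA", None)]


if __name__ == "__main__":
    leaf = {CLIENT_AUTH, SMARTCARD_LOGON}
    cases = {
        "sub CAs list only TLS purposes": {CLIENT_AUTH, SERVER_AUTH},
        "sub CAs also list smart card logon": {CLIENT_AUTH, SERVER_AUTH, SMARTCARD_LOGON},
        "sub CAs carry no EKU": None,
    }
    for label, sub_eku in cases.items():
        chain = build_chain(sub_eku, leaf)
        print(label, chain_valid_for(chain, SMARTCARD_LOGON),
              first_blocker(chain, SMARTCARD_LOGON), effective_ekus(chain))
```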


  

Custom Attributes in the Subject of X.509 Certificate

2011-01-12 Thread Scott Thomas
Bonjour All, 

First I explain the scenario. My domain name is, let's say, idtech.com. Under it 
I have created an ou=certificate users. Users are created under this OU.
So my FQDN of a user is CN=scott,OU=Certificate Users,DC=idtech,DC=com. The same 
FQDN is in the subject of the user certificate and SC logon is working fine.

If I want to add some custom attributes in the Subject of the X.509 certificate, 
let's say NIC=148795-89759 and EmpNo=AQ5116494,
then my Subject can become:
CN=scott,NIC=148795-89759,EmpNo=AQ5116494,OU=Certificate Users,DC=idtech,DC=com

Is it possible in OpenSSL ?

Regards
Scott Thomas


  

Re: [error] Certificate Verification: Error (34): unhandled critical extension

2010-06-11 Thread Scott Thomas
Bonjour Peter Sylvester, 


> Extensions are ignored in the root.
> Without telling what critical extensions you have, it is difficult to help.

I had some extensions set to critical in my Sub CA certificates. I have 
regenerated all the Sub CA certificates and now it works fine. That's right that 
critical extensions are only ignored in root; if Sub CA's contain some critical 
extensions, Apache mutual authentication fails. Thanks so much for the guidance 
...

Best Regards
Scott Thomas


  

Mutual Authentication using Multiple CA's in Apache (mod_ssl) does not work

2010-06-07 Thread Scott Thomas
Bonjour All Users, 


My setup has a ROOT CA and 3 levels of Sub CA's. I have generated Apache web 
server and client certificates from each of the ROOT and Sub CA's. 

I have configured my APACHE web server for client certificate (mutual) 
authentication. I have generated the apache web server certificate and client 
certificates from the ROOT CA with proper extensions. In case of Root CA, it 
works well. Mutual authentication works fine.

In case of Sub CA, the Apache web server certificate and client certificates 
are generated by the Sub CA with the same extensions/profile as in case of ROOT CA. 
But when I try to authenticate users from Sub CA's then the following error occurs: 
unhandled critical extension. SSLCACertificateFile contains the concatenated 
certificates of all the CA's (issuing CA certificate is at top and Root CA 
certificate is at bottom of this file).


Here is my vhost file

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
DocumentRoot /srv/www/htdocs/
ServerName XX
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

<VirtualHost *:443>

DocumentRoot /srv/www/htdocs/
ServerName X
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2

SSLCertificateFile /etc/apache2/certificates/cert.pem
SSLCertificateKeyFile /etc/apache2/certificates/key.pem
SSLCACertificateFile /etc/apache2/certificates/chain.pem
#SSLCertificateChainFile /etc/apache2/certificates/chain.pem
# chain.pem contains all the upper level certificates concatenated such that 
# (1st certificate is of issuing CA, going downward towards the root CA...)
# I have also tried with the SSLCertificateChainFile directive but the error 
# is same ...

<Directory /srv/www/htdocs/>
SSLVerifyClient require
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq 
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
</Directory>

</VirtualHost>

I am using OpenSSL version 0.9.8h release 28 May 2008 and Apache version 
2.2.10-2.5

Kindly guide me in this aspect.
Waiting for your kind Reply

Best Regards
Scott Thomas