Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Thulasi Goriparthi
With PSS, for the first signature, the PSS alg ID and params are encoded
correctly, but not for the second signature (resign).

 2542:d=7  hl=2 l=   9 prim: OBJECT:S/MIME Capabilities
 2553:d=7  hl=2 l= 108 cons: SET
 2555:d=8  hl=2 l= 106 cons: SEQUENCE
 2557:d=9  hl=2 l=  11 cons: SEQUENCE
 2559:d=10 hl=2 l=   9 prim: OBJECT:aes-256-cbc
 2570:d=9  hl=2 l=  11 cons: SEQUENCE
 2572:d=10 hl=2 l=   9 prim: OBJECT:aes-192-cbc
 2583:d=9  hl=2 l=  11 cons: SEQUENCE
 2585:d=10 hl=2 l=   9 prim: OBJECT:aes-128-cbc
 2596:d=9  hl=2 l=  10 cons: SEQUENCE
 2598:d=10 hl=2 l=   8 prim: OBJECT:des-ede3-cbc
 2608:d=9  hl=2 l=  14 cons: SEQUENCE
 2610:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 2620:d=10 hl=2 l=   2 prim: INTEGER   :80
 2624:d=9  hl=2 l=  13 cons: SEQUENCE
 2626:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 2636:d=10 hl=2 l=   1 prim: INTEGER   :40
 2639:d=9  hl=2 l=   7 cons: SEQUENCE
 2641:d=10 hl=2 l=   5 prim: OBJECT:des-cbc
 2648:d=9  hl=2 l=  13 cons: SEQUENCE
 2650:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 2660:d=10 hl=2 l=   1 prim: INTEGER   :28
 2663:d=5  hl=2 l=   0 cons: SEQUENCE
 2665:d=5  hl=2 l=   0 prim: OCTET STRING
 2667:d=4  hl=4 l= 723 cons: SEQUENCE
 2671:d=5  hl=2 l=   1 prim: INTEGER   :01
 2674:d=5  hl=3 l= 149 cons: SEQUENCE
 2677:d=6  hl=3 l= 143 cons: SEQUENCE
 2680:d=7  hl=2 l=  11 cons: SET
 2682:d=8  hl=2 l=   9 cons: SEQUENCE
 2684:d=9  hl=2 l=   3 prim: OBJECT:countryName
 2689:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :IN
 2693:d=7  hl=2 l=  11 cons: SET
==multiple lines truncated==

 2949:d=7  hl=2 l=   9 prim: OBJECT:S/MIME Capabilities
 2960:d=7  hl=2 l= 108 cons: SET
 2962:d=8  hl=2 l= 106 cons: SEQUENCE
 2964:d=9  hl=2 l=  11 cons: SEQUENCE
 2966:d=10 hl=2 l=   9 prim: OBJECT:aes-256-cbc
 2977:d=9  hl=2 l=  11 cons: SEQUENCE
 2979:d=10 hl=2 l=   9 prim: OBJECT:aes-192-cbc
 2990:d=9  hl=2 l=  11 cons: SEQUENCE
 2992:d=10 hl=2 l=   9 prim: OBJECT:aes-128-cbc
 3003:d=9  hl=2 l=  10 cons: SEQUENCE
 3005:d=10 hl=2 l=   8 prim: OBJECT:des-ede3-cbc
 3015:d=9  hl=2 l=  14 cons: SEQUENCE
 3017:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 3027:d=10 hl=2 l=   2 prim: INTEGER   :80
 3031:d=9  hl=2 l=  13 cons: SEQUENCE
 3033:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 3043:d=10 hl=2 l=   1 prim: INTEGER   :40
 3046:d=9  hl=2 l=   7 cons: SEQUENCE
 3048:d=10 hl=2 l=   5 prim: OBJECT:des-cbc
 3055:d=9  hl=2 l=  13 cons: SEQUENCE
 3057:d=10 hl=2 l=   8 prim: OBJECT:rc2-cbc
 3067:d=10 hl=2 l=   1 prim: INTEGER   :28
 3070:d=5  hl=2 l=  62 cons: SEQUENCE
 3072:d=6  hl=2 l=   9 prim: OBJECT:rsassaPss
 3083:d=6  hl=2 l=  49 cons: SEQUENCE
 3085:d=7  hl=2 l=  13 cons: cont [ 0 ]
 3087:d=8  hl=2 l=  11 cons: SEQUENCE
 3089:d=9  hl=2 l=   9 prim: OBJECT:sha256
 3100:d=7  hl=2 l=  26 cons: cont [ 1 ]
 3102:d=8  hl=2 l=  24 cons: SEQUENCE
 3104:d=9  hl=2 l=   9 prim: OBJECT:mgf1
 3115:d=9  hl=2 l=  11 cons: SEQUENCE
 3117:d=10 hl=2 l=   9 prim: OBJECT:sha256
 3128:d=7  hl=2 l=   4 cons: cont [ 2 ]
 3130:d=8  hl=2 l=   2 prim: INTEGER   :DE
 3134:d=5  hl=4 l= 256 prim: OCTET STRING  [HEX DUMP]:66C7A406905E0BEF3BE8A55B8BA05915020B6960BDE4700C3C3FB2F115FE5BA60B453EFF39BA37E4D16CA3A86582B3057D05875766BE99C51BC5BEC9CD1AAE3BEC34943160BB06784209F1A3773E07A101BA3E2231FDF85FAB91872A081E37410905A09DAF530600BF9099B054B1DF869826E864A95F5D55DAE84A0CEC43E52F6D13574E1EF66A4E3A65883788E265D6C174211ADBCFEA96A9DD186887BFE040D6D0B59547D8763157D322F0307D7AF3123B0ECFB11E1E7EA228861F4363DBA8D478A7E44F1DEB77A3904FBD90CAA41E291A2E094ABCBD5134146FB1C0F42BC8D7B4829DEFEE7BACDFC024FB8B9FAF16F225EB3C96D866C535B2A06E83DCF007


Thanks,

Thulasi.


On Sat, 20 Feb 2021 at 00:40, Alon Bar-Lev  wrote:

> Thanks!
> Was about to write... I tested both 1.1 and master branches and result is
> the same.
>
>
> On Fri, 19 Feb 2021 at 21:04 Thulasi Goriparthi <
> thulasi.goripar...@gmail.com> wrote:
>
>> I am able to reproduce this issue with 1.1.1j too.
>>
>> openssl version -a
>>
>> OpenSSL 1.1.1j  16 Feb 2021
>>
>> built on: Fri Feb 19 18:56:06 2021 UTC
>>
>> platform: darwin64-x86_64-cc
>>
>> options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
>>
>> compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC
>> -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
>> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
>> -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM
>> -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT
>> -DND

Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Thulasi Goriparthi
I am able to reproduce this issue with 1.1.1j too.

openssl version -a
OpenSSL 1.1.1j  16 Feb 2021
built on: Fri Feb 19 18:56:06 2021 UTC
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 1.cms -CAfile ca.pem
Content-Type: text/plain

hello world
Verification successful

openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 2.cms -CAfile ca.pem
Error reading S/MIME message
4757167552:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:615:Field=signerInfos, Type=CMS_SignedData
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:
4757167552:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
4757167552:error:0D0D106E:asn1 encoding routines:b64_read_asn1:decode error:crypto/asn1/asn_mime.c:143:
4757167552:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1 sig parse error:crypto/asn1/asn_mime.c:451:


Thanks,

Thulasi.

On Sat, 20 Feb 2021 at 00:09, Viktor Dukhovni 
wrote:

> On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:
>
> > I am able to reproduce this issue with 1.1.1i
>
> OpenSSL 1.1.1j has been released.  Do you still see the problem with
> 1.1.1j?
>
> --
> Viktor.
>


Re: openssl cms resign with RSA-PSS corrupts the CMS(?)

2021-02-19 Thread Thulasi Goriparthi
Hi Alon,

I am able to reproduce this issue with 1.1.1i

echo "hello world" > msg

/* pkcs1 */
openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms
openssl cms -verify -in 1.cms -CAfile ca.pem
openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms
openssl cms -verify -in 2.cms -CAfile ca.pem

/* pss */
openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 1.cms -CAfile ca.pem
openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 2.cms -CAfile ca.pem



Thanks,

Thulasi.

On Fri, 19 Feb 2021 at 13:16, Alon Bar-Lev  wrote:

> Hello OpenSSL masters,
>
> Can someone please try to reproduce the below issue?
>
> Thanks,
> Alon
>
> On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev  wrote:
>
>> Hello,
>>
>> I am trying to resign a CMS using the openssl tool.
>>
>> When I use RSA-PKCS1 everything is working fine.
>>
>> When I use RSA-PSS it seems like the ASN.1 produced is corrupted; I do not
>> see the signature in asn1dump.
>>
>> I prepared a demo[1] to help people reproduce the issue, tested with
>> openssl-1.1.1i.
>>
>> The script output pasted below shows that CMS resign without PSS works
>> correctly, while the same sequence with PSS produces a corrupted CMS file.
>>
>> What am I doing wrong?
>>
>> Regards,
>> Alon Bar-Lev
>>
>> [1] https://github.com/alonbl/openssl-cms-pss
>>
>> ---
>>
>> ===
>> CMS without PSS
>> ===
>> cms -sign 1.cms
>> cms -verify 1.cms
>> hello world
>> Verification successful
>> cms -resign 1.cms to 2.cms
>> cms -verify 2.cms
>> hello world
>> Verification successful
>> ===
>> CMS with PSS
>> ===
>> cms -sign 1.cms
>> cms -verify 1.cms
>> hello world
>> Verification successful
>> cms -resign 1.cms to 2.cms
>> cms -verify 2.cms
>> Error reading S/MIME message
>> 140438977062208:error:0D078079:asn1 encoding
>> routines:asn1_item_embed_d2i:field
>> missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
>> 140438977062208:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm,
>> Type=CMS_SignerInfo
>> 140438977062208:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
>> 140438977062208:error:0D08303A:asn1 encoding
>> routines:asn1_template_noexp_d2i:nested asn1
>> error:../crypto/asn1/tasn_dec.c:646:
>> 140438977062208:error:0D08403A:asn1 encoding
>> routines:asn1_template_ex_d2i:nested asn1
>> error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
>> FATAL: verify 2.cms failed
>>
>>
>>


encoding/decoding ECX private key with optional public key

2021-02-15 Thread Thulasi Goriparthi
Hello,

Is there any option, either in 1.1.1 or 3.0.0, to encode ECX (x25519, x448,
ed25519, ed448) private keys along with the optional/implicit public key, as
specified in https://tools.ietf.org/html/rfc8410#page-7?

Is there any plan to provide this support in future?

I ask this as I have come across h/w which generates an ECX (private) key and
returns a reference to the private key plus the corresponding public key (octet
string).

The private key reference, instead of the actual private key, is encoded when
the key is stored persistently. A public key derived by s/w from this "dummy"
private key wouldn't be the correct public key, and the h/w doesn't have the
ability/support to take in the private key reference to generate the public
key. This makes saving the public key along with the private key (reference)
unavoidable at the time of key generation.

I would like to know how other h/w engines/providers supporting ECX keygen
are handling this situation.

Thanks,
Thulasi.
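For reference, this is what the RFC 8410 OneAsymmetricKey structure with the optional publicKey field looks like on the wire. It is an added example, not code from the mailing list or from OpenSSL, and it only encodes: it does not derive a public key, which is exactly the step the h/w case above cannot perform, so the caller passes in the public key the hardware returned. The key bytes in the demo are constructed placeholders (not a real key pair), and encode_one_asymmetric_key and to_pem are names chosen for this example.

```python
"""Encode an ECX private key as RFC 8410 OneAsymmetricKey (added example,
not OpenSSL code; standard library only). The fields that matter here:

    OneAsymmetricKey ::= SEQUENCE {
        version              INTEGER,              -- v1(0), or v2(1) when publicKey is present
        privateKeyAlgorithm  AlgorithmIdentifier,  -- id-X25519 etc., no parameters (RFC 8410 s.3)
        privateKey           OCTET STRING,         -- wraps CurvePrivateKey ::= OCTET STRING
        publicKey        [1] IMPLICIT BIT STRING OPTIONAL }
"""
import base64

# id-X25519 1.3.101.110, id-X448 1.3.101.111, id-Ed25519 1.3.101.112, id-Ed448 1.3.101.113
ECX_ALGS = {
    # name: (OID contents, private key length, public key length)
    "X25519": (bytes.fromhex("2b656e"), 32, 32),
    "X448": (bytes.fromhex("2b656f"), 56, 56),
    "Ed25519": (bytes.fromhex("2b6570"), 32, 32),
    "Ed448": (bytes.fromhex("2b6571"), 57, 57),
}


def der_tlv(tag, content):
    """DER tag-length-value with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_one_asymmetric_key(alg, private_key, public_key=None):
    """Return the DER OneAsymmetricKey for `alg`.

    When `public_key` is given the structure is version 2 and carries the key
    in the [1] IMPLICIT BIT STRING field, so a reader never has to derive it
    from the private part (which a private key *reference* cannot provide)."""
    try:
        oid, priv_len, pub_len = ECX_ALGS[alg]
    except KeyError:
        raise ValueError("unsupported algorithm %r" % alg) from None
    if len(private_key) != priv_len:
        raise ValueError("%s private key must be %d bytes" % (alg, priv_len))
    body = der_tlv(0x02, b"\x01" if public_key is not None else b"\x00")  # version
    body += der_tlv(0x30, der_tlv(0x06, oid))                            # privateKeyAlgorithm
    body += der_tlv(0x04, der_tlv(0x04, private_key))                    # privateKey
    if public_key is not None:
        if len(public_key) != pub_len:
            raise ValueError("%s public key must be %d bytes" % (alg, pub_len))
        # [1] IMPLICIT BIT STRING: context tag 0x81, leading 0x00 = no unused bits
        body += der_tlv(0x81, b"\x00" + public_key)
    return der_tlv(0x30, body)


def to_pem(der):
    """Wrap the DER in the PKCS#8 'PRIVATE KEY' armour that openssl pkey reads."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real key pair.
    priv, pub = bytes(range(32)), bytes(range(32, 64))
    print(to_pem(encode_one_asymmetric_key("Ed25519", priv, pub)))
```

With a public key present the Ed25519 output is 83 bytes (version 1, the 7-byte algorithm identifier, a 36-byte privateKey and a 35-byte `81 21 00 ...` publicKey); without it the structure drops to the familiar 48-byte v1 form.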


OCSP Responder app

2021-01-31 Thread Thulasi Goriparthi
The OCSP responder app is trying to read an OCSP_RESPONSE instead of an
OCSP_REQUEST in the do_responder function.

Created https://github.com/openssl/openssl/issues/13904

Thanks,
Thulasi.


Re:

2021-01-29 Thread Thulasi Goriparthi
I am not sure why the code you have shared is trying to decrypt the
signature.
If it is done as part of signature verification, don't do this. Use
the actual EVP_PKEY_verify API with the corresponding public key.

If you really need the decrypted signature, you should do public
encryption with NONE padding.
A private key is not necessary.

Thanks,
Thulasi

On Fri, 29 Jan 2021 at 17:47, Narayana, Sunil Kumar 
wrote:

> Yeah, it sounds correct. But since it's an old application code & we are
> not sure why it was done so, we are a little worried to change it.
>
> Can you please take a look at the attachment which has the complete flow, and
> provide your views which help us to change it to PEM_read_PrivateKey()
> or variants as you suggested.
>
> Regards,
> Sunil
>
> *From:* Thulasi Goriparthi
> *Sent:* 29 January 2021 17:24
> *To:* Narayana, Sunil Kumar
> *Cc:* openssl-users@openssl.org
> *Subject:* Re:
>
> Isn't it obvious to use PEM_read_PrivateKey() or variants to load the
> private key as EVP_PKEY
> and use EVP_PKEY_decrypt* as specified in
> https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_decrypt.html ?
>
> Thanks,
> Thulasi.
>
> On Fri, 29 Jan 2021 at 16:59, Narayana, Sunil Kumar wrote:
>
> Hi Thulasi,
>
> Currently in (1.0.1) we are following the following sequence, which now
> needs to be replaced with EVP.
>
> *Current sequence*
>
> //to create RSA pubkey
> rsa = PEM_read_bio_RSA_PUBKEY(keybio, NULL, NULL, NULL);  // !!!
>
> //to decrypt using RSA utility
> RSA_public_decrypt(len, (unsigned char*)buffer, decrypted, rsa, RSA_PKCS1_PADDING);
>
> As you mentioned, if we use PEM_read_bio_PUBKEY to get EVP_PKEY, it will
> be a pubkey right? But in order to decrypt as per the example in
> https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_decrypt_init.html
> we need to use an RSA private key.
>
> Please suggest.
>
> Regards,
> Sunil
>
> *From:* Thulasi Goriparthi
> *Sent:* 29 January 2021 13:07
> *To:* Narayana, Sunil Kumar
> *Cc:* openssl-users@openssl.org
> *Subject:* Re:
>
> Hope, you are referring to
> https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_encrypt.html
>
> Use PEM_read_bio_PUBKEY to get EVP_PKEY.
> eng is for engine reference. If you have no engine, it can be NULL.
>
> Thanks,
> Thulasi.
>
> On Fri, 29 Jan 2021 at 10:13, Narayana, Sunil Kumar wrote:
>
> Dear Openssl team,
>
> While migrating from 1.0.2 to 3.0 we observe that the
> RSA_public_decrypt() API has been deprecated in 3.0.
>
> We referred to the example provided in the man page but we are not clear on
> generating the initial 'key' required to create the CTX.
>
> Please suggest on the (key, eng) params to proceed.
>
> Also currently we are using PEM_read_bio_RSA_PUBKEY() to generate the RSA; I
> think this might not be required in case of EVP, please suggest.
>
> /*
>  * NB: assumes key, eng, in, inlen are already set up
>  * and that key is an RSA private key
>  */
> ctx = EVP_PKEY_CTX_new(key, eng);
>
> Regards,
> Sunil
>
> Notice: This e-mail together with any attachments may contain information
> of Ribbon Communications Inc. and its Affiliates that is confidential
> and/or proprietary for the sole use of the intended recipient. Any review,
> disclosure, reliance or distribution by others or forwarding without
> express permission is strictly prohibited. If you are not the intended
> recipient, please notify the sender immediately and then delete all copies,
> including any attachments.
>

Re:

2021-01-29 Thread Thulasi Goriparthi
Isn't it obvious to use PEM_read_PrivateKey() or variants to load the
private key as EVP_PKEY
and use EVP_PKEY_decrypt* as specified in
https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_decrypt.html ?

Thanks,
Thulasi.

On Fri, 29 Jan 2021 at 16:59, Narayana, Sunil Kumar 
wrote:

> Hi Thulasi,
>
> Currently in (1.0.1) we are following the following sequence, which now
> needs to be replaced with EVP.
>
> *Current sequence*
>
> //to create RSA pubkey
> rsa = PEM_read_bio_RSA_PUBKEY(keybio, NULL, NULL, NULL);  // !!!
>
> //to decrypt using RSA utility
> RSA_public_decrypt(len, (unsigned char*)buffer, decrypted, rsa, RSA_PKCS1_PADDING);
>
> As you mentioned, if we use PEM_read_bio_PUBKEY to get EVP_PKEY, it will
> be a pubkey right? But in order to decrypt as per the example in
> https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_decrypt_init.html
> we need to use an RSA private key.
>
> Please suggest.
>
> Regards,
> Sunil
>
> *From:* Thulasi Goriparthi
> *Sent:* 29 January 2021 13:07
> *To:* Narayana, Sunil Kumar
> *Cc:* openssl-users@openssl.org
> *Subject:* Re:
>
> Hope, you are referring to
> https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_encrypt.html
>
> Use PEM_read_bio_PUBKEY to get EVP_PKEY.
> eng is for engine reference. If you have no engine, it can be NULL.
>
> Thanks,
> Thulasi.
>
> On Fri, 29 Jan 2021 at 10:13, Narayana, Sunil Kumar wrote:
>
> Dear Openssl team,
>
> While migrating from 1.0.2 to 3.0 we observe that the
> RSA_public_decrypt() API has been deprecated in 3.0.
>
> We referred to the example provided in the man page but we are not clear on
> generating the initial 'key' required to create the CTX.
>
> Please suggest on the (key, eng) params to proceed.
>
> Also currently we are using PEM_read_bio_RSA_PUBKEY() to generate the RSA; I
> think this might not be required in case of EVP, please suggest.
>
> /*
>  * NB: assumes key, eng, in, inlen are already set up
>  * and that key is an RSA private key
>  */
> ctx = EVP_PKEY_CTX_new(key, eng);
>
> Regards,
> Sunil
>


Re:

2021-01-28 Thread Thulasi Goriparthi
Hope, you are referring to
https://www.openssl.org/docs/man1.0.2/man3/EVP_PKEY_encrypt.html

Use PEM_read_bio_PUBKEY to get EVP_PKEY.
eng is for engine reference. If you have no engine, it can be NULL.

Thanks,
Thulasi.

On Fri, 29 Jan 2021 at 10:13, Narayana, Sunil Kumar 
wrote:

> Dear Openssl team,
>
> While migrating from 1.0.2 to 3.0 we observe that the
> RSA_public_decrypt() API has been deprecated in 3.0.
>
> We referred to the example provided in the man page but we are not clear on
> generating the initial 'key' required to create the CTX.
>
> Please suggest on the (key, eng) params to proceed.
>
> Also currently we are using PEM_read_bio_RSA_PUBKEY() to generate the RSA; I
> think this might not be required in case of EVP, please suggest.
>
> /*
>  * NB: assumes key, eng, in, inlen are already set up
>  * and that key is an RSA private key
>  */
> ctx = EVP_PKEY_CTX_new(key, eng);
>
> Regards,
> Sunil
>


Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Thulasi Goriparthi
I am trying to provide a test certificate generated by
openssl-3.0.0-alpha10 to a third-party certificate parser/manager. This
software expects an AlgorithmIdentifier either to have parameters or to have
NULL-encoded (05 00) parameters, which seem to be missing in the
certificate.

Certificate generated by openssl-3.0.0-alpha10

    0:d=0  hl=4 l=1030 cons: SEQUENCE
    4:d=1  hl=4 l= 752 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER   :02
   13:d=2  hl=2 l=   1 prim: INTEGER   :01
   16:d=2  hl=2 l=  11 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT:sha256WithRSAEncryption
   29:d=2  hl=3 l= 143 cons: SEQUENCE
   32:d=3  hl=2 l=  11 cons: SET
   34:d=4  hl=2 l=   9 cons: SEQUENCE
   36:d=5  hl=2 l=   3 prim: OBJECT:countryName

Certificate generated by openssl-1.1.1g

    0:d=0  hl=4 l= 988 cons: SEQUENCE
    4:d=1  hl=4 l= 708 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER   :02
   13:d=2  hl=2 l=   1 prim: INTEGER   :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT:sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=3 l= 143 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT:countryName

From https://tools.ietf.org/html/rfc5280#section-4.1.1.2, it isn't clear if
NULL parameters can be completely omitted or if they should still have a NULL
encoding.

Is this too stringent a check in the third-party s/w, or a miss in
openssl-3.0.0-alpha10?

Thanks,
Thulasi.
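The NULL-parameters question here and the CMS-resign thread earlier on this page both come down to how an AlgorithmIdentifier SEQUENCE is laid out in DER. The following is an added example, not code from the mailing list or from OpenSSL: a small pure-Python inspector that classifies an AlgorithmIdentifier as having no algorithm OID at all (an empty SEQUENCE, which is what tasn_dec.c reports as "field missing ... Field=algorithm, Type=X509_ALGOR" and what the resign dump shows as `l=0 cons: SEQUENCE` at offset 2663 where a SignerInfo's signatureAlgorithm belongs), absent parameters (the 3.0.0-alpha10 certificate), NULL parameters (the 1.1.1g certificate), or structured parameters, and that decodes RSASSA-PSS-params (RFC 4055) as the asn1parse dump shows them. The sample byte strings are constructed here to mirror the lengths in the quoted dumps, and KNOWN_OIDS and all function names are this example's own. On the RFC 5280 question itself: RFC 4055 section 5 requires the parameters of sha256WithRSAEncryption to be present and NULL, and at the same time requires implementations to accept absent parameters, so the 1.1.1g encoding is the conforming one and a receiver that rejects the absent form is stricter than RFC 4055 allows.

```python
"""Classify DER AlgorithmIdentifier values. Added example, not OpenSSL code;
pure Python. Handles an empty SEQUENCE, absent / NULL / structured parameters,
and decodes RSASSA-PSS-params (RFC 4055) as asn1parse shows them above."""

KNOWN_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",
    "2.16.840.1.101.3.4.2.1": "sha256",
}
OID_MGF1_DOTTED = "1.2.840.113549.1.1.8"   # the only MGF RFC 4055 defines

def der_read_tlv(buf, pos=0):
    """Read one DER TLV (one-byte tag, definite length) -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                         # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def der_decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:                            # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def decode_pss_params(body):
    """RSASSA-PSS-params: [0] hashAlgorithm, [1] maskGenAlgorithm, [2] saltLength
    (all EXPLICIT); absent fields take the RFC 4055 defaults (SHA-1, MGF1/SHA-1, 20)."""
    out = {"hash": "sha1", "mgf_hash": "sha1", "salt_length": 20}
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read_tlv(body, pos)
        if tag == 0xA0:
            out["hash"] = inspect_algorithm_identifier(val)["algorithm"]
        elif tag == 0xA1:                      # mgf1's parameters are another AlgorithmIdentifier
            _, mgf_body, _ = der_read_tlv(val)
            _, mgf_oid, after = der_read_tlv(mgf_body)
            if der_decode_oid(mgf_oid) != OID_MGF1_DOTTED:
                raise ValueError("unknown mask generation function")
            out["mgf_hash"] = inspect_algorithm_identifier(mgf_body[after:])["algorithm"]
        elif tag == 0xA2:
            out["salt_length"] = int.from_bytes(der_read_tlv(val)[1], "big")
    return out

def inspect_algorithm_identifier(der):
    """Describe one AlgorithmIdentifier SEQUENCE. 'params' is 'missing-algorithm'
    for an empty SEQUENCE (the "field missing ... Field=algorithm, Type=X509_ALGOR"
    case), otherwise 'absent', 'null' or 'present'."""
    tag, body, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    if not body:
        return {"algorithm": None, "params": "missing-algorithm"}
    tag, oid_bytes, pos = der_read_tlv(body)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OBJECT IDENTIFIER")
    oid = der_decode_oid(oid_bytes)
    info = {"algorithm": KNOWN_OIDS.get(oid, oid)}
    if pos == len(body):
        info["params"] = "absent"
        return info
    ptag, pbody, pend = der_read_tlv(body, pos)
    if pend != len(body):
        raise ValueError("extra elements after parameters")
    if ptag == 0x05 and not pbody:
        info["params"] = "null"
    elif ptag == 0x05:
        raise ValueError("NULL must have empty contents")
    else:
        info["params"] = "present"
        if info["algorithm"] == "rsassaPss" and ptag == 0x30:
            info["pss"] = decode_pss_params(pbody)
    return info

# Constructed samples mirroring the lengths in the asn1parse dumps quoted above.
def tlv(tag, content):                         # short-form builder, contents < 128 bytes
    return bytes([tag, len(content)]) + content

OID_SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
OID_RSASSA_PSS = tlv(0x06, bytes.fromhex("2a864886f70d01010a"))
OID_MGF1 = tlv(0x06, bytes.fromhex("2a864886f70d010108"))
HASH_SHA256 = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")))
ALG_SHA256_RSA_ABSENT = tlv(0x30, OID_SHA256_RSA)               # alpha10 cert: l=11
ALG_SHA256_RSA_NULL = tlv(0x30, OID_SHA256_RSA + b"\x05\x00")  # 1.1.1g cert: l=13
ALG_EMPTY = tlv(0x30, b"")                                      # resigned CMS: l=0
PSS_PARAMS = tlv(0x30, tlv(0xA0, HASH_SHA256)
                 + tlv(0xA1, tlv(0x30, OID_MGF1 + HASH_SHA256))
                 + tlv(0xA2, tlv(0x02, b"\x00\xde")))           # saltLength 222
ALG_PSS = tlv(0x30, OID_RSASSA_PSS + PSS_PARAMS)                # l=62, as in the dump
```

Calling inspect_algorithm_identifier on the four samples returns 'absent', 'null', 'missing-algorithm' and, for ALG_PSS, 'present' with hash sha256, MGF1 over sha256 and salt length 222 (0xDE), which is the maximum salt length for a 2048-bit modulus with SHA-256 and the value the dump shows.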


openssl asym_cipher/signature provider

2020-12-14 Thread Thulasi Goriparthi
Hello,

Is it acceptable for an openssl provider to implement an algorithm
(rsaEncryption) as an asym_cipher or signature algorithm without implementing
the corresponding keymgmt, or redirecting the same to the 'default' provider?

I ask, as our engine implementation handles key import dynamically at the time
of offloading the crypto operation, using the ex_data of key objects. I want to
quickly upgrade this to a provider to convince myself that the basic
upgrade from engine to provider isn't time consuming.

Thanks,
Thulasi.


Re: CMS decryption of message with OAEP using Hardware security module

2020-02-18 Thread Thulasi Goriparthi
CMS_decrypt() doesn't need to be fed this information explicitly; it is
part of the CMS envelope of the encrypted data.

https://tools.ietf.org/html/rfc3560#page-4

Thanks,
Thulasi.

On Tue, 18 Feb 2020 at 17:16, Thulasi Goriparthi <
thulasi.goripar...@gmail.com> wrote:

> Sorry for this. I see that you already knew about it.
>
> On Tue, 18 Feb, 2020, 17:08 Thulasi Goriparthi, <
> thulasi.goripar...@gmail.com> wrote:
>
>> https://www.openssl.org/docs/man1.1.0/man3/EVP_PKEY_CTX_ctrl_str.html
>>
>> Thanks,
>> Thulasi.
>>
>> On Tue, 18 Feb, 2020, 16:43 RudyAC,  wrote:
>>
>>> Hello Thulasi,
>>>
>>> thank you for your quick response.
>>>
>>> The encryption does not take place in the HSM because we only store the
>>> private keys inside the HSM. For encryption we use the openssl CMS_encrypt()
>>> function. In case of OAEP I use the parameters:
>>> EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
>>> EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
>>> EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
>>> and call CMS_final() at last.
>>> For decryption we use the HSM where the private keys are stored and the
>>> openssl PKCS11 engine is used.
>>> Therefore we call CMS_decrypt(). Unfortunately there are no OAEP
>>> parameters that can be specified at CMS_decrypt().
>>>
>>> By default we do encryption and decryption without an HSM. Using the same
>>> functions (CMS_encrypt(), CMS_decrypt()) it works very well. But now it
>>> is my job to do decryption with an HSM (Utimaco).
>>>
>>> My question is if there is a possibility to tell CMS_decrypt() that the
>>> encrypted email uses OAEP padding, or is there only a problem at the side
>>> of the HSM provider.
>>>
>>> Best regards
>>> Rudy
>>>
>>> --
>>> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>>>
>>


Re: CMS decryption of message with OAEP using Hardware security module

2020-02-18 Thread Thulasi Goriparthi
Sorry for this. I see that you already knew about it.

On Tue, 18 Feb, 2020, 17:08 Thulasi Goriparthi, <
thulasi.goripar...@gmail.com> wrote:

> https://www.openssl.org/docs/man1.1.0/man3/EVP_PKEY_CTX_ctrl_str.html
>
> Thanks,
> Thulasi.
>
> On Tue, 18 Feb, 2020, 16:43 RudyAC,  wrote:
>
>> Hello Thulasi,
>>
>> thank you for your quick response.
>>
>> The encryption does not take place in the HSM because we only store the
>> private keys inside the HSM. For encryption we use the openssl CMS_encrypt()
>> function. In case of OAEP I use the parameters:
>> EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
>> EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
>> EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
>> and call CMS_final() at last.
>> For decryption we use the HSM where the private keys are stored and the
>> openssl PKCS11 engine is used.
>> Therefore we call CMS_decrypt(). Unfortunately there are no OAEP
>> parameters that can be specified at CMS_decrypt().
>>
>> By default we do encryption and decryption without an HSM. Using the same
>> functions (CMS_encrypt(), CMS_decrypt()) it works very well. But now it
>> is my job to do decryption with an HSM (Utimaco).
>>
>> My question is if there is a possibility to tell CMS_decrypt() that the
>> encrypted email uses OAEP padding, or is there only a problem at the side
>> of the HSM provider.
>>
>> Best regards
>> Rudy
>>
>> --
>> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>>
>


Re: CMS decryption of message with OAEP using Hardware security module

2020-02-18 Thread Thulasi Goriparthi
https://www.openssl.org/docs/man1.1.0/man3/EVP_PKEY_CTX_ctrl_str.html

Thanks,
Thulasi.

On Tue, 18 Feb, 2020, 16:43 RudyAC,  wrote:

> Hello Thulasi,
>
> thank you for your quick response.
>
> The encryption does not take place in the HSM because we only store the
> private keys inside the HSM. For encryption we use the openssl CMS_encrypt()
> function. In case of OAEP I use the parameters:
> EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256());
> EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256());
> EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l);
> and call CMS_final() at last.
> For decryption we use the HSM where the private keys are stored and the
> openssl PKCS11 engine is used.
> Therefore we call CMS_decrypt(). Unfortunately there are no OAEP
> parameters that can be specified at CMS_decrypt().
>
> By default we do encryption and decryption without an HSM. Using the same
> functions (CMS_encrypt(), CMS_decrypt()) it works very well. But now it
> is my job to do decryption with an HSM (Utimaco).
>
> My question is if there is a possibility to tell CMS_decrypt() that the
> encrypted email uses OAEP padding, or is there only a problem at the side
> of the HSM provider.
>
> Best regards
> Rudy
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>


Re: CMS decryption of message with OAEP using Hardware security module

2020-02-18 Thread Thulasi Goriparthi
Do you mean RSA OAEP decryption done by HSM fails?

Possible tests:
1. Try RSA OAEP encryption/decryption with HSM. - basic test.
2. Encrypt with HSM and decrypt using openssl crypto library. - To make
sure RSA OAEP encryption of the HSM works fine.
3. If test 2 fails, check if all the parameters (hash, mgf, salt length)
used for OAEP are the same on both sides. If they match and decryption still
fails, check with your HSM vendor. If they don't, try fixing the parameters
and repeat test 2.

RSA_NO_PADDING always works as all it does is modular exponentiation.

Thanks,
Thulasi.

On Mon, 17 Feb, 2020, 19:22 RudyAC,  wrote:

> Hi,
>
> I have the requirement to decrypt e-mails where RSA-OAEP padding is used. I
> use the library openssl-1.0.2k and decrypt with a CMS container (CMS_decrypt).
> This works very well unless the private key is stored in a Hardware security
> module and the cryptographic operation is performed via the PKCS11 engine
> from openssl.
>
> When decrypting an email which uses OAEP I got the error message:
>
> 47235129370352:error:06065064:digital envelope
> routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
>
> To analyze the problem I encrypted a clear text using OAEP padding and
> set up a decryption function using RSA_private_decrypt(). Here I use the
> padding mode "RSA_NO_PADDING" and the decryption also works with the PKCS11
> engine. Unfortunately CMS does not support setting the padding mode.
>
> For any comments I would be very grateful.
>
> Regards Rudy
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>


Re: Naming of methods in RSA_METHOD

2020-02-11 Thread Thulasi Goriparthi
Operations that a private key can do are decrypt and sign. Similarly,
operations that a public key can do are encrypt and verify.

The legacy priv_enc (raw) just refers to raw signing, and is almost the same
as sign (with proper padding mechanisms).

It is just a misnomer, as data encrypted with a private key can be
decrypted by everyone with the corresponding public key. It is actually a
sign operation, that lets everyone verify the signature.

Thanks,
Thulasi.


On Sat, 8 Feb, 2020, 08:17 Rafael Ferrer,  wrote:

> I implemented some custom engines and RSA_meth_set_priv_enc seems to map
> to other libraries' RSA decrypt operation (NCryptDecrypt on Windows
> CNG, Cipher class with Cipher.DECRYPT_MODE on Android). They can do a
> TLS connection just fine with a self-signed cert.
>
>
> I looked at another custom engine and they seem to also use RSA decrypt for
> RSA_meth_set_priv_enc:
>
>
> https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-rsa.c#L163
>
> BoringSSL's (deprecated) rsa_meth_st only has a sign and a decrypt,
> having no encrypt operation:
>
>
> https://commondatastorage.googleapis.com/chromium-boringssl-docs/rsa.h.html#rsa_meth_st
>
>
> Is this just a naming quirk? I want to put down the nagging feeling I
> have a bug somewhere.
>
>
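The naming question in this thread and the RSA_public_decrypt() migration thread earlier on the page are two views of the same fact: with PKCS#1 v1.5, "private encrypt" is the signing primitive and "public decrypt" is the raw half of verification, and neither is anything more than modular exponentiation plus padding. The following is an added example, not code from the list or from OpenSSL, written in pure Python with a throwaway key generated in-script (toy-sized, not constant-time, for illustration only): priv_enc builds the EMSA-PKCS1-v1_5 block and applies the private exponent, pub_op is the padding-free public operation, pub_dec applies it and strips the framing, and verify is just pub_dec followed by a comparison of the recovered DigestInfo. All function names and the toy key are this example's own; the OpenSSL function names in the comments are the real ones the thread discusses.

```python
"""Toy PKCS#1 v1.5 RSA: why 'private encrypt' is sign and 'public decrypt' is
the raw half of verify. Added example in pure Python, not OpenSSL code; the
key is generated in-script, is not constant-time and is for illustration only."""
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if _probable_prime(cand, rng):
            return cand


def toy_rsa_keypair(bits=1024, seed=2021):
    """Deterministic toy RSA key -> (n, e, d). Seeded so runs are repeatable."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:               # e prime, so e not dividing phi means gcd = 1
            return p * q, e, pow(e, -1, phi)


def _k(n):
    return (n.bit_length() + 7) // 8         # modulus length in bytes


def digest_info(message):
    """DigestInfo = DER prefix || SHA-256(message); the payload that gets padded."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def priv_enc(data, n, d):
    """RSA_private_encrypt with RSA_PKCS1_PADDING: EMSA-PKCS1-v1_5 block
    00 01 FF..FF 00 || data, raised to the private exponent. This is signing."""
    pad = _k(n) - len(data) - 3
    if pad < 8:
        raise ValueError("data too long for the modulus")
    block = b"\x00\x01" + b"\xff" * pad + b"\x00" + data
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(_k(n), "big")


def pub_op(data, n, e):
    """Raw public operation, i.e. RSA_NO_PADDING: nothing but modular
    exponentiation with the public key (in OpenSSL 3, EVP_PKEY_encrypt() on
    the public key with padding set to none). No private key is involved."""
    m = int.from_bytes(data, "big")
    if len(data) != _k(n) or m >= n:
        raise ValueError("input must be a full block below the modulus")
    return pow(m, e, n).to_bytes(_k(n), "big")


def pub_dec(sig, n, e):
    """RSA_public_decrypt with RSA_PKCS1_PADDING: pub_op, then check and strip
    the 00 01 FF..FF 00 framing; returns the recovered DigestInfo."""
    block = pub_op(sig, n, e)
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 signature padding")
    return block[sep + 1:]


def sign(message, n, d):
    return priv_enc(digest_info(message), n, d)


def verify(message, sig, n, e):
    """What EVP_PKEY_verify() does for PKCS#1 v1.5: recover the DigestInfo and
    compare the whole thing (prefix included) against a fresh digest."""
    try:
        recovered = pub_dec(sig, n, e)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, digest_info(message))
```

Note that verify never hands the recovered bytes back to the caller; the old application code in the thread, which recovers them with RSA_public_decrypt() and presumably compares them itself, is re-implementing exactly this last step, which is why the reply points at EVP_PKEY_verify with the public key rather than at any decrypt routine.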


Re: Compute EC_KEY starting from X or Y coordinate only

2019-10-26 Thread Thulasi Goriparthi
A call to EC_POINT_set_compressed_coordinates() with the x-coordinate and
y-bit will resolve the curve equation for y and choose y out of the two
possible y values based on the y-bit input.

You can retrieve the x and y coordinates using
EC_POINT_get_affine_coordinates as below, where the x-coordinate matches
your input x.

EC_POINT_get_affine_coordinates(group, ec_pub_key, bn_x, bn_y, NULL);

Thanks,
Thulasi.

On Sat, 26 Oct 2019 at 13:21, Luca Di Mauro  wrote:

> I checked the 'test' folder but I didn't find any tests that help me
> in this case.
>
> However the only doubt is how I can use the API offered by the openssl library.
> I understand how to retrieve a point (and consequently assign it to a
> public key) starting from a compressed-y representation (which belongs
> to this standard
> https://tools.ietf.org/id/draft-jivsov-ecc-compact-05.html).
>
> My doubt now is how to obtain a point (x,y) given the coordinate,
> which means resolving the equation y^2= x^3 + ax + b.
> Can you give me some tips to find a solution?
>
> Luca
>
> Billy Brumley wrote:
>
> >> If I have an x-point which follows this representation
> >> https://tools.ietf.org/id/draft-jivsov-ecc-compact-05.html (so it is
> >> composed of 33 bytes and the first byte is '0x02') and I use the
> >> 'EC_POINT_set_compressed_coordinates_GFp' function, will it be
> >> considered as compressed-y-0 or compressed-y-1? Or is it correctly
> >> considered as the x coordinate?
> >
> > What you are saying and what you are doing are two different things.
> >
> > Your code is at a very low level.
> >
> > Above this there is some encoding of points, depending on any number
> > of standards. OpenSSL implements some of them, but at a higher level.
> >
> > The low level API you're talking about provides maximum flexibility to
> > map that high level encoding in to the API's "x-coord + y-bit"
> > concept. It's up to you to figure out the details. (Including
> > determining if the encoding in OpenSSL matches what's expected in your
> > spec.)
> >
> > You need to play around a bit with the lib -- you can't expect this
> > list to interpret the standard for you. Check the "test" folder for
> > sample code.
> >
> > BBB
>
>
>
>


Re: Compute EC_KEY starting from X or Y coordinate only

2019-10-25 Thread Thulasi Goriparthi
02 indicates y bit is 0
03 indicates y bit is 1

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.202.2977&rep=rep1&type=pdf


Thanks,
Thulasi.

On Fri, 25 Oct 2019 at 16:50, Luca Di Mauro  wrote:

>
> Mh, maybe I didn't understand.
>
> If I have an x-point which follows this representation
> https://tools.ietf.org/id/draft-jivsov-ecc-compact-05.html (so it is
> composed by 33 byte and first byte is '0x02') and I use
> 'EC_POINT_set_compressed_coordinates_GFp' function, it will be
> considered as compressed-y-0 or compressed-y-1? Or it is correctly
> considered as the x coordinate?
>
> Luca
>
> Billy Brumley  ha scritto:
>
> >> Thank you! I thought they were the same.
> >>
> >> And given an x-only coordinate, how can I find the y coordinate? I
> >> don't find the relative functions on the documentation.
> >
> > Well it depends on what you mean. Internally,
> > EC_POINT_set_compressed_coordinates_GFp will internally automatically
> > compute the y coordinate based on the y_bit argument.
> >
> > EC_POINT_set_compressed_coordinates_GFp(group, p, x, 0, ...
> > EC_POINT_get_affine_coordinates_GFp(group, p, X0, Y0 ...
> >
> > That will get you one of the points in X0, Y0.
> >
> > EC_POINT_set_compressed_coordinates_GFp(group, p, x, 1, ...
> > EC_POINT_get_affine_coordinates_GFp(group, p, X1, Y1 ...
> >
> > That will get you the other point in X1, Y1. (Where X0 = X1 = x.)
> >
> > (But you are probably looking to do something cryptographically
> > interesting between set/get, which is application specific.)
> >
> > Generally, in addition to the man pages which you seem to have found,
> > check the "tests" folder if you are looking for examples to get
> > started.
> >
> > BBB
>
>
>
>
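What the two replies above describe, written out as an added example (pure Python, not OpenSSL code and not from the thread): solve the curve equation for y, pick the root whose low bit matches the y-bit, and map the SEC1 02/03 prefix onto that y-bit before calling the low-level API. It assumes NIST P-256, where p ≡ 3 (mod 4) makes the square root a single exponentiation, and that the y-bit is the least significant bit of y, which is how OpenSSL defines it for prime-field curves. The curve constants are the published P-256 parameters; everything else is illustration code.

```python
# Added example, not from the thread: what EC_POINT_set_compressed_coordinates()
# computes for a prime-field curve, in pure Python on NIST P-256.
# Assumptions: p ≡ 3 (mod 4) (true for P-256) and y_bit == y & 1.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def decompress(x, y_bit):
    """Return (x, y) with y^2 = x^3 + ax + b and (y & 1) == y_bit.

    Raises ValueError when no curve point has this x, which is the same
    condition under which the OpenSSL call fails.
    """
    if not 0 <= x < P:
        raise ValueError("x is not a field element")
    if y_bit not in (0, 1):
        raise ValueError("y_bit must be 0 or 1")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # For P ≡ 3 (mod 4), rhs^((P+1)/4) is a square root whenever one exists.
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x is not on the curve (rhs is a non-residue)")
    if y == 0 and y_bit == 1:
        raise ValueError("only y == 0 exists for this x; no odd root")
    if (y & 1) != y_bit:
        y = P - y          # the other root; P is odd, so its parity flips
    return x, y


def decode_sec1_compressed(octets):
    """Map a 33-byte 02/03 || X encoding onto the (x, y_bit) the API takes."""
    if len(octets) != 33 or octets[0] not in (0x02, 0x03):
        raise ValueError("expected 0x02/0x03 followed by 32 bytes of x")
    x = int.from_bytes(octets[1:], "big")
    return decompress(x, octets[0] & 1)     # 02 -> y_bit 0, 03 -> y_bit 1


def encode_sec1_compressed(point):
    x, y = point
    return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")


if __name__ == "__main__":
    # The P-256 generator has an odd y, so its compressed form starts with 03.
    enc = encode_sec1_compressed((GX, GY))
    print("prefix 0x%02x" % enc[0], decode_sec1_compressed(enc) == (GX, GY))
    # Same x with y_bit 0 yields the other point on that vertical line.
    print("other root is P - y:", decompress(GX, 0) == (GX, P - GY))
```

For curves whose p is not 3 mod 4 the square root needs Tonelli-Shanks instead of the single exponentiation; the parity rule for choosing between y and P - y is the same.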


Re: EVP_aes_256_xts() problems with multiple calls to EVP_CipherUpdate

2019-09-30 Thread Thulasi Goriparthi
Agree that the XTS-specific deviation should have been documented, similarly to
some of the AEAD ciphers with the EVP interface.

Thanks,
Thulasi.

On Tue, 1 Oct 2019 at 08:46, Norm Green 
wrote:

> Could be, but that's not how EVP_CipherUpdate is documented to work.  If
> this is an XTS mode limitation and not a bug, shouldn't the limitation be
> documented on a man page somewhere?  And shouldn't my second call to
> EVP_CipherUpdate fail?
>
> Norm Green
>
>
> On 9/30/2019 8:04 PM, Thulasi Goriparthi wrote:
>
> As 512 byte blocks are independently encrypted, they should be decrypted
> similarly. This is how XTS mode is defined.
> i.e Try to decrypt 512 byte blocks separately with two CipherUpdates.
>
> Thanks,
> Thulasi.
>
> On Tue, 1 Oct 2019 at 06:43, Norm Green 
> wrote:
>
>> Hi all,
>>
>> I'm using OpenSSL 1.1.1d on Linux with the cipher EVP_aes_256_xts() in
>> order to write database/disk encryption software.
>>
>> When encrypting, I have problems if I call EVP_CipherUpdate() and
>> encrypt the data in chunks. Encrypting only works when I encrypt the
>> entire payload with one and only one call to EVP_CipherUpdate.
>>
>> If I try to break the data into chunks (and make more than one call to
>> EVP_CipherUpdate), then decrypting the data produces garbage after the
>> first chunk that was encrypted
>> When decrypting, I always decrypt all data in one call to
>> EVP_CipherUpdate .
>>
>> For example, when encrypting 1024 bytes, this pseudo-code sequence works:
>>
>> char payload[1024];
>> char encrypted[1024];
>> int destSize = sizeof(encrypted);
>> EVP_CipherInit_ex();
>> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, sizeof(payload));
>> EVP_CipherFinal(); (produces no additional data)
>>
>> However if I break the 1024 payload into 2 x 512 byte chunks, decrypting
>> the entire 1024 bytes of cipher text produces garbage every time:
>>
>> char payload[1024];
>> char encrypted[1024];
>> int destSize = sizeof(encrypted);
>> EVP_CipherInit_ex();
>> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512); // first chunk
>> destSize -= 512;
>> EVP_CipherUpdate(ctx, &encrypted[512], &destSize, &payload[512], 512);
>> // second chunk
>> EVP_CipherFinal(); (produces no additional data)
>>
>> I have a short C program that demonstrates the problem that I can post
>> if necessary.
>>
>> Can anyone explain what's going on?
>>
>> Norm Green
>> CTO, GemTalk Systems Inc.
>>
>
>


Re: EVP_aes_256_xts() problems with multiple calls to EVP_CipherUpdate

2019-09-30 Thread Thulasi Goriparthi
As 512 byte blocks are independently encrypted, they should be decrypted
similarly. This is how XTS mode is defined.
i.e Try to decrypt 512 byte blocks separately with two CipherUpdates.

Thanks,
Thulasi.

On Tue, 1 Oct 2019 at 06:43, Norm Green 
wrote:

> Hi all,
>
> I'm using OpenSSL 1.1.1d on Linux with the cipher EVP_aes_256_xts() in
> order to write database/disk encryption software.
>
> When encrypting, I have problems if I call EVP_CipherUpdate() and
> encrypt the data in chunks. Encrypting only works when I encrypt the
> entire payload with one and only one call to EVP_CipherUpdate.
>
> If I try to break the data into chunks (and make more than one call to
> EVP_CipherUpdate), then decrypting the data produces garbage after the
> first chunk that was encrypted
> When decrypting, I always decrypt all data in one call to EVP_CipherUpdate
> .
>
> For example, when encrypting 1024 bytes, this pseudo-code sequence works:
>
> char payload[1024];
> char encrypted[1024];
> int destSize = sizeof(encrypted);
> EVP_CipherInit_ex();
> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, sizeof(payload));
> EVP_CipherFinal(); (produces no additional data)
>
> However if I break the 1024 payload into 2 x 512 byte chunks, decrypting
> the entire 1024 bytes of cipher text produces garbage every time:
>
> char payload[1024];
> char encrypted[1024];
> int destSize = sizeof(encrypted);
> EVP_CipherInit_ex();
> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512); // first chunk
> destSize -= 512;
> EVP_CipherUpdate(ctx, &encrypted[512], &destSize, &payload[512], 512);
> // second chunk
> EVP_CipherFinal(); (produces no additional data)
>
> I have a short C program that demonstrates the problem that I can post
> if necessary.
>
> Can anyone explain what's going on?
>
> Norm Green
> CTO, GemTalk Systems Inc.
>


Re: EVP_KEY_cmp and -_parameters issues

2019-08-07 Thread Thulasi Goriparthi
RSA keys wouldn't have parameters that are separated from key
components. So, EVP_PKEY_cmp() is applicable, but not
EVP_PKEY_cmp_parameters().

DH keys, which are generally used for key exchange, are short lived,
though the group parameters can be comparatively valid for longer
duration (let's say for a whole session) and can be used to generate
multiple DH keys. So, EVP_PKEY_cmp_parameters() is useful to validate
peer's public key parameters during key exchange to confirm that both
peers are working in the same group.

Though EVP_PKEY_cmp() function can be extended to compare both
parameters and key components for DH keys,  it wouldn't be of much use
as DH keys are ephemeral and we never need to compare two of them for
their key components.

Thanks,
Thulasi.

On Wed, 7 Aug 2019 at 12:27,  wrote:
>
> I have a question to following situation with RSA and DH structures:
>
> I’m testing these in separated unit tests.
>
> Both test cases (each one for RSA and DH) are doing the same:
>
>
>
> I’m creating a new DH or RSA structure, filling it with my params (pqg …) and 
> convert it to an EVP_PKEY (for example: EVP_PKEY_assign_DH => pkey1)
>
> Next step, I’m writing and reading this structure with these functions:
>
> PEM_write_bio_PrivateKey() (not PEM_write_bio_PrivateKey_traditional() ) 
> (with password)
>
> EVP_PKEY* pkey2 = PEM_read_bio_PrivateKey() (with same password)
>
> (or even without a password)
>
>
>
> Now I want to compare these two EVP_PKEY* variables (pkey1 and pkey2) and for 
> that I can use these two functions:
>
> EVP_PKEY_cmp(pkey1, pkey2) (compares components and params)
>
> EVP_PKEY_cmp_parameters(pkey1, pkey2) (compares params)
>
>
>
> Now the Problem:
>
> Even the tests work the same way, the one with RSA only accept the 
> compare-function “EVP_PKEY_cmp” and not the other one.
>
> The one with DH is only with the “EVP_PKEY_cmp_parameters” successful.
>
>
>
> Question:
>
> Why can the first compare function find the components and params of the RSA 
> structure (and even after the PEM_write_bio…) and not of the DH?
>
> Also, why it’s with the second compare function (only params) the other way 
> around (keys match in DH unit test and not in RSA unit test)?
>
>
>
> Thanks


Re: [openssl-users] EC_KEY_check_key

2018-11-04 Thread Thulasi Goriparthi
>> For such tests, it's always better safe than sorry.

Not sure, if repeating the same test (or the test of the same value)
would add any safety.

Thanks,
Thulasi.
On Fri, 2 Nov 2018 at 16:53, Jakob Bohm via openssl-users
 wrote:
>
> On 02/11/2018 08:50, Thulasi Goriparthi wrote:
> > Hi,
> >
> > I am going through the checks done by EC_KEY_check_key method. I see
> > the following checks in order.
> >
> > 1. Is point at infinity? - reject.
> > 2. Is point not on curve? reject.
> > 3. Is point not in the primary subgroup? reject.
> > 4. If priv key(scalar) available, then check if scalar * G != point.
> > If so, reject.
> >
> > If priv key is available and we do step 4, isn't step 3 redundant? Can
> > we change this to something like this?
> >
> > if (priv key)
> >  step 4
> > else
> > step 3
>
> For such tests, it's always better safe than sorry.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] EC_KEY_check_key

2018-11-02 Thread Thulasi Goriparthi
Hi,

I am going through the checks done by EC_KEY_check_key method. I see
the following checks in order.

1. Is point at infinity? - reject.
2. Is point not on curve? reject.
3. Is point not in the primary subgroup? reject.
4. If priv key(scalar) available, then check if scalar * G != point.
If so, reject.

If priv key is available and we do step 4, isn't step 3 redundant? Can
we change this to something like this?

if (priv key)
step 4
else
   step 3

Thanks,
Thulasi.


Re: [openssl-users] Chinese remainder algorithm

2018-08-01 Thread Thulasi Goriparthi
Hello Jan,

Decide on what your public exponent(e) should be, and either use
RSA_X931_derive_ex() if you are using an older openssl which supports
this function or follow rsa_builtin_keygen() from crypto/rsa/rsa_gen.c
on how to derive private exponent(d) and modulus(n).

By the way, technically, you do not need private exponent(d) for
signing, as you already have CRT components.

What is the function that complained about missing d?

Thanks,
Thulasi.

On 31 July 2018 at 16:19, Jan Bilek  wrote:
> Hi all,
>
> I need to reconstruct public and private keys for data signing operation
> from p, q, dmp1, dmq1 and iqmp. When I fill values in as per below then
> OpenSSL complains about missing d.
>
> RSA* pkey = RSA_new();
> pkey->n = NULL;
> pkey->e = NULL;
> pkey->d = NULL;
>
> pkey->p= BN_bin2bn(secureP.data(), secureP.size(), NULL);
> pkey->q= BN_bin2bn(secureQ.data(), secureQ.size(), NULL);
> pkey->dmp1 = BN_bin2bn(secureDmp1.data(), secureDmp1.size(), NULL);
> pkey->dmq1 = BN_bin2bn(secureDmq1.data(), secureDmq1.size(), NULL);
> pkey->iqmp = BN_bin2bn(secureIqmp.data(), secureIqmp.size(), NULL);
>
> I did my homework on Google/Stackoverflow/OpenSSL docu, but I haven't been
> able to find out any good way to do this, while it is obvious that openssl
> needs to know this by deafult for its internals.
> Would you have any hint on where next with this?
>
> Thank you,
> Jan
>
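An added example (pure Python, not from the thread and not OpenSSL's RSA_X931_derive_ex() or rsa_builtin_keygen()) of what the advice above amounts to: given only p, q, dmp1, dmq1 and iqmp, recover e from dmp1, derive n and d, and sign with the CRT components alone, which is the point that d is not actually needed for the private operation. The two primes are small constructed values standing in for a real key; the assumptions are that p and q are prime and that e is smaller than p-1 and q-1, which holds for any realistic key.

```python
# Added example, not from the thread: rebuild (n, e, d) from the CRT
# components p, q, dmp1, dmq1, iqmp, and sign with the CRT components alone.
# Assumptions: p and q are prime (small constructed primes stand in for a
# real key here) and e < min(p-1, q-1), true of any realistic key.
from math import gcd


def crt_components(p, q, e=65537):
    """What a key generator stores next to p and q; used here only to build demo input."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return d % (p - 1), d % (q - 1), pow(q, -1, p)


def rebuild_from_crt(p, q, dmp1, dmq1, iqmp):
    """Return (n, e, d) from the five CRT parameters.

    e follows from dmp1 alone: dmp1 = d mod (p-1) and e*d = 1 (mod p-1),
    so e = dmp1^-1 (mod p-1). dmq1 must give the same e, and iqmp must be
    q^-1 mod p, or the parameters are inconsistent (or p and q are swapped).
    """
    if pow(q, -1, p) != iqmp:
        raise ValueError("iqmp != q^-1 mod p (parameters swapped or corrupt)")
    e = pow(dmp1, -1, p - 1)
    if pow(dmq1, -1, q - 1) != e:
        raise ValueError("dmp1 and dmq1 imply different public exponents")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return p * q, e, pow(e, -1, lam)


def crt_sign(m, p, q, dmp1, dmq1, iqmp):
    """RSA private operation via Garner recombination: d is never needed."""
    n = p * q
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    m1 = pow(m, dmp1, p)
    m2 = pow(m, dmq1, q)
    h = iqmp * (m1 - m2) % p
    return (m2 + h * q) % n


if __name__ == "__main__":
    p, q = 1000000007, 998244353              # constructed demo primes
    dmp1, dmq1, iqmp = crt_components(p, q)
    n, e, d = rebuild_from_crt(p, q, dmp1, dmq1, iqmp)
    m = 123456789012345                        # constructed message representative
    s = crt_sign(m, p, q, dmp1, dmq1, iqmp)
    print("recovered e =", e, "; d consistent with dmp1/dmq1:",
          d % (p - 1) == dmp1 and d % (q - 1) == dmq1)
    print("CRT signature == m^d mod n:", s == pow(m, d, n),
          "; verifies under e:", pow(s, e, n) == m)
```

The iqmp check is worth keeping in real code: the most common way to end up with "inconsistent" CRT parameters is loading p and q in the wrong order, and the check catches that before any signature is produced.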


Re: [openssl-users] TLS handshake certificate validation options

2018-07-17 Thread Thulasi Goriparthi
Hello,

You can register a verify callback function using
X509_STORE_set_verify_cb() and X509_verify_cert() will call this
function, which can be used to by-pass targeted errors like
X509_V_ERR_INVALID_PURPOSE etc.

Check callb function from apps/x509.c


Thanks,
Thulasi.


On 16 July 2018 at 20:48, Tong  wrote:
> Dear openssl-users:
>
> We have some old certificates that have ill-formed value for the
> subjectAltName extension, causing the TLS handshake to fail.
>
> Are there any options that can be configured to by-pass the parsing of the
> subjectAltName extension (or all the x509v3 extensions) during TLS
> handshake, without disabling the certificate validation all together?
>
> Thanks for any suggestions.
>
>
>


Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

2015-06-10 Thread Thulasi Goriparthi
X509_STORE_add_cert increments the reference count of each cert, but
only by 1.
X509_STORE_free decrements the ref count by 1. So after decrementing, if
ref_count is 0, the certificate will be freed.

Jakob is saying that if you want them to stay even after X509_STORE_free,
explicitly increment the ref count before calling free using something like
below.

CRYPTO_add(certificate->references, 1, CRYPTO_LOCK_X509);


decrement the ref count when you really want to free them and call
X509_free(certificate).


On 10 June 2015 at 10:20, Nayna Jain naynj...@in.ibm.com wrote:

 Thanks Jacob,
 So, does that API do not increment reference count internally itself.

 I mean if I have to explicitly do that, what is the API for that ?

 Thanks  Regards,
 Nayna Jain


 From: Jakob Bohm jb-open...@wisemo.com
 To: openssl-users@openssl.org
 Date: 06/10/2015 09:49 AM
 Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
 also frees the X509 certificates inside it
 Sent by: openssl-users openssl-users-boun...@openssl.org




 On 10/06/2015 05:22, Nayna Jain wrote:


Hi all,

I am using X509_STORE and X509_LOOKUP to verify the certificate and
its chain.

But at the end when I do X509_STORE_free(store)  and
X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
which I added.
But I don't want that, because after that when I immediately try to
access X509* certificate for further operation, then it results in core 
 dump

And if I don't do X509_STORE_free() then it will leave the memory leak.

Let me know how to resolve this and if I misunderstood something.


 X509 objects (and many other objects in the API) are
 reference counted.

 Increment the reference count of each certificate as
 you add it to the X509_STORE, this should make the
 X509 object stay around after X509_STORE_free() frees
 it.

 However there is a shortage of documentation on the
 reference counting functions involved.

 Enjoy

 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  *http://www.wisemo.com*
 http://www.wisemo.com/

 Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

2015-06-10 Thread Thulasi Goriparthi
On 10 June 2015 at 16:47, Jakob Bohm jb-open...@wisemo.com wrote:

  On 10/06/2015 12:41, Thulasi Goriparthi wrote:

   X509_STORE_add_cert increments the reference count of each cert,
 but only by 1.

 Sounds like there should be X509_STORE_add0_cert() and
 X509_STORE_add1_cert() like for other parts of the library.

  X509_STORE_free decrements the ref count by 1. So after decrementing, if
 ref_count is 0, certificate will be freed.

 Jakob is saying that if you want them to stay even after X509_STORE_free,
 explicitly increment the ref count before calling free using something like
 below.

   Interesting!  I assumed (based on the standard
 refcounting paradigm) that the reference count of a
 new object would be 1, and that some API (perhaps
 X509_free()) would decrement and free if it hit 0.


Yes. You are correct.  STORE_free, just decrements the ref count and calls
X509_free.
X509_free in turn checks if ref count is only 1 (in reference to the one
incremented by new) before proceeding with free. If it is, it will
decrement ref_count and proceed to free.


  CRYPTO_add(certificate->references, 1, CRYPTO_LOCK_X509);

   Is there really no proper API wrapping this?


I couldn't find any right now. There is X509_OBJECT_up_ref_count() which
takes care of X509_OBJECT s. But that requires allocating  X509_OBJECT and
copying X509 over there.


  decrement the ref count when you really want to free them and call
 X509_free(certificate).

   Is there really no proper API wrapping this?


 On 10 June 2015 at 10:20, Nayna Jain naynj...@in.ibm.com wrote:

  Thanks Jacob,
 So, does that API do not increment reference count internally itself.

 I mean if I have to explicitly do that, what is the API for that ?

 Thanks  Regards,
 Nayna Jain


 From: Jakob Bohm jb-open...@wisemo.com
 To: openssl-users@openssl.org
 Date: 06/10/2015 09:49 AM
 Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
 also frees the X509 certificates inside it
 Sent by: openssl-users openssl-users-boun...@openssl.org




 On 10/06/2015 05:22, Nayna Jain wrote:


Hi all,

I am using X509_STORE and X509_LOOKUP to verify the certificate and
its chain.

But at the end when I do X509_STORE_free(store)  and
X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
which I added.
But I don't want that, because after that when I immediately try to
access X509* certificate for further operation, then it results in core 
 dump

And if I don't do X509_STORE_free() then it will leave the memory
leak.

Let me know how to resolve this and if I misunderstood something.


 X509 objects (and many other objects in the API) are
 reference counted.

 Increment the reference count of each certificate as
 you add it to the X509_STORE, this should make the
 X509 object stay around after X509_STORE_free() frees
 it.

 However there is a shortage of documentation on the
 reference counting functions involved.



 Enjoy

 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
 Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

2015-06-10 Thread Thulasi Goriparthi
On 10 June 2015 at 18:05, Thulasi Goriparthi thulasi.goripar...@gmail.com
wrote:



 On 10 June 2015 at 16:47, Jakob Bohm jb-open...@wisemo.com wrote:

  On 10/06/2015 12:41, Thulasi Goriparthi wrote:

   X509_STORE_add_cert increments the reference count of each cert,
 but only by 1.

 Sounds like there should be X509_STORE_add0_cert() and
 X509_STORE_add1_cert() like for other parts of the library.

  X509_STORE_free decrements the ref count by 1. So after decrementing,
 if ref_count is 0, certificate will be freed.

 Jakob is saying that if you want them to stay even after X509_STORE_free,
 explicitly increment the ref count before calling free using something like
 below.

   Interesting!  I assumed (based on the standard
 refcounting paradigm) that the reference count of a
 new object would be 1, and that some API (perhaps
 X509_free()) would decrement and free if it hit 0.


 Yes. You are correct.  STORE_free, just decrements the ref count and calls
 X509_free.
 X509_free in turn checks if ref count is only 1 (in reference to the one
 incremented by new) before proceeding with free. If it is, it will
 decrement ref_count and proceed to free.


Correction: X509_free or any free, just decrements the ref_count first and
then if it is 0, it will proceed to real free. So, if there is any explicit
up ref count, there is no need to decrement it (shouldn't be decremented)
before calling X509_free



  CRYPTO_add(certificate->references, 1, CRYPTO_LOCK_X509);

   Is there really no proper API wrapping this?


 I couldn't find any right now. There is X509_OBJECT_up_ref_count() which
 takes care of X509_OBJECT s. But that requires allocating  X509_OBJECT and
 copying X509 over there.


  decrement the ref count when you really want to free them and call
 X509_free(certificate).

 Sorry for the confusion, decrementing ref count wouldn't be required.

   Is there really no proper API wrapping this?


 On 10 June 2015 at 10:20, Nayna Jain naynj...@in.ibm.com wrote:

  Thanks Jacob,
 So, does that API do not increment reference count internally itself.

 I mean if I have to explicitly do that, what is the API for that ?

 Thanks  Regards,
 Nayna Jain


 From: Jakob Bohm jb-open...@wisemo.com
 To: openssl-users@openssl.org
 Date: 06/10/2015 09:49 AM
 Subject: Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free()
 also frees the X509 certificates inside it
 Sent by: openssl-users openssl-users-boun...@openssl.org




 On 10/06/2015 05:22, Nayna Jain wrote:


Hi all,

I am using X509_STORE and X509_LOOKUP to verify the certificate and
its chain.

But at the end when I do X509_STORE_free(store)  and
X509_LOOKUP_free(lookup), it is also doing free of the X509* certificate
which I added.
But I don't want that, because after that when I immediately try to
access X509* certificate for further operation, then it results in core 
 dump

And if I don't do X509_STORE_free() then it will leave the memory
leak.

Let me know how to resolve this and if I misunderstood something.


 X509 objects (and many other objects in the API) are
 reference counted.

 Increment the reference count of each certificate as
 you add it to the X509_STORE, this should make the
 X509 object stay around after X509_STORE_free() frees
 it.

 However there is a shortage of documentation on the
 reference counting functions involved.



 Enjoy

 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
 Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 WiseMo - Remote Service Management for PCs, Phones and Embedded




Re: [openssl-users] X509_STORE_free() and X509_LOOKUP_free() also frees the X509 certificates inside it

2015-06-10 Thread Thulasi Goriparthi
On 10 June 2015 at 18:45, Viktor Dukhovni openssl-us...@dukhovni.org
wrote:

 On Wed, Jun 10, 2015 at 04:11:45PM +0530, Thulasi Goriparthi wrote:

  Jakob is saying that if you want them to stay even after X509_STORE_free,
  explicitly increment the ref count before calling free using something
 like
  below.
 
  CRYPTO_add(certificate->references, 1, CRYPTO_LOCK_X509);

 That should be:

 CRYPTO_add(&certificate->references, 1, CRYPTO_LOCK_X509);

 the references parameter should be a pointer.


Thank you for the correction.


 --
 Viktor.


Re: [openssl-users] External encryption chip and EC{DSA, DH} (with engine?)

2015-06-03 Thread Thulasi Goriparthi
Thanks Remy for asking the question in my mind.

ENGINE_set_default_EC_METHOD will be perfect to offload EC Point
multiplication, doubling and addition offered by some h/w crypto
accelerators.

Hi Matt,

What is the reason to keep ec_method, ecdh_method and ecdsa_method
structure definitions in local header files ec_locl.h, ech_locl.h and
ecs_locl.h respectively unlike their peers.. dh_method, dsa_method,
rsa_meth_st and rand_meth_st which are defined in exported header files?

ENGINE_set_default_EC_METHOD is a really nice idea. Even if it is not
immediate, please discuss the possibility of having this with your team.

Thanks,
Thulasi.


On 3 June 2015 at 18:28, Matt Caswell m...@openssl.org wrote:




 On 03/06/15 06:32, Rémy Grünblatt wrote:
  Hello. I have a custom external hardware encryption chip that can
  computes some operations like the addition of two points, the
  inverse of one point, etc.
 
  I read that if I want to move some calculus from openssl to this
  chip, Openssl engines are the way to go.
 
  By defining a custom EC_METHOD, for example, I can just move the
  inverse on the chip while keeping other functions in openssl
  (not moving them). Still, how do I ask to my Engine to use this
  new custom EC_METHOD  ?
 
  I see functions like ENGINE_set_default_ECDSA, or
  ENGINE_set_default_ECDH, but I don't want to change thoses, only
  the underlying EC_METHOD which is used for calculus.
 
  I do not know if it's clear, but what i'm searching for is a kind
  of ENGINE_set_default_EC_METHOD which could be used by the tests
  from ectest.c, for example. Any idea ?

 Unfortunately, I don't think such a thing exists. In fact the
 definition of EC_METHOD is not defined in any public header file so it
 is not currently possible to provide your own version without hacking
 OpenSSL itself.

 Matt


Re: [openssl-users] ECDSA with random number

2015-05-07 Thread Thulasi Goriparthi
Hi Piotr,

As you have found out, choosing the per message random number in ECDSA
signature is crucial for the security of private key.

Leaving this responsibility on users is dangerous. This is the reason you
won't find any crypto API to feed the random number for ECDSA signature.

If you want to see how ECDSA is implemented, refer crypto/ecdsa/ecs_ossl.c.

Signature is generated in the following two steps.

ecdsa_sign_setup:
-- chooses the random number (k) and generates the first part of the ECDSA
signature (r).
-- returns inverse of k(required to generate second part of signature) and r

ecdsa_do_sign:
-- uses k inverse and r (received from ecdsa_sign_setup) to generate the
second part of the signature(s).


Thanks,
Thulasi.

On 7 May 2015 at 13:58, Piotr Łobacz piotr.lob...@radmor.com.pl wrote:

 As in the subject is it possible to generate signature with given random
 number? According to the documentation of ECDSA uses RNG so it would be
 difficult to find out private key from signature but i want just to test
 my data to check if signature is being generated properly and i have'nt
 found any possible place where i would be able to pass random value. Any
 ideas?
 --

 
 Piotr Łobacz

 Biuro Systemów i Oprogramowania

 RADMOR S.A.

 tel. (58) 6996 929

 e-mail: piotr.lob...@radmor.com.pl

 www.radmor.com.pl




 RADMOR S.A., ul. Hutnicza 3, 81-212 Gdynia

 NIP: 586-010-21-39

 REGON: 190432077

 KRS: 074029 (Sąd Rejonowy Gdańsk-Północ w Gdańsku)

 Kapitał zakładowy wpłacony: 9 282 830 PLN

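An added example (pure Python on NIST P-256, not from the thread and not OpenSSL code) modelling the ecdsa_sign_setup()/ecdsa_do_sign() split described in the reply above and, since it needs the same point arithmetic, the four checks of EC_KEY_check_key() from the 2018 thread earlier on this page. It also shows the reason no API takes k from the caller: two signatures under one k hand over the private scalar. The curve constants are the published P-256 parameters; D and K are constructed values, and the arithmetic is a plain affine double-and-add with no side-channel protection.

```python
# Added example, not from the thread: pure-Python model of EC_KEY_check_key()
# and of the ecdsa_sign_setup()/ecdsa_do_sign() split, on NIST P-256.
# Affine double-and-add, no side-channel protection; D and K are constructed.
import hashlib

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine addition; also covers doubling and P + (-P) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def ec_key_check(pub, priv=None):
    """The four EC_KEY_check_key() checks, in the order the 2018 thread lists them."""
    if pub is INF:
        return "point at infinity"
    if not on_curve(pub):
        return "point not on curve"
    if mul(N, pub) is not INF:
        return "point not in the prime-order subgroup"
    if priv is not None and mul(priv, G) != pub:
        return "priv * G != pub"
    return "ok"

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign_setup(k):
    """Step 1: from nonce k compute r = (k*G).x mod n; return (k^-1, r)."""
    if not 1 <= k < N:
        raise ValueError("k out of range")
    r = mul(k, G)[0] % N
    if r == 0:
        raise ValueError("r == 0, choose another k")
    return pow(k, -1, N), r

def ecdsa_do_sign(e, d, kinv, r):
    """Step 2: s = k^-1 * (e + r*d) mod n from what step 1 returned."""
    s = kinv * (e + r * d) % N
    if s == 0:
        raise ValueError("s == 0, choose another k")
    return r, s

def ecdsa_verify(e, pub, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(e * w % N, G), mul(r * w % N, pub))
    return x is not INF and x[0] % N == r

def recover_priv_from_nonce_reuse(e1, sig1, e2, sig2):
    """Two signatures under the same k (same r) on different messages leak d."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2 or (s1 - s2) % N == 0:
        raise ValueError("signatures do not share a nonce")
    k = (e1 - e2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - e1) * pow(r, -1, N) % N

D = 0x1d2e3f40516273849596a7b8c9dae0f10213243546576879808192a3b4c5d6e7  # constructed
K = 0x6f5e4d3c2b1a09f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a3928170  # constructed

if __name__ == "__main__":
    pub = mul(D, G)
    print("EC_KEY_check_key:", ec_key_check(pub, D))
    e1, e2 = hash_to_int(b"first message"), hash_to_int(b"second message")
    kinv, r = ecdsa_sign_setup(K)
    sig1, sig2 = ecdsa_do_sign(e1, D, kinv, r), ecdsa_do_sign(e2, D, kinv, r)
    print("verify:", ecdsa_verify(e1, pub, sig1), ecdsa_verify(e2, pub, sig2))
    print("reused k leaks d:", recover_priv_from_nonce_reuse(e1, sig1, e2, sig2) == D)
```

Passing K explicitly is fine for a known-answer test harness like the one Piotr asked about, but the moment the same K reaches ecdsa_do_sign() twice the last function recovers D from the two signatures alone, which is why the production path keeps k inside ecdsa_sign_setup().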


[openssl-users] access to ecdh_method and ecdsa_method structure definitions

2015-04-20 Thread Thulasi Goriparthi
Hi all,

What is the reason behind keeping ecdh_method and ecdsa_method structure
definitions in local header files ech_locl.h and ecs_locl.h respectively
unlike their peers.. dh_method, dsa_method, rsa_meth_st and rand_meth_st
which are defined in exported header files?

Thanks,
Thulasi.


Re: [openssl-users] Help with using a dynamic engine with SSL_CTX

2014-12-12 Thread Thulasi Goriparthi
I had similar trouble a while ago.

I understood that if a crypto/ssl application needs to use a RAND method before
the intended engine is loaded, default_RAND_method would be populated with
RAND_SSLeay().

ENGINE_set_RAND wouldn't overwrite this, as the rand wrappers prefer
default_RAND_method to the engine's default RAND method.

So, one needs to explicitly call either
RAND_set_rand_method(rand_method_pointer), if one can directly access the
engine's rand method, or RAND_set_rand_engine(e), where e is the preferred
engine's reference.

Thanks,
Thulasi.

On 10 December 2014 at 22:05, Brian Watson bwats9...@gmail.com wrote:

 I checked and ENGINE_set_RAND function is being called. What I can't
 figure out is the following:

 1. RAND_get_rand_method() is called to get the random method and in a
 normal case default_RAND_METHOD would be null which would cause code to
 call ENGINE_get_rand() to be called to get the random method for the engine
 associated for RAND.
 2. In my particular case something has already caused default_RAND_METHOD
 to be populated before I load my engine and the only place I see that it
 can get reset is via RAND_set_rand_method() which can be called by
 RAND_cleanup() and ENGINE_cleanup().

 Any ideas?

 On Wed, Dec 10, 2014 at 8:25 AM, Brian Watson bwats9...@gmail.com wrote:

 I didn't call that one, but I'll give it a try. I also read that if
 someone subsequently calls ENGINE_load_builtin_engines() that it'll reset
 things back to how they were, so I'll look at that also.

 Thanks,
   BW

 On Wed, Dec 10, 2014 at 1:06 AM, Dmitry Belyavsky beld...@gmail.com
 wrote:

 Hello Brian,

 Do you call ENGINE_set_RAND function?

 On Tue, Dec 9, 2014 at 11:19 PM, Brian Watson bwats9...@gmail.com
 wrote:

 I thought that's what the following does:

 ENGINE_set_default(engine, ENGINE_METHOD_RAND).

 I'm also trying to figure out in rand_lib.c and RAND_get_rand_method()
 what causes default_RAND_meth to change.

 Thanks,
BW

 On Tue, Dec 9, 2014 at 1:52 PM, Dmitry Belyavsky beld...@gmail.com
 wrote:

 Hello!

 Do you set your RNG as default when the engine is loaded?

 On Tue, Dec 9, 2014 at 10:44 PM, Brian Watson bwats9...@gmail.com
 wrote:

 Hi,
I am doing the following:

 1. I have a dynamic engine that I would like to use to produce random
 numbers on Android (aosp).
 2. I can successfully load the dynamic engine by using the Android
 OpenSSLEngine.getInstance() which takes care of loading the engine and I
 can see that the binding is there via bind_engine and bind_helper via some
 debug prints that I have put in the engine. I follow this up by calling
 ENGINE_set_default() for ENGINE_METHOD_RAND. I am using the Apache Harmony
 jsse library.
 3. Some time later there is a call to SSL_CTX_new() which starts the
 process of establishing the TLS session, etc.
 4. I would like to see my random number generator get invoked to
 provide random numbers when needed, but for some reason the ssleay one is
 being called.
 5. I can open an adb shell and run the openssl command and explicitly
 load the engine via:

 openssl engine dynamic -pre
 SO_PATH:/system/lib/ssl/engines/MyEngine.so -pre ID:myengine -pre LOAD
 With this I see my random number generator get used, but when I try to do
 this programatically it doesn't get called.


 I have a couple of questions:


 1. Should this work even when using the SSL_CTX... api's?

 2. Am I setting up the engine too soon and then the SSL_CTX..
 commands clear them out?


 I've looked around a lot so any help would be greatly appreciated!


 Thanks,

BW

 ___
 openssl-users mailing list
 openssl-users@openssl.org
 https://mta.opensslfoundation.net/mailman/listinfo/openssl-users




 --
 SY, Dmitry Belyavsky

















Re: [openssl-users] Any way to create a large encrypted finish message?

2014-12-11 Thread Thulasi Goriparthi
One can't change the encrypted Finished size unless one is using variable
padding. The encrypted Finished size depends on 3 parameters: protocol version,
cipher type, and MAC type.

Protocol version decides if an explicit IV is included in the record and the
unencrypted Finished message size.
For SSL3 and TLS1.0, there wouldn't be any explicit IV.
For SSL3, the unencrypted Finished size would be 40 bytes (4 (handshake
header) + 16 (MD5 hash) + 20 (SHA hash)) and for other protocols it will be 16
bytes (4 (handshake header) + 12 bytes (xor of MD5 and SHA1 hashes)).

Cipher type decides if the data needs to be padded or not. If it is a block
cipher, there would be 1 block of mandatory padding of block length (16 for AES,
8 for DES). It also decides the explicit IV length.

MAC (hash) type decides the length of the MAC tag that will be appended to
the unencrypted data before padding.

For TLS1.2, AES256-SHA/AES128-SHA, the encrypted Finished message consists
of 16 byte explicit IV + 16 byte Finished message + 20 byte hash + 16 byte
mandatory padding. So, it will be 68 bytes.

For DES-CBC3-SHA, it will be 8 byte explicit IV + 16 byte Finished message
+ 20 byte hash + 8 byte mandatory padding, i.e. it will be 52 bytes.

Thanks,
Thulasi.

On 11 December 2014 at 04:15, Vyas Pentakota npent...@brocade.com wrote:

  Hi

 I am working on issue involving openssl TLS 1.2 finish message decryption.
 I was wondering if anyone can tell me how I can generate “encrypted
 handshake message” (client finish message) record larger than 64 bytes
  only using RSA AES256-SHA/ AES128-SHA/DES-CBC3-SHA.

 Your suggestion is greatly appreciated.

 Thank you

 Vyas







Re: [openssl-users] Any way to create a large encrypted finish message?

2014-12-11 Thread Thulasi Goriparthi
A correction regarding padding.

On 11 December 2014 at 16:53, Thulasi Goriparthi 
thulasi.goripar...@gmail.com wrote:

 One can't change the encrypted Finished size unless one is using variable
 padding. The encrypted Finished size depends on 3 parameters: protocol version,
 cipher type, and MAC type.

 Protocol version decides if an explicit IV is included in the record and the
 unencrypted Finished message size.
 For SSL3 and TLS1.0, there wouldn't be any explicit IV.
 For SSL3, the unencrypted Finished size would be 40 bytes (4 (handshake
 header) + 16 (MD5 hash) + 20 (SHA hash)) and for other protocols it will be 16
 bytes (4 (handshake header) + 12 bytes (xor of MD5 and SHA1 hashes)).

 Cipher type decides if the data needs to be padded or not. If it is a block
 cipher, there would be 1 block of mandatory padding of block length (16 for AES,
 8 for DES). It also decides the explicit IV length.

 MAC (hash) type decides the length of the MAC tag that will be appended to
 the unencrypted data before padding.

 For TLS1.2, AES256-SHA/AES128-SHA, the encrypted Finished message consists
 of 16 byte explicit IV + 16 byte Finished message + 20 byte hash + 16 byte
 mandatory padding. So, it will be 68 bytes.

 In this case, there would only be 12 bytes of padding as the record is already
36 bytes, making it 64 bytes.


 For DES-CBC3-SHA, it will be 8 byte explicit IV + 16 byte Finished message
 + 20 byte hash + 8 byte mandatory padding, i.e. it will be 52 bytes.

 Same here, there would only be 12 bytes of padding as the record is already 36
bytes, making it 64 bytes.

 Thanks,
 Thulasi.

 On 11 December 2014 at 04:15, Vyas Pentakota npent...@brocade.com wrote:

  Hi

 I am working on issue involving openssl TLS 1.2 finish message
 decryption. I was wondering if anyone can tell me how I can generate
 “encrypted handshake message” (client finish message) record larger than 64
 bytes  only using RSA AES256-SHA/ AES128-SHA/DES-CBC3-SHA.

 Your suggestion is greatly appreciated.

 Thank you

 Vyas






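A calculator for the record sizes worked out in the two replies above, added here as an illustration rather than anything from the thread; the suite table, the function names and the `extra_blocks` / `with_record_header` parameters are my own. It applies the padding rule of RFC 5246 section 6.2.3.2 (padding bytes plus the padding_length byte, the smallest amount that reaches a block boundary, which is what OpenSSL emits unless told otherwise), adds the explicit IV from TLS 1.1 on, and models the variable padding mentioned above as whole extra blocks, capped at the 256-byte TLS limit and refused for SSL 3.0, which requires the padding to be shorter than a block. `AES128-SHA256` goes beyond the suites named in the question to show what a SHA-256 MAC does to the size.

```python
"""Size of the encrypted Finished record for CBC cipher suites (SSL 3.0 to TLS 1.2)."""

# (block size, MAC length) for the suites discussed in the thread; extend for other CBC suites.
CBC_SUITES = {
    "AES256-SHA": (16, 20),
    "AES128-SHA": (16, 20),
    "DES-CBC3-SHA": (8, 20),
    "AES128-SHA256": (16, 32),   # TLS 1.2 only: SHA-256 MAC
}

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
RECORD_HEADER = 5   # content type (1) + version (2) + length (2)


def finished_plaintext_len(version):
    """Handshake header (4) plus verify_data: MD5+SHA-1 (36) for SSL 3.0, 12 bytes for TLS."""
    return 4 + (36 if version == SSL3 else 12)


def cbc_padding_len(unpadded_len, block, extra_blocks, version):
    """Padding including the trailing padding_length byte: the smallest amount (1..block)
    that reaches a block boundary, plus optional whole extra blocks of variable padding."""
    pad = block - unpadded_len % block
    if extra_blocks:
        if version == SSL3:
            raise ValueError("SSL 3.0 forbids padding of a full block or more")
        pad += extra_blocks * block
        if pad > 256:
            raise ValueError("TLS padding (with its length byte) cannot exceed 256 bytes")
    return pad


def encrypted_finished_len(version, suite, extra_blocks=0, with_record_header=False):
    """Length of the encrypted Finished fragment (or the whole record) for a CBC suite."""
    block, mac_len = CBC_SUITES[suite]
    explicit_iv = block if version >= TLS11 else 0      # TLS 1.1+ carries an explicit IV
    mac_and_data = finished_plaintext_len(version) + mac_len
    pad = cbc_padding_len(mac_and_data, block, extra_blocks, version)
    fragment = explicit_iv + mac_and_data + pad
    return fragment + (RECORD_HEADER if with_record_header else 0)


def records_over(limit, version=TLS12):
    """Suites whose Finished fragment already exceeds `limit` bytes with minimal padding."""
    return [s for s in CBC_SUITES if encrypted_finished_len(version, s) > limit]


if __name__ == "__main__":
    for name, ver in (("SSL3", SSL3), ("TLS1.0", TLS10), ("TLS1.1", TLS11), ("TLS1.2", TLS12)):
        for suite in CBC_SUITES:
            if suite == "AES128-SHA256" and ver != TLS12:
                continue
            print(f"{name:7} {suite:14} {encrypted_finished_len(ver, suite):3} bytes")
```

`records_over(64)` shows which suites already pass the 64-byte figure from the question with minimal padding; for the others only extra padding blocks or a longer MAC get the fragment past it.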


Re: EVP_verify APIs

2014-10-27 Thread Thulasi Goriparthi
On 27 October 2014 14:03, Gayathri Manoj gayathri.an...@gmail.com wrote:

 Hi All,

 How can I replace RSA_public_decrypt() with EVP_Verify*().

 I  wanted to replace the below api with EVP_verify*()

 RSA_public_decrypt(Len, SgnData, dBuffer,  rsa_pub_key, RSA_PKCS1_PADDING);

 I have tried with

 EVP_MD_CTX md_ctx;
 unsigned char *decryptBuf = NULL;
 EVP_PKEY *pubKey = NULL;
 pubKey = X509_get_pubkey(X509cert);
 decryptBuf = (uchar *) malloc(EVP_MD_size(EVP_sha1()));

 EVP_VerifyInit(&md_ctx, EVP_sha1());
 EVP_VerifyUpdate(&md_ctx, dBuffer, strlen(dBuffer)-1);
 errorCode = EVP_VerifyFinal(&md_ctx, SgnData, Len, pubKey);

 Getting errorCode as 0. ERR[bad signature]

 certificate's Signature Algorithm is SHA256withRSA

Why are you using EVP_sha1() while allocating decryptBuf and in
EVP_VerifyInit() if signature alg is SHA256-RSA?


 Please let me know how can I solve this issue.

 Thanks,
 Gayathri



Re: Apache SSL proxy to Weblogic fails

2014-09-23 Thread Thulasi Goriparthi
On 19 September 2014 22:34, Stromas, Aaron aaron.stro...@rsa.com wrote:

  Greetings,



 I am looking for help with a problem I've run into using
 mod_proxy/mod_ssl. The Apache HTTP server on SLES 11 SP3 64 bit, OpenSSL
 1.0.1f, acts as SSL proxy to the Weblogic 10.3 running on Redhat. The
 mod_ssl is configured correctly - it works when proxying SSL connections
 to non-SSL servers. Also, the certificate on the proxy was issued with
 extensions allowing it to be used as both SSL client and server.



 Yet, the Apache proxy fails connection over SSL to the Weblogic’s HTTPS
 port. Below is the excerpt from the Apache errors log. Any advice will be
 greatly appreciated. TIA



 [Thu Sep 18 09:32:14 2014] [debug] mod_proxy.c(1036): Running scheme https
 handler (attempt 0)

 [Thu Sep 18 09:32:14 2014] [debug] mod_proxy_http.c(1995): proxy: HTTP:
 serving URL https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2022): proxy: HTTPS: has
 acquired connection for (appdev2.example.com)

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2078): proxy: connecting
 https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user to
 appdev2.example.com:8102

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2236): proxy: connected
 /auth/logon.jsp?aa_param=user to appdev2.example.com:8102

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2487): proxy: HTTPS: fam 2
 socket created to connect to appdev2.example.com

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2619): proxy: HTTPS:
 connection complete to 10.40.0.224:8102 (appdev2.example.com)

 [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection to child
 0 established (server aaproxiedel1:443)

 [Thu Sep 18 09:32:14 2014] [info] Seeding PRNG with 144 bytes of entropy

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1090): [client
 10.40.0.224] SNI extension for SSL Proxy request set to '
 appdev2.example.com'

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL:
 Handshake: start

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL:
 Loop: before/connect initialization

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL:
 Loop: SSLv2/v3 write client hello A

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read
 7/7 bytes from BIO#994fe0 [mem: 9ea880] (BIO dump follows)

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1872):
 +-+

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1911): | : 15 03 00
 00 02 02 28 ..(  |

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1917):
 +-+

Content type 0x15 is alert.

  [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1916): OpenSSL:
 Read: SSLv2/v3 read server hello A

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL:
 Exit: error in SSLv2/v3 read server hello A

 [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] SSL Proxy connect
 failed

 [Thu Sep 18 09:32:14 2014] [info] SSL Library Error: 336032784
 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
 failure

 [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection closed
 to child 0 with abortive shutdown (server aaproxiedel1:443)

 [Thu Sep 18 09:32:14 2014] [error] (502)Unknown error 502: proxy: pass
 request body failed to 10.40.0.224:8102 (appdev2.example.com)

 [Thu Sep 18 09:32:14 2014] [error] [client 141.1.3.134] proxy: Error
 during SSL Handshake with remote server returned by /auth/logon.jsp

 [Thu Sep 18 09:32:14 2014] [error] proxy: pass request body failed to
 10.40.0.224:8102 (appdev2.example.com) from 141.1.3.134 ()

 [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2040): proxy: HTTPS: has
 released connection for (appdev2.example.com)

 [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1921): OpenSSL:
 Write: SSL negotiation finished successfully

 [Thu Sep 18 09:32:14 2014] [info] [client 141.1.3.134] Connection closed
 to child 2 with standard shutdown (server aaproxiedel1:443)



 Best regards,



 -a
  --

 Aaron Stromas | RSA, The Security Division of EMC | Practice
 Consultant | Identity & Fraud Protection Practice | M: 240 271 64 58 |
 aaron.stro...@rsa.com
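The seven bytes in the BIO dump are a complete TLS record, and decoding them gives the whole diagnosis that the log spells out later: content type 0x15 is alert, the version field is 03 00, the length is 2, and the two-byte fragment 02 28 is a fatal (2) handshake_failure (0x28 = 40) alert. The server refused the ClientHello before sending a ServerHello, which is what SSL23_GET_SERVER_HELLO then reports. The decoder below is an added example, not part of the thread or of mod_ssl; the constant names are mine and the alert table covers only the descriptions I am sure of.

```python
"""Decode a raw TLS/SSL record as dumped by mod_ssl ("BIO dump follows") or `openssl s_client -msg`."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled", 112: "unrecognized_name",
}

# The seven bytes from the mod_ssl debug log in the thread.
CAPTURED_RECORD = bytes.fromhex("15 03 00 00 02 02 28")


def parse_record(buf):
    """Split off one record: a 5-byte header followed by `length` bytes of fragment."""
    if len(buf) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type 0x{ctype:02x}")
    if length > 2 ** 14 + 2048:          # TLS 1.2 hard limit on an encrypted fragment
        raise ValueError("record length exceeds the TLS maximum")
    if len(buf) < 5 + length:
        raise ValueError("truncated record")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor),
            "fragment": buf[5:5 + length], "rest": buf[5 + length:]}


def parse_alert(fragment):
    """A plaintext alert is exactly two bytes: level, description."""
    if len(fragment) != 2:
        raise ValueError("alert fragment must be 2 bytes")
    level, desc = fragment
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"), "code": desc}


def explain(buf):
    """One-line summary of the first record in `buf`."""
    rec = parse_record(buf)
    ver = VERSIONS.get(rec["version"], f"version {rec['version']}")
    if rec["type"] != "alert":
        return f"{rec['type']} record, {ver}, {len(rec['fragment'])} byte fragment"
    alert = parse_alert(rec["fragment"])
    return f"{alert['level']} alert {alert['description']} ({alert['code']}), record version {ver}"


if __name__ == "__main__":
    print(explain(CAPTURED_RECORD))
```

The next step after reading such an alert is to reproduce it outside Apache with `openssl s_client -connect host:port -msg`, narrowing the protocol (-ssl3, -tls1) and cipher list (-cipher) until the server accepts the hello, which tells you what the proxy's SSLProxy* settings have to offer.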





Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-15 Thread Thulasi Goriparthi
SSLv23_client_method supports all protocols by default and connects using
the highest protocol that the server supports (as received in the ServerHello).

I suggest you try disabling TLS 1.0 along with SSL2 if you want to force
your client to use SSL3 without changing the context's method.
SSL_CTX_set_options(ctx, SSL_OP_ALL |
 SSL_OP_NO_SSLv2 |
 SSL_OP_NO_TLSv1);

If the server supports TLS1.1 and TLS 1.2, update the client ctx options to
use SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 also.



On 12 September 2014 18:01, abhijit pai abhijitpa...@gmail.com wrote:

 Hello All,

 I am using openSSL in my custom HTTP client.
 Here I use SSLv23_client_method() and disable SSLv2 using
 SSL_CTX_set_options(ctx, SSL_OP_ALL| SSL_OP_NO_SSLv2)

 I would expect the handshake method sent out to the server be SSL v3.0
 but to my surprise it is TLS 1.0, which for some reasons the server
 does not support.

 This is a generic code, that would talk to even TLS 1.x enabled
 servers, so I cannot fix it using SSLv3_client_method().

 Is there any other API that I am not aware of that could help me achieve
 it?

 Thanks in advance!


 Regards,
 Abhijit
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org



Re: openssl sess_id failed

2014-09-15 Thread Thulasi Goriparthi
Assuming you are not using your own session id generation callback
function, I guess there is something wrong with your rand function/method
which is not able to generate a unique session id in 10 attempts.

-- Debug def_generate_session_id function in ssl/ssl_sess.c
-- Debug RAND_pseudo_bytes and see if it is really generating rand bytes.
See if you have seeded the rand function or not.

Thanks,
Thulasi.

2014-09-12 12:44 GMT+05:30 yu.wang alber...@bluectrl.com:

  Dear Sir,

 The OpenSSL version I use is openssl 1.0.1i, on the RTEMS operating system. When I
 use OpenSSL for HTTP network communication, the following error occurs:

 error:140B512D:SSL routines:ssl_get_new_session:ssl session id
 callback failed

 I don't know what causes this, but the same code runs fine with OpenSSL 0.9.7d from 2004, with no errors.

 Looking forward to your answer!

 Thanks !

 Best Regards,
  yu.wang
 Tel:  18817881895



Re: Segfaults using EVP_PKEY in concurrent threads

2014-08-31 Thread Thulasi Goriparthi
Thread callback functions are missing.

The OpenSSL FAQ says:

Multi-threaded applications must provide two callback functions to OpenSSL
by calling CRYPTO_set_locking_callback() and CRYPTO_set_id_callback(), for
all versions of OpenSSL up to and including 0.9.8[abc...].

As of version 1.0.0, CRYPTO_set_id_callback() and associated APIs are
deprecated by CRYPTO_THREADID_set_callback() and friends. This is described
in the threads(3) manpage.

Detailed info can be found in doc/crypto/threads.pod.




On Sat, Aug 30, 2014 at 5:30 PM, Ralf r...@ramses-pyramidenbau.de wrote:

 Hi there,

 I have some problems with concurrent access to a EVP_PKEY*.

 My intention:
 My application uses one EVP_PKEY* from several threads at the same time
 in order to generate several md-signatures at once.
 I had a deeper look into openssl's sources and actually it should be
 locked.

 Here's an absolutely minimal reconstruction of my problem: [1]

 You have a 50% chance that this application will segfault. Additionally
 it seems to be a Heisenbug, as it does not segfault when being debugged.
 In my case, I always used ECDSA private keys.
 (This application actually makes no sense, but it's the minimal
 reconstruction of my problem.)

 Why does it segfault? What am I doing wrong?
 My quick 'n dirty fix was to serialize access to the EVP_PKEY*, but this
 makes my application damn slow. And there's no EVP_PKEY_dup()
 function...

 [1] http://pastebin.com/4zPaUEp7

 Thanks in advance!
   Ralf




Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Thulasi Goriparthi
$ openssl genrsa 2048 > key.pem
$ openssl req -new -x509 -key key.pem -out cert.pem -sha256


On Tue, Aug 12, 2014 at 11:08 AM, Abdul Anshad ab...@visolve.com wrote:

 Could you please provide me the steps for creating a self signed
 certificate meeting the current FIPS standard ?

 Thank you for the response.

 Regards,
 Abdul


 On 12-Aug-14 3:02 AM, Kurt Cancemi wrote:

 You're using a SHA-1 signed certificate; the current FIPS standard
 mandates a SHA-256 (SHA-2) signed certificate with a key size >= 2048 bits.

 ---
 Kurt Cancemi
 https://www.x64Architecture.com


 On Mon, Aug 11, 2014 at 5:24 AM, Abdul Anshad ab...@visolve.com wrote:

 Hello All,

 I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I try
 to start the http server with FIPS mode I get the following error.

 [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: suEXEC mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
 [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode failed
 [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)
 [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal error initialising mod_ssl, exiting.
 AH00016: Configuration Failed

 Could somebody help me out with this issue ? Thanks in advance.

 --
 Regards,
 Abdul


 ---
 This email is free from viruses and malware because avast! Antivirus
 protection is active.
 http://www.avast.com

 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-...@openssl.org
 Automated List Manager   majord...@openssl.org







Re: Handshake finish msg

2014-08-12 Thread Thulasi Goriparthi
Assuming that by "finish" you mean the Handshake Finished messages of the SSL/TLS
protocol, I assure you, you can see them with openssl too.

Implementations can't (won't deliberately) change the protocol.

Run s_server and s_client of openssl with the -msg -debug -state options to see
the handshake messages exchanged in detail.

$ openssl s_server -cert cert.pem -key key.pem -msg -debug -state
$ openssl s_client -cipher '<cipher-suite>' -msg -debug -state


On Tue, Aug 12, 2014 at 1:41 AM, Idan Freiberg spe...@gmail.com wrote:

 hi all,

 I did a little comparison between Microsoft's handshake process and OpenSSL's.
 At the end of the Msft handshake process I can see a finish, which I don't see
 when using openssl.

 Can I have that finish msg using openssl too?

 Thanks
 Idan

 Idan Freiberg



Re: Question on EVP_DecryptFinal_ex

2014-08-04 Thread Thulasi Goriparthi
On Mon, Aug 4, 2014 at 4:50 AM, David Li dlipub...@gmail.com wrote:

 Hi Thulasi/Rich,

 Thanks! This prompted me to uncover another bug in the code. I did encrypt
 an extra block of zeros! Now everything makes sense.

 Can't help to dig a little deeper into this: In AES-CBC mode, the
 decryption can be paralleled. Is this what the EVP_DecryptUpdate is doing
 behind the scene?


CBC decryption could be parallelised, but EVP_DecryptUpdate doesn't do it,
as it uses a single context. The IV is maintained in the context and is
updated only after decryption of each block.

If you strictly want to parallelise, you can do it with considerable
changes to your app by maintaining a separate context for each block and
initializing all those contexts with the corresponding IVs. Though I haven't
quantified it, I believe the performance advantage that you try to get by
parallelising would be lost in maintaining too many contexts.
Parallelisation would be advantageous for hardware multi-core crypto
accelerators.


 For example, I need to break a long string into blocks to use
 EVP_EncryptUpdate but I only need to feed the ciphertext into
 EVP_DecryptUpdate once.

You don't have to break your input into blocks. EVP_EncryptUpdate can take
input of any length. EVP_EncryptUpdate can (not must) be called multiple
times when all the input to be encrypted is not available at once, i.e. if
you have a big file to be encrypted and you have only a 4K byte read buffer,
you can encrypt it in 4K byte chunks using EncryptUpdate.


 David


 On Fri, Aug 1, 2014 at 8:36 PM, Salz, Rich rs...@akamai.com wrote:

 Just wanted to say that Thulasi’s explanations and advice are exactly
 correct; thanks!



 --

 Principal Security Engineer

 Akamai Technologies, Cambridge MA

 IM: rs...@jabber.me Twitter: RichSalz







Re: Use of parity bits on DES

2014-08-01 Thread Thulasi Goriparthi
On Thu, Jul 31, 2014 at 5:10 PM, Laurent Broussy lbrou...@elbeconseil.com
wrote:

 Hi,



 As described in FIPS 46-3, a DES key must have its heavy bit as parity
 bit. I tried to encipher the same message using openssl with a key without
 correct parity bits and with that key after I put the correct parity bits
 in. I obtain two different enciphered messages. My questions are:



 1. Is it normal that OpenSSL can use a DES key with no
 correct parity bits?


Yes. You can get the correctness of parity bits checked prior to encryption
in many ways.

1. If you intend to use EVP interface, compile crypto library with
EVP_CHECK_DES_KEY to strictly check for correct parity and strength.

2. If you are directly preparing the key schedule, use DES_set_key_checked
instead of DES_set_key or DES_set_key_unchecked. You can also set the
library global variable DES_check_key to 1 and use DES_set_key.



 2. Why is the result with the two different keys not the
 same (normally only 56 bits are used and they are the same in the two keys)?


Encrypt wouldn't check the parity or expand 56 bits to 64 bits. It assumes
this check is already done and expects an 8-byte key.



 Thank you for your response.



 Regards.



 L. Broussy
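The checks that DES_set_odd_parity and DES_set_key_checked perform, written out in Python as an added example (not OpenSSL's code; the function names mirror the C API but are my own). Each key byte carries its parity bit in the least significant position and must have odd parity; the weak and semi-weak key table is the standard list of 16 keys that DES_set_key_checked rejects with -2. This version goes one step beyond the C API by comparing weak keys on the 56 effective bits, so a weak key with broken parity is still recognised as weak once the parity is fixed.

```python
"""DES key parity and weak-key checks, in the spirit of DES_set_odd_parity / DES_set_key_checked."""

# The 4 weak and 12 semi-weak keys (FIPS 74 list, as in OpenSSL's weak_keys table), with odd parity.
WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1",   # weak
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",   # semi-weak pairs
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def has_odd_parity(byte):
    return bin(byte).count("1") % 2 == 1


def des_set_odd_parity(key):
    """Fix each byte so it has odd parity, touching only the parity bit (bit 0, the least significant)."""
    return bytes(b if has_odd_parity(b) else b ^ 0x01 for b in key)


def des_check_key_parity(key):
    return all(has_odd_parity(b) for b in key)


def effective_key_bits(key):
    """The key with every parity bit cleared: the 56 bits that go into the key schedule."""
    return bytes(b & 0xFE for b in key)


def des_is_weak_key(key):
    # Compare on the 56 effective bits so a weak key with wrong parity is still caught.
    return effective_key_bits(key) in {effective_key_bits(k) for k in WEAK_KEYS}


def des_set_key_checked(key):
    """0 if the key is usable, -1 on a parity error, -2 on a weak key (DES_set_key_checked's convention).
    Raises on the wrong length instead of silently truncating or padding the key."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes (56 key bits + 8 parity bits)")
    if not des_check_key_parity(key):
        return -1
    if des_is_weak_key(key):
        return -2
    return 0


if __name__ == "__main__":
    raw = bytes(range(8))                       # constructed sample key with bad parity
    fixed = des_set_odd_parity(raw)
    print(raw.hex(), des_set_key_checked(raw))  # -1: parity error
    print(fixed.hex(), des_set_key_checked(fixed))
    print("same 56 bits:", effective_key_bits(raw) == effective_key_bits(fixed))
```

Use `des_set_key_checked` (or compile with EVP_CHECK_DES_KEY) wherever keys arrive from outside the process; a key that fails with -1 was mangled in transit or generated without setting parity, and one that fails with -2 must be regenerated.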



Re: Question on EVP_DecryptFinal_ex

2014-08-01 Thread Thulasi Goriparthi
On Sat, Aug 2, 2014 at 12:16 AM, David Li dlipub...@gmail.com wrote:

 Hi Thulasi,

 You are right! It's a bug on my part.

 I have a follow-up question regarding what EVP_DecryptFinal is doing.

  In my case, the original string is 27 bytes long, the ciphertext  length
 is 48 ( I am using AES-CBC-128). The decrypted plaintext before
 finalization is 32 but the finalization added 11 more bytes. So the total
 decrypted len is 43.


I guess you must be feeding 43 bytes (> 32 bytes) of plaintext for encryption,
which outputs 48 bytes of ciphertext. For 27 bytes of plaintext, there would only
be 32 bytes of ciphertext, of which the first 16 bytes get decrypted with
DecryptUpdate to result in the first 16 bytes of plaintext, and the last 16 bytes
get decrypted with DecryptFinal to result in the last 11 bytes of plaintext
(removing the padding that gets applied during encryption).

There might be an issue with encrypt too, which may be feeding an additional 16
bytes (27 + 16) to EncryptUpdate. Do you apply padding yourself for the
plaintext and send 32 bytes for encryption? If so, you should explicitly
tell the encrypt context to skip the padding by calling
EVP_CIPHER_CTX_set_padding(ctx, 0).


 Can you explain where the 11 more bytes are coming from after
 finalization? Also, it seems OK even if I don't use finalization.


You must always call EncryptFinal/DecryptFinal. These functions will take
care of the unaligned last block. EncryptFinal applies the padding and
encrypts, and DecryptFinal decrypts the last block and removes the padding.



 David


 On Thu, Jul 31, 2014 at 8:22 PM, Thulasi Goriparthi 
 thulasi.goripar...@gmail.com wrote:




 On Fri, Aug 1, 2014 at 5:46 AM, David Li dlipub...@gmail.com wrote:

 Hi,

 I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary
 long ASCII string.
 I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then
 the output is unrecognizable. If I remove the following then the output is
 OK.

 if ((rc = EVP_DecryptFinal_ex(ctx, debuf, &tmplen)) == 0) {
 printf("Finalization error: %d\n", rc);
 return -1;
 }


 You are most probably over-writing the decrypted data you have got with
 EVP_DecryptUpdate. Skip the length that you have already decrypted in
 debuf, i.e. if you have got outlen bytes from DecryptUpdate, you should
 supply debuf+outlen as the second argument to EVP_DecryptFinal.


 Can anyone explain why?

 David
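The two points made in this thread, that Update hands back everything except the last block and Final strips the padding from it, and (from the 2014-08-04 reply above) that CBC decryption of each block depends only on the previous ciphertext block and so can be spread over independent workers, can be shown in a few lines once a block cipher is available. The code below is an added example, not from the thread: it uses a throwaway Feistel permutation built on SHA-256 in place of AES so it runs without a crypto library (it is not a secure cipher), and the key, IV and 27-byte plaintext are constructed sample values chosen to reproduce the 32/16/11 figures discussed above.

```python
"""Toy CBC walk-through: what EVP_DecryptUpdate/EVP_DecryptFinal hand back, and why
CBC decryption (unlike encryption) can be spread over independent workers.

The block cipher is a throwaway 8-round Feistel network built on SHA-256: NOT a real
cipher, only an invertible 16-byte permutation so the CBC arithmetic can be shown
without a crypto library. Key, IV and plaintext used below are constructed samples."""
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half, key, rnd):
    # Feistel round function: any keyed PRF will do, it need not be invertible.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l          # final swap lets decryption reuse the same loop in reverse


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(r, key, rnd))
    return r + l


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK      # 1..BLOCK; aligned input still gets a whole padding block
    return data + bytes([n]) * n


def pkcs7_unpad(block):
    n = block[-1] if block else 0
    if not 1 <= n <= BLOCK or block[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt")   # what EVP_DecryptFinal reports for corrupt padding
    return block[:-n]


def cbc_encrypt(key, iv, plaintext):
    """Inherently sequential: ciphertext block i feeds into block i+1."""
    out, prev = [], iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def _pairs(iv, ciphertext):
    """(C[i-1], C[i]) for every block, the IV standing in for C[-1]."""
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a non-empty whole number of blocks")
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return list(zip([iv] + blocks[:-1], blocks))


def cbc_decrypt_block(key, prev_ct, ct):
    """P[i] = D(C[i]) xor C[i-1]: no state is carried between blocks."""
    return _xor(toy_block_decrypt(key, ct), prev_ct)


def cbc_decrypt_parallel(key, iv, ciphertext, workers=4):
    """Each block is decrypted by whichever worker picks it up; only the padding strip is last."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        plain = list(pool.map(lambda pair: cbc_decrypt_block(key, *pair), _pairs(iv, ciphertext)))
    return b"".join(plain[:-1]) + pkcs7_unpad(plain[-1])


def cbc_decrypt_update_final(key, iv, ciphertext):
    """Mirror EVP_DecryptUpdate + EVP_DecryptFinal: Update returns every block but the last
    (it cannot know yet whether that one is all padding); Final returns the unpadded tail.
    The caller must write Final's output after Update's, not over it."""
    plain = [cbc_decrypt_block(key, prev, ct) for prev, ct in _pairs(iv, ciphertext)]
    return b"".join(plain[:-1]), pkcs7_unpad(plain[-1])


if __name__ == "__main__":
    key, iv, pt = b"\x11" * 16, b"\x00" * 16, b"A" * 27
    ct = cbc_encrypt(key, iv, pt)
    upd, fin = cbc_decrypt_update_final(key, iv, ct)
    print(len(ct), len(upd), len(fin))          # 32 16 11
    print(cbc_decrypt_parallel(key, iv, ct) == pt)
```

Flipping a byte of the first ciphertext block changes only the matching byte of the last plaintext block's padding and makes `pkcs7_unpad` raise; that determinism is exactly why padding errors must never be reported to a network peer differently from MAC errors.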






Re: SSL connection broken after upgrading from 0.9.8a to 1.0.1e version of openssl

2014-07-31 Thread Thulasi Goriparthi
On Fri, Aug 1, 2014 at 3:07 AM, Nayna Jain naynj...@in.ibm.com wrote:


 Hi all,

 We got one of our openssl version  upgraded to openssl 1.0.1e version.
 But after that I am facing this error at client side.

 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 But I am not sure why is it giving wrong version number as both client and
 server has SSLv3 connection.  Below are the details:

Client is 0.9.8a and calls SSLv3_method()   for ivSMethod()
Server is upgraded to 1.0.1e and calls SSLv3_method() for ivSMethod()
Client when tries to connect to server , I get the error
 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Logically I thought, it will work as both are SSLv3 and nothing changed
there, but still it fails with wrong version number ..
When I tried using openssl s_client it fails as below with similar error
message
 testsystem:~ # openssl s_client -connect ip:port -msg
 CONNECTED(0003)
  SSL 2.0 [length 008f], CLIENT-HELLO
 01 03 01 00 66 00 00 00 20 00 00 39 00 00 38 00

This client is advertising TLS 1.0 as max supported protocol version in
SSLv2 compatible Client Hello. This also indicates that you haven't capped
your client SSL context to use only SSL3.

 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
 33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05
 00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00
 00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00
 65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08
 00 00 06 04 00 80 00 00 03 02 00 80 00 00 ff 8f
 40 b0 f6 58 d0 06 2b 60 08 0e 2c bf d9 79 06 0d
 95 aa 0e 1e d4 b0 f4 aa c5 7b 2a b8 9d 02 8d
 4971:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
 protocol:s23_clnt.c:572:

What did server send? -msg -debug dump from server side would help.


I tried with another client running openssl 1.0.1e, and still I am
facing the same error.

 Can someone help to debug this please ? There is no more further
 information could be traced on why it failed. If someone have idea on
 debugging tools for tracking openssl connection, do let me know.


 Thanks  Regards,
 Nayna Jain

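The 0x8f bytes that s_client printed are an SSLv2-compatible CLIENT-HELLO, and every observation in the reply above can be read straight out of them: message type 01, then the highest version offered (03 01, TLS 1.0), a 0x66-byte cipher-spec list, an empty session id and a 32-byte challenge. The decoder below is an added example, not from the thread or from OpenSSL; it parses the captured bytes, checks that the three length fields add up to the message, and separates the SSLv2-only cipher kinds (non-zero first byte) from TLS suites carried as 00 xx yy, so that one can see at a glance both the advertised maximum version and whether the client was really capped to SSLv3.

```python
"""Decode an SSLv2-compatible CLIENT-HELLO body as printed by `openssl s_client -msg`."""
import struct

# The 0x8f-byte message body from the s_client dump in the thread (the 2-byte v2 record header is not shown there).
CAPTURED_HELLO = bytes.fromhex(
    "01 03 01 00 66 00 00 00 20 00 00 39 00 00 38 00 "
    "00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 "
    "33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05 "
    "00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00 "
    "00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00 "
    "65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08 "
    "00 00 06 04 00 80 00 00 03 02 00 80 00 00 ff 8f "
    "40 b0 f6 58 d0 06 2b 60 08 0e 2c bf d9 79 06 0d "
    "95 aa 0e 1e d4 b0 f4 aa c5 7b 2a b8 9d 02 8d"
)

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
RENEGOTIATION_SCSV = b"\x00\x00\xff"   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746


def parse_sslv2_client_hello(body):
    """Return the fields of a v2 CLIENT-HELLO after validating its length fields against the body."""
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO (message type must be 1)")
    major, minor, spec_len, sid_len, chal_len = struct.unpack("!BBHHH", body[1:9])
    if spec_len % 3:
        raise ValueError("cipher-spec length is not a multiple of 3")
    if not 16 <= chal_len <= 32:
        raise ValueError("challenge length must be 16..32 bytes")
    if 9 + spec_len + sid_len + chal_len != len(body):
        raise ValueError("length fields do not add up to the message size")
    specs = [bytes(body[9 + i:9 + i + 3]) for i in range(0, spec_len, 3)]
    sid_start = 9 + spec_len
    return {
        "max_version": (major, minor),
        "cipher_specs": [s.hex() for s in specs],
        # v2-only cipher kinds have a non-zero first byte; TLS suites are carried as 00 xx yy
        "sslv2_only": [s.hex() for s in specs if s[0] != 0],
        "has_renegotiation_scsv": RENEGOTIATION_SCSV in specs,
        "session_id": bytes(body[sid_start:sid_start + sid_len]),
        "challenge": bytes(body[sid_start + sid_len:]),
    }


def offers_only_up_to(hello, cap):
    """True when the client advertises nothing newer than `cap`, i.e. its context really was limited."""
    return hello["max_version"] <= cap


if __name__ == "__main__":
    hello = parse_sslv2_client_hello(CAPTURED_HELLO)
    print("max version:", VERSION_NAMES[hello["max_version"]])
    print("cipher specs:", len(hello["cipher_specs"]), "of which v2-only:", hello["sslv2_only"])
    print("renegotiation SCSV:", hello["has_renegotiation_scsv"])
    print("capped to SSLv3:", offers_only_up_to(hello, (3, 0)))
```

A client whose context had been built with SSLv3_method() would show max version 03 00 here (and would not send a v2-format hello at all); the 03 01 in this capture is the tell that SSLv23 defaults were still in effect.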



Re: Question on EVP_DecryptFinal_ex

2014-07-31 Thread Thulasi Goriparthi
On Fri, Aug 1, 2014 at 5:46 AM, David Li dlipub...@gmail.com wrote:

 Hi,

 I am using openssl 1.0.1h and AES128 CBC mode to encrypt some arbitrary
 long ASCII string.
 I encountered an issue at decryption. If I use EVP_DecryptFinal_ex then
 the output is unrecognizable. If I remove the following then the output is
 OK.

 if ((rc = EVP_DecryptFinal_ex(ctx, debuf, &tmplen)) == 0) {
 printf("Finalization error: %d\n", rc);
 return -1;
 }


You are most probably over-writing the decrypted data you have got with
EVP_DecryptUpdate.  Skip the the length that you have already decrypted in
debuf. i.e If you have got outlen bytes from DecryptUpdate, you should
supply debuf+outlen as second argument to EVP_DecryptFinal


 Can anyone explain why?

 David




Re: TPS performance with TLS1.0 and TLS1.2

2014-07-25 Thread Thulasi Goriparthi
On Jul 25, 2014 5:15 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Thu, Jul 24, 2014, Denis Berezhnoy wrote:

  Hi guys,
 
  I have a question regarding TLS1.0 and TLS1.2 performance.
 
  Is it a correct expectation is that TPS (transactions per seconds)
  performance is worse with TLS1.2 protocol compared to TLS1.0?
 
  I found is that TLS1.2 has additional overhead in explicit IV vector
  initialization with random bytes.  In my environment which is based off
  openss1.0.1g I can see difference between TLS1.0 and TLS 1.2 protocols
due
  to this extra initialization.

Can you confirm that you don't see much difference if the explicit IV
initialization is skipped in tls1_enc()? If yes, it could be a problem with
the random number generator being used. Are you using any customized rand
method?

 
  This a general question but I think that TLS1.2 performance should be
worse
  due extra checks.
 
  Can you please confirm if my observation makes any sense?
 

 The additional explicit IV will have some effect on the speed, how much
 depends on the record size.

 But that's if you compare the same ciphersuite. The GCM ciphersuites
(which can
 be used in TLS 1.2) should show a considerable *increase* in performance
 compared to any you can use in TLS 1.0.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org


Re: `openssl pkcs8` and -iter option?

2014-07-23 Thread Thulasi Goriparthi
It seems the -iter option was added to master only in the commit below. By date,
it is later than 1.0.1g and probably 1.0.1h too.

commit 8a6c6bbf21cc11ea0fed69a106250af0d734d786
Author: Naftuli Tzvi Kay rfkro...@gmail.com
Date:   Tue Jun 3 12:48:06 2014 -0700

Added custom PBKDF2 iteration count to PKCS8 tool.




On Wed, Jul 23, 2014 at 11:03 AM, Jeffrey Walton noloa...@gmail.com wrote:

 I'm having trouble getting `openssl pkcs8` to complete.

 openssl genrsa -out rsa-priv.pem 1024
 openssl pkcs8 -in rsa-priv.pem -inform PEM -topk8 -v1 PBE-SHA1-RC4-128
 -iter 1000 \
 -out rsa-enc-priv-v1.pem -passout pass:test

 When the second command runs, the help is dumped.

 I noticed the man page lists the -iter option
 (https://www.openssl.org/docs/apps/pkcs8.html), but the help printed
 on failure does not.

 Any ideas how to make the command work?

 *

 Which: /usr/local/ssl/macosx-x64/bin/openssl
 Version: OpenSSL 1.0.1g 7 Apr 2014



Re: `openssl pkcs8` and -iter option?

2014-07-23 Thread Thulasi Goriparthi
I didn't see it with 1.0.2-beta2 released yesterday.
Not sure, if it would be added to the final 1.0.2 release.


On Wed, Jul 23, 2014 at 12:36 PM, Jeffrey Walton noloa...@gmail.com wrote:

  Seems -iter option is added to master only in the below commit. By
 date,
  it is later than 1.0.1g and probably 1.0.1h too.
 OK, thanks. Would that be a 1.0.2 option; or a 1.1.0 option?

 On Wed, Jul 23, 2014 at 2:41 AM, Thulasi Goriparthi
 thulasi.goripar...@gmail.com wrote:
  Seems -iter option is added to master only in the below commit. By date,
  it is later than 1.0.1g and probably 1.0.1h too.
 
  commit 8a6c6bbf21cc11ea0fed69a106250af0d734d786
  Author: Naftuli Tzvi Kay rfkro...@gmail.com
  Date:   Tue Jun 3 12:48:06 2014 -0700
 
  Added custom PBKDF2 iteration count to PKCS8 tool.
 
  On Wed, Jul 23, 2014 at 11:03 AM, Jeffrey Walton noloa...@gmail.com
 wrote:
 
  I'm having trouble getting `openssl pkcs8` to complete.
 
  openssl genrsa -out rsa-priv.pem 1024
  openssl pkcs8 -in rsa-priv.pem -inform PEM -topk8 -v1 PBE-SHA1-RC4-128
  -iter 1000 \
  -out rsa-enc-priv-v1.pem -passout pass:test
 
  When the second command runs, the help is dumped.
 
  I noticed the man page lists the -iter option
  (https://www.openssl.org/docs/apps/pkcs8.html), but the help printed
  on failure does not.
 
  Any ideas how to make the command work?
 



Re: s_client CKE protocol version is wrong?

2014-07-18 Thread Thulasi Goriparthi
The version that is sent by the client in the Client Hello may not necessarily be
the version of communication. It gets adjusted to what the server can support.

In your case, as you force the server to support only TLSv1, the communication
protocol gets adjusted to TLSv1 (03 01) even though the client supports
TLSv1.2 (03 03).

The pre-master secret always needs to be constructed with the protocol version
sent in the Client Hello.


Re: Do I need to call BIO_free(network_bio) or not?

2014-07-18 Thread Thulasi Goriparthi
In the example, only internal_bio is set using SSL_set_bio as below.

SSL_set_bio(ssl, internal_bio, internal_bio);

network_bio is not linked to the SSL session, so it has to be freed explicitly.


On Fri, Jul 18, 2014 at 2:01 AM, Iñaki Baz Castillo i...@aliax.net wrote:

  2014-07-17 14:29 GMT+02:00 Dr. Stephen Henson st...@openssl.org:
   Your code doesn't use BIO pairs but the same rule applies. The call to
   SSL_free() will call BIO_free_all on the BIO or BIOs passed to SSL_set_bio():
   internal_bio and network_bio in this example.

 Thanks. Then the example in the documentation is really wrong and may
 cause a crash, right? I mean the BIO_free(network_bio); line at the
 end.


 --
 Iñaki Baz Castillo
 i...@aliax.net



Re: Converting public part of 'EVP_PKEY' structure to 'unsigned char*' , and back.

2014-06-30 Thread Thulasi Goriparthi
Guessing the context that is sent to EVP_PKEY_derive_set_peer is
initialized/created with a pkey belonging to a different group.
In other words, the EC keys of both parties in DH are not of the same group.


On Mon, Jun 30, 2014 at 10:13 AM, pratyush parimal 
pratyush.pari...@gmail.com wrote:

 Hi all,

 Did anyone have any luck with this one?

 Thanks,
 Pratyush Parimal.


 -- Forwarded message --
 From: pratyush parimal pratyush.pari...@gmail.com
 Date: Wed, Jun 25, 2014 at 10:43 AM
 Subject: Converting public part of 'EVP_PKEY' structure to 'unsigned
 char*' , and back.
 To: openssl-users@openssl.org


 Hi all,

 I was trying to use ECDH (in OpenSSL v1.0.1f) for a project, and after
 generating the EVP_PKEY structure, I needed to extract its public key and
 send it over to the other party. I was unable to find a straightforward way
 which worked for me.

 What I tried was this:

 EVP_PKEY*
 extract_peerkey_3(EVP_PKEY* EVP_PKEY_both) //'both' meaning it contains public + private
 {
     int len = 0;

     len = i2d_PUBKEY(EVP_PKEY_both, NULL); //find out required buffer length
     unsigned char *buf, *p;
     buf = (unsigned char*) malloc(len); //allocate
     p = buf;
     len = i2d_PUBKEY(EVP_PKEY_both, &p); //i2d advances p past the bytes it wrote

     const unsigned char* p2 = buf; //decode from a second pointer, buf itself stays put
     EVP_PKEY* EVP_PKEY_public = d2i_PUBKEY(NULL, &p2, len);
     free(buf); //the decoded key does not reference the DER buffer
     if (EVP_PKEY_public == NULL)
     {
         handleCryptoError("d2i failed", ERR_get_error());
     }

     return EVP_PKEY_public;
 }

 The function doesn't throw an error, but when I pass the returned
 'EVP_PKEY_public' structure to the function 'EVP_PKEY_derive_set_peer', I
 get an error message error:10071065:elliptic curve
 routines:EC_POINT_cmp:incompatible objects.

 I also tried to follow the steps given at
 http://stackoverflow.com/questions/1819/how-does-one-access-the-raw-ecdh-public-key-private-key-and-params-inside-opens
 .
 When I reconstruct the EVP_PKEY using the steps EC_POINT_oct2point() ->
 EC_KEY_set_public_key() -> EVP_PKEY_set1_EC_KEY(), the resulting EVP_PKEY
 does work for me. In fact I'm able to derive the same secret on both sides
 using this sequence, but I feel it's too roundabout.

 I also saw the following:
 http://marc.info/?l=openssl-usersm=116474297608094w=2, which talks
 about using 'i2d_PUBKEY', but I haven't been able to make it work so far.

 Is my usage of d2i_PUBKEY or i2d_PUBKEY wrong in some way? Does anyone
 know how to use them properly?
 Any help will be appreciated.

 Thanks!
 Pratyush Parimal




Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof(gcm_tag), gcm_tag);

When you change the tag length with the above statement, you are telling
the decrypt context to consider only that many bytes
for tag comparison.



On Wed, Jun 18, 2014 at 4:52 PM, Michel msa...@paybox.com wrote:

 Hi all,

 I was surprised that decryption succeeded in GCM mode although the tag
 was shorter than the one produced when encrypting,
 as is not the case in CCM. Is it the intended behaviour?

 In order to rule out a possible bug in my program, I finally used the
 example code at :
 https://github.com/openssl/openssl/blob/master/demos/evp/aesccm.c
 https://github.com/openssl/openssl/blob/master/demos/evp/aesgcm.c
 using OpenSSL 1.0.1h.

 When altering line 91 of aesccm.c with 'sizeof(ccm_tag)-1', decryption
 failed.
 But doing the same with aesgcm.c, line 100 : sizeof(gcm_tag)-10,
 decryption succeeded.

 Thanks in advance for any assistance with this.





Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
Truncatable tags gave a way to the truncated HMAC extension.

I haven't gone through the CCM RFC 3610 completely.

I can see the restriction of possible M values (tag lengths) to 2, 4, 6, 8,
10, 12, 14, 16. Can you try reducing the tag size accordingly and see if it
succeeds?


On Wed, Jun 18, 2014 at 6:52 PM, Michel msa...@paybox.com wrote:

  Thanks for your answer.

 But isn't this strategy very hazardous ?
 And why just for GCM and not CCM ?

 Le 18/06/2014 14:37, Thulasi Goriparthi a écrit :

  EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof(gcm_tag), gcm_tag);

 When you change the tag length with the above statement, you are telling
 the decrypt context to consider only that many bytes
 for tag comparison.





Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
In the test program, you are feeding a fixed ccm_tag to the decryption process.
This will not work for CCM, as the tag length itself is also an input to
tag generation. A change in tag length will change the tag produced. I
modified the decryption API (aes_ccm_decrypt) to take the tag generated by the
encryption API (aes_ccm_encrypt). It works fine.

Note: The tag length is internally embedded within the IV (nonce).


On Wed, Jun 18, 2014 at 8:12 PM, Michel msa...@paybox.com wrote:

 I tried all of 2, 4, 6, 8, 10, 12, 14, 16 values, and always got a
 Plaintext not available: tag verify failed.
 Even when tag length of decryption was equal to tag length of encryption.
 :-(
 It just works for : tag length of decryption = tag length of encryption =
 16.

 Thanks again for your help.

 Le 18/06/2014 16:14, Thulasi Goriparthi a écrit :

  Truncatable tags gave a way to the truncated HMAC extension.
 I haven't gone through the CCM RFC 3610 completely.

 I can see the restriction of possible M values (tag lengths) to 2, 4, 6,
 8, 10, 12, 14, 16. Can you try reducing the tag size accordingly and see if
 it succeeds?






Re: Decryption succeed in GCM mode when tag is truncated

2014-06-18 Thread Thulasi Goriparthi
One more thing to correct myself.
2 as tag length is not allowed. Only 4, 6, 8, 10, 12, 14, 16 are allowed.


On Wed, Jun 18, 2014 at 11:55 PM, Thulasi Goriparthi 
thulasi.goripar...@gmail.com wrote:

 In the test program, you are feeding a fixed ccm_tag to the decryption
 process. This will not work for CCM, as the tag length itself is also an
 input to tag generation. A change in tag length will change the tag
 produced. I modified the decryption API (aes_ccm_decrypt) to take the tag
 generated by the encryption API (aes_ccm_encrypt). It works fine.

 Note: The tag length is internally embedded within the IV (nonce).


 On Wed, Jun 18, 2014 at 8:12 PM, Michel msa...@paybox.com wrote:

 I tried all of 2, 4, 6, 8, 10, 12, 14, 16 values, and always got a
 Plaintext not available: tag verify failed.
 Even when tag length of decryption was equal to tag length of encryption.
 :-(
 It just works for : tag length of decryption = tag length of encryption =
 16.

 Thanks again for your help.

 Le 18/06/2014 16:14, Thulasi Goriparthi a écrit :

  Truncatable tags gave a way to the truncated HMAC extension.
 I haven't gone through the CCM RFC 3610 completely.

 I can see the restriction of possible M values (tag lengths) to 2, 4, 6,
 8, 10, 12, 14, 16. Can you try reducing the tag size accordingly and see if
 it succeeds?








Re: What is the reason for error SSL negotiation failed: error:04075070:rsa routines:RSA_sign:digest too big for rsa key

2013-02-26 Thread Thulasi Goriparthi
Or use another hash type for the signature which can produce not more than 53
bytes of hashed data (i.e. MD5, SHA1, SHA256, SHA384) while using 512-bit
keys. OpenSSL by default uses the SHA512 hash for the signature. Change the code to
use any other hash.

A 512-bit (64-byte) RSA key can only encrypt 53 bytes at most: 64 minus 11 bytes of
padding. SHA512 produces 64 bytes of hashed data.

Thanks,
Thulasi.

On Tue, Feb 26, 2013 at 11:42 PM, Viktor Dukhovni 
openssl-us...@dukhovni.org wrote:

 On Tue, Feb 26, 2013 at 11:30:18PM +0530, Nayna Jain wrote:

  Both server and client authenticate each other. And so client also sends
  the certificate.
 
  Here client certificate has RSA 512 bits and md5. Server certificates has
  RSA 1024 bits and md5.

 Bottom-line: DO NOT use 512-bit RSA moduli, they are trivially
 factored on commodity hardware.

  Both server and client are using the API SSLv23_server_method() and
  SSLv23_client_method() respectively
 
  Opensssl version used is 1.0.1c.
 
  So, when I initiate the connection from client, I get this error SSL
  negotiation failed: error:04075070:rsa routines:RSA_sign:digest too big
 for
  rsa key on client side.
 
  Can someone please explain the reason for this error ?

 http://archives.neohapsis.com/archives/postfix/2013-02/0235.html

 The negotiated TLSv1.2 digest produces output that is too wide to be
 signed with an RSA 512-bit private key. The client key should be
 at least 1024-bits, and in many cases stronger.

 It is arguably the case that OpenSSL should not present a client
 certificate that cannot sign using the agreed digest. One approach
 is for the client to not offer ciphersuites that are too wide for
 its private key.

 This said, DO NOT use 512-bit RSA keys. I'm puzzled by their apparent
 popularity, why does your client have such a key?

 --
 Viktor.



Re: What is the reason for error SSL negotiation failed: error:04075070:rsa routines:RSA_sign:digest too big for rsa key

2013-02-26 Thread Thulasi Goriparthi
On Wed, Feb 27, 2013 at 1:39 AM, Viktor Dukhovni openssl-us...@dukhovni.org
 wrote:

 On Wed, Feb 27, 2013 at 12:49:55AM +0530, Thulasi Goriparthi wrote:

  Or use another hash type for the signature which can produce not more than 53
  bytes of hashed data (i.e. MD5, SHA1, SHA256, SHA384) while using 512-bit
  keys. OpenSSL by default uses the SHA512 hash for the signature. Change the code
  to use any other hash.

 Interestingly enough, it is in fact SHA384 that fails with RSA-512. The
 client and server agree on:

 ECDHE-RSA-AES256-GCM-SHA384


The signature hash type is not controlled by the CipherSuite and can be
dynamically chosen by the signer. The first two bytes of the signature (prepended)
give us the information about the private key type and hash type that were
used to do the signing. These additional two bytes will also be received
along with the signature for verification.



  A 512-bit (64-byte) RSA key can only encrypt 53 bytes at most: 64 minus 11 bytes of
  padding. SHA512 produces 64 bytes of hashed data.

 and the handshake fails when the client's key is RSA-512. Indeed
 the shortest RSA key that seems to work is RSA-745, tests with
 RSA-744 consistently fail. I don't know why the requisite key size
 is substantially larger than the digest length + expected padding.

 In any case, none of this should be exposed to the user. Ideally,
 the client side should not offer ciphersuites it cannot use.
 Perhaps the library does not generally know which if any client
 key will be used until after the server's client certificate request.

 The simplest answer is to avoid obsolete weak keys.

 --
 Viktor.
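As an added worked example (not from the thread, and not OpenSSL's own code), here is the EMSA-PKCS1-v1_5 encoding that a PKCS#1 v1.5 signature such as RSA_sign applies: the hash is first wrapped in a DER DigestInfo prefix (19 bytes for the SHA-2 family, taken from RFC 8017 section 9.2), and only then do the 11 bytes of padding apply. That is why SHA-384 (19 + 48 + 11 = 78 bytes) already fails at 512 bits, and why 745 bits, the smallest bit length that occupies 94 bytes, is exactly the SHA-512 minimum (19 + 64 + 11 = 94). The key sizes below are checked arithmetically; no real key is involved.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGESTINFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v1_5_encode(hash_name: str, message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 section 9.2): 00 01 FF..FF 00 || DigestInfo.

    em_len is the modulus length in bytes. Raises ValueError when the modulus
    cannot hold the DigestInfo plus the minimum 11 bytes of padding, which is
    the condition behind "digest too big for rsa key".
    """
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)   # at least 8 bytes of 0xff
    return b"\x00\x01" + ps + b"\x00" + t


def digestinfo_len(hash_name: str) -> int:
    """Length in bytes of DigestInfo for the given hash (prefix + digest)."""
    return len(DIGESTINFO_PREFIX[hash_name]) + hashlib.new(hash_name).digest_size


def min_modulus_bits(hash_name: str) -> int:
    """Smallest RSA modulus bit length that can carry a PKCS#1 v1.5 signature
    over hash_name. A k-byte modulus has a bit length between 8*(k-1)+1 and
    8*k, so the minimum is the low end of the k-byte range."""
    k = digestinfo_len(hash_name) + 11
    return 8 * (k - 1) + 1


def can_sign(modulus_bits: int, hash_name: str) -> bool:
    """True when an RSA key of modulus_bits can produce a PKCS#1 v1.5
    signature over hash_name (size check only, no key material)."""
    k = (modulus_bits + 7) // 8
    try:
        emsa_pkcs1_v1_5_encode(hash_name, b"", k)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for h in ("md5", "sha1", "sha256", "sha384", "sha512"):
        print(f"{h:7s} DigestInfo={digestinfo_len(h):3d} bytes  "
              f"min modulus={min_modulus_bits(h)} bits  "
              f"512-bit key ok={can_sign(512, h)}")
    # RSA-745 works and RSA-744 fails for SHA-512, matching the observation above.
    print("745-bit/sha512:", can_sign(745, "sha512"),
          " 744-bit/sha512:", can_sign(744, "sha512"))
```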



padding differences for SSL 3.0/TLS 1.x records

2013-02-25 Thread Thulasi Goriparthi
Can somebody please tell me what the attacks were that made the SSL 3.0 record
padding be modified in TLS 1.x, forcing each byte in the padding data to
contain the padding length instead of leaving them arbitrary except for the
last byte?

Will it be a problem if I let SSL 3.0 records be padded similarly to
TLS 1.x records?

Thanks,
Thulasi.
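As an added illustration (not part of the original post), the two padding rules side by side on a constructed record: under the SSL 3.0 rule the receiver inspects only the last byte, so a changed padding byte passes unnoticed, while the TLS 1.x rule makes every padding byte verifiable and also allows padding longer than one block. The block size and records are constructed sample values.

```python
BLOCK_SIZE = 16  # AES block size; SSL 3.0 bounds the padding length by this


def pad_tls(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """TLS 1.x padding: pad_len + 1 trailing bytes, every one equal to pad_len."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def strip_padding_ssl3(plaintext: bytes, block_size: int = BLOCK_SIZE):
    """SSL 3.0 rule (RFC 6101 section 5.2.3.2): only the last byte matters, it
    must be less than the block size, and the other padding bytes are not
    inspected at all. Returns the content, or None if the padding is invalid."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len >= block_size or pad_len + 1 > len(plaintext):
        return None
    return plaintext[:len(plaintext) - pad_len - 1]


def strip_padding_tls(plaintext: bytes):
    """TLS 1.x rule (RFC 5246 section 6.2.3.2): every padding byte must equal
    pad_len, and pad_len may be up to 255 regardless of block size. Returns the
    content, or None if any padding byte disagrees. (A real implementation must
    go on to check the MAC either way so that timing does not reveal which
    check failed; that part is deliberately left out here.)"""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None
    return plaintext[:len(plaintext) - pad_len - 1]


if __name__ == "__main__":
    content = b"hello world!"                    # 12 bytes, constructed sample
    tls_rec = pad_tls(content)                   # ends in 03 03 03 03
    ssl3_rec = content + b"\xaa\xbb\xcc\x03"     # arbitrary bytes, last byte 3
    print("SSL3 check, SSL3 padding:", strip_padding_ssl3(ssl3_rec))
    print("SSL3 check, TLS padding: ", strip_padding_ssl3(tls_rec))
    print("TLS check,  TLS padding: ", strip_padding_tls(tls_rec))
    print("TLS check,  SSL3 padding:", strip_padding_tls(ssl3_rec))  # None: rejected
```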


Re: Obtaining a TLS session key

2013-02-07 Thread Thulasi Goriparthi
s->s3->tmp.key_block
s->s3->tmp.key_block_length

I think these are the variables you are looking for. Memory for the
key_block is allocated in the ssl3_setup_key_block() or tls1_setup_key_block()
functions. The key block contains keys and IVs in the following order, as
specified in the RFC.

  client write MAC key
  server write MAC key
  client write encryption key
  server write encryption key
  client write IV(if applicable)
  server write IV(if applicable)

Thanks,
Thulasi.


On Thu, Feb 7, 2013 at 3:42 AM, T J jordan.tre...@gmail.com wrote:


 Sorry to keep hammering away at this, but I think I am missing something
 here.

 OpenSSL does all this for a TLS connection anyway right? I mean, after a
 handshake, encryption keys, IV's etc are generated so that the TLS
 connection can use them for encrypting/decrypting data. Surely I shouldn't
 have to reinvent the wheel and do what OpenSSL already does...

 All I want to do is get those keys, after the connection has been
 established and use them directly in my own app instead of using the SSL
 connection normally. Isn't there something like ssl->s3->final_key ?



 On 01/02/13 17:26, Viktor Dukhovni wrote:

 On Fri, Feb 01, 2013 at 10:05:15AM +1300, T J wrote:

  These are sufficient to generate a session unique key via a suitable KDF
 salted with an application-specific string.

 OK, great. So I get the master key and run it through the a KDF and
 I get a 256 bit encryption key for use in my application. Sounds
 easy...

 Not just the master key, also the client_random, server_random
 (from the SSL handshake) and a *fixed* application-specific salt,
 that yields a different key than another application might derive
 under the same conditions.

  Question 1: previously, you said:

 ... the expansion function of HKDF is a reasonable choice. ...

 but now you mention salt which implies I should also use the
 extraction stage. If the salt is random, doesn't that mean the
 client and server would end up with different keys?

 The salt is the same on client and server.

  Question 2:  Where do the client_random and server_random values
 come from and what are they for?

 The SSL handshake, IIRC the master secret does not change when a
 session is reused, but client random and server_random do.


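As an added example (not from the thread, and not OpenSSL's code), this derives the TLS 1.2 key_block with the RFC 5246 PRF and splits it in the order listed above, and then derives the kind of application key Viktor describes: master secret plus both randoms through a KDF (HKDF, RFC 5869) with a fixed application-specific salt. The master secret and randoms are constructed sample values, not from a real handshake.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


KEY_BLOCK_ORDER = (
    "client_write_MAC_key", "server_write_MAC_key",
    "client_write_key", "server_write_key",
    "client_write_IV", "server_write_IV",
)


def derive_key_block(master_secret, client_random, server_random,
                     mac_len, key_len, iv_len):
    """Expand the master secret into the key_block and split it in the
    RFC 5246 section 6.3 order. The seed for key expansion is
    server_random + client_random (the master secret uses the reverse)."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls12_prf(master_secret, b"key expansion",
                      server_random + client_random, total)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    parts, pos = {}, 0
    for name, size in zip(KEY_BLOCK_ORDER, sizes):
        parts[name] = block[pos:pos + size]
        pos += size
    return parts


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_app_key(master_secret, client_random, server_random,
                   app_salt: bytes, length: int = 32) -> bytes:
    """Session-unique application key: both sides hold the same inputs, and
    the fixed app_salt keeps two applications on one session apart."""
    return hkdf_sha256(master_secret + client_random + server_random,
                       app_salt, b"application key", length)


if __name__ == "__main__":
    ms = bytes(range(48))                   # constructed 48-byte master secret
    cr, sr = b"\x11" * 32, b"\x22" * 32     # constructed client/server randoms
    kb = derive_key_block(ms, cr, sr, mac_len=32, key_len=16, iv_len=16)
    for name in KEY_BLOCK_ORDER:            # AES-128-CBC with SHA-256 MAC sizes
        print(f"{name:21s} {kb[name].hex()}")
    print("app key:", derive_app_key(ms, cr, sr, b"example-app-v1").hex())
```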



Re: Client Random

2013-02-05 Thread Thulasi
Thanks Jakob. But still, it is not clear to me.
If the server random is not present, a malicious user can copy all the messages
from the client and can replay them multiple times, leading to a DoS attack. But
even if the client random is not present, I believe the attacker cannot replay
messages from the server side, as the client is going to choose the
pre-master secret, i.e. the attacker cannot replay any encrypted record as he
will not be able to decrypt the pre-master secret encrypted with the server's
public key, and so cannot generate the session key.

Am I still missing something trivial?

Thanks,
Thulasi.

On 5 February 2013 21:21, Jakob Bohm jb-open...@wisemo.com wrote:

 On 2/5/2013 12:05 PM, Thulasi wrote:

 Hello all,

 ** This is not regarding OpenSSL software but about the protocol in
 general.

 I am trying to understand the use of 32 byte(4 byte data + 28 byte rand)
 client random which is part of Client Hello. I understand that Server
 Random is required to avoid replay attacks by making server to
 dynamically contribute in the derivation of session keys along with
 Pre-master-secret chosen by Client, but what additional security is
 derived from Client Random?

  The same benefits, but seen from the other end.

 Server random protects the server from being attacked with replays of
 client packets, amongst other benefits.

 Client random protects the client from being attacked with replays of
 server packets, amongst other benefits.

 Simple, really.


 Enjoy

 Jakob
 --
 Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
 Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
 This public discussion message is non-binding and may contain errors.
 WiseMo - Remote Service Management for PCs, Phones and Embedded



pk11_library_init() of pkcs#11 engine

2011-11-28 Thread Thulasi
Hello all,

I am trying to use pkcs#11 engine as dynamic engine for Apache configured
with OpenSSL. I ran into segmentation faults when I hit Apache server with
multiple sslswamp clients. I tracked down the problem to
pk11_library_init() in hw_pk11.c where a child process tries to free the
memory allocated by parent thinking of it as a memory leak.

Code snippet and comments are as below.

/*
 * pk11_library_initialized is set to 0 in pk11_finish() which is called
 * from ENGINE_finish(). However, if there is still at least one
 * existing functional reference to the engine (see engine(3) for more
 * information), pk11_finish() is skipped. For example, this can happen
 * if an application forgets to clear one cipher context. In case of a
 * fork() when the application is finishing the engine so that it can be
 * reinitialized in the child, forgotten functional reference causes
 * pk11_library_initialized to stay 1. In that case we need the PID
 * check so that we properly initialize the engine again.
 */
if (pk11_library_initialized)
{
    if (pk11_pid == getpid())
    {
        return (1);
    }
    else
    {
        global_session = CK_INVALID_HANDLE;
        /*
         * free the locks first to prevent memory leak in case
         * the application calls fork() without finishing the
         * engine first.
         */
        pk11_free_all_locks();
    }
}

pk11_free_locks() is freeing the memory allocated for find_locks by the
parent. If I comment this out, my test works fine. But I stopped short of
making it a real fix because of the preceding comment.

Why is it necessary that a parent should do ENGINE_finish first before
forking? Can't a process simultaneously use the pkcs#11 engine with its
child?

Thanks,
Thulasi.


Re: [openssl-users] cipher suite ECDH-ECDSA-AES128-SHA256

2011-05-25 Thread Thulasi
 The answer however has changed: experimental TLS v1.2 code is present in HEAD
 and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
 bugs may remain. There are some known interop problems with some ECC
 ciphersuites: that is OpenSSL can connect to some servers but not others. At
 this point it isn't clear if the problem is with the servers or OpenSSL.

From ssl/tls1.h of today's snapshot, it looks to me that the CipherSuites from
RFC 5288 and 5289 (ECC & GCM TLS1.2 CipherSuites) are not added yet.

Thanks,
Thulasi.

On 25 May 2011 15:51, Dr. Stephen Henson st...@openssl.org wrote:

 On Wed, May 25, 2011, Erwann ABALEA wrote:

  Bonjour,
 
   Hodie VIII Kal. Iun. MMXI, shoutee scripsit:
    I want to run a TLS Server with support of cipher suite
    'ECDH-ECDSA-AES128-SHA256' (RFC 5289). Unfortunately I can't find this
    cipher suite within tls1.h. ECDSA is only available with SHA1.
   
    Since openssl supports SHA256 I thought that ECDSA with SHA256 should
    be available, or am I missing something?
    I'm using openssl-1.0.0d.
 
  The ciphersuites defined in RFC5289 apply to TLS1.2 only. OpenSSL
  doesn't support (yet) TLS1.2.
  If your next question is when will OpenSSL support TLS1.2?, you'll
  find the answer in the archives, as it has been asked quite some
  times.
 

 The answer however has changed: experimental TLS v1.2 code is present in HEAD
 and the 1.0.1 stable branch. The code hasn't been fully tested yet so some
 bugs may remain. There are some known interop problems with some ECC
 ciphersuites: that is OpenSSL can connect to some servers but not others. At
 this point it isn't clear if the problem is with the servers or OpenSSL.

 If anyone knows of any public servers supporting TLS v1.2 I'd be interested
 in some interop testing.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org



Re: Sending encrypted URL params to PHP: How to calculate size of encrypted data?

2011-05-17 Thread Thulasi
As you are planning to use symmetric encryption for the payload, the encrypted data
length will be the same as that of the payload, assuming your payload is properly
padded.

On 17 May 2011 14:54, G S stokest...@gmail.com wrote:

 Re-sending.  Forgot to finish the subject...

 Hi all.

 I have an iPhone app that retrieves database info by issuing HTTP GETs to
 PHP pages on a server.  All I want to do is encrypt the parameters sent in
 the URL, to prevent people from spoofing our app and abusing our database
 (most likely with spam).  I've seen people ask this question in forums, and
 they usually get barraged with questions about why they want to do it,
 rather than answers.  Let me try to head a few off:

 1. It's neither practical nor necessary to maintain sessions on the
 server.  We're not using cookies, certificates, or HTTPS.  I don't even need
 the returned data to be encrypted (it's just DB queries coming back as XML).
 2. I can't use GnuPG because of its license.
 3. I want to use a public-key mechanism because the key will be sent in the
 clear from DB to app; I don't want to try to hide a private key in the app
 itself.

 As I understand it, the typical procedure is as follows:

 1. Generate a random key and initialization vector to encrypt the block of
 text.
 2. Encrypt that random key with the RSA public key.
 3. Encrypt the data payload with the random key and IV, using Blowfish or
 other encryption.
 4. Send the encrypted data payload, encrypted random key, and IV to the
 server for decryption.

 I think I'm nearly there: I'm generating a random key and IV; I have the
 public key coming back from the database and being loaded with
 PEM_read_bio_RSA_PUBKEY().  Now I guess I need to use the EVP_encrypt
 functions to encrypt the payload, but how do you calculate the size of the
 output buffer that's required for the encrypted data?

 I assume a normal next step is to add the encrypted key, IV, and encrypted
 payload as parameters in the HTTP GET and unravel all this using appropriate
 functions (and the private RSA key) in PHP on the server.  Correct?

 Thanks!

 Gavin