[openssl-users] Escaped Issuer/Subject

2017-04-12 Thread c.hol...@ades.at

I thought about escaping regarding DN itself (LDAP DN).

https://www.ietf.org/rfc/rfc4514.txt

https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzahy/rzahyunderdn.htm

https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx

Best regards
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Escaped Issuer/Subject

2017-04-11 Thread c.hol...@ades.at

Hi!

Is it possible to get the distinguished name of issuer or subject in an 
escaped form out of the box?


e.g.
C=US, O=test, Inc., OU=department=1, CN=tester "
C=US, O=test\, Inc., OU=department\=1, CN=tester \"

cheers,
chris



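Added example (not part of the original post and not OpenSSL code): a small C routine that produces the escaped form asked about above, following the value-escaping rules of RFC 4514 section 2.4. The names struct rdn, dn_escape_value and dn_format are hypothetical; escaping '=' and hex-escaping control characters are optional under the RFC and are done here to match the post's sample and to keep the output on one line.

```c
#include <stdio.h>
#include <string.h>

struct rdn { const char *type; const char *value; };  /* hypothetical helper type */

/* Escape one attribute value (RFC 4514, section 2.4). Returns length or -1. */
int dn_escape_value(const char *in, size_t n, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        /* leading space or '#', and trailing space, must be escaped */
        int edge = (i == 0 && (c == ' ' || c == '#')) || (i == n - 1 && c == ' ');
        int ctrl = c < 0x20 || c == 0x7f;          /* NUL and controls become \XX */
        size_t need = ctrl ? 3 : (edge || strchr("\"+,;<>\\=", c)) ? 2 : 1;
        if (cap - o <= need) return -1;            /* always keep room for the NUL */
        if (need > 1) out[o++] = '\\';
        if (ctrl) { out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
        else out[o++] = (char)c;                   /* UTF-8 bytes >= 0x80 pass through */
    }
    out[o] = '\0';
    return (int)o;
}

/* Join type=value pairs with ", " as in the post. Returns length or -1. */
int dn_format(const struct rdn *r, size_t count, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        int w = snprintf(out + o, cap - o, "%s%s=", i ? ", " : "", r[i].type);
        if (w < 0 || (size_t)w >= cap - o) return -1;
        o += (size_t)w;
        w = dn_escape_value(r[i].value, strlen(r[i].value), out + o, cap - o);
        if (w < 0) return -1;
        o += (size_t)w;
    }
    return (int)o;
}

int main(void)
{
    /* Constructed sample: the unescaped DN from the post, split into RDNs. */
    const struct rdn dn[] = {{"C","US"},{"O","test, Inc."},{"OU","department=1"},{"CN","tester \""}};
    char buf[128];
    if (dn_format(dn, 4, buf, sizeof buf) >= 0) puts(buf);
    return 0;
}
```
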

[openssl-users] GCM cipher decryption

2016-07-13 Thread c.hol...@ades.at

Thanks!
It works.

Chris


[openssl-users] GCM cipher decryption

2016-07-12 Thread c.hol...@ades.at

Hi!

2 questions about GCM and the following OpenSSL-Sample please.

https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Decryption_using_GCM_mode

and the function

int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char 
*aad, int aad_len, unsigned char *tag, unsigned char *key, unsigned char 
*iv, unsigned char *plaintext)



* Is ciphertext the pure ciphertext OR
is it with IV and TAG still in the string??

* If the 2nd: The IV is expected to be in front of the ciphertext and 
the TAG is expected to be after the ciphertext - correct?

| IV | ciphertext | TAG |

thanks!
Christoph


[openssl-users] Padding OAEP

2016-07-05 Thread c.hol...@ades.at

Hi!

I had a look into Apache Santuario. An XML-Security-Framework using OpenSSL.
To my eyes it looks like only OAEP with MGF SHA1 is supported out of 
the OpenSSL-box.


Other digests need to be handled manually.
In Santuario they wrote their own RSA_padding_check_PKCS1_OAEP with 2 new 
parameters for MGF and digest.


Chris


[openssl-users] Padding OAEP

2016-07-04 Thread c.hol...@ades.at

I had some further analysis.
I am looking for RSA-decryption with OAEP-padding and MGF1 and digest 
SHA-256.

Is there a way to do it??

Thanks!



[openssl-users] Padding OAEP

2016-07-04 Thread c.hol...@ades.at

Hello!

I try to do some XML-ENC with OpenSSL 
(https://www.w3.org/TR/xmlenc-core1/#sec-RSA-OAEP, section 5.5.2) and I 
have some problems with the padding.

Now I have some problems with decrypting an RSA-encoded string.

For identifier "rsa-oaep-mgf1p" I use RSA_PKCS1_OAEP_PADDING for padding 
and it is fine.
For "http://www.w3.org/2001/04/xmlenc#rsa-1_5" I use RSA_PKCS1_PADDING 
and it is also ok.


But it is not working for "rsa-oaep". I tried any padding setting possible.
Any ideas??

Thanks!
Chris






[openssl-users] CMS: Encrypt with binary encoding

2016-06-22 Thread c.hol...@ades.at

Yes, but then there is no MIME-Header.
Can I have MIME with binary encoding??




[openssl-users] CMS: Encrypt with binary encoding

2016-06-22 Thread c.hol...@ades.at

Hi!

Is there a way to get binary (not base64) encoding out of CMS-encrypt??

openssl cms -encrypt -in plain.txt  mycer.cer

gives me a MIME-part with
Content-Transfer-Encoding: base64

But I'd like to have binary.
Thanks for help!

Chris


[openssl-users] RSA-OAEP (without MGF1P)

2016-06-14 Thread c.hol...@ades.at

Hi!

Dealing with XML Security and encryption/decryption I am looking for 
support of padding RSA-OAEP.


As far as I can see PKCS 1.5 and RSA-OAEP-MGF1P are supported within OpenSSL.

Can anyone tell me what about RSA-OAEP and the support for it?

Thanks!

Chris



[openssl-users] Missing ctrl-defines for GCM

2016-05-01 Thread c.hol...@ades.at

Hi!

I am trying OpenSSL EVP for some AES-GCM encryption/decryption testing.

Having Debian 8.4 (testing) my installed evp.h does not include the 
following defines I need.


#define EVP_CTRL_AEAD_SET_IVLEN 0x9
#define EVP_CTRL_AEAD_GET_TAG 0x10
#define EVP_CTRL_AEAD_SET_TAG 0x11

If I set it manually it seems to work. I found it as "ctrl() values" on
https://github.com/openssl/openssl/blob/master/include/openssl/evp.h.

My distribution's OpenSSL is 1.0.1k 8 Jan 2015.

So 2 questions.
- Why is it not included in my evp.h? Is it too old?
- If it is too old, is it ok to define it by myself or is it a bad idea?

Thanks for help!
Chris





Re: [openssl-users] Verify signature without certificate included in it

2016-04-23 Thread c.hol...@ades.at

Ahh... I see.
-certfile

Thanks!

Chris


On 2016-04-22 20:22, c.hol...@ades.at wrote:

hi!

I am using openssl-smime for signing outgoing messages and verifying 
incoming.

My question is about verifying.

If the partner signs a message where the certificate is included in 
the signature all is OK.
If he signs only with issuer and serial included in the signature I 
get an error ("signer certificate not found").


If I parse the signature with openssl-asn1parse I can see the content 
of the signature. So I see what's included.


Do not know how to describe it in a better way. Is there a name for 
signatures with/without certificate-information?


How can I get the signature verified if there is no certificate 
included in it?


Thanks for help!
Chris





[openssl-users] Verify signature without certificate included in it

2016-04-22 Thread c.hol...@ades.at

hi!

I am using openssl-smime for signing outgoing messages and verifying 
incoming.

My question is about verifying.

If the partner signs a message where the certificate is included in the 
signature all is OK.
If he signs only with issuer and serial included in the signature I get 
an error ("signer certificate not found").


If I parse the signature with openssl-asn1parse I can see the content of 
the signature. So I see what's included.


Do not know how to describe it in a better way. Is there a name for 
signatures with/without certificate-information?


How can I get the signature verified if there is no certificate 
included in it?


Thanks for help!
Chris



[openssl-users] SMIME: 1.0.0e vs. 1.0.1e

2016-02-26 Thread c.hol...@ades.at

Hi!

I'd like to finish the thread I started.

- My first statement was wrong. Also 1.0.0e is not able to process my 
SMIME-sample.
The reason was that I had a smime-binary-patch installed at the 1.0.0e 
some years ago and I did not remember about it.
Without the patch installed in the 1.0.1e it looks like a change in 
functionality between the versions.


- Many thanks to Dr. Stephen Henson for his help and support.
This solution (parse it externally and verify it with openssl-cms) works 
fine.


Best regards,
Chris


[openssl-users] SMIME: 1.0.0e vs. 1.0.1e

2016-02-18 Thread c.hol...@ades.at

I'd like to add the following to my thread.

- If I use option -nosigs then it is working.
But sure it's not verifying. If I change the content it is still ok with 
this option in place.


- I tried also the current 1.0.1r and get the same behaviour with 1.0.1e.

- Option -binary does not help.

Thanks!
Cheers,
chris


[openssl-users] SMIME: 1.0.0e vs. 1.0.1e

2016-02-18 Thread c.hol...@ades.at

Hello!

I have a little problem with an update from an old 1.0.0e (vanilla 
compiled) vs.
Debian's (7.9, stable) 1.0.1e.

I try to verify an smime-signature
Tried with the same smime-file and with the same certificates on the 
same machine.

The certificates are fine and are ok if I verify them.


openssl smime -verify -purpose any -in "myfile.txt" -out "myfile.out"  
-CApath /etc/ssl/certs -CAfile "cert.cer"


It works fine with 1.0.0e.
Text: Verification successful
Return: 0


But I get the following with 1.0.1e.
Text: Verification failure
139728980395688:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:1169:
139728980395688:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:410:

Return: 4



The myfile.txt (shortened):
--
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; 
micalg="sha1"; boundary="EEFE59145E95831000EE06DE4309E3A9"


This is an S/MIME signed message

--EEFE59145E95831000EE06DE4309E3A9
Content-Transfer-Encoding: binary
Content-Type: application/edi-consent
Content-Disposition: attachment; name="abc.xml"; filename="abc.xml"


..
..
--EEFE59145E95831000EE06DE4309E3A9
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIawYJKoZIhvcN7nTRPWZsxevEqzakh6vKxTTE8sn5mzeU4QoEqAP1EOuATPan0VpAXtfJfBQfq/I=
...
EEFE59145E95831000EE06DE4309E3A9
-


Can anyone please help, thanks!

Best regards,
christoph



