[openssl-users] Escaped Issuer/Subject
I thought about escaping regarding DN itself (LDAP DN). https://www.ietf.org/rfc/rfc4514.txt https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzahy/rzahyunderdn.htm https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx Best regards -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Escaped Issuer/Subject
Hi! Is it possible to get the distinguished name of issuer or subject in a escaped form out of the box? e.g. C=US, O=test, Inc., OU=department=1, CN=tester " C=US, O=test\, Inc., OU=department\=1, CN=tester \" cheers, chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] GCM cipher decryption
Thanks! It works. Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] GCM cipher decryption
Hi! 2 questions about GCM and the following OpenSSL-Sample please. https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Decryption_using_GCM_mode and the function int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *aad, int aad_len, unsigned char *tag, unsigned char *key, unsigned char *iv, unsigned char *plaintext) * Is ciphertext the pure ciperhtext OR is it with IV and TAG still in the string?? * If the 2nd: The IV is expected to be in front of the ciphertext and the TAG is expected to be past of the ciphertext - correct? | IV | ciphertext | TAG | thanks! Christoph -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Padding OAEP
Hi! I had a look into Apache Santuario. A XML-Security-Framework using OpenSSL. For my eyes it looks like only OAEP with MGF SHA1 is supported out of the OpenSSL-box. Other digests need to be handeled manually. In Santuario they wrote an own RSA_padding_check_PKCS1_OAEP with 2 new parameters for MGF and digest. Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Padding OAEP
I had some further analysis. I am looking for RSA-decryption with OAEP-padding and MGF1 and digest SHA-256. Is there a way to do it?? Thanks! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Padding OAEP
Hello! I try to do some XML-ENC with OpenSSL (https://www.w3.org/TR/xmlenc-core1/#sec-RSA-OAEP, section 5.5.2) and I have some problems with the padding. Now I have some problems with decrypting a RSA-encoded string. For identifier "rsa-oaep-mgf1p" I use RSA_PKCS1_OAEP_PADDING for padding and it is fine. For "http://www.w3.org/2001/04/xmlenc#rsa-1_5; I use RSA_PKCS1_PADDING and it is also ok. But it is not working for "rsa-oaep". I tried any padding setting possible. Any ideas?? Thanks! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] CMS: Encrypt with binary encoding
Yes, but then there is no MIME-Header. Can I have MIME with binary encoding?? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] CMS: Encrypt with binary encoding
Hi! Is there a way to get binary (not base64) encoding out of CMS-encrypt?? openssl cms -encrypt -in plain.txt mycer.cer gives me a MIME-part with Content-Transfer-Encoding: base64 But I'd like to have binary. Thanks for help! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] RSA-OAEP (without MGF1P)
Hi! Dealing with XML Security and enncryption/decryption I am looking for support of padding RSA-OAEP. As far I can see PKCS 1.5 and RSA-OAEP-MGF1P is supported within OpenSSL. Can anyone tell me what about RSA-OAEP and the support for it? Thanks! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Missing ctrl-defines for GCM
Hi! I am trying OpenSSL EVP for some AES-GCM encryption/decryption testing. Having Debian 8.4 (testing) my installed evp.h does not include the following defines I need. #define EVP_CTRL_AEAD_SET_IVLEN 0x9 #define EVP_CTRL_AEAD_GET_TAG 0x10 #define EVP_CTRL_AEAD_SET_TAG 0x11 If I set it manually it seems to work. I found it as "ctrl() values" on https://github.com/openssl/openssl/blob/master/include/openssl/evp.h. My distributions OpenSSL is 1.0.1k 8 Jan 2015. So 2 questions. - Why is it not included in my evp.h. Is it too old? - If it is too old, is it ok to define it by myself or is it a bad idea? Thanks for help! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Verify signature without certificate included in it
Ahh... i see. -certfile Thanks! Chris On 2016-04-22 20:22, c.hol...@ades.at wrote: hi! I am using openssl-smime for signing outgoing messages and verifying incoming. My question is about verifying. If the partner signs a message where the certificate is included in the signature all is OK. If he signes only with issuer and serial included in the signature i get an error ("signer certificate not found"). If I parse the signature with openssl-asn1parse I can see the content of the signature. So I see whats included. Do not know how to describe it in a better way. Is there a name for signatures with/without certificate-information? How can I get the signature get verifyed if there is no certificate included in it? Thanks for help! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Verify signature without certificate included in it
hi! I am using openssl-smime for signing outgoing messages and verifying incoming. My question is about verifying. If the partner signs a message where the certificate is included in the signature all is OK. If he signes only with issuer and serial included in the signature i get an error ("signer certificate not found"). If I parse the signature with openssl-asn1parse I can see the content of the signature. So I see whats included. Do not know how to describe it in a better way. Is there a name for signatures with/without certificate-information? How can I get the signature get verifyed if there is no certificate included in it? Thanks for help! Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SMIME: 1.0.0e vs. 1.0.1e
Hi! I'd like to finish the thread I started. - My first statement was wrong. Also 1.0.0e is not able to process my SMIME-sample. The reason was that I had a smime-binary-patch installed at the 1.0.0e some years ago and I did not remember about it. Without the patch installed in the 1.0.1e it looks like a change in functionality between the version. - Many thanks to Dr. Stephen Henson for his help and support. This solution (parse it externally and verify it with openssl-cms) works fine. Best regards, Chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SMIME: 1.0.0e vs. 1.0.1e
I'd like to add the following to my thread. - If I use option -nosigs then it is working. But sure its not verifying. If I change the content it is still ok with this option in place. - I tried also the current 1.0.1r and get the same behaviour with 1.0.1e. - Option -binary does not help. Thank! Cheers, chris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SMIME: 1.0.0e vs. 1.0.1e
Hello! I have a little problem with an update from an old 1.0.0e (vanilla compiled) vs. debians (7.9, stable) 1.0.1e. I try to verify an smime-signature Tried with the same smime-file and with the same certificates on the same machine. The certificates are fine and are ok if I verify them. openssl smime -verify -purpose any -in "myfile.txt" -out "myfile.out" -CApath /etc/ssl/certs -CAfile "cert.cer" It works fine with 1.0.0e. Text: Verification successful Return: 0 But I get the following with 1.0.1e. Text: Verification failure 139728980395688:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:1169: 139728980395688:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:410: Return: 4 The myfile.txt (shortened): -- MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="EEFE59145E95831000EE06DE4309E3A9" This is an S/MIME signed message --EEFE59145E95831000EE06DE4309E3A9 Content-Transfer-Encoding: binary Content-Type: application/edi-consent Content-Disposition: attachment; name="abc.xml"; filename="abc.xml" .. .. --EEFE59145E95831000EE06DE4309E3A9 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIIawYJKoZIhvcN7nTRPWZsxevEqzakh6vKxTTE8sn5mzeU4QoEqAP1EOuATPan0VpAXtfJfBQfq/I= ... EEFE59145E95831000EE06DE4309E3A9 - Can anyone please help, thanks! Best regards, christoph -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users