R: Unable to verify a RSA SHA512 signature maded from CLI from a C source code.
Have you miss the OpenSSL_add_all_algorithms() initialization? Da: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Per conto di Roberto Martelloni Inviato: venerdì 3 febbraio 2012 12:31 A: openssl-users@openssl.org Oggetto: Unable to verify a RSA SHA512 signature maded from CLI from a C source code. Hello to all, I can't verify a signature from a C code but maded with openssl command line . Anyone can give me some hints ? I create my RSA key pair with this command: /usr/bin/openssl genrsa -out RSA-1024.key 1024 /usr/bin/openssl rsa -in RSA-1024.key -pubout > RSA-1024-public.key I made the signature with: /usr/bin/openssl dgst -binary -sha512 -sign RSA-1024.key -out serial.SHA512.asc serial.SHA512 If I verify it from CLI all work /usr/bin/openssl dgst -sha512 -verify RSA-1024-public.key -signature serial.txt.SHA512.asc serial.txt.SHA512 Verified OK But when I try to check it from source code all get wrong. Here the code http://nopaste.info/da38ec303b.html What is wrong ? thank you ! R. -- Roberto Martelloni __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
R: Error - AES-256 CBC encrypting using EVP routines and decrypting using command line
Use K iv parameters to pass HEX formatted key,iv
Francesco Petruzzi francesco.petru...@innovery.it
The information contained in this electronic message and any
attachments (the "Message") is intended for one or more specific individuals
or entities, and may be confidential, proprietary, privileged or otherwise
protected by law. If you are not the intended recipient, please notify the
sender immediately, delete this Message and do not disclose, distribute, or
copy it to any third party or otherwise use this Message. Electronic
messages are not secure or error free and can contain viruses or may be
delayed, and the sender is not liable for any of these occurrences. The
sender reserves the right to monitor, record and retain electronic messages.
Le informazioni contenute in questo messaggio e gli eventuali
allegati (il "Messaggio") si intendono inviate a uno o piú specifici
destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato
e comunque protetto dalla legge applicabile. Se non siete i destinatari del
Messaggio, siete pregati di informare immediatamente il mittente, cancellare
questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi,
non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono
sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus
informatici o soggetti a ritardi nella distribuzione. Il mittente del
Messaggio non puó essere in alcun modo considerato responsabile per queste
evenienze. Il mittente si riserva il diritto di archiviare, ritenere e
controllare i messaggi di posta elettronica.
_
Da: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
Per conto di ~ Kunal Sharma ~
Inviato: martedì 25 maggio 2010 14.30
A: openssl-users@openssl.org
Oggetto: Error - AES-256 CBC encrypting using EVP routines and decrypting
using command line
Friends,
I'm trying to verify that my encryption and decryption routines work ok. One
way I do it is to encrypt the data and save it to a file. The I feed the
encrypted file to my decryption routine and write the decrypted data to
another file. I compare the original data and the contents of the decrypted
file and they are same. So the routines work fine in tandem.
Another method I want to use it to encrypt the data and save it to a file.
Then I feed the encrypted file to Openssl command line to decrypt.
I get my encrypted data in the file rgconf_encrypted. Then I run the
following command:
openssl enc -d -aes-256-cbc -in rgconf_encrypted
I enter the decryption password "As different as chalk and cheese" which I
used to encrypt the data. But I get the error "bad magic number".
Am I missing something here ? I need to be able to use a simple phrase as my
encryption password so I can decrypt it on command line as well. Please
provide any pointers on what could be wrong here.
Below is the code for my encryption routine.
Thanks,
Kunal
++
int encrypt(void)
{
EVP_CIPHER_CTX ctx;
unsigned char ibuf[1024],obuf[1024];
int rfd, wfd,ilen,olen,tlen;
unsigned char key32[] = "As different as chalk and cheese";
unsigned char iv[] = "As dark as pitch";
EVP_CIPHER_CTX_init(&ctx);
if(!EVP_CipherInit_ex(&ctx, EVP_aes_256_cbc(),NULL,key32,
iv,AES_ENCRYPT) ) {
console_printf("Couldnt initialize cipher\n");
return 1;
}
/* read the original contents that are stored in file
/etc/rgconf */
if((rfd = open("/etc/rgconf",O_RDONLY) ) == -1) {
console_printf("Couldnt open input file\n");
return 1;
}
/* open a file /et.rgconf_encrypted to store encrypted data */
if((wfd = creat("/etc/rgconf_encrypted",0644) ) == -1) {
console_printf("Couldn't open output file for
writing\n");
return 1;
}
while((ilen = read(rfd,ibuf,1024) ) > 0) {
if(EVP_CipherUpdate(&ctx,obuf,&olen,ibuf,ilen)){
write(wfd,obuf,olen);
}
else {
console_printf("Encryption error\n");
return 1;
}
}
if(!EVP_CipherFinal_ex(&ctx,obuf+olen,&tlen)) {
console_printf("Trouble with padding the last
block\n");
return 1;
}
write(wfd,obuf+olen,tlen);
EVP_CIPHER_CTX_cleanup(&ctx);
close(rfd);
close(wfd);
console_printf("AES 256 CBC encryption complete\n");
Re: [?? Probable Spam] PEM_read_bio_X509 - Segmentation fault
Have you try to initialize cert to NULL before use? Francesco Petruzzi [EMAIL PROTECTED] The information contained in this electronic message and any attachments (the "Message") is intended for one or more specific individuals or entities, and may be confidential, proprietary, privileged or otherwise protected by law. If you are not the intended recipient, please notify the sender immediately, delete this Message and do not disclose, distribute, or copy it to any third party or otherwise use this Message. Electronic messages are not secure or error free and can contain viruses or may be delayed, and the sender is not liable for any of these occurrences. The sender reserves the right to monitor, record and retain electronic messages. Le informazioni contenute in questo messaggio e gli eventuali allegati (il "Messaggio") si intendono inviate a uno o piú specifici destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato e comunque protetto dalla legge applicabile. Se non siete i destinatari del Messaggio, siete pregati di informare immediatamente il mittente, cancellare questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus informatici o soggetti a ritardi nella distribuzione. Il mittente del Messaggio non puó essere in alcun modo considerato responsabile per queste evenienze. Il mittente si riserva il diritto di archiviare, ritenere e controllare i messaggi di posta elettronica. - Original Message - From: "BiGNoRm6969" <[EMAIL PROTECTED]> To: Sent: Monday, December 08, 2008 7:01 PM Subject: [?? Probable Spam] PEM_read_bio_X509 - Segmentation fault > > Hi, > > The function PEM_read_bio_X509 always create a Segmentatio Fault. > > Code: > string certificateFile = > "/home/norm/Desktop/tmp/SSLServer_RootCertificate.pem"; > X509* cert; > BIO* bio_cert = BIO_new_file(certificateFile.c_str(), "rb"); > PEM_read_bio_X509(bio_cert, &cert, NULL, NULL); > > Any idea whats causing the problem ? I tryed it on linux and also on > windows xp...same problem. > > > -- > View this message in context: http://www.nabble.com/PEM_read_bio_X509---Segmentation-fault-tp20900358p20900358.html > Sent from the OpenSSL - User mailing list archive at Nabble.com. > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: DER encoding SubjectPublicKeyInfo
you can see using the lengths the second sequence contains only
algoritm oid and parameters (in this case NULL parameters). This is
AlgorithmIdentifier.
Below the bit string contains the der encoding of subjectPublicKey
(encoded).
Francesco Petruzzi
[EMAIL PROTECTED]
- Original Message -
From: "Roger Boden" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, April 22, 2008 11:43 AM
Subject: RE: DER encoding SubjectPublicKeyInfo
Thanks, that explains the 0x30 tag value. What about the DER encoding? Is
that correct?
The 'openssl asn1parse' output of the DER encoding is:
0:d=0 hl=3 l= 159 cons: SEQUENCE
3:d=1 hl=2 l= 13 cons: SEQUENCE
5:d=2 hl=2 l= 9 prim: OBJECT:rsaEncryption
16:d=2 hl=2 l= 0 prim: NULL
18:d=1 hl=3 l= 141 prim: BIT STRING
To me this does not look correct. There is a NULL object that should not be
there. Also the algorithm identifier and the bit string should be in the
same sequence.
What ASN.1 type is i2d_X509_PUBKEY() supposed to encode? Is this a bug in
this function, or am I using the wrong API?
Regards Roger
> To: openssl-users@openssl.org
> Subject: Re: DER encoding SubjectPublicKeyInfo
> From: [EMAIL PROTECTED]
> Date: Tue, 22 Apr 2008 00:09:21 +0200
>
> Hello,
>
> [EMAIL PROTECTED] wrote on 04/21/2008 10:45:18 PM:
>
>>
>> Hi,
>>
>> I need to DER encode an RSA public key as a SubjectPublicKeyInfo. The
> ASN.1 definition
>> of SubjectPublicKeyInfo is
>>SubjectPublicKeyInfo ::= SEQUENCE {
>> algorithmAlgorithmIdentifier,
>> subjectPublicKey BIT STRING }
>>
>> According to rfc 3279, the bit string subjectPublicKey should hold the
> DER encoding of
>> the following ASN.1 defintion:
>> RSAPublicKey ::= SEQUENCE {
>> modulusINTEGER,-- n
>> publicExponent INTEGER } -- e
>>
>> In order to achieve this encoding I tried to call i2d_X509_PUBKEY(). The
> DER output of
>> this function for an RSA test key is:
>> 0x30 0x81 0x9f 0x30 0x0d 0x06 0x09 0x2a
>> 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01
>> 0x05 0x00 0x03 0x81 0x8d 0x00 0x30 0x81
>> 0x89 0x02 0x81 0x81 0x00 0xac 0xaa 0x98
>> 0xf8 0xeb 0x58 0x8c 0x0d 0xec 0xf3 0xbe
>> 0xd4 0xd0 0xd0 0xe8 0x0a 0x4d 0x02 0x70
>> 0x30 0xa1 0x1f 0xea 0xa1 0x02 0xaa 0x9d
>> 0xb0 0x16 0x91 0x8a 0x39 0xfe 0x79 0x9a
>> 0xf3 0x46 0xbb 0xc9 0x49 0x23 0x9d 0x37
>> 0xa5 0x13 0xe6 0x2f 0x9e 0xe3 0x94 0xfb
>> 0x31 0xd9 0x8d 0x80 0x79 0x7d 0xbe 0xdf
>> 0x1e 0xf4 0x88 0x6c 0x45 0xc6 0x3e 0xbf
>> 0x4c 0x93 0x58 0xe9 0x5c 0x7a 0x63 0xd5
>> 0x9e 0xb1 0x23 0xf0 0x43 0x50 0x23 0x0d
>> 0xe8 0xc6 0x9f 0x40 0x79 0x3e 0x5a 0x15
>> 0xf0 0x4a 0x1a 0x68 0xc5 0xdb 0xb1 0x69
>> 0x9b 0x5d 0x5c 0x6c 0x12 0x1b 0xaa 0x24
>> 0x36 0x15 0x11 0x45 0x12 0xe5 0x37 0x85
>> 0xa4 0xa8 0x59 0xeb 0x2b 0x2c 0xc4 0x14
>> 0xa4 0x70 0x11 0x72 0x51 0x02 0x03 0x01
>> 0x00 0x01
>>
>> What type encoding is 0x30? I was expecting to see 0x10 (the type value
> for SEQUENCE).
> ASN.1 encodes objects as TLV (tag, length, value).
> Tag is constructed with class, type, object value.
> If object value is less then 31 all this information is encoded
> in one byte (class - 2bits, type - 1bit, object value - 5bits).
> Because ASN.1 SEQUENCE has value of 0x10 (which is less then 31)
> all this is encoded in one byte as:
>
> ASN_CLASS_UNIVERSAL | ASN_TYPE_CONSTRUCTED | ASN_OBJECT_SEQUENCE
>
> where:
> ASN_CLASS_UNIVERSAL = 0x00
> ASN_TYPE_CONSTRUCTED = 0x20
> ASN_OBJECT_SEQUENCE = 0x10
>
> which gives you 0x30
>
> Best regards,
> --
> Marek Marcola
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
_
Ladda ner hela Windows Live gratis och upptäck fördelarna!
http://get.live.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: [Norton AntiSpam] question on reading PEM from memory
Try to split b64 data in 64 chars lines. Francesco Petruzzi [EMAIL PROTECTED] The information contained in this electronic message and any attachments (the "Message") is intended for one or more specific individuals or entities, and may be confidential, proprietary, privileged or otherwise protected by law. If you are not the intended recipient, please notify the sender immediately, delete this Message and do not disclose, distribute, or copy it to any third party or otherwise use this Message. Electronic messages are not secure or error free and can contain viruses or may be delayed, and the sender is not liable for any of these occurrences. The sender reserves the right to monitor, record and retain electronic messages. Le informazioni contenute in questo messaggio e gli eventuali allegati (il "Messaggio") si intendono inviate a uno o piú specifici destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato e comunque protetto dalla legge applicabile. Se non siete i destinatari del Messaggio, siete pregati di informare immediatamente il mittente, cancellare questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus informatici o soggetti a ritardi nella distribuzione. Il mittente del Messaggio non puó essere in alcun modo considerato responsabile per queste evenienze. Il mittente si riserva il diritto di archiviare, ritenere e controllare i messaggi di posta elettronica. - Original Message - From: "coco coco" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 14, 2005 9:24 AM Subject: [Norton AntiSpam] question on reading PEM from memory > I'm trying to read a certificate in PEM format from memory, using BIO, but > everytime, it just returns NULL. Can anyone point out what's wrong with this > code? > > char * mykey = > "-BEGIN CERTIFICATE-\n" \ > "MIIBzjCCATegAwIBAgIIB+d8Z03zbQQwDQYJKoZIhvcNAQEFBQAwHzEMMAoGA1UEAxMDY3NwMQ8 wDQYDVQQGDAbkuK3lm70wHhcNMDUwMjA2MDc1OTQ3WhcNMDcwMjA2MDc1OTQ3WjAfMQwwCgYDVQQ DEwNjc3AxDzANBgNVBAYMBuS4reWbvTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAi5ERCTk 3RC8W/9T+ozruc9kWhLh9vQ1Ke130TfzWgX0wK2qGNUy+C4CCsjn6ThO8vz4QQtbt1QSwl8+BUAU dAto2iiHyI4nzxEnwhTheRDFnJsjMwwbjkYXZIDgpt+EiT9U0UryHtNaPUK7+se9Ee7PpjbJb51v wHhIGOikhDdkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEBADANBgkqhkiG9w0BAQUFAAOBgQB/nUF ATa4V8CXo0nMZYzBGA+bddbkphmW1unD/BLLbWq4ant4bgALt0a1nqHKEAPkeHXryxvsvZAoRR4m I7YvEjQvKaA06AwniATOcMDsa3RrHRoXp+/N2OfNMzjYt3Wa0ZqiI9Y/u1odrkvFamhKuCpMzvrJ SOACsiKB31v2fuw==\n" > \ > "-END CERTIFICATE-\n"; > > BIO *bio = BIO_new_mem_buf(mykey, -1); > > X509 *x509 = NULL; > PEM_read_bio_X509(bio, &x509, 0, NULL); > > if (x509 == NULL) > std::cout << "PEM_read_bio_X509 failed..." << std::endl; > > The problem is PEM_read_bio_X509() always return NULL for x509. I must have > done something wrong, but have no clue what is going on here. Browsing thru > the book "Network Security with OpenSSL" over and over again, and even > reading the code of OpenSSL, the way I invoked those functions seems correct > to me. > > Any help would be very much appreciated. > > rgds > > _ > Express yourself instantly with MSN Messenger! Download today - it's FREE! > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: linking ssleay32.dll statically inside the app?
Yes! You must compile openssl using the static option (see compilation instruction) or download an already compiled ssleay32.lib for windows. Then you can include it in your project (remember to download also the include file). This choice implies that if you want to use a new version of openssl library you must recompile your application. Francesco Petruzzi [EMAIL PROTECTED] - Original Message - From: Serge To: openssl-users@openssl.org Sent: Monday, January 10, 2005 2:29 PM Subject: linking ssleay32.dll statically inside the app? Hi, is it possible to link statically the ssleay32.dll along my application so I won't need to provide the dll to my customers? I use windows xp and msvc++ 6.0. thank you. Do you Yahoo!?All your favorites on one personal page Try My Yahoo!
Re: Error Loading DER certificate
Reset the file pointer before.
Francesco Petruzzi
[EMAIL PROTECTED]
- Original Message -
From: "Aftab Alam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 29, 2004 12:35 PM
Subject: Error Loading DER certificate
> Hi All,
> I am using the following code to load a DER encoded certificate. In case
of
> PEM the certificate gets loaded fine but the d2i_X509_fp function always
> return me NULL
>FILE * fPointer;
> X509 *x509Cert = NULL;
> fPointer = fopen(szPath,"rb");
>
> if(fPointer == NULL)
> {
> cout<<"No certifcate found at"< return 0;
> }
>
>
> //If path is valid then we check if there is
> //a certificate on the path that can be loaded
>
> x509Cert = PEM_read_X509(fPointer, NULL, NULL, NULL);
> //PEM_read_X509(fPointer, &x509Cert, NULL, NULL);
>
> if(!x509Cert)
> {
> //cout<<"certificate was not loaded by OpenSSL error method
> has to be captured later \n\n one more thing it only supports PEM
> format"< cout<<"not PEM format"<
> //might be the certificate sent is in DER fortmat so
> try converting it to PEM
> //d2i_X509();
> if(!x509Cert)
> {
> d2i_X509_fp(fPointer,NULL);
> if(!x509Cert)
> {
> cout<<"The input is not a valid certificate
> file"< fclose(fPointer);
> return 0;
> }
>
> }
>
> }
>
> any comments on what I am doing wrong ?
>
> regards
> Muhammad Aftab Alam
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: PKCS#11 and openssl: how to get a certificate onto the smart card?
Only for example:
You must open a session first. If certificate are stored in private space
you must also login.
int scan_PKCS11_cert() {
X509 *crt=NULL;
CK_BYTE *p=NULL;
CK_RV rv;
CK_OBJECT_HANDLE hCert = CK_INVALID_HANDLE;
int ret=0;
CK_ULONG Matches;
CK_ULONG ulCertAttributeCount = 3;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE certType=CKC_X_509;
CK_BYTE*value=NULL;
CK_ATTRIBUTE CertTemplate[]={
{CKA_CLASS,&certClass,sizeof(CK_OBJECT_CLASS)},
{CKA_CERTIFICATE_TYPE, &certType, sizeof(CK_CERTIFICATE_TYPE)},
{CKA_VALUE,(void *)NULL,0}};
rv = pFunctionList->C_FindObjectsInit(hSession, CertTemplate, 2);
if (rv != CKR_OK) { goto err; }
while (1) {
rv = pFunctionList->C_FindObjects(hSession, &hCert, 1,
&Matches);
if (rv != CKR_OK) { goto err; }
if (Matches==0) break;
value=(unsigned char *)OPENSSL_malloc(6000);//size is an
example, you can get first the size then the value
CertTemplate[2].ulValueLen=6000;
CertTemplate[2].pValue=p=value;
rv =
pFunctionList->C_GetAttributeValue(hSession,hCert,&CertTemplate[2],1);
if (rv == CKR_OK) {
crt=d2i_X509(NULL,&p,CertTemplate[2].ulValueLen);
if (crt) {
// make something with cert
X509_free(crt);
}
}
OPENSSL_free(value);
}
rv = pFunctionList->C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {goto err;}
return 1;
err:
return 0;
}
Francesco Petruzzi
[EMAIL PROTECTED]
The information contained in this electronic message and any attachments
(the "Message") is intended for one or more specific individuals or
entities, and may be confidential, proprietary, privileged or otherwise
protected by law. If you are not the intended recipient, please notify the
sender immediately, delete this Message and do not disclose, distribute, or
copy it to any third party or otherwise use this Message. Electronic
messages are not secure or error free and can contain viruses or may be
delayed, and the sender is not liable for any of these occurrences. The
sender reserves the right to monitor, record and retain electronic messages.
Le informazioni contenute in questo messaggio e gli eventuali allegati (il
"Messaggio") si intendono inviate a uno o piú specifici destinatari. Il
contenuto del Messaggio puó essere confidenziale, riservato e comunque
protetto dalla legge applicabile. Se non siete i destinatari del Messaggio,
siete pregati di informare immediatamente il mittente, cancellare questo
Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non
copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri
e sono soggetti ad alterazioni, possono essere trasmettitori di Virus
informatici o soggetti a ritardi nella distribuzione. Il mittente del
Messaggio non puó essere in alcun modo considerato responsabile per queste
evenienze. Il mittente si riserva il diritto di archiviare, ritenere e
controllare i messaggi di posta elettronica.
- Original Message -
From: "Andreas Feldner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 23, 2004 6:45 PM
Subject: PKCS#11 and openssl: how to get a certificate onto the smart card?
> Hi,
>
> probably I'm overlooking something obvious: I have a smart card that can
be
> accessed through a suitable PKCS#11 library and I have a working
sort-of-CA
> using openssl. I know how to generate key pairs on the smart card and
> (hopefully) how to read the public key off the card. But how do I get a
> certificate from that?
>
> Thanks in advance,
>
> Andreas.
>
> --
> Dr. Andreas Feldner e-mail: [EMAIL PROTECTED]
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Simpel keystore for use in Windows?
You can use PKCS12. Using libeay you can create: PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype); save: int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12); read: PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); parse: int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); Francesco Petruzzi [EMAIL PROTECTED] The information contained in this electronic message and any attachments (the "Message") is intended for one or more specific individuals or entities, and may be confidential, proprietary, privileged or otherwise protected by law. If you are not the intended recipient, please notify the sender immediately, delete this Message and do not disclose, distribute, or copy it to any third party or otherwise use this Message. Electronic messages are not secure or error free and can contain viruses or may be delayed, and the sender is not liable for any of these occurrences. The sender reserves the right to monitor, record and retain electronic messages. Le informazioni contenute in questo messaggio e gli eventuali allegati (il "Messaggio") si intendono inviate a uno o piú specifici destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato e comunque protetto dalla legge applicabile. Se non siete i destinatari del Messaggio, siete pregati di informare immediatamente il mittente, cancellare questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus informatici o soggetti a ritardi nella distribuzione. Il mittente del Messaggio non puó essere in alcun modo considerato responsabile per queste evenienze. Il mittente si riserva il diritto di archiviare, ritenere e controllare i messaggi di posta elettronica. - Original Message - From: "Hellan.Kim KHE" <[EMAIL PROTECTED]> To: "OpenSSL Users" <[EMAIL PROTECTED]> Sent: Tuesday, March 23, 2004 4:35 PM Subject: Simpel keystore for use in Windows? I need a simpel keystore, maybe containing a users private key, users certificate and 4-5 public certificates. I'm looking for some standard format for saving these keys/certificates to a single password protected file. At the moment I need it for a Windows environment, but I don't want to use Windows/CAPI keystore, since the application might move to a Java platform at some point in time. I was looking for something like PKCS#12. I don't know much about PKCS#12, but I don't think it can handle what I need? Any ideas on how to approach this problem appreciated! Thanks, Kim Hellan ___ www.kmd.dk www.kundenet.kmd.dk www.eboks.dk www.civitas.dk www.netborger.dk Hvis du har modtaget denne mail ved en fejl vil jeg gerne, at du informerer mig og sletter den. KMD skaber it-services, der fremmer effektivitet hos det offentlige, erhvervslivet og borgerne. If you received this e-mail by mistake, please notify me and delete it. Thank you. Our mission is to enhance the efficiency of the public sector and improve its service of the general public. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PKCS7 signature process standard question
From RFC2630: 5.4 Message Digest Calculation Process The message digest calculation process computes a message digest on either the content being signed or the content together with the signed attributes. In either case, the initial input to the message digest calculation process is the "value" of the encapsulated content being signed. Specifically, the initial input is the encapContentInfo eContent OCTET STRING to which the signing process is applied. Only the octets comprising the value of the eContent OCTET STRING are input to the message digest algorithm, not the tag or the length octets. The result of the message digest calculation process depends on whether the signedAttributes field is present. When the field is absent, the result is just the message digest of the content as described above. When the field is present, however, the result is the message digest of the complete DER encoding of the SignedAttributes value contained in the signedAttributes field. Is this the standard? Why openssl use only the authenticated attributes for digest calculation? Francesco Petruzzi [EMAIL PROTECTED] The information contained in this electronic message and any attachments (the "Message") is intended for one or more specific individuals or entities, and may be confidential, proprietary, privileged or otherwise protected by law. If you are not the intended recipient, please notify the sender immediately, delete this Message and do not disclose, distribute, or copy it to any third party or otherwise use this Message. Electronic messages are not secure or error free and can contain viruses or may be delayed, and the sender is not liable for any of these occurrences. The sender reserves the right to monitor, record and retain electronic messages.Le informazioni contenute in questo messaggio e gli eventuali allegati (il "Messaggio") si intendono inviate a uno o piú specifici destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato e comunque protetto dalla legge applicabile. Se non siete i destinatari del Messaggio, siete pregati di informare immediatamente il mittente, cancellare questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus informatici o soggetti a ritardi nella distribuzione. Il mittente del Messaggio non puó essere in alcun modo considerato responsabile per queste evenienze. Il mittente si riserva il diritto di archiviare, ritenere e controllare i messaggi di posta elettronica.
Re: Perhaps Off Topic: Entrust PKI
p7b file from entrust is simply a pkcs7 signed envelope that contains only certificates. You can use openssl function in order to open envelope and extract the certificates. Francesco Petruzzi [EMAIL PROTECTED] - Original Message - From: "Thomas H Jones II" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 8:10 AM Subject: Perhaps Off Topic: Entrust PKI > I know this list is for discussion of OpenSSL, but I have a more general > certificate problem. > > The company I work for was bought by a global telecom. This telecom uses > the Entrust PKI software. Unfortunately, new company policy means that I > have to replace my regular client certificate with this Entrust > software's certificate. > > I am wanting to export my certificate so that I can install it on my > Unix box as well, as I don't want to be limited to sending mail JUST > from my Windows box. Unfortunately, Entrust only seems to export .p7b > files. Is there a way, using OpenSSL to convert this file to something > more generally useable? > > -tom > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: X509_NAME_oneline
You can use X509_NAME_print_ex(...)
for example:
char * X509_NAME_oneline_ex(X509_NAME *a,char *buf,int *size,unsigned long
flag) {
BIO *out=NULL;
out=BIO_new(BIO_s_mem());
if(X509_NAME_print_ex(out,a,0,flag)>0) {
if (buf!=NULL && *size>(int)BIO_number_written(out)) {
memset(buf,0,*size);
BIO_read(out,buf,BIO_number_written(out));
} else {
*size=BIO_number_written(out);
}
}
BIO_free(out);
return (buf);
}
char * X509_NAME_oneline_readable(X509_NAME *a,char *buf,int size) {
return X509_NAME_oneline_ex(a,buf,size,XN_FLAG_ONELINE);
}
/* reverse */
char * X509_NAME_oneline_RFC2253(X509_NAME *a,char *buf,int size) {
return X509_NAME_oneline_ex(a,buf,size,XN_FLAG_RFC2253);
}
there are some other flags, see documentation.
Francesco Petruzzi
[EMAIL PROTECTED]
- Original Message -
From: "Kevin Coffman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 20, 2004 4:56 PM
Subject: X509_NAME_oneline
> I read in a posting somewhere that X509_NAME_oneline() is depracated.
> Can someone tell me the preferred alternative?
>
> Thanks,
> K.C.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How to convert internal ASN1_INTEGER into little endian content octets
You must save original pointer because i2c and i2d function move pointer in order to prepare it for subsequent calls. ASN1_INTEGER * serial; unsigned char * serialNumberDER,*temp; size = i2c_ASN1_INTEGER(serial, NULL); temp=serialNumberDER = new unsigned char[*size]; size = i2c_ASN1_INTEGER(serial, &temp); serialNumberDER contains required value francesco petruzzi - Original Message - From: "Andrzej Posiadala" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, February 11, 2004 1:57 PM Subject: How to convert internal ASN1_INTEGER into little endian content octets > Hi , > > i'm trying to convert ASN1_INTEGER (specifically certificate serial > number) into its DER representation. > I'm using i2c_ASN1_INTEGER - and if it's the right function - then I don't > understand why it moves a pointer passed to it as second parameter behind > reserved memory. > Here is what I'm doing: > > int size; > ASN1_INTEGER * serial; > unsigned char * serialNumberDER; > > size = i2c_ASN1_INTEGER(serial, NULL); > serialNumberDER = new unsigned char[*size]; > size = i2c_ASN1_INTEGER(serial, & serialNumberDER); > > The function has this code at the end: > > *pp+=ret; > > where pp is a pointer to serialNumberDER, so in effect it moves > serialNumberDER behind created array of unsigned char. > > Please, explain it to me. > Thanks in advance. > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
