Re: [openssl-users] segv in 1.0.2 bn_power5

2016-04-08 Thread sandeep kiran p
Can anyone help me here?

Thanks
Sandeep

On Wed, Apr 6, 2016 at 6:34 PM, sandeep kiran p wrote:

> Hi,
>
> Ours is a TLS proxy component where we act as MITM for certain traffic
> between clients and servers for analysis. We recently migrated from 1.0.1q
> to 1.0.2g after which we are seeing frequent crashes in the process all
> with the following backtrace
>
> #1  0x7f877ea2427f in sigcrash (signo=11, info=,
> ctx=0x7fff899b5f80)
> #2  
> #3  bn_sqr8x_internal () at x86_64-mont5.s:1369
> #4  0x7f877b5a7ebf in bn_power5 () at x86_64-mont5.s:797
> #5  0x0100 in ?? ()
> #6  0x7fff899b6530 in ?? ()
> #7  0x7f8786e9f140 in ?? ()
> #8  0x in ?? ()
>
> The process is single threaded where we process packets as they come
> along. When the process is lightly loaded (around 10 connections) things
> are fine. We see the crash when we are processing say more than 40
> connections.
>
> Everything was working perfectly fine in 1.0.1.
>
> Can someone help us on what could have gone wrong with 1.0.2?
>
> Thanks
> Sandeep
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] segv in 1.0.2 bn_power5

2016-04-06 Thread sandeep kiran p
Hi,

Ours is a TLS proxy component where we act as MITM for certain traffic
between clients and servers for analysis. We recently migrated from 1.0.1q
to 1.0.2g after which we are seeing frequent crashes in the process all
with the following backtrace

#1  0x7f877ea2427f in sigcrash (signo=11, info=,
ctx=0x7fff899b5f80)
#2  
#3  bn_sqr8x_internal () at x86_64-mont5.s:1369
#4  0x7f877b5a7ebf in bn_power5 () at x86_64-mont5.s:797
#5  0x0100 in ?? ()
#6  0x7fff899b6530 in ?? ()
#7  0x7f8786e9f140 in ?? ()
#8  0x in ?? ()

The process is single threaded where we process packets as they come along.
When the process is lightly loaded (around 10 connections) things are fine.
We see the crash when we are processing say more than 40 connections.

Everything was working perfectly fine in 1.0.1.

Can someone help us on what could have gone wrong with 1.0.2?

Thanks
Sandeep


Deadlock in RAND_poll's Heap32First/Heap32Next call

2012-08-22 Thread sandeep kiran p
Hi all,

We (and a couple of others) had faced this issue on Windows 7 and Windows
2008 systems. We raised the issue with MS and very recently they released a
hotfix to address the problem in Ntdll.dll. If you ever face the issue,
please install the hotfix from http://support.microsoft.com/kb/2719306

Thanks
Sandeep


Re: Deadlock in RAND_poll's Heap32First call

2012-04-05 Thread sandeep kiran p
Jakob,

The last time we had this discussion, I mentioned that when 0 is passed as the
second argument to CreateToolhelp32Snapshot, it takes a snapshot of all the
heaps for all the processes in the system. I was wrong. This routine only
takes the snapshot of all heaps of a single process whose process ID is
passed as the second argument to the call. If a 0 is passed there, it lets
you enumerate the current process's heap. Whereas for processes and
threads, you get a list of all the processes and threads running in the
system.

So even with CreateToolhelp32Snapshot (with 0 passed as second argument)
you are just looking at the current process's heaps. The only difference
wrt GetProcessHeap is that, with CreateToolhelp32Snapshot you would look at
all the heaps created within the process and not just the default heap.

Thanks
Sandeep

On Thu, Apr 5, 2012 at 8:30 PM, Jakob Bohm wrote:

> On 4/5/2012 2:22 PM, sandeep kiran p wrote:
>
>> Hi,
>>
>> I had described about the deadlock we are seeing in Heap32First and
>> Heap32Next APIs in my previous post. Here is where you can see the post.
>>
>> http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/3223701a7f64a957/56d67d77c9960429?q=Deadlock+in+RAND_poll%27s+Heap32First+call#
>>
>> Believing that this is a problem with Windows APIs, we raised an incident
>> with Microsoft. MS is still investigating the problem and has asked us to
>> instead use GetProcessHeap and HeapWalk to enumerate the heap entries of
>> the default process heap. Here is what they said
>>
>> "
>>
>> Conceptually, the biggest change between using GetProcessHeap/HeapWalk
>> compared to Heap32First/Heap32Next is that you are accessing a heap handle
>> to which you already have access inside of the process – the default
>> process heap. All components are expected to use this heap and it has
>> serialized access to ensure that multiple threads from the same process do
>> not deadlock/corrupt the heap when accessing them simultaneously.
>> Heap32First, on the other hand, accesses all heaps in the process,
>> including private heaps that other components in the process created. Those
>> private heaps might have been created with the HEAP_NO_SERIALIZE option
>> which disallows application requested locking. Components (such as SSIS in
>> your case) typically use this option when they perform the synchronization
>> of memory access on their own to gain efficiency. However, if another
>> component in the process starts using those private heaps, it circumvents
>> the synchronization that the component puts in place.
>>
>>  "
>>
>>
>> And since we lock the heap before reading its contents, the chances of
>> another thread working on the same heap at the same time are nullified. I
>> have made changes to RAND_win.c to use GetProcessHeap and HeapWalk APIs.
>> Would you be interested in accommodating the fix to mainstream code?
>>
>>
>> Please let me know your comments.
>>
>>
> I am afraid that MS misunderstood the situation completely and got you
> confused too.
>
> Most *other* uses of heap walking are about looking at your own heap to
> find out something about your own code, and then it makes sense to either
> use a heap that has internal locks (the default heap or a specific heap
> allocated without the HEAP_NO_SERIALIZE option), or to take the lock you
> yourself are using with a specific heap allocated with HEAP_NO_SERIALIZE.
>
> This is the situation which MS PSS was talking about in its answer.
>
> But the RAND code in openSSL is using the heap walking to get as many
> random allocation details as possible from all processes in the system to
> seed its RNG.
>
> So limiting the RAND code to only a single heap from its own process will
> effectively make that code useless and severely weaken the security of all
> cryptographic keys and nonces produced by openSSL.  It is simply not an
> option.
>
> You will have to go back to MS PSS and explain that you are not trying to
> look at a single heap, but at all heaps of all processes and ask why the
> "snapshot" lock in the toolhelp32 API does not protect the "non-invasive
> debugger" (this is the relevant Microsoft phrase) calling toolhelp32 from
> locking issues in the target process.  If they tell you to suspend the
> process being debugged, remind them that a "non-invasive debugger" is not
> allowed to interfere with its target

Deadlock in RAND_poll's Heap32First call

2012-04-05 Thread sandeep kiran p
Hi,

I had described about the deadlock we are seeing in Heap32First and
Heap32Next APIs in my previous post. Here is where you can see the post.

http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/3223701a7f64a957/56d67d77c9960429?q=Deadlock+in+RAND_poll%27s+Heap32First+call#

Believing that this is a problem with Windows APIs, we raised an incident
with Microsoft. MS is still investigating the problem and has asked us to
instead use GetProcessHeap and HeapWalk to enumerate the heap entries of
the default process heap. Here is what they said

"

Conceptually, the biggest change between using GetProcessHeap/HeapWalk
compared to Heap32First/Heap32Next is that you are accessing a heap handle
to which you already have access inside of the process – the default
process heap. All components are expected to use this heap and it has
serialized access to ensure that multiple threads from the same process do
not deadlock/corrupt the heap when accessing them simultaneously.
Heap32First, on the other hand, accesses all heaps in the process,
including private heaps that other components in the process created. Those
private heaps might have been created with the HEAP_NO_SERIALIZE option
which disallows application requested locking. Components (such as SSIS in
your case) typically use this option when they perform the synchronization
of memory access on their own to gain efficiency. However, if another
component in the process starts using those private heaps, it circumvents
the synchronization that the component puts in place.

 "


And since we lock the heap before reading its contents, the chances of
another thread working on the same heap at the same time are nullified. I
have made changes to RAND_win.c to use GetProcessHeap and HeapWalk APIs.
Would you be interested in accommodating the fix to mainstream code?


Please let me know your comments.


Thanks,

Sandeep


Re: Deadlock in RAND_poll's Heap32First call

2012-02-25 Thread sandeep kiran p
MSDN says

" To enumerate the heap or module states for all processes, specify
TH32CS_SNAPALL and set *th32ProcessID* to zero. "

So it presumably does the heap and module walk for all processes and not
only for the current process.

Do you think *CreateToolhelp32Snapshot's* lock on the read-only snapshot
could be a possible culprit?

I am now thinking about removing the calls to Heap32First and Heap32Next in
rand_win.c and look for alternate sources of entropy.

Thanks for your help.

Regards
Sandeep

On Sat, Feb 25, 2012 at 2:38 AM, Jakob Bohm  wrote:

> On 2/24/2012 2:14 PM, sandeep kiran p wrote:
>
>> You mentioned that OpenSSL is holding a "snapshot" lock in rand_win.c. I
>> couldn't find anything like that in that file. Can you specifically point
>> me to the code that you are referring to? I would also like to get an
>> opinion on possible workarounds that I can enforce to avoid the deadlock.
>>
> In OpenSSL 1.0.0 it is line 486 which says
>
> module_next && (handle = snap(TH32CS_SNAPALL,0))
>
> where snap is a pointer to KERNEL32.CreateToolhelp32Snapshot()
>
>
>> 1. Can I remove the heap traversal routines Heap32First and Heap32Next?
>> Will it badly affect the PRNG output later on?
>>
> It depends how good the other sources of random numbers are,
> more below.
>
>
>> 2. Can I replace Heap32First and Heap32Next calls with any other sources
>> of entropy? What if I make a call to CryptGenRandom again in place of the
>> heap traversal routines?
>>
> Calling CryptGenRandom() twice isn't going to help much.
>
> If CryptGenRandom() is as good as it is "supposed to" be,
> the other entropy sources are not really needed.  But if
> CryptGenRandom() is somehow broken or untrustworthy,
> calling it a million times wouldn't help.
>
> Anyway, I have my doubts about the value of using the local
> heap walking functions as a source of entropy, as they
> reflect only the state of your own process.  Pretending that
> the address and size of each malloc()-ed memory block in
> your process contributes 3 to 5 bytes of additional entropy
> (which is what the comments say) is wildly optimistic and
> quite unrealistic.
>
> In a long-running web browser or a similarly long running
> web server, the net total of the memory layout effects of
> thousands of semi-chaotic previous network requests and
> user actions might contribute a total of 10 to 50 bits of
> entropy.  But in a typical freshly started process, the
> layout is going to be pretty deterministic (if the OS
> uses address layout randomization, it probably does so
> based on entropy sources already incorporated into its
> standard random source, i.e. CryptGenRandom() on Windows).
>
>
>> 3. Any other possible ways out?
>>
>> Thanks,
>> Sandeep
>>
>> On Thu, Feb 23, 2012 at 10:08 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
>>
>>> From the evidence given, I would *almost* certainly characterize
>>> this as a deadlock bug in ntdll.dll, the deepest, most trusted
>>> user mode component of Windows!
>>>
>>> Specifically, nothing should allow regular user code such as
>>> OpenSSL to hold onto NT internal critical sections while not
>>> running inside NTDLL, and NTDLL should be designed not to
>>> deadlock against itself.
>>>
>>> There is one other possibility though:
>>>
>>> The OpenSSL code in rand_win.c holds on to a "snapshot" lock
>>> on some of the heap data while walking it.  It may be doing
>>> this in a way not permitted by the rules that are presumed
>>> by the deadlock avoidance design of the speed critical heap
>>> locking code.
>>>
>>>
>>> On 2/23/2012 2:11 PM, sandeep kiran p wrote:
>>>
>>>> Hi,
>>>>
>>>> OpenSSL Version: 0.9.8o
>>>> OS : Windows Server 2008 R2 SP1
>>>>
>>>> I am seeing a deadlock in a windows application between two
>>>> threads, one thread calling Heap32First from OpenSSL's
>>>> RAND_poll and the other that allocates memory over the heap.
>>>>
>>>> Here is the relevant stack trace from both the threads
>>>> involved in deadlock.
>>>>
>>>> Thread 523
>>>>
>>>> ntdll!ZwWaitForSingleObject+a
>>>> ntdll!RtlpWaitOnCriticalSection+e8
>>>> ntdll!RtlEnterCriticalSection+d1
>>>> ntdll!RtlpAllocateHeap+18a6
>>>> ntdll!RtlAllocateHeap+16c
>>>> ntdll!RtlpAllocateUserBlock+145
>>>> ntdll!RtlpLowFragHeapAllocFromContext+4e7
>>>> ntdll!RtlAllocateH

Re: Deadlock in RAND_poll's Heap32First call

2012-02-24 Thread sandeep kiran p
You mentioned that OpenSSL is holding a "snapshot" lock in rand_win.c. I
couldn't find anything like that in that file. Can you specifically point
me to the code that you are referring to? I would also like to get an
opinion on possible workarounds that I can enforce to avoid the deadlock.

1. Can I remove the heap traversal routines Heap32First and Heap32Next?
Will it badly affect the PRNG output later on?

2. Can I replace Heap32First and Heap32Next calls with any other sources of
entropy? What if I make a call to CryptGenRandom again in place of the heap
traversal routines?

3. Any other possible ways out?

Thanks,
Sandeep

On Thu, Feb 23, 2012 at 10:08 PM, Jakob Bohm  wrote:

> From the evidence given, I would *almost* certainly characterize
> this as a deadlock bug in ntdll.dll, the deepest, most trusted
> user mode component of Windows!
>
> Specifically, nothing should allow regular user code such as
> OpenSSL to hold onto NT internal critical sections while not
> running inside NTDLL, and NTDLL should be designed not to
> deadlock against itself.
>
> There is one other possibility though:
>
> The OpenSSL code in rand_win.c holds on to a "snapshot" lock
> on some of the heap data while walking it.  It may be doing
> this in a way not permitted by the rules that are presumed
> by the deadlock avoidance design of the speed critical heap
> locking code.
>
>
> On 2/23/2012 2:11 PM, sandeep kiran p wrote:
>
>> Hi,
>>
>> OpenSSL Version: 0.9.8o
>> OS : Windows Server 2008 R2 SP1
>>
>> I am seeing a deadlock in a windows application between two threads, one
>> thread calling Heap32First from OpenSSL's RAND_poll and the other that
>> allocates memory over the heap.
>>
>> Here is the relevant stack trace from both the threads involved in
>> deadlock.
>>
>> Thread 523
>> 
>> ntdll!ZwWaitForSingleObject+a
>> ntdll!RtlpWaitOnCriticalSection+e8
>> ntdll!RtlEnterCriticalSection+d1
>> ntdll!RtlpAllocateHeap+18a6
>> ntdll!RtlAllocateHeap+16c
>> ntdll!RtlpAllocateUserBlock+145
>> ntdll!RtlpLowFragHeapAllocFromContext+4e7
>> ntdll!RtlAllocateHeap+e4
>> ntdll!RtlInitializeCriticalSectionEx+d2
>> ntdll!RtlpActivateLowFragmentationHeap+181
>> ntdll!RtlpPerformHeapMaintenance+27
>> ntdll!RtlpAllocateHeap+1819
>> ntdll!RtlAllocateHeap+16c
>>
>>
>> Thread 454
>> -
>> ntdll!NtWaitForSingleObject+0xa
>> ntdll!RtlpWaitOnCriticalSection+0xe8
>> ntdll!RtlEnterCriticalSection+0xd1
>> ntdll!RtlLockHeap+0x3b
>> ntdll!RtlpQueryExtendedHeapInformation+0xf4
>> ntdll!RtlQueryHeapInformation+0x3c
>> ntdll!RtlQueryProcessHeapInformation+0x3ad
>> ntdll!RtlQueryProcessDebugInformation+0x3b0
>> kernel32!Heap32First+0x71
>>
>> WinDBG reports that thread 523 and 454 both hold locks and are waiting
>> for each other locks thereby resulting in a deadlock.
>>
>> On searching, I have found a couple instances where such an issue has
>> been reported with Heap32Next on Windows 7 but haven't found anything that
>> helps me solve the problem. Most of the references I found conclude that
>> this could be because of a possible bug in heap traversal APIs. If someone
>> has faced a similar problem, can you guide me to possible workarounds by
>> which I can avoid the deadlock? Can I remove the heap traversal routines
>> and find some other sources of entropy?
>>
>> Thanks for your help.
>>
>> Regards
>> Sandeep
>>
>>
>>
>>
>>
>>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> __________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List    openssl-users@openssl.org
> Automated List Manager       majord...@openssl.org
>


Deadlock in RAND_poll's Heap32First call

2012-02-23 Thread sandeep kiran p
Hi,

OpenSSL Version: 0.9.8o
OS : Windows Server 2008 R2 SP1

I am seeing a deadlock in a windows application between two threads, one
thread calling Heap32First from OpenSSL's RAND_poll and the other that
allocates memory over the heap.

Here is the relevant stack trace from both the threads involved in deadlock.

Thread 523

ntdll!ZwWaitForSingleObject+a
ntdll!RtlpWaitOnCriticalSection+e8
ntdll!RtlEnterCriticalSection+d1
ntdll!RtlpAllocateHeap+18a6
ntdll!RtlAllocateHeap+16c
ntdll!RtlpAllocateUserBlock+145
ntdll!RtlpLowFragHeapAllocFromContext+4e7
ntdll!RtlAllocateHeap+e4
ntdll!RtlInitializeCriticalSectionEx+d2
ntdll!RtlpActivateLowFragmentationHeap+181
ntdll!RtlpPerformHeapMaintenance+27
ntdll!RtlpAllocateHeap+1819
ntdll!RtlAllocateHeap+16c


Thread 454
-
ntdll!NtWaitForSingleObject+0xa
ntdll!RtlpWaitOnCriticalSection+0xe8
ntdll!RtlEnterCriticalSection+0xd1
ntdll!RtlLockHeap+0x3b
ntdll!RtlpQueryExtendedHeapInformation+0xf4
ntdll!RtlQueryHeapInformation+0x3c
ntdll!RtlQueryProcessHeapInformation+0x3ad
ntdll!RtlQueryProcessDebugInformation+0x3b0
kernel32!Heap32First+0x71

WinDBG reports that thread 523 and 454 both hold locks and are waiting for
each other locks thereby resulting in a deadlock.

On searching, I have found a couple instances where such an issue has been
reported with Heap32Next on Windows 7 but haven't found anything that helps
me solve the problem. Most of the references I found conclude that this
could be because of a possible bug in heap traversal APIs. If someone has
faced a similar problem, can you guide me to possible workarounds by which
I can avoid the deadlock? Can I remove the heap traversal routines and find
some other sources of entropy?

Thanks for your help.

Regards
Sandeep


Re: specifying certificate extensions on command line

2011-12-07 Thread sandeep kiran p
Anyone? Can I do this without the conf file?

Thanks
Sandeep

On Thu, Dec 1, 2011 at 7:36 PM, sandeep kiran p wrote:

> Hi,
>
> Is there any way to specify the certificate extensions (when using "req"
> and "ca" tools) directly on the command line rather than using the
> -extensions argument? I am looking for a way where I can avoid using the
> config file with the "req" and "ca" commands.
>
> Thanks,
> Sandeep
>


specifying certificate extensions on command line

2011-12-01 Thread sandeep kiran p
Hi,

Is there any way to specify the certificate extensions (when using "req"
and "ca" tools) directly on the command line rather than using the
-extensions argument? I am looking for a way where I can avoid using the
config file with the "req" and "ca" commands.

Thanks,
Sandeep


Re: certificates stored in ldap

2011-11-24 Thread sandeep kiran p
You can check IETF RFC 4523 for the schema.

On Wed, Nov 23, 2011 at 4:51 PM, prabhu kalyan rout wrote:

> Thanks for the document. This document tells me about the ldif file
> but it's not saying anything about
> the schema. I need step by step procedure.
>
> please help
>
>
> On Mon, Nov 21, 2011 at 9:51 PM, Erwin Himawan  wrote:
> > Although, this doc is outdated, I find that this doc is
> > helpful: http://vandervlies.xs4all.nl/~andre/Docs/pkildap.html
> >
> >
> > On Mon, Nov 21, 2011 at 7:53 AM, prabhu kalyan rout 
> > wrote:
> >>
> >> Hi,
> >> I am trying to store user certificates to ldap. But I don't know how to
> do
> >> it.
> >>
> >> Can anybody please tell me step by step procedure to do this or point
> >> me some link where it says how to do this.
> >>
> >> Thanks
> >
> >
>


Certification Authority's Database

2011-11-17 Thread sandeep kiran p
Hi,

A quick question. Does the SubjectName in a certificate really need to point
to an LDAP DN in an X.500 Directory that a CA uses, or do CAs manage the
SubjectName DNs without actually using any sort of Directory? I want to
know whether it is a general practice for CAs not to maintain any LDAP
Directories when issuing certificates with DNs. If a CA does not use DNs from
an LDAP directory, how does it maintain a hierarchy for the SubjectName
DNs it issues?

If it is not done through a Directory, how does a CA maintain the list of
certificates it issues to a particular Subject? Will it just be file system
based storage?

Thanks
Sandeep


Re: Is certificate a CA or Client Certificate

2011-10-01 Thread sandeep kiran p
Are you sure there is an ExtendedKeyUsage indicating a "Certificate Sign"
OID? Cert Sign AFAIK is only indicated in KeyUsage extension.

-Sandeep

On Sat, Oct 1, 2011 at 9:24 AM,  wrote:

> On 01-10-2011 01:09, Dave Thompson wrote:
>
>> From: owner-openssl-users@openssl.org On
>> Behalf Of
>>> jb-open...@wisemo.com
>>> Sent: Thursday, 29 September, 2011 18:46
>>> Because the attributes mentioned are only meaningful if covered by the
>>> digital signature on the certificate, it cannot change in any format
>>> conversion that keeps the certificate valid.
>>>
>>> The true format of certificates is binary BER encoded X.509.
>>>
>>> A .cer file is simply that structure directly.
>>>
>> Yes, or sometimes converted to PEM format. PEM is the binary
>> represented in base64 plus dashes-BEGIN-x and dashes-END-x lines.
>> It looks different in e.g. notepad but is fundamentally the same.
>>
> I was trying to keep it simple for the OP.  In fact both .cer and .p7b
> files can be Base64 encoded PEM style.  PEM encoding a .p12/.pfx
> file is less useful and might not even be allowed.
>
>
>>> A P7b/PKCS#7 file is really a digitally signed message with
>>> zero or more
>>> attached signatures to help the recipient to check the signature, each
>>>
>> OYM attached *certificates* to help check the signature(s)
>>
> Sorry, typo, I was in a hurry when I wrote the message.
>
>>> certificate is the same X.509 BER structure, just placed inside a list
>>> (SEQUENCE) inside a PKCS#7 structure (which is also BER encoded just
>>> like the certificate).  When using a P7b file to transport
>>> certificates,
>>> the message and signature fields are just left blank.
>>>
>>> A P12/PFX/PKCS#12 file is an encrypted file which stores various
>>> certificates (the same X.509 BER structure as before), various
>>> private keys and hints on where these items should be imported
>>> into CryptoAPI and/or the old Netscape browser.
>>>
>> Yes.
>>
>>> So whatever the format, after loading and unpacking, you are left
>>> with an X.509 structure which contains a few mandatory fields
>>> (such as Subject, Issuer, Public Key, Private Key, Serial Number),
>>>
>> NOT PrivateKey! Also validityPeriod (start-time and end-time).
>> BTW originally serialNumber often was truly serial (1, 2, 3, etc.)
>> but for some time now it has been more common to make it
>> a large unique (random or obscured) number.
>>
> Oops! big typo, of course not the private key.  "Such as" means there are
> other fields not mentioned.
>
>>> and a lot of optional fields.  One of those optional fields is a
>>> list of "authenticated attributes".  Each entry in that list has
>>>
>> Although included in the signed part, it is just called 'extensions'.
>> 'authenticatedAttributes' and separate 'unauthenticatedAttributes'
>> are fields in PKCS#7/CMS SignedData.
>>
> Sorry about that, It's hard to keep track of these subtle variations
> without looking them up.
>
>>> a "type OID", a "critical" flag and some data.  The entries may
>>> be found in any order, your code needs to work whatever field
>>> entry comes first, needs to ignore any entry whose "type OID"
>>> you don't understand.
>>>
>> You can ignore an extension you don't understand if it is
>> non-critical; you should give an error if it is critical
>> and you are actually relying on the cert for something.
>> If just looking at a specific extension, as here, you
>> don't need to even see other/unknown extensions.
>>
> I would have mentioned it, but for the OPs problem (deciding the
> certificate
> category), ignoring critical extensions is fine, so I removed that part
> from
> my post before hitting send.
>
>>> The optional "CA" occurs in this list as an entry with the "CA"
>>> OID and a TRUE/FALSE value.  So CA may be "not there", TRUE
>>> or FALSE.
>>>
>> Actually the extension is BasicConstraints; it contains
>> CA: boolean and pathLen: OPTIONAL INTEGER. You can have:
>> - omitted
>> - CA=false
>> - CA=true pathlen=unspecified
>> - CA=true pathlen=somenumber
>> For deciding 'CA or not' pathlen doesn't matter.
>>
> Oh, I forgot it was in the same Ext, this may affect any manual
> parsing the OP might write.
>
>>> The optional "Key Usage" also occurs in this list as an entry
>>> with the "Key Usage" OID and a value which is a list of OIDs
>>> (one for each usage).  So Key Usage may be "not there",
>>> "there" with the "certificate sign" OID listed in its value,
>>> or "there" without the "certificate sign" OID in its value.
>>>
>> You have two things conflated here.
>> KeyUsage value is 9 predefined bits, including certSign.
>> *Extended*KeyUsage value is a list of extensible OIDs.
>> A cert can have either or both or neither.
>> If you have both and they conflict, reliers should reject.
>>
> Oops, I really was a bit fast yesterday, so there are really 3 exts to
> check for "can act as a CA at all":
>
> - BasicConstraints (look for CA:TRUE bit)
> - KeyUsage (look for "certificate sign" bit being set)
> - ExtendedKeyUsage (look for 
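
An added example, not code from this thread or from OpenSSL, that applies the checks discussed above to a certificate's DER Extensions SEQUENCE using only the Python standard library: BasicConstraints must carry cA=TRUE and, following the point that certificate signing is signalled in KeyUsage, a KeyUsage extension present alongside it must assert keyCertSign or the certificate is rejected as conflicting. The extension bytes it parses are constructed inline by its own small encoder (`build_extensions`) rather than taken from any real certificate.

```python
"""Decide whether a certificate may act as a CA from its X.509v3 extensions:
BasicConstraints cA must be TRUE and, when KeyUsage is present, its keyCertSign
bit must be set. Standard library only; the DER reader is deliberately minimal."""
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
KEY_CERT_SIGN = 5  # KeyUsage bit index per RFC 5280 4.2.1.3 (digitalSignature is 0)

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Yield (tag, contents) for every element packed inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, value, pos = read_tlv(contents, pos)
        yield tag, value

def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq):
    """Map extnID -> (critical, extnValue contents) for a DER Extensions SEQUENCE."""
    result = {}
    for _, ext in children(read_tlv(ext_seq, 0)[1]):
        fields = list(children(ext))  # OID, optional BOOLEAN critical, OCTET STRING
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        result[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return result

def basic_constraints(contents):
    """Return (cA, pathLen): cA DEFAULT FALSE, pathLen None when absent."""
    ca, path_len = False, None
    for tag, value in children(read_tlv(contents, 0)[1]):
        if tag == 0x01:
            ca = value != b"\x00"
        elif tag == 0x02:
            path_len = int.from_bytes(value, "big")
    return ca, path_len

def key_usage_bit(contents, bit):
    """True if `bit` is set in a KeyUsage BIT STRING (first octet = unused-bit count)."""
    bits = read_tlv(contents, 0)[1][1:]
    byte, offset = divmod(bit, 8)
    return byte < len(bits) and bool(bits[byte] & (0x80 >> offset))

def can_act_as_ca(ext_seq):
    """True only if cA=TRUE and KeyUsage, when present, asserts keyCertSign."""
    exts = parse_extensions(ext_seq)
    if OID_BASIC_CONSTRAINTS not in exts:
        return False  # extension omitted: same as cA=FALSE
    if not basic_constraints(exts[OID_BASIC_CONSTRAINTS][1])[0]:
        return False
    if OID_KEY_USAGE in exts and not key_usage_bit(exts[OID_KEY_USAGE][1], KEY_CERT_SIGN):
        return False  # BasicConstraints says CA but KeyUsage disagrees: reject
    return True

# --- constructed sample input; this encoder exists only to build test data ---
def der(tag, contents):
    """Minimal DER TLV encoder (short and long definite lengths)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def bit_string(bits):
    """DER BIT STRING with the given bit indices set (bit 0 = MSB of first octet)."""
    width = max(bits) + 1 if bits else 0
    value = sum(1 << (width - 1 - b) for b in bits)
    nbytes, unused = (width + 7) // 8, (-width) % 8
    return der(0x03, bytes([unused]) + (value << unused).to_bytes(nbytes, "big"))

def build_extensions(ca, path_len=None, key_usage=None):
    """Constructed Extensions SEQUENCE (not taken from any real certificate)."""
    def ext(dotted, value):  # extnID, critical=TRUE, extnValue
        arcs = [int(x) for x in dotted.split(".")]
        oid = bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])  # arcs here are all < 128
        return der(0x30, der(0x06, oid) + der(0x01, b"\xff") + der(0x04, value))
    bc = der(0x01, b"\xff") if ca else b""
    bc += der(0x02, bytes([path_len])) if path_len is not None else b""
    exts = ext(OID_BASIC_CONSTRAINTS, der(0x30, bc))
    if key_usage is not None:
        exts += ext(OID_KEY_USAGE, bit_string(key_usage))
    return der(0x30, exts)
```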

Re: Extracting and verifying encrypted certificate digest

2011-07-04 Thread sandeep kiran p
It is not clear why you want to separate the signature from the certificate
and validate it independently. Moreover, you can validate the signature on
the certificate data by using the public key of the CA that signed the
certificate. If you want to make sure that the complete certificate you
received is valid, try using "openssl verify" command. It does the signature
validation as well as a bunch of other checks as documented in the man pages.

-Sandeep

On Mon, Jul 4, 2011 at 12:56 PM, DarkMike  wrote:

>
> The result of my weekend reading, is the following command,
> which could pretty nicely do the thing for me:
>
> `openssl sha1 -verify rsa_public_key.pem -signature rsa_signature.bin
> data_for_digest_computation.txt`
>
> the questions would be:
>
> - how to split x509 pem certificate with embedded encrypted digest
> (Signature Alg: sha1RsaEncrypted)
>  into:
>  - rsa_signature.bin
>  - data_for_digest_computation.txt
>  as expected by the above command written in bold
>
> in other words
>
> - how to convert hex dump of the signature, which is embedded in the pem
> certificate
>  (I hope it is this part of the pem certificate):
>
>Signature Algorithm: sha1WithRSAEncryption
>88:a9:c6:1f:a3:3e:6a:72:19:54:ee:f4:a6:d5:be:26:da:08:
>6b:34:99:b5:67:4b:1e:86:64:3f:4f:c8:0d:e7:f2:83:88:c7:
>a5:7e:07:b0:16:bf:69:55:c9:28:55:b0:6e:f5:aa:76:1e:f5:
>d8:67:02:fa:0d:ac:92:2b:62:fc:45:04:eb:f5:5f:94:d4:d1:
>b3:fa:de:21:5f:88:4b:69:6b:a3:df:6b:50:8e:27:c6:18:19:
>ec:12:98:6a:c2:d1:66:4e:cc:b8:33:5d:cf:48:7d:06:7d:7f:
>10:6a:c8:9a:fe:e2:65:35:aa:88:59:89:09:6b:49:b9:33:29:
>e2:67
>
>  into the form expected by command written in bold (rsa_signature.bin)
>
> - how to separate from pem certificate the data on which the signature was
> computed
>  into the form expected by command written in bold
> (data_for_digest_computation.txt)
>
> If anyone knows any better way to do the above with openssl command line
> tool, please let me know,
>
> regards,
> Mike
>
>
> DarkMike wrote:
> >
> > Hi all,
> >
> > I would like to do the following with openssl command line tool:
> >
> > 1. Create CA
> > 2. Create Client
> > 3. Verify Client in One Way Authentication (OWA)
> >
> > Now, I have successfully done the first 2 steps using:
> >
> > ./CA.sh -newca
> > ./CA.sh -newreq
> > ./CA.sh -sign
> >
> > I have got private and public keys for both sides CA and Client,
> > as a part of OWA procedure the third side device called Server gets
> Client
> > certificate.
> >
> > Server needs to:
> >
> > - extract sha1 hash signed with Client private RSA key (Signature Alg:
> > sha1RsaEncrypted) from the certificate
> > - decrypt sha1 hash using Client public RSA key
> > - regenerate sha1 hash on the original message to check if it is correct
> >
> > Once I have got familiar with the OWA I thought the above are some of the
> > most common things anyone will want to do with openssl, however google is
> > unable to find any examples for it so far.
> >
> > What openssl commands will do the above things for me?
> >
> > It would also help me a lot to know the routines I need to use to do the
> > same from within C program.
> > Any help would be much appreciated.
> >
> > regards,
> > Mike
> >
>
>


Re: [openssl-users] CA

2011-05-23 Thread sandeep kiran p
If this isn't resolved yet, can you post the contents of the old cert, new
cert and the user cert?

-Sandeep

On Fri, May 20, 2011 at 8:33 PM, Alex Bergmann  wrote:

> Hi Erwann!
>
> On 05/19/2011 10:20 AM, Erwann ABALEA wrote:
>
>> "old" end-user certificates can only be verified by the "old" CA
>> certificate, of course (in case the CA is "renewed", with its key
>> changed, etc).
>>
>
> I didn't "renew" the CA certificate, I've used the existing private key
> to create the new one.
>
> >> The only way I found was to give the new Root Certificate the same
> >> serial number as the previous one.
> >
> > That's forbidden by X.509 standard. And the serial number has nothing
> > to do with the SKI/AKI.
>
> I agree, using the same serial number seems to be not valid.
>
> But, according to RFC 3280 the Authority Key Identifier "MAY be based on
> either the key identifier ... or on the issuer name and serial number".
>
> My Root CA Certificate and user certificates show exactly this
> information:
>
> Root CA Certificate:
> 
> X509v3 Subject Key Identifier:
>   A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
> X509v3 Authority Key Identifier:
>   keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
>   DirName:
>   serial:1C:26:30:4D:53:64:7A:83
>
> User Certificate:
> -
> X509v3 Subject Key Identifier:
>   7C:F7:66:B5:A4:83:42:1A:FF:AA:CB:0D:07:37:8A:81:E7:48:B8:1D
> X509v3 Authority Key Identifier:
>   keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E
>   DirName:
>   serial:1C:26:30:4D:53:64:7A:83
>
> So the Root CA Certificate serial number is part of my X509v3 Authority
> Key Identifier.
>
> > Did you change the private key of the CA? If not, then:
> >   - the SKI of the new CA certificate will be the same as the old
> > certificate (it's a *Key* identifier, and is generally constructed
> > from the public key)
>
> I didn't change the private key, so the X509v3 Subject Key Identifier is
> always the same, right.
>
> >   - you don't need to have the same serial number (remember, it's
> > forbidden by X.509 standard)
>
> Right, I've checked that with RFC 2459.
>
>>   - you will be able to verify old end-user certificates with the new
>>CA certificate (since the CA key didn't change), if the rest of the
>>CA certificate permits it (validity dates, extensions).
>>
>
> This seems to be a problem if you're using openssl to verify the
> certificate. I've generated a new CA certificate with the same CA key as
> before. But only the verification with the "old" CA certificate was working.
>
> #> openssl verify -CAfile newca.pem user_cert.pem
> user_cert.pem: 
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> According to old threads on this list this message has something to do
> with the AKID/SKID.
>
> > If you were in this situation, and only were able to verify end-user
> > certificates if the new CA certificate had the same serial number as
> > the old one, then I'm sure you made a mistake in your tests.
>
> I agree, maybe I did something wrong here. What steps would I have to do to
> recertify my CA with openssl?
>
>
> Cheers,
> Alex
>
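
The thread above turns on what the Authority Key Identifier of the user certificate contains. Added here as an example that is not code from the list or from OpenSSL: a small model of the issuer-lookup rule OpenSSL applies in X509_check_akid(), where every component present in a certificate's AKI (keyid, issuer DirName, serial) must match the candidate issuer certificate in addition to the subject/issuer name match. The SKI and serial values are copied from Alex's quoted output; the CA name and the re-issued CA's serial are constructed. With an AKI of the `keyid,issuer` form the serial must match too, which is why only a re-issued CA certificate carrying the old serial verified the user certificate; issuing end-entity certificates with a keyid-only AKI avoids that coupling.

```python
"""Issuer lookup with Authority Key Identifier constraints (added example,
modelled on OpenSSL's X509_check_akid() rule; not code from the thread).
Certificates are plain records carrying the fields `openssl x509 -text` prints."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertInfo:
    label: str
    subject: str
    issuer: str
    serial: str                         # colon-separated hex, as openssl prints it
    ski: Optional[str]                  # X509v3 Subject Key Identifier
    aki_keyid: Optional[str] = None     # X509v3 Authority Key Identifier: keyid
    aki_dirname: Optional[str] = None   # X509v3 Authority Key Identifier: DirName
    aki_serial: Optional[str] = None    # X509v3 Authority Key Identifier: serial


def _norm(hexstr: Optional[str]) -> Optional[str]:
    """Compare key identifiers and serials case- and separator-insensitively."""
    return None if hexstr is None else hexstr.replace(":", "").upper()


def akid_matches(child: CertInfo, cand: CertInfo) -> bool:
    """Every AKI component the child carries must agree with the candidate.
    DirName names the issuer *of the CA certificate*, so it is compared with
    the candidate's issuer field, not its subject."""
    if child.aki_keyid is not None and _norm(child.aki_keyid) != _norm(cand.ski):
        return False
    if child.aki_dirname is not None and child.aki_dirname != cand.issuer:
        return False
    if child.aki_serial is not None and _norm(child.aki_serial) != _norm(cand.serial):
        return False
    return True


def find_issuers(child: CertInfo, pool: List[CertInfo]) -> List[CertInfo]:
    """Candidates named as the child's issuer that also satisfy its AKI.
    An empty result is what surfaces as 'error 20 ... unable to get local
    issuer certificate'."""
    return [c for c in pool if c.subject == child.issuer and akid_matches(child, c)]


# --- sample data: SKI/serial values from the thread, names and new serial constructed
ROOT_DN = "CN=Example Root CA"                                            # constructed
ROOT_SKI = "A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E"  # from thread
OLD_SERIAL = "1C:26:30:4D:53:64:7A:83"                                    # from thread
NEW_SERIAL = "1C:26:30:4D:53:64:7A:84"                                    # constructed
USER_SKI = "7C:F7:66:B5:A4:83:42:1A:FF:AA:CB:0D:07:37:8A:81:E7:48:B8:1D"  # from thread

# Same key, same subject, same SKI; only the serial differs after re-issuing the CA cert.
OLD_CA = CertInfo("old CA", ROOT_DN, ROOT_DN, OLD_SERIAL, ROOT_SKI, ROOT_SKI, ROOT_DN, OLD_SERIAL)
NEW_CA = CertInfo("new CA", ROOT_DN, ROOT_DN, NEW_SERIAL, ROOT_SKI, ROOT_SKI, ROOT_DN, NEW_SERIAL)

# End-entity cert as in the thread: AKI carries keyid *and* DirName+serial
# (what `authorityKeyIdentifier=keyid,issuer` in openssl.cnf produces).
USER_FULL_AKI = CertInfo("user (keyid+issuer AKI)", "CN=user", ROOT_DN, "02",
                         USER_SKI, ROOT_SKI, ROOT_DN, OLD_SERIAL)
# The same end-entity cert issued with a keyid-only AKI (`authorityKeyIdentifier=keyid`).
USER_KEYID_AKI = CertInfo("user (keyid-only AKI)", "CN=user", ROOT_DN, "02",
                          USER_SKI, ROOT_SKI)


def demo() -> dict:
    """Which CA certificates can act as issuer in each configuration."""
    return {
        "keyid+issuer AKI, old CA": [c.label for c in find_issuers(USER_FULL_AKI, [OLD_CA])],
        "keyid+issuer AKI, new CA": [c.label for c in find_issuers(USER_FULL_AKI, [NEW_CA])],
        "keyid-only AKI, new CA": [c.label for c in find_issuers(USER_KEYID_AKI, [NEW_CA])],
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case}: {found or 'error 20 (no local issuer)'}")
```

Run as a script it prints the three cases; the second one is the empty lookup that `openssl verify -CAfile newca.pem user_cert.pem` reports as error 20.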


Re: How do calculate the

2011-05-18 Thread sandeep kiran p
Agreed they can't see the original parameters, but can't they replay the
same encrypted data and make the server believe that the request came from a
genuine client? If the server, through some mechanism, is able to validate
that the client possesses the original Key and IV before sending the XML
data, then your purpose is solved.

-Sandeep

On Wed, May 18, 2011 at 3:57 PM, G S  wrote:

>> I'm probably being obtuse here, but I don't see how encrypting your
>> request with a public key would help you with your original problem.
>>
>> What stops a rogue app from doing the same encryption?
>>
>
> They can't see what the parameters are.  So what are they going to encrypt?
>


Re: unable to get local issuer certificate

2011-01-16 Thread sandeep kiran p
I am not aware of what dpkg-reconfigure does, but try adding
"-CAfile /usr/share/ca-certificates/home.jltaylor.net.crt" to s_client and
check again.

-Sandeep

On Fri, Jan 14, 2011 at 10:47 AM, Jonathan Taylor wrote:

> I am trying to set up a TurnKey (Debian based) MediaWiki installation to
> contact an LDAP server (W2K3) over SSL but I am having issues with the
> SSL part. I have set up the LDAP server as a certificate authority and
> have created my RSA private key as follows:
>
>openssl req -new -newkey rsa:2048 -nodes -keyout
> wiki.home.jltaylor.net.key -out wiki.home.jltaylor.net.csr
>
> This generated my private key along with a certificate signing request
> that is used to get my certificate. I took this CSR and fed it into my
> CA website and it spit out a certificate. I then copied this along
> with the CA certificate over to my wiki box. I then ran the following:
>
>cat wiki.home.jltaylor.net.key wiki.home.jltaylor.net.cer >
> wiki.home.jltaylor.net.pem
>
> The .cer file was provided by the CA website. I took my CA
> certificate(home.jltaylor.net.crt) and copied it to the
> /usr/share/ca-certificates folder then I ran:
>
>dpkg-reconfigure ca-certificates
>
> I selected my new certificate for installation, it said it installed 1
> new certificate. I have tested that OpenSSL validates that my
> certificate is valid:
>
>root@mediawiki ~# openssl verify wiki.home.jltaylor.net.pem
>wiki.home.jltaylor.net.pem: OK
>root@mediawiki ~#
>
> But if I use OpenSSL to validate that it can communicate with my LDAP
> server I get this:
>
>root@mediawiki ~# openssl s_client -connect
> domain.home.jltaylor.net:636 -cert wiki.home.jltaylor.net.pem
>CONNECTED(0003)
>depth=0 /CN=domain.home.jltaylor.net
>verify error:num=20:unable to get local issuer certificate
>verify return:1
>depth=0 /CN=domain.home.jltaylor.net
>verify error:num=27:certificate not trusted
>verify return:1
>depth=0 /CN=domain.home.jltaylor.net
>verify error:num=21:unable to verify the first certificate
>verify return:1
>---
>Certificate chain
>0 s:/CN=domain.home.jltaylor.net
>   i:/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
>---
>Server certificate
>-BEGIN CERTIFICATE-
>...
>-END CERTIFICATE-
>subject=/CN=domain.home.jltaylor.net
>issuer=/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
>---
>Acceptable client certificate CA names
>/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
>...
>---
>SSL handshake has read 4889 bytes and written 2184 bytes
>---
>New, TLSv1/SSLv3, Cipher is RC4-MD5
>Server public key is 1024 bit
>Secure Renegotiation IS supported
>Compression: NONE
>Expansion: NONE
>SSL-Session:
>Protocol  : TLSv1
>Cipher: RC4-MD5
>Session-ID:
> 44076F9E3A8BEE6AADE9B06913A697B85678514E0AD6A0202303B317D8C9
>Session-ID-ctx:
>Master-Key:
>
> DA87A121993F11D68E8A5BE4C5D6BA725A7EEE0A40AA768B05A85B27B479DBA542FFCB0A10E6D4B38E5143645C52B9C1
>Key-Arg   : None
>Start Time: 1294966198
>Timeout   : 300 (sec)
>Verify return code: 21 (unable to verify the first certificate)
>---
>root@mediawiki ~#
>
> It sounds like it is having issues getting a local copy of the CA
> certificate but I believe I have my client setup to make the CA
> certificate available.  Any help is appreciated.
>


Re: Error 20 at 0 depth lookup:unable to get local issuer certificate

2010-12-14 Thread sandeep kiran p
The -untrusted argument to verify command takes a single file containing
multiple certificates concatenated together. Try adding cert1.pem and
cert2.pem into a single file and check again.

Thanks,
Sandeep

On Tue, Dec 14, 2010 at 12:00 PM, Vinay Kumar L <
vinaykuma...@globaledgesoft.com> wrote:

>  Hi all,
>
> I have generated a certificate chain using OpenSSL (0.9.8e). The
> certificate hierarchy is as follows:
>
> ca.pem -> cert1.pem -> cert2.pem -> last.pem
>
> OpenSSL doesn't give any error when verifying this certificate
> chain (certificate chain verification is successful) during TLS connection
> establishment (connection establishment is successful), but when verified
> using the OpenSSL command openssl verify it gives the following error:
>
> # openssl verify -CAfile ca.pem -untrusted cert1.pem cert2.pem last.pem
> cert2.pem: OK
> last.pem: /C=IN/O=Xyz/OU=CableLabs Key Distribution Center/CN=kdc.xyz.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> The Subject and Issuer names in certificates are correct. Please let me
> know the cause of error and changes required in the certificate hierarchy.
>
> Regards,
> Vinay
>
>


Re: error: unable to get local issuer certificate

2010-10-20 Thread sandeep kiran p
mydomain.com.crt is an End-Entity certificate and not a CA cert. You need a
CA certificate to sign and issue EE certs. CA certs at minimum should have
BasicConstraints extension with CA:true and KeyUsage extension with certsign
bit set.

So you either need to get a CA cert from GoDaddy or setup a test CA on your
own using OpenSSL. GoDaddy, I am sure would not provide you with a CA
certificate as that would then empower you to be a legitimate Certification
Authority and allow you to issue valid certificates to other users without
GoDaddy knowing about it.

-Sandeep

On Wed, Oct 20, 2010 at 8:50 AM, Ariel  wrote:

> On Wed, Oct 20, 2010 at 11:10 AM, sandeep kiran p wrote:
>
>> Is mydomain.com.crt a CA cert? Does it have Basic Constraints with
>> CA=true? Does it also have the certsign bit set in the KeyUsage extension?
>>
>> -Sandeep
>>
> Hi Sandeep,
>
> The cert I got from GoDaddy doesn't have "CA=true" and the extensions
> don't contain 'certsign'.
> Here's the output of my cert (I removed some parts of the keys)
>
> $ openssl x509 -noout -text -in mydomain.com.crt
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> b1:a7:bb:13:d6:89:31
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=
> http://certificates.godaddy.com/repository, CN=Go Daddy Secure
> Certification Authority/serialNumber=07912213
> Validity
> Not Before: Oct 16 15:57:29 2010 GMT
> Not After : Oct 16 15:57:29 2012 GMT
> Subject: C=US, ST=State, L=City, O=MyDomain, Inc, OU=MyDomain,
> CN=*.mydomain.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> 00:e8:0c:85:83:d1:da:d4:12:fb:32:99:ee:c4:d0:
> 7f:53:5d:bd:b9:92:a4:66:09:59:8b:72:21:0b:37:
> ...
> 1d:f6:94:eb:ef:42:10:64:a7:3f:5e:5e:1d:ca:9f:
> 44:77:6c:47:f5:b6:37:13:96:62:75:cd:d2:71:56:
> cf:29
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
> Authentication
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
> X509v3 CRL Distribution Points:
> URI:http://crl.godaddy.com/gds2-0.crl
>
> X509v3 Certificate Policies:
> Policy: 2.16.840.1.114413.1.7.23.2
>   CPS: https://certs.godaddy.com/repository/
>
> Authority Information Access:
> OCSP - URI:http://ocsp.godaddy.com/
> CA Issuers - URI:
> http://certificates.godaddy.com/repository/gd_intermediate.crt
>
> X509v3 Authority Key Identifier:
>
>  keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
>
> X509v3 Subject Alternative Name:
> DNS:*.mydomain.com, DNS:mydomain.com
> X509v3 Subject Key Identifier:
> 19:A7:0D:CA:B7:50:DF:ED:FC:C6:05:8C:03:5F:CB:64:55:8A:07:01
> Signature Algorithm: sha1WithRSAEncryption
> 9a:df:f2:03:98:cc:21:31:a4:2d:d7:8a:73:65:ff:77:fc:55:
> f8:9c:e6:56:16:92:4b:e4:c6:08:71:e8:e5:8b:b1:a6:32:3e:
> 80:a1:82:e8:b4:8e:ca:49:8e:d4:1d:aa:5d:18:40:00:20:46:
> ...
> dc:70:be:5e:03:ab:4f:f0:38:21:3d:f9:34:ce:27:ba:b2:31:
> 39:e0:81:f9:06:8e:0c:20:24:80:b6:2c:6b:c9:bb:10:64:c4:
> 10:32:47:1e:92:ca:51:63:ab:67:3c:d5:e1:ed:23:06:61:02:
> 5b:d2:02:4e
>
>
>
>
> Seems that my cert is not valid for what I want to do. So what kind of
> certificate should I ask to GoDaddy?
>
> Thanks again,
>
> - Ariel
>
>
>
>> On Wed, Oct 20, 2010 at 5:27 PM, Ariel wrote:
>>
>>> Hi group
>>>
>>> I'm having problems trying to use a certificate I got from GoDaddy (it's
>>> a wildcard cert) to sign client certificates requests and then validate
>>> them.
>>> This is my actual environment:
>>>
>>>- mydomain.com.key  --> The private key used to request the
>>>GoDaddy's cert
>>>- mydomain.com.crt  --> The certificate I got from GoDaddy
>>>- gd_bundle.crt --> Bundle file sent by GoDaddy
>>>
>>>

Re: error: unable to get local issuer certificate

2010-10-20 Thread sandeep kiran p
Is mydomain.com.crt a CA cert? Does it have Basic Constraints with CA=true?
Does it also have the certsign bit set in the KeyUsage extension?

-Sandeep

On Wed, Oct 20, 2010 at 5:27 PM, Ariel  wrote:

> Hi group
>
> I'm having problems trying to use a certificate I got from GoDaddy (it's a
> wildcard cert) to sign client certificates requests and then validate them.
> This is my actual environment:
>
>- mydomain.com.key  --> The private key used to request the GoDaddy's
>cert
>- mydomain.com.crt  --> The certificate I got from GoDaddy
>- gd_bundle.crt --> Bundle file sent by GoDaddy
>
>
> I concatenated my cert with the bundle one and also with some others I
> found at GoDaddy's repository [1] in my attempt to have a valid chained
> root with:
>
>   $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
>   $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
>   $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
>   $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
>   $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt
>
>
> Here I'm going to reproduce the steps I followed using the openssl command
> line tools:
>
>1. Create a client certificate signing request (CSR file), with a
>private key, and using as 'Subject' for the cert the same attribute values
>that our certificate's Issuer has.
>2. Sign the request using my domain's private key and a CA file
>(different in each test)
>3. Export the client certificate to PKCS#12 format that browsers can
>import
>4. Verify the client certificate against different CA certificates
>(trying to see if it passes with any of them)
>
> So here's the command line steps I used:
>
>   # creating the client cert request using as subject the same values our
> GoDaddy's cert has
>   $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.
> mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout
> test1.key -out test1.csr
>   Generating a 1024 bit RSA private key
>   ...++
>   .++
>   writing new private key to 'test1.key'
>   -
>
>   # signing the csr using the same key used to get GoDaddy's cert
>   $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey
> mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
>   Signature ok
>   subject=/CN=*.mydomain.com/O=MyDomain,
> Inc./OU=MyDomain/C=US/ST=State/L=City
>   Getting CA Private Key
>
>   # exporting the certificate into PKCS#12 (browser format)
>   $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt
> -name "Client Certificate - Test 1"
>
>   # Trying to VERIFY the client certificate against different CA files
>   $ openssl verify -CAfile mydomain.com.crt test1.crt
>   $ openssl verify -CAfile combined_1.crt test1.crt
>   $ openssl verify -CAfile combined_2.crt test1.crt
>   $ openssl verify -CAfile combined_3.crt test1.crt
>   $ openssl verify -CAfile combined_4.crt test1.crt
>   $ openssl verify -CAfile combined_5.crt test1.crt
>
> In all the verification process I got the following output:
>
>   test1.crt: /CN=*.mydomain.com/O=MyDomain,
> Inc./OU=MyDomain/C=US/ST=State/L=City
>   error 20 at 0 depth lookup:unable to get local issuer certificate
>
>
>
> I ran the above steps using different CA files (the combined ones I
> created) to sign the requests and I always get the same result :(
>
> What am I missing here? How can I create and issue client certificates that
> can be recognized?
>
> I'd appreciate some light here :)
>
> Thanks,
>
> [1] https://certs.godaddy.com/anonymous/repository.seam
>
> --
> Ariel Diaz Bermejo
> http://www.linkedin.com/in/adiazbermejo
>
>
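
Both "unable to get local issuer certificate" threads above (Vinay's `-untrusted cert1.pem cert2.pem last.pem`, and Ariel's attempt to sign with a GoDaddy end-entity certificate) come down to how `openssl verify` builds a chain. Added here as an example that is not code from the list or from OpenSSL: a reduced model of that chain building. Simplifications, stated as such: certificates are plain records with the fields `openssl x509 -text` shows, issuer lookup is by subject name only, a candidate issuer is accepted only with Basic Constraints CA:TRUE and the keyCertSign key-usage bit (the two properties Sandeep names), and signatures are not checked. Subject names are constructed except last.pem's, which is taken from Vinay's quoted output.

```python
"""Chain building as `openssl verify -CAfile <trusted> -untrusted <file> <leaf>`
does it, reduced to name chaining plus the CA checks (added example, not
OpenSSL's code). Signatures are not checked; names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str                                # file name as used on the command line
    subject: str
    issuer: str
    ca: bool = False                         # X509v3 Basic Constraints: CA:TRUE
    key_usage: FrozenSet[str] = frozenset()  # X509v3 Key Usage bits

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    def can_issue(self) -> bool:
        return self.ca and "keyCertSign" in self.key_usage


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in `pool` named as cert's issuer that may sign certs.
    A CA:FALSE certificate with a matching name is skipped, which is why an
    end-entity certificate given as -CAfile still yields error 20."""
    for cand in pool:
        if cand.subject == cert.issuer and cand.can_issue():
            return cand
    return None


def verify(leaf: Cert, trusted: List[Cert], untrusted: List[Cert],
           max_depth: int = 10) -> Tuple[List[str], Optional[str]]:
    """Walk from the leaf towards a self-signed trust anchor. Intermediates come
    from the untrusted pool (one file, all certs concatenated) or the trusted
    store. Returns (chain file names, error); error None means 'OK'."""
    chain, current = [leaf], leaf
    for depth in range(max_depth + 1):
        if current.self_signed:
            if current in trusted:
                return [c.name for c in chain], None
            code = 18 if depth == 0 else 19
            return [c.name for c in chain], f"error {code} at {depth} depth: self signed certificate"
        issuer = find_issuer(current, untrusted) or find_issuer(current, trusted)
        if issuer is None:
            return [c.name for c in chain], f"error 20 at {depth} depth lookup:unable to get local issuer certificate"
        chain.append(issuer)
        current = issuer
    return [c.name for c in chain], "error 22: certificate chain too long"


# --- constructed sample certificates ----------------------------------------
KU_CA = frozenset({"keyCertSign", "cRLSign"})
KU_EE = frozenset({"digitalSignature", "keyEncipherment"})

# Vinay's hierarchy: ca.pem -> cert1.pem -> cert2.pem -> last.pem
CA = Cert("ca.pem", "CN=Root CA", "CN=Root CA", ca=True, key_usage=KU_CA)
CERT1 = Cert("cert1.pem", "CN=Sub CA 1", "CN=Root CA", ca=True, key_usage=KU_CA)
CERT2 = Cert("cert2.pem", "CN=Sub CA 2", "CN=Sub CA 1", ca=True, key_usage=KU_CA)
LAST = Cert("last.pem", "/C=IN/O=Xyz/OU=CableLabs Key Distribution Center/CN=kdc.xyz.com",
            "CN=Sub CA 2", key_usage=KU_EE)

# Ariel's setup: a GoDaddy-issued end-entity cert (CA:FALSE) used to sign test1.csr
MYDOMAIN = Cert("mydomain.com.crt", "CN=*.mydomain.com",
                "CN=Go Daddy Secure Certification Authority", ca=False, key_usage=KU_EE)
TEST1 = Cert("test1.crt", "CN=client", "CN=*.mydomain.com", key_usage=KU_EE)
# What Sandeep suggests instead: a private test CA that is allowed to issue certs
PRIVATE_CA = Cert("myca.pem", "CN=My Test CA", "CN=My Test CA", ca=True, key_usage=KU_CA)
TEST1_PRIVATE = Cert("test1.crt", "CN=client", "CN=My Test CA", key_usage=KU_EE)


def demo() -> dict:
    return {
        # `-untrusted cert1.pem cert2.pem last.pem`: only cert1.pem is the pool,
        # cert2.pem and last.pem are each verified as leaves
        "cert2 (untrusted=cert1)": verify(CERT2, [CA], [CERT1]),
        "last  (untrusted=cert1)": verify(LAST, [CA], [CERT1]),
        "last  (untrusted=cert1+cert2)": verify(LAST, [CA], [CERT1, CERT2]),
        "test1 (CAfile=mydomain.com.crt)": verify(TEST1, [MYDOMAIN], []),
        "test1 (CAfile=myca.pem)": verify(TEST1_PRIVATE, [PRIVATE_CA], []),
    }


if __name__ == "__main__":
    for case, (chain, err) in demo().items():
        print(f"{case}: {' -> '.join(chain)}: {err or 'OK'}")
```

The second and fourth cases reproduce the two quoted outputs: last.pem fails at depth 0 because cert2.pem was never in the untrusted pool, and test1.crt fails at depth 0 because mydomain.com.crt, although it has the right name, is not a CA certificate.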


Re: seeding PRNG

2010-09-20 Thread sandeep kiran p
You don't need to call RAND_write_file. RAND_load_file("/dev/random",bytes )
will seed the PRNG with whatever is the value of "bytes" variable.

-Sandeep

On Sun, Sep 19, 2010 at 3:59 AM, krishnamurthy santhanam <
krishnamurth...@gmail.com> wrote:

> Hi,
>
>
> I need to seed the PRNG with 128 bytes. The program below is seeding 1024
> bytes.
>
>
> Is it possible to seed 128 bytes of data using RAND_seed()? Any example would
> be helpful for me.
>
> #include <stdio.h>
> #include <openssl/rand.h>
>
> int main(void)
> {
> /*int nb,l;
>
> l=RAND_load_file("/dev/random",bytes );
>
> printf("Seeded the PRNG with %d byte(s) of data from prngseed.dat.\n",l);
>
> RAND_write_file("prngseed.dat");
>
> nb=RAND_load_file("prngseed.dat", -1);
>
> printf("Seeded the PRNG with %d byte(s) of data from prngseed.dat.\n",nb);
>
> */
> return 0;
> }
>
> Thanks for your time,
> Krishnamurthy
>


Re: OpenSSL verification SHA1 with RSA problem

2010-09-11 Thread sandeep kiran p
If you haven't figured it out yet, you need to provide the -a/-base64 option
to 'openssl enc' to encode/decode the base64 data. Check 'man enc'.

-Sandeep

On Sun, Sep 5, 2010 at 1:13 PM, tera tellence wrote:

> Hi,
>
> Thank you for the reply.
>
> I now send the signature and original message as base64 format from System
> A(Java Machine) and now at System B I decode it using:
>
> openssl enc -d -in sig.b64 -out sig.bin
>
> But unfortunately, the output file is empty!
>
> I wonder why!
>
> Also, I do the same on my original file that I pass to System B (in
> base64).
>
> I decode it as:
>
> openssl enc -d -in orig.b64 -out orig.bin
>
> But the orig.bin now contains the text that I sent(string) and not the
> binary.
>
> What am I missing?
>
>
> On Fri, Sep 3, 2010 at 10:13 AM, tera tellence wrote:
>
>> Dear all,
>>
>>
>> I have to sign a message with a private key using the sha1 with RSA using
>> the Java JCE(Bouncy Castle engine) on System A.
>>
>> I then have to pass the public key, the original message and the signature
>> to  System B which uses OpenSSL to verify the signature.
>>
>> At the openSSL end, I use:
>>
>> openssl dgst -sha1 -verify pubkey.pem -signature s.sign data.sha1
>>
>>
>> Where: pubkey.pem is the public key I pass as a PEM format.
>>
>> s.sign= signature in hex format (here I am not sure what format to use)
>>
>> data.sha1= I send the original message to System B as a hex string. At
>> System B I compute the sha1 digest of this hex string and store it at
>> data.sha1 to verify.
>>
>>
>> However the verification always fails.
>>
>>
>> With this regard, what are the expected formats of the files?
>>
>> Is there a way to use a hex file for data and signature? or even a base64
>> encoded signature and data for verification?
>>
>> What am I doing wrong here?
>>
>>
>> Please help!!
>>
>>
>> Regards,
>>
>> Tera Tellence
>>
>
>


Re: certificate request formats compatible to sign

2010-09-10 Thread sandeep kiran p
You can use whatever file extensions you want but the contents of the
file should be a PKCS#10 structure. File extensions should not matter.

-Sandeep

On Fri, Sep 10, 2010 at 10:58 AM, prasanth  wrote:

> Hi,
>
> what are the file extension formats like PEM, CSR, P10 .. that can be
> signed by using
>
> openssl ca
>
> Thanks
> Alex
>
>


Re: SSL/TLS with server names picked from DNS

2010-08-25 Thread sandeep kiran p
You are right. A trusted list of server names at the client (hard coded in a
config file) would be sufficient. The only downside of it would be for the
domain admin to touch up this file each time he/she modifies the LDAP SRV
list in DNS. Also note that we have absolutely no control on what goes into
server certificates. Each site may issue certificates differently and all
sites may not oblige to incorporate a new property into the server
certificates.

Thanks,
Sandeep

On Tue, Aug 24, 2010 at 1:26 PM, Steffen DETTMER <
steffen.dett...@ingenico.com> wrote:

> Hi!
>
> * sandeep kiran p wrote on Wed, Aug 11, 2010 at 20:36 -0700:
> > Ours is an LDAP client application that fetches LDAP server names on
> > the fly using DNS SRV Resource Records. We then randomly pick one the
> > servers returned from DNS, establish an SSL/TLS connection with that
> > server and then perform a bind operation using user credentials (DN
> > and password). User credentials are protected since everything goes
> > encrypted between the client and server.
> >
> > Recently we discovered that such a mechanism could be vulnerable to a
> > DNS spoofing attack where an attacker could modify (or drop) the
> > server list returned by the DNS and inject his/her own malicious
> > directory server name. Client would then blindly establish an SSL/TLS
> > connection with that server and would end up handing over the user
> > credentials to it. Note that, as part of the SSL handshake, the
> > malicious server would provide a certificate signed by the same CA that
> > signed a genuine server certificate.
>
> I think this is a common pitfall: the server connected to is
> authenticated (i.e. it really is ldap.malicious.com) but it is not
> checked if the peer is /authorized/ to get the credentials.
>
> It is like asking someone to show his passport, verifying if the
> passport is authentic, but neither checking the name written on the
> passport nor checking if it is on the guest list at all...
>
> If not everyone is authorized, I think you need some definition
> of permissions, like an association of DN and permissions or a
> white list. Don't know if major public CAs offer this, but maybe
> you also could define a dedicated property in the certificate
> (but all CAs you trust must guarantee to use this properties ONLY
> for this case - I guess it will become at least very expensive).
> But maybe some hostname white list is sufficient. This list must
> be authentic (hardcoded, local config file or dynamic file which
> is cryptographically signed), so non-DNSSEC'd TXT records won't
> help of course.
>
>
>
> But if you do not want to communicate with everyone, why rely on
> PKI, maybe you just want to have a local list of the certificates
> of authorized peers? PKI is good to authenticate everyone,
> without knowing in advance, but seems you do not want this, but
> just want to communicate with someone known/trusted/authorized in
> advance. Sometimes PKI seems to me like a hammer making every
> problem look like a nail, but in turn it has the advantage that
> a well researched crypto system is used.
>
> Also it should be noted that in case of MITM the link from LDAP
> client to ldap.malicious.com IS secured! Only the attacker can
> read the traffic, ensured cryptographically!
>
> oki,
>
> Steffen
>
>


Re: SSL/TLS with server names picked from DNS

2010-08-12 Thread sandeep kiran p
We will have to check if all our sites are ready to accommodate the list of
servers file which will be fetched securely. They should also be ready to
update that list each time a server is added or removed from DNS SRV
records.

I am not sure if I got your second option. You said that I should be running
a validation service on each server. Fine I can do that. But how can the
common name be validated? The attacker modifies the DNS SRV response and
inserts a name which is similar to the common name attribute in the
certificate that the malicious server forwards to the client. This name is
also similar to the hostname where the malicious server is running. In such
a case, even if I run some validation service, won't the names match?

Thanks,
Sandeep

On Thu, Aug 12, 2010 at 4:25 PM, David Schwartz wrote:

> Sandeep Kiran P wrote:
>
> > We don't have any control on how the server generates its certificates.
> > As said earlier, we only control the client portion of SSL/TLS.
> > Sites where our client application runs, is handed over the location
> > where trusted CA certs are stored and that's all we have.
>
> > Secondly, as you pointed out, if we were to maintain a list of
> > legitimate server certs, we could have as well maintained a list of
> > server names at the client. The advantage with using DNS SRV RR is,
> > a domain admin can add or remove servers without having to make any
> > changes to the affected client applications.
>
> There are a few fairly obvious solutions to this problem. Just pick
> whichever one of them is the least awful for your application.
>
> You could, for example, reserve a particular domain name known to the
> client just for securely retrieving the list of authorized common names for
> servers. The client can securely retrieve something like:
> 'https://serverlist.mydomain.com/server.list.txt'. Then it can still use
> SRV records to find servers but ignore the servers if the list doesn't
> appear in the server.list file.
>
> This adds only a slight administrative burden in running a secure web
> server that serves the server list file and in adding a new server's name
> to that file.
>
> You could also run a validation service on each server. The client, when
> told to use a particular server, would simply confirm the validation
> service is present on that server. Just make sure the validation service
> can't be MITMed. (Easily done by ensuring the validation process validates
> the server's common name.)
>
> DS
>
>


Re: SSL/TLS with server names picked from DNS

2010-08-12 Thread sandeep kiran p
We don't have any control on how the server generates its certificates. As
said earlier, we only control the client portion of SSL/TLS. Sites where our
client application runs, is handed over the location where trusted CA certs
are stored and that's all we have.

Secondly, as you pointed out, if we were to maintain a list of legitimate
server certs, we could have as well maintained a list of server names at the
client. The advantage with using DNS SRV RR is, a domain admin can add or
remove servers without having to make any changes to the affected client
applications.

Thanks.
Sandeep



On Thu, Aug 12, 2010 at 6:04 PM, Scott Gifford wrote:

> On Wed, Aug 11, 2010 at 11:36 PM, sandeep kiran p wrote:
>  [ ... ]
>
>> Client would then blindly establish an SSL/TLS connection with that server
>> and would end up handing over the user credentials to it. Note that, as part
>> of the SSL handshake, the malicious server would provide a certificate signed
>> by the same CA that signed a genuine server certificate. Meaning to say,
>> verification of the malicious server certificate would pass at the client.
>> If you still want to know how, I can explain further. Also note that the
>> malicious server is hosted on a machine with host name similar to the value
>> of SubjectName's "cn" attribute of the certificate it offers.
>>
>
> One possible solution would be to use OpenSSL's CA scripts to establish
> your own CA (the scripts make it fairly simple), and only accept
> certificates signed by your own CA.  You would need to install that CA
> public certificate as a trusted certificate in all the clients.  If this
> works for you, a nice bonus is that it saves money and time getting the
> certificates.
>
> Another would be to maintain a database of legitimate certificates or their
> fingerprints and only accept certificates with a matching fingerprint.  Of
> course, if you're going to maintain this database, you could just as well
> maintain the list of hosts locally and use that instead of DNS, which could
> be another solution.
>
> Hope this helps.
>
> --Scott.
>
>


SSL/TLS with server names picked from DNS

2010-08-11 Thread sandeep kiran p
Hi,

Ours is an LDAP client application that fetches LDAP server names on the fly
using DNS SRV Resource Records. We then randomly pick one of the servers
returned from DNS, establish an SSL/TLS connection with that server and then
perform a bind operation using user credentials (DN and password). User
credentials are protected since everything goes encrypted between the client
and server.

Recently we discovered that such a mechanism could be vulnerable to a DNS
spoofing attack where an attacker could modify (or drop) the server list
returned by the DNS and inject his/her own malicious directory server name.
Client would then blindly establish an SSL/TLS connection with that server
and would end up handing over the user credentials to it. Note that, as part
of the SSL handshake, the malicious server would provide a certificate signed
by the same CA that signed a genuine server certificate. Meaning to say,
verification of the malicious server certificate would pass at the client.
If you still want to know how, I can explain further. Also note that the
malicious server is hosted on a machine with host name similar to the value
of SubjectName's "cn" attribute of the certificate it offers.

In such a case, how can I stop this attack? Is it against SSL/TLS philosophy
to fetch server names on the fly as we do above using DNS, as it defeats the
very essence of matching hostnames with the "cn" attribute? Or is there a way
at the SSL/TLS level for the client to identify that it's talking to a bad
server? Or, as a last option, should I put some check in the client
application itself that would identify the bad server?

PS: DNSSEC is not an option for me.

Thanks,
Sandeep
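
The replies in this thread (Steffen's authenticated-but-not-authorized point, David's server list, Sandeep's hard-coded list of trusted server names) all converge on the same client-side check, added here as an example that is not code from the list: the peer's certificate chain proves who the server is, but the client must separately decide whether that server is allowed to receive the bind credentials, using an allowlist that does not come from DNS. The SRV answers and peer certificates below are constructed in-memory values standing in for a real SRV lookup and for what Python's `ssl.SSLSocket.getpeercert()` returns; no network is used, and the host names are made up except ldap.malicious.com from the thread.

```python
"""Authorization check for servers discovered through DNS SRV records
(added example, not code from the thread; names and certificates constructed).
Chain validation is assumed to have already succeeded; this is the extra step."""
import random
from typing import Dict, List, Optional, Sequence, Set

# Authentic list: shipped in the client's config file or fetched over a pinned
# channel, never from DNS. Names are constructed.
ALLOWED_LDAP_SERVERS: Set[str] = {"ldap1.example.com", "ldap2.example.com"}


def _canon(name: str) -> str:
    """DNS names compare case-insensitively and SRV targets end in a dot."""
    return name.rstrip(".").lower()


def authorized_targets(srv_targets: Sequence[str], allowlist: Set[str]) -> List[str]:
    """Drop every SRV target that is not on the allowlist *before* connecting,
    so a spoofed answer cannot steer the client to an unknown host."""
    return [_canon(t) for t in srv_targets if _canon(t) in allowlist]


def pick_server(srv_targets: Sequence[str], allowlist: Set[str],
                rng: Optional[random.Random] = None) -> str:
    """Random choice among the authorized targets, as the thread's client does."""
    candidates = authorized_targets(srv_targets, allowlist)
    if not candidates:
        raise LookupError("no authorized LDAP server in SRV answer")
    return (rng or random).choice(candidates)


def cert_names(peercert: Dict) -> List[str]:
    """Host names a certificate asserts, in the dict layout getpeercert()
    returns: dNSName SAN entries, with the subject CN only as a fallback."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [_canon(n) for n in names]


def peer_is_authorized(peercert: Dict, expected_host: str, allowlist: Set[str]) -> bool:
    """Post-handshake check: (1) the certificate must name the host we intended
    to reach, and (2) that host must be on the allowlist. A chain-valid
    certificate for ldap.malicious.com passes (1) for its own name but fails (2).
    Wildcard names are deliberately not matched here."""
    host = _canon(expected_host)
    return host in allowlist and host in cert_names(peercert)


# --- constructed sample inputs ----------------------------------------------
SRV_ANSWER_GENUINE = ["ldap1.example.com.", "ldap2.example.com."]
SRV_ANSWER_SPOOFED = ["ldap.malicious.com.", "ldap2.example.com."]  # injected target

CERT_GENUINE = {"subject": ((("commonName", "ldap2.example.com"),),),
                "subjectAltName": (("DNS", "ldap2.example.com"),)}
CERT_MALICIOUS = {"subject": ((("commonName", "ldap.malicious.com"),),),
                  "subjectAltName": (("DNS", "ldap.malicious.com"),)}


if __name__ == "__main__":
    chosen = pick_server(SRV_ANSWER_SPOOFED, ALLOWED_LDAP_SERVERS, random.Random(1))
    print("connect to:", chosen)
    print("genuine peer authorized:",
          peer_is_authorized(CERT_GENUINE, chosen, ALLOWED_LDAP_SERVERS))
    print("malicious peer authorized:",
          peer_is_authorized(CERT_MALICIOUS, "ldap.malicious.com", ALLOWED_LDAP_SERVERS))
```

The filtering step alone already removes the injected name from the spoofed answer; the post-handshake check is the second line of defence for the case David raises, a server that is on the list by name but presents a certificate for something else.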


Re: RSA_generate_key

2010-08-02 Thread sandeep kiran p
RSA is a structure containing the public modulus, private modulus, exponent
etc. Your rsa1 variable is a pointer to this structure. Why would you want
to print an address using %d?

-Sandeep

On Tue, Aug 3, 2010 at 9:40 AM, krishnamurthy santhanam <
krishnamurth...@gmail.com> wrote:

> Yes, I am not able to find the 128 byte RSA key. How should I get
> that information?
>
> kris
>
> On Tue, Aug 3, 2010 at 1:15 AM, Michael S. Zick wrote:
>
>> On Mon August 2 2010, krishnamurthy santhanam wrote:
>> > Hi,
>> >
>> > I am new to OpenSSL. I have to use the RSA_generate_key function to generate a
>> > key. Below is the program and outcome. Is this the way to generate a key?
>> >
>> > #include <stdio.h>
>> > #include <stdlib.h>
>> > #include <openssl/rsa.h>
>> > #include <openssl/err.h>
>> > int main()
>> > {
>> > char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
>> > char *ciphertext;
>> > printf("%s\n",plain);
>> > // Generate RSA key
>> > RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
>> > // RSA_size() will determine how much memory must be allocated for an
>> > if(rsa1==NULL) {
>> > printf("NO RSA!\n\n");
>> > ERR_load_crypto_strings();
>> > ERR_print_errors_fp(stdout);
>> > return 1;
>> >   }
>> >   else
>> > {
>> > printf("RSA OK!\n");
>> > }
>> > ciphertext = (char *)malloc(RSA_size(rsa1));
>> > printf("rsa key = %d\n",rsa1);
>> > printf("RSA size = %d\n",RSA_size(rsa1));
>> > free(ciphertext);
>> > RSA_free(rsa1);
>> > return 0;
>> > }
>> >
>> > $ gcc -o rsa1 rsa1.c -lcrypto
>> >
>> > Output
>> > -
>> > $ ./rsa1
>> > Sample text
>> > RSA OK!
>> > rsa key = 473608208
>>
>> > RSA size = 128
>> >
>>
>> Times 8 bits per octet == 1024 bits as requested.
>>
>> >
>> > Please correct me if I am missing anything ..
>> >
>>
>> Does your %d recognize a number that is 128 bytes long?
>>
>> Mike
>> >
>> > kris
>>  >
>>
>>
>>
>
>


Modifying SSL Handshake messages

2010-07-29 Thread sandeep kiran p
Hi,

Can someone tell me if there is any tool to modify the handshake messages
between client and server on the fly? For example, changing the list of
cipher suites offered by the client, changing the trusted CA names sent by
server etc. I understand that such a change would be caught by the
"finished" message, but I would like to know if any such tool really exists
that can help me modify the contents of the messages on the wire.

I know there are some tools that can capture packets on the wire, modify
them and then resend them, but that's not what I am looking for. I am looking
for something that would drop the original message and replace it
(completely or partially) with a new message.

Thanks,
Sandeep


Re: where to find the ca.txt file

2010-04-29 Thread sandeep kiran p
Your server certificate isn't getting verified against the client's trust
store (myca.pem). This could be the case where the CA that signed the server
cert isn't present in the client's trust store. You can use OpenSSL's verify
command to check why this is happening.

-Sandeep

On Thu, Apr 29, 2010 at 1:23 AM, sara bai  wrote:

>
> hi:
> Actually I got some errors when connecting to the SSL server this way. I've created
> a self-signed certificate
>
> # openssl s_client -ssl3 -connect 127.0.0.1: -verify 10 -showcerts
> -cert /home/myCA/certs/client.pem -key /home/myCA/private/client.pem -CAfile
> /home/myCA/certs/myca.pem -msg -debug
>
>
> >> verify error:num=20:unable to get local issuer certificate
>
>  verify error:num=27:certificate not trusted
>  verify error:num=21:unable to verify the first certificate
>
>  No client certificate CA names sent
> >> Verify return code: 21 (unable to verify the first certificate)
>
>
> I have no idea how to send client certificate CA names ...
>
>
> 2010/4/29 Vladimir Belov 
>
>
>> I think there is no such file yet. I could be mistaken.
>>
>> For what do you need this file? Do you want to know how to create a
>> self-signed test certificate  or something else?
>>
>>
>>>


Re: Information wanted on OpenSSL cipher alias HIGH, MEDIUM and LOW.

2010-04-15 Thread sandeep kiran p
Run the following command to know which ciphers get selected.

 # openssl ciphers 'ALL:!SSLv2:!EXPORT:!LOW:!MEDIUM:!DH'
AES256-SHA:AES128-SHA:DES-CBC3-SHA

-Sandeep

On Thu, Apr 15, 2010 at 10:45 AM, Bhat, Jayalakshmi Manjunath <
jayalakshmi.b...@hp.com> wrote:

> Hi All,
>
> I wanted to know, when we use "ALL:!SSLv2:!EXPORT:!LOW:!MEDIUM:!DH" to
> select the ciphers, how does OpenSSL understand which ciphers are available under
> LOW and MEDIUM. Ssleay.txt documents the names LOW, MEDIUM and HIGH as aliases.
> Please can someone provide me more information on this?
>
> Thanks in advance
> Jayalakshmi.
>


Re: How to include an attribute on a client cert?

2010-03-21 Thread sandeep kiran p
Unless you have a registered NID corresponding to the object you want to
insert into the certificate request, the req command wouldn't process it.

-Sandeep

On Fri, Mar 12, 2010 at 3:17 AM, Andre Rodrigues <
acastanheira2...@yahoo.com.br> wrote:

> Hi,
>
> I need to generate client certs and include some information on them. How
> to do it?
>
> I inserted the following line in the [ req_attributes ] section of my
> /etc/ssl/openssl.cnf, just after the unstructuredName tag
>
> cpfNumber  = CPF Number
>
>
> But when I generate the client request:
>
>
> openssl req -new -key privatekey_cl.pem -out subscription_cl.pem
>
> The field cpfNumber doesn't show up.
>
> Any ideas?
>
> Thanks,
> André
>
>
>
>
>
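
The registration Sandeep refers to is done in openssl.cnf itself: an `oid_section` in the unnamed default section at the top of the file maps a name to an OID, and from then on `req` can resolve `cpfNumber` to a NID and emit the attribute. The fragment below is an added example, not from the thread; the OID is a placeholder arc and must be replaced with one you control, and the `[ req ]` lines shown are the ones the stock file already carries.

```ini
# openssl.cnf fragment (added example). The OID is a PLACEHOLDER arc.
oid_section = new_oids                 # must sit in the unnamed default section

[ new_oids ]
cpfNumber = 1.3.6.1.4.1.99999.1        # PLACEHOLDER OID: gives the name a NID

[ req ]
distinguished_name = req_distinguished_name
attributes         = req_attributes    # stock setting; points at the section below

[ req_attributes ]
challengePassword  = A challenge password
unstructuredName   = An optional company name
cpfNumber          = CPF Number        # prompt text, as in the original post
```

After generating the request, `openssl req -in subscription_cl.pem -noout -text` lists the attribute under "Attributes:" only if the name resolved; with the OID registered, the `openssl req` prompt for "CPF Number" also appears.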


Should CSR be protected?

2010-02-07 Thread sandeep kiran p
Hi,

A quick question here. Should the Certificate Signing Request message be
protected when requesting a certificate from a CA? If I am sending a PKCS10
request to a remote CA, there could be a possibility that an attacker might
intercept the request, replace the Public Key and Signature fields with his
own (correct) values and just leave the subject field as-is. The issued
certificate would then contain the subject name of the original client but
the public key of the attacker. In such a case, would it be the
responsibility of the client to check and make sure the public key on the
issued certificate matches his own public key?

Thanks,
Sandeep


Re: Server won't request for client certificate

2010-02-02 Thread sandeep kiran p
Can you provide the trace output files that Kyle asked for? Probably that
can help us understand what's happening.

-Sandeep

On Tue, Feb 2, 2010 at 9:58 AM, Felipe Franciosi wrote:

> Hi all,
>
> Thanks for all the feedback I received regarding this matter.
>
> I'm just sending one last message to close the issue: despite
> BIO_do_handshake() succeeding, I couldn't retrieve the client certificate
> with SSL_get_peer_certificate(). :-(
>
> What I did is remove the BIO layer from my software and use SSL directly
> over unix sockets. Now it works like a charm.
>
> Cheers,
> Felipe
>
>
> On Mon, Feb 1, 2010 at 8:55 PM, Felipe Franciosi wrote:
>
>> Dear Kyle, David and Dr.Henson, thanks for all your replies.
>>
>> I will have a look on the debug generated by s_client and probably post
>> them here in a minute.
>>
>> In the meantime, let me apologise for not being specific about the error
>> I am getting and provide you with more information:
>>
>> When the client doesn't have a certificate at all, BIO_do_handshake()
>> fails, accusing this:
>> 20070:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
>> return a certificate:s3_srvr.c:2455:
>>
>> (Which is the correct behaviour)
>>
>> When I use my client (with the proper CA signed certificates),
>> BIO_do_handshake() actually succeeds. The error I get is that
>> SSL_get_peer_certificate() actually returns NULL (when I believe it should
>> return my client's certificate instead).
>>
>> My best regards,
>> Felipe
>>
>>
>> On 1 Feb 2010, at 19:08, Dr. Stephen Henson wrote:
>>
>>> On Mon, Feb 01, 2010, Felipe Franciosi wrote:
>>>
>>> > Dear Patrick,
>>> >
>>> > Thanks for the reply!
>>> >
>>> > I took the error checking out on purpose for the sake of the message
>>> > size.
>>> > I'm sending my client's code, but I still think the problem is on the
>>> > server.
>>> >
>>>
>>> What error printing do you do? You should call
>>> ERR_print_errors_fp(stderr) or
>>> similar and see if it gives you any useful message (see FAQ).
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>> Commercial tech support now available see: http://www.openssl.org
>>>
>>
>>
>


Re: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

2010-01-30 Thread sandeep kiran p
The man page of CMS_verify says the following:

CMS_get0_signers() retrieves the signing certificate(s) from *cms*, it must
be called after a successful CMS_verify() operation.

So, CMS_get0_signers should be called after CMS_verify but you seem to do it
the other way round. Secondly, why do you need to build the X509 cert from
the DSA parameters? When your C# application creates the CMS signed message,
does it not use a Certificate and its Private Key? Your stack of certs
should include this certificate. I also presume that the signing certificate
isn't included in the contentInfo message as you have set the CMS_NOINTERN
flag for CMS_verify.

Thanks,
Sandeep

On Wed, Jan 27, 2010 at 5:36 AM, Ujwal Chinthala wrote:

>  Hi,
>
> Thanks for all the help. I modified the code based on your comments.
>
> Basically, I am trying to verify CMS data signed by a C# program. So I
> have the base64-decoded CMS data stored as nBytes, a BYTE array.
>
> I have to verify the data (nBytes) using the DSA params and public key which
> are hard coded in the code as const char arrays (uLicenseCheckG,
> uLicenseCheckP, uLicenseCheckQ and uLicenseCheckY).
>
> I tried to verify even using the *CMS_NO_CONTENT_VERIFY* flag.
> CMS_verify() fails with error “*signer certificate not found*”.
>
> I dug into the code and found that CMS_verify() tries to copy the
> st (stack of x509 certs) to cms and fails? I am copying the skid value from the
> cms and creating the x509Cert using that so they match. I have noticed that
> the x509Cert->skid is becoming NULL after the call to CMS_verify().
>
> Is there anything wrong with the x509 cert created above with the
> public key and DSA params and skid? Am I missing something?
>
> What else do I need to verify correctly?
>
> Please find the modified code below.
>
> -Ujwal
>
> // COPY the DSA params and public key from const char arrays into a DSA structure
> DSA *dsaParams = DSA_new();
> dsaParams->g = BN_new();
> dsaParams->p = BN_new();
> dsaParams->q = BN_new();
> dsaParams->pub_key = BN_new();
> BN_bin2bn((const unsigned char *)uLicenseCheckG, sizeof(uLicenseCheckG), dsaParams->g);
> BN_bin2bn((const unsigned char *)uLicenseCheckP, sizeof(uLicenseCheckP), dsaParams->p);
> BN_bin2bn((const unsigned char *)uLicenseCheckQ, sizeof(uLicenseCheckQ), dsaParams->q);
> BN_bin2bn((const unsigned char *)uLicenseCheckY, sizeof(uLicenseCheckY), dsaParams->pub_key);
>
> // Create an EVP_PKEY to use in creating a certificate
> EVP_PKEY *evpTemp = EVP_PKEY_new();
> EVP_PKEY_assign_DSA(evpTemp, dsaParams);
>
> // Create a CMS content info structure out of the license key
> CMS_ContentInfo *cms = NULL;
> BIO *bioBuff = BIO_new_mem_buf((char *)nBytes, nCountOfBytes);
> BIO_set_mem_eof_return(bioBuff, 0);
> cms = d2i_CMS_bio(bioBuff, NULL); // i believe this finds the end of ASN1 data
>
> STACK_OF(CMS_SignerInfo) *sinfos;
> CMS_SignerInfo *si;
> sinfos = CMS_get0_SignerInfos(cms);
> si = sk_CMS_SignerInfo_value(sinfos, 0);
> ASN1_OCTET_STRING *keyid;
> X509_NAME *issuer;
> ASN1_INTEGER *sno;
> int rc = CMS_SignerInfo_get0_signer_id(si, &keyid, &issuer, &sno);
> // USE THIS KEYID TO SET THE x509Cert->skid VALUE
> printf("si: %d %p %p %p\n", rc, keyid, issuer, sno);
>
> // create an x509 cert with the above DSA params and public key and skid
> X509 *x509Cert = X509_new();
> X509_set_version(x509Cert, 2);
> ASN1_INTEGER_set(X509_get_serialNumber(x509Cert), 0);
> x509Cert->skid = ASN1_OCTET_STRING_dup(keyid);
> X509_gmtime_adj(X509_get_notBefore(x509Cert), 0);
> X509_gmtime_adj(X509_get_notAfter(x509Cert), (long)60 * 60 * 24 * 365);
>
> // X509_set_pubkey() returns 1 on success and 0 on failure
> if (!X509_set_pubkey(x509Cert, evpTemp)) {
>     printf("set public key error: %s", ERR_error_string(ERR_get_error(), NULL));
> }
> X509_print_fp(stdout, x509Cert);
>
> // create a stack of x509 certs to use in CMS_verify
> STACK_OF(X509) *st = sk_X509_new_null();
> sk_X509_push(st, x509Cert);
>
> // x509Cert->skid is valid here
> printf("skid: %p\n", x509Cert->skid);
>
> // It fails here with “signer certificate not found” error
> // Also tried using the CMS_NO_CONTENT_VERIFY
> int cmsVerify = CMS_verify(cms, st, NULL, NULL, NULL, CMS_NOINTERN | CMS_NO_SIGNER_CERT_VERIFY);
>
> unsigned long errortemp = ERR_get_error();
> char errorbuff[256]; // ERR_error_string() needs at least 120 bytes
> ERR_error_string(errortemp, errorbuff);
> printf("countofbytes = %d, error num = %lu, and error = %s\n", nCountOfBytes, errortemp, errorbuff);
>
> // x509Cert->skid is invalid here
> printf("skid: %p\n", x509Cert->skid);
>


Re: Integrating openssl cert in MS

2010-01-30 Thread sandeep kiran p
You might want to check the permissions on C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto. Administrators and system account
should have full control on that folder and its sub folders.

-Sandeep

On Mon, Jan 25, 2010 at 1:54 AM, Christoph Ohliger <
christoph.ohli...@fh-rosenheim.de> wrote:

> Hi,
>
> I am trying to integrate an OpenSSL cert (cert.p12) into an MS certificate
> store (different XP, 2003 machines). I always get the same error "The
> private key that you are importing might require a cryptographic service
> provider that is not installed on your system". Can anyone point me in
> the right direction?
>
> regards
> Christoph
>


Re: utf8string vs printablestring mismatch in certificate checking

2010-01-26 Thread sandeep kiran p
> 1.0.0 uses a different algorithm for computing hashes which relies on a
> form of canonical encoding.

Does that mean we need to recompute the hashes for existing CA certs and
CRLs if we are to work with 1.0.0 since it seems to generate a different
hash value for the same cert?

-Sandeep

On Tue, Jan 19, 2010 at 1:55 PM, Dr. Stephen Henson wrote:

> On Tue, Jan 19, 2010, Colin Phipps wrote:
>
> > We are having trouble using openssl's certificate checking to validate
> > certain certificates where certificates in the chain are inconsistent in
> > their choice of string encoding.
> >
> > Using e.g. openssl-0.9.8e-12.el5, the connection in the accompanying
> > certificate chain (intermediate cert and final cert only attached) will
> > never be made by openssl. I think that this is because the intermediate
> cert
> > has issuer "Government of Korea" (utf8, type 12) but the root cert is
> > subject "Government of Korea" (printable, type 19), so it doesn't see
> this
> > intermediate cert as signed by this issuing cert due to the names not
> > matching (although they do match semantically, as it were); openssl looks
> > for the wrong hash value in the CAdir and, even if I fake up a symlink in
> > the CAdir to the right root cert, it doesn't use it.
> >
> > Internet Explorer accepts the same certificate chain, and presumably that
> is
> > how it is in use in the field (Korea is known for being quite IE-centric,
> or
> > at least it used to be). I have seen this problem on another
> > private/governmental CA before but the problem was fixed before I got
> around
> > to looking for solutions.
> >
> > Have I diagnosed the problem correctly? Is this behaviour by openssl
> correct
> > or incorrect, likely to change, or is it possible to make it work at the
> > application level?
> >
>
> Changing the encoding does violate a few standards including RFC3280 and
> RFC5280 but a few errant CAs exist which do it.
>
> Your analysis of that case is correct. If you use the command:
>
> openssl x509 -in mogaha.pem -subject -issuer -nameopt multiline,show_type
> -noout -subject_hash -issuer_hash
>
> You can clearly see the result:
>
> subject=
>     countryName               = PRINTABLESTRING:KR
>     organizationName          = PRINTABLESTRING:Government of Korea
>     organizationalUnitName    = PRINTABLESTRING:GPKI
>     commonName                = PRINTABLESTRING:GPKIRootCA
> issuer=
>     countryName               = PRINTABLESTRING:KR
>     organizationName          = PRINTABLESTRING:Government of Korea
>     organizationalUnitName    = PRINTABLESTRING:GPKI
>     commonName                = PRINTABLESTRING:GPKIRootCA
> 20e6f02d
> 20e6f02d
>
> Note the two hash values are the same.
>
> Whereas for mogaha_int.pem you get:
>
> subject=
>     countryName               = PRINTABLESTRING:KR
>     organizationName          = UTF8STRING:Government of Korea
>     organizationalUnitName    = UTF8STRING:GPKI
>     commonName                = UTF8STRING:CA134040001
> issuer=
>     countryName               = PRINTABLESTRING:KR
>     organizationName          = UTF8STRING:Government of Korea
>     organizationalUnitName    = UTF8STRING:GPKI
>     commonName                = UTF8STRING:GPKIRootCA
> 610e5e7b
> 449b326d
>
> You can see here that the string types differ and the second hash value
> (issuer) doesn't match those for mogaha.pem.
>
> If you tried getting those hash values with OpenSSL 1.0.0 or later
> using:
>
> openssl x509 -in mogaha.pem -subject_hash -issuer_hash -noout
>
> you get this:
>
> mogaha.pem:
>
> 11e07c09
> 11e07c09
>
> mogaha_int.pem:
> aac725e5
> 11e07c09
>
> Here you'll see that now the issuer hash matches because 1.0.0 uses a
> different algorithm for computing hashes which relies on a form of canonical
> encoding.
>
> So the best I can suggest is using 1.0.0 which is currently in beta.
>
> For compatibility reasons we can't backport the modified algorithm to
> 0.9.8.
>
> I think MSIE uses SKID/AKID to build chains if the extensions are present
> avoiding DN matching altogether though that can introduce its own problems.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
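
Sandeep's question at the top of this thread (do the hashes have to be recomputed for 1.0.0?) follows from what Steve describes: 0.9.8 hashes the DER of the Name as encoded, so a PrintableString and a UTF8String holding the same text hash differently, while 1.0.0 hashes a canonical form. The Python below is an added illustration, not code from the thread or from OpenSSL: it builds two constructed Names that mirror the thread's root subject and intermediate issuer, hashes them the 0.9.8 way (MD5 over the DER, low four bytes little-endian, as `X509_NAME_hash_old` does) and the 1.0.0 way (SHA-1 over a canonical encoding). The canonical encoding here is a simplified model of OpenSSL's (all values re-tagged UTF8String, ASCII case folded, whitespace collapsed, outer SEQUENCE header omitted), so the exact 1.0.0 values for real certificates may differ; the hash values produced are for the constructed names, not the `20e6f02d`/`11e07c09` figures above.

```python
import hashlib

PRINTABLE, UTF8 = 0x13, 0x0C              # ASN.1 string tags shown by -nameopt show_type
C, O, OU, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x0b", b"\x55\x04\x03"


def der(tag, body):
    """Wrap body in a DER tag and definite-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_name(entries):
    """DER Name: SEQUENCE OF SET { SEQUENCE { OID, value } }, one RDN per entry."""
    rdns = b"".join(der(0x31, der(0x30, der(0x06, oid) + der(tag, text.encode("utf-8"))))
                    for oid, tag, text in entries)
    return der(0x30, rdns)


def canonical_name(entries):
    """Simplified model of the 1.0.0 canonical encoding (assumption, not OpenSSL's code):
    every value becomes UTF8String, ASCII letters are lower-cased, runs of whitespace
    collapse to one space, and the outer SEQUENCE header is left off."""
    rdns = []
    for oid, _tag, text in entries:
        folded = " ".join(text.split())
        folded = "".join(ch.lower() if ch.isascii() else ch for ch in folded)
        rdns.append(der(0x31, der(0x30, der(0x06, oid) + der(UTF8, folded.encode("utf-8")))))
    return b"".join(rdns)


def first_four_le(digest):
    return int.from_bytes(digest[:4], "little")


def name_hash_old(entries):
    """0.9.8 style (X509_NAME_hash_old): MD5 over the DER Name, low 4 bytes little-endian."""
    return first_four_le(hashlib.md5(encode_name(entries)).digest())


def name_hash_new(entries):
    """1.0.0 style (X509_NAME_hash): SHA-1 over the canonical encoding, same truncation."""
    return first_four_le(hashlib.sha1(canonical_name(entries)).digest())


# Constructed names mirroring the thread: the root's subject uses PrintableString
# everywhere, the intermediate's issuer uses UTF8String for all but the country.
ROOT_SUBJECT = [(C, PRINTABLE, "KR"), (O, PRINTABLE, "Government of Korea"),
                (OU, PRINTABLE, "GPKI"), (CN, PRINTABLE, "GPKIRootCA")]
INT_ISSUER = [(C, PRINTABLE, "KR"), (O, UTF8, "Government of Korea"),
              (OU, UTF8, "GPKI"), (CN, UTF8, "GPKIRootCA")]


def compare(a, b):
    """(old hashes equal?, new hashes equal?, old CAdir names, new CAdir names)."""
    old = (f"{name_hash_old(a):08x}.0", f"{name_hash_old(b):08x}.0")
    new = (f"{name_hash_new(a):08x}.0", f"{name_hash_new(b):08x}.0")
    return old[0] == old[1], new[0] == new[1], old, new
```

`compare(ROOT_SUBJECT, INT_ISSUER)` reports the old hashes differing and the new ones matching, which is the situation in Steve's listing. The practical consequence for an existing CAdir is that the `<hash>.0` file names and symlinks were produced by the old function, so after moving to 1.0.0 the directory has to be re-hashed with the 1.0.0 tools, whose `c_rehash` names the links by the new function.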


Re: Unable to load CRL

2010-01-10 Thread sandeep kiran p
Krishna,

> m_pfCRLFile = fopen( m_pszCRLFile , "wb");

"wb" opens the file in write (binary) mode. But your intention is to read
the CRL. Change the mode to "rb" and check again.

-Sandeep

On Thu, Jan 7, 2010 at 10:12 PM, Radha krishna Meduri -X (radmedur - HCL at
Cisco)  wrote:

>
> Hi Experts
>
> I am writing a simple standalone cpp program to read a CRL file but could
> not. Please correct me if I miss anything in the program... I am getting
> "Unable to read CRL file" as in the last printf statement.
>
> #include "openssl/ssl.h"
> #include "stdio.h"
> #include "stdlib.h"
>
> int main()
> {
>
> FILE* m_pfCRLFile=0;
> const char* m_pszURL;
>
> const char* m_pszCRLFile = "test_pem.crl";
>
> printf("synthesized file name= %s\n", m_pszCRLFile);
>
> /* "wb" opens for writing only and truncates the file to zero length */
> m_pfCRLFile = fopen( m_pszCRLFile , "wb");
>
> if( !m_pfCRLFile )
> {
> printf("Unable to open file %s for writing", m_pszCRLFile);
> exit(0);
> }
>
> X509_CRL *pCRL=0, *pTempCRL = 0;
>
> pCRL = d2i_X509_CRL_fp( m_pfCRLFile, &pTempCRL );
>
> if( !pCRL )
> {
>printf("Unable to read using d2i_X509_CRL_fp\n");
>rewind(m_pfCRLFile); /* the DER attempt consumed input; start over for PEM */
>pCRL = PEM_read_X509_CRL(m_pfCRLFile, &pTempCRL, NULL, 0);
> }
>
> if( !pCRL )
> {
>printf("Unable to read CRL file\n" );
>exit(0);
> }
>
> X509_CRL_free(pCRL);
> fclose(m_pfCRLFile);
> return 0;
> }
>
> Thanks
> Radhakrishna.
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Radha krishna
> Meduri -X (radmedur - HCL at Cisco)
> Sent: Thursday, December 24, 2009 11:23 AM
> To: openssl-users@openssl.org
> Subject: RE: Unable to load CRL
>
>
> Hi Steve
>
> I guess that is not the problem as I will be able to read same CRL file
> if I place CRL file into another webserver. I am not able to post CRL
> here as this is open alias.
>
> BTW I want to write test program to check the CRL file. Could you please
> share the same if you have any?
>
> Thanks
> Radhakrishna.
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Monday, December 14, 2009 9:02 PM
> To: openssl-users@openssl.org
> Subject: Re: Unable to load CRL
>
> On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco)
> wrote:
>
> >
> > Hi Patrick
> >
> > We are using following code snippet to load CRL's.
> >
> > X509_CRL *pCRL, *pTempCRL = 0;
> > pCRL = d2i_X509_CRL_fp( pfCrlFile, &pTempCRL );
> >
> > if( !pCRL )
> > {
> > rewind(pfCrlFile);
> > pCRL = PEM_read_X509_CRL(pfCrlFile, &pTempCRL, NULL, 0); }
> >
> > rewind(pfCrlFile);
> >
> > if( !pCRL )
> > {
> > logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
> > break; }
> >
> > Ultimately we are getting "Unable to read CRL file" if we are loading
> > DER format CRL. Did you see anything wrong there?
> >
>
> Is the fp opened in binary mode? Text mode translation on that fp will
> corrupt the CRL loading in DER mode.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>
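
The two failure modes raised in this thread are the open mode ("wb" truncates the file before anything is read) and text-mode translation corrupting DER. The Python below is an added example, not the thread's code or OpenSSL's loader: it mirrors the try-DER-then-PEM sequence, rewinding between the two attempts as the earlier snippet in this thread does, opens in binary mode, and then repeats the "wb" mistake on a temporary file to show what the C program was actually reading. The sample blob is a constructed DER SEQUENCE standing in for a CRL, not a real CertificateList; file names under the temporary directory are assumptions.

```python
import base64
import os
import tempfile

PEM_HEADER, PEM_FOOTER = b"-----BEGIN X509 CRL-----", b"-----END X509 CRL-----"


def der_framing_ok(data):
    """True when data is one DER SEQUENCE whose declared length covers the whole buffer:
    enough to tell a DER CRL from PEM text, an empty file, or a truncated download."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    length, off = data[1], 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, off = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return off + length == len(data)


def pem_to_der(text):
    if PEM_HEADER not in text or PEM_FOOTER not in text:
        raise ValueError("not a PEM-encoded CRL")
    body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode(b"".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER, b""])


def load_crl_der(path):
    """Try DER first, then rewind and try PEM, like the C code in this thread. Returns DER bytes."""
    with open(path, "rb") as fp:            # "rb": read, binary. "wb" would truncate the file first.
        raw = fp.read()
        if der_framing_ok(raw):
            return raw
        fp.seek(0)                          # the DER attempt consumed the stream: rewind() in C
        der = pem_to_der(fp.read())
    if not der_framing_ok(der):
        raise ValueError("PEM body did not decode to a DER SEQUENCE")
    return der


# Constructed stand-in for a CRL: a well-formed DER SEQUENCE (not a real CertificateList)
# carrying bytes that text-mode or C-string handling would mangle: 0xFF, NUL and Ctrl-Z.
SAMPLE_DER = b"\x30\x08\x02\x01\x01\x04\x03\xff\x00\x1a"


def demo():
    """Write the sample as DER and as PEM, load both back, then repeat the "wb" mistake."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        der_path = os.path.join(d, "test_der.crl")
        pem_path = os.path.join(d, "test_pem.crl")
        with open(der_path, "wb") as f:
            f.write(SAMPLE_DER)
        with open(pem_path, "wb") as f:
            f.write(der_to_pem(SAMPLE_DER))
        results["der_roundtrip"] = load_crl_der(der_path) == SAMPLE_DER
        results["pem_roundtrip"] = load_crl_der(pem_path) == SAMPLE_DER
        open(pem_path, "wb").close()        # what fopen(m_pszCRLFile, "wb") did to the CRL
        results["size_after_wb"] = os.path.getsize(pem_path)
        try:
            load_crl_der(pem_path)
            results["load_after_wb"] = "loaded"
        except ValueError as err:
            results["load_after_wb"] = str(err)
    return results
```

`demo()` returns both round trips as successful and then a zero-byte file after the "wb" open, which is why every read in the posted program failed: by the time `d2i_X509_CRL_fp` ran, the CRL on disk was already gone.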


SSL/TLS renegotiation attack

2009-12-03 Thread sandeep kiran p
Hi,

Ours is an LDAP directory enabled application where we use SSL/TLS to
protect binds to the directory. Right now we are using OpenSSL 0.9.8g to do
this. Our application depends on external directory servers for
authentication which are not maintained by us. So it is only the client side
of SSL/TLS that we are concerned with.

My question here is, with the above setup, are we also affected by the
renegotiation attack (CVE-2009-3555)? Should we also upgrade to OpenSSL
0.9.8l? If I understand the attack correctly, it only affects servers that
support renegotiation since the client is not aware that the server actually
requests a renegotiation. Or are there any other scenarios where my client
could also be affected?

Thanks,
Sandeep


Re: Application crashes when trying to access X509 Certificate Extension returned by X509_get_ext method

2009-11-28 Thread sandeep kiran p
Sanjay,

Can you check if it still fails when you do a memcpy instead of direct
assignment? Something like:

OrgPtr = (char *)malloc (Extension->value->length);
if (NULL == OrgPtr) assert(!"Malloc failure"); /* assert("...") alone never fires */

memcpy(OrgPtr, Extension->value->data, Extension->value->length);

-Sandeep

On Thu, Nov 26, 2009 at 8:44 AM, Sanjay Bhat  wrote:

>  Hi Kyle,
>
> Thanks a ton for the quick reply buddy :)
>
> When we debug our application in visual studio, we see that both
> "Extension" and "Extension->value" are not NULL. But
> "Extension->value->data" seems to be NULL or corrupted, causing our
> application to crash.
>
> I am trying these options for debugging the problem :
> > make sure the X509 certificate we are using is a valid one, containing
> the extension we are looking for, because "Certificate->valid" is set to 0
> for our certificate.
> > debug through the openssl function X509_get_ext( ) in visual studio by
> attaching the openssl source, to see why "Extension->value->data" is not
> being set correctly.
> > also try using some older openssl version instead of the current 0.9.8 d
> we are currently using.
>
> I will update again after trying these options.
>
> I suspect something being wrong in this certificate itself; maybe it does
> not comply with the X509 certificate format. Can you please confirm that the
> certificate we are using is a valid x509 certificate?
>
> This is the certificate we are using :
>
> static unsigned char *LETestDefaultKey = {
>   "-----BEGIN RSA PRIVATE KEY-----\r\n"
>   "MIIBPAIBAAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp89YO/2rG0K8iAJW5AY399hh/s\r\n"
>   "VjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEAAQJATBeXv0P1a77mXYAdM4LT\r\n"
>   "SpNRrbfOKOi9GworyJEtts5Cn153ROK3750NHrOeaXbkFl89/UD0oMsO22TnF+Ol\r\n"
>   "lQIhAO0gkTZggugyZ7HDQihy/7EVAgK9rg7SPc5JnyZITW5bAiEA3x+q4AZDXUHW\r\n"
>   "26W7BlZoedPy6Mo5wWNb/gN9x/T987MCIQCt8TfUFZOxVFgwU7USCtl5QpnI/O7T\r\n"
>   "PHHOAr9Vy6/RBQIhAJPO76y+mWuzDPmu/YmCPm3OWZGbPc1929gXSgDnrD//AiEA\r\n"
>   "vwlwVtb26OSBJX47M+MZeWsiD3GVydtRdcL9+Xy0XEw=\r\n"
>   "-----END RSA PRIVATE KEY-----\r\n"
>  };
> static unsigned char *LETestDefaultCert = {
>   "-----BEGIN CERTIFICATE-----\r\n"
>   "MIIBojCCAUygAwIBAgIBMzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJVUzEb\r\n"
>   "MBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTA1MTAxMTE3NDEyOFoXDTE1\r\n"
>   "MTAwOTE3NDEyOFowJjELMAkGA1UEBhMCVVMxFzAVBgNVBAMTDlNlY3VyZUxvZ2lu\r\n"
>   "U1NPMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp8\r\n"
>   "9YO/2rG0K8iAJW5AY399hh/sVjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEA\r\n"
>   "AaNhMF8wDgYDVR0PAQH/BAQDAgWgMBgGA1UdEQQRMA+BDWFyZ2xAYmxhaC5jb20w\r\n"
>   "EQYJYIZIAYb4QgEBBAQDAgWgMCAGDGCGSAGG+DcBglsKAQQQFg5TZWN1cmVMb2dp\r\n"
>   "blNTTzANBgkqhkiG9w0BAQQFAANBABaOsowc+4encEksW5w1v1dHg7DNdBbQJHct\r\n"
>   "JSNfzPfE8igm617Ggsfrb0nkc50mdlyugkfZC/dX+sx4vtQk1Ok=\r\n"
>   "-----END CERTIFICATE-----\r\n"
>  };
> Looking forward to your reply... have a wonderful day ahead !!!
>
> Regards,
> Sanjay
>
> >>> Kyle Hamilton  11/24/2009 4:56 AM >>>
>
> Are you checking to make sure that there *is* data in that extension?
> Or that the extension value even exists?
>
> if (NULL == Extension->value) assert(!"Extension->value NULL");
> if (NULL == Extension->value->data) assert(!"Extension->value->data NULL");
> OrgPtr=Extension->value->data;
>
> -Kyle H
>
> On Fri, Nov 20, 2009 at 3:50 AM, Sanjay Bhat  wrote:
> >
> > Hi,
> >
> > Our application running in windows 2008 64-bit platform crashes when we
> try
> > to access the data member of X509_EXTENSION returned by X509_get_ext().
> >
> > We are using  0.9.8d version of openssl compiled for windows 64 bit
> > platform.
> >
> > We are clueless why this is happening and are badly stuck with this.
> Please
> > help us.
> >
> > Here is the code snippet of our application with the point of crash in
> bold
> > :
> >
> > BOOL GetX509ObjectString(X509 *Certificate, unsigned char *ASN1, unsigned
> > char *Short, unsigned char *Description, unsigned char *Buffer, unsigned
> > long BufSize)
> > {
> > X509_EXTENSION  *Extension;
> > int nid;
> > int Position;
> > ASN1_STRING *Value;
> > unsigned char   *OrgPtr;
> >
> > if (!Buffer) {
> > return(FALSE);
> > }
> > Buffer[0]='\0';
> >
> > nid = OBJ_create(ASN1, Short, Description);
> > Position=X509_get_ext_by_NID(Certificate, nid, -1);
> > if (Position==-1) {
> > return(FALSE);
> > }
> >
> >  Extension=X509_get_ext(Certificate, Position);
> >   if (!Extension) {
> > return(FALSE);
> > }
> >
> > /* The M_d2i function alters the pointer, so keep a copy */
> > OrgPtr=Extension->value->data; //This is the point of crash.
> Referencing
> > data member seems to be causing the crash
> > Value=M_d2i_ASN1_IA5STRING(NULL, &(Extension->value->data),
> > Extension->value->length);
> > Extension->value->data=OrgPtr;
> > strncpy(Buffer, Value->data, min(Value->length+1, BufSize));
> > Buffer[min(Valu
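
Sanjay asks whether the certificate he posted is well-formed, and the crash is at the point where `Extension->value->data` (the contents of the extension's OCTET STRING) is dereferenced before `M_d2i_ASN1_IA5STRING` decodes what is inside it. The Python below is an added example, not the thread's code and not OpenSSL's, that walks the DER of the very certificate posted above with bounds checks on every length: it confirms the structure parses, lists each extension as OID -> (critical, OCTET STRING contents), and decodes the inner IA5String the way the C code intends. It also serves the "Should CSR be protected?" question earlier on this page: the last function compares the public key inside the issued certificate with the key from the matching posted private key, which is the check a requester has to make on what a CA returns. The PEM markers are restored around the base64 from the post; everything else is constructed for illustration.

```python
import base64

# Test key pair posted earlier in this thread (LETestDefaultKey / LETestDefaultCert),
# re-wrapped in standard PEM markers; 512-bit RSA, useful only as parsing input.
KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp89YO/2rG0K8iAJW5AY399hh/s
VjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEAAQJATBeXv0P1a77mXYAdM4LT
SpNRrbfOKOi9GworyJEtts5Cn153ROK3750NHrOeaXbkFl89/UD0oMsO22TnF+Ol
lQIhAO0gkTZggugyZ7HDQihy/7EVAgK9rg7SPc5JnyZITW5bAiEA3x+q4AZDXUHW
26W7BlZoedPy6Mo5wWNb/gN9x/T987MCIQCt8TfUFZOxVFgwU7USCtl5QpnI/O7T
PHHOAr9Vy6/RBQIhAJPO76y+mWuzDPmu/YmCPm3OWZGbPc1929gXSgDnrD//AiEA
vwlwVtb26OSBJX47M+MZeWsiD3GVydtRdcL9+Xy0XEw=
-----END RSA PRIVATE KEY-----"""
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBojCCAUygAwIBAgIBMzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJVUzEb
MBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTA1MTAxMTE3NDEyOFoXDTE1
MTAwOTE3NDEyOFowJjELMAkGA1UEBhMCVVMxFzAVBgNVBAMTDlNlY3VyZUxvZ2lu
U1NPMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp8
9YO/2rG0K8iAJW5AY399hh/sVjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEA
AaNhMF8wDgYDVR0PAQH/BAQDAgWgMBgGA1UdEQQRMA+BDWFyZ2xAYmxhaC5jb20w
EQYJYIZIAYb4QgEBBAQDAgWgMCAGDGCGSAGG+DcBglsKAQQQFg5TZWN1cmVMb2dp
blNTTzANBgkqhkiG9w0BAQQFAANBABaOsowc+4encEksW5w1v1dHg7DNdBbQJHct
JSNfzPfE8igm617Ggsfrb0nkc50mdlyugkfZC/dX+sx4vtQk1Ok=
-----END CERTIFICATE-----"""

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def read_tlv(buf, off=0):
    """One DER tag-length-value at buf[off]; returns (tag, contents, offset after it).
    Every length is checked against the buffer before the contents are touched."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, buf[off:off + length], off + length

def children(body):
    """(tag, contents) of each member of a constructed element."""
    out, off = [], 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def tbs_fields(cert_der):
    fields = children(read_tlv(read_tlv(cert_der)[1])[1])   # Certificate -> tbsCertificate
    return fields[1:] if fields[0][0] == 0xA0 else fields    # drop optional [0] version

def certificate_extensions(cert_der):
    """OID -> (critical, OCTET STRING contents), i.e. what ext->value->data points at."""
    result = {}
    for tag, value in tbs_fields(cert_der):
        if tag != 0xA3:                                      # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(value)[1]):
            parts = children(ext)
            critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
            payload = parts[2][1] if parts[1][0] == 0x01 else parts[1][1]
            result[decode_oid(parts[0][1])] = (critical, payload)
    return result

def decode_ia5(octets):
    """The inner decode that M_d2i_ASN1_IA5STRING performs on the OCTET STRING contents."""
    tag, value, _ = read_tlv(octets)
    if tag != 0x16:
        raise ValueError("extension payload is not an IA5String")
    return value.decode("ascii")

def cert_rsa_public_key(cert_der):
    """(modulus, exponent) from SubjectPublicKeyInfo, field 5 once the version is dropped."""
    bitstring = children(tbs_fields(cert_der)[5][1])[1][1]
    n, e = children(read_tlv(bitstring[1:])[1])              # skip the unused-bits octet
    return n[1], e[1]

def key_rsa_public_key(key_der):
    """(modulus, exponent) from PKCS#1 RSAPrivateKey { version, n, e, d, ... }."""
    fields = children(read_tlv(key_der)[1])
    return fields[1][1], fields[2][1]

def issued_cert_matches_key(cert_pem, key_pem):
    """The check the CSR question above asks about: the returned certificate must carry
    the requester's own public key, not merely the requester's subject name."""
    return cert_rsa_public_key(pem_to_der(cert_pem)) == key_rsa_public_key(pem_to_der(key_pem))
```

`certificate_extensions(pem_to_der(CERT_PEM))` yields four extensions, among them the Novell-arc OID whose OCTET STRING wraps an IA5String reading "SecureLoginSSO", so the certificate itself is well-formed and the payload the C code wants is there; what a walker like this makes explicit is that the OCTET STRING contents are themselves DER and still need the inner decode, and that a length which does not fit the buffer is rejected rather than followed. `issued_cert_matches_key(CERT_PEM, KEY_PEM)` is true for the posted pair; a CA-issued certificate that carried someone else's key under your subject would fail the same comparison.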

Re: CryptoAPI calls failing in rand_win on Windows 7

2009-11-08 Thread sandeep kiran p
>RAND_poll runs very quickly with a near-empty heap.

Do you mean that the calls
to Heap32First, Heap32Next, Heap32ListFirst, Heap32ListNext are failing? Can
you check the return values from these calls? (using GetLastError?). In any
case, the heap traversals are bounded by the 1 sec limit. Even if the
variable "good" is 0, the very first block of heap allocated by the current
process is retrieved. Can you exactly specify which CryptoAPI is taking so
much time?

-Sandeep

On Fri, Nov 6, 2009 at 11:45 AM, James Baker  wrote:

> Background:  Testing a Ruby app on 64-bit Windows 7 Ultimate, I found
> that OpenSSL::PKey::RSA.generate() was taking 98 seconds.  Jumping to
> C, sampling showed that the great majority of this time was spent in
> Heap32Next, which led me to the "heap list and heap walking" section
> of RAND_poll in crypto/rand/rand_win.c
>
> The heap walking (and thread and module walking) are limited to 1s
> unless the variable "good" is set, and advapi32.dll is loaded, which
> means that "poll the CryptoAPI PRNG" using the conjunction of
> CryptAcquireContextW and CryptGenRandom must be failing.
>
> The 98 seconds comes from walking the contents of the heap after
> loading a Rails environment - RAND_poll runs very quickly with a
> near-empty heap.  Are the crypto-API calls ever expected to fail under
> any Windows platform, or is this the abnormality? I'm not aware of any
> changes in Win7 that would break those calls (though I'm investigating
> whether something permission/security-related is in play here), but
> I'm not aware of much about Win7 in general.  I also don't see any
> Win7-related changes in the OpenSSL changelog - has this platform been
> validated already?
>
> Thanks,
> James
>


Re: How to change the default signature algorithm from MD5 to SHA1

2009-10-26 Thread sandeep kiran p
You need to add/change "default_md" in the "req" section. You are
probably changing the value in the "CA_default" section and that's why it's not
reflected in your certificate. Here's what needs to be done in the openssl.cnf
file.

[ req ]

default_md = sha1


-Sandeep

On Mon, Oct 26, 2009 at 2:12 AM, Madhu  wrote:

> Hello,
>
> I want to generate a self signed certificate that uses 'sha1RSA' as
> signature algorithm.
>
> I tried changing the default signature algorithm in OpenSSL config file
> (default_md), but there is no effect of the change on the certificate. The
> certificate shows 'md5RSA' as the signature algorithm.
>
> Appreciate any help on how to achieve this.
>
> Here are the detailed steps for your reference.
> 1) vi /etc/sfw/openssl/openssl.cnf
> 2) Original: default_md=md5. Modified this to default_md=sha1
> 3) Restarted the system
> 4) Gave the following commands
> /usr/sfw/bin/openssl genrsa 1024 > host.key
> chmod 400 host.key
> /usr/sfw/bin/openssl req -new -x509 -days 365 -key host.key > host.cer
> 5) Irrespective of the value for "default_md" in the openssl.cnf file, the
> signature algorithm is specified as "md5RSA" in the certificate.
> 6) When I give the following command, the sha1 signature algorithm is used,
> however changing to the following command introduces lot of additional
> dependencies in my code.
> /usr/sfw/bin/openssl req -new -x509 -sha1 -days 365 -key host.key >
> host.cer
> 7) Version of OpenSSL used is 0.9.7d 17 Mar 2004 (+ security patches to
> 2006-09-29) on a Solaris 10 machine with kernel patch id 137138-09.
> 8) I've performed a truss and dtrace to find the value read from the config
> file, but was not able to view the values for config parameters.
>
> Thanks
> Madhu
>


Re: [FWD] Build incorrect crypt/decrypt in Win32. x86. MSVC 2003. MinGW.

2009-10-21 Thread sandeep kiran p
Can someone comment on why this fails on windows? I too observed that the
decryption does not result in the original plain text on windows.

-Sandeep

On Sun, Oct 18, 2009 at 5:58 AM, Lutz Jaenicke  wrote:

> Forwarded to openssl-users for public discussion.
>
> Best regards,
>Lutz
>
> - Forwarded message from User User  -
>
> From: User User 
> To: r...@openssl.org
> Subject: Build incorrect crypt/decrypt in Win32. x86. MSVC 2003. MinGW.
> Date: Sun, 18 Oct 2009 07:46:40 +0400
> Reply-To: User User 
>
>  Hello openssl Hackers.
> I am a beginner in openssl. To learn, I wrote a simple crypto_test.cpp program.
> Tested it under CentOS, FreeBSD and Win32.
> Linux and BSD work fine, but the Windows builds are incorrect.
> Built in MS VC .NET 2003 and MinGW; neither works correctly in crypt/decrypt
> cycles.
> The code is sent as an attachment, along with the openssl makefile and a simple
> description in README.TXT.
> I can't understand whether it is a bug or my build problem.
> Please show me the right way.
> Thank you.
> Nick.
> 
> RESULTS:
>
> --[ FreeBSD ]--
> ./crypto_test -e plaintext encypt.bsd 123
> ./crypto_test -d encypt.bsd plaintext.out.bsd 123
> ./openssl dgst -rmd160 plaintext encypt.bsd plaintext.out.bsd
>
> RIPEMD160(plaintext)=
> d7ca608f0430c3248527572662af5e50d93e87ca
> RIPEMD160(encypt.bsd)   =9a465d7a2304833f0d7a967ce5a04687b7350441
> RIPEMD160(plaintext.out.bsd)=
>  d7ca608f0430c3248527572662af5e50d93e87ca
>
> --[ WIN32 ]--
> crypto_test.exe -e plaintext encrypt.w32 123
> crypto_test.exe -d encrypt.w32 plaintext.out.w32 123
> openssl.exe dgst -rmd160 plaintext encrypt.w32 plaintext.out.w32
>
> RIPEMD160(plaintext)=
> d7ca608f0430c3248527572662af5e50d93e87ca
> RIPEMD160(encrypt.w32)  =e1ae968afaa4fa259a4f81012804769fe2d13dd6
> RIPEMD160(plaintext.out.w32)=
>  753e049eb8c31e2116e575402db6f7dd7abdbfa1
>
>
> ] Code of crypto_test.cpp
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> #include <openssl/bio.h>
> #include <openssl/evp.h>
> #include <openssl/err.h>
>
> #define BUF_SIZE 32767
>
> int enc(char* fin, char* fout, unsigned char* key);
> int dec(char* fin, char* fout, unsigned char* key);
>
> int main(int argc, char* argv[])
> {
>ERR_load_crypto_strings();
>if(argc<5){
>printf("Need more args:\n\t1 -  -e/-d\n\t2 - file_in\n\t3 -
> file_out\n\t4 - pass\n\t");
>exit(0);
>}
>
>int ret =0;
>if(!strcmp(argv[1], "-e")){
>ret = enc(argv[2], argv[3], (unsigned char*)argv[4]);
>}else if(!strcmp(argv[1], "-d")){
>ret = dec(argv[2], argv[3], (unsigned char*)argv[4]);
>}else{
>printf("Unknown direction: %s\n",argv[1]);
>exit(0);
>}
>
>if(!ret)
>printf("Completed\n");
>else
>printf("Error:%d",ret);
>
>ERR_free_strings();
>
>return ret;
> }
>
> int enc(char* fin, char* fout, unsigned char* key){
>int ret = 0;
>
>printf("Mode ENCRYPT\n");
>
>BIO *bin = BIO_new_file(fin, "r");
>
>if(!bin){
>ret = ERR_get_error();
>printf("Decryption failed, reason:%s\n",ERR_reason_error_string(ret));
>return ret;
>}
>
>BIO *bout = BIO_new_file(fout, "w");
>
>if(!bout)
>return ERR_get_error();
>
>BIO* cipher = BIO_new(BIO_f_cipher());
>
>BIO_set_cipher(cipher, EVP_bf_ecb(), key, 0, 1);
>BIO_push(cipher, bout);
>
>void* buff = malloc(BUF_SIZE+1);
>int rlen = 0, written =0;
>
>do{
>memset(buff, 0, BUF_SIZE+1);
>if(!(rlen=BIO_read(bin, buff, sizeof(buff))) ){
>break;
>}
>
>if( (written = BIO_write(cipher, buff, (int)strlen((char*)buff)) ) <=0 ){
>ret = ERR_get_error();
>printf("Encryption failed, reason:%s\n",ERR_reason_error_string(ret));
>break;
>}
>
>}while(1);
>
>free(buff);
>BIO_flush(cipher);
>BIO_free_all(cipher);
>
>return ret;
> }
>
> int dec(char* fin, char* fout, unsigned char* key){
>int ret = 0;
>
>printf("Mode DECRYPT\n");
>BIO *bin = BIO_new_file(fin, "r");
>
>if(!bin)
>return ERR_get_error();
>
>BIO *bout = BIO_new_file(fout, "w");
>
>if(!bout)
>return ERR_get_error();
>
>BIO* cipher = BIO_new(BIO_f_cipher());
>
>BIO_set_cipher(cipher, EVP_bf_ecb(), key, 0, 0);
>BIO_push(cipher, bin);
>
>void* buff = malloc(BUF_SIZE+1);
>int rlen = 0, written =0;
>
>do{
>memset(buff, 0, BUF_SIZE+1);
>
>if(!(rlen=BIO_read(cipher, buff, sizeof(buff))) ){
>break;
>}
>
>if(!BIO_get_cipher_status(cipher)){
>  
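
The posted enc()/dec() open their files with "r"/"w" (text mode on Windows, where the C runtime rewrites every 0x0A byte it writes as 0x0D 0x0A), pass sizeof(buff), the size of a pointer, to BIO_read and strlen() to BIO_write instead of the byte count actually read, and hand the 3-byte argv string to EVP_bf_ecb(), which reads a 16-byte key from it. The Go program below is an added example, not the poster's code: it carries the real byte counts, derives a full-length key from the passphrase, simulates that line-ending rewrite on the ciphertext, and uses AES-256-GCM (an assumed substitute for Blowfish ECB) so that a corrupted file is rejected instead of quietly decrypting to different plaintext as in the Windows run above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// keyFromPass stretches the passphrase to a full AES-256 key; a plain hash stands
// in for a real KDF here (the posted program fed the raw argv string to the cipher).
func keyFromPass(pass string) []byte {
	sum := sha256.Sum256([]byte(pass))
	return sum[:]
}

func newGCM(pass string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyFromPass(pass))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt returns nonce || ciphertext || tag. len(pt) is the byte count the
// caller actually read, never strlen() and never sizeof(a pointer).
func encrypt(pt []byte, pass string) ([]byte, error) {
	gcm, err := newGCM(pass)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// decrypt reverses encrypt and fails on any altered byte instead of producing
// a different plaintext, which is what the Windows run above did.
func decrypt(ct []byte, pass string) ([]byte, error) {
	gcm, err := newGCM(pass)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// textModeWrite mimics a Windows C stream opened with "w" instead of "wb":
// every 0x0A byte written is expanded to 0x0D 0x0A, which corrupts ciphertext.
func textModeWrite(b []byte) []byte {
	return bytes.ReplaceAll(b, []byte{'\n'}, []byte{'\r', '\n'})
}

func main() {
	pt := bytes.Repeat([]byte("constructed plaintext line\n"), 300) // about 8 KiB
	ct, _ := encrypt(pt, "123")
	back, err := decrypt(ct, "123")
	fmt.Println("binary round trip intact:", err == nil && bytes.Equal(back, pt))
	_, err = decrypt(textModeWrite(ct), "123")
	fmt.Println("text-mode ciphertext rejected:", err != nil)
}
```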

Re: Debugging OpenSSL with Visual Studio

2009-10-21 Thread sandeep kiran p
Thanks Dave. I figured out how to do this. I first built a static version of
libeay32 and ssleay32 using ms\nt.mak (added /Zi and removed /Wx in CFLAGS).
I then created an empty VS2005 project and added apps\req.c, apps\apps.c and
apps\app_rand.c to the project (I had to look into the req utility; the
procedure would be similar for other tools). I then linked libeay and ssleay to
the project. Now everything built fine. But as you said, I am able to
break/step-into/display but cannot do a go-to-defn of any OpenSSL API from my
project. When I say go-to-defn, it always points to the prototype declaration
in a .h file.
Thanks,
Sandeep


On Tue, Oct 20, 2009 at 6:21 PM, Dave Thompson <
dave.thomp...@princetonpayments.com> wrote:

> >   From: owner-openssl-us...@openssl.org On Behalf Of sandeep kiran p
> >   Sent: Saturday, 17 October, 2009 02:12
>
> >   Can someone point me to the instructions that are needed to build
> > and debug OpenSSL using Visual Studio on windows? I want to navigate
> > through the code for the 'openssl req' command using VS. I've built a
> > debug version (both static and dynamic) of OpenSSL as per the instruction
> > in INSTALL.W32 doc. I have found an earlier post on a similar topic
> > http://www.mail-archive.com/openssl-users@openssl.org/msg56791.html .
> > But it just describes building a debug variant.
>
> >   The question here is, do I need to create a new VS project comprising
> > of apps/openssl.c and link libeay32.lib and ssleay32.lib libraries that
> > I have built earlier? When I did this, I see a lot of unresolved external
> > symbols (_prime_main, _ocsp_main etc) when building the solution. Is there
> > any documented procedure for accomplishing what I intend to?
>
> I don't know about documented.
>
> If you want to compile the apps/* code in VS, I think you need to
> do the whole directory; openssl.c is just a dispatcher that calls
> the other 'commands'. If you're using dynamic, I think you need
> (a copy of?) ms\applink.c also. But remember the 'apps' mostly just
> wrap the -lcrypto and/or -lssl routines, so if you need to look at
> much of what is going on, you'll probably need to debug them too.
> Unless you only want to look at API-level results.
>
> The last time I did this, 0.9.8g on VC++6.0 (yes, a while ago),
> I did commandline (nmake) build of everything including apps,
> except I manually added /Zi /Yd to cflags in nt*.mak (they used to
> be in util/pl/VC-32.pl but seem to have gotten lost somewhere);
> then I created a VS console-exe project with nothing in it, but
> in ProjectSettings Debug specified my executable (from the dir
> which also contains the .pdb, and the .dll and .pdb if not static).
> I could break/step/display fine, but go-to-defn etc. didn't work.
>
>
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: The infamous win32 X509_NAME #define problem

2009-10-18 Thread sandeep kiran p
Same here. I too faced the same issue when I was trying to build the 'req'
utility using Visual Studio. A short list of errors is below:
d:\ssl\openssl-0.9.8k\include\openssl\store.h(390) : error C2059: syntax error : 'type'
d:\ssl\openssl-0.9.8k\include\openssl\store.h(397) : error C2059: syntax error : ','
d:\ssl\openssl-0.9.8k\include\openssl\store.h(397) : error C2143: syntax error : missing ')' before '('
d:\ssl\openssl-0.9.8k\include\openssl\store.h(397) : error C2143: syntax error : missing ')' before '('
d:\ssl\openssl-0.9.8k\include\openssl\store.h(397) : error C2091: function returns function
d:\ssl\openssl-0.9.8k\include\openssl\store.h(397) : error C2091: function returns function

All these errors seem to crop up because X509_NAME and X509_EXTENSIONS were
defined in wincrypt.h, even though we seem to #undef them in x509.h for
OPENSSL_SYS_WIN32. Is there any way out?

Thanks,
Sandeep

On Fri, Oct 16, 2009 at 6:11 PM, Domingo Kiser wrote:

> Hello all,
>
> I am working on porting a linux app that depends on OpenSSL to windows
> and ran into the visual studio 2009 "c2226" unexpected type "LPCSTR".
> The order of #includes that can generate this error is shown below.
> Note that only ssl includes are used.  Adding a #undef X509_NAME after
> the rand include fixes the problem, BUT only if rand is included
> before engine.  I looked at both header files and noticed that rand
> includes windows.h, which causes the problem.  Also, engine.h includes
> rand.h.   Rand does not use the X509_NAME type within its header
> definition, but engine does.
>
> Long story short, I think rand.h should undefine X509_NAME immediately
> after its include of windows.h; this seemed to fix my problems.  The
> other solution was to include rand, undefine the name, then include
> engine.
>
> I ran into a previous post on the net to use the NOCRYPT option which
> forces visual studio to not include the windows crypto api's, which is
> ultimately the culprit in redefining X509_NAME.  This worked as well,
> but I didn't feel it was the correct solution.
>
> Chime in and let me know if I am off base here or if the rand.h header
> fix is a valid one.
>
> Code:
> #include 
> #include 
> // do the following if proposed fix to rand.h is not there
> // this only works if engine.h follows rand.h, at least In
> // my initial screwing around
> // undef X509_NAME
> #include 
> #include 
> #include 
> #include 
>
>
> Cheers,
>
> --Domingo
>


Debugging OpenSSL with Visual Studio

2009-10-16 Thread sandeep kiran p
Hi,
Can someone point me to the instructions that are needed to build and debug
OpenSSL using Visual Studio on Windows? I want to navigate through the code
for the 'openssl req' command using VS. I've built a debug version (both
static and dynamic) of OpenSSL as per the instructions in the INSTALL.W32 doc.
I have found an earlier post on a similar topic
http://www.mail-archive.com/openssl-users@openssl.org/msg56791.html . But it
just describes building a debug variant.

The question here is, do I need to create a new VS project comprising of
apps/openssl.c and link the libeay32.lib and ssleay32.lib libraries that I
have built earlier? When I did this, I see a lot of unresolved external
symbols (_prime_main, _ocsp_main etc) when building the solution. Is there
any documented procedure for accomplishing what I intend to?

Thanks,
Sandeep


Question regarding Certificate path validation

2009-10-04 Thread sandeep kiran p
Hi All,
A very quick question regarding certificate path validation. RFC 5280
mentions that path validation begins at the trust anchor and proceeds
towards the end entity certificate. The public key from the i-th certificate
is used in verifying the signature on the (i+1)-th certificate (verification
also involves checking other parameters as well). This proceeds till the end
entity certificate is reached.

But I see some online references which mention that the validation procedure
starts from the end entity certificate and proceeds towards the root CA.
Here's one of them from Mozilla.

https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#How_CA_Certificates_Are_Used_to_Establish_Trust

It mentions that the issuer of the i-th certificate is located and its
public key used to verify the signature on the i-th certificate, so the
validation seems to proceed bottom-up.

Can someone clarify which of the two methods is correct?

Thanks,
Sandeep
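
Both descriptions check the same signatures: RFC 5280 section 6 states the per-certificate checks in anchor-to-leaf order, while the Mozilla page describes the chain-building step that locates each issuer starting from the leaf. The Go program below is an added example (not from the post, the RFC or Mozilla): it constructs a root, an intermediate and an end-entity certificate in memory and validates the chain in both orders with the same signature checks.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent/parentKey, or self-signs it when
// parent is nil. The whole PKI in this example is constructed in memory.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// topDown is the RFC 5280 order: start at the trust anchor and use the public
// key of certificate i to verify the signature on certificate i+1.
func topDown(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		if !bytes.Equal(chain[i+1].RawIssuer, chain[i].RawSubject) {
			return fmt.Errorf("certificate %d is not issued by certificate %d", i+1, i)
		}
		if err := chain[i+1].CheckSignatureFrom(chain[i]); err != nil {
			return fmt.Errorf("certificate %d: %w", i+1, err)
		}
	}
	return nil
}

// bottomUp is the Mozilla-page order: start at the end entity, locate its issuer
// in the pool, verify with that issuer's key, repeat until the anchor. Same signatures.
func bottomUp(leaf, anchor *x509.Certificate, pool []*x509.Certificate) error {
	for cur := leaf; !bytes.Equal(cur.RawSubject, anchor.RawSubject); {
		var issuer *x509.Certificate
		for _, c := range pool {
			if c != cur && bytes.Equal(c.RawSubject, cur.RawIssuer) {
				issuer = c
			}
		}
		if issuer == nil {
			return fmt.Errorf("no issuer found for %q", cur.Subject.CommonName)
		}
		if err := cur.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("%q: %w", cur.Subject.CommonName, err)
		}
		cur = issuer
	}
	return nil
}

func main() {
	root, rootKey := issue("Constructed Root CA", 1, true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("server.example", 3, false, inter, interKey)
	fmt.Println("top-down:", topDown([]*x509.Certificate{root, inter, leaf}), "bottom-up:", bottomUp(leaf, root, []*x509.Certificate{leaf, inter, root}))
}
```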


Re: Anonymous DH client

2009-08-30 Thread sandeep kiran p
> why can't the client calculate the shared secret on its own ?

The client calculates the shared secret on its own when it receives the
server's public key.

> What is the point of generating the DH params and the shared key in the
> server (Bob) and sending it to the client (Alice)

The server only sends the DH parameters (P and G) and its public key to the
client. It doesn't send its shared key anywhere.

-Sandeep

On Wed, Aug 26, 2009 at 6:37 AM, Ram G  wrote:

> Thank you for your response. I hope you can help me get answers to the
> following questions -
>
>  1) Why do we need to deviate from the Diffie-Hellman Key exchange theory
> - why can't the client calculate the shared secret on its own ?
>
> 2) What is the point of generating the DH params and the shared key in the
> server (Bob) and sending it to the client (Alice) - won't it be accessible
> to an attacker when it is sent in the clear ?
>
> Thanks
>
> Ramg
>
> On Tue, Aug 25, 2009 at 4:56 PM, Dr. Stephen Henson wrote:
>
>>  On Tue, Aug 25, 2009, Ram G wrote:
>>
>> > Hi,
>> >
>> > I'm trying to use openSSL without certificates and authentication
>> through
>> > Anonymous Diffie-Hellman key exchange. I have managed to successfully
>> > exchange messages between server and client by modifying some of the
>> sample
>> > programs available with the source code.
>> >
>> > The salient features of the modified client and server test programs
>> are:
>> > 1) Not loading certificates
>> > 2) Loading the DH params in the server by reading dhparams.pem
>> > 3) Setting the cipher to ADH-AES128-SHA on both client and server
>> >
>> > I have a question regarding the DH key exchange - don't we have to load
>> DH
>> > params on the client side as well ?
>> >
>> > What I have been able to gather from online sources on DH key exchange
>> is
>> > that
>> >
>> > 1) Alice and Bob decides on the prime P and generator G
>> > 2) Alice decides on a random number X and sends G(power of X) mod P to
>> Bob
>> > 3) Bob decides on a random number Y and sends G(power of Y) mod P to
>> Alice
>> > 4) Both Bob and Alice can calculate the shared secret on their own
>> >
>> > In my test program, I did not do anything on the client side to generate
>> the
>> > shared key.
>> >
>> > I would really appreciate if someone can shed some light on how
>> anonymous DH
>> > works in OpenSSL.
>> >
>>
>> The DH parameters are supplied by the server and sent to the client during
>> the
>> handshake so the client doesn't need any DH parameters.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>>
>
>
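
The exchange the thread describes, as an added example that is not part of the original posts: the server sends only P, G and its public value, the client takes the group from that message, picks its own secret and computes the shared secret locally, and the server computes the same value from the client's public value. The 256-bit safe prime with g = 2 is a demo-sized assumption, far smaller than any group used in practice.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// ServerKeyExchange is what the server sends in the clear: the group (P, G)
// and its public value Ys. The secret exponent y never leaves the server.
type ServerKeyExchange struct{ P, G, Ys *big.Int }

// safePrime returns p = 2q+1 with q prime; bits is a demo size (see lead-in).
func safePrime(bits int) (*big.Int, error) {
	for {
		q, err := rand.Prime(rand.Reader, bits-1)
		if err != nil {
			return nil, err
		}
		p := new(big.Int).Add(new(big.Int).Lsh(q, 1), big.NewInt(1))
		if p.ProbablyPrime(20) {
			return p, nil
		}
	}
}

// secretExponent draws a private value in [2, p-2].
func secretExponent(p *big.Int) (*big.Int, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(3)))
	if err != nil {
		return nil, err
	}
	return x.Add(x, big.NewInt(2)), nil
}

// serverKeyExchange: Bob picks the parameters and his secret y and sends
// P, G and Ys = G^y mod P. Only y stays private.
func serverKeyExchange(bits int) (ServerKeyExchange, *big.Int, error) {
	p, err := safePrime(bits)
	if err != nil {
		return ServerKeyExchange{}, nil, err
	}
	g := big.NewInt(2)
	y, err := secretExponent(p)
	if err != nil {
		return ServerKeyExchange{}, nil, err
	}
	return ServerKeyExchange{P: p, G: g, Ys: new(big.Int).Exp(g, y, p)}, y, nil
}

// clientKeyExchange: Alice needs no parameters of her own. She takes P and G
// from the message, picks x, sends Yc = G^x mod P and keeps Ys^x mod P locally.
func clientKeyExchange(msg ServerKeyExchange) (*big.Int, *big.Int, error) {
	x, err := secretExponent(msg.P)
	if err != nil {
		return nil, nil, err
	}
	return new(big.Int).Exp(msg.G, x, msg.P), new(big.Int).Exp(msg.Ys, x, msg.P), nil
}

// serverShared: Bob derives the same secret from Yc and his own y.
func serverShared(msg ServerKeyExchange, y, yc *big.Int) *big.Int {
	return new(big.Int).Exp(yc, y, msg.P)
}

func main() {
	msg, y, _ := serverKeyExchange(256)
	yc, clientSecret, _ := clientKeyExchange(msg)
	fmt.Println("secrets agree:", clientSecret.Cmp(serverShared(msg, y, yc)) == 0)
}
```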


Re: PEM_read is always returning null

2009-08-20 Thread sandeep kiran p
Why don't you try something like this:
  X509* user_cert = NULL;
  if ((user_cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL)
  {
    /* Error */
  }

or with a BIO:

X509 *x = NULL;

if (!PEM_read_bio_X509(bp, &x, 0, NULL))
{
    /* Error */
}


On Tue, Aug 18, 2009 at 5:24 AM, Azlan  wrote:

>
>
>
> Azlan wrote:
> >
> > Hello everyone.. I'm working with an application in which a module should
> > read a "pem" certificate successfully. I've written 2 types of programs,
> > but both are failing (PEM_read constantly returning null).. here are my
> > codes..
> >
> >
> > #include
> > #include 
> > #include 
> > #include 
> > #include 
> > #include 
> > #include 
> > #include 
> > #include 
> > int main( int argc,char *argv[])
> > {
> > FILE *fp;
> > X509 *x=X509_new();
> > if(x==NULL)
> > printf("error\n");
> >
> > fp=fopen(argv[1],"r");
> > PEM_read_X509(fp,&x,NULL,NULL);
> > if(x==NULL)
> > printf("error reading \n");
> > else
> > printf("reading success\n");
> > fclose(fp);
> > X509_free(x);
> > return(0);
> > }
> >
> >
> > here is my second one..using "bio"
> >
> > do
> >{
> >X509 *x509Cert/*=X509_new();  result is same even if this
> > statement is X509 *x509Cert = X509_new(); */
> >BIO *cert;
> >if ((cert=BIO_new(BIO_s_file())) == NULL)
> > {
> > printf("Error Initializing BIO pointer");
> > break;
> > }
> >
> >if (BIO_read_filename(cert,argv[1]) <= 0)
> >{
> > printf("Error opening file\n");
> > break;
> >}
> >
> > if (PEM_read_bio_X509(cert,&x509Cert,NULL,NULL)!=NULL)
> > {
> >  printf("\nReading from file success!\n");
> > }
> >
> > }while(0);
> >
> > Both programs are returning "NULL " out of PEM_read.
> > Even though I found similar posts about PEM_read, none of them is solving
> > my problem.. please help me with this..
> >
> > Thank you in advance.
> >
> Sorry.. I forgot to mention something..
> In my first program, the result would be "reading success".. the problem is
> PEM_read_X509(fp,&x,NULL,NULL)
> is not returning a valid X509 into "x" (it's returning null.. you can check by
> if(PEM_read_X509(fp,&x,NULL,NULL)==NULL). Even after the call of function
> PEM_read, x has the previous value (X509_new(), which is not null). That's
> why the output is "reading success."
> Please help me getting out of this.
> Thanks.
>


Re: Creating CA certificates

2009-08-18 Thread sandeep kiran p
Can you send the commands that you are using to run s_server and s_client?

On Tue, Aug 18, 2009 at 4:43 AM, vishal saraswat <
vishalsaraswat...@gmail.com> wrote:

> Hi all,
>
> I am sorry, I forgot to tell you that the final PEM I create is composed of
> key and certificate both.
>
> cat server_key.pem server server_cert.pem > server.pem
>
> I read on some blogs that some servers require both to be in one file; that's
> why, to be on the safer side, I started following this practice. I hope it's fine.
>
> Now I suppose that once a client is successfully connected it should return
> me code as 0 and an OK message. Right? But I get return value as
> 7 (Certificate Signature Failure), 21 (Unable to verify the first
> certificate.)
>
> Are we on the same pitch?
>
> Thanks a lot.
>
> -Vishal
>
> p.s. - Can I connect multiple s_client to a single s_server ?
>
>
> On Tue, Aug 18, 2009 at 4:18 AM, Goetz Babin-Ebell wrote:
>
>> vishal saraswat schrieb:
>> | Hi Serge,
>> Hello Vishal,
>>
>> | I use the following commands to start the server and the client :
>> |
>> | Server:
>> | openssl s_server -accept // -cert //
>> You do know that the server needs the private key and the certificate to
>> work?
>> You only set the certificate file name.
>>
>>
>> Goetz
>>
>> - --
>> DMCA: The greed of the few outweighs the freedom of the many
>>
>
>


Re: Creating CA certificates

2009-08-18 Thread sandeep kiran p
You should also provide the server's private key to the "openssl s_server"
command. From above, I see that your server's private key is server-key.pem,
therefore your command should be something like:
openssl s_server -accept ** -cert ** -key server-key.pem

Here server-key.pem would be your server's private key file.

Thanks
Sandeep
On Tue, Aug 18, 2009 at 2:36 AM, vishal saraswat <
vishalsaraswat...@gmail.com> wrote:

> Hi Serge,
>
> I followed this link but landed into the same problem.
>
> I use the following commands to start the server and the client :
>
> Server:
> openssl s_server -accept ** -cert **
>
> Client:
> openssl s_client -connect localhost:**
>
> I was wondering, do I need to do anything specific for client certificate.
>
> Thanks a lot,
>
> -Vishal
>
>
> On Tue, Aug 18, 2009 at 1:53 AM, Serge Fonville 
> wrote:
>
>> I forgot,
>>
>> I used this as examples
>> http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
>>
>> Also, googling on openssl certificate authority seems to help
>>
>> On Tue, Aug 18, 2009 at 10:51 AM, Serge Fonville <
>> serge.fonvi...@gmail.com> wrote:
>>
>>> The request is signed with the ca private key.
>>> What command do you use when you start the s_server
>>>
>>> HTH
>>>
>>> Regards,
>>>
>>> Serge Fonville
>>>
>>>   On Tue, Aug 18, 2009 at 10:38 AM, vishal saraswat <
>>> vishalsaraswat...@gmail.com> wrote:
>>>
 Hi,

 To my surprise. I tried the same steps and I am getting a similar kind
 of error.

 Please help me as well, if you get a solution.

 Thanks and regards,
 Vishal


 On Tue, Aug 18, 2009 at 1:32 AM, Abhishek Kane >>> > wrote:

> Hi,
>
> I am using following steps to create Ca & server certificate :
>
> 1. Create CA certificate
> shell> openssl genrsa 2048 > ca-key.pem
> shell> openssl req -new -x509 -nodes -days 1000 \
>            -key ca-key.pem > ca-cert.pem
>
> 2. Create server certificate
> shell> openssl req -newkey rsa:2048 -days 1000 \
>            -nodes -keyout server-key.pem > server-req.pem
> shell> openssl x509 -req -in server-req.pem -days 1000 \
>            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
>
> Now, the certificates get created without any error. But when I run
> openssl s_server I get the following error:
>
> unable to load server certificate private key file
> 4174:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
>
> Are the steps correct?
>
> Thanks,
> Kane
>


>>>
>>
>


Re: RSA/DSA key bit strength

2009-08-15 Thread sandeep kiran p
openssl rsa -in key.pem -des3 -out keyout.pem
This is a command to store the RSA private key read from the key.pem file
in an encrypted form in keyout.pem. The encryption algorithm used would be
des3. It doesn't mean RSA works in modes like CBC etc.



On Thu, Aug 13, 2009 at 3:49 AM, Sudarshan Soma wrote:

> On Thu, Aug 13, 2009 at 2:22 PM,  wrote:
> >
> >>On Thu 13/08/09 4:46 AM , Sudarshan Soma sudarshan...@gmail.com sent:
> >>Hi
> >>Can anyone please clarify this data with OPENSSL 0.9.8i:
> >>
> >>RSA uses key ranges from 768-2048 and can operate only in CBC mode
> >>
> >>DSA uses key length of 1024 and operates only in CBC
> >
> > ? CBC chaining mode only applies to symmetric cipher algorithms such as
> AES and 3DES as far as I know.
> >
> > RSA uses PKCS padding, v1.5, OEAP, PSS, etc.
> >
> > DSA - no idea.
> >
> > Carl
> >
> >
> >
>
> Hi, I was just confused with the des3 option below for rsa, where we can
> encrypt public keys with des3 CBC modes or something similar to
> that.
> openssl rsa -des3
>
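
What "openssl rsa -des3" writes is the RSA key encrypted under a 3DES-CBC wrapper, recorded in the PEM "DEK-Info: DES-EDE3-CBC" header; the RSA key inside is unchanged. The Go program below is an added example, not OpenSSL's code: it produces that same legacy PEM format with Go's x509.EncryptPEMBlock, reads the wrapper cipher back out of the header, and recovers the key with the passphrase.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// encryptedKeyPEM writes an RSA private key the way "openssl rsa -des3" does:
// PKCS#1 DER inside a PEM block whose DEK-Info header names the 3DES-CBC
// wrapper. Go marks this legacy PEM encryption as deprecated; it is used here
// only to reproduce that file format.
func encryptedKeyPEM(key *rsa.PrivateKey, pass string) ([]byte, error) {
	der := x509.MarshalPKCS1PrivateKey(key)
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", der, []byte(pass), x509.PEMCipher3DES)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// cipherOfKeyFile reports which symmetric cipher protects the key file; the
// RSA key inside is the same whichever wrapper is used.
func cipherOfKeyFile(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return "none", nil
	}
	return strings.SplitN(block.Headers["DEK-Info"], ",", 2)[0], nil
}

// loadKey removes the wrapper with the passphrase and parses the RSA key.
func loadKey(pemBytes []byte, pass string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block")
	}
	der := block.Bytes
	if x509.IsEncryptedPEMBlock(block) {
		var err error
		if der, err = x509.DecryptPEMBlock(block, []byte(pass)); err != nil {
			return nil, err
		}
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	out, _ := encryptedKeyPEM(key, "constructed-passphrase")
	wrapper, _ := cipherOfKeyFile(out)
	fmt.Println("key file wrapper:", wrapper) // DES-EDE3-CBC
	back, err := loadKey(out, "constructed-passphrase")
	fmt.Println("key restored:", err == nil && back.N.Cmp(key.N) == 0)
}
```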