pkcs12_parse problem
Hi all,

I've installed openssl 0.9.8a version and I'm using new features from pkcs12_create (cert may be null). Every time I call PKCS12_parse it transforms pkey address into 0x0, so it's impossible to recover values from pk12 object. I've searched some example codes and they seem the same as mine, but...

For the moment, my code looks like:

    EVP_PKEY *pkey, *pkey1;

    /* wrap the RSA key in an EVP_PKEY */
    pkey = EVP_PKEY_new();
    if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) {
        EVP_PKEY_free(pkey);
        return NULL;
    }
    /* build a PKCS#12 holding only the key (no certificate) */
    if ((pk12 = PKCS12_create(pass, "clave", pkey, NULL, NULL, 0, 0, 0, 0, 0)) == NULL) {
        EVP_PKEY_free(pkey);
        return NULL;
    }
    ... [other things]
    /* read the key back out of the PKCS#12 */
    pkey1 = EVP_PKEY_new();
    if (PKCS12_parse(pk12, pass, &pkey1, NULL, NULL) != 1)
        return 1;
    if ((rsa = EVP_PKEY_get1_RSA(pkey1)) == NULL)
        return 1;

Any idea???

Thanks,
Alicia Asín

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: R: PKCS12_parse problem
On Fri, Oct 25, 2002, Marco Donati wrote:

> Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between
> OpenSSL_add_all_algorithms()...EVP_cleanup() calls.
>
> There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms().
>
> Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
> This could be not straightforward
>

Well let me explain a bit...

OpenSSL has an internal global table of supported algorithms (digests and ciphers). Certain operations such as PKCS12_parse() look up digests and ciphers from this table so if it can't find one it gives the error you are seeing.

Now adding and removing all ciphers whenever you use an OpenSSL command is not really recommended, it will repeatedly rebuild the table and it is not thread safe. One thread could access a partially complete table.

So ideally you should only build the table in a single threaded context before calling any OpenSSL functions and clean it up only after no further calls will be made.

However one added complication is that a change was made to OpenSSL 0.9.6g which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms() creating duplicate table entries by only making the first call work. This has a problem because EVP_cleanup() doesn't reset the flag so effectively only the first call to OpenSSL_add_all_algorithms() works.

This isn't what earlier 0.9.6X did and this will be fixed for 0.9.6h. You can get the old behaviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests().

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
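Added example, not part of the original message and not OpenSSL code: a small self-contained C model of the table-and-guard behaviour described in the reply above. It shows why the per-call add/cleanup pattern succeeds once and then fails, and why a single init at startup does not. All model_* and mylib_* names and the table contents are assumptions made for the illustration.

```c
/* Constructed model of the behaviour described in the reply above.
 * Not OpenSSL source: every model_* / mylib_* name is hypothetical. */
#include <stdio.h>
#include <string.h>

static const char *table[4];  /* stands in for the global digest/cipher table */
static int table_len;
static int added;             /* "already added" guard, as described for 0.9.6g */

static void model_add_all(void) {
    if (added) return;        /* only the first call does any work */
    added = 1;
    table[table_len++] = "SHA1";
    table[table_len++] = "DES-EDE3-CBC";
}

/* reset_guard = 0 models the 0.9.6g behaviour, 1 models the announced fix */
static void model_cleanup(int reset_guard) {
    table_len = 0;
    if (reset_guard) added = 0;
}

static int model_lookup(const char *name) {
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i], name) == 0) return 1;
    return 0;
}

/* Pattern from the thread: add, use, clean up inside every operation. */
int per_call_op(int reset_guard) {
    model_add_all();
    int ok = model_lookup("SHA1");   /* e.g. the digest a MAC check needs */
    model_cleanup(reset_guard);
    return ok;
}

/* Recommended pattern: the library exposes one init and one shutdown,
 * called from single-threaded startup and shutdown code. */
void mylib_init(void)     { model_add_all(); }
int  mylib_op(void)       { return model_lookup("SHA1"); }
void mylib_shutdown(void) { model_cleanup(1); }

int main(void) {
    int a = per_call_op(0), b = per_call_op(0);
    printf("per-call, guard not reset: first=%d second=%d\n", a, b);
    return 0;
}
```

For an intermediate library like the one in this thread, the equivalent of mylib_init() and mylib_shutdown() is what the host application would call once each, instead of wrapping every operation.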
R: PKCS12_parse problem
Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls.

There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms().

Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
This could be not straightforward

Thanks in advance

> -----Original Message-----
> From: Dr. Stephen Henson [mailto:steve@;openssl.org]
> Sent: Wednesday, 23 October 2002 18.14
> To: [EMAIL PROTECTED]
> Subject: Re: PKCS12_parse problem
>
>
> On Wed, Oct 23, 2002, Marco Donati wrote:
>
> > Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
> >
> > If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
> >
> > <<
> > 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
> > 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
> > 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
> > >>
> >
> > If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:
> >
> > <<
> > 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
> > 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
> > 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
> > >>
> >
> > Let me underline again some facts:
> >
> > 1) the first call to PKCS12_parse is ok
> >
> > 2) the PKCS12_parse calls starting from the second report the error above
> >
> > 3) if we restart the application we have the same behavior (first call OK, then errors)
> >
> > 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
> >
> > 5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like
> >
>
> Are you calling EVP_cleanup() in between calls?
>
> You should really only call OpenSSL_add_all_algorithms() once on application
> startup and EVP_cleanup() when it shuts down.
>
> Steve.
> --
> Dr. Stephen Henson [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
Re: PKCS12_parse problem
On Wed, Oct 23, 2002, Marco Donati wrote:

> Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
>
> If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
>
> <<
> 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
> 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
> 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
> >>
>
> If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:
>
> <<
> 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
> 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
> 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
> >>
>
> Let me underline again some facts:
>
> 1) the first call to PKCS12_parse is ok
>
> 2) the PKCS12_parse calls starting from the second report the error above
>
> 3) if we restart the application we have the same behavior (first call OK, then errors)
>
> 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
>
> 5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like
>

Are you calling EVP_cleanup() in between calls?

You should really only call OpenSSL_add_all_algorithms() once on application startup and EVP_cleanup() when it shuts down.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
PKCS12_parse problem
Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.

If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:

<<
5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
>>

If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:

<<
5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
>>

Let me underline again some facts:

1) the first call to PKCS12_parse is ok

2) the PKCS12_parse calls starting from the second report the error above

3) if we restart the application we have the same behavior (first call OK, then errors)

4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)

5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like ''X509_verify(userCert,X509_extract_key(CACert))'' or ''X509_CRL_verify(crl,pubKey)'' that returned no error with the same files/data using OpenSSL 0.9.6c

Help! :-)

----- Original Message -----

Don't you also have to call

    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
    ERR_load_crypto_strings();

? I had to. And I think there's a replacement in 0.9.7 IIRC.

----- Original Message -----
From: "Francesco Dal Bello" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 11:44 AM
Subject: R: PKCS12_parse problem

On Wed, Oct 16, 2002, Dr. Stephen Henson wrote:

> What error do you get (see FAQ)?
These are the errors reported:

21153:error:06074079:lib(6):func(116):reason(121):evp_pbe.c:89:TYPE=pbeWithSHA1And3-KeyTripleDES-CBC
21153:error:23077073:lib(35):func(119):reason(115):p12_decr.c:82:
21153:error:2306A075:lib(35):func(106):reason(117):p12_decr.c:121:
21153:error:23076072:lib(35):func(118):reason(114):p12_kiss.c:127:

> Are you calling OpenSSL_add_all_algorithms() more than once?

My function is like the following:

    int MyFunc()
    {
        /* algorithm table is built on every call ... */
        OpenSSL_add_all_algorithms();
        SSL_load_error_strings();
        ...
        if (!PKCS12_parse(p12, passphrase, &prkey, NULL, NULL)) {
            /* error handling */
            ERR_print_errors_fp(stderr);
        }
        ...
        /* ... and torn down again before returning */
        EVP_cleanup();
    }

The first call to this function is OK. Subsequent calls cause the error above.

Thanks in advance.

Francesco.

-----Original Message-----
From: Dr. Stephen Henson [mailto:steve@;openssl.org]
Sent: Wednesday, 16 October 2002 23.53
To: [EMAIL PROTECTED]
Subject: Re: PKCS12_parse problem

On Wed, Oct 16, 2002, Francesco Dal Bello wrote:

>
> Greetings.
>
> I recently re-compiled my application with OpenSSL 0.9.6g (it was previously linked with 0.9.6c).
>
> I have a problem with the ''PKCS12_parse'' function that I didn't have before (platform is Solaris 8).
>
> If my application calls ''PKCS12_parse'' more than once (at different moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL SUCCEEDS.
> Calls after the first return 0.
>
> Since I'm only interested in extracting the private key, my call is like:
>
> if (!PKCS12_parse(p12, passphrase, &prkey, NULL,NULL))
> error handling
>
> This problem didn't happen with 0.9.6c.
>
> I'm quite sure that the p12 argument is a valid pointer to a PKCS#12 structure because every time I :
>
> open the key file (abort if it fails),
>
> read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it fails)
>
> close the key file
>
> call the PKCS12_parse
>
>
> Any hint, FAQ or known problem?
>

What error do you get (see FAQ)?

Are you calling OpenSSL_add_all_algorithms() more than once?
I've seen this reported before but couldn't reproduce it myself.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
PKCS12_parse problem
Greetings.

I recently re-compiled my application with OpenSSL 0.9.6g (it was previously linked with 0.9.6c).

I have a problem with the ''PKCS12_parse'' function that I didn't have before (platform is Solaris 8).

If my application calls ''PKCS12_parse'' more than once (at different moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL SUCCEEDS.
Calls after the first return 0.

Since I'm only interested in extracting the private key, my call is like:

    if (!PKCS12_parse(p12, passphrase, &prkey, NULL,NULL))
        error handling

This problem didn't happen with 0.9.6c.

I'm quite sure that the p12 argument is a valid pointer to a PKCS#12 structure because every time I :

    open the key file (abort if it fails),
    read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it fails)
    close the key file
    call the PKCS12_parse

Any hint, FAQ or known problem?

Thanks in advance

Francesco