Re: Loading raw EC and RSA keys with OpenSSL 3

2022-08-24 Thread Jonathan Wernberg
Tomas Mraz wrote:
> Jonathan Wernberg wrote:
>> Hi openssl-users mailing list.
>> 
>> We are having some troubles converting some code from OpenSSL 1.x to
>> OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope
>> someone may be able to give us some hints in the right direction.
>> 
>> One thing we want to do is to convert an EC private key from raw
>> format into a EVP_PKEY. Today we do as below (error checking, freeing
>> and secure memory context things removed for brevity, private key is
>> in "privkey" and curve in "nid"):
>> 
>> BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>> EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
>> const EC_GROUP *group = EC_KEY_get0_group(eckey);
>> EC_POINT *pubkey_point = EC_POINT_new(group);
>> EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>> EC_KEY_set_private_key(eckey, privkey_bn);
>> EC_KEY_set_public_key(eckey, pubkey_point);
>> EVP_PKEY *pkey = EVP_PKEY_new();
>> EVP_PKEY_assign_EC_KEY(pkey, eckey);
>> 
>> Basically we chained a lot of operations because we could not find
>> any single function that did it for us. Some of these operations are
>> now deprecated, such as the EC_KEY ones. We tried experimenting with
>> the OSSL fromdata() function instead (omitted the mapping from "nid"
>> to "sn" for brevity):
>> 
>> BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
>> EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
>> EC_POINT *pubkey_point = EC_POINT_new(group);
>> EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
>> unsigned char pubkey_buf[65]; // size just an example
>> EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
>> pubkey_buf, sizeof(pubkey_buf), NULL);
>> OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>> OSSL_PARAM_BLD_push_utf8_string(param_bld,
>> OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
>> OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
>> privkey_bn);
>> OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
>> pubkey_buf, sizeof(pubkey_buf));
>> OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
>> EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
>> EVP_PKEY_fromdata_init(ctx);
>> EVP_PKEY *pkey = NULL;
>> EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
>> EVP_PKEY_CTX_free(ctx);
>> ctx = EVP_PKEY_CTX_new(pkey, NULL);
>> EVP_PKEY_check(ctx);
>> 
>> Although it works, it does not feel right. We ended up chaining many
>> more operations than before. Our understanding was that the new
>> OpenSSL 3.x API was redesigned partially to remove low-level
>> manipulations like these. We have looked though both the migration
>> document and the reference API without finding anything that does our
>> job better. OSSL_DECODERs as frequently suggested in the migration
>> documentation do not seem to support raw EC key formats at all. The
>> EVP_PKEY_new_raw_private_key() functions mentioned in the reference
>> API does not appear to support NIST P curves, according to the
>> documentation. The OSSL fromdata() way above does not calculate the
>> public key from the private one itself, nor does it verify that the
>> points are on the curve, and we are uncertain if there are anything
>> else it does not do that we need to do to not compromise security. We
>> could use d2i_PrivateKey() or d2i_AutoPrivateKey(), which both seem
>> to read in the key data in a secure way and derive the public part
>> automatically. But that way would require us to implement custom
>> logic in our code to manually put together DER data from the raw key
>> data, for multiple curve types.
>> 
>> What is the recommended and safe way to read in an EC private key
>> from raw format into an EVP_PKEY object ready to be used?
>> 
>> Another thing we want to do is to convert an RSA public key from raw
>> modulus and exponent components into proper DER encoded
>> SubjectPublicKeyInfo data. Today we piggyback on OpenSSL to
>> accomplish this like this:
>> 
>> BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>> BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>> RSA *rsa = RSA_new();
>> RSA_set0_key(rsa, n, e, NULL);
>> int data_len = i2d_RSA_PUBKEY(rsa, NULL);
>> uint8_t *data_buf = malloc((size_t)data_len);
>> uint8_t *pdata = data_buf;
>> data_len = i2d_RSA_PUBKEY(rsa, &pdata);
>> 
>> However, some of those functions are now deprecated. Unfortunately
>> our best attempt with OpenSSL 3.x compatible APIs ended up being this
>> comparably long sequence of operations:
>> 
>> BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
>> BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
>> EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
>> OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
>> OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n);
>> OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e);
>> OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
>> EVP_PKEY_fromdata_init(ctx);
>> EVP_PKEY *pkey = 

Re: Loading raw EC and RSA keys with OpenSSL 3

2022-08-23 Thread Tomas Mraz
On Tue, 2022-08-23 at 12:09 +, Jonathan Wernberg wrote:
> TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to
> read in an EC private key from raw format into an EVP_PKEY object
> ready to be used? What is the easiest way to convert an RSA public
> key from raw modulus and exponent components to proper DER encoded
> SubjectPublicKeyInfo data?
> 
> Hi openssl-users mailing list.
> 
> We are having some troubles converting some code from OpenSSL 1.x to
> OpenSSL 3.x APIs, to get rid of deprecation warnings, and hope
> someone may be able to give us some hints in the right direction.
> 
> One thing we want to do is to convert an EC private key from raw
> format into a EVP_PKEY. Today we do as below (error checking, freeing
> and secure memory context things removed for brevity, private key is
> in "privkey" and curve in "nid"):
> 
> BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
> EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
> const EC_GROUP *group = EC_KEY_get0_group(eckey);
> EC_POINT *pubkey_point = EC_POINT_new(group);
> EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
> EC_KEY_set_private_key(eckey, privkey_bn);
> EC_KEY_set_public_key(eckey, pubkey_point);
> EVP_PKEY *pkey = EVP_PKEY_new();
> EVP_PKEY_assign_EC_KEY(pkey, eckey);
> 
> Basically we chained a lot of operations because we could not find
> any single function that did it for us. Some of these operations are
> now deprecated, such as the EC_KEY ones. We tried experimenting with
> the OSSL fromdata() function instead (omitted the mapping from "nid"
> to "sn" for brevity):
> 
> BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
> EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
> EC_POINT *pubkey_point = EC_POINT_new(group);
> EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
> unsigned char pubkey_buf[65]; // size just an example
> EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
> pubkey_buf, sizeof(pubkey_buf), NULL);
> OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
> OSSL_PARAM_BLD_push_utf8_string(param_bld,
> OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
> OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
> privkey_bn);
> OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
> pubkey_buf, sizeof(pubkey_buf));
> OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
> EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
> EVP_PKEY_fromdata_init(ctx);
> EVP_PKEY *pkey = NULL;
> EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
> EVP_PKEY_CTX_free(ctx);
> ctx = EVP_PKEY_CTX_new(pkey, NULL);
> EVP_PKEY_check(ctx);
> 
> Although it works, it does not feel right. We ended up chaining many
> more operations than before. Our understanding was that the new
> OpenSSL 3.x API was redesigned partially to remove low-level
> manipulations like these. We have looked though both the migration
> document and the reference API without finding anything that does our
> job better. OSSL_DECODERs as frequently suggested in the migration
> documentation do not seem to support raw EC key formats at all. The
> EVP_PKEY_new_raw_private_key() functions mentioned in the reference
> API does not appear to support NIST P curves, according to the
> documentation. The OSSL fromdata() way above does not calculate the
> public key from the private one itself, nor does it verify that the
> points are on the curve, and we are uncertain if there are anything
> else it does not do that we need to do to not compromise security. We
> could use d2i_PrivateKey() or d2i_AutoPrivateKey(), which both seem
> to read in the key data in a secure way and derive the public part
> automatically. But that way would require us to implement custom
> logic in our code to manually put together DER data from the raw key
> data, for multiple curve types.
> 
> What is the recommended and safe way to read in an EC private key
> from raw format into an EVP_PKEY object ready to be used?
> 
> Another thing we want to do is to convert an RSA public key from raw
> modulus and exponent components into proper DER encoded
> SubjectPublicKeyInfo data. Today we piggyback on OpenSSL to
> accomplish this like this:
> 
> BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
> BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
> RSA *rsa = RSA_new();
> RSA_set0_key(rsa, n, e, NULL);
> int data_len = i2d_RSA_PUBKEY(rsa, NULL);
> uint8_t *data_buf = malloc((size_t)data_len);
> uint8_t *pdata = data_buf;
> data_len = i2d_RSA_PUBKEY(rsa, &pdata);
> 
> However, some of those functions are now deprecated. Unfortunately
> our best attempt with OpenSSL 3.x compatible APIs ended up being this
> comparably long sequence of operations:
> 
> BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
> BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
> EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
> OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
> 

Loading raw EC and RSA keys with OpenSSL 3

2022-08-23 Thread Jonathan Wernberg
TL;DR: With OpenSSL 3.x API, what is the recommended and safe way to read in an 
EC private key from raw format into an EVP_PKEY object ready to be used? What 
is the easiest way to convert an RSA public key from raw modulus and exponent 
components to proper DER encoded SubjectPublicKeyInfo data?

Hi openssl-users mailing list.

We are having some troubles converting some code from OpenSSL 1.x to OpenSSL 
3.x APIs, to get rid of deprecation warnings, and hope someone may be able to 
give us some hints in the right direction.

One thing we want to do is to convert an EC private key from raw format into a 
EVP_PKEY. Today we do as below (error checking, freeing and secure memory 
context things removed for brevity, private key is in "privkey" and curve in 
"nid"):

BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
EC_KEY *eckey = EC_KEY_new_by_curve_name(nid);
const EC_GROUP *group = EC_KEY_get0_group(eckey);
EC_POINT *pubkey_point = EC_POINT_new(group);
EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
EC_KEY_set_private_key(eckey, privkey_bn);
EC_KEY_set_public_key(eckey, pubkey_point);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_EC_KEY(pkey, eckey);

Basically we chained a lot of operations because we could not find any single 
function that did it for us. Some of these operations are now deprecated, such 
as the EC_KEY ones. We tried experimenting with the OSSL fromdata() function 
instead (omitted the mapping from "nid" to "sn" for brevity):

BIGNUM *privkey_bn = BN_bin2bn(privkey, privkey_len, NULL);
EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
EC_POINT *pubkey_point = EC_POINT_new(group);
EC_POINT_mul(group, pubkey_point, privkey_bn, NULL, NULL, NULL);
unsigned char pubkey_buf[65]; // size just an example
EC_POINT_point2oct(group, pubkey_point, POINT_CONVERSION_UNCOMPRESSED,
pubkey_buf, sizeof(pubkey_buf), NULL);
OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_PKEY_PARAM_GROUP_NAME, sn, 0);
OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, privkey_bn);
OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_PKEY_PARAM_PUB_KEY, 
pubkey_buf, sizeof(pubkey_buf));
OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
EVP_PKEY_fromdata_init(ctx);
EVP_PKEY *pkey = NULL;
EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params);
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new(pkey, NULL);
EVP_PKEY_check(ctx);

Although it works, it does not feel right. We ended up chaining many more 
operations than before. Our understanding was that the new OpenSSL 3.x API was 
redesigned partially to remove low-level manipulations like these. We have 
looked though both the migration document and the reference API without finding 
anything that does our job better. OSSL_DECODERs as frequently suggested in the 
migration documentation do not seem to support raw EC key formats at all. The 
EVP_PKEY_new_raw_private_key() functions mentioned in the reference API does 
not appear to support NIST P curves, according to the documentation. The OSSL 
fromdata() way above does not calculate the public key from the private one 
itself, nor does it verify that the points are on the curve, and we are 
uncertain if there are anything else it does not do that we need to do to not 
compromise security. We could use d2i_PrivateKey() or d2i_AutoPrivateKey(), 
which both seem to read in the key data in a secure way and derive the public 
part automatically. But that way would require us to implement custom logic in 
our code to manually put together DER data from the raw key data, for multiple 
curve types.

What is the recommended and safe way to read in an EC private key from raw 
format into an EVP_PKEY object ready to be used?

Another thing we want to do is to convert an RSA public key from raw modulus 
and exponent components into proper DER encoded SubjectPublicKeyInfo data. 
Today we piggyback on OpenSSL to accomplish this like this:

BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
RSA *rsa = RSA_new();
RSA_set0_key(rsa, n, e, NULL);
int data_len = i2d_RSA_PUBKEY(rsa, NULL);
uint8_t *data_buf = malloc((size_t)data_len);
uint8_t *pdata = data_buf;
data_len = i2d_RSA_PUBKEY(rsa, &pdata);

However, some of those functions are now deprecated. Unfortunately our best 
attempt with OpenSSL 3.x compatible APIs ended up being this comparably long 
sequence of operations:

BIGNUM *n = BN_bin2bn(modulus, (int)modulus_len, NULL);
BIGNUM *e = BN_bin2bn(exponent, (int)exponent_len, NULL);
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n);
OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e);
OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
EVP_PKEY_fromdata_init(ctx);
EVP_PKEY *pkey = NULL;

Re: Larger RSA keys (Modulus bits > 16384)

2021-12-26 Thread Phillip Hallam-Baker
The RSA algorithm will work with keys of any length and longer is stronger.

But less than 2048 is not acceptably secure by today's standards and the
sad part is that going beyond 2048 bits doesn't improve it by very much.

Add one bit to the key size of a symmetric cipher like AES and you double
the work factor. Go from 128 bits to 192 and your work factor increases by
2^64 times. That is really big.

Add one bit to an RSA key size and the result is barely noticeable. And the
longer the keys get, the less effect extra bits have.

2024 is considered equivalent to a 2^112 work factor
3072 gets you to roughly 2^128

So 50% more bits, 10424 of them buys you a measly 2^16 improvement.

To get to a 2^256 bit work factor you need 15360 bits.

Your computation times go up with the square of the number of bits and
bignum libraries tend to be limited to 16K bits. There really isn't a good
reason to go beyond 16K and a lot of stuff is going to break.


On Sun, Dec 26, 2021 at 10:22 AM Grégory Widmer via openssl-users <
openssl-users@openssl.org> wrote:

> Dear OpenSSL users,
>
> I have a question about OpenSSL. Recently, I asked myself if there was a
> maximum bit length for the modulus of a RSA key.
>
> I tried to type :
>
> user@host:~$ openssl genrsa 32768
> Warning: It is not recommended to use more than 16384 bit for RSA keys.
>  Your key size is 32768! Larger key size may behave not as
> expected.
> Generating RSA private key, 32768 bit long modulus (2 primes)
>
> I got this warning, and I wonder why a larger key size may behave not as
> expected.
>
> Could anyone explain or give resources on why this doesn't work ?
>
> My guess is that, having the following : (M = message, C = Ciphered)
>
> If M^e is < n, we could easily compute the original message ?
>
> Also, I want to apologize if my question is redundant, I tried to search
> on GitHub and through the mailing list, but there is no search feature in
> the mailing list.
>
> Have a nice day !
>
> Grégory Widmer
>
>
> PS : This question is for knowledge purpose only, I don't use RSA keys
> anymore (except with GPG), I prefer ECC :)
>


Re: Larger RSA keys (Modulus bits > 16384)

2021-12-26 Thread Jakob Bohm via openssl-users

On 26/12/2021 16:21, Grégory Widmer via openssl-users wrote:
> Dear OpenSSL users,
>
> I have a question about OpenSSL. Recently, I asked myself if there was
> a maximum bit length for the modulus of a RSA key.
>
> I tried to type :
>
> user@host:~$ openssl genrsa 32768
> Warning: It is not recommended to use more than 16384 bit for RSA keys.
>  Your key size is 32768! Larger key size may behave not as
> expected.
> Generating RSA private key, 32768 bit long modulus (2 primes)
>
> I got this warning, and I wonder why a larger key size may behave not
> as expected.

I don't know, but maybe it is a reference to other RSA libraries not working
with keys larger than 2 Kibibytes.  In particular the GPG documentation warns
that using larger RSA or DH keys is much less efficient in terms of security
overhead that they recommend ECC instead.

However only the author of that warning message can answer why they wrote it.

> Could anyone explain or give resources on why this doesn't work ?
>
> My guess is that, having the following : (M = message, C = Ciphered)
>
> C = M^e ≡ n
>
> e = 65537
>
> n = p X q
>
> If M^e is < n, we could easily compute the original message ?

In general the formula is C = (M^e % n) also written as C ≡ M^e (mod n),
I am not sure why you used the ≡ congruence symbol as a modulus operator
(% in C, C++ etc. mod in many textbooks).

Also, many systems for using RSA pad M to enough bits that M^e > n, thus
ensuring that the modulo operation affects the result.  In particular,
both versions of PKCS#1 do that in different ways.  There was an
unfortunate ISO standard that forgot to do that and it was found to be
insecure.

For signing, the keys are swapped so S = (M^d % n) or S ≡ M^d (mod n),
where d is the secret key, while the recipient checks that M ≡ S^e (mod n)
or that M2 = (S^e % n) can be securely unpadded back to the actual M.

> Also, I want to apologize if my question is redundant, I tried to
> search on GitHub and through the mailing list, but there is no search
> feature in the mailing list.
>
> Have a nice day !
>
> Grégory Widmer
>
> PS : This question is for knowledge purpose only, I don't use RSA keys
> anymore (except with GPG), I prefer ECC :)




--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Larger RSA keys (Modulus bits > 16384)

2021-12-26 Thread Grégory Widmer via openssl-users

Dear OpenSSL users,

I have a question about OpenSSL. Recently, I asked myself if there was a 
maximum bit length for the modulus of a RSA key.


I tried to type :

user@host:~$ openssl genrsa 32768
Warning: It is not recommended to use more than 16384 bit for RSA keys.
 Your key size is 32768! Larger key size may behave not as 
expected.

Generating RSA private key, 32768 bit long modulus (2 primes)

I got this warning, and I wonder why a larger key size may behave not as 
expected.


Could anyone explain or give resources on why this doesn't work ?

My guess is that, having the following : (M = message, C = Ciphered)

If M^e is < n, we could easily compute the original message ?

Also, I want to apologize if my question is redundant, I tried to search 
on GitHub and through the mailing list, but there is no search feature 
in the mailing list.


Have a nice day !

Grégory Widmer


PS : This question is for knowledge purpose only, I don't use RSA keys 
anymore (except with GPG), I prefer ECC :)




Re: [openssl-users] DTLS Server with support for both EC and RSA keys

2017-02-06 Thread Matt Caswell


On 04/02/17 22:23, Suman Paul wrote:
> Hi,
> 
> I have a server that implements DTLS using OpenSSL 1.0.1 but supports
> only RSA keys as of today. I want to add support to this server to
> accept EC keys to be able to implement the newer ECDHE-ECDSA cipher
> suites while retaining support for RSA. Any pointers as to how to go
> about this?
> 
> What I believe is that each kind of key would need a different
> SSL_CTX object. So I want to switch to the correct context for the
> SSL session as per the cipher supported by the client (maybe from the
> cipher list advertised in the ClientHello). Is that the best way of
> implementing this?

No. You can add both the RSA certificate and the ECDSA certificate to
the same SSL_CTX. Just call one of the SSL_CTX_use_certificate*()
functions twice - once for each certificate type.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] DTLS Server with support for both EC and RSA keys

2017-02-04 Thread Suman Paul
Hi,

I have a server that implements DTLS using OpenSSL 1.0.1 but supports only RSA 
keys as of today. I want to add support to this server to accept EC keys to be 
able to implement the newer ECDHE-ECDSA cipher suites while retaining support 
for RSA. Any pointers as to how to go about this? 

What I believe is that each kind of key would need a different SSL_CTX object. 
So I want to switch to the correct context for the SSL session as per the 
cipher supported by the client (maybe from the cipher list advertised in the 
ClientHello). Is that the best way of implementing this?

Thanks
Suman



Re: [openssl-users] Protecting RSA keys

2015-11-13 Thread Sergio Magra
Hi everybody,

I'm new with OpenSSL and I have some questions.

The thing is that several RSA key pairs (each one for a
different user) will be stored in a shared secured location (Safenet HSM).
As the key pairs will be stored in the same place, we are looking for a way
to ensure that one user is able to use only its own key pair, and not the
key pair of another user.

In this way, I'm thinking on a passphrase to protect the
private key, so when the user needs to use its key pair for signing or
encrypting, he must provide the passphrase. As he knows its passphrase and
not the passphrase of the other key pairs, he is able to use only its own
key pair.

Until now, the theory. I don't know if I'm right.

Supposing that I'm right, I tried to generate protected key
pairs, but when using them, I'm never prompted for the passphrase. So, I'm
able to use any of the keys created, instead of using only my own key.

Can you help me with this issue?

Thanks in advance

Best regards

Sergio Magra



[openssl-users] Protecting RSA keys

2015-11-12 Thread Sergio Magra
Hi everybody,

I'm new with OpenSSL and I have some questions.

The thing is that several RSA key pairs (each one for a
different user) will be stored in a shared secured location. As the key
pairs will be stored in the same place, we are looking for a way to ensure
that one user is able to use only its own key pair, and not the key pair of
another user.

In this way, I'm thinking on a passphrase to protect the
private key, so when the user needs to use its key pair for signing or
encrypting, he must provide the passphrase. As he knows its passphrase and
not the passphrase of the other key pairs, he is able to use only its own
key pair.

Until now, the theory. I don't know if I'm right.

If yes, I tried to generate protected key pairs, but when
using them, I'm never prompted for the passphrase. So, I'm able to use any
of the keys created.

Can you help me with this issue?

Thanks in advance

Best regards

Sergio Magra



Secure storage of private (RSA) keys

2014-04-11 Thread Salz, Rich
Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds 
a secure arena that is used to store RSA private keys.  This arena is mmap'd, 
with guard pages before and after so pointer over- and under-runs won't wander 
into it. It's also locked into memory so it doesn't appear on disk, and when 
possible it's also kept out of core files.  This patch is a variant of what 
we've been using to help protect customer keys for a decade.



This should really be considered more of a proof of concept than something that 
you want to put directly into production. It slides into the ASN1 code rather 
than adding a new API (OPENSSL_secure_allocate et al), the overall code isn't 
portable, and so on. If there is community interest, we would be happy to help 
work on addressing those issues.  Let me restate that: *do not just take this 
patch and put it into production without careful review.*



OpenSSL is important to us, and this is the first of what we hope will be 
several significant contributions in the near future.



Thanks.



/r$


--
Principal Security Engineer
Akamai Technology
Cambridge, MA


diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/Makefile 
openssl-1.0.1g/crypto/Makefile
--- openssl-1.0.1g.orig/crypto/Makefile 2014-04-10 13:11:56.0 -0400
+++ openssl-1.0.1g/crypto/Makefile  2014-04-10 13:02:39.0 -0400
@@ -35,14 +35,16 @@
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC=cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c 
cpt_err.c \
-   ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+   ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \
+   secure_malloc.c buddy_allocator.c
 LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
-   uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
+   uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o 
$(CPUID_OBJ) \
+   secure_malloc.o buddy_allocator.o
 
 SRC= $(LIBSRC)
 
 EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
-   ossl_typ.h
+   ossl_typ.h secure_malloc.h
 HEADER=cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h 
$(EXHEADER)
 
 ALL=$(GENERAL) $(SRC) $(HEADER)
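Review bot: secure_malloc.c and buddy_allocator.c are added to LIBSRC and LIBOBJ unconditionally, while the cover message says the code isn't portable, so every platform would now try to compile the mmap-based allocator. Put the two sources behind a configure-time option or give them a fallback path. Listing secure_malloc.h under EXHEADER also installs it as a public header; since the message says no new API is being introduced yet, HEADER would keep it internal until the interface settles.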
diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c 
openssl-1.0.1g/crypto/asn1/tasn_dec.c
--- openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c  2014-03-17 12:14:20.0 
-0400
+++ openssl-1.0.1g/crypto/asn1/tasn_dec.c   2014-04-10 16:32:23.0 
-0400
@@ -169,6 +169,11 @@
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+
+int ak_is_rsa_key  = 0; /* Are we parsing an RSA key? */
+int ak_is_secure_field = 0; /* should this field be allocated from the 
secure arena? */
+int ak_is_arena_active = 0; /* was the secure arena already activated? 
*/
+
if (!pval)
return 0;
if (aux  aux-asn1_cb)
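Review bot: the three ak_ flags declared at the top of this function put RSA-specific state into the generic template decoder, and the comment on ak_is_arena_active ("was the secure arena already activated?") describes something inherited from the caller rather than something this function sets. A name such as ak_arena_was_active would match the comment, and one line on why nested activation matters would help the next reader.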
@@ -407,6 +412,11 @@
if (asn1_cb  !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
 
+/* Watch out for this when OpenSSL is upgraded! */
+/* We have to be sure that it-sname will still be RSA */
+if (it-sname[0] == 'R'  it-sname[1] == 'S'  it-sname[2] 
== 'A'  it-sname[3] == 0)
+ak_is_rsa_key = 1;
+
/* Get each field entry */
for (i = 0, tt = it-templates; i  it-tcount; i++, tt++)
{
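Review bot: the test on it->sname dereferences the pointer without checking it for NULL and compares it one character at a time; strcmp(it->sname, "RSA") == 0 behind a NULL test says the same thing more safely. As the hunk's own comment admits, keying on the template name is fragile: a rename in a later release would switch the protection off with no build or runtime error, so a test that fails when no field lands in the arena would be worth adding.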
@@ -445,8 +455,30 @@
/* attempt to read in field, allowing each to be
 * OPTIONAL */
 
+ 
+/* Watch out for this when OpenSSL is upgraded! */
+/* We have to be sure that seqtt-field_name will 
still be */
+/* d, p, and q */
+ak_is_secure_field = 0;
+ak_is_arena_active = 0;
+if (ak_is_rsa_key)
+{
+/* ak_is_rsa_key is set for public keys too */
+/* however those don't have these variables */
+const char *f = seqtt-field_name;
+if ((f[0] == 'd' || f[0] == 'p' || f[0] == 
'q')  f[1] == 0)
+{
+ak_is_secure_field = 1;
+ak_is_arena_active = 
start_secure_allocation();
+}
+}
+
ret = asn1_template_ex_d2i(pseqval, p, len,
seqtt, isopt, ctx);
+ 
+if (ak_is_secure_field  !ak_is_arena_active)
+stop_secure_allocation();
+ 
if (!ret)
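Review bot: f = seqtt->field_name is indexed as f[0] and f[1] with no NULL check, and only the fields named d, p and q are routed to the secure arena, so any other private component in the RSA template would still come from the ordinary heap; list every field that has to be protected. The stop condition also relies on start_secure_allocation() returning non-zero when the arena was already active, which nothing here documents; a comment stating that return contract would make the "ak_is_secure_field && !ak_is_arena_active" test readable.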
   

Re: Secure storage of private (RSA) keys

2014-04-11 Thread Hannes Frederic Sowa
Hello!

On Fri, Apr 11, 2014 at 01:22:21PM -0400, Salz, Rich wrote:
> Akamai Technologies is pleased to offer the following patch to OpenSSL. It
> adds a secure arena that is used to store RSA private keys.  This arena is
> mmap'd, with guard pages before and after so pointer over- and under-runs
> won't wander into it. It's also locked into memory so it doesn't appear on
> disk, and when possible it's also kept out of core files.  This patch is a
> variant of what we've been using to help protect customer keys for a decade.

Have you thought about mprotecting the guard pages with
mprotect(PROT_NONE) so the application crashes in case of a stray
memory access?

Thanks,

  Hannes

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: Secure storage of private (RSA) keys

2014-04-11 Thread Salz, Rich
> Have you thought about mprotecting the guard pages with
> mprotect(PROT_NONE) so the application crashes in case of a stray memory
> access?

Yes, rats.  My message implied that we do that.  And I then posted the wrong 
version of the code. :(

Here's the right version of cmm_init.

/r$ 

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

void *
cmm_init(int size, int mem_min_unit, int overrun_bytes)
{
    int i;
    size_t pgsize = (size_t)sysconf(_SC_PAGE_SIZE);
    size_t aligned = (pgsize + size + (pgsize - 1)) & ~(pgsize - 1);

    mem_arena_size = size;
    Mem_min_unit   = mem_min_unit;
    Overrun_bytes  = overrun_bytes;
    /* make sure mem_arena_size and Mem_min_unit are powers of 2 */
    assert(mem_arena_size > 0);
    assert(mem_min_unit > 0);
    assert(0 == ((mem_arena_size-1)&mem_arena_size));
    assert(0 == ((Mem_min_unit-1)&Mem_min_unit));

    cmm_bittable_size = (mem_arena_size/Mem_min_unit) * 2;

    i = cmm_bittable_size;
    cmm_max_free_lists = -1;
    while(i) {
        i>>=1;
        cmm_max_free_lists++;
    }

    cmm_free_list = malloc(cmm_max_free_lists * sizeof(void *));
    assert(cmm_free_list);
    memset(cmm_free_list, 0, cmm_max_free_lists*sizeof(void *));

    cmm_bittable = malloc(cmm_bittable_size>>3);
    assert(cmm_bittable);
    memset(cmm_bittable, 0, cmm_bittable_size>>3);

    cmm_bitmalloc = malloc(cmm_bittable_size>>3);
    assert(cmm_bitmalloc);
    memset(cmm_bitmalloc, 0, cmm_bittable_size>>3);

    cmm_arena = mmap(NULL, pgsize + mem_arena_size + pgsize,
                     PROT_READ|PROT_WRITE,
                     MAP_ANON|MAP_PRIVATE, 0, 0);
    assert(MAP_FAILED != cmm_arena);
    mprotect(cmm_arena, pgsize, PROT_NONE);
    mprotect(cmm_arena + aligned, pgsize, PROT_NONE);
    set_bit(cmm_arena, 0, cmm_bittable);
    cmm_add_to_list(&cmm_free_list[0], cmm_arena);

    /* first bit means that table is in use, multi-arena management */
    /* SETBIT(cmm_bittable, 0); */

    return cmm_arena;
}
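
The guard-page layout discussed in this thread, as a stand-alone added example (not the cmm_* allocator posted above and not OpenSSL code). The names guarded_arena_init, guarded_arena_free and probe_write are hypothetical; the example maps a low guard page, the usable pages and a high guard page, and uses a forked child to show that a one-byte underrun or overrun faults while in-bounds writes succeed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANON on glibc */
#endif
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this example; not the cmm_* allocator above. */
struct guarded_arena {
    unsigned char *map;     /* start of the mapping = low guard page   */
    unsigned char *base;    /* first usable byte, one page above map   */
    size_t         usable;  /* usable bytes, rounded up to whole pages */
    size_t         pgsize;
};

/* Map [guard page][usable pages][guard page]. Returns 0 on success. */
int guarded_arena_init(struct guarded_arena *a, size_t size)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *m;

    if (pg <= 0 || size == 0)
        return -1;
    a->pgsize = (size_t)pg;
    a->usable = (size + a->pgsize - 1) & ~(a->pgsize - 1);
    m = mmap(NULL, a->usable + 2 * a->pgsize, PROT_READ | PROT_WRITE,
             MAP_ANON | MAP_PRIVATE, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    a->map  = m;
    a->base = a->map + a->pgsize;
    /* Check mprotect: a guard that failed to arm protects nothing. */
    if (mprotect(a->map, a->pgsize, PROT_NONE) != 0 ||
        mprotect(a->base + a->usable, a->pgsize, PROT_NONE) != 0) {
        munmap(a->map, a->usable + 2 * a->pgsize);
        return -1;
    }
    return 0;
}

/* Wipe the usable region, then unmap it together with both guards. */
void guarded_arena_free(struct guarded_arena *a)
{
    volatile unsigned char *p = a->base;
    size_t i;

    for (i = 0; i < a->usable; i++)
        p[i] = 0;
    munmap(a->map, a->usable + 2 * a->pgsize);
    a->map = a->base = NULL;
    a->usable = 0;
}

/* Write one byte at base+offset in a forked child, so a fault kills the
 * child and not the caller. Returns 0 if the write succeeded, 1 if the
 * child did not exit cleanly (it faulted), -1 if fork/waitpid failed. */
int probe_write(const struct guarded_arena *a, long offset)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile unsigned char *p = a->base + offset;
        *p = 0x41;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(void)
{
    struct guarded_arena a;

    if (guarded_arena_init(&a, 5000) != 0)
        return 1;
    printf("first byte:        %d\n", probe_write(&a, 0));
    printf("last byte:         %d\n", probe_write(&a, (long)a.usable - 1));
    printf("one byte below:    %d\n", probe_write(&a, -1));
    printf("one byte past end: %d\n", probe_write(&a, (long)a.usable));
    guarded_arena_free(&a);
    return 0;
}
```

Detection is page-granular: the requested size is rounded up to whole pages, so a stray write that lands between the requested size and the next page boundary does not fault.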


RE: AES encryption using RSA keys

2011-08-29 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
> Sent: Friday, 26 August, 2011 16:11
>
> Thanks for your detailed explanation Dave. I am going to encrypt
> using AES in server side using EVP,
> EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv);
> EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext));
> EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen);
>
> client will be using Java to decrypt the same. Should I use
> the above same function to encrypt, or must I use
>
> AES_cbc_encrypt();

It's your choice. You can use EVP and select AES (or other); or 
you can use AES directly, but you can't just call AES_cbc_encrypt: 
you have to set the key schedule first, and you have to add padding 
on encrypt and remove it on decrypt. These are the sort of details 
that EVP handles for you (exact details vary by algorithm).





Re: AES encryption using RSA keys

2011-08-26 Thread krishnamurthy santhanam
Thanks for your detailed explanation Dave. I am going to encrypt using AES
in server side using EVP,
EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv);
EVP_EncryptUpdate(&x, outbuf, &outlen, (const unsigned char*) intext, strlen(intext));
EVP_EncryptFinal_ex(&x, outbuf+outlen, &tmplen);

client will be using Java to decrypt the same. Should I use the above same
function to encrypt, or must I use

AES_cbc_encrypt();

to encrypt the same.

Thanks for your time,
Krishnamurthy
On Fri, Aug 26, 2011 at 5:20 AM, Dave Thompson dthomp...@prinpay.com wrote:

From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy
 santhanam
Sent: Wednesday, 24 August, 2011 02:32

Basically when we encrypt something using an RSA key (whether
 public

  or private), the encrypted value must be smaller than the key (due to
  the maths used to do the actual encryption). So if you have a 1024-bit
 key,
  in theory we could encrypt any 1023-bit value (or a 1024-bit value
 smaller

  than the key) with that key.

 More precisely, smaller than the modulus 'N' but
 large enough not to be subject to a trivial break.
 An RSA public key is the pair (e,n) where e is usually small,
 and the private key is in principle the pair (d,n) where d is
 usually a substantial fraction of n. RSA private keys may
 and in OpenSSL do also include additional 'Chinese Remainder
 Theorem' aka CRT information to make computation faster.

 Plus, most actual RSA encryption schemes add padding.
 In particular simply RSA-encrypting raw user data allows
 an adversary to determine if a guessed plaintext is correct,
 which in general is considered an unacceptable weakness.
 Thus the value size you can encrypt is somewhat less than
 the RSA modulus size because of this padding; the commonly
 used PKCS#1 v1.5 'classic' and v2 OAEP are 11 and 41 bytes.
 If used certain ways v1.5 has weakness (see Bleichenbacher's
 attack on early SSL) which is why OAEP was created.

below is the code snippet i am trying to do AES Encryption.
  it works fine. if i see some example in openssl they are using KEY value
  EVP_MAX_KEY_LENGTH(32 bytes). can i use RSA public key(1024 bit) to
 encrypt
  the same value and use private to decrypt the value.

 It's not entirely 'fine', see below.

 EVP_MAX_KEY_LENGTH is the maximum length for *any* (supported)
 *symmetric* algorithm. It is useful if you want to write generic
 code that works for various algorithms selectable at runtime,
 as many common systems like SSL/TLS SMIME/CMS/PKCS7 PGP do.
 If you are using only a specific cipher you can use the key length
 for that cipher which might be smaller.

 However, the key lengths for *asymmetric* algorithms, including RSA,
 are all separate. You need to use the correct one for each.

unsigned char key[] =
 {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
unsigned char iv[] = {1,2,3,4,5,6,7,8};
char intext[] = string to make the random number generator
 think it has entropy;
// Straight encrypt
 EVP_CIPHER_CTX x;
EVP_CIPHER_CTX_init(x);
 if(!EVP_EncryptInit_ex(x, EVP_aes_256_cbc(), NULL, key,
 iv))
 printf(\n ERROR!! \n);

 The key for AES-256 is 32 bytes, and IV for AES-anything 16 bytes.
 You are using partly unknown possibly garbage values, which means
 you may be unable to decrypt the result in any other program.
 (Of course in any real use the IV should be random or at least unique
 and unpredictable, and the key should be random or at least secret.)

 if(!EVP_EncryptUpdate(x, outbuf, outlen,
  (const unsigned char*) intext, strlen(intext)))
printf(\n ERROR!! \n);
if(!EVP_EncryptFinal_ex(x,outbuf+outlen,tmplen))
printf(\n ERROR!! \n);
 outlen+=tmplen;

 In general when any OpenSSL call returns an error, you should look
 at the error stack: http://www.openssl.org/support/faq.html#PROG6
 For these particular calls (symm encrypt without engine) it's not vital,
 but if and when you start doing other things it becomes valuable.

 }
EVP_CIPHER_CTX_cleanup(x);

 This should be within the routine (before the closing brace).

 Now to your actual question:

 Yes in abstract you can encrypt and decrypt data directly with RSA.
 In practice people usually don't, because of the limitations.
 Most widespread systems like SSL/TLS and SMIME and PGP are 'hybrid',
 where for encryption the data is encrypted with a symmetric algorithm
 and a random 'working' or 'session' key, and public-key algorithms
 like RSA DH or ECDH are used to transfer or share that working key;
 in the simplest case, the working key is just RSA-encrypted.
 Similarly for signing people don't actually RSA-sign their data;
 instead a hash like SHA1 is computed from the data, and that hash
 (plus limited overhead like an OID) is signed by RSA or [EC]DSA.
 These 

RE: AES encryption using RSA keys

2011-08-25 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy santhanam
> Sent: Wednesday, 24 August, 2011 02:32

> Basically when we encrypt something using an RSA key (whether public
> or private), the encrypted value must be smaller than the key (due to
> the maths used to do the actual encryption). So if you have a 1024-bit
> key, in theory we could encrypt any 1023-bit value (or a 1024-bit value
> smaller than the key) with that key.

More precisely, smaller than the modulus 'N' but
large enough not to be subject to a trivial break.
An RSA public key is the pair (e,n) where e is usually small,
and the private key is in principle the pair (d,n) where d is
usually a substantial fraction of n. RSA private keys may
and in OpenSSL do also include additional 'Chinese Remainder
Theorem' aka CRT information to make computation faster.

Plus, most actual RSA encryption schemes add padding.
In particular simply RSA-encrypting raw user data allows
an adversary to determine if a guessed plaintext is correct,
which in general is considered an unacceptable weakness.
Thus the value size you can encrypt is somewhat less than
the RSA modulus size because of this padding; the commonly
used PKCS#1 v1.5 'classic' and v2 OAEP are 11 and 41 bytes.
If used certain ways v1.5 has weakness (see Bleichenbacher's
attack on early SSL) which is why OAEP was created.

> below is the code snippet i am trying to do AES Encryption.
> it works fine. if i see some example in openssl they are using KEY value
> EVP_MAX_KEY_LENGTH(32 bytes). can i use RSA public key(1024 bit) to
> encrypt the same value and use private to decrypt the value.

It's not entirely 'fine', see below.

EVP_MAX_KEY_LENGTH is the maximum length for *any* (supported)
*symmetric* algorithm. It is useful if you want to write generic
code that works for various algorithms selectable at runtime,
as many common systems like SSL/TLS SMIME/CMS/PKCS7 PGP do.
If you are using only a specific cipher you can use the key length
for that cipher which might be smaller.

However, the key lengths for *asymmetric* algorithms, including RSA,
are all separate. You need to use the correct one for each.

> unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
> unsigned char iv[] = {1,2,3,4,5,6,7,8};
> char intext[] = "string to make the random number generator think it has entropy";
> // Straight encrypt
> EVP_CIPHER_CTX x;
> EVP_CIPHER_CTX_init(&x);
> if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
>     printf("\n ERROR!! \n");

The key for AES-256 is 32 bytes, and IV for AES-anything 16 bytes.
You are using partly unknown possibly garbage values, which means
you may be unable to decrypt the result in any other program.
(Of course in any real use the IV should be random or at least unique
and unpredictable, and the key should be random or at least secret.)

> if(!EVP_EncryptUpdate(&x, outbuf, &outlen,
>     (const unsigned char*) intext, strlen(intext)))
>     printf("\n ERROR!! \n");
> if(!EVP_EncryptFinal_ex(&x,outbuf+outlen,&tmplen))
>     printf("\n ERROR!! \n");
> outlen+=tmplen;

In general when any OpenSSL call returns an error, you should look
at the error stack: http://www.openssl.org/support/faq.html#PROG6
For these particular calls (symm encrypt without engine) it's not vital,
but if and when you start doing other things it becomes valuable.

> }
> EVP_CIPHER_CTX_cleanup(&x);

This should be within the routine (before the closing brace).

Now to your actual question:

Yes in abstract you can encrypt and decrypt data directly with RSA.
In practice people usually don't, because of the limitations.
Most widespread systems like SSL/TLS and SMIME and PGP are 'hybrid',
where for encryption the data is encrypted with a symmetric algorithm
and a random 'working' or 'session' key, and public-key algorithms
like RSA DH or ECDH are used to transfer or share that working key;
in the simplest case, the working key is just RSA-encrypted.
Similarly for signing people don't actually RSA-sign their data;
instead a hash like SHA1 is computed from the data, and that hash
(plus limited overhead like an OID) is signed by RSA or [EC]DSA.
These hybrids are what EVP_{Seal,Open}* and EVP_{Sign,Verify}* do.





AES encryption using RSA keys

2011-08-24 Thread krishnamurthy santhanam
Basically when we encrypt something using an RSA key (whether public or
private), the encrypted value must be smaller than the key (due to the maths
used to do the actual encryption). So if you have a 1024-bit key, in theory
we could encrypt any 1023-bit value (or a 1024-bit value smaller than the
key) with that key.

below is the code snippet i am trying to do AES Encryption. it works fine.
if i see some example in openssl they are using KEY value EVP_MAX_KEY_LENGTH(32
bytes). can i use RSA public key(1024 bit) to encrypt the same value and use
private to decrypt the value.


int main(int argc, char* argv[])
{
    unsigned char outbuf2[1024];
    unsigned char outbuf[1024];
    int outlen, outlen2, tmplen;
    unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    unsigned char iv[] = {1,2,3,4,5,6,7,8};
    char intext[] = "string to make the random number generator think it has entropy";
    // Straight encrypt
    EVP_CIPHER_CTX x;
    EVP_CIPHER_CTX_init(&x);
    if(!EVP_EncryptInit_ex(&x, EVP_aes_256_cbc(), NULL, key, iv))
        printf("\n ERROR!! \n");
    if(!EVP_EncryptUpdate(&x, outbuf, &outlen,(const unsigned char*) intext, strlen(intext)))
        printf("\n ERROR!! \n");
    if(!EVP_EncryptFinal_ex(&x,outbuf+outlen,&tmplen))
        printf("\n ERROR!! \n");
    outlen+=tmplen;
}


EVP_CIPHER_CTX_cleanup(&x);

Thanks,
Krishnamurthy


components of RSA keys?

2010-12-23 Thread Mike Mohr
Good afternoon,

When generating an RSA key, several components are described in the
output file.  Per the RSA specification on wikipedia, I can identify
the following values:

prime1: p
prime2: q
modulus: N = p * q
publicExponent: e
privateExponent: d

What I'm not clear about is what function these values play:

exponent1: ??
exponent2: ??
coefficient: ??

Can someone explain?

Thanks,
Mike


Re: components of RSA keys?

2010-12-23 Thread Mounir IDRASSI
Take a look at : 
http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm


exponent1 = dp
exponent2 = dq
coefficient = qInv

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/23/2010 9:48 PM, Mike Mohr wrote:

Good afternoon,

When generating an RSA key, several components are described in the
output file.  Per the RSA specification on wikipedia, I can identify
the following values:

prime1: p
prime2: q
modulus: N = p * q
publicExponent: e
privateExponent: d

What I'm not clear about is what function these values play:

exponent1: ??
exponent2: ??
coefficient: ??

Can someone explain?

Thanks,
Mike
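
What exponent1, exponent2 and coefficient are used for, as an added example (not OpenSSL's code): the three values are derived from p, q and d, and the CRT private-key operation is checked against plain c^d mod N. The primes p = 61, q = 53 and exponent e = 17 are toy values assumed for the example, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Field names follow the labels in the key printout quoted in this thread. */
struct rsa_crt_key {
    uint64_t modulus, public_exponent, private_exponent;   /* N, e, d */
    uint64_t prime1, prime2;                                /* p, q    */
    uint64_t exponent1;      /* dp   = d mod (p - 1) */
    uint64_t exponent2;      /* dq   = d mod (q - 1) */
    uint64_t coefficient;    /* qInv = q^-1 mod p    */
};

/* (a * b) mod m; valid for m < 2^32 so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a % m) * (b % m) % m;
}

/* Square-and-multiply modular exponentiation. */
uint64_t modexp(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;

    base %= m;
    while (exp) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by extended Euclid; returns 0 if gcd(a, m) != 1. */
uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m), q, tmp;

    while (nr != 0) {
        q = r / nr;
        tmp = t - q * nt;  t = nt;  nt = tmp;
        tmp = r - q * nr;  r = nr;  nr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Fill in d and the three CRT values from p, q and e. 0 on success. */
int rsa_crt_build(struct rsa_crt_key *k, uint64_t p, uint64_t q, uint64_t e)
{
    k->prime1 = p;
    k->prime2 = q;
    k->modulus = p * q;
    k->public_exponent = e;
    k->private_exponent = modinv(e, (p - 1) * (q - 1));
    if (k->private_exponent == 0)
        return -1;
    k->exponent1 = k->private_exponent % (p - 1);
    k->exponent2 = k->private_exponent % (q - 1);
    k->coefficient = modinv(q, p);
    return k->coefficient ? 0 : -1;
}

/* Private-key operation straight from the definition: c^d mod N. */
uint64_t rsa_private_plain(const struct rsa_crt_key *k, uint64_t c)
{
    return modexp(c, k->private_exponent, k->modulus);
}

/* The same result via CRT: two half-size exponentiations, then recombine. */
uint64_t rsa_private_crt(const struct rsa_crt_key *k, uint64_t c)
{
    uint64_t m1 = modexp(c, k->exponent1, k->prime1);
    uint64_t m2 = modexp(c, k->exponent2, k->prime2);
    uint64_t diff = (m1 + k->prime1 - m2 % k->prime1) % k->prime1;
    uint64_t h = mulmod(k->coefficient, diff, k->prime1);

    return m2 + h * k->prime2;
}

/* Count inputs in [0, N) where the CRT and plain results disagree. */
uint64_t crt_mismatches(const struct rsa_crt_key *k)
{
    uint64_t c, bad = 0;

    for (c = 0; c < k->modulus; c++)
        if (rsa_private_crt(k, c) != rsa_private_plain(k, c))
            bad++;
    return bad;
}

int main(void)
{
    struct rsa_crt_key k;

    if (rsa_crt_build(&k, 61, 53, 17) != 0)
        return 1;
    printf("exponent1=%llu exponent2=%llu coefficient=%llu mismatches=%llu\n",
           (unsigned long long)k.exponent1, (unsigned long long)k.exponent2,
           (unsigned long long)k.coefficient,
           (unsigned long long)crt_mismatches(&k));
    return 0;
}
```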


Re: components of RSA keys?

2010-12-23 Thread Jeffrey Walton
On Thu, Dec 23, 2010 at 3:48 PM, Mike Mohr akih...@gmail.com wrote:
> Good afternoon,
>
> When generating an RSA key, several components are described in the
> output file.  Per the RSA specification on wikipedia,
You should question anything on Wiki since it is generally unedited.
Don't make the mistake of the fellow posting on sci.crypt who claimed
Dr. Adler's reference implementation of ADLER-32 was wrong because
there was a discrepancy in Wiki. From "Need peer review: May have
found mistake in Adler-32!":

This is going out the Mr. Adler, his friends at zlib, the related
newsgroups comp.compression and sci.crypt, and the newsgroups
sci.math and sci.math.num-analysis... This post relates to suspec
calculations... [1]

> I can identify the following values:
>
> prime1: p
> prime2: q
> modulus: N = p * q
> publicExponent: e
> privateExponent: d
>
> What I'm not clear about is what function these values play:
>
> exponent1: ??
> exponent2: ??
> coefficient: ??
See Handbook of Applied Cryptography. All chapters are available
online. http://www.cacr.math.uwaterloo.ca/hac/.

Jeff

[1] 
http://groups.google.com/group/comp.compression/browse_thread/thread/5a37a9fcd32786fd/9859a0c61a3fb333


Re: components of RSA keys?

2010-12-23 Thread Mike Mohr
Thanks much for the clarification.  I'm interested in re-implementing
RSA for my own education; can someone point me to the location in the
openssl sources where the RSA keys are actually generated (so I can
see how the BIGNUMs are manipulated)?

Thanks,
Mike

On Thu, Dec 23, 2010 at 1:17 PM, Mounir IDRASSI
mounir.idra...@idrix.net wrote:
 Take a look at :
 http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm

 exponent1 = dp
 exponent2 = dq
 coefficient = qInv

 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr

 On 12/23/2010 9:48 PM, Mike Mohr wrote:

 Good afternoon,

 When generating an RSA key, several components are described in the
 output file.  Per the RSA specification on wikipedia, I can identify
 the following values:

 prime1: p
 prime2: q
 modulus: N = p * q
 publicExponent: e
 privateExponent: d

 What I'm not clear about is what function these values play:

 exponent1: ??
 exponent2: ??
 coefficient: ??

 Can someone explain?

 Thanks,
 Mike


Re: components of RSA keys?

2010-12-23 Thread Mounir IDRASSI


Start at function rsa_builtin_keygen in file crypto/rsa/rsa_gen.c.
Good hack,

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 12/24/2010 12:35 AM, Mike Mohr wrote:

Thanks much for the clarification.  I'm interested in re-implementing
RSA for my own education; can someone point me to the location in the
openssl sources where the RSA keys are actually generated (so I can
see how the BIGNUMs are manipulated)?

Thanks,
Mike

On Thu, Dec 23, 2010 at 1:17 PM, Mounir IDRASSI
mounir.idra...@idrix.net  wrote:

Take a look at :
http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm

exponent1 = dp
exponent2 = dq
coefficient = qInv

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 12/23/2010 9:48 PM, Mike Mohr wrote:

Good afternoon,

When generating an RSA key, several components are described in the
output file.  Per the RSA specification on wikipedia, I can identify
the following values:

prime1: p
prime2: q
modulus: N = p * q
publicExponent: e
privateExponent: d

What I'm not clear about is what function these values play:

exponent1: ??
exponent2: ??
coefficient: ??

Can someone explain?

Thanks,
Mike


Skipping the OID and BIT string prefix in DER formatted RSA keys

2010-07-01 Thread Nick Kelsey
Hi guys,

I am using the following command to output the public key for a given
RSA private key:
openssl rsa -in keyfile.private.pem -pubout -outform DER

The output includes a SEQ with an OID, followed by a BIT string
containing the DER formatted public key I need.
Deleting the first 22 bytes (leaving everything after the BIT string
header) worked in the target application.

Is there a trick to getting openssl not to output the OID and BIT string
wrapper?

Thanks,

Nick


RE: Skipping the OID and BIT string prefix in DER formatted RSA keys

2010-07-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Nick Kelsey
> Sent: Thursday, 01 July, 2010 02:00

> I am using the following command to output the public key for a given
> RSA private key:
> openssl rsa -in keyfile.private.pem -pubout -outform DER
>
> The output includes a SEQ with an OID, followed by a BIT string
> containing the DER formatted public key I need.

Right-ish. That's the 'SubjectPublicKeyInfo' format defined by X.509
and used by lots of other things including OpenSSL. It's SEQ of
- the Algorithm ID (actually a sub-SEQ of an OID plus a 'parameters'
object; for RSA the parameters are ASN.1 NULL encoded as 05 00;
for some algorithms e.g. DSA the parameters contain real info)
- plus the algorithm-dependent keyinfo wrapped in a BITSTRING;
for RSA this is the PKCS#1 RSAPublicKey (SEQ of N and E).

> Deleting the first 22 bytes (leaving everything after the BIT string
> header) worked in the target application.

Note it won't always be the same. The length of the ASN.1 headers
(for DER) varies depending on the length of the data being encoded.
For RSAPublicKey with conventional small E (so N takes most of the
space) N larger than about 1900 bits will make the headers bigger.
If you want to do this reliably, you should parse the 3 TLV's.

> Is there a trick to getting openssl not to output the OID and
> BIT string wrapper?
 
I believe not with the commandline. In code you should be able to 
get the RSA* internal object (out of a generic EVP if appropriate) 
and call i2d_RSAPublicKey or PEM_write[_bio]_RSAPublicKey .
(Not _RSA_PUBKEY which does the X.509-wrapped version.)
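
Parsing the three TLVs instead of deleting a fixed 22 bytes, as an added example in plain C (not OpenSSL code; spki_rsa_key, der_header, put_len and make_spki are hypothetical names). The 140- and 270-byte filler payloads are constructed test input standing in for the RSAPublicKey of a 1024-bit and a 2048-bit key with e = 65537.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of OBJECT IDENTIFIER rsaEncryption (1.2.840.113549.1.1.1). */
static const unsigned char OID_RSA[] = {
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01
};

/* Read the tag and definite length at buf[*pos]. On success return the tag,
 * move *pos to the first content byte and store the content length. */
static int der_header(const unsigned char *buf, size_t len,
                      size_t *pos, size_t *clen)
{
    size_t p = *pos, n, nbytes;
    int tag;

    if (len - p < 2)
        return -1;
    tag = buf[p++];
    n = buf[p++];
    if (n & 0x80) {                       /* long form: 0x80 | byte count */
        nbytes = n & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > len - p)
            return -1;                    /* indefinite, huge or truncated */
        if (buf[p] == 0)
            return -1;                    /* DER forbids leading zero bytes */
        for (n = 0; nbytes > 0; nbytes--)
            n = (n << 8) | buf[p++];
        if (n < 0x80)
            return -1;                    /* should have used short form */
    }
    if (n > len - p)
        return -1;                        /* content runs past the input */
    *pos = p;
    *clen = n;
    return tag;
}

/* Walk the three TLVs of an RSA SubjectPublicKeyInfo and report where the
 * PKCS#1 RSAPublicKey starts and how long it is. 0 on success, -1 on error. */
int spki_rsa_key(const unsigned char *der, size_t len,
                 size_t *key_off, size_t *key_len)
{
    size_t pos = 0, clen;

    if (der_header(der, len, &pos, &clen) != 0x30 || pos + clen != len)
        return -1;                        /* outer SEQUENCE spans the input */
    if (der_header(der, len, &pos, &clen) != 0x30 || clen < sizeof OID_RSA ||
        memcmp(der + pos, OID_RSA, sizeof OID_RSA) != 0)
        return -1;                        /* AlgorithmIdentifier must be RSA */
    pos += clen;                          /* skip the OID and its parameters */
    if (der_header(der, len, &pos, &clen) != 0x03 || clen < 1 ||
        der[pos] != 0x00 || pos + clen != len)
        return -1;                        /* BIT STRING with 0 unused bits */
    *key_off = pos + 1;
    *key_len = clen - 1;
    return 0;
}

/* Write a DER length for n < 65536; returns the number of bytes written. */
static size_t put_len(unsigned char *out, size_t n)
{
    size_t i = 0;
    if (n >= 0x100) { out[i++] = 0x82; out[i++] = (unsigned char)(n >> 8); }
    else if (n >= 0x80) out[i++] = 0x81;
    out[i++] = (unsigned char)(n & 0xFF);
    return i;
}

/* Constructed test input: an SPKI wrapper around key_len filler bytes that
 * stand in for an RSAPublicKey. out must hold key_len + 32 bytes. */
size_t make_spki(unsigned char *out, size_t key_len)
{
    unsigned char tmp[3];
    size_t bs_hdr = 1 + put_len(tmp, key_len + 1);   /* tag + length bytes */
    size_t p = 0;

    out[p++] = 0x30;                                 /* outer SEQUENCE */
    p += put_len(out + p, 15 + bs_hdr + key_len + 1);
    out[p++] = 0x30; out[p++] = 0x0D;                /* AlgorithmIdentifier */
    memcpy(out + p, OID_RSA, sizeof OID_RSA); p += sizeof OID_RSA;
    out[p++] = 0x05; out[p++] = 0x00;                /* NULL parameters */
    out[p++] = 0x03;                                 /* BIT STRING */
    p += put_len(out + p, key_len + 1);
    out[p++] = 0x00;                                 /* unused-bits octet */
    memset(out + p, 0xAA, key_len);                  /* filler payload */
    return p + key_len;
}

int main(void)
{
    unsigned char buf[400];
    size_t off, klen, sizes[] = { 140, 270 }, i;
    for (i = 0; i < 2; i++)
        if (spki_rsa_key(buf, make_spki(buf, sizes[i]), &off, &klen) == 0)
            printf("RSAPublicKey of %zu bytes at offset %zu\n", klen, off);
    return 0;
}
```

The 1024-bit-sized input gives the 22-byte prefix from the question; the 2048-bit-sized input gives 24, which is why a fixed cut is unreliable.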





Prevent RSA keys from being paged out?

2009-08-10 Thread Conor
Greetings community,

Can anyone tell me if the crypto libraries perform any sort of
locking on private key structures to prevent them from being
paged out of memory? Or is it required to call mlock/munlock
or the equivalent on other platforms explicitly?

Thank you in advance for your replies.

Conor.


Re: read rsa keys

2009-07-27 Thread Neil Dugan

Dr. Stephen Henson wrote:

On Mon, Jul 27, 2009, Neil Dugan wrote:


Hi,

I have been trying to read the keys generated by openssl genrsa ... and 
openssl rsa -pubout ... commands.


I successfully (according to the return code) read the private key with

if (in = BIO_new_file("rsakey.pem", "r")) {
    int ok;
    printf ("Created private BIO\n");
    ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
    printf ("ok = %s\n", (ok != 0) ? "true":"false");
    BIO_free(in);
}

but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to 
work.




Use PEM_read_bio_RSA_PUBKEY() instead.

Steve.


Thanks that seemed to work.
But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the 
same data as what is in the key file.  So did it get read properly?



Re: read rsa keys

2009-07-27 Thread Dr. Stephen Henson
On Mon, Jul 27, 2009, Neil Dugan wrote:

 Dr. Stephen Henson wrote:
 On Mon, Jul 27, 2009, Neil Dugan wrote:
 Hi,

 I have been trying to read the keys generated by openssl genrsa ... and 
 openssl rsa -pubout ... commands.

 I successfully (according to the return code) read the private key with

 if (in = BIO_new_file("rsakey.pem", "r")) {
     int ok;
     printf ("Created private BIO\n");
     ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
     printf ("ok = %s\n", (ok != 0) ? "true":"false");
     BIO_free(in);
 }

 but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to 
 work.

 Use PEM_read_bio_RSA_PUBKEY() instead.
 Steve.

 Thanks that seemed to work.
 But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the same 
 data as what is in the key file.  So did it get read properly?

Well that's a different format so you wont get the same. Use
PEM_write_RSA_PUBKEY() as well and they should be the same.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: read rsa keys segmentation fault

2009-07-27 Thread Neil Dugan

Neil Dugan wrote:


Dr. Stephen Henson wrote:

On Mon, Jul 27, 2009, Neil Dugan wrote:


Hi,

I have been trying to read the keys generated by openssl genrsa ... 
and openssl rsa -pubout ... commands.


I successfully (according to the return code) read the private key with

if (in = BIO_new_file("rsakey.pem", "r")) {
    int ok;
    printf ("Created private BIO\n");
    ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
    printf ("ok = %s\n", (ok != 0) ? "true":"false");
    BIO_free(in);
}

but the similar code using PEM_read_bio_RSAPublicKey() doesn't want 
to work.




Use PEM_read_bio_RSA_PUBKEY() instead.

Steve.


Thanks that seemed to work.
But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the 
same data as what is in the key file.  So did it get read properly?


I found that PEM_write_RSA_PUBKEY(stdout, rsa); does print the 
correct key.


Why the two very similar functions?  And why aren't they outputting the
same data?


Now I have updated the code, to try and encrypt/decrypt some test 
data.  Why is it causing a segmentation fault at line 39 the 
RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING); call?






Re: read rsa keys segmentation fault

2009-07-27 Thread Neil Dugan

Neil Dugan wrote:


Dr. Stephen Henson wrote:

On Mon, Jul 27, 2009, Neil Dugan wrote:


Hi,

I have been trying to read the keys generated by openssl genrsa ... 
and openssl rsa -pubout ... commands.


I successfully (according to the return code) read the private key with

if (in = BIO_new_file("rsakey.pem", "r")) {
    int ok;
    printf ("Created private BIO\n");
    ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
    printf ("ok = %s\n", (ok != 0) ? "true":"false");
    BIO_free(in);
}

but the similar code using PEM_read_bio_RSAPublicKey() doesn't want 
to work.




Use PEM_read_bio_RSA_PUBKEY() instead.

Steve.


Thanks that seemed to work.
But the PEM_write_RSAPublicKey(stdout, rsa); call doesn't output the 
same data as what is in the key file.  So did it get read properly?


I found that PEM_write_RSA_PUBKEY(stdout, rsa); does print the
correct key.

Now I have updated the code, to try and encrypt/decrypt some test
data.  Why is it causing a segmentation fault at line 39 the
RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING); call?





#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <stdio.h>
#include <stdlib.h>

BIO *bio_err=0;

void print_data(unsigned char *data, int size)
{
	int x;
	printf (" : ");
	for (x = 0; x < size; x++) {
		if ((x > 0) && (x % 16 == 0))
			printf ("\n%04x : ", x);
		printf ("%02x ", data[x]);
	}
	printf ("\n--\n");
}

unsigned char * public_encrypt(RSA *rsa, unsigned char *from)
{
	int size = RSA_size(rsa);
	unsigned char *to;
	if (to = malloc(size)) {
		int x;
		RSA_public_encrypt(size, from, to, rsa, RSA_NO_PADDING);
		return (to);
	}
	else {
		printf("memory allocation error\n");
		return (NULL);
	}
}

unsigned char * private_decrypt(RSA *rsa, unsigned char *from)
{
	int size = RSA_size(rsa);
	unsigned char *to;
	if (to = malloc(size)) {
		int x;
		RSA_private_decrypt(size, from, to, rsa, RSA_NO_PADDING);
		return (to);
	}
	else {
		printf("memory allocation error\n");
		return (NULL);
	}
}

int main (int argc, char**argv)
{
	RSA *rsa;
	int size;

	if ((rsa = RSA_new()) != NULL) {
		printf ("Allocated new RSA structure\n");
		BIO *in;
		if (in = BIO_new_file("rsakey.pem", "r")) {
			int ok;
			printf ("Created private BIO\n");
			ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
			printf ("ok = %s\n", (ok != 0) ? "true":"false");
			BIO_free(in);
		}

		if (in = BIO_new_file("pubkey.pem", "r")) {
			int ok;
			printf ("Created public BIO\n");
			ok = (PEM_read_bio_RSA_PUBKEY(in, &rsa, NULL, NULL) != NULL);
			printf ("ok = %s\n", (ok != 0) ? "true":"false");
			BIO_free(in);
		}

		//PEM_write_RSAPublicKey(stdout, rsa);
		PEM_write_RSA_PUBKEY(stdout, rsa);

		size = RSA_size(rsa);
		if (size > 0) {
			unsigned char *encrypted;
			unsigned char *plain;
			int x;

			// generate and print the plain text
			plain = malloc(size);
			for (x = 0; x < size; x++) plain[x] = x & 0xFF;
			print_data(plain,size);

			// encrypt and print
			encrypted = public_encrypt(rsa,plain);
			print_data(encrypted,size);
			free (plain);

			// decrypt and print
			plain = private_decrypt(rsa,encrypted);
			print_data(plain,size);

			// cleanup
			free(encrypted);
			free(plain);
		}
		RSA_free(rsa);
	}
	
}



read rsa keys

2009-07-26 Thread Neil Dugan

Hi,

I have been trying to read the keys generated by openssl genrsa ... 
and openssl rsa -pubout ... commands.


I successfully (according to the return code) read the private key with

if (in = BIO_new_file("rsakey.pem", "r")) {
    int ok;
    printf ("Created private BIO\n");
    ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
    printf ("ok = %s\n", (ok != 0) ? "true":"false");
    BIO_free(in);
}

but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to 
work.


Can someone help with either some example code, or some idea what I am
doing wrong?


I want to be able to encrypt/decrypt a string with both the private
and public keys.


Hopefully Neil.

#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <stdio.h>

BIO *bio_err=0;



int main (int argc, char**argv)
{
	SSL_CTX *ctx;
	SSL *ssl;
	BIO *sbio;

	RSA *rsa;

#if 0
	if ((rsa = RSA_new()) != NULL) {
		printf ("Allocated new RSA structure\n");
		if (RSA_print(bio_err, rsa, 0) == 0)
			printf ("Failed to print\n");
		printf ("size = %d bytes\n", RSA_size(rsa));
		RSA_free(rsa);
	}
#endif
#if 0
	if ((rsa = RSA_generate_key(2048, 17, NULL, NULL)) != NULL) {
		int ok;
		printf ("Allocated new RSA structure\n");
		ok = PEM_write_RSAPublicKey(stdout, rsa);
		RSA_free(rsa);
	}
#endif
	if ((rsa = RSA_new()) != NULL) {
		printf ("Allocated new RSA structure\n");
		BIO *in;
		if (in = BIO_new_file("rsakey.pem", "r")) {
			int ok;
			printf ("Created private BIO\n");
			ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
			printf ("ok = %s\n", (ok != 0) ? "true":"false");
			BIO_free(in);
		}

		if (in = BIO_new_file("pubkey.pem", "r")) {
			int ok;
			printf ("Created public BIO\n");
			ok = (PEM_read_bio_RSAPublicKey(in, &rsa, NULL, NULL) != NULL);
			printf ("ok = %s\n", (ok != 0) ? "true":"false");
			BIO_free(in);
		}

		PEM_write_RSAPublicKey(stdout, rsa);
		RSA_free(rsa);
	}
	
}



Re: read rsa keys

2009-07-26 Thread Dr. Stephen Henson
On Mon, Jul 27, 2009, Neil Dugan wrote:

 Hi,

 I have been trying to read the keys generated by openssl genrsa ... and 
 openssl rsa -pubout ... commands.

 I successfully (according to the return code) read the private key with

 if (in = BIO_new_file("rsakey.pem", "r")) {
   int ok;
   printf ("Created private BIO\n");
   ok = (PEM_read_bio_RSAPrivateKey(in, &rsa, NULL, NULL) != NULL);
   printf ("ok = %s\n", (ok != 0) ? "true":"false");
   BIO_free(in);
 }

 but the similar code using PEM_read_bio_RSAPublicKey() doesn't want to 
 work.


Use PEM_read_bio_RSA_PUBKEY() instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?

2008-08-12 Thread Goetz Babin-Ebell

[EMAIL PROTECTED] wrote:
| (sorry that previous one looked so terrible.  Here it is with plain text)
|
| Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at
| the same time?  For example, if a client device has both 1024-bit and
| 2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick
| whether 1024 or 2048-bit RSA should be used?

The client certificate has no influence on the selected ciphers.
It is only used for client authentication.

The server certificate (and with that the server key) have influence
on the used ciphers in a session.

And while an SSL_CTX can have more than one cert/key pair,
you can only set one cert/key for every key type
(one RSA key/cert, one EC key/cert, ...)

It might be possible to twist the TLS hostname extension to
select between a 2048 and a 1024 cert/key, but that would
be something client and server would have to cooperate on...


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?

2008-08-11 Thread altan

Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at the
same time?  For example, if a client device has both 1024-bit and
2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick
whether 1024 or 2048-bit RSA should be used?

I do not believe this works but would appreciate any input from others.

My understanding is that the client provides a list of supported
ciphersuites during the Client Hello process.  However, the ciphersuites
enumeration does not indicate the bit length of the RSA key, only that RSA
can be used.  For example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA doesn’t indicate
if 1024-bit or 2048-bit RSA is required.  It seems that the server needs to
look at the client’s certificate to determine the number of bits used by the
RSA key --- but even if the server requests the client’s certificate, this
happens after the cipher has been chosen.

I appreciate any input on this, whether it’s “you got it all wrong”, “you got
it all right”, or anything in the middle.

Thanks

... Altan

Re: Device with both 1024-bit and 2048-bit RSA keys --- OpenSSL support?

2008-08-11 Thread altan
(sorry that previous one looked so terrible.  Here it is with plain 
text)


Can a single OpenSSL context support both 1024-bit and 2048-bit RSA at 
the same time?  For example, if a client device has both 1024-bit and 
2048-bit RSA keys, will the SSL/TLS handshake allow the server to pick 
whether 1024 or 2048-bit RSA should be used?


I do not believe this works but would appreciate any input from others.

My understanding is that the client provides a list of supported 
ciphersuites during the Client Hello process.  However, the 
ciphersuites enumeration does not indicate the bit length of the RSA 
key, only that RSA can be used.  For example, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA doesn’t indicate if 1024-bit or 
2048-bit RSA is required.  It seems that the server needs to look at 
the client’s certificate to determine the number of bits used by the 
RSA key --- but even if the server requests the client’s certificate, 
this happens after the cipher has been chosen.


I appreciate any input on this, whether it’s “you got it all wrong”, 
“you got it all right”, or anything in the middle.


Thanks

... Altan


Strategy for freeing EVP and RSA keys

2008-06-02 Thread Kenneth Goldman
I'd like confirmation that I understand how to free RSA keys.

I create an RSA *key.  I then use it to create an EVP_PKEY
using EVP_PKEY_new() and EVP_PKEY_assign_RSA().

Later, I want to free everything.

I _think_ that EVP_PKEY_free() will free both the EVP_PKEY and the
RSA objects.  Is that correct - that there's an implied free of the RSA
object?

If so, is this the correct strategy:

If the EVP_PKEY was created correctly
  free the EVP_PKEY
else if the RSA key was created correctly
  free the RSA key

--
Ken Goldman   [EMAIL PROTECTED]
914-784-7646 (863-7646)


RSA keys

2007-03-16 Thread timo.tolkki
Hi all,

Someone of you can tell me how can I extract public and private keys from RSA 
structure returned by the function RSA_generate_key?

I'm using openssl in my c++ simulation work and I must exchange public keys 
between simulated server and client, I cannot exchange the whole RSA structure!?

Thanks in advance,
Timo




Re: RSA keys

2007-03-16 Thread Marek Marcola
Hello,
 
> Someone of you can tell me how can I extract public and private keys from RSA
> structure returned by the function RSA_generate_key?
>
> I'm using openssl in my c++ simulation work and I must exchange public keys
> between simulated server and client, I cannot exchange the whole RSA
> structure!?

#include <stdio.h>
#include <stdlib.h>

#include <openssl/bn.h>
#include <openssl/rsa.h>

int main()
{
    RSA *r;

    r = RSA_generate_key(32,656537,NULL,NULL);
    if( r==NULL ) {
        printf("Key failed");
        exit(1);
    } else {
        printf("public modulus (n):\n");
        printf("   %s\n",BN_bn2hex(r->n));

        printf("public exponent (e):\n");
        printf("   %s\n",BN_bn2hex(r->e));

        printf("private exponent (d):\n");
        printf("   %s\n",BN_bn2hex(r->d));

        printf("secret prime factor (p):\n");
        printf("   %s\n",BN_bn2hex(r->p));
        printf("secret prime factor (q):\n");
        printf("   %s\n",BN_bn2hex(r->q));

        printf("dmp1 [ d mod (p-1) ]:\n");
        printf("   %s\n",BN_bn2hex(r->dmp1));
        printf("dmq1 [ d mod (q-1) ]:\n");
        printf("   %s\n",BN_bn2hex(r->dmq1));

        printf("iqmp [ q^-1 mod p ]:\n");
        printf("   %s\n",BN_bn2hex(r->iqmp));
    }

    printf("RSA SIZE: %d\n", RSA_size(r));

    return(0);
}

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Problem with d2i functions and RSA keys in C

2007-03-05 Thread Florian MANACH

Hi,

I'm trying to encrypt and decrypt data using RSA.

In order to test, I generated a key pair using openssl rsa -outform DER 
and I transformed it into a C array getting this :
  
   unsigned char clepriv_der[] = {
   0x30, 0x81, 0xab, 0x02, 0x01, 0x00, 0x02, 0x21, 0x00, 0xdb, 0x46, 0x81,
   0xdc, 0x1c, 0xc4, 0x6a, 0x7d, 0xa3, 0xcc, 0xc1, 0x60, 0x91, 0x5e, 0x5a,
   0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d, 0xa0, 0x8e, 0x25, 0x17,
   0xa7, 0xfb, 0x46, 0x15, 0x57, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x20,
   0x1e, 0xa9, 0x41, 0x47, 0x52, 0x0e, 0x75, 0x05, 0x94, 0x7d, 0xf1, 0x1c,
   0x5b, 0xb7, 0x61, 0xe7, 0xd7, 0xd9, 0x1f, 0x1e, 0xd7, 0x36, 0xf8, 0xfe,
   0xb5, 0xd3, 0xa9, 0x41, 0xc0, 0x9e, 0x48, 0xa1, 0x02, 0x11, 0x00, 0xf2,
   0x5e, 0x7e, 0x7c, 0x81, 0xe3, 0x78, 0x93, 0x22, 0xa9, 0xd4, 0xb7, 0x36,
   0xe6, 0x57, 0x83, 0x02, 0x11, 0x00, 0xe7, 0x9b, 0x85, 0xa0, 0xa4, 0x25,
   0x39, 0x03, 0x9e, 0x97, 0xc7, 0xfc, 0x39, 0x5d, 0xce, 0x9d, 0x02, 0x11,
   0x00, 0xe1, 0xe5, 0xb6, 0xe8, 0x9f, 0x3b, 0x7f, 0x97, 0x4b, 0xb8, 0x94,
   0xdd, 0x8b, 0x1a, 0xd7, 0xb7, 0x02, 0x10, 0x6c, 0x45, 0x62, 0xf1, 0x96,
   0xea, 0xa3, 0xbd, 0x92, 0x6d, 0x28, 0x1b, 0x3c, 0x02, 0x23, 0x6d, 0x02,
   0x11, 0x00, 0xa4, 0x69, 0xd3, 0x20, 0x2c, 0xd4, 0x07, 0xd8, 0x3d, 0x7a,
   0x50, 0x0f, 0xc4, 0xb3, 0x94, 0x91
   };

   unsigned char clepub_der[] = {
   0x30, 0x3c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
   0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x2b, 0x00, 0x30, 0x28, 0x02, 0x21,
   0x00, 0xdb, 0x46, 0x81, 0xdc, 0x1c, 0xc4, 0x6a, 0x7d, 0xa3, 0xcc, 0xc1,
   0x60, 0x91, 0x5e, 0x5a, 0xf1, 0x79, 0x75, 0x76, 0x33, 0x73, 0x4c, 0x4d,
   0xa0, 0x8e, 0x25, 0x17, 0xa7, 0xfb, 0x46, 0x15, 0x57, 0x02, 0x03, 0x01,
   0x00, 0x01
   };

   When I try to use them, I use this code :


   RSA *clefpub;
   RSA *clefpriv;

   unsigned char *pub;
   unsigned char *priv;

   pub=clepub_der;
   priv=clepriv_der;

   clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
   clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
   puts("Chargement des clés terminé");          /* "Key loading finished" */

   if(RSA_check_key(clefpub)!=1) {
   puts("Erreur vérification de clé publique");  /* "Public key check error" */
   exit(-1);
   } else puts("Clé publique valide");           /* "Public key valid" */

   if(RSA_check_key(clefpriv)!=1) {
   puts("Erreur vérification de clé privée");    /* "Private key check error" */
   exit(-1);
   } else puts("Clé privée valide");             /* "Private key valid" */

  
   During execution, there is a segmentation fault in RSA_check_key.


   I tried by initialising the RSA pointers with RSA_new and got the 
same problem and also using d2i_RSAPublicKey instead of d2i_RSA_PUBKEY.


   Thank you for your replies.

--
Florian Manach
NUMLOG
[EMAIL PROTECTED]
(+33)0130791616



Re: Problem with d2i functions and RSA keys in C

2007-03-05 Thread Marek Marcola
Hello,

> clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
> clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
> puts("Chargement des clés terminé");
You should check return code of this two functions, probably first
function returns NULL and in RSA_check you have crash.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: Problem with d2i functions and RSA keys in C

2007-03-05 Thread Florian MANACH

Hi Marek, thx for the answer

This functions return : 


804b298 and 804b0d0

That seems to be a pointer on a RSA object and that seems to mean that there is 
no error.

Regards,

--
Florian Manach
NUMLOG
[EMAIL PROTECTED]
(+33)0130791616



Marek Marcola wrote:

> Hello,
>
>> clefpub=d2i_RSA_PUBKEY(NULL,(const unsigned char**)&pub,62);
>> clefpriv=d2i_RSAPrivateKey(NULL,(const unsigned char**)&priv,230);
>> puts("Chargement des clés terminé");
>
> You should check return code of this two functions, probably first
> function returns NULL and in RSA_check you have crash.
>
> Best regards,
  




Re: Problem with d2i functions and RSA keys in C

2007-03-05 Thread Marek Marcola
Hello,
> This functions return :
>
> 804b298 and 804b0d0
>
> That seems to be a pointer on a RSA object and that seems to mean that there
> is no error.
Yes, this looks good, but after looking at documentation
for RSA_check_key() there is information that this function
checks integrity of all private key components (p,q,d ...)
and of course in public key we have only n and e so
this checking can not be performed.
But, should this function core dump in this situation ?
Probably not.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
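
A toy version of the consistency checks discussed in this reply, on 64-bit integers instead of BIGNUMs, showing why a structure that holds only n and e cannot be checked as a private key. This is an added example, not OpenSSL's RSA_check_key() source; toy_rsa, toy_check_key and the status codes are hypothetical names, and the sample key is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Same fields as the RSA dump posted on this page. 0 stands for "absent",
 * like the NULL BIGNUM pointers of a key loaded from public data only. */
typedef struct {
    uint64_t n, e, d, p, q, dmp1, dmq1, iqmp;
} toy_rsa;

/* Status codes of this example only; not OpenSSL's return convention. */
typedef enum { KEY_BAD = 0, KEY_OK = 1, KEY_NOT_PRIVATE = 2 } key_status;

/* Constructed sample: the textbook key built from p=61 and q=53. */
const toy_rsa SAMPLE_PRIVATE = { 3233, 17, 2753, 61, 53, 53, 49, 38 };
const toy_rsa SAMPLE_PUBLIC  = { 3233, 17, 0, 0, 0, 0, 0, 0 };

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b != 0) {
        uint64_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* (a * b) mod m by double-and-add, without overflow for m < 2^63. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t r = 0;

    a %= m;
    for (b %= m; b != 0; b >>= 1) {
        if (b & 1)
            r = (r + a) % m;
        a = (a + a) % m;
    }
    return r;
}

/* Trial division; enough for the small primes of a toy key. */
static int is_prime(uint64_t x)
{
    uint64_t f;

    if (x < 2)
        return 0;
    for (f = 2; f * f <= x; f++)
        if (x % f == 0)
            return 0;
    return 1;
}

key_status toy_check_key(const toy_rsa *k)
{
    uint64_t lambda;

    if (k == NULL || k->n == 0 || k->e == 0)
        return KEY_BAD;
    /* A public key carries only n and e: report that, instead of
     * dereferencing components that are not there. */
    if (k->d == 0 || k->p == 0 || k->q == 0)
        return KEY_NOT_PRIVATE;
    /* Keep the toy arithmetic inside 64 bits. */
    if ((k->p >> 31) != 0 || (k->q >> 31) != 0)
        return KEY_BAD;
    if (!is_prime(k->p) || !is_prime(k->q) || k->p * k->q != k->n)
        return KEY_BAD;
    /* d must invert e modulo lcm(p-1, q-1). */
    lambda = (k->p - 1) / gcd64(k->p - 1, k->q - 1) * (k->q - 1);
    if (mulmod(k->d, k->e, lambda) != 1)
        return KEY_BAD;
    /* The CRT values may be absent, but if present they must match. */
    if (k->dmp1 != 0 && k->dmp1 != k->d % (k->p - 1))
        return KEY_BAD;
    if (k->dmq1 != 0 && k->dmq1 != k->d % (k->q - 1))
        return KEY_BAD;
    if (k->iqmp != 0 && (k->iqmp >= k->p || mulmod(k->iqmp, k->q, k->p) != 1))
        return KEY_BAD;
    return KEY_OK;
}
```
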



Re: Problem with d2i functions and RSA keys in C

2007-03-05 Thread Florian MANACH
The RSA_check_key doesn't core dump with the private key if I remove the 
one with the public key.


I'll try to continue in this way and I'll let you know.

Thanks a lot,

Best regards,

Marek Marcola wrote:

> Hello,
>
>> This functions return :
>>
>> 804b298 and 804b0d0
>>
>> That seems to be a pointer on a RSA object and that seems to mean that there is
>> no error.
>
> Yes, this looks good, but after looking at documentation
> for RSA_check_key() there is information that this function
> checks integrity of all private key components (p,q,d ...)
> and of course in public key we have only n and e so
> this checking can not be performed.
> But, should this function core dump in this situation ?
> Probably not.
>
> Best regards,
  



--
Florian Manach
NUMLOG
[EMAIL PROTECTED]
(+33)0130791616



Re: Problem with d2i functions and RSA keys in C

2007-03-05 Thread Florian MANACH

My soft is running well now...

Thx a lot Marek,

Best regards,


Florian MANACH wrote:
> The RSA_check_key doesn't core dump with the private key if I remove
> the one with the public key.
>
> I'll try to continue in this way and I'll let you know.
>
> Thanks a lot,
>
> Best regards,
>
> Marek Marcola wrote:
>
>> Hello,
>>
>>> This functions return :
>>> 804b298 and 804b0d0
>>>
>>> That seems to be a pointer on a RSA object and that seems to mean
>>> that there is no error.
>>
>> Yes, this looks good, but after looking at documentation
>> for RSA_check_key() there is information that this function
>> checks integrity of all private key components (p,q,d ...)
>> and of course in public key we have only n and e so
>> this checking can not be performed.
>> But, should this function core dump in this situation ?
>> Probably not.
>>
>> Best regards,
  






--
Florian Manach
NUMLOG
[EMAIL PROTECTED]
(+33)0130791616



Generating RSA keys using the Openssl's Crypto API

2007-01-07 Thread A S

Hi all,

I want to generate an RSA key pair from a c/c++ program using Openssl's API.

I saw that there is an RSA_generate_key() function, but it requires an 
initialization of the random generator.


Could anyone explain me how to initialize the random generator (on Linux)? A 
short c sample of the generation would be of a great help!


Thanks in advance.


Re: Generating RSA keys using the Openssl's Crypto API

2007-01-07 Thread Marek Marcola
Hello,
> I want to generate an RSA key pair from a c/c++ program using Openssl's API.
>
> I saw that there is an RSA_generate_key() function, but it requires an
> initialization of the random generator.
RSA_generate_key() when generating RSA p and q primes requires probably
seeded RNG but all rand functions perform self seeding (if possible).
If RSA_generate_key() returns no error then RNG was properly self seeded
(if not seeded before).

> Could anyone explain me how to initialize the random generator (on Linux)?
Something like:
RAND_load_file("/dev/urandom", 1024);
should be enough.

> A short c sample of the generation would be of a great help!
Some simple example attached.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

#include <stdio.h>
#include <stdlib.h>

#include <openssl/bn.h>
#include <openssl/rsa.h>

int main()
{
	RSA *r;

	r = RSA_generate_key(32,656537,NULL,NULL);
	if( r==NULL ) {
		printf("Key failed");
		exit(1);
	} else {
		printf("public modulus (n):\n");
		printf("   %s\n",BN_bn2hex(r->n));

		printf("public exponent (e):\n");
		printf("   %s\n",BN_bn2hex(r->e));

		printf("private exponent (d):\n");
		printf("   %s\n",BN_bn2hex(r->d));

		printf("secret prime factor (p):\n");
		printf("   %s\n",BN_bn2hex(r->p));
		printf("secret prime factor (q):\n");
		printf("   %s\n",BN_bn2hex(r->q));

		printf("dmp1 [ d mod (p-1) ]:\n");
		printf("   %s\n",BN_bn2hex(r->dmp1));
		printf("dmq1 [ d mod (q-1) ]:\n");
		printf("   %s\n",BN_bn2hex(r->dmq1));

		printf("iqmp [ q^-1 mod p ]:\n");
		printf("   %s\n",BN_bn2hex(r->iqmp));
	}

	printf("RSA SIZE: %d\n", RSA_size(r));

	return(0);
}


Re: Generating RSA keys using the Openssl's Crypto API

2007-01-07 Thread Marek Marcola
Hello,
>> A short c sample of the generation would be of a great help!
> Some simple example attached.
Of course you should use something like:
r = RSA_generate_key(1024,RSA_F4,NULL,NULL);

There were some tests :-)

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Problems to sign data with encrypted RSA keys!

2006-10-27 Thread Camila Moraes
Hi!

I'm having some problems to sign my data with encrypted RSA keys. I'm doing the following sequence:

// Create the RSA key pair and write into PEM files
RSA *pair = RSA_generate_key(1024, 3, NULL, NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, pair);
FILE *fp = fopen("rsaprivatekey.pem", "w");
const EVP_CIPHER *c = EVP_des_ede3_cbc(); // *encrypt with 3-des
string password = "abc123";
int klen = password.length();
unsigned char *kstr = new unsigned char[klen];
memcpy(kstr, password.c_str(), klen);
PEM_write_PrivateKey(fp,pkey, c, kstr, klen, NULL, NULL); // write the private key into a file
fclose(fp);
//  Writes the public key into a file
fp = fopen("rsapublickey.pem", "w");
PEM_write_RSAPublicKey(fp,pair);
fclose(fp);

// Read the PEM files
string password = "abc123";
FILE *fp = fopen("rsaprivatekey.pem", "r");
int klen = password.length();
unsigned char *kstr = new unsigned char[klen];
memcpy(kstr, password.c_str(), klen);
EVP_PKEY *pkey = PEM_read_PrivateKey(fp, NULL, NULL, kstr);
fclose(fp);

// Try to sign the data
EVP_MD_CTX ctx;
EVP_MD_CTX_init(&ctx);
const EVP_MD *digest_type = EVP_sha1(); // *** I must use SHA1 as digest algorithm
EVP_SignInit_ex(&ctx, digest_type, NULL);
EVP_SignUpdate(&ctx, data, data_len); //data has some content
unsigned char sig[EVP_PKEY_size(pkey)];
unsigned int siglen = 0;
// Sign the data with RSA-SHA1
EVP_SignFinal(&ctx, sig, &siglen, pkey); // ** HERE I HAVE AN ERROR:
// ERROR: (error:0606B06E:lib(6):func(107):reason(110)) =  This means function SignFinal, reason EVP_R_WRONG_PUBLIC_KEY_TYPE.

When I try with encrypted DSA keys it works, and with unencrypted RSA keys it works too. What is the problem with my encrypted RSA keys above??

Thanks for the help!


Re: Loading RSA keys from file.

2005-05-11 Thread Angel Martinez Gonzalez



Hello:

I send you a function that read RSA public and 
private key from a file:

RSA *RecuperaClavesRSA(int type, char *pemfile)
{
  FILE *fp;
  RSA *key=NULL;

  switch (type){
  case READPUB:
    if((fp = fopen(pemfile,"r")) == NULL) {
      fprintf(stderr,"Error: Public Key file doesn't exists.\n");
      exit(EXIT_FAILURE);
    }
    if((key = PEM_read_RSAPublicKey(fp,NULL,NULL,NULL)) == NULL) {
      fprintf(stderr,"Error: problems while reading Public Key.\n");
      exit(EXIT_FAILURE);
    }
    fclose(fp);
    printf("RSA size: %d", RSA_size(key));

    return key;
    break;
  case READSEC:
    if((fp = fopen(pemfile,"r")) == NULL) {
      fprintf(stderr,"Error: Private Key file doesn't exists.\n");
      exit(EXIT_FAILURE);
    }
    if((key = PEM_read_RSAPrivateKey(fp,NULL,NULL,NULL)) == NULL) {
      fprintf(stderr,"Error: problmes while reading Private Key. %d %s\n",type,pemfile);
      exit(EXIT_FAILURE);
    }
    fclose(fp);
    if(RSA_check_key(key) == -1) {
      fprintf(stderr,"Error: Problems while reading RSA Private Key in '%s' file.\n",pemfile);
      exit(EXIT_FAILURE);
    } else if(RSA_check_key(key) == 0) {
      fprintf(stderr,"Error: Bad RSA Private Key readed in '%s' file.\n",pemfile);
      exit(EXIT_FAILURE);
    }
    else
      return key;
    break;
  }
  return key;
}

If the parameter "type" is "READPUB" it read the 
public key from the file "pemfile", and if this parameter is "READSEC", it read 
the private key.

Too, this function show RSA size 
correctly.

I hope this function solve your 
problem.

Regards.

P.D.: Your name remember me a very famous song of 
Eric Clapton ... ;-)


Loading RSA keys from file.

2005-05-10 Thread Layla
I'm still not able to load the key from its file and I'm still encountering an error when I use RSA_size(); a run time error occurred when I try to print the returned size. I'm including a segment of my code after modification:


RSA *apub;
FILE *f;


seed_prng(); // my function for seeding PRNG

//Allocating apub
apub = RSA_new();

if ( apub == NULL)
 //print error message

//open key file
f= fopen ("a_rsa_public","r");
if (f == NULL)
 //print error message

//Loading key
apub = PEM_read_RSAPublicKey(f, apub, 0,0); //a run time error occurs here
if (apub == NULL)
{
 // print error message
 return -1;
}

/* if I try the following line after the allocation of the RSA object I get a runtime error as well*/
printf("RSA size: %d", RSA_size(apub));
***
I'm thankful for any help I can get.

Sebastian [EMAIL PROTECTED] wrote:
> Hmm,
>
> take a look at routines like RSA_new() to create RSA structures. As you
> coded 'sizeof apub', this will return the size of a _pointer_ - assuming
> a 32-bit architecture you will get round about four bytes ;-).
>
> See: http://www.openssl.org/docs/crypto/RSA_new.html
>
> The runtime error is caused by calling RSA_size() with a null pointer -
> unfortunately RSA_size() doesn't like null pointers.
>
> See: http://www.openssl.org/docs/crypto/RSA_size.html
>
> Good luck,
> Sebastian
>
>> Hi all,
>>
>> I'm trying to develop a C++ application to encrypt and decrypt data
>> using RSA public key cryptography scheme. I have generated the
>> public/private keys using OpenSSL command line tool. The following C++
>> code should read a public key, encrypt data, read private key and
>> decrypt the data:
>>
>> #include
>> #include
>> #include
>> #include
>> #include
>>
>> int main()
>> {
>>   char *message ="Hello World!";
>>   RSA *apub;
>>   RSA *aprivate;
>>   FILE *f;
>>   int ret;
>>   unsigned char *buf;
>>   unsigned char *e_data;
>>   unsigned char *clear_text;
>>
>>   //Get key
>>   f= fopen("a_rsa_public","rb");
>>   if(f == NULL)
>>   {
>>     printf("\nError opening public key file");
>>     return -1;
>>   }
>>   else
>>     printf("\n Public key file opened");
>>
>>   //load the key
>>   if ( fread(apub,sizeof apub,1,f) != 1)
>>   {
>>     printf("\nError reading public key");
>>     return -1;
>>   }
>>   else
>>     printf("\nPublic key read");
>>
>>   //close the key file
>>   fclose(f);
>>
>>   buf = (unsigned char *) malloc(strlen(message));
>>   memcpy(buf,message,strlen(message));
>>
>>   e_data = (unsigned char *) malloc(RSA_size(apub)); // THIS is where i get a run time error
>>
>>   //encrypt data
>>   RSA_public_encrypt(strlen(message),buf, e_data, apub, RSA_PKCS1_OAEP_PADDING);
>>
>>   //--decrypt
>>   //Get key
>>   f= fopen("a_rsa_private","rb");
>>   if(f == NULL)
>>   {
>>     printf("\nError opening private key file");
>>     return -1;
>>   }
>>   //load the key
>>   ret = fread(aprivate,sizeof(aprivate),1,f);
>>   //close the key file
>>   fclose(f);
>>
>>   //make sure we loaded ok
>>   if(ret != 1)
>>   {
>>     printf("\nError reading private key");
>>     return -1;
>>   }
>>
>>   clear_text= (unsigned char *) malloc(strlen(message));
>>   RSA_private_decrypt(strlen((char*)e_data), e_data, clear_text, aprivate, RSA_PKCS1_OAEP_PADDING);
>>   return 0;
>> }
>>
>> ***
>> At first I used to get a run time error in the RSA_public_encrypt(...);
>> and I figured caused I had e_data initialized as:
>> e_data = (unsigned char *) malloc(strlen(message)*4);
>>
>> So instead I used :
>> e_data = (unsigned char *) malloc(RSA_size(apub));
>> and now I'm getting a run time as this line is encountered.
>>
>> I'm sure someone with experience would be able to spot my mistake.
>>
>> I thank you all in advance for your help.

Re: Loading RSA keys from file.

2005-05-10 Thread Angel Martinez Gonzalez



Hello Layla:

Maybe your error will disappear if you change the
following:

apub = PEM_read_RSAPublicKey(f, NULL, NULL, NULL); 

Regards.



Re: Loading RSA keys from file.

2005-05-10 Thread Layla
Hi Angel,
Thank you for your response. I have changed my code with accordance to your suggestion but I'm still getting a runtime error when attempting to read the key from its file.
So far I'm having trouble with 1- reading the key from file, and 2- RSA_size() , this function generates a runtime error when encountered as well. I can't think of anything since I'm initializing my RSA object. 
Suggestions ? 
Angel Martinez Gonzalez [EMAIL PROTECTED] wrote:




Hello Layla:

Maybe, your error disapear if you will change the following:

apub = PEM_read_RSAPublicKey(f, NULL, NULL, NULL); 

Regards.

- Original Message - 
From: Layla 
To: openssl-users@openssl.org 
Sent: Tuesday, May 10, 2005 9:30 AM
Subject: Loading RSA keys from file.

I'm still not able to load the key from its file and I'm still encountering an error when I use RSA_size();a run time error occured when I try to print the returned size. I'm including a segment of my code after modification:


RSA *apub;
FILE *f;


seed_prng(); // my function for seeding PRNG

//Allocating apub
apub = RSA_new();

if ( apub == NULL)
 //print error mesage

//open key file
f= fopen ("a_rsa_public","r");
if (f == NULL)
 //print error message

//Loading key
apub = PEM_read_RSAPublicKey(f, apub, 0,0); //a run time error occurs here
if (apub == NULL)
{
 // print error message
 return -1;
}

/* if I try the following line after the allocation of the RSA object I get a runtime error as well*/
printf("RSA size: %d", RSA_size(apub);
***
I'm thankful for any help I can get.

Sebastian [EMAIL PROTECTED] wrote:
Hmm,
take a look at routines like RSA_new() to create RSA structures. As you coded 'sizeof apub', this will return the size of a _pointer_ - assuming a 32-bit architecture you will get round about four bytes ;-).
See: http://www.openssl.org/docs/crypto/RSA_new.html

The runtime error is caused by calling RSA_size() with a null pointer - unfortunately RSA_size() doesn't like null pointers.
See: http://www.openssl.org/docs/crypto/RSA_size.html

Good luck,
Sebastian

Hi all,

I'm trying to develop a C++ application to encrypt and decrypt data using RSA public key cryptography scheme. I have generated the public/private keys using OpenSSL command line tool. The following C++ code should read a public key, encrypt data, read private key and decrypt the data:

#include
#include
#include
#include
#include

int main()
{
  char *message ="Hello World!";
  RSA *apub;
  RSA *aprivate;
  FILE *f;
  int ret;
  unsigned char *buf;
  unsigned char *e_data;
  unsigned char *clear_text;

  //Get key
  f= fopen("a_rsa_public","rb");
  if(f == NULL)
  {
    printf("\nError opening public key file");
    return -1;
  }
  else
    printf("\n Public key file opened");

  //load the key
  if ( fread(apub,sizeof apub,1,f) != 1)
  {
    printf("\nError reading public key");
    return -1;
  }
  else
    printf("\nPublic key read");

  //close the key file
  fclose(f);

  buf = (unsigned char *) malloc(strlen(message));
  memcpy(buf,message,strlen(message));

  e_data = (unsigned char *) malloc(RSA_size(apub)); // THIS is where i get a run time error

  //encrypt data
  RSA_public_encrypt(strlen(message),buf, e_data, apub, RSA_PKCS1_OAEP_PADDING);

  //--decrypt
  //Get key
  f= fopen("a_rsa_private","rb");
  if(f == NULL)
  {
    printf("\nError opening private key file");
    return -1;
  }

  //load the key
  ret = fread(aprivate,sizeof(aprivate),1,f);

  //close the key file
  fclose(f);

  //make sure we loaded ok
  if(ret != 1)
  {
    printf("\nError reading private key");
    return -1;
  }

  clear_text= (unsigned char *) malloc(strlen(message));
  RSA_private_decrypt(strlen((char*)e_data), e_data, clear_text, aprivate, RSA_PKCS1_OAEP_PADDING);
  return 0;
}

***
At first I used to get a run time error in the RSA_public_encrypt(...); and I figured caused I had e_data initialized as:
e_data = (unsigned char *) malloc(strlen(message)*4);
So instead I used :
e_data = (unsigned char *) malloc(RSA_size(apub));
and now I'm getting a run time as this line is encountered.

I'm sure someone with experience would be able to spot my mistake.

I thank you all in advance for your help.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]



Re: Loading RSA keys from file.

2005-05-10 Thread El hallabi-Kettani Abderrahmane
try 

pubKey=*PEM_read_RSA_PUBKEY(file, NULL,NULL,NULL);

in the place of PEM_read_RSAPublicKey.
If it doesn't work, try to use the load_key function
with a PEM format in apps.c. I didn't remember where
you can find it, I'm not sure.

good luck.

Abdou,









RSA keys file formats

2005-04-04 Thread Stanislaw Findeisen
Hello,
Where can I get the description of private and public key file formats used 
by OpenSSL for RSA (SSH2) implementation? I need to parse those files.

Thank you.
--
   http://www.nglogic.com
   Enter through the narrow gate! (Mt 7:13-14)


Re: RSA keys file formats

2005-04-04 Thread Dr. Stephen Henson
On Mon, Apr 04, 2005, Stanislaw Findeisen wrote:

 Hello,
 
 Where can I get the description of private and public key file formats used 
 by OpenSSL for RSA (SSH2) implementation? I need to parse those files.
 

The manual pages.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RSA Keys Onto SmartCard ???

2004-03-12 Thread Surrealistic Dreamer
Hi ...

I'm trying to write my OpenSSL generated RSA keys onto a cryptoki (smart 
card) using PKCS#11 ... PKCS#11 requires the individual key parameters (p, 
q, d, e, n, d mod q-1, d mod p-1) in 'unsigned char*' format, or a binary 
string in general ... I'm trying to use the BigNumber library function 
BN_bn2bin to convert the RSA key parameters to binary strings ... but 
calling the PKCS#11 function (which works fine with hard-coded data values) 
throws an invalid data error ...

Can anybody help ?

Peter.



Ephemeral RSA Keys

2002-05-24 Thread Joel Daniels

From what I understand Ephemeral Keys will keep someone who steals my
private key from being able to decrypt my SSL communication.  He can still
use a man-in-the-middle attack of course.

The SSL_CTX_set_options documentation says:

SSL_OP_EPHEMERAL_RSA

Always use ephemeral (temporary) RSA key when doing RSA operations (see
SSL_CTX_set_tmp_rsa_callback(3)). According to the specifications this is
only done, when a RSA key can only be used for signature operations (namely
under export ciphers with restricted RSA keylength). By setting this option,
ephemeral RSA keys are always used. This option breaks compatibility with
the SSL/TLS specifications and may lead to interoperability problems with
clients and should therefore never be used. Ciphers with EDH (ephemeral
Diffie-Hellman) key exchange should be used instead.





I however am developing both the client and the server, are there any
reasons why I should use Ephemeral RSA vs. Ephemeral DH?


Also are there any reasons why I should not use Ephemeral Keys period?

   - Joel Daniels




Re: Ephemeral RSA Keys

2002-05-24 Thread Lutz Jaenicke

On Fri, May 24, 2002 at 10:14:40AM -0600, Joel Daniels wrote:
 From what I understand Ephemeral Keys will keep someone who steals my
 private key from being able to decrypt my SSL communication.  He can still
 use a man-in-the-middle attack of course.
 
 The SSL_CTX_set_options documentation says:
 
 SSL_OP_EPHEMERAL_RSA
 
 Always use ephemeral (temporary) RSA key when doing RSA operations (see
 SSL_CTX_set_tmp_rsa_callback(3)). According to the specifications this is
 only done, when a RSA key can only be used for signature operations (namely
 under export ciphers with restricted RSA keylength). By setting this option,
 ephemeral RSA keys are always used. This option breaks compatibility with
 the SSL/TLS specifications and may lead to interoperability problems with
 clients and should therefore never be used. Ciphers with EDH (ephemeral
 Diffie-Hellman) key exchange should be used instead.
 
 I however am developing both the client and the server, are there any
 reasons why I should use Ephemeral RSA vs. Ephemeral DH?
 
 Also are there any reasons why I should not use Ephemeral Keys period?

Ephemeral keys improve your security due to the provided forward secrecy
you already mention. It becomes impossible for an attacker to decrypt
past communication. Future communication also stays secure as long as
the attacker can only listen. Mounting a man-in-the-middle attack may
not be too difficult, but the risk of being detected is far higher than
it is when just eavesdropping.
The price is a performance penalty.
For a discussion of ephemeral RSA vs. ephemeral DH: I don't know. When
switching from SSH-1 to SSH-2, RSA session keys were replaced with DH
ones, but that may have been for patent reasons. Maybe somebody else
can spread more light on this point.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: Ephemeral RSA Keys

2002-05-24 Thread Bear Giles

 For a discussion of ephemeral RSA vs. ephemeral DH: I don't know. When
 switching from SSH-1 to SSH-2, RSA session keys were replaced with DH
 ones, but that may have been for patent reasons. Maybe somebody else
 can spread more light on this point.

There's a bit of a discussion in _SSL and TLS_.

As I understand the issues (I just skimmed the sections), with 
ephemeral DH you can generate a new key inexpensively.  Probably 
something as simple as generating a very large random number X
and computing g^x mod p (where g and p are specified in the
DH parameter file).  This means you can generate a new key for
every session, providing maximum security (short of regenerating
the DH *parameters* every time!)

In contrast, RSA keys have to be regenerated every time.  That's
expensive, so implementations will typically cache the key and
reuse it for a while.  This puts all of those sessions into the
same boat, security-wise.

There are also some efficiency considerations since the private
and public keys in RSA tend to be about the same size, while DH
keys (I think) tend to have much smaller private keys, I think it's
a fixed size of something like 80 or 128 bits.  (I know this is the
case with DSA, but I'm not 100% sure about DH.)  This smaller
private key makes some operations more efficient without compromising
security.

Bear



Re: [offtopic] Importing openssl RSA keys to gnupg.

2002-05-14 Thread Augusto Marcacini

Hi,

I've already done this with PGP for Windows. It works OK and we can see the
certificate common fields.

I'd like to import X.509 certificates and private keys to gnupg also. But I
think (not for sure) that gnupg doesn't support it. If anyone knows how to do
it and if it's possible, I also want to know.

regards,

Augusto Marcacini


On 23 Apr 2002 at 23:34, Kalyan Varma wrote:

 
 
 
 I have a small issue.
 
 I have couple of RSA keys ( generated by openssl ). Now I want to import
 them and use them in gnupg. I know we can't do this directly, but does
 anyone have any idea ??
 
 thanks,
 
 - kalyan
 
 



BSafe RSA keys

2002-03-08 Thread abogomolov

Hi,
I am working on putting OpenSSL into our app.
However, we are required to use RSA keys
that are produced with BSafe by another app.
Does anybody know how to get BSafe RSA Private key to work with open ssl?
I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER)
However that does not work with d2i_RSAPrivatekey - it complains that
header is too long.
I guess that's because B_GetKeyInfo in this case returns PKCS#8
PrivateKeyInfo, which is not what open ssl expects on the input.

Could someone help me out?


Thank you
Alex





RE: BSafe RSA keys

2002-03-08 Thread Prashant Kumar

Alex,

I guess B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER)
returns an ASN1 of PrivateKeyInfo PDU. You have to extract
RSAPrivateKey PDU from this PrivateKeyInfo PDU. Once you
get RSAPrivateKey PDU you can then use SSL_CTX_use_PrivateKey_ASN1
API to set the private key.

To do all these things I followed a very roundabout way. First
I store the private key (I mean the PrivateKeyInfo PDU) in the BER
ASN1 format (I don't apply B_SetKeyInfo to convert B_KEY_OBJ).
Next, I decode the PrivateKeyInfo PDU to extract the RSAPrivateKey
structure. Once I extract the RSAPrivateKey structure I encode this
structure to generate RSAPrivateKey PDU.

There should be a better way to do it!

Regards,
Prashant.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: BSafe RSA keys


Hi,
I am working on putting OpenSSL into our app.
However, we are required to use RSA keys
that are produced with BSafe by another app.
Does anybody know how to get BSafe RSA Private key to work with open ssl?
I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER)
However that does not work with d2i_RSAPrivatekey - it complains that
header is too long.
I guess that's because B_GetKeyInfo in this case returns PKCS#8
PrivateKeyInfo, which is not what open ssl expects on the input.

Could someone help me out?


Thank you
Alex





RE: BSafe RSA keys

2002-03-08 Thread abogomolov


I have more questions regarding your response since I am relatively new to
this stuff:
What's PDU?
How do you decode PrivateKeyInfo PDU to extract PrivateKeyInfo PDU struct?
And how do you then encode it?


Thank you
Alex





   
  
Prashant Kumar prkumar@nortelnetworks.com
Sent by: owner-openssl-users@openssl.org
03/08/02 12:19 PM
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: RE: BSafe RSA keys
  
   
  
   
  




Alex,

I guess B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER)
returns an ASN1 of PrivateKeyInfo PDU. You have to extract
RSAPrivateKey PDU from this PrivateKeyInfo PDU. Once you
get RSAPrivateKey PDU you can then use SSL_CTX_use_PrivateKey_ASN1
API to set the private key.

To do all these things I followed a very roundabout way. First
I store the private key (I mean the PrivateKeyInfo PDU) in the BER
ASN1 format (I don't apply B_SetKeyInfo to convert B_KEY_OBJ).
Next, I decode the PrivateKeyInfo PDU to extract the RSAPrivateKey
structure. Once I extract the RSAPrivateKey structure I encode this
structure to generate RSAPrivateKey PDU.

There should be a better way to do it!

Regards,
Prashant.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 08, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: BSafe RSA keys


Hi,
I am working on putting OpenSSL into our app.
However, we are required to use RSA keys
that are produced with BSafe by another app.
Does anybody know how to get BSafe RSA Private key to work with open ssl?
I tried to use the output of B_GetKeyInfo(buffer, obj,KI_PKCS_RSAPrivateBER)
However that does not work with d2i_RSAPrivatekey - it complains that
header is too long.
I guess that's because B_GetKeyInfo in this case returns PKCS#8
PrivateKeyInfo, which is not what open ssl expects on the input.

Could someone help me out?


Thank you
Alex
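
The unwrapping step discussed in this thread (taking the RSAPrivateKey out of a PKCS#8 PrivateKeyInfo), written out as an added example; it is not code from any poster, from OpenSSL or from BSafe. It is a minimal definite-length DER walker in plain C, and the function names, constants and the 34-byte sample (a constructed toy, not a usable key) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element: tag byte plus a view of its contents. */
typedef struct { uint8_t tag; const uint8_t *val; size_t len; } der_tlv;

/* Read one definite-length TLV from buf[0..n). Returns the bytes consumed,
 * or 0 if the element is malformed, truncated or uses a form not handled
 * here (multi-byte tag, BER indefinite length). */
static size_t der_read(const uint8_t *buf, size_t n, der_tlv *out)
{
    size_t hdr = 2, len, nlen, i;

    if (n < 2 || (buf[0] & 0x1f) == 0x1f)
        return 0;
    if (buf[1] < 0x80) {
        len = buf[1];                        /* short form */
    } else {
        nlen = buf[1] & 0x7f;                /* long form: nlen length octets */
        if (nlen == 0 || nlen > sizeof(size_t) || nlen > n - 2)
            return 0;
        for (len = 0, i = 0; i < nlen; i++)
            len = (len << 8) | buf[2 + i];
        hdr += nlen;
    }
    if (len > n - hdr)
        return 0;                            /* contents run past the buffer */
    out->tag = buf[0];
    out->val = buf + hdr;
    out->len = len;
    return hdr + len;
}

/* rsaEncryption, OID 1.2.840.113549.1.1.1, as DER contents octets. */
static const uint8_t OID_RSA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01};

enum { KEY_UNKNOWN = 0, KEY_PKCS8_RSA = 1, KEY_PKCS1_RSA = 2 };

/* Classify a DER private-key blob. For a PKCS#8 PrivateKeyInfo carrying
 * rsaEncryption, *inner / *inner_len are set to the wrapped RSAPrivateKey;
 * for a bare PKCS#1 RSAPrivateKey they are set to the input itself. */
int unwrap_rsa_key(const uint8_t *der, size_t n,
                   const uint8_t **inner, size_t *inner_len)
{
    der_tlv outer, ver, second, oid, key;
    size_t used, off;

    used = der_read(der, n, &outer);
    if (used == 0 || used != n || outer.tag != 0x30)   /* one SEQUENCE, no trailer */
        return KEY_UNKNOWN;
    off = der_read(outer.val, outer.len, &ver);        /* both formats: INTEGER version */
    if (off == 0 || ver.tag != 0x02)
        return KEY_UNKNOWN;
    used = der_read(outer.val + off, outer.len - off, &second);
    if (used == 0)
        return KEY_UNKNOWN;
    if (second.tag == 0x02) {                          /* PKCS#1: INTEGER modulus follows */
        *inner = der;
        *inner_len = n;
        return KEY_PKCS1_RSA;
    }
    if (second.tag != 0x30)                            /* PKCS#8: AlgorithmIdentifier */
        return KEY_UNKNOWN;
    if (der_read(second.val, second.len, &oid) == 0 || oid.tag != 0x06 ||
        oid.len != sizeof(OID_RSA) || memcmp(oid.val, OID_RSA, oid.len) != 0)
        return KEY_UNKNOWN;
    off += used;
    if (der_read(outer.val + off, outer.len - off, &key) == 0 || key.tag != 0x04)
        return KEY_UNKNOWN;                            /* privateKey OCTET STRING */
    *inner = key.val;
    *inner_len = key.len;
    return KEY_PKCS8_RSA;
}

/* Constructed sample: PrivateKeyInfo wrapping a toy, incomplete RSAPrivateKey. */
static const uint8_t SAMPLE_PKCS8[] = {
    0x30,0x20,                                          /* SEQUENCE, 32 bytes */
      0x02,0x01,0x00,                                   /* version 0 */
      0x30,0x0d,                                        /* AlgorithmIdentifier */
        0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
        0x05,0x00,                                      /* NULL parameters */
      0x04,0x0c,                                        /* OCTET STRING, 12 bytes */
        0x30,0x0a, 0x02,0x01,0x00, 0x02,0x02,0x00,0xc1, 0x02,0x01,0x03
};

int main(void)
{
    const uint8_t *inner = NULL;
    size_t inner_len = 0;
    int kind = unwrap_rsa_key(SAMPLE_PKCS8, sizeof(SAMPLE_PKCS8), &inner, &inner_len);

    printf("kind=%d inner_len=%zu\n", kind, inner_len);
    return kind == KEY_PKCS8_RSA ? 0 : 1;
}
```

The returned pointer and length are what a PKCS#1 decoder such as d2i_RSAPrivateKey() expects. OpenSSL's own d2i_PKCS8_PRIV_KEY_INFO() and EVP_PKCS82PKEY() do the same unwrapping inside the library.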





Re: RSA keys auth.

2002-01-07 Thread Bear Giles

 Jeffrey Altman wrote:
 
  A passphrase consisting of human readable/typable text provides
  approximately 2 bits of entropy per character.  
 
 English text contains approx. 3.5 bits of entropy per character.

Password half password of password normal password English password
text password is password not password the password 'password', password 
or password similar password text password.

(I know, the, a, in, of, etc.  But these extremely common 
English words are also extremely short, and are often eliminated
from these entropy counts anyway as 'semantic glue.')



Re: RSA keys auth.

2002-01-06 Thread David Schwartz


Why not use simple challenge/response password authentication?

-- 
David Schwartz
[EMAIL PROTECTED]


On Sun, 6 Jan 2002 00:36:22 -0800 (PST), Vadim Zaliva wrote:
Hi!

I am trying to use OpenSSL to build secure authenticated channel between
client and server. I want server to allow connections only from certain
clients, and I want client to be sure it is connected to the right server.

I see how it could be done using certificates. However for my application
generating certificates would be too complex for end user.

The simplest way I see it would be to use RSA public/private keys: the way
SSH does. So client and server each would have private/public key pairs
generated. When, I would manually add server public key to client side and
client public key to server side (server will possibly have more than one
client key).

Is there anything wrong with the way I am planning to do it? It seems to
me that this should be pretty common usage. If somebody has done this before I
would appreciate any advice. I am new to openssl and still learning basics.

Sincerely, Vadim

--
La perfection est atteinte non quand il ne reste rien a ajouter, mais quand
il ne reste rien a enlever.  (Antoine de Saint-Exupery)







Re: RSA keys auth.

2002-01-06 Thread crispin

On Sun, Jan 06, 2002 at 12:36:22AM -0800, Vadim Zaliva wrote:
 Hi!
 
 I am trying to use OpenSSL to build secure authenticated channel between
 client and server. I want server to allow connections only from certain
 clients, and I want client to be sure it is connected to the right server.
 
 I see how it could be done using certificates. However for my application
 generating certificates would be too complex for end user.
 
 The simplest way I see it would be to use RSA public/private keys: the way
 SSH does. So client and server each would have private/public key pairs
 generated. When, I would manually add server public key to client side and
 client public key to server side (server will possibly have more than one
 client key).
 
 Is there anything wrong with the way I am planning to do it? It seems
 to me that this should be pretty common usage. If somebody has done this
 before I would appreciate any advice. I am new to openssl and still
 learning basics.

This seems fine. The only problem (and it's a problem in ssh as well) is the
weak key binding. It's the warning you get in ssh when you change a host key.
Warning Host key changed. Man in the Middle attack possible. blah blah blah.
Most people just punch in yes and connect. How do you know it's not a man in
the middle attack?

If you use certificates you can change the host key, and the client knows
it's a legitimate change because the key has been signed by a known CA. Thus
you never have such a problem. If the certificate doesn't check out, then you
know for *sure* that something is up.

Of course if you use a strict check on your rsa host key, say that if the rsa
host key doesn't match for that host you refuse a connection, then that's not
a prob.

The other weak key binding problem is when you first connect (unknown host
key, blah blah, should I add it to known hosts?). What if someone has set up
a man-in-the-middle before your first connect. There is no way of knowing. A
certificate removes these problems because if both the client and server know
in advance about the CA (even if the CA is you, not a real CA) then on the
first connect, your client can determine for sure if the host key is legit,
or forged.

So the answer really depends on what you want to do, and how secure is secure?

Kind Regards
Crispin




Re: RSA keys auth.

2002-01-06 Thread Eric Rescorla

Vadim Zaliva [EMAIL PROTECTED] writes:
 I am trying to use OpenSSL to build secure authenticated channel between
 client and server. I want server to allow connections only from certain
 clients, and I want client to be sure it is connected to the right server.
 
 I see how it could be done using certificates. However for my application
 generating certificates would be too complex for end user.
 
 The simplest way I see it would be to use RSA public/private keys: the way
 SSH does. So client and server each would have private/public key pairs
 generated. When, I would manually add server public key to client side and
 client public key to server side (server will possibly have more than one
 client key).
 
 Is there anything wrong with the way I am planning to do it? It seems
 to me that this should be pretty common usage. If somebody has done this
 before I would appreciate any advice. I am new to openssl and still
 learning basics.
This can't be done with SSL exactly the way you want to do it.
The only way that SSL knows how to carry public keys is via
certificates.

Accordingly, what you need to do is use self-signed certificates.
At this point you have two authentication options:
(1) Hardwire in the certificate values (or public key values) on
either side. It's conventional to use a digest of the certificate/key
instead of the actual value.

(2) Do what SSH does for the server. When the client first connects
hope that there's no man-in-the-middle and assume that the certificate
is genuine. Write it down and from that point on check the key
the peer presents against the cached key. As Crispin points out,
this has a few security problems, but it's better than nothing.

Essentially, SSH trusts that the first time you connect you actually
get to the right host. Given the frequency of actual attacks on the
net, this isn't THAT bad an assumption. 

The traditional thing to do with SSH is for the client to get the
server's public key the first time he connects. The client then
authenticates to the server with a password. Once the client
has authenticated he puts his own public key on the server.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
Author of SSL and TLS: Designing and Building Secure Systems
  http://www.rtfm.com/
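
The two options listed in the message above, together with the strict check Crispin mentions earlier in the thread, written out as an added example (not code from any poster or from OpenSSL). It assumes the TLS layer has already computed a SHA-256 digest of the peer's self-signed certificate or public key; all type, function and host names here are hypothetical and the digests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN  32   /* assumed: SHA-256 of the peer certificate or key */
#define MAX_PINS 16
#define HOST_MAX 64

typedef enum {
    PIN_MATCH,         /* presented digest equals the stored pin */
    PIN_FIRST_USE,     /* unknown peer, recorded (trust on first use) */
    PIN_UNKNOWN_HOST,  /* unknown peer, strict mode: refuse */
    PIN_MISMATCH,      /* known peer, different key: refuse, never overwrite */
    PIN_STORE_FULL
} pin_result;

typedef struct {
    char host[HOST_MAX];
    uint8_t digest[PIN_LEN];
} pin_entry;

typedef struct {
    pin_entry entries[MAX_PINS];
    size_t count;
    int strict;   /* 1 = option (1), pre-provisioned pins only; 0 = option (2) */
} pin_store;

/* Compare two digests without an early exit on the first differing byte. */
static int digest_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    size_t i;

    for (i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Provision a pin out of band (what an administrator does in strict mode). */
int pin_add(pin_store *s, const char *host, const uint8_t *digest)
{
    size_t hlen = strlen(host);

    if (s->count == MAX_PINS || hlen >= HOST_MAX)
        return -1;
    memcpy(s->entries[s->count].host, host, hlen + 1);
    memcpy(s->entries[s->count].digest, digest, PIN_LEN);
    s->count++;
    return 0;
}

/* Decide whether to continue a connection to `host` whose certificate
 * hashes to `presented`. A mismatch never replaces the stored pin, so
 * answering "yes" to a changed key is not possible through this path. */
pin_result pin_check(pin_store *s, const char *host, const uint8_t *presented)
{
    size_t i;

    for (i = 0; i < s->count; i++) {
        if (strcmp(s->entries[i].host, host) == 0)
            return digest_equal(s->entries[i].digest, presented)
                       ? PIN_MATCH : PIN_MISMATCH;
    }
    if (s->strict)
        return PIN_UNKNOWN_HOST;
    if (pin_add(s, host, presented) != 0)
        return PIN_STORE_FULL;
    return PIN_FIRST_USE;
}

int main(void)
{
    pin_store store;
    uint8_t good[PIN_LEN], other[PIN_LEN];   /* constructed digests */

    memset(&store, 0, sizeof store);          /* strict = 0: trust on first use */
    memset(good, 0xa1, sizeof good);
    memset(other, 0xb2, sizeof other);

    printf("first connect: %d\n", pin_check(&store, "fw1.example", good));
    printf("same key:      %d\n", pin_check(&store, "fw1.example", good));
    printf("changed key:   %d\n", pin_check(&store, "fw1.example", other));
    return 0;
}
```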
  



Re: RSA keys auth.

2002-01-06 Thread Jeffrey Altman

Besides the fact that using raw public/private key pairs is in my
mind a disaster waiting to happen to all SSH users:

 . they have no notion of identity associated with them

 . they have no notion of trust associated with them

 . they have no notion of usage associated with them

 . they have no ability to be expired 

 . they have no ability to be revoked if compromised

private keys are stored in most cases on the disks of insecure
operating systems protected only by a passphrase chosen by an end user
that knows nothing about security.  An insecure OS is one that is
either unmanageable or one that is not properly maintained from a
security perspective.  No OS maintained by the end user is secure.

A passphrase consisting of human readable/typable text provides
approximately 2 bits of entropy per character.  Therefore, to provide 
an equivalent strength key to protect a 1024 bit private key would 
require a passphrase at least 64 characters long.  Since most
passphrases are significantly shorter, not more than an 8 character 
password, dictionary attacks to extract the private key are highly
effective.

I am simply waiting for the virus/worm that as part of its operation
steals SSH identity and known_hosts files and sends them off to be 
dictionary attacked.  

The difference between raw public/private key pairs and X.509 certs is
that the cert is a centrally managed object that can be revoked.
Something that is revoked cannot be used again by the end user.  In
other words, the end user cannot simply copy re-use their previous
generated key pair.  

If the user can generate a public/private key pair then they can with
appropriate tools provided by you generate a Certificate Signing
Request, send the CSR to your host, have it signed and installed.  It's
more work on your part not on the end users.

- Jeff

 Hi!
 
 I am trying to use OpenSSL to build secure authenticated channel between
 client and server. I want server to allow connections only from certain
 clients, and I want client to be sure it is connected to the right server.
 
 I see how it could be done using certificates. However for my application
 generating certificates would be too complex for end user.
 
 The simplest way I see it would be to use RSA public/private keys: the way
 SSH does. So client and server each would have private/public key pairs
 generated. When, I would manually add server public key to client side and
 client public key to server side (server will possibly have more than one
 client key).
 
 Is there anything wrong with the way I am planning to do it? It seems
 to me that this should be pretty common usage. If somebody has done this
 before I would appreciate any advice. I am new to openssl and still
 learning basics.
 
 Sincerely,
 Vadim
 
 -- 
 La perfection est atteinte non quand il ne reste rien a ajouter, mais
 quand il ne reste rien a enlever.  (Antoine de Saint-Exupery)
 
 
 
 
 



 Jeffrey Altman * Sr.Software Designer  C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/ secured with Kerberos, SRP, and 
 [EMAIL PROTECTED]OpenSSL. Interfaces with OpenSSH



Re: RSA keys auth.

2002-01-06 Thread Michael Sierchio

Jeffrey Altman wrote:

 A passphrase consisting of human readable/typable text provides
 approximately 2 bits of entropy per character.  

English text contains approx. 3.5 bits of entropy per character.



Re: RSA keys auth.

2002-01-06 Thread Eric Rescorla

Michael Sierchio [EMAIL PROTECTED] writes:

 Jeffrey Altman wrote:
 
  A passphrase consisting of human readable/typable text provides
  approximately 2 bits of entropy per character.  
 
 English text contains approx. 3.5 bits of entropy per character.
This seems high, considering that only 6 bits are required to
render every alphanumeric message (and only a little over 5 bits
is required if you use only one case).

Schneier's estimate is even more conservative than Jeffrey's.
Ordinary English text contains 1.0-1.5 bits per character.
Schneier cites Shannon[0] and Cover[1]

Michael, perhaps you're thinking of the REDUNDANCY of English,
which is roughly 3.4 bits/character (4.7 bits is required to
render all 26 letters, so if you subtract 1.3 from 4.7...)

That said, it's not clear how these results apply to passwords.
The entropy of short chunks of text is lower. Shannon claims
about 2.3 bits/char for 8-letter chunks. OTOH, passwords which
are specifically well chosen can have very high entropies.
Memorizing strings of 8-16 random characters is quite practical [2]
and such strings (even when limited to typed text) can have
entropies as high as 6+ bits/character.

-Ekr

[0] Shannon, C.E., Prediction and Entropy in Printed English

[1] Cover, T.M., King, R.C., A Convergent Gambling Estimate of the
Entropy of English, in IEEE Trans. Info. Theory., July 1978.

[2] OTOH, most people aren't willing to do this, so this is a
best case scenario for situations where users care about 
security.





Re: RSA keys auth.

2002-01-06 Thread Michael Sierchio

Eric Rescorla wrote:

 That said, it's not clear how these results apply to passwords.
 The entropy of short chunks of text is lower. 

No. The entropy of short chunks of text, without syntax, is
higher.  Grammatical text is more redundant.  Frequency vocabulary
is different from dictionary vocabulary, too -- words people use
in speech are shorter.

Passphrases such as those used in S/Key

BE SIR WITH EASY RUBY RUBY
GAIL FOND FEE YANG FACE SLOG
COT KEN WIRE DARE STAY EYED
CHOU MOOD LOW ORR MAGI BILK
BEEF OWN KERR ROSY UTAH VEAL
LAIN ICON NECK HAST JEFF GRAY
BEE HAUL TUNA TERM WELT BOO
SOME PUT PEA SEEN GO TWIN
FADE GUST TIN SOME FLAG OFF
GLIB BOAR CASK SILL SIN ARTS

etc.

consist of six words chosen from a dictionary of 2048. 2048^6 = 2^66.
It gets better, of course, if you use them as one-time passwords.



Re: RSA keys auth.

2002-01-06 Thread Eric Rescorla

Michael Sierchio [EMAIL PROTECTED] writes:

 Eric Rescorla wrote:
 
  That said, it's not clear how these results apply to passwords.
  The entropy of short chunks of text is lower. 
 
 No. The entropy of short chunks of text, without syntax, is
 higher.
That's what I meant, higher :)

That's why my next sentence was:
Shannon claims about 2.3 bits/char for 8-letter chunks.

-Ekr


-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



Re: RSA keys auth.

2002-01-06 Thread Vadim Zaliva

On Sun, 6 Jan 2002, David Schwartz wrote:

 Why not use simple challenge/response password authentication?

That is one of the options I am considering. I am not sure how to store
password on server side and what would be exchange sequence.

Vadim

-- 
La perfection est atteinte non quand il ne reste rien a ajouter, mais
quand il ne reste rien a enlever.  (Antoine de Saint-Exupery)





Re: RSA keys auth.

2002-01-06 Thread Vadim Zaliva

On 6 Jan 2002, Eric Rescorla wrote:

I would like to thank everybody who responded to my previous messages.

 This can't be done with SSL exactly the way you want to do it. The
 only way that SSL knows how to carry public keys is via certificates.

I would love to use certificates, but my problem with them is the
following: My client installs server and client. He should be able to set
them up without requesting something from 3-rd party CA. If I understand
correctly, the only solution in this case would be to generate his own CA
and generate certificates with it. I am not sure how much secure it would
be. Also I would like to make it not too complex for end user. After
installing server and client he should not perform many complex steps to
make it work.

Another question is: where this CA would reside: it should be stored
somewhere to generate more client certificates if needed. My
application is firewall management tool (www.fwbuilder.org) and daemon
would run on firewall and used to configure certain aspects of
it. Keeping CA there does not sound like very good idea.

So I see few variants implementing this:

1. Password

Server has password and keeps either whole password or MD5 of it. Client
establishes SSL connection (w/o certificates) and sends password.

This is not very secure from man-in-the-middle attack.

2. Challenge-Response

I do not know yet how to implement this. Advice appreciated.

3. Certificates

After server is installed, certificate authority is generated. When
using this CA, server certificate is generated. For each client, new
certificate is generated using same authority. While establishing SSL
connection client and server certificates are exchanged. (The question
I am not completely understand yet, is how to check if they are the
right ones.  Probably I need to keep copy of server certificate on
client side and compare one received over the connection with it?)

4. RSA keys

Similar to SSH. I understand that OpenSSL protocol does not have
specific support for this, so it has to be written on top of it,
after SSL connection is established. I guess server has to send some
token signed with its key, which client has to send back signed with
its. Checking signatures would ensure identity of both.

I am new to this kind of application and would really appreciate any
advice.

Sincerely,
Vadim


-- 
La perfection est atteinte non quand il ne reste rien a ajouter, mais
quand il ne reste rien a enlever.  (Antoine de Saint-Exupery)


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: RSA keys auth.

2002-01-06 Thread Rich Salz

Use SRP (http://srp.stanford.edu) over SSL for privacy.
/r$

-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com



Re: RSA keys auth.

2002-01-06 Thread Eric Rescorla

Vadim Zaliva [EMAIL PROTECTED] writes:

> On 6 Jan 2002, Eric Rescorla wrote:
>
> I would like to thank everybody who responded to my previous messages.
>
>> This can't be done with SSL exactly the way you want to do it. The
>> only way that SSL knows how to carry public keys is via certificates.
>
> I would love to use certificates, but my problem with them is the
> following: My client installs server and client. He should be able to set
> them up without requesting something from 3-rd party CA. If I understand
> correctly, the only solution in this case would be to generate his own CA
> and generate certificates with it. I am not sure how much secure it would
> be. Also I would like to make it not too complex for end user. After
> installing server and client he should not perform many complex steps to

It's trivial to have your software automatically generate self-signed
certificates. OpenSSL knows how.

> 1. Password
>
> Server have password and keeps either whole password of MD5 of it. Clients
> establishes SSL connection (w/o certificates) and sends password.
>
> This is not very secure from man-in-the-middle attack.

Right. You need certificates on the server side to protect against
MITM.

> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.

See (for instance) the mechanism in RFC 2095.

> 3. Certificates
>
> After server is installed, certificate authority is generated. When
> using this CA, server certificate is generated. For each client, new
> certificate is generated using same authority. While establishing SSL
> connection client and server certificates are exchanged. (The question
> I am not completely understand yet, is how to check if they are the
> right ones.  Probably I need to keep copy of server certificate on
> client side and compare one received over the connection with it?)

Not quite. You set the CA as the root on the both sides and tell
OpenSSL to enforce certificate verification. The tricky bit is
establishing the binding between clients and their public keys
in order to issue the correct certificates. This is often done
with passwords.

> 4. RSA keys
>
> Similar to SSH. I understand that OpenSSL protocol does not have
> specific support for this, so it have to be written on top of it,
> after SSL connection is established. I guess server have to send some
> token signed with its key, which client have to send back signed with
> its. Checking signatures would ensure identity of both.

There's no point in doing this. Self-signed certificates are
equally easy.

-Ekr



Re: RSA keys auth.

2002-01-06 Thread David Schwartz


> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.

The short version of how you do this is that you use some sort of hashing 
scheme like MD5 or SHA1. During the installation process, you generate a 
random password (or ask the user to enter one) and you store the password on 
both the server and the client.

The authentication can go many ways, but the idea is for the server and 
client to each assure themselves that the other has the password.

Here's one possible way to do it:

1) The server generates a random challenge and sends it and the current time 
to the client. (Let's call the server's challenge Cs and the server's time 
Ts.)

2) The client generates a random challenge as well and sends it and the 
current time (as it sees it) to the server. (Let's call the client's 
challenge Cc and the client's time Tc.)

3) The server computes a response by appending Cs, Ts, the password, Tc, and 
Cc, and sends the MD5 or SHA1 hash of this response to the client.

4) The client computes a response by appending Cc, Tc, the password, Ts, and 
Cs, and sends the MD5 or SHA1 hash of this response to the server.

5) Each side verifies that the other side created the correct hash, thus 
proving that it knows the password.

This is oversimplified, I'm afraid, and is not totally secure as stated. But 
it should give you the idea.

DS
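
The five steps above, as an added example that is not part of David Schwartz's message: a Python version that keeps his message flow (Cs, Ts, Cc, Tc) but swaps the plain MD5/SHA1 hash over appended fields for HMAC-SHA-256 keyed with the password, length-prefixes every field, and binds a role label into each response. The function names, the role labels and the 300-second skew limit are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # assumed acceptable clock difference, in seconds


def new_challenge(now=None):
    """Steps 1 and 2: a random challenge plus the sender's current time."""
    return secrets.token_bytes(16), int(time.time() if now is None else now)


def _pack(*fields):
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") differ.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def response(password, role, own, peer):
    """Steps 3 and 4: MAC over the sender's (challenge, time), then the peer's.

    role is b"server" or b"client"; binding it into the MAC means a value
    produced by one side is never a valid answer for the other side.
    """
    (c_own, t_own), (c_peer, t_peer) = own, peer
    msg = _pack(role, c_own, str(t_own).encode(), c_peer, str(t_peer).encode())
    return hmac.new(password, msg, hashlib.sha256).digest()


def verify(password, peer_role, peer, own, received, now=None):
    """Step 5: recompute what the peer should have sent and compare."""
    now = int(time.time() if now is None else now)
    if abs(now - peer[1]) > MAX_SKEW:
        return False  # stale or far-future timestamp from the peer
    expected = response(password, peer_role, peer, own)
    return hmac.compare_digest(expected, received)  # constant-time compare


def run_handshake(server_pw, client_pw, now=1_000_000):
    """Run both sides in-process; returns (server_accepts, client_accepts)."""
    srv = new_challenge(now)       # server -> client: Cs, Ts
    cli = new_challenge(now + 2)   # client -> server: Cc, Tc
    from_server = response(server_pw, b"server", srv, cli)
    from_client = response(client_pw, b"client", cli, srv)
    client_accepts = verify(client_pw, b"server", srv, cli, from_server, now + 2)
    server_accepts = verify(server_pw, b"client", cli, srv, from_client, now)
    return server_accepts, client_accepts
```
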





Re: RSA keys auth.

2002-01-06 Thread crispin

On Sun, Jan 06, 2002 at 01:04:37PM -0800, Vadim Zaliva wrote:
> 2. Challenge-Response
>
> I do not know yet how to implement this. Advice appreciated.
>
> 4. RSA keys
>
> Similar to SSH. I understand that OpenSSL protocol does not have
> specific support for this, so it have to be written on top of it,
> after SSL connection is established. I guess server have to send some
> token signed with its key, which client have to send back signed with
> its. Checking signatures would ensure identity of both.

I did something like this in OpenSSL, but had to write basic RSA enc/dec routines. It's
quite straightforward with the power of OpenSSL. I used a BIO to feed my own RSA key
into an RSA struct.

from the ssh man pages

 When the user logs in, the ssh program tells the server
 which key pair it would like to use for authentication.  The server
 checks if this key is permitted, and if so, sends the user (actually the
 ssh program running on behalf of the user) a challenge, a random number,
 encrypted by the user's public key.  The challenge can only be decrypted
 using the proper private key.  The user's client then decrypts the
 challenge using the private key, proving that he/she knows the private key
 but without disclosing it to the server.

Kind Regards

Crispin




RSA keys auth.

2002-01-05 Thread Vadim Zaliva

Hi!

I am trying to use OpenSSL to build secure authenticated channel between
client and server. I want server to allow connections only from certain
clients, and I want client to be sure it is connected to the right server.

I see how it could be done using certificates. However for my application
generating certificates would be too complex for end user.

The simplest way I see it would be to use RSA public/private keys: the way
SSH does. So client and server each would have private/public key pairs
generated. Then, I would manually add server public key to client side and
client public key to server side (server will possibly have more than one
client key).

Is there anything wrong with the way I am planning to do it? It seems
to me that this should be pretty common usage. If somebody has done this
before I would appreciate any advice. I am new to openssl and still
learning basics.

Sincerely,
Vadim

-- 
La perfection est atteinte non quand il ne reste rien a ajouter, mais
quand il ne reste rien a enlever.  (Antoine de Saint-Exupery)







RE: RSA Keys

2001-12-04 Thread Hylton Tregenza

Alex, thanks for the response.

Here's a follow up question.

d2i_PublicKey has a type as the first parameter. What are they referring
to? What do they want in this field?

Hylton


-Original Message-
From: Alexander Kuit [mailto:[EMAIL PROTECTED]]
Sent: 03 December 2001 05:21
To: [EMAIL PROTECTED]
Subject: Re: RSA Keys



On 03.12.2001 11:39:54 owner-openssl-users wrote:

> Hi
>
> Sorry for the resend.
> This is a resend with the complete encoding type.
>
> I am getting a file from a MS machine that contains an exported public
> key. This data appears to be binary data. It has been exported with the
> flag X509_ASN_ENCODING
>
> Trying to read the file with PEM_read_publickkey() does not appear to
> work. What is the correct function or other method to use to get this
> data into a RSA * struct or a EVP_PKEY structure. Preferably EVP_PKEY to
> add to a certificate.

PEM is the ascii version of the binary ASN/DER encoding, so PEM functions
won't work. To convert a binary (der) encoding into an internal OpenSSL
structure, use the d2i_* functions. In your case, probably the d2i_PublicKey()
or a similar function will do. See also the FAQ for more information
about the d2i_* functions.

Alex.




Re: RSA Keys

2001-12-03 Thread Alexander Kuit


On 03.12.2001 11:39:54 owner-openssl-users wrote:

> Hi
>
> Sorry for the resend.
> This is a resend with the complete encoding type.
>
> I am getting a file from a MS machine that contains an exported public
> key. This data appears to be binary data. It has been exported with the
> flag X509_ASN_ENCODING
>
> Trying to read the file with PEM_read_publickkey() does not appear to
> work. What is the correct function or other method to use to get this
> data into a RSA * struct or a EVP_PKEY structure. Preferably EVP_PKEY to
> add to a certificate.

PEM is the ascii version of the binary ASN/DER encoding, so PEM functions
won't work. To convert a binary (der) encoding into an internal OpenSSL
structure, use the d2i_* functions. In your case, probably the d2i_PublicKey()
or a similar function will do. See also the FAQ for more information
about the d2i_* functions.

Alex.




Reading RSA-keys over network

2001-07-20 Thread Ohrt, Anders

Hi!

I'm doing a little hack reading RSA-keys from a network socket. I'm using
openssl, (0.9.6a) and am having some problems setting things up. What I want is
just to listen to a port, read a key from it, and play with it then. I'm
using a BIO, and if I use BIO_read, I get the key, but using
PEM_read_RSAPrivateKey gives me BIO_gets: unsupported method. So, I thought
I'd add a buffer-bio (bio->next_bio = BIO_new (BIO_f_buffer())), but that
made my program think it got a connection when it didn't...

I'm at a loss as to what I'm supposed to do, and why. Minimal code for what
I'm trying to achieve would be nice. =)

(Oh, and yes, I know it's not very bright sending private keys unencrypted
over the network, but it's just for demo-purposes)




Re: Reading RSA-keys over network

2001-07-20 Thread Lutz Jaenicke

On Fri, Jul 20, 2001 at 11:05:55AM +0200, Ohrt, Anders wrote:
> I'm doing a little hack reading RSA-keys from a network socket. I'm using
> openssl, (0.9.6a) and am some problems setting things up. What I want is
> just to listen to a port, read a key from it, and play with it then. I'm
> using a BIO, and if I use BIO_read, I get the key, but using
> PEM_read_RSAPrivateKey gives me BIO_gets: unsupported method. So, I though
> I'd add a buffer-bio (bio->next_bio = BIO_new (BIO_f_buffer())), but that
> made my program think it got a connection when it didn't...

Did you try
  BIO *io;
  io=BIO_new(BIO_f_buffer());
  BIO_push(io,network_bio);
and then read from io? It does a bit more than just setting next_bio.
You may also consider to first connect to the network and only then
add the buffering layer...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



RSA keys (Repost)

2000-12-17 Thread antonio . barrera

Could anyone please help me?
I think it's not difficult, but I just can't find it.

Toni

-Original Message-
From: EXT [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12. December 2000 13:35
To: [EMAIL PROTECTED]
Subject: RSA keys


Hi, could someone tell me how to create a pair of public+private RSA
keys using the openssl utilities?
Thanks!

Toni



RE: RSA keys (Repost)

2000-12-17 Thread Rene G. Eberhard \(keyon\)

"openssl genrsa 1024" creates a pair according to PKCS#1

Rene

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, 18 December 2000 08:28
> To: [EMAIL PROTECTED]
> Subject: RSA keys (Repost)
>
> Could anyone please help me?
> I think it's not difficult, but I just can't find it.
>
> Toni
>
> -Original Message-
> From: EXT [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 12. December 2000 13:35
> To: [EMAIL PROTECTED]
> Subject: RSA keys
>
> Hi, could someone tell me how to create a pair of public+private RSA
> keys using the openssl utilities?
> Thanks!
>
> Toni



RSA keys

2000-12-12 Thread antonio . barrera

Hi, could someone tell me how to create a pair of public+private RSA
keys using the openssl utilities?
Thanks!

Toni



Extra : read and write RSA keys, help

2000-12-02 Thread Thijs Volders

Hi, 

I recently posted a question about reading and writing RSA keys.
I want to write the public key to a separate file because that file needs
to be distributed. But when I read it, I first of all get "expecting
public key" error from PEM_read_bio_PUBKEY(). Won't the original RSA
structure be destroyed (so I lose the private key)??
Or is it maybe possible to encrypt with an RSA key without the private
key (I am, obviously, encrypting only with the given public key) inside.

Just for clearing up why I want the above construction:

I want an RSA keypair. The private and public keys should be stored to
disk separately (maybe a private file with public inside, but public must
also be alone in a file). The public key will be distributed and must be
readable by another application to be used for encrypting data which has
to be sent back to the originator.

Maybe anybody can help with the top problem,

Thanks,

Thijs Volders.


 





Re: Extra : read and write RSA keys, help

2000-12-02 Thread Geoff Thorpe

Hi there,

I think I follow your question. An RSA private key implicitly contains the
public key already[1]. So if you have generated a key-pair and saved them
to disk - you're already most of the way there. If you don't still have
the private key in memory, load the private key back up. Either way, find
your private key (an (RSA*) pointer) and use any function that outputs an
RSAPublicKey and you'll have what you want (the public key functions
simply ignore the private key components - you can test all this using
"openssl asn1parse" to see for yourself once the files are created).

As for which public key function, you have some choices;

/* Writing an RSA's public key components to an opened file, in PEM format
 * (text-based and readable). */
PEM_write_RSAPublicKey(FILE *fp, RSA *rsa);

/* Doing the same if you use BIOs to access files */
PEM_write_bio_RSAPublicKey(BIO *bio, RSA *rsa);

/* Outputting the RSA's public key components in DER format (raw binary -
 * PEM takes this and textifies this, but if you don't need text
 * readability then this can do). You need to save the resulting output to
 * a file.
 *
 * NB: Call this with pp==NULL if you want to find out how large the
 * output will be before you allocate memory.
 * NB: After calling this function (*pp) will point to the first byte
 * *after* the last byte of the output - so pass a *copy* of the original
 * pointer.[2]
 */
int i2d_RSAPublicKey(const RSA *a, unsigned char **pp);

And there's probably others too ...

Hope that helps,
Geoff

[1] It's possible for this to not be the case but never happens in reality
and would take a warped imagination to construct a reason why this
should happen in any remotely normal situation. It won't happen to you
unless you do it to yourself intentionally.

[2] Eg.
    /* Needs <stdio.h>, <openssl/rsa.h> and <openssl/crypto.h> */
    int len;
    unsigned char *ptr, *copied_ptr;
    FILE *fp = fopen("publickey.der", "wb"); /* Open output file (binary) */
    len = i2d_RSAPublicKey(rsa, NULL); /* Figure out the length */
    copied_ptr = ptr = OPENSSL_malloc(len); /* Make room */
    /* Pass the address of the copy: i2d advances the pointer it is given */
    if(i2d_RSAPublicKey(rsa, &copied_ptr) != len) { /* Generate output */
        /* Go mad ... */
    }
    /* NB: Here we don't use copied_ptr because it was changed! */
    if(fwrite(ptr, 1, len, fp) != (size_t)len) { /* Save output to an open file */
        /* Go mad ... */
    }
    OPENSSL_free(ptr); /* Release the allocated memory */
    fclose(fp); /* Close the public key file */

On Fri, 1 Dec 2000, Thijs Volders wrote:

> Hi,
>
> I recently posted a question about reading and writing RSA keys.
> I want to write the public key to a seperate file because that file needs
> to be distributed. But when i read it, I first of all get "expecting
> public key" error from PEM_read_bio_PUBKEY(). Won't the original RSA
> structure be destroyed (so I lose the private key)??
> or is it maybe possible to encrypt with an RSA key without the private
> key (I am ,obviously ,encrypting only with the given public key) inside.
>
> Just for clearing up why I want the above construction:
>
> I want an RSA keypair, The private and public keys should be stored to
> disk seperatly (maybe a private file with public inside, but public must
> also be alone in a file). The public key will be distributed and must be
> readable by another application to be used for encrypting data which has
> to be send back to the originator.
>
> Maybe anybody can help with the top problem,
>
> Thanks,
>
> Thijs Volders.
 
 
  
 
 



Re: Extra : read and write RSA keys, help

2000-12-02 Thread Dr S N Henson

Geoff Thorpe wrote:
 
> Hi there,
>
> I think I follow your question. An RSA private key implicitly contains the
> public key already[1]. So if you have generated a key-pair and saved them
> to disk - you're already most of the way there. If you don't still have
> the private key in memory, load the private key back up. Either way, find
> your private key (an (RSA*) pointer) and use any function that outputs an
> RSAPublicKey and you'll have what you want (the public key functions
> simply ignore the private key components - you can test all this using
> "openssl asn1parse" to see for yourself once the files are created).
>
> As for which public key function, you have some choices;
>
> /* Writing an RSA's public key components to an opened file, in PEM format
>  * (text-based and readable). */
> PEM_write_RSAPublicKey(FILE *fp, RSA *rsa);
>
> /* Doing the same if you use BIOs to access files */
> PEM_write_bio_RSAPublicKey(BIO *bio, RSA *rsa);
>
> /* Outputing the RSA's public key components in DER format (raw binary -
>  * PEM takes this and textifies this, but if you don't need text
>  * readability then this can do). You need to save the resulting output to
>  * a file.
>  *
>  * NB: Call this with pp==NULL if you want to find out how large the
>  * output will be before you allocate memory.
>  * NB: After calling this function (*pp) will point to the first byte
>  * *after* the last byte of the output - so pass a *copy* of the original
>  * pointer.[2]
>  */
> int i2d_RSAPublicKey(const RSA *a, unsigned char **pp);
>
> And there's probably others too ...
 

Yes there are a few other options :-)

You can write directly in DER form with:

int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);

There is also a second public key format which has RSA_PUBKEY in its
name rather than RSAPublicKey. The two are *not* compatible.

In case anyone is interested the difference between the two formats is
that the RSAPublicKey format is an RSA specific format: it is a PKCS#1
RSAPublicKey structure.

The second form is a SubjectPublicKeyInfo structure which is a generic
public key wrapper which is the same form used to represent any public
key in certificates, not just RSA. Using the RSA_PUBKEY functions uses
this form. 

If the generic form is read using the RSA_PUBKEY functions and the
public key is not RSA then an error occurs. The 'rsa' utility uses this
second form and doesn't currently have an option to use the first form:
maybe a future version of OpenSSL will have an option to do this.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: ADD : read and write RSA keys

2000-12-01 Thread Ng Pheng Siong

On Fri, Dec 01, 2000 at 09:05:23AM +0100, [EMAIL PROTECTED] wrote:
> first when I export the public key with PEM_write_RSAPublicKey() or
> PEM_write_PUBKEY()
> it is impossible to read it in via PEM_read_bio_RSAPublickey(). I get the
> error "EXPECTING PUBLIC KEY", why ??

If you write with PEM_write_bio_RSAPublicKey(), read with
PEM_read_bio_RSAPublicKey().

If you write with PEM_write_bio_RSA_PUBKEY(), read with
PEM_read_bio_RSA_PUBKEY().

Cheers.
-- 
Ng Pheng Siong [EMAIL PROTECTED] * http://www.post1.com/home/ngps
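
Why the read function has to match the write function, as an added example (Python, standard library only; it is not OpenSSL code and not from either post): it parses the two DER layouts Dr Henson describes, the PKCS#1 RSAPublicKey and the SubjectPublicKeyInfo wrapper, and shows that a reader for one rejects the other. The key values are constructed toy numbers and all function names are made up for the example. In PEM files the two forms carry the labels RSA PUBLIC KEY and PUBLIC KEY respectively.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def tlv(tag, value):
    """Encode one DER element (used only to build the sample keys)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def der_int(x):
    # One spare leading bit keeps the INTEGER positive and minimally encoded.
    return tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    t_n, n, pos = read_tlv(body)
    t_e, e, pos = read_tlv(body, pos)
    if (t_n, t_e) != (0x02, 0x02) or pos != len(body):
        raise ValueError("not an RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def unwrap_spki(der):
    """X.509: SubjectPublicKeyInfo ::= SEQUENCE { algorithm SEQUENCE, key BIT STRING }"""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    t_alg, alg, pos = read_tlv(body)
    t_key, key, pos = read_tlv(body, pos)
    if (t_alg, t_key) != (0x30, 0x03) or pos != len(body) or key[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    t_oid, oid, _ = read_tlv(alg)
    if t_oid != 0x06 or oid != RSA_OID:
        raise ValueError("public key is not RSA")
    return key[1:]  # the BIT STRING payload is a complete RSAPublicKey


def load_rsa_public(der):
    """Accept either encoding and say which one it was."""
    try:
        return "RSAPublicKey", parse_rsa_public_key(der)
    except ValueError:
        return "SubjectPublicKeyInfo", parse_rsa_public_key(unwrap_spki(der))


# Constructed sample values: a toy 64-bit modulus, not a usable key.
N, E = 0xD5A1B3C7E9F10233, 65537
PKCS1_DER = tlv(0x30, der_int(N) + der_int(E))
ALG_ID = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))  # OID + NULL parameters
SPKI_DER = tlv(0x30, ALG_ID + tlv(0x03, b"\x00" + PKCS1_DER))
```
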




RE: Problem generating RSA keys using 64-bit compile on IRIX

2000-06-13 Thread Karsten Spang

Hi Philip

Just searched the archives and found your message. I had the same problem,
and submitted a patch, not long ago. I also have another 64 bit related
patch. Both are included below
--
Karsten Spang
Senior Software Developer, Ph.D.
Belle Systems A/S
Tel.:   +45 59 44 25 00
Fax.:   +45 59 44 25 88
E-mail: [EMAIL PROTECTED]
Web:http://www.bellesystems.com/
Defining the Future of IP Services


*** rsa_gen.c.dist  Sat Feb  5 15:17:30 2000
--- rsa_gen.c   Mon May 29 15:19:31 2000
***
*** 95,101 
 * unsigned long can be larger */
for (i=0; isizeof(unsigned long)*8; i++)
{
!   if (e_value  (1i))
BN_set_bit(rsa-e,i);
}
  #else
--- 95,101 
 * unsigned long can be larger */
for (i=0; isizeof(unsigned long)*8; i++)
{
!   if (e_value  (1ULi))
BN_set_bit(rsa-e,i);
}
  #else
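
Review bot: the 1UL on the changed if line needs a one-line comment saying the constant must be as wide as e_value, because the loop runs over sizeof(unsigned long)*8 bits and a plain int 1 cannot reach the upper half on a 64-bit build; without that the suffix looks cosmetic and is easy to drop again. The BN_set_bit call in the same loop also ignores its return value, which is worth checking while this code is being touched.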



*** s3_clnt.c.dist  Mon Mar 27 23:28:27 2000
--- s3_clnt.c   Thu May 25 13:36:57 2000
***
*** 466,472 
p=s-s3-client_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  
/* Do the message type and length last */
d=p= (buf[4]);
--- 466,472 
p=s-s3-client_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
  
/* Do the message type and length last */
d=p= (buf[4]);
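
Review bot: the literal 4 in RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) is a magic number standing for the bytes l2n(Time,p) has just written, so give it a name or a comment that ties the two together; the old sizeof(Time) went wrong exactly because the size of the variable is not the size written to the buffer on a 64-bit build. The return value of RAND_pseudo_bytes is also unchecked on this line, so a failure to produce usable bytes for client_random would pass silently.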
*** s3_srvr.c.dist  Mon Mar 27 23:28:28 2000
--- s3_srvr.c   Thu May 25 13:36:04 2000
***
*** 837,843 
p=s-s3-server_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
/* Do the message type and length last */
d=p= (buf[4]);
  
--- 837,843 
p=s-s3-server_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
/* Do the message type and length last */
d=p= (buf[4]);
  
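
Review bot: the literal 4 in RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) now appears in both s3_clnt.c and s3_srvr.c; define one macro for the timestamp length next to SSL3_RANDOM_SIZE and use it in both places so client and server cannot drift apart. As in the client hunk, the result of RAND_pseudo_bytes for server_random is not checked.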