RE: SSL_CTX_use_PrivateKey_file
Seems to be an issue with the certificate and the private key:

    SSL error 0 : error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

My bad. Thanks a million.

Regards
Darshan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Sunday, May 25, 2014 9:28 PM
To: OpenSSL Users List
Subject: Re: SSL_CTX_use_PrivateKey_file

On Sun, May 25, 2014 at 11:39 AM, Viktor Dukhovni wrote:
> On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:
>
>> > sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>> > if ( sip_trp_ssl_ctx == NULL ) {
>> >     ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>> >     return SSL_INIT_ERROR;
>> > }
>>
>> Well, EC support was added to SSL/TLS at TLS 1.2.
>
> That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support
> for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2
> was added in 1.0.1 IIRC.
>
Indeed. RFC 4492 (ECC for TLS) from May 2006 states it applies to TLS 1.0 and above.

My bad.

Jeff
__
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                openssl-users@openssl.org
Automated List Manager                   majord...@openssl.org
Re: SSL_CTX_use_PrivateKey_file
On Sun, May 25, 2014 at 11:39 AM, Viktor Dukhovni wrote:
> On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:
>
>> > sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>> > if ( sip_trp_ssl_ctx == NULL ) {
>> >     ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>> >     return SSL_INIT_ERROR;
>> > }
>>
>> Well, EC support was added to SSL/TLS at TLS 1.2.
>
> That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support
> for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2
> was added in 1.0.1 IIRC.
>
Indeed. RFC 4492 (ECC for TLS) from May 2006 states it applies to TLS 1.0 and above.

My bad.

Jeff
Re: SSL_CTX_use_PrivateKey_file
On 25/05/14 14:40, Mody, Darshan (Darshan) wrote:
> I use below command
>
> openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd
> Party tool SIPp. Below is the method that sets the SSL CTX
>

Whilst I don't think it's the cause of your problem, I would suggest adding -noout to the above command (prevents both the parameters and the key being written out separately to the key file, which is probably not what you intended).

I took your code and stripped it down to just the code to load the private key. I also created a key file using the command line you provided. My code below. This works fine. What error are you seeing, and what version of openssl are you using?

Matt

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    #define ERROR printf
    #define SSL_INIT_ERROR -1
    #define SSL_INIT_NORMAL 0

    typedef int ssl_init_status;

    static char *tls_key_name = "key.pem";

    ssl_init_status FI_init_ssl_context (void)
    {
        SSL_CTX *sip_trp_ssl_ctx;

        sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx == NULL ) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }

        /* Load the PEM-encoded private key ("EC PRIVATE KEY" block) into the context */
        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx, tls_key_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed");
            ERR_print_errors_fp(stderr);   /* show the OpenSSL error queue, not just "failed" */
            return SSL_INIT_ERROR;
        }

        printf("Success\n");
        return SSL_INIT_NORMAL;
    }

    int main(void)
    {
        ssl_init_status ret;

        SSL_load_error_strings();
        OpenSSL_add_ssl_algorithms();

        ret = FI_init_ssl_context();
        return ret == SSL_INIT_NORMAL ? 0 : 1;
    }
Re: SSL_CTX_use_PrivateKey_file
On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:
> > sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
> > if ( sip_trp_ssl_ctx == NULL ) {
> >     ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
> >     return SSL_INIT_ERROR;
> > }
>
> Well, EC support was added to SSL/TLS at TLS 1.2.

That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2 was added in 1.0.1 IIRC.

    $ openssl ciphers -v 'aECDSA:!TLSv1.2'
    ECDHE-ECDSA-AES256-SHA        SSLv3   Kx=ECDH  Au=ECDSA  Enc=AES(256)     Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA      SSLv3   Kx=ECDH  Au=ECDSA  Enc=3DES(168)    Mac=SHA1
    ECDHE-ECDSA-AES128-SHA        SSLv3   Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA1
    ECDHE-ECDSA-RC4-SHA           SSLv3   Kx=ECDH  Au=ECDSA  Enc=RC4(128)     Mac=SHA1
    ECDHE-ECDSA-NULL-SHA          SSLv3   Kx=ECDH  Au=ECDSA  Enc=None         Mac=SHA1

    $ openssl ciphers -v 'aECDSA+TLSv1.2'
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384     TLSv1.2 Kx=ECDH  Au=ECDSA  Enc=AES(256)     Mac=SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
    ECDHE-ECDSA-AES128-SHA256     TLSv1.2 Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA256

--
Viktor.
Re: SSL_CTX_use_PrivateKey_file
> sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
> if ( sip_trp_ssl_ctx == NULL ) {
>     ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>     return SSL_INIT_ERROR;
> }

Well, EC support was added to SSL/TLS at TLS 1.2.

You did not include the error you are receiving.

Jeff

On Sun, May 25, 2014 at 9:40 AM, Mody, Darshan (Darshan) wrote:
> I use below command
>
> openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd
> Party tool SIPp. Below is the method that sets the SSL CTX
>
> ssl_init_status FI_init_ssl_context (void)
> {
>     sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>     if ( sip_trp_ssl_ctx == NULL ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>         return SSL_INIT_ERROR;
>     }
>
>     sip_trp_ssl_ctx_client = SSL_CTX_new( TLSv1_method() );
>     if ( sip_trp_ssl_ctx_client == NULL) {
>         ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>         return SSL_INIT_ERROR;
>     }
>
>     /* Load the trusted CA's */
>     SSL_CTX_load_verify_locations(sip_trp_ssl_ctx, tls_cert_name, NULL);
>     SSL_CTX_load_verify_locations(sip_trp_ssl_ctx_client, tls_cert_name, NULL);
>
>     /* CRL load from application specified only if specified on the command line */
>     if (strlen(tls_crl_name) != 0) {
>         if(sip_tls_load_crls(sip_trp_ssl_ctx,tls_crl_name) == -1) {
>             ERROR("FI_init_ssl_context: Unable to load CRL file (%s)", tls_crl_name);
>             return SSL_INIT_ERROR;
>         }
>
>         if(sip_tls_load_crls(sip_trp_ssl_ctx_client,tls_crl_name) == -1) {
>             ERROR("FI_init_ssl_context: Unable to load CRL (client) file (%s)", tls_crl_name);
>             return SSL_INIT_ERROR;
>         }
>         /* The following call forces to process the certificates with the */
>         /* initialised SSL_CTX*/
>         SSL_CTX_set_verify(sip_trp_ssl_ctx,
>                            SSL_VERIFY_PEER |
>                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                            sip_tls_verify_callback);
>
>         SSL_CTX_set_verify(sip_trp_ssl_ctx_client,
>                            SSL_VERIFY_PEER |
>                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                            sip_tls_verify_callback);
>     }
>
>     /* Selection Cipher suits - load the application specified ciphers */
>     SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx,
>                                            (void *)CALL_BACK_USER_DATA );
>     SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx_client,
>                                            (void *)CALL_BACK_USER_DATA );
>     SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx,
>                                    passwd_call_back_routine );
>     SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx_client,
>                                    passwd_call_back_routine );
>
>     if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx,
>                                       tls_cert_name,
>                                       SSL_FILETYPE_PEM ) != 1 ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file failed");
>         return SSL_INIT_ERROR;
>     }
>
>     if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx_client,
>                                       tls_cert_name,
>                                       SSL_FILETYPE_PEM ) != 1 ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file (client) failed");
>         return SSL_INIT_ERROR;
>     }
>
>     if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx,
>                                      tls_key_name,
>                                      SSL_FILETYPE_PEM ) != 1 ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed");
>         return SSL_INIT_ERROR;
>     }
>
>     if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client,
>                                      tls_key_name,
>                                      SSL_FILETYPE_PEM ) != 1 ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
>         return SSL_INIT_ERROR;
>     }
>
>     return SSL_INIT_NORMAL;
> }
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
> Sent: Sunday, May 25, 2014 6:31 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_CTX_use_PrivateKey_file
>
> On 25/05/14 13:11, Mody, Darshan (Darsh
RE: SSL_CTX_use_PrivateKey_file
I use below command

    openssl ecparam -out key.pem -name prime256v1 -genkey.

I am using another 3rd Party tool SIPp. Below is the method that sets the SSL CTX

    ssl_init_status FI_init_ssl_context (void)
    {
        sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx == NULL ) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }

        sip_trp_ssl_ctx_client = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx_client == NULL) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }

        /* Load the trusted CA's */
        SSL_CTX_load_verify_locations(sip_trp_ssl_ctx, tls_cert_name, NULL);
        SSL_CTX_load_verify_locations(sip_trp_ssl_ctx_client, tls_cert_name, NULL);

        /* CRL load from application specified only if specified on the command line.
         * Note: when no CRL file is given, this whole block, including the
         * SSL_CTX_set_verify() calls below, is skipped. */
        if (strlen(tls_crl_name) != 0) {
            if(sip_tls_load_crls(sip_trp_ssl_ctx,tls_crl_name) == -1) {
                ERROR("FI_init_ssl_context: Unable to load CRL file (%s)", tls_crl_name);
                return SSL_INIT_ERROR;
            }

            if(sip_tls_load_crls(sip_trp_ssl_ctx_client,tls_crl_name) == -1) {
                ERROR("FI_init_ssl_context: Unable to load CRL (client) file (%s)", tls_crl_name);
                return SSL_INIT_ERROR;
            }
            /* The following call forces to process the certificates with the */
            /* initialised SSL_CTX*/
            SSL_CTX_set_verify(sip_trp_ssl_ctx,
                               SSL_VERIFY_PEER |
                               SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                               sip_tls_verify_callback);

            SSL_CTX_set_verify(sip_trp_ssl_ctx_client,
                               SSL_VERIFY_PEER |
                               SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                               sip_tls_verify_callback);
        }

        /* Selection Cipher suits - load the application specified ciphers */
        SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx,
                                               (void *)CALL_BACK_USER_DATA );
        SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx_client,
                                               (void *)CALL_BACK_USER_DATA );
        SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx,
                                       passwd_call_back_routine );
        SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx_client,
                                       passwd_call_back_routine );

        if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx,
                                          tls_cert_name,
                                          SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file failed");
            return SSL_INIT_ERROR;
        }

        if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx_client,
                                          tls_cert_name,
                                          SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file (client) failed");
            return SSL_INIT_ERROR;
        }

        /* The private key must match the certificate loaded above; OpenSSL checks this */
        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx,
                                         tls_key_name,
                                         SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed");
            return SSL_INIT_ERROR;
        }

        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client,
                                         tls_key_name,
                                         SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
            return SSL_INIT_ERROR;
        }

        return SSL_INIT_NORMAL;
    }

Thanks in Advance

Regards
Darshan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
Sent: Sunday, May 25, 2014 6:31 PM
To: openssl-users@openssl.org
Subject: Re: SSL_CTX_use_PrivateKey_file

On 25/05/14 13:11, Mody, Darshan (Darshan) wrote:
> Hi,
>
> When I try to read the EC Private Key file I get an error from the
> openssl.
>
> Is there another way to use the Elliptic curved Private key. Please
> note that I generate the Public and Private keys via the command lines
> and use the public-private key in my program
>

I think we need a bit more to go on. Can you post the commands you used to generate your keys, the error you are getting, and the code you are using to read the private key?

Thanks

Matt
Re: SSL_CTX_use_PrivateKey_file
On 25/05/14 13:11, Mody, Darshan (Darshan) wrote:
> Hi,
>
> When I try to read the EC Private Key file I get an error from the
> openssl.
>
> Is there another way to use the Elliptic curved Private key. Please note
> that I generate the Public and Private keys via the command lines and
> use the public-private key in my program
>

I think we need a bit more to go on. Can you post the commands you used to generate your keys, the error you are getting, and the code you are using to read the private key?

Thanks

Matt
SSL_CTX_use_PrivateKey_file
Hi,

When I try to read the EC Private Key file I get an error from the openssl.

Is there another way to use the Elliptic curve Private key? Please note that I generate the Public and Private keys via the command lines and use the public-private key in my program.

Thanks
Darshan
RE: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key
http://www.openssl.org/support/faq.html#PROG6

and if you haven't loaded error strings

http://www.openssl.org/support/faq.html#PROG7

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Darshan Mody
Sent: Monday, May 19, 2014 09:13
To: openssl-users@openssl.org
Subject: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key

Hi,

I am new to openssl APIs. However I am using the current code from SIPp. Below is the code snippet for the Private Key

    if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client,
                                     tls_key_name,
                                     SSL_FILETYPE_PEM ) != 1 ) {
        ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
        return SSL_INIT_ERROR;
    }

When I provide the Elliptic Private Key it always returns an Error.

    -----BEGIN EC PARAMETERS-----
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    -----END EC PRIVATE KEY-----

My Private key looks as above

Thanks
Darshan
Re: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key
On 19/05/14 14:12, Darshan Mody wrote:
> -----BEGIN EC PARAMETERS-----
>
> -----END EC PARAMETERS-----
> -----BEGIN EC PRIVATE KEY-----
>
> -----END EC PRIVATE KEY-----
>
> My Private key looks as above

How did you generate your private key?

Try deleting the EC PARAMETERS section in the file.

Matt
SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key
Hi,

I am new to openssl APIs. However I am using the current code from SIPp. Below is the code snippet for the Private Key

    if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client,
                                     tls_key_name,
                                     SSL_FILETYPE_PEM ) != 1 ) {
        ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
        return SSL_INIT_ERROR;
    }

When I provide the Elliptic Private Key it always returns an Error.

    -----BEGIN EC PARAMETERS-----
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    -----END EC PRIVATE KEY-----

My Private key looks as above

Thanks
Darshan
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On Wednesday, December 5, 2012, Ashok C wrote:
> Hi,
>
> Our current SSL server loads plain-text private keys using the
> SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to
> use custom encrypted private keys using the TPM concept. For this, we have
> an engine implemented. Now the question is this.
>
> Does my SSL server need to change from loading private keys using
> SSL_CTX_use_PrivateKey_file() method to use this method -->
> ENGINE_load_private_key(ENGINE *e, const char *key_id,
>                         UI_METHOD *ui_method, void *callback_data)
>
> Or can this be achieved by using the SSL_CTX_use_PrivateKey_file() method
> itself and the openssl takes care of loading my encrypted private key with
> the help of my implemented engine. Basically wanted to understand if the
> SSL_CTX method for loading private keys has the support for loading engine
> specific keys.
>
> --
>
> Ashok
>
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
> I'm afraid to ask where Boost is storing them. But I do have a morbid
> curiosity: would you happen to know?

Is this a little sense of irony? :)

From what I know Boost does not store the keys... Boost has an implementation of SSL based on OpenSSL in boost::asio::ssl. This mimics the functionality and capabilities of OpenSSL and only accepts specifying certificates and private keys stored in files (in PEM format). For security, the private keys in a PEM file can be encrypted with a password. If OpenSSL, and thus Boost, keeps the private key in some protected way (like using DPAPI on windows) after reading it from a PEM file, I really don't know and I would be curious to know too.

My question was about using the OpenSSL CAPI engine because I tried to mix the "security" offered by windows certificate store (and read the certificate and PKEY from there with CAPI engine) with using Boost::asio::ssl and OpenSSL (which I'm forced to do because of the framework I use). Unfortunately OpenSSL CAPI engine does not offer all the functionality I need even in the latest 1.0.1c version - like for example loading a server certificate. It can only load a private key, but that is questionable too, because I tried to save the private key to a PEM file and read it back and it didn't work. Saving/reading to/from the PEM file was done with the API offered by OpenSSL in "pem.h" so I doubt that the API was not capable to save it correctly (even if instead of the prime numbers, the EVP_PKEY structure returned from ENGINE_load_privatekey contained some indexes, as someone mentioned in a post to this thread).

Using CryptoAPI directly to export an exportable private key from windows certificate store and to encode into PEM format, worked. I even fed the obtained PEM file into OpenSSL with success. I have exported the key as a PRIVATEKEYBLOB whereas the OpenSSL CAPI engine exports it as a PUBLICKEYBLOB and then converts it to the OpenSSL EVP_PKEY structure (but only the public exponent and modulus are put in the EVP_PKEY).

From: Jeffrey Walton
To: openssl-users@openssl.org
Sent: Friday, December 7, 2012 4:52 PM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

On Fri, Dec 7, 2012 at 5:05 AM, LN wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine". It is almost always a good idea NOT to mark private keys as
>> exportable. Note that whatever is decided when the private key is first
>> stored by CAPI will be permanent (There is a 3 step workaround for making an
>> exportable key non-exportable, but any ability to go the
>> other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as
> such when the certificate is imported in the windows store. Unfortunately, I
> am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI
> engine so I cannot ask it to sign or decrypt communication.
> Anyway, seems more secure, then, to have the private key in a file encrypted
> with a password, than keeping it in the windows store, if I want to pass it
> to OpenSSL (through boost::asio::ssl) :)

Keys should be stored in DPAPI. See Howard and LeBlanc's "Writing Secure Code," Chapter 9 (http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).

I'm afraid to ask where Boost is storing them. But I do have a morbid curiosity: would you happen to know?

Jeff
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On Fri, Dec 7, 2012 at 5:05 AM, LN wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine". It is almost always a good idea NOT to mark private keys as
>> exportable. Note that whatever is decided when the private key is first
>> stored by CAPI will be permanent (There is a 3 step workaround for making an
>> exportable key non-exportable, but any ability to go the
>> other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as
> such when the certificate is imported in the windows store. Unfortunately, I
> am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI
> engine so I cannot ask it to sign or decrypt communication.
> Anyway, seems more secure, then, to have the private key in a file encrypted
> with a password, than keeping it in the windows store, if I want to pass it
> to OpenSSL (through boost::asio::ssl) :)

Keys should be stored in DPAPI. See Howard and LeBlanc's "Writing Secure Code," Chapter 9 (http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).

I'm afraid to ask where Boost is storing them. But I do have a morbid curiosity: would you happen to know?

Jeff
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On 12/07/2012 11:05 AM, LN wrote:
> I have a feeling it does so because I tried to save that returned
> EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
> back from the same file with PEM_read_bio_PrivateKey.
> Saving worked, but loading failed (with some decoding error inside
> openssl). The length of the base64 string in the PEM file for the key was
> very small in comparison with what is usually the length for private keys.
>

Often, at least for other HSMs, a private key returned does not contain the real p and q values but just some index to enumerate a key in the HSM. These are normally some small numbers and not big primes. You might see this if you do

    openssl rsa -text yourfile
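Two of the checks made by hand in these threads can be scripted: Matt's point (in the EC thread above) that `openssl ecparam -genkey` without `-noout` writes a separate "EC PARAMETERS" block ahead of the "EC PRIVATE KEY" block, and the suggestion just above to look at `openssl rsa -text` output for an engine-returned "private key" whose private components are just small handles rather than big primes. The following is an added example, not SIPp or OpenSSL code and not anything a poster in the thread ran. It uses only the Python standard library; the DER decoder is deliberately minimal and assumes well-formed input with lengths below 64 KiB, and the sample keys are constructed byte strings (the EC scalar is arbitrary bytes and the RSA modulus is a repeated byte), not real key material.

```python
"""Inspect PEM private-key files the way the two threads above do by hand.

Added example (not SIPp or OpenSSL code); standard library only.  The DER
decoder handles just what these checks need: well-formed input, lengths < 64 KiB.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CURVE_NAMES = {"1.2.840.10045.3.1.7": "prime256v1",
               "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}


def parse_pem(text):
    """Return [(label, der_bytes)] for every '-----BEGIN x-----' block, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def der_tlv(buf, off=0):
    """Decode one tag-length-value at buf[off]; return (tag, value, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Split the body of a constructed element (SEQUENCE, [0], ...) into (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def ec_private_key_curve(der):
    """RFC 5915 ECPrivateKey ::= SEQUENCE { version, privateKey, [0] params, [1] pubkey }.
    Returns (version, named-curve OID or None, private scalar bytes)."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must start with a SEQUENCE")
    fields = der_children(body)
    version, scalar, oid = int.from_bytes(fields[0][1], "big"), fields[1][1], None
    for tag, val in fields[2:]:
        if tag == 0xA0:                     # [0] EXPLICIT ECParameters: the namedCurve OID
            oid = decode_oid(der_children(val)[0][1])
    return version, oid, scalar


def check_ec_key_file(text):
    """Does a stray 'EC PARAMETERS' block name the same curve as the key itself?"""
    blocks = dict(parse_pem(text))
    params = blocks.get("EC PARAMETERS")
    params_oid = decode_oid(der_tlv(params)[1]) if params else None
    version, key_oid, scalar = ec_private_key_curve(blocks["EC PRIVATE KEY"])
    return {"version": version, "curve": CURVE_NAMES.get(key_oid, key_oid),
            "params_block": params_oid, "consistent": params_oid in (None, key_oid),
            "scalar_bits": len(scalar) * 8}


def strip_ec_parameters(text):
    """Same result as regenerating with 'openssl ecparam -genkey -noout': key block only."""
    return "".join(to_pem(lbl, der) for lbl, der in parse_pem(text) if lbl != "EC PARAMETERS")


def rsa_private_components(der):
    """PKCS#1 RSAPrivateKey: bit lengths of version, n, e, d, p, q.  A handle-only key
    handed back by an engine shows up here as d/p/q of a few bits, or zero."""
    _, body, _ = der_tlv(der)
    ints = [int.from_bytes(v, "big") for t, v in der_children(body) if t == 0x02]
    return dict(zip(["version", "n", "e", "d", "p", "q"], (i.bit_length() for i in ints)))


# Constructed samples, not real keys.  SAMPLE_PEM mirrors the two-block file the original
# poster pasted: the EC PARAMETERS block is nothing but the prime256v1 OID.
OID_P256 = bytes.fromhex("06082a8648ce3d030107")
SAMPLE_SCALAR = bytes(range(1, 33))          # 32 arbitrary bytes standing in for the scalar
SAMPLE_EC_KEY_DER = b"\x30\x31\x02\x01\x01\x04\x20" + SAMPLE_SCALAR + b"\xa0\x0a" + OID_P256
SAMPLE_PEM = to_pem("EC PARAMETERS", OID_P256) + to_pem("EC PRIVATE KEY", SAMPLE_EC_KEY_DER)
# RSAPrivateKey with a 512-bit modulus and e = 65537 but zero d, p, q: the shape of a
# "private key" that only carries public material.
SAMPLE_RSA_DER = (b"\x30\x54\x02\x01\x00" + b"\x02\x41\x00" + b"\xc3" * 64
                  + b"\x02\x03\x01\x00\x01" + b"\x02\x01\x00" * 3)

if __name__ == "__main__":
    print(check_ec_key_file(SAMPLE_PEM))
    print(strip_ec_parameters(SAMPLE_PEM))
    print(rsa_private_components(SAMPLE_RSA_DER))
```

Run it on a real file with `check_ec_key_file(open("key.pem").read())`; a file whose EC PARAMETERS block names a different curve than the key's own `[0]` field comes back with `consistent` false, and `strip_ec_parameters` produces the single-block file that OpenSSL's PEM key loader expects. For the engine case, `rsa_private_components` on the DER you get from `PEM_write_bio_PrivateKey` makes the symptom discussed above visible as a modulus of normal size next to private components of almost no bits.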
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
Thanks for reply, Jakob.

> You are probably right. Microsoft CAPI essentially treats all its key
> storages like physical smart cards, which means that by default, you cannot
> extract the private key using any documented method (if at all),
> ...

It's confusing... OpenSSL provides an API that is called ENGINE_load_private_key but which returns the PUBLIC key?!

Passing the EVP_PKEY structure returned from ENGINE_load_private_key to OpenSSL using SSL_CTX_use_PrivateKey seems to work... The server-client communication works as expected though, I guess, OpenSSL expects a private key in SSL_CTX_use_PrivateKey. Is this possible because I use a RSA key?

> ...but you (and thus the OpenSSL "CAPI Engine") can ask CAPI to use the key
> to decrypt or sign something.
> MS CAPI has an option to mark a private key as "exportable" when you create
> or install it, which means that the private key can then be read
> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
> Engine". It is almost always a good idea NOT to mark private keys as
> exportable. Note that whatever is decided when the private key is first
> stored by CAPI will be permanent (There is a 3 step workaround for making an
> exportable key non-exportable, but any ability to go the
> other way would compromise security just by being possible).

Indeed, private keys are not exportable as long as they are not marked as such when the certificate is imported in the windows store. Unfortunately, I am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI engine so I cannot ask it to sign or decrypt communication.

Anyway, seems more secure, then, to have the private key in a file encrypted with a password, than keeping it in the windows store, if I want to pass it to OpenSSL (through boost::asio::ssl) :)

From: Jakob Bohm
To: openssl-users@openssl.org
Sent: Thursday, December 6, 2012 12:23 PM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

On 12/6/2012 9:13 AM, LN wrote:
> Hi,
>
> Somehow related to private keys but about loading them with CAPI
> engine... Does someone know if the ENGINE_load_private_key() for CAPI
> engine returns the PUBLIC KEY ?
> I have a feeling it does so because I tried to save that returned
> EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
> back from the same file with PEM_read_bio_PrivateKey.
> Saving worked, but loading failed (with some decoding error inside
> openssl). The length of the base64 string in the PEM file for the key was
> very small in comparison with what is usually the length for private keys.
>
> PEM_write_bio_PUBKEY and PEM_read_bio_PUBKEY worked with the returned
> EVP_PKEY.
>

You are probably right. Microsoft CAPI essentially treats all its key storages like physical smart cards, which means that by default, you cannot extract the private key using any documented method (if at all), but you (and thus the OpenSSL "CAPI Engine") can ask CAPI to use the key to decrypt or sign something.

MS CAPI has an option to mark a private key as "exportable" when you create or install it, which means that the private key can then be read anyway, but I don't know if that feature is used by the OpenSSL "CAPI Engine". It is almost always a good idea NOT to mark private keys as exportable. Note that whatever is decided when the private key is first stored by CAPI will be permanent (There is a 3 step workaround for making an exportable key non-exportable, but any ability to go the other way would compromise security just by being possible).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On 12/6/2012 9:13 AM, LN wrote:
> Hi,
>
> Somehow related to private keys but about loading them with CAPI
> engine... Does someone know if the ENGINE_load_private_key() for CAPI
> engine returns the PUBLIC KEY ?
> I have a feeling it does so because I tried to save that returned
> EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
> back from the same file with PEM_read_bio_PrivateKey.
> Saving worked, but loading failed (with some decoding error inside
> openssl). The length of the base64 string in the PEM file for the key was
> very small in comparison with what is usually the length for private keys.
>
> PEM_write_bio_PUBKEY and PEM_read_bio_PUBKEY worked with the returned
> EVP_PKEY.
>

You are probably right. Microsoft CAPI essentially treats all its key storages like physical smart cards, which means that by default, you cannot extract the private key using any documented method (if at all), but you (and thus the OpenSSL "CAPI Engine") can ask CAPI to use the key to decrypt or sign something.

MS CAPI has an option to mark a private key as "exportable" when you create or install it, which means that the private key can then be read anyway, but I don't know if that feature is used by the OpenSSL "CAPI Engine". It is almost always a good idea NOT to mark private keys as exportable. Note that whatever is decided when the private key is first stored by CAPI will be permanent (There is a 3 step workaround for making an exportable key non-exportable, but any ability to go the other way would compromise security just by being possible).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
Hi,

Somehow related to private keys but about loading them with CAPI engine... Does someone know if the ENGINE_load_private_key() for CAPI engine returns the PUBLIC KEY?

I have a feeling it does so because I tried to save that returned EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it back from the same file with PEM_read_bio_PrivateKey. Saving worked, but loading failed (with some decoding error inside openssl). The length of the base64 string in the PEM file for the key was very small in comparison with what is usually the length for private keys.

PEM_write_bio_PUBKEY and PEM_read_bio_PUBKEY worked with the returned EVP_PKEY.

Thanks!

From: Ashok C
To: openssl-users@openssl.org
Sent: Thursday, December 6, 2012 7:03 AM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

Thanks Steve and Kent for the pointers. Makes things clear for now.

On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson wrote:
> On Wed, Dec 05, 2012, Ashok C wrote:
>
>> Hi,
>>
>> Our current SSL server loads plain-text private keys using the
>> SSL_CTX_use_PrivateKey_file()
>> method. We are moving from this strategy to use custom encrypted private
>> keys using the TPM concept. For this, we have an engine implemented. Now
>> the question is this.
>>
>> Does my SSL server need to change from loading private keys using
>> SSL_CTX_use_PrivateKey_file()
>> method to use this method --> ENGINE_load_private_key(ENGINE *e, const char
>> *key_id,
>>
>> UI_METHOD *ui_method, void *callback_data)
>>
>>
>
> You can't use SSL_CTX_use_PrivateKey_file to load an ENGINE specific key.
> Instead you use ENGINE_load_private_key() to load the key into an EVP_PKEY
> structure and then pass that to SSL_CTX_use_PrivateKey().
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
Thanks Steve and Kent for the pointers. Makes things clear for now.

On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson wrote:
> On Wed, Dec 05, 2012, Ashok C wrote:
>
> > Hi,
> >
> > Our current SSL server loads plain-text private keys using the
> > SSL_CTX_use_PrivateKey_file()
> > method. We are moving from this strategy to use custom encrypted private
> > keys using the TPM concept. For this, we have an engine implemented. Now
> > the question is this.
> >
> > Does my SSL server need to change from loading private keys using
> > SSL_CTX_use_PrivateKey_file()
> > method to use this method --> ENGINE_load_private_key(ENGINE *e, const
> char
> > *key_id,
> >
> > UI_METHOD *ui_method, void *callback_data)
> >
> >
>
> You can't use SSL_CTX_use_PrivateKey_file to load an ENGINE specific key.
> Instead you use ENGINE_load_private_key() to load the key into an EVP_PKEY
> structure and then pass that to SSL_CTX_use_PrivateKey().
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On Wed, Dec 05, 2012, Ashok C wrote:

> Hi,
>
> Our current SSL server loads plain-text private keys using the SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to use custom encrypted private keys using the TPM concept. For this, we have an engine implemented. Now the question is this.
>
> Does my SSL server need to change from loading private keys using SSL_CTX_use_PrivateKey_file() method to use this method --> ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)

You can't use SSL_CTX_use_PrivateKey_file to load an ENGINE specific key. Instead you use ENGINE_load_private_key() to load the key into an EVP_PKEY structure and then pass that to SSL_CTX_use_PrivateKey().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
Hi Ashok,

On Wed, Dec 5, 2012 at 12:29 AM, Ashok C wrote:

> Hi,
>
> Our current SSL server loads plain-text private keys using the SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to use custom encrypted private keys using the TPM concept. For this, we have an engine implemented. Now the question is this.
>
> Does my SSL server need to change from loading private keys using SSL_CTX_use_PrivateKey_file() method to use this method --> ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)
>
> Or can this be achieved by using the SSL_CTX_use_PrivateKey_file() method itself and the openssl takes care of loading my encrypted private key with the help of my implemented engine. Basically wanted to understand if the SSL_CTX method for loading private keys has the support for loading engine specific keys.

Last I knew there were two ways to get your TPM key loaded through an engine. Directly in your app, using code like:

    ENGINE_by_id();
    ENGINE_init();
    ENGINE_set_default_RSA();
    ENGINE_load_private_key();
    ... (use key ...

and indirectly by using an openssl-config enabled app, and the RSA_* APIs to load the key. Basically in this case you have a system openssl config that you've added something like:

    --[cut]--
    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    foo = tpm_section

    [tpm_section]
    dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
    engine_id = tpm
    default_algorithms = RAND,RSA
    init = 1
    --[cut]--

then your app needs to be compiled with -DOPENSSL_LOAD_CONF=1, which triggers hooks in RSA_* apis which will read the config file and redirect key loading to your engine.

Kent

> --
> Ashok
Re: Runtime error with SSL_CTX_use_PrivateKey_file function
On Tue, Feb 27, 2007 at 01:49:13AM -0800, Anita Kumar wrote:

> static int password_callback(char *buf, int size, int rwflag, void *userdata)
> {
>     printf("*** Callback function called\n");
>     strcpy(buf, "ibmdw");
>     return 1;
> }
>
> SSL_CTX_set_default_passwd_cb(ctx, &password_callback);

From the manpage for SSL_CTX_set_default_passwd_cb:

    The pem_passwd_cb(), which must be provided by the application, hands
    back the password to be used during decryption. On invocation a pointer
    to userdata is provided. The pem_passwd_cb must write the password into
    the provided buffer buf which is of size size. The actual length of the
    password must be returned to the calling function. rwflag indicates
    whether the callback is used for reading/decryption (rwflag=0) or
    writing/encryption (rwflag=1).

Read the second-last sentence carefully.

--
Viktor.
Runtime error with SSL_CTX_use_PrivateKey_file function
Hi,

I'm trying to use the encrypted private key for my test SSL server. I generated an encrypted private key cert_27.key using genrsa tool and I gave a passwd to it. I wrote a call back function as follows, which just stores my passwd into buf character buffer.

    static int password_callback(char *buf, int size, int rwflag, void *userdata)
    {
        /* For the purposes of this demonstration, the password is "ibmdw" */
        printf("*** Callback function called\n");
        strcpy(buf, "ibmdw");
        return 1;
    }

Now, I tried to load the private key in my server application as follows

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/crypto.h>

    int main()
    {
        SSL_CTX *ctx;
        SSL *ssl, *ssl1;
        BIO *bio, *abio, *out;
        int p;
        char r[1024];

        CRYPTO_malloc_init();
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_BIO_strings();
        ERR_load_SSL_strings();
        OpenSSL_add_all_algorithms();

        printf("Attempting to create SSL context... ");
        ctx = SSL_CTX_new(SSLv23_server_method());
        if(ctx == NULL)
        {
            printf("Failed. Aborting.\n");
            return 0;
        }

        printf("\nLoading certificates...\n");
        SSL_CTX_set_default_passwd_cb(ctx, &password_callback);
        if(!SSL_CTX_use_certificate_file(ctx, "signedcert_27.pem", SSL_FILETYPE_PEM))
        {
            ERR_print_errors_fp(stdout);
            SSL_CTX_free(ctx);
            return 0;
        }

        printf("\nLoading Private key...\n");
        if(!SSL_CTX_use_PrivateKey_file(ctx, "cert_27.key", SSL_FILETYPE_PEM))
        {
            ERR_print_errors_fp(stdout);
            SSL_CTX_free(ctx);
            return 0;
        }
    }

When executing this application, I get the following runtime error in the function SSL_CTX_use_PrivateKey_file:

    OPENSSL_Uplink(100EB010,07): no OPENSSL_Applink.

When I comment out the SSL_CTX_set_default_passwd_cb() line, the executable runs and asks for the PEM passphrase. When I enter the password, everything is fine. But I did not want this behaviour as I need to enter the passwd from screen. I would appreciate any comments on this.

Thanks and Regards,
Renuga.
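The callback contract Viktor quotes above, put into code: this is an added example and not code from the thread. It places the poster's callback beside a corrected one and uses a constructed stand-in, fake_pem_do_header(), for how the library consumes the return value; nothing here needs the OpenSSL headers, and the typedef pem_password_cb_t simply mirrors the signature OpenSSL expects.

```c
#include <stdio.h>
#include <string.h>

/* Same signature OpenSSL expects for pem_password_cb; declared here so the
 * example compiles without the OpenSSL headers. */
typedef int (*pem_password_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* The callback from the original post: strcpy() ignores 'size', and the
 * return value of 1 tells OpenSSL the passphrase is one byte long. */
static int buggy_password_cb(char *buf, int size, int rwflag, void *userdata)
{
    (void)size; (void)rwflag; (void)userdata;
    strcpy(buf, "ibmdw");
    return 1;
}

/* Corrected callback. The passphrase is taken from userdata (installed with
 * SSL_CTX_set_default_passwd_cb_userdata) instead of being compiled in.
 * rwflag is 0 when OpenSSL is reading/decrypting; a request to encrypt
 * (rwflag == 1) is refused because this application never writes keys.
 * Returns the passphrase length, never more than 'size', or -1 on error
 * (OpenSSL treats any value <= 0 as a failed password read). */
static int password_cb(char *buf, int size, int rwflag, void *userdata)
{
    const char *pass = (const char *)userdata;
    size_t len;

    if (rwflag != 0 || pass == NULL || size <= 0)
        return -1;
    len = strlen(pass);
    if (len > (size_t)size)       /* does not fit: fail rather than truncate */
        return -1;
    memcpy(buf, pass, len);       /* no terminating NUL is required */
    return (int)len;
}

/* Constructed stand-in for the library side of PEM_do_header(): it hands the
 * callback a buffer and uses the RETURN VALUE as the passphrase length, which
 * is what the real code passes on to key derivation. 'out' receives the
 * passphrase the library would actually use. Returns its length, or -1. */
static int fake_pem_do_header(pem_password_cb_t cb, void *userdata,
                              char *out, size_t outsz)
{
    char buf[1024];               /* PEM_BUFSIZE in OpenSSL is also 1024 */
    int klen = cb(buf, (int)sizeof buf, 0, userdata);

    if (klen <= 0 || (size_t)klen >= outsz)
        return -1;
    memcpy(out, buf, (size_t)klen);
    out[klen] = '\0';
    return klen;
}

int main(void)
{
    char seen[64];

    fake_pem_do_header(buggy_password_cb, NULL, seen, sizeof seen);
    printf("buggy callback: library decrypts with \"%s\"\n", seen);   /* "i" */
    fake_pem_do_header(password_cb, (void *)"ibmdw", seen, sizeof seen);
    printf("fixed callback: library decrypts with \"%s\"\n", seen);   /* "ibmdw" */
    return 0;
}
```

With the buggy callback the library derives the key from the one-byte string "i", which is why a correct passphrase still ends in "bad decrypt".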
SSL_CTX_use_PrivateKey_file ... noisy output
Hi,

When I load the private key using the SSL_CTX_use_PrivateKey_file function and I fail to enter the correct one, I get the following output (actually, I loop three times to ask the user to reenter the password). How can I make these error lines not appear? I use the password_cb function to output a UI, where the password is requested (UI_new, UI_construct_prompt, UI_process, ...)

    32539:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:450:
    32539:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:
    32539:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
    Enter passphrase for /usr/local/etc/private/prik.pem:

Thanks in advance,
C.
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey_file in turn uses stdio calls to read the key file. Since I want to avoid using stdio calls, is there any other way of getting the key file to set up the context? Similarly for SSL_CTX_use_certificate_chain_file. Any help is appreciated.

Thanks
Vijay
Re: About the function SSL_CTX_use_PrivateKey_file
On Fri, Jun 06, 2003, Terence Leung wrote:

> Dear sir,
> I am writing Visual C++ to create secure communication socket. But when I use the function SSL_CTX_use_PrivateKey_file(), it always prompt "Enter PEM pass phrase:" to input the pass phrase in the screen.
>
> I want to ask how can I modify the program so that the program can automatically input the pass phrase, no need to input it in the console.

Call PEM_read_PrivateKey() and the passphrase can be entered either in the last argument or via a callback. Then pass the EVP_PKEY structure using SSL_CTX_use_PrivateKey().

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: About the function SSL_CTX_use_PrivateKey_file
You have private key protected by password. To solve this, type:

    OpenSSL>rsa -in -out

Łukasz Wojcicki
e-mail: [EMAIL PROTECTED]
About the function SSL_CTX_use_PrivateKey_file
Dear sir,

I am writing Visual C++ to create a secure communication socket. But when I use the function SSL_CTX_use_PrivateKey_file(), it always prompts "Enter PEM pass phrase:" to input the pass phrase on the screen.

I want to ask how I can modify the program so that the program can automatically input the pass phrase, with no need to input it in the console.

Looking forward to your reply. Your help will be much appreciated.

Best Regards,
Terence Leung
Re: SSL_CTX_use_PrivateKey_file
On Wed, Jan 08, 2003 at 09:40:58AM -0800, Fisk, Kevin wrote:

> Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to pass this. Do I need to convert the PEM file before it can be passed as an ASN.1 certificate? I tried only passing the private key portion as a string, the entire thing as a string, and I tried using SSL_CTX_use_RSAPrivateKey_ASN1 with both strings.

ASN1 (in OpenSSL also referred to as DER format) is a binary representation in ASN.1 format. PEM is the base64 encoded DER format. You can use the

    int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len)

or PEM_read_bio() routines. Please refer to the "pem" manual page.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: SSL_CTX_use_PrivateKey_file
Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to pass this. Do I need to convert the PEM file before it can be passed as an ASN.1 certificate? I tried only passing the private key portion as a string, the entire thing as a string, and I tried using SSL_CTX_use_RSAPrivateKey_ASN1 with both strings.

My PEM file looks like the following:

    -----BEGIN RSA PRIVATE KEY-----
    [base64 key body omitted]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----

Thanks,
Kevin
Re: SSL_CTX_use_PrivateKey_file
On Tue, Jan 07, 2003 at 04:06:34PM -0800, Fisk, Kevin wrote:

> Is there any way to pass a string with the private key, instead of reading it from a file, such as read it from a database and pass it to the function, without writing it to disk?

Please look into SSL_CTX_use_PrivateKey_ASN1(), which loads the private key from a memory region.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
SSL_CTX_use_PrivateKey_file
Is there any way to pass a string with the private key, instead of reading it from a file, such as read it from a database and pass it to the function, without writing it to disk?

Kevin
error: SSL_CTX_use_PrivateKey_file
Hi,

I encountered the following problem:

    STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/MYkey.pem) failed

Does anyone have any idea how to overcome this problem?

Thank you.
about function SSL_CTX_use_PrivateKey_file(...)!
hello

I meet a problem when I develop a program with openssl. I was doing a server program, and when I come to the function SSL_CTX_use_PrivateKey_file(...), the program consumed 100% CPU, and this state remains for almost 7 minutes and seems to have no end. I just closed it! I do not know if it is normal, or it is an error. I wonder if it is just decrypting (I use a 1024 bit RSA key encrypted with DES-EDE3-CBC).

Thank you very much!
[EMAIL PROTECTED]
Re: SSL_CTX_use_PrivateKey_file()
Try

    /* set callback for passphrases on private key files */
    SSL_CTX_set_default_passwd_cb( context, pem_passwd_cb);

before calling SSL_CTX_use_PrivateKey_file(), where pem_passwd_cb could be for non-crypted private key files

    /* callback for private key files passphrase */
    static int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
    {
        return 0;
    }

Ales Privetivy

> Hi,
>
> can somebody help me out.
>
> when i use the SSL_CTX_use_PrivateKey_file() function in my client and server program, both the server and client progarm asks on the command prompt to
> Enter PEM pass phrase:
>
> I dont want the user to enter the pass phrase , how to avoid this situation. Is there anyway ?
>
> biswaksen
SSL_CTX_use_PrivateKey_file()
Hi,

can somebody help me out.

when I use the SSL_CTX_use_PrivateKey_file() function in my client and server program, both the server and client program ask on the command prompt to

    Enter PEM pass phrase:

I don't want the user to enter the pass phrase, how to avoid this situation. Is there any way to set the pass phrase from the program only?

biswaksen
SSL_CTX_use_PrivateKey_file()
Hi,

can somebody help me out.

when I use the SSL_CTX_use_PrivateKey_file() function in my client and server program, both the server and client program ask on the command prompt to

    Enter PEM pass phrase:

I don't want the user to enter the pass phrase, how to avoid this situation. Is there any way?

biswaksen
Can't figure out SSL_CTX_use_PrivateKey_file
I'm trying this on a certificate file that has a known and verified private key and when it prompts me for the password, and I type it in, it always fails. I'm not sure of the problem. I tried inserting

    fprintf(stderr,"trace here\n");

statements and I get no output from anywhere where it seems I should. Can anyone make some suggestions. I'm completely stumped.

--
Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno)
Re: SSL_CTX_use_PrivateKey_file() problem
> Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()?
> You shouldn't have to. This kind of thing should be automatically
> handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(),

Dear Dr. Henson

Of course you were correct, I was on a wrong track. Thank you kindly.

--

Now I can initialize my connection without receiving any error messages. But then when I call SSL_write I get this error.

    235:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:490:

Is there any way to monitor the handshake in more detail?

BTW: My server is a Java server using the JCSI library. My java client can successfully connect to the server using client authentication.

Here is my connection code, maybe I am forgetting some initialization call?

best regards,
Ragnar Agustsson

    int ClientConnectionType::connectToHost()
    {
        int err = 0;
        struct sockaddr_in sa;
        X509* server_cert;
        char* str;
        SSL_METHOD *meth;

        /* Windows socket initialization */
        WORD wVersionRequested;
        WSADATA wsaData;

        try
        {
            wVersionRequested = MAKEWORD( 2, 2 );
            err = WSAStartup( wVersionRequested, &wsaData );
            if ( err != 0 )
            {
                throw new Exception("Could not find a usable WinSock DLL.");
            }

            /* Create a socket and connect to server using normal socket calls. */
            m_oSocket = socket (AF_INET, SOCK_STREAM, 0);
            CHK_ERR(m_oSocket, "socket");
            memset (&sa, '\0', sizeof(sa));
            sa.sin_family = AF_INET;
            sa.sin_addr.s_addr = inet_addr (m_sHostName);   /* Server IP */
            sa.sin_port = htons(m_iPort);                    /* Server Port number */
            err = connect(m_oSocket, (struct sockaddr*) &sa, sizeof(sa));
            CHK_ERR(err, "connect");

            /* Now we have TCP/IP connection, start SSL negotiations */
            if(m_iType > 1)
            {
                OpenSSL_add_all_algorithms();
                meth = SSLv3_client_method();
                SSL_load_error_strings();
                m_pCtx = SSL_CTX_new (meth);
                RAND_screen();
                CHK_NULL(m_pCtx);
                CHK_SSL(err);
                m_pSSL = SSL_new (m_pCtx);
                CHK_NULL(m_pSSL);
                SSL_set_fd (m_pSSL, m_oSocket);
                SSL_CTX_set_verify(m_pCtx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify);
                err = SSL_CTX_load_verify_locations(m_pCtx, m_sCACert, m_sKeyPath);
                if(err)ERR_print_errors_fp(stdout);

                if(m_iType > 2)
                {
                    char cert_file[256];
                    strcpy(cert_file, m_sKeyPath);
                    strcat(cert_file, m_sOwnCert);
                    char key_file[256];
                    strcpy(key_file, m_sKeyPath);
                    strcat(key_file, m_sOwnKey);

                    if(SSL_CTX_use_certificate_file(m_pCtx,cert_file,SSL_FILETYPE_PEM) <= 0)
                    {
                        printf("unable to get certificate from '%s'\n",cert_file);
                        throw new Exception("connectToHostException\n");
                    }
                    SSL_CTX_set_default_passwd_cb(m_pCtx, passwProc);
                    if(SSL_CTX_use_PrivateKey_file(m_pCtx,key_file,SSL_FILETYPE_PEM) <= 0)
                    {
                        ERR_print_errors_fp(stdout);
                        printf("unable to get private key from '%s'\n",key_file);
                        throw new Exception("connectToHostException\n");
                    }
                    if(!SSL_CTX_check_private_key(m_pCtx))
                    {
                        printf("Private key does not match the certificate public key\n");
                        throw new Exception("connectToHostException\n");
                    }
                }
Re: SSL_CTX_use_PrivateKey_file() problem
[EMAIL PROTECTED] wrote:

> Now all I have to do is to find a way to place the correct salt into the function. Because of this error message:
> "474:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:.\crypto\evp\evp_enc.c:243:"
>
> This seems not to be doing the trick:
> "X509_ALGOR *alg = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC, /*iter*/0, (unsigned char*)salt , saltlen);
> EVP_PBE_CipherInit(alg->algorithm, /*password*/"password", /*passwordlen*/8,alg->parameter, &ctx, 0);"
>
> Because this is still failing,
> "SSL_CTX_use_PrivateKey_file(m_pCtx,key_file,SSL_FILETYPE_PEM)"
> only now with the error previously described.

Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()? You shouldn't have to. This kind of thing should be automatically handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(), the salt and iteration count are part of the encoded structure.

Try the openssl 'pkcs8' utility on the key:

    openssl pkcs8 -in key.pem

and see if you get the same error. If you do then if you can send me a sample key (not an important one!) with the password I'll see if I can see what is wrong. The PKCS#8 code has been tested against a number of other implementations and it should be OK.

Setting 0 for the iteration count is in any case unlikely to work because OpenSSL then uses a "reasonable" large value, 2048 by default. It doesn't follow any particular standard for that but this doesn't matter in practice.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: SSL_CTX_use_PrivateKey_file() problem
Thank you for your quick response Dr. Henson.

I thought to myself: "but I've done that!, although I call the SSLeay_add_ssl_algorithms() but it's now defined as OpenSSL_add_all_algorithms()... no wait a minute... it defined as OpenSSL_add_ssl_algorithms()". Well, a stupid mistake on my behalf.

Now all I have to do is to find a way to place the correct salt into the function. Because of this error message:

    474:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:.\crypto\evp\evp_enc.c:243:

This seems not to be doing the trick:

    X509_ALGOR *alg = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC, /*iter*/0, (unsigned char*)salt , saltlen);
    EVP_PBE_CipherInit(alg->algorithm, /*password*/"password", /*passwordlen*/8,alg->parameter, &ctx, 0);

Because this is still failing,

    SSL_CTX_use_PrivateKey_file(m_pCtx,key_file,SSL_FILETYPE_PEM)

only now with the error previously described.

Well I will be calling it quits today because we're having an incredibly beautiful summer day here in Iceland, and we only have a couple of those each summer. :)

cheers,
Ragnar

Dr Stephen Henson <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
23.06.2000 13:56
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: SSL_CTX_use_PrivateKey_file() problem

[EMAIL PROTECTED] wrote:
>
> Hello everybody
>
> I am new to working with openssl so this may seem like a stupid question, but I just can't seem to get past this problem.
>
> The error that I am getting is:
> 425:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.crypto\evp\evp_pbe.c:89:Type=pbeWithMD5AndDes-CBC
>

I think something similar is in the FAQ. You need to load OpenSSL's internal algorithm table with OpenSSL_add_all_algorithms().

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: SSL_CTX_use_PrivateKey_file() problem
[EMAIL PROTECTED] wrote:
>
> Hello everybody
>
> I am new to working with openssl so this may seem like a stupid question, but I just can't seem to get past this problem.
>
> The error that I am getting is:
> 425:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.crypto\evp\evp_pbe.c:89:Type=pbeWithMD5AndDes-CBC
>

I think something similar is in the FAQ. You need to load OpenSSL's internal algorithm table with OpenSSL_add_all_algorithms().

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
SSL_CTX_use_PrivateKey_file() problem
Hello everybody

I am new to working with openssl so this may seem like a stupid question, but I just can't seem to get past this problem.

I have a java server that uses the JCSI library from DTSC in Australia and implements my certificates and keys with PBEandMD5andDES algorithm, PKCS#8 format. The server first sends my client the CA certificate with a regular socket protocol. Then I connect to the server using server authentication and receive my Client certificate and private key. Then when I try to connect using SSL server/client authentication I can't seem to be able to load the private key using SSL_CTX_use_PrivateKey_file() but the earlier call to SSL_CTX_use_certificate_file() returns just fine.

The error that I am getting is:

    425:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.crypto\evp\evp_pbe.c:89:Type=pbeWithMD5AndDes-CBC

I have also tried this workaround using the correct salt but it resulted in the same error.

    strcpy(salt, "Hello th");
    X509_ALGOR *alg = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC, /*iter*/0, (unsigned char*)salt , saltlen);
    int della = EVP_PBE_CipherInit(alg->algorithm, /*password*/"password", /*passwordlen*/8,alg->parameter, &ctx, 0); //last param: 0 = decryption 1 = encryption

One might say that I am in dire straits... all comments welcomed

best regards,
Ragnar Agustsson
[EMAIL PROTECTED]
Iceland
Trouble with SSL_CTX_use_PrivateKey_file()
SSL_CTX_use_PrivateKey_file() seems to fail for me. I am reasonably new to this. Is there any kind of error stack or description that I can look at? If it makes a difference, I have gotten a class 3 certificate from verisign, and I believe that it is in PEM format. Any help would be appreciated. I have included a section of the code that I am using below:

    meth = SSLv3_client_method();
    myCTX = SSL_CTX_new( meth );

    if( SSL_CTX_use_certificate_file( myCTX, CertPEM, X509_FILETYPE_PEM ) <= 0 )
    {
        m_DebugLog.lfputs( "Failure: SSL_CTX_use_certificate_file( \"%s\")", CertPEM );
        _socket = INVALID_SOCKET;
        goto Error;
    }else
    {
        m_DebugLog.lfputs( "Success: SSL_CTX_use_certificate_file()" );
    }

    if( !SSL_CTX_use_PrivateKey_file( myCTX, CertPEM, X509_FILETYPE_PEM ) )
    {
        m_DebugLog.lfputs( "Failure: SSL_CTX_use_PrivateKey_file()" );
        _socket = INVALID_SOCKET;
        goto Error;
    }else
    {
        m_DebugLog.lfputs( "Success: SSL_CTX_use_PrivateKey_file()" );
    }

Thanks,
Chris