Re: Unable to load self-signed certificate

2022-07-29 Thread radiatejava
Actually the error is:

533:error:02001002:system library:fopen:No such file or
directory:bss_file.c:175:fopen('/opt/ssl-v1.02u/ssl/cert.pem','r')
533:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:182: 533:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:254:
533:error:0B065068:x509 certificate routines:BY_FILE_CTRL:loading
defaults:by_file.c:112:

as we are having 2 different versions of ssl on the system.
Is there anything we need to do if we have 2 different versions? I am
building my app pointing libs and includes to /opt/ssl-v1.02u

Thanks

On Wed, Jul 27, 2022 at 8:14 AM radiatejava  wrote:
>
> Hello experts
> I used to load a self-signed cert using a program like below:
>
> X509_STORE_set_verify_cb_func(lCertCtx, UserCert_cb_check_cert);
> lLookup = X509_STORE_add_lookup(lCertCtx, X509_LOOKUP_file());
> error = X509_LOOKUP_load_file(lLookup, NULL, X509_FILETYPE_DEFAULT);
>
> It was all working great till I was on openssl 1.0.2k.
> We have shifted to openssl 1.0.2u and now the call
> X509_LOOKUP_load_file(..) for self-signed cert is not working. Somehow
> it seems to be looking for a default CA certificate. This is the error
> I get:
>
> 533:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:175:fopen('/usr/lib/ssl/cert.pem','r')
> 533:error:2006D080:BIO routines:BIO_new_file:no such
> file:bss_file.c:182: 533:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:254:
> 533:error:0B065068:x509 certificate routines:BY_FILE_CTRL:loading
> defaults:by_file.c:112:
>
> I do not have any /usr/lib/ssl/cert.pem file on my system. I am on ubuntu 
> 20.04.
>
> Appreciate your help!
> -Satish


Unable to load self-signed certificate

2022-07-27 Thread radiatejava
Hello experts
I used to load a self-signed cert using a program like below:

X509_STORE_set_verify_cb_func(lCertCtx, UserCert_cb_check_cert);
lLookup = X509_STORE_add_lookup(lCertCtx, X509_LOOKUP_file());
error = X509_LOOKUP_load_file(lLookup, NULL, X509_FILETYPE_DEFAULT);

It was all working great till I was on openssl 1.0.2k.
We have shifted to openssl 1.0.2u and now the call
X509_LOOKUP_load_file(..) for self-signed cert is not working. Somehow
it seems to be looking for a default CA certificate. This is the error
I get:

533:error:02001002:system library:fopen:No such file or
directory:bss_file.c:175:fopen('/usr/lib/ssl/cert.pem','r')
533:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:182: 533:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:254:
533:error:0B065068:x509 certificate routines:BY_FILE_CTRL:loading
defaults:by_file.c:112:

I do not have any /usr/lib/ssl/cert.pem file on my system. I am on ubuntu 20.04.

Appreciate your help!
-Satish


Re: Unable to load Legacy Provider

2022-04-22 Thread Matt Caswell




On 22/04/2022 08:26, Gahlot, Ashish Kumar wrote:

Hi,

I’m trying to load the Legacy Provider by following this guide here 
https://wiki.openssl.org/index.php/OpenSSL_3.0 
 using this following code:


/* Load Multiple providers into the default (NULL) library context */
    legacy = OSSL_PROVIDER_load(NULL, "legacy");
    if (legacy == NULL) {
        printf("Failed to load Legacy provider\n");
        exit(EXIT_FAILURE);
    }

But it fails to load the legacy provider. I also tried editing the 
configuration file but I get the same error. I’m using “OpenSSL 3.0.0 7 
sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)”.


Most likely it is not finding the legacy.so file in its default location.

The default directory for these modules is returned by:

openssl version -m

Check that directory to make sure legacy.so exists there.

If you have legacy.so in some other location you can specify it by 
setting the OPENSSL_MODULES environment variable to the alternative 
directory.


If the above doesn't help then one other thing to try is to dump out the 
OpenSSL error stack to see if you get any clues from that, e.g. by 
adding the following to your code:


ERR_print_errors_fp(stdout);

Matt



Thank you,

Ashish


Notice: This e-mail together with any attachments may contain 
information of Ribbon Communications Inc. and its Affiliates that is 
confidential and/or proprietary for the sole use of the intended 
recipient. Any review, disclosure, reliance or distribution by others or 
forwarding without express permission is strictly prohibited. If you are 
not the intended recipient, please notify the sender immediately and 
then delete all copies, including any attachments.
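
The checks suggested in the reply above (read the default modules directory from `openssl version -m`, let `OPENSSL_MODULES` replace it, confirm `legacy.so` is there) can be scripted. This is an added example, not code from the thread or from OpenSSL; the function names are hypothetical and the `.so` suffix is taken from the reply.

```python
import os
import re
import subprocess


def modules_dir_from_version_output(text):
    """Extract the directory from a line such as: MODULESDIR: "/path/ossl-modules"."""
    match = re.search(r'^MODULESDIR:\s*"(.*)"\s*$', text, re.MULTILINE)
    return match.group(1) if match else None


def locate_provider(name, default_dir, env=None, suffix=".so"):
    """Report where a provider module would be looked up and whether it is there.

    OPENSSL_MODULES, when set, replaces the default directory. The ".so"
    suffix follows the legacy.so named in the reply; other platforms use a
    different suffix, so pass it explicitly there.
    Returns a dict with the directory searched, why it was chosen, the
    candidate path and a status of 'ok', 'missing' or 'unreadable'.
    """
    env = os.environ if env is None else env
    override = env.get("OPENSSL_MODULES")
    directory = override or default_dir
    source = "OPENSSL_MODULES" if override else "MODULESDIR"
    path = os.path.join(directory, name + suffix) if directory else None
    if path is None or not os.path.isfile(path):
        status = "missing"
    elif not os.access(path, os.R_OK):
        status = "unreadable"
    else:
        status = "ok"
    return {"directory": directory, "source": source, "path": path, "status": status}


def default_modules_dir(openssl="openssl"):
    """Ask the openssl binary for its compiled-in modules directory."""
    result = subprocess.run([openssl, "version", "-m"],
                            capture_output=True, text=True, check=True)
    return modules_dir_from_version_output(result.stdout)


if __name__ == "__main__":
    report = locate_provider("legacy", default_modules_dir())
    print("{source}: {path} -> {status}".format(**report))
```

The `openssl` binary found on PATH may belong to a different installation than the libcrypto the application links against, in which case the two can have different module directories.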


Unable to load Legacy Provider

2022-04-22 Thread Gahlot, Ashish Kumar
Hi,

I'm trying to load the Legacy Provider by following this guide here 
https://wiki.openssl.org/index.php/OpenSSL_3.0 using this following code:

/* Load Multiple providers into the default (NULL) library context */
   legacy = OSSL_PROVIDER_load(NULL, "legacy");
   if (legacy == NULL) {
   printf("Failed to load Legacy provider\n");
   exit(EXIT_FAILURE);
   }
But it fails to load the legacy provider. I also tried editing the 
configuration file but I get the same error. I'm using "OpenSSL 3.0.0 7 sep 
2021 (Library: OpenSSL 3.0.0 7 sep 2021)".

Thank you,
Ashish


Re: Unable to load PKCS#12 with password and no MAC

2022-02-28 Thread Hubert Kario

On Thursday, 17 February 2022 10:31:40 CET, Florin Spătar wrote:

I see. Thanks for the suggested workaround.

Are there any plans for PKCS12_parse to support PKCS12 files 
without MAC or any plans to use a FIPS approved algorithm for 
PKCS12 MAC? Any of these would help dealing with PKCS12 files in 
FIPS mode.


As Tomas said, the issue is with the PKCS#12 standard.
For the MAC calculation to use FIPS approved KDF the PKCS#12 standard would
have to be updated.

That's something my colleagues and I will probably tackle, but I don't know 
when.



Thanks,

Florin Spatar

On 16.02.2022 17:25, Tomas Mraz wrote:

Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.


--
Regards,
Hubert Kario
Senior Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: Unable to load PKCS#12 with password and no MAC

2022-02-17 Thread Tomas Mraz
On Thu, 2022-02-17 at 11:31 +0200, Florin Spătar wrote:
> I see. Thanks for the suggested workaround.
> 
> Are there any plans for PKCS12_parse to support PKCS12 files without
> MAC 

That would be a simple feature PR against master branch if anyone wants
to take it. It would require some tests of PKCS12_parse to be added,
that would be the hardest part of it I think.

> or any plans to use a FIPS approved algorithm for PKCS12 MAC? Any of 
> these would help dealing with PKCS12 files in FIPS mode.

Adding another algorithm for PKCS12 MAC would actually require changing
the standard. The problem is the non-compliant PKCS12KDF is basically
hardcoded in the PKCS12 standard as the KDF to generate the MAC key
from the password.

Tomas

> Thanks,
> 
> Florin Spatar
> 
> On 16.02.2022 17:25, Tomas Mraz wrote:
> > Yes, unfortunately PKCS12_parse currently does not support PKCS12
> > files
> > without the MAC. Such support could be easily added. As a
> > workaround
> > you can look at how the pkcs12 application is implemented and use
> > these
> > calls instead.
> > 
> > Regards,
> > 
> > Tomas Mraz, OpenSSL
> > 
> > On Wed, 2022-02-16 at 14:09 +, Florin Spatar wrote:
> > > Hi,
> > > 
> > > I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12.
> > > First, I
> > > got this error:
> > > 
> > >  [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -
> > > passin
> > > pass:opsware_admin
> > >  MAC: sha256, Iteration 2048
> > >  MAC length: 32, salt length: 8
> > >  Error verifying PKCS12 MAC; no PKCS12KDF support.
> > >  Use -nomacver if MAC verification is not required.
> > > 
> > > To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS.
> > > On
> > > openssl-pkcs12 man page I found the following two options: "-
> > > nomac" &
> > > "-nomacver" that can be useful in FIPS mode. Used "-nomac" to re-
> > > create the PKCS#12, and "-nomacver" when loading the PKCS#12 to
> > > get
> > > rid of "Warning: MAC is absent!".
> > > 
> > > The objective is to do the same thing via PKCS12_parse API. The
> > > problem that I'm facing is that there is no API equivalent for -
> > > nomacver and the following error occurs:
> > > 
> > >  4087FE21197F:error:1180006C:PKCS12 routines:(unknown
> > > function):mac absent:crypto/pkcs12/p12_mutl.c:182:
> > >  4087FE21197F:error:11800071:PKCS12 routines:(unknown
> > > function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:
> > > 
> > > The error only occurs if PKCS#12 password is not empty. If
> > > password
> > > is empty, MAC is not verified.
> > > Am I missing something, or this is actually impossible to
> > > achieve?
> > > 
> > > Thanks,
> > > 
> > > Florin Spatar

-- 
Tomáš Mráz, OpenSSL




Re: Unable to load PKCS#12 with password and no MAC

2022-02-17 Thread Florin Spătar

I see. Thanks for the suggested workaround.

Are there any plans for PKCS12_parse to support PKCS12 files without MAC 
or any plans to use a FIPS approved algorithm for PKCS12 MAC? Any of 
these would help dealing with PKCS12 files in FIPS mode.


Thanks,

Florin Spatar

On 16.02.2022 17:25, Tomas Mraz wrote:

Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.

Regards,

Tomas Mraz, OpenSSL

On Wed, 2022-02-16 at 14:09 +, Florin Spatar wrote:

Hi,

I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I
got this error:

     [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin
pass:opsware_admin
     MAC: sha256, Iteration 2048
     MAC length: 32, salt length: 8
     Error verifying PKCS12 MAC; no PKCS12KDF support.
     Use -nomacver if MAC verification is not required.

To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS. On
openssl-pkcs12 man page I found the following two options: "-nomac" &
"-nomacver" that can be useful in FIPS mode. Used "-nomac" to re-
create the PKCS#12, and "-nomacver" when loading the PKCS#12 to get
rid of "Warning: MAC is absent!".

The objective is to do the same thing via PKCS12_parse API. The
problem that I'm facing is that there is no API equivalent for -
nomacver and the following error occurs:

     4087FE21197F:error:1180006C:PKCS12 routines:(unknown
function):mac absent:crypto/pkcs12/p12_mutl.c:182:
     4087FE21197F:error:11800071:PKCS12 routines:(unknown
function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:

The error only occurs if PKCS#12 password is not empty. If password
is empty, MAC is not verified.
Am I missing something, or this is actually impossible to achieve?

Thanks,

Florin Spatar


Re: Unable to load PKCS#12 with password and no MAC

2022-02-16 Thread Tomas Mraz
Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.

Regards,

Tomas Mraz, OpenSSL

On Wed, 2022-02-16 at 14:09 +, Florin Spatar wrote:
> Hi, 
> 
> I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I
> got this error:
> 
>     [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin
> pass:opsware_admin
>     MAC: sha256, Iteration 2048 
>     MAC length: 32, salt length: 8 
>     Error verifying PKCS12 MAC; no PKCS12KDF support. 
>     Use -nomacver if MAC verification is not required. 
> 
> To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS. On
> openssl-pkcs12 man page I found the following two options: "-nomac" &
> "-nomacver" that can be useful in FIPS mode. Used "-nomac" to re-
> create the PKCS#12, and "-nomacver" when loading the PKCS#12 to get
> rid of "Warning: MAC is absent!". 
> 
> The objective is to do the same thing via PKCS12_parse API. The
> problem that I'm facing is that there is no API equivalent for -
> nomacver and the following error occurs:
> 
>     4087FE21197F:error:1180006C:PKCS12 routines:(unknown
> function):mac absent:crypto/pkcs12/p12_mutl.c:182:
>     4087FE21197F:error:11800071:PKCS12 routines:(unknown
> function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:
> 
> The error only occurs if PKCS#12 password is not empty. If password
> is empty, MAC is not verified.
> Am I missing something, or this is actually impossible to achieve? 
> 
> Thanks, 
> 
> Florin Spatar

-- 
Tomáš Mráz, OpenSSL




Unable to load PKCS#12 with password and no MAC

2022-02-16 Thread Florin Spatar
Hi,

I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I got this 
error:

[root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin 
pass:opsware_admin
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
Error verifying PKCS12 MAC; no PKCS12KDF support.
Use -nomacver if MAC verification is not required.

To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS. On 
openssl-pkcs12 man page I found the following two options: "-nomac" & 
"-nomacver" that can be useful in FIPS mode. Used "-nomac" to re-create the 
PKCS#12, and "-nomacver" when loading the PKCS#12 to get rid of "Warning: MAC 
is absent!".

The objective is to do the same thing via PKCS12_parse API. The problem that 
I'm facing is that there is no API equivalent for -nomacver and the following 
error occurs:

4087FE21197F:error:1180006C:PKCS12 routines:(unknown function):mac 
absent:crypto/pkcs12/p12_mutl.c:182:
4087FE21197F:error:11800071:PKCS12 routines:(unknown function):mac 
verify failure:crypto/pkcs12/p12_kiss.c:71:

The error only occurs if PKCS#12 password is not empty. If password is empty, 
MAC is not verified.
Am I missing something, or this is actually impossible to achieve?

Thanks,

Florin Spatar


Re: Unable to load the FIPs config file OpenSSL 3.0

2021-03-30 Thread Dr Paul Dale
Our general suggestion is to keep the FIPS configuration in its own 
file and include that -- this helps when updating.


Does a full path to the providers directory help?
Could you try a build with debugging symbols so it's possible to see 
what's going on better?

Set a breakpoint on OSSL_PROVIDER_load() and see what's happening?


Pauli

On 31/3/21 12:29 am, Bala Duvvuri via openssl-users wrote:

Hi All,

Can you kindly help me with this error while running the below program that 
tries to load the configuration which has the FIPs provider?

The program is built on build machine and to be run on linux MIPS platform and 
below error is seen:

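   #include <stdio.h>
   #include <openssl/crypto.h>
   #include <openssl/err.h>
   #include <openssl/provider.h>

   int main(void) {
       /* Separate library context with its own provider search path */
       OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
       OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
       /* Load the config file that activates the FIPS provider */
       if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
           fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
           ERR_print_errors_fp(stderr);
       }
       fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
       OSSL_LIB_CTX_free(libctx);
       return 0;
   }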

ERROR: OSSL_LIB_CTX_load_config()
00FFF2406000:error:12800067:DSO support routines:(unknown function):could 
not load the shared 
library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): 
./providers/fips.so: cannot open shared object file: No such file or directory
00FFF2406000:error:12800067:DSO support routines:(unknown function):could 
not load the shared library:crypto/dso/dso_lib.c:162:
00FFF2406000:error:078C0105:common libcrypto routines:(unknown 
function):init fail:crypto/provider_core.c:557:name=fips
00FFF2406000:error:076D:configuration file routines:(unknown 
function):module initialization 
error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect 
retcode=-1
Version: OpenSSL 3.0.0-alpha13 11 Mar 2021

~ # ls -lrt providers/
-rwxrwxrwx 1 root root 1748513 Mar 30 13:24 fips.so

~ # echo $LD_LIBRARY_PATH
~ #

Steps done:
1>On build machine, build OpenSSL for the target architecture, Linux MIPs, and 
copy the required binaries on the Linux MIPs box.
2>On Linux MIPs box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED

~ # cat fipsmod.cnf
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 
60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
install-mac = 
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

3>In the build machine, modify the contents of "openssl.cnf" with above output, 
and build the test program linking with crypto library.

   cat openssl-3.0.0-alpha13/apps/openssl.cnf
   openssl_conf = openssl_init

   [fips_sect]
   activate = 1
   install-version = 1
   conditional-errors = 1
   security-checks = 1
   module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
   install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
   install-status = INSTALL_SELF_TEST_KATS_RUN

   [openssl_init]
   providers = provider_sect
   alg_section = algorithm_sect

   [provider_sect]
   default = default_sect
   fips = fips_sect

   [default_sect]
   activate = 1

   [algorithm_sect]
   default_properties = fips=yes

4>Copy the openssl.cnf to the Linux box to "/" and also executed "export 
OPENSSL_CONF=/"

4>Now on executing the test program on Linux box, observing the load error.

Do we need to set any environ variable to get the load working or is any step 
missing/wrong?

This test program has worked fine on my build machine when I build, fipsinstall 
and rebuild my test program and run the test on the build machine.

Your input will help me.

Thanks
Bala





Unable to load the FIPs config file OpenSSL 3.0

2021-03-30 Thread Bala Duvvuri via openssl-users
Hi All,

Can you kindly help me with this error while running the below program that 
tries to load the configuration which has the FIPs provider?

The program is built on build machine and to be run on linux MIPS platform and 
below error is seen:

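  #include <stdio.h>
  #include <openssl/crypto.h>
  #include <openssl/err.h>
  #include <openssl/provider.h>

  int main(void) {
      /* Separate library context with its own provider search path */
      OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
      OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
      /* Load the config file that activates the FIPS provider */
      if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
          fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
          ERR_print_errors_fp(stderr);
      }
      fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
      OSSL_LIB_CTX_free(libctx);
      return 0;
  }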

ERROR: OSSL_LIB_CTX_load_config()
00FFF2406000:error:12800067:DSO support routines:(unknown function):could 
not load the shared 
library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): 
./providers/fips.so: cannot open shared object file: No such file or directory
00FFF2406000:error:12800067:DSO support routines:(unknown function):could 
not load the shared library:crypto/dso/dso_lib.c:162:
00FFF2406000:error:078C0105:common libcrypto routines:(unknown 
function):init fail:crypto/provider_core.c:557:name=fips
00FFF2406000:error:076D:configuration file routines:(unknown 
function):module initialization 
error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect 
retcode=-1
Version: OpenSSL 3.0.0-alpha13 11 Mar 2021

~ # ls -lrt providers/
-rwxrwxrwx 1 root root 1748513 Mar 30 13:24 fips.so

~ # echo $LD_LIBRARY_PATH
~ #

Steps done:
1>On build machine, build OpenSSL for the target architecture, Linux MIPs, and 
copy the required binaries on the Linux MIPs box.
2>On Linux MIPs box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED

~ # cat fipsmod.cnf
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 
60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
install-mac = 
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

3>In the build machine, modify the contents of "openssl.cnf" with above output, 
and build the test program linking with crypto library.

  cat openssl-3.0.0-alpha13/apps/openssl.cnf
  openssl_conf = openssl_init

  [fips_sect]
  activate = 1
  install-version = 1
  conditional-errors = 1
  security-checks = 1
  module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
  install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
  install-status = INSTALL_SELF_TEST_KATS_RUN

  [openssl_init]
  providers = provider_sect
  alg_section = algorithm_sect

  [provider_sect]
  default = default_sect
  fips = fips_sect

  [default_sect]
  activate = 1

  [algorithm_sect]
  default_properties = fips=yes

4>Copy the openssl.cnf to the Linux box to "/" and also executed "export 
OPENSSL_CONF=/"

4>Now on executing the test program on Linux box, observing the load error.

Do we need to set any environ variable to get the load working or is any step 
missing/wrong?

This test program has worked fine on my build machine when I build, fipsinstall 
and rebuild my test program and run the test on the build machine.

Your input will help me.

Thanks
Bala


genrsa: unable to load provider fips

2020-06-29 Thread Norman Ashley (nashley) via openssl-users
Running apps/openssl genrsa -provider fips results in the following error …
genrsa: unable to load provider fips
C0FDC40A0100:error::common libcrypto routines:provider_activate:init 
fail:crypto/provider_core.c:503:

What am I missing?
Thanks,
Norman



perl configdata.pm --dump

Command line (with current working directory = .):

perl ./Configure darwin64-x86_64-cc --prefix=/Downloads/ossl-3-install 
--openssldir=/Downloads/ossl-3-install/ssl --debug

Perl information:

perl
5.18.4 for darwin-thread-multi-2level

Enabled features:

aria
asm
async
autoalginit
autoerrinit
autoload-config
bf
blake2
camellia
capieng
cast
chacha
cmac
cmp
cms
comp
ct
deprecated
des
dgram
dh
dsa
dso
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
engine
err
filenames
fips
gost
idea
legacy
makedepend
md4
mdc2
module
multiblock
nextprotoneg
pinshared
ocb
ocsp
padlockeng
pic
poly1305
posix-io
psk
rc2
rc4
rdrand
rfc3779
rmd160
scrypt
secure-memory
seed
shared
siphash
siv
sm2
sm3
sm4
sock
srp
srtp
sse2
ssl
static-engine
stdio
tests
threads
tls
ts
ui-console
whirlpool
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method

Disabled features:

afalgeng            [not-linux]      OPENSSL_NO_AFALGENG
asan                [default]        OPENSSL_NO_ASAN
buildtest-c++       [default]
crypto-mdebug       [default]        OPENSSL_NO_CRYPTO_MDEBUG
devcryptoeng        [default]        OPENSSL_NO_DEVCRYPTOENG
ec_nistp_64_gcc_128 [default]        OPENSSL_NO_EC_NISTP_64_GCC_128
egd                 [default]        OPENSSL_NO_EGD
external-tests      [default]        OPENSSL_NO_EXTERNAL_TESTS
fuzz-libfuzzer      [default]        OPENSSL_NO_FUZZ_LIBFUZZER
fuzz-afl            [default]        OPENSSL_NO_FUZZ_AFL
ktls                [default]        OPENSSL_NO_KTLS
md2                 [default]        OPENSSL_NO_MD2 (skip crypto/md2)
msan                [default]        OPENSSL_NO_MSAN
rc5                 [default]        OPENSSL_NO_RC5 (skip crypto/rc5)
sctp                [default]        OPENSSL_NO_SCTP
ssl-trace           [default]        OPENSSL_NO_SSL_TRACE
trace               [default]        OPENSSL_NO_TRACE
ubsan               [default]        OPENSSL_NO_UBSAN
unit-test           [default]        OPENSSL_NO_UNIT_TEST
uplink              [no uplink_arch] OPENSSL_NO_UPLINK
weak-ssl-ciphers    [default]        OPENSSL_NO_WEAK_SSL_CIPHERS
zlib                [default]
zlib-dynamic        [default]
ssl3                [default]        OPENSSL_NO_SSL3
ssl3-method         [default]        OPENSSL_NO_SSL3_METHOD

Config target attributes:

AR => "ar",
ARFLAGS => "r",
CC => "cc",
CFLAGS => "-g -O0 -Wall",
HASHBANGPERL => "/usr/bin/env perl",
RANLIB => "ranlib -c",
RC => "windres",
asm_arch => "x86_64",
bn_ops => "SIXTY_FOUR_BIT_LONG",
build_file => "Makefile",
build_scheme => [ "unified", "unix" ],
cflags => "-arch x86_64",
cppflags => "-D_REENTRANT",
defines => [ "OPENSSL_BUILDING_OPENSSL" ],
disable => [  ],
dso_scheme => "dlfcn",
enable => [  ],
includes => [  ],
lflags => "-Wl,-search_paths_first",
lib_cflags => "",
lib_cppflags => "-DL_ENDIAN",
lib_defines => [  ],
module_cflags => "-fPIC",
module_cxxflags => undef,
module_ldflags => "-bundle",
perl_platform => "Unix",
perlasm_scheme => "macosx",
shared_cflag => "-fPIC",
shared_defines => [  ],
shared_extension => ".\$(SHLIB_VERSION_NUMBER).dylib",
shared_ldflag => "-dynamiclib -current_version \$(SHLIB_VERSION_NUMBER) 
-compatibility_version \$(SHLIB_VERSION_NUMBER)",
shared_rcflag => "",
shared_sonameflag => "-install_name \$(INSTALLTOP)/\$(LIBDIR)/",
shared_target => "darwin-shared",
sys_id => "MACOSX",
thread_defines => [  ],
thread_scheme => "pthreads",
unistd => "",

Recorded environment:

AR =
ARFLAGS =
AS =
ASFLAGS =
BUILDFILE =
CC =
CFLAGS =
CPP =
CPPDEFINES =
CPPFLAGS =
CPPINCLUDES =
CROSS_COMPILE =
CXX =
CXXFLAGS =
HASHBANGPERL =
LD =

Re: [openssl-users] Unable to load/add a dynamic engine

2016-04-20 Thread danigrosu
Sorry for replying to this, but no one working with OpenSSL engines here?

Regards,
Dani Grosu
danigrosu wrote
> Hi. I am using the OpenSSL 1.0.1f and I built a RSA engine using CUDA
> code.
> I want to load this engine dynamically, i.e. when I type
>     # openssl engine
> I want to see my engine id on the list, but all I see is this:
>     (rsax) RSAX engine support
>     (dynamic) Dynamic engine loading support
> where the rsax is builtin
> 
> I have modified the openssl.cnf file by adding the following lines:
>     openssl_conf = openssl_def
>     [openssl_def]
>     engines = engine_section
> 
>     [engine_section]
>     foo = gpu_section
> 
>     [gpu_section]
>     dynamic_path = /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/librsax_gpu.so
>     engine_id = rsax_gpu
>     default_algorithms = RSA
>     init = 1
> 
> I tried this:
>     # openssl speed rsa512 -engine rsax_gpu
> and everything went well.
> 
> Please tell me why I can't load dynamically the engine?





--
View this message in context: 
http://openssl.6102.n7.nabble.com/Unable-to-load-add-a-dynamic-engine-tp65563p65618.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Unable to load/add a dynamic engine

2016-04-17 Thread danigrosu
Hi. I am using the OpenSSL 1.0.1f and I built a RSA engine using CUDA code.
I want to load this engine dynamically, i.e. when I type
    # openssl engine
I want to see my engine id on the list, but all I see is this:
    (rsax) RSAX engine support
    (dynamic) Dynamic engine loading support
where the rsax is builtin

I have modified the openssl.cnf file by adding the following lines:
    openssl_conf = openssl_def
    [openssl_def]
    engines = engine_section

    [engine_section]
    foo = gpu_section

    [gpu_section]
    dynamic_path = /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/librsax_gpu.so
    engine_id = rsax_gpu
    default_algorithms = RSA
    init = 1

I tried this:
    # openssl speed rsa512 -engine rsax_gpu
and everything went well.

Please tell me why I can't load dynamically the engine?





Re: error unable to load PKCS7 object... wrong tag

2013-07-19 Thread likejiujitsu
openssl asn1parse -inform DER -in D:\thawte_info\myCert.spc
    0:d=0  hl=2 l=  45 cons: ASN1 13
Error in encoding
4048:error:0D07209B:asn1 encoding routines:ASN1_get_object:too 
long:.\crypto\asn1\asn1_lib.c:142:



 From: Dave Thompson-5 [via OpenSSL] ml-node+s6102n45886...@n7.nabble.com
To: likejiujitsu goodnewsfor...@yahoo.com 
Sent: Thursday, July 18, 2013 6:58 PM
Subject: RE: error unable to load PKCS7 object... wrong tag
 


 From: [hidden email] On Behalf Of Anil 
 Sent: Thursday, 18 July, 2013 10:51 

 Thank you for your reply. 
 I used HxD but could not find any occurrence of 0x30 followed by 0x82. 
 Anything else to try? 
 
openssl asn1parse -inform DER -in mycert.spc 

If that gives an error, your file isn't DER. Figure out what it is. 
If you can't figure out, post a hex dump and maybe someone else can; 
if it's really big, truncate to at most a few hundred bytes. 

If asn1parse succeeds post it, or if big the first say 20 lines. 


__ 
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email] 
Automated List Manager                           [hidden email] 



 




RE: error unable to load PKCS7 object... wrong tag

2013-07-19 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of likejiujitsu
Sent: Friday, 19 July, 2013 10:26

openssl asn1parse -inform DER -in D:\thawte_info\myCert.spc
0:d=0  hl=2 l=  45 cons: ASN1 13
Error in encoding
   4048:error:0D07209B:asn1 encoding routines:ASN1_get_object:
too long:.\crypto\asn1\asn1_lib.c:142:

Okay, that's an error. See below.



   From: Dave Thompson-5 [via OpenSSL] [hidden email]
   To: likejiujitsu [hidden email] 
   Sent: Thursday, July 18, 2013 6:58 PM
   Subject: RE: error unable to load PKCS7 object... wrong tag
snip  
   openssl asn1parse -inform DER -in mycert.spc 

   If that gives an error, your file isn't DER. Figure out what it is. 
   If you can't figure out, post a hex dump and maybe someone else can;

   if it's really big, truncate to at most a few hundred bytes. 
snip
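Added example, not part of the thread: the asn1parse header line reported above can be turned back into the two octets OpenSSL actually read. Universal class, constructed, tag 13 is 0x2D and short-form length 45 is 0x2D, i.e. ASCII `--`, which is how a PEM `-----BEGIN` line starts; `find_der_start` automates the hex-editor search for 0x30 0x82 with a length sanity check. The function names and the constructed sample bytes are assumptions of this example.

```python
import re

# Universal tag numbers for names asn1parse commonly prints. Tags it has no name
# for are shown as "<ASN1 n>" (the angle brackets are often lost in web archives).
UNIVERSAL_TAGS = {"BOOLEAN": 1, "INTEGER": 2, "BIT STRING": 3, "OCTET STRING": 4,
                  "NULL": 5, "OBJECT": 6, "SEQUENCE": 16, "SET": 17}

HEADER_RE = re.compile(
    r"^\s*(?P<off>\d+):d=(?P<depth>\d+)\s+hl=(?P<hl>\d+)\s+l=\s*(?P<len>\d+)"
    r"\s+(?P<pc>prim|cons):\s*(?P<name>[^:]+)")

# The line quoted in the thread, plus constructed inputs for the offset search.
REPORTED_LINE = "0:d=0  hl=2 l=  45 cons: ASN1 13"
CONSTRUCTED_WRAPPED = b"\x00\x01junk" + b"\x30\x82\x01\x00" + bytes(256)
CONSTRUCTED_PEM_TEXT = b"-----BEGIN PKCS7-----\nMIIB(constructed)\n-----END PKCS7-----\n"


def parse_asn1parse_line(line):
    """Parse one 'offset:d=..  hl=.. l=.. prim|cons: NAME' line of asn1parse output."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an asn1parse header line")
    name = m["name"].strip().strip("<>").strip()
    generic = re.fullmatch(r"ASN1 (\d+)", name)
    if generic:
        tag = int(generic.group(1))
    elif name in UNIVERSAL_TAGS:
        tag = UNIVERSAL_TAGS[name]
    else:
        raise ValueError("only universal-class tags are handled: %r" % name)
    return {"offset": int(m["off"]), "depth": int(m["depth"]), "hl": int(m["hl"]),
            "length": int(m["len"]), "constructed": m["pc"] == "cons", "tag": tag}


def header_octets(fields):
    """Rebuild the identifier and length octets that produced the parsed line."""
    if fields["tag"] >= 31:
        raise ValueError("high-tag-number form is not handled")
    ident = (0x20 if fields["constructed"] else 0x00) | fields["tag"]
    n_len = fields["hl"] - 1          # header = 1 identifier octet + length octets
    length = fields["length"]
    if n_len == 1:                    # short form: the length is the octet itself
        if length >= 0x80:
            raise ValueError("length does not fit the short form")
        return bytes([ident, length])
    # long form: 0x80 | count, followed by the big-endian length
    return bytes([ident, 0x80 | (n_len - 1)]) + length.to_bytes(n_len - 1, "big")


def find_der_start(data):
    """Offset of the first 0x30 0x82 whose declared length fits in the data, else None."""
    pos = data.find(b"\x30\x82")
    while pos != -1:
        if pos + 4 <= len(data):
            declared = int.from_bytes(data[pos + 2:pos + 4], "big")
            if pos + 4 + declared <= len(data):
                return pos
        pos = data.find(b"\x30\x82", pos + 1)
    return None


if __name__ == "__main__":
    octets = header_octets(parse_asn1parse_line(REPORTED_LINE))
    print("octets read as the DER header:", octets.hex(), repr(octets))
    print("DER start in wrapped sample:", find_der_start(CONSTRUCTED_WRAPPED))
    print("DER start in PEM text:", find_der_start(CONSTRUCTED_PEM_TEXT))
```

A file that is ASCII text cannot contain the byte 0x82, so the 0x30 0x82 search returns nothing on PEM input.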



Re: error unable to load PKCS7 object... wrong tag

2013-07-18 Thread Anil
Thank you for your reply.
I used HxD but could not find any occurrence of 0x30 followed by 0x82.
Anything else to try?



- Original Message -
From: Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org
Cc: 
Sent: Wednesday, July 17, 2013 3:14 PM
Subject: Re: error unable to load PKCS7 object... wrong tag

On Wed, Jul 17, 2013, likejiujitsu wrote:

 
 Running 
 
 openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt
 
 gives error
 
 unable to load PKCS7 object 4372:error:0D0680A8:asn1 encoding
 routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
 4372:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS7
 
 following the instructions here
 
 http://stackoverflow.com/questions/17625174/how-do-i-import-the-private-and-public-keys-pvk-spc-and-certificates-cer-int
 

One possible answer. Look at mycert.spc in a hex editor. Search for the first
occurrence of 0x30 0x82 and delete everything before it, save to a new file.
Try that command again with the new file.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: error unable to load PKCS7 object... wrong tag

2013-07-18 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Anil
 Sent: Thursday, 18 July, 2013 10:51

 Thank you for your reply.
 I used HxD but could not find any occurrence of 0x30 followed by 0x82.
 Anything else to try?
 
openssl asn1parse -inform DER -in mycert.spc 

If that gives an error, your file isn't DER. Figure out what it is.
If you can't figure out, post a hex dump and maybe someone else can;
if it's really big, truncate to at most a few hundred bytes.

If asn1parse succeeds post it, or if big the first say 20 lines.




error unable to load PKCS7 object... wrong tag

2013-07-17 Thread likejiujitsu

Running 

openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt

gives error

unable to load PKCS7 object 4372:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
4372:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS7

following the instructions here

http://stackoverflow.com/questions/17625174/how-do-i-import-the-private-and-public-keys-pvk-spc-and-certificates-cer-int







Re: error unable to load PKCS7 object... wrong tag

2013-07-17 Thread Dr. Stephen Henson
On Wed, Jul 17, 2013, likejiujitsu wrote:

 
 Running 
 
 openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt
 
 gives error
 
 unable to load PKCS7 object 4372:error:0D0680A8:asn1 encoding
 routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
 4372:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS7
 
 following the instructions here
 
 http://stackoverflow.com/questions/17625174/how-do-i-import-the-private-and-public-keys-pvk-spc-and-certificates-cer-int
 

One possible answer. Look at mycert.spc in a hex editor. Search for the first
occurrence of 0x30 0x82 and delete everything before it, save to a new file.
Try that command again with the new file.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Q: openssl dgst: unable to load key file error?

2012-07-17 Thread Li, David
Hi,

I am trying to sign a file using dgst but not sure why I got this unable to 
load key file.  Here is the original command:

openssl dgst -sha384 -out xyz.sig  -sign $PWD/keys/my_private.pem 
xyz.to-be-signed

The private key file my_private.pem DOES exist in the directory.

The openssl version is OpenSSL 1.0.0-fips 29 Mar 2010 on RHEL6.

Can anyone help explain this?

Thanks.






Re: Unable to load certificate

2011-12-02 Thread Erwin Himawan
First, check what type of file it is; i.e. file x509
if it is an ascii file, check the PEM header. The PEM header will tell you
what kind of information is included.

If it is a data file (binary), try to use asn1parse to parse the data.
If it is an ASN1 encoded file, it would show the structure of the data.



On Thu, Dec 1, 2011 at 2:23 PM, Hopkins, Nathan nathan.hopk...@fil.com wrote:

 I found the problem with this was it was pkcs7

 From: Hopkins, Nathan
 Sent: 30 November 2011 18:52
 To: openssl-users@openssl.org
 Subject: RE: Unable to load certificate

 When I try with …-inform der I get …

 32328:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1306:

 32328:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
 error:tasn_dec.c:380:Type=X509

 From: owner-openssl-us...@openssl.org [mailto:
 owner-openssl-us...@openssl.org] On Behalf Of Erwin Himawan
 Sent: 30 November 2011 16:52
 To: openssl-users@openssl.org
 Subject: Re: Unable to load certificate

 Try using openssl x509 -noout -text -in server.crt -inform der

 On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan nathan.hopk...@fil.com
 wrote:

 Hi, please can anyone help - what could be the possible cause for the
 below - my expectation is the .crt should be in the .pem format but I'm
 getting the below?


 openssl x509 -noout -text -in server.crt
 unable to load certificate
 31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1306:
 31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
 error:tasn_dec.c:380:Type=X509_CINF
 31237:error:0D08303A:asn1 encoding
 routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
 error:tasn_dec.c:749:Field=cert_info, Type=X509
 31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
 lib:pem_oth.c:83:
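Added example (not from the thread or the OpenSSL project): a stdlib-only Python sniffer that follows the advice at the top of this message, reading the PEM label and then the first tag inside the outer DER SEQUENCE. That inner tag is what separates a certificate (SEQUENCE first) from a PKCS#7 ContentInfo (OID first), even when the armor says CERTIFICATE. The sample inputs are constructed stubs, and the function names and result labels are this example's own.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)-----END \1-----", re.S)

# First tag inside the outer SEQUENCE, and what it usually indicates.
INNER_KIND = {
    0x30: "x509-like",      # Certificate, CRL, CSR or SubjectPublicKeyInfo
    0x06: "pkcs7",          # ContentInfo begins with the contentType OID
    0x02: "integer-first",  # private keys, PKCS#12, RSAPublicKey
}
# Inner kind each PEM label is expected to carry.
EXPECTED = {"CERTIFICATE": "x509-like", "X509 CRL": "x509-like",
            "PKCS7": "pkcs7", "RSA PRIVATE KEY": "integer-first"}


def read_tlv_header(buf, pos=0):
    """Return (tag, content_length, header_length) of the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def classify_der(der):
    """Classify DER by its outer SEQUENCE and the first tag inside it."""
    try:
        tag, length, hl = read_tlv_header(der)
        if tag != 0x30:
            return "not-der-sequence"
        if hl + length > len(der):
            return "truncated"
        inner_tag, _, _ = read_tlv_header(der, hl)
    except ValueError:
        return "truncated"
    return INNER_KIND.get(inner_tag, "unknown-0x%02x" % inner_tag)


def sniff(data):
    """Return (container, pem_label_or_None, inner_kind) for raw file bytes."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode("ascii")
        try:
            der = base64.b64decode(m.group(2))
        except binascii.Error:
            return ("pem", label, "bad-base64")
        return ("pem", label, classify_der(der))
    if data[:1] == b"\x30":
        return ("der", None, classify_der(data))
    text = data.strip()
    if text and re.fullmatch(rb"[A-Za-z0-9+/=\s]+", text):
        try:
            return ("bare-base64", None, classify_der(base64.b64decode(text)))
        except binascii.Error:
            pass
    return ("unknown", None, "unknown")


def label_disagrees(result):
    """True when a PEM label promises one structure and the body holds another."""
    _, label, kind = result
    return label in EXPECTED and kind != EXPECTED[label]


def _pem(label, body_b64):
    return b"-----BEGIN " + label + b"-----\n" + body_b64 + b"\n-----END " + label + b"-----\n"


# Constructed stubs: just enough DER to show the outer and first inner tag.
CERT_SHAPE = bytes.fromhex("30023000")                         # SEQUENCE { SEQUENCE {} }
P7_SHAPE = bytes.fromhex("300d" "06092a864886f70d010702" "a000")  # SEQUENCE { OID signedData, [0] }
PEM_CERT = _pem(b"CERTIFICATE", base64.b64encode(CERT_SHAPE))
PEM_P7_AS_CERT = _pem(b"CERTIFICATE", base64.b64encode(P7_SHAPE))
PEM_DAMAGED = _pem(b"RSA PRIVATE KEY", base64.b64encode(P7_SHAPE)[:-1])  # one char lost in copy/paste

if __name__ == "__main__":
    for name in ("PEM_CERT", "PEM_P7_AS_CERT", "PEM_DAMAGED", "P7_SHAPE"):
        result = sniff(globals()[name])
        print(name, result, "label disagrees" if label_disagrees(result) else "")
```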




RE: Unable to load certificate

2011-12-01 Thread Hopkins, Nathan
I found the problem with this was it was pkcs7

 

 

From: Hopkins, Nathan 
Sent: 30 November 2011 18:52
To: openssl-users@openssl.org
Subject: RE: Unable to load certificate

 

When I try with ...-inform der I get ...

 

32328:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:

32328:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Erwin Himawan
Sent: 30 November 2011 16:52
To: openssl-users@openssl.org
Subject: Re: Unable to load certificate

 

Try using openssl x509 -noout -text -in server.crt -inform der

On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan
nathan.hopk...@fil.com wrote:

Hi, please can anyone help - what could be the possible cause for the
below - my expectation is the .crt should be in the .pem format but I'm
getting the below?


openssl x509 -noout -text -in server.crt
unable to load certificate
31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:
31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509_CINF
31237:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:749:Field=cert_info, Type=X509
31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:


 



RE: Unable to load certificate

2011-11-30 Thread Hopkins, Nathan
Hi, please can anyone help - what could be the possible cause for the
below - my expectation is the .crt should be in the .pem format but I'm
getting the below?


openssl x509 -noout -text -in server.crt
unable to load certificate
31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:
31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509_CINF
31237:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:749:Field=cert_info, Type=X509
31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:



Re: Unable to load certificate

2011-11-30 Thread Erwin Himawan
Try using openssl x509 -noout -text -in server.crt -inform der

On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan nathan.hopk...@fil.com wrote:

 Hi, please can anyone help - what could be the possible cause for the
 below - my expectation is the .crt should be in the .pem format but I'm
 getting the below?


 openssl x509 -noout -text -in server.crt
 unable to load certificate
 31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
 tag:tasn_dec.c:1306:
 31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
 error:tasn_dec.c:380:Type=X509_CINF
 31237:error:0D08303A:asn1 encoding
 routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
 error:tasn_dec.c:749:Field=cert_info, Type=X509
 31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
 lib:pem_oth.c:83:




Re: Unable to load certificate

2011-11-30 Thread Hopkins, Nathan
Many thanks, does the case of der matter - I tried DER without success?




From: owner-openssl-us...@openssl.org owner-openssl-us...@openssl.org 
To: openssl-users@openssl.org openssl-users@openssl.org 
Sent: Wed Nov 30 16:52:26 2011
Subject: Re: Unable to load certificate 


Try using openssl x509 -noout -text -in server.crt -inform der


On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan nathan.hopk...@fil.com 
wrote:


Hi, please can anyone help - what could be the possible cause for the
below - my expectation is the .crt should be in the .pem format but I'm
getting the below?


openssl x509 -noout -text -in server.crt
unable to load certificate
31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:
31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509_CINF
31237:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:749:Field=cert_info, Type=X509
31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:






RE: Unable to load certificate

2011-11-30 Thread Hopkins, Nathan
When I try with ...-inform der I get ...

 

32328:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:

32328:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Erwin Himawan
Sent: 30 November 2011 16:52
To: openssl-users@openssl.org
Subject: Re: Unable to load certificate

 

Try using openssl x509 -noout -text -in server.crt -inform der

On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan
nathan.hopk...@fil.com wrote:

Hi, please can anyone help - what could be the possible cause for the
below - my expectation is the .crt should be in the .pem format but I'm
getting the below?


openssl x509 -noout -text -in server.crt
unable to load certificate
31237:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1306:
31237:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509_CINF
31237:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:749:Field=cert_info, Type=X509
31237:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:


 



OpenSSL unable to load certificate error

2011-07-22 Thread Wang-Martin, Linda
Hi,
I recently got the latest version of OpenSSL (1.0.0) however I now have a 
problem with one of my certificates that I didn't use to have in an older 
version. Specifically, whenever I try to do anything with this particular 
certificate I run into an:
1472:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
tag:.\crypto\asn1\tasn_dec.c:1319:
1472:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 
error:.\crypto\asn1\tasn_dec.c:381:Type=X509

Googling this, I noticed that there was a similar problem, where apparently the 
certificate was not in the correct format, and was fixed with this command:
 openssl base64 -d -A -in 1.cer -out 1.der .

I've tried this command on my certificate and my output was completely blank.

What I'm really trying to do right now is to get the public key in .der format 
from my certificate. However it seems that I am stumped at the first step. Any 
suggestions would be greatly appreciated.

Thanks,
Linda


Re: OpenSSL unable to load certificate error

2011-07-22 Thread Dr. Stephen Henson
On Thu, Jul 21, 2011, Wang-Martin, Linda wrote:

 Hi,
 I recently got the latest version of OpenSSL (1.0.0) however I now have a 
 problem with one of my certificates that I didn't use to have in an older 
 version. Specifically, whenever I try to do anything with this particular 
 certificate I run into an:
 1472:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
 tag:.\crypto\asn1\tasn_dec.c:1319:
 1472:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 
 error:.\crypto\asn1\tasn_dec.c:381:Type=X509
 
 Googling this, I noticed that there was a similar problem, where apparently 
 the certificate was not in the correct format, and was fixed with this 
 command:
  openssl base64 -d -A -in 1.cer -out 1.der .
 
 I've tried this command on my certificate and my output was completely blank.
 
 What I'm really trying to do right now is to get the public key in .der 
 format from my certificate. However it seems that I am stumped at the first 
 step. Any suggestions would be greatly appreciated.
 

Why don't you post the certificate causing the problem?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Unable to load a Public Key

2010-04-22 Thread JG Disenador Multimedia
I'm trying to verify a signature.

 

This signature of a document is a very long hexadecimal string, is stored
alone in the signaturefile.txt

pubfirma.pem is the public key corresponding with the private key used to
sign the document

 

I used the next commands to verify the signature:

openssl rsautl -verify -in signaturefile.txt -out output.txt -inkey
pubfirma.pem -pubin

 

openssl rsautl -verify -in signaturefile.txt -inkey pubfirma.pem -pubin

 

I always receive the same answer:

 

unable to load Public Key

 

The public key is a base64encoded certificate, is only a public key, there
is not a private key in the pubfirma.pem

All the files are stored in the same directory where I use the openssl
command.

 

 

I can see the details of the x.509 certificate (the public key) using the
next command:

openssl x509 -in pubfirma.pem -text -noout

 

Any suggestion?



unable to load private key

2010-04-16 Thread digitalderik

Hi there
I've copied and pasted an rsa private key that I need to use with openssl.
However when I run any commands that use the private key like the command:
$openssl rsautl -sign -in textfile -inkey privatekey.pem -out result.txt
I get: unable to load private key
I've checked the line length of the private key and it is 64 characters. Does
this mean that it's not a problem with the base64 encoding (The key is in PEM
format: ASN.1 + DER + base64).
I'm at my wits' end and can't find anything that helps on Google.
Any help would be great. Thank you for your time
regards


Re: unable to load private key

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, digitalderik wrote:

 
 Hi there
 I've copied and pasted an rsa private key that I need to use with openssl.
 However when I run any commands that use the private key like the command:
 $openssl rsautl -sign -in textfile -inkey privatekey.pem -out result.txt
 I get: unable to load private key
 I've checked the line length of the private key and it is 64 characters. Does
 this mean that it's not a problem with the base64 encoding (The key is in PEM
 format: ASN.1 + DER + base64).
 I'm at my wits' end and can't find anything that helps on Google.
 Any help would be great. Thank you for your time
 regards

What is the full error message? What do you get with:

openssl rsa -in key.pem

Does the file look like this:

-----BEGIN RSA PRIVATE KEY-----
base64 encoded stuff
-----END RSA PRIVATE KEY-----

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: Unable to load CRL

2010-01-11 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Shane

Thank you. This is working perfectly, but why was my code failing?

I used the d2i_X509_CRL_fp API instead of d2i_X509_CRL_bio. Any idea what
the difference is? Am I doing anything wrong in my program?

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Shane Steidley
Sent: Saturday, January 09, 2010 2:32 AM
To: openssl-users@openssl.org
Subject: RE: Unable to load CRL

This is straight out of the openssl verify program, and seems to be
exactly what you need:

static X509_CRL *load_crl(char *infile, int format)
{
    X509_CRL *x = NULL;
    BIO *in = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL)
    {
        ERR_print_errors(bio_err);
        goto end;
    }

    if (infile == NULL)
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
    else
    {
        if (BIO_read_filename(in, infile) <= 0)
        {
            perror(infile);
            goto end;
        }
    }
    if (format == FORMAT_ASN1)
        x = d2i_X509_CRL_bio(in, NULL);
    else if (format == FORMAT_PEM)
        x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
    else
    {
        BIO_printf(bio_err, "bad input format specified for input crl\n");
        goto end;
    }
    if (x == NULL)
    {
        BIO_printf(bio_err, "unable to load CRL\n");
        ERR_print_errors(bio_err);
        goto end;
    }

end:
    BIO_free(in);
    return (x);
}


RE: Unable to load CRL

2010-01-11 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of 
 Radha krishna Meduri -X (radmedur - HCL at Cisco)
 Sent: Friday, 08 January, 2010 01:13

 #include "openssl/ssl.h"
 #include "stdio.h"
 
Aside: it's conventional and sometimes better to 
use <> format for system/std headers like stdio.h. 

 FILE* m_pfCRLFile=0;
 const char* m_pszURL;
 
 const char* m_pszCRLFile = "test_pem.crl";
 
 printf("systhesized file name= %s\n", m_pszCRLFile);
 
Aside: IAYM 'synthesized' but I don't see how. Maybe 
this is leftover from other more complicated code.

 m_pfCRLFile = fopen( m_pszCRLFile , "wb");
 
 if( !m_pfCRLFile )
 {
  printf("Unable to open file %s for writing", m_pszCRLFile);
  exit(0);
 }
 
You open for writing, which empties the file, but then ...

 X509_CRL *pCRL=0, *pTempCRL = 0;
 
 pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );
 
.. try to read. That can't work.

Also: you don't need to use both the pTempCRL argument 
and the return value pCRL. Either one is sufficient.

 if( !pCRL )
 {
 printf("Unable to read using d2i_X509_CRL_fp\n");
 pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0);

Ditto, and ditto.

 }
 
 if( !pCRL )
 {
 printf("Unable to read CRL file\n" );
 exit(0);
 }




Re: Unable to load CRL

2010-01-10 Thread sandeep kiran p
Krishna,

m_pfCRLFile = fopen( m_pszCRLFile , "wb");

"wb" opens the file in write (binary) mode. But your intention is to read
the CRL. Change the mode to "rb" and check again.

-Sandeep

On Thu, Jan 7, 2010 at 10:12 PM, Radha krishna Meduri -X (radmedur - HCL at
Cisco) radme...@cisco.com wrote:


 Hi Experts

 I am writing simple standalone cpp program to read CRL file but could
 not. Please correct me If I miss anything in the program...I am getting
 Unable to read CRL file as in the last printf statement.

 #include "openssl/ssl.h"
 #include "stdio.h"

 int main()
 {

 FILE* m_pfCRLFile=0;
 const char* m_pszURL;

 const char* m_pszCRLFile = "test_pem.crl";

 printf("systhesized file name= %s\n", m_pszCRLFile);

 m_pfCRLFile = fopen( m_pszCRLFile , "wb");

 if( !m_pfCRLFile )
 {
 printf("Unable to open file %s for writing", m_pszCRLFile);
 exit(0);
 }

 X509_CRL *pCRL=0, *pTempCRL = 0;

 pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );

 if( !pCRL )
 {
 printf("Unable to read using d2i_X509_CRL_fp\n");
 pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0);
 }

 if( !pCRL )
 {
 printf("Unable to read CRL file\n" );
 exit(0);
 }

 Thanks
 Radhakrishna.

 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Radha krishna
 Meduri -X (radmedur - HCL at Cisco)
 Sent: Thursday, December 24, 2009 11:23 AM
 To: openssl-users@openssl.org
 Subject: RE: Unable to load CRL


 Hi Steve

 I guess that is not the problem as I will be able to read same CRL file
 if I place CRL file into another webserver. I am not able to post CRL
 here as this is open alias.

 BTW I want to write test program to check the CRL file. Could you please
 share the same if you have any?

 Thanks
 Radhakrishna.

 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
 Sent: Monday, December 14, 2009 9:02 PM
 To: openssl-users@openssl.org
 Subject: Re: Unable to load CRL

 On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco)
 wrote:

 
  Hi Patrick
 
  We are using following code snippet to load CRL's.
 
  X509_CRL *pCRL, *pTempCRL = 0;
  pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );
 
  if( !pCRL )
  {
  rewind(pfCrlFile);
  pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0); }
 
  rewind(pfCrlFile);
 
  if( !pCRL )
  {
  logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
  break; }
 
  Ultimately we are getting Unable to read CRL file if we are loading
  DER format CRL. Did you see anything wrong there?
 

 Is the fp opened in binary mode? Text mode translation on that fp will
 corrupt the CRL loading in DER mode.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org



RE: Unable to load CRL

2010-01-08 Thread Shane Steidley
This is straight out of the openssl verify program, and seems to be
exactly what you need:

/* bio_err, FORMAT_ASN1 and FORMAT_PEM come from the openssl apps sources (apps.h). */
static X509_CRL *load_crl(char *infile, int format)
{
    X509_CRL *x = NULL;
    BIO *in = NULL;

    in = BIO_new(BIO_s_file());
    if (in == NULL)
    {
        ERR_print_errors(bio_err);
        goto end;
    }

    /* NULL file name means read from stdin */
    if (infile == NULL)
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
    else
    {
        if (BIO_read_filename(in, infile) <= 0)
        {
            perror(infile);
            goto end;
        }
    }
    if (format == FORMAT_ASN1)          /* DER input */
        x = d2i_X509_CRL_bio(in, NULL);
    else if (format == FORMAT_PEM)      /* PEM input */
        x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
    else
    {
        BIO_printf(bio_err, "bad input format specified for input crl\n");
        goto end;
    }
    if (x == NULL)
    {
        BIO_printf(bio_err, "unable to load CRL\n");
        ERR_print_errors(bio_err);
        goto end;
    }

end:
    BIO_free(in);
    return (x);
}


RE: Unable to load CRL

2010-01-07 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Experts

I am writing a simple standalone cpp program to read a CRL file but could
not. Please correct me if I missed anything in the program... I am getting
"Unable to read CRL file", as in the last printf statement.

#include "openssl/ssl.h"
#include "stdio.h"

int main()
{

FILE* m_pfCRLFile=0;
const char* m_pszURL;

const char* m_pszCRLFile = "test_pem.crl";

printf("systhesized file name= %s\n", m_pszCRLFile);

m_pfCRLFile = fopen( m_pszCRLFile , "wb");

if( !m_pfCRLFile )
{
 printf("Unable to open file %s for writing", m_pszCRLFile);
 exit(0);
}

X509_CRL *pCRL=0, *pTempCRL = 0;

pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );

if( !pCRL )
{
printf("Unable to read using d2i_X509_CRL_fp\n");
pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0);
}

if( !pCRL )
{
printf("Unable to read CRL file\n" );
exit(0);
}

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Radha krishna
Meduri -X (radmedur - HCL at Cisco)
Sent: Thursday, December 24, 2009 11:23 AM
To: openssl-users@openssl.org
Subject: RE: Unable to load CRL


Hi Steve

I guess that is not the problem as I will be able to read same CRL file
if I place CRL file into another webserver. I am not able to post CRL
here as this is open alias.

BTW I want to write test program to check the CRL file. Could you please
share the same if you have any?

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, December 14, 2009 9:02 PM
To: openssl-users@openssl.org
Subject: Re: Unable to load CRL

On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco)
wrote:

 
 Hi Patrick
 
 We are using following code snippet to load CRL's.
 
 X509_CRL *pCRL, *pTempCRL = 0;
 pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );
 
 if( !pCRL )
 {
 rewind(pfCrlFile);
 pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0); }
 
 rewind(pfCrlFile);
 
 if( !pCRL )
 {
 logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
 break; }
 
 Ultimately we are getting Unable to read CRL file if we are loading 
 DER format CRL. Did you see anything wrong there?
 

Is the fp opened in binary mode? Text mode translation on that fp will
corrupt the CRL loading in DER mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Unable to load CRL

2010-01-07 Thread Christian Hohnstaedt
Hi,

On Fri, Jan 08, 2010 at 11:42:39AM +0530, Radha krishna Meduri -X (radmedur - 
HCL at Cisco) wrote:
 
 
 X509_CRL *pCRL=0, *pTempCRL = 0;
 
 pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );
 
 if( !pCRL )
 {
 printf("Unable to read using d2i_X509_CRL_fp\n");
  
/* Filepointer is somewhere in the file. Reset it */
rewind(m_pfCRLFile);


 pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0);
 }

fclose(m_pfCRLFile);


 
 if( !pCRL )
 {
 printf("Unable to read CRL file\n" );
 exit(0);
 }

best regards

Christian



RE: Unable to load CRL

2010-01-07 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Christian

Thank you for your reply. I already did that but no use

-

X509_CRL *pCRL=0, *pTempCRL = 0;

pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );

if( !pCRL )
{
printf("Unable to read using d2i_X509_CRL_fp\n");
rewind(m_pfCRLFile);
pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0);
}

rewind(m_pfCRLFile);



Thanks
Radhakrishna. 

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Christian
Hohnstaedt
Sent: Friday, January 08, 2010 12:15 PM
To: openssl-users@openssl.org
Subject: Re: Unable to load CRL

Hi,

On Fri, Jan 08, 2010 at 11:42:39AM +0530, Radha krishna Meduri -X
(radmedur - HCL at Cisco) wrote:
 
 
 X509_CRL *pCRL=0, *pTempCRL = 0;
 
 pCRL = d2i_X509_CRL_fp( m_pfCRLFile, pTempCRL );
 
 if( !pCRL )
 {
 printf("Unable to read using d2i_X509_CRL_fp\n");
  
/* Filepointer is somewhere in the file. Reset it */
rewind(m_pfCRLFile);


 pCRL = PEM_read_X509_CRL(m_pfCRLFile, pTempCRL, NULL, 0); }

fclose(m_pfCRLFile);


 
 if( !pCRL )
 {
 printf("Unable to read CRL file\n" );
 exit(0);
 }

best regards

Christian



RE: Unable to load CRL

2009-12-23 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Steve

I guess that is not the problem as I will be able to read same CRL file
if I place CRL file into another webserver. I am not able to post CRL
here as this is open alias.

BTW I want to write test program to check the CRL file. Could you please
share the same if you have any?

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, December 14, 2009 9:02 PM
To: openssl-users@openssl.org
Subject: Re: Unable to load CRL

On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco)
wrote:

 
 Hi Patrick
 
 We are using following code snippet to load CRL's.
 
 X509_CRL *pCRL, *pTempCRL = 0;
 pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );
 
 if( !pCRL )
 {
     rewind(pfCrlFile);
     pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0);
 }
 
 rewind(pfCrlFile);
 
 if( !pCRL )
 {
     logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
     break;
 }
 
 Ultimately we are getting Unable to read CRL file if we are loading 
 DER format CRL. Did you see anything wrong there?
 

Is the fp opened in binary mode? Text mode translation on that fp will
corrupt the CRL loading in DER mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Unable to load CRL

2009-12-14 Thread Patrick Patterson
A couple of things:

1: You don't need pTempCRL - just set that parameter to NULL. 

2: You may want to call  ERR_get_error(3) in your if (!pCRL) statement, 
since that will tell you MUCH more interesting information about what has gone 
wrong. (Don't forget to call ERR_load_crypto_strings if you want to decode the 
errors)

Have fun.

Patrick.

On December 14, 2009 01:27:08 am Radha krishna Meduri -X (radmedur - HCL at 
Cisco) wrote:
 Hi Patrick

 We are using following code snippet to load CRL's.

 X509_CRL *pCRL, *pTempCRL = 0;
 pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );

 if( !pCRL )
 {
     rewind(pfCrlFile);
     pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0);
 }

 rewind(pfCrlFile);

 if( !pCRL )
 {
     logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
     break;
 }

 Ultimately we are getting Unable to read CRL file if we are loading
 DER format CRL. Did you see anything wrong there?

 Thanks
 Radhakrishna.

 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
 Sent: Friday, December 11, 2009 8:32 PM
 To: openssl-users@openssl.org
 Subject: Re: Unable to load CRL

 Hi Rahhakrishna:

 Sounds like you are using PEM_read_crl(), or some such, to read in your
 CRL. Since the CRL is actually in DER format, you should probably read
 the file in, and then use the Openssl d2i_X509_CRL (look up the man page
 - there's even a form of that function that allows you to read the DER
 encoded CRL function directly from a file) functions instead.

 (of course, your application should probably detect which type of file
 it is looking at, and then do the right thing.)

 Since it looks like you're building applications to support the 787, you
 may want to also take a look at the ATA Spec42 guidance on building PKI
 applications in the air transport industry.

 Best Regards,

 Patrick Patterson
 Chief PKI Architect
 Carillon Information Security Inc.
 http://www.carillon.ca

 Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
  Thanks for your support. Yes I have read it already. I am able to read
 
  crl file with switch -inform DER but my application is failing to
  read it while loading CRL from gui. I am trying to find out the issue.
 
  My application was using API's to read CRL's.
 
  Thanks
  Radhakrishna.
 
  -Original Message-
  From: owner-openssl-us...@openssl.org
  [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
  Patrick
  Sent: Friday, December 11, 2009 5:37 PM
  To: 'openssl-users@openssl.org'
  Subject: RE: Unable to load CRL
 
  Hi Radhakrishna,
 
  -Original Message-
  From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna
  Meduri
 
  -X (radmedur - HCL at Cisco)
 
  Hi Patrick Eisenacher
 
  I converted this crl to PEM format which worked like charm.
  Is there any
  restriction like CRL's should be in PEM format only?
 
  nope, as always you can feed it in either PEM- or DER-encoded. PEM is
  openssl's default format. If your CRL is in DER-encoded (binary)
  format, you need to add -inform DER to openssl's crl command.
 
  Did you read the command options on the link below?
 
  HTH,
  Patrick Eisenacher
 
  -Original Message-
  From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher,
  Patrick
 
  Hi Radhakrishna,
 
  -Original Message-
 
  From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 
  I am not able to load the crl in text format and I am getting
  following error while issuing following command openssl crl -in
 
  abcd.crl -text
 
  unable to load CRL
  28950:error:0906D06C:PEM routines:PEM_read_bio:no start
  line:pem_lib.c:642:Expecting: X509 CRL
 
  Any idea what could be issue?
 
  that means that abcd.crl has no proper PEM-encoding (base64 plus
  header and footer). The error messages states that openssl can't find
 
  the header. For more info about the header and footer, see
  http://www.openssl.org/docs/apps/crl.html#NOTES
 

Re: Unable to load CRL

2009-12-14 Thread Dr. Stephen Henson
On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:

 
 Hi Patrick
 
 We are using following code snippet to load CRL's.
 
 X509_CRL *pCRL, *pTempCRL = 0;
 pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );
 
 if( !pCRL )
 {
     rewind(pfCrlFile);
     pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0);
 }
 
 rewind(pfCrlFile);
 
 if( !pCRL )
 {
     logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
     break;
 }
 
 Ultimately we are getting Unable to read CRL file if we are loading
 DER format CRL. Did you see anything wrong there?
 

Is the fp opened in binary mode? Text mode translation on that fp will corrupt
the CRL loading in DER mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: unable to load Private Key: mobilefish self-CA instructions

2009-12-14 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Llenlleawg
 Sent: Saturday, 12 December, 2009 15:17

 Here is a brief outline of what I'm trying to do.  I'm trying 
 to create a
 certificate signed by my own CA and private key.
 
 I followed the steps on the following site to setup my own CA. 
 
 http://www.mobilefish.com/developer/openssl/openssl_quickguide
 _create_ca.html
 
 and then followed the steps on this page to try to create the 
 certificate.
 
 http://www.mobilefish.com/developer/openssl/openssl_quickguide
 _ca_certificate.html
 
 My problem is when I get to step 7 on the second page.  I receive the
 following error when I run the command in step 7.
 
 C:\OpenSSL\bin>openssl rsa < newreq.pem > newkey.pem
 unable to load Private Key
 6068:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:.\crypto\pem\pem_lib.c:650:Expecting: ANY PRIVATE KEY
 

They appear to have been confused/misled and not tested.

Some older versions of 'CA.pl newreq' (and newreq-nodes), 
in particular 0.9.7d which they identify and I happen to have 
to hand on an old system, incorrectly says at the end:
  Request (and private key) is in newreq.pem

but in fact the request is in newreq.pem and the privkey 
is in newkey.pem. As they should be, because a CSR does not, 
and in general for security MUST not, contain the privkey.

If you just skip their step 7 it looks like it should work.

Aside: their description at the top of the page isn't quite 
correct. Assuming kRSA, as they apparently do, the browser
(client) doesn't choose and send the actual sessionkey, 
rather the premaster secret which is used to derive the 
sessionkeys (there are actually two, encryption and MAC).





unable to load Private Key

2009-12-13 Thread Llenlleawg

Hi All,

I'm hoping someone can help me, I'm a complete newb when it comes to this
stuff so I hope someone can point me in the right direction.

Here is a brief outline of what I'm trying to do.  I'm trying to create a
certificate signed by my own CA and private key.

I followed the steps on the following site to setup my own CA. 

http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html

and then followed the steps on this page to try to create the certificate.

http://www.mobilefish.com/developer/openssl/openssl_quickguide_ca_certificate.html

My problem is when I get to step 7 on the second page.  I receive the
following error when I run the command in step 7.

C:\OpenSSL\bin>openssl rsa < newreq.pem > newkey.pem
unable to load Private Key
6068:error:0906D06C:PEM routines:PEM_read_bio:no start
line:.\crypto\pem\pem_lib.c:650:Expecting: ANY PRIVATE KEY

From what I can tell, I have followed the steps exactly as listed and have
even started from scratch several times all to the same result.

Any help would be appreciated.
-- 
View this message in context: 
http://old.nabble.com/unable-to-load-Private-Key-tp26760802p26760802.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


RE: Unable to load CRL

2009-12-13 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Patrick

We are using following code snippet to load CRL's.

X509_CRL *pCRL, *pTempCRL = 0;
pCRL = d2i_X509_CRL_fp( pfCrlFile, pTempCRL );

if( !pCRL )
{
    rewind(pfCrlFile);
    pCRL = PEM_read_X509_CRL(pfCrlFile, pTempCRL, NULL, 0);
}

rewind(pfCrlFile);

if( !pCRL )
{
    logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
    break;
}

Ultimately we are getting Unable to read CRL file if we are loading
DER format CRL. Did you see anything wrong there?

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Friday, December 11, 2009 8:32 PM
To: openssl-users@openssl.org
Subject: Re: Unable to load CRL

Hi Rahhakrishna:

Sounds like you are using PEM_read_crl(), or some such, to read in your
CRL. Since the CRL is actually in DER format, you should probably read
the file in, and then use the Openssl d2i_X509_CRL (look up the man page
- there's even a form of that function that allows you to read the DER
encoded CRL function directly from a file) functions instead.

(of course, your application should probably detect which type of file
it is looking at, and then do the right thing.)

Since it looks like you're building applications to support the 787, you
may want to also take a look at the ATA Spec42 guidance on building PKI
applications in the air transport industry.

Best Regards,

Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca



Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
 Thanks for your support. Yes I have read it already. I am able to read

 crl file with switch -inform DER but my application is failing to 
 read it while loading CRL from gui. I am trying to find out the issue.

 My application was using API's to read CRL's.
 
 Thanks
 Radhakrishna.
 
 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher, 
 Patrick
 Sent: Friday, December 11, 2009 5:37 PM
 To: 'openssl-users@openssl.org'
 Subject: RE: Unable to load CRL
 
 Hi Radhakrishna,
 
 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna 
 Meduri
 
 -X (radmedur - HCL at Cisco)

 Hi Patrick Eisenacher

 I converted this crl to PEM format which worked like charm.
 Is there any
 restriction like CRL's should be in PEM format only?
 
 nope, as always you can feed it in either PEM- or DER-encoded. PEM is 
 openssl's default format. If your CRL is in DER-encoded (binary) 
 format, you need to add -inform DER to openssl's crl command.
 
 Did you read the command options on the link below?
 
 HTH,
 Patrick Eisenacher
 
 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, 
 Patrick

 Hi Radhakrishna,

 -Original Message-
 From: owner-openssl-users On Behalf Of Radha krishna Meduri -X

 I am not able to load the crl in text format and I am getting 
 following error while issuing following command openssl crl -in
 abcd.crl -text
 unable to load CRL
 28950:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL

 Any idea what could be issue?
 that means that abcd.crl has no proper PEM-encoding (base64 plus 
 header and footer). The error messages states that openssl can't find

 the header. For more info about the header and footer, see 
 http://www.openssl.org/docs/apps/crl.html#NOTES


RE: Unable to load CRL

2009-12-11 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Patrick Eisenacher

I converted this crl to PEM format which worked like charm. Is there any
restriction like CRL's should be in PEM format only?

Thanks
Radhakrishna. 

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
Patrick
Sent: Tuesday, December 08, 2009 5:51 PM
To: 'openssl-users@openssl.org'
Subject: RE: Unable to load CRL

Hi Radhakrishna,

-Original Message-
 From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 Sent: Tuesday, December 08, 2009 12:29 PM
 To: openssl-users@openssl.org
 Subject: Unable to load CRL

 I am not able to load the crl in text format and I am getting 
 following error while issuing following command openssl crl -in
abcd.crl -text

 unable to load CRL
 28950:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL

 Any idea what could be issue?

that means that abcd.crl has no proper PEM-encoding (base64 plus header
and footer). The error messages states that openssl can't find the
header. For more info about the header and footer, see
http://www.openssl.org/docs/apps/crl.html#NOTES

HTH,
Patrick Eisenacher


RE: Unable to load CRL

2009-12-11 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Hi Patrick

We have one more update

[r...@acsxp-srv3 radha]# 
[r...@acsxp-srv3 radha]# /opt/CSCOacsxp/.system/openssl crl -in abcd.crl
-text
unable to load CRL
13202:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:642:Expecting: X509 CRL
[r...@acsxp-srv3 radha]# 
[r...@acsxp-srv3 radha]# /opt/CSCOacsxp/.system/openssl crl -inform DER
-in abcd.crl -text | more
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/DC=COM/DC=NWA/DC=PAD/O=Northwest Airlines
Inc/OU=PAD/CN=Northwest Airlines PAD Low Assurance Issuing CA
Last Update: Sep 30 04:54:00 2009 GMT
removed lower part

If you observe first command I did not mention -inform switch which
failed to load but later command succeeded with that option. Why is it
so? Basically customer certificate was in DER format. If CRL was in DER
format, is it mandatory to mention -inform DER in the command line?

Thanks
Radhakrishna.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Radha krishna
Meduri -X (radmedur - HCL at Cisco)
Sent: Friday, December 11, 2009 5:19 PM
To: openssl-users@openssl.org
Subject: RE: Unable to load CRL


Hi Patrick Eisenacher

I converted this crl to PEM format which worked like charm. Is there any
restriction like CRL's should be in PEM format only?

Thanks
Radhakrishna. 

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
Patrick
Sent: Tuesday, December 08, 2009 5:51 PM
To: 'openssl-users@openssl.org'
Subject: RE: Unable to load CRL

Hi Radhakrishna,

-Original Message-
 From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 Sent: Tuesday, December 08, 2009 12:29 PM
 To: openssl-users@openssl.org
 Subject: Unable to load CRL

 I am not able to load the crl in text format and I am getting 
 following error while issuing following command openssl crl -in
abcd.crl -text

 unable to load CRL
 28950:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL

 Any idea what could be issue?

that means that abcd.crl has no proper PEM-encoding (base64 plus header
and footer). The error messages states that openssl can't find the
header. For more info about the header and footer, see
http://www.openssl.org/docs/apps/crl.html#NOTES

HTH,
Patrick Eisenacher


RE: Unable to load CRL

2009-12-11 Thread Eisenacher, Patrick
Hi Radhakrishna,

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radha krishna Meduri -X 
 (radmedur - HCL at Cisco)



 Hi Patrick

 We have one more update

 [r...@acsxp-srv3 radha]#
 [r...@acsxp-srv3 radha]# /opt/CSCOacsxp/.system/openssl crl
 -in abcd.crl
 -text
 unable to load CRL
 13202:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL
 [r...@acsxp-srv3 radha]#
 [r...@acsxp-srv3 radha]# /opt/CSCOacsxp/.system/openssl crl
 -inform DER
 -in abcd.crl -text | more
 Certificate Revocation List (CRL):
 Version 2 (0x1)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: /C=US/DC=COM/DC=NWA/DC=PAD/O=Northwest Airlines
 Inc/OU=PAD/CN=Northwest Airlines PAD Low Assurance Issuing CA
 Last Update: Sep 30 04:54:00 2009 GMT
 removed lower part

 If you observe first command I did not mentioned -inform
 switch which
 failed to load but later command succeeded with that option. Why is it
 so?

Because your CRL is DER-encoded, but you tell openssl that it is PEM-encoded 
(the default).

 Basically customer certificate was in DER format.

Only the format of your CRL is of interest here.

 If CRL was in DER
 format, is it mandatory to mention -inform DER in the command line?

That's what I wrote in my last mail. Please check again my answer and the 
documentation.

Cheers,
Patrick Eisenacher


 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radha krishna Meduri -X 
 (radmedur - HCL at Cisco)


 Hi Patrick Eisenacher

 I converted this crl to PEM format which worked like charm.
 Is there any
 restriction like CRL's should be in PEM format only?

 Thanks
 Radhakrishna.

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick

 Hi Radhakrishna,

 -Original Message-
  From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 
  I am not able to load the crl in text format and I am getting
  following error while issuing following command openssl crl -in
 abcd.crl -text
 
  unable to load CRL
  28950:error:0906D06C:PEM routines:PEM_read_bio:no start
  line:pem_lib.c:642:Expecting: X509 CRL
 
  Any idea what could be issue?

 that means that abcd.crl has no proper PEM-encoding (base64
 plus header
 and footer). The error messages states that openssl can't find the
 header. For more info about the header and footer, see
 http://www.openssl.org/docs/apps/crl.html#NOTES

 HTH,
 Patrick Eisenacher


RE: Unable to load CRL

2009-12-11 Thread Eisenacher, Patrick
Hi Radhakrishna,

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna Meduri -X 
 (radmedur - HCL at Cisco)

 Hi Patrick Eisenacher

 I converted this crl to PEM format which worked like charm.
 Is there any
 restriction like CRL's should be in PEM format only?

nope, as always you can feed it in either PEM- or DER-encoded. PEM is openssl's 
default format. If your CRL is in DER-encoded (binary) format, you need to add 
-inform DER to openssl's crl command.

Did you read the command options on the link below?

HTH,
Patrick Eisenacher

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick

 Hi Radhakrishna,

 -Original Message-
  From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 
  I am not able to load the crl in text format and I am getting
  following error while issuing following command openssl crl -in
 abcd.crl -text
 
  unable to load CRL
  28950:error:0906D06C:PEM routines:PEM_read_bio:no start
  line:pem_lib.c:642:Expecting: X509 CRL
 
  Any idea what could be issue?

 that means that abcd.crl has no proper PEM-encoding (base64
 plus header
 and footer). The error messages states that openssl can't find the
 header. For more info about the header and footer, see
 http://www.openssl.org/docs/apps/crl.html#NOTES


RE: Unable to load CRL

2009-12-11 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)

Thanks for your support. Yes I have read it already. I am able to read
crl file with switch -inform DER but my application is failing to read
it while loading CRL from gui. I am trying to find out the issue. My
application was using API's to read CRL's.

Thanks
Radhakrishna.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
Patrick
Sent: Friday, December 11, 2009 5:37 PM
To: 'openssl-users@openssl.org'
Subject: RE: Unable to load CRL

Hi Radhakrishna,

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna Meduri

 -X (radmedur - HCL at Cisco)

 Hi Patrick Eisenacher

 I converted this crl to PEM format which worked like charm.
 Is there any
 restriction like CRL's should be in PEM format only?

nope, as always you can feed it in either PEM- or DER-encoded. PEM is
openssl's default format. If your CRL is in DER-encoded (binary) format,
you need to add -inform DER to openssl's crl command.

Did you read the command options on the link below?

HTH,
Patrick Eisenacher

 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick

 Hi Radhakrishna,

 -Original Message-
  From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 
  I am not able to load the crl in text format and I am getting 
  following error while issuing following command openssl crl -in
 abcd.crl -text
 
  unable to load CRL
  28950:error:0906D06C:PEM routines:PEM_read_bio:no start
  line:pem_lib.c:642:Expecting: X509 CRL
 
  Any idea what could be issue?

 that means that abcd.crl has no proper PEM-encoding (base64 plus 
 header and footer). The error messages states that openssl can't find 
 the header. For more info about the header and footer, see 
 http://www.openssl.org/docs/apps/crl.html#NOTES


Re: Unable to load CRL

2009-12-11 Thread Patrick Patterson
Hi Rahhakrishna:

Sounds like you are using PEM_read_crl(), or some such, to read in your
CRL. Since the CRL is actually in DER format, you should probably read
the file in, and then use the Openssl d2i_X509_CRL (look up the man page
- there's even a form of that function that allows you to read the DER
encoded CRL function directly from a file) functions instead.

(of course, your application should probably detect which type of file
it is looking at, and then do the right thing.)

Since it looks like you're building applications to support the 787, you
may want to also take a look at the ATA Spec42 guidance on building PKI
applications in the air transport industry.

Best Regards,

Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca



Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
 Thanks for your support. Yes I have read it already. I am able to read
 crl file with switch -inform DER but my application is failing to read
 it while loading CRL from gui. I am trying to find out the issue. My
 application was using API's to read CRL's.
 
 Thanks
 Radhakrishna.
 
 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
 Patrick
 Sent: Friday, December 11, 2009 5:37 PM
 To: 'openssl-users@openssl.org'
 Subject: RE: Unable to load CRL
 
 Hi Radhakrishna,
 
 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna Meduri
 
 -X (radmedur - HCL at Cisco)

 Hi Patrick Eisenacher

 I converted this crl to PEM format which worked like charm.
 Is there any
 restriction like CRL's should be in PEM format only?
 
 nope, as always you can feed it in either PEM- or DER-encoded. PEM is
 openssl's default format. If your CRL is in DER-encoded (binary) format,
 you need to add -inform DER to openssl's crl command.
 
 Did you read the command options on the link below?
 
 HTH,
 Patrick Eisenacher
 
 -Original Message-
 From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick

 Hi Radhakrishna,

 -Original Message-
 From: owner-openssl-users On Behalf Of Radha krishna Meduri -X

 I am not able to load the crl in text format and I am getting 
 following error while issuing following command openssl crl -in
 abcd.crl -text
 unable to load CRL
 28950:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL

 Any idea what could be issue?
 that means that abcd.crl has no proper PEM-encoding (base64 plus 
 header and footer). The error messages states that openssl can't find 
 the header. For more info about the header and footer, see 
 http://www.openssl.org/docs/apps/crl.html#NOTES

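The format detection Patrick Patterson recommends, and the text-mode damage Stephen Henson asks about, can be shown without linking OpenSSL; this is an added example, not code from the thread. The function names, the enum and the sample bytes are constructed for illustration, and the text-mode model assumes the Windows C runtime behaviour (CR LF collapsed to LF, 0x1A treated as end of file).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CRL_ENC_PEM,           /* hand the file to PEM_read_X509_CRL() */
    CRL_ENC_DER,           /* hand the file to d2i_X509_CRL_fp() */
    CRL_ENC_DER_TRUNCATED, /* DER header, but fewer bytes than it declares */
    CRL_ENC_UNKNOWN
} crl_encoding;

/* Constructed samples: framing only, not real CRLs. */
static const unsigned char SAMPLE_DER[] = {
    0x30, 0x08,             /* SEQUENCE, 8 content bytes */
    0x02, 0x01, 0x01,       /* INTEGER 1 */
    0x0D, 0x0A,             /* bytes that look like CR LF */
    0x04, 0x01, 0x1A        /* OCTET STRING holding 0x1A (Ctrl-Z) */
};
static const char SAMPLE_PEM[] =
    "-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQ=\n-----END X509 CRL-----\n";

/* Parse the outer DER SEQUENCE header; on success store header+content size. */
static int der_outer_len(const unsigned char *buf, size_t len, size_t *total)
{
    size_t n, i, content = 0;

    if (len < 2 || buf[0] != 0x30)        /* 0x30 = constructed SEQUENCE */
        return 0;
    if (buf[1] < 0x80) {                  /* short form: one length byte */
        *total = 2 + (size_t)buf[1];
        return 1;
    }
    n = buf[1] & 0x7F;                    /* long form: n length bytes follow */
    if (n == 0 || n > 4 || len < 2 + n)   /* 0x80 (indefinite) is not DER */
        return 0;
    for (i = 0; i < n; i++)
        content = (content << 8) | buf[2 + i];
    if (content > (size_t)-1 - 6)         /* guard the addition below */
        return 0;
    *total = 2 + n + content;
    return 1;
}

/* Byte-wise substring search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle), i;

    for (i = 0; nlen <= hlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Decide which loader the bytes belong to before calling either one. */
crl_encoding classify_crl(const unsigned char *buf, size_t len)
{
    size_t total;

    if (contains(buf, len, "-----BEGIN X509 CRL-----"))
        return CRL_ENC_PEM;
    if (der_outer_len(buf, len, &total))
        return len >= total ? CRL_ENC_DER : CRL_ENC_DER_TRUNCATED;
    return CRL_ENC_UNKNOWN;
}

/* Model of a text-mode read: CR LF collapses to LF, 0x1A ends the input. */
size_t text_mode_read(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t i, o = 0;

    for (i = 0; i < len; i++) {
        if (in[i] == 0x1A)
            break;
        if (in[i] == 0x0D && i + 1 < len && in[i + 1] == 0x0A)
            continue;
        out[o++] = in[i];
    }
    return o;
}

int main(void)
{
    static const char *names[] = { "PEM", "DER", "DER (truncated)", "unknown" };
    unsigned char mangled[sizeof SAMPLE_DER];
    size_t n = text_mode_read(SAMPLE_DER, sizeof SAMPLE_DER, mangled);

    printf("PEM sample:            %s\n",
           names[classify_crl((const unsigned char *)SAMPLE_PEM,
                              sizeof SAMPLE_PEM - 1)]);
    printf("DER sample, binary:    %s\n",
           names[classify_crl(SAMPLE_DER, sizeof SAMPLE_DER)]);
    printf("DER sample, text mode: %s (%lu of %lu bytes)\n",
           names[classify_crl(mangled, n)],
           (unsigned long)n, (unsigned long)sizeof SAMPLE_DER);
    return 0;
}
```

A truncated result on a file that `openssl crl -inform DER` reads correctly points at how the application opened or transferred the file rather than at the CRL itself.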

Unable to load CRL

2009-12-08 Thread Radha krishna Meduri -X (radmedur - HCL at Cisco)
Hello
 
I am not able to load the crl in text format and I am getting following
error while issuing following command openssl crl -in abcd.crl -text
 
unable to load CRL
28950:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:642:Expecting: X509 CRL
 
Any idea what could be issue?
 
Thanks
Radhakrishna.
 
 


RE: Unable to load CRL

2009-12-08 Thread Eisenacher, Patrick
Hi Radhakrishna,

-Original Message-
 From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
 Sent: Tuesday, December 08, 2009 12:29 PM
 To: openssl-users@openssl.org
 Subject: Unable to load CRL

 I am not able to load the crl in text format and I am getting following error
 while issuing following command openssl crl -in abcd.crl -text

 unable to load CRL
 28950:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pem_lib.c:642:Expecting: X509 CRL

 Any idea what could be issue?

that means that abcd.crl has no proper PEM-encoding (base64 plus header and 
footer). The error message states that openssl can't find the header. For more 
info about the header and footer, see 
http://www.openssl.org/docs/apps/crl.html#NOTES

HTH,
Patrick Eisenacher


digest verification failing due to unable to load key file

2008-09-20 Thread Guy Helmer
I have converted a Microsoft code signing key obtained from Thawte into 
a PKCS12 file, and then converted to a pair of PEM files, one with the 
private key and the other without, like this:


openssl pkcs12 -chain -in palisadesys.pfx -out palisadesys.pem
openssl pkcs12 -chain -in palisadesys.pfx -nokeys -out 
palisadesys-publiconly.pem


Then I have signed a file like this:

openssl dgst -sha1 -sign palisadesys.pem -out file.tar.gz.sha1 file.tar.gz

But when I validate the signature:

openssl dgst -sha1 -verify palisadesys-publiconly.pem -signature 
file.tar.gz.sha1 file.tar.gz


results in the message unable to load key file.  All three files 
(palisadesys-publiconly.pem, file.tar.gz.sha1, and file.tar.gz) are 
readable.


Thanks for any help,
Guy Helmer

--
Guy Helmer, Ph.D.
Chief System Architect
Palisade Systems, Inc.


Re: Unable to load certificate!!

2008-09-09 Thread Kyle Hamilton
On Mon, Sep 8, 2008 at 10:31 PM, Shivakumar Balur
[EMAIL PROTECTED] wrote:
 openssl x509 -in req.der -noout -text

 got error:

 unable to load certificate

 29221:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pedm_lib.c:647:Expecting: TRUSTED CERTIFICATE

openssl x509 -inform DER -in req.der -noout -text

It's expecting a PEM header, but your file is in DER.

-Kyle H


Re: Unable to load certificate!!

2008-09-09 Thread Patrick Patterson
Kyle Hamilton wrote:
 On Mon, Sep 8, 2008 at 10:31 PM, Shivakumar Balur
 [EMAIL PROTECTED] wrote:
 openssl x509 -in req.der -noout -text

 got error:

 unable to load certificate

 29221:error:0906D06C:PEM routines:PEM_read_bio:no start
 line:pedm_lib.c:647:Expecting: TRUSTED CERTIFICATE
 
 openssl x509 -inform DER -in req.der -noout -text
 
 It's expecting a PEM header, but your file is in DER.
 
Worse than that, it is expecting an X.509 certificate, and is being told
to look at an OCSP Request.

If you want to view the request, you should do something like:

openssl ocsp -in req.der -text

Have fun.

Patrick.


Unable to load certificate!!

2008-09-08 Thread Shivakumar Balur
Hi All,

I created two certificates, mycert.pem and newcert.pem, providing some
information, using the commands:

openssl req \
-x509 -nodes -days 365 \
-newkey rsa:1024 -keyout mycert.pem -out mycert.pem

openssl req \
-x509 -nodes -days 365 \
-newkey rsa:1024 -keyout newcert.pem -out newcert.pem



and created OCSP request using:

openssl ocsp -issuer mycert.pem -cert newcert.pem -reqout req.der

tried to view the created request which is written in req.der using: 

openssl x509 -in req.der -noout -text

got error:

unable to load certificate

29221:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pedm_lib.c:647:Expecting: TRUSTED CERTIFICATE



please let me know the reason and solution for above mentioned error.





Shivakumar Balur
Samsung India Software Operations
Bhagmane Tech Park
C V Raman nagar, Bangalore


Unable to load config info from

2008-09-02 Thread Tan, Liao
Folks,
 I know this is a well-known issue, but I still didn't find a solution.
 When generating the key pair certificates, running the command
(openssl req -new -key mydomain.com.key -out mydomain.com.csr), I received an
error message as follows:

Unable to load config info from 
/var/empty/extlib/tmp/static/openssl-0.9.8d/ssl/openssl.cnf

so far I found that I need to check the open ssl documentation, which is not 
helpful.

It's HP-UX, APACHE WEBSERVER.

Any hints, please? Just waiting for the solution to submit.

thank you.

Ingrid Liao
Citi Markets  Banking | CMB Technology
Brazil Technology Solutions Center | Business Intelligence, Database  Support 
Services
Tel. +55-11-3741-6274 
Fax. +55-11-3741-6285
Email: [EMAIL PROTECTED]






Re: Unable to load config info from

2008-09-02 Thread A . L . M . Buxey
Hi,
> Folks,
>  I know this is a well-known issue, but I still didn't find a solution.
>  When generating the key pair certificates, running the command
> (openssl req -new -key mydomain.com.key -out mydomain.com.csr), I received an
> error message as follows:
>
> Unable to load config info from
> /var/empty/extlib/tmp/static/openssl-0.9.8d/ssl/openssl.cnf

When your openssl was compiled, this directory was the chosen
'home' for OpenSSL; it's therefore looking there for the
openssl.cnf file - which contains a load of preconfigured
variables etc. - you can simply grab the example .cnf file
supplied with openssl, or find the example one on your system,
and put it into place.

alan


x509 bug? unable to load certificate

2008-07-10 Thread Frank J. Iannarilli

Hi,


I tried using both the Win32 v0.9.8g and v0.9.8h (along with Shining 
Light's Visual C++ 2008 Redistributable install) binaries, to no avail.


Here's the problem:

  openssl x509 -inform DER -in smime.p7s -text


unable to load certificate
1036:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294:
1036:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_CINF
1036:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=cert_info, Type=X509


This failure occurs for all 3 .p7s (detached signature) files I've tried, 2 
issued by the US Government, and 1 by Verisign.


On the other hand, the following works for all 3 files:
 openssl pkcs7 -print_certs -inform DER -in smime.p7s -text

A bug in x509 or something else?  Any workarounds?  My intent is to use 
x509 to reformat one of the certs/pkcs7, so that an email program can 
better ingest it.


Regards,



Frank J. Iannarilli   [EMAIL PROTECTED]
Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA
www.aerodyne.com/cosr/cosr.html


Re: x509 bug? unable to load certificate

2008-07-10 Thread Thomas J. Hruska

Frank J. Iannarilli wrote:

> Hi,
>
> I tried using both the Win32 v0.9.8g and v0.9.8h (along with Shining
> Light's Visual C++ 2008 Redistributable install) binaries, to no avail.
>
> Here's the problem:
>
>   openssl x509 -inform DER -in smime.p7s -text
>
> unable to load certificate
> 1036:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294:
> 1036:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_CINF
> 1036:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=cert_info, Type=X509
>
> This failure occurs for all 3 .p7s (detached signature) files I've
> tried, 2 issued by the US Government, and 1 by Verisign.
>
> On the other hand, the following works for all 3 files:
>  openssl pkcs7 -print_certs -inform DER -in smime.p7s -text
>
> A bug in x509 or something else?  Any workarounds?  My intent is to use
> x509 to reformat one of the certs/pkcs7, so that an email program can
> better ingest it.
>
> Regards,
>
> Frank J. Iannarilli   [EMAIL PROTECTED]
> Aerodyne Research, Inc., 45 Manning Road, Billerica, MA 01821 USA
> www.aerodyne.com/cosr/cosr.html


Your problem appears to be that you are attempting to use PKCS#7 S/MIME 
signed _signatures_ as DER _certificates_.  Two very different file 
formats, which is what the ASN.1 routines are complaining about.  In 
other words, you are using OpenSSL incorrectly.  It has nothing to do 
with what version you have installed.  What the correct command line is, 
I have no idea - I don't fiddle with S/MIME.



Side note:  The VC++ 2008 Redistributable installer is _Microsoft_'s.  I 
don't see how you could mistake the name Microsoft for Shining Light 
Productions - it is plastered all over their website.  I merely provide 
a link to the _Microsoft_ website that has the download for the 
_Microsoft_ VC++ 2008 Redistributable installer for the sake of 
convenience (and to head off the deluge of complaints from clueless 
souls about OpenSSL not working).


Separating the VC++ redistributable from the main installer is beginning 
to look like a bad idea...  People apparently don't bother reading or 
understanding (or some combination of both).


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
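
Both this thread and the req.der thread above fail because the file's encoding or object type does not match what the subcommand expects. The following is an added example, not part of the original posts: `pki_triage`, `pem_subcommand` and the sample byte strings are constructed for illustration, and the script uses only POSIX tools to read PEM labels and the first DER bytes.

```shell
#!/bin/sh
# Added example: work out which encoding and which openssl subcommand a file
# calls for before handing it to a parser that will reject it.

# Map a PEM label to the subcommand that parses that object type.
pem_subcommand() {
    case $1 in
        CERTIFICATE|"TRUSTED CERTIFICATE"|"X509 CERTIFICATE") echo x509 ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")      echo req ;;
        PKCS7)                                                echo pkcs7 ;;
        "X509 CRL")                                           echo crl ;;
        *"PRIVATE KEY")                                       echo pkey ;;
        "PUBLIC KEY")                                         echo "pkey -pubin" ;;
        *)                                                    echo unknown ;;
    esac
}

# Print one line per object found in FILE: "<encoding> <type> -> <subcommand>".
pki_triage() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 1; }

    # PEM is self-describing: every block names its type in the BEGIN line.
    if grep -q '^-----BEGIN .*-----' "$file"; then
        sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$file" |
        while IFS= read -r label; do
            echo "PEM $label -> $(pem_subcommand "$label")"
        done
        return 0
    fi

    # DER carries no label. Read the outer SEQUENCE header and look at the
    # first element inside it; its tag already separates a PKCS#7 ContentInfo
    # (starts with an OID) from certificate-like structures (start with a
    # nested SEQUENCE).
    set -- $(od -An -tx1 -N24 "$file")
    [ "${1:-}" = 30 ] && [ "$#" -ge 2 ] || { echo "unknown"; return 1; }
    len=$((0x$2))
    skip=2                                          # tag + short-form length
    [ "$len" -gt 128 ] && skip=$((2 + len - 128))   # long form: extra length bytes
    [ "$#" -gt "$skip" ] || { echo "unknown"; return 1; }
    shift "$skip"

    case "$*" in
        "06 09 2a 86 48 86 f7 0d 01 07 "*)          # OID 1.2.840.113549.1.7.x
            echo "DER PKCS7 -> pkcs7" ;;
        30*)  # certificate, CSR, CRL and OCSP request all begin this way
            echo "DER SEQUENCE -> x509, req, crl or ocsp (header alone cannot tell)" ;;
        *)
            echo "DER other (first inner tag $1) -> unknown" ;;
    esac
}

# Constructed samples: only the leading bytes of each structure, no real data.
sample_der_pkcs7() { printf '\060\202\010\356\006\011\052\206\110\206\367\015\001\007\002'; }
sample_der_cert()  { printf '\060\202\002\113\060\202\001\264\240\003\002\001\002'; }
```

For a DER file reported as `SEQUENCE`, the header alone does not say whether it is a certificate or a request, so the subcommand has to match the tool that produced the file.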




unable to load Private Key

2008-06-12 Thread Daniela Gutierrez
Hi there, I'm trying to create a self-signed certificate but I'm
having some troubles, the error I keep getting is:

mymachine# openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Error opening Private Key privkey.pem
19996:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('privkey.pem','r')
19996:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key

I'm kinda new with this certificates and openssl thing but I've never
had this error before,
I hope someone could help me
Thanks

(sorry for my poor english)
-- 
Daniela


RE: unable to load Private Key

2008-06-12 Thread Bill Colvin
As the error message says, you are getting this because the private key
file (privkey.pem) does not exist (No such file).

If you want to use this form of the command you must first generate the
private key file.

If you want to do it all at once then a slightly different form of the
command is required (I will assume you want an RSA key - changes are
required for DSA or ECC):

openssl req -newkey rsa:2048 -keyout privkey.pem -out cacert.pem -x509 -new -days 1095

This will result in something that looks like this:

Generating a 2048 bit RSA private key
+++
..+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:



Regards
Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniela Gutierrez
Sent: June 12, 2008 6:13 PM
To: openssl-users@openssl.org
Subject: unable to load Private Key

Hi there, I'm trying to create a self-signed certificate but I'm
having some troubles, the error I keep getting is:

mymachine# openssl req -new -x509 -key privkey.pem -out cacert.pem -days
1095
Error opening Private Key privkey.pem
19996:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('privkey.pem','r')
19996:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key

I'm kinda new with this certificates and openssl thing but I've never
had this error before,
I hope someone could help me
Thanks

(sorry for my poor english)
-- 
Daniela


Unable to load private key error

2008-03-28 Thread BARRY KUMRO
 Hello,  perhaps you can advise me on this?
 
I ran openssl req -new -out certreq.arm -keyout QMNGRXXX.pem -config 
/usr/xxx/xxx/ssl/openssl.cnf
 
I then typed and retyped the pass phrase.  And recorded it for future use.
 
This created a QMNGRXXX.pem and a certreq.arm
 
I sent the certreq.arm to the CA and received a site certificate back.
 
I then concatenated the site certificate,QMNGR private key and the CA 
certificate  in just that order to create a cert.pem
 
I then attempted to create the pass phrase stash file by running: openssl 
pkcs12 -export -in cert.pem -out cert.p12 -passin pass:xx -passout  
pass:xx
   
However I receive the error unable to load private key  both the cert.p12  
and stash.sth are created. However cert.p12 is empty. 
 
Question:  Is this a bug or random error, and can I ignore it?
 
Question: Is it possible the pass phrase I created while creating the 
certreq.arm is corrupted or incorrect? 
 
Question: Could I recreate the Private key then re-concatenate the existing 
site certificate with the private key and CA certificate thus creating a new 
pass phrase?  Or would I need to resubmit the new cert.arm to the CA?
 
 
Thanks
Barry
 
 
 





Re: ca server - unable to load CA private key

2007-11-01 Thread Jorge Fernandez
2007/10/30, Frank Garber [EMAIL PROTECTED]:

> Hey all,
>
> I'm very new to security and generating key files. I'm following the
> instructions I've found here: http://www.securityfocus.com/infocus/1677 and
> I'm having trouble generating the private / public key pair and
> certificate.
>
> In step 2 it asks: Enter pass phrase for C:\CA\private\CAkey.pem:. Is it
> looking for a value from a previous step?



Yes. You have to give the passphrase you used to encrypt the private key of
the CA (CAkey.pem), i.e. the one you provided when you did 'ca genca'.

Regards,


-- 
Jorge Fernandez


ca server - unable to load CA private key

2007-10-30 Thread Frank Garber
Hey all,

I'm very new to security and generating key files. I'm following the 
instructions I've found here: http://www.securityfocus.com/infocus/1677 and I'm 
having trouble generating the private / public key pair and certificate.

In step 2 it asks: Enter pass phrase for C:\CA\private\CAkey.pem:. Is it 
looking for a value from a previous step?

Any help would be greatly appreciated,

Frank
~
Here's the values entered and the error message.

C:\Program Files\OpenSSL>ca server

 Simple CA utility
 Written by Artur Maj ([EMAIL PROTECTED])

 Warning!
 The content of the C:\CA\temp\vnc_server directory will be removed.
 Press CTRL-C to break, or ENTER to continue...

 Step 1: Generate the keys and the certificate request


Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++
.++
writing new private key to 'C:\CA\temp\vnc_server\server.key'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Connecticut
Locality Name (eg, city) []:Burlington
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Secure
Organizational Unit Name (eg, section) []:Labs
Common Name (eg, YOUR name) []:Frank
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:walnut
An optional company name []:


 Step 2: Sign the certificate


Using configuration from C:\Progra~1\OpenSSL\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:\CA\private\CAkey.pem:
unable to load CA private key
8544:error:06065064:digital envelope routines:EVP_DecryptFinal:bad 
decrypt:./crypto/evp/evp_enc.c:509:
8544:error:0906A065:PEM routines:PEM_do_header:bad 
decrypt:./crypto/pem/pem_lib.c:423:

C:\Program Files\OpenSSL>



Re: OpenSSL command line error: unable to load client certificate private key file

2006-06-11 Thread deependra baniya
Torsha Banerjee [EMAIL PROTECTED] wrote:
> Is your private key in a separate .pem file? If it is not, first ensure that...
>
> Jeremiah Foster wrote:
>> Hello,
>>
>> I am building an OpenSSL application to process credit cards. I am
>> testing the server implementation with the OpenSSL command line tool
>> like this;
>>
>> $ openssl s_client -connect secure.incab.se/verify/server/click:443 -cert trusted.cer
>>
>> The error I receive is;
>> unable to load client certificate private key file
>> 9613:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
>>
>> I have been unable to find information pertaining to this error message
>> on the OpenSSL site, and Google is somewhat unhelpful since I am running
>> Linux and a lot of the URLs Google serves up pertain to Microsoft
>> products. I am guessing there is something wrong with the private key
>> file, but I also suspect there may be issues on the server as well.
>>
>> Does anyone have a tip?
>>
>> Thanks very much in advance,
>>
>> Jeremiah

OpenSSL command line error: unable to load client certificate private key file

2006-06-05 Thread Jeremiah Foster
Hello,

I am building an OpenSSL application to process credit cards. I am
testing the server implementation with the OpenSSL command line tool
like this;

$ openssl s_client -connect secure.incab.se/verify/server/click:443
-cert trusted.cer

The error I receive is;
unable to load client certificate private key file
9613:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

I have been unable to find information pertaining to this error message
on the OpenSSL site, and Google is somewhat unhelpful since I am running
Linux and a lot of the URLs Google serves up pertain to Microsoft
products. I am guessing there is something wrong with the private key
file, but I also suspect there may be issues on the server as well.

Does anyone have a tip?

Thanks very much in advance,

Jeremiah





Re: OpenSSL command line error: unable to load client certificate private key file

2006-06-05 Thread Marek Marcola
Hello,

> I am building an OpenSSL application to process credit cards. I am
> testing the server implementation with the OpenSSL command line tool
> like this;
>
> $ openssl s_client -connect secure.incab.se/verify/server/click:443
> -cert trusted.cer
>
> The error I receive is;
> unable to load client certificate private key file
> 9613:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

Add -key option.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



Re: OpenSSL command line error: unable to load client certificate private key file

2006-06-05 Thread Dr. Stephen Henson
On Mon, Jun 05, 2006, Jeremiah Foster wrote:

> Hello,
>
> I am building an OpenSSL application to process credit cards. I am
> testing the server implementation with the OpenSSL command line tool
> like this;
>
> $ openssl s_client -connect secure.incab.se/verify/server/click:443
> -cert trusted.cer
>
> The error I receive is;
> unable to load client certificate private key file
> 9613:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
>
> I have been unable to find information pertaining to this error message
> on the OpenSSL site, and Google is somewhat unhelpful since I am running
> Linux and a lot of the URLs Google serves up pertain to Microsoft
> products. I am guessing there is something wrong with the private key
> file, but I also suspect there may be issues on the server as well.
>
> Does anyone have a tip?

If trusted.cer is a client certificate you need to include the private key.

If it is one or more trusted CAs in PEM format (only PEM will do) then you
should use the -CAfile option instead.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: OpenSSL command line error: unable to load client certificate private key file

2006-06-05 Thread Torsha Banerjee
Is your private key in a separate .pem file? If it is not, first ensure
that...


Jeremiah Foster wrote:

Hello,

I am building an OpenSSL application to process credit cards. I am
testing the server implementation with the OpenSSL command line tool
like this;

$ openssl s_client -connect secure.incab.se/verify/server/click:443
-cert trusted.cer

The error I receive is;
unable to load client certificate private key file
9613:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

I have been unable to find information pertaining to this error message
on the OpenSSL site, and Google is somewhat unhelpful since I am running
linux and a lot of the URLs Google serves up pertain to Microsoft
products. I am guessing there is something wrong with the privat key
file, but I also suspect there may be issues on the server as well. 


Does anyone have a tip?

Thank very much in advance,

Jeremiah





unable to load key file solution

2006-02-12 Thread Ricardo Alzaga Chirino



Dear User Support Mailing List openssl-users@openssl.org

In order to be able to fulfill the fiscal legislation in Mexico, I am
developing a system to obtain electronic invoices, but up to here I have
been able to advance without being able to follow ahead. For this reason
I ask for your aid. In the last line of this DOS code, you will see that
the message is "unable to load key file". I do not know why and I cannot
finish the process of verification of the seal. Could you help me to
resolve it?

I appreciate your attention,

Ing. Ricardo Manuel Alzaga Chirino
Mexico City

Files I send:
AAA010101AAA_0408021316S.key
  Private key file in (PKCS#8 format key/DER encoded).
AAA010101AAAsd.cer
  Certificate file in DER encoding.
fact1.xml
  Invoice file in XML format. "sello" field mean digital signing in Base 64 format.
cadena_original.xsl
  An XSL file for transforming fact1.xml and extract the string for digital signing.
sello.xsl
  An XSL file for transforming fact1.xml and extract digital signing field within it.

Working platform:
Microsoft Windows 2000 [Versión 5.00.2195]
OpenSSL 0.9.7e

Rem -
Rem DOS Code
openssl pkcs8 -inform DER -in AAA010101AAA_0408021316S.key -passin pass:Empresa1 -out AAA010101AAA.key.pem
openssl rsa -in conllave.key.pem -des3 -out conllave.key.pem -passout pass:Empresa1

openssl x509 -inform DER -outform PEM -in AAA010101AAAsd.cer -out AAA010101AAA.cer.pem

xsltproc -output co.txt cadena_original.xsl fact1.xml
openssl dgst -md5 -out sellobin -sign conllave.key.pem co.txt
openssl enc -base64 -A -in sellobin -out sello64.txt

xsltproc -output selloxml.txt sello.xsl fact1.xml
openssl enc -base64 -d -A -in selloxml.txt -out sellobin

xsltproc -output coxml.txt cadena_original.xsl fact1.xml
openssl dgst -md5 -verify AAA010101AAA.cer.pem -signature sellobin co.txt
Rem unable to load key file !!! Why?


<?xml version="1.0" encoding="UTF-8"?>
<Comprobante version="1.0" serie="A" folio="1" fecha="2005-09-02T16:30:00" sello="mCMuP1HLjTLGOIA91mDNo8pdJ7fPXF/BZ7R2xsr5sC+6EDF5hfHO1anVq5Ek/Owu5dC3AiYP0ZgeqNrmOuySRgdBl4ZwKUwQ8vQekW9XM4hfRdCs0dg3gXSM+SdVknjvyxV5XI14Y6DGYh448N0m2pri8ZgUVkqoSp9Czbt+/Fw=" noAprobacion="1" noCertificado="1114">
   <Emisor rfc="ISP900909Q88" nombre = "Industrias del Sur Poniente, S.A. de C.V.">
      <DomicilioFiscal calle="Alvaro Obregón" noExterior="37" noInterior="3" colonia="Col. Roma Norte" localidad="México" municipio="Cuauhtémoc" estado="Distrito Federal" pais="México" codigoPostal="06700" />
      <ExpedidoEn calle="Pino Suarez" noExterior="23" colonia="Centro" localidad="Monterrey" municipio="Monterrey" estado="Nuevo Léon" pais="México" codigoPostal="95460" />
   </Emisor>
   <Receptor rfc="CAUR390312S87" nombre="Rosa María Calderón Uriegas">
      <Domicilio calle="Topochico" noExterior="52" colonia="Jardines del Valle" localidad="Monterrey" municipio="Monterrey" estado="Nuevo León" pais="México" codigoPostal="95465" />
   </Receptor>
   <Conceptos>
      <Concepto cantidad="10" unidad="Caja" descripcion="Vasos decorados" valorUnitario="20.00" importe="200.00" />
      <Concepto cantidad="1" unidad="pieza" descripcion="Charola metálica" valorUnitario="150.00" importe="150.00" />
   </Conceptos>
   <Impuestos>
      <Traslados>
         <Traslado impuesto="IVA" importe="52.00" />
      </Traslados>
   </Impuestos>
   <Addenda>
      <Nota CadenaOriginal="||A|1|2005-09-02T16:30:00|1|ISP900909Q88|Industrias del Sur Poniente, S.A. de C.V.|Alvaro Obregón|37|3|Col. Roma Norte|México|Cuauhtémoc|Distrito Federal|México|06700|Pino Suarez|23|Centro|Monterrey|Monterrey|Nuevo Léon|México|95460|CAUR390312S87|Rosa María Calderón Uriegas|Topochico|52|Jardines del Valle|Monterrey|Monterrey|Nuevo León|México|95465|10|Caja|Vasos decorados|20.00|200.00|1|pieza|Charola metálica|150.00|150.00|IVA|52.00||" />
   </Addenda>
</Comprobante>
<xsl:stylesheet version = '1.0'
 xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>

<xsl:output method = "text" />

<xsl:template match="/">
<xsl:apply-templates select="//Comprobante"/>
<xsl:apply-templates select="//Emisor"/>
<xsl:apply-templates select="//DomicilioFiscal"/>
<xsl:apply-templates select="//ExpedidoEn"/>
<xsl:apply-templates select="//Receptor"/>
<xsl:apply-templates select="//Domicilio"/>
<xsl:apply-templates select="//Concepto"/>
<xsl:apply-templates select="//Retencion"/>
<xsl:apply-templates select="//Traslado"/>
<xsl:apply-templates select="//Addenda"/>
</xsl:template>

<xsl:template match="Comprobante">
  <xsl:if test="@serie">||<xsl:value-of select="@serie"/></xsl:if>
  <xsl:if test="@folio">|<xsl:value-of select="@folio"/></xsl:if>
  <xsl:if test="@fecha">|<xsl:value-of select="@fecha"/></xsl:if>
  <xsl:if test="@noAprobacion">|<xsl:value-of select="@noAprobacion"/></xsl:if>
  <xsl:if test="@formaDePago">|<xsl:value-of select="@formaDePago"/></xsl:if>
</xsl:template>

<xsl:template match="Emisor">
  <xsl:if test="@rfc">|<xsl:value-of

RES: cert extract / unable to load PKCS7 object

2005-03-28 Thread Rafael

I'm sorry. Below is the file that I'm using.



Thank you!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Dr. Stephen Henson
Sent: Thursday, March 24, 2005 19:44
To: openssl-users@openssl.org
Subject: Re: cert extract / unable to load PKCS7 object

On Thu, Mar 24, 2005, Rafael wrote:

> Hello all,
>
> I'm trying to get a certificate to sign e-mail in the Thawte website.
>
> After I've get the certificate in the website, I copy/paste and save it in a
> file, but when I do :
>
> % openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
>
> I get the following error:
>
> unable to load PKCS7 object
>
> 11638:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:731:
>
> I'm using this instructions:
>
> http://www.kfu.com/~nsayer/encryption/openssl.html
>
> I've tried all..with and without carriage return at the end, at the
> beginning, with the -BEGIN PKCS7-, with the -* PKCS #7 SIGNED DATA-
>
> but I keep getting the same error.
>
> Someone knows what could this be?

Why don't you post the file otherwise we'd just be guessing?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: RES: cert extract / unable to load PKCS7 object

2005-03-28 Thread Nils Larsch
Rafael wrote:
> I'm sorry. Below is the file that I'm using.
> -BEGIN PKCS7-
> MIII7gYJKoZIhvcNAQcCoIII3zCCCNsCAQExADALBgkqhkiG9w0BBwGgggjDMIIC
> SzCCAbSgAwIB
> AgIDDldsMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU
> wIwYDVQQKExxUaGF3dGUgQ29u
> c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEy
...

openssl doesn't like this shredded pem format. Format it
correctly (or let openssl do it) then it should work

Nils
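
One way to do the reformatting described above, as an added example that is not part of the original post: `pem_rewrap` and `sample_shredded_pem` are hypothetical names, the sample body is constructed filler rather than a real PKCS#7 object, and the sample uses the standard five-dash PEM boundary lines.

```shell
#!/bin/sh
# Added example: re-wrap a PEM block whose base64 body was broken into
# irregular lines by copy/paste, so that every body line except the last
# holds exactly 64 characters.

# pem_rewrap FILE: print the first PEM block of FILE, re-wrapped.
# Returns 1 and prints nothing when there is no complete BEGIN/END pair with
# matching labels, or when the body is not clean base64 (a truncated paste,
# or a block carrying header lines such as an encrypted traditional key).
pem_rewrap() {
    awk '
        # Trim indentation, trailing blanks and carriage returns from a paste.
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }

        state == 0 && /^-----BEGIN .+-----$/ {
            begin = $0
            label = substr($0, 12, length($0) - 16)
            state = 1
            next
        }
        state == 1 && /^-----END .+-----$/ {
            end = $0
            state = (substr($0, 10, length($0) - 14) == label) ? 2 : 3
            exit
        }
        # Inside the block: drop embedded blanks and join everything.
        state == 1 { gsub(/[ \t\r]/, ""); body = body $0 }

        END {
            if (state != 2) exit 1
            if (body !~ "^[A-Za-z0-9+/]+=?=?$" || length(body) % 4 != 0) exit 1
            print begin
            for (i = 1; i <= length(body); i += 64) print substr(body, i, 64)
            print end
        }
    ' "$1"
}

# Constructed sample: 160 base64 characters cut into uneven lines with blank
# lines and a trailing space, similar in shape to a pasted web-form download.
sample_shredded_pem() {
    awk 'BEGIN {
        for (i = 0; i < 40; i++) b = b "QUJD"
        print "-----BEGIN PKCS7-----"
        print ""
        print substr(b, 1, 64)
        print substr(b, 65, 12)
        print substr(b, 77, 51) " "
        print substr(b, 128, 25)
        print ""
        print substr(b, 153, 8)
        print "-----END PKCS7-----"
    }'
}
```

Typical use is `pem_rewrap pasted.pem > fixed.pem`, after which `fixed.pem` is what gets passed to the parsing command.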


RES: RES: cert extract / unable to load PKCS7 object

2005-03-28 Thread Rafael
Thank you!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On behalf of Nils Larsch
Sent: Monday, March 28, 2005 12:29
To: openssl-users@openssl.org
Subject: Re: RES: cert extract / unable to load PKCS7 object

Rafael wrote:
> I'm sorry. Below is the file that I'm using.
>
> -BEGIN PKCS7-
>
> MIII7gYJKoZIhvcNAQcCoIII3zCCCNsCAQExADALBgkqhkiG9w0BBwGgggjDMIIC
> SzCCAbSgAwIB
> AgIDDldsMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU
> wIwYDVQQKExxUaGF3dGUgQ29u
> c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEy
...

openssl doesn't like this shredded pem format. Format it
correctly (or let openssl do it) then it should work

Nils


cert extract / unable to load PKCS7 object

2005-03-24 Thread Rafael








Hello all,

I'm trying to get a certificate to sign e-mail in the Thawte website.

After I've got the certificate in the website, I copy/paste and save it in a file, but when I do:

% openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs

I get the following error:

unable to load PKCS7 object

11638:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:731:

I'm using these instructions:

http://www.kfu.com/~nsayer/encryption/openssl.html

I've tried all... with and without carriage return at the end, at the beginning, with the -BEGIN PKCS7-, with the -* PKCS #7 SIGNED DATA-

but I keep getting the same error.

Does anyone know what this could be?

Thank you!








Re: cert extract / unable to load PKCS7 object

2005-03-24 Thread Dr. Stephen Henson
On Thu, Mar 24, 2005, Rafael wrote:

 Hello all,
 
  
 
 I'm trying to get a certificate to sign e-mail in the Thawte website.
 
 After I've got the certificate in the website, I copy/paste and save it in a
 file, but when I do:
 
  
 
 % openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs
 
  
 
 I get the following error:
 
 unable to load PKCS7 object
 
 11638:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:731:
 
  
 
 I'm using this instructions: 
 
 http://www.kfu.com/~nsayer/encryption/openssl.html
 
  
 
 I've tried all..with and without carriage return at the end, at the
 beginning, 
 with the -BEGIN PKCS7-, with the -* PKCS #7 SIGNED DATA-
 
  but I keep getting the same error.
 
  
 
 Someone knows what could this be?
 
  

Why don't you post the file, otherwise we'd just be guessing?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


A problem with the installation (Unable to load private key)

2004-09-05 Thread Nabil Azahaf
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out
/etc/httpd/conf/ssl.csr/server.csr
unable to load Private Key
14854:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
make: *** [/etc/httpd/conf/ssl.csr/server.csr] Error 1

^^ This happens when I'm giving the command: make certreq in the
directory: /usr/share/ssl/certs using Redhat 9 Shrike as operating
system, I have generated a key which is located at
/etc/httpd/conf/ssl.key/server.key.

Can anyone help me with this problem, I never worked with OpenSSL before.

Thanks in advance,
Nabi1


Re: Unable to load private key

2004-06-30 Thread Dr. Stephen Henson
On Tue, Jun 29, 2004, Pierre Sengès wrote:

 Hello
 
 I'm newbie to openSSL. I'm trying to create a pkcs12 file with Win32 OpenSSL 0.97d.
 I've generated a CSR with keytool. I got my cert file generated by a CA and a 
 private key file (generated by keytool).
 The following command :
 
 OpenSSL pkcs12 -export -inkey domain.key -in domain.crt -out domain.pkcs12
 
 make the following error : 
 
 Loading 'screen' into random state - done
 unable to load private key
 error in pkcs12
 
 Most posts i've read about this error talk about 0.96 bug. But i'm in 0.97 ...
 I've not found in openssl.cnf definition of private key location ... but i think it 
 must be in same directory that crt file ? ( {openssl-install-dir}/bin exactly ...)
 
 Can it come from a bad private key format ?
 

Yes, it's probably that the file domain.key isn't in the expected (PEM) format.
If that is the case you should convert it first. I believe keytool may use
PKCS#8 format in binary (DER) format in which case:

openssl pkcs8 -inform DER -nocrypt -in domain.key -out key.pem

should work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
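
Steve's diagnosis in the reply above is that keytool wrote the key as binary (DER) PKCS#8 rather than PEM. The following is an added example, not code from the thread or from the OpenSSL project: a Python check of what encoding a key file actually has before it is handed to `openssl pkcs12`. The classification is a heuristic on the leading bytes, and the function names and the sample key bytes are constructed for the illustration.

```python
import base64
import re

PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)


def der_header(data):
    """Return (header_len, total_len) of the DER TLV at data[0], or None."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2, 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_key_file(data):
    """Guess (encoding, structure) of a key file from its bytes."""
    m = PEM_BEGIN.search(data)
    if m:
        return ("PEM", m.group(1).decode())
    hdr = der_header(data)
    # DER: one SEQUENCE (tag 0x30) whose declared length covers the whole file.
    if data[:1] != b"\x30" or hdr is None or hdr[1] != len(data):
        return ("unknown", None)
    content = data[hdr[0]:]
    if content[:3] == b"\x02\x01\x00":     # INTEGER version 0
        if content[3:4] == b"\x30":        # followed by an AlgorithmIdentifier
            return ("DER", "PKCS#8 PrivateKeyInfo")
        if content[3:4] == b"\x02":        # followed by another INTEGER
            return ("DER", "traditional private key")
    return ("DER", "other structure")


def conversion_command(data, src, dst):
    """Return the pkcs8 command from the reply if the file needs it, else None."""
    if classify_key_file(data) == ("DER", "PKCS#8 PrivateKeyInfo"):
        # -nocrypt: the input is an unencrypted PrivateKeyInfo.
        return ["openssl", "pkcs8", "-inform", "DER", "-nocrypt",
                "-in", src, "-out", dst]
    return None


# Constructed sample, not a real key: PKCS#8 framing (version 0 and an
# rsaEncryption AlgorithmIdentifier) around 16 dummy bytes.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
INNER = b"\x02\x01\x00" + RSA_ALG_ID + b"\x04\x10" + bytes(16)
SAMPLE_PKCS8_DER = b"\x30" + bytes([len(INNER)]) + INNER
SAMPLE_PEM = (b"-----BEGIN PRIVATE KEY-----\n"
              + base64.encodebytes(SAMPLE_PKCS8_DER)
              + b"-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_PKCS8_DER), ("pem", SAMPLE_PEM)):
        print(name, classify_key_file(blob),
              conversion_command(blob, "domain.key", "key.pem"))
```

A truncated DER file is reported as unknown because the declared SEQUENCE length no longer matches the file size.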


Unable to load private key

2004-06-29 Thread Pierre Sengès




Hello

I'm newbie to openSSL. I'm trying to create a pkcs12 file with Win32 OpenSSL 0.97d.
I've generated a CSR with keytool. I got my cert file generated by a CA and a private key file (generated by keytool).
The following command :

OpenSSL pkcs12 -export -inkey domain.key -in domain.crt -out domain.pkcs12

make the following error : 

Loading 'screen' into random state - done
unable to load private key
error in pkcs12

Most posts i've read about this error talk about 0.96 bug. But i'm in 0.97 ...
I've not found in openssl.cnf definition of private key location ... but i think it must be in same directory that crt file ? ( {openssl-install-dir}/bin exactly ...)

Can it come from a bad private key format ?

Thanks for your help ...

Pierre



Re: unable to load certificate: Expecting: TRUSTED CERTIFICATE

2004-02-06 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Tue, 3 Feb 2004 14:18:45 +0100 , Kohler Benjamin 
[EMAIL PROTECTED] said:

Benjamin.Kohler Hi,
Benjamin.Kohler I have problems with sign a certificate. 
Benjamin.Kohler 
Benjamin.Kohler I do it with the following command:
Benjamin.Kohler openssl ca -name CA_default -config openssl.cnf -keyfile private/cakey.pem
Benjamin.Kohler -in newrequests/fooreq.pem -out foocert.pem -outdir newcerts/
Benjamin.Kohler Using configuration from openssl.cnf
Benjamin.Kohler Enter pass phrase for private/cakey.pem:
Benjamin.Kohler unable to load certificate
Benjamin.Kohler 22158:error:0906D06C:PEM routines:PEM_read_bio:no start
Benjamin.Kohler line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
Benjamin.Kohler 
Benjamin.Kohler I don't understand what the problem is, I found nothing in the ml archive and
Benjamin.Kohler in google. 
Benjamin.Kohler My openssl.cnf is mostly default (only default_bits is 2048 and default_days
Benjamin.Kohler is 7300). 

You probably need to add the command option '-cert cacert.pem'.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.


Unable to load config info

2003-12-09 Thread Sivasakthi (sakthi)
Dear SSL Community/Dattesh,

I've downloaded the Apache SSL from the link recommended by Dattesh from a
prior mail thread.

Whilst configuring the ssl.conf, i decided to use a key and cert that i
generated for my apache ssl in linux environment. however for win32, pass
phrase is not recommended for use based on the error i received when i
configured SSLPassPhraseDialog builtin : Init: SSLPassPhraseDialog builtin
is not supported on Win32 (xx.key). Hence i decided to generate a key
and csr to make it to work. That failed as well:-
Generating the key i did openssl genrsa -out tst.key 1024, was ok
However when i tried generating CSR openssl req -new -key tst.key -out
tst.csr, i received the following error:-

Unable to load config info
unable to find 'distinguished_name' in config
problems making Certificate Request
2184:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or
environment variable:.\crypto\conf\conf_lib.c:325:
error in req


could any of you help me out here. i'm not sure what can i do.

.sakthi



Re: Unable to load config info

2003-12-09 Thread Sivasakthi (sakthi)
kindly ignore this email as the problem has been resolved. sorry for any
inconvenience caused.

.sakthi
- Original Message -
From: Sivasakthi (sakthi) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Dattesh Lotlikar [EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 12:28 PM
Subject: Unable to load config info


Dear SSL Community/Dattesh,

I've downloaded the Apache SSL from the link recommended by Dattesh from a
prior mail thread.

Whilst configuring the ssl.conf, i decided to use a key and cert that i
generated for my apache ssl in linux environment. however for win32, pass
phrase is not recommended for use based on the error i received when i
configured SSLPassPhraseDialog builtin : Init: SSLPassPhraseDialog builtin
is not supported on Win32 (xx.key). Hence i decided to generate a key
and csr to make it to work. That failed as well:-
Generating the key i did openssl genrsa -out tst.key 1024, was ok
However when i tried generating CSR openssl req -new -key tst.key -out
tst.csr, i received the following error:-

Unable to load config info
unable to find 'distinguished_name' in config
problems making Certificate Request
2184:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or
environment variable:.\crypto\conf\conf_lib.c:325:
error in req


could any of you help me out here. i'm not sure what can i do.

.sakthi



Re: cert extract / unable to load PKCS7 object

2003-08-21 Thread Pierre-Philipp Braun
Quoting Dr. Stephen Henson (Aug 21, 2003 02:06 +0200),

 On Thu, Aug 21, 2003, Pierre-Philipp Braun wrote:

  Hi all,
  i'm trying to make a certificate for use with S/MIME into Pine.
  But when i type,
 
  /usr/pkg/bin/openssl pkcs7 -in pk7 -print_certs -out cert
 
  i get,
 
  unable to load PKCS7 object
  9966:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:762:
 
  whereas i did like explained there:
  https://www.tbs-internet.com/ssl/cert-smime-signe-unix.html
  with the -* PKCS7- formatted 'pk7' file.
  BTW i get the same error msg with -* PKCS #7 SIGNED DATA- format.
 
  FYI, I'm using openssl-0.9.6gnb2 package on NetBSD.
 
  Any advice to get around this would be appreciated.
  Thanks in advance

 The line before the base64 encoded data should be:

 -----BEGIN PKCS7-----

 and the line after the base64 encoded stuff:

 -----END PKCS7-----

 make sure this is *exactly* what is there, i.e. make sure there are 5 -'s in
 there. That error message means it doesn't like the end line.

 This is assuming what you've got is base64 encoded data if it looks like
 binary then add the -inform DER switch to the command.


indeed I was aware of that. The 'pk7' file here looks like

-BEGIN PKCS7-
(...)
B0aGF3fGUuY29tMB4X
(...)
-END PKCS7-

Tried with joe and vi, with and without carriage return at the end, no
changes, the (irrelevant) error msg is still there.

-- 
Pierre-Philipp


Re: cert extract / unable to load PKCS7 object

2003-08-21 Thread Dr. Stephen Henson
On Thu, Aug 21, 2003, Pierre-Philipp Braun wrote:

 Quoting Dr. Stephen Henson (Aug 21, 2003 02:06 +0200),
 
  On Thu, Aug 21, 2003, Pierre-Philipp Braun wrote:
 
   Hi all,
   i'm trying to make a certificate for use with S/MIME into Pine.
   But when i type,
  
   /usr/pkg/bin/openssl pkcs7 -in pk7 -print_certs -out cert
  
   i get,
  
   unable to load PKCS7 object
   9966:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:762:
  
   whereas i did like explained there:
   https://www.tbs-internet.com/ssl/cert-smime-signe-unix.html
   with the -* PKCS7- formatted 'pk7' file.
   BTW i get the same error msg with -* PKCS #7 SIGNED DATA- format.
  
   FYI, I'm using openssl-0.9.6gnb2 package on NetBSD.
  
   Any advice to get around this would be appreciated.
   Thanks in advance
 
  The line before the base64 encoded data should be:
 
  -----BEGIN PKCS7-----
 
  and the line after the base64 encoded stuff:
 
  -----END PKCS7-----
 
  make sure this is *exactly* what is there, i.e. make sure there are 5 -'s in
  there. That error message means it doesn't like the end line.
 
  This is assuming what you've got is base64 encoded data if it looks like
  binary then add the -inform DER switch to the command.
 
 
 indeed I was aware of that. The 'pk7' file here looks like
 
 -BEGIN PKCS7-
 (...)
 B0aGF3fGUuY29tMB4X
 (...)
 -END PKCS7-
 
 Tried with joe and vi, with and without carriage return at the end, no
 changes, the (irrelevant) error msg is still there.
 

Can you send me the file and I'll look at it?

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


cert extract / unable to load PKCS7 object

2003-08-20 Thread Pierre-Philipp Braun
Hi all,
i'm trying to make a certificate for use with S/MIME into Pine.
But when i type,

/usr/pkg/bin/openssl pkcs7 -in pk7 -print_certs -out cert

i get,

unable to load PKCS7 object
9966:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:762:

whereas i did like explained there:
https://www.tbs-internet.com/ssl/cert-smime-signe-unix.html
with the -* PKCS7- formatted 'pk7' file.
BTW i get the same error msg with -* PKCS #7 SIGNED DATA- format.

FYI, I'm using openssl-0.9.6gnb2 package on NetBSD.

Any advice to get around this would be appreciated.
Thanks in advance
-- 
Pierre-Philipp


Re: cert extract / unable to load PKCS7 object

2003-08-20 Thread Dr. Stephen Henson
On Thu, Aug 21, 2003, Pierre-Philipp Braun wrote:

 Hi all,
 i'm trying to make a certificate for use with S/MIME into Pine.
 But when i type,
 
 /usr/pkg/bin/openssl pkcs7 -in pk7 -print_certs -out cert
 
 i get,
 
 unable to load PKCS7 object
 9966:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:762:
 
 whereas i did like explained there:
 https://www.tbs-internet.com/ssl/cert-smime-signe-unix.html
 with the -* PKCS7- formatted 'pk7' file.
 BTW i get the same error msg with -* PKCS #7 SIGNED DATA- format.
 
 FYI, I'm using openssl-0.9.6gnb2 package on NetBSD.
 
 Any advice to get around this would be appreciated.
 Thanks in advance

The line before the base64 encoded data should be:

-----BEGIN PKCS7-----

and the line after the base64 encoded stuff:

-----END PKCS7-----

make sure this is *exactly* what is there, i.e. make sure there are 5 -'s in
there. That error message means it doesn't like the end line.

This is assuming what you've got is base64 encoded data if it looks like
binary then add the -inform DER switch to the command.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
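
The replies in these two PKCS7 threads point at the PEM layout itself: Steve's requirement of exactly five dashes on the BEGIN and END lines, and Nils Larsch's remark about a "shredded pem format". The following is an added example, not code from the thread or from OpenSSL, that diagnoses and rebuilds such a block in Python. It assumes the conventional layout of 64-character base64 lines with only the last line shorter; the function names and the sample data are constructed for the illustration.

```python
import base64
import re

# Strict armor: exactly five dashes on each side of the label.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 #]+)-----$")
# Loose form, used only to locate an armor line with the wrong dash count.
LOOSE = re.compile(r"^\s*-+\s*(BEGIN|END) ([A-Z0-9 #]+?)\s*-+\s*$")


def split_pem(text):
    """Split one PEM block into (begin_line, body_lines, end_line).

    CR, LF and CRLF all count as line breaks; a missing armor line is None.
    """
    begin = end = None
    body = []
    for line in re.split(r"\r\n|\r|\n", text):
        m = LOOSE.match(line)
        if m and m.group(1) == "BEGIN" and begin is None:
            begin = line
        elif m and m.group(1) == "END" and begin is not None:
            end = line
            break
        elif begin is not None and line.strip():
            body.append(line.strip())
    return begin, body, end


def diagnose_pem(text):
    """List layout problems in a PEM block: armor lines and base64 line lengths."""
    problems = []
    begin, body, end = split_pem(text)
    for name, line in (("BEGIN", begin), ("END", end)):
        if line is None:
            problems.append(f"missing {name} line")
        elif not STRICT.match(line):
            problems.append(f"malformed {name} line")
    # Every base64 line is expected to be 64 characters; the last may be shorter.
    if any(len(l) != 64 for l in body[:-1]) or (body and len(body[-1]) > 64):
        problems.append("irregular base64 line lengths")
    return problems


def pem_payload(text):
    """Decode the base64 body of a PEM block, ignoring its line layout."""
    _, body, _ = split_pem(text)
    return base64.b64decode(re.sub(r"\s+", "", "".join(body)), validate=True)


def repair_pem(text, label=None):
    """Rebuild the block with five-dash armor and 64-column base64.

    Raises ValueError when the payload is not valid base64 or does not start
    with a DER SEQUENCE, so damaged data is reported instead of re-wrapped.
    """
    begin, _, _ = split_pem(text)
    if begin is None:
        raise ValueError("no BEGIN line found")
    label = label or LOOSE.match(begin).group(2)
    der = pem_payload(text)                # binascii.Error is a ValueError
    if der[:1] != b"\x30":
        raise ValueError("payload is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])


# Constructed sample: 98 bytes shaped like a DER SEQUENCE, not a real PKCS#7 object.
SAMPLE_DER = bytes([0x30, 0x60]) + bytes(range(96))
B64 = base64.b64encode(SAMPLE_DER).decode()
# "Shredded" as after a copy/paste through a mail client: uneven line lengths,
# CRLF line endings, and an END line that lost one dash.
SHREDDED = "\r\n".join(
    ["-----BEGIN PKCS7-----", B64[:64], B64[64:76], B64[76:127], B64[127:],
     "----END PKCS7-----", ""]
)

if __name__ == "__main__":
    print(diagnose_pem(SHREDDED))
    print(repair_pem(SHREDDED), end="")
```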


Re: Newbie question: unable to load Netscape SPKAC structure

2003-07-15 Thread David García Aristegui
Thank you very much for the help!!! The carriage returns (^M)
appeared in the file because the browser was running in a MacOS X,
there is no problem if the Netscape client is running in Linux, for
example.
I have made a script to delete the carriage returns (^M).

But... when I try to sign the client certificate request

openssl ca -spkac certerq.
(...)
BEGIN CERTIFICATE-
-END CERTIFICATE-
Data Base Updated
Segmentation fault (core dumped)
Where can I find information about this error? Please, any ideas?
Thank you in advance.

Richard Levitte - VMS Whacker wrote:

I see a number of embedded carriage returns (^M).  Those need to be
removed.

Yes.  My current experimental code does this, I don't believe I
would have put it in if it were not necessary:
  } elsif ( $req=$data->{'spkac'} ) {    # Netscape SPKAC

     # $$ GET SERIAL NUMBER FROM DATABASE
     $req =~ s/\s+//g;   # Delete CR & LF
.
     $req = 'SPKAC='.$req."\n".join("\n",@dn)."\n";
     my $cert = spkcsign
        $ENV{'UMCPCA_vault'},'ID Cert Signing Passphrase',
        $ENV{'UMCPCA_OPENSSL'},$tmp,$serial,$req,
        $certlife,$certmail;
     # htmlfail htmlesce certtext $cert;
     # $$ INSERT CERT INTO DATABASE
     # $$ DELIVER CERT TO CLIENT
     print "Content-Type: application/x-x509-user-cert\n\n$cert";
  } else {   # Neither PKCS10 nor SPKAC

     htmlfail 'Neither PKCS10 nor SPKAC data returned...';

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Newbie question: unable to load Netscape SPKAC structure

2003-07-14 Thread David García Aristegui
I'm following the CA recipe examples to do a CA setup under an AIX 5 
environment.
http://home.himolde.no/~kd/prosjekt/ca/ca.html

openssl version 0.9.7

Browsers to test the client: Mozilla 1.0 or Netscape 7.01

When i try to sign the client certificate request...

openssl ca -spkac certreq.9484 -days 365

Using configuration from /usr/local/contrib/openssl/openssl.cnf

Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem:
unable to load Netscape SPKAC structure
19506:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91:
Segmentation fault (core dumped)

please, could you tell me what is wrong? should i modify my
openssl.cnf? where? thank you very much.


Re: Newbie question: unable to load Netscape SPKAC structure

2003-07-14 Thread Charles B Cranston
What does certreq.9484 look like?  Especially when decoded with
the openssl spkac tool?
David García Aristegui wrote:
I'm following the CA recipe examples to do a CA setup under an AIX 5 
environment.
http://home.himolde.no/~kd/prosjekt/ca/ca.html

openssl version 0.9.7

Browsers to test the client: Mozilla 1.0 or Netscape 7.01

When i try to sign the client certificate request...

openssl ca -spkac certreq.9484 -days 365

Using configuration from /usr/local/contrib/openssl/openssl.cnf

Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem:
unable to load Netscape SPKAC structure
19506:error:0B081076:x509 certificate 
routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91:
Segmentation fault (core dumped)

please, could you tell me what is wrong? should i modify my openssl.cnf?
where? thank you very much.
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Re: Newbie question: unable to load Netscape SPKAC structure

2003-07-14 Thread David García Aristegui
At first, the certreq. is

more certreq.8558

commonName = Client Example
emailAddress = [EMAIL PROTECTED]
organizationName = Org
organizationalUnitName = Unit
localityName = Madrid
stateOrProvinceName = Madrid
countryName = ES
SPKAC =
MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWV
X0NTusSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6Kl
ZwtFH6Sa7Ejeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4F
uHblK7SCyoqNIAD8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6
fcSbmjJnOSvPlSFs^MiZPfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZ
aQ^MZ6yybsZopdn/AgMBAAEWEWNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rN
FFnrq1CXD7AT0bWfFfXar/ZAu5LDCv55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2l
YpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0
fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJTHG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMc
vkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7guaIhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz
hbvsl/kXThFgba5FGCkVbZuSJ7fy
then i use the openssl ca -spkac certreq. -days 365

more certreq.8558
commonName = Client Example
emailAddress = [EMAIL PROTECTED]
organizationName = Org
organizationalUnitName = Unit
localityName = Madrid
stateOrProvinceName = Madrid
countryName = ES
SPKAC =
MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWVX0NTu
sSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6KlZwtFH6Sa7E
jeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4FuHblK7SCyoqNIAD
8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6fcSbmjJnOSvPlSFs^MiZ
PfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZaQ^MZ6yybsZopdn/AgMBAAEWE
WNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rNFFnrq1CXD7AT0bWfFfXar/ZAu5LDCv
55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2lYpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO
2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJT
HG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMcvkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7gua
IhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz^Mhbvsl/kXThFgba5FGCkVbZuSJ7fy
openssl spkac -in certreq.8558
Error loading SPKAC
26928:error:0B081076:x509 certificate
routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91:
Thank you in advance.

What does certreq.9484 look like?  Especially when decoded with
the openssl spkac tool?
David García Aristegui wrote:
I'm following the CA recipe examples to do a CA setup under an AIX
5 environment.
http://home.himolde.no/~kd/prosjekt/ca/ca.html
openssl version 0.9.7

Browsers to test the client: Mozilla 1.0 or Netscape 7.01

When i try to sign the client certificate request...

openssl ca -spkac certreq.9484 -days 365

Using configuration from /usr/local/contrib/openssl/openssl.cnf

Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem:
unable to load Netscape SPKAC structure
19506:error:0B081076:x509 certificate
routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91:
Segmentation fault (core dumped)
please, could you tell me what is wrong? should i modify my
openssl.cnf? where? thank you very much.
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


Re: Newbie question: unable to load Netscape SPKAC structure

2003-07-14 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Mon, 14 Jul 2003 17:34:21 +0200, David García 
Aristegui [EMAIL PROTECTED] said:

david At first, the certreq. is
david 
david more certreq.8558
david 
david commonName = Client Example
david emailAddress = [EMAIL PROTECTED]
david organizationName = Org
david organizationalUnitName = Unit
david localityName = Madrid
david stateOrProvinceName = Madrid
david countryName = ES
david SPKAC = MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWV
david X0NTusSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6Kl
david ZwtFH6Sa7Ejeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4F
david uHblK7SCyoqNIAD8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6
david fcSbmjJnOSvPlSFs^MiZPfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZ
david aQ^MZ6yybsZopdn/AgMBAAEWEWNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rN
david FFnrq1CXD7AT0bWfFfXar/ZAu5LDCv55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2l
david YpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0
david fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJTHG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMc
david vkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7guaIhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz
david hbvsl/kXThFgba5FGCkVbZuSJ7fy

I see a number of embedded carriage returns (^M).  Those need to be
removed.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.


Re: Newbie question: unable to load Netscape SPKAC structure

2003-07-14 Thread Charles B Cranston
Richard Levitte - VMS Whacker wrote:

I see a number of embedded carriage returns (^M).  Those need to be
removed.

Yes.  My current experimental code does this, I don't believe I
would have put it in if it were not necessary:
  } elsif ( $req=$data->{'spkac'} ) {    # Netscape SPKAC

     # $$ GET SERIAL NUMBER FROM DATABASE
     $req =~ s/\s+//g;   # Delete CR & LF
.
     $req = 'SPKAC='.$req."\n".join("\n",@dn)."\n";
     my $cert = spkcsign
        $ENV{'UMCPCA_vault'},'ID Cert Signing Passphrase',
        $ENV{'UMCPCA_OPENSSL'},$tmp,$serial,$req,
        $certlife,$certmail;
     # htmlfail htmlesce certtext $cert;
     # $$ INSERT CERT INTO DATABASE
     # $$ DELIVER CERT TO CLIENT
     print "Content-Type: application/x-x509-user-cert\n\n$cert";
  } else {   # Neither PKCS10 nor SPKAC

     htmlfail 'Neither PKCS10 nor SPKAC data returned...';

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
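
The whitespace stripping in the Perl fragment above, written as a stand-alone Python filter for the `openssl ca -spkac` input file shown earlier in this thread. This is an added example, not code from the thread: the function name and the sample request are constructed, and it assumes the file consists of `name = value` lines with an SPKAC value that may continue over several lines. The cleaned file writes the SPKAC value last, on a single line.

```python
import base64
import re

# A DN field line: name, '=', then a value that does not itself start with '='
# (so a trailing base64 chunk such as "Xl8=" is not mistaken for a field).
FIELD = re.compile(r"^([A-Za-z][\w.]*)\s*=\s*([^=\s].*)$")
SPKAC = re.compile(r"^SPKAC\s*=\s*(.*)$")


def clean_spkac_file(text):
    """Return (cleaned_text, der_bytes) for an SPKAC request file.

    All whitespace, including bare carriage returns inside the base64, is
    removed from the SPKAC value; the DN fields are kept in their order.
    Raises ValueError if the value is still not valid base64 afterwards or
    does not decode to a DER SEQUENCE.
    """
    fields, chunks, in_spkac = [], [], False
    # A lone CR splits a line just like LF or CRLF does.
    for line in re.split(r"[\r\n]+", text):
        line = line.strip()
        if not line:
            continue
        m = SPKAC.match(line)
        if m:
            in_spkac = True
            chunks.append(m.group(1))
            continue
        f = FIELD.match(line)
        if f:
            in_spkac = False
            fields.append(f"{f.group(1)} = {f.group(2).strip()}")
        elif in_spkac:
            chunks.append(line)            # continuation of the base64 value
        else:
            raise ValueError(f"unrecognized line: {line!r}")
    value = re.sub(r"\s+", "", "".join(chunks))
    if not value:
        raise ValueError("no SPKAC value found")
    der = base64.b64decode(value, validate=True)   # binascii.Error is a ValueError
    if der[:1] != b"\x30":
        raise ValueError("SPKAC does not decode to a DER SEQUENCE")
    return "\n".join(fields + [f"SPKAC = {value}"]) + "\n", der


# Constructed sample, not a real SPKAC: 98 bytes shaped like a DER SEQUENCE,
# with bare CRs inside the base64 text and mail-style line wrapping.
SAMPLE_DER = bytes([0x30, 0x60]) + bytes(range(96))
B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_FILE = (
    "commonName = Client Example\n"
    "countryName = ES\n"
    "SPKAC =\n"
    + B64[:64] + "\r" + B64[64:70] + "\n" + B64[70:128] + "\r" + B64[128:] + "\n"
)

if __name__ == "__main__":
    cleaned, der = clean_spkac_file(SAMPLE_FILE)
    print(cleaned, end="")
    print(len(der), "bytes decoded")
```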


Re: openssl error (unable to load certificate)

2002-12-06 Thread Wolfgang Ziegler
At 22:44 06.12.2002 +0100, Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Fri, 06 Dec 2002 
19:51:04 +0100, Wolfgang Ziegler [EMAIL PROTECTED] said:

Wolfgang.Ziegler when trying to get the subject out of a certificate
Wolfgang.Ziegler from our local test CA I get the following error:
Wolfgang.Ziegler 
Wolfgang.Ziegler openssl x509 -noout -in usercert.pem -subject
Wolfgang.Ziegler unable to load certificate
Wolfgang.Ziegler 26416:error:0D081072:asn1 encoding 
routines:d2i_ASN1_OBJECT:expecting an object:a_object.c:217:
Wolfgang.Ziegler 26416:error:0D084070:asn1 encoding routines:d2i_ASN1_SET:error 
parsing set element:a_set.c:198:address=134815299 offset=-134815267
Wolfgang.Ziegler 26416:error:0D11D004:asn1 encoding 
routines:d2i_X509_CERT_AUX:nested asn1 error:x_x509a.c:82:address=134815295 offset=4
Wolfgang.Ziegler 26416:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 
lib:pem_lib.c:290:

Hmm, I've seen something similar.  If you do the following, what do
you get?

openssl asn1parse -i -in usercert.pem

nothing, there is no output at all

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.

--
 Fraunhofer-Institute for Algorithms and Scientific Computing (SCAI)
   Schloss Birlinghoven, D-53754 Sankt Augustin, Germany
Tel: +49 2241 14 2258Fax: +49 2241 14 2889   http://www.scai.fraunhofer.de
 Today is not as cold as yesterday, even though today is colder



Re: Unable to load DSA public key?

2002-11-22 Thread Nils Larsch
Paul L. Allen wrote:
 Nils Larsch wrote:
  Paul L. Allen wrote:
   One of our customers showed up with a certificate that OpenSSL's x509
   subcommand doesn't appear to like.  It complains about the public key:
  
   [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in
   HASMClient1.cer -inform der -text
   [...]
   Subject Public Key Info:
   Public Key Algorithm: dsaEncryption-old
   Unable to load Public Key
   1464:error:0D089004:asn1 encoding routines:d2i_DSAparams:nested asn1
   error:d2i_dsap.c:94:
   [...]
  
   Are there some flavors of DSA that OpenSSL doesn't grok?  Or has our
   customer got a bogus cert?  Or...?
  
   The above trace is from 0.9.6g on Linux.  I get similar results from
   0.9.6a on Solaris.  The 0.9.6b that came with my RedHat 7.2 seg faults
   right after printing the error.
 
  Does it work with 0.9.7 ? Can you give us the result of
  'openssl asn1parse -inform der -in HASMClient1.cer -i' or
  even better can you give us the certificate ?

 The asn1parse command liked the certificate fine, both on 0.9.6b and
 on 0.9.6g.  I'll have to fetch and build 0.9.7 in order to test with
 it.

 I'll have to check with my customer about releasing the certificate.
 They are an intermediary between me and a project that's too black for
 my security clearance.  I wouldn't want to reveal something that allows
 a third party to infer details of the project.

Actually it would be sufficient to show us the 'subjectPublicKeyInfo' part
of your certificate. In case of a 'normal' DSA public key it should look 
somehow like this:
nils:~ /usr/bin/openssl asn1parse -in certificates/dsa_ca.pem -i
...
155:d=2  hl=4 l= 438 cons:   SEQUENCE
159:d=3  hl=4 l= 299 cons:    SEQUENCE
163:d=4  hl=2 l=   7 prim:     OBJECT            :dsaEncryption
172:d=4  hl=4 l= 286 cons:     SEQUENCE
176:d=5  hl=3 l= 129 prim:      INTEGER           :BB1EEA1485EB95BD5...536A55A694729E9DB69D0BB5
308:d=5  hl=2 l=  21 prim:      INTEGER           :998139192210D5DEC...6DE8B43C51E414D
331:d=5  hl=3 l= 128 prim:      INTEGER           :6446E60F9DB24DFFE...9BB411E0444B69A25F9F45E9
462:d=3  hl=3 l= 132 prim:    BIT STRING
...
corresponding with the ASN1 description of a normal X509 DSA
public key (see e.g. rfc 2459)

SubjectPublicKeyInfo  ::=  SEQUENCE  {
     algorithm            AlgorithmIdentifier,
     subjectPublicKey     BIT STRING  }

where AlgorithmIdentifier is defined by

AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }

and the parameters are in case of a DSA key

Dss-Parms  ::=  SEQUENCE  {
     p             INTEGER,
     q             INTEGER,
     g             INTEGER  }

Regards,
Nils





Re: Unable to load DSA public key?

2002-11-21 Thread Paul L. Allen
Nils Larsch wrote:
 
 Paul L. Allen wrote:
  One of our customers showed up with a certificate that OpenSSL's x509
  subcommand doesn't appear to like.  It complains about the public key:
 
  [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in
  HASMClient1.cer -inform der -text
  [...]
  Subject Public Key Info:
  Public Key Algorithm: dsaEncryption-old
  Unable to load Public Key
  1464:error:0D089004:asn1 encoding routines:d2i_DSAparams:nested asn1
  error:d2i_dsap.c:94:
  [...]
 
  Are there some flavors of DSA that OpenSSL doesn't grok?  Or has our
  customer got a bogus cert?  Or...?
 
  The above trace is from 0.9.6g on Linux.  I get similar results from
  0.9.6a on Solaris.  The 0.9.6b that came with my RedHat 7.2 seg faults
  right after printing the error.
 
 Does it work with 0.9.7 ? Can you give us the result of
 'openssl asn1parse -inform der -in HASMClient1.cer -i' or
 even better can you give us the certificate ?

The asn1parse command liked the certificate fine, both on 0.9.6b and
on 0.9.6g.  I'll have to fetch and build 0.9.7 in order to test with
it.

I'll have to check with my customer about releasing the certificate.
They are an intermediary between me and a project that's too black for
my security clearance.  I wouldn't want to reveal something that allows
a third party to infer details of the project.

Thanks!

Paul Allen

-- 
Boeing Phantom Works   \ Paul L. Allen, (425) 865-3297
Math  Computing Technology  \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group



Unable to load

2002-05-14 Thread Leandro Silveira de Paula

Hello...
I'm trying to compile OpenSSL 0.9.6 on AIX 4.3.3, and I received the
following message:
risc# ./openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Generating a 1024 bit RSA private key
174970:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('//.oid','r')
174970:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
174970:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
174970:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
risc#

If anybody can help me!!!



Re: Unable to load

2002-05-14 Thread Pavel Tsekov

Hello Leandro,

Thursday, May 13, 2004, 10:25:39 PM, you wrote:

LSdP seeded:md_rand.c:501:You need to read the OpenSSL FAQ,
LSdP http://www.openssl.org/support/faq.html

Have you done as suggested ?




Re: Unable to load

2002-05-14 Thread Umesh

Try this... for a quick solution

create a file 'random_file' and type a few junk characters in it (save
it :-)).
Then...
./openssl req -new -rand random_file -nodes -keyout private.key -out
public.csr

this should solve your problem.

Regards,
Umesh

Leandro Silveira de Paula wrote:
 
 Hello...
 I'm trying to compile OpenSSL 0.9.6 on AIX 4.3.3, and I received the
 following message:
 risc# ./openssl req -new -nodes -keyout private.key -out public.csr
 Using configuration from /usr/local/ssl/openssl.cnf
 unable to load 'random state'
 This means that the random number generator has not been seeded
 with much random data.
 Generating a 1024 bit RSA private key
 174970:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('//.oid','r')
 174970:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
 174970:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
 174970:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
 risc#

 If anybody can help me!!!



Got ERROR: unable to load Netscape SPKAC structure - HELP!

2002-04-04 Thread Spiegel, Volker





Hello,

I am using Linux SuSe 7.3 with Netscape 6 (!) trying
to generate certificate requests.

I have a CGI/Perl script using the KEYGEN tag for Netscape.
The SPKAC request is successfully written to a file on the filesystem.

Then I tried to call openssl ca to sign the SPKAC request and got the
following OpenSSL error:

unable to load Netscape SPKAC structure
3298:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:92:

What went wrong?

Using the same Perl script with Netscape 4.78 everything went ok!!
So I think openssl cannot process Netscape 6 SPKAC requests at the moment?!

I heard that there are some problems with the formatting of the SPKAC request
having extra ^M or the like. But my SPKAC is ok!

Maybe there is a bug in Netscape 6? Or in my OpenSSL?
I am using OpenSSL 0.9.6a which is supplied with Linux SuSe 7.3.

Thanks for your help,
Volker


Volker M. Spiegel
Senior Consultant
Competence Center Enterprise Trading Portals
___
entory AG - a company of the Deutsche Börse Group
Office Frankfurt  
Niedenau 13-19
D-60325 Frankfurt am Main
Tel. +49 (0) 69 / 97261 -373
Fax. +49 (0) 69 / 97261 -70
Mobile +49 (0) 172 / 73 95 326 
mailto:[EMAIL PROTECTED]
http://www.entory.com

