Cheers!
In general, should I be looking to submit patches against master? Assuming
the latest stable branch was the place to go may have been presumptuous of
me. :)
Best regards,
Oscar Jacobsson
On 2014-06-26 14:40, "Hubert Kario via RT" wrote:
>- Original Message -----
&g
Hi,
xmm6 and xmm7 registers are not correctly restored on bn_scatter5 return.
The diff was generated using git HEAD.
I am using openssl-1.0.1e that contains the bug. On openssl git logs it
appears the bug is present since the first commit when bn_scatter5 was
implemented.
regards,
Oscar
ICATE-" and
footer "-END CERTIFICATE-" alone, and then just hash anything in between ?
I am having trouble trying to figure out a way to compute the hash value.
I tried so many things!
Thanks,
Oscar
Thanks Richard.
Oscar
On 4/3/06, Richard Salz <[EMAIL PROTECTED]> wrote:
If you have a command line that does what you want, then step through thesource to that command and see what it does.
/r$--SOA Appliance GroupIBM Application Integ
Thanks Joe.
Oscar
On 4/3/06, Joe Gluck <[EMAIL PROTECTED]> wrote:
You should use some thing like this:
FILE * file = NULL;
X509 * cert = NULL;
// Open the DER filefile = fopen("der_file_name", "rb");// load it into a X509 object
cert = d2i_X509_fp(file, NULL);
f
Hi,
How do I get a SHA1 or MD5 hash from a certificate in DER format through the OpenSSL API ?
And, for which would be similar to the following:
"openssl x509 -sha1 -in cert.pem -noout -fingerprint" but in a way pragmatically.
Thanks,
Oscar
Hi,
How do I convert x509 der to x509 pem using OpenSSL API ?
And, for which would be similar to the following:
"openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER " but in a way pragmatically.
Thanks,
Oscar
X.500 order" at
all, rendering the correctness issue moot, since X.500 (AFAIK) never
uses string representations of DNs.
The only standardized mechanism for string encoding DNs I am aware of is
that of RFC 2253, or LDAP. OpenSSL currently does not conform to it.
//oscar
Howard Chu wrote:
>
Just my two hundredths of a crown:
(and I really hope I get the ordering right.)
"O=McDonalds, L=Tampa, ST=FL, C=US"
This does break the naming recommendations given in X.521 Annex B
though, which don't allow for a stateOrProvinceName.
Best regards,
//oscar
David Lyon wrote:
l the function like this:
FILE
*fp;
RSA
*privatekeys;
fp = fopen
("key.pem", "rb");
PEM_read_RSAPrivateKey(fp, &privatekey, NULL, NULL);
What's
wrong?
Thanks,
Oscar
Thanks for clearing this out.
Best regards,
//oscar
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager
r 2002 17:26:05 -
@@ -13,6 +13,10 @@
#endif
#include
+/* MSVC only defines SSIZE_MAX when building for Posix compatibility */
+#if defined(WIN32)
+# define _POSIX_
+#endif
#include
#include
#include
Sorry about the confusion,
//oscar
__
Unfortunately, the engine version of 0.9.6c doesn't build cleanly with
MSVC. Would you mind terribly using a current snapshot of the stable
engine branch instead, until there's an official release that addresses
this issue?
Best regards
Hi!
More MSVC fixes.
The little path below is required to get crypto/engine/hw_aep.c to
compile with MSVC.
Best regards,
//oscar
diff -u -r1.1.2.4 hw_aep.c
--- hw_aep.c7 Feb 2002 22:04:27 - 1.1.2.4
+++ hw_aep.c23 Feb 2002 10:20:39 -
@@ -82,8 +82,8 @@
#endif
-static
);
// Create a vector to hold our DER data and reserve memory
vector encBuffer;
encBuffer.reserve(encLength);
// Put the DER data in our vector
i2d_X509(cert, &encBuffer;[0]);
//oscar
> Jaime Vizán González wrote:
>
> Hi folks!
>
> I need to convert a certificate in PEM format stor
id, not X500 unique id" from late November last year if you
care to search the archives.
Best regards,
//oscar
Dan Lanz wrote:
>
> The patch below fixes a bug in the objects list
> where the UID object shortname is incorrectly
> specified to be identical to its longname
> (&
x27;t get defined unless one defines _POSIX_. Should this
definition go into e_os.h or is it ok to simply insert it here prior to
the inclusion of limits.h?
Best regards,
//oscar
__
OpenSSL Project
examples however,
I'm sure I should be able to throw something together.
Best regards,
//oscar
__
OpenSSL Project http://www.openssl.org
Development Mailing List
clare Function X509_verify Lib "std_libeay32" Alias std_X509_verify _
(ByVal a As Long, r As Long) As Integer
Hope this gives you a few ideas on how to proceed. I might be able to
find some time to look into making OpenSSL VB-friendly, but I can't make
any promises at present. :-/
B
. Is that true in the Windowsly environment as well?
Should be. The VC help states that memset is available through either
memory.h or string.h, so both should work. Lacking easy access to a
standard library reference, I simply grabbed the prior.
> I just commited a patch to fix this.
n the debug build of crypto/des/read2pwd.c, memset
hasn't been defined, so a quick include of memory.h did the trick. I'm
sure there's more to the issue than this though. :-)
Once the stuff gets built, everything tests out ok.
Best regards,
//oscar
Richard Levitte - VMS Whacker wrot
well as
an embedded DB, a directory server or an RDBMS.
KISS is indeed a noble goal, and an important part of it is the striving
towards interface minimalism, consistency and independency IMHO.
Best regards,
//oscar
__
OpenS
ier today
have made it clear where I stand on the issue.
> > From a storage
> > point of view, a smart card (or an nCipher box!) can very well be
> > viewed as a limited database. That it also has functionality like
> > symmetric ciphers, digests
d pears.
I think the easiest way of making sure apples and pears aren't mixed is
to keep, and treat them separately. The Repository IS-NOT-A (to
paraphrase Liskov) KeyStore, which in turn IS-NOT-A Database. A smart
card or a piece of cryptographic hardware might implement all three
for a full-blown PKI repository, which I honestly thought
was what we were discussing, should probably include: find me the issuer
of this, give me the status of this, enumerate all my revoked
certificates. None of these would make much sense to the humble 8k card.
Best
le to go back and prove/disprove the validity of
old transactions.
And yes, while they're quite handy for protecting and storing an
end-entity's keys and certificates, a smart card certainly wouldn't be
the ideal candidate for a PKI repository. I definitel
ia?
>
> Depending on who you listen to, one could say it's the subject, others
> will say it's issuer+serial. It all depends on if you want to keep
> the history of a specific subject or not. This is of course taken
> from a X.500 directory perspective (where things wer
ve this:
http://www.openssl.org/support/faq.html#PROG2
Cheers,
//oscar
[EMAIL PROTECTED] wrote:
>
> Hi,
>
> I have a executable that makes a https call to a IBM websphere application server
>running a java servlet. The IBM application server uses the Apache web server and it
>uses mod_
that problem, one should run VCVARS32.BAT which is found in
the 'bin' subdirectory of the VC++ installation directory (somewhere
under 'Program Files'). This needs to be done prior to running NMAKE,
and the changes are only valid for the current DOS session.
//oscar
Hmm. Seems to have gotten lost on the way. Resending.
//oscar
--- Begin Message ---
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
===
RCS file: /usr/local/cvsroot
ess to the card, and only have the certificate
itself available, I'm afraid you won't be able to get all the way, as
there will by definition be no private key in the certificate (hence:
public-key certificate) for you to get.
Please provide more info and I'll try to help you out.
Works like a charm. Thanks!
//oscar
Richard Levitte - VMS Whacker wrote:
> Thanks for finding that. I've a patch that I'm going to commit as
> soon as I see that it compiles. Wanna try it? Expect it withi
Richard Levitte - VMS Whacker wrote:
> Thanks for finding that. I've a patch that I'm going to commit as
> soon as I see that it compiles. Wanna try it? Expect it within half
> an hour.
Cheers! I'll try rsync:ing my repository copy
g 'cvs -q update -j1.57 -j1.56 pkcs12.c' seems
to work for me.
Cheers!
//oscar
__
OpenSSL Project http://www.openssl.org
Development Mailing List
I've used DC-based naming (RFC 2377?) for a while now, and can't really
remember running in to any particular problems.
I generate the certificates using the OpenSSL command line apps using a
configuration like this:
[ OJ_req_distinguished_name ]
0.domainComponent = TLD component (
he PFX you create
('user.pfx') using the pkcs12 command will. The phrase "if I need the
[certificate] in pkcs12 format" is a bit misleading, as pkcs12 isn't a
certificate format per se, but rather a format used to transport and
store both private keys and certificates.
//o
tion are:
X509* d2i_X509(X509*, unsigned char**, int);
int i2d_X509(X509*, unsigned char**);
Please find below a quick sample snippet.
Regards,
//oscar
#include "openssl/x509.h"
#include
#include
// generated using 'openssl x509 -C -noout'
unsigned c
uld just like to say that I really like this suggestion as it both
clearly differentiates between the possible targets (with the possible
exception of the win16/dos builds, of which I've no experience) and
provides us with a mnemonically sound (I hope I'm ge
#x27;m not sure how one
should tell them apart either, if necessary. Perhaps by appending an 's'
to the static library builds, much like a 'd' would be to the debug
builds?
Richard Levitte - VMS Whacker wrote:
>
> From: Oscar Jacobsson <[EMAIL PROTECTED]>
>
>
l anyway.
Might I recommend having your application code catch this error and then
attempt a second connection without TLS? I think this is the way MSIE
does it, even though they still apparently ship with TLSv1 disabled.
//oscar
Fabrice Mougin wrote:
>
> Hello,
>
> I noticed some t
, as well as 'd' when it's a debug build):
Might I also request some kind of additional identifier that would help
differing between actual static libraries and dll import libraries? I'm
not too fussy about how to actually name the stuff, as long as a
makefile
inaries depending on the type of build: libeay32d.lib for a debug build,
ssleay32s.lib for static crt linkage etc? I really do feel this is a bit of an
issue here, since debug/release static/dynamic single-/multithreaded (and
probably etc.) builds will directly affect which CRT
file.
//oscar
Julio Kriger wrote:
>
> Hi,
> I'm newby, so I hope not to bother you with some stupid question or
> misunderstud concepts.
> I have been reading information of how to verify server certificate
> signed by a root CA in a client.
> Form w
aPath isn't going to work,
unfortunately, as OpenSSL will not be able to locate it.
Please see my post yesterday for a quick run-down on how to rename your
certificate without the c_rehash utility.
Regards,
//oscar
Glenn wrote:
>
> Thanks for all the reply. One point to note is that
ads more to it, of course. Revocation checking, for example. But Rome
wasn't burned in a day...
Regards,
//oscar
Julio Kriger wrote:
>
> Hi,
> I'm newbye. I have done a SSL client that connect to some HTTPS server.
> The server have Verisign as CA root.
>
indows, using standard file copies instead of
soft links.
//oscar
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List M
user.crt
user.crt: OK
Then we need to generate the subject name hash which is looked for the lookup:
> openssl x509 -hash -noout < ca.crt
b58aa201
We rename our ca file to work with the hash lookup method:
> ren ca.crt b58aa201.0
And finally:
> openssl verify -CApath . user.crt
ng some form of padding unless you're absolutely
positive you can create a secure padding mechanism in your own application code,
because raw RSA signatures simply aren't secure.
I've thrown together a quick demo of RSA encrypt/decrypt using a pre-stored
digest below:
Regards,
rds,
//oscar
Glenn wrote:
>
> I have a trusted cert, say "c:\path\file.pem" on
> Windows FAT32. Using
> SSL_CTX_load_verify_locations(ctx,"c:\\path\\file.pem",NULL),
> I managed to verify the peer cert correctly.
>
> However, using
> SSL_CTX_load
a new parameter
specifically for string encodings. Objects for which there were no such
parameter given would simply use the dotted decimal, which would still be legal.
//oscar
__
OpenSSL Project
names" appear to be used when string encoding distinguished names.
Perhaps clearing up this ambiguity by adding a new, optional, string encoding
parameter (along with macros/functions etc.) for objects would be best?
//oscar
Jean-Marc Desperrier wrote:
>
> Richard Levitte - VMS Whacker
Just a quick hack to dump a private key to an unsigned char[]. Basically copied
and pasted the equivalent bit from x509.c. Seems to work ok (famous last words
aside.)
Cheers,
//oscar
diff -r1.31 rsa.c
82a83
> * -C - print out C code forms
99c100
< int informat,outformat,
Oscar Jacobsson wrote:
> Also, would it be possible to add *.out to ms/.cvsignore so that these
> files can actually be overwritten as required by the test process?
And could ms/*.out then also please be removed from the repository in the first
place?
Cheers,
/
2->tmp.clear+i !=
---
> || (is_export && ((i != ek) || ((int)s->s2->tmp.clear+i !=
Also, would it be possible to add *.out to ms/.cvsignore so that these
files can actually be overwritten as required by the test process?
Cheers,
//oscar
From: [EMAIL PROTECTED]
mark> Log:
mark> Back-port of Broadcom engine code from 0.9.7 to 0.9.6, but with a few
mark> patches taken from Red Hat Linux 7.2. Original code from Broadcom with
mark> patches and backport by Nalin, more backport to fix warnings and const
mark> changes by Mark
)
Best regards,
//oscar
--- rand_lcl.h.org Tue Oct 16 04:02:03 2001
+++ rand_lcl.h Wed Oct 24 15:18:01 2001
@@ -130,28 +130,29 @@
#endif
#include
+#include
#define MD_Update(a,b,c) EVP_DigestUpdate(a,b,c)
#defineMD_Final(a,b) EVP_DigestFinal_ex(a,b,NULL)
#if defin
Hi again!
I'll attempt to answer the questions you have in-line below. I hope it's
ok if I try to keep things as simple as possible right now, referring to
the OpenSSL command-line tools as much as possible.
PS. I hope to be able to start work on the tutorial during the day.
//os
currently working on, so I guess I could hack up a quick
tutorial document if you're interested. I haven't really played around
with any CA products as of late, however, so I can't comment on how
interoprable the stuff I can whip up with OpenSSL is.
//oscar
"Ravi Prakash B.V.&qu
tricking clients into downgrading to SSLv3 anyway, so such a
workaround shouldn't cause too much harm IMHO.
//oscar
Amnon Cohen wrote:
>
> Hi Oscar
>
> Thanks for the reply!
>
> How do browsers manage to connect to these defective ser
7;s even a couple of books available detailing the toolkit and the
underlying design patterns.
//oscar
Michael McTernan wrote:
> So I ask, will there be as simplified API for people like me who want to
> add SSL into an app without spending more than a day working it out?
>
> Someth
worked around.
I'd better apologize in advance in case I've got this wrong. :-)
//oscar
Amnon Cohen wrote:
>
> Hi,
>
> I am having trouble performing a SSLv23 handshake to a large number of
> servers
> e.g.
>
> OpenSSL> s_client -connect commerce.www.ibm.c
of the popular PKI
> products out there.
Is it legal for a self-signed certificate to include the keyUsage
extension without having the keyCertSign bit asserted? Would its
self-signature verify if its key is asserted only for verifying CRL
signatures?
//oscar
___
nSSL, IIRC, has the ability to introduce a 'maximum allowable path
length' into the path validation algorithm, but I'm unfortunately not
familiar with other toolkits.
//oscar
__
OpenSSL Project
Hi!
If you were wondering how to get this policy OID into a CA certificate
using OpenSSL in the first place, the easiest way would be to use the
following line in the CA certificate extension section of your
configuration file:
certificatePolicies=0.4.0.1456.1.1
Best regards,
//oscar
Bahram
correctly.
As pointed out by Dr. Henson earlier on however, the certificates
supplied in the tarball are insufficient to validate them.
//oscar
__
OpenSSL Project http://www.openssl.org
D
czyk et al):
http://citeseer.nj.nec.com/black99umac.html
//oscar
Jamshid Shoghli wrote:
>
> Multi-linear Modular Hash. Here is a refernce for mmh. (I was under the same
> impression that openssl has nothing to do with mmh):
>
> MMH: Software Message Authentication in Gbit/sec
far.
//oscar
Richard Levitte - VMS Whacker wrote:
>
> Please try the snapshots that will show up later today (or whatever
> shows up during the weekend) and report back to openssl-dev if you
> find any problem:
>
> ftp://ftp.openssl.org/snapshot/:
>
> openssl-0.9.6-sta
structure. The resulting certificate would then warrant
verification, as validation information could then be carried in-band.
I guess I'm simply more comfortable trusting certificates than public
keys.
//oscar
__
OpenSSL Pro
, IIRC, is one where the
responder gets his public key signed by the CA in question (thus
"designated") in order to prove that he is trusted to respond to these
queries.
//oscar
__
OpenSSL Project
bles themselves, since I've experienced
debugging problems similar-ish to yours in the past stemming from the
fact that Visual Studio has been unable to locate the PDB files, and
thus the debug symbols.
Cheers!
//oscar
_
Ow. Sorry list! Private mail gone awry. Fell victim to the reply-to
header.
//oscar
Oscar Jacobsson wrote:
>
> Richard Levitte - VMS Whacker wrote:
> > Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
>
> Är mitt antagande att "ex", likt tyska
Richard Levitte - VMS Whacker wrote:
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Är mitt antagande att "ex", likt tyskans motsvarighet "aus", är en
dativbildande preposition riktig, månne?
//oscar, ständigt på jakt efter
data value shall be
obtained by applying the Basic Encoding Rules defined in ITU-T Rec. X.690
(1997) | ISO/IEC 8825 :1998, with the following restrictions:
[...]
e) the components of a Set-of type shall be encoded in ascending order of
their octet value;
[...]
//oscar
> -Original Mess
ode Limited,C=GB
Here is an example name containing three RDNs, in which the first RDN is
multi-valued:
OU=Sales+CN=J. Smith,O=Widget Inc.,C=US
DCs are IIRC encoded as separate RelativeDistinguishedNames, at least
that's how my directories have been designed. Please set me right if I'm
wrong about this.
//oscar
smime.p7s
uire that OpenSSL were made a full-fledged ASN.1
compiler.
As for the issue currently at hand however, the string representations
that is, I guess we'd need some kind of BNF encoding/parsing lib as well,
seeing as that's the mechanism employed in RFC 2256. :-/
Just a thought,
//oscar
smime.p7s
#x27; is to my
knowledge *not* an acknowledged alternative string encoding of the
attribute type. I can't find any mention of it in 2256, anyway.
//oscar
smime.p7s
opy.
The quick and dirty way around this is probably to follow the
suggestions and set $RANDFILE containing suitably random data.
Please see OpenSSL Frequently Asked Question #6 for further information:
http://www.openssl.org/support/faq.html#6
//oscar
_
l_algorithms is defined in ssl.h as:
#define SSLeay_add_ssl_algorithms() SSL_library_init()
SSL_library_init() is in the ssleay32 library, so including ssl.h and
linking with ssleay32.lib should do it.
//oscar
S/MIME Cryptographic Signature
f which (NO_SYSLOG) we might hopefully be able to remove
now that we've moved the winNT checking into runtime.
The other WINNT-related define is WIN_CONSOLE_BUG, which is checked in
crypto\des\read_pwd.c, which might also require some run-time lookup
instead of pre-processor hacking.
//oscar
S/MIME Cryptographic Signature
ork with Borland's BC++ 5.5 free compiler tools.
I'm afraid I don't have access to a Borland compiler, so I don't know if
I can be os much help here, unfortunately. :-(
> Release/debug DLL configs will be nice. Maybe standardise the
> calling convention (cdecl, fastcall,
are a number of "issues"
related to linking object code on win32 that have to be addressed by
generating different OpenSSL builds, such as debug/release builds,
single-/multithreaded builds, static-/dynamic builds, static-/dynamic
CRT linkage builds etc
Oscar Jacobsson wrote:
> Keon should probably take part of the blame for failing to set Version,
> as required by RFC 2459:
>
> 5.1.2.1 Version
>
>This optional field describes the version of the encoded CRL. When
>extensions are used, as required by this profil
andle CRL's that used extensions
without specifying the correct version number.
//oscar
S/MIME Cryptographic Signature
gt; *> 116:d=5 hl=2 l= 8 prim: OCTET STRING
This sure looks like crlExtrensions to me (as in a RFC-2459 X509v2 CRL),
which is EXPLICIT OPTIONAL, which I don't really know what that
implies...
//oscar
S/MIME Cryptographic Signature
Hi!
When trying to make a debug win32 link with a MASM 6.11-generated
s1-win32.obj I get the following warning:
libeay32.lib(s1-win32.obj) : warning LNK4200: corrupt line number
information in object file; ignored
NASM-0.98 apperars to have no problems though.
Cheers,
//oscar
S/MIME
Does anybody knows what does idx means here:
PKCS7_ISSUER_AND_SERIAL *
PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
I have to use it but i don't do it ok because I don't understand.
Thank's
__
OpenSSL Project
87 matches
Mail list logo