How to Create certification timestamp on OpenSSL patched OpenTSA

2011-03-30 Thread hoang tan
Hi! I'm from Vietnam, my name is Bin. I installed openTSA completely, but when I was editing the tsa.conf file, I didn't know how to create the TSACertificate, TSACertificateChain and TSAKey files. I'm a newbie. Please help me create them with openssl ts! Thank you very much! Sorry for my poor English. -- #cat

Re: Truststore or Cacerts file?

2011-03-30 Thread Tomas Gustavsson
CA certificates, i.e. root.crt goes in to the cacerts file. Cheers, Tomas http://www.ejbca.org/ On 03/29/2011 09:26 PM, David Patricola wrote: I’ve found plenty of Google results but I am having a disconnect with the install. My server has its own server.crt, server.key and root.crt

Re: how to retrieve RSA param from SSL_CTX

2011-03-30 Thread ikuzar
Ok thanks. It works now. I use these functions : -- to obtain public key : X509 *myCert = SSL_get_certificate(cli_ssl); EVP_PKEY *pubkey = X509_get_pubkey(myCert); -- to obtain private key : EVP_PKEY *privkey = SSL_get_privatekey(cli_ssl); Then to sign and verify: RSA_sign(NID_sha1, md1,

Re: how to retrieve RSA param from SSL_CTX

2011-03-30 Thread ikuzar
I'd like to know if these calls are correct : RSA_sign(NID_sha1, md1, md1_len, u_sigret, siglen, privkey->pkey.rsa) RSA_verify(NID_sha1, md1, md1_len, u_sigret, siglen, pubkey->pkey.rsa) knowing that : int RSA_sign(int type, unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned

Re: Cert chain verification failures

2011-03-30 Thread Crypto Sal
On 03/29/2011 01:16 PM, David Coulson wrote: On 3/29/11 12:58 PM, Bruce Stephens wrote: Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate. Okay, I see that - Makes sense.

RE: Truststore or Cacerts file?

2011-03-30 Thread David Patricola
Do the other two stay in the same folder as root.crt, but only root.crt actually gets installed in the cacerts file? -Original Message- From: Tomas Gustavsson [mailto:to...@primekey.se] Sent: Wednesday, March 30, 2011 3:49 AM To: openssl-users@openssl.org Cc: David Patricola Subject: Re:

Re: Truststore or Cacerts file?

2011-03-30 Thread Lou Picciano
David, You may get some ambiguous answers to - ultimately - a PG question on the SSL list... Yes, in a _standard_ PostgreSQL SSL setting, in which libpq is reading the certs from _default_ positions, the root.crt, postgresql.crt and postgresql.key are all in the same 'folder'. (I believe

RE: Truststore or Cacerts file?

2011-03-30 Thread David Patricola
Ha, flex-fuel! The postgres side of this is 100% functional, so I'm not concerned about this side anymore (thankfully). As Tomas mentioned, only the root.crt file should go in, and I hope this is it. If not then it looks like I'm going to find some Java-based message lists to subscribe to!

DH: safe prime issue

2011-03-30 Thread ikuzar
Hi, I'd like to know if it is a security issue when p (a DH param) is not a safe prime? Is it easier to attack the DH algorithm with a non-safe prime ...? Thanks for your help

RE: Truststore or Cacerts file?

2011-03-30 Thread David Patricola
Ok, I've modified my import as follows: E:\JRun4\jre\bin>keytool -importcert -alias dca -file E:\Jrun4\jre\lib\security\root.crt -keystore E:\Jrun4\jre\lib\security\cacerts But I still get a failed connection connecting: org.postgresql.util.PSQLException: The connection attempt failed.

Re: Truststore or Cacerts file?

2011-03-30 Thread Lou Picciano
Sure, at that point you've only handled one half of the handshake. You gotta find the corresponding command to install or 'present' the client cert now... - Original Message - From: David Patricola david.patric...@jefferson.edu To: openssl-users@openssl.org Sent: Wednesday, March 30,

RE: Truststore or Cacerts file?

2011-03-30 Thread David Patricola
So what, or where, is the other half? All sites that explain this for ColdFusion say that this is all you need to do! I restarted the java service and tested the ssl connection. _ From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Lou

codes value in DH_check(dh, codes)

2011-03-30 Thread ikuzar
Hi, I'd like to know if there are other values of codes in DH_check(dh, codes)? This program prints Other result of check : int codes = 0; dh_check_ret = DH_check(dh, &codes); if(dh_check_ret == 1){ if(codes == DH_CHECK_P_NOT_SAFE_PRIME) printf("\nDH_CHECK_P_NOT_SAFE_PRIME\n");

Re: Cert chain verification failures

2011-03-30 Thread David Coulson
On 3/30/11 8:33 AM, Crypto Sal wrote: David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see Software Security Device vs. that of Built in Object next to each of the

Verify signed text

2011-03-30 Thread luis hernandez
Hi all, I get a file with a signed base64 string produced using the following commands: openssl dgst -md5 -sign key.pem stringtosign.txt | openssl enc -base64 -A > signedbase64string.txt that signed string is part of a text file that includes the certificate in pem format without the public

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 9:59 AM, luis hernandez wrote: I get a file with a signed base64 string produced using the following commands: openssl dgst -md5 -sign key.pem stringtosign.txt | openssl enc -base64 -A > signedbase64string.txt that signed string is part of a text file that includes

Re: DH: safe prime issue

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 6:19 AM, ikuzar wrote: I'd like to know if it is a security issue when p (a DH param) is not a safe prime? Is it easier to attack the DH algorithm with a non-safe prime ...? Yes. If p-1 does not have large factors, then it is easier to compute the discrete logarithm

RE: Verify signed text

2011-03-30 Thread luis hernandez
Thanks Wim, I know that cer pem files have the public key in it like: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz... -----END PUBLIC KEY----- -----BEGIN CERTIFICATE----- MIIE/TCCA+WgAwIBAgIUMzAwMDEwMDAwMDAxMDAwMDA4MDAwDQYJKoZIhvcNAQEF...

Re: Verify signed text

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 12:02 PM, luis hernandez wrote: Thanks Wim, I know that cer pem files have the public key in it like: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz... -----END PUBLIC KEY----- -----BEGIN CERTIFICATE-----

RE: Verify signed text

2011-03-30 Thread luis hernandez
OK thanks a lot Subject: Re: Verify signed text From: w...@omnigroup.com Date: Wed, 30 Mar 2011 14:01:24 -0700 To: openssl-users@openssl.org On 30 Mar 2011, at 12:02 PM, luis hernandez wrote: Thanks Wim, i know that cer pem files have the public key in it like: -BEGIN