SV: openssl & outlook express

2000-07-11 Thread Hellan,Kim KHE
I have been having some problems with this too, and here is what you need to check.
- Use Outlook Express 5.x (on some 4.x installations I haven't been able to make it work)
- Make sure that your root (CA) certificate is installed in Windows (listed in the Certification authorities tab in the sec

SV: Signing a CSR for NT/IIS from Linux?

2000-07-13 Thread Hellan,Kim KHE
Two suggestions: 1) The IIS expects the certificate to be PEM encoded (DER is not accepted). 2) I'm not sure on this one, but I think that your Windows NT must know the root certificate of the CA that signed the certificate, before you can store the certificate in the IIS. Regards, Kim Hellan KMD

SV: Why IE can't use my certificate?

2000-08-30 Thread Hellan,Kim KHE
Sorry... I haven't been following this discussion, so forgive me if this is totally irrelevant. But I'll let you know what my experience with MS IIS and client certificates is. The root certificate must be installed on the server in a special way. Otherwise the MS IE clients fail to show your per

SV: Q. nmake cannot find a dll

2000-09-22 Thread Hellan,Kim KHE
It's a Visual Studio common file. Normally it is located in: c:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\MSPDB60.DLL Are you sure that your PATH includes this directory for VC++ binaries? Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED] -Oprindelig medde

SV: Certificate form for LDAP userCertificate

2000-10-12 Thread Hellan,Kim KHE
You should use a DER encoded certificate. Kim Hellan -Original message- From: Michael David [mailto:[EMAIL PROTECTED]] Sent: 27 September 2000 23:10 To: [EMAIL PROTECTED] Subject: Certificate form for LDAP userCertificate In a LDAP directory, certificates can be stored as binary da

SV: Base64 in MIME file...is really required?

2000-10-23 Thread Hellan,Kim KHE
After you create the base 64 BIO, set the following flag, BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); to parse the input without linefeed. It doesn't seem to work. Basically what I have is: 1: BIO* bioIndata = NULL; 2: BIO* spBio = BIO_new_file((char*) mySMIMEfile, "rb"); 3: PKCS7* p7 = SMIME_re

SV: SV: PKCS#7 signed text...how to get it

2000-10-23 Thread Hellan,Kim KHE
> But in a test environment, it would be nice to be able to extract the text > from any PKCS#7 structure without having to worry about loading the right CA > certificates. Well you can do this using PKCS7_verify() and passing the appropriate flags. If you set the PKCS7_NOVERIFY flag it won't verif

S/MIME with attachments

2000-12-07 Thread Hellan,Kim KHE
Is it possible to also include attachments in an S/MIME message created by OpenSSL? I can only find code to add plain text. Med venlig hilsen / Best regards Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED]

SV: S/MIME with attachments

2000-12-07 Thread Hellan,Kim KHE
> Is it possible to also include attachments in an S/MIME message created by > OpenSSL? > I can only find code to add plain text. Attachments _are_ plain text, once encoded, so there's no problem. Just be sure to include proper MIME headers in the beginning of the file. You can create the enco

Bug in PEM_X509_INFO_read_bio() ??

2000-12-22 Thread Hellan,Kim KHE
Hi I'm having a strange problem with PEM_X509_INFO_read_bio(). I'm using the some code in apps.c ( load_certs() ) to load a list of certificates. At some points in load_certs() there is the line: allcerts = PEM_X509_INFO_read_bio(bioCerts, NULL, NULL, NULL); Until recently this has all worked ju

Extracting Policy OID in X.509v3 extension

2001-01-04 Thread Hellan,Kim KHE
I have a certificate with an X509v3 Certificate Policies extension. That extension contains a PolicyIdentifier "field" from which I want to extract the value. OpenSSL sees the X509v3 Certificate Policies extension as a "raw" extension, but how do I extract "field" values (like PolicyIdentifier or

SV: Extracting Policy OID in X.509v3 extension

2001-01-04 Thread Hellan,Kim KHE
"Hellan,Kim KHE" wrote: > > OpenSSL sees the X509v3 Certificate Policies extension as a "raw" extension, > but how do I extract "field" values (like PolicyIdentifier or UserNotice) > from such an extension? You do this the same as any other extensio

SV: SV: Extracting Policy OID in X.509v3 extension

2001-01-04 Thread Hellan,Kim KHE
It doesn't return a POLICYINFO pointer. It returns a STACK_OF(POLICYINFO) pointer. Sorry. You're right, of course, so now it works just fine. I guess when you get more experienced with OpenSSL/extension it will be more obvious what type is returned from X509_get_ext_d2i(). Thanks a lot! K

Standards for RSA key generation

2001-01-16 Thread Hellan,Kim KHE
I have been asked what standards the OpenSSL RSA key generation observes. In particular the RSA_generate_key() function. Any comments welcome! TIA Kim Hellan Mailto:[EMAIL PROTECTED]

String definitions needed

2001-02-02 Thread Hellan,Kim KHE
I need to find out what characters are allowed in the following ASN.1 string types: PRINTABLESTRING (I already know this one) IA5STRING T61STRING Can anyone give me a hint to where these strings are defined? TIA Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED]

How to make a CA signed certificate (in code)

2001-02-16 Thread Hellan,Kim KHE
Hi I'm trying to make a CA signed certificate. I already have composed/loaded all of the following "parts" for the certificate: EVP_PKEY* pCAKey; /* CA private key */ X509* pCACert; /* CA root certificate */ X509_NAME* pX509Subject;/* Certificate subject */ EVP_PKEY* pPubK

Can I change to

2001-02-16 Thread Hellan,Kim KHE
When OpenSSL saves text files (like PEM files) it only adds a at the end of each line. Is there any way to change this default behaviour to instead? The reason is, that this is what Windows normally uses. TIA Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED]

SV: More X.509v3 extension problems

2001-02-27 Thread Hellan,Kim KHE
>You supply the relevant certificate(s) or requests in the X509V3_CTX >structure using X509V3_set_ctx(). Works great and I finally found out what X509V3_CTX is for :-) A small "practical" problem: When creating a CA certificate I'm not sure how to add authorityKeyIdentifier to this cert, sin

SV: IIS 4.0 installing keys fails

2001-02-27 Thread Hellan,Kim KHE
>-Original message- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] >I'm running a Microsoft IIS 4.0 on NT 4.0 and I want to install keys >which I generated with openssl 0.9.6. >I used the keys in NET or unformatted TXT format. But when I enter the >password the IIS requires I get

SV: validity time

2001-03-01 Thread Hellan,Kim KHE
X509* pCert;
X509_gmtime_adj(X509_get_notBefore(pCert), 0); // Start now
X509_gmtime_adj(X509_get_notAfter(pCert), (long) 60*60*24*ulDaysValid);
Kim Hellan KMD / KMD-CA
-Original message-
From: Pablo Millet [mailto:[EMAIL PROTECTED]] Sent: 1 March 2001 14:24

SV: SMIME. Problems with Outlook

2001-03-01 Thread Hellan,Kim KHE
Hard to say without the "mail.eml" file. What is the e-mail address in the my_signature.pem certificate?   You are welcome to send me the mail.eml file and I will do some checking. Best regards Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED]   -Oprindelig

SV: How to reduce size of OpenSSL LIB file

2001-03-16 Thread Hellan,Kim KHE
Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _____________ - Original Message - From: "Hellan,Kim KHE" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, March 15, 2001 6:33 AM Subject: VS: How to redu

SV: How to reduce size of OpenSSL LIB file

2001-03-16 Thread Hellan,Kim KHE
message----- From: Hellan,Kim KHE Hi all Greg Stark: I'm sure that you gave the right solution, so I tried doing as you said. For starters I just added "no-dh no-dsa" to remove DH and DSA asymmetric ciphers. Unfortunately when compiling, this gave the following error: cl /Fo

How to duplicate an EVP_PKEY..... Dr. Henson?

2001-03-28 Thread Hellan,Kim KHE
I'm wrapping some OpenSSL functionality into C++ classes, and I have run into a slight problem. I need to duplicate an EVP_PKEY. Is that possible? There is an X509_dup(), but there is no EVP_PKEY_dup(). I checked the mailing archives and 2000-02-12 (in OpenSSL-Users), Dr. Henson answered the exac

SV: How to duplicate an EVP_PKEY..... Dr. Henson?

2001-03-28 Thread Hellan,Kim KHE
>>"Hellan,Kim KHE" wrote: >> >> I need to duplicate an EVP_PKEY. Is that possible? >> There is an X509_dup(), but there is no EVP_PKEY_dup(). >> >Ooops, I forgot about that. I guess this means that this function will be in later versions of OpenSS

SV: SV: How to duplicate an EVP_PKEY..... Dr. Henson?

2001-03-28 Thread Hellan,Kim KHE
>> >> Well... actually there is no RSA_dup() either :-).. but the following >> should work as well: >> >> EVP_PKEY* pDupKey = EVP_PKEY_new(); >> RSA* pRSA = EVP_PKEY_get1_RSA(pKey); >> EVP_PKEY_set1_RSA(pDupKey, pRSA); >> RSA_free(pRSA); >> return(pDupKey); >> >Well that will just end

SV: How to duplicate an EVP_PKEY..... Dr. Henson?

2001-03-29 Thread Hellan,Kim KHE
>> But anyway. >> Do you have any suggestions, how to properly implement the RSA_dup() >> function you suggested earlier, assuming that we are only talking software >> keys? >Well it depends on what you want to actually do. If you have an EVP_PKEY >structure and you want to be able to pass i

Bad request or OpenSSL bug

2001-08-09 Thread Hellan,Kim KHE
Below is a PKCS#10 request generated by a MS IIS 5 webserver. This request crashes OpenSSL (0.9.6) with an access violation on a Windows 2000 platform. I'm using: openssl req -inform PEM -in myreq.req -text I think I have an idea of what the problem is. This request contains an ST object in th

Reading an RSA public key

2001-08-15 Thread Hellan,Kim KHE
I'm trying to use OpenSSL (0.9.6) to read an RSA public key (PKCS#1, DER encoded). I use the following command: openssl rsa -inform DER -in publickey.der -pubin This gives the following errors: unable to load key 1404:error:0D0A0007:asn1 encoding routines:d2i_X509_ALGOR:expecting an asn1 seque

SV: Reading an RSA public key

2001-08-15 Thread Hellan,Kim KHE
>> I'm trying to use OpenSSL (0.9.6) to read an RSA public key (PKCS#1, DER >> encoded). >> I use the following command: >> openssl rsa -inform DER -in publickey.der -pubin >> >The PKCS#1 RSA public key format isn't supported on the command line. >There are however various functions that suppo

SV: Making PKCS#10 request without a private key

2001-08-19 Thread Hellan,Kim KHE
Hi >> Obviously I can't sign the request when I don't have the private key. >> So the (maybe stupid) question is: >> Is it at all possible somehow to make a PKCS#10 without a private key? >Sorry maybe I'm stupid but why can't sign request ? >Are you using RSA or memory smartcard ? The problem i

Microsoft IIS backup key format

2001-08-21 Thread Hellan,Kim KHE
Simple question. Does anyone know what format the key backup file from a MS IIS webserver is? If yes...anyone know of a tool to parse/create such a file? The binary backup file contains both the private key and the belonging certificate, but it is not PKCS#12. My guess is, that the key pr

SV: Microsoft IIS backup key format

2001-08-21 Thread Hellan,Kim KHE
>>"Hellan,Kim KHE" wrote: >> >> Does anyone know what format the key backup file from a MS IIS webserver is? >The exported stuff is NET format with some extra rubbish in there. Check >out the 'rsa' manual page for some hints on extracting the priv

RSA Digital Signature questions

2001-08-28 Thread Hellan,Kim KHE
I'm looking for an example of a "RSA Digital Signature Using Hash Function" (text followed by the signature). Does anyone know where to find a more technical description of such a signature (like the ASN.1 syntax) ? Does anyone have a sample of such a signature including the public key to verify

PKCS7_decrypt() question

2001-10-29 Thread Hellan,Kim KHE
I have a PKCS#7 of the type NID_pkcs7_enveloped. As far as I can see, this type covers both a "signed and encrypted" PKCS#7 and a PKCS#7 that just contains encrypted text (not signed). In my app. I do a: int iStatus = PKCS7_decrypt(p7, pKeyCopy, pCertCopy, bioNewP7, iFlags); This works fine...

"Verifying" an encrypted PKCS#7

2001-11-30 Thread Hellan,Kim KHE
Hi If I have a PKCS#7 that is only encrypted (pkcs7_enveloped) , how can I then be sure of the integrity of the data? With a signed PKCS#7 you can verify the signature, but what if there is no signature. Does the PKCS#7 format itself make it impossible to tamper with such an encrypted "blob" or i

Getting RSA key as an encrypted and B64 encoded string

2002-01-21 Thread Hellan,Kim KHE
Hi I have an RSA private key in a EVP_PKEY structure. I need to get the RSA "blob" out of the EVP_PKEY, encrypt it (EVP_des_ede3_cbc) and Base64 encode it. Basically I need something like what the PEM_write_PrivateKey() function does, except my destination is memory, not a file and I don't want t

crlDistributionPoints....how to get values?

2002-02-13 Thread Hellan,Kim KHE
Hi I have a certificate with a crlDistributionPoint extension. Using OpenSSL terms, the extension consists of two DIST_POINT*, one of the type GEN_DIRNAME and the other of the type GEN_URI. In my code I have "parsed" these DIST_POINT* and what I end up with is a GENERAL_NAME* for each distribu

SV: crlDistributionPoints....how to get values?

2002-02-13 Thread Hellan,Kim KHE
on to return the text? Thanks, Kim -Original message- From: Dr S N Henson [mailto:[EMAIL PROTECTED]] Sent: 13 February 2002 14:36 To: [EMAIL PROTECTED] Subject: Re: crlDistributionPoints....how to get values? "Hellan,Kim KHE" wrote: > > Hi > > I have a c

Build report 0.9.7 - 20021802 - Win32

2002-02-19 Thread Hellan,Kim KHE
Building on Win2000 with Visual Studio 6 SP5. Building with the latest snapshot: openssl-0.9.7-stable-SNAP-20020218.tar.gz - ms/do_nasm.bat produces warnings: >perl util\mkdef.pl 16 libeay > ms\libeay16.def Warning: AES_cfb128_encrypt does not

SV: Format of RSA public key ?

2002-05-29 Thread Hellan,Kim KHE
Sent: 29 May 2002 17:03 To: OpenSSL Users Subject: Re: Format of RSA public key ? hi Kim, On Wed, 29 May 2002, Hellan,Kim KHE wrote: > Hi > > When I use OpenSSL to extract 1024 bit RSA public keys to a binary file, I get a 162 >byte file with the following ASN.1 structure: > >

SV: Format of RSA public key ?

2002-05-30 Thread Hellan,Kim KHE
c key ? On Thu, May 30, 2002 at 08:59:59AM +0200, Hellan,Kim KHE wrote: > Hi Vadim > > I should have been more specific. > I know it is modulus and public exponent, but what I'm looking for is some OpenSSL >function to load this key into a EVP_PKEY structure. > > Any

SV: Format of RSA public key ?

2002-05-30 Thread Hellan,Kim KHE
> Great! > It works fine. When I got your mail I was just getting ready to test this function. > This public key I have loaded, shall be used to verify a signature. > I have the signature as a 128 byte binary blob. > > I have been looking at the RSA_public_decrypt() function, but I'm not quite su

SV: Format of RSA public key ?

2002-05-30 Thread Hellan,Kim KHE
>RSA_public_decrypt() does return 35 bytes of something that I don't >know what is. Maybe a hash and some information about the hash algorithm? >I don't know how to "decode" this returned binary blob? >One should know signature details. It's hard to guess what >is 35-bytes-size object. It's not S

Cert request on IIS 5...PKCS#7 :-(

2002-06-13 Thread Hellan,Kim KHE
For whatever stupid reason, MS has decided that a "renew certificate" on a MS IIS5, Windows 2000 SP1, should result in a request in PKCS#7 format. It looks like a normal PKCS#10 request in PEM with - BEGIN NEW CERTIFICATE REQUEST - . . - END NEW CERTIFICATE REQUEST - heade

SV: 3DES encryption...newbie

2002-08-13 Thread Hellan,Kim KHE
-- From: Mariusz Jedrzejewski [mailto:[EMAIL PROTECTED]] Sent: 12 August 2002 16:02 To: Hellan,Kim KHE Subject: Re: 3DES encryption...newbie On Mon, Aug 12, 2002 at 03:39:13PM +0200, Hellan,Kim KHE wrote: > Hi Hi, > > I haven't worked with symmetric encryption, so this may be a simple proble

Load RSA key from basic components (MS .NET)

2002-11-04 Thread Hellan,Kim KHE
In MS .NET, an RSA key can be saved to an XML file like this: 7M85MCazFZv2ro3mqje85mEsh6mb. AQAB M85MCazFZv.. I have no problem in creating such an XML format from an OpenSSL RSA* structure. But how do I create an RSA* from this XML? I can easily load the XML, strip the Base64 en

SV: Generating keys from password

2002-11-26 Thread Hellan,Kim KHE
Thanks, That's the standard I have been looking for. If anyone has any sample code (C/C++) that implements a "GetKeyAndIVFromPassword()" function, please let me know. TIA, Kim Hellan -Original message- From: Martin Witzel [mailto:[EMAIL PROTECTED]] Sent: 26 November 2002 14:09 Ti