had to implement the interface...).
Thank you for your help and have a wonderful day!
Cheers,
Max
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
Is there a way to list the ciphers supported when using EnvelopedData ?
Cheers,
Max
the encryption
algorithm from the EnvelopedData/EncryptedContentInfo (I cannot find
the helper function...)?
Cheers,
Max
for any help for understanding all these details... :D
Cheers,
Max
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl
the same values that does not depend on the type or size of the
keys ? Is the 24 Bytes a constant size or ... ? Is there any
documentation that would help me... ?
Cheers,
Max
Hi Jan,
not sure if this might help you, I solved the problem by using
X509_PUBKEY + i2d_X509_PUBKEY. Here's an example:
https://github.com/openca/libpki/blob/b87b647170cb5f71e00baffe609f5a02edfa3845/src/openssl/pki_keypair.c#L307
I hope that helps,
Cheers,
Max
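The two messages above touch the same DER plumbing: i2d_X509_PUBKEY writes a SubjectPublicKeyInfo, and the content-encryption algorithm of a CMS EnvelopedData sits in EncryptedContentInfo.contentEncryptionAlgorithm; both are AlgorithmIdentifier SEQUENCEs. The following is an added example, not code from this thread, from OpenCA or from libpki: a stdlib-Python DER walker that pulls the algorithm OID out of both structures. The OIDs are the standard rsaEncryption, id-data, id-envelopedData and aes256-CBC values; the sample inputs are constructed here with a small encoder, and the RSA key and recipient fields in them are placeholder bytes, not real key material.

```python
"""Minimal DER walker: algorithm OID from a SubjectPublicKeyInfo and from a
CMS EnvelopedData.  Added example; stdlib only, samples are constructed."""

ID_DATA = "1.2.840.113549.1.7.1"            # id-data
ID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"  # id-envelopedData
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"     # rsaEncryption
AES256_CBC = "2.16.840.1.101.3.4.1.42"      # aes256-CBC

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Encode one DER TLV; only used to build the constructed samples below."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last base-128 digit has no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def children(body):
    """Split the body of a constructed TLV into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def algorithm_identifier(seq_body):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    items = children(seq_body)
    if not items or items[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    params = items[1][1] if len(items) > 1 else None
    return decode_oid(items[0][1]), params

def spki_algorithm(der):
    """Algorithm OID of a SubjectPublicKeyInfo (the DER i2d_X509_PUBKEY writes)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg, bits = children(body)[:2]
    if bits[0] != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return algorithm_identifier(alg[1])[0]

def enveloped_content_encryption(der):
    """(inner content type, content-encryption OID, parameters) of a CMS
    ContentInfo carrying EnvelopedData.  The optional [0] originatorInfo is
    skipped by locating the recipientInfos SET instead of counting fields."""
    _, ci, _ = read_tlv(der)
    ctype, content = children(ci)[:2]
    if decode_oid(ctype[1]) != ID_ENVELOPED_DATA:
        raise ValueError("not an EnvelopedData ContentInfo")
    _, ed_body = children(content[1])[0]          # [0] EXPLICIT EnvelopedData
    items = children(ed_body)
    set_idx = next((i for i, (t, _) in enumerate(items) if t == 0x31), None)
    if set_idx is None:
        raise ValueError("recipientInfos SET not found")
    eci = children(items[set_idx + 1][1])          # EncryptedContentInfo
    alg_oid, params = algorithm_identifier(eci[1][1])
    return decode_oid(eci[0][1]), alg_oid, params  # params = CBC IV here

def sample_spki():
    """Constructed RSA SubjectPublicKeyInfo; modulus/exponent are dummy bytes."""
    rsa_key = tlv(0x30, tlv(0x02, b"\x00\xc1" + b"\x11" * 30) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, encode_oid(RSA_ENCRYPTION) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))

def sample_enveloped_data(iv=bytes(range(16))):
    """Constructed ContentInfo/EnvelopedData with one dummy KeyTransRecipientInfo."""
    ktri = tlv(0x30, tlv(0x02, b"\x00")                                 # version
                 + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))       # IssuerAndSerialNumber
                 + tlv(0x30, encode_oid(RSA_ENCRYPTION) + tlv(0x05, b""))
                 + tlv(0x04, b"\x00" * 8))                              # encryptedKey (dummy)
    eci = tlv(0x30, encode_oid(ID_DATA)
                 + tlv(0x30, encode_oid(AES256_CBC) + tlv(0x04, iv))    # contentEncryptionAlgorithm
                 + tlv(0x80, b"\xde\xad\xbe\xef" * 4))                  # [0] IMPLICIT encryptedContent
    ed = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, ktri) + eci)
    return tlv(0x30, encode_oid(ID_ENVELOPED_DATA) + tlv(0xA0, ed))

if __name__ == "__main__":
    print("SPKI algorithm:", spki_algorithm(sample_spki()))
    print("EnvelopedData:", enveloped_content_encryption(sample_enveloped_data()))
```

In real code the same walk is what CMS_get0_eContentType() and the EncryptedContentInfo accessors do for you; the point of doing it by hand is to see where the OID lives and why the recipientInfos SET, not a fixed offset, is the right landmark when originatorInfo is present.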
On 3/21/18 1:42 PM, Jan
Hi Viktor,
A... that is why :D I wrongly assumed that the newly created
parameters would hold the same initialization. This approach works!
Thanks again!
Cheers,
Max
On 12/11/17 5:45 PM, Viktor Dukhovni wrote:
On Dec 11, 2017, at 7:35 PM, Dr. Pala <madw...@openca.org>
Hi Viktor,
does it matter that we are not in the TLS case (maybe the code is
different in the SSL_CTX)? I am just trying to validate the chain with
the TA set to the SubCA... :D
IMHO, the correct (or, better, the expected) behavior (from a
developer's standpoint) would be to trust keys in
Hi Viktor,
On 12/11/17 4:18 PM, Viktor Dukhovni wrote:
[...]
Perhaps you ended up creating a parameter structure with a
depth limit that's too small. Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be. In fact you generally get shorter
chains.
... any suggestion on how to fix this ? Do you think it is actually a
bug ? ... or am I missing some other configs / setting I should have
done for the verify param ?
Cheers,
Max
On 12/11/17 3:18 PM, Viktor Dukhovni wrote:
On Dec 11, 2017, at 5:06 PM, Dr. Pala <di
rusted stack or not...
Maybe there are flags / trust settings that can be used instead ?
Cheers,
Max
Hi all,
does anybody know if there are downloadable binaries of openssl-fips
and/or openssl-fips-ecp (2.0.16 or earlier) for Windows ?
Cheers,
Max
the
envisioned approach (maybe introducing an intermediate data structure of
some kind..?) or use the ASN1_ANY approach.
Cheers,
Max
On 12/2/17 4:54 AM, Richard Levitte wrote:
In message <d1eeba62-f25f-c984-dc77-94a150cf7...@openca.org> on Fri, 1 Dec 2017 20:22:09 -0700,
"Dr.
:14:54 -0700,
"Dr. Pala" <direc...@openca.org> said:
director> I am trying to define an ASN1 structure similar to this:
director>
director> ASN1_SEQUENCE(TEST) = {
director> ASN1_SIMPLE(TEST, version, ASN1_INTEGER),
director> ASN1_EXP_SEQUENCE_OF_OP
plaintext before
encrypting it (e.g., XOR with the block number ?).
Thanks,
Max
P.S.: I am cross-posting the message also to dev as this might have
better chances to get an answer there... ?
On 4/6/16 10:54 AM, Dr. Pala wrote:
Hi all,
I am trying to solve a particular problem related t
Pala, PhD
Director at OpenCA Labs
twitter: @openca
effort.
Any comments and feedback are welcome (positive and negative alike).
Cheers,
Max
Forwarded Message
Subject:[saag] Standard Crypto API + Symmetric Crypto At Rest
Date: Sat, 7 Nov 2015 22:30:35 +0900
From: Massimiliano Pala <direc...@openca.org>
r solution will be indexed and pop right up on search engines in the future.
Thanks!
Sent from my mobile
On Aug 31, 2015, at 7:10 PM, Massimiliano Pala <direc...@openca.org> wrote:
Hi all,
I actually figured it out, if anybody is curious about the solution for parsing
this CRYPTLIB signature envelo
Hi all,
I actually figured it out, if anybody is curious about the solution for
parsing this CRYPTLIB signature envelope (in this case DSA) - write to
me directly, I will be happy to share the solution.
Cheers,
Max
On 8/29/15 6:56 PM, Massimiliano Pala wrote:
Hi all,
I am trying to parse
Hi all,
I am trying to parse a sequence that has, after an integer, a 'private'
(xclass) item. I was wondering what is the right templates / macros to
be able to generate the ASN1 functions with the usual macro. An example
of the structure I have to parse (B64 - DER), is the following:
Hi all,
I am working on an application that would use DH to allow exchanging
symmetric keys (not a TLS app), and we noticed that we could use two
different approaches to generate the parameters.
The first option is to use the DH_generate_parameters_ex() +
DH_generate_key() - but that takes
instead of pthread ones?)
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org
project.mana
What I would expect is that, in the second case, I would get
notified that the certificate is not trusted...
Cheers,
Max
On 06/18/2010 05:04 PM, Peter Sylvester wrote:
On 06/18/2010 01:57 AM, Massimiliano Pala wrote:
Hi all,
I have two issues when I am trying to verify the certificates from
Hi Sander,
I definitely did - now I do initialize all the static locks in OpenSSL *and* the
dynamic functions. But they are never called by CHIL - the assert fails and
the SIGABRT is sent to my daemon, forcing it to exit.
For some reason it seems the dynamic locking functions do not function
I just installed the patched version - but no changes in the behavior.. I
will try to inspect the `disable_mutex_callbacks`.. but if that is the case,
how shall I fix it ???
Later,
Max
file with
the code for OpenSSL and pthreads, both static and dynamic locks..
Shall we include it into OpenSSL ?
void OpenSSL_pthread_init( void );
.. that would make it more usable for the average developer! :D
Later,
Max
Sander Temme wrote:
On Nov 21, 2008, at 8:50 AM, Max Pala
Hello Przemek,
thanks for the advice - I already tried to use a mutex to protect the
OCSP_basic_sign(), but I wanted to avoid it as this will just use only one
thread at a time. It seems that nCipher is best used with a simple fork()
daemon... if it wasn't for the shared memories,
:33 Massimiliano Pala wrote:
Hi David,
that is really nice.. although.. after I gave it a try... it does not
really work :(
Actually, it seems that the dynamic functions are never called... :(
Investigating...
The attached example seems to work. I put it in the top-level directory
of the (built
Sander Temme wrote:
/opt/nfast/toolkits/openssl/openssl098e-patch.txt
I found a 'openssl098-patch.txt' is that ok ?
Should apply cleanly to newer versions of OpenSSL, with patch -p1. It
creates a static lock for CHIL to use so it doesn't need the dynamic
ones available.
It did.
0x08085558 in ?? ()
#31 0x0010 in ?? ()
#32 0x in ?? ()
Any Idea ???
Later,
Max
to do that by using pthreads ?
Ciao,
Max
Sander Temme wrote:
On Nov 19, 2008, at 11:24 PM, Max Pala wrote:
The software that I am writing is a multi-threaded OCSP responder.
Please make sure you initialize the engine correctly, and set up your
locking callbacks before you actually
[remember].inuse 0' failed.
Anybody has experienced problems with this HSM on Linux + pThread ?
Cheers,
Max
Hello Sander,
The software that I am writing is a multi-threaded OCSP responder.
Sander Temme wrote:
What software are you running that makes the calls into OpenSSL?
No docs, but there is working code here:
https://www.openca.org/projects/ocspd/
Best,
Max
Quoting Brian Smith [EMAIL PROTECTED]:
Does anyone know of any substantial documentation/coding examples that may
be available (similar to the Networking with OpenSSL book) for using OpenSSL
as an
in a smartcard) but with the public
key only?
Hello,
thanks :) That was the problem.. I was initializing the library on the
server but not on the client.
Thanks again!
Later,
Max
Marek Marcola wrote:
Do you have OpenSSL library initialized ?
Look at man page for SSL_library_init.
at prqp_bio.c:92
Can anyone help me? It is quite strange behavior -- I am missing something,
but I have no idea *what* I am missing
Later,
Max
8otOQZ1gzPDDK53cIbF609hFMoaWmq2e36rIGUHWOl126xu0iKKe8H7HcsqZARf/
NJP9RLofeibFp7gOhO7YjgD6z5ioAjAA
-END PRQP RESPONSE-
MMm... another error in the ASN1 definition ? Any idea ?
Later,
Max
the X509_signature_print() I get no errors on both the
server and the client...
for serving up CRL's of
this size and bigger? Is there anyone doing this succesfully?
There is no problem with CRLs that size; indeed we successfully use OpenLDAP
with CRLs which are 50MB+ in size...
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)11 564 7081
http://security.polito.it
is
always 0. Any thoughts?
If this is the case, use the '-set_serial' option.
more info ?
Thank you, bye.
--
C'you,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)59 270 094
http
recently with all major email clients available
gave completely different results. Multiple emailAddress entries were not
supported while multiple email within subjectAltName usage was supported
(not by M$ client).
--
C'you,
Massimiliano Pala
in the subjectAltName extension.
Multiple emailAddress, anyway, within the DN should be avoided as this
format is against the standard and does not add any value over the subjAltName
extension usage :-D
--
C'you,
Massimiliano Pala
--
C'you,
Massimiliano Pala
--o-
Dr. Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
Tel.: +39 (0)59 270 094
http://www.openca.org
pieces for its verification.
Usually there is no preferred format because once loaded you actually use
its internal representation of the certificate... my suggestion: if you
have DER just use it and forget the PKCS7 - you don't need it to simply
manage a certificate.
--
C'you,
Massimiliano Pala
The easiest way, and most supported by current clients, is to establish a
Root CA issuing certificates for sub CAs (hierarchy). It will be possible
to recognize and validate sig/certs from the whole chain as the same root
is trusted.
--
C'you,
Massimiliano Pala
but you can sign the request, in this case, for later verification.
--
C'you,
Massimiliano Pala
within the request.
This is also logical because if you alter the request then it is no more
valid to verification and you cannot state the authenticity of the request.
--
C'you,
Massimiliano Pala
it is usually a .pem formatted file
(certificate).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Deepak Taneja wrote:
Hello,
Can anybody tell me which algorithm is used to generate the
client public and private keys?
Usually RSA with MD5; anyway, you can try DSA as well.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
file changing the 'R' into 'E' - setting it to expired
instead of revoked.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
correctly import it
and recognize it is the same certificate (try to display it and you'll
get an idea of what I am saying).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
. This almost depends on the
crypto layer you are using and policies you are following.
If you simply renew the same key-pair just use the old request, but
keep in mind that it is a good policy to renew all keys in a 2 years
period...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
en I get
some spare time, I will re-post some messages to the ietf-pkix working group -
hopefully I have enough time to submit an rfc... (??) - who knows ...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
a certificate expiring after 30 days. If you still
want to use it, simply renew it...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
certificate not server name or identical to CA!?]
Do you use the CA certificate for your server? Did you set the CN= field
in the Subject equal to the server address (e.g. www.yoursite.com)?
C'you,
Massimiliano Pala
I think the discussion should be continued on another mailing list :-D This is
really OT, here (sorry people) ...
If you can/want to continue discussing it, please subscribe to
[EMAIL PROTECTED]
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
e projects... :-D
I know they are rebuilding the hierarchy's root keys... we are waiting to get
one CA key to use... :-D
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
es/CAs/etc...
Another way of avoiding the problem is: before applying for a request, the
user is asked to import the certificate just before submitting data (required).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
.)
I think you got the point (not only for free CAs): real problems, by now, are
the policy definitions and organizational issues, rather than crypto/software
ones.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
"James B. Huber" wrote:
Yes,
But I've never been able to do https with it.
Please, try now.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
of it is the knowledge of the CA's password, simply ask for
it once, then the program will use that in every "challenge" section
(see the ca command about the challenge function... ).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to trust or not the connection: I mean they are not presented with
warnings and so on...
You should report it as a bug to the Netscape people.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
ed CRLs ...
I don't know if I got your point, I hope so.
C' you,
Massimiliano Pala ([EMAIL PROTECTED])
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
. Anyway, I don't think it would be very wise to allow
anyone to mark certificates as revoked. Patching the code does
not require much work, but I don't think it should be done.
This is my opinion, what the other OpenSSL people think about this ???
C'you,
Massimiliano Pala ([EMAIL
be able do revoke certificates.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to most of the available applications.
I suggest you to consider some other form of certificate validity such as
OCSP, SCVP available on the ietf pages (and mailing lists) (www.ietf.org).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
visit our web site where you will find any information on
how to send your comments to us.
Massimiliano Pala
([EMAIL PROTECTED])
s personal and may not be shared.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Massimiliano Pala ([EMAIL PROTECTED])
openssl-SNAP-19990907-ocsp.tar.gz
? Could that be
the public key itself contained in the SPKAC?
Again, thank you for making it public, it's a great help :)
Are you kidding? First rule of the Net: you give one and get 100 in return!
I'm happy if I can share my (poor) knowledge with someone else...
C'you,
Massimiliano Pala
$ ./createindex $index_file_name $number_of_entries
Then to check it simple use:
$ openssl ca -status $hex_serial_num_of_a_certificate
The ca program should work fine. Try it and please report any
bug in the patches. Thanks.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
#!/usr/bin/perl
my
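The createindex script and `openssl ca -status` above both operate on the ca database file, index.txt, and an earlier message in this listing suggests editing that file by hand to turn an 'R' into an 'E'. As an added example, not the thread's createindex script nor OpenSSL's own code, here is a stdlib-Python reader for that file that answers the same question as `openssl ca -status <serial>` and applies the valid-to-expired flip that `openssl ca -updatedb` performs. The layout is the one documented for ca(1): status, expiry, revocation date with an optional ",reason", serial in hex, filename, subject, tab-separated. The sample records are constructed for this example; comparing serials numerically (so "2" matches "02") is a convenience of this script, not something the ca tool promises.

```python
"""Reader for the openssl ca database (index.txt).  Added example; the
sample records below are constructed, not taken from a real CA."""

from datetime import datetime

# Constructed sample database, same layout as openssl's index.txt.
INDEX_SAMPLE = (
    "V\t301231235959Z\t\t01\tunknown\t/C=IT/O=Example/CN=alice\n"
    "R\t301231235959Z\t240301120000Z,keyCompromise\t02\tunknown\t/C=IT/O=Example/CN=bob\n"
    "V\t200101000000Z\t\t03\tunknown\t/C=IT/O=Example/CN=carol\n"
    "E\t190101000000Z\t\t0A\tunknown\t/C=IT/O=Example/CN=dave\n"
)

STATUS_NAMES = {"V": "valid", "R": "revoked", "E": "expired"}

def parse_time(stamp):
    """ca writes YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt)

def parse_index(text):
    """Parse index.txt into a list of dict records; rejects malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in STATUS_NAMES:
            raise ValueError(f"index.txt line {lineno}: malformed record")
        status_code, expiry, revoked, serial, filename, subject = fields
        rev_time, reason = None, None
        if revoked:                                  # "date" or "date,reason"
            stamp, _, reason = revoked.partition(",")
            rev_time, reason = parse_time(stamp), (reason or None)
        entries.append({
            "status": status_code,
            "expiry": parse_time(expiry),
            "revoked": rev_time,
            "reason": reason,
            "serial": int(serial, 16),               # numeric: "2" == "02" (this script's choice)
            "filename": filename,
            "subject": subject,
        })
    return entries

def status(entries, serial_hex):
    """Status letter for a serial, like `openssl ca -status`; None if not issued here."""
    wanted = int(serial_hex, 16)
    for e in entries:
        if e["serial"] == wanted:
            return e["status"]
    return None

def updatedb(entries, now_stamp):
    """Mark valid-but-expired records 'E', as `openssl ca -updatedb` does.
    Revoked records stay 'R' even if expired.  Returns the number flipped."""
    now = parse_time(now_stamp)
    flipped = 0
    for e in entries:
        if e["status"] == "V" and e["expiry"] <= now:
            e["status"] = "E"
            flipped += 1
    return flipped

def render(entries):
    """Write records back in index.txt layout (what you would save after updatedb)."""
    lines = []
    for e in entries:
        rev = ""
        if e["revoked"]:
            rev = e["revoked"].strftime("%y%m%d%H%M%SZ")
            if e["reason"]:
                rev += f",{e['reason']}"
        lines.append("\t".join([e["status"], e["expiry"].strftime("%y%m%d%H%M%SZ"), rev,
                                f"{e['serial']:02X}", e["filename"], e["subject"]]))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    db = parse_index(INDEX_SAMPLE)
    for serial in ("01", "02", "03", "FF"):
        print(serial, STATUS_NAMES.get(status(db, serial), "not issued by this CA"))
    print("flipped to E:", updatedb(db, "240601000000Z"))
    print(render(db), end="")
```

Note that editing a record's status letter by hand, as the earlier message describes, is exactly what updatedb() does programmatically; the difference is that the script refuses malformed lines, which is what protects the ca tool from a hand edit that drops a tab.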
Dr Stephen Henson wrote:
The people at OpenCA have developed a patch to ca that enables this behavior,
but there is no official 0.9.4 patch :-(
The patches are available now for the 0.9.4.
More info on http://www.openca.org
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
(because it is necessary
only when used) without this patch you should set it or
you get an error (even if it is not used). This patch
fixes this behaviour;
Enjoy the patches.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Patches to OpenSSL
and Sergio Tabanelli. I reposted this program at the end
of March (jfi).
If it would be useful i can repost it with the "chkdb"-patches.
Sure.
As I modified the ca.c file to include a "updated" version of the revoke
utility that has been included in the release, i
ape checks it for the CN
(Common Name) to be the same as the URL used. For example, if your server's
address is:
http://www.mydomain.com
then you have to issue a certificate with:
CN=www.mydomain.com, ..., C=IT
It should resolve your problem.
See you,
Massimiliano Pala ([EMAIL
On www.OpenCA.org when will be available...
See you,
Massimiliano Pala.