Plans for DANE TLSA (RFC 6698) support in 1.0.2?

2013-07-03 Thread Viktor Dukhovni
On the IETF dane mailing list I reported some issues with the initial DANE TLSA implementation in the OpenSSL 1.0.2 development branch. Are there any plans to address these? Who should I reach out to move this forward? http://www.ietf.org/mail-archive/web/dane/current/threads.html#05712 --

New engine - remote PKCS#11 (remote smartcard)

2013-07-03 Thread Roberto Spadim
Hi guys, i want to develop a new engine... maybe it exists and i don't know... here the description of project (not low level description, just raw idea): (1) a client side program, that configure what smart cart will be used, the remote server to connect (2) a server side program that will listen

Re: bn_mul_mont_fpu multiply-defined error

2013-07-03 Thread Zeke Evans
I built the FIPS module as specified in the User Guide (only using ./config). The 'bn_mul_mont_fpu' multiply-defined error only occurs when building the fips capable code when using the 'shared' option (I only tested 1.0.1e and 1.0.1c). I don't think there is anything wrong with the FIPS module b

RE: bn_mul_mont_fpu multiply-defined error

2013-07-03 Thread Porter, Andrew
>From the User Guide for the OpenSSL FIPS Object Module v2.0, section 3.2: "note the ./config 'shared' option is forbidden by the terms of the validation when building a FIPS validated module, but the fipscanister.o object module can be used in a shared library." -Original Message- From

bn_mul_mont_fpu multiply-defined error

2013-07-03 Thread Zeke Evans
I get an error building a fips capable shared object on sparc64. ./config fips shared make depend make ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined: (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file libcrypto.a(sparcv9a-mont.o) type=FUNC); ld: fatal: file processing err

bn_mul_mont_fpu multiply-defined error building sparc64 fips capable shared object

2013-07-03 Thread Zeke Evans
I get an error building a fips capable shared object on sparc64. ./config fips shared make depend make ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined: (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file libcrypto.a(sparcv9a-mont.o) type=FUNC); ld: fatal: file proce

Convert raw format ecdsa sha384 csr signature into ASN1 format

2013-07-03 Thread Lamhaut Philippe-BPL002
I have a 96 bytes long ecdsa signature created with sha384 algorithm by a smart card in raw format.It is composed of two 48 bytes long integers r and s. The ecdsa signature is in a buffer pointed to by sign_ptr. I'm converting the raw format signature into buf_out in ASN1 format with this functi

Error "already loaded" when starting an Apache with a nCipher "CHIL" hardware

2013-07-03 Thread Clement Sudron
Hi everybody, I want to use Apache (v1.3.39), mod_ssl (v2.8.30), OpenSSL (v0.9.8y) with a nCipher card but when I start it, I have the following error message: [error] OpenSSL: error:81067064:CHIL engine:HWCRHK_INIT:already loaded [error] OpenSSL: error:260B806D:engine routines:ENGINE_TABLE_REGIS

Re: Convert raw format ecdsa sha384 csr signature into ASN1 format

2013-07-03 Thread Dr. Stephen Henson
On Wed, Jul 03, 2013, phildoch wrote: > I have a 96 bytes long ecdsa signature created with sha384 algorithm by a > smart card in raw format.It is composed of two 48 bytes long integers r and > s. The ecdsa signature is in a buffer pointed to by sign_ptr. I'm converting > the raw format signature

Re: openssl produces invalid signature when run as www-data!

2013-07-03 Thread Lukas Haase
On 2013-07-02 21:43, Dave Thompson wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of Lukas Haase >> Sent: Monday, 01 July, 2013 09:40 > >> I am facing a very strange problem here: openssl successfully creates >> signatures but when run by www-data, the signatures are invalid! All >> fil

need to modifying the CN field of CERT subject name

2013-07-03 Thread Sanjay Kumar (sanjaku5)
Hi All, I have a requirement to get unique certificate for each user. To achieve that I am modifying the CN field of CERT subject name by appending the user index to CN field. Eg. If CN=sanjay For userIndex 1, I want to modify it like CN=sanjay01, considering the user count to 1

Re: KDF algorithms

2013-07-03 Thread Matthew Donald
Ansi X9.63 is pretty trivial to implement using the OpenSSL libraries - less than a days work. The algorithm is defined in SEC1 ยง3.6.1. >From memory, the main logic was only around 50LOC, with another 50-100LOC wrapping various library calls. There's not m

KDF algorithms

2013-07-03 Thread Aaron
Hi All, I am working on a product using Certicom KDF function. In fact, we use HU_KDF_IEEE_KDF1_SHA1 and HU_KDF_ANSI_SHA256 only. The function hu_KDFDerive() has an argument specifying which KDF algorithm to use to compute a cryptographic key. This is referred to as a key derivation algorithm

Convert raw format ecdsa sha384 csr signature into ASN1 format

2013-07-03 Thread phildoch
I have a 96 bytes long ecdsa signature created with sha384 algorithm by a smart card in raw format.It is composed of two 48 bytes long integers r and s. The ecdsa signature is in a buffer pointed to by sign_ptr. I'm converting the raw format signature into buf_out in ASN1 format with this function