[openssl-users] Ed25519 and X.509

2018-07-27 Thread Felipe Gasper
Hi all, Are there yet OIDs for Ed25519-signed X.509? I know about the drafts for the key format but am not aware of actual OIDs to identify the signature hash algorithm. Thank you! -F

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
On 07/27/2018 01:44 PM, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, July 27, 2018 11:52 And once you have done all that work to protect the cryptographic library, the CPU vulnerability still allows the attacker to o

Re: [openssl-users] Errors on EndEntity cert generation

2018-07-27 Thread Robert Moskowitz
On 07/27/2018 01:26 PM, Viktor Dukhovni wrote: On Jul 27, 2018, at 1:20 PM, Robert Moskowitz wrote: On 07/27/2018 01:14 PM, Viktor Dukhovni wrote: On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote: Error Loading extension section server_cert 3065065488:error:0E06D06C:configuration file r

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jakob Bohm > Sent: Friday, July 27, 2018 11:52 > > And once you have done all that work to protect the cryptographic > library, the CPU vulnerability still allows the attacker to observe > the non-cryptographic applica

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Jakob Bohm
On 27/07/2018 16:20, Michael R. Hines via openssl-users wrote: On 07/27/2018 09:12 AM, Michael Wojcik wrote: We're trying to decide if we can avoid disabling hyperthreading, as our measurements show that the performance losses (even with integer workloads) are significant. Might anyone be ab

Re: [openssl-users] Errors on EndEntity cert generation

2018-07-27 Thread Viktor Dukhovni
On Jul 27, 2018, at 1:20 PM, Robert Moskowitz wrote: > > On 07/27/2018 01:14 PM, Viktor Dukhovni wrote: >> >>> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote: >>> >>> Error Loading extension section server_cert >>> 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no

Re: [openssl-users] Errors on EndEntity cert generation

2018-07-27 Thread Robert Moskowitz
On 07/27/2018 01:14 PM, Viktor Dukhovni wrote: On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote: Error Loading extension section server_cert 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn 30650

Re: [openssl-users] Errors on EndEntity cert generation

2018-07-27 Thread Viktor Dukhovni
> On Jul 27, 2018, at 1:07 PM, Robert Moskowitz wrote: > > Error Loading extension section server_cert > 3065065488:error:0E06D06C:configuration file routines:NCONF_get_string:no > value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn > 3065065488:error:0E06D06C:configuration fi

[openssl-users] Errors on EndEntity cert generation

2018-07-27 Thread Robert Moskowitz
The hits just keep on coming.  Made my cert req,    openssl req -config $dir/openssl-intermediate.cnf\    -key $dir/private/$serverfqdn.key.$format \    -subj "$DN" -new -out $dir/csr/$serverfqdn.csr.$format DN='/C=US/ST=MI/L=Oak Park/O=HTT Consulting' then tried to make the cert with:

Re: [openssl-users] Intermediate cert file failure

2018-07-27 Thread Robert Moskowitz
On 07/27/2018 12:35 PM, Viktor Dukhovni wrote: On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote: 3064446992:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79: variable lookup failed for CA_default::default_md 3064446992:error:0E06D06C:configuration file rou

Re: [openssl-users] Intermediate cert file failure

2018-07-27 Thread Viktor Dukhovni
> On Jul 27, 2018, at 11:25 AM, Robert Moskowitz wrote: > > 3064446992:error:2006D080:BIO routines:BIO_new_file:no such > file:crypto/bio/bss_file.c:79: > variable lookup failed for CA_default::default_md > 3064446992:error:0E06D06C:configuration file routines:NCONF_get_string:no > value:cry

[openssl-users] Intermediate cert file failure

2018-07-27 Thread Robert Moskowitz
on a default_md error:    openssl req -config $cadir/openssl-root.cnf\    -key $dir/private/intermediate.key.$format \    -keyform $format -outform $format -subj "$DN" -new\    -out $dir/csr/intermediate.csr.$format format=pem    openssl rand -hex $sn > $dir/serial # hex 8 is minimu

Re: [openssl-users] ed25519 self-signed root cert

2018-07-27 Thread Robert Moskowitz
On 07/27/2018 10:43 AM, Viktor Dukhovni wrote: On Jul 27, 2018, at 10:36 AM, Robert Moskowitz wrote: Anyway error on the next step: # openssl req -config $dir/openssl-root.cnf\ -set_serial 0x$(openssl rand -hex $sn)\ -keyform pem -outform pem\ -key $dir/private/ca.key.pem

Re: [openssl-users] ed25519 self-signed root cert

2018-07-27 Thread Viktor Dukhovni
> On Jul 27, 2018, at 10:36 AM, Robert Moskowitz wrote: > > Anyway error on the next step: > > # openssl req -config $dir/openssl-root.cnf\ > > -set_serial 0x$(openssl rand -hex $sn)\ > > -keyform pem -outform pem\ > > -key $dir/private/ca.key.pem -subj "$DN"\ > > -new -x50

[openssl-users] ed25519 self-signed root cert

2018-07-27 Thread Robert Moskowitz
genpkey worked without those options.  I am going to have to look at the RFC again, as there are different types of ed25519 certs, but how will that work out in openssl?  I will have to remember back to a conversation I had at IETF 100... Anyway error on the next step: # openssl req -config

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
On 07/27/2018 09:12 AM, Michael Wojcik wrote: We're trying to decide if we can avoid disabling hyperthreading, as our measurements show that the performance losses (even with integer workloads) are significant. Might anyone be able to comment on this particular type of attack in OpenSSL? Ce

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael Wojcik
> From: Michael R. Hines [mailto:mrhi...@digitalocean.com] > Sent: Friday, July 27, 2018 07:48 > > > On 07/27/2018 08:35 AM, Michael Wojcik wrote: > > > > (I'm only commenting on TLBleed here because I'm not sure what you > > mean by "non-constant-time attack". TLBleed isn't a timing side channel,

Re: [openssl-users] genpkey for ed25519

2018-07-27 Thread Tomas Mraz
On Fri, 2018-07-27 at 09:44 -0400, Robert Moskowitz wrote: > Here we go again with figuring out what to put in the command > lines. > Dr. Google is not giving up enough answers. > > For ecdsa I started with: > > openssl genpkey -aes256 -algorithm ec\ > -pkeyopt ec_paramgen_curve:prime256v1\ >

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
On 07/27/2018 08:35 AM, Michael Wojcik wrote: Our team is trying to get an accurate understanding of whether or not cryptographic libraries are vulnerable to the kind of non-constant-time attack used by exploits such as the one recently documented here: https://www.vusec.net/wp-content/uploads/

[openssl-users] genpkey for ed25519

2018-07-27 Thread Robert Moskowitz
Here we go again with figuring out what to put in the command lines.  Dr. Google is not giving up enough answers. For ecdsa I started with: openssl genpkey -aes256 -algorithm ec\  -pkeyopt ec_paramgen_curve:prime256v1\  -outform pem -pkeyopt ec_param_enc:named_curve\  -out $dir/private/ca.key.p

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Michael R. Hines via openssl-users > Sent: Thursday, July 26, 2018 14:49 > > Our team is trying to get an accurate understanding of whether or not > cryptographic libraries are vulnerable to the kind of non-constant-tim

Re: [openssl-users] EDDSA support yet?

2018-07-27 Thread Robert Moskowitz
On 07/26/2018 11:59 AM, Tomas Mraz wrote: On Thu, 2018-07-26 at 10:33 -0400, Robert Moskowitz wrote: On 07/26/2018 10:19 AM, Tomas Mraz wrote: On Thu, 2018-07-26 at 10:10 -0400, Robert Moskowitz wrote: On 07/26/2018 10:07 AM, Viktor Dukhovni wrote: On Jul 26, 2018, at 9:01 AM, Robert Moskow

[openssl-users] pkcs11 engine private key loading

2018-07-27 Thread Pavel Löbl
I've already posted this to the opensc mailing list but I'm not really sure where the problem is. So I'll also try my luck here. I'm writing an application which decrypts SMIME messages using a smart card. I used the source code of the openssl cms command as reference. I'm able to decrypt already; however, I face the fol