Re: using TLS (>1.2) with more than one certificate

2022-05-25 Thread Dirk-Willem van Gulik
On 25 May 2022, at 09:16, wrote: > I’ve a server application and need to support RSA and ECC clients at the same > time. > I don’t know which certificate from my local keystore I have to send to the > client, btw I have a rsa and a ecc certificate in my keystore already. > I don’t know with w

Re: x509v3-sign-rsa, x509v3-ssh-rsa and x509v3-rsa2048-sha256

2021-08-24 Thread Dirk-Willem van Gulik
On 24 Aug 2021, at 09:47, murugesh pitchaiah wrote: > > Hi, > > I am working on generating the x509v3 certificates for ssh user. I see > with the default_md as 'sha256', in openssl.cnf file, the > key/certificate is generated with algorithm type as 'x509v3-sign-rsa'. > > I see its signature al

Re: CMS_sign/CMS_final streaming

2021-08-05 Thread Dirk-Willem van Gulik
> On 5 Aug 2021, at 02:54, Michael Richardson wrote: > > > Dirk-Willem van Gulik wrote: >> I have very large globs of on the fly generated data that are to be >> signed and output as a base64 payload followed by a separate PKCS#7 >> package with a detach

CMS_sign/CMS_final streaming

2021-08-04 Thread Dirk-Willem van Gulik
I have very large globs of on the fly generated data that are to be signed and output as a base64 payload followed by a separate PKCS#7 package with a detached signature at the end of the transmission[1]. I’d like to avoid CMS_sign/CMS_final having to rely on a BIO_s_mem(), disk-storage or sim

Re: verify ocsp manually

2021-07-21 Thread Dirk-Willem van Gulik
Try sending that block to pbpaste| xxd -r -p | openssl asn1parse -inform DER 0:d=0 hl=3 l= 190 cons: SEQUENCE 3:d=1 hl=2 l= 52 cons: cont [ 1 ] 5:d=2 hl=2 l= 50 cons: SEQUENCE 7:d=3 hl=2 l= 11 cons: SET 9:d=4 hl=2 l= 9 cons

odd segfault / must be something obvious

2021-02-11 Thread Dirk-Willem van Gulik
I am hitting a dead end and must be missing something obvious. Below is the code - it verifies a signature. And it segfaults regularly on the PKCS7_free(p7); And I fail to understand why - and suspect it is very obvious ! Any and all help appreciated. Dw #define EXITOUT(args...) { EOUT(args);

ASN1 integer conversion - why is this correct ?

2020-08-30 Thread Dirk-Willem van Gulik
I am converting an unsigned integer (P,Q of an ECDSA 256 bit curve) from a 32 byte array (as provided by Microsoft its .NET cryptographic framework) to an ASN1_INTEGER. The steps taken are: unsigned char in[32] = .. r = BN_bin2bn(in, 32, NULL); BN_to_ASN1_INTEGER(r, as

Re: simple ASN1 sequence - not quite understanding what goes wrong

2020-08-28 Thread Dirk-Willem van Gulik
Answering my own question - I forgot the END of sequence in the macro. Functional code below. Dw. > On 28 Aug 2020, at 15:49, Dirk-Willem van Gulik wrote: > > I've got a very simple sequence of two integers that I am trying to convert to > DER. > > But I am getting an e

simple ASN1 sequence - not quite understanding what goes wrong

2020-08-28 Thread Dirk-Willem van Gulik
I've got a very simple sequence of two integers that I am trying to convert to DER. But I am getting an error or segfault in the final i2d step (length -1 for i2d_X9_62). Any advice on what is going wrong here ? With kind regards, Dw. #include #include #include #include #include #includ

Re: odd error for ECDSA key in REQ.

2020-08-08 Thread Dirk-Willem van Gulik
so3L7xuXAoSxy > vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg== > -----END PUBLIC KEY- > > > On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote: >> Below CSR gives me an odd error with the standard openssl REQ >> command: >> >>

odd error for ECDSA key in REQ.

2020-08-07 Thread Dirk-Willem van Gulik
Below CSR gives me an odd error with the standard openssl REQ command: openssl req -inform DER -noout -pubkey Error getting public key 140673482679616:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../crypto/ec/ecp_oct.c:312: 1406

Re: Private CA client cert file for iPad for a website

2020-06-25 Thread Dirk-Willem van Gulik
On 25 Jun 2020, at 17:14, Tom Browder wrote: > Can anyone tell me how to generate an acceptable client cert for an iPad? > > I have so far been unable to find out the file format needed. > > I generated client cert files for my classmates over seven years ago in p12 > format and they still wor

Non-padding & EVP

2020-04-09 Thread Dirk-Willem van Gulik
I am trying to implement a bit of Rust / Zenroom (the context is performance testing on very small devices for DP-3T privacy preserving content tracking[3]): Rust (i is 0 .. 10) let mut iv = [0u8; 16]; iv[12..16].copy_from_slice(&i.to_be_bytes()); let mut block = GenericAr

Re: 1.OU or OU.1 ?

2020-03-20 Thread Dirk-Willem van Gulik
> On 20 Mar 2020, at 22:12, Salz, Rich via openssl-users > wrote: > > The doc/man5/config.pod file says to use > 1.OU = “My first OU” > 2.OU = “My second OU” > > But doc/man5/x509v3_config.pod says to append the numeric, as in > email.1 = stev

v3_crl_reason - getting access to the various CRL reasons

2020-02-22 Thread Dirk-Willem van Gulik
I'd like to use the crl_reasons table in v3_enums.c as the single source of truth (as opposed to building this list into other tooling - because; as it skips the number 7 - is very easy to get wrong & some opensource tools do get it wrong). Now there is a i2s_ASN1_ENUMERATED_TABLE() -

Re: Create p12 from a .pem with only a private key

2020-02-19 Thread Dirk-Willem van Gulik
> On 20 Feb 2020, at 08:43, Dirk-Willem van Gulik wrote: >> On 20 Feb 2020, at 08:38, Estefania wrote: >> I would like to ask if it is possible to create a p12 just with a .pem with >> private key but not certificate. > > Try > > openssl req -x509 -subj

Re: Create p12 from a .pem with only a private key

2020-02-19 Thread Dirk-Willem van Gulik
> On 20 Feb 2020, at 08:38, Estefania wrote: > > Hi guys. > > I would like to ask if it is possible to create a p12 just with a .pem with > private key but not certificate. Try openssl req -x509 -subj /CN=foo -keyout /dev/null -nodes | openssl pkcs12 -out sample.p12 -export -certs

Re: Cloning a CSR or Cert. for a new CSR with a new key?

2020-01-31 Thread Dirk-Willem van Gulik
On 31 Jan 2020, at 01:25, Douglas Morris <dougbmor...@yahoo.com> wrote: > Interesting. I think I misunderstood this explanation about the -signkey > option: "This option causes the input file to be self signed using the > supplied private key." > > Your input has me thinking that a cer

Re: Cloning a CSR or Cert. for a new CSR with a new key?

2020-01-30 Thread Dirk-Willem van Gulik
> On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users > wrote: > > I am trying to implement automated domain certificate renewal. A certificate > signing request is sent to an ACME server and on success a certificate is > returned. I'd like to be able to call OpenSSL to make a new key

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Dirk-Willem van Gulik
> On 27 Sep 2017, at 20:02, Michael Wojcik > wrote: > >> What is the most natural way to generate private keys using openssl but >> store them on a specific hardware tokens? >> Reading/writing is implemented via engine mechanism. > > The tokens / HSMs I've used don't let you generate a key s

Re: [openssl-users] Storing private key on tokens

2017-09-27 Thread Dirk-Willem van Gulik
On 27 Sep 2017, at 14:22, Dmitry Belyavsky wrote: > What is the most natural way to generate private keys using openssl but store > them on a specific hardware tokens? Reading/writing is implemented via engine > mechanism. > > I suppose that it should be added support of -outform ENGINE to the

Comparison trickery (Was: Certificate problem - SOLVED)

2014-07-09 Thread Dirk-Willem van Gulik
On 9 Jul 2014, at 02:33, Jeffrey Walton wrote: > On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson wrote: >>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton >>> Sent: Tuesday, July 08, 2014 16:20 >> ... >>> Not sure if this is any consolation, but country

Re: Specifying specific PKCS#11 providers or keys

2014-06-04 Thread Dirk-Willem van Gulik
On 4 Jun 2014, at 10:41, Dirk-Willem van Gulik wrote: > What is the right syntax in IdentityFile to specify a specific PKCS#11 > provider or, even better, a > specific slot or key ? > > I am failing to trigger below code :) i.e. getting key

Specifying specific PKCS#11 providers or keys

2014-06-04 Thread Dirk-Willem van Gulik
Folks, What is the right syntax in IdentityFile to specify a specific PKCS#11 provider or, even better, a specific slot or key ? I am failing to trigger below code :) i.e. getting key populated right. Thanks, Dw. /* Prefer PKCS11 keys that are explicitly listed */ TAILQ_FO

[patch] Supporting smartcard readers with PIN entry keypads (updated against -HEAD)

2014-05-12 Thread Dirk-Willem van Gulik
Repost; updated for HEAD and tested on Ubuntu as well. Dw. Folks, Find below a minor patch to allow the use of smartcards in readers that have their own PIN entry keypads (Secure PIN entry) such as the SPR332 and most German/medical chipcard devices. Tested on Solaris, FreeBSD, Linux and MacOS

Re: openssl ca -revoke why need CA parm

2013-10-29 Thread Dirk-Willem van Gulik
On 28 Oct 2013, at 11:56, redpath wrote: > I would like to know why the openssl CA command to revoke a cert > (myfiletorevoke) > needs the CA cert other than the cert I want to revoke. > > openssl ca -revoke myfiletorevoke -keyfile cakey -cert cacert -passin > pass:CApass -config myconfig

smime tool, binary and verify

2013-03-06 Thread Dirk-Willem van Gulik
A simple echo foo | openssl smime -encrypt/sign | openssl smime -decrypt/verify works dandy. But was surprised to find that the verify breaks when '-binary' is used. Canonical example below. Would like to understand why, Thanks, Dw. #!/bin/sh # Generate a self signed cert to use f

Re: create certificate chain

2013-03-04 Thread Dirk-Willem van Gulik
On 4 Mar 2013, at 08:47, ashish2881 wrote: > Hi , > I want to create a certificate chain ( self signed root ca > cert+intermediate cert + server-cert). > Please let me know openssl commands and the configuration required to create > root-ca ,intermediate cert signed by root-ca and server c

Re: smime and adding a cert to re-encrypt against

2013-02-26 Thread Dirk-Willem van Gulik
> Will keep an eye on it, > as this functionality would long term be useful to put into the 'openssl > smime' > apps command. For the time being - put a version at https://github.com/dirkx/smime-add-encryption-for-recipient along with a small test.sh file https://github.com

Re: smime and adding a cert to re-encrypt against

2013-02-26 Thread Dirk-Willem van Gulik
On 26 Feb 2013, at 15:26, Dr. Stephen Henson wrote: .. >> Note that we had to pull in some non-exposed functions from pk7_lib/doit.c - >> so perhaps longer term it would be nice to see such as part of the API. >> > > When I first looked at this I'd hoped that you could do it cleanly using the

smime and adding a cert to re-encrypt against

2013-02-23 Thread Dirk-Willem van Gulik
Folks, I am struggling to find a clean way to add a pub-key to encrypt against to an existing pkcs7/smime file. Without having to change the existing entries. The use case is that of a key rollover (on for example a very long term backup) where one would want to add an extra decryption key (yea

Re: certtool v.s. openssl - broken/mis-interpreted sha256 cert issue.

2012-11-14 Thread Dirk-Willem van Gulik
On 14 Nov 2012, at 19:58, "Dr. Stephen Henson" wrote: > On Wed, Nov 14, 2012, Dirk-Willem van Gulik wrote: > >> Folks, >> >> Have a CA (created by certtool, validates in openssl as self signed just >> fine) and a server cert (created with certtool

Re: certtool v.s. openssl - broken/mis-interpreted sha256 cert issue.

2012-11-14 Thread Dirk-Willem van Gulik
On 14 Nov 2012, at 18:42, Dirk-Willem van Gulik wrote: > Have a CA (created by certtool, validates in openssl as self signed just > fine) and a server cert (created with certtool, signed with certtool) which > does NOT validate in openssl. > > However the signature (when

certtool v.s. openssl - broken/mis-interpreted sha256 cert issue.

2012-11-14 Thread Dirk-Willem van Gulik
Folks, Have a CA (created by certtool, validates in openssl as self signed just fine) and a server cert (created with certtool, signed with certtool) which does NOT validate in openssl. However the signature (when extracted with openssl its asn1parse; openssl its rsautl and openssl its sha256) l

Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Dirk-Willem van Gulik
On 7 Nov 2012, at 14:35, Graham Leggett wrote: > I would like to know how long a CRL has until it expires in seconds (or milli > or microseconds, don't care, I can convert), and am struggling to find a > formally supported way to do this. > > What I would like to do is return the difference be

Corrupted issuer subject id ignored (when not critical) (Was: CVE-2012-0654)

2012-05-22 Thread Dirk-Willem van Gulik
? Thanks, Dw. #!/bin/sh # # Copyright 2012 Dirk-Willem van Gulik WebWeaving.org, All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # Create config file # cat > ./opens

Custom sequences & Copy

2012-05-18 Thread Dirk-Willem van Gulik
Gentle people, I am encoding some extra fields in the request (and the signed cert). And have two related puzzles: 1) I had naively expected below construct to create a single sequence of two object/integers under a single object: # openssl.cnf snippet. [v

Re: non-string extensions in x509v3.

2012-05-10 Thread Dirk-Willem van Gulik
On 11 May 2012, at 00:48, Dr. Stephen Henson wrote: > On Thu, May 10, 2012, Dirk-Willem van Gulik wrote: > >> >> On 10 May 2012, at 18:59, "Dr. Stephen Henson" wrote: >> >> >> Nets me >> >>365:

Re: non-string extensions in x509v3.

2012-05-10 Thread Dirk-Willem van Gulik
On 10 May 2012, at 18:59, "Dr. Stephen Henson" wrote: > On Thu, May 10, 2012, Dirk-Willem van Gulik wrote: > >>int nid1 = OBJ_create("1.3.6.1.4.1.2692.99.1", "geoLat", >> "Latitude(WGS84) of device calculating

non-string extensions in x509v3.

2012-05-10 Thread Dirk-Willem van Gulik
Folks, Struggling with x509v3 extensions from a programmatic interface. Found that simply stuffing ascii strings into an extension works fine: int nid2 = OBJ_create("1.3.6.1.4.1.2692.99.2", "geoLon", "Longitude(WGS84) of device calculating CSR"); ASN1_OBJECT* obj2 = OBJ_nid2obj(