stly
because I have never had to implement the interface...).
Thank you for your help and have a wonderful day!
Cheers,
Max
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
a way to list the ciphers supported when using EnvelopedData ?
Cheers,
Max
encryption
algorithm from the EnvelopedData/EncryptedContentInfo (I can not find
the helper function...) ?
Cheers,
Max
tion) ?
Thanks for any help for understanding all these details... :D
Cheers,
Max
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/l
btain the same values that does not depend on the type or size of the
keys ? Is the 24 Bytes a constant size or ... ? Is there any
documentation that would help me... ?
Cheers,
Max
Hi Jan,
not sure if this might help you, I solved the problem by using
X509_PUBKEY + i2d_X509_PUBKEY. Here's an example:
https://github.com/openca/libpki/blob/b87b647170cb5f71e00baffe609f5a02edfa3845/src/openssl/pki_keypair.c#L307
I hope that helps,
Cheers,
Max
On 3/21/18 1:42 PM, Jan Dan
Hi Victor,
A... that is why :D I wrongly assumed that the newly created
parameters would hold the same initialization. This approach works!
Thanks again!
Cheers,
Max
On 12/11/17 5:45 PM, Viktor Dukhovni wrote:
On Dec 11, 2017, at 7:35 PM, Dr. Pala wrote:
Perhaps you ended up
Hi Victor,
does it matter that we are not in the TLS case (maybe the code is
different in the SSL_CTX ) ? I am just trying to validate the chain with
the TA set to the SubCA... :D
IMHO, the correct (or, better, the expected) behavior (from a
developer's standpoint) would be to trust keys in
Hi Victor,
On 12/11/17 4:18 PM, Viktor Dukhovni wrote:
[...]
Perhaps you ended up creating a parameter structure with a
depth limit that's too small. Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be. In fact you generally get shorter
chains.
code
yet...
... any suggestion on how to fix this ? Do you think it is actually a
bug ? ... or am I missing some other configs / setting I should have
done for the verify param ?
Cheers,
Max
On 12/11/17 3:18 PM, Viktor Dukhovni wrote:
On Dec 11, 2017, at 5:06 PM, Dr. Pala wrote:
Hi all
in the trusted stack or not...
Maybe there are flags / trust settings that can be used instead ?
Cheers,
Max
Hi all,
does anybody know if there are downloadable binaries of openssl-fips
and/or openssl-fips-ecp (2.0.16 or earlier) for Windows ?
Cheers,
Max
er, I guess I will have to either change the
envisioned approach (maybe introducing an intermediate data structure of
some kind..?) or use the ASN1_ANY approach.
Cheers,
Max
On 12/2/17 4:54 AM, Richard Levitte wrote:
In message on Fri, 1 Dec 2017 20:22:09 -0700,
"Dr. Pala" said:
17 12:14:54 -0700,
"Dr. Pala" said:
director> I am trying to define an ASN1 structure similar to this:
director>
director> ASN1_SEQUENCE(TEST) = {
director> ASN1_SIMPLE(TEST, version, ASN1_INTEGER),
director> ASN1_EXP_SEQUENCE_OF_OPT(TEST, otherTests, TEST, 0
re ? Am I supposed to, somehow, modify the plaintext before
encrypting it (e.g., XOR with the block number ?).
Thanks,
Max
P.S.: I am cross-posting the message also to dev as this might have
better chances to get an answer there... ?
On 4/6/16 10:54 AM, Dr. Pala wrote:
Hi all,
I am trying
Pala, PhD
Director at OpenCA Labs
twitter: @openca
effort.
Any comments and feedback are welcome (positive and negative alike).
Cheers,
Max
Forwarded Message
Subject:[saag] Standard Crypto API + Symmetric Crypto At Rest
Date: Sat, 7 Nov 2015 22:30:35 +0900
From: Massimiliano Pala
Organization: OpenCA Labs
To
n
the same path :)
Your solution will be indexed and pop right up on search engines in the future.
Thanks!
Sent from my mobile
On Aug 31, 2015, at 7:10 PM, Massimiliano Pala wrote:
Hi all,
I actually figured it out, if anybody is curious about the solution for parsing
this CRYPTLIB signat
Hi all,
I actually figured it out, if anybody is curious about the solution for
parsing this CRYPTLIB signature envelope (in this case DSA) - write to
me directly, I will be happy to share the solution.
Cheers,
Max
On 8/29/15 6:56 PM, Massimiliano Pala wrote:
Hi all,
I am trying to parse
Hi all,
I am trying to parse a sequence that has, after an integer, a 'private'
(xclass) item. I was wondering what is the right templates / macros to
be able to generate the ASN1 functions with the usual macro. An example
of the structure I have to parse (B64 - DER), is the following:
MGICA
Hi all,
I am working on an application that would use DH to allow exchanging
symmetric keys (not a TLS app), and we noticed that we could use two
different approaches to generate the parameters.
The first option is to use the DH_generate_parameters_ex() +
DH_generate_key() - but that takes q
Hi all,
I have a question for Win coders.. I am porting LibPKI, which is based on
OpenSSL, to Win OSes. On UNIX OSes we used pthread to initialize support
for threads in OpenSSL.
What is the best practice for Win OS ? Does anybody have some sample code
around ? In particular, I am referring to t
via the X509_STORE_add_cert().
What I would expect is that, in the second case, I would get
notified that the certificate is not trusted...
Cheers,
Max
On 06/18/2010 05:04 PM, Peter Sylvester wrote:
On 06/18/2010 01:57 AM, Massimiliano Pala wrote:
Hi all,
I have two issues when I am trying
Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org
project.mana...@openca.org
Dartmouth Computer Science Dept
,
Massimiliano Pala
() ???
--
Best Regards,
Massimiliano Pala
Regards,
Massimiliano Pala
,
Massimiliano Pala
nd HEAD.
Cheers,
Geoff
--
Best Regards,
Massimiliano Pala
I have a single file with
the code for OpenSSL and pthreads, both static and dynamic locks..
Shall we include it into OpenSSL ?
void OpenSSL_pthread_init( void );
.. that would make it more usable for the average developer! :D
Later,
Max
Sander Temme wrote:
On Nov 21, 2008, at 8:
s would be nice.. :D
I just installed the patched version - but no changes in the behavior.. I
will try to inspect the `disable_mutex_callbacks`.. but if that is the case,
how shall I fix it ???
Later,
Max
--
Best Regards,
Massimi
Hi Sander,
I definitely did - now I do initialize all the static locks in OpenSSL *and* the
dynamic functions. But they are never called by the CHIL - the assert fails and
the SIGABRT is sent to my daemon forcing it to exit.
For some reason it seems the dynamic locking functions do not function
Sander Temme wrote:
/opt/nfast/toolkits/openssl/openssl098e-patch.txt
I found a 'openssl098-patch.txt' is that ok ?
Should apply cleanly to newer versions of OpenSSL, with patch -p1. It
creates a static lock for CHIL to use so it doesn't need the dynamic
ones available.
It did.
I persona
,
Max
Geoff Thorpe wrote:
On Friday 21 November 2008 03:01:33 Massimiliano Pala wrote:
Hi David,
that is really nice.. although.. after I gave it a try... it does not
really work :(
Actually, it seems that the dynamic functions are never called... :(
Investigating...
The attached example seem
Hello Przemek,
thanks for the advice - I already tried to use a mutex to protect the
OCSP_basic_sign(), but I wanted to avoid it as this will just use only one
thread at a time. It seems that nCipher is best used with a simple fork()
daemon... if it wasn't for the shared memories, still today
--
Best Regards,
Massimiliano Pala
--
Best Regards,
Massimiliano Pala
to do that by using pthreads ?
Ciao,
Max
Sander Temme wrote:
On Nov 19, 2008, at 11:24 PM, Max Pala wrote:
The software that I am writing is a multi-threaded OCSP responder.
Please make sure you initialize the engine correctly, and set up your
locking callbacks before you actually
efc in ?? ()
#29 0x0807eed8 in ?? ()
#30 0x08085558 in ?? ()
#31 0x0010 in ?? ()
#32 0x in ?? ()
Any Idea ???
Later,
Max
Sander Temme wrote:
On Nov 19, 2008, at 11:24 PM, Max Pala wrote:
The software that I am writing is a multi-threaded OCSP responder.
Please make sure you initia
Hello Sander,
The software that I am writing is a multi-threaded OCSP responder.
Sander Temme wrote:
What software are you running that makes the calls into OpenSSL?
--
Best Regards,
Massimiliano Pala
tas[remember].inuse > 0' failed.
Anybody has experienced problems with this HSM on Linux + pThread ?
Cheers,
Max
--
Best Regards,
Massimiliano Pala
No docs, but there is working code here:
https://www.openca.org/projects/ocspd/
Best,
Max
Quoting Brian Smith <[EMAIL PROTECTED]>:
Does anyone know of any substantial documentation/coding examples that may
be available (similar to the Networking with OpenSSL book) for using OpenSSL
as an OC
ed in a smartcard) but with the public
key only?
--
Best Regards,
Massimiliano Pala
Hello,
thanks :) That was the problem.. I was initializing the library on the
server but not on the client.
Thanks again!
Later,
Max
Marek Marcola wrote:
Do you have OpenSSL library initialized ?
Look at man page for SSL_library_init.
the X509_signature_print() I get no errors on both the
server and the client...
--
Best Regards,
Massimiliano Pala
-END PRQP RESPONSE-
MMm... another error in the ASN1 definition ? Any idea ?
Later,
Max
--
Best Regards,
Massimiliano Pala
EM_ASN1_write_bio () from /lib/libcrypto.so.6
#11 0xb7faeecb in PEM_write_bio_PRQP_RESP (bp=0x8088938, o=0x805f6a0)
at prqp_bio.c:92
=
Anyone can help me ? It is quite strange behavior -- I am missing something,
but I have no
th. Is openldap suitable for serving up CRL's of
this size and bigger? Is there anyone doing this successfully?
There is no problem with CRLs that size, indeed we successfully use OpenLDAP
with CRLs which are 50MB+ in size...
--
Best Regards,
M
the library in the system folder.
--
Best Regards,
Massimiliano Pala
numbers in the certificates is
always 0. Any thoughts?
If this is the case, use the '-set_serial' option.
--
Best Regards,
Massimiliano Pala
more info ?
Thank you, bye.
--
C'you,
Massimiliano Pala
made recently with all major email clients available
gave completely different results. Multiple emailAddress entries were not
supported while multiple email within subjectAltName usage was supported
(not by M$ client).
--
C'you,
Massimiliano
reported
in the subjectAltName extension.
Multiple emailAddress, anyway, within the DN should be avoided as this
format is against the standard and does not add any value over the subjAltName
extension usage :-D
--
C'you,
Ma
pub/openca/snapshots/
--
C'you,
Massimiliano Pala
and needed pieces for its verification.
Usually there is no preferred format because once loaded you actually use
its internal representation of the certificate ... my suggestion: if you
have DER just use it and forget the PKCS7 - you don't need it to simply
manage a certificate.
--
C'you,
l those, I repeat, technically.
The easiest way, and most supported by current clients, is to establish a
Root CA issuing certificates for sub CAs (hierarchy). It will be possible
to recognize and validate sig/certs from the whole chain as the same root
is trusted.
--
C'you,
has only a key challenge
but you can sign the request, in this case, for later verification.
--
C'you,
Massimiliano Pala
dified dn () instead of the one
within the request.
This is also logical because if you alter the request then it is no longer
valid for verification and you cannot state the authenticity of the request.
--
C'you,
tool which can do the same.
You can simply remove the password by using:
$ openssl rsa -in key.pem -out new-key.pem -passin
this should remove the password. Take a look at the rsa tool
anyway to check the options...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Deepak Taneja wrote:
>
> Hello ,
>Anybody can tell me that which algo is used to generate
> client public and private key.?
Usually RSA with md5, anyway you can try the DSA as well.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
e above... anyway it is usually a .pem formatted file
(certificate).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to be present in the CRL till its
validity period expiration.
If you want to remove the certificate from the crl, simply modify
the index.txt file changing the 'R' into 'E' - setting it to expired
instead of revoked.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
erent. Netscape will correctly import it
and recognize it is the same certificate (try to display it and you'll
get an idea of what I am saying).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
our original request and issue a new
certificate with a new validity period. This almost depends on the
crypto layer you are using and policies you are following.
If you simply renew the same key-pair just use the old request, but
keep in mind that it is a good policy to renew all keys in a 2
actly) reason.
I continue to think that a suspension list can be very useful, and, when I get
some spare time, I will re-post some messages to the ietf-pkix working group -
hopefully I have enough time to submit an rfc... (??) - who knows ...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
arning)?
You could simply use a certificate expiring after 30 days. If you still
want to use it, simply renew it...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
by issuing new certificates:
sorry... is one of the projects... :-D
I know they are rebuilding the hierarchy's root keys... we are waiting to get
one CA key to use... :-D
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
I think the discussion should be continued on another mailing list :-D This is
really OT, here (sorry people) ...
If you can/want to continue discussing it, please subscribe to
[EMAIL PROTECTED]
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
"James B. Huber" wrote:
> Yes,
> But I've never been able to do https with it.
Please, try now.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
utions offer such service.)
I think you got the point (not only for free CAs): real problems, by now, are
the Policies definitions and organizational related rather than crypto/software
related.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
ect about security/certificates/CAs/etc...
Another way of avoiding the problem is: before applying for a request, the
user is asked to import the certificate just before submitting data (required).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
th the outworld... we are
currently working on it (but we have to wait for the people
responsible for the network... *GRIN*).
Sorry for the inconvenience. Hope to be on soon. If you want,
anyway, you can download the software from any of the mirrors:
ftp://sunsite.cnlab-switch.ch
C'you,
authorization level to actually revoke certificates
and proof of it is the knowledge of the CA's password, simply ask for
it once, then the program will use that in every "challenge" section
(see the ca command about the challenge function... ).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
.
I can see your point, now. Anyway I don't think it would be very wise
allowing anyone to mark certificates as revoked. Patching the code does
not require much work, but I don't think it should be done.
This is my opinion, what the other OpenSSL people think about this ???
C'y
e
encryption password). So if you don't know the protection password of the
CA key you cannot issue CRLs ...
I don't know if I got your point, I hope so.
C' you,
Massimiliano Pala ([EMAIL PROTECTED])
That could be a VERY BIG problem for the Win people because they can not
choose to trust or not the connection: I mean they are not presented with
warnings and so on...
You should report as a bug to the Netscape people.
C'you,
Massimiliano
knows the
ca key passwd should be able to revoke certificates.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
l change soon (1 year) as the LDAP
support will be added to most of the available applications.
I suggest you consider some other form of certificate validity such as
OCSP, SCVP available on the ietf pages (and mailing lists) (www.ietf.org).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Contacts
To contact us, please visit our web site where you will find any information on
how to send your comments to us.
Massimiliano Pala
([EMAIL PROTECTED])
,
Massimiliano Pala ([EMAIL PROTECTED])
This is theft. It is just a non-sense.
But I admit, this is MY opinion which is personal and may not be shared.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
7;you,
Massimiliano Pala ([EMAIL PROTECTED])
openssl-SNAP-19990907-ocsp.tar.gz
rity category, and
> that will contain a "how-to-build your own ca using openssl", and how to
> build it in such a way it will be certified by the SURFnet Policy
> Certification Authority. It's all lots of fun :)
>
> Jan
Please subscribe to openca mailing lists and c
First rule of the Net: you give one and get 100 in return!
I'm happy if I can share my (poor) knowledge with someone else...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
to_ssl_dir
$ ./createindex $index_file_name $number_of_entries
Then to check it simple use:
$ openssl ca -status $hex_serial_num_of_a_certificate
The ca program should work fine. Try it and please report any
bug in the patches. Thanks.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
#!/u
Dr Stephen Henson wrote:
> > The people at OpenCA have developed a patch to ca that enables this behavior,
> > but there is no official 0.9.4 patch :-(
The patches are available now for the 0.9.4.
More info on http://www.openca.org
C'you,
Massimiliano Pala ([EMAIL PR
n your env (because it is necessary
only when used) without this patch you should set it or
you get an error (even if it is not used). This patch
fixes this behaviour;
Enjoy the patches.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Pat
SL on various system, dependent on stdio implementation.
>
I don't know which version you tried out, but I am using a SNAP of the 10th
of May and successfully compiled it on 2 different RH6.0 platforms (with
make test).
Did you try one of the latest SNAPs ??
C'you,
(not
Openssl. If you do not want to risk just to see a very (indeed)
GUI, don't install the 6.0 but use the 5.2.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
certificate?
>
If you use a certificate for a web server, netscape checks it for the CN
(Common Name) to be the same as the URL used. For example, if your server's
address is:
http://www.mydomain.com
then you have to issue a certificate with:
CN=www.mydomain.com, ..
$ openssl ca -updatedb
a bit longer, but more readable... (I think... )
> I have patched this functionality in the "revoke.c"-file originally
> posted long ago by "[EMAIL PROTECTED]" (sorry, can't find his
> real name) and
OpenCA.org when will be available...
See you,
Massimiliano Pala.
h a
> special option (-spkac).
>
> All this is described in the docs (go to the doc/ directory, and look for
> a ns-ca.doc file...
Thank you for your help...
If you want to follow any result... just browse www.openca.org.
Th
99 matches