On Mon, Oct 17, 2022 at 10:28:45AM +0200, Tim Meusel wrote:
> Hi!
> I maintain a Ruby script that does PKCS#7 signing and afterwards some
> encryption with AES-128-CFB. A trimmed down version:
>
> certpath = '/tmp/cert.pem'
> keypath = '/tmp/key/pem'
> data = 'teststring'
> key = OpenSSL::PKey::RS
Hello,
I have a small update in order to close this issue.
The identity provider that produced the invalid signatures have fixed their
signatures so that we can verify them using the latest LTS version of
OpenSSL. We use Bouncy Castle in some products and it does not catch the
invalid signatures
Hello,
I think the person I spoke with might have thought about another set of
signatures for an in-house identity provider. If that is the case then
those signatures were probably generated by OpenSSL 1.0.2 and are OK. I
heard from another person today that the bad files were produced by the
othe
On 02/04/2019 17:34, Steffen wrote:
> Hello,
>
>> What had produced the signatures?
>
> I received word from my end that the signatures may have been produced by
> OpenSSL 1.0.2 (no idea which letter release) in the Cygwin environment but I
> cannot confirm this.
>
If that's the case, I'd re
Hello,
> What had produced the signatures?
I received word from my end that the signatures may have been produced by
OpenSSL 1.0.2 (no idea which letter release) in the Cygwin environment but
I cannot confirm this.
Matt Caswell wrote:
> Using the cert/data files you provided me off-list (thanks), I was able to
> confirm the above and narrow it down further to the following commit:
What had produced the signatures?
> In some cases, the damage is permanent and the spec deviation and
> securi
On 02/04/2019 10:44, Matt Caswell wrote:
On 01/04/2019 22:23, Steffen wrote:
Hello,
I believe that I have narrowed the problem down to one specific version of
OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
Using the cert/data files you provided me off-list (thanks),
Hello Matt,
Thank you for looking into this!
So it seems like I have to figure out why the signatures are incorrectly
formatted and then fix it at every source if possible, or convert the
structures somehow if it can be done correctly. The only immediate solution
I can see is to downgrade to Open
On 01/04/2019 22:23, Steffen wrote:
> Hello,
>
> I believe that I have narrowed the problem down to one specific version of
> OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
Using the cert/data files you provided me off-list (thanks), I was able to
confirm the above an
Hello,
I believe that I have narrowed the problem down to one specific version of
OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
I have currently only verified this using PKCS7_verify and CMS_verify since
I have no CLI at hand for these versions.
The changelog for 1.1.0
Hello Matt,
Thank you for your reply!
I am not quite sure if I should do something more but specifying "-binary"
alone does not seem to help:
# 1.0.2r
$ /usr/local/opt/openssl/bin/openssl cms -verify -inform der -in test.der
-content test-data.bin -noverify -binary > /dev/null
Verification succe
On 01/04/2019 14:46, Steffen wrote:
> Hello,
>
> I am struggling with using OpenSSL 1.1.1 to verify a PKCS #7/CMS structure.
> Verification succeeds when I use OpenSSL 1.0.2, but 1.1.0 and 1.1.1 fails with
> "bad signature". I initially had this problem when using the OpenSSL library
> but
> I
On Thu, Dec 15, 2011, Pietro Romanazzi wrote:
> Hi,
> afraid this question has been already issued but I did not find any solution
> surfing the web.
> I need to sign data with a RSA private key and obtain a pkcs#7 envelope with
> data, signature
> and certificate.
> In the past I remember I fo
* Eisenacher, Patrick wrote on Tue, Feb 23, 2010 at 12:30 +0100:
[...]
> "The selection of a trust anchor is a matter of policy: it
>could be the top CA in a hierarchical PKI, the CA that
>issued the verifier's own certificate(s), or any other CA in
>a network PKI."
>
> And no, I don
On Mon, Feb 22, 2010, Eisenacher, Patrick wrote:
>
> Unfortunately, the perceived verification algorithm is a limitation in
> openssl, which always wants to do path validation up to a self signed cert,
> even if no revocation checking is requested. And no, there's no way to
> modify its verificat
Hi Patrick,
sorry for the bad line-breaking, but I'm stuck here with a poor msa.
> -Original Message-
> From: Patrick Patterson
>
> On February 22, 2010 09:18:25 am Eisenacher, Patrick wrote:
> > > -Original Message-
> > > From: Patrick Patterson
> > >
> > > On 12/02/10 8:51 AM, s
On February 22, 2010 09:18:25 am Eisenacher, Patrick wrote:
> > -Original Message-
> > From: Patrick Patterson
> >
> > On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> > > Is there a way (via the API rather than the tool) to tell
> >
> > OpenSSL that
> >
> > > the sub-CA certificate is tru
> -Original Message-
> From: Patrick Patterson
>
> On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> > Is there a way (via the API rather than the tool) to tell
> OpenSSL that
> > the sub-CA certificate is trusted and it doesn't need to
> walk further
> > up the chain? For my case, I embed
On 12/02/10 8:51 AM, skillz...@gmail.com wrote:
> Is there a way (via the API rather than the tool) to tell OpenSSL that
> the sub-CA certificate is trusted and it doesn't need to walk further
> up the chain? For my case, I embed the sub-CA certificate in my code
> and I'm space constrained so I'd
On Thu, Feb 11, 2010 at 1:31 PM, wrote:
> I have a DER-encoded PKCS#7 file that I'd like to extract the
> certificate from, verify that certificate against a specific sub-CA
> certificate, then use the certificate's public key to verify a
> signature.
>
> I looked at the code for the pkcs7 tool a
On Tue, Jan 12, 2010, Douglas Gemignani wrote:
> This looks like a recent change in the v1.0.0 beta
> *) Update PKCS#7 enveloped data routines to use new API. This is now
> supported by any public key method supporting the encrypt operation. A
> ctrl is added to allow the public key al
This looks like a recent change in the v1.0.0 beta
*) Update PKCS#7 enveloped data routines to use new API. This is now
supported by any public key method supporting the encrypt operation. A
ctrl is added to allow the public key algorithm to examine or modify
the PKCS#7 RecipientIn
On Tue, Jan 12, 2010, Douglas Gemignani wrote:
> Hello,
>
> I need to generate a pkcs#7 certificate with a enveloped message
> inside it. As far as I understand this message (X509) will be
> encrypted with a random generated TDES key.
> This is my snippet, but it is still incomplete and some comm
Hi Patrick ,
ThanQ for your information, my intention also to use pkcs functions only,
but the problem is I am not understanding how to use them.
for that only I am asking for any application program that will do the
signing and verification. and there is no clarity in those functions which
algor
Hi Shankar:
The functions in pkcs7.h look rather straightforward - I think the hint
you need is to not sign the data outside of the PKCS7 functions (don't
use RSA_sign), but instead, try using just the functions in pkcs7.h to
do what you want.
(I've never done what you're trying to do, so don't a
[EMAIL PROTECTED] wrote:
I've a problem. I need to cypher a buffer of bytes with pkcs7 format but
I can't use certificates, I need to encrypt using only a key or password.
I have searched but I do not find anything to do it.
Read the syntax for PKCS#7:
ftp://ftp.rsasecurity.com/pub/pkcs
[EMAIL PROTECTED] wrote:
> Hello all!!
Hello Lidia,
> I've a problem. I need to cypher a buffer of bytes with pkcs7 format but
> I can't use certificates, I need to encrypt using only a key or password.
Are you really sure PKCS#7 supports encrypting of
2007/10/17, [EMAIL PROTECTED] <[EMAIL PROTECTED]
>:
>
> Hello all!!
>
> I've a problem. I need to cypher a buffer of bytes with pkcs7 format
> but I can't use certificates, I need to encrypt using only a key or
> password.
>
> I have searched but I do not find anything to do it.
>
> I work with c, and
Bernhard Froehlich wrote:
[EMAIL PROTECTED] wrote:
Hi!
I need to convert PKCS#7 attached signatures to PKCS#7 detached
signatures.
Is it possible? Is there any example?
Thanks anyway!
Since no one else answered I'll say the little I believe to know about
the subject... ;)
I don't
On Tue, Jan 17, 2006, Bernhard Froehlich wrote:
> [EMAIL PROTECTED] wrote:
>
> >
> >Hi!
> >
> >I need to convert PKCS#7 attached signatures to PKCS#7 detached
> >signatures.
> >
> >Is it possible? Is there any example?
> >
> >Thanks anyway!
>
> I don't think doing this is possible using the op
[EMAIL PROTECTED] wrote:
Hi!
I need to convert PKCS#7 attached signatures to PKCS#7 detached
signatures.
Is it possible? Is there any example?
Thanks anyway!
Since no one else answered I'll say the little I believe to know about
the subject... ;)
I don't think doing this is possible
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
>
> As I said, their solution to the "problem" seemed hack'ish. As to the
> signing time, I just tried rolling my system clock back to the timeframe
> where I was having problems and it still works fine. Again, I seriously
> doubted this would af
Dr. Stephen Henson wrote:
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
Dr. Stephen Henson wrote:
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
Well an indication of the error codes would help. Something just "not
working" doesn't help much...
I don't have access to PayPal's internal sy
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
> Dr. Stephen Henson wrote:
> >On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
> >
> >
> >Well an indication of the error codes would help. Something just "not
> >working" doesn't help much...
> >
>
> I don't have access to PayPal's internal systems and
Dr. Stephen Henson wrote:
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
Suggestions? I could try hammering PayPal's service with an automated
script that generates an encrypted and signed block and then submits it
until I get one that is deemed bogus, but I don't think they would
appreciate
On Wed, Jul 20, 2005, Thomas J. Hruska wrote:
>
> Suggestions? I could try hammering PayPal's service with an automated
> script that generates an encrypted and signed block and then submits it
> until I get one that is deemed bogus, but I don't think they would
> appreciate that.
>
Well an
Thanks for your help. With this I have solved the problem.
Dr. Stephen Henson wrote:
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
But, how can I do it in a C program.
Unfortunately there isn't a function to do this so you'll have to do it the
"ugly way" which involves accessing th
Thanks for your help, I have solved the problem by myself.
Dr. Stephen Henson wrote:
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
PKCS7_verify return 0.
What error message do you get from ERR_print_errors_fp(stderr)?
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
> But, how can I do it in a C program.
>
Unfortunately there isn't a function to do this so you'll have to do it the
"ugly way" which involves accessing the structures directly.
Have a look at the print_certs code in apps/pkcs7.c
Steve.
--
Dr
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
> PKCS7_verify return 0.
>
What error message do you get from ERR_print_errors_fp(stderr)?
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details
But, how can I do it in a C program.
Dr. Stephen Henson wrote:
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
Hello all,
Anybody can tell me how can I get all the certificates enclosed in a
PKCS#7 structure.
I may have misread your query. If you want to *pack* certificates into a
How can I get additional certificates?
Dr. Stephen Henson wrote:
On Thu, Feb 19, 2004, Andrzej Posiadala wrote:
When you've already read a PKCS#7 message into memory and you have it
under
PKCS7 * p7 pointer , try this:
STACK_OF(X509) *certs;
X509 * tmpCert;
certs = PKCS7_get0_signers(p7,
PKCS7_verify return 0.
Dr. Stephen Henson wrote:
On Thu, Feb 19, 2004, Manuel Sánchez Cuenca wrote:
Hello all,
Know anybody why PKCS7_sign only works ok when I don't put any
additional cert in the "STACK_OF(X509) * certs" param?
How can I add some certificates that I need to verify the PK
But I want to get all the certificates that I have put in the certs
param of PKCS7_sign, not only the signers.
Andrzej Posiadala wrote:
When you've already read a PKCS#7 message into memory and you have it
under
PKCS7 * p7 pointer , try this:
STACK_OF(X509) *certs;
X509 * tmpCert;
certs = PK
On Thu, Mar 27, 2003, marek cervenka wrote:
> > > > > i have a single file in PKCS#7 format
> > > > > can i decrypt this file with openssl?
> > > > >
> > > > > i try this
> > > > > [EMAIL PROTECTED] cp]# openssl smime -decrypt -inform der -in pkcs7.enc
> > > > > -recip test.pem -inkey key.pem
>
> > > > i have a single file in PKCS#7 format
> > > > can i decrypt this file with openssl?
> > > >
> > > > i try this
> > > > [EMAIL PROTECTED] cp]# openssl smime -decrypt -inform der -in pkcs7.enc -recip
> > > > test.pem -inkey key.pem
> > > > Enter PEM pass phrase:
> > > > Error decrypting PKC
On Wed, Mar 26, 2003, marek cervenka wrote:
> > > i have a single file in PKCS#7 format
> > > can i decrypt this file with openssl?
> > >
> > > i try this
> > > [EMAIL PROTECTED] cp]# openssl smime -decrypt -inform der -in pkcs7.enc -recip
> > > test.pem -inkey key.pem
> > > Enter PEM pass phras
> > i have a single file in PKCS#7 format
> > can i decrypt this file with openssl?
> >
> > i try this
> > [EMAIL PROTECTED] cp]# openssl smime -decrypt -inform der -in pkcs7.enc -recip
> > test.pem -inkey key.pem
> > Enter PEM pass phrase:
> > Error decrypting PKCS#7 structure
> > 3428:error:210
On Wed, Mar 26, 2003, marek cervenka wrote:
> hi,
>
> i have a single file in PKCS#7 format
> can i decrypt this file with openssl?
>
> i try this
> [EMAIL PROTECTED] cp]# openssl smime -decrypt -inform der -in pkcs7.enc -recip
> test.pem -inkey key.pem
> Enter PEM pass phrase:
> Error decrypti
Stephen,
Thank you for a reply.
> openssl verify -CAfile rootca.pem -untrusted othercas.pem signer.pem
This is what I did:
$ openssl verify -CAfile root_ca.cert -untrusted ca.cert sign.cert
sign.cert: OK
As you see, signer certificate is OK, however, ca.cert is not being verified
at all.
A
On Mon, Aug 26, 2002, Michael Shmulevich wrote:
> Hello,
>
> I am sorry for troubling you with a (quite standard) question, but I cannot
> figure out my problem alone, and man page doesn't really help me to solve a
> problem.
>
> I try to transfer an application in a secure way with PKCS#7 attac
Miguel Rodríguez wrote:
>
> Hi,
> I have problems setting the signing time of a PKCS# Signed Data object.
> I don't want to use local time because this code is running on a client
> system and I can't trust on it. I use a SNTP server to get the right
> time.
> Let "sign_time" the date obtained
On Thu, Oct 18, 2001 at 07:54:28AM +1000, Mark Strong wrote:
> How would I do something like this from perl
>
> openssl smime -sign -in message.unsigned -signer my.pem -inkey my.key -out
> message.signed -outform DER -nodetach
>
> can I use Net::SSLeay ? Or is there another perl module to inter
On Fri, 3 Aug 2001, Frank Geck wrote:
> I have the same issue. I used the openssl rand -out randfile 1024. this created
> the random bit file. I pointed RANDFILE to this file and get the same error
> PRNG not seeded.
>
> By the response below do I take it that the supplied enc.c program is wr
have u rand the seed with RAND_seed() ?
Mars Lin
-Original Message-
From: long.chiang [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 02, 2001 11:58 AM
To: [EMAIL PROTECTED]
Subject: PKCS#7 enveloped message problem
Hi,
I am using pkcs7/enc.c for creating a PKCS#7 enveloped message.
On Mon, 9 Jul 2001, Alexander op de Weegh wrote:
> Hi all,
> I have padding question.
> I am using the following code for creating a PKCS#7
> signed and enveloped message:
>
> X509 *signer, *recipient;
> RSA *signkey;
> p7 = PKCS7_new();
> PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
> PKC
> Alexander op de Weegh wrote:
>
> Hi all,
> if I use the following code to generate a PKCS#7 signed and enveloped
> message, I think the message created is not valid.
>
> X509 *signer, *recipient;
> RSA *signkey;
> p7 = PKCS7_new();
> PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
> PKCS7_
Hi,
No I'm looking for some the docs of pkcs#7 functions exported by openssl.
Thanks any way..
Aslam
-Original Message-
From: Oliver Bode [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2001 12:30 PM
To: [EMAIL PROTECTED]
Subject: Re: PKCS#7 support in openssl-0.9.6a
Aslam
Aslam,
Is this what you are looking for?
http://www.openssl.org/docs/apps/pkcs7.html#
- Original Message -
From: "Aslam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, April 28, 2001 1:08 AM
Subject: PKCS#7 support in openssl-0.9.6a
> Hi,
>
> Is there any documentation
Jean-Marc Desperrier wrote:
> Any large-scale commercial use of cryptlib requires a license.
> "Large-scale commercial use" means any
> revenue-generating purpose such as use for company-internal purposes, or
> use of cryptlib in an application or product,
> with a total gross revenue of over US$
"A. Konigsdorfer" wrote:
> 'Free' means something different in my eyes:
>
> 1.2 The period of this license is a hundred eighty days (180 days)
> from the moment the user downloads the Software from Safelayer's
> web (www.safelayer.com). The use beyond this time is not permitted.
>
> The original p
Title: RE: PKCS #7 in OpenSsl?
> Hello Ald,
>
> take a look at http://www.safelayer.com There you can find a
> free toolkit
> for developers that provides X.509, PKCS (including #7),
> S/MIME and SSL
> functionality with strong cryptography. I have downloaded it
Hello Ald,
take a look at http://www.safelayer.com There you can find a free toolkit
for developers that provides X.509, PKCS (including #7), S/MIME and SSL
functionality with strong cryptography. I have downloaded it (it is very
light, only 700 Kbytes of distribution) and seems to me very easy t
"Hellan,Kim KHE" wrote:
>
> I have succeeded in loading a MIME file by using the following commands:
>
> BIO* bioIndata;
> PKCS7* p7 = SMIME_read_PKCS7(spBio, &bioIndata);
>
> I am able to extract signers certificate, but how do I extract the signed
> text?
> I have tried looking in the
Rodney Thayer wrote:
>
>
> Anyway, these S/MIME vendors seem to all think something called
> a '.p7c' file is the way to store certs and such. It appears to
> be a PKCS-7 Data object (i.e. not encrypted, not signed, just
> enveloped). I'm not entirely sure of that as I haven't gotten
> openssl