> padding = 3 means "no padding" indicating that the data for signature is
> already padded. That's why the data size (flen) is 256 (hashed data padded to
> the rsa key size of 2048 bits, I guess). If you are using OpenSSL 1.1.1, this
> could be due to PSS padding in which case current implement
Hi,
On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis
wrote:
> Hi all,
>
> I have a working openvpn setup with client certificate and private key
> stored on my laptop. Then, I have loaded them into a smartcard (Yubico 5
> NFC), and modified accordingly the openvpn client config.
Hi all,
I have a working openvpn setup with client certificate and private key
stored on my laptop. Then, I have loaded them into a smartcard (Yubico 5
NFC), and modified accordingly the openvpn client config. But running the
openvpn client now fails with an error that seems to originate inside
On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono"
wrote:
> Does anybody know how to use the smartcard to encrypt and decrypt files?
Smartcard performs public-key crypto operations, which aren't suitable for bulk
processing, such as file encryption/decr
> Does anybody know how to use the smartcard to encrypt and decrypt files?
Hi Boyd,
there are many ways to encrypt/decrypt with smartcard but since you
wrote to the list of OpenSSL I answer you how to do with OpenSSL.
In the meantime you need two other software, in addition to openssl,
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08
> Does anybody know how to use the smartcard to encrypt and decrypt files?
This may depend somewhat on the type of smartcard. While PKCS#11 is a stan
Does anybody know how to use the smartcard to encrypt and decrypt files?
I was able to encrypt a file using the cert on the smartcard. However, I
couldn't decrypt it. I think it's mainly because I don't know how to get
the Private Key on the token to decrypt it. I've tried
:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
4
#v-
Of course smime.p7m file and smartcard are the same. Machines differ
but smartcard reader on the new machine seems to work fine, for
example I can access smartcard data:
#v+
[new]$ pkcs11-dump dump /usr/lib/libeT
nc.c:516:
4
#v-
Of course smime.p7m file and smartcard are the same. Machines differ
but smartcard reader on the new machine seems to work fine, for
example I can access smartcard data:
#v+
[new]$ pkcs11-dump dump /usr/lib/libeTPkcs11.so 0 | grep -1
CKA_ID:
Repost; updated for HEAD and tested on ubuntu as well.
Dw.
Folks,
Find below a minor patch to allow the use of smartcards in readers that have
their own
PIN entry keypads (Secure PIN entry) such as the SPR332 and most german/medical
chipcard devices.
Tested on Solaris, FreeBSD, Linux and MacOS
clients will connect to the server and wait events
# when someone at server side (2) using openssl execute a sign, or
request a https for example, openssl will contact server (2) via
engine
# server (2) will check if the cert exists, client (1) is connected or not
# if no, return something like (no
-openssl version 0.9.8a-
OS:SuSE Linux Enterprise (SLED_10_SP3)
CardMan 3021 OmneyKey
BuyPass smartcard, http://buypass.no
I am trying to have a --crypto switch with xmlsec1 working for a necessary
signature
The setup for a key-file is like this:
xmlsec1 sign --privkey key.pem --output
challenge
>>> something
>>> that seems a bit more advanced, so I was hoping I might be able to get
>>> some
>>> help from the more experienced and knowledgeable folks on this board.
>>>
>>> I need to generate a certificate that can be used f
rtunately I picked as a first challenge
>> something
>> that seems a bit more advanced, so I was hoping I might be able to get
>> some
>> help from the more experienced and knowledgeable folks on this board.
>>
>> I need to generate a certificate that c
, so I was hoping I might be able to get some
> help from the more experienced and knowledgeable folks on this board.
>
> I need to generate a certificate that can be used for windows logon with a
> smartcard, and having tried to follow about half a dozen different
> fragmentary
with a
smartcard, and having tried to follow about half a dozen different
fragmentary forum threads, I am stuck with the following, not sure how to
move forward.
To my /etc/ssl/openssl.cnf file I added the following section:
__
[smart_cert]
basicConstraints=CA:FALSE
key
programa\Smart card
bundle\UsrPkcs11.dll, a module provided for a Spanish authority, who
provides my smartcard. With this module I can do some operations like
list objects and so on. Under linux, was enough to put opensc-pkcs11.so
because opensc has specific drivers to my smartcard, but not under
Carles Fernandez i Julia wrote:
Nils Larsch wrote:
Carles Fernandez i Julia wrote:
...
That's the point : I have the private key certificate stored in the
smartcard, not located in a plain file. That's why I commented the line
above.
the engine doesn't support usi
Nils Larsch wrote:
> Carles Fernandez i Julia wrote:
> ...
>> That's the point : I have the private key certificate stored in the
>> smartcard, not located in a plain file. That's why I commented the line
>> above.
>
> the engine doesn't sup
Carles Fernandez i Julia wrote:
...
That's the point : I have the private key certificate stored in the
smartcard, not located in a plain file. That's why I commented the line
above.
the engine doesn't support using certificates stored on smart cards
(and I don't even thin
Marek Marcola wrote:
> Hello,
>
>> I'm currently trying to authenticate using EAP-TLS using smartcard with
>> wpa_supplicant and I get this error:
>>
>> OpenSSL: tls_connection_engine_private_key - Private key failed
>> verification error:140A3
Hello,
> I'm currently trying to authenticate using EAP-TLS using smartcard with
> wpa_supplicant and I get this error:
>
> OpenSSL: tls_connection_engine_private_key - Private key failed
> verification error:140A30B1:SSL routines:SSL_check_private_key:no
> certificate a
Hi
I'm currently trying to authenticate using EAP-TLS using smartcard with
wpa_supplicant and I get this error:
OpenSSL: tls_connection_engine_private_key - Private key failed
verification error:140A30B1:SSL routines:SSL_check_private_key:no
certificate assigned
I got some messages "Er
ive to him. No problems so far.
But now I want two things:
1.
I would like to write the certificate on a Smartcard, so the user can insert
this smartcard and tip a PIN to authenticate on the server, instead of the
file-based-variant above.
I read a few websites, e.g. about the OpenSC-project, but I
Hello,
At the moment I have a site, where a user can login with a certificate I
create and give to him. No problems so far.
But now I want two things:
1.
I would like to write the certificate on a Smartcard, so the user can insert
this smartcard and tip a PIN to authenticate on the server
Oh, yes.
I'm sorry, because my sentence "...to move the private key..." wasn't
exact.
We can start with any new private key.
>
> francesco.gennai+openssl> We could use also an expensive solution,
> francesco.gennai+openssl> like an HSM, but we would know about
>
an HSM, but we would know about
francesco.gennai+openssl> existing experiences, and about products:
francesco.gennai+openssl> SmartCard models and producers and/or HSM
francesco.gennai+openssl> models and producers that have been already
francesco.gennai+openssl> used in OpenSSL/OpenVMS e
> environment by a signing device (SmartCard,
> francesco.gennai+openssl> HSM, other...)
> francesco.gennai+openssl>
> francesco.gennai+openssl> Is there any solution to use a signing
> francesco.gennai+openssl> device with OpenSSL in OpenVMS environment?
>
> Yes, you nee
In message <[EMAIL PROTECTED]> on Sun, 26 Mar 2006 00:51:54 +0100, Francesco
Gennai <[EMAIL PROTECTED]> said:
francesco.gennai+openssl> I need to sign e-mail messages in OpenVMS
francesco.gennai+openssl> environment by a signing device (SmartCard,
francesco.gennai+o
I need to sign e-mail messages in OpenVMS environment
by a signing device (SmartCard, HSM, other...)
Is there any solution to use a signing device with OpenSSL in
OpenVMS environment ?
Regards,
Francesco
On So, 19 Feb 2006, Kyle Hamilton wrote:
> Incidentally: I have no idea what the concept of "serial number" that
> Deutsche Post is using, but those aren't serial number 1 or 2, no
> matter what the website OCSP responder says. I don't speak or read
> German, which makes it difficult for me to re
Incidentally: I have no idea what the concept of "serial number" that
Deutsche Post is using, but those aren't serial number 1 or 2, no
matter what the website OCSP responder says. I don't speak or read
German, which makes it difficult for me to read the CPS they've got,
especially as regards the
Okay. :)
Anyway, the files that I got were perfectly fine PEM. It was having
trouble with the postal address, but asn1parse was able to handle them
fine.
Now, to try to import them into Firefox and see if they can be
handled... and it looks like they can't. Time to head over to the
dev-tech-cry
On Sun, Feb 19, 2006, Kyle Hamilton wrote:
> Georg,
>
> would you mind if I forwarded the certificates to Dr. Henson? (I
> believe he's in the UK, which has stricter privacy laws. ;) )
>
No need. I pulled the certificate out of that OCSP response and I've applied a
fix to OpenSSL to tolerate i
Hi Stephen,
On So, 19 Feb 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 19, 2006, Georg Lohrer wrote:
>
> >
> > I have just sent an email to Kyle giving him the certificates for
> > scrutinizing. So I'm very excited seeing any output.
> >
>
> Your initial suspicion was correct about postal
Georg,
would you mind if I forwarded the certificates to Dr. Henson? (I
believe he's in the UK, which has stricter privacy laws. ;) )
-Kyle
On 2/19/06, Georg Lohrer <[EMAIL PROTECTED]> wrote:
> Hi Stephen,
>
> thank you for coming back on my questions.
>
> On So, 19 Feb 2006, Dr. Stephen Henson
On Sun, Feb 19, 2006, Georg Lohrer wrote:
>
> I have just sent an email to Kyle giving him the certificates for
> scrutinizing. So I'm very excited seeing any output.
>
Your initial suspicion was correct about postal address. When OpenSSL is
patched to tolerate it it will parse the certificate j
Hi Stephen,
thank you for coming back on my questions.
On So, 19 Feb 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 19, 2006, Georg Lohrer wrote:
>
> >
> > Unfortunately I cannot get the contents of a certificate with:
> >
> > > pkcs15-tool --read-certificate 01 | openssl x509 -text -noo
On 2/19/06, Georg Lohrer <[EMAIL PROTECTED]> wrote:
> Hi Kyle,
>
> thank you for your explanation. Now the fog begins to vanish.
>
> Asymmetric cryptography is well known but not the way it will be done with
> SmartCard, or better with my SmartCard.
> I was disturbed,
On Sun, Feb 19, 2006, Georg Lohrer wrote:
> Hi Kyle,
>
> On So, 19 Feb 2006, Kyle Hamilton wrote:
>
> Asymmetric cryptography is well known but not the way it will be done with
> SmartCard, or better with my SmartCard.
If it has a public, private key pair it will use asy
Hi Kyle,
On So, 19 Feb 2006, Kyle Hamilton wrote:
> How these things work is by a process called "Asymmetric
> cryptography", or "public/private key cryptography". Your smartcard
> has both a public and a private key stored on it. The private key
> will neve
How these things work is by a process called "Asymmetric
cryptography", or "public/private key cryptography". Your smartcard
has both a public and a private key stored on it. The private key
will never leave the card, but the public key is embedded in the
certificate, and t
aps I might be wrong, but does using this certificate not break any
security issues? Do I have to have the SmartCard available in case
of using this certificate? Or will anybody holding this certificate be able
to sign documents pretending to be myself?
I am a little bit puzzled, because I already
t, Feb 18, 2006, Georg Lohrer wrote:
> >
> [snipped]
> > >
> > > Is there a way to let the 'smime' command know that it should not use a
> > > file
> > > '0:1' ('-signer' option), but use something out of the engine.
> >
mething out of the engine.
> > Or do I have to extract the certificate from the SmartCard to use it?
> >
>
> Yes currently you have to extract the certificate into a file to use it. There
> is no equivalent function in the ENGINE at present to extract the certificate.
>
N=Georg Lohrer"
> >
> > to get a self-signed certificate.
> > The card-pin will be requested correctly, so the communication between
> > engine_pkcs11.so and the GemPC Twin reader runs successfully.
> >
> > Now, I want to sign a text using the
t req.pem -text -x509
> > -subj "/CN=Georg Lohrer"
>
> to get a self-signed certificate.
> The card-pin will be requested correctly, so the communication between
> engine_pkcs11.so and the GemPC Twin reader runs successfully.
>
> Now, I want to sign a text usi
ill be requested correctly, so the communication between
engine_pkcs11.so and the GemPC Twin reader runs successfully.
Now, I want to sign a text using the certificates on the SmartCard. Therefore
I thought of something like:
$ openssl
> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_
Hi,
I'm trying to use certificates generated with openssl to log in to a
wireless network. We use EAP-TLS and a Radius server. The WLAN base station
is a D-Link DWL-7000AP and the wireless card D-Link DWL-AG650.
We have got this system to work on Windows XP, although it is a bit
unstable, and f
I'm trying to use certificates generated with openssl to log in to a
wireless network. We use EAP-TLS and a Radius server. The WLAN base
station is a D-Link DWL-7000AP and the wireless card D-Link DWL-AG650.
We have got this system to work on Windows XP, although it is a bit
unstable, and far f
Dear readers
I'm trying to create certificates with OpenSSL that can be used to log into a Windows
Domain. I've read the Microsoft Knowledge Base Article 281245 and the discussions on
this list in the past. I'm using OpenSSL 0.9.8-dev from Snapshot 2004-09-23.
First I set
extendedKeyUsage = cl
Hi ...
I'm trying to write my OpenSSL generated RSA keys onto a cryptoki (smart
card) using PKCS#11 ... PKCS#11 requires the individual key parameters (p,
q, d, e, n, d mod q-1, d mod p-1) in 'unsigned char*' format, or a binary
string in general ... I'm trying to use the BigNumber library func
On Sun, Nov 16, 2003, Слепнев Владимир wrote:
> Thanks for the concise answer, although I had hoped for something more
> reassuring... Unfortunately, implementing a PKCS#11 interface to our
> card/applet, as well as writing an ENGINE or a Windows CSP for it, are
> all tasks a little out of our
Thanks for the concise answer, although I had hoped for something more
reassuring... Unfortunately, implementing a PKCS#11 interface to our
card/applet, as well as writing an ENGINE or a Windows CSP for it, are
all tasks a little out of our time frame for the project. And the
problem seems a ty
On Fri, Nov 14, 2003, Tobi Anton wrote:
> Hi,
>
> well I don't want to use Microsoft's CA (!), we run our own based on
> OpenSSL. MS says that they don't give support, but Dr. Stephen Henson
> posted a few weeks ago, that he got it to work to logon by smartcard to
Hi,
well I don't want to use Microsoft's CA (!), we run our own based on
OpenSSL. MS says that they don't give support, but Dr. Stephen Henson
posted a few weeks ago, that he got it to work to logon by smartcard to
w2k with a certificate generated by 0.9.8-dev...
@Stephen He
kind regards,
Bas Hendriks
[EMAIL PROTECTED]
Pinkroccade, PRInS, TES, Webhosting
Fauststraat 1
Apeldoorn
+31(0) 55577 8062
+31(0) 62952 6542
-Original Message-
From: Tobi Anton [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 November 2003 11:25
To: [EMAIL PROTECTED]
Subject: Win 2000 Smartcard
Hi,
I'm trying to logon to my Win 2000 server by using smartcard logon. It
doesn't work yet and I don't know how to go on. This is what I got:
I generated a client certificate with 0.9.8-dev. The openssl.conf looks
like this:
...
# PKIX recommendations harmless if
Martin Plenk wrote:
subject Alternate Name with the Microsoft Universal
Principal Name
I generated certificates with a Microsoft CA and used
the ASN1-parser to get the Strings. I attached a
sample File. The problem is, that the length is
encoded. So you can change the text in the attached
fil
FYI. Right now openCryptoki does not contain any smart card token
support. We'd be glad to have you work on that with us...
Bruce Cartland wrote:
I am using PKCS#11 libraries supplied by vendors (although I'm
starting to look at openCryptoki) to generate oncard keypairs and sign
data for
On Sat, Nov 09, 2002, Bruce Cartland wrote:
> I'm not using OpenSSL for the signing only for the verification on the server. On
>the client (MS workstation) I am currently using PKCS#11 DLLs/drivers supplied by the
>relevant vendors.
>
> It's the OpenSSL (0.9.6) verification that is failing fo
- Original Message -
From:
Hotmail
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, November 09, 2002 12:22
AM
Subject: Re: PKCS#11 and the Schlumberger
smartcard
I would be interested in how you can generate
oncard keypairs and sign data for auth
I am using PKCS#11 libraries supplied by vendors
(although I'm starting to look at openCryptoki) to generate oncard keypairs and
sign data for authentication (non cert based).
However, when I then run the
resulting signature through OpenSSL 0.9.6 RSA_public_decrypt() with padding type
of R
From other discussions on this list over the last few weeks it sounds like
the modulus read from the smartcard can be byte reversed. If the 1024-bit
modulus is 0x87..43 but your smartcard is giving it to you byte reversed
then you could be trying to use the modulus 0x43.87 which wo
Michael Wohlwend wrote:
>
> Hi there,
>
> I'm new to openssl and want to implement a client/server SSL connection. The
>difficulty is that the private key is on a smartcard ( it never leaves the card) so
>SSL should delegate all signing to the card.
> Is this poss
>
> What is causing the difference in the BN_num_bits result?
I think that the RSA key generated by your smartcard is really a 1023 bits
one. That means that one of the 2 random primes used to compose the
modulus is not 512 bits long, but 511 bits.
There's nothing OpenSSL can do
I am trying to import the public RSA key (modulus) created on a
Smart Card into an OpenSSL/OpenSSH key structure. The size of
the Smart Card public/private key pair is 1024 bits, and the key pair
was generated onboard the Smart Card.
I use the following code:
Key *k;
k = key_new(KEY_RSA);
if
he private key is on a smartcard ( it never leaves
>the card) so SSL should delegate all signing to the card.
>Is this possible at the moment ?
>
>thank you for answering
> Michael
>
Bodo Moeller wrote:
> In principle, X.509v3 name constraints could
> be used to let a client act as a CA for itself, but I've never heard
> of anyone implementing temporary keys that way.
>
That's exactly what we do in Globus! See http://www.globus.org
They are called proxy certificates. The su
e keys larger than 512 bits but they can be imported and
used for S/MIME and SSL clients but it uses ephemeral RSA for server keys
larger than 512 bits.
In smartcard terms it won't send a PKCS#11 request to generate a key
larger than 512 bits but it will use one if it already exists.
Similarly it won
in for the signing by Microsoft and can't get out
anymore in their strong crypto form.
IMO the best solution for a 'general' IE4/Netscape solution would
be to use personal strong proxies (Celocom web, C2Net SafePassage,
etc.) based on SSLeay/OpenSSL or the commercial RSA derivat
Thanks to all for the reply to my simple (maybe not ? :-) request on
smartcards.
The world around these objects is too complex and unknown also to the
smartcard vend
Heiko,
Question in line.
Heiko Nardmann wrote:
>
> Erwann ABALEA wrote:
> >
> > On Wed, 24 Feb 1999, Sergio Rabellino wrote:
> >
> > > Hi,
> > > anyone has used the ssleay/openssl certificates with smartcards
> > > (tokens)
> > > 1024bits key enabled, inside the browsers like Netscape or IE/
Erwann ABALEA wrote:
>
> On Wed, 24 Feb 1999, Sergio Rabellino wrote:
>
> > Hi,
> > anyone has used the ssleay/openssl certificates with smartcards
> > (tokens)
> > 1024bits key enabled, inside the browsers like Netscape or IE/Outlook ?
>
> We work with Gemplus, who sells crypto smartcards t
> anyone has used the ssleay/openssl certificates with >smartcards
>(tokens)
> 1024bits key enabled, inside the browsers like >Netscape or IE/Outlook ?
We're using SSLeay0.9.1 with Chrysalis LunaCA-2 cards
and 1024 keys. Chrysalis provides a PKCS11 interface,
upon which we built our own library.
On Wed, 24 Feb 1999, Sergio Rabellino wrote:
> Hi,
> anyone has used the ssleay/openssl certificates with smartcards
> (tokens)
> 1024bits key enabled, inside the browsers like Netscape or IE/Outlook ?
We work with Gemplus, who sells crypto smartcards to be used with IE4 and
Netscape 4.04+.
Sergio Rabellino wrote:
>
> Hi,
> anyone has used the ssleay/openssl certificates with smartcards
> (tokens)
> 1024bits key enabled, inside the browsers like Netscape or IE/Outlook ?
>
> Thanks for any reply...
I assume that you mean that the smartcard has an 1024bit
Hi,
anyone has used the ssleay/openssl certificates with smartcards
(tokens)
1024bits key enabled, inside the browsers like Netscape or IE/Outlook ?
Thanks for any reply...
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.
78 matches