I have an X509 object with the usual public components filled in (subject
validity issuer algorithm public key), I want to serialize the data to be
hashed and signed.
Is i2d_X509() the proper way?
It doesn't seem to work. I sign and add the signature to the x509 object,
but it doesn't
AL] Re: Alternative for structure opaque X509 &
X509_STORE_CTX
On 08/10/2021 11:07, Shivakumar Poojari wrote:
> Hi Matt,
>
> For the below error I tried your suggestion, but the return types are different,
> so I am facing an issue in replacing it; the remaining suggestions worked absolutely
> fine
ee,
Debapriyo (c)
*Subject:* [EXTERNAL] Re: Alternative for structure opaque X509 &
X509_STORE_CTX
On 05/10/2021 05:24, Shivakumar Poojari wrote:
:error: invalid use of incomplete type 'X509' {aka 'struct x509_st'}
if (x->ocsp && x->ocsp->ocsp_url)
ttacharjee, Debapriyo (c)
Subject: [EXTERNAL] Re: Alternative for structure opaque X509 & X509_STORE_CTX
On 05/10/2021 05:24, Shivakumar Poojari wrote:
> :error: invalid use of incomplete type 'X509' {aka 'struct x509_st'}
> if (x->ocsp && x->ocs
] Re: Alternative for structure opaque X509 & X509_STORE_CTX
On 05/10/2021 05:24, Shivakumar Poojari wrote:
> :error: invalid use of incomplete type 'X509' {aka 'struct x509_st'}
> if (x->ocsp && x->ocsp->ocsp_url)
Strangely there is no ocsp f
On 05/10/2021 05:24, Shivakumar Poojari wrote:
:error: invalid use of incomplete type 'X509' {aka 'struct x509_st'}
if (x->ocsp && x->ocsp->ocsp_url)
Strangely there is no ocsp field in an x509_st even in 1.0.2 that I can see.
:error: inval
Hi Matt,
Seen this comment in GitHub
OpenSSL 1.1.0 made many structures opaque. You cannot directly access the
fields inside the X509 structure any more. Instead you must use accessor
functions. In this case, as @slontis<https://github.com/slontis> says, you must
use the fu
On 8/20/2021 7:19 PM, Thomas Dwyer III wrote:
1.0.2 has X509_PUBKEY_get() (without the zero) which I believe increases the
reference count on the EVP_PKEY.
Perfect!
It was not in the 1.0.2 man page, but it seems to be portable across
1.0.1, 1.1.1, 3.0.0.
1.0.2 has X509_PUBKEY_get() (without the zero) which I believe increases
the reference count on the EVP_PKEY.
Tom.III
On Fri, Aug 20, 2021 at 3:31 PM Ken Goldman wrote:
> I have an X509_PUBKEY structure holding the algorithm and public key.
> I want to set it in the X509 structure.
I have an X509_PUBKEY structure holding the algorithm and public key.
I want to set it in the X509 structure.
In 1.1.1 and up, I can use
evpPubkey = X509_PUBKEY_get0(addToCert->key);/* X509_PUBKEY */
X509_set_pubkey(x509Certificate, evpPubkey);
However, 1.0.2 does
elow error
>
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch
>
> We have confirmed that there are no issues with certificate and private key
> by checking the certificate key hashes.
>
> Have any one encountered this issue when certific
Hi All,
We are trying to integrate OpenSSL 1.1.1i on our device that runs on the
ARM platform. Device boots to ready
state with OpenSSL 1.1.1i. However when we try to access the device EWS, we
are getting below error
error:0B080074:x509 certificate routines:X509_check_private_key:key values
Hi,
Which header file I need to include for X509 OCSP Certificate Verification. I
am getting compilation error for different structures and macros. Although, I
am including following files-
// #include
#include
#include
#include
#include
// #include
#include
> below)
> >
> > Perhaps there is something wrong, but to detect this, I will use
> > the validation, but it cannot load the certificate to validate it:
> >
> > >> openssl x509 -in test_certificate.pem -text
> > unable to load certificate
> > 14018022
is fine
I create a certificate via this request and store it with
"PEM_write_bio_X509(out, crt);" like the others. (some more code below)
Perhaps there is something wrong, but to detect this, I will use the
validation, but it cannot load the certificate to validate it:
>> o
On Fri, 2020-10-23 at 14:39 +0530, shiva kumar wrote:
> Hi,
>
> Compared to OpenSSL 1.0.2 and 1.1.0 and above, in struct
> x509_st , char *name field has been removed, what is the alternative
> for it and what is the impact? can anyone please answer the query?
Hi,
although the name field was pr
Hi,
Compared to OpenSSL 1.0.2 and 1.1.0 and above, in struct x509_st , char
*name field has been removed, what is the alternative for it and what is
the impact? can anyone please answer the query?
Thanks and regards
Shivakumar
On Fri, Jul 10, 2020 at 05:46:44PM +0530, Varun Rapelly wrote:
> I would like to create a self signed certificate with X509 version 2.
Why exactly "version 2". Are you per chance confused by the wire
encoding of X509 versions?
X.509 version 1 <-> 0 in certificate version
Hi,
I would like to create a self signed certificate with X509 version 2.
I know that we need to configure "Issuer and subject unique identifiers"
for X509 v2 format certificate, but not able to find the configuration
required (in openssl.conf) to enable it.
Please let me know how to
but to detect this, I will use the
validation, but it cannot load the certificate to validate it:
>> openssl x509 -in test_certificate.pem -text
unable to load certificate
14018039872:error:0D07209B:asn1 encoding
routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
14018022
On Fri, Oct 04, 2019 at 07:28:20PM +0530, Kalyan Kumar wrote:
> We are trying to qualify a feature which can consume ca signed certificate
> . Part of this we verified X509 v3 and v1 but unable to get the actual
> attributes for v2 creation.
>
> Is this feasible in openssl a
Hi,
We are trying to qualify a feature which can consume ca signed certificate
. Part of this we verified X509 v3 and v1 but unable to get the actual
attributes for v2 creation.
Is this feasible in openssl and also whether standard supports ?
Thanks
signature supplied to me as R and S byte arrays and
> >> lengths (from an HSM).
> >>
> >> How do I add them to the X509 structure?
> >>
> >> Is there an API, a set of calls, or do you have any hints?
> >
> > You might be looking for EC
On 8/17/2019 5:35 AM, Billy Brumley wrote:
Hey Ken,
I have an ECDSA signature supplied to me as R and S byte arrays and
lengths (from an HSM).
How do I add them to the X509 structure?
Is there an API, a set of calls, or do you have any hints?
You might be looking for ECDSA_SIG_set0:
https
Hey Ken,
> I have an ECDSA signature supplied to me as R and S byte arrays and
> lengths (from an HSM).
>
> How do I add them to the X509 structure?
>
> Is there an API, a set of calls, or do you have any hints?
You might be looking for ECDSA_SIG_set0:
https://www.openssl.org/
I have an ECDSA signature supplied to me as R and S byte arrays and
lengths (from an HSM).
How do I add them to the X509 structure?
Is there an API, a set of calls, or do you have any hints?
~~
For RSA, I simply filled in the ASN1_BIT_STRING length, data, and flags,
but an RSA signature is
This use case is that I have an HSM that internally forms an X509
certificate and returns the signature. I have to reconstruct the X509
structure externally.
I have everything but the signature and its algorithm.
How can I programmatically set these values?
What I do now is
It was great to see you last week.
You and the entire “Russian crypto cohort” :)
From: Dmitry Belyavsky
Reply-To: openssl-users
Date: Sunday, November 11, 2018 at 6:34 AM
To: openssl-users
Subject: Re: [openssl-users] x509 manual
Hello,
https://github.com/openssl/openssl/pull/7614<ht
Hello,
https://github.com/openssl/openssl/pull/7614
On Thu, Nov 8, 2018 at 4:57 PM Dmitry Belyavsky wrote:
>
>
> On Thu, Nov 8, 2018 at 4:02 PM Matt Caswell wrote:
>
>>
>>
>> On 08/11/2018 12:44, Dmitry Belyavsky wrote:
>> > Hello,
>> >
>> > can anybody clarify what for the abbreviations AVA a
On Thu, Nov 8, 2018 at 4:02 PM Matt Caswell wrote:
>
>
> On 08/11/2018 12:44, Dmitry Belyavsky wrote:
> > Hello,
> >
> > can anybody clarify what the abbreviations AVA and RDN stand for?
>
> RDN == Relative Distinguished Name
> AVA == Attribute Value Assertion
>
> An RDN consists of an unorder
On 08/11/2018 12:44, Dmitry Belyavsky wrote:
> Hello,
>
> can anybody clarify what the abbreviations AVA and RDN stand for?
RDN == Relative Distinguished Name
AVA == Attribute Value Assertion
An RDN consists of an unordered set of AVAs (but most frequently an RDN
is made up of exactly one
Hello,
can anybody clarify what the abbreviations AVA and RDN stand for?
sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline
These options determine the field separators. The first character is
between RDNs and the second between multiple AVAs (multiple AVAs
> > On Aug 14, 2018, at 4:55 PM, Stephane van Hardeveld
> wrote:
> >
> > If I would try this endeavour, what would be the best interface to set
this?
> > For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
> > attributes there?
>
> You'll need a new EVP_PKEY type that is mostly lik
> On Aug 14, 2018, at 4:55 PM, Stephane van Hardeveld
> wrote:
>
> If I would try this endeavour, what would be the best interface to set this?
> For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
> attributes there?
You'll need a new EVP_PKEY type that is mostly like RSA, bu
>
> > On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld
> wrote:
> >
> > The certificate is signed with PSS. However, I try to indicate that the
> > public key enclosed IN the certificate should be used with the OAEP
> padding
> > mode while decrypting a separate message
>
> Keys in X.509 certi
On Thursday, 9 August 2018 22:01:25 CEST Viktor Dukhovni wrote:
> > On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld
> > wrote:
> >
> > The certificate is signed with PSS. However, I try to indicate that the
> > public key enclosed IN the certificate should be used with the OAEP
> > padding
> >
>
> Keys in X.509 certificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement). But I guess you could mint an encryption-
> only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.
That is exactly the use case ;-)
I don't know whe
> On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld
> wrote:
>
> The certificate is signed with PSS. However, I try to indicate that the
> public key enclosed IN the certificate should be used with the OAEP padding
> mode while decrypting a separate message
Keys in X.509 certificates are m
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Thursday 9 August 2018 21:05
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
>
>
> On Aug 8, 2018, at 12:01 PM, Stephane van Hardeveld
> wrote:
>
> By default, if I create an X 509 certificate with a public key in it, the
> object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
> specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Ken Goldman
> Sent: Thursday 9 August 2018 18:52
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> On 8/9/201
algorithm (which is correct, since only rsaEncryption OID is
recognized). Java I did not try yet, but the online ASN.1 parsers were also
capable of decoding it, see enclosed png.
I understand that the X509 standard permits it.
However, I'm looking at the practical side - crypto libraries
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Ken Goldman
> Sent: Thursday 9 August 2018 14:56
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> On 8/9/20
On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:
Hi Ken,
I am trying to do two thing:
1: Generate X 509 certificates, with RSA-PSS signing, with different Hashing
and Masking (SHA1 and SHA256), including an RSA Public key as content. This
RSA 'content key' should specify it will be used for RS
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> 1 - If you are trying to extract the public key, X509_get_pubkey() won't
> work. I have sample code to do it. Let me know if you want the
> complete function.
>
>
1 - If you are trying to extract the public key, X509_get_pubkey() won't
work. I have sample code to do it. Let me know if you want the
complete function.
Basically:
X509_get_X509_PUBKEY
X509_PUBKEY_get0_param
d2i_RSAPublicKey
2 - If you are trying to verify a certif
Hello all,
By default, if I create an X 509 certificate with a public key in it, the
object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
I looked into the various EVP_PKEY and EVP_PKEY_CTX functions
anyone please help to find what I am doing wrong ?
root@Ubuntu:~/new#
root@Ubuntu:~/new# /usr/bin/openssl req -engine pkcs11 -new -key
"pkcs11:model=;manufacturer=ABC;serial=1;token=ABC_TOKEN;id=%01%00%00%00;object=Device_Key;type=private"
-keyform engine -out req.pem -text -x509 -sub
On 27/04/18 15:01, Ken Goldman wrote:
> That was it! What threw me off is that the documentation says:
>
> TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length);
>
> but RSAPublicKey isn't a type. So the pattern of TYPE being a structure
> name didn't hold.
Ahh. Interesting. In mo
the pattern of TYPE being a structure
name didn't hold.
(There is a d2i_RSAPublicKey() function, so I didn't need the BIO.)
For the record. here's the resulting set of calls:
X509 * = d2i_X509()
X509_PUBKEY * = X509_get_X509_PUBKEY()
X509_PUBKEY_get0_param()
RSA * = d2i_RS
On 26/04/18 23:48, Ken Goldman wrote:
> On 04/26/18 16:37, Matt Caswell wrote:
>>
>>
>> On 26/04/18 21:17, Ken Goldman wrote:
>>> I have to get the raw public modulus, but I cannot X509_get_pubkey()
>>> because of a non-standard object identifier.
>>>
>>> I can use X509_get_X509_PUBKEY() to get p
On 04/26/18 16:37, Matt Caswell wrote:
On 26/04/18 21:17, Ken Goldman wrote:
I have to get the raw public modulus, but I cannot X509_get_pubkey()
because of a non-standard object identifier.
I can use X509_get_X509_PUBKEY() to get part way there. I see the DER
wrapped key in the public_key.d
On 26/04/18 21:17, Ken Goldman wrote:
> I have to get the raw public modulus, but I cannot X509_get_pubkey()
> because of a non-standard object identifier.
>
> I can use X509_get_X509_PUBKEY() to get part way there. I see the DER
> wrapped key in the public_key.data element, but I don't know an
I have to get the raw public modulus, but I cannot X509_get_pubkey()
because of a non-standard object identifier.
I can use X509_get_X509_PUBKEY() to get part way there. I see the DER
wrapped key in the public_key.data element, but I don't know an API to
get to that element.
Am I on the rig
rithm, which has a
nid of 919. I've included both the openssl and dumpasn1 dump of the
X509 certificate. Am I doing something wrong in openssl, or is there
a problem with the certificate? I tried certificates from two
vendors, and they both fail at the same point.
Well the problem is th
On 04/03/18 02:22, Adam Shannon wrote:
> Was there a change included in the 1.1.0 series which prints names
> differently? I've looked, but been unable to narrow down what in
> specific changed.
This was changed by commit f1cece554d.
The default "nameopt" setting for
Was there a change included in the 1.1.0 series which prints names
differently? I've looked, but been unable to narrow down what in specific
changed.
$ /usr/local/opt/openssl/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017
$ /usr/local/opt/openssl/bin/openssl x509 -in thawte.pem -noout
You can do something like the following.
>>
>> First make a type corresponding to a stack of x509 attributes:
>>
>> typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE;
>> DECLARE_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE);
>>
>> Then make an asn1 template
(attrs);
Looks working.
Regards,
Libor
On 2017-11-15 15:31, Dave Coombs wrote:
> Hello,
>
> You can do something like the following.
>
> First make a type corresponding to a stack of x509 attributes:
>
> typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE;
>
Hello,
You can do something like the following.
First make a type corresponding to a stack of x509 attributes:
typedef STACK_OF(X509_ATTRIBUTE) SEQ_X509_ATTRIBUTE;
DECLARE_ASN1_FUNCTIONS(SEQ_X509_ATTRIBUTE);
Then make an asn1 template that specifies how the stack should be
Hello,
I would like to parse DER encoded x509 attributes and have no clue how
to use d2i_ASN1_SET_OF_X509_ATTRIBUTE. There are params that cannot find
what to pass like free_func.
I am trying to understand by collecting pieces of known code, looking
into openssl sources but
Since I tried all that and it crashes, I am going ahead and giving you the
more details on how I created *cert/evp_pkey* objects.
*X509 *cert = PEM_read_bio_X509_AUX(cert_bio, NULL, NULL, NULL);*
*EVP_PKEY *evp_pkey = PEM_read_bio_PrivateKey(key_bio, NULL, NULL, NULL);*
I tried freeing both
I thought this had become documented recently (i.e., in master only, not
even in 1.1.0), but can't find any evidence of such documentation.
SSL_CTX_use_PrivateKey() takes a reference on its pkey argument in the
same way as SSL_CTX_use_certificate(); it is safe for the local code to
free its local
Is this documented some where?
Also is the same true - with SSL_CTX_use_PrivateKey(ctx, evp_pkey) ? where
I can free evp_pkey with EVP_PKEY_free()?
Thanks
Adi
On Tue, Oct 17, 2017 at 9:50 AM, Benjamin Kaduk wrote:
> On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>
> I am only worried
On 10/17/2017 11:27 AM, Adi Mallikarjuna Reddy V wrote:
>> I am only worried about the following line.
>>
>> SSL_CTX_use_certificate(ctx, cert)
>>
>> After this line is it safe to free cert object while ctx is still
>> used later on?
>>
SSL_CTX_use_certificate(ctx, cert), on successful return, ta
I am only worried about the following line.
SSL_CTX_use_certificate(ctx, cert)
After this line is it safe to free cert object while ctx is still used
later on?
Thanks
Adi
On Tue, Oct 17, 2017 at 9:21 AM Benjamin Kaduk wrote:
> You only asked about freeing the X509, which is safe in t
You only asked about freeing the X509, which is safe in this situation.
It is not safe to free the SSL_CTX if you want to use it again later --
remove this SSL_CTX_free(ctx) call and put one in your program's cleanup
instead.
-Ben
On 10/17/2017 11:08 AM, Adi Mallikarjuna Reddy V wrote:
>
;
> Hi,
>
> If I have an X509 object and is created using PEM_read_bio_X509_AUX(),
> then Can I free X509 right after the completion of PEM_read_bio_X509_AUX()?
>
>BIO *cert_bio = BIO_new(BIO_s_mem());
>
On 10/17/2017 08:39 AM, Adi Mallikarjuna Reddy V wrote:
> Hi,
>
> If I have an X509 object and is created using PEM_read_bio_X509_AUX(),
> then Can I free X509 right after the completion
> of PEM_read_bio_X509_AUX()?
>
> BIO *cert_bi
Hi,
If I have an X509 object and is created using PEM_read_bio_X509_AUX(), then
Can I free X509 right after the completion of PEM_read_bio_X509_AUX()?
BIO *cert_bio = BIO_new(BIO_s_mem());
X509 *cert = X509_new
On 08/30/2017 09:22 PM, Michael Richardson wrote:
Viktor Dukhovni wrote:
> So indeed, you'd not be the first to consider a special-purpose
> concise format. It is somewhat surprising that the applications
> you're considering use X.509 certificates at all, rather than just
Viktor Dukhovni wrote:
> So indeed, you'd not be the first to consider a special-purpose
> concise format. It is somewhat surprising that the applications
> you're considering use X.509 certificates at all, rather than just
I meant to add in my previous email, that the reason to use
Viktor Dukhovni wrote:
> So indeed, you'd not be the first to consider a special-purpose
> concise format. It is somewhat surprising that the applications
> you're considering use X.509 certificates at all, rather than just
> raw public keys. With expiration times in the year "9
Viktor Dukhovni wrote:
> The openssl ca(1) program is to some extent just a demo, that meets
I'd actually suggest that it be either:
1) ripped out of the source code, and turned into a separate "application".
2) pushed internal to the source code (not installed), and used only for
ru
On 08/30/2017 10:33 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote:
I woke up a little clearer head, and realized, that a truly
constrained device won't even bother with DER, but just store the raw
keypair.
FWIW, Apple's boot firmware stores the s
On Wed, Aug 30, 2017 at 06:03:03AM -0400, Robert Moskowitz wrote:
> I woke up a little clearer head, and realized, that a truly
> constrained device won't even bother with DER, but just store the raw
> keypair.
FWIW, Apple's boot firmware stores the signature key as the raw
RSA key bits in little
Viktor,
On 08/30/2017 12:59 AM, Viktor Dukhovni wrote:
On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
So back to openssl ca and deal with no way to directly create a DER
formatted cert.
Definitely a deficiency.
Not really a deficiency, as the certificates in question need
On Wed, Aug 30, 2017 at 12:17:09AM -0400, Robert Moskowitz wrote:
> So back to openssl ca and deal with no way to directly create a DER
> formatted cert.
>
> Definitely a deficiency.
Not really a deficiency, as the certificates in question need to
be squirreled away in PEM format in the CA's "ce
Viktor,
thanks for the explanation. Obviously I read more into the man than was
really there:
https://www.openssl.org/docs/man1.1.0/apps/x509.html
So back to openssl ca and deal with no way to directly create a DER
formatted cert.
Definitely a deficiency.
On 08/29/2017 07:25 PM, Viktor
On Tue, Aug 29, 2017 at 05:36:34PM -0400, Robert Moskowitz wrote:
> Another problem. It is almost like it is not reading the CA selection?
Not "almost", but actually as expected, since "openssl x509 -req"
is not the ca(1) application.
>openssl x509 -req -extfi
# per IEEE 802.1AR
to produce:
Not Before: Aug 29 21:19:33 2017 GMT
Not After : Dec 31 23:59:59 GMT
But
openssl x509 -req -extfile $dir/openssl-8021AR.cnf\
-extensions 8021ar_idevid -days 365 -sha256\
-set_serial 0x$(openssl rand -hex $sn
a
Fedora-arm 26 system (on a Cubieboard2) and it has openssl version
1.1.0f
I built my DER root cert (and private key) no problem.
I built my DER Intermediate cert private key and CSR no problem.
For the following command:
sn=8
format=der
dir=/root/ca3
cadir=/root/ca3
openssl x509 -req
my DER Intermediate cert private key and CSR no problem.
For the following command:
sn=8
format=der
dir=/root/ca3
cadir=/root/ca3
openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
-extensions v3_intermediate_ca\
-sha256 -set_serial 0x$(openssl rand -hex $sn)\
-inform $format -in
no problem.
For the following command:
sn=8
format=der
dir=/root/ca3
cadir=/root/ca3
openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
-extensions v3_intermediate_ca\
-sha256 -set_serial 0x$(openssl rand -hex $sn)\
-inform $format -in $dir/csr/intermediate.csr.$format\
-outform
PM, Robert Moskowitz wrote:
openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format\
-in $dir/csr/intermediate.csr.$format -outform $format -out
$dir/certs/intermediate.cert.$format\
-CAkeyform $format -CAkey $cadir/private/ca.key.$format -CAform $format\
-CA $cadir/certs/ca.ce
format=der
dir=/root/ca3
cadir=/root/ca3
openssl x509 -req -days 3650 -extfile $cadir/openssl-root.cnf
-extensions v3_intermediate_ca\
-sha256 -set_serial 0x$(openssl rand -hex $sn)\
-inform $format -in $dir/csr/intermediate.csr.$format\
-outform $format -out $dir/certs/intermediate.cert
> And the manpages should say things like “any supported digest” and such.
The picture is a lot more complex I'm sorry to say...
You’re right. Thanks.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
gest” and such.
I was going by:
https://www.openssl.org/docs/man1.0.2/apps/x509.html
Which has a very short list. And not SHA256.
Bob
> On Aug 22, 2017, at 10:53 AM, Salz, Rich via openssl-users
> wrote:
>
> Fixed in 1.1.0 and later; “list—digest-algorithms” command.
For the record: "openssl list -digest-algorithms", the "ndash" above
is a typo of some sort...
It is not clear to me how to get a list of digest algorithms tha
> > SHA256 is not listed as a valid hash.
>Many more X.509 digest algorithms are supported in this context
>than (sadly) are listed in the manpage. Perhaps there should
> be a command that lists all supported x.509 hash algorithms,
>and the documentation for commands that take
> On Aug 21, 2017, at 9:02 PM, Robert Moskowitz wrote:
>
> openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format\
> -in $dir/csr/intermediate.csr.$format -outform $format -out
> $dir/certs/intermediate.cert.$format\
> -CAkeyform $format -CAkey $ca
I had a frustrating day. I looked at the documentation at:
https://www.openssl.org/docs/man1.0.2/apps/x509.html
My Fedora24 reports that I am at version 1.0.2k
I made the following command:
openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format\
-in $dir/csr
> Does your response mean, that RSA-PSS meanwhile _is_ fully supported in 1.1.0?
I hesitate to say fully, because there are no doubt parts that don't work.
But RSAPSS signatures are supported.
But more importantly, 1.1.1 not 1.1.0
> Any estimations about how much work has to be done for adoptin
On 27.06.2017 at 14:18, Salz, Rich via openssl-users wrote:
1.0.2 does not have full RSA-PSS support; you can’t use it.
Thanks Rich, in my case it works, because we partially do the
verification (and algo selection) work externally.
We just need to access the public key which is rsa in bot
1.0.2 does not have full RSA-PSS support; you can’t use it.
On 26.06.2017 at 22:30, Benjamin Kaduk wrote:
On 06/25/2017 03:06 PM, we...@infotech.de wrote:
Dear OpenSSL users,
we recently came across a certificate with OID: id-RSASSA-PSS aka
rsassaPss in x509 subjects public key AlgorithmIdentifier.
According to rfc4056 it is legitimate to use
On 06/25/2017 03:06 PM, we...@infotech.de wrote:
> Dear OpenSSL users,
>
> we recently came across a certificate with OID: id-RSASSA-PSS aka
> rsassaPss in x509 subjects public key AlgorithmIdentifier.
>
> According to rfc4056 it is legitimate to use rsaEncryption or
> id-
Dear OpenSSL users,
we recently came across a certificate with OID: id-RSASSA-PSS aka
rsassaPss in x509 subjects public key AlgorithmIdentifier.
According to rfc4056 it is legitimate to use rsaEncryption or
id-RSASSA-PSS as OID for the subject public key.
But when listing the certs
On 3/28/2017 5:25 AM, Christian Adja via openssl-users wrote:
Can someone tell me what function is called to retrieve the public key from
an x509 cert, in the case of an EC public key?
X509_get_pubkey()
Dear friends,
Can someone tell me what function is called to retrieve the public key from an x509
cert, in the case of an EC public key?
Best regards.
On Monday 27 March 2017 10:26, "openssl-users-requ...@openssl.org"
wrote:
Send openssl-users mailing list submissions to