Re: PKCS12 - Why Encrypted?

2011-04-20 Thread Erwin Himawan
PKCS doc., including PKCS12 http://www.rsa.com/rsalabs/node.asp?id=2124 On Wed, Apr 20, 2011 at 5:03 PM, Patrick Rutkowski wrote: > I'm pretty new to this PKI stuff, but I'm very confused about why pkcs12 > files are encrypted. > > As I understand i

Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-06 Thread Erwin Himawan
Hi All, I am trying out the example in this http://www.openssl.org/docs/crypto/EVP_DigestInit.html. When I build this example using ver 1.0.0d, the example crashes at EVP_DigestFinal_ex. When I build this example using previous version, the example works as expected. Any thoughts or comments w

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-06 Thread Erwin Himawan
configuration). On Mon, Jun 6, 2011 at 4:10 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Mon, Jun 06, 2011 at 03:18:12PM -0500, Erwin Himawan wrote: > > > I am trying out the example in this > > http://www.openssl.org/docs/crypto/EVP_DigestI

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-07 Thread Erwin Himawan
: OPENSSL_VERSION_NUMBER: 9470255 SSLeay(): 9470255 Are the OPENSSL_VERSION_NUMBER and SSLeay() supposed to be the same? Thanks, Erwin On Mon, Jun 6, 2011 at 7:52 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Mon, Jun 06, 2011 at 06:22:53PM -0500, Erwin Himawan wrote: > > >

Re: Bug in EVP_DigestFinal_ex() in version 1.0.0d?

2011-06-07 Thread Erwin Himawan
Viktor, Thanks for your help. Once I fix my compilation environment, everything works ok. Thanks again. Regards, Erwin On Tue, Jun 7, 2011 at 10:22 AM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Tue, Jun 07, 2011 at 10:05:19AM -0500, Erwin Himawan wrote:

Converting ECC public key point-compressed and uncompressed

2011-07-15 Thread Erwin Himawan
Hi All, I would like to know whether the openssl API has a function call for generating ECC point-compression given only the uncompressed ECC public key. Likewise, given the point-compressed ECC key, I would also like to recover the uncompressed ECC key. Thanks for the help Regards, Erwin

Re: Converting ECC public key point-compressed and uncompressed

2011-07-17 Thread Erwin Himawan
understanding is that to convert the form of ecc key from compressed to uncompressed and from uncompressed to compressed requires the knowledge of the ECC private key. Is my understanding correct? Thanks in advance Erwin On Fri, Jul 15, 2011 at 9:06 PM, Erwin Himawan wrote: > Hi All, > > I w

Re: Converting ECC public key point-compressed and uncompressed

2011-07-17 Thread Erwin Himawan
Marti, thanks for your response. Erwin -- From: "Martin Boßlet" Sent: Sunday, July 17, 2011 7:21 AM To: Subject: Re: Converting ECC public key point-compressed and uncompressed My understanding is that to convert the form of ecc key from compres

Re: Converting ECC public key point-compressed and uncompressed

2011-07-18 Thread Erwin Himawan
I am able to convert the ECC key from compressed to uncompressed (and vice versa) using the "EC_KEY_set_conv_form" call. On Sun, Jul 17, 2011 at 10:30 AM, Erwin Himawan wrote: > Marti, thanks for your response. > > Erwin > > --**---

Openssl API: Extracting Public Key Algorithm

2011-07-22 Thread Erwin Himawan
Hi All, I would like to get each of the fields and values of the public key info from the certificate using the API: - public key algo: id-ecPublicKey - Size of the pub key (256 bit). - pub: 02:1d:7d:69:c5:7e:ef:15:f0:76:6a:60:5a:9e:1e: 68:1f:33:6c:ca:10:62:5a:21:6e:ab:4f:d

Re: X509 verify

2011-07-27 Thread Erwin Himawan
The way I would verify this is by writing the original X509 object into PEM file and dumping the X509 object resulting from d2i_x509() into another PEM file and compares both files using the openssl; either using asnparse or x509 command. On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino wrote:

Re: X509 verify

2011-07-27 Thread Erwin Himawan
ng in this code? Thanks in advance. Best Regards Andrea Saracino 2011/7/27 Erwin Himawan The way I would verify this is by writing the original X509 object into PEM file and dumping the X509 object resulting from d2i_x509() into another PEM file and compares both files using the openssl; eith

Re: X509 verify

2011-07-27 Thread Erwin Himawan
/BIO_write/osx-10.3.php erwin On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan wrote: > I would not use the X509_print_fp(), since it does not give you the PEM or > DER file. > Use instead PEM_write_bio or write_bio() for PEM and DER respectively. > Also check for error for the stat

Re: Handshake question

2011-07-27 Thread Erwin Himawan
You mention that: Server loads its server certificate and private key ( self-signed by a CA that I created). I would like to clarify: the server cert is a self signed cert? or the CA cert is a self signed cert? If the server cert is a self signed cert, the server is actually the ca, which in this c

Re: howto be my own CA for my new certificates

2011-08-04 Thread Erwin Himawan
When you are creating a CA and issuing certificate you are building a PKI (Public Key Infrastructure). In operating a PKI, you might want to consider crafting a certification policy, specifying the process for managing the lifecycle of your certificates, securing the CA's private key, securing th

How to Check Whether the resources of X509 has been freed when it is freed by X509_free()

2011-09-08 Thread Erwin Himawan
Hi All, I have several questions associated with freeing resources of X509 struct. snippet of my code: X509 *x509Cert = X509_new(); if (x509Cert == NULL) printf("Error instantiating X509 object\n"); /* do some processing with my x509Cert object */ /* Cleaning up resources of x509Cert */ if(x509

Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()

2011-09-09 Thread Erwin Himawan
X509_free() On 9/9/2011 5:21 AM, Erwin Himawan wrote: Hi All, I have several questions associated with freeing resources of X509 struct. snippet of my code: X509 *x509Cert = X509_new(); if (x509Cert == NULL) printf("Error instantiating X509 object\n"); /* do some processing wit

Reading Private and Public Key Pair DER files into EVP_PKEY

2011-10-03 Thread Erwin Himawan
Hi All, I would like to confirm whether my approach is correct in initializing EVP_PKEY from public key DER file and private key DER file. My question is: This is the scenario, I have two files; private key files and public key files. These files are in DER. I would like to initialize the EVP_PKE

openssl s_client -dtls1 and ECC key

2011-10-12 Thread Erwin Himawan
Hi, Does anybody know whether openssl s_client and s_server support the use of -dtls1 option while the server uses ECC key? The issuing CA and root CA use ECC keypair. These are my openssl s_server and s_client options: openssl s_server -accept 12000 -cert server.pem -certform pem -key server_key

Re: openssl s_client -dtls1 and ECC key

2011-10-12 Thread Erwin Himawan
I forgot to mention, I am using openssl 1.0.0d The server ecc key spec is prime256v1. On Wed, Oct 12, 2011 at 4:33 PM, Erwin Himawan wrote: > Hi, > > Does anybody know whether openssl s_client and s_server support the use of > -dtls1 option while the server uses ECC key? > The

Re: openssl s_client -dtls1 and ECC key

2011-10-23 Thread Erwin Himawan
Hi Erwin, > > The patch is for the current release 1.0.0e but should work with 1.0.0d as > well. However, I recommend using 1.0.0e anyway because several bugs have > been fixed in this version, as you might have seen on our website. > > Robin > > > On 21.10.2011, at 17:

Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG

2011-10-25 Thread Erwin Himawan
A quick observation. If my understanding is correct, d2i_X509() function is only for DER-encoded X509. Could you make sure that your 0.9.8's cert is DER-encoded, not PEM-encoded. The cert file you are attaching is a PEM-encoded file. On Tue, Oct 25, 2011 at 9:41 AM, Nan Luo wrote: > Hi,

Re: openssl 1.0.0 d2i_X509() error ASN1_R_WRONG_TAG

2011-10-25 Thread Erwin Himawan
This is a snippet of my code that converts DER encoded X509 into OPENSSL X509 /* Convert X509 from DER to openssl X509 struct */ X509 *x509CertificateTemp = NULL; const unsigned char *x509CertificateDERNext; x509CertificateDERNext = x509CertificateDER; if(d

Re: certificates stored in ldap

2011-11-21 Thread Erwin Himawan
Although this doc is outdated, I find that this doc is helpful: http://vandervlies.xs4all.nl/~andre/Docs/pkildap.html On Mon, Nov 21, 2011 at 7:53 AM, prabhu kalyan rout wrote: > Hi, > I am trying to store user certificates to ldap. But I don't know how to do > it. > > Can anybody please tell m

Re: Unable to load certificate

2011-11-30 Thread Erwin Himawan
Try using openssl x509 -noout -text -in server.crt -inform der On Wed, Nov 30, 2011 at 10:28 AM, Hopkins, Nathan wrote: > Hi, please can anyone help - what could be the possible cause for the > below - my expectation is the .crt should be in the .pem format but I'm > getting the below? > > > open

Re: Unable to load certificate

2011-12-02 Thread Erwin Himawan
tasn_dec.c:380:Type=X509 > > *From:* owner-openssl-us...@openssl.org [mailto: > owner-openssl-us...@openssl.org] *On Behalf Of *Erwin Himawan > *Sent:* 30 November 2011 16:52 > *To:* openssl-users@openssl.org > *Subject:* Re: Unable to l

LDAP Server Supporting Component Matching

2011-12-02 Thread Erwin Himawan
Hi All, I am aware that this is not the right forum. However, I am just wondering whether anybody knows any LDAP server (commercial or opensource) that supports searching certificate using component matching. Thanks, Erwin

Can EVP_cleanup() corrupt memory?

2012-01-26 Thread Erwin Himawan
Hi All, I have a function which adds a list of EVP_digest that I want to look up to. Later on, I would like to free these digests from this look up table. Below is a snippet of the function that adds these digests into the openssl's lookup table: /* Add EVP_MD digest into a lookup table */ i

s_server supporting multiple clients

2012-02-21 Thread Erwin Himawan
Hi folks, Can the s_server support multiple client connections? Thanks, Erwin

openssl smime CLI using password for encryption

2012-03-01 Thread Erwin Himawan
Hi All, Does openssl smime CLI support encryption using password, instead of using recipient certificate? Thanks, Erwin

Re: expired ssl certificate

2012-04-11 Thread Erwin Himawan
Reading Nou's proposal, I have the impression that the client needs to be modified to accept expired server's certificate. Is my understanding correct? If my understanding is correct, the client needs to be updated. If the client needs to be updated, in my opinion, it is simpler to update the cl

Re: expired ssl certificate

2012-04-13 Thread Erwin Himawan
openssl-us...@openssl.org] On Behalf Of Erwin Himawan Sent: Wednesday, April 11, 2012 2:57 PM To: openssl-users@openssl.org Subject: Re: expired ssl certificate Reading Nou's proposal, I have the impression that the client needs to be modified to accept expired server's certificate.

Re: Exchange information without SSL

2012-05-02 Thread Erwin Himawan
I have the impression you want to protect (providing message integrity, message authentication, and confidentiality) messages between a client and a server. The options are: 1. Protect individual message with known techniques such as S/MIME, CMS and send it in unprotected connection. 2. Protect th

Re: X509 - extract remote peer certificate chain to a file

2012-05-06 Thread Erwin Himawan
You can use PEM_write_bio_X509 or PEM_write_X509 to save X509 into a FILE. You can use PEM_read to read this PEM file when you need it. On Sun, May 6, 2012 at 10:36 PM, Josh wrote: I have a very simple query: as a result of SSL/TLS negotiation I know I > could retrieve a pointer to the remote

Re: openssl ca vs openssl x509

2012-06-01 Thread Erwin Himawan
In general, probably look for PKI tutorial; there should be concepts associated with CA, x509 (digital certificate) Erwin On Fri, Jun 1, 2012 at 9:34 AM, Stephen More wrote: > Is there a doc somewhere that explains the differences between ca and x509 > ? > > I was signing client side certificat

Re: Elliptic Curve key generation help

2012-08-14 Thread Erwin Himawan
Last time I learnt how to generate ECC key, I used apps/ecparam.c as a reference. To get a feel on what the code is doing, I played with the openssl ecparam utility. Using the utility, I also created CSR (PKCS10), created self-signed certificate, etc. I hope this is helpful. Erwin On Tue, Aug 1

Re: Does CSR need to be signed with matching private key?

2013-03-05 Thread Erwin Himawan
The role of the private key in the CSR is for a proof of possession (POP). You can use crypto and non-crypto methods to provide a proof of possession of private key to a CA. Without a crypto method, I am not sure whether you can provide a POP without disclosing the private key to the CA. If the