Menu
  • HOME
  • TAGS

Should I upgrade the version installed with OS X Yosemite?

openssl

You should definitely not upgrade the system provided version of OpenSSL, because it can break all applications depending on the exact version provided (ABI included). I don't know what you mean by user (the command line tool or the library), but if you need an updated version of OpenSSL (or...

Client Certificate Authentication and User Enrollment

openssl,worklight,worklight-adapters,worklight-server,worklight-security

The user authentication feature is it's own separate security realm. It allows you to specify a dependent user auth realm that is used when an x509 certificate is not provided by the client. The dependent realm is basically used to enroll the device/user/app into your PKI. The dependent realm can...

Generate nonce c++

c++,openssl,cryptography,crypto++,nonce

I am wondering if there is a way to generate a cryptographic nonce using OpenSSL or Crypto++ libraries. Crypto++: SecByteBlock nonce(16); AutoSeededRandomPool prng; prng.GenerateBlock(nonce, nonce.size()); OpenSSL: unsigned char nonce[16]; int rc = RAND_bytes(nonce, sizeof(nonce)); unsigned long err = ERR_get_error(); if(rc != 1) { /* RAND_bytes failed */ /* `err`...

AES_encrypt/AES_decrypt only returns part of a message

openssl,jni

AES_encrypt((const unsigned char *)origin, (unsigned char *)out, &aesKey); AES_encrypt operates on 16-byte blocks. 16 is the block size of AES. Effectively, you truncated your message. AES_decrypt(pout, outout, &aesKey); Here, you only decrypted 16 byes. The remainder of the buffer was back filled with 0. The 0 served as the...

FIPS integrity verification test failed when iniating SSH session

ssh,openssl,centos,centos6,fips

The session continues and I am able to connect to the remote server. Is the connection still secure? Yes. OpenSSL is known as FIPS Capable. The FIPS Capable version of the library can use validated cryptography. If FIPS_mode_set is not called, then the module is using non-validated cryptography. If...

OpenSSL's rsautl cannot load public key created with PEM_write_RSAPublicKey

c++,openssl,pem

int err = PEM_write_RSAPublicKey(pubwriter, key); PEM_write_RSAPublicKey writes just the public key. You can make the command work using PEM_write_PUBKEY. The various *_PUBKEY routines write the SubjectPublicKeyInfo, which includes the algorithm OID and public key. When you write the SubjectPublicKeyInfo, OpenSSL calls it "traditional" format. It will also have the...

OpenSSL CSR signing not including Locality

openssl

The solution is easy. I missed the localityName in my policy and obviously it won't get included then. This is a working example: [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional ...

Update Android app to latest version of OpenSSL

android,openssl

I would like to know how to update open SSL to the latest supported version in my Android application. Download OpenSSL 1.0.2a from OpenSSL: Source, Tarballs Cross-compile OpenSSL for Android Rebuild your app, linking against the cross-compiled library Note: you have to use static linking against OpenSSL. You cannot...

Load RSA private key to EVP_PKEY

ios,objective-c,c,openssl,privatekey

Since OpenSSL version, 1.0.0 , the routines like PEM_write_PrivateKey defaults to PKCS8 format which has header and footers like: -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- If you want to write in traditional formats in releases later than 1.0.0 call secifically the read and write routines like PEM_read_RSAPrivateKey and PEM_write_RSAPrivateKey Traditional...

Statically link OpenSSL in XCode

xcode,openssl,static-linking,dylib

Why does it look for dylib when I am linking it statically? How can this be fixed? Apple's linker uses the dylib or share object if its available, regardless of of your linker flags like -rpath and -Bstatic. They even do it on iOS, where dylib's are not allowed!...

Android NDK OpenSSL error cross-compiling

c,windows,android-ndk,openssl,cross-compiling

Using this guide and modifying the file setenv-android.sh you can easy compile openssl for arm, x86 and mips. You just have to modify _ANDROID_NDK _ANDROID_ARCH _ANDROID_EABI _ANDROID_API parameters note: for mips you'll have to add some lines in the file around around line 120: arch-mips) ANDROID_TOOLS="mipsel-linux-android-gcc mipsel-linux-android-ranlib mipsel-linux-android-ld" ;; around...

What is special for a private key to be PEM-formatted?

python,openssl,public-key-encryption,jwt

Having examined the PyJWT source code, it is apparent that the library expects the PEM data to be a string type, but you are providing a bytestring (evident in your question by the b'...' literal). The offending function is prepare_key, along with the definition of acceptable string types. You must...

Ruby OpenSSL Errors - Missing CA Certs (Who is Justin?)

ruby,windows,ssl,https,openssl

RubyInstaller issue #153 OpenSSL::X509::DEFAULT_CERT_FILE with personal hardcoded path The problem is OpenSSL that has hardcoded values. Search to closed issues and also RubyInstaller group and will see this happens from time to time. OpenSSL needs to be fixed, but no patch to solve this issue has proposed to OpenSSL itself....

AES decryption only works for first 16 characters

c++,encryption,openssl,aes

AES_decrypt just decrypts one block of 16 bytes of AES data. I believe it is a lower level function than what you want. You're much better off using the EVP_* level functions instead. You can find a pretty complete example of how to use these on the openssl wiki -...

Android NDK OpenSSL

android,windows,android-studio,android-ndk,openssl

I resolve partially my problem but it's not completely answer, I did compile openssl for android x86 and arm architecture in this link I post my advances. I'm not going to mark this answer as correct till I'll compile openssl for all architectures EDIT: I post the answer in this...

Create OpenSSL certificates signed by myself

c++,ssl,boost,openssl,ssl-certificate

Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here...

OpenSSL or LibreSSL C++ sample for client TLS connection

c++,openssl,libressl

I am searching for a client TLS connection example in C++. I think there are a couple of ports of OpenSSL to C++. They try to do the full class wrapper thing. See openssl++ class on Google. When I use it in C++, I use unique pointers for cleanup....

What causes 'error:1408D172:SSL routines:SSL3_GET_KEY_EXCHANGE:wrong signature type' SSL error?

php,ssl,curl,soap,openssl

Answering just for completeness, TLSv1.2 started working the next day after I raised it with the vendor, they later confirmed it was server side problem.

SSLv3 certificate verify failure when TLSv1 was specified?

ruby,openssl

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed... Why is it complaining about SSLv3, if I am specifying TLSv1? Its an artifact of the error messages in OpenSSL. Don't worry too much about it (other than the take away of "verification failed"). You did not...

Undefined symbols for architecture x86_64 on OS X with fat library

c++,c,xcode,osx,openssl

It looks to be a bug in the code generator for x64 in the static library case. The easiest, non patch openssl change workaround is to add a reference to OPENSSL_cleanse somewhere in your code, even if it's not used. That will fix up the link-time reference. What's actually happening...

OpenSSL causing very slow Rails boot time on Windows

ruby-on-rails,ruby,ruby-on-rails-4,openssl

Edit-2: I ran ruby-prof on Rails.application.initialize and found the culprit. A process was taking up 85% of the run time: <Module::SecureRandom>#random_bytes <Module::OpenSSL::Random>#random_bytes Yeah, the OpenSSL code for seeding the random number generator is problematic on Windows. See Random Numbers and Windows Issues on the OpenSSL wiki. return OpenSSL::Random.random_bytes(n) So...

Validating that an uploaded file is a valid PEM file

php,openssl,php-openssl

Use "openssl rsa" and parse its output Wrong file: $ openssl rsa -noout -modulus -in ./wrong.pem unable to load Private Key 140324790638432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY Proper key $ openssl rsa -noout -modulus -in ../proper.pem...

RSA decrypt message [closed]

c++,c,openssl,cryptography,rsa

I found the problem. After adding errors checks, I've got error "3132:error:0906D06C:lib(9):func(109):reason(108):.\crypto\pem\pem_lib.c:703:Expe cting: ANY PRIVATE KEY". After googling and reading the manuals, I understood that my private key was initialized wrong. I needed to add \n after each line in private key (after each 64th symbol). So the key in...

How to sign a certificate request using openssl?

openssl,certificate,signing,pki

Most probably your OpenSSL config is based on the default config file (openssl.cnf) which restricts the value of the organizationName DN component. In the CA section find the policy=<section_name> entry and change organizationName=match to organizationName=supplied as in: [ policy_match ] organizationName = supplied ...

Updating Openssl in os x yosemite

osx,openssl,homebrew,macports,brew

Okay, So i solve the problem, i was using http://ohmyz.sh and updating "PATH" in zsh is a mess. After uninstalling the zsh and reinstalling everything with "brew" solve the problem. Everything works perfectly now :)

Windows alternative to zeus and spring for rails

ruby-on-rails,ruby,openssl

You can use spork as alternative to spring https://github.com/sporkrb/spork

Create a base64 md5 hash in nodejs equivalent to this openssl command

node.js,openssl

Done var mysecretkey = "secret"; var path = "/s/link"; var ip = '127.0.0.1'; var time = '2147483647'; var path = time + path + ip + ' ' + mysecretkey; var crypto = require('crypto'); var md5sum = crypto.createHash('md5'); var d = md5sum.update(path).digest('base64'); //#echo -n '2147483647/s/link127.0.0.1 secret' | openssl md5 -binary...

Working with EVP and OpenSSL, coding in C

c,encryption,openssl,digital-signature,evp-cipher

For the sign/unsign key part I need further information, how is this signature done? For example, is this signature an X byte length at the end of the file and can then easily be removed? For items 2-5 in your list the following code will surely assist, it is based...

ProcessBuilder and running OpenSSL command which contains spaces

java,openssl

cmdGetAlgorithm[0] = "openssl x509 -in"; ... As @immibis stated in the comments, arg[0] is the program name. So the vector should look something like: cmdArg[0] = "/usr/local/ssl/bin/openssl"; cmdArg[1] = "x509"; cmdArg[2] = "-in"; cmdArg[3] = certFilePAth; cmdArg[4] = "-noout" cmdArg[5] = "-text"; cmdArg[6] = "-certopt"; cmdArg[7] = "no_subject,no_header,no_version,no_serial,no_validity," +...

OpenSSL error alert handshake failure

openssl

The client software works with nearly all sites but there are a few that give this error. As commented by jww - you don't get this error if you use SNI. SNI is supported by all modern browsers, but outside of this it is not supported with older versions...

No module named OpenSSL in kivy app

python,openssl,kivy,autobahn

openssl is the recipe which builds the openssl C library, not a Python module. You need the C library as well, but to get the Python module add pyopenssl to your requirements.

Failing mutual auth on Android w/ javax.net.ssl.SSLHandshakeException: Handshake failed

java,android,ssl,openssl,mutual-authentication

I never put the client cert in the KeyManager: KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509"); kmf.init(keystore, "password".toCharArray()); sslContext.init(kmf.getKeyManagers(), new TrustManager[]{tm}, null); ...

ERROR: While executing gem … (OpenSSL::X509::StoreError)

ruby-on-rails,ruby,openssl

TRy this in your command line ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' Also see OpenSSL::X509::StoreError: cert already in hash table? and SSL Error When installing rubygems, Unable to pull data from 'https://rubygems.org/....

mixing openssl API and BSD sockets API

c,sockets,unix,openssl,portability

What you describe is the traditional API model for using OpenSSL. An SSL object owns the socket and performs all I/O on it, so you have to use the SSL_read() and SSL_write() functions when performing secure I/O. OpenSSL also has a newer API model using BIO structures instead. You can...

SoapClient in PHP 5.6 when using HTTPS emits warning with “key values mismatch”

php,soap,openssl,php-5.6

I've confirmed that this is PHP bug, and was introduced in PHP 5.6.7, in commit fd4641696cc67fedf494717b5e4d452019f04d6f. The workaround is to call openssl_error_string() after openssl_pkcs12_read(). Update A pull request has been submitted to address this issue....

OpenSSL::X509::Certificate Showing Certificate for Wrong Domain

ruby,osx,sockets,openssl,ssl-certificate

however, there is one domain that does not report correctly - myproair.com, which reports a certificate for parkinsonsed.com - any ideas? It looks like shared hosting combined with SSL is the culprit. Apparently, parkinsonsed.com is the default site for the server. You should use SNI to overcome the limitations....

node.js crypto signature and openssl signature does not match

node.js,openssl,rsa,digital-signature,sha256

When you supply an input to a signature program, it might assume that the input is not yet hashed, and will hash it before signing. The problem here is that Node is (re-)hashing the input, while rsautl is using the input as-is. (Note that even if you separately re-hash the...

How to check OpenSSL library version of android application

android,windows,openssl

I have resolved the issue which I was facing i.e. was unable to run the command $ unzip -p YourApp.apk | strings | grep "OpenSSL" I installed Unzip Package in Cygwin by opening the setup of Cygwin and then It shows all the packages available for Cygwin, selected Unzip package...

Using Security Transforms to verify an RSA signature created with Ruby/OpenSSL

ruby,cocoa,openssl,licensing,rsa

In short you're mixing up some key concepts. Here's a quick primer on how this works. A document (your license data/email) is hashed with a digest (SHA256) Private key encrypts the hash. This is the binary signature. The binary signature needs to be encoded into a format convenient for transport,...

How to specify CA private key password for client certificate creation using OpenSSL

command-line,openssl,x509,ca

Use -passin pass as shown below. openssl x509 -req -in client.csr -signkey client.key -passin pass:clientPK -CA client-ca.crt -CAkey client-ca.key -passin pass:secret <-- try this -CAcreateserial -out client.crt -days 365 ...

Convert a big number given as a string to an OpenSSL BIGNUM

c,openssl,bignum

unsigned char *p_str = "82019154470699086128524248488673846867876336512717"; BIGNUM *p = BN_bin2bn(p_str, sizeof(p_str), NULL); Use int BN_dec2bn(BIGNUM **a, const char *str) instead. You would use BN_bin2bn when you have an array of bytes (and not a NULL terminated ASCII string). The man pages are located at BN_bin2bn(3). The correct code would look...

Compile with linking against static and dynamic library for OpenSSL

ubuntu,openssl

g++ test.cpp -lcrypto -o test Try: g++ test.cpp -o test -lcrypto -ldl Order and placement of the library matter. For my purpose it is necessary to link the library statically. My bad. I missed this earlier. For this, its easiest to perform: g++ test.cpp /usr/lib/x86_64-linux-gnu/libcrypto.a /usr/lib/x86_64-linux-gnu/libssl.a -o test -ldl...

issues in creating c linux library

java,c,openssl,jni,shared-libraries

BIO_new_mem_buf is in the openssl library. You have to link your library with -lcrypto (lower case L) or with what pkg-config --libs openssl gives you.

Server with ECDHE key and cert not working

c,openssl,ca

as described here: Elliptic Curve CA Guide... This page has so many errors and omissions I would discard it. The first red flag is the white text and black background. That tells me someone less experienced is providing the page... From the page: openssl ecparam -list-curves This should be...

Rails Base64 decoding

ruby-on-rails,openssl,base64

You may have run into this bug which prevents you storing data with embedded nulls. I would just store the key as-is (ie. in Base64 format) as this will have no nulls. Then... when you need the key for a crypto operation just Base64.decode64(@user.privkey_user_enc) before use. Base64 is just a...

Not able to strip password from private key

ios,osx,openssl,apple-push-notifications,mdm

I pressed enter without passphrase, is this the reason for this error. Yes, you are correct — since you didn't use a passphrase there's nothing to strip out in that step. Unfortunately the tutorial failed to mention anything about that before you arrived at your conclusion. A passphrase shouldn't...

invalid private key on decrypt data in PHP

php,encryption,openssl,rsa

You need to remove base64_encode function in the first line. $privateKey = openssl_get_privatekey ('----- BEGIN RSA PRIVATE KEY ----- ... ... ... ----- END RSA PRIVATE KEY ----- '); ...

Code Signing Certificate - Creating a PFX from a godaddy SPC & Key File

openssl,ssl-certificate,code-signing-certificate

While many had success using visual studio toolkits, IE, etc, - all errored out for me. The best way to do this was to use the OPENSSL functions used to create the key & crt 1) Convert my KEY file (text) into a PVK file (binary) openssl rsa -in EXAMPLE.key...

Compilation of OpenSSL: No reference to BIO-functions

c,linux,ssl,compilation,openssl

I managed to compile your function by using : gcc main.c -o main -I /usr/local/ssl/include -L /usr/local/ssl/lib -lssl -lcrypto -Wall More explainations : -I /usr/local/ssl/include adds /usr/local/ssl/include to the include search path. -L /usr/local/ssl/lib adds /usr/local/ssl/lib to the library search path. -lssl -lcrypto links libraries libcrypto and libssl Wall enables...

“tlsv1 alert internal error” during handshake

php,ssl,openssl

These two are a bad combination: -cipher ECDHE-ECDSA-AES128-GCM-SHA256 And: error:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c OpenSSL 0.9.8 does not have full EC support. And it does not support TLS 1.1 or 1.2. To get the AEAD cipher suites, you need to use TLS 1.2. That means you need OpenSSL 1.0.0 or above (IIRC). OpenSSL 1.0.1...

SSL operation failed with code 1: dh key too small

php,codeigniter,ssl,mysqli,openssl

... error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small The error number you are interested in is the OpenSSL error 0x14082174. The SSL3_CHECK_CERT_AND_ALGORITHM is usually seen when enabling export grade ciphers. It may be showing up again in non-export grade negotiations due to Logjam (see below). I'm assuming DH Key is too...

Configuring gnus with gmail imap

emacs,openssl,imap,gnus

My guess would be that Emacs on Windows doesn't come with the required libraries, hence (gnutls-available-p) returns nil for you. You'll have to install gnutls somewhere so that your Emacs will be able to find it, cf. the GnuTLS homepage. You probably have to put the downloaded Windows library into...

Use PHP to generate a public/private key pair and export public key as a .der encoded string

php,openssl,cryptography

Reading the API of openssl_pkey_new()you should try this with openssl_pkey_get_public() even if the key pair isn't a certificate (which is speculated by the method description of openssl_pkey_get_public()): openssl_pkey_new() generates a new private and public key pair. The public component of the key can be obtained using openssl_pkey_get_public(). You don't have...

What is the proper way of clearing OpenSSL secrets?

c,security,openssl

In other words, what is the proper way in OpenSSL to remove secrets from memory? OPENSSL_cleanse. $ cd openssl-1.0.2a $ grep -R OPENSSL_cleanse * ... apps/apps.c: OPENSSL_cleanse(buff, (unsigned int)bufsiz); apps/apps.c: OPENSSL_cleanse(buf, (unsigned int)bufsiz); apps/apps.c: OPENSSL_cleanse(buf, (unsigned int)bufsiz); apps/ca.c: OPENSSL_cleanse(key, strlen(key)); apps/dgst.c: OPENSSL_cleanse(buf, BUFSIZE); apps/enc.c: OPENSSL_cleanse(str, SIZE); apps/enc.c: OPENSSL_cleanse(str, strlen(str));...

Undefined symbols for architecture x86_64 (clang)

c,osx,openssl,clang,llvm

#include <openssl/evp.h> ... unsigned char outHash[20]; hash("SHA1","abcd", 20, outHash); OpenSSL does not have a int hash(...) or char* hash(...) function. $ cat /usr/include/openssl/evp.h | grep hash returns 0 hits. man 3 hash returns BSD's "hash database access method". Undefined symbols for architecture x86_64: "_hash", referenced from: _getRandomSHA1 in main-68ccd6.o...

How to get the same result with Node.js and PHP-mcrypt using TripleDES encryption?

php,node.js,encryption,openssl,mcrypt

There are multiple issues with your code. crypto.createCipher(algorithm, password) uses a password not a key. The actual key will be derived from that password. It seems that you want to use a key instead of a password, so you need to use crypto.createCipheriv(algorithm, key, iv). PHP's mcrypt module only applies...

'NoneType' object has no attribute '_app_data' in scrapy\twisted\openssl

python,openssl,scrapy,twisted,pyopenssl

At first glance, it appears as though this is due to a bug in scrapy. Scrapy defines its own Twisted "context factory": https://github.com/scrapy/scrapy/blob/ad36de4e6278cf635509a1ade30cca9a506da682/scrapy/core/downloader/contextfactory.py#L21-L28 This code instantiates ClientTLSOptions with the context it intends to return. A side-effect of instantiating this class is that an "info callback" is installed on the context...

Should I BIO_flush() after BIO_read()-ing?

openssl,base64,decode,flush,decoder

You don't need to. BIO_flush tells the writer that there's no more data coming, so it can write the equals signs at the end to pad out the result, if necessary. You don't need this when reading.

PHP Websocket SSL Stunnel “bad certificate” with OpenSSL signed certificate

php,ssl,websocket,openssl,stunnel

i've also tried the openssl client connection ... and it works! It is not clear what is working: probably the connection and the SSL handshake is working. And if the trust chain is working to you get Verify return code: 0 (ok). But openssl s_client does not do any...

compilation of Qt 5 fails under make in debian64

c++,qt,openssl,qtnetwork,qsslsocket

To link a static library into a shared library on x86_64, the static library needs to be compiled with -fPIC. You could now build OpenSSL manually with -fPIC set, but that'd be a bit of a hassle. I'd suggest to configure Qt with -openssl instead of -openssl-linked. Then SSL won't...

Segmentation fault when signing a message using OpenSSL, SWIG, and Perl

c,perl,openssl,swig,ecdsa

The answer to this question is: we were calling the arguments in the wrong order. Seriously. The line: $signature = key_utils::mysignMessageWithPem($pem, $message); needed to be: $signature = key_utils::mysignMessageWithPem($message, $pem); We were in fact doing something wrong. I was tempted to remove the question, but maybe the answer can serve as...

Configuring SQLCipher on Ubuntu 14.10

linux,openssl,configure,sqlcipher,ubuntu-14.10

My problem solved! sudo apt-get update sudo apt-get install sqlcipher thanks to Diego

Link error when using AES256 example with OpenSSL

c,linker,openssl

Ciphers, such as AES256, and other encryption utilities are part of the libcrypto library; libssl is primarily concerned with the SSL/TLS protocol. Link with -lcrypto instead of -lssl3.

Error while creating iOS Developer CSR for iOS

ios,openssl,certificate

The way you have formated your request is incorrect. Use / to separate subject information. Use ' instead of " openssl req -new -key serverkey.pem -out CertificateSigningRequest.certSigningRequest -subj '/[email protected]/CN=MyAccountName/C=US'...

How to verify server hostname

delphi,ssl,openssl,certificate,indy

Unfortunately I have to stick to XE2-Indy and OpenSSL V1.0.1m due to internal specifications. To verify the hostname against the Subject CN and Subject Alternate Names, I've done the following (using the approach cURL's implementation): 1. At application startup, I'm trying once to extend the access to methods within the...

What counts as a self-signed SSL certificate?

ssl,openssl,self-signed,certificate-authority

According to Wikipedia, a self-signed certificate is one signed with its own private key. That is, its creation does not require the signing of a certificate request by a certificate authority. And thus it does not matter whether or not the CA certificate is trusted on the local machine. EDIT...

AES/CBC/PKCS5Padding different results in JAVA and JNI

java,android,encryption,android-ndk,openssl

You've zero padded your plaintext in your JNI code: const size_t encs_length = ((srcLen + AES_BLOCK_SIZE) / AES_BLOCK_SIZE) * AES_BLOCK_SIZE; unsigned char enc_data[encs_length]; memset(enc_data, 0, sizeof(enc_data)); But your Java code is using PKCS #7 padding. One of these will need to change. Note: I think (based on some research) that...

how to handle low_entropy exception of crypto:strong_rand_bytes(N)?

openssl,erlang

how to handle low_entropy exception of crypto:strong_rand_bytes(N)? Handle it by not getting into the bad state in the first place. You avoid it by seeding the generator. You should explicitly seed the generator on startup. This avoids some of the problems with calling RAND_poll. For some of the problems,...

Verify a RSA public key in OpenSSL?

c++,c,openssl

With the help of @jww in this answer http://stackoverflow.com/a/29885771/2692914. I came up with this solution, I hope it is ok: bool isValidPublicKeyOnly(EVP_PKEY *pkey) { //EVP_PKEY_get_type from http://stackoverflow.com/a/29885771/2692914 int type = EVP_PKEY_get_type(pkey); //checks nullptr if (type != EVP_PKEY_RSA && type != EVP_PKEY_RSA2) { //not RSA return false; } RSA *rsa =...

Replicating request to Chef with Python RSA

python,openssl,rsa,chef

From Chef Authentication and Authorization with cURL, timestamp=$(date -u "+%Y-%m-%dT%H:%M:%SZ") time is in UTC, so in Python, it has to be timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") openssl equivalent of Python, dummy_sign = base64.b64encode(rsa.sign("hello".encode(), privkey, "SHA-1")) is echo -n hello|openssl dgst -sha1 -sign ~/.chef/anton.pem -keyform PEM|openssl enc -base64 In Python code, you're signing...

Git Clone Fails with sslRead() error on OS X Yosemite

git,curl,openssl,osx-yosemite,gitlab

Javabrett's link got me to the answer, it revolves around Yosemite using an incorrect SSL dependency, which Git ends up using. Installing Git via homebrew with these flags works: brew install git --with-brewed-curl --with-brewed-openssl ...

Get x509 certificate hash with openssl library

c,hash,openssl,x509,libcrypto

But actually my output is a different one. Has anybody an idea what am I doing wrong ? Here's how OpenSSL uses it... $ cd openssl-1.0.2-src $ grep -R X509_subject_name_hash * apps/x509.c: BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); apps/x509.c: BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); crypto/x509/x509.h:unsigned long X509_subject_name_hash(X509 *x); crypto/x509/x509.h:unsigned long X509_subject_name_hash_old(X509 *x); crypto/x509/x509_cmp.c:unsigned long...

Whats is the Java name for openssl's “aes-256-cfb”?

java,node.js,encryption,openssl,cryptography

It was a find/replace error - the two plainTexts differ after the first nine bytes. Java's name for OpenSSL's aes-256-cfb is AES/CFB/NoPadding....

OpenSSL trouble python

python,windows,openssl,web.py,m2crypto

Turns out the problem was a missing Server.crt file in the project directory.

getSession closes Socket

java,android,sockets,openssl

The native code at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake is checking the provided FileDescriptor from the underlying SocketImpl of the Socket class. As it is not easily possible to fake this I had to implement the use of LocalSockets to make it work. import android.net.LocalServerSocket; import android.net.LocalSocket; import android.net.LocalSocketAddress; import org.silvertunnel_ng.netlib.layer.tor.util.TorException; import org.slf4j.Logger; import...

Pass connected SSL Socket to another Process

python,network-programming,openssl,m2crypto

The only way you can do this is by cloning the full user space part of the SSL socket, which is spread over multiple internal data structures. Since you don't have access to all the structures from python you can only do this by cloning the process, i.e. use fork....

How to fix invalid key size when decrypting data in C# that was encrypted in php

c#,php,encryption,openssl

There are obviously problems with the key size. The code between PHP and C# seem to match. The problem seems to be that the code is wrong in both cases. Let's see how long the key actually is: Start with a 32 byte key (non-encoded). Hash the key with SHA-256:...

Use OpenSSL RSA key with .Net

c++,.net,openssl,rsa

I am using openssl 0.9.6g and I have created public/private keypair using RSA_generate_key(). It gives me keys like: -----BEGIN RSA PUBLIC KEY----- ... -----END RSA PUBLIC KEY----- I think what I am looking for is "how to convert rsa public key from pkcs#1 to x509 format. Yeah, .Net can...

Run 'openssl req' command in Java?

java,openssl

Use exec(String[]) rather than exec(String) to invoke Openssl command. A safe way is to list each argument in separate strings.

Base64 encode/decode issue

openssl,hex,base64,ocaml

openssl is writing the base64 text with embedded newlines every 64 chars. That means that your input to echo -n inside decode_base64 has newlines in it. This gives you the "Unterminated quoted string" message. This is a crazy way to be doing base64 encoding in OCaml anyway. Check out https://github.com/mirage/ocaml-base64...

Getting google search ssl pem certificate

c++,c,https,openssl,libressl

now I search for the certificate of google search. Where can I get it? Try Google's Certificate Authority at Google Internet Authority G2. Google runs an unconstrained subordinate CA. The certifying authority is GeoTrust Global CA. You can use their CA certificate too. GeoTrust was purchased by Equifax. So...

Secure unsubscribe link - How much encryption is enough?

php,encryption,openssl,unsubscribe

Simpler method is a random string of a specific length (e.g. 30 chars) stored in a table with a unique constraint on that field. That random value has no meaning apart from the db and cannot be decrypted because there is no information in it. It only means anything when...

Use Client Cert and TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite

ruby,openssl

According to openssl, this is also called "AES256-SHA256". According to Ruby lang, AES256-SHA256 is considered insecure and therefor disabled. The link contains a "patch" to re-enable the insecure ciphers. You may want to seek advise from a security pro about the risks involved for your organisation. (Edit) The error "self...

OpenSSL socket: Select always returns 0

c++,sockets,select,openssl,server

I think you meant to select on the client socket that you just accepted, not the _serverSocket that you're accepting connections on.

Ruby OpenSSL AES-128-CTR

ruby,openssl,cryptography,aes

No, you're not missing something small, you are missing something huge. Instead of using the same IV as used for encryption, you are generating a new one. For CTR, if the IV is random then each counter value is different, resulting in random looking output. Often the IV (or nonce...

Decrypt the content of a signed CMS_ContentInfo*

c,openssl,libcrypto

I have found my solution. Here is the piece of code I have used : BIO* output = BIO_new(BIO_s_mem()); if (CMS_verify(cms, stack, store, dcont, nullptr, CMS_NOINTERN)) { CMS_ContentInfo* cms2 = SMIME_read_CMS(dcont, nullptr); } Apparently, it is the dcont BIO that holds the SignedData and I can properly decrypt it afterwards...

How to increment the value of an unsigned char * (C)

c++,c,openssl,byte,sha1

I am assuming your pointer refers to 20 bytes, for the 160 bit value. (An alternative may be text characters representing hex values for the same 160 bit meaning, but occupying more characters) You can declare a class for the data, and implement a method to increment the low order...

get Subject Key Identifier of certificate with openssl commands [closed]

linux,mono,openssl,certificate

Since you mentioned you need to find X.509 extensions via command line: openssl x509 -in cert.pem -noout -text You should see that extensions are printed as shown here: X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Certificate Sign, CRL Sign Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier:...

How to do two-way authentication on tomcat?

tomcat,openssl,client-certificates,self-signed,mutual-authentication

I could able to identify solution after many days of search. Steps below explains, two-way authentication using openssl self signed certificate on tomcat. Server Key Generation: generate server private key : `openssl ecparam -name prime256v1 -out serverKey.pem -genkey` generate the self-signed certificate for the server, `openssl req -new -x509 -key...

Get RSA keys in a “simple” form

c++,c,encryption,openssl,rsa

This is the simple form - including the header and footer and extra newlines. Most certificate programs can handle this form just fine.

Segmentation fault with generating an RSA and saving in ASN.1/DER?

c,openssl,cryptography,rsa

pub_l = malloc(sizeof(pub_l)); is simply not needed. Nor is priv_l = malloc(sizeof(priv_l));. Remove them both from your function. You should be populating your out-parameters; instead you're throwing out the caller's provided addresses to populate and (a) populating your own, then (b) leaking the memory you just allocated. The result is...

Open Pegasus 2.14.1 client connection issue

c++,openssl,gnu-make,wbem

I got response from Open Pegasus dev team. They created bug for the issue with "magic" constant. Also they recommending in my case to use sslBackwardCompatibility = true configuration for the build. This setting helped me partially. For some Storage Arrays the SSL communication started work. But for some it...

Subject Alternative Name not present in certificate

ssl,openssl,ssl-certificate

You can use: copy_extensions = copy under your CA_default section in your openssl.cnf. but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?...

Can't set public/private key in OpenSSL

c++,c,encryption,openssl,rsa

The private key you're passing is invalid; it's missing newlines. There needs to be one right after the -----BEGIN PRIVATE KEY----- header, another one before the corresponding footer, and one after every 64 characters in the body, e.g. std::string privateKey = "-----BEGIN RSA PRIVATE KEY-----\n" "MIIEogIBAAKCAQEAris+hDVFJ4l1PQnpToA+qE5ZpMT1maGngVFVy8JYdmhOALP/\n" "ETGiKU7MavTPFJmOy+vRlR6OdfsJgAq1tX7RGt0ua1S0bjq8BTWBi1Ja244uIbg+\n" /* ... */...