PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Martin-26
Nachricht
 
 
 
HI there,
 
 
I'm a newbie to openssl. Here is my question :
How can I create a  "PRIVACY-ENHANCED MESSAGE" according to RFC 1421, 1422, 1423, 1424 ?
 
 
thanks in advance
  Martin
 
 
Reply | Threaded
Open this post in threaded view
|

Re: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Goetz Babin-Ebell
Martin wrote:
> HI there,

Hello Martin,

> I'm a newbie to openssl. Here is my question :
> How can I create a  "PRIVACY-ENHANCED MESSAGE" according to RFC 1421,
> 1422, 1423, 1424 ?

One can use the basic signing / encrypting functionallity of OpenSSL
to create the signature and build the signed message by hand.

I did that some years ago.

But I fear this is something out of the range for a newbie.

But since the PEM mail format is practically dead,
I recommend it's official successor PKCS#7.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Martin-26
Hello Goetz,

thank you very much for this information.
My problem is that the german health insurance companies expect PEM mail.
So I have no choice.
It would be very helpful to know how to create Pem mails.
Otherwise how do I create PKCS#7 mailformat?

P.S. Meanwhile I'm able to compile and debug openssl.

Bye

Martin




Martin wrote:
> HI there,

Hello Martin,

> I'm a newbie to openssl. Here is my question :
> How can I create a  "PRIVACY-ENHANCED MESSAGE" according to RFC 1421,
> 1422, 1423, 1424 ?

One can use the basic signing / encrypting functionallity of OpenSSL
to create the signature and build the signed message by hand.

I did that some years ago.

But I fear this is something out of the range for a newbie.

But since the PEM mail format is practically dead,
I recommend it's official successor PKCS#7.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: AW: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Goetz Babin-Ebell
[hidden email] wrote:
> Hello Goetz,
Hello Martin,

> thank you very much for this information.
> My problem is that the german health insurance companies expect PEM mail.
> So I have no choice.
> It would be very helpful to know how to create Pem mails.

As I said: you can do the signing manually, pick the data and
create a PEM message around it.

I think the best way to start that is to look in apps/dgst.c

After you have a basic understanding to that code,
building a PEM message is straight forward (but still work)...

>From the shell you could call that command, get the signature
and tweak it until it fits into the PEM header.

(But don't forget to translate the \n to \r\n before signing...)

> Otherwise how do I create PKCS#7 mailformat?

For a first impression look at openssl smime...

> P.S. Meanwhile I'm able to compile and debug openssl.

OK that's a first step.

My recommendation is to have a look in selected modules in apps/ and try
to get a basic feeling whats happening there...

>From time to time you should look in the headers and the man pages.
(but be warned: in the headers are some black pre processor magics...)

>>I'm a newbie to openssl. Here is my question :
>>How can I create a  "PRIVACY-ENHANCED MESSAGE" according to RFC 1421,
>>1422, 1423, 1424 ?
>
> One can use the basic signing / encrypting functionallity of OpenSSL
> to create the signature and build the signed message by hand.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Martin-26
Hello Goetz,

your hint to bother about apps/dgst.c at first was great.
It took me two days but now im able to create a PEM-message
for a Certificate-Request which works.
My next problem is to create a complete PEM-message
as shown below :
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,<dekinfo> [openssl ??? ...]
Originator-Certificate:
 <my own certificate>
Key-Info: RSA,
 <keyinfo 1> [openssl ???  .... ]
Issuer-Certificate:
 <issuercert>
MIC-Info: RSA-MD5,RSA,
 <signature on text with my privatekey>
Recipient-ID-Asymmetric:
 <asymmid> [openssl ???  .... ]
Key-Info: RSA,
 <keyinfo 2> [openssl ???  .... ]

base64(    encrypt(<text>) [openssl ??? ...]        )
-----END PRIVACY-ENHANCED MESSAGE-----

I've no idea how to fill the gaps which are marked with [openssl ??? ...].
Can you give me some hints what sequence of commands could fill these gaps?



Bye Martin


-----Urspr√ľngliche Nachricht-----
Von: [hidden email]
[mailto:[hidden email]]Im Auftrag von Goetz Babin-Ebell
Gesendet: Samstag, 3. September 2005 23:59
An: [hidden email]
Betreff: Re: AW: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424


[hidden email] wrote:
> Hello Goetz,
Hello Martin,

> thank you very much for this information.
> My problem is that the german health insurance companies expect PEM mail.
> So I have no choice.
> It would be very helpful to know how to create Pem mails.

As I said: you can do the signing manually, pick the data and
create a PEM message around it.

I think the best way to start that is to look in apps/dgst.c

After you have a basic understanding to that code,
building a PEM message is straight forward (but still work)...

>From the shell you could call that command, get the signature
and tweak it until it fits into the PEM header.

(But don't forget to translate the \n to \r\n before signing...)

> Otherwise how do I create PKCS#7 mailformat?

For a first impression look at openssl smime...

> P.S. Meanwhile I'm able to compile and debug openssl.

OK that's a first step.

My recommendation is to have a look in selected modules in apps/ and try
to get a basic feeling whats happening there...

>From time to time you should look in the headers and the man pages.
(but be warned: in the headers are some black pre processor magics...)

>>I'm a newbie to openssl. Here is my question :
>>How can I create a  "PRIVACY-ENHANCED MESSAGE" according to RFC 1421,
>>1422, 1423, 1424 ?
>
> One can use the basic signing / encrypting functionallity of OpenSSL
> to create the signature and build the signed message by hand.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Encrypting data using X509 cert...

C Wegrzyn
I have a problem that I am working on. I am certain there must be a
simple way to do it but I haven't yet discovered it in the docs yet. I
am hoping someone can point me in the correct direction.

BTW, this is a programming issue so using a command line function isn't
useful. I have an X509 certificate and a pointer to a data buffer. Using
the X509 cert and given a pre-determined block-chaining cipher (from the
Openssl collection) I need to encrypt and decrypt the contents of the
buffer. Can anyone assist me?

Thanks in advance,
Chuck
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: PRIVACY-ENHANCED MESSAGE RFC 1421, 1422, 1423, 1424

Goetz Babin-Ebell
In reply to this post by Martin-26
[hidden email] wrote:
> Hello Goetz,
>
> your hint to bother about apps/dgst.c at first was great.
> It took me two days but now im able to create a PEM-message
> for a Certificate-Request which works.
> My next problem is to create a complete PEM-message
> as shown below :

I fear creating a complete PEM message is beyond the
OpenSSL command line interface.

You will have to do OpenSSL programming.

I recommend the following steps:

1. Have a really good look at RFC-1421.
   (You have to know what the different header fields contain.)
2. Look into apps/dgst.h
3. Look into include/openssl/pem.h and include/openssl/evp.h
   (And don't let you scare away by the pre processor magic !)

Especially I recommend a good look at
PEM_SealInit(), -Update() and -Final()
A good look at EVP_SealInit() might help...

A hint: you build the pubk array by iterating over
all certificates and doing X509_get_pubkey().

> -----BEGIN PRIVACY-ENHANCED MESSAGE-----
> Proc-Type: 4,ENCRYPTED
> Content-Domain: RFC822
> DEK-Info: DES-CBC,<dekinfo> [openssl ??? ...]

The iv you get from the _Init() function.

> Originator-Certificate:
>  <my own certificate>
> Key-Info: RSA,
>  <keyinfo 1> [openssl ???  .... ]

the ek[idx] entry from the _Init() function.

> Issuer-Certificate:
>  <issuercert>
> MIC-Info: RSA-MD5,RSA,
>  <signature on text with my privatekey>

But remember: the signature is encrypted with
the same encryption params than the message...

> Recipient-ID-Asymmetric:
>  <asymmid> [openssl ???  .... ]

X509_get_issuer_name() -> i2d_X509_NAME() -> Base 64 encoded ","
X509_get_serialNumber() -> ASN1_STRING_print()

> Key-Info: RSA,
>  <keyinfo 2> [openssl ???  .... ]

the ek[idx] entry from the _Init() function.

>
> base64(    encrypt(<text>) [openssl ??? ...]        )

the out params from the PEM_/EVP_SealUpdate() / _SealFinal()
function (eventually base64 encoded

> -----END PRIVACY-ENHANCED MESSAGE-----
>
> I've no idea how to fill the gaps which are marked with [openssl ??? ...].
> Can you give me some hints what sequence of commands could fill these gaps?

As I said: no commands but called functions.

The most important functions are
PEM_SealInit() / PEM_SealUpdate() and PEM_SealFinal().
The in them generated data you have to Base64 encode.

You only have to know which data you have to put where
in the PEM message...

Please bear with me, it's 7 years ago I did that...


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Encrypting data using X509 cert...

Goetz Babin-Ebell
In reply to this post by C Wegrzyn
C Wegrzyn wrote:

> BTW, this is a programming issue so using a command line function isn't
> useful. I have an X509 certificate and a pointer to a data buffer. Using
> the X509 cert and given a pre-determined block-chaining cipher (from the
> Openssl collection) I need to encrypt and decrypt the contents of the
> buffer. Can anyone assist me?

X509_get_pubkey(),
EVP_EncryptInit()/Update()/Final()
EVP_DecryptInit()/Update()/Final()

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s (4K) Download Attachment