Problem W/ Cert

Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> Use something like:
>
>  
server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform der > mrtablecloth-vi.com.crt
writing RSA key
server167# rm mrtablecloth-vi.com.crt.pem
server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509 -inform der >> mrtablecloth-vi.com.crt.pem
unable to load certificate
96604:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
96604:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:304:Type=X509_CINF
96604:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=cert_info, Type=X509


TIA,
beno
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Problem W/ Cert

Marek.Marcola
Hello,
> server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform
> der > mrtablecloth-vi.com.crt
> writing RSA key
My mistake, it should of course be mrtablecloth-vi.com.crt.pem.

> server167# rm mrtablecloth-vi.com.crt.pem
Do not run this command now.

> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509
> -inform der >> mrtablecloth-vi.com.crt.pem
Recover the base64-encoded DER certificate to mrtablecloth-vi.com.crt
and run this again.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

Marek.Marcola
In reply to this post by beno-4
Hello,
> server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform
> der > mrtablecloth-vi.com.crt
> writing RSA key
My mistake, should be of course to mrtablecloth-vi.com.crt.com

> server167# rm mrtablecloth-vi.com.crt.pem
Do not run this command now.

> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509
> -inform der >> mrtablecloth-vi.com.crt.pem
> unable to load certificate
Restore the base64-encoded DER certificate to mrtablecloth-vi.com.crt
and run this command again.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> My mistake, should be of course to mrtablecloth-vi.com.crt.com
I assume you mean *.pem, not *.com but at any rate the results were the
same :(
> Restore base64 encoded DER certificate to mrtablecloth-vi.com.crt
> and run this command again.
>  
server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform der > mrtablecloth-vi.com.crt.pem
writing RSA key
server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509 -inform der >> mrtablecloth-vi.com.crt.pem
unable to load certificate
97274:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:946:
97274:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:304:Type=X509_CINF
97274:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:566:Field=cert_info, Type=X509

TIA,
beno

Re: Problem W/ Cert

Marek.Marcola
Hello,
> server167# openssl base64 -d -in private.key_BAK | openssl rsa -inform
> der > mrtablecloth-vi.com.crt.pem
> writing RSA key
ok
> server167# openssl base64 -d -in mrtablecloth-vi.com.crt | openssl x509
> -inform der >> mrtablecloth-vi.com.crt.pem
> unable to load certificate
Looks like a badly recovered certificate; you should put the certificate
with the contents of the attached file into this file.

Best regards,
--
Marek Marcola <[hidden email]>

Attachment: cert.b64 (1K)
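The "wrong tag" failure quoted in this exchange is what OpenSSL reports when the bytes handed to `openssl x509 -inform der` do not start with the SEQUENCE tag (0x30) that a DER Certificate begins with: PEM text, base64 that was never decoded (or decoded twice), or a truncated blob. The Python below is an added example, not code from this thread or from OpenSSL. It performs the same outer-element check that ASN1_CHECK_TLEN performs, classifies a blob as PEM, raw DER or bare base64 of DER, and wraps the DER in PEM armour, which is the conversion the thread does with `openssl base64 -d | openssl x509 -inform der`. It goes slightly beyond the thread's case by also accepting raw DER and already-PEM input. The sample DER is a constructed two-integer SEQUENCE, not a real certificate, so it only exercises the format detection; a real certificate still gets checked afterwards with `openssl x509 -in file.pem -noout -subject -issuer`.

```python
"""Sniff a certificate blob (PEM, raw DER, or bare base64 of DER) and emit PEM.

Added example, not code from this thread or from OpenSSL.  The DER check
mirrors what OpenSSL's ASN1_CHECK_TLEN does for the outermost element: a
DER Certificate is one SEQUENCE (tag 0x30) whose length covers the rest
of the buffer.  Feed anything else to `openssl x509 -inform der` and you
get the "wrong tag" error quoted in the thread.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_tlv(blob: bytes):
    """Return (header_len, content_len) of the outer SEQUENCE, or None if it is not one."""
    if len(blob) < 2 or blob[0] != 0x30:          # 0x30 = constructed SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                               # short-form length
        return 2, first
    n = first & 0x7F                               # long form: n more length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def is_der_sequence(blob: bytes) -> bool:
    """True iff blob is exactly one SEQUENCE TLV, as a DER certificate is."""
    tlv = der_outer_tlv(blob)
    return tlv is not None and tlv[0] + tlv[1] == len(blob)


def sniff(blob: bytes) -> str:
    """Classify as 'pem', 'der', 'b64der' or 'unknown'."""
    if PEM_BLOCK.search(blob):
        return "pem"
    if is_der_sequence(blob):
        return "der"
    try:                                           # drop line breaks, then strict base64
        decoded = base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "b64der" if is_der_sequence(decoded) else "unknown"


def to_pem(blob: bytes, label: str = "CERTIFICATE") -> bytes:
    """Return PEM for a PEM/DER/base64-DER blob; raise on anything else."""
    kind = sniff(blob)
    if kind == "pem":
        return blob
    if kind == "der":
        der = blob
    elif kind == "b64der":
        der = base64.b64decode(b"".join(blob.split()))
    else:
        raise ValueError("not PEM, DER, or base64(DER): outer tag is not SEQUENCE")
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))   # 64-column lines
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 7 }. Valid DER, not a real certificate.
TOY_DER = bytes.fromhex("30 06 02 01 05 02 01 07")
TOY_B64 = base64.b64encode(TOY_DER)             # what `openssl base64` would have produced
TOY_PEM = to_pem(TOY_DER)
TOY_DOUBLE = base64.b64encode(TOY_PEM)          # base64 of PEM text: the kind of input that fails

if __name__ == "__main__":
    for name, blob in [("der", TOY_DER), ("b64", TOY_B64), ("pem", TOY_PEM), ("b64-of-pem", TOY_DOUBLE)]:
        print(f"{name:>10}: {sniff(blob)}")
```

Running it prints der, b64der, pem and unknown for the four samples; the last one is the double-encoding case, where decoding once yields text beginning with "-----" rather than 0x30, exactly the situation the "wrong tag" error describes.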

Re: Problem W/ Cert

beno-4
Marek Marcola wrote:

I assume you mean substitute the current file for the one you sent. I
did that and the command executed successfully :)
However...

server167# /usr/local/sbin/lighttpd -f /usr/ports/www/lighttpd/doc/lighttpd.conf
2006-11-14 16:55:06: (network.c.358) SSL: error:00000000:lib(0):func(0):reason(0) /etc/ssl/certs/mrtablecloth-vi.com.crt

This is where I started, but I believe that was before we began interacting.
TIA,
beno



Re: Problem W/ Cert

Marek.Marcola
Hello,

> I assume you mean substitute the current file for the one you sent. I
> did that and the command executed successfully :)
> However...
>
> server167# /usr/local/sbin/lighttpd -f
> /usr/ports/www/lighttpd/doc/lighttpd.conf
> 2006-11-14 16:55:06: (network.c.358) SSL:
> error:00000000:lib(0):func(0):reason(0)
> /etc/ssl/certs/mrtablecloth-vi.com.crt
>
> This is where I started, but I believe that was before we began interacting,
I think you get this error because you specified in the config file:
        ssl.ca-file="/etc/ssl/certs/mrtablecloth-vi.com.crt"
This file should be the PEM file of the Verisign temporary CA;
you should get it from Verisign, convert it to PEM if necessary,
save it to a file and point this directive at it.

--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> I think you get this error because you specified in config file:
> ssl.ca-file="/etc/ssl/certs/mrtablecloth-vi.com.crt"
> This file should be PEM file from Verisign temporary CA,
> you should get it from Verisign, eventually convert to PEM
> save to file and point in this directive.
>  
First, my correction...I got that error when I tried to install a
CACert...I got the other error from the Verisign cert.
I got no pem file from CACert. Verisign says I can test what they've
given me and it should all work. The client wants to see that test work
before they pay them $400. I tried using mrtablecloth-vi.com.pem but
that gave the same error. Please clear up this confusion for me.
TIA,
beno


Re: Problem W/ Cert

Marek.Marcola
Hello,
> First, my correction...I got that error when I tried to install a
> CACert...I got the other error from the Verisign cert.
> I got no pem file from CACert. Verisign says I can test what they've
> given me and it should all work. The client wants to see that test work
> before they pay them $400. I tried using mrtablecloth-vi.com.pem but
> that gave the same error. Please clear up this confusion for me.
Your certificate is issued by:

$ openssl x509 -in cert.pem -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=For Test Purposes Only.  No assurances./OU=Terms of use at https://www.verisign.com/cps/testca (c)05/CN=VeriSign Trial Secure Server Test CA

You should get the CA cert from Verisign (or wherever) whose subject
equals this issuer.
In other words, the command:

$ openssl x509 -in CA.pem -subject -noout

will give you the same output.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> You should get CA cert from Verisign (or something) which subject
> will equal to this issuer.
>  
Then maybe my problem was at the start. I received an email from
Verisign at the beginning telling me to load this trial CA cert from
this page:
http://www.verisign.com/support/verisign-intermediate-ca/trial-secure-server-intermediate/index.html
Now, not knowing better (and still not), I assumed that was the *.crt
Please correct me if I'm wrong.
TIA,
beno


Re: Problem W/ Cert

Marek.Marcola
Hello,
> Then maybe my problem was at the start. I received an email from
> Verisign at the beginning telling me to load this trial CA cert from
> this page:
> http://www.verisign.com/support/verisign-intermediate-ca/trial-secure-server-intermediate/index.html
> Now, not knowing better (and still not), I assumed that was the *.crt
> Please correct me if I'm wrong.
Great, save the contents of this certificate (in the window) to, let's say,
vs_inter_ca.pem.
Next download the Root certificate from:
http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
and save it to, let's say, vs_root_ca.pem

Then do the first check:
$ openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
vs_inter_ca.pem: OK

If this works, then build the cert "chain":
$ cat vs_root_ca.pem vs_inter_ca.pem > vs_ca.pem

Next verify your certificate:
$ openssl verify -CAfile vs_ca.pem cert.pem
cert.pem: OK

(in your situation change cert.pem to mrtablecloth-vi.com.crt.pem)

If, and only if, this succeeds, use vs_ca.pem as ssl.ca-file.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> Great, save contents of this certificate (in window) to lets say
> vs_inter_ca.pem.
> Next download Root certificate from:
> http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
> and save to lets say vs_root_ca.pem
>  
Done.
> Then do first check:
> $ openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
> vs_inter_ca.pem: OK
>  
server167# openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
vs_inter_ca.pem: OK
vs_inter_ca.pem: OK
Error opening certificate file vs_inter_ca.pem:
8270:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('vs_inter_ca.pem:','r')
8270:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
unable to load certificate
Error opening certificate file OK
8270:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('OK','r')
8270:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
unable to load certificate

TIA,
beno


Re: Problem W/ Cert

beno-4
In reply to this post by Marek.Marcola
Wait! I misunderstood...

server167# openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
vs_inter_ca.pem: OK
server167# cat vs_root_ca.pem vs_inter_ca.pem > vs_ca.pem
server167# openssl verify -CAfile vs_ca.pem mrtablecloth-vi.com.crt.pem
mrtablecloth-vi.com.crt.pem: OK
server167# /usr/local/sbin/lighttpd -f /usr/ports/www/lighttpd/doc/lighttpd.conf
2006-11-14 22:13:49: (network.c.358) SSL: error:00000000:lib(0):func(0):reason(0) /etc/ssl/certs/mrtablecloth-vi.com.pem

where the mrtablecloth-vi.com.pem file is the ssl.ca-file
TIA,
beno


Re: Problem W/ Cert

Marek.Marcola
In reply to this post by beno-4
Hello,

> > Then do first check:
> > $ openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
> > vs_inter_ca.pem: OK
> >  
> server167# openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
> vs_inter_ca.pem: OK
> vs_inter_ca.pem: OK
> Error opening certificate file vs_inter_ca.pem:
> 8270:error:02001002:system library:fopen:No such file or
> directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('vs_inter_ca.pem:','r')
> 8270:error:20074002:BIO routines:FILE_CTRL:system
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
> unable to load certificate
> Error opening certificate file OK
> 8270:error:02001002:system library:fopen:No such file or
> directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:fopen('OK','r')
> 8270:error:20074002:BIO routines:FILE_CTRL:system
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:280:
> unable to load certificate
I do not understand this; you should check this command, it looks
like more inter_ca files were specified on the command line.
vs_ca.pem file attached (just in case).
Do the last check (with your certificate) and try it in lighttpd.

Best regards,
--
Marek Marcola <[hidden email]>

Attachment: vs_ca.pem (2K)

Re: Problem W/ Cert

Marek.Marcola
In reply to this post by beno-4
Hello,

> Wait! I misunderstood...
>
> server167# openssl verify -CAfile vs_root_ca.pem vs_inter_ca.pem
> vs_inter_ca.pem: OK
> server167# cat vs_root_ca.pem vs_inter_ca.pem > vs_ca.pem
> server167# openssl verify -CAfile vs_ca.pem mrtablecloth-vi.com.crt.pem
> mrtablecloth-vi.com.crt.pem: OK
> server167#  /usr/local/sbin/lighttpd -f
> /usr/ports/www/lighttpd/doc/lighttpd.conf
> 2006-11-14 22:13:49: (network.c.358) SSL:
> error:00000000:lib(0):func(0):reason(0)
> /etc/ssl/certs/mrtablecloth-vi.com.pem
>
> where the mrtablecloth-vi.com.pem file is the ssl.ca-file
Change ssl.ca-file directive to vs_ca.pem.

Best regards,
--
Marek Marcola <[hidden email]>


Re: Problem W/ Cert

beno-4
Marek Marcola wrote:
> Change ssl.ca-file directive to vs_ca.pem.
>  
IT WORKED! IT WORKED! HALLELUJAH IT WORKED!!
Thank you SO MUCH for your help! Now, I'll review our million messages
and try to make sense of them, and put together a how-to if that seems
appropriate.
Thanks again :))
beno


(3,5) Shamir Secret Sharing

Rafael Cividanes
In reply to this post by Rafael Cividanes
 
Hi,

I've implemented (in C++) a simple form of Shamir secret sharing for the particular case (3,5). One function receives a BIGNUM A0 and generates the 5 secrets. Another function receives 3 secrets and generates the recovered BIGNUM A0. It's working fine.

The problem is that I need to convert an RSA private key into a BIGNUM A0, and I'm having trouble with this.

I was trying to do this (part of my code):

        #include <stdlib.h>
        #include <openssl/bn.h>
        #include <openssl/rsa.h>

        RSA *Ch_Ap;
        unsigned char *buffer, *next;
        BIGNUM *sec_BN = BN_new();
        Ch_Ap = RSA_generate_key(2048, RSA_F4, NULL, 0);
        /* first call with a NULL output pointer only returns the DER length */
        int size = i2d_RSAPrivateKey(Ch_Ap, NULL);
        buffer = next = (unsigned char *)malloc(size);
        /* second call writes the DER and advances 'next' past the end of it */
        i2d_RSAPrivateKey(Ch_Ap, &next);
        /* load the whole DER blob into a BIGNUM, big-endian */
        BN_bin2bn(buffer, size, sec_BN);

However, when I use sec_BN in my functions, the recovered BIGNUM is not the same as sec_BN. When I pass another BIGNUM, for example using the function BN_rand_range(), then the recovered BIGNUM is equal (proving that my secret sharing functions are ok).

I think it can be something about Big-Endian conversion in sec_BN, but I didn't find a way to do this conversion and I don't know if it is necessary too.

Thanks in advance,

                Rafael Cividanes.



Re: (3,5) Shamir Secret Sharing

Nils Larsch
Rafael Cividanes wrote:

>  
>   Hi,
>  
>     I've implemented (in C++) a simple form of shamir secret sharing for
> the particular case (3,5). One function receives a BIGNUM A0 an
> generates the 5 secrets. Another function, receives 3 secrets and
> generates the recover BIGNUM A0. It's working fine.
>  
>     The problem is that I need to convert a RSA private key into a
> BIGNUM A0, and I'm having trouble with this.
>  
>      I was trying to do this (part of my code):
>  
>         RSA *Ch_Ap
>         unsigned char *buffer, *next;
>         BIGNUM *sec_BN = BN_new();
>         Ch_Ap = RSA_generate_key(2048, RSA_F4, NULL, 0);
>         int size = i2d_RSAPrivateKey(Ch_Ap, 0);
>         buffer = next =(unsigned char *)malloc(size);
>         i2d_RSAPrivateKey(Ch_Ap, &next);
>         BN_bin2bn(buffer, size, sec_BN);

are you sure that you want to put the DER encoded private key
object into a BIGNUM (instead of rsa->d) ?

Cheers,
Nils
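The symptom in the post (a BN_rand_range() secret round-trips, a secret built from the DER of a 2048-bit RSAPrivateKey does not) is exactly what Shamir sharing over a prime field produces when the secret is not smaller than the field prime: every share is reduced mod p, so recombination can only ever return the secret mod p. The DER of a 2048-bit private key is on the order of 1200 bytes, far larger than any field sized for a 2048-bit number, whereas a single component such as the private exponent fits, which is the direction the reply points in. Endianness is not the issue: BN_bin2bn reads the buffer big-endian, and the conversion below does the same. The Python below is an added example, not the poster's C++ code and not OpenSSL's; it implements (3,5) sharing over the Mersenne prime 2^521 - 1 (an assumption made for the example), shows a byte-string secret round-tripping through three of five shares, and adds the range check the posted code lacks. The sample byte strings are constructed and are not key material.

```python
"""(3,5) Shamir secret sharing over a prime field.

Added example, not the poster's C++ code.  Shares are points on a random
degree-2 polynomial f with f(0) = secret, all arithmetic mod P; any 3 of
the 5 shares recover f(0) by Lagrange interpolation.  Because everything
is reduced mod P, a secret >= P can only ever come back as secret mod P.
"""
import secrets

P = (1 << 521) - 1          # Mersenne prime 2^521 - 1; assumption: field chosen for this example
THRESHOLD, SHARES = 3, 5    # the (3,5) case from the post


def fits_field(secret: int, p: int = P) -> bool:
    """The check the posted code lacks: the secret must lie in [0, p)."""
    return 0 <= secret < p


def split_secret(secret: int, k: int = THRESHOLD, n: int = SHARES, p: int = P):
    """Return n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret."""
    if not fits_field(secret, p):
        raise ValueError("secret must be smaller than the field prime; share a smaller value")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod p
            y = (y * x + c) % p
        shares.append((x, y))
    return shares


def recover_secret(shares, p: int = P) -> int:
    """Lagrange interpolation at x = 0 over any >= k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


# Byte string <-> integer, the same big-endian convention as BN_bin2bn / BN_bn2bin.
def bytes_to_secret(data: bytes) -> int:
    return int.from_bytes(data, "big")


def secret_to_bytes(value: int, length: int) -> bytes:
    # BN_bn2bin drops leading zero bytes; keep the original length explicitly.
    return value.to_bytes(length, "big")


# Constructed sample inputs (not real key material).
SMALL_BYTES = b"\x00\x01" + bytes(range(60))   # 62 bytes, leading zero byte on purpose
SMALL_SECRET = bytes_to_secret(SMALL_BYTES)    # < 2^496, fits the field
BIG_BYTES = bytes(range(1, 100))               # 99 bytes, about 792 bits
BIG_SECRET = bytes_to_secret(BIG_BYTES)        # >= P: what a DER blob looks like to the field


def round_trip(data: bytes) -> bytes:
    """Share a byte string, recombine from three of the five shares, re-encode it."""
    shares = split_secret(bytes_to_secret(data))
    return secret_to_bytes(recover_secret([shares[4], shares[1], shares[3]]), len(data))


if __name__ == "__main__":
    print("small secret round-trips:", round_trip(SMALL_BYTES) == SMALL_BYTES)
    print("big secret fits the field:", fits_field(BIG_SECRET))
    # Reducing mod P "works" but recovers the wrong number: the poster's symptom.
    wrong = recover_secret(split_secret(BIG_SECRET % P)[:3])
    print("big secret recovered equals original:", wrong == BIG_SECRET)
```

The round trip keeps the leading zero byte only because secret_to_bytes is told the original length; sharing a DER blob or a BIGNUM that was written out with BN_bn2bin needs that length stored alongside the shares.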