From cryptlib@mbsks.franken.de Tue May 1 07:21:45 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Tue, 1 May 2001 06:21:45 (NZST) Subject: [Cryptlib] Fix for Xyzzy certificates Message-ID: <98865490527309@kahu.cs.auckland.ac.nz> Wolgang Gothier has pointed out a problem with these (the universal permissions weren't quite universal enough), they require one small code update to work correctly for all possible key usage types, in keymgmt/certcomp.c, line 452, change the keyUsage line to: const int keyUsage = CRYPT_KEYUSAGE_DIGITALSIGNATURE | \ CRYPT_KEYUSAGE_NONREPUDIATION | \ CRYPT_KEYUSAGE_KEYENCIPHERMENT | \ CRYPT_KEYUSAGE_KEYCERTSIGN | \ CRYPT_KEYUSAGE_CRLSIGN; Peter. From cryptlib@mbsks.franken.de Wed May 2 15:07:35 2001 From: cryptlib@mbsks.franken.de (Victor Gimeno) Date: Wed, 2 May 2001 09:07:35 -0500 Subject: [Cryptlib] client certificate was not comparible with IE5 and IIS5 In-Reply-To: <004201c0d091$27aa2030$0dccfea9@free> Message-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0004_01C0D2E7.541B5690 Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: 7bit You include this field inside the CA Certificate [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://www.ca365.com/root.crl so IIS is trying to get it to verify the Client Certificate, you have to generate a CRL and create a link to it on http://www.ca365.com/root.crl -----Mensaje original----- De: cryptlib-admin@mbsks.franken.de [mailto:cryptlib-admin@mbsks.franken.de]En nombre de xli Enviado el: Domingo, 29 de Abril de 2001 04:46 a.m. Para: cryptlib@mbsks.franken.de Asunto: [Cryptlib] client certificate was not comparible with IE5 and IIS5 Dear All: I have create a client certificate with cryptlib and setup SSL conection to IIS5.0 in win2000, but when I select my certiticate in the certificates selection dialog box of IE5, I always got the error of my client certificate is not effective. What is wrong! I attach my CA certificate and the client certificate in this letter. Who can help me? thank you very much! thanks! lixin ------=_NextPart_000_0004_01C0D2E7.541B5690 Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: quoted-printable
You=20 include this field inside the CA Certificate
 
[1]CRL Distribution=20 Point
Distribution Point = Name:
Full Name:
URL=3Dhttp://www.ca365.com/root.crl
 
 
so IIS=20 is trying to get it to verify the Client = Certificate,
 
you=20 have to generate a CRL and create a link to it on http://www.ca365.com/root.crl<= /FONT>
 
 
 
-----Mensaje original-----
De:=20 cryptlib-admin@mbsks.franken.de = [mailto:cryptlib-admin@mbsks.franken.de]En=20 nombre de xli
Enviado el: Domingo, 29 de Abril de 2001 = 04:46=20 a.m.
Para: cryptlib@mbsks.franken.de
Asunto: = [Cryptlib]=20 client certificate was not comparible with IE5 and = IIS5

Dear All:

I have create a = client=20 certificate with cryptlib and setup SSL conection to
IIS5.0 in=20 win2000, but when I select my certiticate in the=20 certificates
selection dialog box of IE5, I always got the error of = my=20 client certificate is not effective. What is = wrong!

I attach my CA certificate and = the client=20 certificate in this letter. Who can help me? thank you very=20 = much!

thanks!

lixin
------=_NextPart_000_0004_01C0D2E7.541B5690-- From cryptlib@mbsks.franken.de Wed May 2 19:06:30 2001 From: cryptlib@mbsks.franken.de (cryptlib) Date: Wed, 2 May 2001 19:06:30 +0100 Subject: [Cryptlib] Windows Compiled Help File for cryptlib V3.0 Beta 5 now available Message-ID: <000e01c0d332$ac52b1a0$cb169fd4@Kelvin> I have now converted the manual for cryptlib V3.0 Beta 5 to Windows Compiled Help format. You may find it at: http://www.kelvin.free-online.co.uk/cryptlib_help_files/cindex.html Thanks to Peter for making the original available. David Kelvin From cryptlib@mbsks.franken.de Thu May 3 14:14:54 2001 From: cryptlib@mbsks.franken.de (Ratti Marcelo) Date: Thu, 3 May 2001 10:14:54 -0300 Subject: [Cryptlib] Example code Message-ID: <12ED5015041BD411BCA700AA00B182E9015947F5@correo.nec.com.ar> Hello my friends: Somebody have any GOOD example in Visual Basic using CRYPTLIB v3.0? Anything will be appreciated? Thanks a lot and greetings from Argentina. Marcelo Ratti ICQ #12470503 From cryptlib@mbsks.franken.de Thu May 3 17:01:08 2001 From: cryptlib@mbsks.franken.de (Fidel Liberal Malaina) Date: Thu, 3 May 2001 18:01:08 +0200 (CEST) Subject: [Cryptlib] Error in mysql support??? Message-ID: Hello everybody, Trying to compile cryptlib 3.0 beta 5 with mysql keyset support gcc gives many errors related to "dbmsInfo->connection " Looking at mysql.h and misc/keyset.h I think there's an error with "connection" data type in DBMS_STATE_INFO structure or with all function references. "pseudo diff" format -------misc/keyset.h------- #ifdef DBX_MYSQL ++++ MYSQL *connection; ---- MYSQL connection; With this change cryptlib compiles successfully with -DDBX_MYSQL gcc flag but I always get a core dumped while trying to use cryptKeysetOpen with CRYPT_KEYSET_MYSQL keysets (because of a free() in my_no_flags_free() in libmysqlclient....(not quite useful info :-(()). Any idea? Has anybody else tried to use mysql-database-based keyset in Linux? Thanks in advance. Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Thu May 3 20:00:16 2001 From: cryptlib@mbsks.franken.de (Bing Zhu) Date: Thu, 3 May 2001 12:00:16 -0700 Subject: [Cryptlib] Windows Compiled Help File for cryptlib V3.0 Beta 5 now available Message-ID: Hi david, How I can print the manual out but don't navigate all the subtopics? Bing -----Original Message----- From: cryptlib [mailto:cryptlib@kelvin.idps.co.uk] Sent: Wednesday, May 02, 2001 11:07 AM To: cryptlib@mbsks.franken.de Subject: [Cryptlib] Windows Compiled Help File for cryptlib V3.0 Beta 5 now available I have now converted the manual for cryptlib V3.0 Beta 5 to Windows Compiled Help format. You may find it at: http://www.kelvin.free-online.co.uk/cryptlib_help_files/cindex.html Thanks to Peter for making the original available. David Kelvin _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de From cryptlib@mbsks.franken.de Thu May 3 20:06:50 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Thu, 3 May 2001 21:06:50 +0200 Subject: [Cryptlib] Windows Compiled Help File for cryptlib V3.0 Beta 5 now available In-Reply-To: ; from BZhu@vpnet.com on Thu, May 03, 2001 at 12:00:16PM -0700 References: Message-ID: <20010503210650.C2641@mbsks.franken.de> Mahlzeit On Thu, May 03, 2001 at 12:00:16PM -0700, Bing Zhu wrote: > How I can print the manual out but don't navigate all the subtopics? By downloading the original pdf version and printing it. Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Fri May 4 15:15:04 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Fri, 4 May 2001 14:15:04 (NZST) Subject: [Cryptlib] Error in mysql support??? Message-ID: <98894250412495@kahu.cs.auckland.ac.nz> Fidel Liberal Malaina writes: >Trying to compile cryptlib 3.0 beta 5 with mysql keyset support gcc gives many >errors related to "dbmsInfo->connection " I don't use MySQL much :-). >Looking at mysql.h and misc/keyset.h I think there's an error with >"connection" data type in DBMS_STATE_INFO structure or with all function >references. Thanks, it'll be fixed in the next release. >With this change cryptlib compiles successfully with -DDBX_MYSQL gcc flag but >I always get a core dumped while trying to use cryptKeysetOpen with >CRYPT_KEYSET_MYSQL keysets (because of a free() in my_no_flags_free() in >libmysqlclient....(not quite useful info :-(()). Could you step through the code to see where the problem is? The keyset open does quite a bit of work, if you start with initKeysetFunction() in lib_dbms.c that'll go through all of the code which is called on startup. Peter. From cryptlib@mbsks.franken.de Fri May 4 02:31:40 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Fri, 4 May 2001 9:31:40 +0800 Subject: [Cryptlib] Example code in Delphi Message-ID: Hello my friends: Somebody have and good example in Delphi using CRYPTLIB v3.0? Anything will beg appreciated. Jian Jiang oicq:19222280 freetopcn@hotmail.com From cryptlib@mbsks.franken.de Fri May 4 09:34:44 2001 From: cryptlib@mbsks.franken.de (Roeland Arnold) Date: Fri, 4 May 2001 10:34:44 +0200 Subject: [Cryptlib] Example code in Delphi Message-ID: <39DCDDFD014ED21185C300104BB3F99F0CB082@NL-ARN-MAIL01> Hi, I'm just trying some things. As soon as it's of any use I will send it. Roeland. Roeland Arnold CMG OOST-NEDERLAND B.V. Divisie Advanced Technologie Velperweg 27 6824 BE Arnhem Postbus 7015 6801 HA Arnhem The Netherlands tel: +31 26 3544 544 fax: +31 26 3522 900 The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. -----Original Message----- From: Mortimer.Jiang [mailto:freetop@163.net] Sent: vrijdag 4 mei 2001 3:32 To: cryptlib@mbsks.franken.de Subject: [Cryptlib] Example code in Delphi Hello my friends: Somebody have and good example in Delphi using CRYPTLIB v3.0? Anything will beg appreciated. Jian Jiang oicq:19222280 freetopcn@hotmail.com _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de Administration via Mail: cryptlib-request@mbsks.franken.de From cryptlib@mbsks.franken.de Fri May 4 12:35:07 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Fri, 4 May 2001 13:35:07 +0200 (CEST) Subject: [Cryptlib] Error in mysql support??? In-Reply-To: <98894250412495@kahu.cs.auckland.ac.nz> Message-ID: On Fri, 4 May 2001, Peter Gutmann wrote: > Fidel Liberal Malaina writes: > > >Trying to compile cryptlib 3.0 beta 5 with mysql keyset support gcc gives many > >errors related to "dbmsInfo->connection " > > I don't use MySQL much :-). > > >Looking at mysql.h and misc/keyset.h I think there's an error with > >"connection" data type in DBMS_STATE_INFO structure or with all function > >references. > > Thanks, it'll be fixed in the next release. > > > Could you step through the code to see where the problem is? The keyset open > does quite a bit of work, if you start with initKeysetFunction() in lib_dbms.c > that'll go through all of the code which is called on startup. > > Peter. > Well surfing into the mysql support code I think the error that causes the segmentation fault is: pseudo diff format: misc/dbmmysql.c line 134 ---- dbmsInfo->connection = mysql_real_connect (&mysql ....... ^ ++++ dbmsInfo->connection = mysql_real_connect (mysql ...... Applyng this "patch" and the one from my previous message the program compiles and run successfully. Just one question, by using CRYPT_KEYOPT_CREATE option in crypKeysetOpen a new database with proper tables are supposed to be created or not? Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sat May 5 06:49:51 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Sat, 5 May 2001 05:49:51 (NZST) Subject: [Cryptlib] Error in mysql support??? Message-ID: <98899859114763@kahu.cs.auckland.ac.nz> Liberal Malaina Fidel writes: >Well surfing into the mysql support code I think the error that causes the >segmentation fault is: Ahh, that must have been a post-release change I made, the code should be: -- Snip -- static int openDatabase( DBMS_STATE_INFO *dbmsInfo, const char *name, const char *host, const char *user, const char *password, const int options, int *hasBinaryBlobs ) { MYSQL *mysql; char *hostNamePtr = ( char * ) host; int status = -1; UNUSED( options ); /* Connect to the MySQL server and select the database */ if( host == NULL ) hostNamePtr = "localhost"; /* Connect to default host */ mysql = mysql_init( NULL ); dbmsInfo->connection = mysql_real_connect( &mysql, hostNamePtr, user, password, name, 0, NULL, 0 ); if( dbmsInfo->connection == NULL ) { dbmsInfo->connection = mysql; getErrorInfo( dbmsInfo, CRYPT_ERROR_OPEN ); dbmsInfo->connection = NULL; mysql_close( mysql ); /* Free the MYSQL structure */ return( CRYPT_ERROR_OPEN ); } -- Snip -- >Just one question, by using CRYPT_KEYOPT_CREATE option in crypKeysetOpen a new >database with proper tables are supposed to be created or not? cryptlib starts with CREATE TABLE ..., if there's anything below that level you need to do it yourself (under Windows, set up an ODBC data source, with MySQL create the database to create the tables inside). Peter. From cryptlib@mbsks.franken.de Fri May 4 23:20:19 2001 From: cryptlib@mbsks.franken.de (OBrien, Patrick W.) Date: Fri, 4 May 2001 18:20:19 -0400 Subject: [Cryptlib] Example code in Delphi Message-ID: I used Cryptlib 2.0 to write a file encrypt/decrypt utility in Delphi 5. I can't quite remember who gave me some of the translations for the API's. Anyway, it works like a champ. Should not be difficult to upgrade to 3.0 if you want the source. Patrick -----Original Message----- From: Roeland Arnold [mailto:roeland.arnold@cmg.nl] Sent: Friday, May 04, 2001 4:35 AM To: 'cryptlib@mbsks.franken.de' Subject: RE: [Cryptlib] Example code in Delphi Hi, I'm just trying some things. As soon as it's of any use I will send it. Roeland. Roeland Arnold CMG OOST-NEDERLAND B.V. Divisie Advanced Technologie Velperweg 27 6824 BE Arnhem Postbus 7015 6801 HA Arnhem The Netherlands tel: +31 26 3544 544 fax: +31 26 3522 900 The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. -----Original Message----- From: Mortimer.Jiang [mailto:freetop@163.net] Sent: vrijdag 4 mei 2001 3:32 To: cryptlib@mbsks.franken.de Subject: [Cryptlib] Example code in Delphi Hello my friends: Somebody have and good example in Delphi using CRYPTLIB v3.0? Anything will beg appreciated. Jian Jiang oicq:19222280 freetopcn@hotmail.com _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de Administration via Mail: cryptlib-request@mbsks.franken.de _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de Administration via Mail: cryptlib-request@mbsks.franken.de From cryptlib@mbsks.franken.de Sat May 5 11:00:37 2001 From: cryptlib@mbsks.franken.de (xli) Date: Sat, 5 May 2001 18:00:37 +0800 Subject: [Cryptlib] How to add two CRL distributed point extensions with Cryptlib Message-ID: <000e01c0d54a$3c4dc600$0dccfea9@free> This is a multi-part message in MIME format. ------=_NextPart_000_000B_01C0D58D.49EF2BD0 Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 RGVhciBBbGw6DQoNCkhvdyB0byBhZGQgdHdvIENSTCBkaXN0cmlidXRlZCBwb2ludCBleHRlbnNp b25zIGludG8gYSBjZXJ0aWZpY2F0ZSB3aXRoIENyeXB0bGliPw0KDQp0aGFua3MhDQoNCkxpeGlu DQo= ------=_NextPart_000_000B_01C0D58D.49EF2BD0 Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PWdiMjMxMiI+DQo8TUVUQSBjb250ZW50PSJNU0hUTUwgNS41 MC40MTM0LjYwMCIgbmFtZT1HRU5FUkFUT1I+DQo8U1RZTEU+PC9TVFlMRT4NCjwvSEVBRD4NCjxC T0RZIGJnQ29sb3I9I2ZmZmZmZj4NCjxESVY+PEZPTlQgc2l6ZT0yPkRlYXIgQWxsOjwvRk9OVD48 L0RJVj4NCjxESVY+PEZPTlQgc2l6ZT0yPjwvRk9OVD4mbmJzcDs8L0RJVj4NCjxESVY+PEZPTlQg c2l6ZT0yPkhvdyB0byBhZGQgdHdvIENSTCBkaXN0cmlidXRlZCBwb2ludCBleHRlbnNpb25zIGlu dG8gYSANCmNlcnRpZmljYXRlJm5ic3A7d2l0aCBDcnlwdGxpYj88L0ZPTlQ+PC9ESVY+DQo8RElW PjxGT05UIHNpemU9Mj48L0ZPTlQ+Jm5ic3A7PC9ESVY+DQo8RElWPjxGT05UIHNpemU9Mj50aGFu a3MhPC9GT05UPjwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+PC9GT05UPiZuYnNwOzwvRElWPg0K PERJVj48Rk9OVCBzaXplPTI+TGl4aW48L0ZPTlQ+PC9ESVY+PC9CT0RZPjwvSFRNTD4NCg== ------=_NextPart_000_000B_01C0D58D.49EF2BD0-- From cryptlib@mbsks.franken.de Sat May 5 12:16:19 2001 From: cryptlib@mbsks.franken.de (Fidel Liberal Malaina) Date: Sat, 05 May 2001 13:16:19 +0200 Subject: [Cryptlib] Error in mysql support??? References: <98899859114763@kahu.cs.auckland.ac.nz> Message-ID: <3AF3E103.568337CE@euskalnet.net> Peter Gutmann wrote: > > Liberal Malaina Fidel writes: > > > Ahh, that must have been a post-release change I made, the code should be: > > -- Snip -- > > static int openDatabase( DBMS_STATE_INFO *dbmsInfo, const char *name, > const char *host, const char *user, > const char *password, const int options, > int *hasBinaryBlobs ) > { > MYSQL *mysql; > char *hostNamePtr = ( char * ) host; > int status = -1; > > UNUSED( options ); > > /* Connect to the MySQL server and select the database */ > if( host == NULL ) > hostNamePtr = "localhost"; /* Connect to default host */ > mysql = mysql_init( NULL ); > dbmsInfo->connection = mysql_real_connect( &mysql, hostNamePtr, user, > ^^^^^^ password, name, 0, NULL, 0 ); I think the error remains there... from cryptlib.h=> mysql_real_connect(MYSQL *mysql...., so the function call should be mysql_real_connect (mysql because "mysql" is already defined as "MYSQL *" Now I compile mysql support and start using mysql database based keysets properly. Just another bug I think I found in mysql support: First of all I must admit I don't know anything about BLOBS but in function convertQuery in misc/dbxmysql.c line 49 +o- --- strcpy (blobName, " TEXT "); +++ memcpy (blobName, " TEXT ", strlen(" TEXT ")); I think strcpy's common behaviour consists on copying second string including final '\0' character so CREATE TABLE ......cert BLOB NOT NULL) would be changed by CREATE TABLE ... cert TEXT, causing an error from mysql server; Is it correct? I'll go on testing mysql support, if anybody else has more information it would be appreciated... Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sat May 5 14:55:18 2001 From: cryptlib@mbsks.franken.de (Wolfgang Gothier) Date: Sat, 5 May 2001 15:55:18 +0200 Subject: [Cryptlib] Example code in Delphi In-Reply-To: Message-ID: <000401c0d56b$04e5f450$0301a8c0@sogot2k> > Hello my friends: > Somebody have and good example in Delphi using CRYPTLIB v3.0? > Anything will beg appreciated. > I wrote a Delphi style objectoriented wrapper for cryptlib. There are 9 objects handling the (high level) functions of cryptlib. Some additional exception objects are defined for error handling. A code example for encrypting a stream of arbitrary length with conventional encryption is: with TCryptEnvelope.Create(CRYPT_FORMAT_SMIME) do begin Password := 'My Password'; StreamIO(InputStream, OutputStream); Free; end; Another example for creating a 2048 bit all purpose RSA key pair with a selfsigned certificate stored in a cryptlib key file is: var MyKey: TCryptKey; MyKeyset: TCryptKeyset; MyCert: TCryptCert; begin MyKey := TCryptKey.Create(CRYPT_ALGO_RSA); MyKey.Labeled := 'My Label'; MyKey.GenerateKey(2048 div 8); MyCert := TCryptCert.Create(CRYPT_CERTTYPE_CERTIFICATE); with MyCert do begin SimpleGenCert := true; { this is CRYPT_CERTINFO_XYZZY } AddPublicKey(MyKey); CommonName := 'Wolfgang Gothier'; Organisation := 'SoGot'; EMail := 'hwg@gmx.net'; URL := 'www.sogot.de/cryptlib'; SignWith(MyKey); end; MyKeyset := TCryptKeyset.Create(CRYPT_KEYSET_FILE, 'Keyfile.p15', CRYPT_KEYOPT_CREATE); MyKeyset.AddPrivateKey(MyKey, 'My Password'); MyKeyset.AddPublicKey(MyCert); MyKey.Free; MyCert.Free; MyKeyset.Free; end; This project is not yet finished. Especially there is yet no documentation available except the source code. When it is completed and tested the source will be published on my home page http://www.sogot.de/cryptlib. If you need a preliminary version of the source and some examples (at your own risc and without any support), leave a message at mailto:cryptlib@sogot.de (Please DO NOT USE cryptlib@mbsks.franken.de) Wolfgang Gothier From cryptlib@mbsks.franken.de Sun May 6 08:19:33 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Sun, 6 May 2001 07:19:33 (NZST) Subject: [Cryptlib] Example code in Delphi Message-ID: <98909037316702@kahu.cs.auckland.ac.nz> Chris Wedgwood writes: >Peter, if you don't want to put these up anywhere (perhaps linked of the >CryptLib pages) I can arrange something I'm sure. The idea of a /contrib directory has been suggested, although that was more for third-party additions to cryptlib itself rather than external code. I could put a link to some external location for other people's code on the download page, although I don't know how uploads would be managed (perhaps via a widely- known secret password for FTP or something). Peter. From cryptlib@mbsks.franken.de Sun May 6 07:38:15 2001 From: cryptlib@mbsks.franken.de (Thomas Schoessow) Date: Sun, 6 May 2001 08:38:15 +0200 Subject: [Cryptlib] Example code in Delphi References: <98909037316702@kahu.cs.auckland.ac.nz> Message-ID: <004001c0d5f7$8a225c80$0a000082@home.schoessow.de> Peter, why not creating a "club" at Yahoo ?. Beside from the nasty banner = advertisement, there is a space of 20 MB for each club and every member could upload files.. Regards Thomas -------------------------------------------------------------- Softwareentwicklung Thomas Schoessow http://www.tschoessow.de http://www.schoessow.de EMail: feedback@tschoessow.de -------------------------------------------------------------- -----Urspr=FCngliche Nachricht-----=20 Von: "Peter Gutmann" An: Gesendet: Sonntag, 6. Mai 2001 07:19 Betreff: Re: [Cryptlib] Example code in Delphi > Chris Wedgwood writes: >=20 > >Peter, if you don't want to put these up anywhere (perhaps linked of = the > >CryptLib pages) I can arrange something I'm sure. >=20 > The idea of a /contrib directory has been suggested, although that was = more for > third-party additions to cryptlib itself rather than external code. I = could > put a link to some external location for other people's code on the = download > page, although I don't know how uploads would be managed (perhaps via = a widely- > known secret password for FTP or something). >=20 > Peter. >=20 >=20 > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > Administration via Mail: cryptlib-request@mbsks.franken.de >=20 From cryptlib@mbsks.franken.de Sun May 6 12:17:33 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Sun, 6 May 2001 13:17:33 +0200 Subject: [Cryptlib] Example code in Delphi In-Reply-To: <20010506215722.B31909@metastasis.f00f.org>; from cw@f00f.org on Sun, May 06, 2001 at 09:57:22PM +1200 References: <98909037316702@kahu.cs.auckland.ac.nz> <004001c0d5f7$8a225c80$0a000082@home.schoessow.de> <20010506215722.B31909@metastasis.f00f.org> Message-ID: <20010506131733.C2641@mbsks.franken.de> Mahlzeit On Sun, May 06, 2001 at 09:57:22PM +1200, Chris Wedgwood wrote: > Now, if someone else has a better idea then by all means speak up, > I'm only offering to do this because nobody else has... There is a incoming folder (which should now work) at ftp.franken.de/pub/crypt/incoming. If someone puts something cryptlib related there, I can move it to /pub/crypt/cryptlib/... Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Mon May 7 15:58:41 2001 From: cryptlib@mbsks.franken.de (Bradley Aaron Morgan) Date: Mon, 7 May 2001 10:58:41 -0400 (EDT) Subject: [Cryptlib] (no subject) Message-ID: <3AF6B820.246E@smtpserver2.Princeton.EDU> Cryptography is Fun!!!!! I love it!!! From cryptlib@mbsks.franken.de Mon May 7 23:26:25 2001 From: cryptlib@mbsks.franken.de (Luciano Benetti) Date: Mon, 7 May 2001 23:26:25 +0100 Subject: R: [Cryptlib] (no subject) References: <3AF6B820.246E@smtpserver2.Princeton.EDU> Message-ID: <01ce01c0d744$c09d82f0$05c8a8c0@dummy.net> I think equal :) -----Messaggio Originale----- Da: Bradley Aaron Morgan A: Cc: Data invio: lunedì 7 maggio 2001 15.58 Oggetto: [Cryptlib] (no subject) > > Cryptography is Fun!!!!! I love it!!! > > > > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > Administration via Mail: cryptlib-request@mbsks.franken.de > From cryptlib@mbsks.franken.de Tue May 8 08:45:55 2001 From: cryptlib@mbsks.franken.de (Susanna Bessone) Date: Tue, 8 May 2001 09:45:55 +0200 Subject: [Cryptlib] CA References: <00dd01c0cf1c$1ecf4d30$0dccfea9@free> Message-ID: <004801c0d792$eb29b4f0$2d07020a@sirio> Messaggio in formato MIME composto da più parti. ------=_NextPart_000_0045_01C0D7A3.AD9AD360 Content-Type: text/plain; charset="GB2312" Content-Transfer-Encoding: quoted-printable Hi, can someone tell me how to create a CA with cryptlib and if the SSL = session work? (I'm working with cryptlib 3.0 beta 5) Thanks Susanna ------=_NextPart_000_0045_01C0D7A3.AD9AD360 Content-Type: text/html; charset="GB2312" Content-Transfer-Encoding: quoted-printable
Hi, can someone tell me how to create a = CA with=20 cryptlib and if the SSL session work?
(I'm working with cryptlib 3.0 beta = 5)
 
Thanks
Susanna
------=_NextPart_000_0045_01C0D7A3.AD9AD360-- From cryptlib@mbsks.franken.de Tue May 8 18:01:24 2001 From: cryptlib@mbsks.franken.de (Fidel Liberal Malaina) Date: Tue, 8 May 2001 19:01:24 +0200 (CEST) Subject: [Cryptlib] error establishing CMP session (connection) Message-ID: Hello everybody! I'm trying to create a CMP request and send it. Following instructions in the manual I can't establish the session: page 134 from manual: .... cryptSetAttribute (cryptCMPRequest, CRYPT_SESSINFO_CMP_CACERTIFICATE,crypCACert); I get a CRYPT_ERROR_PARAM1 error => I think the right instruction should be cryptSetAttribute (cryptSession.... Well, after that it gives no parameter parsing relating errors but an assert instruction forces program to exit CMP request test included with the library gives also the same result. After recompiling library with debug options and diving with gdb into its sources I finally found where exists: crypacm.h line 540 I suppose acm stands for access control or something like that, but I don't know enough about library internals to say why it exits. Does anybody know how to set the session up correctly? BTW is there any paper or doc that explains library core or structure? Thanks in advance Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Tue May 8 19:02:47 2001 From: cryptlib@mbsks.franken.de (Gabriel Praino) Date: Tue, 08 May 2001 15:02:47 -0300 Subject: [Cryptlib] CA Message-ID: I've created a CA which stores requests and certificates in database, but I'm distributing certificates and keys manually by files. Is this what you need? What do you need to know? Be carefull I've found some bugs related to CA usage, for example, testing a CA signed certificate without CA key causes assertion. I've notified this bugs to Peter Gutmann, who sent me the fixes. Do you want me to forward you this mails? >From: "Susanna Bessone" >Reply-To: cryptlib@mbsks.franken.de >To: >Subject: [Cryptlib] CA >Date: Tue, 8 May 2001 09:45:55 +0200 > >Hi, can someone tell me how to create a CA with cryptlib and if the SSL >session work? >(I'm working with cryptlib 3.0 beta 5) > >Thanks >Susanna _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From cryptlib@mbsks.franken.de Wed May 9 13:35:39 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Wed, 9 May 2001 12:35:39 (NZST) Subject: [Cryptlib] error establishing CMP session (connection) Message-ID: <98936853927482@kahu.cs.auckland.ac.nz> Fidel Liberal Malaina writes: >I'm trying to create a CMP request and send it. Where are you trying to send it to? Only the Certicom test responder is still up and running correctly AFAIK. >I think the right instruction should be cryptSetAttribute (cryptSession.... Thanks, I've fixed that. >Well, after that it gives no parameter parsing relating errors but an assert >instruction forces program to exit That's because there were no test CAs running when I rewrote the ASN.1 library, so I couldn't test the new code against anything. There was a CMP interop the week before last so everything's fixed up again now. >I suppose acm stands for access control or something like that, but I don't >know enough about library internals to say why it exits. Access control rules for crypto and keyset mechanisms. >Does anybody know how to set the session up correctly? You'd have to wait until the next beta which contains all the fixes (it'll also contain a CMP server for anyone who wants to play with that). >BTW is there any paper or doc that explains library core or structure? Yup, it's documented fairly exhaustively at http://www.cs.auckland.ac.nz/~pgut001/pubs/thesis.html. Peter. From cryptlib@mbsks.franken.de Wed May 9 02:00:25 2001 From: cryptlib@mbsks.franken.de (dss) Date: Wed, 9 May 2001 09:00:25 +0800 (CST) Subject: [Cryptlib] CA Message-ID: <3AF896A9.04358@mta1> I'm a beginner of cryptlib and interested in your CA program,can you give it to me for reference? Thanks, Andy >I've created a CA which stores requests and certificates in database, but >I'm distributing certificates and keys manually by files. >Is this what you need? What do you need to know? >Be carefull I've found some bugs related to CA usage, for example, >testing a CA signed certificate without CA key causes assertion. >I've notified this bugs to Peter Gutmann, who sent me the fixes. >Do you want me to forward you this mails? > > _____________________________________________ »¯×±Æ·ÈÈÂô£¬ÊçŮҲ·è¿ñ http://shopping.263.net/category04.htm ¾«Æ·MP3¡¢ËæÉíÌý£¬¼Û¸ñÕ𺳠http://shopping.263.net/fs/81shop/ From cryptlib@mbsks.franken.de Wed May 9 08:09:10 2001 From: cryptlib@mbsks.franken.de (Roeland Arnold) Date: Wed, 9 May 2001 09:09:10 +0200 Subject: [Cryptlib] CA Message-ID: <39DCDDFD014ED21185C300104BB3F99F0CB094@NL-ARN-MAIL01> please forward to the list! Roeland -----Original Message----- From: Gabriel Praino [mailto:gabriel_praino@hotmail.com] Sent: dinsdag 8 mei 2001 20:03 To: cryptlib@mbsks.franken.de Subject: Re: [Cryptlib] CA I've created a CA which stores requests and certificates in database, but I'm distributing certificates and keys manually by files. Is this what you need? What do you need to know? Be carefull I've found some bugs related to CA usage, for example, testing a CA signed certificate without CA key causes assertion. I've notified this bugs to Peter Gutmann, who sent me the fixes. Do you want me to forward you this mails? >From: "Susanna Bessone" >Reply-To: cryptlib@mbsks.franken.de >To: >Subject: [Cryptlib] CA >Date: Tue, 8 May 2001 09:45:55 +0200 > >Hi, can someone tell me how to create a CA with cryptlib and if the SSL >session work? >(I'm working with cryptlib 3.0 beta 5) > >Thanks >Susanna _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de Administration via Mail: cryptlib-request@mbsks.franken.de From cryptlib@mbsks.franken.de Wed May 9 08:10:28 2001 From: cryptlib@mbsks.franken.de (Susanna Bessone) Date: Wed, 9 May 2001 09:10:28 +0200 Subject: R: [Cryptlib] CA References: Message-ID: <000b01c0d857$22d80270$2d07020a@sirio> > I've created a CA which stores requests and certificates in database, but > I'm distributing certificates and keys manually by files. > Is this what you need? What do you need to know? yes I need this. If you have time to write it down, you'd be very kind! > Be carefull I've found some bugs related to CA usage, for example, > testing a CA signed certificate without CA key causes assertion. > I've notified this bugs to Peter Gutmann, who sent me the fixes. > Do you want me to forward you this mails? > Yes thank you! Susanna From cryptlib@mbsks.franken.de Wed May 9 19:12:38 2001 From: cryptlib@mbsks.franken.de (Gabriel Praino) Date: Wed, 09 May 2001 15:12:38 -0300 Subject: [Cryptlib] !!!BUG FIXES in CRYPTLIB 3.0 Beta 5!!! Message-ID: Here are some bug I found in CryptLib 3 Beta 5, with their corresponding fixes, by Peter Gutmann. Note that the reported line numbers don't match exactly with library lines, in all cases. >BUG >If you try to insert a duplicate Certificate Request into a CA Keyset >(which returns error CRYPT_ERROR_DUPLICATE), next call to cryptKeysetOpen() >does not return. >BUG - cryptCAAddRequest() >Trying to insert a certificate request to a CA Keyset which does not >include all necessary attributes (Country, Name, >Company, etc), unhandled exception. ----------------- FIX To the above bugs, by Peter Gutmann --------------- Hi, Thanks for the info, now I've managed to reproduce the problem, the fixes are included below. In misc/keyset.h at line 210 for DBMS_INFO add: In misc/keyset.h at line 210 for DBMS_INFO add: BOOLEAN updateActive; /* Whether there's an update active */ In lib_dbms.c, line 391 in performUpdate() add: /* If we're trying to abort a transaction which was never begun, don't do anything */ if( updateType == DBMS_UPDATE_ABORT && !dbmsInfo->updateActive ) return( CRYPT_OK ); In line 431, add/change: if( cryptStatusError( status ) ) performErrorQuery( dbmsInfo ); else { /* If we're starting or ending an update, record the update state */ if( updateType == DBMS_UPDATE_BEGIN ) dbmsInfo->updateActive = TRUE; if( updateType == DBMS_UPDATE_COMMIT || \ updateType == DBMS_UPDATE_ABORT ) dbmsInfo->updateActive = FALSE; } In line 1450, change: if( isCert && ( cryptStatusOK( status ) || \ status == CRYPT_ERROR_NOTFOUND ) ) { setResourceData( &msgData, &boundDate, sizeof( time_t ) ); status = krnlSendMessage( iCryptHandle, RESOURCE_IMESSAGE_GETATTRIBUTE_S, &msgData, CRYPT_CERTINFO_VALIDTO ); } else if( status == CRYPT_ERROR_NOTFOUND ) status = CRYPT_OK; Peter. ----------------------------------------------------------------------- >BUG >A certificate generated with CRYPT_CERTINFO_XYZZY attribute can't >be used to export a key, that is: > >status = cryptExportKey (NULL, &encryptedKeyLength, cryptCert, >SessionKeyCtx); >returns -3. ----------------- FIX To the above bug, by Peter Gutmann --------------- Thanks for finding this, in cryptapi.c, line 2376, change the start of the function to: C_RET cryptCheckCert( C_IN CRYPT_HANDLE certificate, C_IN CRYPT_HANDLE sigCheckKey ) { static const COMMAND_INFO cmdTemplate = \ { COMMAND_CERTCHECK, COMMAND_FLAG_NONE, 2, 0 }; static const ERRORMAP errorMap[] = \ { ARG_O, ARG_V, ARG_LAST }; ------------------------------------------------------------------------ >BUG - cryptCheckCert() >Checking a signed certificate without CA Key causes unhandled exception, >even if cert import returns OK: ----------------- FIX To the above bug, by Peter Gutmann --------------- I posted a comment about this to the cryptlib list last week, details on the fix are also available from the cryptlib download page. Update: The new Xyzzy certificate type requires one small code update to work correctly for all possible key usage types, in keymgmt/certcomp.c, line 452, change the keyUsage line to: const int keyUsage = CRYPT_KEYUSAGE_DIGITALSIGNATURE | \ CRYPT_KEYUSAGE_NONREPUDIATION | \ CRYPT_KEYUSAGE_KEYENCIPHERMENT | \ CRYPT_KEYUSAGE_KEYCERTSIGN | \ CRYPT_KEYUSAGE_CRLSIGN; That's taken straight from http://www.cs.auckland.ac.nz/~pgut001/cryptlib/. ------------------------------------------------------------------------ _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From cryptlib@mbsks.franken.de Thu May 10 07:41:42 2001 From: cryptlib@mbsks.franken.de (Fredrik Thelandersson) Date: Thu, 10 May 2001 08:41:42 +0200 Subject: [Cryptlib] Library size Message-ID: Hello!! I've managed to compile and use cryptlib in a pocket pc environment. I have also tried to minimize the size of the library, but without much success. Currently, the size of the static lib is a bit above 2000k. What can I do to make a smaller lib as I think this is too big? I've read comments in the code about embedded systems, so it _must_ be possible to make it smaller, but how?? FYI: I've compiled cryptlib as CRYPTLIB_LITE, disabled algorithms and stuff not usable to me, and OBJECT_TABLE_ALLOCSIZE is 128. Regards, Fredrik Thelandersson From cryptlib@mbsks.franken.de Thu May 10 10:21:51 2001 From: cryptlib@mbsks.franken.de (Fredrik Thelandersson) Date: Thu, 10 May 2001 11:21:51 +0200 Subject: [Cryptlib] lfsr Message-ID: Hello!! Since I changed OBJECT_TABLE_ALLOCSIZE to a smaller value in cryptkrn.c I found out that the LFSR polynomial is hard-coded in the objectStateTemplate to 0x409. This polynomial doesn't work with other values of OBJECT_TABLE_ALLOCSIZE than 0x400. Have anyone made a fix for this? /Fredrik From cryptlib@mbsks.franken.de Fri May 11 15:28:42 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Fri, 11 May 2001 14:28:42 (NZST) Subject: [Cryptlib] Re: Begging: please help in Diffie-Helman key exchange Message-ID: <98954812207035@kahu.cs.auckland.ac.nz> Toth Csaba writes: >What is your opinion about this Needham-Scrhoeder PK KA? I've looked it up >in the Handbook of Applied Cryptography. There's a rather nice analysis of various aspects of Needham-Schroeder in the paper presented by Catherine Meadows at ESORICS'96, this should be in the Springer-Verlag LNCS series somewhere around the 1200 mark. Peter. From cryptlib@mbsks.franken.de Fri May 11 07:13:56 2001 From: cryptlib@mbsks.franken.de (Fidel Liberal Malaina) Date: Fri, 11 May 2001 08:13:56 +0200 (CEST) Subject: [Cryptlib] Dallas iButton support? Message-ID: Hello everybody. I've seen references talking about using Dallas iButton with cryptlib both in manual and mailing list file but I can't find any info about it. Is there any existing project to provide iButton support in cryptlib or a special driver (only for Windows....) is needed, as I suspect? I'm THINKING about trying to do so under a Linux box with a Java crypto iButton.... but I don't know what to begin with.... I suppose the simplest way should be using the structure for pkcs11 devices and writing related functions (and assigning then to pointers as in dev_pkcs11.c). Is there any pkcs11 driver with source code to have an example to start with? Thanks in advance. Fidel Liberal Malaina Bilbao ETSI (Spain) From cryptlib@mbsks.franken.de Fri May 11 11:58:48 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Fri, 11 May 2001 10:58:48 (NZST) Subject: [Cryptlib] Library size Message-ID: <98953552806534@kahu.cs.auckland.ac.nz> "Fredrik Thelandersson" writes: >I've managed to compile and use cryptlib in a pocket pc environment. I have >also tried to minimize the size of the library, but without much success. >Currently, the size of the static lib is a bit above 2000k. What can I do to >make a smaller lib as I think this is too big? I've read comments in the code >about embedded systems, so it _must_ be possible to make it smaller, but how?? It looks like you've got all of libc (and who knows what else) linked in statically as well, I've just looked at the (unstripped) testlib executable (which is cryptlib and all the test code) under Solaris and it's 800K. I've run the cut-down version on a system with 512K memory total, but that was about 1 1/2 years ago, I don't know how much it'll shrink down to now. Peter. From cryptlib@mbsks.franken.de Fri May 11 10:17:41 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Fri, 11 May 2001 11:17:41 +0200 Subject: [Cryptlib] Dallas iButton support? In-Reply-To: ; from jtblimaf@aintel.bi.ehu.es on Fri, May 11, 2001 at 08:13:56AM +0200 References: Message-ID: <20010511111740.M22013@mbsks.franken.de> Mahlzeit On Fri, May 11, 2001 at 08:13:56AM +0200, Fidel Liberal Malaina wrote: > Is there any pkcs11 driver with source code to have an example to start > with? Yes, either gpkcs11 or the pkcs11 driver for the iButton. Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Fri May 11 14:04:02 2001 From: cryptlib@mbsks.franken.de (Antonio Cesa da Silveira Jr.) Date: Fri, 11 May 2001 10:04:02 -0300 Subject: [Cryptlib] Signing via Digital Certificate installed in Windows.... Message-ID: <003101c0da1a$db529080$0f000080@silveira> Hello, i am newbie in cryptlib and have a question in use of this library. There are some manner to get the private key of a certificate installed in windows registry ( that are view in Internet Explorer - options - security menu ) and use it for sign messages via cryptlib functions? From cryptlib@mbsks.franken.de Sat May 12 05:38:25 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Sat, 12 May 2001 04:38:25 (NZST) Subject: [Cryptlib] Signing via Digital Certificate installed in Windows.... Message-ID: <98959910508462@kahu.cs.auckland.ac.nz> "Antonio Cesa da Silveira Jr." writes: >There are some manner to get the private key of a certificate installed in >windows registry ( that are view in Internet Explorer - options - security >menu ) and use it for sign messages via cryptlib functions? You can't do this for two reasons, firstly cryptlib doesn't allow the export of private keys for security reasons, and secondly even if it did the Windows key storage mechanisms are completely undocumented so there's no way to get a key to where Windows wants it. Peter. From cryptlib@mbsks.franken.de Sat May 12 04:37:30 2001 From: cryptlib@mbsks.franken.de (Geoff Thorpe) Date: Fri, 11 May 2001 20:37:30 -0700 (PDT) Subject: [Cryptlib] Signing via Digital Certificate installed in Windows.... In-Reply-To: <98959910508462@kahu.cs.auckland.ac.nz> Message-ID: On Sat, 12 May 2001, Peter Gutmann wrote: > You can't do this for two reasons, firstly cryptlib doesn't allow the export of > private keys for security reasons, and secondly even if it did the Windows key > storage mechanisms are completely undocumented so there's no way to get a key > to where Windows wants it. Which is probably for the best - if you could get a private key there, you're half way to getting it leaked via the first activex control (or VBScript for that matter) you accidently download and run. Not that I have anything against windows security mind you, that would be like having something against honest well-meaning politicians ... now if only we could find either of these precious things ... Sorry, I feel better now. :-) Cheers, Geoff From cryptlib@mbsks.franken.de Sat May 12 14:38:47 2001 From: cryptlib@mbsks.franken.de (xli) Date: Sat, 12 May 2001 21:38:47 +0800 Subject: [Cryptlib] How to add two CRL distribute point extensions Message-ID: <00e401c0dae8$df69bad0$9f3fe29f@free> This is a multi-part message in MIME format. ------=_NextPart_000_00E1_01C0DB2B.ED6B4200 Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 RGVhciBBbGw6DQoNCkhvdyB0byBhZGQgdHdvIENSTCBkaXN0cmlidXRlIHBvaW50IGV4dGVuc2lv bnMgaW4gYSBjZXJ0aWZpY2F0aW9uPw0KDQp0aGFua3MNCg0KeW91cnMsIExpeGluDQoNCg0KDQo= ------=_NextPart_000_00E1_01C0DB2B.ED6B4200 Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PWdiMjMxMiI+DQo8TUVUQSBjb250ZW50PSJNU0hUTUwgNS41 MC40MTM0LjYwMCIgbmFtZT1HRU5FUkFUT1I+DQo8U1RZTEU+PC9TVFlMRT4NCjwvSEVBRD4NCjxC T0RZIGJnQ29sb3I9I2ZmZmZmZj4NCjxESVY+PEZPTlQgc2l6ZT0yPkRlYXIgQWxsOjwvRk9OVD48 L0RJVj4NCjxESVY+PEZPTlQgc2l6ZT0yPjwvRk9OVD4mbmJzcDs8L0RJVj4NCjxESVY+PEZPTlQg c2l6ZT0yPkhvdyB0byBhZGQgdHdvIENSTCBkaXN0cmlidXRlIHBvaW50IGV4dGVuc2lvbnMgaW4g YSANCmNlcnRpZmljYXRpb24/PC9GT05UPjwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+PC9GT05U PiZuYnNwOzwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+dGhhbmtzPC9GT05UPjwvRElWPg0KPERJ Vj48Rk9OVCBzaXplPTI+PC9GT05UPiZuYnNwOzwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+eW91 cnMsIExpeGluPC9GT05UPjwvRElWPg0KPERJVj48Rk9OVCBzaXplPTI+PC9GT05UPiZuYnNwOzwv RElWPg0KPERJVj48Rk9OVCBzaXplPTI+PC9GT05UPiZuYnNwOzwvRElWPg0KPERJVj48Rk9OVCBz aXplPTI+PC9GT05UPiZuYnNwOzwvRElWPjwvQk9EWT48L0hUTUw+DQo= ------=_NextPart_000_00E1_01C0DB2B.ED6B4200-- From cryptlib@mbsks.franken.de Sat May 12 23:30:45 2001 From: cryptlib@mbsks.franken.de (Samim Konjicija) Date: Sun, 13 May 2001 00:30:45 +0200 Subject: [Cryptlib] Signing via Digital Certificate installed in Windows.... References: <98959910508462@kahu.cs.auckland.ac.nz> Message-ID: <001501c0db33$310ca060$07010a0a@Samim> Hello, Another similar question. Is there a way to use certificates from some of Windows stores in cryptlib? Samim ----- Original Message ----- From: "Peter Gutmann" To: Sent: Saturday, May 12, 2001 4:38 AM Subject: Re: [Cryptlib] Signing via Digital Certificate installed in Windows.... > "Antonio Cesa da Silveira Jr." writes: > > >There are some manner to get the private key of a certificate installed in > >windows registry ( that are view in Internet Explorer - options - security > >menu ) and use it for sign messages via cryptlib functions? > > You can't do this for two reasons, firstly cryptlib doesn't allow the export of > private keys for security reasons, and secondly even if it did the Windows key > storage mechanisms are completely undocumented so there's no way to get a key > to where Windows wants it. > > Peter. > > > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > Administration via Mail: cryptlib-request@mbsks.franken.de > From cryptlib@mbsks.franken.de Mon May 14 07:57:00 2001 From: cryptlib@mbsks.franken.de (Fredrik Thelandersson) Date: Mon, 14 May 2001 08:57:00 +0200 Subject: [Cryptlib] Library size In-Reply-To: <98953552806534@kahu.cs.auckland.ac.nz> Message-ID: > >I've managed to compile and use cryptlib in a pocket pc > environment. I have > >also tried to minimize the size of the library, but without much success. > >Currently, the size of the static lib is a bit above 2000k. What > can I do to > >make a smaller lib as I think this is too big? I've read > comments in the code > >about embedded systems, so it _must_ be possible to make it > smaller, but how?? > > It looks like you've got all of libc (and who knows what else) linked in > statically as well, I've just looked at the (unstripped) testlib > executable > (which is cryptlib and all the test code) under Solaris and it's > 800K. I've > run the cut-down version on a system with 512K memory total, but > that was about > 1 1/2 years ago, I don't know how much it'll shrink down to now. > > Peter. > Hi!! Nope, that wasn't the case, thanks anyway for your answer. You gave me new hope, and I did find the problem... :) I didn't realize that building the debug-version made a library three times bigger in size... Maybe this posting will stop others from making my stupid mistake over again. I'm down to 764K now :) /Fredrik From cryptlib@mbsks.franken.de Mon May 14 13:41:38 2001 From: cryptlib@mbsks.franken.de (Ratti Marcelo) Date: Mon, 14 May 2001 09:41:38 -0300 Subject: [Cryptlib] Example code (AGAIN !!!) Message-ID: <12ED5015041BD411BCA700AA00B182E90164D944@correo.nec.com.ar> Hi Somebody have any example in Visual Basic using CRYPTLIB v3.0? Anything will be appreciated? Thanks a lot and greetings from Argentina. Marcelo Ratti ICQ #12470503 _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de From cryptlib@mbsks.franken.de Mon May 14 23:50:37 2001 From: cryptlib@mbsks.franken.de (Luciano Benetti) Date: Mon, 14 May 2001 23:50:37 +0100 Subject: R: [Cryptlib] Example code (AGAIN !!!) References: <12ED5015041BD411BCA700AA00B182E90164D944@correo.nec.com.ar> Message-ID: <009f01c0dcc8$4b8bb1b0$05c8a8c0@dummy.net> Ciao per caso parli Italiano visto il nome :) Io sviluppo in dlephi se ti serve ti posso mandare dei spezzoni del mio codice. Che cosa stai sviluppando con la cryptolib ? Luciano -----Messaggio Originale----- Da: Ratti Marcelo A: Data invio: lunedì 14 maggio 2001 13.41 Oggetto: [Cryptlib] Example code (AGAIN !!!) > > Hi > > Somebody have any example in Visual Basic using CRYPTLIB v3.0? Anything > will be appreciated? > > Thanks a lot and greetings from Argentina. > > > Marcelo Ratti > ICQ #12470503 > > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > Administration via Mail: cryptlib-request@mbsks.franken.de > From cryptlib@mbsks.franken.de Tue May 15 08:50:54 2001 From: cryptlib@mbsks.franken.de (Sean Richardson) Date: Tue, 15 May 2001 03:50:54 -0400 Subject: [Cryptlib] CA databases... Message-ID: <20010515035054.R17476@wild-karrde.dartmouth.edu> I am trying to set up a CA for a exp. project... and I was just wondering which db is recommended? I know I need a db with transactions, so mysql is out, and I was planning on using postgres (or if forced to oracle). However, two things caught my attention. 1) the code for supporting both dbs says that its only 98% complete at the top 2) I tried compiling crytlib with postgres support and I got the following errors: misc/dbxpostg.c: In function `openDatabase': misc/dbxpostg.c:122: warning: assignment of read-only location In file included from misc/dbxpostg.c:253: misc/dbx_rpc.c: In function `cmdQuery': misc/dbx_rpc.c:98: warning: left shift count >= width of type misc/dbx_rpc.c:103: too many arguments to function `performQuery' misc/dbx_rpc.c: In function `cmdUpdate': misc/dbx_rpc.c:138: warning: left shift count >= width of type misc/dbx_rpc.c:148: too many arguments to function `performUpdate' make[2]: *** [static-obj/dbxpostg.o] Error 1 make[2]: Leaving directory `/home/ghent/cryptlib/thelib' make[1]: *** [Linux] Error 2 make[1]: Leaving directory `/home/ghent/cryptlib/thelib' make: *** [default] Error 2 Since its clear that postgres isn't the db that everyone is using with their CA's (since the beta release doesn't support it, kinda like mysql) I wanted to know what people where actually using. I am on a somewhat limited time scale here and just need to get cryptlib up and running so I can start the real development i need to do. I would prefer to not need a windows box for this project, but if thats necessary for the db I will do it. Thanks in advance -sean From cryptlib@mbsks.franken.de Tue May 15 15:26:52 2001 From: cryptlib@mbsks.franken.de (Andrey Maksimovich) Date: Tue, 15 May 2001 17:26:52 +0300 Subject: [Cryptlib] Problems with new algorithm Message-ID: <018101c0dd4b$1642dbe0$f16fa8c0@belcaf.minsk.by> Hello, Peter. I need to incorporate the new symmetric algorithm(Rijndael) with cryptlib, especially with its enveloping mechanism. I did everything with regard to cryptlib manual, like CRYPT_ALGO_VENDOR1, vendalgo.c and so on. But it doesn't work that is cryptSetAttribute(CRYPT_UNUSED,CRYPT_OPTION_ENCR_ALGO,CRYPT_ALGO_VENDOR1); ... cryptSetAttributeString(env, CRYPT_ENVINFO_PASSWORD, "123", 3); ... cryptPushData(env, buffer, bufferCount, &bytesCopied); cryptPopData(env, buffer, bufferCount, &bytesCopied); ... And buffer was encoded by 3DES default algorithm. Could you give a solution of my problem. thanks for any help. From cryptlib@mbsks.franken.de Tue May 15 18:58:59 2001 From: cryptlib@mbsks.franken.de (Greg Sergeant) Date: Tue, 15 May 2001 12:58:59 -0500 Subject: [Cryptlib] How to get off list. Message-ID: <3B016E63.49261A4B@bigfoot.com> Sorry to be a bother. But can someone give me instructions for removing myself from this list. I sent a mail with "unsubscribe myemailaddress" in the body (without the quotes) and I got a reply that I gave the wrong password. I must have forgotten my password if I ever had one. Can you help me? Thanks again Greg From cryptlib@mbsks.franken.de Tue May 15 21:14:40 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Tue, 15 May 2001 22:14:40 +0200 Subject: [Cryptlib] Signing via Digital Certificate installed in Windows.... Message-ID: <3b018e30.40.0@nextra.at> Hello, Use crytlib to generate a RSA-keypair with F4 as public exponent (Bill uses an DWORD for the public exponent). Use cryptlib to create an selfsigned certifcate (using the generated key). Use cryptlib to export the created certifcate. Extract the modulus out of the certificate (using cryptlib?). Fill the modulus and the public exponent in a public key blob. Import the key blob using MSCryptoAPI function CryptImportKey. Export the wanted private key using the MSCryptoAPI function CryptExportKey and the import (transport) key. Use cryptlib to import the wanted private key. Or easier: Use the MSCryptoAPI function CryptGetUserKey (this function opens a dialog, if you own more than one "signature" certificates). Use the MSCryptoAPI function CryptHashData and CryptSignHash to sign. But I have not tried it. Robert >Hello, > >Another similar question. Is there a way to use certificates from some of >Windows stores in cryptlib? > >Samim > >----- Original Message ----- >From: "Peter Gutmann" >To: >Sent: Saturday, May 12, 2001 4:38 AM >Subject: Re: [Cryptlib] Signing via Digital Certificate installed in >Windows.... > > >> "Antonio Cesa da Silveira Jr." writes: >> >> >There are some manner to get the private key of a certificate installed >in >> >windows registry ( that are view in Internet Explorer - options - >security >> >menu ) and use it for sign messages via cryptlib functions? >> >> You can't do this for two reasons, firstly cryptlib doesn't allow the >export of >> private keys for security reasons, and secondly even if it did the Windows >key >> storage mechanisms are completely undocumented so there's no way to get a >key >> to where Windows wants it. >> >> Peter. >> >> >> _______________________________________________ >> Cryptlib mailing list >> Cryptlib@mbsks.franken.de >> Administration via Mail: cryptlib-request@mbsks.franken.de >> > > >_______________________________________________ >Cryptlib mailing list >Cryptlib@mbsks.franken.de >Administration via Mail: cryptlib-request@mbsks.franken.de > > From cryptlib@mbsks.franken.de Wed May 16 10:52:49 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Wed, 16 May 2001 09:52:49 (NZST) Subject: [Cryptlib] Problems with new algorithm Message-ID: <98996356921668@kahu.cs.auckland.ac.nz> "Andrey Maksimovich" writes: >I need to incorporate the new symmetric algorithm(Rijndael) with cryptlib, >especially with its enveloping mechanism. You can't do that because there's no official object identifier or algorithm identifier defined for it, so there's no way to use it with anything which needs these values (envelopes, secure sessions, most types of key export/import, etc etc). >And buffer was encoded by 3DES default algorithm. cryptlib has found that the algorithm can't be used with envelopes (or anything else for that matter) and has fallen back to the default safe algorithm 3DES (it'll always fail safe, which in the case of crypto algorithms means 3DES). Peter. From cryptlib@mbsks.franken.de Wed May 16 11:06:12 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Wed, 16 May 2001 10:06:12 (NZST) Subject: [Cryptlib] CA databases... Message-ID: <98996437221756@kahu.cs.auckland.ac.nz> Sean Richardson writes: >I know I need a db with transactions, so mysql is out, MySQL has pseudo-transactions which should be OK, you just won't get the full reliability level you'd have with proper transaction handling. >1) the code for supporting both dbs says that its only 98% complete at the top .. and that was in about 1997 when I last worked on it (I've just made minor maintenance changes since then). >Since its clear that postgres isn't the db that everyone is using with their >CA's (since the beta release doesn't support it, kinda like mysql) I wanted to >know what people where actually using. As far as I can tell it's MS SQL Server (which says scary things about CAs if that's what people are running them on). When I test it under Windows I just use the Access DB via the Jet driver (which is even scarier than SQL Server, and has some silly misfeatures such as only pretending to support NOT NULL, which makes catching problems which rely on the ability to detect NULL entries tricky). >I would prefer to not need a windows box for this project, but if thats >necessary for the db I will do it. Well, if you don't want to work on the Postgres or MySQL code I guess you'd have to use Windows. Peter. From cryptlib@mbsks.franken.de Wed May 16 15:19:22 2001 From: cryptlib@mbsks.franken.de (Alex Saratow) Date: Wed, 16 May 2001 16:19:22 +0200 Subject: [Cryptlib] Public Keys Message-ID: <001a01c0de13$34377b10$f945ccd4@MARCOM.local> This is a multi-part message in MIME format. ------=_NextPart_000_0017_01C0DE23.F7AAC740 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, i'm a novice in cryptography. And i have a (second) problem. Can anybody = give me an code example on how to exchange public keys. The problem is = following: I have a server and clients with default private/public key pairs on = them. From time to time it is required to change the keys and send the = public part to the other side. In the cryptlib (3.0 beta 4) documentation under "Exporting a Key" it is = assumed, that side A already have the public key from side B. But how = side A gets the public key from side B? Is there a mail archive of this list? Alex ------=_NextPart_000_0017_01C0DE23.F7AAC740 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi,
i'm a novice in cryptography. And i = have a (second)=20 problem. Can anybody give me an code example on how to exchange public = keys. The=20 problem is following:
I have a server and clients = with default=20 private/public key pairs on them. From time to time it is required to = change the=20 keys and send the public part to the other side.
In the cryptlib (3.0 beta = 4) documentation=20 under "Exporting a Key" it is assumed, that side A already have the = public key=20 from side B. But how side A gets the public key from side = B?
Is there a mail archive of this = list?
Alex
 
------=_NextPart_000_0017_01C0DE23.F7AAC740-- From cryptlib@mbsks.franken.de Wed May 16 16:08:59 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Wed, 16 May 2001 17:08:59 +0200 Subject: [Cryptlib] Public Keys In-Reply-To: <001a01c0de13$34377b10$f945ccd4@MARCOM.local>; from asaratow@marcom.de on Wed, May 16, 2001 at 04:19:22PM +0200 References: <001a01c0de13$34377b10$f945ccd4@MARCOM.local> Message-ID: <20010516170859.M9606@mbsks.franken.de> Mahlzeit On Wed, May 16, 2001 at 04:19:22PM +0200, Alex Saratow wrote: > Is there a mail archive of this list? At ftp://ftp.franken.de/pub/crypt/cryptlib is a zip file of the mailing list archive, which is a few weeks old. Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Wed May 16 22:13:20 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Wed, 16 May 2001 23:13:20 +0200 Subject: [Cryptlib] CAPI.bas interface for Cryptlib Message-ID: <001e01c0de4d$2388a660$cb77fea9@ginfotech> This is a multi-part message in MIME format. ------=_NextPart_000_000F_01C0DE5D.CC339030 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Attached find CAPI.bas, a VB module for interfacing with Cryptlib = version 3 beta 5. I have tested most of the functions and they are working fine. If however users find any functions generating errors in VB, please let = me know by e-mail. Regards Leon van Zyl lvz@global.co.za ------=_NextPart_000_000F_01C0DE5D.CC339030 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Attached find CAPI.bas, a VB module for = interfacing=20 with Cryptlib version 3 beta 5.
 
I have tested most of the functions and = they are=20 working fine.
 
If however users find any functions = generating=20 errors in VB, please let me know by e-mail.
 
Regards
 
Leon van Zyl
 
lvz@global.co.za
 
------=_NextPart_000_000F_01C0DE5D.CC339030-- From cryptlib@mbsks.franken.de Wed May 16 23:37:01 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Thu, 17 May 2001 00:37:01 +0200 Subject: [Cryptlib] CAPI.bas interface for Cryptlib In-Reply-To: <001e01c0de4d$2388a660$cb77fea9@ginfotech>; from lvz@global.co.za on Wed, May 16, 2001 at 11:13:20PM +0200 References: <001e01c0de4d$2388a660$cb77fea9@ginfotech> Message-ID: <20010517003701.S9606@mbsks.franken.de> On Wed, May 16, 2001 at 11:13:20PM +0200, lvz@global.co.za wrote: > Attached find CAPI.bas, a VB module for interfacing with Cryptlib version 3 beta 5. I put this at ftp://ftp.franken.de/pub/crypt/cryptlib/contrib/CAPI.bas. From cryptlib@mbsks.franken.de Thu May 17 02:14:56 2001 From: cryptlib@mbsks.franken.de (Christopher Johnson) Date: Wed, 16 May 2001 18:14:56 -0700 (PDT) Subject: [Cryptlib] Storing public/private keys in a file Message-ID: I'm having a hard time understanding the documentation on public/private keys and storing them in a cryptlib keyset file. The docs talk about creating a keyset object and then generating a key with something like: int main() { CRYPT_KEYSET privKeyset; CRYPT_CONTEXT privKeyContext; char *label = "Wally Western"; char *passwd = "heplLoopy"; cryptInit(); cryptAddRandom(NULL, CRYPT_RANDOM_SLOWPOLL); /* Open keyset. */ cryptKeysetOpen(&privKeyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, "privkey.p15", CRYPT_KEYOPT_CREATE); /* Create private key. */ cryptCreateContext(&privKeyContext, CRYPT_UNUSED, CRYPT_ALGO_SOMEALGO); cryptSetAttributeString(privKeyContext, CRYPT_CTXINFO_LABEL, label, strlen(label)); cryptGenerateKey(privKeyContext); /* Add the key. */ cryptAddPrivateKey(privKeyset, privKeyContext, passwd); cryptKeysetClose(privKeyset); /* Clean up. */ cryptDestroyContext(privKeyContext); cryptEnd(); return 0; } Everything appears to work well, except that cryptAddPrivateKey() expects a CRYPT_HANDLE, and the documentation only mentions generating a key for a CRYPT_CONTEXT. I've tried casting it as a CRYPT_HANDLE and it's still not working. What am I missing? (There may be another reason I keep getting NEXUS_ERROR_PARAM2 with the above code, I'd be happy to hear it.) Chris Johnson cjohnson@wcug.wwu.edu A successful [software] tool is one that was used to do something undreamed of by its author. -- S. C. Johnson From cryptlib@mbsks.franken.de Thu May 17 04:26:55 2001 From: cryptlib@mbsks.franken.de (=?ISO-8859-1?Q?=D6=D8=C7=EC=B4=F3=D1=A7=D6=C7=C4=DC=BD=E1=B9=B9=D6=D0=D0=C4?=) Date: Thu, 17 May 2001 11:26:55 +0800 Subject: [Cryptlib] CAPI.bas interface for Cryptlib Message-ID: <0GDG002OIMYBAH@mail.cqu.edu.cn> Dear lvz: I use Delphi,where to download delphi interfacing with= Cryptlib version 3 beta 5? =D4=DA 2001/5/16 =CF=C2=CE=E7 11:13:00 =C4=FA=D0=B4=B5=C0=A3=BA >Attached find CAPI.bas, a VB module for interfacing with= Cryptlib version 3 beta 5. > >I have tested most of the functions and they are working fine. > >If however users find any functions generating errors in VB,= please let me know by e-mail. > >Regards > >Leon van Zyl > >lvz@global.co.za =D6=C2 =C0=F1=A3=A1 =D6=D8=C7=EC=B4=F3=D1=A7=D6=C7=C4=DC=BD=E1=B9=B9=D6=D0=D0=C4 wmchen@cqu.edu.cn From cryptlib@mbsks.franken.de Thu May 17 06:04:47 2001 From: cryptlib@mbsks.franken.de (madhura) Date: Thu, 17 May 2001 10:34:47 +0530 Subject: [Cryptlib] How to convert from PKCS12 to PKCS15 format Message-ID: <006201c0de8e$e620b780$0200a8c0@E2ESYSTEMS> This is a multi-part message in MIME format. ------=_NextPart_000_005F_01C0DEBC.FED406A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I am building an interface between cryptlib v3.0 and Openssl library = functions I have my PKCS12 genarated data from OpenSSL how can i convert it to = PKCS15 format using cryptlib can cnyone help me with this plz thank u madhura ------=_NextPart_000_005F_01C0DEBC.FED406A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
I am building an interface between = cryptlib v3.0=20 and Openssl library functions
I have my PKCS12 genarated data from = OpenSSL how=20 can i convert it to PKCS15 format using cryptlib
 
can cnyone help me with this = plz
 
thank u
madhura
------=_NextPart_000_005F_01C0DEBC.FED406A0-- From cryptlib@mbsks.franken.de Thu May 17 13:16:02 2001 From: cryptlib@mbsks.franken.de (Wolfgang Gothier) Date: Thu, 17 May 2001 14:16:02 +0200 Subject: [Cryptlib] CAPI.bas interface for Cryptlib In-Reply-To: <0GDG002OIMYBAH@mail.cqu.edu.cn> Message-ID: <000001c0decb$23a0c500$0301a8c0@sogot2k> > Dear lvz: > I use Delphi,where to download delphi interfacing with > Cryptlib version 3 beta 5? > Use cryptlib.pas included in cl30beta05.zip, it works! There are only 2 minor changes in cryptlib.h that are not included in cryptlib.pas: CRYPT_DEVINFO_LOGGEDON and CRYPT_DEVINFO_LABEL were defined after I translated cryptlib.h into cryptlib.pas. If you need these two symbols, download the latest cryptlib.pas from http://www.sogot.de/cryptlib Wolfgang Gothier From cryptlib@mbsks.franken.de Thu May 17 13:46:56 2001 From: cryptlib@mbsks.franken.de (Wolfgang Gothier) Date: Thu, 17 May 2001 14:46:56 +0200 Subject: [Cryptlib] Storing public/private keys in a file In-Reply-To: Message-ID: <000001c0decf$74e2efc0$0301a8c0@sogot2k> > I'm having a hard time understanding the documentation on public/private > keys and storing them in a cryptlib keyset file. > Why don't you simply copy the sample code from the dokumentation ? See page 133 "The certification process" > The docs talk about creating a keyset object and then generating a key > with something like: > snip... > If you use CRYPT_ALGO_RSA for CRYPT_ALGO_SOMEALGO, it will work. (You can't create a keyfile for a non PKC key). And remember, to use the keyfile, you have to create a signed certificate that must be stored in the keyfile. Here is a logfile printing from a simple program to generate a sample keyfile (it's a cryptlib call log, NOT C-sourcecode!) cryptInit(); cryptCreateContext(&cryptContext, CRYPT_UNUSED, CRYPT_ALGO_RSA); cryptSetAttributeString(cryptContext, CRYPT_CTXINFO_LABEL, "MyKey", 5); cryptGenerateKey(cryptContext); cryptCreateCert(&certificate, CRYPT_UNUSED, CRYPT_CERTTYPE_CERTIFICATE); cryptSetAttribute(certificate, CRYPT_CERTINFO_XYZZY, 1); cryptSetAttribute(certificate, CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, cryptContext); cryptSetAttributeString(certificate, CRYPT_CERTINFO_COMMONNAME, "Max Mustermann", 14); cryptSetAttributeString(certificate, CRYPT_CERTINFO_RFC822NAME, "MaxMust@gmx.de", 14); cryptSignCert(certificate, cryptContext); cryptKeysetOpen(&keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, "TestKey.p15", CRYPT_KEYOPT_CREATE); cryptAddPrivateKey(keyset, cryptContext, "MyPassword"); cryptAddPublicKey(keyset, certificate); cryptKeysetClose(keyset); cryptDestroyContext(cryptContext); cryptEnd(); Hope this will help you Wolfgang Gothier From cryptlib@mbsks.franken.de Fri May 18 05:37:53 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Fri, 18 May 2001 04:37:53 (NZST) Subject: [Cryptlib] How to convert from PKCS12 to PKCS15 format Message-ID: <99011747327615@kahu.cs.auckland.ac.nz> "madhura" writes: >I am building an interface between cryptlib v3.0 and Openssl library functions >I have my PKCS12 genarated data from OpenSSL how can i convert it to PKCS15 >form at using cryptlib > >can cnyone help me with this plz You'd have to load the key components by setting the CRYPT_PKCINFO_RSA or CRYPT_PKCINFO_DLP values and loading them into a context, then writing them to a private-key keyset. (Just out of interest, why do you need to do this given that it'd be much easier to generate the keys directly in cryptlib?). Peter. From cryptlib@mbsks.franken.de Fri May 18 14:45:12 2001 From: cryptlib@mbsks.franken.de (=?ISO-8859-1?Q?=D6=D8=C7=EC=B4=F3=D1=A7=D6=C7=C4=DC=BD=E1=B9=B9=D6=D0=D0=C4?=) Date: Fri, 18 May 2001 21:45:12 +0800 Subject: [Cryptlib] CAPI.bas interface for Cryptlib Message-ID: <0GDJ007UWA8MND@mail.cqu.edu.cn> Dear lvz: I use Delphi,where to download delphi interfacing with= Cryptlib version 3 beta 5? =D4=DA 2001/5/16 =CF=C2=CE=E7 11:13:00 =C4=FA=D0=B4=B5=C0=A3=BA >Attached find CAPI.bas, a VB module for interfacing with= Cryptlib version 3 beta 5. > >I have tested most of the functions and they are working fine. > >If however users find any functions generating errors in VB,= please let me know by e-mail. > >Regards > >Leon van Zyl > >lvz@global.co.za =D6=C2 =C0=F1=A3=A1 =D6=D8=C7=EC=B4=F3=D1=A7=D6=C7=C4=DC=BD=E1=B9=B9=D6=D0=D0=C4 wmchen@cqu.edu.cn From cryptlib@mbsks.franken.de Sat May 19 17:14:26 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sat, 19 May 2001 18:14:26 +0200 (CEST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters Message-ID: Hello everybody! I'm developing a tool to allow cryptlib to understand OpenSSH private keys files (to develop a SSH client compatible with these keys). I extract information from the file correctly but I don't know CRYPT_PCKINFO_RSA parameters format. If I insert n,e,d,p,q,u,e1 and e2 values as BIGNUM I obtain a SEGFAULT and if I insert them as binary format (instead of doing BN_bin2bn) I get the following result:_ status=cryptSetAttributeString(privContext,\ CRYPT_CTXINFO_KEY_COMPONENTS,\ privKey, sizeof(CRYPT_PKCINFO_RSA)); if(cryptStatusError(status)) { printf("Error %d adding privKey %d: %s\n",\ status, __LINE__, CRYPTLIB_ERRORS[-status%50]); return(FALSE); } RESULT: Error -3 adding privKey 550: CRYPT_ERROR_PARAM3 Any idea?, is there any internal check giving this error? I've tried to look at the library source but I get lost in dispatchcommand, server and kernel messages ... but I think-3 error is related with ACL and original error code before mapping is -1012 I've probed the same code with 1024testRSAKey and it works correcty Setting only d parameter in privKey doesn't help. Another question: OpenSSH uses 3DES to encrypt private part in keys files. They use a passphrase as 3DES key but they initialise IV to NULL, what means that later on des_1_IV=des_2_IV without any other initialization. If you assign a value != NULL and call the function it initialise des_1_IV=passed_valued; I suppose that previous vars correspond to IV for 1st and 2nd 3DES stages but I don't know anything about specific algorithm details so.... I've tried to do the same by invocating : status=cryptSetAttributeString(des3Context,\ CRYPT_CTXINFO_IV,zeroes,8); where zeroes is an array contatinig 8 zeroes but only decrypted first byte is the same that obtained by OpenSSH. Any idea? Thanks in advance Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sat May 19 20:26:52 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Sat, 19 May 2001 21:26:52 +0200 Subject: [Cryptlib] CAPI.bas interface for Cryptlib References: <0GDJ007UWA8MND@mail.cqu.edu.cn> Message-ID: <000901c0e099$ac1f89a0$cb77fea9@ginfotech> Sorry I don't know Delphi at all. Regards lvz@global.co.za ----- Original Message ----- From: "=C3=96=C3=98=C3=87=C3=AC=C2=B4=C3=B3=C3=91=C2=A7=C3=96=C3=87=C3=84= =C3=9C=C2=BD=C3=A1=C2=B9=C2=B9=C3=96=C3=90=C3=90=C3=84" To: Sent: Friday, May 18, 2001 3:45 PM Subject: Re: [Cryptlib] CAPI.bas interface for Cryptlib Dear lvz: I use Delphi,where to download delphi interfacing with Cryptlib versi= on 3 beta 5? =E5=9C=A8 2001/5/16 =E4=B8=8B=E5=8D=88 11:13:00 =E6=82=A8=E5=86=99=E9=81=93= =EF=BC=9A >Attached find CAPI.bas, a VB module for interfacing with Cryptlib versio= n 3 beta 5. > >I have tested most of the functions and they are working fine. > >If however users find any functions generating errors in VB, please let = me know by e-mail. > >Regards > >Leon van Zyl > >lvz@global.co.za =E8=87=B4 =E7=A4=BC=EF=BC=81 =E9=87=8D=E5=BA=86=E5=A4=A7=E5=AD=A6=E6=99=BA=E8=83=BD=E7=BB=93= =E6=9E=84=E4=B8=AD=E5=BF=83 wmchen@cqu.edu.cn _______________________________________________ Cryptlib mailing list Cryptlib@mbsks.franken.de Administration via Mail: cryptlib-request@mbsks.franken.de From cryptlib@mbsks.franken.de Sun May 20 09:48:49 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Sun, 20 May 2001 08:48:49 (NZST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters Message-ID: <99030532903026@kahu.cs.auckland.ac.nz> Liberal Malaina Fidel writes: >I extract information from the file correctly but I don't know >CRYPT_PCKINFO_RSA parameters format. The key component format is documented in "Working with Public/Private Keys" in the manual. >I suppose that previous vars correspond to IV for 1st and 2nd 3DES stages but >I don't know anything about specific algorithm details so.... If it's the same 3DES as the one in the original SSH then it's not normal 3DES, it's a weird nonstandard mode (inner-CBC) which you have to synthesise yourself using three lots of single DES-CBC. Peter. From cryptlib@mbsks.franken.de Sun May 20 11:10:28 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sun, 20 May 2001 12:10:28 +0200 (CEST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: <99030532903026@kahu.cs.auckland.ac.nz> Message-ID: On Sun, 20 May 2001, Peter Gutmann wrote: > Liberal Malaina Fidel writes: > > >I extract information from the file correctly but I don't know > >CRYPT_PCKINFO_RSA parameters format. > > The key component format is documented in "Working with Public/Private Keys" in > the manual. > > >I suppose that previous vars correspond to IV for 1st and 2nd 3DES stages but > >I don't know anything about specific algorithm details so.... > > If it's the same 3DES as the one in the original SSH then it's not normal 3DES, > it's a weird nonstandard mode (inner-CBC) which you have to synthesise yourself > using three lots of single DES-CBC. > > Peter. > > > _______________________________________________ > Cryptlib mailing list > Cryptlib@mbsks.franken.de > Administration via Mail: cryptlib-request@mbsks.franken.de > Hello again, Thanks for your previous comments, I've been able to solve 3DES problems and know my program extracts private components from the encrypted OpenSSH file correctly. But I've still have some problems when loading CRYPT_PKCINFO_RSA structure into the context (-3 error I explained in my previous message). After having read "Loading Multibyte Integers" section in the manual again I don't know exactly how format the parameters. Are n,e,d,q,p,u,e1,e2 "(BIGNUM *)->d" vars, with OpenSSL (SSLeay) bignum format (as in bn/bn.h include file) or the format explained in the manual is what SSLeay calls "bin" format? I'll try to make myself understood: my program: Initialise and allocate space for Bignums, rsa key etc...... Extract n,e,d,q,p,u,e1,e2 correctly --AS BIGNUM * VARS--- and get their lengths in bits. I've compared each component with those extracted by OpenSSH's ssh and they are CORRECT. ------------------------------ TRY 1 -------------------------------------- Assign each component as follows cryptInitComponents(privKey); cryptSetComponent(privKey->n,\ (u_char *)(n->d), nLen); cryptSetComponent(privKey->e,\ (u_char *)(e->d), eLen); .............. status=cryptSetAttributeString(privContext,\ CRYPT_CTXINFO_KEY_COMPONENTS,\ privKey, sizeof(CRYPT_PKCINFO_RSA)); if(cryptStatusError(status)) { printf("Error %d adding privKey line %d: %s\n",\ status, __LINE__, CRYPTLIB_ERRORS[-status%50]); return(FALSE); } I get -3 ERROR (but first parameter checking succeeds ( I think it's related with -1012 error after sending command to be processed) Length of each component: nLen: 1024 eLen: 6 dLen: 1022 qLen: 512 pLen: 512 iqmpLen: 510 (u Length) e1Len: 512 e2Len: 512 Are these length possible for a 1024 bits key? ------------------------------ TRY 2 -------------------------------------- Looking at lib_rsa.c source code file from Cryptlib I find in rsaInitKey function that,to assign parameters from a PKCINFO_RSA structure to CRYPT_PKCINFO it calls BN_bin2bn function with rsaKey's components as argument, so, should I assume that PKCINFO_RSA components' format is what SSLeay calls bin format? Well, as I DID know that my BIGNUM * vars were correct I tried to make the reverse operation over them before asigning to privKey. Modification: u_char *ntemp, *etemp .......; all elements allocate size for them for each component do: BN_bn2bin(component, component_temp_buffer) So I must assume I've got all component buffers in binary format and they're correct, as I extracted them from correct BIGNUM vars. cryptInitComponents(privKey); cryptSetComponent(privKey->n,\ ntemp, nLen); cryptSetComponent(privKey->e,\ etemp, eLen); ............................ But I get the -3 error again....... ----------------------------- TRY 3 --------------------------------------- Extract raw binary data from file into each component.... the same result. Which of these aproacches is correct? Any idea about what I'm doing wrong? Thanks in advance. Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sun May 20 16:25:19 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sun, 20 May 2001 17:25:19 +0200 (CEST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: Message-ID: BTW, could error be related with "e" parameter not being a prime number or p and q swapping? I say that because of the checkPrivateKeyComponents funcion in lib_rsa.c that seemed to check whether "e" is a small prime and return false if it isn't. All OpenSSH keys I've generated had a "e" component == 35 (length 6) is it a broken implementation? Thanks in advance. Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sun May 20 17:54:07 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Sun, 20 May 2001 18:54:07 +0200 Subject: [Cryptlib] -2 error code returned when attempting to sign certificate with CA private key Message-ID: <001e01c0e14d$aacb1060$c686ef9b@ginfotech> This is a multi-part message in MIME format. ------=_NextPart_000_0017_01C0E15E.3F6F5450 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable The moment I try to sign a certificate with the CA private key, Cryptlib = returns an error of -2 (indicating that the second paramater passed to = cryptSignCert is wrong). The code I use follows beneath. I have checked the code but cannot = ascertain why the error is returned. Anyone able to help? Dim cryptCert As Long, cryptCertRequest As Long, cert As String, = certLength As Long Dim certRequest As String, certRequestLength As Long, cryptUser As Long, = caPrivateKey As Long cryptUser =3D CRYPT_UNUSED a =3D cryptCreateContext(caPrivateKey, cryptUser, CRYPT_ALGO_DSA) a =3D cryptSetAttributeString(caPrivateKey, CRYPT_CTXINFO_LABEL, "Leon", = 4) a =3D cryptGenerateKey(caPrivateKey) 'Import the certification request and check its validity Open "certrequest.der" For Binary As #3 certRequest =3D String(LOF(3), 0) Get #3, , certRequest Close #3 certRequestLength =3D Len(certRequest) a =3D cryptImportCert(certRequest, certRequestLength, cryptUser, = cryptCertRequest) a =3D cryptCheckCert(cryptCertRequest, CRYPT_UNUSED) 'Create a certificate and add the information from the certification = request to it a =3D cryptCreateCert(cryptCert, cryptUser, CRYPT_CERTTYPE_CERTIFICATE) a =3D cryptSetAttribute(cryptCert, CRYPT_CERTINFO_CERTREQUEST, = cryptCertRequest) a =3D cryptSetAttribute(cryptCert, CRYPT_CERTINFO_KEYUSAGE, = CRYPT_KEYUSAGE_DIGITALSIGNATURE Or CRYPT_KEYUSAGE_KEYENCIPHERMENT) 'Sign the certificate with the CA's private key and export it a =3D cryptSignCert(cryptCert, caPrivateKey) a =3D cryptExportCert(vbNullString, certLength, = CRYPT_CERTFORMAT_CERTIFICATE, cryptCert) cert =3D String(certLength, 0) a =3D cryptExportCert(cert, certLength, CRYPT_CERTFORMAT_CERTIFICATE, = cryptCert) 'Produce output file Open "cert.der" For Binary As #3 Put #3, , cert Close #3 'Destroy the certificate and certification request a =3D cryptDestroyCert(cryptCert) a =3D cryptDestroyCert(cryptCertRequest) a =3D cryptDestroyContext(caPrivateKey) ------=_NextPart_000_0017_01C0E15E.3F6F5450 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
The moment I try to sign a certificate = with the CA=20 private key, Cryptlib returns an error of -2 (indicating that the second = paramater passed to cryptSignCert is wrong).
 
The code I = use follows beneath. I have=20 checked the code but cannot ascertain why the error is = returned.
 
Anyone able to help?
 
Dim cryptCert As Long, = cryptCertRequest As=20 Long, cert As String, certLength As Long
Dim certRequest As String,=20 certRequestLength As Long, cryptUser As Long, caPrivateKey As=20 Long
 
cryptUser =3D = CRYPT_UNUSED
 
a =3D = cryptCreateContext(caPrivateKey, cryptUser,=20 CRYPT_ALGO_DSA)
a =3D cryptSetAttributeString(caPrivateKey,=20 CRYPT_CTXINFO_LABEL, "Leon", 4)
a =3D=20 cryptGenerateKey(caPrivateKey)
 
'Import the certification request = and check its=20 validity
Open "certrequest.der" For Binary As = #3
   =20 certRequest =3D String(LOF(3), 0)
    Get #3, ,=20 certRequest
Close #3
 
certRequestLength =3D = Len(certRequest)
a =3D=20 cryptImportCert(certRequest, certRequestLength, cryptUser,=20 cryptCertRequest)
a =3D cryptCheckCert(cryptCertRequest,=20 CRYPT_UNUSED)
 
'Create a certificate and add the = information=20 from the certification request to it
a =3D cryptCreateCert(cryptCert, = cryptUser, CRYPT_CERTTYPE_CERTIFICATE)
 
a =3D cryptSetAttribute(cryptCert,=20 CRYPT_CERTINFO_CERTREQUEST, cryptCertRequest)
 
a =3D cryptSetAttribute(cryptCert,=20 CRYPT_CERTINFO_KEYUSAGE, CRYPT_KEYUSAGE_DIGITALSIGNATURE Or=20 CRYPT_KEYUSAGE_KEYENCIPHERMENT)
 
'Sign the certificate with the CA's = private key=20 and export it
a =3D cryptSignCert(cryptCert, caPrivateKey)
a =3D=20 cryptExportCert(vbNullString, certLength, CRYPT_CERTFORMAT_CERTIFICATE,=20 cryptCert)
cert =3D String(certLength, 0)
a =3D = cryptExportCert(cert,=20 certLength, CRYPT_CERTFORMAT_CERTIFICATE, cryptCert)
 
'Produce output file
Open = "cert.der" For=20 Binary As #3
    Put #3, , cert
Close = #3
 
'Destroy the certificate and = certification=20 request
a =3D cryptDestroyCert(cryptCert)
a =3D=20 cryptDestroyCert(cryptCertRequest)
a =3D=20 cryptDestroyContext(caPrivateKey)
------=_NextPart_000_0017_01C0E15E.3F6F5450-- From cryptlib@mbsks.franken.de Sun May 20 20:26:54 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Sun, 20 May 2001 21:26:54 +0200 Subject: [Cryptlib] Re: -2 error code returned when attempting to sign certificate with CA private key Message-ID: <000a01c0e162$d4d99dd0$2985ef9b@ginfotech> This is a multi-part message in MIME format. ------=_NextPart_000_0007_01C0E173.975A2590 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sorry. I found the answer in the Cryptlib manual. lvz@global.co.za ----- Original Message -----=20 From: lvz@global.co.za=20 To: cryptlib@mbsks.franken.de=20 Sent: Sunday, May 20, 2001 6:54 PM Subject: -2 error code returned when attempting to sign certificate = with CA private key The moment I try to sign a certificate with the CA private key, = Cryptlib returns an error of -2 (indicating that the second paramater = passed to cryptSignCert is wrong). The code I use follows beneath. I have checked the code but cannot = ascertain why the error is returned. Anyone able to help? Dim cryptCert As Long, cryptCertRequest As Long, cert As String, = certLength As Long Dim certRequest As String, certRequestLength As Long, cryptUser As = Long, caPrivateKey As Long cryptUser =3D CRYPT_UNUSED a =3D cryptCreateContext(caPrivateKey, cryptUser, CRYPT_ALGO_DSA) a =3D cryptSetAttributeString(caPrivateKey, CRYPT_CTXINFO_LABEL, = "Leon", 4) a =3D cryptGenerateKey(caPrivateKey) 'Import the certification request and check its validity Open "certrequest.der" For Binary As #3 certRequest =3D String(LOF(3), 0) Get #3, , certRequest Close #3 certRequestLength =3D Len(certRequest) a =3D cryptImportCert(certRequest, certRequestLength, cryptUser, = cryptCertRequest) a =3D cryptCheckCert(cryptCertRequest, CRYPT_UNUSED) 'Create a certificate and add the information from the certification = request to it a =3D cryptCreateCert(cryptCert, cryptUser, = CRYPT_CERTTYPE_CERTIFICATE) a =3D cryptSetAttribute(cryptCert, CRYPT_CERTINFO_CERTREQUEST, = cryptCertRequest) a =3D cryptSetAttribute(cryptCert, CRYPT_CERTINFO_KEYUSAGE, = CRYPT_KEYUSAGE_DIGITALSIGNATURE Or CRYPT_KEYUSAGE_KEYENCIPHERMENT) 'Sign the certificate with the CA's private key and export it a =3D cryptSignCert(cryptCert, caPrivateKey) a =3D cryptExportCert(vbNullString, certLength, = CRYPT_CERTFORMAT_CERTIFICATE, cryptCert) cert =3D String(certLength, 0) a =3D cryptExportCert(cert, certLength, CRYPT_CERTFORMAT_CERTIFICATE, = cryptCert) 'Produce output file Open "cert.der" For Binary As #3 Put #3, , cert Close #3 'Destroy the certificate and certification request a =3D cryptDestroyCert(cryptCert) a =3D cryptDestroyCert(cryptCertRequest) a =3D cryptDestroyContext(caPrivateKey) ------=_NextPart_000_0007_01C0E173.975A2590 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Sorry. I found the answer in the = Cryptlib=20 manual.
 
lvz@global.co.za
 
----- Original Message -----
From:=20 lvz@global.co.za=20
Sent: Sunday, May 20, 2001 6:54 = PM
Subject: -2 error code returned = when=20 attempting to sign certificate with CA private key

The moment I try to sign a = certificate with the=20 CA private key, Cryptlib returns an error of -2 (indicating that the = second=20 paramater passed to cryptSignCert is wrong).
 
The code I = use follows beneath. I have=20 checked the code but cannot ascertain why the error is = returned.
 
Anyone able to help?
 
Dim cryptCert As Long, = cryptCertRequest As=20 Long, cert As String, certLength As Long
Dim certRequest As String, = certRequestLength As Long, cryptUser As Long, caPrivateKey As=20 Long
 
cryptUser =3D = CRYPT_UNUSED
 
a =3D = cryptCreateContext(caPrivateKey,=20 cryptUser, CRYPT_ALGO_DSA)
a =3D = cryptSetAttributeString(caPrivateKey,=20 CRYPT_CTXINFO_LABEL, "Leon", 4)
a =3D=20 cryptGenerateKey(caPrivateKey)
 
'Import the certification request = and check=20 its validity
Open "certrequest.der" For Binary As = #3
   =20 certRequest =3D String(LOF(3), 0)
    Get #3, ,=20 certRequest
Close #3
 
certRequestLength =3D = Len(certRequest)
a =3D=20 cryptImportCert(certRequest, certRequestLength, cryptUser,=20 cryptCertRequest)
a =3D cryptCheckCert(cryptCertRequest,=20 CRYPT_UNUSED)
 
'Create a certificate and add the = information=20 from the certification request to it
a =3D = cryptCreateCert(cryptCert,=20 cryptUser, CRYPT_CERTTYPE_CERTIFICATE)
 
a =3D = cryptSetAttribute(cryptCert,=20 CRYPT_CERTINFO_CERTREQUEST, cryptCertRequest)
 
a =3D = cryptSetAttribute(cryptCert,=20 CRYPT_CERTINFO_KEYUSAGE, CRYPT_KEYUSAGE_DIGITALSIGNATURE Or=20 CRYPT_KEYUSAGE_KEYENCIPHERMENT)
 
'Sign the certificate with the = CA's private=20 key and export it
a =3D cryptSignCert(cryptCert, caPrivateKey)
a = =3D=20 cryptExportCert(vbNullString, certLength, = CRYPT_CERTFORMAT_CERTIFICATE,=20 cryptCert)
cert =3D String(certLength, 0)
a =3D = cryptExportCert(cert,=20 certLength, CRYPT_CERTFORMAT_CERTIFICATE, cryptCert)
 
'Produce output file
Open = "cert.der" For=20 Binary As #3
    Put #3, , cert
Close=20 #3
 
'Destroy the certificate and = certification=20 request
a =3D cryptDestroyCert(cryptCert)
a =3D=20 cryptDestroyCert(cryptCertRequest)
a =3D=20 = cryptDestroyContext(caPrivateKey)
------=_NextPart_000_0007_01C0E173.975A2590-- From cryptlib@mbsks.franken.de Sun May 20 19:05:23 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sun, 20 May 2001 20:05:23 +0200 (CEST) Subject: [SOLVED] Re: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: Message-ID: Hello everybody!!!!! After a lot of work I've finally made my program work :-))) The error was that OpenSSH's RSA exponent IS HARDCODED (35) so that all key generations have the same exponent. I've read that if RSA exponent is a prime resulting key is stronger against some kind of attacks, that's why I don't understand why 35 value? Cryplib checks RSA exponent in private keys so that it doesn't accept key loading when its exponent is not one of certain small primes , there's where all my problems came from. By commenting this section of code and recompiling my program works fine, with both encrypted or clear OpenSSH key files :-) Thanks Peter for your help and everybody else for being so patient even after so many questions/answers Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sun May 20 21:29:58 2001 From: cryptlib@mbsks.franken.de (Toth Csaba) Date: Sun, 20 May 2001 22:29:58 +0200 (MET DST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: Message-ID: hi! On Sun, 20 May 2001, Liberal Malaina Fidel wrote: >BTW, could error be related with "e" parameter not being a prime number or >p and q swapping? It's not an error if "e" is not prime. "e" should only be relative prime to fi(m): (e,fi(m))=1, where m is the modulus. p and q swapping shouldn't be an error issue in theory. >All OpenSSH keys I've generated had a "e" component == 35 (length 6) Small e values could brake your security. I think 257 or 32769 would be better (their weight is 2 too, they contain 1 bit only on the MSB and LSB). Bye! -- tocsa ------------------------------------------------------------- | email: s8217tot@hszk.bme.hu, tocsa@inf.bme.hu | | homepage: www.hszk.bme.hu/~s8217tot, www.inf.bme.hu/~tocsa | ------------------------------------------------------------- From cryptlib@mbsks.franken.de Sun May 20 21:33:11 2001 From: cryptlib@mbsks.franken.de (Toth Csaba) Date: Sun, 20 May 2001 22:33:11 +0200 (MET DST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: Message-ID: hi! On Sun, 20 May 2001, Liberal Malaina Fidel wrote: >Are n,e,d,q,p,u,e1,e2 "(BIGNUM *)->d" vars, with OpenSSL (SSLeay) bignum >format (as in bn/bn.h include file) or the format explained in the manual >is what SSLeay calls "bin" format? I don't exactly know these formats, but I suggest you take a look at the libtest.c (or testlib.c?) test code source. There is an RSA key defined somewhere in the header files for testing. Maybe it will helpl you to guess the format. Bye! -- tocsa ------------------------------------------------------------- | email: s8217tot@hszk.bme.hu, tocsa@inf.bme.hu | | homepage: www.hszk.bme.hu/~s8217tot, www.inf.bme.hu/~tocsa | ------------------------------------------------------------- From cryptlib@mbsks.franken.de Mon May 21 20:25:52 2001 From: cryptlib@mbsks.franken.de (Luciano Benetti) Date: Mon, 21 May 2001 20:25:52 +0100 Subject: [Cryptlib] Encrypted enveloping Message-ID: <003901c0e22b$d9d3ee70$08c8a8c0@dummy.net> I have the X.509 certificate to recipient and I encrypted the envelope S/MIME with the public key on certificate AssignFile(Fb,fcertificato_cifra); Reset(Fb); SetLength(bufferb,Filesize(Fb)); i := 0; While not Eof(Fb) do begin Read(Fb,bufferb[i]); Inc(i); end; CloseFile(Fb); status := cryptImportCert(bufferb,i,CRYPT_UNUSED,certificate); Finalize(bufferb); // make envelope status := CryptCreateEnvelope(cryptEnvelope,CRYPT_UNUSED ,CRYPT_FORMAT_SMIME); status := cryptSetAttribute( cryptEnvelope, CRYPT_ENVINFO_PUBLICKEY, certificate ); Cryptlib returns an error of -3 why ? thanks Luciano Benetti From cryptlib@mbsks.franken.de Tue May 22 08:26:30 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Tue, 22 May 2001 07:26:30 (NZST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters Message-ID: <99047319009036@kahu.cs.auckland.ac.nz> Liberal Malaina Fidel writes: >All OpenSSH keys I've generated had a "e" component == 35 (length 6) > >is it a broken implementation? It's not broken, but it's not necessarily very nice either. The reason cryptlib does the checks is to prevent attacks like the Klima-Rosa ones (having e prime is required to make a later check (much) more efficient, in fact there's no requirement that e is prime but it's certainly slightly suspicious if e isn't prime). Given the odd value of e (three 1 bits instead of two for 257 or F4, so it's actually slower than the larger and more secure values) I suspect that value is some sort of implementation mistake (that is, it's both suboptimal and unusual, which means there'd have to be some very good reason for deliberately using it). Peter. From cryptlib@mbsks.franken.de Tue May 22 08:33:22 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Tue, 22 May 2001 07:33:22 (NZST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters Message-ID: <99047360209165@kahu.cs.auckland.ac.nz> Toth Csaba writes: >p and q swapping shouldn't be an error issue in theory. I've found some PKCS #11 modules which fail if you do this. Peter. From cryptlib@mbsks.franken.de Tue May 22 10:47:45 2001 From: cryptlib@mbsks.franken.de (Bodo Moeller) Date: Tue, 22 May 2001 11:47:45 +0200 (CEST) Subject: [Cryptlib] PARAM3 error inserting private - key parameters In-Reply-To: <99047319009036@kahu.cs.auckland.ac.nz> References: <99047319009036@kahu.cs.auckland.ac.nz> Message-ID: Peter Gutmann : > Liberal Malaina Fidel : >> [...] "e" component == 35 (length 6) >> is it a broken implementation? > [...] Given the odd value of e (three 1 bits instead of two for > 257 or F4, so it's actually slower than the larger and more secure values) I > suspect that value is some sort of implementation mistake (that is, it's both > suboptimal and unusual, which means there'd have to be some very good reason > for deliberately using it). PGP (at least 2.x) generates RSA keys by searching, after primes p and q have been selected, for the least odd e that has the requested bitlenght (4 by default) and has no common divisors with p-1 or q-1. Thus, assuming that the default bitlength is used, usually e is 17, but for some proportion of keys it will be 19 or 21 or more. Of course, fixing e = 35 doesn't make too much sense. Note that RSA public key operations using e = 35 should not be slower than for e = 257 because efficiency is influenced not only by the Hamming weight, but also by the length: Eight squarings and one general multiplication are required for e = 257, five squarings and two general multiplications for e = 35. (Squarings are faster than other multiplications, but only around 10 percent.) From cryptlib@mbsks.franken.de Thu May 24 09:20:13 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Thu, 24 May 2001 16:20:13 +0800 (CST) Subject: [Cryptlib] cryptCAAddRequest() Message-ID: CFileDialog filedg(TRUE); CRYPT_CERTIFICATE cryptCertRequest; CRYPT_KEYSET cryptCertStore; int status; if(filedg.DoModal()==IDOK) { CString filename; filename=filedg.GetFileName(); status=importCertFile ( &cryptCertRequest,filename); status=cryptCheckCert(cryptCertRequest, CRYPT_UNUSED); if(cryptStatusOK(status)) { status = cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED, CRYPT_KEYSET_ODBC, "testcertstore", CRYPT_KEYOPT_CREATE_CERTSTORE ); if(status=CRYPT_ERROR_DUPLICATE) { status=cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED, CRYPT_KEYSET_ODBC, "testcertstore", CRYPT_KEYOPT_NONE ); } status=cryptCAAddRequest(cryptCertStore,cryptCertRequest); the status code is -44 if(cryptStatusOK(status)) AfxMessageBox("add certificate request to the certStore succed!"); } } ---------------------------------------------- ¾¢±¬ÏÂÔØ--ˬ¿ì! http://download.21cn.com ÄãµÄÓÊÏäÐèÒªÉý¼¶Â𣿠http://service.21cn.com/feemail/ Ó¢¹úÖ°Òµ½ÌÓýÕ¹¶þ£°£°Ò» http://learning.21cn.com/ad/01.html From cryptlib@mbsks.franken.de Thu May 24 17:09:58 2001 From: cryptlib@mbsks.franken.de (Michael Hackett) Date: Thu, 24 May 2001 13:09:58 -0300 Subject: [Cryptlib] Porting 2.1 DH code to Mac Message-ID: Hi all, I'm involved in a port of a Windows program to Mac OS, one which uses cryptlib 2.1. What I've learned so far is that there appears to have been no real attempt to port cryptlib to the Mac until about a year ago, with v3.0b1. So, although our client really wants us to use v2.1, and will continue to use it in their Windows client and server software, it seems to me that starting with 3.0b5 would be a whole lot less work for us on the Mac client. However, Peter has mentioned that the DH code in 3.0 is based on X9.42 (which he refers to as "brandamaged and broken" :-) ) and will not interoperate with the 2.1 DH code (or so is my interpretation of his comments). Is this true? As we cannot change what the other clients and server use, that would mean moving to the 2.1 code. However, bringing the whole 2.1 library to the Mac looks like a big job, especially for someone not familiar with either the library or cryptography, so I was wondering if I might be able to just bring forward the 2.1 DH module and use it with the rest of the 3.0 code. Do you think this would work, and is there anything else I'd need to change or bring with it? Alternately, if I am going to have to bring the whole 2.1 library to Mac OS, does anyone have any tips on what specifically needs to be created or could be brought back from 3.0 to pull this off? Just as something to get me started. Any help would be greatly appreciated. Thanks! -- Michael Hackett Developer, Pictorius Inc. From cryptlib@mbsks.franken.de Fri May 25 09:08:27 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Fri, 25 May 2001 08:08:27 (NZST) Subject: [Cryptlib] cryptCAAddRequest() Message-ID: <99073490723077@kahu.cs.auckland.ac.nz> zhong_duhang@21cn.com writes: >[large pile of other code deleted] > >status=cryptCAAddRequest(cryptCertStore,cryptCertRequest); > the status code is -44 This is a standard error code (and a quite normal return value for cryptCAAddRequest()), look it up in the manual. Peter. From cryptlib@mbsks.franken.de Fri May 25 01:34:11 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Fri, 25 May 2001 08:34:11 +0800 (CST) Subject: [Cryptlib] cryptCAAddrequest Message-ID: my program is as follows: CFileDialog filedg(TRUE); CRYPT_CERTIFICATE cryptCertRequest,cryptNewCertRequest; CRYPT_KEYSET cryptCertStore; int status; if(filedg.DoModal()==IDOK) { CString filename; filename=filedg.GetFileName(); status=importCertFile(&cryptCertRequest,filename); status=cryptCheckCert(cryptCertRequest, CRYPT_UNUSED); //succeed if(cryptStatusOK(status)) { status = cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED, CRYPT_KEYSET_ODBC, "testcertstore", CRYPT_KEYOPT_CREATE_CERTSTORE ); if(status=CRYPT_ERROR_DUPLICATE) { status=cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED, CRYPT_KEYSET_ODBC, "testcertstore", CRYPT_KEYOPT_NONE ); }//succeed status=cryptCAAddRequest(cryptCertStore,cryptCertRequest); wrong! the status code is -44,why?? if(cryptStatusOK(status)) AfxMessageBox("add certificate request to the certStore succed!"); } } ---------------------------------------------- ¾¢±¬ÏÂÔØ--ˬ¿ì! http://download.21cn.com ÄãµÄÓÊÏäÐèÒªÉý¼¶Â𣿠http://service.21cn.com/feemail/ Ó¢¹úÖ°Òµ½ÌÓýÕ¹¶þ£°£°Ò» http://learning.21cn.com/ad/01.html From cryptlib@mbsks.franken.de Fri May 25 06:55:58 2001 From: cryptlib@mbsks.franken.de (cryptlib@mbsks.franken.de) Date: Fri, 25 May 2001 13:55:58 +0800 (CST) Subject: [Cryptlib] certID Message-ID: Hi ,everyone! I want to get the certID from the cert request (pkcs#10)object,how should i do? ---------------------------------------------- ¾¢±¬ÏÂÔØ--ˬ¿ì! http://download.21cn.com ÄãµÄÓÊÏäÐèÒªÉý¼¶Â𣿠http://service.21cn.com/feemail/ Ó¢¹úÖ°Òµ½ÌÓýÕ¹¶þ£°£°Ò» http://learning.21cn.com/ad/01.html From cryptlib@mbsks.franken.de Thu May 24 19:42:25 2001 From: cryptlib@mbsks.franken.de (Gila Sheftel) Date: Thu, 24 May 2001 14:42:25 -0400 Subject: [Cryptlib] New User, Errors with "make" Message-ID: <3B0D5611.EBAEABF3@gemplus.com> Hi, I am exceedingly new to this list and to cryptlib so please pardon my ignorance. I have just downloaded the Beta 5 source code and unzipped it, but can't seem to find any installation instructions or readme files, so I tried the obvious -- doing a "make" since there is a makefile but not configure file. make Linux returns a whole slew of errors, does anyone know what they mean? Perhaps I have a conflict with my SC reader (GCR410), my version of PCSC (PCSC-lite 0.9.1), my OpenSSL distribution (openssl-engine-0.9.6.a and openssl-0.9.6) or my OS kernel? (Redhat Linux 7, 2.4.2 kernel) Here are the make messages, I hope somebody recognizes them...: [root@monstre cryptlib]# make Linux make[1]: Entering directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' make[2]: Leaving directory `/usr/local/src/cryptlib' make[2]: Entering directory `/usr/local/src/cryptlib' hash/rmd160cp.S:1971:1: warning: no newline at end of file {standard input}: Assembler messages: {standard input}:1974: Error: Rest of line ignored. First ignored character valued 0x1a. make[2]: *** [asm_ripemd] Error 1 make[2]: Leaving directory `/usr/local/src/cryptlib' make[1]: *** [asm_targets] Error 2 make[1]: Leaving directory `/usr/local/src/cryptlib' make[1]: Entering directory `/usr/local/src/cryptlib' cc -c -D__UNIX__ -DNDEBUG -I. -fomit-frame-pointer -O3 -DASM_X86 bn/bn_add.c -o ./static-obj/bn_add.o In file included from bn/bn_lcl.h:65, from bn/bn_add.c:67: bn/bn.h:421:1: warning: no newline at end of file In file included from bn/bn_add.c:67: bn/bn_lcl.h:197:1: warning: no newline at end of file In file included from bn/bn_lcl.h:66, from bn/bn_add.c:68: bn/bn.h:421: parse error before character 032 bn/bn_add.c:75: parse error before `{' bn/bn_add.c:84: parse error before `if' bn/bn_add.c:88: conflicting types for `a' bn/bn_add.c:73: previous declaration of `a' bn/bn_add.c:88: warning: initialization makes integer from pointer without a cast bn/bn_add.c:88: initializer element is not constant bn/bn_add.c:88: warning: data definition has no type or storage class bn/bn_add.c:88: conflicting types for `b' bn/bn_add.c:74: previous declaration of `b' bn/bn_add.c:88: warning: initialization makes integer from pointer without a cast bn/bn_add.c:88: initializer element is not constant bn/bn_add.c:88: warning: data definition has no type or storage class bn/bn_add.c:88: parse error before `}' bn/bn_add.c:95: warning: parameter names (without types) in function declarationbn/bn_add.c:95: conflicting types for `bn_qsub' bn/bn.h:305: previous declaration of `bn_qsub' bn/bn_add.c:95: warning: data definition has no type or storage class bn/bn_add.c:96: parse error before `->' bn/bn_add.c:101: warning: parameter names (without types) in function declaration bn/bn_add.c:101: warning: data definition has no type or storage class bn/bn_add.c:102: parse error before `->' bn/bn_add.c:112: invalid type argument of `->' bn/bn_add.c:112: invalid type argument of `->' bn/bn_add.c:112: warning: data definition has no type or storage class bn/bn_add.c:114: parse error before `if' bn/bn_add.c:117: warning: parameter names (without types) in function declaration bn/bn_add.c:117: conflicting types for `bn_qadd' bn/bn.h:306: previous declaration of `bn_qadd' bn/bn_add.c:117: warning: data definition has no type or storage class bn/bn_add.c:118: parse error before `}' bn/bn_add.c:122: warning: parameter names (without types) in function declaration bn/bn_add.c:122: warning: data definition has no type or storage class bn/bn_add.c:123: parse error before `}' bn/bn_add.c:129: conflicting types for `bn_qadd' bn/bn_add.c:122: previous declaration of `bn_qadd' make[1]: *** [static-obj/bn_add.o] Error 1 make[1]: Leaving directory `/usr/local/src/cryptlib' make: *** [Linux] Error 2 I would sincerely appreciate any help! Thank you! --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-- Gila Monstre gila.sheftel@gemplus.com Fearless Geek (514)732-2459 Advanced Projects Group Gemplus Software The only reason some people get lost in thought is because it's unfamiliar territory. -- Paul Fix From cryptlib@mbsks.franken.de Fri May 25 11:03:51 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Fri, 25 May 2001 12:03:51 +0200 (CEST) Subject: [Cryptlib] 2 questions: sockets and getting key parameters Message-ID: Hello everybody! A while ago I made a question about blocking alternatives to cryptPushData and cryptPopData. Somebody told me about the possibility of using "select" with sessions' sockets. But is there indeed any method to externally access this info (socket number)? I suppose it's stored in "SESSION_INFO_object".stream.netSocket but how can I access this "SESSION_INFO_object" if CRYPT_SESSION is just a handle, it is not a structure? Another question: I need to extract components from public keys ("n" component to process SSH RSA auth) but if I try to use cryptGetAttributeString(pubContext, CRYPT_CTXINFO_COMPONENTS, pubKey, &length), where pubkey=(CRYPT_PKCINFO_RSA *), I get a "-21" error (WRONG_KEY) This error code has to do with access control, because it's generated when cryptlib checks ACL restrictions (code "says" something about trying to access visible internal parameters externally?) Thanks in advance. Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Fri May 25 12:28:44 2001 From: cryptlib@mbsks.franken.de (Matthias Bruestle) Date: Fri, 25 May 2001 13:28:44 +0200 Subject: [Cryptlib] New User, Errors with "make" In-Reply-To: <3B0D5611.EBAEABF3@gemplus.com>; from Gila.SHEFTEL@gemplus.com on Thu, May 24, 2001 at 02:42:25PM -0400 References: <3B0D5611.EBAEABF3@gemplus.com> Message-ID: <20010525132844.K5748@mbsks.franken.de> Mahlzeit On Thu, May 24, 2001 at 02:42:25PM -0400, Gila Sheftel wrote: > I have just downloaded the Beta 5 source code and unzipped it, but can't > seem to find any installation instructions or readme files, so I tried > the obvious -- doing a "make" since there is a makefile but not > configure file. > > make Linux returns a whole slew of errors, does anyone know what they > mean? How did you unzip it? With "unzip -a -L"? Or with plain unzip? Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Fri May 25 16:40:07 2001 From: cryptlib@mbsks.franken.de (Gila Sheftel) Date: Fri, 25 May 2001 11:40:07 -0400 Subject: [Cryptlib] New User, Errors with "make" References: <3B0D5611.EBAEABF3@gemplus.com> <20010525132844.K5748@mbsks.franken.de> Message-ID: <3B0E7CD7.135672F6@gemplus.com> Matthias Bruestle wrote: > Mahlzeit Mahlzeit? Meal? I'm not sure I understand. > How did you unzip it? With "unzip -a -L"? Or with plain unzip? Oh dear. Thank you very much, I feel very silly now. Not accustomed to using unzip... Sorry for the stupid question! --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-- Gila Monstre gila.sheftel@gemplus.com Fearless Geek (514)732-2459 Advanced Projects Group Gemplus Software Can anything be sadder than work left unfinished? Yes, work never begun. From cryptlib@mbsks.franken.de Sat May 26 15:26:14 2001 From: cryptlib@mbsks.franken.de (Peter Gutmann) Date: Sat, 26 May 2001 14:26:14 (NZST) Subject: [Cryptlib] 2 questions: sockets and getting key parameters Message-ID: <99084397426857@kahu.cs.auckland.ac.nz> Liberal Malaina Fidel writes: >A while ago I made a question about blocking alternatives to cryptPushData and >cryptPopData. Somebody told me about the possibility of using "select" with >sessions' sockets. > >But is there indeed any method to externally access this info (socket number)? There's no way you can get to it. I was going to look at it a bit more, but since no-one commented on it I figured there wasn't much interest in it so I went back to fiddling with certificate management. >I need to extract components from public keys ("n" component to process SSH >RSA auth) but if I try to use cryptGetAttributeString(pubContext, >CRYPT_CTXINFO_COMPONENTS, pubKey, &length), where pubkey=(CRYPT_PKCINFO_RSA >*), I get a "-21" error (WRONG_KEY) Actually it's CRYPT_ERROR_PERMISSION, (ie you can't do that). >This error code has to do with access control, because it's generated when >cryptlib checks ACL restrictions (code "says" something about trying to access >visible internal parameters externally?) You can't get at the components because they're not present in any useful form. In fact even if you disable the ACL check, nothing will happen because there's no code present to read a key out (except when it's encoded in some standard form like a certificate). It would be much easier to make the modifications you need to cryptlib's ssh implementation rather than trying to do all this yourself, you've got everything you need already in there. Peter. From cryptlib@mbsks.franken.de Sun May 27 11:45:03 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sun, 27 May 2001 12:45:03 +0200 (CEST) Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: <99084397426857@kahu.cs.auckland.ac.nz> Message-ID: On Sat, 26 May 2001, Peter Gutmann wrote: > Liberal Malaina Fidel writes: > > >A while ago I made a question about blocking alternatives to cryptPushData and > >cryptPopData. Somebody told me about the possibility of using "select" with > >sessions' sockets. > > > >But is there indeed any method to externally access this info (socket number)? > > There's no way you can get to it. I was going to look at it a bit more, but > since no-one commented on it I figured there wasn't much interest in it so I > went back to fiddling with certificate management. Well, I suppose I should have insisted on it a bit more, because my ssh-client eats nearly 100% cpu time :-))). I know I can add some delays to improve this but I made it with test-purposes only, so it doesn't matter too much. I am quite interested on blocking alternatives to high level cryptPop and cryptPush and I suppose anyone who wants to use cryptlib to develop network applications with many data packets should be too, but when I mentioned it a month ago Peter asked about which alternative would be better, pure blocking, timed blocking..... I'm not a "programming master", that's not my job (probably because I'm when a student, so no jobs..), so I have not enough programming experience as to answer him in a "reasonable" way..... I'll be happy if I could access sockets in some way (enough to call a "simple" select on them), something that I suppose won't need too much additional code. > You can't get at the components because they're not present in any useful form. > In fact even if you disable the ACL check, nothing will happen because there's > no code present to read a key out (except when it's encoded in some standard > form like a certificate). > > It would be much easier to make the modifications you need to cryptlib's ssh > implementation rather than trying to do all this yourself, you've got > everything you need already in there. > > Peter. > > About the other topic, related to ssh implementation, in cryptlib 3beta5 I don't see ssh 1.5 RSA authentication anywhere... so, what do you mean when you say I've got everything I need already in there? BTW actually I was adding RSA authentication to Cryptlib's ssh code (session/ssh.c) and now IT WORKS. I included necessary code into ssh.c file and a couple of additional functions in another two files, to manage reading OpenSSH keys files (because that is the server implementation I tested my code with). I don't know if somebody would be interested on it, should I post it to the group or anywhere else? Firs of all I must admit my programming style is "quite heteredox", and somebody would think that I don't know programming at all (they wouldn't be too wrong :-)) but maybe my code would help Peter to add RSA authentication support in a portable and "standard" way. I thought about using SESSION_INFO's cryptKeyset or privateKey (unused in SSH) to store crypto data to RSA authentication but as I mentioned in my previous message, I had a problem when trying to extract "n" element from a context or keyset. If there were any way to do this I think implementation would be much easier, perhaps adding a FLAG to indicate cryptlib to try to use RSA auth...., by now I use #ifdefs to change traditional login-password scheme into RSA auth (and therefore forcing it... now you understand what "heterodox style" means ), and I read keys directly from OpenSSH files (so not quite portable) into ssh.c vars. Well, Peter and others, any comments will be appreciated... Fidel Liberal Malaina ETSI Bilbao Spain From cryptlib@mbsks.franken.de Sun May 27 13:54:53 2001 From: cryptlib@mbsks.franken.de (Matthias Bruestle) Date: Sun, 27 May 2001 14:54:53 +0200 Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: ; from jtalimaf@aintel.bi.ehu.es on Sun, May 27, 2001 at 12:45:03PM +0200 References: <99084397426857@kahu.cs.auckland.ac.nz> Message-ID: <20010527145453.O5748@mbsks.franken.de> Mahlzeit On Sun, May 27, 2001 at 12:45:03PM +0200, Liberal Malaina Fidel wrote: > BTW actually I was adding RSA authentication to Cryptlib's ssh code > (session/ssh.c) and now IT WORKS. I included necessary code into ssh.c > file and a couple of additional functions in another two files, to manage > reading OpenSSH keys files (because that is the server implementation I > tested my code with). > > I don't know if somebody would be interested on it, should I post it to > the group or anywhere else? You can upload it to ftp://ftp.franken.de/pub/crypt/incoming/. Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Sun May 27 17:40:31 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Sun, 27 May 2001 18:40:31 +0200 (CEST) Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: <20010527145453.O5748@mbsks.franken.de> Message-ID: On Sun, 27 May 2001, Matthias Bruestle wrote: > Mahlzeit > > > On Sun, May 27, 2001 at 12:45:03PM +0200, Liberal Malaina Fidel wrote: > > BTW actually I was adding RSA authentication to Cryptlib's ssh code > > (session/ssh.c) and now IT WORKS. I included necessary code into ssh.c > > file and a couple of additional functions in another two files, to manage > > reading OpenSSH keys files (because that is the server implementation I > > tested my code with). > > > > I don't know if somebody would be interested on it, should I post it to > > the group or anywhere else? > > You can upload it to ftp://ftp.franken.de/pub/crypt/incoming/. > Well, before doing so I'll wait for Peter's answer about rewriting it in a more portable way and integrating into cryptlib, so that it doesn't look too shameful :-))) Besides full project consists of making RSA authentication with Dallas Semiconductor's java crypto iButton, so it isn't finished yet. BTW has someone any experience about using ibutton PKCS11 driver with cryptlib or is there any related document? Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Sun May 27 17:54:49 2001 From: cryptlib@mbsks.franken.de (Matthias Bruestle) Date: Sun, 27 May 2001 18:54:49 +0200 Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: ; from jtalimaf@aintel.bi.ehu.es on Sun, May 27, 2001 at 06:40:31PM +0200 References: <20010527145453.O5748@mbsks.franken.de> Message-ID: <20010527185449.C22406@mbsks.franken.de> Mahlzeit On Sun, May 27, 2001 at 06:40:31PM +0200, Liberal Malaina Fidel wrote: > BTW has someone any experience about using ibutton PKCS11 driver with > cryptlib or is there any related document? 0.94 did not work. It had to many bugs. I have no experiance with 0.95. Maybe this is better. Mahlzeit endergone Zwiebeltuete From cryptlib@mbsks.franken.de Sun May 27 18:28:09 2001 From: cryptlib@mbsks.franken.de (Geoff Thorpe) Date: Sun, 27 May 2001 10:28:09 -0700 (PDT) Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: Message-ID: Hi there, On Sun, 27 May 2001, Liberal Malaina Fidel wrote: > On Sat, 26 May 2001, Peter Gutmann wrote: > > > Liberal Malaina Fidel writes: > > > > >A while ago I made a question about blocking alternatives to cryptPushData and > > >cryptPopData. Somebody told me about the possibility of using "select" with > > >sessions' sockets. > > > > > >But is there indeed any method to externally access this info (socket number)? > > > > There's no way you can get to it. I was going to look at it a bit more, but > > since no-one commented on it I figured there wasn't much interest in it so I > > went back to fiddling with certificate management. :-) I mentioned one or two things about it, but I think my thoughts were a little outside the scope (and off the track) of what Peter wanted in the cryptlib API, at least in terms of its standard behaviour. > Well, I suppose I should have insisted on it a bit more, because my > ssh-client eats nearly 100% cpu time :-))). I know I can add some delays > to improve this but I made it with test-purposes only, so it doesn't > matter too much. Yeah, using delays, idle-time processing, etc. It's all seriously evil. > I am quite interested on blocking alternatives to high level cryptPop > and cryptPush and I suppose anyone who wants to use cryptlib to develop > network applications with many data packets should be too, but when I > mentioned it a month ago Peter asked about which alternative would be better, > pure blocking, timed blocking..... I'm not a "programming master", that's > not my job (probably because I'm when a student, so no jobs..), so I have > not enough programming experience as to answer him in a "reasonable" > way..... > > > I'll be happy if I could access sockets in some way (enough to call a > "simple" select on them), something that I suppose won't need too much > additional code. I think maybe the easiest way to keep the API much as it is now, but also support those who want to be able to take control of the I/O, would be for the Cryptlib API to support an I/O override on the ssh/ssl/tls/whatever contexts. Eg. cryptSessionGetIO(CRYPT_SESSION sess, CRYPT_SESSION *streamIO); or something like that. Ie. after calling this, Cryptlib doesn't do any TCP/IP work - it simply assumes you (using 'streamIO') would provide all encrypted traffic to cryptlib via "push"es and would deliver all encrypted traffic from cryptlib via "pop"s. On *nix, this would make it way easier for example to write an ssh shell - you could select on stdin/stdout for push/pop of the plaintext side of the session as per-usual, and could select on sockets (or whatever it is you're communicating with/through) for passing encrypted stream-traffic to/from the otherside of the cryptlib "session". This would provide a deterministic way to genuinely "block" (without using CPU) when there's no activity, but to be able to awake on any event that could progress the session state. Unlike delays, idle-time processing - it would result in lower latency when I/O events take place, and no CPU time is taken up repeatedly retrying operations in the mean time. Cheers, Geoff From cryptlib@mbsks.franken.de Mon May 28 10:19:01 2001 From: cryptlib@mbsks.franken.de (Luciano Benetti) Date: Mon, 28 May 2001 10:19:01 +0100 Subject: [Cryptlib] Keyset and X.509 Message-ID: <006c01c0e757$3c5aab80$08c8a8c0@dummy.net> This is a multi-part message in MIME format. ------=_NextPart_000_0069_01C0E75F.9D758D10 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I have to cipher an envelope s/mime with the public key of the = recipient. I have the recipient certificate and I have to recover his private key. What can I do to associate to a keyset the public key contained in a = X-509 certificate?=20 Luciano. ------=_NextPart_000_0069_01C0E75F.9D758D10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
I have to cipher an envelope s/mime with the = public key of=20 the recipient.
I have the recipient certificate and I have to = recover his=20 private key.
What can I do to associate to a keyset the = public key=20 contained in a X-509 certificate?
 
Luciano.
------=_NextPart_000_0069_01C0E75F.9D758D10-- From cryptlib@mbsks.franken.de Mon May 28 16:54:35 2001 From: cryptlib@mbsks.franken.de (Liberal Malaina Fidel) Date: Mon, 28 May 2001 17:54:35 +0200 (CEST) Subject: [Cryptlib] 2 questions: sockets and getting key parameters In-Reply-To: Message-ID: On Sun, 27 May 2001, Geoff Thorpe wrote: > Hi there, > > > I think maybe the easiest way to keep the API much as it is now, but also > support those who want to be able to take control of the I/O, would be for the > Cryptlib API to support an I/O override on the ssh/ssl/tls/whatever contexts. > Eg. cryptSessionGetIO(CRYPT_SESSION sess, CRYPT_SESSION *streamIO); or something > like that. Ie. after calling this, Cryptlib doesn't do any TCP/IP work - it > simply assumes you (using 'streamIO') would provide all encrypted traffic to > cryptlib via "push"es and would deliver all encrypted traffic from cryptlib via > "pop"s. On *nix, this would make it way easier for example to write an ssh shell > - you could select on stdin/stdout for push/pop of the plaintext side of the > session as per-usual, and could select on sockets (or whatever it is you're > communicating with/through) for passing encrypted stream-traffic to/from the > otherside of the cryptlib "session". This would provide a deterministic way to > genuinely "block" (without using CPU) when there's no activity, but to be able > to awake on any event that could progress the session state. Unlike delays, > idle-time processing - it would result in lower latency when I/O events take > place, and no CPU time is taken up repeatedly retrying operations in the mean > time. > > Cheers, > Geoff > Well, I think I've found the way to do somethink like this. In fact, there EXISTS a function to do so (it's a macro), so that I think Peter will find it easy to include a similar function to cryptlib's api. In cryptses.c sessionMessageFunction.....: ------------------------------------------------------------ SESSION_INFO *sessionInfoPtr; getCheckInternalResource( cryptSession, sessionInfoPtr, OBJECT_TYPE_SESSION ); ------------------------------------------------------------ By using this macro it could be possible to access SESSION_INFO structure and block readings from network I've done this in quite a tricky way but it works (when you're using only one session, so it's only a temporal patch...) I've added extern int globalSocket; to cryptses.c and globalSocket=sessionInfoPtr->stream.netSocket; to cryptses.c sessionMessageFunction Then in my ssh_client : int globalSocket; And in listening function: while(1) { while(read_bytes<=0) cryptPopData(cryptSession, buffer,2500,&read_bytes); buffer[read_bytes]='\0'; read_bytes=0; printf("%s",buffer); fflush(stdout); if(globalSocket >0) { FD_ZERO(&rfds); FD_SET(globalSocket,&rfds); select(globalSocket+1,&rfds ,NULL ,NULL ,NULL); } } Fidel Liberal Malaina ETSI Bilbao (Spain) From cryptlib@mbsks.franken.de Wed May 30 16:46:38 2001 From: cryptlib@mbsks.franken.de (Sunil Iyengar) Date: Wed, 30 May 2001 16:46:38 +0100 Subject: [Cryptlib] ssl connection Message-ID: <3B1515DE.CD0A8B15@eim.surrey.ac.uk> Hi Everyone, I would like to connect to a ssl server but i get error -40 (error not open) , could someone please help me with what is required in order to connect to an ssl server. Thanks Sunny -- *********************************************************** Sunil Iyengar, Research Fellow, Networks Group, Centre For Communication And Systems Research(CCSR), School of Electronics, Computing & Mathematics, University Of Surrey, Guildford GU2 7XH, Surrey, England, United Kingdom. Office: +44 (0)1483 876008 http://www.ee.surrey.ac.uk/Personal/S.Iyengar *********************************************************** From cryptlib@mbsks.franken.de Wed May 30 17:53:00 2001 From: cryptlib@mbsks.franken.de (Matthias Bruestle) Date: Wed, 30 May 2001 18:53:00 +0200 Subject: [Cryptlib] ssl connection In-Reply-To: <3B1515DE.CD0A8B15@eim.surrey.ac.uk>; from s.iyengar@eim.surrey.ac.uk on Wed, May 30, 2001 at 04:46:38PM +0100 References: <3B1515DE.CD0A8B15@eim.surrey.ac.uk> Message-ID: <20010530185300.C16102@mbsks.franken.de> Mahlzeit On Wed, May 30, 2001 at 04:46:38PM +0100, Sunil Iyengar wrote: > I would like to connect to a ssl server but i get error -40 (error not > open) , could someone please help me with what is required in order to > connect to an ssl server. This is currently in the process of being fixed. I hope it works until the end of the week or the begining of the next. Mahlzeit endergone Zwiebeltuete