Nicola,

Brilliant - that sorted it. I have produced a public key this way and successfully compared it with the public key in the original key pair.

You may want to update the wiki page to add that step into the sample code.

Regards

John

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of openssl-users-request@xxxxxxxxxxx
Sent: 08 October 2018 08:36
To: openssl-users@xxxxxxxxxxx
Subject: openssl-users Digest, Vol 47, Issue 8

Today's Topics:

   1. Re: Wiki misleading Enc (Richard Levitte)
   2. Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 (aakash.kumar@xxxxxxxxxx)
   3. Re: Incompatible Object error from EC_POINT_mul (Nicola)

----------------------------------------------------------------------

Message: 1
Date: Mon, 08 Oct 2018 07:03:34 +0200 (CEST)
From: Richard Levitte <levitte@xxxxxxxxxxx>
To: paul@xxxxxx
Cc: openssl-users@xxxxxxxxxxx
Subject: Re: Wiki misleading Enc

Fixed. Thanks.

In message <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0@xxxxxx> on Sat, 6 Oct 2018 22:48:01 +0200, Paul Zillmann <paul@xxxxxx> said:

> Hello,
>
> the wiki page [1] is wrong about the pass parameter.
> According to [2] the parameter for a keyfile is -pass file:path and
> not -pass pass:path
>
> - Paul
>
> 1: https://wiki.openssl.org/index.php/Enc
> 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html
>

------------------------------

Message: 2
Date: Mon, 8 Oct 2018 05:50:40 +0000
From: <aakash.kumar@xxxxxxxxxx>
To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Cc: "osf-contact@xxxxxxxxxxx" <osf-contact@xxxxxxxxxxx>
Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5

Hi Team,

Please find below error in text format.

[root@g3r1 ~]# systemctl status bind -l
● bind.service - LSB: DNS Daemon
   Loaded: loaded (/etc/rc.d/init.d/bind)
   Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS)
  Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS)

Oct 05 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library)
Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data]
Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon.

[root@g3r1 ~]# tail /var/log/message
Oct 5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon...
Oct 5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found
Oct 5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 <id:b2bf278>
Oct 5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016
Oct 5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom'
Oct 5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf
Oct 5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
Oct 5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018
Oct 5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018
Oct 5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7
Oct 5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7
Oct 5 13:31:09 g3r1 named[32429]: threads support is enabled
Oct 5 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct 5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium,
Oct 5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Oct 5 13:31:09 g3r1 named[32429]: corporation. Support and training for BIND 9 are
Oct 5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support
Oct 5 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct 5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct 5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 5 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Thanks & Regards,
Aakash kumar

-----Original Message-----
From: Viktor Dukhovni [mailto:openssl-users@xxxxxxxxxxxx]
Sent: 05 October 2018 21:23
To: KUMAR Aakash IMT/OINIS
Cc: osf-contact@xxxxxxxxxxx; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen IMT/OINIS
Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5

Please try to send the text of error reports, not pictures.

> I am getting below error while starting the bind service.
>
> <image002.png>

If you ask on the openssl-users list, someone else may have seen the same issue, and may have useful advice to share.

NOTE!!!: I've set the Reply-To: address to <openssl-users@xxxxxxxxxxx>. If you just hit "Reply", your answer may go to the list, though you'd need to join the list first to be able to post...

Does the error still happen when you disable "chroot" in BIND? Perhaps BIND is doing late initialization of the PRNG after entering the chroot jail, and maybe trying to use "/dev/urandom", which may not be in the jail? That's a wild guess. You'd need to trace system calls to see what it is actually doing...

--
Viktor.

------------------------------

Message: 3
Date: Mon, 8 Oct 2018 10:35:33 +0300
From: Nicola <nic.tuv@xxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: Incompatible Object error from EC_POINT_mul

Hi,

I did not run this in the debugger, but one issue is that you are not initializing `pub` before calling EC_POINT_mul: try adding

    pub = EC_POINT_new(curve);

(and check for errors making sure pub is not null afterwards).

Hope this helps!

Best regards,

Nicola

On Mon, Oct 8, 2018, 00:31 John Hughes <john.hughes@xxxxxxxxxxx> wrote:

> I'm trying to generate a public key from a private key generated on a
> HSM (and obtained by calling PKCS#11). Everything works fine until I
> call EC_POINT_mul - at which point I get the error message:
>
> error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible objects
>
> I have checked the BIGNUM conversion - and that seems to be fine. The
> key pair on the HSM is also generated using brainpoolP256r1.
>
> The basis of the code can be found at the end of the email. I'm
> basically trying to follow the example provided in:
> https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography.
>
> I'm using openssl 1.10h
>
> Any pointers or help would be appreciated.
>
> John
>
> ---------------------------------------------------------------
>
> BN_CTX *ctx;
> ctx = BN_CTX_new();
> if(!ctx) {
>     outputInfo("unable to create openssl BN_CTX");
>     return;
> }
>
> EC_GROUP *curve;
>
> outputInfo("about to create EC_GROUP_new_by_curve_name");
> if(NULL == (curve = EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) {
>     outputERRORmess("unable to setup curve");
> }
>
> outputInfo("about to create EC_KEY_new_by_curve_name");
> EC_KEY *key;
> if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1))) {
>     outputERRORmess("unable to setup EC_KEY");
> }
>
> // now get the private key contained in CKA_VALUE via PKCS#11 and place in *attrPrivate.pValue
>
> .......... (handle error)
>
> EC_POINT *pub;
>
> BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue, attrPrivate.ulValueLen, NULL);
> if (prv == NULL) {
>     ...... (handle error)
> }
>
> if (1 != EC_KEY_set_private_key(key, prv)) {
>     ........ (handle error)
> }
>
> if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) {
>     outputInfo("unable to calculate the public key from the HSM's private key using EC_POINT_mul");
>     (handle error)
> }