How to set the option -dateopt for the openssl properly?
An example of a self signed certificate generation:
openssl req \
-x509 \
-days 10 \
-nodes \
-newkey rsa:2048 \
-keyout "$PWD/self.key" \
-out "$PWD/self.crt" \
-subj "/C=US/ST=STATE/L=CITY/O=ORG_NAME/OU=OU_NAME/CN=CN_OR_FQDN_OR_SERVER_NAME"
gives me two files in the current directory:
self.key
self.crt
To check the end date of the self.crt I run:
openssl x509 -enddate -noout -in "$PWD/self.crt"
that returns the proper result:
notAfter=Oct 4 16:05:59 2022 GMT
but if I use the -dateopt switch, documented as:
-dateopt. Specify the date output format. Values are: rfc_822 and iso_8601. Defaults to rfc_822.
this way:
openssl x509 -enddate -dateopt iso_8601 -noout -in "$PWD/self.crt"
I get the error (ec=1):
Invalid date format: iso_8601
Perhaps the reason is somewhere around these lines here:
case OPT_DATEOPT:
if (!set_dateopt(&dateopt, opt_arg())) {
BIO_printf(bio_err,
"Invalid date format: %s\n", opt_arg());
goto err;
}
break;
or here:
int set_dateopt(unsigned long *dateopt, const char *arg)
{
if (strcasecmp(arg, "rfc_822") == 0)
*dateopt = ASN1_DTFLGS_RFC822;
else if (strcasecmp(arg, "iso_8601") == 0)
*dateopt = ASN1_DTFLGS_ISO8601;
return 0;
}
or maybe it is related to the issue:
-dateopt option only affects x509 -dates option output
I would like to ask how to set the -dateopt properly in order to get the -enddate in the ISO 8601 date format?
I tried: iso_8601, ISO_8601, "iso 8601", ISO 8601, iso8601, ISO8601, iso8601 but none of them worked.
My:
openssl version
is: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
The relevant function was broken in openssl 3.0.3 and lower since the function set_dateopt (which you quote) always returned 0:
int set_dateopt(unsigned long *dateopt, const char *arg)
{
if (OPENSSL_strcasecmp(arg, "rfc_822") == 0)
*dateopt = ASN1_DTFLGS_RFC822;
else if (OPENSSL_strcasecmp(arg, "iso_8601") == 0)
*dateopt = ASN1_DTFLGS_ISO8601;
return 0;
}
This seems to be fixed in openssl 3.0.4. See issue #18553 for bug report and issue #18554 for fix.
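Until a build with the fix is available, the default rfc_822-style line can be converted to ISO 8601 without -dateopt. The POSIX sh function below is an added example, not code from the question, the answer or OpenSSL; it assumes the single notAfter/notBefore line format shown above (month name, day, time, year, GMT).

```shell
# Added example: convert OpenSSL's default rfc_822-style date line to
# ISO 8601 in plain POSIX sh, as a workaround for -dateopt being
# rejected by OpenSSL 3.0.3 and lower.
# Reads one line such as "notAfter=Oct  4 16:05:59 2022 GMT" on stdin
# and prints "2022-10-04T16:05:59Z". Returns 1 for anything it cannot parse.
to_iso8601() {
    # Drop the "notAfter=" / "notBefore=" prefix, then split the rest on
    # whitespace into positional parameters (this also absorbs the double
    # space OpenSSL emits before single-digit days).
    set -- $(sed 's/^[^=]*=//')
    [ $# -eq 5 ] || return 1
    case $1 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;;
        May) m=05;; Jun) m=06;; Jul) m=07;; Aug) m=08;;
        Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    day=$2; time=$3; year=$4; zone=$5
    # openssl x509 prints these fields in GMT; refuse anything else rather
    # than silently relabel a different zone as "Z".
    [ "$zone" = GMT ] || return 1
    # Zero-pad single-digit days; reject anything that is not 1-2 digits.
    case $day in
        [0-9]) day=0$day;;
        [0-9][0-9]) ;;
        *) return 1;;
    esac
    case $time in
        [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) return 1;;
    esac
    printf '%s-%s-%sT%sZ\n' "$year" "$m" "$day" "$time"
}

# Typical use against the certificate from the question (needs openssl on PATH):
#   openssl x509 -enddate -noout -in "$PWD/self.crt" | to_iso8601
```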
Related
I needed to create a Java keystore and so I downloaded the latest version of OpenSSL but kept getting:
keytool error: java.io.IOException: keystore password was incorrect
As well as Windows telling me I had the wrong password if I tried to import the .p12. After hours of trying to get things to work I finally downloaded v1.1.1 and POW, things just worked!
Problem solved! but why - why does OpenSSL v3.0.0 not work like v1.1.1?
C:\openssl3> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks300.p12
C:\openssl3> openssl pkcs12 -info -in ks300.p12
Enter Import Password:
<works fine>
...
</works fine>
C:\openssl3> keytool -list -v -keystore ks300.p12
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 6 more
then:
C:\openssl1.1.1> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks111.p12
C:\openssl1.1.1> openssl pkcs12 -info -in ks111.p12
<works fine />
C:\openssl1.1.1> keytool -list -v -keystore ks111.p12
Enter keystore password:
<works fine />
C:\openssl1.1.1> C:\openssl3\openssl pkcs12 -info -in ks111.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
5C200000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
C:\openssl1.1.1>openssl pkcs12 -info -in ks300.p12
<works fine>
Now that last one surprised me as I was collecting the output for this post, but yes the openssl1.1.1 read the openssl3 .p12 file fine but not the other way (openssl3 cannot read the openssl1.1.1 .p12). The keytool and windows kept complaining about the password for the openssl3 .p12 -- but COULD read the v1.1.1 one.
Is there some downward compatibility option I missed?
I seem to be the only person on the internet to run into this issue which usually means that I did something wrong.
Some other data points:
C:\> Java --version
openjdk 11.0.2 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
C:\openssl3>openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
C:\openssl1.1.1>openssl version
OpenSSL 1.1.1l 24 Aug 2021
When I try to generate a key from a pfx certificate file, it creates an empty file
openssl pkcs12 -in test.pfx -nocerts -out test.key -nodes
I executed the command in Git Bash on Windows Server 2019. The command seems to run without stopping, because I can't type.
Thanks
I am trying to generate self signed certificates using openSSL as part of internal feature testing. The intention is to have new certs (short lived) generated for every round of testing.
For the build procedure I have added custom targets to my CMakeLists.txt like so:
add_custom_target(ca_rsa
COMMAND mkdir -p ${INSTALL_LOCATION}/security_context/ca/cert
COMMAND mkdir -p ${INSTALL_LOCATION}/security_context/ca/private
COMMAND ${OPENSSL} req -nodes -x509 -days 30 -text -sha256 -newkey
rsa:2048 -keyout ${INSTALL_LOCATION}/security_context/ca/private/rsa_key.pem
-out ${INSTALL_LOCATION}/security_context/ca/cert/rsa_cert.pem
-config ./openssl_rsa.cnf)
ca_rsa is added as a dependency for the target executable for the project.
When I run the build I get the following error:
/bin/sh: req not found
recipe for target ca_rsa failed
I tried running the command by itself and it works fine.
Edit:
${OPENSSL} is set as follows:
set(OPENSSL ${OPENSSL_INSTALL_LOCATION}/bin/openssl)
You can see this error in the console under this text. How to solve SSL error 02001003? I'm trying to update npm but it's not working...
http://imgur.com/a/AvW4J
Download and install Win64 OpenSSL v1.1.0e from https://slproweb.com/products/Win32OpenSSL.html
After installing, go to this directory: C:\OpenSSL-Win64\bin
Open cmd (command line) and type this line:
Set OPENSSL=C:\OpenSSL-Win64\bin\openssl.cfg
and finally type this :
openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout pri.pen -out pub.pen
Answer the questions to generate the public and private certificates.
You can watch this tutorial : https://www.youtube.com/watch?v=H8GxM9ApkYc
The documentation says The signature is a PKCS #7 detached signature of the manifest file but how does one do that with openssl?
For Passbook I found these commands:
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -clcerts -nokeys -out ./certificate.pem
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -nocerts -out ./key.pem
openssl smime -passin pass:test -binary -sign -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature -outform DER
Also tried with the WWDR certificate:
openssl smime -passin pass:test -binary -sign -certfile ~/Downloads/AppleWWDRCA.cer -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature -outform DER
And zip it with:
zip -r ../example.zip . -x '*.DS_Store'
But I still get "Signature verification of push package failed".
I've also encountered such a problem. After trying, I figured out that different openssl versions will result in different signature sizes for the same manifest file.
Originally, I was using openssl 1.0.2, 1.0.3 but with no luck, but after I downgraded my openssl version to 0.9.8zf 19 Mar 2015 everything works fine, and my Safari can recognize the push package (my Safari version is 8.0.7 (10600.7.12), Mac OS: 10.10.4 (14E46))
my openssl command is:
openssl smime -sign -in manifest.json -out signature -signer push.pem -certfile AppleWWDRCA.pem -binary -inkey push.key -outform der