[openssl-users] Incompatible Object error from EC_POINT_mul (Nicola)
John Hughes
john.hughes at secid.co.uk
Mon Oct 8 17:21:53 UTC 2018
Nicola,
Brilliant - that sorted it. I have produced a public key this way and
successfully compared it with the public key in the original key pair.
You may want to update the wiki page to add that step into the sample code
Regards
John
-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
openssl-users-request at openssl.org
Sent: 08 October 2018 08:36
To: openssl-users at openssl.org
Subject: openssl-users Digest, Vol 47, Issue 8
Send openssl-users mailing list submissions to
openssl-users at openssl.org
To subscribe or unsubscribe via the World Wide Web, visit
https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
openssl-users-request at openssl.org
You can reach the person managing the list at
openssl-users-owner at openssl.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of openssl-users digest..."
Today's Topics:
1. Re: Wiki misleading Enc (Richard Levitte)
2. Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on
RHEL 7.5 (aakash.kumar at orange.com)
3. Re: Incompatible Object error from EC_POINT_mul (Nicola)
----------------------------------------------------------------------
Message: 1
Date: Mon, 08 Oct 2018 07:03:34 +0200 (CEST)
From: Richard Levitte <levitte at openssl.org>
To: paul at zil.li
Cc: openssl-users at openssl.org
Subject: Re: [openssl-users] Wiki misleading Enc
Message-ID: <20181008.070334.1188127225315146424.levitte at openssl.org>
Content-Type: Text/Plain; charset=us-ascii
Fixed. Thanks.
In message <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0 at zil.li> on Sat, 6 Oct 2018
22:48:01 +0200, Paul Zillmann <paul at zil.li> said:
> Hello,
>
> the wiki page [1] is wrong about the pass parameter.
> According to [2] the parameter for a keyfile is -pass file:path and
> not -pass pass:path
>
> - Paul
>
> 1: https://wiki.openssl.org/index.php/Enc
> 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html
>
------------------------------
Message: 2
Date: Mon, 8 Oct 2018 05:50:40 +0000
From: <aakash.kumar at orange.com>
To: "openssl-users at openssl.org" <openssl-users at openssl.org>
Cc: "osf-contact at openssl.org" <osf-contact at openssl.org>
Subject: Re: [openssl-users] osf-contact Latest Openssl Issue with
Bind 9.12.2-P2 on RHEL 7.5
Message-ID:
<14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA2711076
38A at OPEXCSINM91.corporate.adroot.infra.ftgroup>
Content-Type: text/plain; charset="iso-2022-jp"
Hi Team,
Please find below error in text format.
[root at g3r1 ~]# systemctl status bind -l
? bind.service - LSB: DNS Daemon
Loaded: loaded (/etc/rc.d/init.d/bind)
Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago
Docs: man:systemd-sysv-generator(8)
Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited,
status=0/SUCCESS)
Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited,
status=0/SUCCESS)
Oct 05 13:31:09 g3r1 named[32429]:
----------------------------------------------------
Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to
1048576
Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator
cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library)
Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data]
Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon.
[root at g3r1 ~]# tail /var/log/message
Oct 5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon...
Oct 5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg:
command not found
Oct 5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 <id:b2bf278>
Oct 5 13:31:09 g3r1 named[32429]: running on Linux x86_64
3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016
Oct 5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr'
'--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man'
'--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl'
'--disable-static' '--with-randomdev=/dev/urandom'
Oct 5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named
-c /etc/named.conf
Oct 5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat
4.8.5-28)
Oct 5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL
1.0.2p 14 Aug 2018
Oct 5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p
14 Aug 2018
Oct 5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7
Oct 5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7
Oct 5 13:31:09 g3r1 named[32429]: threads support is enabled
Oct 5 13:31:09 g3r1 named[32429]:
----------------------------------------------------
Oct 5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems
Consortium,
Oct 5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Oct 5 13:31:09 g3r1 named[32429]: corporation. Support and training for
BIND 9 are
Oct 5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support
Oct 5 13:31:09 g3r1 named[32429]:
----------------------------------------------------
Oct 5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to
1048576
Oct 5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 5 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator
cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Thanks & Regards,
Aakash kumar
ITE - India
Tower B, 8th Floor, DLF Infinity Towers,
DLF Cyber City Phase - II
Gurgaon - 122002, Haryana, INDIA
Aakash.kumar at orange.com
Mobile: +91-8527288977
CVS: 7357 3706
-----Original Message-----
From: Viktor Dukhovni [mailto:openssl-users at dukhovni.org]
Sent: 05 October 2018 21:23
To: KUMAR Aakash IMT/OINIS
Cc: osf-contact at openssl.org; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen
IMT/OINIS
Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL
7.5
Please try to send the text of error reports, not pictures.
> I am getting below error while starting the bind service.
>
> <image002.png>
If you ask on the openssl-users list, someone else may have seen
the same issue, and may have useful advice to share.
NOTE!!!: I've set the Reply-To: address to <openssl-users at openssl.org>.
If you just hit "Reply", your answer may go to the list, though you'd
need to join the list first to be able to post...
Does the error still happen when you disable "chroot" in BIND?
Perhaps BIND is doing late initialization of the PRNG after
entering the chroot jail, and maybe trying to use "/dev/urandom",
which not be in the jail? That's a wild guess. You'd need to
trace system calls to see what it is actually doing...
--
Viktor.
____________________________________________________________________________
_____________________________________________
Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
exploites ou copies sans autorisation. Si vous avez recu ce message par
erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou
falsifie. Merci.
This message and its attachments may contain confidential or privileged
information that may be protected by law; they should not be distributed,
used or copied without authorisation.
If you have received this email in error, please notify the sender and
delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been
modified, changed or falsified.
Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mta.openssl.org/pipermail/openssl-users/attachments/20181008/9a4c315
f/attachment-0001.html>
------------------------------
Message: 3
Date: Mon, 8 Oct 2018 10:35:33 +0300
From: Nicola <nic.tuv at gmail.com>
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Incompatible Object error from
EC_POINT_mul
Message-ID:
<CANm5x_NZ7Xwtgy8sfWYWPjcEvYktFY6apBKXp=_222F7K7Qv9g at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi,
I did not run this in the debugger, but one issue is that you are not
initializing `pub` before calling EC_POINT_mul : try adding
pub = EC_POINT_new(curve);
(and check for errors making sure pub is not null afterwards).
Hope this helps!
Best regards,
Nicola
On Mon, Oct 8, 2018, 00:31 John Hughes <john.hughes at secid.co.uk> wrote:
> I'm trying to generate a public key from a private key generated on a
> HSM (and obtained by calling PKCS#11). Everything works fine until I
> call EC_POINT_mul - at which point I get the error message:
>
> error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible
> objects
>
> I have checked the BIGNUM conversion - and that seems to be fine. The
> key pair on the HSM is also generated using brainpoolP256r1.
>
> The basis of the code can be found at the end of the email. I'm
> basically trying to follow the example provided in:
> https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography.
>
> I'm using openssl 1.10h
>
> Any pointers or help would be appreciated.
>
>
> John
>
> ---------------------------------------------------------------
>
>
> BN_CTX *ctx;
> ctx = BN_CTX_new();
> if(!ctx) {
> outputInfo("unable to create openssl BN_CTX");
> return;
> }
>
> EC_GROUP *curve;
>
> outputInfo("about to create EC_GROUP_new_by_curve_name");
> if(NULL == (curve =
> EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) {
> outputERRORmess("unable to setup curve");
> }
>
> outputInfo("about to create EC_KEY_new_by_curve_name");
> EC_KEY *key;
> if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1)))
{
> outputERRORmess("unable to setup EC_KEY");
> }
>
> // now get the private key contained in CKA_VALUE via PKCS#111
> and place in *attrPrivate.pValue
>
> .......... (handle error)
>
> EC_POINT *pub;
>
>
> BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue,
> attrPrivate.ulValueLen, NULL);
> if (prv == NULL) {
>
> ...... (handle error)
> }
>
> if (1 != EC_KEY_set_private_key(key, prv)) {
>
> ........ (handle error)
> }
>
> if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) {
> outputInfo("unable to calculate the public key from
> the HSM's private key using EC_POINT_mul");
> (handle error)
>
> }
>
>
>
>
>
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mta.openssl.org/pipermail/openssl-users/attachments/20181008/bcd9871
5/attachment.html>
------------------------------
Subject: Digest Footer
_______________________________________________
openssl-users mailing list
openssl-users at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users
------------------------------
End of openssl-users Digest, Vol 47, Issue 8
********************************************
More information about the openssl-users
mailing list