HP Open Source Security for OpenVMS Volume 2: HP SSL for ...

More documents

Recommendations

Info

Using the Certificate Tool Hash Certificate Revocations 50
4 SSL Programming Concepts SSL Programming Concepts HP SSL Data Structures This chapter discusses how to write application programs using HP SSL on OpenVMS. The SSL library provides APIs supporting three SSL protocols: SSL Version 2 (SSLv2), SSL Version 3 (SSLv3), and TLS Version 1 (TLSv1). You can write an HP SSL application program in C or C++. This chapter provides the following information: A description of the seven HP SSL data structures How to configure and obtain certificates An HP SSL programming tutorial that shows the implementation of a simple HP SSL client and server program using HP SSL APIs 4.1 HP SSL Data Structures Before you start SSL application development, you should understand the data structures used for SSL APIs, and the relationships between the data structures. SSL APIs use data structures to hold various types of information about SSL sessions and connections. The most important structures are SSL_CTX and SSL. Usually, one SSL_CTX structure exists per SSL application program, and an SSL structure is created every time a new SSL connection is created. An SSL structure inherits configuration information from the SSL_CTX structure when it is created. Table 4-1 shows the APIs commonly used for creating and deallocating data structures. Table 4-1 APIs for Data Structure Creation and Deallocation Data Structure API for Creation API for Deallocation SSL_CTX SSL_CTX_new() SSL_CTX_free() SSL SSL_new() SSL_free() SSL_SESSION SSL_SESSION_new() SSL_SESSION_free() BIO BIO_new() BIO_free() X509 X509_new() X509_free() RSA RSA_new() RSA_free() DH DH_new() DH_free() 51
Page 1 and 2: HP Open Source Security for OpenVMS
Page 3 and 4: Contents 1. Installation and Releas
Page 5 and 6: Contents 4.3.2 Creating and Setting
Page 7 and 8: Tables Table 4-1. APIs for Data Str
Page 9 and 10: Figures Figure 3-1. Certificate Too
Page 11 and 12: Preface The HP Open Source Security
Page 13: Convention Meaning [ ] In command f
Page 16 and 17: Installation and Release Notes Open
Page 18 and 19: Installation and Release Notes Down
Page 20 and 21: Installation and Release Notes Down
Page 22 and 23: Installation and Release Notes HP S
Page 24 and 25: Installation and Release Notes Rele
Page 32 and 33: Overview of SSL The SSL Handshake T
Page 34 and 35: Overview of SSL Cipher Suite The ce
Page 36 and 37: Overview of SSL Digital Signatures
Page 38 and 39: Using the Certificate Tool Viewing
Page 40 and 41: Using the Certificate Tool Create a
Page 46 and 47: Using the Certificate Tool Sign a C
Page 48 and 49: Using the Certificate Tool Hash Cer
Page 52 and 53: SSL Programming Concepts HP SSL Dat
Page 54 and 55: SSL Programming Concepts Certificat
Page 60 and 61: SSL Programming Concepts SSL Progra
Page 74 and 75: Example Programs Template for Creat
Page 76 and 77: Example Programs Template for Creat
Page 78 and 79: Example Programs Simple SSL Client
Page 84 and 85: Example Programs Simple SSL Server
Page 90 and 91: OpenSSL Command Line Interface Stan
Page 92 and 93: OpenSSL Command Line Interface Mess
Page 94 and 95: OpenSSL Command Line Interface Enco
Page 96 and 97: OpenSSL Command Line Interface Crea
Page 98 and 99: asn1parse NAME Synopsis 98 asn1pars
Page 100 and 101:
ca NAME Synopsis 100 ca - sample mi
Page 102 and 103:
102 The DN of a certificate can con
Page 104 and 105:
104 default_days the same as the -d
Page 106 and 107:
Certify a Netscape SPKAC: openssl c
Page 108 and 109:
It is advisable to also include val
Page 110 and 111:
Lists of cipher suites can be combi
Page 112 and 113:
112 cipher suites using DES (not tr
Page 114 and 115:
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
Page 116 and 117:
1.OU="My first OU" 2.OU="My Second
Page 118 and 119:
118 verify the signature on a CRL b
Page 120 and 121:
NOTES The output file is a PKCS#7 s
Page 122 and 123:
122 file... file or files to digest
Page 124 and 125:
124 this option specifies that a pa
Page 126 and 127:
126 -des|-des3|-idea These options
Page 128 and 129:
dsaparam NAME Synopsis 128 dsaparam
Page 130 and 131:
enc NAME Synopsis 130 enc - symmetr
Page 132 and 133:
All the block ciphers normally use
Page 134 and 135:
gendsa NAME Synopsis 134 gendsa - g
Page 136 and 137:
Because key generation is a random
Page 138 and 139:
ocsp NAME Synopsis 138 ocsp - Onlin
Page 140 and 141:
140 -no_cert_verify don't verify th
Page 142 and 143:
EXAMPLES Create an OCSP request and
Page 144 and 145:
144 crl2pkcs7 CRL to PKCS#7 Convers
Page 146 and 147:
146 sha1 SHA-1 Digest ENCODING AND
Page 148 and 149:
passwd NAME Synopsis 148 passwd - c
Page 150 and 151:
pkcs12 NAME Synopsis 150 pkcs12 - P
Page 152 and 153:
152 -pass arg, -passout arg the PKC
Page 154 and 155:
old-openssl -in bad.p12 -out keycer
Page 156 and 157:
NOTES The PEM PKCS#7 format uses th
Page 158 and 159:
158 -nocrypt PKCS#8 keys generated
Page 160 and 161:
STANDARDS Test vectors from this PK
Page 162 and 163:
eq NAME Synopsis 162 req - PKCS#10
Page 164 and 165:
164 -x509 this option outputs a sel
Page 166 and 167:
166 It can be set to several values
Page 168 and 169:
countryName_default= AU countryName
Page 170 and 171:
SEE ALSO x509(1), ca (1), genrsa (1
Page 172 and 173:
172 -des|-des3|-idea These options
Page 174 and 175:
sautl NAME Synopsis 174 rsautl - RS
Page 176 and 177:
The certificate public key can be e
Page 178 and 179:
178 -showcerts display the whole se
Page 180 and 181:
The -prexit option is a bit of a ha
Page 182 and 183:
182 -dhparam filename the DH parame
Page 184 and 185:
184 Q end the current SSL connectio
Page 186 and 187:
186 -new performs the timing test u
Page 188 and 189:
sess_id NAME Synopsis 188 sess_id -
Page 190 and 191:
SEE ALSO ciphers (1), s_server (1)
Page 192 and 193:
192 -out filename the message text
Page 194 and 195:
NOTES The MIME message must be sent
Page 196 and 197:
The current code can only handle S/
Page 198 and 199:
spkac NAME Synopsis 198 spkac - SPK
Page 200 and 201:
verify NAME Synopsis 200 verify - U
Page 202 and 203:
The first line contains the name of
Page 204 and 205:
204 30 X509_V_ERR_AKID_SKID_MISMATC
Page 206 and 207:
x509 NAME Synopsis 206 x509 - Certi
Page 208 and 209:
208 -C this outputs the certificate
Page 210 and 211:
210 The default filename consists o
Page 212 and 213:
TEXT OPTIONS As well as customising
Page 214 and 215:
it will also handle files containin
Page 216 and 217:
There should be options to explicit
Page 218 and 219:
ASN1_OBJECT_new NAME Synopsis 218 A
Page 220 and 221:
RETURN VALUES None. SEE ALSO ERR_ge
Page 222 and 223:
ASN1_STRING_print_ex NAME Synopsis
Page 224 and 225:
io NAME Synopsis 224 bio - I/O abst
Page 226 and 227:
BIO_set_close() sets the BIO b clos
Page 228 and 229:
io = BIO_push(b64, bio); while((inl
Page 230 and 231:
BIO_set_read_buffer_size(), BIO_set
Page 232 and 233:
EXAMPLES None. SEE ALSO None. 232
Page 234 and 235:
BIO *bio, *mdtmp; char message[] =
Page 236 and 237:
BIO_f_null NAME Synopsis 236 BIO_f_
Page 238 and 239:
BIO_set_ssl_renegotiate_bytes() set
Page 240 and 241:
BIO *sbio, *bbio, *acpt, *out; int
Page 242 and 243:
BIO_find_type NAME Synopsis 242 BIO
Page 244 and 245:
BIO_new NAME Synopsis 244 BIO_new,
Page 246 and 247:
BIO_push NAME Synopsis 246 BIO_push
Page 248 and 249:
BIO_read NAME Synopsis 248 BIO_read
Page 250 and 251:
BIO_set_accept_bios() can be used t
Page 252 and 253:
BIO_s_bio NAME Synopsis 252 BIO_s_b
Page 254 and 255:
EXAMPLE The BIO pair can be used to
Page 256 and 257:
BIO_set_conn_int_port() sets the po
Page 258 and 259:
BIO_s_fd NAME Synopsis 258 BIO_s_fd
Page 260 and 261:
BIO_s_file NAME Synopsis 260 BIO_s_
Page 262 and 263:
Restrictions BIO_reset() and BIO_se
Page 264 and 265:
NOTES Writes to memory BIOs will al
Page 266 and 267:
BIO_s_socket NAME Synopsis 266 BIO_
Page 268 and 269:
268 callback(b, BIO_CB_READ, out, o
Page 270 and 271:
NOTES If BIO_should_retry() returns
Page 272 and 273:
BF_cfb64_encrypt() is the CFB mode
Page 274 and 275:
int BN_rand(BIGNUM *rnd, int bits,
Page 276 and 277:
BN_add NAME Synopsis 276 BN_add, BN
Page 278 and 279:
BN_add_word NAME Synopsis 278 BN_ad
Page 280 and 281:
BN_bn2hex() and BN_bn2dec() return
Page 282 and 283:
BN_copy NAME Synopsis 282 BN_copy,
Page 284 and 285:
BN_CTX_start NAME Synopsis 284 BN_C
Page 286 and 287:
The error codes can be obtained by
Page 288 and 289:
The BIGNUM structure typedef struct
Page 290 and 291:
BN_mod_inverse NAME Synopsis 290 BN
Page 292 and 293:
BN_to_montgomery() is a macro. RETU
Page 294 and 295:
SEE ALSO bn (3), ERR_get_error (3),
Page 296 and 297:
BN_num_bits NAME Synopsis 296 BN_nu
Page 298 and 299:
BN_set_bit NAME Synopsis 298 BN_set
Page 300 and 301:
BN_zero NAME Synopsis 300 BN_zero,
Page 302 and 303:
HISTORY BUF_MEM_new(), BUF_MEM_free
Page 304 and 305:
CONF_modules_load_file NAME Synopsi
Page 306 and 307:
SEE ALSO openssl (1), ssl (3) 306
Page 308 and 309:
d2i_ASN1_OBJECT NAME Synopsis 308 d
Page 310 and 311:
d2i_DSAPublicKey NAME Synopsis 310
Page 312 and 313:
d2i_PKCS8PrivateKey_bio NAME Synops
Page 314 and 315:
d2i_X509 NAME Synopsis 314 d2i_X509
Page 316 and 317:
* Something to setup buf and len */
Page 318 and 319:
d2i_X509_ALGOR NAME Synopsis 318 d2
Page 320 and 321:
d2i_X509_NAME NAME Synopsis 320 d2i
Page 322 and 323:
d2i_X509_SIG NAME Synopsis 322 d2i_
Page 324 and 325:
DES_key_schedule *ks1, DES_key_sche
Page 326 and 327:
DES_cbc_cksum() produces an 8 byte
Page 328 and 329:
Modes NAME 328 Modes, of, DES - the
Page 330 and 331:
NOTES This text was been written in
Page 332 and 333:
SEE ALSO dhparam (1), bn (3), dsa (
Page 334 and 335:
DH_generate_parameters NAME Synopsi
Page 336 and 337:
DH_get_ex_new_index NAME Synopsis 3
Page 338 and 339:
DH_set_default_method NAME Synopsis
Page 340 and 341:
DH_size NAME Synopsis 340 DH_size -
Page 342 and 343:
The DSA structure consists of sever
Page 344 and 345:
DSA_dup_DH NAME Synopsis 344 DSA_du
Page 346 and 347:
DSA_generate_parameters NAME Synops
Page 348 and 349:
DSA_get_ex_new_index NAME Synopsis
Page 350 and 351:
DSA_set_default_method NAME Synopsi
Page 352 and 353:
DSA_set_default_openssl_method() an
Page 354 and 355:
DSA_sign NAME Synopsis 354 DSA_sign
Page 356 and 357:
engine NAME Synopsis 356 engine - E
Page 358 and 359:
ENGINE_LOAD_KEY_PTR ENGINE_get_load
Page 360 and 361:
egistered into these tables to make
Page 362 and 363:
if(!ENGINE_set_default_RSA(e)) /* T
Page 364 and 365:
#define ENGINE_HAS_CTRL_FUNCTION10
Page 366 and 367:
err NAME Synopsis 366 err - error c
Page 368 and 369:
* Macros, structures and function p
Page 370 and 371:
ERR_error_string NAME Synopsis 370
Page 372 and 373:
HISTORY ERR_get_error(), ERR_peek_e
Page 374 and 375:
ERR_load_crypto_strings NAME Synops
Page 376 and 377:
ERR_print_errors NAME Synopsis 376
Page 378 and 379:
ERR_remove_state NAME Synopsis 378
Page 380 and 381:
EVP_BytesToKey NAME Synopsis 380 EV
Page 382 and 383:
EVP_MD_CTX_init NAME Synopsis 382 E
Page 384 and 385:
RETURN VALUES EVP_DigestInit_ex(),
Page 386 and 387:
EVP_CIPHER_CTX_init NAME Synopsis 3
Page 388 and 389:
EVP_DecryptInit_ex(), EVP_DecryptUp
Page 390 and 391:
390 Null cipher: does nothing. EVP_
Page 392 and 393:
* Bogus key and IV: we'd normally s
Page 394 and 395:
EVP_OpenInit NAME Synopsis 394 EVP_
Page 396 and 397:
EVP_PKEY_set1_RSA NAME Synopsis 396
Page 398 and 399:
EVP_SealInit NAME Synopsis 398 EVP_
Page 400 and 401:
EVP_SignInit NAME Synopsis 400 EVP_
Page 402 and 403:
EVP_VerifyInit NAME Synopsis 402 EV
Page 404 and 405:
HMAC NAME Synopsis 404 HMAC, HMAC_I
Page 406 and 407:
lh_stats NAME Synopsis 406 lh_stats
Page 408 and 409:
#define DECLARE_LHASH_DOALL_FN(f_na
Page 410 and 411:
As an example, a hash table may be
Page 412 and 413:
MD2 NAME Synopsis 412 MD2, MD4, MD5
Page 414 and 415:
MDC2 NAME Synopsis 414 MDC2, MDC2_I
Page 416 and 417:
NOTES Objects in OpenSSL can have a
Page 418 and 419:
OpenSSL_add_all_algorithms NAME Syn
Page 420 and 421:
RETURN VALUES Neither OPENSSL_confi
Page 422 and 423:
OPENSSL_VERSION_NUMBER NAME Synopsi
Page 424 and 425:
PEM NAME Synopsis 424 PEM - PEM rou
Page 426 and 427:
PEM_write_bio_PKCS8PrivateKey_nid()
Page 428 and 429:
Write a private key (using traditio
Page 430 and 431:
PKCS12_create NAME Synopsis 430 PKC
Page 432 and 433:
PKCS7_decrypt NAME Synopsis 432 PKC
Page 434 and 435:
HISTORY PKCS7_decrypt() was added t
Page 436 and 437:
When the signed data is not detache
Page 438 and 439:
NOTES One application of PKCS7_NOIN
Page 440 and 441:
440 1 A good hashing algorithm to m
Page 442 and 443:
RAND_add NAME Synopsis 442 RAND_add
Page 444 and 445:
RAND_bytes NAME Synopsis 444 RAND_b
Page 446 and 447:
RAND_egd NAME Synopsis 446 RAND_egd
Page 448 and 449:
RAND_load_file NAME Synopsis 448 RA
Page 450 and 451:
NOTES As of version 0.9.7, RAND_MET
Page 452 and 453:
RIPEMD160 NAME Synopsis 452 RIPEMD1
Page 454 and 455:
The RSA structure consists of sever
Page 456 and 457:
RSA_check_key NAME Synopsis 456 RSA
Page 458 and 459:
RSA_generate_key NAME Synopsis 458
Page 460 and 461:
value returned by RSA_get_ex_new_in
Page 462 and 463:
RSA_padding_add_PKCS1_type_1 NAME S
Page 464 and 465:
RSA_print NAME Synopsis 464 RSA_pri
Page 466 and 467:
RSA_public_encrypt NAME Synopsis 46
Page 468 and 469:
RSA_set_default_method NAME Synopsi
Page 470 and 471:
} RSA_METHOD; 470 unsigned char *si
Page 472 and 473:
RSA_sign_ASN1_OCTET_STRING NAME Syn
Page 474 and 475:
SHA1 NAME Synopsis 474 SHA1, SHA1_I
Page 476 and 477:
HISTORY SMIME_read_PKCS7() was adde
Page 478 and 479:
CRYPTO_set_locking_callback NAME Sy
Page 480 and 481:
HISTORY CRYPTO_set_locking_callback
Page 482 and 483:
const UI_METHOD *UI_get_method(UI *
Page 484 and 485:
des_read_password NAME Synopsis 484
Page 486 and 487:
EXAMPLES Create an X509_NAME struct
Page 488 and 489:
RETURN VALUES None. SEE ALSO ERR_ge
Page 490 and 491:
for (i = 0; i < X509_NAME_entry_cou
Page 492 and 493:
The fields XN_FLAG_FN_SN, XN_FLAG_F
Page 494 and 495:
494
Page 496 and 497:
d2i_SSL_SESSION NAME Synopsis 496 d
Page 498 and 499:
498 ssl.h That's the common header
Page 500 and 501:
500 int SSL_CTX_get_ex_new_index(lo
Page 502 and 503:
502 int SSL_CTX_use_certificate(SSL
Page 504 and 505:
504 int SSL_get_state(SSL *ssl); lo
Page 506 and 507:
SEE ALSO openssl (1), crypto (3), S
Page 508 and 509:
SSL_alert_type_string NAME Synopsis
Page 510 and 511:
510 "DE"/"decode error" A message c
Page 512 and 513:
512 Encryption method with number o
Page 514 and 515:
SSL_COMP_add_compression_method NAM
Page 516 and 517:
SSL_connect NAME Synopsis 516 SSL_c
Page 518 and 519:
SSL_CTX_add_session NAME Synopsis 5
Page 520 and 521:
SSL_CTX_ctrl NAME Synopsis 520 SSL_
Page 522 and 523:
SSL_CTX_free NAME Synopsis 522 SSL_
Page 524 and 525:
SSL_CTX_get_verify_mode NAME Synops
Page 526 and 527:
WARNINGS If several CA certificates
Page 528 and 529:
RETURN VALUES The following return
Page 530 and 531:
SSL_CTX_sess_cache_full() returns t
Page 532 and 533:
SSL_CTX_sess_set_new_cb NAME Synops
Page 534 and 535:
SSL_CTX_sessions NAME Synopsis 534
Page 536 and 537:
SSL_CTX_set_cert_verify_callback NA
Page 538 and 539:
SSL_CTX_set_cipher_list NAME Synops
Page 540 and 541:
540 0 A failure while manipulating
Page 542 and 543:
chain (with the option to leave out
Page 544 and 545:
int pem_passwd_cb(char *buf, int si
Page 546 and 547:
is not resolved, the handshake will
Page 548 and 549:
SSL_CTX_set_info_callback NAME Syno
Page 550 and 551:
BIO_printf(bio_err,"%s:failed in %s
Page 552 and 553:
SEE ALSO ssl (3), SSL_new (3), SSL_
Page 554 and 555:
SEE ALSO ssl (3), SSL_read (3), SSL
Page 556 and 557:
556 The user-defined argument optio
Page 558 and 559:
558 Netscape-Enterprise/2.01 (https
Page 560 and 561:
HISTORY SSL_OP_CIPHER_SERVER_PREFER
Page 562 and 563:
SSL_CTX_set_session_cache_mode NAME
Page 564 and 565:
SSL_CTX_set_session_id_context NAME
Page 566 and 567:
SSL_CTX_set_ssl_version NAME Synops
Page 568 and 569:
SSL_CTX_set_tmp_dh_callback NAME Sy
Page 570 and 571:
} 570 switch (keylength) { case 512
Page 572 and 573:
Using ephemeral RSA key exchange yi
Page 574 and 575:
SSL_CTX_set_verify NAME Synopsis 57
Page 576 and 577:
The certificate verification depth
Page 578 and 579:
} 578 if (SSL_get_verify_result(ssl
Page 580 and 581:
SSL_CTX_use_certificate_ASN1() load
Page 582 and 583:
SSL_do_handshake NAME Synopsis 582
Page 584 and 585:
SSL_free NAME Synopsis 584 SSL_free
Page 586 and 587:
SSL_get_client_CA_list NAME Synopsi
Page 588 and 589:
SSL_get_default_timeout NAME Synops
Page 590 and 591:
590 The operation did not complete;
Page 592 and 593:
SSL_get_ex_new_index NAME Synopsis
Page 594 and 595:
SSL_get_peer_cert_chain NAME Synops
Page 596 and 597:
SSL_get_rbio NAME Synopsis 596 SSL_
Page 598 and 599:
SSL_get_SSL_CTX NAME Synopsis 598 S
Page 600 and 601:
SSL_get_version NAME Synopsis 600 S
Page 602 and 603:
SSL_load_client_CA_file NAME Synops
Page 604 and 605:
SSL_pending NAME Synopsis 604 SSL_p
Page 606 and 607:
Page 608 and 609:
SSL_SESSION_free NAME Synopsis 608
Page 610 and 611:
SSL_SESSION_get_time NAME Synopsis
Page 612 and 613:
SSL_set_bio NAME Synopsis 612 SSL_s
Page 614 and 615:
SSL_set_fd NAME Synopsis 614 SSL_se
Page 616 and 617:
SSL_set_shutdown NAME Synopsis 616
Page 618 and 619:
SSL_shutdown NAME Synopsis 618 SSL_
Page 620 and 621:
SSL_state_string NAME Synopsis 620
Page 622 and 623:
SEE ALSO ssl (3), err (3), SSL_get_
Page 624 and 625:
Page 626 and 627:
Data Structures and Header Files SS
Page 628 and 629:
Page 630 and 631:
Page 632 and 633:
Page 634 and 635:
Data Structures and Header Files BI
Page 636 and 637:
Data Structures and Header Files X5
Page 638 and 639:
New and Changed APIs in OpenSSL 0.9
Page 640 and 641:
New and Changed APIs in OpenSSL 0.9
Page 642 and 643:
Open Source Notices Original SSLeay
Page 644 and 645:
Index DH_new function, 337 DH_set_d
Page 646:
Index SSL_set_verify_result functio
show all

HP Open Source Security for OpenVMS Volume 2: HP SSL for ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?