Okay, I got trace information out of gskkyman. What do you make of this?
INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes
INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes
INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8
bytes
INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8
bytes
INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed
for 16 bytes
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed
for 16 bytes
INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed
for 16 bytes
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed
for 16 bytes
INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits
INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed
INFO crypto_rsa_private_decrypt(): Using PKCS private key
INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits
INFO crypto_rsa_private_decrypt(): Software RSA private key decryption
performed
INFO open_kdb_check_filedata(): Record size 5000, Record count 12
INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority'
is self-signed
INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is
self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA -
G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA -
G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA -
G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA -
G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA -
G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA -
G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA -
G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA -
G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA -
G5' is self-signed
INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed
INFO open_kdb_check_filedata(): Record size 5000, Record count 0
ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE
ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error
0x03353003
ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003
ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error
0x03353003
Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does
that come into the picture? What is PBE?
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Charles Mills
Sent: Monday, November 6, 2017 5:00 PM
To: [email protected]
Subject: Re: What cryptographic algorithm is not supported?
David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a
*cryptographic* hash? Who knows if IBM is being that precise? Good thought.
I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me
like SHA-512 and RSA 2048 are supported in FIPS mode.
Could it be something in the CA certificate? It looks like it is SHA-256 RSA
2048, so it should be good also.
Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm
-- I see the GSK trace. I will try that.
I hate obscure error messages. Tell me what you are objecting to, darn it!
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of David W Noon
Sent: Monday, November 6, 2017 4:04 PM
To: [email protected]
Subject: Re: What cryptographic algorithm is not supported?
On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills ([email protected]) wrote about
"What cryptographic algorithm is not supported?" (in
<[email protected]>):
> I am trying to load a certificate and key into a FIPS-140 GSK
> database. I am getting Status 0x03353003 - Cryptographic algorithm is
> not supported. How would I know exactly what algorithm it is
> complaining about? Here's an extract from the certificate and key:
You have 2 lines that mention algorithms:
> Signature Algorithm: sha512WithRSAEncryption
> Public Key Algorithm: rsaEncryption
(There is actually a 3rd one, but it is the same as the first.)
Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto algorithm.
I don't know why RSA would be unsupported, as it has been around since the late
1970's. I can only infer that it has been dropped.
--
Regards,
Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[email protected] (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
