Heiko Nardmann wrote:
> 
> Dr Stephen Henson wrote:
> [...]
> > If there are only a few possible OIDs then this might work if you add
> > appropriate aliases as well to NID_ripemd160WithRSA.
> >
> > Using OIDs like that is evil, what should really be done is to add
> > appropriate structure to the AlgorithmIdentifier instead.
> >
> > That's an odd exponent restriction, the usual public exponent is 65537
> > which is 17 bits.
> >
> As you can see from my previous mail it was my fault: taking the 11 as
> decimal instead of hex.
> 
> Now I have a patched objects.h but I seem to have to go deeper.
> These algorithms are able to do RSA, aren't they?
> Do I have to change crypto/evp/p_lib.c, too?
> There is this function EVP_PKEY_type() which returns whether such
> a certificate's algorithm can do RSA, DSA or DH.
> Is it ok to add the new types to the RSA case?
> I assume yes so I have changed the file and attached the patch.
> 

No. What you need to do is alias all the new objects to the 'official'
one: NID_ripemd160WithRSA. The aliasing is currently done in 
crypto/evp/c_all.c, for example:

EVP_add_digest_alias(SN_ripemd160WithRSA,SN_other_ripemd_RSA);

You'd have one of these for each OID.

Do you have any sample certificate chains signed like this?

However the "official" OID will still be used when you, for example,
create a certificate. If you need to change that it involves more work.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
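
The aliasing described in the reply above, as an added example: a simplified stand-alone model in C, not OpenSSL source and not code from this thread. Each extra short name is registered as an alias of the official entry, so lookup accepts any of them, while the name that comes back (and so the one used on output) is always the official one. The names other-ripemd-RSA-1 and other-ripemd-RSA-2 are constructed placeholders, and add_entry, resolve and setup_aliases are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16
#define MAX_HOPS  10            /* give up on alias loops */

struct name_entry {
    const char *name;           /* short name being looked up */
    int is_alias;               /* 1: target is another name to look up */
    const char *target;         /* alias: next name; else: official name */
};
static struct name_entry table[MAX_NAMES];
static int n_entries;

static int add_entry(const char *name, int is_alias, const char *target) {
    if (n_entries >= MAX_NAMES) return 0;
    table[n_entries++] = (struct name_entry){ name, is_alias, target };
    return 1;
}

/* Follow aliases until a real entry is reached; NULL if unknown or looping. */
static const char *resolve(const char *name) {
    for (int hops = 0; hops < MAX_HOPS; hops++) {
        const struct name_entry *e = NULL;
        for (int i = 0; i < n_entries && e == NULL; i++)
            if (strcmp(table[i].name, name) == 0) e = &table[i];
        if (e == NULL) return NULL;
        if (!e->is_alias) return e->target;
        name = e->target;
    }
    return NULL;
}

static void setup_aliases(void) {
    n_entries = 0;
    add_entry("RSA-RIPEMD160", 0, "RSA-RIPEMD160");       /* official entry */
    add_entry("other-ripemd-RSA-1", 1, "RSA-RIPEMD160");  /* constructed name */
    add_entry("other-ripemd-RSA-2", 1, "RSA-RIPEMD160");  /* constructed name */
}

int main(void) {
    const char *seen[] = { "other-ripemd-RSA-1", "other-ripemd-RSA-2", "unregistered-name" };
    setup_aliases();
    for (int i = 0; i < 3; i++) {
        const char *official = resolve(seen[i]);
        printf("%-20s -> %s\n", seen[i], official ? official : "(unknown, rejected)");
    }
    return 0;
}
```

A name that was never aliased resolves to nothing, which is why one alias per OID is needed.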
