Hi,
TeleSec has founded the first PKI in Germany that works by the rules of
the German signature law. They provide users with smartcards and offer
the certificates in files on the web.
(http://srv15.telesec.de/verzeichnisdienst/index.htm)
However, OpenSSL doesn't seem to be able to extract the correct RSA keys
from that certificate.
The correct public modulus N is:
85 FC F4 0F ED 78 0E 3B 49 5E 33 E8 49 04 77 31
E3 06 9E 3F 09 DA 87 90 13 98 A6 80 67 7E 63 B0
48 AB 9A D2 3F 58 E3 B3 C2 FA 98 43 8C C8 19 77
B3 B3 25 EF FE 14 5D E0 05 1A B8 1A 6E 7A FE FB
26 5C 7E 15 BA 2A 80 77 05 A1 06 8C 0A 37 DB C9
83 1C 0A D4 DA D7 D5 14 58 1C 5A 4C 09 E5 EB B3
52 5F 7C 17 5A A6 CC 6D F9 28 7A BF 2D B7 2F 87
48 14 CF 1D 9B C1 4B BE 5F E2 EA 10 C8 BD 33 05
The public exponent is:
C0 00 00 01
openssl x509 -text finds:
RSA Public Key: (1023 bit)
Modulus (1023 bit):
7b:04:0c:f1:13:88:f2:c5:b7:a2:cd:18:b7:fc:89:
cf:1d:fa:62:c1:f7:26:79:70:ed:68:5a:80:99:82:
9d:50:b8:55:66:2e:c1:a8:1d:4d:3e:06:68:bd:74:
38:e7:89:4d:4d:db:11:02:ec:a3:20:fb:e6:48:e6:
92:86:02:05:da:a4:82:eb:46:d6:80:89:fb:5f:fa:
74:f6:c9:25:37:7d:e4:f6:2c:26:29:2b:ec:a8:e4:
a6:b4:f7:1b:15:4d:ae:a1:84:e9:a6:5a:34:93:07:
d8:86:41:d3:49:d1:79:b8:ec:31:e3:65:3f:b5:42:
a1:1e:16:f0:38:43:cd:fb
Exponent: 1073742079 (0x400000ff)
What is interesting is that asn1parse interprets the
integers as negative:
openssl asn1parse -offset 275
3:d=1 hl=3 l= 128 prim: INTEGER :-7B040CF11388F2C5
B7A2CD18B7FC89CF1DFA62C1F7267970ED685A8099829D50B855662EC1A81D4D3
E0668BD7438E7894D4DDB1102ECA320FBE648E692860205DAA482EB46D68089FB
5FFA74F6C925377DE4F62C26292BECA8E4A6B4F71B154DAEA184E9A65A349307D
88641D349D179B8EC31E3653FB542A11E16F03843CDFB
134:d=1 hl=2 l= 4 prim: INTEGER :-400000FF
But those numbers are not the complements of the correct values.
BTW: I am able to decode the correct values from the certificate
and put them into an RSA struct and verify signatures. However
I would prefer to use the standard functions provided by OpenSSL.
So is this a bug? Has anyone experienced similar problems???
Robert
---------------------------------------------
Robert Eiglmaier
iXOS Software AG
Tel +49 89 4629-1526
Fax +49 89 4629-331526
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
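
Added example (not part of the original post and not OpenSSL code): a small Python DER INTEGER decoder applied to the exponent bytes quoted above. It assumes, from the asn1parse lengths shown (l=4 and l=128), that the certificate stores both values without a leading 0x00 octet; the function names are illustrative. It compares the strict two's-complement value, the unsigned value that gives the working key, and a per-byte negation, which reproduces the magnitude printed in the post and equals neither complement.

```python
# Added example: DER INTEGER sign handling (X.690: content is two's complement).
# Function names are illustrative, not OpenSSL APIs.

def parse_der_integer(tlv: bytes) -> bytes:
    """Return the content octets of a single DER INTEGER TLV."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, pos = tlv[1], 2
    if length & 0x80:                      # long-form length, e.g. 81 80 for l=128
        n = length & 0x7F
        if n == 0 or len(tlv) < 2 + n:
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(tlv[2:2 + n], "big"), 2 + n
    content = tlv[pos:pos + length]
    if length == 0 or len(content) != length or pos + length != len(tlv):
        raise ValueError("truncated INTEGER or trailing bytes")
    return content

def readings(content: bytes) -> dict:
    """Interpret INTEGER content octets in the ways seen in the post."""
    per_byte = bytes((0x100 - b) & 0xFF for b in content)
    return {
        "signed": int.from_bytes(content, "big", signed=True),  # strict DER value
        "unsigned": int.from_bytes(content, "big"),             # value the key needs
        "per_byte_negation": int.from_bytes(per_byte, "big"),   # magnitude in the post
        "missing_zero_pad": bool(content[0] & 0x80),            # positive stored as negative
    }

def encode_der_uint(value: int) -> bytes:
    """Encode a non-negative integer with the 0x00 pad DER requires."""
    if value < 0:
        raise ValueError("non-negative values only")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    n = len(body)
    if n < 0x80:
        header = bytes([n])
    else:
        len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(len_octets)]) + len_octets
    return b"\x02" + header + body

# Exponent TLV rebuilt from the post: tag 02, l=4, content C0 00 00 01.
EXPONENT_TLV = bytes.fromhex("0204C0000001")

if __name__ == "__main__":
    for name, value in readings(parse_der_integer(EXPONENT_TLV)).items():
        print(name, hex(value) if not isinstance(value, bool) else value)
    print("correct encoding:", encode_der_uint(0xC0000001).hex())
```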