Robert Eiglmaier wrote:
>
> Hi,
>
> TeleSec has founded the first PKI in Germany that works by the rules of
> the German signature law. They provide users with smartcards and offer
> the certificates in files on the web.
> (http://srv15.telesec.de/verzeichnisdienst/index.htm)
> However OpenSSL doesn't seem to be able to extract the correct RSA keys
> from that certificate.
>
>
The ASN1 INTEGERs in that certificate are improperly encoded. If the
first octet has the MSB set it is negative. They should have a leading
00. OpenSSL could be hacked to work around this but it looks like a
certificate encoding error. dumpasn1 also flags this as an error.

Also the validity periods are encoded as GeneralizedTime. This is
contrary to PKIX (RFC2459) which says UTCTime should be used for years
before 2050.

There are a few unusual extensions in that certificate as well but all
perfectly legal.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
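
A minimal DER linter for the two encoding issues described in the reply above, as an added example (not code from the original message or from OpenSSL). The function names and the sample byte strings are constructed for illustration, and the walker assumes single-byte tags and definite lengths.

```python
# Added example: flag INTEGERs that decode as negative and GeneralizedTime
# values used for years before 2050. All sample data below is constructed.

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                  # short form: the octet is the length
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    return tag, pos, pos + length

def signed_value(body):
    """DER INTEGER content is two's complement, so the MSB is the sign bit."""
    return int.from_bytes(body, "big", signed=True)

def lint(buf, pos=0, end=None, findings=None):
    """Walk the structure and return a list of (offset, issue) tuples."""
    findings = [] if findings is None else findings
    end = len(buf) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        body = buf[start:stop]
        if tag & 0x20:                     # constructed (SEQUENCE, SET, [n]): recurse
            lint(buf, start, stop, findings)
        elif tag == 0x02 and body and body[0] & 0x80:
            findings.append((pos, "negative-integer"))
        elif tag == 0x18 and int(body[:4]) < 2050:
            findings.append((pos, "generalizedtime-before-2050"))
        pos = stop
    return findings

# Constructed RSAPublicKey-shaped SEQUENCE { modulus, exponent } with a toy modulus 0xC351.
BAD_KEY = bytes.fromhex("30090202c3510203010001")     # modulus lacks the leading 00
GOOD_KEY = bytes.fromhex("300a020300c3510203010001")  # same value, correctly padded
# Constructed validity SEQUENCE { GeneralizedTime 2000-01-01, UTCTime 2001-01-01 }.
VALIDITY = (bytes([0x30, 0x20, 0x18, 0x0F]) + b"20000101000000Z"
            + bytes([0x17, 0x0D]) + b"010101000000Z")

if __name__ == "__main__":
    for name, blob in (("bad key", BAD_KEY), ("good key", GOOD_KEY), ("validity", VALIDITY)):
        print(name, lint(blob))
    print("c351 decodes as", signed_value(b"\xc3\x51"), "but was meant as", 0xC351)
```

The walker does not look inside BIT STRING or OCTET STRING wrappers, so to check the key in a full certificate, pass it the contents of the subjectPublicKey BIT STRING after the unused-bits octet.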