Re: I am starting to wonder if it works at all.

[Dr Stephen Henson]

Scott Pasnikowsiki wrote:
> 
> 
> Be that as it may, it still does not work.  Without a -rand param for req,
> the win32
> side won't gen a cert.  (or am I incorrect ?)  It gives PRNG not seeded.
> Even if I give it the key
> that was created with gendsa. The thought was to not generate a key with req
> and avoid this error.   However it is clear that leaving the -new off had
> nothing
> to do with the problem.
> 
> That sort of points to the idea that the Win32 side is not being tested
> much.
> If I can confirm this is the case (that -rand is needed on Win32 to gen a
> cert)
> then I have my answer.  (use a commercial product)
> 

Yes there is indeed a problem. My appologies. It's hard to see a genuine
PRNG problem because there is so much 'noise' from bogus ones :-) 

Anyway the problem isn't just the lack of a -rand option (which has been
added to the latest snapshot).

'req' doesn't seed the PRNG if it doesn't have to.

It will seed it if it generates a new private key but it wont if it
signs with an already existing key. That is the problem: RSA signing
doesn't use the PRNG but DSA signing does. Hence the error. If it is any
consolation this doesn't just affect Win32.

If you supply the random file via the config file and use the -newkey
option instead of -new, e.g. -newkey dsa:dsaparamfile.pem it should
work. If however you really want to use an existing key then you can
patch apps\req.c

at around line 531 we have:

                        {
                        BIO_printf(bio_err,"bad input format specified for X509 
request\n");
                        goto end;
                        }

                if (pkey == NULL)
                        {
                        BIO_printf(bio_err,"unable to load Private key\n");
                        goto end;
                        }
-->             if(EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
-->                     {
-->                     char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
-->                     app_RAND_load_file(randfile, bio_err, 0);
-->                     }
                }

if you add the five lines indicated it should fix the problem. This fix
will be in future versions of OpenSSL.

If that doesn't work please let me know.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]