Paul L. Allen wrote:
> Nils Larsch wrote:
> > Paul L. Allen wrote:
> > > One of our customers showed up with a certificate that OpenSSL's x509
> > > subcommand doesn't appear to like.  It complains about the public key:
> > >
> > > [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in
> > > HASMClient1.cer -inform der -text
> > > [...]
> > >         Subject Public Key Info:
> > >             Public Key Algorithm: dsaEncryption-old
> > >             Unable to load Public Key
> > > 1464:error:0D089004:asn1 encoding routines:d2i_DSAparams:nested asn1
> > > error:d2i_dsap.c:94:
> > > [...]
> > >
> > > Are there some flavors of DSA that OpenSSL doesn't grok?  Or has our
> > > customer got a bogus cert?  Or...?
> > >
> > > The above trace is from 0.9.6g on Linux.  I get similar results from
> > > 0.9.6a on Solaris.  The 0.9.6b that came with my RedHat 7.2 seg faults
> > > right after printing the error.
> >
> > Does it work with 0.9.7 ? Can you give us the result of
> > 'openssl asn1parse -inform der -in HASMClient1.cer -i' or
> > even better can you give us the certificate ?
>
> The asn1parse command liked the certificate fine, both on 0.9.6b and
> on 0.9.6g.  I'll have to fetch and build 0.9.7 in order to test with
> it.
>
> I'll have to check with my customer about releasing the certificate.
> They are an intermediary between me and a project that's too black for
> my security clearance.  I wouldn't want to reveal something that allows
> a third party to infer details of the project.

Actually it would be sufficient to show us the 'subjectPublicKeyInfo' part
of your certificate. In the case of a 'normal' DSA public key it should look
something like this:
nils:~> /usr/bin/openssl asn1parse -in certificates/dsa_ca.pem -i
...
        155:d=2  hl=4 l= 438 cons:   SEQUENCE
        159:d=3  hl=4 l= 299 cons:    SEQUENCE
        163:d=4  hl=2 l=   7 prim:     OBJECT            :dsaEncryption
        172:d=4  hl=4 l= 286 cons:     SEQUENCE
        176:d=5  hl=3 l= 129 prim:      INTEGER           :BB1EEA1485EB95BD5...536A55A694729E9DB69D0BB5
        308:d=5  hl=2 l=  21 prim:      INTEGER           :998139192210D5DEC...6DE8B43C51E414D
        331:d=5  hl=3 l= 128 prim:      INTEGER           :6446E60F9DB24DFFE...9BB411E0444B69A25F9F45E9
        462:d=3  hl=3 l= 132 prim:    BIT STRING
...
corresponding to the ASN.1 description of a normal X509 DSA
public key (see e.g. RFC 2459)
        SubjectPublicKeyInfo  ::=  SEQUENCE  {
                algorithm            AlgorithmIdentifier,
                subjectPublicKey     BIT STRING  }
where AlgorithmIdentifier is defined by
        AlgorithmIdentifier  ::=  SEQUENCE  {
                algorithm               OBJECT IDENTIFIER,
                parameters              ANY DEFINED BY algorithm OPTIONAL  }
and the parameters are, in the case of a DSA key,
        Dss-Parms  ::=  SEQUENCE  {
                    p             INTEGER,
                    q             INTEGER,
                    g             INTEGER  }

Regards,
Nils


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
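
The layout check described in the message above, as an added example that is not part of the original thread and is not OpenSSL code: it walks a DER-encoded SubjectPublicKeyInfo and reports whether the AlgorithmIdentifier parameters have the Dss-Parms shape. The sample inputs are constructed with toy integers; the `ODD` sample (NULL parameters) is a hypothetical malformation, not the customer's certificate, which the thread never shows.

```python
# Added example: minimal DER walker (standard library only), not OpenSSL code.
OIDS = {bytes.fromhex("2a8648ce380401"): "dsaEncryption",      # 1.2.840.10040.4.1
        bytes.fromhex("2b0e03020c"): "dsaEncryption-old"}      # 1.3.14.3.2.12

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_dsa_spki(spki):
    """Compare a DER SubjectPublicKeyInfo with the RFC 2459 DSA layout."""
    tag, body, _ = read_tlv(spki, 0)
    parts = children(body) if tag == 0x30 else []
    if [t for t, _ in parts] != [0x30, 0x03]:
        return "not SEQUENCE { AlgorithmIdentifier, BIT STRING }"
    alg = children(parts[0][1])
    if not alg or alg[0][0] != 0x06 or alg[0][1] not in OIDS:
        return "algorithm is not a DSA OID"
    name = OIDS[alg[0][1]]
    if len(alg) < 2:
        return name + ": parameters absent"
    if alg[1][0] != 0x30 or [t for t, _ in children(alg[1][1])] != [0x02] * 3:
        return name + ": parameters are not SEQUENCE { p, q, g }"
    return name + ": ok"

def der(tag, content):
    """Encode one element (short-form length only; enough for the samples)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

# Constructed samples with toy integers, not real keys.
_key = der(0x03, b"\x00" + der(0x02, b"\x05"))
_pqg = der(0x30, der(0x02, b"\x17") + der(0x02, b"\x0b") + der(0x02, b"\x02"))
GOOD = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce380401")) + _pqg) + _key)
ODD = der(0x30, der(0x30, der(0x06, bytes.fromhex("2b0e03020c")) + der(0x05, b"")) + _key)
```

`check_dsa_spki` expects the DER bytes of the SubjectPublicKeyInfo element alone, not the whole certificate.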
