Paul L. Allen wrote:
> Nils Larsch wrote:
> > Paul L. Allen wrote:
> > > One of our customers showed up with a certificate that OpenSSL's x509
> > > subcommand doesn't appear to like. It complains about the public key:
> > >
> > > [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in
> > > HASMClient1.cer -inform der -text
> > > [...]
> > >         Subject Public Key Info:
> > >             Public Key Algorithm: dsaEncryption-old
> > > Unable to load Public Key
> > > 1464:error:0D089004:asn1 encoding routines:d2i_DSAparams:nested asn1
> > > error:d2i_dsap.c:94:
> > > [...]
> > >
> > > Are there some flavors of DSA that OpenSSL doesn't grok? Or has our
> > > customer got a bogus cert? Or...?
> > >
> > > The above trace is from 0.9.6g on Linux. I get similar results from
> > > 0.9.6a on Solaris. The 0.9.6b that came with my RedHat 7.2 seg faults
> > > right after printing the error.
> >
> > Does it work with 0.9.7 ? Can you give us the result of
> > 'openssl asn1parse -inform der -in HASMClient1.cer -i' or
> > even better can you give us the certificate ?
>
> The asn1parse command liked the certificate fine, both on 0.9.6b and
> on 0.9.6g. I'll have to fetch and build 0.9.7 in order to test with
> it.
>
> I'll have to check with my customer about releasing the certificate.
> They are an intermediary between me and a project that's too black for
> my security clearance. I wouldn't want to reveal something that allows
> a third party to infer details of the project.
Actually it would be sufficient to show us the 'subjectPublicKeyInfo' part
of your certificate. In case of a 'normal' DSA public key it should look
something like this:

nils:~> /usr/bin/openssl asn1parse -in certificates/dsa_ca.pem -i
...
  155:d=2  hl=4 l= 438 cons:   SEQUENCE
  159:d=3  hl=4 l= 299 cons:    SEQUENCE
  163:d=4  hl=2 l=   7 prim:     OBJECT            :dsaEncryption
  172:d=4  hl=4 l= 286 cons:     SEQUENCE
  176:d=5  hl=3 l= 129 prim:      INTEGER           :BB1EEA1485EB95BD5...536A55A694729E9DB69D0BB5
  308:d=5  hl=2 l=  21 prim:      INTEGER           :998139192210D5DEC...6DE8B43C51E414D
  331:d=5  hl=3 l= 128 prim:      INTEGER           :6446E60F9DB24DFFE...9BB411E0444B69A25F9F45E9
  462:d=3  hl=3 l= 132 prim:    BIT STRING
...

corresponding with the ASN1 description of a normal X509 DSA public key
(see e.g. rfc 2459)

  SubjectPublicKeyInfo ::= SEQUENCE {
      algorithm            AlgorithmIdentifier,
      subjectPublicKey     BIT STRING }

where AlgorithmIdentifier is defined by

  AlgorithmIdentifier ::= SEQUENCE {
      algorithm            OBJECT IDENTIFIER,
      parameters           ANY DEFINED BY algorithm OPTIONAL }

and the parameters are in case of a DSA key

  Dss-Parms ::= SEQUENCE {
      p INTEGER,
      q INTEGER,
      g INTEGER }

Regards,
Nils
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
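As an added example, not part of Nils's message or of OpenSSL, here is a small Python DER walker that checks a SubjectPublicKeyInfo against the structure laid out above (SEQUENCE { AlgorithmIdentifier { OID, Dss-Parms { p, q, g } }, BIT STRING }) and names the first point where the encoding deviates, which is the kind of diagnosis needed when x509 says "Unable to load Public Key" while asn1parse is happy with the certificate. The key bytes are constructed toy values (p=131, q=13, g=107, y=62), not taken from any real certificate.

```python
SEQUENCE, INTEGER, BIT_STRING, OBJECT = 0x30, 0x02, 0x03, 0x06
ID_DSA = "1.2.840.10040.4.1"                     # dsaEncryption (RFC 2459, 7.3.3)

def read_tlv(buf, off):                           # -> (tag, header_len, content_len)
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                              # short-form length
        return tag, 2, first
    n = first & 0x7F                              # long form: n length octets follow
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def decode_oid(body):                             # base-128 arcs -> dotted string
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"{what}: tag {tag:#04x}, expected {want:#04x}")

def check_dsa_spki(der):                          # -> (algorithm OID, [p, q, g]) or ValueError
    tag, hl, l = read_tlv(der, 0)
    expect(tag, SEQUENCE, "SubjectPublicKeyInfo")
    tag, hl2, l2 = read_tlv(der, hl)
    expect(tag, SEQUENCE, "AlgorithmIdentifier")
    off, alg_end = hl + hl2, hl + hl2 + l2
    tag, hl, l = read_tlv(der, off)
    expect(tag, OBJECT, "algorithm")              # compare the result against ID_DSA
    oid, off = decode_oid(der[off + hl:off + hl + l]), off + hl + l
    if off >= alg_end:                            # AlgorithmIdentifier ends right after the OID
        raise ValueError("parameters absent: nothing for d2i_DSAparams to decode")
    tag, hl, l = read_tlv(der, off)
    expect(tag, SEQUENCE, "Dss-Parms")
    params, off = [], off + hl
    while off < alg_end:                          # p, q, g as DER (two's complement) INTEGERs
        tag, hl, l = read_tlv(der, off)
        expect(tag, INTEGER, "Dss-Parms member")
        params.append(int.from_bytes(der[off + hl:off + hl + l], "big", signed=True))
        off += hl + l
    if len(params) != 3:
        raise ValueError(f"Dss-Parms has {len(params)} INTEGERs, expected p, q, g")
    expect(read_tlv(der, alg_end)[0], BIT_STRING, "subjectPublicKey")
    return oid, params

# Constructed toy key, laid out exactly like the asn1parse dump above (not a real certificate).
GOOD_SPKI = bytes.fromhex("301d301506072a8648ce380401300a0202008302010d02016b03040002013e")
# Same toy key with the Dss-Parms SEQUENCE left out; check_dsa_spki reports "parameters absent".
NO_PARAMS_SPKI = bytes.fromhex("3011300906072a8648ce38040103040002013e")
```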