Paul L. Allen wrote:
> Nils Larsch wrote:
> > Paul L. Allen wrote:
> > > One of our customers showed up with a certificate that OpenSSL's x509
> > > subcommand doesn't appear to like. It complains about the public key:
> > >
> > > [paula@bluesky C_pdp]$ /usr/local/ssl/bin/openssl x509 -in
> > > HASMClient1.cer -inform der -text
> > > [...]
> > > Subject Public Key Info:
> > > Public Key Algorithm: dsaEncryption-old
> > > Unable to load Public Key
> > > 1464:error:0D089004:asn1 encoding routines:d2i_DSAparams:nested asn1
> > > error:d2i_dsap.c:94:
> > > [...]
> > >
> > > Are there some flavors of DSA that OpenSSL doesn't grok? Or has our
> > > customer got a bogus cert? Or...?
> > >
> > > The above trace is from 0.9.6g on Linux. I get similar results from
> > > 0.9.6a on Solaris. The 0.9.6b that came with my RedHat 7.2 seg faults
> > > right after printing the error.
> >
> > Does it work with 0.9.7 ? Can you give us the result of
> > 'openssl asn1parse -inform der -in HASMClient1.cer -i' or
> > even better can you give us the certificate ?
>
> The asn2parse command liked the certificate fine, both on 0.9.6b and
> on 0.9.6g. I'll have to fetch and build 0.9.7 in order to test with
> it.
>
> I'll have to check with my customer about releasing the certificate.
> They are an intermediary between me and a project that's too black for
> my security clearance. I wouldn't want to reveal something that allows
> a third party to infer details of the project.
Actually it would be sufficient to show us the 'subjectPublicKeyInfo' part
of your certificate. In case of a 'normal' DSA public key it should look
somehow like this:
nils:~> /usr/bin/openssl asn1parse -in certificates/dsa_ca.pem -i
...
155:d=2 hl=4 l= 438 cons: SEQUENCE
159:d=3 hl=4 l= 299 cons: SEQUENCE
163:d=4 hl=2 l= 7 prim: OBJECT :dsaEncryption
172:d=4 hl=4 l= 286 cons: SEQUENCE
176:d=5 hl=3 l= 129 prim: INTEGER
:BB1EEA1485EB95BD5...536A55A694729E9DB69D0BB5
308:d=5 hl=2 l= 21 prim: INTEGER
:998139192210D5DEC...6DE8B43C51E414D
331:d=5 hl=3 l= 128 prim: INTEGER
:6446E60F9DB24DFFE...9BB411E0444B69A25F9F45E9
462:d=3 hl=3 l= 132 prim: BIT STRING
...
corresponding with the ASN1 description of a normal X509 DSA
public key (see e.g. rfc 2459)
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
where AlgorithmIdentifier is defined by
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
and the parameters are in case of a DSA key
Dss-Parms ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER }
Regards,
Nils
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
