Hi Dr. Henson,

Dr. Stephen Henson wrote:
On Thu, Apr 01, 2004, Lutz Feldgen wrote:


Hi,

I try to figure out openssl's handling of keys with negative exponent (to be exact, the exponent of a 1024-bit key seems to be missing the first byte). It also seems that openssl is then automatically adding this null byte as there are no negative exponents... and my codec is not. Am I right with this guess?

The problem is that my ocspresponder takes the rawkey of a certificate for hashing and comparing to the keyhash of an ocsprequest.
Somehow openssl calculates another keyhash than me if the key is like I described above.
Can anybody help me in this case a little?



The key will be interpreted as positive by effectively inserting the missing
leading zero as you said.

Ok.


The hash however should be based on the encoded format (as specified by the RFC) and if that doesn't include the leading zero it will hash without it.

The problem is that I tried with the encoded key but the hashes of the correct certificates respectively the correct keys were different from the ones the ISIS-MTT-Testbed built. When I switched to digest the rawkey everything went fine except the certificates with the "bad" keys...


You might try reencoding the key using the openssl utilities and calculating the hash manually to see if that matches the expected value.

I will try this to check whether this could solve my problem, but unfortunately this will not really help at all as the issue is with already existing keys and certificates I cannot reencode and resign ;(

Thanks for the quick answer,

regards,

Lutz Feldgen

--
PGP-Key available at

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D78987
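
The mismatch discussed in this thread, shown as an added example that is not part of the original messages: the same key encoded with and without the leading zero byte on an INTEGER whose top bit is set decodes to the same number when read as positive, but hashes differently because the hash covers the encoded bytes. The helper names and the sample modulus are constructed for illustration and use only Python's standard library.

```python
import hashlib

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value, pad=True):
    """Encode a non-negative INTEGER; pad=False reproduces the missing leading zero."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if pad and raw[0] & 0x80:
        raw = b"\x00" + raw  # DER keeps the sign bit clear for positive values
    return b"\x02" + der_len(len(raw)) + raw

def rsa_public_key(n, e, pad=True):
    body = der_integer(n, pad) + der_integer(e, pad)  # SEQUENCE { modulus, exponent }
    return b"\x30" + der_len(len(body)) + body

def key_hash(encoded_key):
    """SHA-1 over the encoded key bytes exactly as they appear in the certificate."""
    return hashlib.sha1(encoded_key).hexdigest()

def parse_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def read_integers(der, signed):
    """Decode the INTEGERs; signed=False mimics reading the value as positive."""
    assert der[0] == 0x30
    _, pos = parse_len(der, 1)
    values = []
    while pos < len(der):
        assert der[pos] == 0x02
        length, pos = parse_len(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + length], "big", signed=signed))
        pos += length
    return values

# Constructed sample values (not a real key): 1024-bit modulus with the top bit set.
N = (1 << 1023) | 0xC0FFEE01
E = 65537
GOOD = rsa_public_key(N, E, pad=True)   # canonical DER
BAD = rsa_public_key(N, E, pad=False)   # leading zero missing, as in the "bad" keys
if __name__ == "__main__":
    print(key_hash(GOOD), key_hash(BAD), read_integers(BAD, False) == [N, E])
```

A responder that re-encodes the key before hashing produces the first digest, while one that hashes the bytes as stored in the certificate produces the second.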
