Hi *,

Sorry for having annoyed you. When I looked at my cert by openssl-means I saw 
the appropriate GOST R 34.11-94 hash algorithm in all my certs. So what I 
observed is a bug in the M$ certificate viewer.

They just should not say "it's sha1", if they don't know the object identifier.

Regards

André


________________________________

From: André Ziermann 
Sent: Wednesday, 8 August 2007 12:44
To: 'openssl-users@openssl.org'
Subject: FW: Wrong hash algorithm displayed in GOST-Certificates


Hi,
 
Playing with GOST engine in openssl 0.9.9.
I cannot get a certificate with a GOST hash in it.
 
I tried several versions of the command line
 
x509 [(-md5|-md2|-md_gost94|-sha1)] -days 7300 -signkey 
/home/ziermann/gostpki/rootca/private/cakey.pem -in 
/home/ziermann/gostpki/rootca/cacert.csr -req -out 
/home/ziermann/gostpki/rootca/ca2.crt
 
Specifying no hash-alg results in a certificate where you see sha1 as hash 
algorithm.  (Looked at it using M$ certificate viewer on WinXP) 
Specifying -md_gost94 hash-alg results in a certificate where you see sha1 as 
hash algorithm.
 
Specifying sha1 as hash-alg results in an error message saying 
 
29391:error:0D0C30C6:asn1 encoding routines:ASN1_item_sign:digest and key type not supported:a_sign.c:245:
error in x509
 
Specifying any other hash-alg proposed by what you get if you type "openssl 
x509 --help"
results in an error message saying 
 
29391:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key type:p_sign.c:125:
29391:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:279:
 
Is this a bug?
What should I type to get a GOST compliant certificate?
Is the use of sha1 in certificates GOST compliant?
Where should I submit the report, if this turns out to be a bug?
 
Thank you very much for advice.
 
PS: Thanks to Andrej Kol'tsov for having helped with GOST key generation. :-)
 
André Ziermann
Senior Solution Engineer

SECUDE IT Security GmbH
Goebelstrasse 21
64293 Darmstadt / Germany

Tel. : +49 (0)6151 82897 21
Fax : +49 (0)6151 82897 26
Mobile : +49 (0) 170 987 81 73
[EMAIL PROTECTED]
www.secude.com <http://www.secude.com/> 



Commercial Register Darmstadt: HRB 9081
Managing Director: Dr. Heiner Kromer
 