DSA_verify error on Solaris using 0.9.8a

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

DSA_verify error on Solaris using 0.9.8a

Bob Mearns
I have code which successfully signs
and verifies documents on Redhat9, but
fails on Solaris 8.  Specifically, the failure
is reported in DSA_verify().  Errors strings
are as follows:

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
wrong tag
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
nested asn1 error

This seems to point to the encoding/decoding of the
public key used in the verification.  Here are the essentials
of the code used to generate, encode, decode, and
use the public key.  The error checks don't indicate
any problems until the verify step.  For what it's worth,
this is 32-bit compiled.  Also, FWIW, I've seeded the PRNG
sufficiently before the key generation step and the
signing step, according to RAND_status().

genkeys() {
        DSA *dsa;
        unsigned char encodedPubKey[MAX];
        int pubLen, genstat;
        dsa = DSA_generate_parameters(...);
        /* error check*/
        genStat = DSA_generate_key(dsa);
        /* error check */
        pubLen = i2d_DSA_PUBKEY(dsa, &encodedPubKey);
        /* error check */
}

verify(const unsigned char *encodedKeyPtr, long encodedKeyLen, ...) {
        DSA *pPubKey;
        int vStat;
        pPubKey =DSA_new();
        /* error check */
        pPubKey = d2i_DSA_PUBKEY(&pPubKey,
                 &encodedKeyPtr, encodedKeyLen);
        /* error check */
        vStat = DSA_verify(..., pPubKey);
        /* error check */
}

Any help appreciated.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: DSA_verify error on Solaris using 0.9.8a

Dr. Stephen Henson
On Thu, Feb 09, 2006, Bob Mearns wrote:

>
> genkeys() {
> DSA *dsa;
> unsigned char encodedPubKey[MAX];
> int pubLen, genstat;
> dsa = DSA_generate_parameters(...);
> /* error check*/
> genStat = DSA_generate_key(dsa);
> /* error check */
> pubLen = i2d_DSA_PUBKEY(dsa, &encodedPubKey);
> /* error check */
> }
>
> verify(const unsigned char *encodedKeyPtr, long encodedKeyLen, ...) {
> DSA *pPubKey;
> int vStat;
> pPubKey =DSA_new();
> /* error check */
> pPubKey = d2i_DSA_PUBKEY(&pPubKey,
>                 &encodedKeyPtr, encodedKeyLen);
> /* error check */
> vStat = DSA_verify(..., pPubKey);
> /* error check */
> }
>
> Any help appreciated.
>

The correct way to use the i2d functions is mentioned in the FAQ. Don't *ever*
assume that it will be a maximum size because that can result in buffer
overrun attacks.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]