OpenSSL OpenSSL - User

X509 certificate algorithm

classic Classic list List threaded Threaded
3 messages Options
Ken Goldman-2
Reply | Threaded
Open this post in threaded view
|

X509 certificate algorithm

Ken Goldman-2
I call these:

d2i_X509()
X509_print_fp()

which calls
        pkey_set_type()
                EVP_PKEY_asn1_find()
and that call fails.

I've traced the following error down to the rsaOAEP algorithm, which has a
nid of 919.  I've included both the openssl and dumpasn1 dump of the
X509 certificate.  Am I doing something wrong in openssl, or is there
a problem with the certificate?  I tried certificates from two
vendors, and they both fail at the same point.


X509_print_fp() gives

       Subject Public Key Info:
            Public Key Algorithm: rsaesOaep
            Unable to load Public Key
140243704706728:error:0609E09C:lib(6):func(158):reason(156):p_lib.c:239:
140243704706728:error:0B07706F:lib(11):func(119):reason(111):x_pubkey.c:155:


~~

dumpasn1 gives ()

152   0: . . SEQUENCE {}
154 351: . . SEQUENCE {
158  74: . . . SEQUENCE {
160   9: . . . . OBJECT IDENTIFIER rsaOAEP (1 2 840 113549 1 1 7)
       : . . . . . (PKCS #1)
171  61: . . . . SEQUENCE {
173  11: . . . . . [0] {
175   9: . . . . . . SEQUENCE {
177   5: . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
       : . . . . . . . . (OIW)
184   0: . . . . . . . NULL
       : . . . . . . . }
       : . . . . . . }
186  24: . . . . . [1] {
188  22: . . . . . . SEQUENCE {
190   9: . . . . . . . OBJECT IDENTIFIER pkcs1-MGF (1 2 840 113549 1 1 8)
       : . . . . . . . . (PKCS #1)
201   9: . . . . . . . SEQUENCE {
203   5: . . . . . . . . OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
       : . . . . . . . . . (OIW)
210   0: . . . . . . . . NULL
       : . . . . . . . . }
       : . . . . . . . }
       : . . . . . . }
212  20: . . . . . [2] {
214  18: . . . . . . SEQUENCE {
216   9: . . . . . . . OBJECT IDENTIFIER
       : . . . . . . . . rsaOAEP-pSpecified (1 2 840 113549 1 1 9)
       : . . . . . . . . (PKCS #1)
227   5: . . . . . . . OCTET STRING 54 43 50 41 00             TCPA.
       : . . . . . . . }
       : . . . . . . }
       : . . . . . }
       : . . . . }
234 271: . . . BIT STRING, encapsulates {
239 266: . . . . SEQUENCE {
243 257: . . . . . INTEGER    
       : . . . . . . 00 FB FD F9 09 63 15 A4    .....c..
       : . . . . . . 62 5F 79 C7 A9 E2 F8 FF    b_y.....
       : . . . . . . B4 C9 68 2F 32 F0 D4 3A    ..h/2..:
       : . . . . . . 78 AF A3 51 D1 95 DF E3    x..Q....
       : . . . . . . 83 BE BF 74 D2 61 03 F6    ...t.a..
       : . . . . . . 82 8C D6 3C C6 86 1A 73    ...<...s
       : . . . . . . 09 5A A5 9E 5D 1B D6 D8    .Z..]...
       : . . . . . . 72 50 BE 02 D7 0A 8B 8C    rP......
       : . . . . . . BC BF 92 CF 7D 25 62 E0    ....}%b.
       : . . . . . . D5 96 4D 04 96 95 83 24    ..M....$
       : . . . . . . A5 23 1E 10 21 06 16 06    .#..!...
       : . . . . . . BF 33 99 F7 D1 F0 BF 18    .3......
       : . . . . . . 7C B3 1E B6 D2 20 F6 DF    |.... ..
       : . . . . . . 09 52 F5 2C 3E D0 2D 82    .R.,>.-.
       : . . . . . . D8 AB A6 6A 34 73 8E 9E    ...j4s..
       : . . . . . . D8 B7 7B 4B 5F DE 4B 9F    ..{K_.K.
       : . . . . . . 31 4A 7D C4 EC 81 EC 23    1J}....#
       : . . . . . . 79 AD E4 78 DA 52 41 BB    y..x.RA.
       : . . . . . . 03 6B 1A 3F 9C A6 E5 7F    .k.?....
       : . . . . . . 3F B9 62 03 55 01 E7 44    ?.b.U..D
       : . . . . . . C9 88 B5 90 A8 CE 3E E3    ......>.
       : . . . . . . 62 D2 34 56 E8 02 C2 F4    b.4V....
       : . . . . . . 09 4E 58 71 32 29 D4 DF    .NXq2)..
       : . . . . . . 05 8B 37 58 06 66 9A 91    ..7X.f..
       : . . . . . . 1A 20 B2 3A 0A 5F 35 F2    . .:._5.
       : . . . . . . 9E 7A 39 79 EA 97 1D B0    .z9y....
       : . . . . . . 39 2B AA 93 BB 94 8F 15    9+......
       : . . . . . . 30 03 C5 38 28 53 1D 61    0..8(S.a
       : . . . . . . 3E EB AB 3B E7 98 96 A1    >..;....
       : . . . . . . D2 35 0E 3D 37 26 F9 D0    .5.=7&..
       : . . . . . . 93 05 99 B3 0C 4C B7 FA    .....L..
       : . . . . . . C4 36 BB 52 D1 B6 D5 9E    .6.R....
       : . . . . . . D7                         .
504   3: . . . . . INTEGER 65537
       : . . . . . }
       : . . . . }
       : . . . }

--
Ken Goldman   [hidden email]  
914-784-7646 (863-7646)
Dr. Stephen Henson
Reply | Threaded
Open this post in threaded view
|

Re: X509 certificate algorithm

Dr. Stephen Henson
On Thu, Aug 16, 2012, Kenneth Goldman wrote:

> I call these:
>
> d2i_X509()
> X509_print_fp()
>
> which calls
>         pkey_set_type()
>                 EVP_PKEY_asn1_find()
> and that call fails.
>
> I've traced the following error down to the rsaOAEP algorithm, which has a
> nid of 919.  I've included both the openssl and dumpasn1 dump of the
> X509 certificate.  Am I doing something wrong in openssl, or is there
> a problem with the certificate?  I tried certificates from two
> vendors, and they both fail at the same point.
>
>

Well the problem is that OpenSSL doesn't currently support OAEP certificates.
I've never come across one so if you could send an example that would be
useful.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Ken Goldman-2
Reply | Threaded
Open this post in threaded view
|

Re: X509 certificate algorithm

Ken Goldman-2
On 08/16/12 09:33, Dr. Stephen Henson wrote:

> On Thu, Aug 16, 2012, Kenneth Goldman wrote:
>
>> I call these:
>>
>> d2i_X509()
>> X509_print_fp()
>>
>> which calls
>>          pkey_set_type()
>>                  EVP_PKEY_asn1_find()
>> and that call fails.
>>
>> I've traced the following error down to the rsaOAEP algorithm, which has a
>> nid of 919.  I've included both the openssl and dumpasn1 dump of the
>> X509 certificate.  Am I doing something wrong in openssl, or is there
>> a problem with the certificate?  I tried certificates from two
>> vendors, and they both fail at the same point.
>>
>>
>
> Well the problem is that OpenSSL doesn't currently support OAEP certificates.
> I've never come across one so if you could send an example that would be
> useful.

I'm back working with these certificates and find that it still fails
with the latest openssl.

Another user has apparently hit the same issue.

https://github.com/openssl/openssl/pull/1441

Is there any chance of rsaOAEP being supported?

These are TPM 1.2 endorsement key certificates and there are
(unfortunately) 100M's of them shipped.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Free forum by Nabble Edit this page