Masanori Satake wrote:
>
> I tried parsing the PFX file attached (passphrase: test) using the PKCS12_parse()
> function.
> However I cannot get the right value of the DSA private key parameter x.
>
> And I tried executing the openssl command following
> "openssl -in target.pfx -out target.key -nocerts -nodes".
> I found that this case also resulted in the target.key output file having the wrong
> private key parameter x.
>
> I suppose that the wrong parameter x is output only when the MSB of parameter x
> is ON.
>
> If there is any information on this issue, please let me know.
> Thank you in advance,
>
Thanks for the file. I've analysed it and it's yet another broken DSA key format. What it is doing is as I suspected. It is incorrectly encoding the ASN1 integer by not including an additional zero if the MSB is set. Without the zero it's a negative integer.

You can see this for yourself if you enable the DEBUG_DECRYPT option in p12_decr.c, then dumpasn1 or asn1parse (with the -strparse option) the DER1 file. The key component shows as negative.

You can make OpenSSL tolerate this broken format (which I'll add to OpenSSL core code: it tolerates all manner of other broken ones too) by changing line 162 (or thereabouts) in evp_pkey.c:

                } else {
    ---------->     if (!(privkey=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
                        goto dsaerr;
                    }
                    param = p8->pkeyalg->parameter;
                }

Change the d2i_ASN1_INTEGER to d2i_ASN1_UINTEGER.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
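The encoding defect Steve describes, shown in Python as an added example (not code from the thread or from OpenSSL): a DER INTEGER whose first content octet has its top bit set decodes as negative under the signed rule d2i_ASN1_INTEGER follows, while an unsigned read in the spirit of d2i_ASN1_UINTEGER recovers the value the broken writer intended. All function names and the sample value are my own constructions.

```python
# Added example (not from the thread): decode a DER INTEGER the signed way
# d2i_ASN1_INTEGER does, beside a tolerant unsigned decode in the spirit of
# d2i_ASN1_UINTEGER, on a constructed key component whose top bit is set.

def der_integer_tlv(body: bytes) -> bytes:
    """Wrap content octets in an INTEGER tag/length (definite length)."""
    n = len(body)
    if n < 128:
        return b"\x02" + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x02" + bytes([0x80 | len(lb)]) + lb + body

def parse_der_integer(der: bytes, unsigned: bool = False):
    """Return (value, octets_consumed). Signed mode reads the content octets as
    two's complement, so a set MSB yields a negative number; unsigned mode reads
    them as a plain big-endian magnitude, which is what the broken writer meant."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = der[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    body = der[off:off + n]
    if n == 0 or len(body) != n:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(body, "big", signed=not unsigned), off + n

def magnitude(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def correct_encoding(x: int) -> bytes:
    """Proper DER: a leading 0x00 keeps a positive value with MSB set positive."""
    body = magnitude(x)
    return der_integer_tlv(b"\x00" + body if body[0] & 0x80 else body)

def broken_encoding(x: int) -> bytes:
    """What the faulty PFX producer emits: the magnitude with no padding zero."""
    return der_integer_tlv(magnitude(x))

# Constructed 160-bit sample x with its MSB set; not a real key.
SAMPLE_X = (1 << 159) | 0x123456789ABCDEF011223344

def demo():
    """(strict decode of good DER, strict decode of broken DER, tolerant decode of broken DER)."""
    good, bad = correct_encoding(SAMPLE_X), broken_encoding(SAMPLE_X)
    return (parse_der_integer(good)[0], parse_der_integer(bad)[0],
            parse_der_integer(bad, unsigned=True)[0])
```

A negative result from the strict decode of a private-key component is the quick check for a PFX written by this class of broken producer.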