Masanori Satake wrote:
> 
> I tried parsing the PFX file attached (passphrase: test) using the PKCS12_parse()
> function.
> However, I cannot get the right value of DSA private key parameter x.
> 
> And I tried executing the following openssl command:
>  "openssl -in target.pfx -out target.key -nocerts -nodes".
> I found that in this case too the target.key output file has the wrong
> private key parameter x.
> 
> I suppose that wrong parameter x is outputted only when MSB of parameter x
> is ON.
> 
> If there is any information on this issue, please let me know.
> Thank you in advance,
> 

Thanks for the file. I've analysed it and it's yet another broken DSA key
format. What it is doing is as I suspected. It is incorrectly encoding
the ASN1 integer by not including an additional zero if the MSB is set.
Without the zero it's a negative integer.

You can see this for yourself if you enable the DEBUG_DECRYPT option in
p12_decr.c then dumpasn1 or asn1parse (with -strparse option) the DER1
file. The key component shows as negative.

You can make OpenSSL tolerate this broken format (which I'll add to
OpenSSL core code: it tolerates all manner of other broken ones too) by
changing line 162 (or thereabouts) in evp_pkey.c:

          } else {
----------> if (!(privkey=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
                          EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
                          goto dsaerr;
                  }
                  param = p8->pkeyalg->parameter;
          }

Change the d2i_ASN1_INTEGER to d2i_ASN1_UINTEGER.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
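
The encoding fault discussed in the reply above, as an added example (not OpenSSL code and not part of the original messages): a DER INTEGER written without the leading zero decodes as negative under a signed reading and as the intended value under an unsigned one. The function names are hypothetical, the sample bytes are constructed, and values are limited to 64 bits for illustration, whereas a real DSA x is much larger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accept a short-form DER INTEGER TLV with 1..8 content bytes; return that length or 0. */
static size_t int_body(const uint8_t *der, size_t len)
{
    if (len < 3 || der[0] != 0x02 || der[1] == 0 || der[1] > 8) return 0;
    return ((size_t)der[1] + 2 == len) ? der[1] : 0;
}

/* Correct encoder: big-endian unsigned magnitude (1..7 bytes) to DER INTEGER. */
size_t der_encode_uint(const uint8_t *mag, size_t n, uint8_t *out, size_t cap)
{
    while (n > 1 && mag[0] == 0) { mag++; n--; }   /* minimal form */
    if (n == 0 || n > 7) return 0;
    size_t pad = (mag[0] & 0x80) ? 1 : 0;          /* MSB set: prepend 0x00 to stay positive */
    if (cap < 2 + pad + n) return 0;
    out[0] = 0x02;                                 /* INTEGER tag */
    out[1] = (uint8_t)(pad + n);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, mag, n);
    return 2 + pad + n;
}

/* Decode the same content bytes two ways: two's complement (signed parser)
 * and plain magnitude (the unsigned, tolerant reading). Returns 0 on success. */
int der_int_decode(const uint8_t *der, size_t len, int64_t *s, uint64_t *u)
{
    size_t n = int_body(der, len);
    if (n == 0) return -1;
    uint64_t sx = (der[2] & 0x80) ? UINT64_MAX : 0, zx = 0;
    for (size_t i = 0; i < n; i++) {
        sx = (sx << 8) | der[2 + i];               /* sign-extended */
        zx = (zx << 8) | der[2 + i];               /* zero-extended */
    }
    *s = (int64_t)sx; *u = zx;
    return 0;
}

int main(void)
{
    /* Constructed sample: magnitude 9A 3C 01 written without the zero pad. */
    const uint8_t broken[] = {0x02, 0x03, 0x9A, 0x3C, 0x01};
    int64_t s; uint64_t u;
    if (der_int_decode(broken, sizeof broken, &s, &u) != 0) return 1;
    printf("signed=%lld unsigned=%llu\n", (long long)s, (unsigned long long)u);
    return 0;
}
```

The unsigned reading is only appropriate for a field that is known to be non-negative, such as a private key component; applied to a general INTEGER it would silently turn a genuinely negative value into a positive one.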
