Okay, I got trace information out of gskkyman. What do you make of this? INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed INFO crypto_rsa_private_decrypt(): Using PKCS private key INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits INFO crypto_rsa_private_decrypt(): Software RSA private key decryption performed INFO open_kdb_check_filedata(): Record size 5000, Record count 12 INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' is self-signed INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G5' is self-signed INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed INFO open_kdb_check_filedata(): Record size 5000, Record count 0 ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 0x03353003 ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 0x03353003
Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does that come into the picture? What is PBE? Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Monday, November 6, 2017 5:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a *cryptographic* hash? Who knows if IBM is being that precise? Good thought. I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me like SHA-512 and RSA 2048 are supported in FIPS mode. Could it be something in the CA certificate? It looks like it is SHA-256 RSA 2048, so it should be good also. Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm -- I see the GSK trace. I will try that. I hate obscure error messages. Tell me what you are objecting to, darn it! Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David W Noon Sent: Monday, November 6, 2017 4:04 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills (charl...@mcn.org) wrote about "What cryptographic algorithm is not supported?" (in <210a01d3574f$11063a10$3312ae30$@mcn.org>): > I am trying to load a certificate and key into a FIPS-140 GSK > database. I am getting Status 0x03353003 - Cryptographic algorithm is > not supported. How would I know exactly what algorithm it is > complaining about? Here's an extract from the certificate and key: You have 2 lines that mention algorithms: > Signature Algorithm: sha512WithRSAEncryption > Public Key Algorithm: rsaEncryption (There is actually a 3rd one, but it is the same as the first.) Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto algorithm. I don't know why RSA would be unsupported, as it has been around since the late 1970's. I can only infer that it has been dropped. -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* david.w.n...@googlemail.com (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN