Pawe� Krawczyk wrote:
>
> Hello, here's the story started at [EMAIL PROTECTED] list several
> weeks ago. To summarize, the following certificate was generated
> by Microsoft software and, when dumped by OpenSSL 0.9.5a, its
> modulus seems to be completely broken.
>
> Also take a look at the length of
> the modulus in bits. Nominally it should be 512 bits, while OpenSSL
> shows only 510 bits. The problem seems to be that the high bit is
> set
>
> First I include the original certificate, its dump by `openssl x509',
> and then forwarded message from Matt Thomlinson (Microsoft) explaining
> the problem.
>
> My question is if this is a bug in MS software (it shouldn't be
> generating such certs), or OpenSSL is getting this wrong as a signed
> number?
The bug is in MS - they are encoding a top-bit-set number without
inserting a leading zero, so OpenSSL (correctly) sees it as negative.
Cheers,
Ben.
>
> -----BEGIN CERTIFICATE-----
> MIIBSzCB/AIEN5gYKTAHBgUrDgMCAzAeMQswCQYDVQQGEwJQTDEPMA0GA1UEChMG
> b2ktd2JkMCYXETAwMDYxMzA5NTQwMy0wMTAwFxEwMTEyMTQwOTU0MDMtMDEwMDBI
> MQ8wDQYDVQQDEwZrdXJzMTAxEzARBgNVBAMTCnJlY2lwaWVudHMxDzANBgNVBAsT
> Bm9pLXdiZDEPMA0GA1UEChMGb2ktd2JkMFkwCwYJKoZIhvcNAQEBA0oAMEcCQN+q
> oPQMo4U+aULJjaw/EldK21DLJj+Z4KkiEWbNHpWcNO+8ZoTf4/c8YvawfSD+iTtS
> hG/dIeCZwYeh4/4bFMMCAwEAATAHBgUrDgMCAwNBAIUwzaEwGZVC98cd+Bu/DsYv
> 9YAF7QQHPDSWyARgOqMzkGXJUCfBT3MWY8ir5pFxSnoJiOCtOiqE+UMPv+8tRhw=
> -----END CERTIFICATE-----
>
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 932714537 (0x37981829)
> Signature Algorithm: md5WithRSA
> Issuer: C=PL, O=oi-wbd
> Validity
> Not Before: Jun 13 09:54:03 2000
> Not After : Dec 14 09:54:03 2001
> Subject: CN=kurs10, CN=recipients, OU=oi-wbd, O=oi-wbd
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (510 bit)
> Modulus (510 bit):
> 20:55:5f:0b:f3:5c:7a:c1:96:bd:36:72:53:c0:ed:
> a8:b5:24:af:34:d9:c0:66:1f:56:dd:ee:99:32:e1:
> 6a:63:cb:10:43:99:7b:20:1c:08:c3:9d:09:4f:82:
> df:01:76:c4:ad:7b:90:22:de:1f:66:3e:78:5e:1c:
> 01:e4:eb:3d
> Exponent: 65537 (0x10001)
> Signature Algorithm: md5WithRSA
> 85:30:cd:a1:30:19:95:42:f7:c7:1d:f8:1b:bf:0e:c6:2f:f5:
> 80:05:ed:04:07:3c:34:96:c8:04:60:3a:a3:33:90:65:c9:50:
> 27:c1:4f:73:16:63:c8:ab:e6:91:71:4a:7a:09:88:e0:ad:3a:
> 2a:84:f9:43:0f:bf:ef:2d:46:1c
>
> ----- Forwarded message from Matt Thomlinson <[EMAIL PROTECTED]> -----
>
> Subject: RE: outlook certs - solved
> From: "Matt Thomlinson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>,
> "Pawel Krawczyk" <[EMAIL PROTECTED]>,
> "Markku-Juhani Saarinen" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
>
> I now believe you've decoded the below incorrectly because the leading
> bit is set, making this a signed number which may have made some of your
> tools croak. Decoding by hand, I get the following mod/exp:
>
> 3047 0240 (asn, len, int tag, length of 40)
>
> modulus:
> DFAA A0F4 0CA3 853E 6942 C98D AC3F 1257 4ADB 50CB 263F 99E0 A922 1166
> CD1E 959C 34EF BC66 84DF E3F7 3C62 F6B0 7D20 FE89 3B52 846F DD21 E099
> C187 A1E3 FE1B 14C3
>
> 0203 (int tag, length of 3)
> exponent:
> 0100 01
>
> note that the complement of DF = 20, AA = 55, which begins to look a lot
> like the number you 'decoded' below.
>
> BTW, I've had our research team check the above modulus (DFAA...) for
> trivial factors. We found no prime divisors below 10 million.
>
> --
> Pawe� Krawczyk <http://ceti.pl/~kravietz/>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
