Re: Applying the RSASSA-PSS patch

Thu, 25 Feb 2010 08:44:57 -0800 

On Thu, Feb 25, 2010, Erwann ABALEA wrote:

> Bonjour,
> 
> I need to be able to verify different "real world" certificates, some
> of them signed using sha{1,256}withRSA, some using
> ecdsa-with-SHA{1,256}, and some using rsassaPss.
> 
> For the "sha*withRSA" ones, the stable branch is OK.
> For the "ecdsa-with-SHA256" ones, I needed to download a development
> version (0.9.8 branch doesn't support it).
> And, for the "rsassaPss" ones, I needed to export a version dated "7
> Feb 2010" version, and apply the proposed patch (I don't remember the
> RT number). I performed a checkout from my local mirror of the OpenSSL
> CVS repository (cvs co -D "7 feb 2010" external/openssl).
> 
> Applying the patch resulted in a positive and a negative effect:
>  - I was able to verify the rsassaPss certificates
>  - I wasn't able to verify ecdsa-with-SHA{1,256} certificates (yes,
>    even SHA1 ones)
> 
> The error I get is the following:
> 
> error 7 at 0 depth lookup:certificate signature failure
> 3085249240:error:1009107F:elliptic curve 
> routines:d2i_ECPKParameters:pkparameters2group failure:ec_asn1.c:1067:
> 3085249240:error:10090010:elliptic curve routines:d2i_ECParameters:EC 
> lib:ec_asn1.c:1355:
> 3085249240:error:100D4010:elliptic curve routines:ECKEY_PARAM_DECODE:EC 
> lib:ec_ameth.c:528:
> 
> I can provide certificates if necessary (those are passport
> certificates from different countries)
> 

I haven't had time to review the patch in much detail but I suspected some
things like that might happen due to the way some AlgorithmIdentifiers were
handled. I'm fairly sure it wouldn't work with a PSS only key too (which is
treated as a different public key algorithm).

If you can send some PSS certificates that would be great. I'm always happier
if I've some data to interop test with.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to