Hi Erwann, thanks for testing my patch and giving feedback.

Thus wrote Erwann ABALEA ([email protected]):

> I need to be able to verify different "real world" certificates, some
> of them signed using sha{1,256}withRSA, some using
> ecdsa-with-SHA{1,256}, and some using rsassaPss.
> For the "sha*withRSA" ones, the stable branch is OK.
> For the "ecdsa-with-SHA256" ones, I needed to download a development
> version (0.9.8 branch doesn't support it).
> And, for the "rsassaPss" ones, I needed to export a version dated "7
> Feb 2010" version, and apply the proposed patch (I don't remember the
> RT number). I performed a checkout from my local mirror of the OpenSSL
> CVS repository (cvs co -D "7 feb 2010" external/openssl).
> Applying the patch resulted in a positive and a negative effect:
> - I was able to verify the rsassaPss certificates
> - I wasn't able to verify ecdsa-with-SHA{1,256} certificates (yes,
> even SHA1 ones)
> The error I get is the following:
> error 7 at 0 depth lookup:certificate signature failure
> 3085249240:error:1009107F:elliptic curve
> routines:d2i_ECPKParameters:pkparameters2group failure:ec_asn1.c:1067:
> 3085249240:error:10090010:elliptic curve routines:d2i_ECParameters:EC
> lib:ec_asn1.c:1355:
> 3085249240:error:100D4010:elliptic curve routines:ECKEY_PARAM_DECODE:EC
> lib:ec_ameth.c:528:
> I can provide certificates if necessary (those are passport
> certificates from different countries)

I've just downloaded the pss certificates you provided and confirmed
that they verify ok.

Could you by any chance send me the ecdsa certificates that cause
problems with the patch? I guess I'll have some time middle of next week
to look into this.

Best regards,
Martin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
