Well, I'm creating my CA certificate with a DSA key, that's easy and simple.
Then I create an end entity cert with a DSA key to make sure I'm doing
everything correctly, that works fine. Then I basically call these
functions:
dh = DH_generate_parameters(64, DH_GENERATOR_5, NULL, NULL);
DH_generate_key(dh);
Pkey->type = EVP_PKEY_DH;
Pkey->pkey.dh = dh;
ASN1_INTEGER_set(Request->req_info->version, 2L);
then I set up the DN here with C, ST, O, OU, and CN entries.
X509_REQ_set_pubkey(Request, Pkey);
I don't sign the request, because that call was failing :)
X509_set_version(Certificate->cert_info, 2L);
I set the serial number and validity here
X509_set_pubkey(Certificate, X509_REQ_get_pubkey(Request));
then I add a subjectAltName extension
X509_sign(Certificate, CAkey, digest);
The CAkey in the previous call is the DSA key from the CA certificate.
Then I output the cert in PEM format:
PEM_write_bio_X509(out, Certificate);
Now I have a separate library with PEM_write_bio_DHPublicKey defined that I
got from another project, so I'm not sure if PEM_write_bio_X509 is calling
that function or not, but that's all I'm doing. None of the library calls
complain and the certificate appears to have been created. When I execute
"x509 -text -in endkeyx.out" x509 segfaults after displaying "Public Key
Algorithm: dhKeyAgreement".
Looking at the OIDs, they are correct, I have another utility that will
display the certificate when I output it in ASN1 format and the Algorithm
oid is pkcs3-dhKeyAgreement. So as far as I can tell, everything seems to
have been created correctly, it's just a matter of OpenSSL not being able to
read/write/parse the DH public key (at least I think).
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ben Laurie
> Sent: Monday, January 04, 1999 5:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Are x509v3 certificates with Diffie-Helman public keys
> possible?
>
>
> wgriffin wrote:
> >
> > I've been trying to create them, and I can create the
> request, as long as I
> > don't sign it. I can also sign the request with the CA's DSA key and
> > everything appears to work okay. When I use the x509 cl
> program to view the
> > certificate with x509 -text -in endkeyx.out however, it
> segfaults trying to
> > display the Subject Public Key Info. Are there any patches
> available that I
> > could use to get this to work? Thanks in advance.
>
> Got a recipe to reproduce this?
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> "My grandfather once told me that there are two kinds of people: those
> who work and those who take the credit. He told me to try to be in the
> first group; there was less competition there."
> - Indira Gandhi
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
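The structure the x509 tool was choking on, as an added example that is not part of the original post and not OpenSSL's code: a pure-Python encoder and parser for a SubjectPublicKeyInfo carrying a pkcs3-dhKeyAgreement key, with the sanity checks a reader of such a certificate wants (correct OID, BIT STRING with no unused bits, INTEGER public value in range). It assumes the PKCS#3 DHParameter holds only p and g (the optional privateValueLength is omitted), and the modulus, generator and exponent are constructed sample values, not real key material.

```python
# Added example (not the poster's code, not OpenSSL): encode and parse the SubjectPublicKeyInfo
# of a certificate carrying a PKCS#3 Diffie-Hellman key. p, g, x below are constructed samples.
DH_OID = bytes.fromhex("2a864886f70d010301")  # 1.2.840.113549.1.3.1, pkcs3-dhKeyAgreement
def _tlv(tag, body):  # DER tag + definite-form length + contents
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v):  # DER INTEGER for v >= 0; an extra leading 0x00 keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def dh_spki(p, g, y):
    """SEQUENCE { SEQUENCE { OID dhKeyAgreement, DHParameter { p, g } }, BIT STRING { INTEGER y } }"""
    alg = _tlv(0x30, _tlv(0x06, DH_OID) + _tlv(0x30, _int(p) + _int(g)))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + _int(y)))

def _read(buf, pos=0):  # -> (tag, contents, offset just past this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_dh_spki(der):
    """Return {'p', 'g', 'y'} from a DH SubjectPublicKeyInfo, or raise ValueError if malformed."""
    _, spki, _ = _read(der)
    _, alg, pos = _read(spki)
    tag, bits, _ = _read(spki, pos)
    otag, oid, pos = _read(alg)
    if otag != 0x06 or oid != DH_OID:
        raise ValueError("algorithm is not pkcs3-dhKeyAgreement")
    _, params, _ = _read(alg, pos)
    _, p_b, pos = _read(params)
    _, g_b, _ = _read(params, pos)
    p, g = int.from_bytes(p_b, "big"), int.from_bytes(g_b, "big")
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    ytag, y_b, _ = _read(bits, 1)
    if ytag != 0x02:
        raise ValueError("subjectPublicKey must wrap a DER INTEGER y")
    y = int.from_bytes(y_b, "big")
    if not 1 < y < p - 1:  # reject degenerate public values before any key agreement
        raise ValueError("DH public value out of range")
    return {"p": p, "g": g, "y": y}
# Constructed 64-bit sample like DH_generate_parameters(64, DH_GENERATOR_5, ...); p = 2**64 - 59
# is prime (not a safe prime, enough for a parsing demo) and x is a fixed sample exponent.
P, G, X = 2**64 - 59, 5, 0x0123456789ABCDEF
Y = pow(G, X, P)
SAMPLE_DER = dh_spki(P, G, Y)
```

Running parse_dh_spki over the SubjectPublicKeyInfo extracted from a certificate shows whether the encoding is what the text describes before a C parser is let loose on it.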