wgriffin wrote:
> 
> Well, I'm creating my CA certificate with a DSA key, that's easy and simple.
> Then I create an end entity cert with a DSA key to make sure I'm doing
> everything correctly, that works fine. Then I basically call these
> functions:
> 
> dh = DH_generate_parameters (64 , DH_GENERATOR_5 , NULL , NULL);
> DH_generate_key (dh);
> Pkey -> type = EVP_PKEY_DH;
> Pkey -> pkey.dh = dh;
> 
> ASN1_INTEGER_set (Request -> req_info -> version , 2L);
> then I set up the DN here with C, ST, O, OU, and CN entries.
> X509_REQ_set_pubkey (Request , Pkey);
> I don't sign the request, because that call was failing :)
> 
> X509_set_version (Certificate -> cert_info , 2L);
> I set the serial number and validity here
> X509_set_pubkey (Certificate , X509_REQ_get_pubkey (Request));
> then I add a subjectAltName extension
> X509_sign (Certificate , CAkey , digest);
> 
> The CAkey in the previous call is the DSA key from the CA certificate.
> Then I output the cert in PEM format:
> PEM_write_bio_X509 (out , Certificate);
> 
> Now I have a separate library with PEM_write_bio_DHPublicKey defined that I
> got from another project, so I'm not sure if PEM_write_bio_X509 is calling
> that function or not, but that's all I'm doing. None of the library calls
> complain and the certificate appears to have been created. When I execute
> "x509 -text -in endkeyx.out" x509 segfaults after displaying "Public Key
> Algorithm: dhKeyAgreement"
> Looking at the OIDs, they are correct, I have another utility that will
> display the certificate when I output it in ASN1 format and the Algorithm
> oid is pkcs3-dhKeyAgreement. So as far as I can tell, everything seems to
> have been created correctly, it's just a matter of OpenSSL not being able to
> read/write/parse the DH public key (at least I think).

That doesn't sound like a recipe I can easily use to reproduce the bug
(if it is one). How about some code that actually does it, or, failing
that, a certificate that fails?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
