Actually, I've gotten it to work. I added some code to handle the DH keys in
the ASN1 calls and I can now create and verify X509 certs with DH keys. So
that you can look at it, here is the PEM encoded certificate that was giving
me problems -
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ben Laurie
> Sent: Tuesday, January 05, 1999 1:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Are x509v3 certificates with Diffie-Hellman public keys
> possible?
>
>
> wgriffin wrote:
> >
> > Well, I'm creating my CA certificate with a DSA key, that's easy and simple.
> > Then I create an end entity cert with a DSA key to make sure I'm doing
> > everything correctly, that works fine. Then I basically call these
> > functions:
> >
> > dh = DH_generate_parameters(64, DH_GENERATOR_5, NULL, NULL);
> > DH_generate_key(dh);
> > Pkey->type = EVP_PKEY_DH;
> > Pkey->pkey.dh = dh;
> >
> > ASN1_INTEGER_set(Request->req_info->version, 2L);
> > then I set up the DN here with C, ST, O, OU, and CN entries.
> > X509_REQ_set_pubkey(Request, Pkey);
> > I don't sign the request, because that call was failing :)
> >
> > X509_set_version(Certificate->cert_info, 2L);
> > I set the serial number and validity here
> > X509_set_pubkey(Certificate, X509_REQ_get_pubkey(Request));
> > then I add a subjectAltName extension
> > X509_sign(Certificate, CAkey, digest);
> >
> > The CAkey in the previous call is the DSA key from the CA certificate.
> > Then I output the cert in PEM format:
> > PEM_write_bio_X509(out, Certificate);
> >
> > Now I have a separate library with PEM_write_bio_DHPublicKey defined that I
> > got from another project, so I'm not sure if PEM_write_bio_X509 is calling
> > that function or not, but that's all I'm doing. None of the library calls
> > complain and the certificate appears to have been created. When I execute
> > "x509 -text -in endkeyx.out" x509 segfaults after displaying "Public Key
> > Algorithm: dhKeyAgreement"
> > Looking at the OIDs, they are correct, I have another utility that will
> > display the certificate when I output it in ASN1 format and the Algorithm
> > oid is pkcs3-dhKeyAgreement. So as far as I can tell, everything seems to
> > have been created correctly, it's just a matter of OpenSSL not being able to
> > read/write/parse the DH public key (at least I think).
>
> That doesn't sound like a recipe I can easily use to reproduce the bug
> (if it is one). How about some code that actually does it, or, failing
> that, a certificate that fails?
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> "My grandfather once told me that there are two kinds of people: those
> who work and those who take the credit. He told me to try to be in the
> first group; there was less competition there."
> - Indira Gandhi
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
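As an added illustration (not code from this thread or from OpenSSL), the following builds the SubjectPublicKeyInfo that a dhKeyAgreement certificate carries, with the PKCS#3 DHParameter (p, g) in the AlgorithmIdentifier and the public value y as a DER INTEGER inside the BIT STRING, and parses it back with tag and length checks so that a malformed or truncated key is rejected with an error instead of crashing the way the x509 -text run described above did. The OID 1.2.840.113549.1.3.1 is the pkcs-3 dhKeyAgreement identifier named in the thread; the p, g and y values in the test are constructed for the example.

```python
DH_OID = bytes.fromhex("2a864886f70d010301")  # 1.2.840.113549.1.3.1, pkcs-3 dhKeyAgreement

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: 0x8N then N length bytes

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep it positive

def build_dh_spki(p: int, g: int, y: int) -> bytes:
    """SubjectPublicKeyInfo: AlgorithmIdentifier{dhKeyAgreement, DHParameter{p, g}}
    followed by subjectPublicKey = BIT STRING wrapping the DER INTEGER y."""
    params = der_tlv(0x30, der_int(p) + der_int(g))  # PKCS#3 DHParameter (no optional length)
    alg_id = der_tlv(0x30, der_tlv(0x06, DH_OID) + params)
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + der_int(y)))  # 0x00: no unused bits

def read_tlv(buf: bytes, off: int, tag: int) -> tuple[bytes, int]:
    """Return (content, next offset) of the element at off; wrong tag or truncation -> ValueError."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError("bad or missing tag 0x%02x at offset %d" % (tag, off))
    ln, off = buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + ln > len(buf):
        raise ValueError("DER length exceeds buffer")  # never read past the end
    return buf[off:off + ln], off + ln

def parse_dh_spki(spki: bytes) -> dict:
    """Recover p, g and y from a dhKeyAgreement SubjectPublicKeyInfo, or raise ValueError."""
    body, _ = read_tlv(spki, 0, 0x30)
    alg_id, off = read_tlv(body, 0, 0x30)
    oid, off2 = read_tlv(alg_id, 0, 0x06)
    if oid != DH_OID:
        raise ValueError("algorithm is not dhKeyAgreement")
    params, _ = read_tlv(alg_id, off2, 0x30)
    p, off3 = read_tlv(params, 0, 0x02)
    g, _ = read_tlv(params, off3, 0x02)
    bits, _ = read_tlv(body, off, 0x03)
    if bits[:1] != b"\x00":
        raise ValueError("unexpected unused-bit count in subjectPublicKey")
    y, _ = read_tlv(bits, 1, 0x02)  # anything but a bare INTEGER (e.g. a SEQUENCE) is rejected
    return {"p": int.from_bytes(p, "big"), "g": int.from_bytes(g, "big"), "y": int.from_bytes(y, "big")}
```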