Robert,
> TeleSec has founded the first PKI in Germany that works by the rules of
> the German signature law. They provide users with smartcards and offer
> the certificates in files on the web.
> (http://srv15.telesec.de/verzeichnisdienst/index.htm)
> However OpenSSL doesn't seem to be able to extract the correct RSA keys
> from that certificate.
>
> -----BEGIN CERTIFICATE-----
> MIICjTCCAfmgAwIBAgIEOwrADTAKBgYrJAMDAQIFADB/MQswCQYDVQQGEwJERTEc
[..].
> oELSz8DDTVV2eMv+bnMSC7l0jNmuln++Bb5K2wzcnLPq
> -----END CERTIFICATE-----
Where did you get the base64 format of the certificate from? TeleSec doesn't
provide this format, instead they use a proprietary "transport" format which
wraps several layers around the certificate itself. Did you extract the
certificate by using a special offset?
> BTW: I am able to decode the correct values from the certificate
> and put them into an RSA struct and verify signatures. However
> I would prefer to use the standard functions provided by OpenSSL.
> So is this a bug? Has anyone experienced similar problems???
This is a problem with the TeleSec certificates. I'm not sure about the
details but I've spoken to both TeleSec and the BSI ("Bundesamt fuer
Sicherheit in der Informationstechnik" www.bsi.de) about this problem.
They are aware of the bug but I don't think they'll change anything because
of the changes to their (evaluated) software that would be necessary.
I, too, would like to be able to look at the certificates w/ OpenSSL or
other tools but I think we'll have to wait for other CAs being operated
under the German signature law. They might do better...
Cheers,
Stefan.
______________________________________________________________________________
Stefan Kelm PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30 http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany) Tel: +49 40 428 83-2262 / Fax: -2241
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]