Re: Displaying cert with ecdsa

Fri, 16 Aug 2013 11:16:41 -0700 


On 08/14/2013 05:37 PM, Dave Thompson wrote:

From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
Sent: Wednesday, 14 August, 2013 15:49
I have a CA cert in pem format that uses ecdsa.  I have tried
to display the contents with:

openssl x509 -in x509-ca.pem -text -nameopt multiline -noout

I get errors:

          Subject Public Key Info:
              Public Key Algorithm: id-ecPublicKey
              Unable to load Public Key
140661212006240:error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
140661212006240:error:0B07706F:x509 certificate
routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:

Is there an option I need to add?  Is there something special
with this cert's Public Key Algorithm?

I'm pretty sure not. OpenSSL versions before 1.0.0 needed a
cipherstring option to use ECC suites *in SSL/TLS protocol*,
but local operations have worked as long as I remember.

What version of OpenSSL are you running, and how was it built?
In particular was it from official source, or patched?
I am running Fedora 16, standard biuld stuff. Yes, I know it is time to upgrade...
Openssl seems to be 1.0.0.k-1 per the yum log (I tried a -v option, but that does not seem to be supporte, nor --version).
The fellow that sent me the .pem has 1.0.1c-10 and was able to send me the dump of the cert and the PK algorithm is id-ecPublicKey and the ASN1 OID: prime256v1
So now at least I can move forward reviewing what they are doing with this cert, but it would be nice to be able to display it myself. 



A couple of remote possibilities: do you have your openssl.cnf
set (editted) to load an "engine", which doesn't support ECC?
I didn't think this level of parsing goes to an engine, but
I could be wrong. Do you have a FIPS-capable build and a
setting to force FIPS mode? FIPS should allow ECC (it is
NIST "Approved"), but something might be broken.

Can you try the same file with a different OpenSSL version
or build -- often easiest by using a different system?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to