> On Jul 25, 2018, at 4:50 PM, Ken Goldman <kgold...@us.ibm.com> wrote:
>
> For background, this is the TPM 1.2 endorsement key certificate. I.e., this
> is a real application with millions of certificates issued. The key is an
> RSA-2048 key.
>
> The TCG (for a while) specified
>
> Public Key Algorithm: rsaesOaep
>
> rather than the commonly used
>
> Public Key Algorithm: rsaEncryption
>
> because the key is an encryption key rather than a signing key.
> The X509 certificate parser fails to get the public key.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> An alternative fix (I got a patch for 098 from an openssl maintainer)
> that accepts rsaOaep would also fix the issue.
Or perhaps both. It is not clear that my choice of rejecting
unsupported key algorithms at security level 0 is the right one,
but it would of course be best if the key algorithm were supported
if it has non-negligible "legitimate" use.
Perhaps open an issue (or PR) on github proposing (or implementing)
a change to the check_key_level() logic and see whether there is
support for it?
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
