Question about development path - Openssl

This is a discussion on Question about development path - Openssl ; We use Verisign certs for signing and encrypting our email. This year Verisign changed the algorithm used for their certs from md5RSA to sha1RSA. Now all my unix and mac clients can no longer import their certs because openssl apparently ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Question about development path

  1. Question about development path

    We use Verisign certs for signing and encrypting our email. This year Verisign
    changed the algorithm used for their certs from md5RSA to sha1RSA. Now all my
    unix and mac clients can no longer import their certs because openssl
    apparently doesn't understand that algorithm.

    This is the result of the following command for an md5RSA cert - openssl pkcs12
    -in certname:

    Bag Attributes:
    subject=/O=The University of Texas System/OU=VeriSign Trust Network/OU=Terms of
    use at https://www.verisign.com/rpa (c)99/OU=Class 2 CA - OnSite Individual
    Subscriber/CN=The University of Texas at Dallas CA
    issuer=/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
    - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
    Network

    This is the result of the same command for a sha1RSA cert:

    88566:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
    tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:1294:
    88566:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
    error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:380:Type=PKCS12

    Is there a roadmap in the development plan for including sha1RSA in the
    algorithms that openssl understands?

    --
    Paul Schmehl
    As if it wasn't already obvious,
    my opinions are my own and not
    those of my employer.

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Question about development path

    On Wed, May 28, 2008, Paul Schmehl wrote:

    > We use Verisign certs for signing and encrypting our email. This year
    > Verisign changed the algorithm used for their certs from md5RSA to sha1RSA.
    > Now all my unix and mac clients can no longer import their certs because
    > openssl apparently doesn't understand that algorithm.
    >
    > This is the result of the following command for an md5RSA cert - openssl
    > pkcs12 -in certname:
    >
    > Bag Attributes:
    > subject=/O=The University of Texas System/OU=VeriSign Trust
    > Network/OU=Terms of use at https://www.verisign.com/rpa (c)99/OU=Class 2 CA
    > - OnSite Individual Subscriber/CN=The University of Texas at Dallas CA
    > issuer=/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification
    > Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use
    > only/OU=VeriSign Trust Network
    >
    > This is the result of the same command for a sha1RSA cert:
    >
    > 88566:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
    > tag:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:1294:
    > 88566:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
    > error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/tasn_dec.c:380:Type=PKCS12
    >
    > Is there a roadmap in the development plan for including sha1RSA in the
    > algorithms that openssl understands?
    >


    OpenSSL has supported sha1+RSA from the very beginning. You wouldn't expect
    that error if it didn't recognize the algorithm.... even for totally
    unsupported algorithms OpenSSL will still parse the certificates.

    I'd say that whatever you are feeding into 'openssl pkcs12' is not in PKCS#12
    format.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. Re: Question about development path

    --On Wednesday, May 28, 2008 18:09:06 +0200 "Dr. Stephen Henson"
    wrote:
    >
    > OpenSSL has supported sha1+RSA from the very beginning. You wouldn't expect
    > that error if it didn't recognize the algorithm.... even for totally
    > unsupported algorithms OpenSSL will still parse the certificates.
    >
    > I'd say that whatever you are feeding into 'openssl pkcs12' is not in PKCS#12
    > format.
    >


    Hmmm....I have no doubt that you know exactly what you're talking about.
    However, both certs were both exported from IE on Windows and then parsed by
    openssl. According to Windows they are exported in pkcs12 format. AFAIK, the
    only thing that's changed is the encryption algorithm used by Verisign.

    Is there some way I can use openssl to see what's inside the cert that doesn't
    work? If I sent the certs to you, could you determine what's changed?

    --
    Paul Schmehl
    As if it wasn't already obvious,
    my opinions are my own and not
    those of my employer.

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  4. Re: Question about development path

    --On Wednesday, May 28, 2008 12:19:25 -0500 Paul Schmehl
    wrote:

    > --On Wednesday, May 28, 2008 18:09:06 +0200 "Dr. Stephen Henson"
    > wrote:
    >>
    >> OpenSSL has supported sha1+RSA from the very beginning. You wouldn't expect
    >> that error if it didn't recognize the algorithm.... even for totally
    >> unsupported algorithms OpenSSL will still parse the certificates.
    >>
    >> I'd say that whatever you are feeding into 'openssl pkcs12' is not in PKCS#12
    >> format.
    >>

    >
    > Hmmm....I have no doubt that you know exactly what you're talking about.
    > However, both certs were both exported from IE on Windows and then parsed by
    > openssl. According to Windows they are exported in pkcs12 format. AFAIK,
    > the only thing that's changed is the encryption algorithm used by Verisign.
    >
    > Is there some way I can use openssl to see what's inside the cert that
    > doesn't work? If I sent the certs to you, could you determine what's changed?


    Following up on my own response.....your answer led me to the resolution of the
    problem. Since I couldn't do anything with that cert using openssl, I looked
    at it with strings.

    Type:This file is encrypted with SafeBoot Content Encryption - If you see this
    message you must not edit or save this file, doing so will irretrievably
    corrupt the data

    )_(*&)(*&_*&_*&

    I exported another copy to a location I knew to not be encrypted with Safeboot,
    and openssl parses it just fine.

    Thanks for pointing me in the right direction. Wish I thought of this months
    ago.

    --
    Paul Schmehl
    As if it wasn't already obvious,
    my opinions are my own and not
    those of my employer.

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


+ Reply to Thread