Thanks for adding the key generation documentation and showing me an example, but I still have no luck.
If anyone could generate a CA, then sign DSA key with it, and then connect gnutls-cli and gnutls-serv using that key verified by CA... would he please post a complete command sentence needed to achieve it? Because all my attempts still fail on the same error: For each failed client attempt, server says: ...... |<7>| READ: -1 returned from 5, errno=11 gerrno=0 |<2>| ASSERT: gnutls_buffers.c:360 |<2>| ASSERT: gnutls_buffers.c:1151 |<2>| ASSERT: gnutls_handshake.c:1045 |<7>| READ: -1 returned from 5, errno=104 gerrno=0 |<2>| ASSERT: gnutls_buffers.c:368 |<2>| ASSERT: gnutls_buffers.c:623 |<2>| ASSERT: gnutls_record.c:909 |<2>| ASSERT: gnutls_buffers.c:1151 |<2>| ASSERT: gnutls_handshake.c:1045 |<2>| ASSERT: gnutls_handshake.c:2647 |<6>| BUF[HSK]: Cleared Data from buffer Error in handshake Error: A TLS packet with unexpected length was received. |<4>| REC: Sending Alert[2|22] - Record overflow |<4>| REC[64c780]: Sending Packet[5] Alert(21) with length: 2 |<2>| ASSERT: gnutls_cipher.c:204 |<7>| WRITE: Will write 7 bytes to 5. |<2>| ASSERT: gnutls_buffers.c:834 |<2>| ASSERT: gnutls_record.c:461 |<2>| ASSERT: gnutls_record.c:262 .... And client dies on: .... |<7>| RB: Have 5 bytes into buffer. Adding 279 bytes. |<7>| RB: Requested 284 bytes |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[64aaa0]: Decrypted Packet[2] Handshake(22) with length: 279 |<6>| BUF[HSK]: Inserted 279 bytes of Data(22) |<6>| BUF[REC][HD]: Read 1 bytes of Data(22) |<6>| BUF[REC][HD]: Read 3 bytes of Data(22) |<3>| HSK[64aaa0]: SERVER KEY EXCHANGE was received [279 bytes] |<6>| BUF[REC][HD]: Read 275 bytes of Data(22) |<6>| BUF[HSK]: Peeked 1941 bytes of Data |<6>| BUF[HSK]: Emptied buffer |<6>| BUF[HSK]: Inserted 4 bytes of Data |<6>| BUF[HSK]: Inserted 275 bytes of Data |<2>| ASSERT: pk-libgcrypt.c:519 |<2>| ASSERT: gnutls_pk.c:515 |<2>| ASSERT: gnutls_sig.c:347 |<2>| ASSERT: gnutls_sig.c:506 |<2>| ASSERT: auth_dhe.c:232 |<2>| ASSERT: gnutls_kx.c:415 |<2>| ASSERT: gnutls_handshake.c:2386 |<6>| BUF[HSK]: Cleared Data from buffer *** Fatal error: Public key signature verification has failed. *** Handshake has failed GNUTLS ERROR: Public key signature verification has failed. On Mon, Apr 20, 2009 at 4:14 PM, Simon Josefsson <[email protected]> wrote: > Miroslav Kratochvil <[email protected]> writes: > >> Hi everyone, >> >> well, after I solved the problem at [1], I got to real problems problems: >> >> I want gnutls to negotiate encrypted connection using DSA keys. I >> realized that I will have to use DHE_DSS algorithm, but I have no idea >> how to generate a certificate for one. Googling failed, and >> documentation says only that "DHE_DSS uses DSA keys in certificates." >> >> In OpenSSL world (from where I'm migrating) it was easy, one just >> appended "-dsa" to key generating parameters, and it was done. >> Nevertheless; with gnutls and --dsa option; I'm getting error -89 >> (Public key signature verification has failed.). RSA alternative >> (--rsa with the same commands) works ok. >> >> So, is there any tutorial or howto on generating suitable DSA keys for >> use with encryption? Ideally with a complete certtool script for >> generating one selfsigned CA keypair and other that-ca-signed keypair. > > Check the manual: > > http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html > > Generating a certificate using those instructions seems to work fine > here, see log below. > > You are right that the manual doesn't give an example for DSA keys, so I > added one: > > http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06 > > Can you explain exactly what you did to get the -89 error? > > /Simon > > j...@mocca:~$ certtool --generate-privkey --outfile key.pem --dsa > Generating a 2048 bit DSA private key... > j...@mocca:~$ cat key.pem > -----BEGIN DSA PRIVATE KEY----- > MIIDGQIBAAKCAQEAw8xAilE8wNbdQZJVRGpOjEYdibjT3N5vpDMmsqf4unH1Mlht > w/ZPmkUs5vww+XpTCs64QKfJmBSmoXFAFJMiKm8J8yacnd7PdYBmSFIizZJ9S+BJ > SDY+SAb0lz9F/De/jJNZg9cIAtpcD7oDduoD9pS/rI74JFpwO8v48BuQYnuBb+0y > h95rKGkFSy2yEgQcRjb8H+utddMV57U/w9j80NGJABYevEpzIFttnREpdoXmEk9j > 5aqg/eh33fCXXsknhVEq/onojmswXE3zUfyGOxcuTzhaUWU9edN9c28+RusBJFsH > u9E9VJEeNYd2zj4/vxixQZtVRbzfNJuVlXZlOQIDAQABAoIBAEJQysdOTopt+9B6 > tKCQdPwzv0tnK3LSb/OoU4INPERB1q9vnfXSVhHFPjkZz6if0sKFU4iqi7ATxoBF > sFOHpfnDVBZjzIX38kI08++oyhrgc8mgNJHdtWiF2o/joVuUsi71tUrfKNp2hNna > wdOj3SXGKclTPx5o9zx5kF4ap+OConIh9t1q1cNntF+slzGh2X8FIJQOV20NrSrm > nsi3O6uLzu6Mg+9j2d9kLF8tph9JhtbV88BsoQVAALwpXsWYEQ4/7FVZfYPr2HNM > sGbm7SKMsYNaDTUB6608Tt6kPUh1b7E8OD2UtE/abtqnM7SW+1Uop8E98ePYPBG+ > pYVyc3UCgYEAxYo5RbY5gP9zszToGFNM6/X1wNUsWp5QDFA4qKiy9ZExAhTDnxtL > KIbVHW509LuQnDWES+XmM3KmjIPdKHSb2pgGqCwSShd4xbdUfsy+XDuWCPcsQG+M > geZSZNtYT6a3Y72vWEZrFO71jNaHi2NZrVvY8ekrWY1lc6S7DKBzB0MCgYEA/b4M > Hl9JGQEv0axXQl4jEVlBRVXO+t/ZXyM2Z0wp+s6QCm1LhuhJJXLmWhumSE19eER3 > eNmB9SPRIy6Ar96ZfxebMJaLGZZQEpCGT+5CZXIWc9liZZK9W1ef6UkztUOAeyy0 > 010Hv8kMhryRJtOvpbogv1uxd3YGV/HI5o7949M= > -----END DSA PRIVATE KEY----- > j...@mocca:~$ certtool --generate-certificate --load-privkey key.pem > --outfile cert.pem --load-ca-certificate > ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey > ~/src/www-gnutls/test-credentials/x509-ca-key.pem > Generating a signed certificate... > Please enter the details of the certificate's distinguished name. Just press > enter to ignore a field. > Country name (2 chars): SE > Organization name: > Organizational unit name: > Locality name: > State or province name: > Common name: foo.bar.com > UID: > This field should not be used in new certificates. > E-mail: > Enter the certificate's serial number in decimal (default: 1240236605): > > > Activation/Expiration time. > The certificate will expire in (days): > The certificate will expire in (days): 180 > > > Extensions. > Does the certificate belong to an authority? (y/N): > Is this a TLS web client certificate? (y/N): y > Is this also a TLS web server certificate? (y/N): y > Enter the dnsName of the subject of the certificate: foo.bar.com > Enter the dnsName of the subject of the certificate: > X.509 Certificate Information: > Version: 3 > Serial Number (hex): 49ec823d > Validity: > Not Before: Mon Apr 20 14:10:06 UTC 2009 > Not After: Sat Oct 17 14:10:08 UTC 2009 > Subject: C=SE,CN=foo.bar.com > Subject Public Key Algorithm: DSA > Public key (bits 1024): > c5:8a:39:45:b6:39:80:ff:73:b3:34:e8:18:53:4c:eb > f5:f5:c0:d5:2c:5a:9e:50:0c:50:38:a8:a8:b2:f5:91 > 31:02:14:c3:9f:1b:4b:28:86:d5:1d:6e:74:f4:bb:90 > 9c:35:84:4b:e5:e6:33:72:a6:8c:83:dd:28:74:9b:da > 98:06:a8:2c:12:4a:17:78:c5:b7:54:7e:cc:be:5c:3b > 96:08:f7:2c:40:6f:8c:81:e6:52:64:db:58:4f:a6:b7 > 63:bd:af:58:46:6b:14:ee:f5:8c:d6:87:8b:63:59:ad > 5b:d8:f1:e9:2b:59:8d:65:73:a4:bb:0c:a0:73:07:43 > P: > c3:cc:40:8a:51:3c:c0:d6:dd:41:92:55:44:6a:4e:8c > 46:1d:89:b8:d3:dc:de:6f:a4:33:26:b2:a7:f8:ba:71 > f5:32:58:6d:c3:f6:4f:9a:45:2c:e6:fc:30:f9:7a:53 > 0a:ce:b8:40:a7:c9:98:14:a6:a1:71:40:14:93:22:2a > 6f:09:f3:26:9c:9d:de:cf:75:80:66:48:52:22:cd:92 > 7d:4b:e0:49:48:36:3e:48:06:f4:97:3f:45:fc:37:bf > 8c:93:59:83:d7:08:02:da:5c:0f:ba:03:76:ea:03:f6 > 94:bf:ac:8e:f8:24:5a:70:3b:cb:f8:f0:1b:90:62:7b > 81:6f:ed:32:87:de:6b:28:69:05:4b:2d:b2:12:04:1c > 46:36:fc:1f:eb:ad:75:d3:15:e7:b5:3f:c3:d8:fc:d0 > d1:89:00:16:1e:bc:4a:73:20:5b:6d:9d:11:29:76:85 > e6:12:4f:63:e5:aa:a0:fd:e8:77:dd:f0:97:5e:c9:27 > 85:51:2a:fe:89:e8:8e:6b:30:5c:4d:f3:51:fc:86:3b > 17:2e:4f:38:5a:51:65:3d:79:d3:7d:73:6f:3e:46:eb > 01:24:5b:07:bb:d1:3d:54:91:1e:35:87:76:ce:3e:3f > bf:18:b1:41:9b:55:45:bc:df:34:9b:95:95:76:65:39 > Q: > 01:00:01 > G: > 42:50:ca:c7:4e:4e:8a:6d:fb:d0:7a:b4:a0:90:74:fc > 33:bf:4b:67:2b:72:d2:6f:f3:a8:53:82:0d:3c:44:41 > d6:af:6f:9d:f5:d2:56:11:c5:3e:39:19:cf:a8:9f:d2 > c2:85:53:88:aa:8b:b0:13:c6:80:45:b0:53:87:a5:f9 > c3:54:16:63:cc:85:f7:f2:42:34:f3:ef:a8:ca:1a:e0 > 73:c9:a0:34:91:dd:b5:68:85:da:8f:e3:a1:5b:94:b2 > 2e:f5:b5:4a:df:28:da:76:84:d9:da:c1:d3:a3:dd:25 > c6:29:c9:53:3f:1e:68:f7:3c:79:90:5e:1a:a7:e3:82 > a2:72:21:f6:dd:6a:d5:c3:67:b4:5f:ac:97:31:a1:d9 > 7f:05:20:94:0e:57:6d:0d:ad:2a:e6:9e:c8:b7:3b:ab > 8b:ce:ee:8c:83:ef:63:d9:df:64:2c:5f:2d:a6:1f:49 > 86:d6:d5:f3:c0:6c:a1:05:40:00:bc:29:5e:c5:98:11 > 0e:3f:ec:55:59:7d:83:eb:d8:73:4c:b0:66:e6:ed:22 > 8c:b1:83:5a:0d:35:01:eb:ad:3c:4e:de:a4:3d:48:75 > 6f:b1:3c:38:3d:94:b4:4f:da:6e:da:a7:33:b4:96:fb > 55:28:a7:c1:3d:f1:e3:d8:3c:11:be:a5:85:72:73:75 > Extensions: > Basic Constraints (critical): > Certificate Authority (CA): FALSE > Key Purpose (not critical): > TLS WWW Client. > TLS WWW Server. > Subject Alternative Name (not critical): > DNSname: foo.bar.com > Key Usage (critical): > Digital signature. > Subject Key Identifier (not critical): > e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f > Authority Key Identifier (not critical): > e93c1cfbad926ee606a4562ca2e1c05327c8f295 > Other Information: > Public Key Id: > e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f > > Is the above information ok? (Y/N): y > > > Signing certificate... > j...@mocca:~$ certtool -v > certtool (GnuTLS) 2.6.5 > Copyright (C) 2008 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > Written by Nikos Mavrogiannopoulos and Simon Josefsson. > j...@mocca:~$ > _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
