Its not the worst diagnostic situation that I have seen on z/OS ( that award would go to the C-library OS I/O stuff IMO).
In this case, the external API that failed is gsk_decode_import_key(), and if you look it up the error that you are getting is documented: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm The algorithm codes can be found in /usr/include gskcms.h x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */ Kirk Wolf Dovetailed Technologies http://dovetail.com PS> If you want some "fun", take you X.509 cert and load it into a ASN.1 tool that displays the whole ugly thing On Mon, Nov 6, 2017 at 7:55 PM, Charles Mills <charl...@mcn.org> wrote: > Got it! The only password encryption algorithm (PBE) supported for FIPS > mode is pbeWithSha1And3DesCbc. > > In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES > > Sheesh! Would a more specific error message kill them? > > Charles > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Charles Mills > Sent: Monday, November 6, 2017 5:41 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: What cryptographic algorithm is not supported? > > Okay, I got trace information out of gskkyman. What do you make of this? > > INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 > bytes > INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 > bytes > INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed > for 8 bytes > INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed > for 8 bytes > INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed > for 16 bytes > INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed > for 16 bytes > INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption > performed for 16 bytes > INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption > performed for 16 bytes > INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed > for 16 bytes > INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed > for 16 bytes > INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption > performed for 16 bytes > INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption > performed for 16 bytes > INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits > INFO crypto_rsa_public_encrypt(): Software RSA public key encryption > performed > INFO crypto_rsa_private_decrypt(): Using PKCS private key > INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits > INFO crypto_rsa_private_decrypt(): Software RSA private key decryption > performed > INFO open_kdb_check_filedata(): Record size 5000, Record count 12 > INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate > Authority' is self-signed > INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is > self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G5' is self-signed > INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed > INFO open_kdb_check_filedata(): Record size 5000, Record count 0 > ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE > ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error > 0x03353003 > ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 > ERROR gsk_import_key(): Unable to decode subject certificate or chain: > Error 0x03353003 > > Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where > does that come into the picture? What is PBE? > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
