Hi, I was not able to reproduce your problem using the same snapshot. I ran your commands a dozen times with no error. Tested under Linux 32-bit (CentOS 5, gcc 4.1.2) and Linux 64-bit (Debian 5, gcc 4.3.2). What platform/compiler are you using? What does your openssl.cnf look like? In my tests, I use the one installed by the snapshot build.
Is anyone else able to reproduce this problem?

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/8/2010 9:40 PM, Hanno Boeck via RT wrote:
> It seems that openssl has a problem with pss certificates and uncommon rsa key
> sizes. For all keysizes with "keysize mod 8 = 1" (or keysize = n*8+1),
> verification of a self-signed test cert fails.
>
> I've not yet investigated if it's the generation or the verification code that
> is wrong, it's probably related to the emBits variable from the emsa-pss-
> verify/encode-code.
>
> Check with this:
> openssl genrsa 2007 > test.key
> openssl req -batch -new -x509 -sigopt rsa_padding_mode:pss -nodes -days 99999 -key test.key > test.crt
> openssl verify -check_ss_sig -CAfile test.crt test.crt
>
> Output of the last command is:
> 139831192893096:error:0407E06D:rsa routines:RSA_verify_PKCS1_PSS:data too large:rsa_pss.c:127:
> 139831192893096:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:215:
>
>
> Tested with openssl-SNAP-20100808.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
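The emBits arithmetic the quoted report points at, as an added example that is not part of the original thread and is not OpenSSL's code: a minimal EMSA-PSS encode/verify following RFC 8017 section 9.1, showing that for a modulus of 8n+1 bits the encoded message is one octet shorter than the modulus, so the RSA result carries a leading zero octet that must be dropped before the PSS checks. SHA-256, the 1025-bit size used in testing, and all function names are assumptions chosen for illustration.

```python
# Added illustration of EMSA-PSS length handling (RFC 8017, sec. 9.1); not OpenSSL code.
import hashlib

H, HLEN = hashlib.sha256, 32  # hash choice is an assumption of this example

def mgf1(seed, n):
    out = b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(n // HLEN + 1))
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_lengths(mod_bits):
    """Return (k, emBits, emLen, zero_bits); k = modulus octets, emLen = EM octets."""
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    return (mod_bits + 7) // 8, em_bits, em_len, 8 * em_len - em_bits

def emsa_pss_encode(msg, em_bits, salt):
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error")
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the leftmost zero_bits
    return bytes(masked) + h + b"\xbc"

def em_from_rsa_output(raw, mod_bits):
    """Map the k-octet RSA result to the emLen-octet EM (drops a zero octet if emLen = k - 1)."""
    k, _, em_len, _ = pss_lengths(mod_bits)
    if len(raw) != k or any(raw[:k - em_len]):
        return None
    return raw[k - em_len:]

def emsa_pss_verify(msg, em, em_bits, s_len):
    em_len = (em_bits + 7) // 8
    if em is None or len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    zero_bits = 8 * em_len - em_bits
    if masked[0] & (0xFF << (8 - zero_bits)) & 0xFF:  # leftmost bits must be zero
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= 0xFF >> zero_bits
    pad = em_len - HLEN - s_len - 2
    return (not any(db[:pad]) and db[pad] == 0x01 and
            H(b"\x00" * 8 + H(msg).digest() + bytes(db[pad + 1:])).digest() == h)
```

For a 1025-bit modulus, `pss_lengths` gives k = 129 but emLen = 128 with no bits to mask, which is the one case where the verifier has to shorten its input by an octet instead of masking bits.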
