Re: What cryptographic algorithm is not supported?

2017-11-08 Thread Donald J
I notice your cert display did not list a "Key Usage" section.  

X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment

Digital Signature and Data Encipherment are defaults, but
KeY Encipherment does not default and needs to be specified
in Key Usage.

X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Comment:
OpenSSL Generated Certificate
82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E

> Sent: Tuesday, November 07, 2017 at 10:40 AM
> From: "Charles Mills" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> That could be another thread "most useless diagnostic ever."
> 
> Right, that is the API call (apparently) that failed, but I don't think one 
> knows that just from the error message. As I said, I got the same error 
> message for presenting a certificate with a SHA-1 digest (I think). 
> Presumably a different CMS API call but the same external message. Different 
> action for the user.
> 
> I display certificates all the time. My script that issues OpenSSL 
> certificates displays them at the end.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Kirk Wolf
> Sent: Tuesday, November 7, 2017 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
> 
> Its not the worst diagnostic situation that I have seen on z/OS ( that award 
> would go to the C-library OS I/O stuff IMO).
> 
> In this case, the external API that failed is gsk_decode_import_key(), and if 
> you look it up the error that you are getting is documented:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm
> 
> The algorithm codes can be found in /usr/include gskcms.h
> x509_alg_pbeWithSha1And40BitRc2Cbc  = 36,  /* 1.2.840.113549.1.12.1.6   */
> 
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
> 
> PS>  If you want some "fun", take you X.509 cert and load it into a 
> PS> ASN.1
> tool that displays the whole ugly thing
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-07 Thread Charles Mills
That could be another thread "most useless diagnostic ever."

Right, that is the API call (apparently) that failed, but I don't think one 
knows that just from the error message. As I said, I got the same error message 
for presenting a certificate with a SHA-1 digest (I think). Presumably a 
different CMS API call but the same external message. Different action for the 
user.

I display certificates all the time. My script that issues OpenSSL certificates 
displays them at the end.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kirk Wolf
Sent: Tuesday, November 7, 2017 8:07 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

Its not the worst diagnostic situation that I have seen on z/OS ( that award 
would go to the C-library OS I/O stuff IMO).

In this case, the external API that failed is gsk_decode_import_key(), and if 
you look it up the error that you are getting is documented:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm

The algorithm codes can be found in /usr/include gskcms.h
x509_alg_pbeWithSha1And40BitRc2Cbc  = 36,  /* 1.2.840.113549.1.12.1.6   */

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS>  If you want some "fun", take you X.509 cert and load it into a 
PS> ASN.1
tool that displays the whole ugly thing

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-07 Thread Kirk Wolf
Its not the worst diagnostic situation that I have seen on z/OS ( that
award would go to the C-library OS I/O stuff IMO).

In this case, the external API that failed is gsk_decode_import_key(), and
if you look it up the error that you are getting is documented:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm

The algorithm codes can be found in /usr/include gskcms.h
x509_alg_pbeWithSha1And40BitRc2Cbc  = 36,  /* 1.2.840.113549.1.12.1.6   */

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS>  If you want some "fun", take you X.509 cert and load it into a ASN.1
tool that displays the whole ugly thing

On Mon, Nov 6, 2017 at 7:55 PM, Charles Mills  wrote:

> Got it! The only password encryption algorithm (PBE) supported for FIPS
> mode is pbeWithSha1And3DesCbc.
>
> In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES
>
> Sheesh! Would a more specific error message kill them?
>
> Charles
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Charles Mills
> Sent: Monday, November 6, 2017 5:41 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> Okay, I got trace information out of gskkyman. What do you make of this?
>
> INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8
> bytes
> INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8
> bytes
> INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed
> for 8 bytes
> INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed
> for 8 bytes
> INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed
> for 16 bytes
> INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed
> for 16 bytes
> INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption
> performed for 16 bytes
> INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption
> performed for 16 bytes
> INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed
> for 16 bytes
> INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed
> for 16 bytes
> INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption
> performed for 16 bytes
> INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption
> performed for 16 bytes
> INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits
> INFO crypto_rsa_public_encrypt(): Software RSA public key encryption
> performed
> INFO crypto_rsa_private_decrypt(): Using PKCS private key
> INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits
> INFO crypto_rsa_private_decrypt(): Software RSA private key decryption
> performed
> INFO open_kdb_check_filedata(): Record size 5000, Record count 12
> INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate
> Authority' is self-signed
> INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is
> self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA
> - G2' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA
> - G2' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA
> - G2' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA
> - G2' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA
> - G3' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA
> - G3' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA
> - G3' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA
> - G3' is self-signed
> INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA
> - G5' is self-signed
> INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed
> INFO open_kdb_check_filedata(): Record size 5000, Record count 0
> ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE
> ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error
> 0x03353003
> ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003
> ERROR gsk_import_key(): Unable to decode subject certificate or chain:
> Error 0x03353003
>
> Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where
> does that come into the picture? What is PBE?
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-07 Thread Paul Gilmartin
On Tue, 7 Nov 2017 08:53:48 -0600, Edward Gould wrote:
>
>May I make an observation, please?
>
>... IBM standards which indicate e,s,i etc at the end to indicate severity ...
> 
Oh, come on!  As long as I can remember, various fatal JCL and excution error
messages have had an "I" suffix.  This seems counterintuitive to me, but I 
expect
true blue readers of this form to rationalize it.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-07 Thread Edward Gould
> On Nov 6, 2017, at 7:55 PM, Charles Mills  wrote:
> 
> Got it! The only password encryption algorithm (PBE) supported for FIPS mode 
> is pbeWithSha1And3DesCbc.
> 
> In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES
> 
> Sheesh! Would a more specific error message kill them?
> 
> Charles

Charles:

May I make an observation, please?

Somewhere around the 1992-95 time frame, IBM went south as to documenting 
information that was critical, *I THINK* it was around the time that the UNIX 
people came in.
Messages that were easy to understand became pretty well gibberish with TCP, 
especially when it came time for TCP and the UNIX. The TCP people would put out 
a message and in the message was a rc. The RC never seemed to be documented in 
the message and as a result would require a call to the support line for help 
adding sometimes days (sometimes minutes though) to get an answer. OK then once 
you have that, sometimes that didn’t help as you had no idea what they were 
referencing, which started a new call to the support center. Problem 
determination seemed to take forever. If you were lucky the guy on the other 
end actually had an idea what the problem was and would give you a nudge, then 
there was the call back from level 2/3 and they (to me anyway) were talking 
about items that I did not have a clue on. Sometimes you were really unlucky 
and got two rc’s and then that was an automatic call.
I don’t know if any one else noticed that the TCP messages did not follow IBM 
standards which indicate e,s,i etc at the end to indicate severity and that the 
length of the messaged changed.. Then you pick up the TCP book on error 
messages and for a lot of them. The message was just reworded and echo’s back 
at you. I just hated TCP issues as they were like talking to a wall and add to 
the fact that they seem to be talking a different language than IBM used to 
talk and you were used to did  not help out a bit. Also, it seemed that none of 
the RC’s were documented.

After the initial brush with TCP I refused to go near it again. The damn TCP 
error message book was like a wooden stick to my heart. I tried to palm off any 
tcp issues to someone else as I got frustrated to the point of asking the boss 
to hire someone that was an expert as I never wanted to see another TCP message 
again.

Ed


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-07 Thread Steve Smith
I see what you did there ;-)

On Tue, Nov 7, 2017 at 1:34 AM, Timothy Sipples  wrote:

> However, it'd be lovely if you would submit a RFE (not PMR) to IBM to
> expand that PBE-related GSK error message handling in some reasonable way
> PDQ, possibly resulting in a PTF that you'd install in zFS via a TSO login.
> BTW, RFC standards like TLS and SSL with their SHA, RSA, DES, PKI, CBC,
> XTS, and other characteristics can sometimes be a PITA.
>
> http://www.ibm.com/developerworks/rfe
>
> Thx. :-)
>
> 
> Timothy Sipples
> IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA
> E-Mail: sipp...@sg.ibm.com

sas

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-06 Thread Timothy Sipples
In fairness, "PBE" (Password-Based Encryption) is a common term of art in
cryptography. OpenSSL and LibreSSL are among the many tools that use the
same TLA (three letter acronym) copiously.

However, it'd be lovely if you would submit a RFE (not PMR) to IBM to
expand that PBE-related GSK error message handling in some reasonable way
PDQ, possibly resulting in a PTF that you'd install in zFS via a TSO login.
BTW, RFC standards like TLS and SSL with their SHA, RSA, DES, PKI, CBC,
XTS, and other characteristics can sometimes be a PITA.

http://www.ibm.com/developerworks/rfe

Thx. :-)


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-06 Thread Charles Mills
Got it! The only password encryption algorithm (PBE) supported for FIPS mode is 
pbeWithSha1And3DesCbc.

In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES

Sheesh! Would a more specific error message kill them?

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, November 6, 2017 5:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

Okay, I got trace information out of gskkyman. What do you make of this?

INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes 
  
INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes 
  
INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 
bytes  
INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 
bytes  
INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed 
for 16 bytes   
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed 
for 16 bytes   
INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed 
for 16 bytes   
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed 
for 16 bytes   
INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits  
  
INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed  
  
INFO crypto_rsa_private_decrypt(): Using PKCS private key   
  
INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits 
  
INFO crypto_rsa_private_decrypt(): Software RSA private key decryption 
performed  
INFO open_kdb_check_filedata(): Record size 5000, Record count 12   
  
INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' 
is self-signed  
INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is 
self-signed 
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G5' is self-signed   
INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed  
  
INFO open_kdb_check_filedata(): Record size 5000, Record count 0
  
ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE  
  
ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 
0x03353003
ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 
  
ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 
0x03353003   

Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does 
that come into the picture? What is PBE?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-06 Thread Charles Mills
Okay, I got trace information out of gskkyman. What do you make of this?

INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes 
  
INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes 
  
INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 
bytes  
INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 
bytes  
INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed 
for 16 bytes   
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed 
for 16 bytes   
INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 
16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 
16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed 
for 16 bytes   
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed 
for 16 bytes   
INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits  
  
INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed  
  
INFO crypto_rsa_private_decrypt(): Using PKCS private key   
  
INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits 
  
INFO crypto_rsa_private_decrypt(): Software RSA private key decryption 
performed  
INFO open_kdb_check_filedata(): Record size 5000, Record count 12   
  
INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' 
is self-signed  
INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is 
self-signed 
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - 
G2' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - 
G3' is self-signed   
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - 
G5' is self-signed   
INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed  
  
INFO open_kdb_check_filedata(): Record size 5000, Record count 0
  
ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE  
  
ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 
0x03353003
ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 
  
ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 
0x03353003   

Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does 
that come into the picture? What is PBE?

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, November 6, 2017 5:00 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a 
*cryptographic* hash? Who knows if IBM is being that precise? Good thought.

I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me 
like SHA-512 and RSA 2048 are supported in FIPS mode.

Could it be something in the CA certificate? It looks like it is SHA-256 RSA 
2048, so it should be good also.

Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm 
-- I see the GSK trace. I will try that.

I hate obscure error messages. Tell me what you are objecting to, darn it!

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David W Noon
Sent: Monday, November 6, 2017 4:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

On Mon, 6 Nov 2017 14:32:01 -

Re: What cryptographic algorithm is not supported?

2017-11-06 Thread Charles Mills
David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a 
*cryptographic* hash? Who knows if IBM is being that precise? Good thought.

I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me 
like SHA-512 and RSA 2048 are supported in FIPS mode.

Could it be something in the CA certificate? It looks like it is SHA-256 RSA 
2048, so it should be good also.

Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm 
-- I see the GSK trace. I will try that.

I hate obscure error messages. Tell me what you are objecting to, darn it!

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David W Noon
Sent: Monday, November 6, 2017 4:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills (charl...@mcn.org) wrote about 
"What cryptographic algorithm is not supported?" (in
<210a01d3574f$11063a10$3312ae30$@mcn.org>):

> I am trying to load a certificate and key into a FIPS-140 GSK 
> database. I am getting Status 0x03353003 - Cryptographic algorithm is 
> not supported. How would I know exactly what algorithm it is 
> complaining about? Here's an extract from the certificate and key:

You have 2 lines that mention algorithms:

> Signature Algorithm: sha512WithRSAEncryption

> Public Key Algorithm: rsaEncryption

(There is actually a 3rd one, but it is the same as the first.)

Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto algorithm.

I don't know why RSA would be unsupported, as it has been around since the late 
1970's. I can only infer that it has been dropped.
--
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
david.w.n...@googlemail.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What cryptographic algorithm is not supported?

2017-11-06 Thread David W Noon
On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills (charl...@mcn.org)
wrote about "What cryptographic algorithm is not supported?" (in
<210a01d3574f$11063a10$3312ae30$@mcn.org>):

> I am trying to load a certificate and key into a FIPS-140 GSK database. I am
> getting Status 0x03353003 - Cryptographic algorithm is not supported. How
> would I know exactly what algorithm it is complaining about? Here's an
> extract from the certificate and key:

You have 2 lines that mention algorithms:

> Signature Algorithm: sha512WithRSAEncryption

> Public Key Algorithm: rsaEncryption

(There is actually a 3rd one, but it is the same as the first.)

Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto
algorithm.

I don't know why RSA would be unsupported, as it has been around since
the late 1970's. I can only infer that it has been dropped.
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
david.w.n...@googlemail.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN