Re: What cryptographic algorithm is not supported?
I notice your cert display did not list a "Key Usage" section. X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment Digital Signature and Data Encipherment are defaults, but KeY Encipherment does not default and needs to be specified in Key Usage. X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Netscape Comment: OpenSSL Generated Certificate 82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E > Sent: Tuesday, November 07, 2017 at 10:40 AM > From: "Charles Mills" > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: What cryptographic algorithm is not supported? > > That could be another thread "most useless diagnostic ever." > > Right, that is the API call (apparently) that failed, but I don't think one > knows that just from the error message. As I said, I got the same error > message for presenting a certificate with a SHA-1 digest (I think). > Presumably a different CMS API call but the same external message. Different > action for the user. > > I display certificates all the time. My script that issues OpenSSL > certificates displays them at the end. > > Charles > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Kirk Wolf > Sent: Tuesday, November 7, 2017 8:07 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: What cryptographic algorithm is not supported? > > Its not the worst diagnostic situation that I have seen on z/OS ( that award > would go to the C-library OS I/O stuff IMO). > > In this case, the external API that failed is gsk_decode_import_key(), and if > you look it up the error that you are getting is documented: > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm > > The algorithm codes can be found in /usr/include gskcms.h > x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */ > > Kirk Wolf > Dovetailed Technologies > http://dovetail.com > > PS> If you want some "fun", take you X.509 cert and load it into a > PS> ASN.1 > tool that displays the whole ugly thing > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
That could be another thread "most useless diagnostic ever." Right, that is the API call (apparently) that failed, but I don't think one knows that just from the error message. As I said, I got the same error message for presenting a certificate with a SHA-1 digest (I think). Presumably a different CMS API call but the same external message. Different action for the user. I display certificates all the time. My script that issues OpenSSL certificates displays them at the end. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf Sent: Tuesday, November 7, 2017 8:07 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? Its not the worst diagnostic situation that I have seen on z/OS ( that award would go to the C-library OS I/O stuff IMO). In this case, the external API that failed is gsk_decode_import_key(), and if you look it up the error that you are getting is documented: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm The algorithm codes can be found in /usr/include gskcms.h x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */ Kirk Wolf Dovetailed Technologies http://dovetail.com PS> If you want some "fun", take you X.509 cert and load it into a PS> ASN.1 tool that displays the whole ugly thing -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
Its not the worst diagnostic situation that I have seen on z/OS ( that award would go to the C-library OS I/O stuff IMO). In this case, the external API that failed is gsk_decode_import_key(), and if you look it up the error that you are getting is documented: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm The algorithm codes can be found in /usr/include gskcms.h x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */ Kirk Wolf Dovetailed Technologies http://dovetail.com PS> If you want some "fun", take you X.509 cert and load it into a ASN.1 tool that displays the whole ugly thing On Mon, Nov 6, 2017 at 7:55 PM, Charles Mills wrote: > Got it! The only password encryption algorithm (PBE) supported for FIPS > mode is pbeWithSha1And3DesCbc. > > In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES > > Sheesh! Would a more specific error message kill them? > > Charles > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Charles Mills > Sent: Monday, November 6, 2017 5:41 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: What cryptographic algorithm is not supported? > > Okay, I got trace information out of gskkyman. What do you make of this? > > INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 > bytes > INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 > bytes > INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed > for 8 bytes > INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed > for 8 bytes > INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed > for 16 bytes > INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed > for 16 bytes > INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption > performed for 16 bytes > INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption > performed for 16 bytes > INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed > for 16 bytes > INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed > for 16 bytes > INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption > performed for 16 bytes > INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption > performed for 16 bytes > INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits > INFO crypto_rsa_public_encrypt(): Software RSA public key encryption > performed > INFO crypto_rsa_private_decrypt(): Using PKCS private key > INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits > INFO crypto_rsa_private_decrypt(): Software RSA private key decryption > performed > INFO open_kdb_check_filedata(): Record size 5000, Record count 12 > INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate > Authority' is self-signed > INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is > self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA > - G2' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA > - G3' is self-signed > INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA > - G5' is self-signed > INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed > INFO open_kdb_check_filedata(): Record size 5000, Record count 0 > ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE > ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error > 0x03353003 > ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 > ERROR gsk_import_key(): Unable to decode subject certificate or chain: > Error 0x03353003 > > Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where > does that come into the picture? What is PBE? > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
On Tue, 7 Nov 2017 08:53:48 -0600, Edward Gould wrote: > >May I make an observation, please? > >... IBM standards which indicate e,s,i etc at the end to indicate severity ... > Oh, come on! As long as I can remember, various fatal JCL and excution error messages have had an "I" suffix. This seems counterintuitive to me, but I expect true blue readers of this form to rationalize it. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
> On Nov 6, 2017, at 7:55 PM, Charles Mills wrote: > > Got it! The only password encryption algorithm (PBE) supported for FIPS mode > is pbeWithSha1And3DesCbc. > > In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES > > Sheesh! Would a more specific error message kill them? > > Charles Charles: May I make an observation, please? Somewhere around the 1992-95 time frame, IBM went south as to documenting information that was critical, *I THINK* it was around the time that the UNIX people came in. Messages that were easy to understand became pretty well gibberish with TCP, especially when it came time for TCP and the UNIX. The TCP people would put out a message and in the message was a rc. The RC never seemed to be documented in the message and as a result would require a call to the support line for help adding sometimes days (sometimes minutes though) to get an answer. OK then once you have that, sometimes that didn’t help as you had no idea what they were referencing, which started a new call to the support center. Problem determination seemed to take forever. If you were lucky the guy on the other end actually had an idea what the problem was and would give you a nudge, then there was the call back from level 2/3 and they (to me anyway) were talking about items that I did not have a clue on. Sometimes you were really unlucky and got two rc’s and then that was an automatic call. I don’t know if any one else noticed that the TCP messages did not follow IBM standards which indicate e,s,i etc at the end to indicate severity and that the length of the messaged changed.. Then you pick up the TCP book on error messages and for a lot of them. The message was just reworded and echo’s back at you. I just hated TCP issues as they were like talking to a wall and add to the fact that they seem to be talking a different language than IBM used to talk and you were used to did not help out a bit. Also, it seemed that none of the RC’s were documented. After the initial brush with TCP I refused to go near it again. The damn TCP error message book was like a wooden stick to my heart. I tried to palm off any tcp issues to someone else as I got frustrated to the point of asking the boss to hire someone that was an expert as I never wanted to see another TCP message again. Ed -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
I see what you did there ;-) On Tue, Nov 7, 2017 at 1:34 AM, Timothy Sipples wrote: > However, it'd be lovely if you would submit a RFE (not PMR) to IBM to > expand that PBE-related GSK error message handling in some reasonable way > PDQ, possibly resulting in a PTF that you'd install in zFS via a TSO login. > BTW, RFC standards like TLS and SSL with their SHA, RSA, DES, PKI, CBC, > XTS, and other characteristics can sometimes be a PITA. > > http://www.ibm.com/developerworks/rfe > > Thx. :-) > > > Timothy Sipples > IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA > E-Mail: sipp...@sg.ibm.com sas -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
In fairness, "PBE" (Password-Based Encryption) is a common term of art in cryptography. OpenSSL and LibreSSL are among the many tools that use the same TLA (three letter acronym) copiously. However, it'd be lovely if you would submit a RFE (not PMR) to IBM to expand that PBE-related GSK error message handling in some reasonable way PDQ, possibly resulting in a PTF that you'd install in zFS via a TSO login. BTW, RFC standards like TLS and SSL with their SHA, RSA, DES, PKI, CBC, XTS, and other characteristics can sometimes be a PITA. http://www.ibm.com/developerworks/rfe Thx. :-) Timothy Sipples IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
Got it! The only password encryption algorithm (PBE) supported for FIPS mode is pbeWithSha1And3DesCbc. In OpenSSL PCKS12, I needed to add -certpbe PBE-SHA1-3DES Sheesh! Would a more specific error message kill them? Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Monday, November 6, 2017 5:41 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? Okay, I got trace information out of gskkyman. What do you make of this? INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed INFO crypto_rsa_private_decrypt(): Using PKCS private key INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits INFO crypto_rsa_private_decrypt(): Software RSA private key decryption performed INFO open_kdb_check_filedata(): Record size 5000, Record count 12 INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' is self-signed INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G5' is self-signed INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed INFO open_kdb_check_filedata(): Record size 5000, Record count 0 ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 0x03353003 ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 0x03353003 Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does that come into the picture? What is PBE? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
Okay, I got trace information out of gskkyman. What do you make of this? INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 bytes INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed for 16 bytes INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed for 16 bytes INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed INFO crypto_rsa_private_decrypt(): Using PKCS private key INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits INFO crypto_rsa_private_decrypt(): Software RSA private key decryption performed INFO open_kdb_check_filedata(): Record size 5000, Record count 12 INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' is self-signed INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G2' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G3' is self-signed INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G5' is self-signed INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed INFO open_kdb_check_filedata(): Record size 5000, Record count 0 ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 0x03353003 ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003 ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 0x03353003 Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does that come into the picture? What is PBE? Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Monday, November 6, 2017 5:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a *cryptographic* hash? Who knows if IBM is being that precise? Good thought. I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me like SHA-512 and RSA 2048 are supported in FIPS mode. Could it be something in the CA certificate? It looks like it is SHA-256 RSA 2048, so it should be good also. Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm -- I see the GSK trace. I will try that. I hate obscure error messages. Tell me what you are objecting to, darn it! Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David W Noon Sent: Monday, November 6, 2017 4:04 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? On Mon, 6 Nov 2017 14:32:01 -
Re: What cryptographic algorithm is not supported?
David, thanks. I had not parsed "cryptographic" that finely. Isn't SHA512 a *cryptographic* hash? Who knows if IBM is being that precise? Good thought. I'm looking at https://ibm.co/2AqCDam (I'm running on V2R2.) It looks to me like SHA-512 and RSA 2048 are supported in FIPS mode. Could it be something in the CA certificate? It looks like it is SHA-256 RSA 2048, so it should be good also. Grrr. Is there any way to get more diagnostic information out of gskkyman? Hmmm -- I see the GSK trace. I will try that. I hate obscure error messages. Tell me what you are objecting to, darn it! Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of David W Noon Sent: Monday, November 6, 2017 4:04 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: What cryptographic algorithm is not supported? On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills (charl...@mcn.org) wrote about "What cryptographic algorithm is not supported?" (in <210a01d3574f$11063a10$3312ae30$@mcn.org>): > I am trying to load a certificate and key into a FIPS-140 GSK > database. I am getting Status 0x03353003 - Cryptographic algorithm is > not supported. How would I know exactly what algorithm it is > complaining about? Here's an extract from the certificate and key: You have 2 lines that mention algorithms: > Signature Algorithm: sha512WithRSAEncryption > Public Key Algorithm: rsaEncryption (There is actually a 3rd one, but it is the same as the first.) Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto algorithm. I don't know why RSA would be unsupported, as it has been around since the late 1970's. I can only infer that it has been dropped. -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* david.w.n...@googlemail.com (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: What cryptographic algorithm is not supported?
On Mon, 6 Nov 2017 14:32:01 -0800, Charles Mills (charl...@mcn.org) wrote about "What cryptographic algorithm is not supported?" (in <210a01d3574f$11063a10$3312ae30$@mcn.org>): > I am trying to load a certificate and key into a FIPS-140 GSK database. I am > getting Status 0x03353003 - Cryptographic algorithm is not supported. How > would I know exactly what algorithm it is complaining about? Here's an > extract from the certificate and key: You have 2 lines that mention algorithms: > Signature Algorithm: sha512WithRSAEncryption > Public Key Algorithm: rsaEncryption (There is actually a 3rd one, but it is the same as the first.) Now, SHA512 is a hashing algorithm, so that leaves RSA as your crypto algorithm. I don't know why RSA would be unsupported, as it has been around since the late 1970's. I can only infer that it has been dropped. -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* david.w.n...@googlemail.com (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
What cryptographic algorithm is not supported?
X-Posted IBM-MAIN and MVS-OE. I am trying to load a certificate and key into a FIPS-140 GSK database. I am getting Status 0x03353003 - Cryptographic algorithm is not supported. How would I know exactly what algorithm it is complaining about? Here's an extract from the certificate and key: Certificate: Data: Version: 3 (0x2) Serial Number: 33 (0x21) Signature Algorithm: sha512WithRSAEncryption Validity Not Before: Nov 6 22:23:23 2017 GMT Not After : Nov 6 22:23:23 2018 GMT Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication Netscape Comment: OpenSSL Generated Certificate 82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E Signature Algorithm: sha512WithRSAEncryption It loads into a non-FIPS-140 certificate database, so everything about the format and so forth is fine - it's just that some algorithm is out of date. Thanks, Charles -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
