Re: [openssl-users] Re: Displaying cert with ecdsa
On 16/08/2013 20:10, Robert Moskowitz wrote:
> On 08/14/2013 05:37 PM, Dave Thompson wrote:
>>> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
>>> Sent: Wednesday, 14 August, 2013 15:49
>>>
>>> I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with:
>>>
>>> openssl x509 -in x509-ca.pem -text -nameopt multiline -noout
>>>
>>> I get errors:
>>>
>>> Subject Public Key Info:
>>> Public Key Algorithm: id-ecPublicKey
>>> Unable to load Public Key
>>> 140661212006240:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
>>> 140661212006240:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
>>>
>>> Is there an option I need to add? Is there something special with this cert's Public Key Algorithm?
>>
>> I'm pretty sure not. OpenSSL versions before 1.0.0 needed a cipherstring option to use ECC suites *in SSL/TLS protocol*, but local operations have worked as long as I remember.
>>
>> What version of OpenSSL are you running, and how was it built? In particular was it from official source, or patched?
>
> I am running Fedora 16, standard build stuff. Yes, I know it is time to upgrade...

Fedora, an ECC certificate. This can't work, for legal reasons. Blame RedHat.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Displaying cert with ecdsa
On 08/14/2013 05:37 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
>> Sent: Wednesday, 14 August, 2013 15:49
>>
>> I have a CA cert in pem format that uses ecdsa. I have tried to display the contents with:
>>
>> openssl x509 -in x509-ca.pem -text -nameopt multiline -noout
>>
>> I get errors:
>>
>> Subject Public Key Info:
>> Public Key Algorithm: id-ecPublicKey
>> Unable to load Public Key
>> 140661212006240:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
>> 140661212006240:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
>>
>> Is there an option I need to add? Is there something special with this cert's Public Key Algorithm?
>
> I'm pretty sure not. OpenSSL versions before 1.0.0 needed a cipherstring option to use ECC suites *in SSL/TLS protocol*, but local operations have worked as long as I remember.
>
> What version of OpenSSL are you running, and how was it built? In particular was it from official source, or patched?

I am running Fedora 16, standard build stuff. Yes, I know it is time to upgrade...

Openssl seems to be 1.0.0.k-1 per the yum log (I tried a -v option, but that does not seem to be supported, nor --version).

The fellow that sent me the .pem has 1.0.1c-10 and was able to send me the dump of the cert and the PK algorithm is id-ecPublicKey and the ASN1 OID: prime256v1

So now at least I can move forward reviewing what they are doing with this cert, but it would be nice to be able to display it myself.

> A couple of remote possibilities: do you have your openssl.cnf set (edited) to load an "engine", which doesn't support ECC? I didn't think this level of parsing goes to an engine, but I could be wrong.
>
> Do you have a FIPS-capable build and a setting to force FIPS mode? FIPS should allow ECC (it is NIST "Approved"), but something might be broken.
>
> Can you try the same file with a different OpenSSL version or build -- often easiest by using a different system?
RE: Displaying cert with ecdsa
> From: owner-openssl-us...@openssl.org On Behalf Of Robert Moskowitz
> Sent: Wednesday, 14 August, 2013 15:49
>
> I have a CA cert in pem format that uses ecdsa. I have tried
> to display the contents with:
>
> openssl x509 -in x509-ca.pem -text -nameopt multiline -noout
>
> I get errors:
>
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Unable to load Public Key
> 140661212006240:error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
> 140661212006240:error:0B07706F:x509 certificate
> routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
>
> Is there an option I need to add? Is there something special
> with this cert's Public Key Algorithm?

I'm pretty sure not. OpenSSL versions before 1.0.0 needed a cipherstring option to use ECC suites *in SSL/TLS protocol*, but local operations have worked as long as I remember.

What version of OpenSSL are you running, and how was it built? In particular was it from official source, or patched?

A couple of remote possibilities: do you have your openssl.cnf set (edited) to load an "engine", which doesn't support ECC? I didn't think this level of parsing goes to an engine, but I could be wrong.

Do you have a FIPS-capable build and a setting to force FIPS mode? FIPS should allow ECC (it is NIST "Approved"), but something might be broken.

Can you try the same file with a different OpenSSL version or build -- often easiest by using a different system?
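Added example, not part of any message in this thread: the key algorithm and curve OIDs that `openssl x509 -text` could not print can be read from the certificate's DER without loading the public key. The function names, the two-entry OID table and the all-zero sample key below are constructed for illustration.

```python
import base64

# OID names from the thread; SAMPLE_SPKI is constructed (all-zero point, not a usable key).
OID_NAMES = {"1.2.840.10045.2.1": "id-ecPublicKey", "1.2.840.10045.3.1.7": "prime256v1"}
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)

def pem_to_der(pem):  # drop the armor lines, base64-decode the body
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-")))

def children(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DER header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:              # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("DER element overruns its parent")
        yield tag, pos, pos + length
        pos += length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty or unterminated OID")
    first = min(arcs[0] // 40, 2)      # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def find_spki_algorithm(buf, start=0, end=None):
    """Depth-first search for SEQUENCE { SEQUENCE { OID, params }, BIT STRING }."""
    for tag, vs, ve in children(buf, start, len(buf) if end is None else end):
        if not tag & 0x20:             # primitive element, nothing to descend into
            continue
        kids = list(children(buf, vs, ve))
        if tag == 0x30 and [k[0] for k in kids] == [0x30, 0x03]:
            oids = [decode_oid(buf[s:e]) for t, s, e in children(buf, *kids[0][1:]) if t == 0x06]
            return [OID_NAMES.get(o, o) for o in oids]
        found = find_spki_algorithm(buf, vs, ve)
        if found:
            return found
    return None
```

For a certificate file, pass `pem_to_der(open("x509-ca.pem").read())` to `find_spki_algorithm`; OIDs missing from the table are returned in dotted form.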