Problem with DSA key signed CSRs

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jun 28 18:28:46 CEST 2010


Timo Gerke wrote:
> Dear List,
> 
> I think I've discovered another bug.
> When I generate a CSR signed with a DSA key and verify the request
> with openssl, the verification fails.
> I did:
> 
> a.1) certtool -p --dsa --disable-quick-random --outfile dsakey.pem
> a.2) certtool --to-p8  --pkcs-cipher aes-256 --load-privkey dsakey.pem --outfile dsakey.p8
> b) certtool -8q --load-privkey --load-privkey dsakey.pem --outfile newreq.pem 
> c) openssl req -verify -noout -in newreq.csr
> 
> Error message is:
> 2936:error:0A071066:dsa routines:DSA_do_verify:bad q value:dsa_ossl.c:309:
> 2936:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

Hello,
 It seems openssl doesn't support DSA keys of size more than 1024 bits.
Use --bits 1024 on your first command and it will work.

> BTW the format autodetection of certtool seems not to work properly.

Does it have autodetection? :)


regards,
Nikos



