Fwd: gpgsm with elliptic curve algo (Re: SHAxxxWithECDSA)

Vasiliy testtest_2005 at ukr.net
Thu Jun 20 19:47:01 CEST 2013


Could it be possible to know how the following error has been handled?
It appears while importing the Thawte certificate bundle.

Seiji Ariga ariga at khaotic.net
Thu May 17 15:40:47 CEST 2012

Hi.

On Thu, 17 May 2012 10:26:20 +0200,
Werner Koch <wk at gnupg.org> wrote,

> > libgcrypt does not support, say, SHA384WithECDSA (*1) ? (OID is
> > 1.2.840.10045.4.3.3)
> Please try adding this OID to libgcrypt/cipher/sha512.c,
> oid_spec_sha384.

gpgsm stopped showing "unknown hash algorithm". :-)

Now it's producing a different error.
----
$ gpgsm --debug-level guru --status-fd 1 --import cert.pem
gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing assuan
gpgsm: DBG: signature value: 28 37 3A 73 69 67 2D 76 61 6C 28 35 3A 65
63 64 73 61 28 31 3A 72 34 38 3A 66 21 0C 18 26 60 5A 38 7B 56 42 E0
A7 FC 36 84 51 91 20 2C 76 4D 43 3D C4 1D 84 23 D0 AC D6 7C 35 06 CE
CD 69 BD 90 0D DB 6C 48 42 1D 0E AA 42 29 28 31 3A 73 34 39 3A 00 9C
3D 48 39 23 39 58 1A 15 12 59 6A 9E EF D5 59 B2 1D 52 2C 99 71 CD C7
29 DF 1B 2A 61 7B 71 D1 DE F3 C0 E5 0D 3A 4A AA 2D A7 D8 86 2A DD 2E
10 29 29 28 34 3A 68 61 73 68 36 3A 73 68 61 33 38 34 29 29
gpgsm: DBG: encoded hash: 28 AC 5A D9 30 27 8C BD 27 6E ED 75 21 4D BA
04 EC 8B 1E 19 E6 3E 30 32 4F A1 BD A0 E9 E8 3B F8 E0 78 6E B8 79 2B
E4 A7 5B 20 A6 93 B9 F6 21 EF
gpgsm: DBG: gcry_pk_verify: Conflicting use
gpgsm: self-signed certificate has a BAD signature: Conflicting use
gpgsm: DBG: BEGIN Certificate `self-signing cert':
gpgsm: DBG:      serial: 2F80FE238C0E220F486712289187ACB3
gpgsm: DBG:   notBefore: 2007-11-05 00:00:00
gpgsm: DBG:    notAfter: 2038-01-18 23:59:59
gpgsm: DBG:      issuer: CN=VeriSign Class 3 Public Primary
Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For
authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
gpgsm: DBG:     subject: CN=VeriSign Class 3 Public Primary
Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For
authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
gpgsm: DBG:   hash algo: 1.2.840.10045.4.3.3
gpgsm: DBG:   SHA1 Fingerprint:
22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
gpgsm: DBG: END Certificate
gpgsm: basic certificate checks failed - not imported
[GNUPG:] IMPORT_PROBLEM 1 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
gpgsm: total number processed: 1
gpgsm:           not imported: 1
[GNUPG:] IMPORT_RES 1 0 0 0 0 0 0 0 0 0 0 0 0 1
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/16384 bytes in 0 blocks
----

I guess this is because gcry_pk_verify() fails due to "pubkey algo
ECDH != signature algo ECDSA" in gpgsm_check_cert_sig().

src/gcrypt.h
----
enum gcry_pk_algos
  {
    [...]
    GCRY_PK_ECDSA = 301,
    GCRY_PK_ECDH  = 302
  };
----

// Seiji Ariga


