gpgsm --import of CA certificate: Bad signature?
Werner Koch
wk at gnupg.org
Tue Apr 17 23:24:40 CEST 2007
On Tue, 17 Apr 2007 20:14, simon at josefsson.org said:
> As far as I can tell, there is nothing wrong with this certificate.
> Ideas?
If you look at the pkcs#1 encoding, you get:
Your certificate:
   0 30   31: SEQUENCE {
   2 30    7:   SEQUENCE {
   4 06    5:     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            :     }
  11 04   20:   OCTET STRING
            :     2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
            :     D3 CE E6 23
            :   }
gpgsm constructs this pkcs#1 to compare it against yours:
   0 30   33: SEQUENCE {
   2 30    9:   SEQUENCE {
   4 06    5:     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
  11 05    0:     NULL
            :     }
  13 04   20:   OCTET STRING
            :     2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
            :     D3 CE E6 23
            :   }
Thus we have an extra NULL and that is the reason that it does not
verify. I am too tired to read pkcs#1 now; will do that tomorrow.
Anyway it is the first case that I noticed such a pkcs#1 encoding.
> I don't know if it is relevant, but the list of 'Supported algorithms'
> seems rather short:
Well there is no routine yet to print them. It would actually be a long
list given all the OIDs you may use to tell that it is RSA or SHA1 or
whatever.
Salam-Shalom,
Werner
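
The two DigestInfo encodings from the message above, rebuilt byte for byte as an added example (not part of the original post and not gpgsm's code). It shows why a plain byte comparison fails when only the NULL parameter differs, and one way a verifier could accept both forms by comparing against two fixed expected encodings; the function names are assumptions made for this illustration.

```python
import hmac

# DER for OBJECT IDENTIFIER sha1 (1 3 14 3 2 26), as shown in both dumps
SHA1_OID = bytes.fromhex("06052b0e03021a")
DER_NULL = bytes.fromhex("0500")  # the "05 0: NULL" element in the second dump


def der_tlv(tag, content):
    """Short-form DER tag/length/value; enough for these <128-byte structures."""
    if len(content) >= 128:
        raise ValueError("long-form lengths not needed for this example")
    return bytes([tag, len(content)]) + content


def digest_info(digest, with_null):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }."""
    alg = der_tlv(0x30, SHA1_OID + (DER_NULL if with_null else b""))
    return der_tlv(0x30, alg + der_tlv(0x04, digest))


def classify(recovered, digest):
    """Compare a recovered DigestInfo against both encodings of the same digest.

    The whole buffer is compared against fixed expected bytes, so trailing
    or reordered data never matches; nothing is parsed leniently.
    """
    if len(digest) != 20:
        raise ValueError("SHA-1 digest must be 20 bytes")
    if hmac.compare_digest(recovered, digest_info(digest, True)):
        return "match-null-params"
    if hmac.compare_digest(recovered, digest_info(digest, False)):
        return "match-absent-params"
    return "mismatch"


# Digest bytes copied from the OCTET STRING in the dumps above
DIGEST = bytes.fromhex("2DE878BE21E4F43FFE269FF320209CBCD3CEE623")

if __name__ == "__main__":
    cert_form = digest_info(DIGEST, with_null=False)   # 31-byte SEQUENCE body
    gpgsm_form = digest_info(DIGEST, with_null=True)   # 33-byte SEQUENCE body
    print(cert_form.hex())
    print(gpgsm_form.hex())
    print("byte-equal:", cert_form == gpgsm_form)
    print("classified:", classify(cert_form, DIGEST))
```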