gpgsm --import of CA certificate: Bad signature?
Werner Koch
wk at gnupg.org
Wed Apr 18 09:39:06 CEST 2007
Hi,
whether the optional parameter of the AlgorithmIdentifier is really
optional has changed over time. My ASN.1 derived from the German Sphinx
profile states:

  AlgorithmIdentifier ::= SEQUENCE {
      algorithm   OBJECT IDENTIFIER,
      parameters  ANY DEFINED BY algorithm OPTIONAL
                  -- should be used but set to NULL
  }

rfc3280 (X.509) does not have this remark. Peter Gutmann's X.509 guide
explains this issue:

  Another pitfall to be aware of is that algorithms which have no
  parameters have this specified as a NULL value rather than omitting
  the parameters field entirely. The reason for this is that when the
  1988 syntax for AlgorithmIdentifier was translated into the 1997
  syntax, the OPTIONAL associated with the AlgorithmIdentifier
  parameters got lost. Later it was recovered via a defect report, but
  by then everyone thought that algorithm parameters were mandatory.
  Because of this the algorithm parameters should be specified as NULL,
  regardless of what you read elsewhere.

How did you create this certificate?
Salam-Shalom,
Werner