[Help-gnutls] Re: Encryption using DSA keys

Simon Josefsson simon at josefsson.org
Mon Apr 20 16:14:15 CEST 2009


Miroslav Kratochvil <exa.exa at gmail.com> writes:

> Hi everyone,
>
> well, after I solved the problem at [1], I got to real problems problems:
>
> I want gnutls to negotiate encrypted connection using DSA keys. I
> realized that I will have to use DHE_DSS algorithm, but I have no idea
> how to generate a certificate for one. Googling failed, and
> documentation says only that "DHE_DSS uses DSA keys in certificates."
>
> In OpenSSL world (from where I'm migrating) it was easy, one just
> appended "-dsa" to key generating parameters, and it was done.
> Nevertheless; with gnutls and --dsa option; I'm getting error -89
> (Public key signature verification has failed.). RSA alternative
> (--rsa with the same commands) works ok.
>
> So, is there any tutorial or howto on generating suitable DSA keys for
> use with encryption? Ideally with a complete certtool script for
> generating one selfsigned CA keypair and other that-ca-signed keypair.

Check the manual:

http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html

Generating a certificate using those instructions seems to work fine
here, see log below.

You are right that the manual doesn't give an example for DSA keys, so I
added one:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06

Can you explain exactly what you did to get the -89 error?

/Simon

jas at mocca:~$ certtool --generate-privkey --outfile key.pem --dsa
Generating a 2048 bit DSA private key...
jas at mocca:~$ cat key.pem 
-----BEGIN DSA PRIVATE KEY-----
MIIDGQIBAAKCAQEAw8xAilE8wNbdQZJVRGpOjEYdibjT3N5vpDMmsqf4unH1Mlht
w/ZPmkUs5vww+XpTCs64QKfJmBSmoXFAFJMiKm8J8yacnd7PdYBmSFIizZJ9S+BJ
SDY+SAb0lz9F/De/jJNZg9cIAtpcD7oDduoD9pS/rI74JFpwO8v48BuQYnuBb+0y
h95rKGkFSy2yEgQcRjb8H+utddMV57U/w9j80NGJABYevEpzIFttnREpdoXmEk9j
5aqg/eh33fCXXsknhVEq/onojmswXE3zUfyGOxcuTzhaUWU9edN9c28+RusBJFsH
u9E9VJEeNYd2zj4/vxixQZtVRbzfNJuVlXZlOQIDAQABAoIBAEJQysdOTopt+9B6
tKCQdPwzv0tnK3LSb/OoU4INPERB1q9vnfXSVhHFPjkZz6if0sKFU4iqi7ATxoBF
sFOHpfnDVBZjzIX38kI08++oyhrgc8mgNJHdtWiF2o/joVuUsi71tUrfKNp2hNna
wdOj3SXGKclTPx5o9zx5kF4ap+OConIh9t1q1cNntF+slzGh2X8FIJQOV20NrSrm
nsi3O6uLzu6Mg+9j2d9kLF8tph9JhtbV88BsoQVAALwpXsWYEQ4/7FVZfYPr2HNM
sGbm7SKMsYNaDTUB6608Tt6kPUh1b7E8OD2UtE/abtqnM7SW+1Uop8E98ePYPBG+
pYVyc3UCgYEAxYo5RbY5gP9zszToGFNM6/X1wNUsWp5QDFA4qKiy9ZExAhTDnxtL
KIbVHW509LuQnDWES+XmM3KmjIPdKHSb2pgGqCwSShd4xbdUfsy+XDuWCPcsQG+M
geZSZNtYT6a3Y72vWEZrFO71jNaHi2NZrVvY8ekrWY1lc6S7DKBzB0MCgYEA/b4M
Hl9JGQEv0axXQl4jEVlBRVXO+t/ZXyM2Z0wp+s6QCm1LhuhJJXLmWhumSE19eER3
eNmB9SPRIy6Ar96ZfxebMJaLGZZQEpCGT+5CZXIWc9liZZK9W1ef6UkztUOAeyy0
010Hv8kMhryRJtOvpbogv1uxd3YGV/HI5o7949M=
-----END DSA PRIVATE KEY-----
jas at mocca:~$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey ~/src/www-gnutls/test-credentials/x509-ca-key.pem 
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): SE
Organization name: 
Organizational unit name: 
Locality name: 
State or province name: 
Common name: foo.bar.com
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1240236605): 


Activation/Expiration time.
The certificate will expire in (days): 
The certificate will expire in (days): 180


Extensions.
Does the certificate belong to an authority? (y/N): 
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter the dnsName of the subject of the certificate: foo.bar.com
Enter the dnsName of the subject of the certificate: 
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 49ec823d
	Validity:
		Not Before: Mon Apr 20 14:10:06 UTC 2009
		Not After: Sat Oct 17 14:10:08 UTC 2009
	Subject: C=SE,CN=foo.bar.com
	Subject Public Key Algorithm: DSA
		Public key (bits 1024):
			c5:8a:39:45:b6:39:80:ff:73:b3:34:e8:18:53:4c:eb
			f5:f5:c0:d5:2c:5a:9e:50:0c:50:38:a8:a8:b2:f5:91
			31:02:14:c3:9f:1b:4b:28:86:d5:1d:6e:74:f4:bb:90
			9c:35:84:4b:e5:e6:33:72:a6:8c:83:dd:28:74:9b:da
			98:06:a8:2c:12:4a:17:78:c5:b7:54:7e:cc:be:5c:3b
			96:08:f7:2c:40:6f:8c:81:e6:52:64:db:58:4f:a6:b7
			63:bd:af:58:46:6b:14:ee:f5:8c:d6:87:8b:63:59:ad
			5b:d8:f1:e9:2b:59:8d:65:73:a4:bb:0c:a0:73:07:43
		P:
			c3:cc:40:8a:51:3c:c0:d6:dd:41:92:55:44:6a:4e:8c
			46:1d:89:b8:d3:dc:de:6f:a4:33:26:b2:a7:f8:ba:71
			f5:32:58:6d:c3:f6:4f:9a:45:2c:e6:fc:30:f9:7a:53
			0a:ce:b8:40:a7:c9:98:14:a6:a1:71:40:14:93:22:2a
			6f:09:f3:26:9c:9d:de:cf:75:80:66:48:52:22:cd:92
			7d:4b:e0:49:48:36:3e:48:06:f4:97:3f:45:fc:37:bf
			8c:93:59:83:d7:08:02:da:5c:0f:ba:03:76:ea:03:f6
			94:bf:ac:8e:f8:24:5a:70:3b:cb:f8:f0:1b:90:62:7b
			81:6f:ed:32:87:de:6b:28:69:05:4b:2d:b2:12:04:1c
			46:36:fc:1f:eb:ad:75:d3:15:e7:b5:3f:c3:d8:fc:d0
			d1:89:00:16:1e:bc:4a:73:20:5b:6d:9d:11:29:76:85
			e6:12:4f:63:e5:aa:a0:fd:e8:77:dd:f0:97:5e:c9:27
			85:51:2a:fe:89:e8:8e:6b:30:5c:4d:f3:51:fc:86:3b
			17:2e:4f:38:5a:51:65:3d:79:d3:7d:73:6f:3e:46:eb
			01:24:5b:07:bb:d1:3d:54:91:1e:35:87:76:ce:3e:3f
			bf:18:b1:41:9b:55:45:bc:df:34:9b:95:95:76:65:39
		Q:
			01:00:01
		G:
			42:50:ca:c7:4e:4e:8a:6d:fb:d0:7a:b4:a0:90:74:fc
			33:bf:4b:67:2b:72:d2:6f:f3:a8:53:82:0d:3c:44:41
			d6:af:6f:9d:f5:d2:56:11:c5:3e:39:19:cf:a8:9f:d2
			c2:85:53:88:aa:8b:b0:13:c6:80:45:b0:53:87:a5:f9
			c3:54:16:63:cc:85:f7:f2:42:34:f3:ef:a8:ca:1a:e0
			73:c9:a0:34:91:dd:b5:68:85:da:8f:e3:a1:5b:94:b2
			2e:f5:b5:4a:df:28:da:76:84:d9:da:c1:d3:a3:dd:25
			c6:29:c9:53:3f:1e:68:f7:3c:79:90:5e:1a:a7:e3:82
			a2:72:21:f6:dd:6a:d5:c3:67:b4:5f:ac:97:31:a1:d9
			7f:05:20:94:0e:57:6d:0d:ad:2a:e6:9e:c8:b7:3b:ab
			8b:ce:ee:8c:83:ef:63:d9:df:64:2c:5f:2d:a6:1f:49
			86:d6:d5:f3:c0:6c:a1:05:40:00:bc:29:5e:c5:98:11
			0e:3f:ec:55:59:7d:83:eb:d8:73:4c:b0:66:e6:ed:22
			8c:b1:83:5a:0d:35:01:eb:ad:3c:4e:de:a4:3d:48:75
			6f:b1:3c:38:3d:94:b4:4f:da:6e:da:a7:33:b4:96:fb
			55:28:a7:c1:3d:f1:e3:d8:3c:11:be:a5:85:72:73:75
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Subject Alternative Name (not critical):
			DNSname: foo.bar.com
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
		Authority Key Identifier (not critical):
			e93c1cfbad926ee606a4562ca2e1c05327c8f295
Other Information:
	Public Key Id:
		e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f

Is the above information ok? (Y/N): y


Signing certificate...
jas at mocca:~$ certtool -v
certtool (GnuTLS) 2.6.5
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Nikos Mavrogiannopoulos and Simon Josefsson.
jas at mocca:~$ 





More information about the Gnutls-help mailing list