[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-gnutls] Re: Encryption using DSA keys
|
From: |
Simon Josefsson |
|
Subject: |
[Help-gnutls] Re: Encryption using DSA keys |
|
Date: |
Mon, 20 Apr 2009 16:14:15 +0200 |
|
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.90 (gnu/linux) |
Miroslav Kratochvil <address@hidden> writes:
> Hi everyone,
>
> well, after I solved the problem at [1], I got to real problems problems:
>
> I want gnutls to negotiate encrypted connection using DSA keys. I
> realized that I will have to use DHE_DSS algorithm, but I have no idea
> how to generate a certificate for one. Googling failed, and
> documentation says only that "DHE_DSS uses DSA keys in certificates."
>
> In OpenSSL world (from where I'm migrating) it was easy, one just
> appended "-dsa" to key generating parameters, and it was done.
> Nevertheless; with gnutls and --dsa option; I'm getting error -89
> (Public key signature verification has failed.). RSA alternative
> (--rsa with the same commands) works ok.
>
> So, is there any tutorial or howto on generating suitable DSA keys for
> use with encryption? Ideally with a complete certtool script for
> generating one selfsigned CA keypair and other that-ca-signed keypair.
Check the manual:
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
Generating a certificate using those instructions seems to work fine
here, see log below.
You are right that the manual doesn't give an example for DSA keys, so I
added one:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06
Can you explain exactly what you did to get the -89 error?
/Simon
address@hidden:~$ certtool --generate-privkey --outfile key.pem --dsa
Generating a 2048 bit DSA private key...
address@hidden:~$ cat key.pem
-----BEGIN DSA PRIVATE KEY-----
MIIDGQIBAAKCAQEAw8xAilE8wNbdQZJVRGpOjEYdibjT3N5vpDMmsqf4unH1Mlht
w/ZPmkUs5vww+XpTCs64QKfJmBSmoXFAFJMiKm8J8yacnd7PdYBmSFIizZJ9S+BJ
SDY+SAb0lz9F/De/jJNZg9cIAtpcD7oDduoD9pS/rI74JFpwO8v48BuQYnuBb+0y
h95rKGkFSy2yEgQcRjb8H+utddMV57U/w9j80NGJABYevEpzIFttnREpdoXmEk9j
5aqg/eh33fCXXsknhVEq/onojmswXE3zUfyGOxcuTzhaUWU9edN9c28+RusBJFsH
u9E9VJEeNYd2zj4/vxixQZtVRbzfNJuVlXZlOQIDAQABAoIBAEJQysdOTopt+9B6
tKCQdPwzv0tnK3LSb/OoU4INPERB1q9vnfXSVhHFPjkZz6if0sKFU4iqi7ATxoBF
sFOHpfnDVBZjzIX38kI08++oyhrgc8mgNJHdtWiF2o/joVuUsi71tUrfKNp2hNna
wdOj3SXGKclTPx5o9zx5kF4ap+OConIh9t1q1cNntF+slzGh2X8FIJQOV20NrSrm
nsi3O6uLzu6Mg+9j2d9kLF8tph9JhtbV88BsoQVAALwpXsWYEQ4/7FVZfYPr2HNM
sGbm7SKMsYNaDTUB6608Tt6kPUh1b7E8OD2UtE/abtqnM7SW+1Uop8E98ePYPBG+
pYVyc3UCgYEAxYo5RbY5gP9zszToGFNM6/X1wNUsWp5QDFA4qKiy9ZExAhTDnxtL
KIbVHW509LuQnDWES+XmM3KmjIPdKHSb2pgGqCwSShd4xbdUfsy+XDuWCPcsQG+M
geZSZNtYT6a3Y72vWEZrFO71jNaHi2NZrVvY8ekrWY1lc6S7DKBzB0MCgYEA/b4M
Hl9JGQEv0axXQl4jEVlBRVXO+t/ZXyM2Z0wp+s6QCm1LhuhJJXLmWhumSE19eER3
eNmB9SPRIy6Ar96ZfxebMJaLGZZQEpCGT+5CZXIWc9liZZK9W1ef6UkztUOAeyy0
010Hv8kMhryRJtOvpbogv1uxd3YGV/HI5o7949M=
-----END DSA PRIVATE KEY-----
address@hidden:~$ certtool --generate-certificate --load-privkey key.pem
--outfile cert.pem --load-ca-certificate
~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey
~/src/www-gnutls/test-credentials/x509-ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press
enter to ignore a field.
Country name (2 chars): SE
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: foo.bar.com
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1240236605):
Activation/Expiration time.
The certificate will expire in (days):
The certificate will expire in (days): 180
Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter the dnsName of the subject of the certificate: foo.bar.com
Enter the dnsName of the subject of the certificate:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 49ec823d
Validity:
Not Before: Mon Apr 20 14:10:06 UTC 2009
Not After: Sat Oct 17 14:10:08 UTC 2009
Subject: C=SE,CN=foo.bar.com
Subject Public Key Algorithm: DSA
Public key (bits 1024):
c5:8a:39:45:b6:39:80:ff:73:b3:34:e8:18:53:4c:eb
f5:f5:c0:d5:2c:5a:9e:50:0c:50:38:a8:a8:b2:f5:91
31:02:14:c3:9f:1b:4b:28:86:d5:1d:6e:74:f4:bb:90
9c:35:84:4b:e5:e6:33:72:a6:8c:83:dd:28:74:9b:da
98:06:a8:2c:12:4a:17:78:c5:b7:54:7e:cc:be:5c:3b
96:08:f7:2c:40:6f:8c:81:e6:52:64:db:58:4f:a6:b7
63:bd:af:58:46:6b:14:ee:f5:8c:d6:87:8b:63:59:ad
5b:d8:f1:e9:2b:59:8d:65:73:a4:bb:0c:a0:73:07:43
P:
c3:cc:40:8a:51:3c:c0:d6:dd:41:92:55:44:6a:4e:8c
46:1d:89:b8:d3:dc:de:6f:a4:33:26:b2:a7:f8:ba:71
f5:32:58:6d:c3:f6:4f:9a:45:2c:e6:fc:30:f9:7a:53
0a:ce:b8:40:a7:c9:98:14:a6:a1:71:40:14:93:22:2a
6f:09:f3:26:9c:9d:de:cf:75:80:66:48:52:22:cd:92
7d:4b:e0:49:48:36:3e:48:06:f4:97:3f:45:fc:37:bf
8c:93:59:83:d7:08:02:da:5c:0f:ba:03:76:ea:03:f6
94:bf:ac:8e:f8:24:5a:70:3b:cb:f8:f0:1b:90:62:7b
81:6f:ed:32:87:de:6b:28:69:05:4b:2d:b2:12:04:1c
46:36:fc:1f:eb:ad:75:d3:15:e7:b5:3f:c3:d8:fc:d0
d1:89:00:16:1e:bc:4a:73:20:5b:6d:9d:11:29:76:85
e6:12:4f:63:e5:aa:a0:fd:e8:77:dd:f0:97:5e:c9:27
85:51:2a:fe:89:e8:8e:6b:30:5c:4d:f3:51:fc:86:3b
17:2e:4f:38:5a:51:65:3d:79:d3:7d:73:6f:3e:46:eb
01:24:5b:07:bb:d1:3d:54:91:1e:35:87:76:ce:3e:3f
bf:18:b1:41:9b:55:45:bc:df:34:9b:95:95:76:65:39
Q:
01:00:01
G:
42:50:ca:c7:4e:4e:8a:6d:fb:d0:7a:b4:a0:90:74:fc
33:bf:4b:67:2b:72:d2:6f:f3:a8:53:82:0d:3c:44:41
d6:af:6f:9d:f5:d2:56:11:c5:3e:39:19:cf:a8:9f:d2
c2:85:53:88:aa:8b:b0:13:c6:80:45:b0:53:87:a5:f9
c3:54:16:63:cc:85:f7:f2:42:34:f3:ef:a8:ca:1a:e0
73:c9:a0:34:91:dd:b5:68:85:da:8f:e3:a1:5b:94:b2
2e:f5:b5:4a:df:28:da:76:84:d9:da:c1:d3:a3:dd:25
c6:29:c9:53:3f:1e:68:f7:3c:79:90:5e:1a:a7:e3:82
a2:72:21:f6:dd:6a:d5:c3:67:b4:5f:ac:97:31:a1:d9
7f:05:20:94:0e:57:6d:0d:ad:2a:e6:9e:c8:b7:3b:ab
8b:ce:ee:8c:83:ef:63:d9:df:64:2c:5f:2d:a6:1f:49
86:d6:d5:f3:c0:6c:a1:05:40:00:bc:29:5e:c5:98:11
0e:3f:ec:55:59:7d:83:eb:d8:73:4c:b0:66:e6:ed:22
8c:b1:83:5a:0d:35:01:eb:ad:3c:4e:de:a4:3d:48:75
6f:b1:3c:38:3d:94:b4:4f:da:6e:da:a7:33:b4:96:fb
55:28:a7:c1:3d:f1:e3:d8:3c:11:be:a5:85:72:73:75
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Alternative Name (not critical):
DNSname: foo.bar.com
Key Usage (critical):
Digital signature.
Subject Key Identifier (not critical):
e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
Authority Key Identifier (not critical):
e93c1cfbad926ee606a4562ca2e1c05327c8f295
Other Information:
Public Key Id:
e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
Is the above information ok? (Y/N): y
Signing certificate...
address@hidden:~$ certtool -v
certtool (GnuTLS) 2.6.5
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos and Simon Josefsson.
address@hidden:~$