[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Invalid DSA Parameters?



I am trying to validate a certificate that has been issued by a Entrust V6
CA. The certificate was signed using DSA. When I try to verify the
certificate the SFL returns the error "MSB is 1.". Stepping through this I
found that the error occurred when trying to Get the parameters in the
function

SM_RET_VAL CSM_DSAParams::Decode(CSM_Buffer *pParams)

This function calls

void CSM_BigIntegerStr::Get(CSM_Buffer    &bigIntBuf, const size_t   octets)

which performs several checks to see if the parameters are valid. One of
these checks is

if (bigIntData[0] >> 7 == 1)
{
     SME_THROW(BIGINT_DECODE_ERROR, "MSB is 1.", NULL);
}

According to the comment surrounding the code this check is:

/* Make sure value is not negative.  This rule only applies here
   because the octets variable is only used when decoding
   r,s,p,g,q, or y values; which MUST be positive. */

However are parameters all fail this check. If we comment out this line
check then the certificate is verified. To verify there was nothing wrong
with the certificate I imported it into the CAPI Certificate Store and this
managed to verify the certificate. The P parameter that fails is shown here:

b68b0f942b9acea5
25c6f2edfcfb9532
ac011233b9e01cad
909bbc48549ef394
773c2c713555e6fe
4f22cbd5d83e8993
334dfcbd4f41643e
a29870ec31b450de
ebf198280ac93e44
b3fd22979683d018
a3e3bd355bffeea3
21726a7b96dab93f
1e5a90af24d620f0
0d21a7d402b91afc
ac21fb9e949e4b42
459e6ab24863fe43

this was observed both during debugging and also when viewing the
certificate through the CA. Is there a fault with this parameter or is the
check wrong?

Regards

William Adams
Software Engineer
Nexor.
================
Tel:  +44 115 9535536
Fax: +44 115 9520519