Re: [pyOpenSSL] signing a cert request with DSA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Thu, 11 Sep 2008 00:56:26 -0700, Dan Wendlandt <da...@gm...> wrote:
>Apologies if I missed the answer to this while searching list archives
>and google, but I have a very simple issue:
>
>If i run the examples/mk_simple_certs.py file from the tarball, but
>change the two instances of TYPE_RSA to TYPE_DSA, the code fails with
>the following error:
>
>$ python2.5 mk_simple_certs.py
>Traceback (most recent call last):
> File "mk_simple_certs.py", line 8, in <module>
>   careq = createCertRequest(cakey, CN='Certificate Authority')
> File "/home/danwent/Desktop/pyOpenSSL-0.7/examples/certgen.py", line
>51, in createCertRequest
>   req.sign(pkey, digest)
>OpenSSL.crypto.Error: [('digital envelope routines', 'EVP_SignFinal',
>'wrong public key type'), ('asn1 encoding routines', 'ASN1_item_sign',
>'EVP lib')]
>
>The above code worked fine for TYPE_RSA.
>
>Performing the equivalent operations via the command-line 'openssl'
>utility seems to work for DSA keys.
>
>I have PyOpenSSL version 0.7, installed from the standard debian
>package.  I am running debian testing.
>
>system info: Linux 2.6.25-2-686 #1 SMP Fri Jul 18 17:46:56 UTC 2008
>i686 GNU/Linux
>
>openssl: 7$ OpenSSL 0.9.8g 19 Oct 2007
>
>Any help would be appreciated.  Thanks,
>

Hi Dan,

No idea what's going on here.  It seems like it's probably a pyOpenSSL
bug, but I'm not sure where.  Do you feel like looking through the
implementation of the `openssl ca´ command (I assume that's the equivalent
command you're talking about, correct me if I'm wrong) to see if you can
see what it is doing differently from pyOpenSSL's PKey.sign method?

Jean-Paul