The CIRALabs SecureHomeGateway generates an ECDSA key/CSR at manufacturing time which is enrolled into a CA to form an IDevID certificate.

We are pondering a regression where the generated key goes clearly prime256v1, and "prime-field".

We are generating with

    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=${ULA_HOSTNAME}" \
        -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
        -reqexts SAN \
        -config /tmp/shg.ossl.cnf

Evidence below, and also at:
https://gist.github.com/mcr/089fe7206644f417ba213c9dfe093c7a

I thought that maybe we had a build-regression that meant that we went from 1.1.x back to 1.0.x (this is with nic.cz's build of openwrt 18.06), but so far this does not appear to be the case.

But... it worked before! I swear. (so I didn't think about the version that there)

*** My question is: are there some build options that I can't see that might have affected this? Made it work before. My impression is that 1.0.x did *not* support ECDSA certificates, yet it seemed to generate CSRs, just does not put in the right OIDs in the public parts such that it is recognized by others. ***

We happen to include 1.1.1 in a container, and I will probably change things to use the openssl inside the container to generate the CSR, but I'm rather confused.

1.1.1:

    root@turris:/etc/shg# openssl ec -noout -text -in shg.key
    read EC key
    Private-Key: (256 bit)
    priv:
        stuff
    pub:
        04:0c:d5:2f:3b:ed:17:ae:dc:50:57:23:60:10:1e:
        e3:61:84:3b:f4:ad:dd:0d:f4:cd:b4:81:f9:45:4c:
        ee:aa:c6:d3:1a:0c:db:5d:4a:ad:fe:26:d7:c9:a8:
        a2:3c:b6:97:4e:f0:bc:10:37:a2:cc:7b:9a:e6:40:
        ea:c3:1d:d9:52
    ASN1 OID: prime256v1
    NIST CURVE: P-256

With an openssl 1.0.2s or 1.0.2l:

    OpenSSL 1.0.2l  25 May 2017
    read EC key
    Private-Key: (256 bit)
    priv:
        stuff
    pub:
        04:c5:e6:dc:fc:df:c1:c0:c2:88:c0:b8:c2:dc:d0:
        fa:1c:3a:84:1a:52:66:8c:fb:a1:bf:c9:77:e1:fa:
        41:33:9a:33:2a:a8:73:ff:70:1b:3d:bb:d9:cf:a0:
        bb:9f:78:14:37:3a:f8:55:bc:7a:86:a3:c2:66:ea:
        b8:e9:3d:05:5d
    Field Type: prime-field
    Prime:
        ..elided
    A:
    B:
    Generator (uncompressed):
    Order:
    Cofactor:  1 (0x1)
    Seed:

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | IoT architect      [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
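
Added example, not part of the original message: the two dumps above differ in how the curve is encoded, as a named-curve OID ("ASN1 OID: prime256v1") or as explicit field parameters ("Field Type: prime-field"). The sketch below checks which form a DER SubjectPublicKeyInfo carries, so an enrollment step can reject explicit-parameter keys before they reach the CA. The function names and sample bytes are hypothetical and constructed for illustration.

```python
# Added example (not from the original post): classify EC parameter encoding.
EC_PUBKEY_OID = bytes.fromhex("2a8648ce3d0201")    # id-ecPublicKey, 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2a8648ce3d030107")       # prime256v1, 1.2.840.10045.3.1.7

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(spki_der):
    """Classify the ECParameters CHOICE inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = read_tlv(spki_der)
    alg_tag, alg, _ = read_tlv(spki)
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != EC_PUBKEY_OID:
        raise ValueError("not an EC public key")
    tag, params, _ = read_tlv(alg, pos)
    if tag == 0x06:                      # namedCurve: just the curve OID
        return "named", "prime256v1" if params == P256_OID else "other"
    if tag == 0x30:                      # specifiedCurve: prime, A, B, generator, ...
        return "explicit", None
    raise ValueError("unexpected ECParameters tag 0x%02x" % tag)

def tlv(tag, value):
    """Encode a short-form DER element (constructed samples below are < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed samples: the point is a placeholder, and the explicit parameters
# hold only the version field, enough to exercise the tag check.
POINT = tlv(0x03, b"\x00\x04" + bytes(64))
ALG_NAMED = tlv(0x30, tlv(0x06, EC_PUBKEY_OID) + tlv(0x06, P256_OID))
ALG_EXPLICIT = tlv(0x30, tlv(0x06, EC_PUBKEY_OID) + tlv(0x30, tlv(0x02, b"\x01")))
NAMED_SPKI = tlv(0x30, ALG_NAMED + POINT)
EXPLICIT_SPKI = tlv(0x30, ALG_EXPLICIT + POINT)

if __name__ == "__main__":
    print(ec_param_encoding(NAMED_SPKI), ec_param_encoding(EXPLICIT_SPKI))
```

At generation time, `-pkeyopt ec_param_enc:named_curve` is the OpenSSL option that requests the OID form explicitly.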