Re: odd error for ECDSA key in REQ.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The key is generated by a lovely HSM - which is by its nature a bit of a closed box. Whose vendor is very sure its software is right.

So this helps a lot - and helps confirm what we thought !

Thanks,

Dw

> On 8 Aug 2020, at 04:16, Frank Migge <fm@xxxxxxxxxxxx> wrote:
> 
> Hi Dirk-Willem,
> 
> Something is wrong with your EC key. The error mentions that it can't
> get the curve points from the key data. How did you generate the key?
> 
> If it helps, here is a working CSR example, using a prime256v1 key for
> comparison:
> 
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
> bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
> +8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
> zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
> hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
> IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
> -----END CERTIFICATE REQUEST-----
> 
> 
> $ openssl req -inform PEM -noout -pubkey -in test.csr
> -----BEGIN PUBLIC KEY-----
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
> vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
> -----END PUBLIC KEY-----
> 
> 
> On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
>> Below CSR gives me an odd error with the standard openssl REQ
>> command:
>> 
>> 	openssl req -inform DER -noout -pubkey
>> 
>> 	Error getting public key
>> 
>> 	140673482679616:error:10067066:elliptic curve
>> routines:ec_GFp_simple_oct2point:invalid
>> encoding:../crypto/ec/ecp_oct.c:312:
>> 	140673482679616:error:10098010:elliptic curve
>> routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
>> 	140673482679616:error:100D708E:elliptic curve
>> routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
>> 	140673482679616:error:0B09407D:x509 certificate
>> routines:x509_pubkey_decode:public key decode
>> error:../crypto/x509/x_pubkey.c:125:
>> 
>> Even though the ASN1 of the public key looks correct to me:
>> 
>>    SEQUENCE (2 elem)
>>      SEQUENCE (2 elem)
>>        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62
>> public key type)
>>        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62
>> named elliptic curve)
>>      BIT STRING (536 bit)
>> 000001000100000100000100001110010011001110011100011010001010010110100
>> 0…
>>        OCTET STRING (65 byte)
>> 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC71556
>> 1…
>> 
>> What would be a good way to further debug this ?
>> 
>> With kind regards,
>> 
>> Dw
>> 
>> -----BEGIN CERTIFICATE REQUEST-----
>> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
>> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
>> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
>> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
>> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
>> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
>> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
>> -----END CERTIFICATE REQUEST-----
> 
> 
> -- 
> Frank Migge
> http://fm4dd.com | public@xxxxxxxxxxxx
> 





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux