The key itself is good. Its encoding in the CSR isn't.

Looks like the public key was X9.62 encoded in its uncompressed form (i.e. starting with a 04 octet, and then the octets composing the x and y coordinates), and then wrapped into an ASN.1 OCTET STRING (i.e. using the 04 tag, plus a 0x41 length, and the encoded public key), and finally the BIT STRING encapsulation. The OCTET STRING is wrong here.

Regards,
Erwann Abalea

On 08/08/2020 14:24, "openssl-users on behalf of Dirk-Willem van Gulik" <openssl-users-bounces@xxxxxxxxxxx on behalf of dirkx@xxxxxxxxxxxxxx> wrote:

The key is generated by a lovely HSM - which is by its nature a bit of a closed box. Whose vendor is very sure its software is right.

So this helps a lot - and helps confirm what we thought!

Thanks,

Dw

> On 8 Aug 2020, at 04:16, Frank Migge <fm@xxxxxxxxxxxx> wrote:
>
> Hi Dirk-Willem,
>
> Something is wrong with your EC key. The error mentions that it can't
> get the curve points from the key data. How did you generate the key?
>
> If it helps, here is a working CSR example, using a prime256v1 key for
> comparison:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
> bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
> +8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
> zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
> hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
> IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
> -----END CERTIFICATE REQUEST-----
>
>
> $ openssl req -inform PEM -noout -pubkey -in test.csr
> -----BEGIN PUBLIC KEY-----
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
> vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
> -----END PUBLIC KEY-----
>
>
> On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
>> Below CSR gives me an odd error with the standard openssl REQ
>> command:
>>
>> openssl req -inform DER -noout -pubkey
>>
>> Error getting public key
>>
>> 140673482679616:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../crypto/ec/ecp_oct.c:312:
>> 140673482679616:error:10098010:elliptic curve routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
>> 140673482679616:error:100D708E:elliptic curve routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
>> 140673482679616:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:125:
>>
>> Even though the ASN1 of the public key looks correct to me:
>>
>> SEQUENCE (2 elem)
>>   SEQUENCE (2 elem)
>>     OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
>>     OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
>>   BIT STRING (536 bit) 0000010001000001000001000011100100110011100111000110100010100101101000…
>>     OCTET STRING (65 byte) 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC715561…
>>
>> What would be a good way to further debug this?
>>
>> With kind regards,
>>
>> Dw
>>
>> -----BEGIN CERTIFICATE REQUEST-----
>> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
>> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
>> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
>> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
>> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
>> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
>> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
>> -----END CERTIFICATE REQUEST-----
>
>
> --
> Frank Migge
> http://fm4dd.com | public@xxxxxxxxxxxx
>
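The encoding defect Erwann describes can be checked mechanically rather than by eyeballing an ASN.1 dump. The script below is an added example, not code from the thread or from OpenSSL: it walks the PKCS#10 structure with a minimal DER reader, extracts the SubjectPublicKeyInfo, distinguishes a plain X9.62 uncompressed point (`04 || X || Y`, 65 bytes for prime256v1) from one that was additionally wrapped in an OCTET STRING (`04 41 04 ...`, 67 bytes), rebuilds the SPKI without the wrapper, and confirms that the recovered point satisfies the P-256 curve equation, which is the concrete meaning of "the key itself is good". Its inputs are the two CSRs posted in the thread; it assumes prime256v1 throughout, and the function and constant names are the example's own.

```python
import base64

# Sample inputs: the two CSRs posted in the thread above
# (the HSM-generated one, and Frank's openssl-generated comparison).
HSM_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
-----END CERTIFICATE REQUEST-----"""
OPENSSL_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
+8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
-----END CERTIFICATE REQUEST-----"""

# NIST P-256 parameters (y^2 = x^3 - 3x + b mod p); assumed curve for all keys here.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
SEQUENCE, BIT_STRING, OCTET_STRING = 0x30, 0x03, 0x04


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER element at buf[pos] -> (tag, value, raw_tlv, next_pos).
    Single-octet tags and definite lengths only, which is all PKCS#10 needs."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def children(value: bytes):
    """Split a constructed element's content into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = read_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def encode_tlv(tag: int, value: bytes) -> bytes:
    """DER-encode tag || length || value (lengths below 65536 suffice here)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def spki_from_csr(csr_der: bytes) -> bytes:
    """CertificationRequest -> CertificationRequestInfo -> subjectPKInfo (raw DER)."""
    _, cert_req, _, _ = read_tlv(csr_der)
    _, cri, _, _ = read_tlv(cert_req)          # certificationRequestInfo is the first child
    version, subject, spki, *_ = children(cri)  # version, subject, subjectPKInfo, attributes
    return spki[2]


def point_from_spki(spki_der: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING payload with the unused-bits octet stripped."""
    _, spki, _, _ = read_tlv(spki_der)
    alg, bits, *_ = children(spki)
    assert bits[0] == BIT_STRING and bits[1][0] == 0, "unexpected subjectPublicKey encoding"
    return bits[1][1:]


def diagnose_point(point: bytes) -> str:
    """'ok'      : X9.62 uncompressed point 04 || X || Y (65 bytes on P-256)
       'wrapped' : the same point inside an extra OCTET STRING (04 41 04 ...), which openssl rejects
       'unknown' : anything else"""
    if len(point) == 65 and point[0] == 0x04:
        return "ok"
    if len(point) == 67 and point[0] == OCTET_STRING and point[1] == 65 and point[2] == 0x04:
        return "wrapped"
    return "unknown"


def repair_spki(spki_der: bytes) -> bytes:
    """Rebuild the SPKI with the OCTET STRING wrapper removed; other SPKIs come back unchanged."""
    _, spki, _, _ = read_tlv(spki_der)
    alg, bits, *_ = children(spki)
    if diagnose_point(bits[1][1:]) != "wrapped":
        return spki_der
    _, inner, _, _ = read_tlv(bits[1][1:])      # drop the '04 41' tag and length
    return encode_tlv(SEQUENCE, alg[2] + encode_tlv(BIT_STRING, b"\x00" + inner))


def on_p256_curve(point: bytes) -> bool:
    """True if an uncompressed point satisfies y^2 == x^3 - 3x + b (mod p)."""
    if len(point) != 65 or point[0] != 0x04:
        return False
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0


if __name__ == "__main__":
    for name, pem in (("HSM CSR", HSM_CSR_PEM), ("openssl CSR", OPENSSL_CSR_PEM)):
        spki = spki_from_csr(pem_to_der(pem))
        raw = point_from_spki(spki)
        fixed = point_from_spki(repair_spki(spki))
        print(f"{name}: {diagnose_point(raw)} ({len(raw)} bytes, starts {raw[:3].hex()}); "
              f"after repair: {diagnose_point(fixed)}, on curve: {on_p256_curve(fixed)}")
```

The repaired SPKI is only the public key: the CSR signature covers the original CertificationRequestInfo DER, so splicing the corrected SPKI back into the CSR would invalidate the signature, and the request has to be regenerated by the HSM with the right encoding. The script is also a cheap acceptance check to run on anything a closed-box HSM emits before it reaches a CA.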