Using Openssl version: OpenSSL 1.1.1f 31 Mar 2020
I am trying to encode an arbitrary ASN.1 SEQUENCE in an OpenSSL Config file and I want the result to look like an ECDSA subject key:
0042: | 30 59 ; SEQUENCE (59 Bytes)
0044: | | 30 13 ; SEQUENCE (13 Bytes)
0046: | | | 06 07 ; OBJECT_ID (7 Bytes)
0048: | | | | 2a 86 48 ce 3d 02 01
      | | | | ; 1.2.840.10045.2.1 ECC
004f: | | | 06 08 ; OBJECT_ID (8 Bytes)
0051: | | | 2a 86 48 ce 3d 03 01 07
      | | | ; 1.2.840.10045.3.1.7 ECDSA_P256 (x962P256v1)
0059: | | 03 42 ; BIT_STRING (42 Bytes)
005b: | | 00
005c: | | 04 f4 df ac 6c 8d e5 b0 6c 55 29 13 1e fe 35 9a
006c: | | c6 06 57 97 ca c5 6f 1b 9e 3b cd 46 f3 01 91 0e
007c: | | 2a 5b 93 fe 6b d3 04 06 44 6c 54 e7 f5 b5 f5 81
008c: | | d4 a4 eb 12 9f e7 ae 27 f6 97 c8 f6 d3 e6 c8 9b
009c: | | 3a
Both the documentation: https://www.openssl.org/docs/man1.1.1/man3/ASN1_generate_nconf.html and a cursory inspection of the OpenSSL source code: https://github.com/openssl/openssl/blob/master/crypto/asn1/asn1_gen.c seem to agree that it should be possible to pass a hex string to BITSTR and/or OCTETSTRING.
However, I've tried many combinations in the config file and either I get the ASCII interpretation of the data or an error parsing the config file.
I am trying to construct the sequence like this:
[ ECDSA_PublicKeyInfo ]
SubjectPublicKeyInfo=SEQUENCE:ecdsa256_alg
hex1=BITWRAP,BITSTR:0x04112233445566778899aabbccddeeff
hex2=INTEGER:0x04112233445566778899aabbccddeeff
hex3=BITWRAP,INTEGER:0x04112233445566778899aabbccddeeff
The INTEGER lines correctly interpret the hex, but the BITSTR line does not. However, INTEGER inserts the integer marker bytes (02 10) into the data stream, which I don't want.
I have also tried: hex1=BITWRAP,BITSTR,HEX:0x04112233445566778899aabbccddeeff
This generates an error during parsing, and
hex1=BITWRAP,BITSTR:HEX:0x04112233445566778899aabbccddeeff
encodes "HEX" into the data stream.
How can I construct the sequence shown above with an OpenSSL Config file? Is this just impossible?
Full example below.
Thanks,
Brad
Command lines:
openssl ecparam -name prime256v1 -genkey -out ecc256.pem
openssl req -new -key ecc256.pem -out ecc256_req.pem -config config.txt
config.txt:
[ req ]
distinguished_name = req_dn
req_extensions = req_ext
prompt = no
encrypt_key = no
digest = sha256
version=2
[ req_dn ]
C=US
ST=SomeState
CN=Something
[ req_ext ]
# SubjectDirectoryAttributes
2.5.29.9=ASN1:SEQUENCE:EccPublicKeyInfo
[EccPublicKeyInfo]
X=SEQUENCE:ECDSA_PublicKeyInfo
[ecdsa256_alg]
algorithm=OID:1.2.840.10045.2.1
parameter=OID:1.2.840.10045.3.1.7
[ ECDSA_PublicKeyInfo ]
SubjectPublicKeyInfo=SEQUENCE:ecdsa256_alg
hex1=BITWRAP,BITSTR:0x04112233445566778899aabbccddeeff
hex2=INTEGER:0x04112233445566778899aabbccddeeff
hex3=BITWRAP,INTEGER:0x04112233445566778899aabbccddeeff
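As an added example (editor's code, not from the post above or from OpenSSL), the Python below DER-encodes exactly the SubjectPublicKeyInfo shown in the hex dump at the top, so the DER that `openssl asn1parse -genconf <file> -noout -out <der>` writes can be compared against it byte for byte; it also emits an equivalent nconf section using the FORMAT:HEX modifier that the linked ASN1_generate_nconf(3) page documents for BITSTR contents. The point bytes are copied from the dump; the section name and helper names are assumptions.

```python
# Added example, editor's code, not from Brad's post or from OpenSSL. It DER-encodes the
# SubjectPublicKeyInfo from the hex dump above so that `openssl asn1parse -genconf`
# output can be diffed against it. Point bytes come from the dump; names are assumptions.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_bitstring(data: bytes) -> bytes:
    """BIT STRING with 0 unused bits: the leading 00 byte is encoding, not payload."""
    return der_tlv(0x03, b"\x00" + data)

EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
PRIME256V1 = "1.2.840.10045.3.1.7"    # secp256r1 / P-256

def ec_spki(point_hex: str) -> bytes:
    """SEQUENCE { SEQUENCE { OID, OID }, BIT STRING } exactly as in the dump."""
    alg = der_tlv(0x30, der_oid(EC_PUBLIC_KEY) + der_oid(PRIME256V1))
    return der_tlv(0x30, alg + der_bitstring(bytes.fromhex(point_hex)))

def nconf_section(point_hex: str) -> str:
    """Equivalent nconf text; FORMAT:HEX is the ASN1_generate_nconf(3) modifier (no 0x prefix)."""
    return ("asn1=SEQUENCE:spki\n[spki]\nalgorithm=SEQUENCE:ecdsa256_alg\n"
            f"subjectPublicKey=FORMAT:HEX,BITSTR:{point_hex}\n"
            f"[ecdsa256_alg]\nalgorithm=OID:{EC_PUBLIC_KEY}\nparameter=OID:{PRIME256V1}\n")

# Uncompressed P-256 point (04 || X || Y, 65 bytes) copied from the dump above.
POINT_HEX = ("04f4dfac6c8de5b06c5529131efe359ac6065797cac56f1b9e3bcd46f301910e"
             "2a5b93fe6bd30406446c54e7f5b5f581d4a4eb129fe7ae27f697c8f6d3e6c89b3a")
```

Call `ec_spki(POINT_HEX).hex()` for the reference bytes (30 59 30 13 ... 03 42 00 04 ...) and `nconf_section(POINT_HEX)` for the config text to feed to `openssl asn1parse -genconf`.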