This is not a sure thing, but from a quick scan of your code, it looks like you are constructing an incomplete certificate in memory, which might hurt you further down the road, i.e. when transmitting the cert, which is then checked by the other party.
Specifically, check the code to construct public key carrying certificates in, for instance, x509/mkcert.c, demos/selfsign.c, and a few others: X509_new() [*] X509_set_version() // use 2 or 3 [*] X509_set_serialNumber(); [*] X509_set_notBefore() // valid from [*] X509_set_notAfter() // valid until X509_set_pubkey() [*] X509_set_subject_name() [*] X509_set_issuer_name() [*] X509_sign() see also library API call X509_REQ_to_X509(), which goes through the same motions as that call has to deliver a freshly constructed certificate; the same goal (only from a different starting point) as you mentioned. If an analogy helps to explain why you need 'all this', think of a certificate as a passport. Doesn't matter which country you live, your passport always comes with a serial (letters and numbers); if it doesn't, you have something to explain to Mr. Customs Officer. ;-) There's also the version for human passports: modern ones come with smartcards embedded and other gadgets the old ones didn't have; the country you're visiting might not accept antique ones anymore. Every passport comes with your name and picture (you = subject), shows in print in who's name it was issued (in the Netherlands, that'd be the mayor of your town, a.k.a. the issuer) and both dates are in there as well. Plus, last but not least, your signature. Your code produces a blank passport with only your signature in it. Out in the real world, that sort of thing would fetch a hefty sum in the right circles, if you get my meaning ;-) There may be other issues, but this at least should get you on the road again. Last bit: you might want to play safe and add a key check: RSA_check_key; see also the OpenSSL book. It might feel superfluous, but better safe then sorry, eh. And to test your in-memory generated cert, it might be handy to add a bit of simple test code which writes that cert to disc, so you can apply other tools to it to make sure it is /indeed/ what you need and fully comparable to your other disc-based certificates: you may require extensions or other bits in there as well to make the other party (client or server).happy. Regards, Ger On Thu, Nov 6, 2008 at 11:03 AM, Michael Simms <[EMAIL PROTECTED]> wrote: > Hi, > > I posted this last week, and a couple of people said they could help > but then, I havent heard any more. > > If someone has any ideas, they would be gratefully appreciated. > > I am having a bit of a problem generating a set of new keys. > > I have code that works just fine when using a pair of imported keys > from a file generated from the openssl commandline. > > However when I try and use RSA_generate_key, I can obtain the public > and private keypair, they validate using SSL_CTX_check_private_key, > yet, they cause SSL_connect on the client to complain > > error:0D07209B:asn1 encoding routines:ASN1_get_object:too long > > I have the code for generating the keys up for scrutiny at > > http://pastebin.com/m2dc98526 > > Any suggestions gratefully appreciated. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Met vriendelijke groeten / Best regards, Ger Hobbelt -------------------------------------------------- web: http://www.hobbelt.com/ http://www.hebbut.net/ mail: [EMAIL PROTECTED] mobile: +31-6-11 120 978 -------------------------------------------------- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
