Hello

I have successfully managed to create and use certificates which contained and were signed by ECDSA keys in my own prototype program. However, upon attempting to import such a certificate in the Java certificate store, I came upon some trouble. It seems there is something wrong with the way I am generating these certificates, as the signature algorithm and the public key algorithm come up as unknown. Sorry for the lengthy message which follows.

In short, I have the following certificate in PEM format:

(prettified version to be found at bottom).

When running "openssl x509 -in wrong-root-ecdsa160.crt -noout -text" on it, I get:
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 3 (0x3)
       Signature Algorithm: UNKNOWN
       Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client
       Validity
           Not Before: Aug 17 09:19:13 2009 GMT
           Not After : Aug 17 09:19:13 2010 GMT
       Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client
       Subject Public Key Info:
           Public Key Algorithm: UNKNOWN
           Unable to load Public Key
3104:error:0D09C08F:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:104:
3104:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:228:
   Signature Algorithm: UNKNOWN
       30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d:
       13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e:
       f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87

I suspect the reason why the signature/public key algorithms come up as unknown is the same reason I can't get Java to load up this certificate as well. The code used to generate this certificate is (removed return-value testing for brevity):

   #include <stdio.h>
   #include <openssl/ec.h>
   #include <openssl/evp.h>
   #include <openssl/pem.h>
   #include <openssl/x509.h>

   // generate and sanity-check an EC key on secp160r1
   EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1);
   EC_KEY_generate_key(ec_key);
   EC_KEY_check_key(ec_key);

   FILE *f;
   X509 *x;
   EVP_PKEY *pk;
   X509_NAME *name = NULL;
   pk=EVP_PKEY_new();
   x=X509_new();
   EVP_PKEY_assign_EC_KEY(pk, ec_key);   // pk now owns ec_key

   // write the private key unencrypted (no cipher, no passphrase)
   f = fopen("wrong-root-ecdsa160.key", "w");
   PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL);
   fclose(f);

   X509_set_version(x, 2);   // value 2 means X.509 v3
   ASN1_INTEGER_set(X509_get_serialNumber(x), 3);

   // certificate validity
   X509_gmtime_adj(X509_get_notBefore(x), 0);
   X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365);
   X509_set_pubkey(x, pk);
   name = X509_get_subject_name(x);
   const char *grp = "incorrect-client";

   X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char*) "RO", -1, -1, 0);
   X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (const unsigned char*) "Incorrect Testing Team", -1, -1, 0);
   X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (const unsigned char*) grp, -1, -1, 0);

   // self-signed: the issuer name is the subject name, signed with the same key
   X509_set_issuer_name(x, name);
   X509_sign(x, pk, EVP_ecdsa());

   f = fopen("wrong-root-ecdsa160.crt", "w");
   PEM_write_X509(f, x);
   fclose(f);


I can use such a certificate without a problem in my prototype, add it to the trusted CAs, use it in client-server handshake etc. Any ideas on what I'm doing wrong and how can I get the openssl x509 command to output the correct certificate? If I run:

   FILE *root_file = fopen("wrong-root-ecdsa160.crt", "r");
   X509 *root_cert = PEM_read_X509(root_file, NULL, NULL, NULL);
   X509_print_fp(stdout, root_cert);

everything prints out as expected:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 3 (0x3)
       Signature Algorithm: ecdsa-with-SHA1
       Issuer: C=RO, CN=Incorrect Testing Team, O=incorrect-client
       Validity
           Not Before: Aug 17 09:19:13 2009 GMT
           Not After : Aug 17 09:19:13 2010 GMT
       Subject: C=RO, CN=Incorrect Testing Team, O=incorrect-client
       Subject Public Key Info:
           Public Key Algorithm: id-ecPublicKey
           EC Public Key:
               pub:
                   04:09:bc:fc:6d:cd:7d:65:a1:8d:e4:68:7e:9a:be:
                   84:d4:e2:6c:b1:4e:fe:a4:45:44:fa:0a:ca:38:d5:
                   ae:be:77:64:82:3f:77:ef:9b:a0:0f
               Field Type: prime-field
               Prime:
                   00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:7f:ff:ff:ff
               A:
                   00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:ff:7f:ff:ff:fc
               B:
                   1c:97:be:fc:54:bd:7a:8b:65:ac:f8:9f:81:d4:d4:
                   ad:c5:65:fa:45
               Generator (uncompressed):
                   04:4a:96:b5:68:8e:f5:73:28:46:64:69:89:68:c3:
                   8b:b9:13:cb:fc:82:23:a6:28:55:31:68:94:7d:59:
                   dc:c9:12:04:23:51:37:7a:c5:fb:32
               Order:
                   01:00:00:00:00:00:00:00:00:00:01:f4:c8:f9:27:
                   ae:d3:ca:75:22:57
               Cofactor:  1 (0x1)
               Seed:
                   10:53:cd:e4:2c:14:d6:96:e6:76:87:56:15:17:53:
                   3b:f3:f8:33:45
   Signature Algorithm: ecdsa-with-SHA1
       30:2e:02:15:00:9f:4d:cc:30:d1:0b:8e:ff:3b:39:07:3f:5d:
       13:7c:4f:db:ba:8a:da:02:15:00:d9:89:e4:24:15:f2:ca:9e:
       f8:39:d3:14:f4:4e:eb:20:d2:cd:1e:87


Thanks in advance,
Laura



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
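
The successful dump above lists the field, A, B, generator and order, which is how OpenSSL prints an EC key whose curve is carried as explicit ECParameters rather than as a named-curve OID. As an added example (not part of the original post), this dependency-free C check reports which form an id-ecPublicKey AlgorithmIdentifier uses; the function names and both sample byte strings are constructed here.

```c
#include <stdio.h>
#include <string.h>

enum ec_form { EC_BAD = -1, EC_NAMED = 1, EC_EXPLICIT = 2, EC_IMPLICIT = 3 };

/* Read one DER TLV header at *p. On success move *p to the value, store the
   value length in *vlen and return the tag; return -1 if it does not fit. */
static int der_next(const unsigned char **p, const unsigned char *end, size_t *vlen)
{
    const unsigned char *q = *p;
    if (end - q < 2) return -1;
    int tag = *q++;
    size_t len = *q++;
    if (len & 0x80) {                    /* long form: low 7 bits count the length octets */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;   /* value must lie inside the buffer */
    *p = q; *vlen = len;
    return tag;
}

/* Classify the parameters field of an id-ecPublicKey AlgorithmIdentifier. */
enum ec_form ec_params_form(const unsigned char *der, size_t len)
{
    static const unsigned char id_ec[] = {0x2a,0x86,0x48,0xce,0x3d,0x02,0x01}; /* 1.2.840.10045.2.1 */
    const unsigned char *p = der, *end = der + len;
    size_t n;
    if (der_next(&p, end, &n) != 0x30) return EC_BAD;     /* AlgorithmIdentifier SEQUENCE */
    end = p + n;
    if (der_next(&p, end, &n) != 0x06 || n != sizeof id_ec || memcmp(p, id_ec, n)) return EC_BAD;
    p += n;
    switch (der_next(&p, end, &n)) {
    case 0x06: return EC_NAMED;      /* namedCurve: a single curve OID */
    case 0x30: return EC_EXPLICIT;   /* ECParameters SEQUENCE: field, curve, base point, order */
    case 0x05: return EC_IMPLICIT;   /* NULL: implicitlyCA */
    default:   return EC_BAD;
    }
}

/* Constructed samples: named form with the secp160r1 OID (1.3.132.0.8), and an
   explicit form abbreviated to its version INTEGER (only the outer tag is inspected). */
static const unsigned char SAMPLE_NAMED[] = {0x30,0x10, 0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
                                             0x06,0x05,0x2b,0x81,0x04,0x00,0x08};
static const unsigned char SAMPLE_EXPLICIT[] = {0x30,0x0e, 0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
                                                0x30,0x03,0x02,0x01,0x01};
int main(void)
{
    printf("named=%d explicit=%d\n", ec_params_form(SAMPLE_NAMED, sizeof SAMPLE_NAMED),
           ec_params_form(SAMPLE_EXPLICIT, sizeof SAMPLE_EXPLICIT));
    return 0;
}
```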
