Hello

I'm trying to import ecdsa certificates for a java server using the java keytool utility. After having had trouble with openssl generated certificates, I generated a certificate using the keytool utility to see what the difference is. Upon running the "openssl x509 -in cert.crt -noout -text" command on this certificate, the output I get is (only public key info for brevity):
       Subject Public Key Info:
           Public Key Algorithm: id-ecPublicKey
           EC Public Key:
               pub:
                   04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
                   79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
                   4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
                ASN1 OID: secp160k1

This is different from the openssl-generated certificates in that it has the curve name in the public key instead of the curve parameters. The same data (ASN1 OID: secp160k1) in an openssl certificate is:
               Field Type: prime-field
               Prime:
                   00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                   ff:fe:ff:ff:ac:73
               A:    0
               B:    7 (0x7)
               Generator (uncompressed):
                   04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
                   f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
                   c2:82:86:53:17:33:c3:f0:3c:4f:ee
               Order:
                   01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
                   ab:9a:ca:16:b6:b3
               Cofactor:  1 (0x1)

The keytool output does not seem to be incorrect according to RFC 5280, which defines
SubjectPublicKeyInfo ::= SEQUENCE {
     algorithm        AlgorithmIdentifier,
     subjectPublicKey BIT STRING }

AlgorithmIdentifier ::= SEQUENCE {
     algorithm   OBJECT IDENTIFIER,
     parameters  ANY DEFINED BY algorithm OPTIONAL }

unless I am reading this wrong, but the way algorithm parameters are defined seems to allow for both variants.


I'm looking into making the java certificate store understand openssl-generated certificates (possibly with 3rd party APIs) as that would make my life easier. However, at the same time I'm trying to tackle the problem at the other end, so I was also wondering if I can get (maybe programmatically?) openssl to output the public key info in the way in which the keytool understands: the curve name instead of the curve parameters. I've had no trouble using a client written in C with openssl to connect to the above-mentioned server (using the keytool-generated certificate as the server certificate), but since I need some certificate request interaction between the java and C sides, I need to look into this issue further.

Any ideas on how to get the curve name in the certificate instead of the curve parameters?

Thanks in advance,

--
Laura

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
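The difference between the two dumps above lives in AlgorithmIdentifier.parameters: RFC 5480 lets it be either a namedCurve OID (the keytool form) or an explicit SpecifiedECDomain SEQUENCE (the openssl form). The following stdlib-only Python is an added example, not part of the original post; it walks a DER SubjectPublicKeyInfo and reports which form it carries, and the two sample SPKIs at the bottom are constructed inline (the explicit one is abridged to its version field, and the public point is a dummy).

```python
# Added example (not from the original post): classify how an EC SubjectPublicKeyInfo encodes
# AlgorithmIdentifier.parameters (namedCurve OID vs. explicit SpecifiedECDomain). Stdlib only;
# the sample DER at the bottom is constructed here, not taken from the poster's certificate.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"                  # RFC 5480 id-ecPublicKey
ID_EC_PUBLIC_KEY_DER = bytes.fromhex("2a8648ce3d0201")  # same OID, DER content bytes
CURVE_NAMES = {"1.3.132.0.9": "secp160k1", "1.2.840.10045.3.1.7": "prime256v1"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def ec_parameter_form(spki_der):
    """Return 'namedCurve:<name>', 'explicit', 'absent' or 'not-ec' for a DER SPKI."""
    _, spki, _ = _read_tlv(spki_der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, algid, _ = _read_tlv(spki, 0)                     # AlgorithmIdentifier SEQUENCE
    tag, oid, pos = _read_tlv(algid, 0)                  # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(algid):                                # OPTIONAL in RFC 5280, required by RFC 5480
        return "absent"
    tag, params, _ = _read_tlv(algid, pos)
    if tag == 0x06:                                      # ECParameters ::= namedCurve OID (keytool form)
        oid = _decode_oid(params)
        return "namedCurve:" + CURVE_NAMES.get(oid, oid)
    if tag == 0x30:                                      # SpecifiedECDomain SEQUENCE: prime, a, b, ...
        return "explicit"
    return "unknown"

def _tlv(tag, value):                                    # DER encoder, short-form lengths only
    return bytes([tag, len(value)]) + value
def build_ec_spki(params_der, point=b"\x04\x01\x02\x03"):  # constructed SPKI with a dummy point
    algid = _tlv(0x30, _tlv(0x06, ID_EC_PUBLIC_KEY_DER) + params_der)
    return _tlv(0x30, algid + _tlv(0x03, b"\x00" + point))

NAMED_SPKI = build_ec_spki(_tlv(0x06, bytes.fromhex("2b81040009")))  # secp160k1 = 1.3.132.0.9
EXPLICIT_SPKI = build_ec_spki(_tlv(0x30, _tlv(0x02, b"\x01")))       # domain SEQUENCE, abridged to its version
```

To make OpenSSL itself emit the named form, generate the parameters or key with `openssl ecparam -name secp160k1 -param_enc named_curve` (or, in C, call EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE) before writing the key); certificates built on such a key carry the curve OID exactly as the keytool dump shows.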