How did you make your EC certificates? Here is the result (truncated as yours is) by using OpenSSL - I had to use a Name Constraint and a prime curve @ 384 for a proof-of-concept:

    ...
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:fa:b7:e7:c8:15:0b:26:5c:b4:d6:53:62:09:66:
                        7e:6e:15:05:ee:cc:2b:ff:f9:dd:8d:4f:ed:de:35:
                        56:41:ce:b4:52:4e:c5:99:46:30:b7:81:31:29:cd:
                        5f:0d:b9:a3:ec:12:c5:47:f1:0b:09:1c:76:fe:e5:
                        e2:d3:04:97:3c:ac:ad:b6:e8:83:8b:b0:c2:39:ac:
                        8e:a2:86:59:a0:0b:0a:09:b1:75:5b:2e:83:b6:7e:
                        c0:ad:8f:24:54:d4:9a
                    ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Name Constraints:
                Excluded:
                  IP:10.105.150.234/255.255.254.0
    ...

The above is the result of the following command-lines:

    openssl ecparam -out myECkey.pem -name secp384r1 -genkey
    openssl req -new -key myECkey.pem -out req.out

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Laura Arhire
Sent: Tuesday, August 18, 2009 12:55 AM
To: openssl-users@openssl.org
Subject: ecdsa public key output

Hello

I'm trying to import ecdsa certificates for a java server using the java keytool utility. After having had trouble with openssl generated certificates, I generated a certificate using the keytool utility to see what the difference is. Upon running the "openssl x509 -in cert.crt -noout -text" command on this certificate, the output I get is (only public key info for brevity):

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
                        79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
                        4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
                    *ASN1 OID: secp160k1*

Which is different from the openssl generated certificates in that it has the curve name in the public key, instead of the curve parameters.

The same data (ASN1 OID: secp160k1) in an openssl certificate is:

                    Field Type: prime-field
                    Prime:
                        00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                        ff:fe:ff:ff:ac:73
                    A:    0
                    B:    7 (0x7)
                    Generator (uncompressed):
                        04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
                        f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
                        c2:82:86:53:17:33:c3:f0:3c:4f:ee
                    Order:
                        01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
                        ab:9a:ca:16:b6:b3
                    Cofactor:  1 (0x1)

The keytool output does not seem to be incorrect according to RFC 5280, which defines

    SubjectPublicKeyInfo  ::=  SEQUENCE  {
         algorithm            AlgorithmIdentifier,
         subjectPublicKey     BIT STRING  }

    AlgorithmIdentifier  ::=  SEQUENCE  {
         algorithm               OBJECT IDENTIFIER,
         parameters              ANY DEFINED BY algorithm OPTIONAL  }

unless I am reading this wrong, but the way algorithm parameters are defined seems to allow for both variants.

I'm looking into making the java certificate store understand openssl-generated certificates (possibly with 3rd party APIs) as that would make my life easier. However, at the same time I'm trying to tackle the problem at the other end, so I was also wondering if I can get (maybe programmatically?) openssl to output the public key info in the way in which the keytool understands: the curve name instead of the curve parameters.

I've had no trouble using a client written in C with openssl to connect to the above mentioned server (using the keytool generated certificate as the server certificate), but since I need some certificate request interaction between the java and C sides, I need to look into this issue further.

Any ideas on how to get the curve name in the certificate instead of the curve parameters?
Thanks in advance,
-- Laura
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
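The two encodings compared in this thread are the two branches of the ECParameters CHOICE inside AlgorithmIdentifier.parameters: a namedCurve OBJECT IDENTIFIER (the keytool output) versus an explicit SpecifiedECDomain SEQUENCE carrying field type, prime, a, b, generator, order and cofactor (the OpenSSL output Laura quotes). The script below is an added example, not code from the thread or from the OpenSSL project: a dependency-free DER walker that reads a SubjectPublicKeyInfo and reports which branch it uses, plus small DER encoders used only to build two constructed sample SPKIs. The secp160k1 domain values and the public point are copied from the output quoted above purely as sample bytes; the curve-name table, function names and the "absent"/"implicitly_ca" labels are my own.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ID_PRIME_FIELD = "1.2.840.10045.1.1"
KNOWN_CURVES = {"1.3.132.0.9": "secp160k1", "1.3.132.0.34": "secp384r1",
                "1.2.840.10045.3.1.7": "prime256v1"}   # small table, extend as needed

def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Base-128 OID content octets -> dotted string."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, second] + arcs[1:])

def classify_ec_spki(spki_der):
    """Report how an id-ecPublicKey SubjectPublicKeyInfo encodes its ECParameters."""
    tag, spki, _ = _read_tlv(spki_der)
    tag2, alg_id, pos = _read_tlv(spki)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("SubjectPublicKeyInfo and AlgorithmIdentifier must be SEQUENCEs")
    tag, oid, p = _read_tlv(alg_id)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    result = {"param_encoding": "absent", "curve": None}   # parameters are OPTIONAL
    if p < len(alg_id):
        tag, params, _ = _read_tlv(alg_id, p)
        if tag == 0x06:                    # namedCurve: what keytool emitted
            dotted = _decode_oid(params)
            result = {"param_encoding": "named_curve", "curve": KNOWN_CURVES.get(dotted, dotted)}
        elif tag == 0x30:                  # SpecifiedECDomain: field, a, b, G, n, h spelled out
            result = {"param_encoding": "explicit", "curve": None}
        elif tag == 0x05:                  # implicitlyCA (NULL)
            result = {"param_encoding": "implicitly_ca", "curve": None}
        else:
            raise ValueError("unexpected ECParameters tag 0x%02x" % tag)
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    result["point_len"] = len(bitstr) - 1  # first octet is the unused-bits count
    return result

# --- tiny DER encoders, only needed to build the constructed samples below ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _int(n):                               # non-negative INTEGER, 0x00 pad when high bit is set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed samples: the point and secp160k1 domain values are the ones printed in
# the thread above, reused here purely as example bytes.
POINT = bytes.fromhex("0499ccaa5b7dfce1aac80ed098b2ed7965cb667e0fc2b97b28421b651a864b02dc7c5fd1211fcaf2ac")
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73
GENERATOR = bytes.fromhex("043b4c382ce37aa192a4019e763036f4f5dd4d7ebb938cf935318fdced6bc28286531733c3f03c4fee")
ORDER = 0x0100000000000000000001B8FA16DFAB9ACA16B6B3

def _spki(params_der):
    return _tlv(0x30, _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + params_der) + _tlv(0x03, b"\x00" + POINT))

def named_curve_spki():                    # keytool-style: just the curve OID
    return _spki(_oid("1.3.132.0.9"))

def explicit_params_spki():                # openssl-output-style: full domain parameters
    field = _tlv(0x30, _oid(ID_PRIME_FIELD) + _int(PRIME))
    curve = _tlv(0x30, _tlv(0x04, b"\x00") + _tlv(0x04, b"\x07"))          # a = 0, b = 7
    domain = _int(1) + field + curve + _tlv(0x04, GENERATOR) + _int(ORDER) + _int(1)
    return _spki(_tlv(0x30, domain))                                        # version .. cofactor

if __name__ == "__main__":
    print("keytool-style:", classify_ec_spki(named_curve_spki()))
    print("openssl-style:", classify_ec_spki(explicit_params_spki()))
```

To run it against a real key rather than the constructed samples, feed `classify_ec_spki` the DER that `openssl ec -in myECkey.pem -pubout -outform DER` writes, which is exactly a SubjectPublicKeyInfo. The useful check for the interoperability problem in the thread is simply whether `param_encoding` comes back as `named_curve`; `openssl ecparam` accepts `-param_enc named_curve` (or `explicit`) to choose which branch it writes, a fact about the tool rather than something stated in the thread.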