> From: owner-openssl-us...@openssl.org On Behalf Of redpath > Sent: Monday, 28 January, 2013 14:33
> I read the public ECKEY in shown below from the x509 > > x509= PEM_read_bio_X509(bio,NULL, 0, NULL); //... > EVP_PKEY *evpkey = X509_get_pubkey(x509); > pubeckey= EVP_PKEY_get1_EC_KEY(evpkey); > BIO_free(bio); > To be safe you should check the first two (at least) for error. I'll assume/hope that was just omitted for ease of posting. > //But do I need this setting the curvetype??? > //Will it know the curve type > EC_GROUP *curve= EC_GROUP_new_by_curve_name(curvetype); > int ret= EC_KEY_set_group(pubeckey,curve); > SubjPubKeyInfo in X.509 cert for EC can and AFAICT for OpenSSL always does specify the curve, so no, you don't have to set it. Per RFC 3279 (and thus 5280) the parameters field for EC can be null to inherit from a parent cert, similar to the way DSA parameters can be inherited or provided externally. In practice I've never seen this used, I don't believe OpenSSL can generate it, and I don't believe OpenSSL can read it. Cases other than an X.509 cert may be different. > //I use this to verify the signature > > int rc = ECDSA_verify(0, result, SHA256_DIGEST_LENGTH, > signature.bytes, signature.length, pubeckey); Before using a pubkey from a cert to verify (or anything else), you should verify the cert (unless already verified in a sufficiently secure and recent manner) and check that KeyUsage and/or ExtendedKeyUsage extensions if present allow the "purpose" you are using the key for. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
