Hi
I am trying to generate a csr in a c program by having the signing part
done by pkcs11 calls, and while I get no errors, the resulting csr fails
upon validation:
$ openssl req -verify -in wltx.csr
verify failure
2948:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:.\cry
pto\asn1\asn1_lib.c:150:
2948:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
header:.\c
rypto\asn1\tasn_dec.c:1306:
2948:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_SIG
2948:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:.\crypto\asn
1\a_verify.c:215:
-----BEGIN CERTIFICATE REQUEST-----
MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx
FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo
BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5
y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+
WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/
6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20
LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ
cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA
MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg
ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8
A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH
d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr
/UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0
BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ==
-----END CERTIFICATE REQUEST-----
Below is the function that generates the csr, it always succeds, but as
mentioned, the csr is still invalid
char *gen_csr(char *key_name, struct s_ekva **key_attrs)
{
BIO *bio_err = NULL,*bio_out = NULL;
X509_REQ *req=NULL;
static char *csr_buf = NULL;
int csr_len = 0;
int curr_nid;
X509_NAME *subj=NULL;
int i=0;
int rc;
CK_OBJECT_HANDLE prvkey = NULL, pubkey = NULL;
CK_RV rv;
CK_BYTE *buf_in=NULL,*buf_out=NULL, *p=NULL;
size_t inl=0,outl=0;
RSA *rsa = NULL;
CK_MECHANISM sign_mechanism;
EVP_PKEY *pkey = NULL;
FILE *req_info_file = NULL;
EVP_MD *md = EVP_sha1();
rc = p11_get_key(key_name,CKO_PRIVATE_KEY,&prvkey);
if (rc != 0) {
return NULL;
}
rc = p11_get_key(key_name,CKO_PUBLIC_KEY,&pubkey);
if (rc != 0) {
return NULL;
}
rsa = p11_key_rsa(pubkey);
if (!rsa) {
return NULL;
}
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa );
req = X509_REQ_new();
if (req == NULL) {
return NULL;
}
if (!X509_REQ_set_version(req,0L)) {
return NULL;
}
subj = X509_REQ_get_subject_name(req);
for (i=0; key_attrs[i] != NULL; i++) {
curr_nid=OBJ_txt2nid(subjattrs[i]->key);
if (curr_nid == NID_undef ) {
continue;
}
if (!X509_NAME_add_entry_by_txt(subj,key_attrs[i]->key,
MBSTRING_ASC,(unsigned char *)key_attrs[i]->val,-1,-1,0)) {
continue;
}
}
X509_REQ_set_pubkey(req, pkey);
subj=NULL;
inl=ASN1_item_i2d((void
*)req->req_info,&buf_in,ASN1_ITEM_rptr(X509_REQ_INFO));
p = buf_in;
outl=EVP_PKEY_size(pkey);
buf_out = malloc(outl);
sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS;
sign_mechanism.pParameter = NULL;
sign_mechanism.ulParameterLen = 0;
rv = p11->C_SignInit(session, &sign_mechanism, prvkey);
if (rv != CKR_OK) {
return NULL;
}
rv = p11->C_Sign(session, p,inl, buf_out, &outl);
if (rv != CKR_OK) {
return NULL;
}
req->signature->data=buf_out;
req->signature->length=outl;
req->sig_alg->algorithm = OBJ_nid2obj(md->pkey_type);
req->signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
req->signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
bio_out=BIO_new(BIO_s_file());
if (BIO_write_filename(bio_out,"my.csr") <= 0) {
return NULL;
}
if (!PEM_write_bio_X509_REQ(bio_out,req)) {
return NULL;
}
BIO_free_all(bio_out); bio_out=NULL;
csr_buf = backend_read_file("my.csr",&csr_len);
csr_buf[csr_len] = '\0';
if (buf_in) free(buf_in);
if (buf_out) free(buf_out);
if (req) X509_REQ_free(req);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
if (bio_err) {
CRYPTO_mem_leaks(bio_err);
}
if (bio_err) BIO_free(bio_err);
if (bio_out) BIO_free_all(bio_out);
return csr_buf;
}
Kind regards
Tim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
