odd error for ECDSA key in REQ.

Frank Migge fm at frank4dd.com
Sat Aug 8 02:16:56 UTC 2020


Hi Dirk-Willem,

Something is wrong with your EC key. The error mentions that it can't
get the curve points from the key data. How did you generate the key?

If it helps, here is a working CSR example, using a prime256v1 key for
comparison:

-----BEGIN CERTIFICATE REQUEST-----
MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
+8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
-----END CERTIFICATE REQUEST-----


$ openssl req -inform PEM -noout -pubkey -in test.csr
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
-----END PUBLIC KEY-----


On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
> Below CSR gives me an odd error with the standard openssl REQ
> command:
> 
> 	openssl req -inform DER -noout -pubkey
> 
> 	Error getting public key
> 
> 	140673482679616:error:10067066:elliptic curve
> routines:ec_GFp_simple_oct2point:invalid
> encoding:../crypto/ec/ecp_oct.c:312:
> 	140673482679616:error:10098010:elliptic curve
> routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
> 	140673482679616:error:100D708E:elliptic curve
> routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
> 	140673482679616:error:0B09407D:x509 certificate
> routines:x509_pubkey_decode:public key decode
> error:../crypto/x509/x_pubkey.c:125:
> 
> Even though the ASN1 of the public key looks correct to me:
> 
>     SEQUENCE (2 elem)
>       SEQUENCE (2 elem)
>         OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62
> public key type)
>         OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62
> named elliptic curve)
>       BIT STRING (536 bit)
> 000001000100000100000100001110010011001110011100011010001010010110100
> 0…
>         OCTET STRING (65 byte)
> 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC71556
> 1…
> 
> What would be a good way to further debug this ?
> 
> With kind regards,
> 
> Dw
> 
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
> -----END CERTIFICATE REQUEST-----


-- 
Frank Migge
http://fm4dd.com | public at frank4dd.com
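
Added example, not part of the original message and not OpenSSL code: a stdlib-only Python check that walks the DER of the two keys posted in this thread and reports how the EC point is carried inside the subjectPublicKey BIT STRING. The function names are hypothetical; it assumes P-256 keys, definite-length DER and single-byte tags.

```python
import base64

# Both inputs are copied from this page: the failing CSR from the quoted
# message and the public key that `openssl req -pubkey` printed in the reply.
FAILING_CSR = base64.b64decode(
    "MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT"
    "AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT"
    "Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw"
    "EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1"
    "T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI"
    "KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy"
    "AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=")
WORKING_SPKI = base64.b64decode(
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy"
    "vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==")

def children(der):
    """Split DER bytes into a list of (tag, content), one per TLV found."""
    out, pos = [], 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        if pos + length > len(der):
            raise ValueError("truncated DER")
        out.append((tag, der[pos:pos + length]))
        pos += length
    return out

def spki_of_csr(csr):
    """Return the SubjectPublicKeyInfo content of a PKCS#10 request."""
    request_info = children(children(csr)[0][1])[0][1]
    return children(request_info)[2][1]  # fields: version, subject, subjectPKInfo

def classify_p256_key(spki):
    """Describe how the EC point is carried in the SPKI BIT STRING."""
    _alg, (tag, bits) = children(spki)
    if tag != 0x03 or bits[0] != 0:
        return "not a byte-aligned BIT STRING"
    point = bits[1:]  # drop the unused-bits octet
    if len(point) == 65 and point[0] == 0x04:
        return "raw uncompressed point"
    if point[0] == 0x04 and point[1] == len(point) - 2:
        return "point wrapped in an extra OCTET STRING"
    return "unexpected encoding"

def report():
    return (classify_p256_key(children(WORKING_SPKI)[0][1]),
            classify_p256_key(spki_of_csr(FAILING_CSR)))
```

For the quoted CSR this reports the wrapped form, matching the "OCTET STRING (65 byte)" nested under the 536-bit BIT STRING in the ASN.1 dump; the working key carries the 65-byte point directly in the BIT STRING.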


