Re: odd error for ECDSA key in REQ.
Erwann Abalea
Erwann.Abalea at docusign.com
Mon Aug 10 08:32:19 UTC 2020
The key itself is good. Its encoding in the CSR isn't.
Looks like the public key was X9.62 encoded in its uncompressed form (i.e. starting with a 04 octet, followed by the octets composing the x and y coordinates), then wrapped into an ASN.1 OCTET STRING (i.e. using the 04 tag, plus a 0x41 length, and then the encoded public key), and finally the BIT STRING encapsulation.
The OCTET STRING is wrong here.
Kind regards,
Erwann Abalea
On 08/08/2020 14:24, "openssl-users on behalf of Dirk-Willem van Gulik" <openssl-users-bounces at openssl.org on behalf of dirkx at webweaving.org> wrote:
The key is generated by a lovely HSM, which is by its nature a bit of a closed box, and whose vendor is very sure its software is right.
So this helps a lot, and helps confirm what we thought!
Thanks,
Dw
> On 8 Aug 2020, at 04:16, Frank Migge <fm at frank4dd.com> wrote:
>
> Hi Dirk-Willem,
>
> Something is wrong with your EC key. The error mentions that it can't
> get the curve points from the key data. How did you generate the key?
>
> If it helps, here is a working CSR example, using a prime256v1 key for
> comparison:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
> bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
> +8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
> zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
> hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
> IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
> -----END CERTIFICATE REQUEST-----
>
>
> $ openssl req -inform PEM -noout -pubkey -in test.csr
> -----BEGIN PUBLIC KEY-----
> MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
> vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
> -----END PUBLIC KEY-----
>
>
> On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
>> Below CSR gives me an odd error with the standard openssl REQ
>> command:
>>
>> openssl req -inform DER -noout -pubkey
>>
>> Error getting public key
>>
>> 140673482679616:error:10067066:elliptic curve
>> routines:ec_GFp_simple_oct2point:invalid
>> encoding:../crypto/ec/ecp_oct.c:312:
>> 140673482679616:error:10098010:elliptic curve
>> routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
>> 140673482679616:error:100D708E:elliptic curve
>> routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
>> 140673482679616:error:0B09407D:x509 certificate
>> routines:x509_pubkey_decode:public key decode
>> error:../crypto/x509/x_pubkey.c:125:
>>
>> Even though the ASN1 of the public key looks correct to me:
>>
>> SEQUENCE (2 elem)
>> SEQUENCE (2 elem)
>> OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62
>> public key type)
>> OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62
>> named elliptic curve)
>> BIT STRING (536 bit)
>> 000001000100000100000100001110010011001110011100011010001010010110100
>> 0…
>> OCTET STRING (65 byte)
>> 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC71556
>> 1…
>>
>> What would be a good way to further debug this ?
>>
>> With kind regards,
>>
>> Dw
>>
>> -----BEGIN CERTIFICATE REQUEST-----
>> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
>> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
>> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
>> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
>> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
>> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
>> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
>> -----END CERTIFICATE REQUEST-----
>
>
> --
> Frank Migge
> http://fm4dd.com | public at frank4dd.com
>
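To make Erwann's diagnosis checkable, here is a small Python script added to this page (it is not code from the thread, from the HSM vendor or from OpenSSL). It walks the DER of both CSRs quoted above with a minimal TLV reader, pulls out the subjectPublicKey BIT STRING, and classifies its payload: a well-formed prime256v1 key is exactly 65 bytes (04 || x || y), whereas the HSM's output is 67 bytes because the point was first wrapped in an OCTET STRING TLV (04 41 ...). The leading 0x04 is both the X9.62 "uncompressed" marker and the OCTET STRING tag, which is why the ASN.1 dump looks plausible at a glance and why OpenSSL's oct2point rejects it as "invalid encoding" (it expects 65 bytes, not 67). The script also verifies the unwrapped point satisfies the P-256 curve equation and rebuilds a canonical SubjectPublicKeyInfo. Function names, the result dictionary and the constants copied from the thread are this example's own; the P-256 parameters are the standard ones.

```python
import base64

# CSR from Dirk-Willem's message (the one openssl rejects), copied from the thread.
BAD_CSR_B64 = (
    "MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT"
    "AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT"
    "Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw"
    "EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1"
    "T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI"
    "KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy"
    "AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo="
)
# Frank's working prime256v1 CSR, and the public key openssl extracts from it.
GOOD_CSR_B64 = (
    "MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp"
    "bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy"
    "+8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS"
    "zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq"
    "hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C"
    "IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ=="
)
GOOD_SPKI_B64 = (
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy"
    "vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg=="
)

ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # OID 1.2.840.10045.3.1.7

# P-256 domain parameters: y^2 = x^3 - 3x + b (mod p), used for the on-curve check.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def pem_body_to_der(b64):
    """Decode the base64 body of a PEM block (header/footer lines already removed)."""
    return base64.b64decode(b64)


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content, end_offset, raw_tlv)."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], end, buf[pos:end]


def der_len(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def spki_from_csr(csr_der):
    """Walk CertificationRequest -> certificationRequestInfo -> subjectPKInfo.
    Returns (AlgorithmIdentifier raw TLV, BIT STRING payload without the unused-bits octet)."""
    tag, cr, _, _ = read_tlv(csr_der)                  # CertificationRequest SEQUENCE
    assert tag == 0x30
    tag, cri, _, _ = read_tlv(cr)                      # CertificationRequestInfo SEQUENCE
    assert tag == 0x30
    _, _, pos, _ = read_tlv(cri)                       # version INTEGER
    _, _, pos, _ = read_tlv(cri, pos)                  # subject Name
    tag, spki, _, _ = read_tlv(cri, pos)               # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30
    tag, _, pos, algid = read_tlv(spki)                # AlgorithmIdentifier (kept raw)
    assert tag == 0x30
    tag, bits, _, _ = read_tlv(spki, pos)              # subjectPublicKey BIT STRING
    assert tag == 0x03 and bits[0] == 0                # first octet = number of unused bits
    return algid, bits[1:]


def diagnose_point(spk):
    """Classify the BIT STRING payload for a prime256v1 key."""
    if len(spk) == 65 and spk[0] == 0x04:              # 04 || x(32) || y(32): correct
        return "ok", spk
    if len(spk) == 67 and spk[:2] == b"\x04\x41" and spk[2] == 0x04:
        return "octet-string-wrapped", spk[2:]         # OCTET STRING TLV around the point
    return "unrecognised", None


def on_p256_curve(point):
    """True if the uncompressed point satisfies the P-256 curve equation."""
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0


def build_spki(algid_tlv, point):
    """Re-encode a canonical SubjectPublicKeyInfo: SEQUENCE { algid, BIT STRING point }."""
    bitstr = b"\x03" + der_len(len(point) + 1) + b"\x00" + point
    body = algid_tlv + bitstr
    return b"\x30" + der_len(len(body)) + body


def analyze_csr(csr_b64):
    """Return a dict describing how the EC public key inside the CSR is encoded."""
    algid, spk = spki_from_csr(pem_body_to_der(csr_b64))
    status, point = diagnose_point(spk)
    result = {"status": status, "bitstring_len": len(spk),
              "prime256v1": ID_PRIME256V1 in algid}
    if point is not None:
        result["on_curve"] = on_p256_curve(point)
        result["spki_der"] = build_spki(algid, point)
    return result


if __name__ == "__main__":
    for name, b64 in (("Frank's CSR", GOOD_CSR_B64), ("HSM CSR", BAD_CSR_B64)):
        r = analyze_csr(b64)
        print(f"{name}: {r['status']}, BIT STRING payload {r['bitstring_len']} bytes, "
              f"point on curve: {r.get('on_curve')}")
```

For Frank's CSR the rebuilt SubjectPublicKeyInfo is byte-for-byte the DER behind the PEM public key he posted, since DER is canonical. For the HSM CSR the rebuilt SPKI is something `openssl pkey -pubin -inform DER` will accept, which is useful for confirming that the key material itself is sound, but it is not a repair of the CSR: the signature covers the original CertificationRequestInfo, so re-encoding the key inside it would invalidate the CSR. The encoding has to be corrected where the CSR is produced, i.e. in the HSM or the tooling in front of it.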