creating certificate by code / problems to load via openssl x509 / pem format

Andreas Tengicki tengicki at autopoll.de
Thu Dec 10 09:39:06 UTC 2020


The solution was to choose an EVP digest when signing the certificate

i = X509_sign(x, CApkey, EVP_sha256());

Best regards

   Andreas

On 09.07.2020 at 11:09, Andreas Tengicki wrote:
>
> Hello,
>
> your first help on this project helped a lot, but now, some weeks later, 
> there is a new problem, and I cannot find any tips via Google.
>
> For all the coding I have looked into the openssl examples.
>
> I create a private key in code; "openssl rsa -in 
> test_privatekey.pem -check" is fine.
>
> I create a certificate request in code; "openssl req -text -noout 
> -verify -in test_request.pem" is fine.
>
> I create a certificate from this request and store it with 
> "PEM_write_bio_X509(out, crt);" like the others. (Some more code below.)
>
> Perhaps there is something wrong, but to detect this I want to use the 
> validation, and it cannot load the certificate to validate it:
>
> >> openssl x509 -in test_certificate.pem -text
> unable to load certificate
> 140180222239872:error:0D07209B:asn1 encoding 
> routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
> 140180222239872:error:0D068066:asn1 encoding 
> routines:asn1_check_tlen:bad object header:../crypto/asn1/tasn_dec.c:1118:
> 140180222239872:error:0D07803A:asn1 encoding 
> routines:asn1_item_embed_d2i:nested asn1 
> error:../crypto/asn1/tasn_dec.c:190:Type=ASN1_TIME
> 140180222239872:error:0D08303A:asn1 encoding 
> routines:asn1_template_noexp_d2i:nested asn1 
> error:../crypto/asn1/tasn_dec.c:627:Field=notBefore, Type=X509_VAL
> 140180222239872:error:0D08303A:asn1 encoding 
> routines:asn1_template_noexp_d2i:nested asn1 
> error:../crypto/asn1/tasn_dec.c:627:Field=validity, Type=X509_CINF
> 140180222239872:error:0D08303A:asn1 encoding 
> routines:asn1_template_noexp_d2i:nested asn1 
> error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
> 140180222239872:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 
> lib:../crypto/pem/pem_oth.c:33:
>
> Thanks for any help.
>
> Best regards
>
>   Andreas
>
> ----
>
> Error handling should be added in a second step; for now the debug outputs (which I 
> have deleted here) say everything is created.
>
> #include <openssl/bio.h>
> #include <openssl/bn.h>
> #include <openssl/evp.h>
> #include <openssl/pem.h>
> #include <openssl/x509.h>
> #include <openssl/x509_vfy.h>
>
> // Not shown in the original message; assumed to be file-scope variables
> // (the CA file name is taken from the openssl command quoted below).
> static char CAfile[] = "ca.crt";
> static X509 *xca = NULL;
> static EVP_PKEY *upkey = NULL;
> static X509 *crt = NULL;
>
> X509* certificate_create(const X509_REQ* req)
> {
>   // CLI equivalent of what this function is meant to do:
>   // openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
>
>   // Error handling is deferred: the empty "if (...);" statements are placeholders.
>   if ((crt = X509_new()) == NULL);
>
>   // Load the CA certificate.
>   //xca = load_cert(CAfile, CAformat, "CA Certificate");
>   BIO *bio = NULL;
>   bio = BIO_new_file(CAfile, "r");
>   xca = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
>   BIO_free(bio);
>
>   upkey = X509_get0_pubkey(xca);
>
>   char CAkeyfile[] = "ca.key";
>   int CAkeyformat = 5; //FORMAT_PEM
>   char passin[] = "xyz";
>
>   // Load the CA private key; with a NULL callback, passin is used as the passphrase.
>   ENGINE *e = NULL;
>   EVP_PKEY * CApkey = NULL;
>   //CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key");
>   bio = BIO_new_file(CAkeyfile, "r");
>   CApkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, passin);
>   BIO_free(bio);
>
>   EVP_PKEY_copy_parameters(upkey, CApkey);
>
>   X509_STORE *ctx = NULL;
>   ctx = X509_STORE_new();
>
>   X509_STORE_CTX *xsc = NULL;
>   xsc = X509_STORE_CTX_new();
>   if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, crt, NULL));
>
>   // Random 159-bit serial number.
>   ASN1_INTEGER *serialno = NULL;
>   serialno = ASN1_INTEGER_new();
>   BIGNUM *btmp = NULL;
>   btmp = BN_new();
>
>   #define SERIAL_RAND_BITS        159
>   if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY));
>   if (!BN_to_ASN1_INTEGER(btmp, serialno));
>   BN_free(btmp);
>
>   X509_STORE_CTX_set_cert(xsc, crt);
>   X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
>
>   if (!X509_check_private_key(xca, CApkey)) ;
>
>   if (!X509_set_issuer_name(crt, X509_get_subject_name(xca)));
>   if (!X509_set_serialNumber(crt, serialno));
>
>   // Only notAfter is set here; notBefore is never touched, and the decoder
>   // error quoted above fails on exactly that field (Field=notBefore, Type=X509_VAL).
>   int days = 365;
>   if (X509_time_adj_ex(X509_getm_notAfter(crt), days, 0, NULL) == NULL);
>
>   const char digestname[] = "sha256";
>   const EVP_MD* md = EVP_get_digestbyname(digestname);
>   EVP_MD_CTX *mctx = EVP_MD_CTX_new();
>   EVP_PKEY_CTX *pkctx = NULL;
>   EVP_DigestSignInit(mctx, &pkctx, md, NULL, CApkey); // is CApkey the right private key here? It should be
>   int rv = (X509_sign_ctx(crt, mctx) > 0);
>   EVP_MD_CTX_free(mctx);
>
>   BIO *out = NULL;
>   out = BIO_new_file("test_certificate.pem", "w");
>   PEM_write_bio_X509(out, crt);
>   BIO_free_all(out);
>
>   // ...some more frees ...
>   return crt;
> }
>


More information about the openssl-users mailing list