creating certificate by code / problems to load via openssl x509 / pem format

Tomas Mraz tmraz at redhat.com
Thu Dec 10 10:42:37 UTC 2020


On Thu, 2020-12-10 at 10:39 +0100, Andreas Tengicki wrote:
> The solution was to choose an EVP when signing the certificate
> 
> i = X509_sign(x, CApkey, EVP_sha256());

I do not really think this was the problem. In the code below you do
not set the notBefore time which is actually indicated by the parsing
errors when you try to load the invalid certificate.

> Best regards
> 
>   Andreas
> 
> On 09.07.2020 at 11:09, Andreas Tengicki wrote:
> > Hello,
> > 
> > your first help in this project helped a lot, but now, some weeks
> > later, there is a new problem, and I cannot find any tips via
> > Google.
> > 
> > For all the coding I have looked into the openssl examples.
> > 
> > I create a private key in code; "openssl rsa -in
> > test_privatekey.pem -check" is fine
> > 
> > I create a certificate request in code; "openssl req -text -noout
> > -verify -in test_request.pem" is fine
> > 
> > I create a certificate via this request and store it with
> > "PEM_write_bio_X509(out, crt);" like the others. (some more code
> > below)
> > 
> > Perhaps there is something wrong, but to detect this, I will use
> > the validation, but it cannot load the certificate to validate it:
> > 
> > >> openssl x509 -in test_certificate.pem -text
> > unable to load certificate
> > 140180222239872:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
> > 140180222239872:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:../crypto/asn1/tasn_dec.c:1118:
> > 140180222239872:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:190:Type=ASN1_TIME
> > 140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=notBefore, Type=X509_VAL
> > 140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=validity, Type=X509_CINF
> > 140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
> > 140180222239872:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:
> > 
> > 
> > Thanks for any help.
> > 
> > Best regards
> > 
> >   Andreas
> > 
> > ----
> > 
> > Error handling should be added in a second step; the first debug outputs
> > (which I have deleted here) say everything is created
> > 
> > #include <openssl/bio.h>
> > #include <openssl/bn.h>
> > #include <openssl/evp.h>
> > #include <openssl/pem.h>
> > #include <openssl/x509.h>
> > #include <openssl/engine.h>
> > 
> > X509* certificate_create(const X509_REQ* req)
> > {
> >   // openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
> >   // (the empty "if (...);" statements are placeholders; error handling is added in a second step)
> >   X509 *crt = NULL;
> >   X509 *xca = NULL;        // CA certificate
> >   EVP_PKEY *upkey = NULL;  // CA public key
> >   char CAfile[] = "ca.crt";
> > 
> >   if ((crt = X509_new()) == NULL);
> >   //xca = load_cert(CAfile, CAformat, "CA Certificate");
> >   BIO *bio = NULL;
> >   bio = BIO_new_file(CAfile, "r");
> >   xca = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
> >   BIO_free(bio);
> > 
> >   upkey = X509_get0_pubkey(xca);
> > 
> >   char CAkeyfile[] = "ca.key";
> >   int CAkeyformat = 5; //FORMAT_PEM
> >   char passin[] = "xyz";
> > 
> >   ENGINE *e = NULL;
> >   EVP_PKEY * CApkey = NULL;
> >   //CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key");
> >   bio = BIO_new_file(CAkeyfile, "r");
> >   CApkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, passin);
> >   BIO_free(bio);
> > 
> >   EVP_PKEY_copy_parameters(upkey, CApkey);
> > 
> >   X509_STORE *ctx = NULL;
> >   ctx = X509_STORE_new();
> > 
> >   X509_STORE_CTX *xsc = NULL;
> >   xsc = X509_STORE_CTX_new();
> >   if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, crt, NULL));
> > 
> >   ASN1_INTEGER *serialno = NULL;
> >   serialno = ASN1_INTEGER_new();
> >   BIGNUM *btmp = NULL;
> >   btmp = BN_new();
> > 
> >   # define SERIAL_RAND_BITS        159
> >   if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY));
> >   if (!BN_to_ASN1_INTEGER(btmp, serialno));
> >   BN_free(btmp);
> > 
> >   X509_STORE_CTX_set_cert(xsc, crt);
> >   X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
> > 
> >   if (!X509_check_private_key(xca, CApkey)) ;
> > 
> >   if (!X509_set_issuer_name(crt, X509_get_subject_name(xca)));
> >   if (!X509_set_serialNumber(crt, serialno));
> > 
> >   int days = 365;
> >   // sets notAfter (notBefore is not set anywhere in this function)
> >   if (X509_time_adj_ex(X509_getm_notAfter(crt), days, 0, NULL) == NULL);
> > 
> >   const char digestname[] = "sha256";
> >   const EVP_MD* md = EVP_get_digestbyname(digestname);
> >   EVP_MD_CTX *mctx = EVP_MD_CTX_new();
> >   EVP_PKEY_CTX *pkctx = NULL;
> >   EVP_DigestSignInit(mctx, &pkctx, md, NULL, CApkey);  // is CApkey the right private key here? it should actually be
> >   int rv = (X509_sign_ctx(crt, mctx) > 0);
> >   EVP_MD_CTX_free(mctx);
> > 
> >   BIO *out = NULL;
> >   out = BIO_new_file("test_certificate.pem", "w");
> >   PEM_write_bio_X509(out, crt);
> >   BIO_free_all(out);
> > 
> >   ...some more frees ...
> >   return crt;
> > }
> > 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




More information about the openssl-users mailing list