OpenSSL 3.0.8: How to decode a public key that has a non-standard OID?
Andrew Lynch
andrew.lynch at atos.net
Wed May 3 15:44:50 UTC 2023
Hi,
I am looking at porting an application that handles Card Verifiable Certificate (CVC) requests from OpenSSL 1.1.1 to 3.0.8.
The requests are basic PKCS#10 but the public key algorithm uses different OIDs. To deal with this, the application creates new objects and registers a new EVP_PKEY_ASN1_METHOD for each, copied from an existing one. This is sufficient for X509_REQ_get_pubkey() to work with OpenSSL 1.1.1. These are the main function calls minus error handling:

    OBJ_create("1.3.36.3.5.3.1", "ecc-with-sha256", "ecc-with-sha256");
    meth_default = EVP_PKEY_asn1_find(NULL, NID_X9_62_id_ecPublicKey);
    meth_new = EVP_PKEY_asn1_new(OBJ_txt2nid("ecc-with-sha256"), 0, "EC", "G2 ECC with SHA256");
    EVP_PKEY_asn1_copy(meth_new, meth_default);
    EVP_PKEY_asn1_add0(meth_new);
    ...
    req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
    pubkey = X509_REQ_get_pubkey(req);

The same code using 3.0.8 gets a decode error from X509_PUBKEY_get0. I assume this has to do with the introduction of providers and decoders in OpenSSL 3. What are my options for treating these CVC public keys like a regular ecPublicKey? Can I simply add the alternate OIDs to an existing decoder? Do I need to create my own duplicate of an existing decoder?
Regards,
Andrew.
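
An added example, not part of the original post and not OpenSSL code: one provider-independent way to treat such a key as a regular ecPublicKey is to re-encode a copy of the DER SubjectPublicKeyInfo with the CVC OID swapped for id-ecPublicKey, giving a buffer in the standard form that d2i_PUBKEY() accepts. It assumes, as the 1.1.1 code above implies by reusing the ecPublicKey method unchanged, that the parameters and key bits are already in ecPublicKey form; spki_to_ec_oid, der_hdr, der_put and SAMPLE_SPKI are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

static const unsigned char CVC_OID[] = {0x2B,0x24,0x03,0x05,0x03,0x01};      /* 1.3.36.3.5.3.1 */
static const unsigned char EC_OID[]  = {0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01}; /* id-ecPublicKey */
/* Constructed sample, not a real key: CVC OID, brainpoolP256r1 params, dummy BIT STRING. */
static const unsigned char SAMPLE_SPKI[] = {
    0x30,0x1B, 0x30,0x13, 0x06,0x06,0x2B,0x24,0x03,0x05,0x03,0x01,
    0x06,0x09,0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07, 0x03,0x04,0x00,0x04,0xAA,0xBB };

/* Parse a DER tag+length at p (n bytes available); returns header size, 0 on error. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char tag, size_t *len) {
    size_t k, i, v = 0;
    if (n < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    k = p[1] & 0x7F;                         /* long form: 1 or 2 length bytes only */
    if (k == 0 || k > 2 || n < 2 + k) return 0;
    for (i = 0; i < k; i++) v = (v << 8) | p[2 + i];
    *len = v;
    return v <= n - 2 - k ? 2 + k : 0;
}
/* Write a minimal DER tag+length (len <= 0xFFFF); returns header size. */
static size_t der_put(unsigned char *p, unsigned char tag, size_t len) {
    size_t i = 0;
    p[i++] = tag;
    if (len >= 0x100) { p[i++] = 0x82; p[i++] = (unsigned char)(len >> 8); }
    else if (len >= 0x80) p[i++] = 0x81;
    p[i++] = (unsigned char)len;
    return i;
}
/* Copy SPKI `in` to `out` with CVC_OID replaced by id-ecPublicKey; new length or -1. */
long spki_to_ec_oid(const unsigned char *in, size_t n, unsigned char *out, size_t cap) {
    size_t l1, l2, l3, l4, h1, h2, h3, h4, plen, rest, nl1, nl2;
    const unsigned char *oid; unsigned char tmp[4], *o = out;
    if (!(h1 = der_hdr(in, n, 0x30, &l1)) || h1 + l1 != n) return -1;  /* outer SEQUENCE */
    if (!(h2 = der_hdr(in + h1, l1, 0x30, &l2))) return -1;            /* AlgorithmIdentifier */
    oid = in + h1 + h2;
    if (!(h3 = der_hdr(oid, l2, 0x06, &l3))) return -1;
    if (l3 != sizeof CVC_OID || memcmp(oid + h3, CVC_OID, l3) != 0) return -1;
    plen = l2 - h3 - l3; rest = l1 - h2 - l2;   /* curve params; BIT STRING with the point */
    if (!(h4 = der_hdr(oid + l2, rest, 0x03, &l4)) || h4 + l4 != rest) return -1;
    nl2 = 2 + sizeof EC_OID + plen;             /* both enclosing lengths grow by one byte */
    nl1 = der_put(tmp, 0x30, nl2) + nl2 + rest;
    if (nl1 > 0xFFFF || cap < 4 + nl1) return -1;
    o += der_put(o, 0x30, nl1); o += der_put(o, 0x30, nl2);
    o += der_put(o, 0x06, sizeof EC_OID);
    memcpy(o, EC_OID, sizeof EC_OID);
    memcpy(o + sizeof EC_OID, oid + h3 + l3, plen + rest);  /* params + key are contiguous */
    return (long)((size_t)(o - out) + sizeof EC_OID + plen + rest);
}
```

Only the extracted key comes from the rewritten copy; the request itself stays untouched, so its signature is still checked over the original bytes.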