<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>The solution was to choice a EVP by signing the certificate</p>
<p>i = X509_sign(x, CApkey, EVP_sha256());</p>
<p>Best regards</p>
<p> Andreas<br>
</p>
<div class="moz-cite-prefix">Am 09.07.2020 um 11:09 schrieb Andreas
Tengicki:<br>
</div>
<blockquote type="cite"
cite="mid:6afcb37d-1381-a449-cf87-9e9b79f6343a@autopoll.de">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello,</p>
<p>your first help in this project, helps much, but now some weeks
later, there is a new problem, and I cannot find any tipps via
google.</p>
<p>For all the coding a have looked into the openssl examples.<br>
</p>
<p>I create a private key per code, the "openssl rsa -in
test_privatekey.pem -check" is fine</p>
<p>I create a certificate request per code, "openssl req -text
-noout -verify -in test_request.pem" is fine</p>
<p>I create a certifcate via this reqeust and store it with
"PEM_write_bio_X509(out, crt);" like the others. (some more code
below)<br>
</p>
<p>Perhaps there is something wrong, but to detect this, I will
use the validation, but it cannot load the certificate to
validate it:</p>
<p><font size="-1" face="Courier New">>> openssl x509 -in
test_certificate.pem -text <br>
unable to load certificate<br>
140180222239872:error:0D07209B:asn1 encoding
routines:ASN1_get_object:too
long:../crypto/asn1/asn1_lib.c:91:<br>
140180222239872:error:0D068066:asn1 encoding
routines:asn1_check_tlen:bad object
header:../crypto/asn1/tasn_dec.c:1118:<br>
140180222239872:error:0D07803A:asn1 encoding
routines:asn1_item_embed_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:190:Type=ASN1_TIME<br>
140180222239872:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:627:Field=notBefore,
Type=X509_VAL<br>
140180222239872:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:627:Field=validity,
Type=X509_CINF<br>
140180222239872:error:0D08303A:asn1 encoding
routines:asn1_template_noexp_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509<br>
140180222239872:error:0906700D:PEM
routines:PEM_ASN1_read_bio:ASN1
lib:../crypto/pem/pem_oth.c:33:</font><br>
<br>
</p>
Thanks for any help.<br>
<br>
Best regards<br>
<br>
Andreas<br>
<br>
<p>----</p>
<p>ErrorHandling should be added in a second step, first debug
outputs (I have deleted for here) says everything is created<br>
</p>
<p><font size="-2" face="Courier New, Courier, monospace">X509*
certificate_create(const X509_REQ* req)<br>
{<br>
//openssl x509 -req -days 365 -sha256 -in server.csr -CA
ca.crt -CAkey ca.key -CAcreateserial -out server.crt<br>
<br>
if ((crt = X509_new()) == NULL);<br>
//xca = load_cert(CAfile, CAformat, "CA Certificate");<br>
BIO *bio = NULL;<br>
bio = BIO_new_file(CAfile, "r");<br>
xca = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);<br>
BIO_free(bio);<br>
<br>
upkey = X509_get0_pubkey(xca);<br>
<br>
char CAkeyile[] = "ca.key";<br>
int CAkeyformat = 5; //FORMAT_PEM<br>
char passin[] = "xyz";<br>
<br>
ENGINE *e = NULL;<br>
EVP_PKEY * CApkey = NULL;<br>
//CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e,
"CA Private Key");<br>
bio = BIO_new_file(CAkeyile, "r");<br>
CApkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, passin);<br>
BIO_free(bio);<br>
<br>
EVP_PKEY_copy_parameters(upkey, CApkey);<br>
<br>
X509_STORE *ctx = NULL;<br>
ctx = X509_STORE_new();<br>
<br>
X509_STORE_CTX *xsc = NULL;<br>
xsc = X509_STORE_CTX_new();<br>
if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, crt,
NULL));<br>
<br>
ASN1_INTEGER *serialno = NULL;<br>
serialno = ASN1_INTEGER_new();<br>
BIGNUM *btmp = NULL;<br>
btmp = BN_new();<br>
</font></p>
<p><font size="-2" face="Courier New, Courier, monospace"> #
define SERIAL_RAND_BITS 159<br>
if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY,
BN_RAND_BOTTOM_ANY));<br>
if (!BN_to_ASN1_INTEGER(btmp, serialno));<br>
BN_free(btmp);<br>
</font></p>
<p><font size="-2" face="Courier New, Courier, monospace">
X509_STORE_CTX_set_cert(xsc, crt);<br>
X509_STORE_CTX_set_flags(xsc,
X509_V_FLAG_CHECK_SS_SIGNATURE);<br>
<br>
if (!X509_check_private_key(xca, CApkey)) ;<br>
<br>
if (!X509_set_issuer_name(crt, X509_get_subject_name(xca)));<br>
if (!X509_set_serialNumber(crt, serialno));<br>
<br>
int days = 365;<br>
if (X509_time_adj_ex(X509_getm_notAfter(crt), days, 0, NULL)
== NULL);<br>
<br>
const char digestname[] = "sha256";<br>
const EVP_MD* md = EVP_get_digestbyname(digestname);<br>
EVP_MD_CTX *mctx = EVP_MD_CTX_new();<br>
EVP_PKEY_CTX *pkctx = NULL;<br>
EVP_DigestSignInit(mctx, &pkctx, md, NULL, CApkey);
//ist CApkey hier der richtige private Key? sollte eigentlich<br>
int rv = (X509_sign_ctx(crt, mctx) > 0);<br>
EVP_MD_CTX_free(mctx);<br>
<br>
BIO *out = NULL;<br>
out = BIO_new_file("test_certificate.pem", "w");<br>
PEM_write_bio_X509(out, crt);<br>
BIO_free_all(out);<br>
<br>
...some more frees ...<br>
return crt;<br>
}</font><br>
</p>
</blockquote>
</body>
</html>