Sto tentando di inviare un CSR a un server e viene firmato con successo quando generato dalla riga di comando ma non riesce con un errore (0 lunghezza ASN.1) quando generato a livello di codice. Sospetto, forse, che sia la forma lunga dei parametri della curva, ma non lo saprò fino a quando / se riuscirò a rimuoverli da quello generato in modo programmatico. Come posso specificare solo l'OID ASN1: secp521r1?
Ecco la versione della riga di comando:
openssl ecparam -out ec521.pem -name secp521r1 -genkey
openssl req -new -days 3652 -key ec521.pem -out ec.csr -outform DER
openssl req -in ec.csr -text -inform DER
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=305419896
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:e3:5d:87:42:16:da:ff:6b:10:35:dc:6a:84:
0b:78:5b:4b:d5:df:3b:fc:aa:01:d7:a6:39:57:11:
45:4c:9b:45:8e:15:64:c8:61:76:05:a2:cf:c6:e7:
23:06:00:a9:b3:a8:88:95:e4:ee:fe:e0:40:d8:d4:
9a:50:51:6f:01:2a:af:00:09:37:78:b4:ef:66:08:
81:87:19:7d:f4:1b:c7:74:49:cb:ee:bd:21:23:a4:
3b:48:a7:6f:f5:aa:d3:cb:31:38:15:2c:d1:ff:96:
57:a8:3c:5b:21:27:44:c1:88:0d:df:f9:0f:e2:43:
41:94:f2:63:bb:23:b4:e3:98:a3:62:4f:e5
ASN1 OID: secp521r1
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA1
30:81:87:02:41:04:41:99:91:31:dc:5a:6b:0a:b3:e3:01:c3:
9a:d5:1a:aa:46:74:8c:09:da:22:60:41:41:df:8e:03:ee:81:
a4:0b:e6:0a:de:b0:fd:9a:8b:c1:3c:79:5f:f8:87:9a:dd:38:
6b:e4:4f:eb:3c:a4:9a:d1:6b:a7:a8:4f:a0:94:f0:c3:02:42:
01:48:e2:6b:f1:fe:9f:3e:2e:d1:2d:65:d9:ea:e0:4e:1c:e5:
f1:4d:49:f3:f0:a9:e8:e9:7a:ff:70:98:b5:e0:20:47:c6:b8:
62:75:e9:59:51:64:96:de:eb:2b:bd:30:60:75:09:c5:4c:bb:
f1:64:c6:c0:87:50:fd:57:91:af:72:29
Ecco la versione programmatica:
openssl req -in tempcsr.der -text -inform DER
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=305419896
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:8f:e8:63:df:83:55:55:34:4d:ec:6b:d8:78:
1d:e8:03:65:48:26:3d:1c:1f:da:2a:ed:d9:2d:d5:
ed:23:e7:d2:d1:2a:b0:fb:47:57:74:8a:24:8f:0b:
81:b7:47:ad:5a:86:73:24:c7:3d:0d:d2:40:42:34:
b6:2f:b6:55:3b:a5:15:01:91:71:ca:9f:23:83:a4:
27:60:ed:45:ae:44:5c:aa:7c:3f:89:fb:25:68:21:
1b:c5:c6:b6:db:d1:59:44:5c:ef:90:b2:84:e2:a7:
38:d6:a2:51:02:6a:99:a8:ac:51:64:e6:ff:09:84:
9a:25:71:ba:ce:51:13:1c:d7:a5:41:f0:be
Field Type: prime-field
Prime:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff
A:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:fc
B:
51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
d4:6b:50:3f:00
Generator (uncompressed):
04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
b7:1e:91:38:64:09
Cofactor: 1 (0x1)
Seed:
d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
aa:a0:da:64:ba
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA1
30:81:88:02:42:00:b6:d9:11:7b:ff:db:70:e8:a5:f3:3f:67:
99:1d:97:5e:ae:ed:7e:dc:c4:c7:5b:0e:79:6a:b5:67:23:f8:
bb:f2:0e:9e:4b:df:43:41:dc:cb:e5:99:00:6e:a4:7e:9c:fe:
48:3e:8c:97:36:c7:b6:5d:55:4e:f8:2c:8a:c3:ca:b8:47:02:
42:00:a9:2d:01:58:bc:21:df:88:6b:cb:ba:f3:fc:b9:06:6b:
9e:1d:31:d5:07:5b:a1:46:51:4c:99:48:38:41:ab:59:1e:55:
1e:9d:6b:73:23:ee:e9:74:3b:da:97:73:9e:b5:b8:be:23:ef:
45:6c:61:30:31:61:a9:93:50:7b:cb:82:4d
generato come tale:
EVP_PKEY *privkey;
if ((privkey = EVP_PKEY_new()) == NULL) {
printf("Cannot allocate memory for private key.\n");
finssl();
exit(1);
}
EC_KEY *eckey;
printf("Generating ECC keypair...\n");
eckey = EC_KEY_new();
if (NULL == eckey) {
printf("Failed to create new EC Key\n");
return -1;
}
EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (NULL == ecgroup) {
printf("Failed to create new EC Group\n");
return -1;
}
int set_group_status = EC_KEY_set_group(eckey, ecgroup);
const int set_group_success = 1;
if (set_group_success != set_group_status) {
printf("Failed to set group for EC Key\n");
return -1;
}
if (!EC_KEY_generate_key(eckey)) {
printf("Failed to generate EC Key\n");
finssl();
exit(1);
}
if (!EVP_PKEY_assign_EC_KEY(privkey, eckey)) {
printf("Cannot assign keypair to private key.\n");
finssl();
exit(1);
}
X509_REQ *req;
if ((req = X509_REQ_new()) == NULL) {
printf("Cannot allocate memory for certificate request.\n");
finssl();
exit(1);
}
X509_NAME * name;
name = X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"305419896", -1, -1, 0);
X509_REQ_set_pubkey(req, privkey);
if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
printf("Cannot sign request.\n");
finssl();
exit(1);
}
const char *keyfn = "tempkey.der";
const char *csrfn = "tempcsr.der";
// write to files ...
FILE * f;
f = fopen(keyfn, "w");
i2d_PrivateKey_fp(f, privkey);
fclose(f);
f = fopen(csrfn, "w");
i2d_X509_REQ_fp(f, req);
fclose(f);