Hi,

Earlier, I had the same problem as the one described at the URL below:
http://www.bouncycastle.org/csharpdevmailarchive/msg00376.html

(The output of the CSR was padded with 0x00 and 0xFF values when creating a CSR with an ECDSA key pair. Everything works fine with an RSA key pair, however.)

I solved it by explicitly setting the OID of the current X962 named curve instead of setting ECCurves as DomainParameters. The CSR is now generated correctly.

The CSR result now is:

[Base64-encoded CSR omitted]

My incorrect CSR was:

[Base64-encoded CSR omitted]

Here is the code that solves the issue:

    using Org.BouncyCastle.Asn1;
    using Org.BouncyCastle.Asn1.X509;
    using Org.BouncyCastle.Crypto.Generators;
    using Org.BouncyCastle.Crypto.Parameters;
    using Org.BouncyCastle.Pkcs;
    using Org.BouncyCastle.Security;

    [Test]
    public void Test()
    {
        var ecKeyPairGenerator = new ECKeyPairGenerator("ECDSA");

        // Pass the named-curve OID rather than explicit domain parameters.
        var oid = new DerObjectIdentifier("1.3.132.0.35");
        var ecKeyGenerationParameters = new ECKeyGenerationParameters(oid, new SecureRandom());
        ecKeyPairGenerator.Init(ecKeyGenerationParameters);
        var ecKeyPair = ecKeyPairGenerator.GenerateKeyPair();

        var csr = new Pkcs10CertificationRequest("SHA1withECDSA", new X509Name("CN=Test"),
            ecKeyPair.Public, null, ecKeyPair.Private);
    }

But now, I have exactly the same issue when I try to reuse the same public key to make a new CSR with the same key pair. I've tried to get the public key (GetPublicKey()) from a Pkcs12Store, a binary file and the current CSR binary object, but the CSR will still be padded with zeros even if the CSR was correctly generated the first time.

Example of getting the public key and private key from Pkcs12Store:

    // bytes (the PKCS#12 data) and password are supplied by the caller.
    using (var ms = new MemoryStream(bytes))
    {
        var store = new Pkcs12Store();
        store.Load(ms, password);

        var storeCert = store.GetCertificate("CertificateEntry");
        var storeKey = store.GetKey("KeyEntry");

        // Key pair rebuilt from the stored certificate and key entry.
        var publicKey = storeCert.Certificate.GetPublicKey();
        var privateKey = storeKey.Key;
        var keyPair = new AsymmetricCipherKeyPair(publicKey, privateKey);

        var csr = new Pkcs10CertificationRequest("SHA1withECDSA", new X509Name("CN=Test"),
            keyPair.Public, null, keyPair.Private);
    }

The result of the same key pair generates an invalid CSR again:

[Base64-encoded CSR omitted]

My question: Is there any way to set a specific OID when I use GetPublicKey(), or maybe use another type of encoding to solve this issue?

Regards,
Jonas Soderberg
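
Added example, not part of the original post or of Bouncy Castle: a standard-library Python check that reports whether a PKCS#10 request carries its EC parameters as a named-curve OID or as explicit domain parameters, which is the difference between the two kinds of CSR described above. The helper names and the two sample requests (stub subject, key and signature) are constructed for illustration.

```python
EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ec_param_form(csr_der):
    """Return 'named:<oid>', 'explicit', 'implicit', 'unknown' or 'not-ec'."""
    _, req, _ = read_tlv(csr_der, 0)   # CertificationRequest
    _, info, _ = read_tlv(req, 0)      # CertificationRequestInfo
    _, _, p = read_tlv(info, 0)        # version
    _, _, p = read_tlv(info, p)        # subject Name
    _, spki, _ = read_tlv(info, p)     # SubjectPublicKeyInfo
    _, alg, _ = read_tlv(spki, 0)      # AlgorithmIdentifier
    tag, oid, p = read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(oid) != EC_PUBLIC_KEY:
        return "not-ec"
    tag, params, _ = read_tlv(alg, p)  # ECParameters CHOICE
    if tag == 0x06:                    # namedCurve OID
        return "named:" + decode_oid(params)
    return {0x30: "explicit", 0x05: "implicit"}.get(tag, "unknown")

def tlv(tag, body):  # tiny DER encoder for the constructed samples (len < 256)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body
def sample_csr(params):  # constructed stub: empty subject, dummy key and signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + params)
    spki = tlv(0x30, alg + tlv(0x03, b"\x00\x04" + b"\x11" * 8))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
NAMED = sample_csr(tlv(0x06, bytes.fromhex("2b81040023")))
EXPLICIT = sample_csr(tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x00" + b"\xff" * 130)))
```

To check a real request, base64-decode the PEM body and pass the resulting DER bytes to ec_param_form().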
