Dear Viktor, thank you very much for the tip regarding the elliptic curve to use !
2007/3/8, Victor Duchovni <[EMAIL PROTECTED]>:
On Thu, Mar 08, 2007 at 02:41:46PM +0100, Jordi Jaen Pallares wrote: > # openssl ecparam -name sect233r1 -out sect233r1.pem You might do better with "prime256v1" both in terms of performancs and security. The NSA's Suite-B uses "prime256v1" (aka secp256r1) for traffic through "SECRET" and secp384r1 for "TOP SECRET" traffic. A conservative setting may be to use 384r1 for the CA cert and 256r1 for the client/server certs, but using 256r1 everywhere a great deal stronger than (128 bit vs. 80) than the vast majority of RSA 1024-bit certs in the field and on best current attacks is approximately as strong as 3072 bit RSA. > Now, how can I retrieve the server's Public Key from the certificate and > store it in a EC_KEY data ? Why?
My idea is the following: the client sends his long term public key DER encoded and the server creates the certificate request and the certificate for the client's public key. The system works with the constraint that only the server provides a display/keyboard to enter the device name, etc, so that the client only stores their set of keys and the certificate it will get from the server. Do you think it probably is better to always exchange (self-signed) certificate requests ? (at least I will skip this problem) Anyway, I will need to extract (sooner or later) the respective EC keys from the certificate, but first I will concentrate on reading the certificate...
fp = fopen("/home/jordi/Work/test /myCA2/testcafile.cert.der", "r"); This is an X509 object. > pub = d2i_EC_PUBKEY_fp(fp, NULL); It is not an EC_PUBKEY object.
Thanks for the tip. I changed the code to read in a X509*, but I am getting errors as in the mailinglist: (I am running Linux, and I have made sure that the file pointer has been rewound before reading) <snip> X509 *pub = NULL; /* load OpenSSL stuff */ OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); fp = fopen("/home/jordi/Work/test/myCA2/testcafile.cert.der", "r"); if (!fp) { printf("Error opening file: %s (%d)\n", strerror(errno), errno); exit(-1); } printf("Opened key file...\nTrying to read the keys...\n"); printf("File offset before reading : %ld\n", ftell(fp)); pub = d2i_X509_fp(fp, NULL); printf("File offset after reading : %ld\n", ftell(fp)); if(!pub) { printf("Error in d2i_X509_fp...\n"); ERR_print_errors_fp(stderr); exit(-1); } <snap> and the errors: [EMAIL PROTECTED]:~/Work/test$ ./opencert Opened key file... Trying to read the keys... File offset before reading : 0 File offset after reading : 47 Error in d2i_X509_fp... 10976:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1291: 10976:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509 [EMAIL PROTECTED]:~/Work/test$ Unfortunately, I could find information In the documentation for the case when you read from a file pointer.: http://www.openssl.org/docs/crypto/d2i_X509.html Any hints ? Best regards, Jordi