Dear Viktor,
thank you very much for the tip regarding the elliptic curve to use !
2007/3/8, Victor Duchovni <[EMAIL PROTECTED]>:
On Thu, Mar 08, 2007 at 02:41:46PM +0100, Jordi Jaen Pallares wrote:
> # openssl ecparam -name sect233r1 -out sect233r1.pem
You might do better with "prime256v1" both in terms of performancs
and security. The NSA's Suite-B uses "prime256v1" (aka secp256r1)
for traffic through "SECRET" and secp384r1 for "TOP SECRET" traffic. A
conservative setting may be to use 384r1 for the CA cert and 256r1 for the
client/server certs, but using 256r1 everywhere a great deal stronger than
(128 bit vs. 80) than the vast majority of RSA 1024-bit certs in the field
and on best current attacks is approximately as strong as 3072 bit RSA.
> Now, how can I retrieve the server's Public Key from the certificate and
> store it in a EC_KEY data ?
Why?
My idea is the following: the client sends his long term public key DER
encoded and the server
creates the certificate request and the certificate for the client's public
key.
The system works with the constraint that only the server provides a
display/keyboard to enter
the device name, etc, so that the client only stores their set of keys and
the certificate it will get
from the server.
Do you think it probably is better to always exchange (self-signed)
certificate requests ?
(at least I will skip this problem)
Anyway, I will need to extract (sooner or later) the respective EC keys from
the certificate, but first
I will concentrate on reading the certificate...
fp = fopen("/home/jordi/Work/test /myCA2/testcafile.cert.der", "r");
This is an X509 object.
> pub = d2i_EC_PUBKEY_fp(fp, NULL);
It is not an EC_PUBKEY object.
Thanks for the tip. I changed the code to read in a X509*, but I am getting
errors as in the mailinglist:
(I am running Linux, and I have made sure that the file pointer has been
rewound before reading)
<snip>
X509 *pub = NULL;
/* load OpenSSL stuff */
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
fp = fopen("/home/jordi/Work/test/myCA2/testcafile.cert.der", "r");
if (!fp) {
printf("Error opening file: %s (%d)\n", strerror(errno), errno);
exit(-1);
}
printf("Opened key file...\nTrying to read the keys...\n");
printf("File offset before reading : %ld\n", ftell(fp));
pub = d2i_X509_fp(fp, NULL);
printf("File offset after reading : %ld\n", ftell(fp));
if(!pub) {
printf("Error in d2i_X509_fp...\n");
ERR_print_errors_fp(stderr);
exit(-1);
}
<snap>
and the errors:
[EMAIL PROTECTED]:~/Work/test$ ./opencert
Opened key file...
Trying to read the keys...
File offset before reading : 0
File offset after reading : 47
Error in d2i_X509_fp...
10976:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1291:
10976:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=X509
[EMAIL PROTECTED]:~/Work/test$
Unfortunately, I could find information In the documentation for the case
when you read from a file pointer.:
http://www.openssl.org/docs/crypto/d2i_X509.html
Any hints ?
Best regards,
Jordi
