Hello

I generated the certificate programmatically, but I shall look at the ecparam.c file and see how the public key is generated there and do the same. The java keytool-generated certificate did not have any extensions attached, so I am guessing those can be stripped.

The code I used for generating a self-signed certificate is below, stripped of error handling:

  #include <stdio.h>
  #include <openssl/ec.h>
  #include <openssl/evp.h>
  #include <openssl/pem.h>
  #include <openssl/x509.h>

  FILE *f;
  X509 *x;
  X509_NAME *name;

  /* generate the EC key pair on the chosen curve */
  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp160r1);
  EC_KEY_generate_key(ec_key);
  EC_KEY_check_key(ec_key);
  EVP_PKEY *pk = EVP_PKEY_new();
  EVP_PKEY_assign_EC_KEY(pk, ec_key);   /* pk now owns ec_key */

  /* write the private key, unencrypted */
  f = fopen("root-ecdsa160.key", "w");
  PEM_write_PrivateKey(f, pk, NULL, NULL, 0, 0, NULL);
  fclose(f);

  /* build the self-signed certificate */
  x = X509_new();
  name = X509_get_subject_name(x);

  X509_set_version(x, 2);                       /* X.509 v3 */
  ASN1_INTEGER_set(X509_get_serialNumber(x), 3);
  X509_gmtime_adj(X509_get_notBefore(x), 0);
  X509_gmtime_adj(X509_get_notAfter(x), (long) 60 * 60 * 24 * 365);
  X509_set_pubkey(x, pk);
  X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                             (const unsigned char *) "Testing Team", -1, -1, 0);
  X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
                             (const unsigned char *) "client", -1, -1, 0);

  X509_set_issuer_name(x, name);                /* self-signed: issuer == subject */
  X509_sign(x, pk, EVP_ecdsa());

  f = fopen("root-ecdsa160.crt", "w");
  PEM_write_X509(f, x);
  fclose(f);


Thank you for the help.

Laura

Carlo Milono wrote:
How did you make your EC certificates?

Here is the result (truncated as yours is) by using OpenSSL - I had to
use a Name Constraint and a prime curve @ 384 for a proof-of-concept:

...
Subject Public Key Info:
     Public Key Algorithm: id-ecPublicKey
     EC Public Key:
         pub:
             04:fa:b7:e7:c8:15:0b:26:5c:b4:d6:53:62:09:66:
             7e:6e:15:05:ee:cc:2b:ff:f9:dd:8d:4f:ed:de:35:
             56:41:ce:b4:52:4e:c5:99:46:30:b7:81:31:29:cd:
             5f:0d:b9:a3:ec:12:c5:47:f1:0b:09:1c:76:fe:e5:
             e2:d3:04:97:3c:ac:ad:b6:e8:83:8b:b0:c2:39:ac:
             8e:a2:86:59:a0:0b:0a:09:b1:75:5b:2e:83:b6:7e:
             c0:ad:8f:24:54:d4:9a
         ASN1 OID: secp384r1
 X509v3 extensions:
     X509v3 Basic Constraints:
         CA:FALSE
     X509v3 Name Constraints:
         Excluded:
           IP:10.105.150.234/255.255.254.0
...

The above is the result of the following command-lines:
openssl ecparam -out myECkey.pem -name secp384r1 -genkey
openssl req -new -key myECkey.pem -out req.out

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Laura Arhire
Sent: Tuesday, August 18, 2009 12:55 AM
To: openssl-users@openssl.org
Subject: ecdsa public key output

Hello

I'm trying to import ecdsa certificates for a java server using the java keytool utility. After having had trouble with openssl generated certificates, I generated a certificate using the keytool utility to see what the difference is. Upon running the "openssl x509 -in cert.crt -noout -text" command on this certificate, the output I get is (only public key info for brevity):
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:99:cc:aa:5b:7d:fc:e1:aa:c8:0e:d0:98:b2:ed:
                    79:65:cb:66:7e:0f:c2:b9:7b:28:42:1b:65:1a:86:
                    4b:02:dc:7c:5f:d1:21:1f:ca:f2:ac
               * ASN1 OID: secp160k1*

Which is different from the openssl generated certificates in that it has the curve name in the public key, instead of the curve parameters. The same data (ASN1 OID: secp160k1) in an openssl certificate is:
                Field Type: prime-field
                Prime:
                    00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:fe:ff:ff:ac:73
                A:    0
                B:    7 (0x7)
                Generator (uncompressed):
                    04:3b:4c:38:2c:e3:7a:a1:92:a4:01:9e:76:30:36:
                    f4:f5:dd:4d:7e:bb:93:8c:f9:35:31:8f:dc:ed:6b:
                    c2:82:86:53:17:33:c3:f0:3c:4f:ee
                Order:
                    01:00:00:00:00:00:00:00:00:00:01:b8:fa:16:df:
                    ab:9a:ca:16:b6:b3
                Cofactor:  1 (0x1)

The keytool output does not seem to be incorrect according to RFC 5280, which defines
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm    AlgorithmIdentifier
subjectPublicKey BIT STRING
}

AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }

unless I am reading this wrong, but the way algorithm parameters are defined seems to allow for both variants.


I'm looking into making the java certificate store understand openssl-generated certificates (possibly with 3rd party APIs) as that would make my life easier. However, at the same time I'm trying to tackle the problem at the other end, so I was also wondering if I can get (maybe programmatically?) openssl to output the public key info in the way in which the keytool understands: the curve name instead of the curve parameters. I've had no trouble using a client written in C with openssl to connect to the above mentioned server (using the keytool generated certificate as the server certificate), but since I need some certificate request interaction between the java and C sides, I need to look into this issue further.

Any ideas on how to get the curve name in the certificate instead of the curve parameters?

Thanks in advance,


--
Laura Arhire
Software Developer, Endion Software Ltd

Calea Calarasi 249, apt. 22
0749 950 309 / 021 - 326 36 30

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
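The ASN.1 point raised in the original message (parameters is ANY DEFINED BY algorithm, so both encodings are legal) can be checked directly on the DER. The following Python is an added example, not code from this thread, from OpenSSL or from keytool: it builds an EC SubjectPublicKeyInfo in both encodings from the secp160k1 values quoted above (the keytool public point, and the prime, generator and order from the openssl dump) with a minimal DER encoder, then walks the DER to report which form the AlgorithmIdentifier parameters take. The curve-name table, the field-element length and all helper names are the example's own assumptions.

```python
"""Classify how an EC SubjectPublicKeyInfo encodes its curve: namedCurve OID
(keytool output) versus explicit ECParameters (the openssl dump in the thread).
Pure Python, no external library; added example, not part of the thread."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME_FIELD = "1.2.840.10045.1.1"
CURVE_NAMES = {"1.3.132.0.9": "secp160k1", "1.3.132.0.8": "secp160r1",
               "1.3.132.0.34": "secp384r1"}          # example's own lookup table

# --- minimal DER encoder, used only to build the constructed samples ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def enc_int(value):                     # non-negative; keeps a leading 0x00 when needed
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def enc_seq(*parts):
    return tlv(0x30, b"".join(parts))

# --- minimal DER decoder ---

def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe_ec_spki(spki_der):
    """Return which form the curve parameters take in a SubjectPublicKeyInfo."""
    tag, body, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    (_, alg_id), (_, pubkey) = der_children(body)
    alg_parts = der_children(alg_id)
    algorithm = dec_oid(alg_parts[0][1])
    if algorithm != ID_EC_PUBLIC_KEY:
        return {"form": "not-ec", "algorithm": algorithm}
    ptag, pbody = alg_parts[1]
    point_len = len(pubkey) - 1         # BIT STRING: first byte is the unused-bit count
    if ptag == 0x06:                    # namedCurve
        oid = dec_oid(pbody)
        return {"form": "named_curve", "oid": oid,
                "curve": CURVE_NAMES.get(oid, "unknown"), "point_len": point_len}
    if ptag == 0x30:                    # explicit ECParameters
        fields = der_children(pbody)    # version, fieldID, curve, base, order, cofactor
        (_, field_type), (_, prime) = der_children(fields[1][1])
        ft = dec_oid(field_type)
        return {"form": "explicit",
                "field": "prime-field" if ft == PRIME_FIELD else ft,
                "prime_bits": int.from_bytes(prime, "big").bit_length(),
                "cofactor": int.from_bytes(fields[5][1], "big") if len(fields) > 5 else None,
                "point_len": point_len}
    return {"form": "unrecognised", "param_tag": ptag}

# --- constructed samples: the secp160k1 values quoted in the thread ---

POINT = bytes.fromhex("0499ccaa5b7dfce1aac80ed098b2ed7965cb667e0fc2b97b28421b651a86"
                      "4b02dc7c5fd1211fcaf2ac")
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73
ORDER = 0x0100000000000000000001B8FA16DFAB9ACA16B6B3
GENERATOR = bytes.fromhex("043b4c382ce37aa192a4019e763036f4f5dd4d7ebb938cf935318fdced6b"
                          "c28286531733c3f03c4fee")
FIELD_LEN = 20                          # octets per field element for a 160-bit prime (assumed)

def named_curve_spki():
    return enc_seq(enc_seq(enc_oid(ID_EC_PUBLIC_KEY), enc_oid("1.3.132.0.9")),
                   tlv(0x03, b"\x00" + POINT))

def explicit_params_spki():
    params = enc_seq(enc_int(1),                                          # version
                     enc_seq(enc_oid(PRIME_FIELD), enc_int(PRIME)),       # fieldID
                     enc_seq(tlv(0x04, (0).to_bytes(FIELD_LEN, "big")),   # curve: a, b
                             tlv(0x04, (7).to_bytes(FIELD_LEN, "big"))),
                     tlv(0x04, GENERATOR), enc_int(ORDER), enc_int(1))    # base, order, cofactor
    return enc_seq(enc_seq(enc_oid(ID_EC_PUBLIC_KEY), params),
                   tlv(0x03, b"\x00" + POINT))

if __name__ == "__main__":
    for build in (named_curve_spki, explicit_params_spki):
        der = build()
        print(f"{build.__name__}: {len(der)} bytes -> {describe_ec_spki(der)}")
```

Running it shows the named-curve SPKI is a fraction of the size of the explicit one and that the decoder distinguishes the two by the tag of the parameters element alone (OBJECT IDENTIFIER versus SEQUENCE). RFC 5480, the PKIX profile for EC keys, requires the namedCurve choice and forbids explicit parameters, so the keytool form is the interoperable one; a verifier that accepted explicit parameters would have to validate the whole domain-parameter set itself. In OpenSSL the choice is made by the key's ASN.1 flag (EC_KEY_set_asn1_flag with OPENSSL_EC_NAMED_CURVE in C, or -param_enc named_curve on the ecparam command line).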
