On Wed, Jan 30, 2013, cellecial wrote:

> Hi,
>
> I write some code to generate an ECC certificate, it works partly.
> The certificate can be parsed by IE but prompt "signature corrupt".

Are you sure that version of Windows supports ECC certificates?

> So I dump the cert using X509_print_fp(), here is the information:
>
> /*=============================================*/
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 0 (0x0)
>     Signature Algorithm: ecdsa-with-SHA1
>         Issuer: C=AU, ST=SS, L=LL, O=LONG, OU=DEV,
>                 CN=CA/emailAddress=ad...@long.com
>         Validity
>             Not Before: Jan 29 07:39:02 2013 GMT
>             Not After : Jan 29 07:39:02 2014 GMT
>         Subject: C=AU, ST=SS, L=LL, O=LONG, OU=DEV,
>                  CN=CA/emailAddress=ad...@long.com
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:c6:f8:32:9a:99:ff:8f:66:f4:05:57:33:86:b1:
>                     6d:18:2b:71:38:35:67:f9:37:b6:3b:e7:fc:26:dc:
>                     9b:bc:40:76:64:53:ef:b4:1d:18:24:79:bc:93:ab:
>                     2f:5d:50:4c:63:fb:e6:4c:d5:2e:44:8b:f2:05:e9:
>                     4c:ca:4c:3d:49
>                 Field Type: prime-field
>                 Prime:
>                     00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
>                     00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
>                     ff:ff:ff
>                 A:
>                     00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
>                     00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
>                     ff:ff:fc
>                 B:
>                     5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
>                     bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
>                     60:4b
>                 Generator (uncompressed):
>                     04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
>                     40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
>                     98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
>                     7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
>                     68:37:bf:51:f5
>                 Order:
>                     00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
>                     ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
>                     63:25:51
>                 Cofactor: 1 (0x1)
>                 Seed:
>                     c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
>                     b7:81:9f:7e:90
>     Signature Algorithm: ecdsa-with-SHA1
>         30:45:02:20:1f:7a:53:12:6f:7f:79:f8:8a:f8:15:dd:f0:3a:
>         b4:cd:4e:46:1d:f3:bd:89:53:33:88:ab:c6:dc:7f:d8:4b:33:
>         02:21:00:ca:87:43:6b:35:8f:44:db:ee:56:2a:52:4a:86:8c:
>         f4:14:b3:ae:71:49:e5:1f:94:67:a5:2a:e2:c9:27:22:90
>
> /*=============================================*/
> As you can see, there are some extra info in "Public Key Info" section.
> I thought I know the reason, here is my origin code snippet:
>

That extra info is the default way the EC key is currently encoded by
OpenSSL: explicitly giving all the EC curve details. If you want it to
just use the curve name instead you have to call:

    EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org