Re: EC curve names

Tue, 22 Mar 2011 08:10:05 -0700 

Hello Stephen, all,

thanks for all the advices, I ended up doing the following:
1. Grab the Key from the Certificate
2. Cycle through the built-in curves
3. Generate a new point from the Key's group
4. if order(curve[i]) == order(key) and point is on curve[i]
   ==> curve found! ; return nid
5. i++ ; goto 4

This works. By comparing the nid with the "required" nid, I shall be
guaranteed that the key used to signed is on the specific nid.

Do you see any flaws ?

BTW, for check of point 4 -> I had to add it because otherwise I had
multiple hits on different curves. Initially I expected that that check
would be performed in the EC_POINT_is_on_curve().. maybe is a check
that should be added there ?

Cheers,
Max


On 03/22/2011 10:47 AM, Dr. Stephen Henson wrote:

On Tue, Mar 22, 2011, Massimiliano Pala wrote:


Hello Peter, all,

thanks for the hint.. but I was actually looking more at a way to check if
a certificate has been signed with one of the curves you listed. Maybe it is
not possible, but it would be nice to be able to say "this certificate has
been signed with P-256" - since this can be a requirement for rejecting or
accepting a certificate.

The other solution is to extract the key from the signer's certificate, check
the signature with it and, if it checks out, check that the key is of a
particular curve... is there any better way to do it ?



Are you talking programattically or by parsing text output of an OpenSSL
utility? It should be easy enough programatically.

BTW as regards curve names and their NID equivalents: I looked into this for
the ECDSA tests for the latest validation. There's a translation function in
fips/ecdsa/fips_ecdsavs.c which I'm fairly confident is correct as it passes
the test vectors I've thrown at it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org




--

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                   ope...@acm.org
                                                 project.mana...@openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                          Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
                                                           -- Isaac Asimov

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to