On 3/22/2011 9:25 AM, Massimiliano Pala wrote:
> Hello Peter, all, thanks for the hint.. but I was actually looking more at a way to check if a certificate has been signed with one of the curves you listed. Maybe it is not possible, but it would be nice to be able to say "this certificate has been signed with P-256" - since this can be a requirement for rejecting or accepting a certificate.

Even if the certificate contained the curve name, the only way to verify that it is correct is to check the signature. So there is no need for storing the curve name used in the signature in the certificate.

> The other solution is to extract the key from the signer's certificate, check the signature with it and, if it checks out, check that the key is of a particular curve... is there any better way to do it ?

You are always going to want to verify a certificate, you just have to save the curve name when you verify. I don't see any better way.

> Cheers,
> Max
>
> On 03/22/2011 12:14 AM, Peter Waltenberg wrote:
>> The only good way I found was to use the defined OIDs - something like this - no guarantees this table is correct, you should check it.
>>
>> const char *NIST_by_OID[] = {
>>     "1.2.840.10045.3.1.1", /* P-192 */
>>     "1.3.132.0.33",        /* P-224 */
>>     "1.2.840.10045.3.1.7", /* P-256 */
>>     "1.3.132.0.34",        /* P-384 */
>>     "1.3.132.0.35",        /* P-521 */
>>     "1.3.132.0.1",         /* K-163 */
>>     "1.3.132.0.26",        /* K-233 */
>>     "1.3.132.0.16",        /* K-283 */
>>     "1.3.132.0.36",        /* K-409 */
>>     "1.3.132.0.38",        /* K-571 */
>>     "1.3.132.0.15",        /* B-163 */
>>     "1.3.132.0.27",        /* B-233 */
>>     "1.3.132.0.17",        /* B-283 */
>>     "1.3.132.0.37",        /* B-409 */
>>     "1.3.132.0.39",        /* B-571 */
>>     NULL
>> };
>>
>> OBJ_txt2nid() will handle these as well as the names you are more familiar with.
>>
>> Peter

-- 
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
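Added example, not code from this thread or from OpenSSL. It ties together the two points made above: the curve a certificate was "signed with" is the curve of the issuer's key, so once the signature has been checked against the issuer's SubjectPublicKeyInfo, the curve name is read from that key's namedCurve OID and mapped through Peter's OID table. The DER walking and the sample keys below are constructed for the example (the public points are dummies, not real curve points); signature verification itself is left to the library and is not shown.

```python
"""Report the named curve of an EC SubjectPublicKeyInfo (DER), for key policy.

Added example, not from the thread or OpenSSL. Walks just enough DER to
pull the namedCurve OID out of the AlgorithmIdentifier; verify the
signature with the library first, then record the curve found here.
"""

# Dotted OID -> NIST curve name, as listed in Peter's table (check it yourself).
NIST_BY_OID = {
    "1.2.840.10045.3.1.1": "P-192", "1.3.132.0.33": "P-224",
    "1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
    "1.3.132.0.1": "K-163", "1.3.132.0.26": "K-233", "1.3.132.0.16": "K-283",
    "1.3.132.0.36": "K-409", "1.3.132.0.38": "K-571",
    "1.3.132.0.15": "B-163", "1.3.132.0.27": "B-233", "1.3.132.0.17": "B-283",
    "1.3.132.0.37": "B-409", "1.3.132.0.39": "B-571",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # AlgorithmIdentifier.algorithm for EC keys


def read_tlv(buf, pos):
    """Return (tag, contents, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (up to 4 bytes)
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Base-128 decode the contents of an OBJECT IDENTIFIER to dotted form."""
    top = min(body[0] // 40, 2)
    arcs = [top, body[0] - 40 * top]
    val, pending = 0, False
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def curve_of_spki(spki):
    """(oid, NIST name or None) for an EC key; None if the key is not EC at all."""
    tag, body, end = read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, algid, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, alg, pos = read_tlv(algid, 0)
    if tag != 0x06 or decode_oid(alg) != ID_EC_PUBLIC_KEY:
        return None                        # RSA, DSA, ...: no curve to report
    tag, params, _ = read_tlv(algid, pos)
    if tag != 0x06:
        # explicit ECParameters or implicitlyCA: refuse rather than guess a curve
        raise ValueError("EC parameters are not a namedCurve OID")
    oid = decode_oid(params)
    return oid, NIST_BY_OID.get(oid)       # name is None for an OID not in the table


def key_curve_allowed(spki, allowed=("P-256", "P-384", "P-521")):
    """Policy check: the key is EC and on one of the allowed NIST curves."""
    found = curve_of_spki(spki)
    return found is not None and found[1] in allowed


# --- helpers to build constructed sample SPKIs for testing (points are dummies) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Base-128 encode a dotted OID (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_ec_spki(curve_oid, point):
    """Constructed sample: id-ecPublicKey + namedCurve + BIT STRING(point)."""
    algid = _tlv(0x30, _tlv(0x06, encode_oid(ID_EC_PUBLIC_KEY)) + _tlv(0x06, encode_oid(curve_oid)))
    return _tlv(0x30, algid + _tlv(0x03, b"\x00" + point))


if __name__ == "__main__":
    sample = build_sample_ec_spki("1.2.840.10045.3.1.7", b"\x04" + b"\x11" * 64)  # dummy P-256 point
    print(curve_of_spki(sample), key_curve_allowed(sample))
```

The check deliberately fails closed on anything other than a namedCurve OID (explicit or implicit parameters) and returns a name of None for an OID missing from the table, so a policy that only accepts listed curves cannot be satisfied by an unfamiliar encoding. In an OpenSSL build the same information comes from the issuer's EC_KEY via EC_GROUP_get_curve_name() after the signature has verified; this block only shows what that lookup is doing at the DER level.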
