On 3/22/2011 10:10 AM, Massimiliano Pala wrote:
Hello Stephen, all,
thanks for all the advice; I ended up doing the following:
1. Grab the Key from the Certificate
2. Cycle through the built-in curves
3. Generate a new point from the Key's group
4. if order(curve[i]) == order(key) and point is on curve[i]
==> curve found! ; return nid
5. i++ ; goto 4
This works. By comparing the nid with the "required" nid, I shall be
guaranteed that the key used to sign is on the specific nid.
Do you see any flaws?
I am not sure if the above is correct or not, but the process of verifying
the signature should verify the curve is correct as well. During the verify
you have the pubkey of the signer, the (questionable?) curve NID from the
signer, the certificate to be verified and its signature.
Your verify routine takes the NID and maps it to the built-in curve parameters,
contained in the openssl library. So you know the signature is valid, using
the built-in parameters of the named curve. (You must be trusting the openssl
library to have the correct curve parameters, in any case.)
So I don't see why you cannot trust the NID in the signer's certificate
is valid.
If you don't trust that the signer has provided the correct NID, why would
you trust the signer for anything else?
BTW, for check of point 4 -> I had to add it because otherwise I had
multiple hits on different curves. Initially I expected that that check
would be performed in the EC_POINT_is_on_curve().. maybe it is a check
that should be added there?
Cheers,
Max
On 03/22/2011 10:47 AM, Dr. Stephen Henson wrote:
On Tue, Mar 22, 2011, Massimiliano Pala wrote:
Hello Peter, all,
thanks for the hint.. but I was actually looking more at a way to check if
a certificate has been signed with one of the curves you listed. Maybe it is
not possible, but it would be nice to be able to say "this certificate has
been signed with P-256" - since this can be a requirement for rejecting or
accepting a certificate.
The other solution is to extract the key from the signer's certificate, check
the signature with it and, if it checks out, check that the key is of a
particular curve... is there any better way to do it?
Are you talking programmatically or by parsing text output of an OpenSSL
utility? It should be easy enough programmatically.
BTW as regards curve names and their NID equivalents: I looked into this for
the ECDSA tests for the latest validation. There's a translation function in
fips/ecdsa/fips_ecdsavs.c which I'm fairly confident is correct as it passes
the test vectors I've thrown at it.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
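
The matching procedure described at the top of this thread (cycle through the built-in curves, compare the order, test the point against each curve), written out as an added example; it is not code from the thread or from OpenSSL. It uses plain Python integer arithmetic rather than the OpenSSL API: `BUILTIN`, `find_curve`, `require_curve` and `double` are hypothetical names, and the two-curve table stands in for the library's built-in list.

```python
from collections import namedtuple

# Short-Weierstrass group y^2 = x^3 + a*x + b over GF(p), base point g, order n.
Group = namedtuple("Group", "p a b g n")

P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
K1_P = 2**256 - 2**32 - 977

# Stand-in for the library's built-in curve table, keyed by name here
# (assumption: OpenSSL keys its own table by NID). Values are the published constants.
BUILTIN = {
    "prime256v1": Group(P256_P, P256_P - 3,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
         0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
        0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551),
    "secp256k1": Group(K1_P, 0, 7,
        (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
        0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141),
}

def is_on_curve(grp, pt):
    """True if the affine point pt satisfies grp's curve equation."""
    x, y = pt
    if not (0 <= x < grp.p and 0 <= y < grp.p):
        return False
    return (y * y - (x * x * x + grp.a * x + grp.b)) % grp.p == 0

def find_curve(key_group, pub):
    """Return the name of the built-in curve matching the key, or None."""
    for name, grp in BUILTIN.items():
        # Step 4 of the procedure: same order, and the point lies on curve[i].
        if grp.n == key_group.n and is_on_curve(grp, pub):
            return name
    return None

def require_curve(key_group, pub, required):
    """Accept only if the key resolves to the required built-in curve."""
    return find_curve(key_group, pub) == required

def double(grp, pt):
    """Point doubling, used only to build a constructed sample public point."""
    x, y = pt
    lam = (3 * x * x + grp.a) * pow(2 * y, -1, grp.p) % grp.p
    x3 = (lam * lam - 2 * x) % grp.p
    return x3, (lam * (x - x3) - y) % grp.p
```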