Hi all
I trying to create a csr (in a c program) that uses a hardware private
public key and I am accessing this token by pkcs11. However, the csr is
always invalid, with the following message:
$ openssl req -verify -in wltx.csr
verify failure
1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too
long:.\cry
pto\asn1\asn1_lib.c:150:
1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
header:.\c
rypto\asn1\tasn_dec.c:1306:
1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_SIG
1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:.\crypto\asn
1\a_verify.c:215:
-----BEGIN CERTIFICATE REQUEST-----
MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx
FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo
BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5
y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+
WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/
6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20
LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ
cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA
MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg
ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8
A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH
d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr
/UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0
BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ==
-----END CERTIFICATE REQUEST-----
The code I wrote looks as follows:
int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key,
CK_OBJECT_HANDLE public_key)
{
CK_RV rv;
unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL;
size_t inl=0,outl=0;
RSA *rsa = NULL;
CK_MECHANISM sign_mechanism;
EVP_PKEY *pkey = NULL;
EVP_MD *md = EVP_sha1();
rsa = p11_key_rsa(public_key);
if (!rsa) {
return -1;
}
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa );
X509_REQ_set_pubkey(req, pkey);
inl=i2d_X509_REQ_INFO(req->req_info,NULL);
buf_in=(unsigned char *)malloc(inl);
p = buf_in;
i2d_X509_REQ_INFO(req->req_info,&buf_in);
outl=EVP_PKEY_size(pkey);
buf_out = malloc(outl);
sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS;
sign_mechanism.pParameter = NULL;
sign_mechanism.ulParameterLen = 0;
rv = p11->C_SignInit(session, &sign_mechanism, private_key);
if (rv != CKR_OK) {
return -1;
}
rv = p11->C_Sign(session, p,inl, buf_out, &outl);
if (rv != CKR_OK) {
return -1;
}
rv = p11->C_VerifyInit(session,&sign_mechanism,public_key);
if (rv != CKR_OK) {
return -1;
}
rv = p11->C_Verify(session, p,inl, buf_out, outl);
if (rv != CKR_OK) {
return -1;
}
req->signature->data=buf_out;
req->signature->length=outl;
req->sig_alg->algorithm = OBJ_nid2obj(md->pkey_type);
free(buf_in);
return 0;
}
The function returns ok, the csr can be viewe, but fails upon
verificatio, as mentioned.
Has anybody any idea what I'm doing wrong?
King regards
Tim
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
