Hi all I trying to create a csr (in a c program) that uses a hardware private public key and I am accessing this token by pkcs11. However, the csr is always invalid, with the following message:
$ openssl req -verify -in wltx.csr verify failure 1996:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\cry pto\asn1\asn1_lib.c:150: 1996:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\c rypto\asn1\tasn_dec.c:1306: 1996:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\ crypto\asn1\tasn_dec.c:381:Type=X509_SIG 1996:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn 1\a_verify.c:215: -----BEGIN CERTIFICATE REQUEST----- MIICvjCCAagCAQAwezELMAkGA1UEBhMCQ0gxEzARBgNVBAcTClJhcHBlcnN3aWwx FDASBgNVBAoTC2ludGVsbGlDYXJkMRUwEwYDVQQDEwxUaW0gVGFzc29uaXMxKjAo BgkqhkiG9w0BCQEWG3RpbS50YXNzb25pc0BpbnRlbGxpY2FyZC5jaDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6eAKGt9fVPSd6uv1/Rs8Uf1j9eaaA5 y7GCeybV/vAqxebI7P7RN3POz6XBYP2i2P4DwXiGeU2oDylxnHHUItAWqtIfX3H+ WDb9d98oaZnWjQsWwoBWXLjsALdblU4MKaF1K9k7obDo2rN7exXzBMRdrQnvhbW/ 6ICDe3iBNmhAk4xBIKC/lIuwILnb4xjopz261sPfg2fjV4964R/Wa7C8Iu+tPq20 LRLtZfqTTqWnnmMpdYRQMBAt7/MDSoG2l8rbnu7/TYr9F5Dzso/K2T884sZDZPeJ cIo4ZjIDE7Vj4C9tOWDaG2lhrb11JNM0ok081ZIERhg3lEYSmMZxbbUCAwEAAaAA MAsGCSqGSIb3DQEBBQOCAQEAeTc7sIpWdIwkh0bj5PVlbMcJT1QDaBG9m7lYkLRg ACBKqNLaIh/drVvGmkLdMyoedOrtjRp5PHDuEptEtBjWRy3H/fBqOsqIr8w3tGA8 A3zubCM3qmLrm4bHTyhP5w2bqY+1JfrRO68bXTQlb1rhpFddtLO7jmjM2lMr7UgH d9vicOWuAEjOOF1nenzCXxjWovKX3jB/b4rwmf9lmHx6hD8Z9EKCdwO5JKPgcWzr /UCznGUe1TAHr0XFRZPwZo2buMCYAVPw70/4u36fc+G6UPaeQSk6QR035BUs8HE0 BBXO9brFuXld13VuE2xg+VnJ8vo3L7/SCC5ufEJaeSUOvQ== -----END CERTIFICATE REQUEST----- The code I wrote looks as follows: int p11_sign_req(X509_REQ *req,CK_OBJECT_HANDLE private_key, CK_OBJECT_HANDLE public_key) { CK_RV rv; unsigned char *buf_in=NULL,*buf_out=NULL, *p=NULL; size_t inl=0,outl=0; RSA *rsa = NULL; CK_MECHANISM sign_mechanism; EVP_PKEY *pkey = NULL; EVP_MD *md = EVP_sha1(); rsa = p11_key_rsa(public_key); if (!rsa) { return -1; } pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, rsa ); X509_REQ_set_pubkey(req, pkey); inl=i2d_X509_REQ_INFO(req->req_info,NULL); buf_in=(unsigned char *)malloc(inl); p = buf_in; i2d_X509_REQ_INFO(req->req_info,&buf_in); outl=EVP_PKEY_size(pkey); buf_out = malloc(outl); sign_mechanism.mechanism = CKM_SHA1_RSA_PKCS; sign_mechanism.pParameter = NULL; sign_mechanism.ulParameterLen = 0; rv = p11->C_SignInit(session, &sign_mechanism, private_key); if (rv != CKR_OK) { return -1; } rv = p11->C_Sign(session, p,inl, buf_out, &outl); if (rv != CKR_OK) { return -1; } rv = p11->C_VerifyInit(session,&sign_mechanism,public_key); if (rv != CKR_OK) { return -1; } rv = p11->C_Verify(session, p,inl, buf_out, outl); if (rv != CKR_OK) { return -1; } req->signature->data=buf_out; req->signature->length=outl; req->sig_alg->algorithm = OBJ_nid2obj(md->pkey_type); free(buf_in); return 0; } The function returns ok, the csr can be viewe, but fails upon verificatio, as mentioned. Has anybody any idea what I'm doing wrong? King regards Tim -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.