On 28 May 2014 08:47, Sverre Moe <sverre....@gmail.com> wrote:
> When creating a ECC Certificate Signing Request I noticed the CSR from
> OpenSSL was quite different from the one I generated with Java Keytool.
>
> Checking the CSRs with: openssl req -in ecc.csr -text -noout
>
> OpenSSL CSR has the following attributes:
> Subject Public Key Info:
>     Public Key Algorithm: id-ecPublicKey
>         Public-Key: (521 bit)
>         pub:
>         Field Type: prime-field
>         Prime:
>         A:
>         B:
>         Generator (uncompressed):
>         Order:
>         Cofactor:  1 (0x1)
>         Seed:
> Attributes:
>     a0:00
> Signature Algorithm: ecdsa-with-SHA384
>
> While the Keytool CSR has the following attributes:
> Subject Public Key Info:
>     Public Key Algorithm: id-ecPublicKey
>         Public-Key: (521 bit)
>         pub:
>         ASN1 OID: secp521r1
> Attributes:
>     Requested Extensions:
>         X509v3 Subject Key Identifier:
> Signature Algorithm: ecdsa-with-SHA384
>
>
> Does that mean OpenSSL is better suited for creating ECC CSR? What are the
> extra attributes for that comes with OpenSSL CSR? Also Keytool has Requested
> Extensions which OpenSSL doesn't.

How did you generate your key with openssl?

You are using explicit curve parameters rather than a named curve. The
keytool version just names the curve secp521r1. This is a well known curve,
with a well defined set of parameters associated with it (and
therefore they don't need to be listed). The openssl version is not
using a named curve and is explicitly listing out the set of
parameters associated with the curve it's using.

Normally you would use named curves. So for example if I type:

openssl ecparam -name secp256k1 -genkey -noout -out secp256-key.pem

openssl req -out secp256.csr -key secp256-key.pem -new

openssl req -in secp256.csr -text -noout

Then I get:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:fc:c0:6f:68:13:ce:bf:23:f7:51:65:b2:e5:35:
                    d1:39:1b:38:6a:3e:11:7a:07:02:06:97:56:f7:a4:
                    b2:24:f7:a8:73:34:e5:bf:8d:b3:8a:95:71:c5:a5:
                    4f:b0:54:a4:d7:9f:55:4a:b2:81:10:6c:60:4b:05:
                    77:3b:63:f2:aa
                ASN1 OID: secp256k1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA1
         30:46:02:21:00:fc:89:36:23:68:ed:e5:96:a6:ec:96:2a:20:
         bf:45:be:ae:d0:81:f2:f8:f3:91:31:6e:ca:13:cf:8f:b2:84:
         9d:02:21:00:f5:ed:e3:72:83:30:0a:f1:8c:80:7e:d9:e0:e5:
         fc:a6:fc:35:c0:7f:73:60:ea:c9:76:f4:5a:6a:bf:70:b5:1f

Whereas if I generate my key with

openssl ecparam -name secp256k1 -genkey -noout -out secp256-key.pem -param_enc explicit

Then I get a csr which looks more like your one.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
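To make the named-versus-explicit distinction checkable without eyeballing the text dump, here is an added Python example (not from the thread or from OpenSSL) that walks the DER AlgorithmIdentifier inside an EC SubjectPublicKeyInfo and reports whether ECParameters is a namedCurve OID, an explicit specifiedCurve SEQUENCE, or implicitlyCA NULL. Both sample blobs are constructed for this example; the explicit one uses toy field values, not a real curve.

```python
# Walk an EC AlgorithmIdentifier (RFC 5480) and report whether the parameters are a
# namedCurve OID, an explicit specifiedCurve SEQUENCE, or implicitlyCA NULL.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.3.132.0.35": "secp521r1", "1.3.132.0.10": "secp256k1",
                "1.2.840.10045.3.1.7": "prime256v1"}  # OID -> name, extend as needed

def der_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Decode OID contents octets into dotted notation."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_params(alg_id_der):
    """Return ('named', curve) / ('explicit', None) / ('implicitlyCA', None)."""
    tag, seq, _ = der_tlv(alg_id_der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = der_tlv(seq)
    if tag != 0x06 or decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    tag, params, _ = der_tlv(seq, pos)
    if tag == 0x06:   # namedCurve: the OID alone identifies the parameters
        dotted = decode_oid(params)
        return "named", NAMED_CURVES.get(dotted, dotted)
    if tag == 0x30:   # specifiedCurve: p, a, b, G, n, h spelled out (-param_enc explicit)
        return "explicit", None
    if tag == 0x05:   # implicitlyCA: parameters inherited from the CA
        return "implicitlyCA", None
    raise ValueError(f"unexpected ECParameters tag 0x{tag:02x}")

# Constructed sample: AlgorithmIdentifier naming secp521r1, as in the keytool CSR.
NAMED_SAMPLE = bytes.fromhex("3010" "06072a8648ce3d0201" "06052b81040023")
# Constructed sample with explicit ECParameters; the field values are toy numbers, not a real curve.
EXPLICIT_SAMPLE = bytes.fromhex(
    "302f" "06072a8648ce3d0201" "3024" "020101"              # version 1
    "300c" "06072a8648ce3d0101" "020117"                     # FieldID: prime-field OID, p
    "3006" "040101" "040101" "0403040102" "02011d" "020101") # a, b, base, order, cofactor
```

RFC 5480 permits only the namedCurve choice in PKIX keys, so a CSR validator can reject the "explicit" and "implicitlyCA" results outright rather than trying to match the listed parameters against a known curve.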
