The key itself is good. Its encoding in the CSR isn't.
Looks like the public key was X9.62 encoded in its uncompressed form (i.e. 
start with a 04 octet, and then the octets composing the x and y coordinates), 
and then wrapped into an ASN.1 OCTET STRING (i.e. use the 04 tag, plus a 0x41 
length, and the encoded public key), and finally the BIT STRING encapsulation.
The OCTET STRING is wrong here.

Regards,
Erwann Abalea

On 08/08/2020 14:24, "openssl-users on behalf of Dirk-Willem van Gulik" 
<openssl-users-boun...@openssl.org on behalf of di...@webweaving.org> wrote:

    The key is generated by a lovely HSM - which is by its nature a bit of a 
closed box. Whose vendor is very sure its software is right.

    So this helps a lot - and helps confirm what we thought !

    Thanks,

    Dw

    > On 8 Aug 2020, at 04:16, Frank Migge <f...@frank4dd.com> wrote:
    > 
    > Hi Dirk-Willem,
    > 
    > Something is wrong with your EC key. The error mentions that it can't
    > get the curve points from the key data. How did you generate the key?
    > 
    > If it helps, here is a working CSR example, using a prime256v1 key for
    > comparison:
    > 
    > -----BEGIN CERTIFICATE REQUEST-----
    > MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
    > bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
    > +8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
    > zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
    > hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
    > IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
    > -----END CERTIFICATE REQUEST-----
    > 
    > 
    > $ openssl req -inform PEM -noout -pubkey -in test.csr
    > -----BEGIN PUBLIC KEY-----
    > MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
    > vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
    > -----END PUBLIC KEY-----
    > 
    > 
    > On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
    >> Below CSR gives me an odd error with the standard openssl REQ
    >> command:
    >> 
    >>  openssl req -inform DER -noout -pubkey
    >> 
    >>  Error getting public key
    >> 
    >>  140673482679616:error:10067066:elliptic curve
    >> routines:ec_GFp_simple_oct2point:invalid
    >> encoding:../crypto/ec/ecp_oct.c:312:
    >>  140673482679616:error:10098010:elliptic curve
    >> routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
    >>  140673482679616:error:100D708E:elliptic curve
    >> routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
    >>  140673482679616:error:0B09407D:x509 certificate
    >> routines:x509_pubkey_decode:public key decode
    >> error:../crypto/x509/x_pubkey.c:125:
    >> 
    >> Even though the ASN1 of the public key looks correct to me:
    >> 
    >>    SEQUENCE (2 elem)
    >>      SEQUENCE (2 elem)
    >>        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62
    >> public key type)
    >>        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62
    >> named elliptic curve)
    >>      BIT STRING (536 bit)
    >> 000001000100000100000100001110010011001110011100011010001010010110100
    >> 0…
    >>        OCTET STRING (65 byte)
    >> 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC71556
    >> 1…
    >> 
    >> What would be a good way to further debug this ?
    >> 
    >> With kind regards,
    >> 
    >> Dw
    >> 
    >> -----BEGIN CERTIFICATE REQUEST-----
    >> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
    >> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
    >> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
    >> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
    >> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
    >> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
    >> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
    >> -----END CERTIFICATE REQUEST-----
    > 
    > 
    > -- 
    > Frank Migge
    > http://fm4dd.com | pub...@frank4dd.com
    > 
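
Added example, not part of the original thread: a small DER walker that checks how a P-256 public key is encoded inside the SubjectPublicKeyInfo BIT STRING, telling the bare X9.62 point apart from the OCTET STRING wrapping diagnosed above. The good input is the public key from the working example quoted in the thread; the malformed input is constructed from it by a hypothetical helper, wrap_in_octet_string, and all function names are assumptions of this example.

```python
import base64

# SubjectPublicKeyInfo from the working prime256v1 example quoted in the thread.
GOOD_SPKI = base64.b64decode(
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy"
    "vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ec_point_bits(spki):
    """Return the BIT STRING payload (after the unused-bits octet) of an SPKI."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, pos = read_tlv(body)          # skip the AlgorithmIdentifier SEQUENCE
    tag, bits, _ = read_tlv(body, pos)  # subjectPublicKey
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    return bits[1:]

def classify_p256_point(spki):
    """Classify how the P-256 point is encoded inside the BIT STRING."""
    raw = ec_point_bits(spki)
    if len(raw) == 65 and raw[0] == 0x04:
        return "ok: uncompressed point"
    if len(raw) == 33 and raw[0] in (0x02, 0x03):
        return "ok: compressed point"
    # 04 41 04 ...: an OCTET STRING (tag 04, length 0x41) wrapping the point.
    if len(raw) == 67 and raw[:3] == b"\x04\x41\x04":
        return "bad: point wrapped in OCTET STRING"
    return "bad: unrecognised encoding"

def wrap_in_octet_string(spki):
    """Constructed test input: rebuild the SPKI with the malformed wrapping."""
    _, body, _ = read_tlv(spki)
    alg = body[:read_tlv(body)[2]]      # AlgorithmIdentifier, copied verbatim
    point = ec_point_bits(spki)
    bits = b"\x00\x04" + bytes([len(point)]) + point
    inner = alg + b"\x03" + bytes([len(bits)]) + bits
    return b"\x30" + bytes([len(inner)]) + inner
```

The constructed malformed key has a 536-bit BIT STRING beginning 04 41 04, the same shape as the ASN.1 dump in the original question.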

