Re: Custom certificate extensions CSR / cert creation: Missing field
Hello, I have isolated the problem to the private key that seems to be incorrectly generated. When I take my self-created certificate and my self-created RSA key and try to convert them to PKCS#12, the following error occurs: [EMAIL PROTECTED] kunz]$ openssl pkcs12 -export -in testcert.pem -inkey testkey.pem -out test.p12 Error loading private key 22864:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 22864:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204: 22864:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117: 22864:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89: 22864:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291: The portion of my C code that generates the key and adds it to the certificate request looks like this (readers of the O'Reilly OpenSSL book will find this strangely familiar): keypair = RSA_generate_key(1024, RSA_3, NULL, NULL); if (!(RSA_check_key(keypair))) int_error(Error with keypair!); pkey = EVP_PKEY_new(); if (!(EVP_PKEY_set1_RSA(pkey, keypair))) int_error(Error setting key to RSA); if (!(req = X509_REQ_new ())) int_error(Error creating new request); X509_REQ_set_pubkey (req, pkey); After all is said and done, the private key is written to the PEM file: if (!(PEM_write_PrivateKey(fp, pkey, NULL,NULL,0,0,NULL))) int_error (Error writing private key); We're not encrypting the key because the resulting proxy certificate chain is used for single-sign-on purposes in a Grid environment. We do need the key because we need to be able to delegate new proxy certificates based on the one that has just been generated. However, since the private key and certificate are basically throwaway items that are regenerated for each job submission, I feel no pain showing both to you. Impersonate me if you want, but do it quickly ;) -BEGIN CERTIFICATE- MIICGzCCAcWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMRMwEQYDVQQKEwpHZXJt YW5HcmlkMRQwEgYDVQQLEwtVbmlIYW5ub3ZlcjEZMBcGA1UEAxMQQ2hyaXN0b3Bo ZXIgS3VuejEOMAwGA1UEAxMFcHJveHkwHhcNMDcwNTEwMDg0MzQ5WhcNMDcwNTEw MjA0MzQ5WjBmMRMwEQYDVQQKEwpHZXJtYW5HcmlkMRQwEgYDVQQLEwtVbmlIYW5u b3ZlcjEZMBcGA1UEAxMQQ2hyaXN0b3BoZXIgS3VuejEOMAwGA1UEAxMFcHJveHkx DjAMBgNVBAMTBXByb3h5MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCR6a8b EHwnIxfOS3SXw30rrnYf07iwqC1oEkwZyyfHvfEZnIR9EH60hJ6FJghYvm6YNrp6 +qQotYBg9lQln+L7PySYL+f6KeEfCkymD1owqHbqKLvoDEhvRoiWioiU0YX2+zGh 5MpN8DWhKbs4xeJnydHKvvMbZcXKBwwVcXiHqQIBA6MsMCowDgYDVR0PAQH/BAQD AgSwMBgGDCsGAQQBgY1dZAMCAQQIZm9vCmZvbwowDQYJKoZIhvcNAQEFBQADQQAm DzWVnPzJ8lwLL2ti5nZ4PzOYp+EZnROMemOaDJ/iX1X7YZ/kR8WaGr2NA+vzZhPL tp9fv6d7FQjjGOYHJ0b/ -END CERTIFICATE- -BEGIN RSA PRIVATE KEY- MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED -END RSA PRIVATE KEY- The key is somehow wrong, but how? And why? Regards, --ck __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
Hello Christopher, --On Mai 10, 2007 11:29:25 +0200 Christopher Kunz [EMAIL PROTECTED] wrote: I have isolated the problem to the private key that seems to be incorrectly generated. [...] -BEGIN RSA PRIVATE KEY- MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED -END RSA PRIVATE KEY- The private key is suspiciously short: openssl asn1parse -in key.pem 0:d=0 hl=3 l= 138 cons: SEQUENCE 3:d=1 hl=2 l= 1 prim: INTEGER :00 6:d=1 hl=3 l= 129 prim: INTEGER :91E9AF1B107C272317CE4B7497C37D2BAE761FD3B8B0A82D68124C19CB27C7BDF1199C847D107EB4849E85260858BE6E9836BA7AFAA428B58060F654259FE2FB3F24982FE7FA29E11F0A4CA60F5A30A876EA28BBE80C486F4688968A8894D185F6FB31A1E4CA4DF035A129BB38C5E267C9D1CABEF31B65C5CA070C15717887A9 138:d=1 hl=2 l= 1 prim: INTEGER :03 The key is somehow wrong, but how? And why? It contains only the public part of the key. The private part seems to get lost in between... Bye Goetz -- DMCA: The greed of the few outweights the freedom of the many pgpsNCCBr5ETu.pgp Description: PGP signature
Re: Custom certificate extensions CSR / cert creation: Missing field
Goetz Babin-Ebell schrieb: The key is somehow wrong, but how? And why? It contains only the public part of the key. The private part seems to get lost in between... You are so right. In the course of my copypaste work of art, I reassigned pkey with... guess what? The certificate's public key. D'oh. Thanks a lot for pointing me in the correct direction. Regards, --ck __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Custom certificate extensions CSR / cert creation: Missing field
Hi,
I am using the examples from the O'Reilly book Network Security with
OpenSSL (X.509 section) to create a CSR, push a custom extension into
it and sign that CSR with a given private key. This - in general - works
OK, but when I want to use the resulting certificate chain (I have the
signing certificate and a couple more in there) for anything secure
(i.e. mutual authentication), I am greeted with failure.
I wrote an extremely simple program to check what might be wrong with
the certificate stack and this seems to be the problem:
15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
missing:tasn_dec.c:391:Field=d, Type=RSA
15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1
lib:pem_info.c:224:
I figure that there is something wrong with the way I create the ASN.1
object and push it onto the extension stack for the CSR. This looks like
so in my code:
ASN1_OBJECT *obj;
ASN1_OCTET_STRING *ex_oct = NULL;
X509_EXTENSION *ex_execpol = NULL;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
obj = OBJ_nid2obj(new_nid);
if (!(ex_oct = ASN1_OCTET_STRING_new())) {
int_error(Error creating custom ASN.1 struct);
}
extlist = sk_X509_EXTENSION_new_null();
ASN1_OCTET_STRING_set(ex_oct,policy,-1);
if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(ex_execpol, obj, 0,
ex_oct))) { //3rd parameter is critical/noncritical
int_error(Error creating X509 extension for execpolicy);
}
if (!(sk_X509_EXTENSION_push (extlist, ex_execpol))) {
int_error(Error pushing custom extension to stack);
}
if (!(X509_REQ_add_extensions (req, extlist))) {
int_error (Error adding ExecPolicy to the request);
}
sk_X509_EXTENSION_pop_free (extlist, X509_EXTENSION_free);
}
Later, I am getting the extension stack from the CSR...
if (!(req_exts = X509_REQ_get_extensions (req)))
int_error (Error getting the request's extensions);
int new_nid;
ASN1_OBJECT *obj;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
execPolicy_pos = X509v3_get_ext_by_NID (req_exts,
new_nid, -1);
execPolicy = X509v3_get_ext (req_exts, execPolicy_pos);
fputc ('\n', stdout);
...and add them to the certificate before signing:
/* add x509v3 extensions as specified */
X509V3_set_ctx (ctx, CAcert, cert, NULL, NULL, 0);
for (i = 0; i EXT_COUNT; i++)
{
X509_EXTENSION *ext;
if (!(ext = X509V3_EXT_conf (NULL, ctx,
ext_ent[i].key, ext_ent[i].value)))
{
fprintf (stderr, Error on \%s = %s\\n,
ext_ent[i].key, ext_ent[i].value);
int_error (Error creating X509 extension object);
}
// Mark purpose as critical
if (!(X509_EXTENSION_set_critical (ext, 1))) {
fprintf(stderr, Error setting Extension to critical:
%s, ext_ent[i].key);
int_error(Error setting Extension to critical);
}
if (!X509_add_ext (cert, ext, -1))
{
fprintf (stderr, Error on \%s = %s\\n,
ext_ent[i].key, ext_ent[i].value);
int_error (Error adding X509 extension to certificate);
}
X509_EXTENSION_free (ext);
}
/* add the extension in the request to the cert */
if (!X509_add_ext (cert, execPolicy, -1))
int_error (etc);
Is there anything I am doing horribly wrong along the way? Any pointers
where the missing field could be? I guess it can only be in the custom
ASN.1 structure I have created for my own extension.
Regards and thanks,
--ck
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
On Wed, May 09, 2007, Christopher Kunz wrote: I wrote an extremely simple program to check what might be wrong with the certificate stack and this seems to be the problem: 15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=d, Type=RSA 15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:224: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. If you want to create custom extensions there is a much easier way now: the mini-ASN1 compiler as mentioned in the docs. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
Dr. Stephen Henson schrieb: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. I forgot to mention that openssl x509 -text -noout -in mycertchain.pem does produce valid output, and seems to disregard the error that prevents the certificate from actually being usable. To me that means that it somehow has to be syntactically correct. I can provide you with demo credentials if that is of any help - they are set to run out after 12 hours anyway. :) Thanks for your help, --ck __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Custom certificate extensions CSR / cert creation: Missing field
On Wed, May 09, 2007, Christopher Kunz wrote: Dr. Stephen Henson schrieb: Hmmm that error shouldn't be encountered when you load a certificate. It suggests that you have an RSA private key but that it is in an invalid format. I forgot to mention that openssl x509 -text -noout -in mycertchain.pem does produce valid output, and seems to disregard the error that prevents the certificate from actually being usable. To me that means that it somehow has to be syntactically correct. I can provide you with demo credentials if that is of any help - they are set to run out after 12 hours anyway. :) Thanks for your help, What I meant was that error looks like there is a private key in the file which is causing the function PEM_read_bio_X509_INFO() to fail when it attempts to read it rather than a certificate reading error or possibly that error is from a previous function call. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
