Estoy intentando enviar un CSR a un servidor y se firma correctamente cuando se genera desde la línea de comandos, pero falla con un error (ASN.1 de longitud 0) cuando se genera mediante programación. Sospecho, tal vez, que es la forma larga de los parámetros de la curva, pero no lo sabré hasta / si puedo eliminarlos de la generada programáticamente. ¿Cómo puedo especificar solo el OID ASN1: secp521r1?
Aquí está la versión de línea de comandos:
openssl ecparam -out ec521.pem -name secp521r1 -genkey
openssl req -new -days 3652 -key ec521.pem -out ec.csr -outform DER
openssl req -in ec.csr -text -inform DER
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=305419896
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:e3:5d:87:42:16:da:ff:6b:10:35:dc:6a:84:
0b:78:5b:4b:d5:df:3b:fc:aa:01:d7:a6:39:57:11:
45:4c:9b:45:8e:15:64:c8:61:76:05:a2:cf:c6:e7:
23:06:00:a9:b3:a8:88:95:e4:ee:fe:e0:40:d8:d4:
9a:50:51:6f:01:2a:af:00:09:37:78:b4:ef:66:08:
81:87:19:7d:f4:1b:c7:74:49:cb:ee:bd:21:23:a4:
3b:48:a7:6f:f5:aa:d3:cb:31:38:15:2c:d1:ff:96:
57:a8:3c:5b:21:27:44:c1:88:0d:df:f9:0f:e2:43:
41:94:f2:63:bb:23:b4:e3:98:a3:62:4f:e5
ASN1 OID: secp521r1
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA1
30:81:87:02:41:04:41:99:91:31:dc:5a:6b:0a:b3:e3:01:c3:
9a:d5:1a:aa:46:74:8c:09:da:22:60:41:41:df:8e:03:ee:81:
a4:0b:e6:0a:de:b0:fd:9a:8b:c1:3c:79:5f:f8:87:9a:dd:38:
6b:e4:4f:eb:3c:a4:9a:d1:6b:a7:a8:4f:a0:94:f0:c3:02:42:
01:48:e2:6b:f1:fe:9f:3e:2e:d1:2d:65:d9:ea:e0:4e:1c:e5:
f1:4d:49:f3:f0:a9:e8:e9:7a:ff:70:98:b5:e0:20:47:c6:b8:
62:75:e9:59:51:64:96:de:eb:2b:bd:30:60:75:09:c5:4c:bb:
f1:64:c6:c0:87:50:fd:57:91:af:72:29
Aquí está la versión programática:
openssl req -in tempcsr.der -text -inform DER
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=305419896
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:8f:e8:63:df:83:55:55:34:4d:ec:6b:d8:78:
1d:e8:03:65:48:26:3d:1c:1f:da:2a:ed:d9:2d:d5:
ed:23:e7:d2:d1:2a:b0:fb:47:57:74:8a:24:8f:0b:
81:b7:47:ad:5a:86:73:24:c7:3d:0d:d2:40:42:34:
b6:2f:b6:55:3b:a5:15:01:91:71:ca:9f:23:83:a4:
27:60:ed:45:ae:44:5c:aa:7c:3f:89:fb:25:68:21:
1b:c5:c6:b6:db:d1:59:44:5c:ef:90:b2:84:e2:a7:
38:d6:a2:51:02:6a:99:a8:ac:51:64:e6:ff:09:84:
9a:25:71:ba:ce:51:13:1c:d7:a5:41:f0:be
Field Type: prime-field
Prime:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff
A:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:fc
B:
51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
d4:6b:50:3f:00
Generator (uncompressed):
04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
b7:1e:91:38:64:09
Cofactor: 1 (0x1)
Seed:
d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
aa:a0:da:64:ba
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA1
30:81:88:02:42:00:b6:d9:11:7b:ff:db:70:e8:a5:f3:3f:67:
99:1d:97:5e:ae:ed:7e:dc:c4:c7:5b:0e:79:6a:b5:67:23:f8:
bb:f2:0e:9e:4b:df:43:41:dc:cb:e5:99:00:6e:a4:7e:9c:fe:
48:3e:8c:97:36:c7:b6:5d:55:4e:f8:2c:8a:c3:ca:b8:47:02:
42:00:a9:2d:01:58:bc:21:df:88:6b:cb:ba:f3:fc:b9:06:6b:
9e:1d:31:d5:07:5b:a1:46:51:4c:99:48:38:41:ab:59:1e:55:
1e:9d:6b:73:23:ee:e9:74:3b:da:97:73:9e:b5:b8:be:23:ef:
45:6c:61:30:31:61:a9:93:50:7b:cb:82:4d
generado como tal:
EVP_PKEY *privkey;
if ((privkey = EVP_PKEY_new()) == NULL) {
printf("Cannot allocate memory for private key.\n");
finssl();
exit(1);
}
EC_KEY *eckey;
printf("Generating ECC keypair...\n");
eckey = EC_KEY_new();
if (NULL == eckey) {
printf("Failed to create new EC Key\n");
return -1;
}
EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (NULL == ecgroup) {
printf("Failed to create new EC Group\n");
return -1;
}
int set_group_status = EC_KEY_set_group(eckey, ecgroup);
const int set_group_success = 1;
if (set_group_success != set_group_status) {
printf("Failed to set group for EC Key\n");
return -1;
}
if (!EC_KEY_generate_key(eckey)) {
printf("Failed to generate EC Key\n");
finssl();
exit(1);
}
if (!EVP_PKEY_assign_EC_KEY(privkey, eckey)) {
printf("Cannot assign keypair to private key.\n");
finssl();
exit(1);
}
X509_REQ *req;
if ((req = X509_REQ_new()) == NULL) {
printf("Cannot allocate memory for certificate request.\n");
finssl();
exit(1);
}
X509_NAME * name;
name = X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"305419896", -1, -1, 0);
X509_REQ_set_pubkey(req, privkey);
if (!X509_REQ_sign(req, privkey, EVP_ecdsa())) {
printf("Cannot sign request.\n");
finssl();
exit(1);
}
const char *keyfn = "tempkey.der";
const char *csrfn = "tempcsr.der";
// write to files ...
FILE * f;
f = fopen(keyfn, "w");
i2d_PrivateKey_fp(f, privkey);
fclose(f);
f = fopen(csrfn, "w");
i2d_X509_REQ_fp(f, req);
fclose(f);