help-gnutls

Re: Generating EC keys with certtool


From: Fabrice Gautier
Subject: Re: Generating EC keys with certtool
Date: Thu, 10 Nov 2011 10:48:29 -0800

Ahah, so it happens to work on one of my machines, but not on the other two.

The machine where it works is a Mac running Lion, the other two are
Macs running Snow Leopard.

I'm recompiling gnutls from source on all of them; openssl is also
recompiled (either from source or through MacPorts), so I'm guessing
that something went wrong while compiling. On some machines I used the
gmp that came with MacPorts, on others I recompiled it myself, so who
knows where the problem lies...

Is there a way to verify a CSR with gnutls's certtool?

-- Fabrice

On Thu, Nov 10, 2011 at 10:29 AM, Fabrice Gautier
<address@hidden> wrote:
> On Thu, Nov 10, 2011 at 9:12 AM, Nikos Mavrogiannopoulos
> <address@hidden> wrote:
>> On 11/10/2011 06:53 AM, Fabrice Gautier wrote:
>>> Hi,
>>>
>>> When I generate an EC key with certtool, I get this:
>> [...]
>>> I am pretty sure that this command used to (in 3.0.5) only output the
>>> encoded part, not the textual part.
>>> This also ends up in the file when specifying a file with --outfile.
>>> The textual part should be output on stderr, if at all. The
>>> "Generating a 224 bit ECC private key..." message is indeed output on
>>
>> Hello,
>>  Printing the key information is deliberate, and so is sending it to
>> stdout. What is the issue that you have with openssl?
>>
>
> I'm generating a key with gnutls, then generating a CSR and cert with openssl.
>
> ${GNUTLS_CERTTOOL} -p --ecc --sec-param high --outfile ClientKey.ecc.pem
>
> ${OPENSSL} req -new -nodes -days 365 -subj '/CN=Client Cert (ECC)' \
>     -key ClientKey.ecc.pem -out ClientReq.ecc.pem
> ${OPENSSL} x509 -req -in ClientReq.ecc.pem -CA CACert.pem -CAkey CAKey.pem \
>     -set_serial 1003 -out ClientCert.ecc.pem
>
>
> The last command returns: "Signature did not match the certificate request"
>
> If I use openssl to try to verify the request I also get an error:
> $ ${OPENSSL} req -verify -noout -in ClientReq.ecc.pem
> verify failure
> 140735082790172:error:0D0C5006:asn1 encoding
> routines:ASN1_item_verify:EVP lib:a_verify.c:184:
>
> That said, the extra text does not seem to be the cause of this; I
> tried to remove it and just use the encoded blob and got the same
> result. And it looks like it's not new in 3.0.7.
>
> The reason I mix-n-match gnutls/openssl is that gnutls does not parse
> EC keys generated by openssl properly, as I reported before. It looks
> like openssl has some trouble with gnutls EC keys somehow, although I'm
> kind of baffled at the moment, because I'm pretty sure it used to work
> at some point...
>
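One check worth running on the key file when a CSR's self-signature fails to verify, added here as an example and not code from this thread, from GnuTLS or from OpenSSL: an RFC 5915 "EC PRIVATE KEY" file carries both the private scalar d and an optional embedded public point Q, and a CSR is built from the embedded point but signed with d, so the two have to agree. The script below parses the PEM block (ignoring any text printed before it), recomputes d*G on the named curve and compares it with the embedded point. Assumptions: only P-256 and P-224 are in the curve table (other curves are reported as unsupported), only uncompressed points are handled, the demo scalar and the text preceding the PEM block are constructed for the example, and the point arithmetic is plain affine double-and-add, fine for a diagnostic but not constant-time. It does not verify the CSR itself.

```python
import base64, re

# Named-curve parameters (SEC 2 / FIPS 186), keyed by the DER-encoded OID
# exactly as it appears in the ECPrivateKey "parameters [0]" field.
P256 = bytes.fromhex("06082a8648ce3d030107")  # 1.2.840.10045.3.1.7
P224 = bytes.fromhex("06052b81040021")        # 1.3.132.0.33
CURVES = {
    P256: dict(p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
               a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
               b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
               gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
               gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
               n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551),
    P224: dict(p=0xffffffffffffffffffffffffffffffff000000000000000000000001,
               a=0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe,
               b=0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4,
               gx=0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21,
               gy=0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34,
               n=0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d),
}

def on_curve(c, P):
    x, y = P
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % c["p"] == 0

def ec_add(c, P, Q):
    """Affine point addition; None is the point at infinity (needs Python 3.8+ for pow(x, -1, p))."""
    if P is None:
        return Q
    if Q is None:
        return P
    p = c["p"]
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None  # P == -Q
    if P == Q:
        lam = (3 * P[0] * P[0] + c["a"]) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return x, (lam * (P[0] - x) - P[1]) % p

def ec_mul(c, k, P):
    """Double-and-add scalar multiplication; not constant-time, diagnostics only."""
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P = ec_add(c, P, P)
        k >>= 1
    return R

def _der(tag, body):
    """Minimal DER TLV encoder (short and long definite lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, i):
    """Decode the TLV at buf[i]; returns (tag, value, index after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7f
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def encode_ec_private_key(oid, d, Q):
    """Build an RFC 5915 ECPrivateKey PEM with an explicit embedded public key."""
    c = CURVES[oid]
    size = (c["p"].bit_length() + 7) // 8
    point = b"\x04" + Q[0].to_bytes(size, "big") + Q[1].to_bytes(size, "big")
    body = (_der(0x02, b"\x01")                        # version ecPrivkeyVer1
            + _der(0x04, d.to_bytes(size, "big"))       # privateKey OCTET STRING
            + _der(0xa0, oid)                           # parameters [0] namedCurve
            + _der(0xa1, _der(0x03, b"\x00" + point)))  # publicKey [1] BIT STRING
    b64 = base64.b64encode(_der(0x30, body)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN EC PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END EC PRIVATE KEY-----\n"

def parse_ec_private_key(pem):
    """Return (oid, d, Q) from the first EC PRIVATE KEY block; text outside the armor is ignored."""
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("no EC PRIVATE KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ECPrivateKey is not a SEQUENCE")
    _, _, i = _tlv(seq, 0)          # version
    _, priv, i = _tlv(seq, i)       # privateKey
    oid, Q = None, None
    while i < len(seq):
        tag, val, i = _tlv(seq, i)
        if tag == 0xa0:
            oid = val               # the namedCurve OID TLV itself
        elif tag == 0xa1:
            pt = _tlv(val, 0)[1][1:]    # BIT STRING contents minus the unused-bits octet
            if not pt or pt[0] != 0x04:
                raise ValueError("only uncompressed points are handled")
            h = (len(pt) - 1) // 2
            Q = (int.from_bytes(pt[1:1 + h], "big"), int.from_bytes(pt[1 + h:], "big"))
    return oid, int.from_bytes(priv, "big"), Q

def check_ec_private_key(pem):
    """Return (ok, reason); ok only when the embedded public key is on the curve and equals d*G."""
    oid, d, Q = parse_ec_private_key(pem)
    c = CURVES.get(oid)
    if c is None:
        return False, "unsupported named curve"
    if not 1 <= d < c["n"]:
        return False, "private scalar out of range"
    if Q is None:
        return False, "no embedded public key"
    if not on_curve(c, Q):
        return False, "embedded public key is not on the curve"
    if ec_mul(c, d, (c["gx"], c["gy"])) != Q:
        return False, "embedded public key != d*G"
    return True, "ok"

DEMO_D = 2**100 + 12345  # constructed demo scalar for the example, not a real secret

def demo_key(oid, d=DEMO_D, skew=0):
    """Constructed key file: scalar d with (d+skew)*G embedded; skew=1 builds the mismatch case."""
    c = CURVES[oid]
    return encode_ec_private_key(oid, d, ec_mul(c, d + skew, (c["gx"], c["gy"])))

if __name__ == "__main__":
    preamble = "Constructed text preceding the PEM block, standing in for a printed key summary\n"
    print(check_ec_private_key(preamble + demo_key(P256)))  # (True, 'ok')
    print(check_ec_private_key(demo_key(P224, skew=1)))     # mismatch reported
```

To run it against a real file, pass the contents of ClientKey.ecc.pem to check_ec_private_key(); a False result with "embedded public key != d*G" means OpenSSL will sign the CSR with one key and advertise another. The OpenSSL-side equivalent of this consistency check is `openssl ec -in ClientKey.ecc.pem -check`.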


