Fwd: Problem with generating keys (lib not commandline)

Michael Simms-3
Hi,

I posted this last week, and a couple of people said they could help
but then, I haven't heard any more.

If someone has any ideas, they would be gratefully appreciated.

I am having a bit of a problem generating a set of new keys.

I have code that works just fine when using a pair of imported keys
from a file generated from the openssl commandline.

However when I try and use RSA_generate_key, I can obtain the public
and private keypair, they validate using SSL_CTX_check_private_key,
yet, they cause SSL_connect on the client to complain

error:0D07209B:asn1 encoding routines:ASN1_get_object:too long

I have the code for generating the keys up for scrutiny at

http://pastebin.com/m2dc98526

Any suggestions gratefully appreciated.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Problem with generating keys (lib not commandline)

Ger Hobbelt
This is not a sure thing, but from a quick scan of your code, it looks
like you are constructing an incomplete certificate in memory, which
might hurt you further down the road, i.e. when transmitting the cert,
which is then checked by the other party.

Specifically, check the code to construct public key carrying
certificates in, for instance, x509/mkcert.c, demos/selfsign.c, and a
few others:

X509_new()
[*] X509_set_version() // use 2 or 3
[*] X509_set_serialNumber();
[*] X509_set_notBefore() // valid from
[*] X509_set_notAfter() // valid until
X509_set_pubkey()
[*] X509_set_subject_name()
[*] X509_set_issuer_name()
[*] X509_sign()

see also library API call X509_REQ_to_X509(), which goes through the
same motions as that call has to deliver a freshly constructed
certificate; the same goal (only from a different starting point) as
you mentioned.

If an analogy helps to explain why you need 'all this', think of a
certificate as a passport. Doesn't matter which country you live in, your
passport always comes with a serial (letters and numbers); if it
doesn't, you have something to explain to Mr. Customs Officer. ;-)
There's also the version for human passports: modern ones come with
smartcards embedded and other gadgets the old ones didn't have; the
country you're visiting might not accept antique ones anymore.
Every passport comes with your name and picture (you = subject), shows
in print in whose name it was issued (in the Netherlands, that'd be
the mayor of your town, a.k.a. the issuer) and both dates are in there
as well. Plus, last but not least, your signature.

Your code produces a blank passport with only your signature in it.
Out in the real world, that sort of thing would fetch a hefty sum in
the right circles, if you get my meaning ;-)


There may be other issues, but this at least should get you on the road again.

Last bit: you might want to play safe and add a key check:
RSA_check_key; see also the OpenSSL book. It might feel superfluous,
but better safe than sorry, eh.

And to test your in-memory generated cert, it might be handy to add a
bit of simple test code which writes that cert to disc, so you can
apply other tools to it to make sure it is /indeed/ what you need and
fully comparable to your other disc-based certificates: you may
require extensions or other bits in there as well to make the other
party (client or server) happy.


Regards,

Ger



On Thu, Nov 6, 2008 at 11:03 AM, Michael Simms <[hidden email]> wrote:

> Hi,
>
> I posted this last week, and a couple of people said they could help
> but then, I haven't heard any more.
>
> If someone has any ideas, they would be gratefully appreciated.
>
> I am having a bit of a problem generating a set of new keys.
>
> I have code that works just fine when using a pair of imported keys
> from a file generated from the openssl commandline.
>
> However when I try and use RSA_generate_key, I can obtain the public
> and private keypair, they validate using SSL_CTX_check_private_key,
> yet, they cause SSL_connect on the client to complain
>
> error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
>
> I have the code for generating the keys up for scrutiny at
>
> http://pastebin.com/m2dc98526
>
> Any suggestions gratefully appreciated.



--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   [hidden email]
mobile: +31-6-11 120 978
--------------------------------------------------
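
Added example, not part of the thread and not OpenSSL code: a stand-alone checker for the DER bytes of a certificate that has been written to disc as the reply above suggests. It rejects any element whose declared length runs past the buffer (the kind of bounds failure an ASN.1 "too long" error reports) and flags the version, serial, issuer, validity and subject fields of the TBSCertificate when they are absent or empty. The function and flag names, the sample bytes, and the rule that a zero-length element means "not filled in" are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
/* Result flags for cert_check(); all names here are hypothetical. */
enum { BAD_DER = 1, NO_VERSION = 2, NO_SERIAL = 4,
       EMPTY_ISSUER = 8, EMPTY_VALIDITY = 16, EMPTY_SUBJECT = 32 };
typedef struct { const unsigned char *val; size_t len; unsigned char tag; } tlv;
/* Read one DER element from p[0..n); returns bytes consumed, 0 on error. */
static size_t der_read(const unsigned char *p, size_t n, tlv *out) {
    size_t hdr = 2, len, k, i;
    if (n < 2) return 0;
    len = p[1];
    if (len & 0x80) {                  /* long form: k length octets follow */
        k = len & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return 0;
        for (len = 0, i = 0; i < k; i++) len = (len << 8) | p[2 + i];
        hdr += k;
    }
    if (len > n - hdr) return 0;       /* declared length overruns the buffer */
    out->tag = p[0]; out->val = p + hdr; out->len = len;
    return hdr + len;
}

/* Walk Certificate -> TBSCertificate; flag an absent version and empty fields. */
int cert_check(const unsigned char *der, size_t n) {
    static const int flag[6] = { NO_SERIAL, 0, EMPTY_ISSUER, EMPTY_VALIDITY, EMPTY_SUBJECT, 0 };
    tlv cert, tbs, f; const unsigned char *p; size_t left, used = 0; int i, bad = 0;
    if (!der_read(der, n, &cert) || cert.tag != 0x30) return BAD_DER;
    if (!der_read(cert.val, cert.len, &tbs) || tbs.tag != 0x30) return BAD_DER;
    p = tbs.val; left = tbs.len;
    if (left > 0 && p[0] == 0xA0) used = der_read(p, left, &f); /* [0] version */
    else bad |= NO_VERSION;            /* absent field means the v1 default */
    p += used; left -= used;
    for (i = 0; i < 6; i++) { /* serial, sig alg, issuer, validity, subject, key */
        if (!(used = der_read(p, left, &f))) return bad | BAD_DER;
        if (f.len == 0) bad |= flag[i];
        p += used; left -= used;
    }
    return bad;
}
/* Constructed skeletons with placeholder bodies, not real certificates. */
static const unsigned char full_cert[] = { 0x30,0x1E, 0x30,0x1C,
    0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01, 0x30,0x02,0x05,0x00,
    0x30,0x02,0x31,0x00, 0x30,0x02,0x05,0x00, 0x30,0x02,0x31,0x00, 0x30,0x02,0x05,0x00 };
static const unsigned char blank_cert[] = { 0x30,0x12, 0x30,0x10, 0x02,0x00,
    0x30,0x02,0x05,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x02,0x05,0x00 };
int main(void) {
    printf("full=%d blank=%d\n", cert_check(full_cert, sizeof full_cert),
           cert_check(blank_cert, sizeof blank_cert));
    return 0;
}
```

To run it on a real certificate, load the DER-encoded file into a buffer and pass that buffer and its length to cert_check(); a result of 0 means none of the checked fields is missing or empty.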

Re: Problem with generating keys (lib not commandline)

Ger Hobbelt
One line in my reply went other places. It was this: [*] starred items
are not called in your code.

On Fri, Nov 7, 2008 at 12:59 AM, Ger Hobbelt <[hidden email]> wrote:

> Specifically, check the code to construct public key carrying
> certificates in, for instance, x509/mkcert.c, demos/selfsign.c, and a
> few others:
>
> X509_new()
> [*] X509_set_version() // use 2 or 3
> [*] X509_set_serialNumber();
> [*] X509_set_notBefore() // valid from
> [*] X509_set_notAfter() // valid until
> X509_set_pubkey()
> [*] X509_set_subject_name()
> [*] X509_set_issuer_name()
> [*] X509_sign()
>
> see also library API call X509_REQ_to_X509(), which goes through the



--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   [hidden email]
mobile: +31-6-11 120 978
--------------------------------------------------