creating certificate by code / problems to load via openssl x509 / pem format

creating certificate by code / problems to load via openssl x509 / pem format

Andreas Tengicki

Hello,

Your first help in this project helped much, but now, some weeks later, there is a new problem, and I cannot find any tips via Google.

For all the coding I have looked into the openssl examples.

I create a private key in code; "openssl rsa -in test_privatekey.pem -check" is fine.

I create a certificate request in code; "openssl req -text -noout -verify -in test_request.pem" is fine.

I create a certificate via this request and store it with "PEM_write_bio_X509(out, crt);" like the others. (Some more code below.)

Perhaps there is something wrong; to detect this I will use the validation, but it cannot load the certificate to validate it:

>> openssl x509 -in test_certificate.pem -text
unable to load certificate
140180222239872:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
140180222239872:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:../crypto/asn1/tasn_dec.c:1118:
140180222239872:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:190:Type=ASN1_TIME
140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=notBefore, Type=X509_VAL
140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=validity, Type=X509_CINF
140180222239872:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509
140180222239872:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:


Thanks for any help.

Best regards

  Andreas

----

Error handling should be added in a second step; for now the debug outputs (which I have deleted here) say everything is created.

#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* The empty "if (...);" statements are placeholders for the error handling
   still to be added. Note that req is never used below, and that only the
   notAfter half of the validity period is set. */
X509* certificate_create(const X509_REQ* req)
{
  //openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
  X509 *crt = NULL;
  X509 *xca = NULL;                /* CA certificate */
  EVP_PKEY *upkey = NULL;          /* CA public key, owned by xca */
  const char CAfile[] = "ca.crt";  /* not declared in the posted snippet; name assumed from the command above */

  if ((crt = X509_new()) == NULL);
  //xca = load_cert(CAfile, CAformat, "CA Certificate");
  BIO *bio = NULL;
  bio = BIO_new_file(CAfile, "r");
  xca = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
  BIO_free(bio);

  upkey = X509_get0_pubkey(xca);

  char CAkeyfile[] = "ca.key";
  int CAkeyformat = 5; //FORMAT_PEM
  char passin[] = "xyz";

  ENGINE *e = NULL;
  EVP_PKEY * CApkey = NULL;
  //CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key");
  bio = BIO_new_file(CAkeyfile, "r");
  CApkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, passin);  /* NULL callback: passin is used directly as the passphrase */
  BIO_free(bio);

  EVP_PKEY_copy_parameters(upkey, CApkey);

  /* Verification-context setup copied from apps/x509.c; not needed for signing and unused below */
  X509_STORE *ctx = NULL;
  ctx = X509_STORE_new();

  X509_STORE_CTX *xsc = NULL;
  xsc = X509_STORE_CTX_new();
  if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, crt, NULL));

  ASN1_INTEGER *serialno = NULL;
  serialno = ASN1_INTEGER_new();
  BIGNUM *btmp = NULL;
  btmp = BN_new();

  /* random 159-bit serial number, as apps/x509.c does */
  # define SERIAL_RAND_BITS        159
  if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY));
  if (!BN_to_ASN1_INTEGER(btmp, serialno));
  BN_free(btmp);

  X509_STORE_CTX_set_cert(xsc, crt);
  X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);

  if (!X509_check_private_key(xca, CApkey)) ;

  if (!X509_set_issuer_name(crt, X509_get_subject_name(xca)));
  if (!X509_set_serialNumber(crt, serialno));

  int days = 365;
  /* only notAfter is set here; notBefore is never touched */
  if (X509_time_adj_ex(X509_getm_notAfter(crt), days, 0, NULL) == NULL);

  const char digestname[] = "sha256";
  const EVP_MD* md = EVP_get_digestbyname(digestname);
  EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  EVP_PKEY_CTX *pkctx = NULL;
  EVP_DigestSignInit(mctx, &pkctx, md, NULL, CApkey);  // is CApkey the right private key here? it should be
  int rv = (X509_sign_ctx(crt, mctx) > 0);
  EVP_MD_CTX_free(mctx);

  BIO *out = NULL;
  out = BIO_new_file("test_certificate.pem", "w");
  PEM_write_bio_X509(out, crt);
  BIO_free_all(out);

  ...some more frees ...
  return crt;
}


Re: creating certificate by code / problems to load via openssl x509 / pem format

Andreas Tengicki

The solution was to choose an EVP when signing the certificate

i = X509_sign(x, CApkey, EVP_sha256());

Best regards

  Andreas

On 09.07.2020 at 11:09, Andreas Tengicki wrote:



Re: creating certificate by code / problems to load via openssl x509 / pem format

Tomas Mraz-2
On Thu, 2020-12-10 at 10:39 +0100, Andreas Tengicki wrote:
> The solution was to choose an EVP when signing the certificate
>
> i = X509_sign(x, CApkey, EVP_sha256());

I do not really think this was the problem. In the code below you do
not set the notBefore time which is actually indicated by the parsing
errors when you try to load the invalid certificate.

> > Error handling should be added in a second step; for now the debug outputs
> > (which I have deleted here) say everything is created.
> >
> > X509* certificate_create(const X509_REQ* req)
> > {
> >   //openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
> >
> >   if ((crt = X509_new()) == NULL);
> >   //xca = load_cert(CAfile, CAformat, "CA Certificate");
> >   BIO *bio = NULL;
> >   bio = BIO_new_file(CAfile, "r");
> >   xca = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
> >   BIO_free(bio);
> >
> >   upkey = X509_get0_pubkey(xca);
> >
> >   char CAkeyile[] = "ca.key";
> >   int CAkeyformat = 5; //FORMAT_PEM
> >   char passin[] = "xyz";
> >
> >   ENGINE *e = NULL;
> >   EVP_PKEY * CApkey = NULL;
> >   //CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key");
> >   bio = BIO_new_file(CAkeyile, "r");
> >   CApkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, passin);
> >   BIO_free(bio);
> >
> >   EVP_PKEY_copy_parameters(upkey, CApkey);
> >
> >   X509_STORE *ctx = NULL;
> >   ctx = X509_STORE_new();
> >
> >   X509_STORE_CTX *xsc = NULL;
> >   xsc = X509_STORE_CTX_new();
> >   if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, crt, NULL));
> >
> >   ASN1_INTEGER *serialno = NULL;
> >   serialno = ASN1_INTEGER_new();
> >   BIGNUM *btmp = NULL;
> >   btmp = BN_new();
> >
> >   # define SERIAL_RAND_BITS        159
> >   if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY));
> >   if (!BN_to_ASN1_INTEGER(btmp, serialno));
> >   BN_free(btmp);
> >
> >   X509_STORE_CTX_set_cert(xsc, crt);
> >   X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
> >
> >   if (!X509_check_private_key(xca, CApkey)) ;
> >
> >   if (!X509_set_issuer_name(crt, X509_get_subject_name(xca)));
> >   if (!X509_set_serialNumber(crt, serialno));
> >
> >   int days = 365;
> >   if (X509_time_adj_ex(X509_getm_notAfter(crt), days, 0, NULL) == NULL);
> >
> >   const char digestname[] = "sha256";
> >   const EVP_MD* md = EVP_get_digestbyname(digestname);
> >   EVP_MD_CTX *mctx = EVP_MD_CTX_new();
> >   EVP_PKEY_CTX *pkctx = NULL;
> >   EVP_DigestSignInit(mctx, &pkctx, md, NULL, CApkey);  // is CApkey the right private key here? it should be
> >   int rv = (X509_sign_ctx(crt, mctx) > 0);
> >   EVP_MD_CTX_free(mctx);
> >
> >   BIO *out = NULL;
> >   out = BIO_new_file("test_certificate.pem", "w");
> >   PEM_write_bio_X509(out, crt);
> >   BIO_free_all(out);
> >
> >   ...some more frees ...
> >   return crt;
> > }
> >
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]