odd error for ECDSA key in REQ.


odd error for ECDSA key in REQ.

Dirk-Willem van Gulik
Below CSR gives me an odd error with the standard openssl REQ command:

        openssl req -inform DER -noout -pubkey

        Error getting public key

        140673482679616:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../crypto/ec/ecp_oct.c:312:
        140673482679616:error:10098010:elliptic curve routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
        140673482679616:error:100D708E:elliptic curve routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
        140673482679616:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:125:

Even though the ASN.1 of the public key looks correct to me:

    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (536 bit) 0000010001000001000001000011100100110011100111000110100010100101101000…
        OCTET STRING (65 byte) 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC715561…

What would be a good way to further debug this?

With kind regards,

Dw

-----BEGIN CERTIFICATE REQUEST-----
MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
-----END CERTIFICATE REQUEST-----


Re: odd error for ECDSA key in REQ.

Frank Migge-2
Hi Dirk-Willem,

Something is wrong with your EC key. The error mentions that it can't
get the curve points from the key data. How did you generate the key?

If it helps, here is a working CSR example, using a prime256v1 key for
comparison:

-----BEGIN CERTIFICATE REQUEST-----
MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
+8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
-----END CERTIFICATE REQUEST-----


$ openssl req -inform PEM -noout -pubkey -in test.csr
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
-----END PUBLIC KEY-----


On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:

--
Frank Migge
http://fm4dd.com | [hidden email]


Re: odd error for ECDSA key in REQ.

Dirk-Willem van Gulik
The key is generated by a lovely HSM, which is by its nature a bit of a closed box, whose vendor is very sure its software is right.

So this helps a lot, and helps confirm what we thought!

Thanks,

Dw

> On 8 Aug 2020, at 04:16, Frank Migge <[hidden email]> wrote:


Re: [EXTERNAL] Re: odd error for ECDSA key in REQ.

OpenSSL - User mailing list
The key itself is good. Its encoding in the CSR isn't.
Looks like the public key was X9.62 encoded in its uncompressed form (i.e. start with a 04 octet, and then the octets composing the x and y coordinates), and then wrapped into an ASN.1 OCTET STRING (i.e. use the 04 tag, plus a 0x41 length, and the encoded public key), and finally the BIT STRING encapsulation.
The OCTET STRING is wrong here.

Cordialement,
Erwann Abalea

Le 08/08/2020 14:24, « openssl-users au nom de Dirk-Willem van Gulik » <[hidden email] au nom de [hidden email]> a écrit :

    The key is generated by a lovely HSM - which is by its nature a bit of a closed box. Whose vendor is very sure its software is right.

    So this helps a lot - and helps confirm what we thought !

    Thanks,

    Dw

    > On 8 Aug 2020, at 04:16, Frank Migge <[hidden email]> wrote:
    >
    > Hi Dirk-Willem,
    >
    > Something is wrong with your EC key. The error mentions that it can't
    > get the curve points from the key data. How did you generate the key?
    >
    > If it helps, here is a working CSR example, using a prime256v1 key for
    > comparison:
    >
    > -----BEGIN CERTIFICATE REQUEST-----
    > MIIBDjCBtAIBADArMQswCQYDVQQGEwJKUDEcMBoGA1UEAwwTdGVzdCBmb3IgcHJp
    > bWUyNTZ2MTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOMQV0Vep+9Xnje6bKNy
    > +8blwKEscr5LoUQCuwqaUT4HyPgXFE9E0r1PiWbC6bGkS26MuguOBp52X9H9z+NS
    > zM6gJzAlBgkqhkiG9w0BCQ4xGDAWMBQGA1UdEQQNMAuCCWZtNGRkLmNvbTAKBggq
    > hkjOPQQDAgNJADBGAiEA5uYlfkpRsJhBk+WwippCjupEpaCNaHwNyNqbj8qrR80C
    > IQDCoJtaWhFGxbaAB2+o3gm87ZHJSDSjfrD2lEhlkbEXHQ==
    > -----END CERTIFICATE REQUEST-----
    >
    >
    > $ openssl req -inform PEM -noout -pubkey -in test.csr
    > -----BEGIN PUBLIC KEY-----
    > MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4xBXRV6n71eeN7pso3L7xuXAoSxy
    > vkuhRAK7CppRPgfI+BcUT0TSvU+JZsLpsaRLboy6C44GnnZf0f3P41LMzg==
    > -----END PUBLIC KEY-----
    >
    >
    > On Fri, 2020-08-07 at 19:07 +0200, Dirk-Willem van Gulik wrote:
    >> Below CSR gives me an odd error with the standard openssl REQ
    >> command:
    >>
    >> openssl req -inform DER -noout -pubkey
    >>
    >> Error getting public key
    >>
    >> 140673482679616:error:10067066:elliptic curve
    >> routines:ec_GFp_simple_oct2point:invalid
    >> encoding:../crypto/ec/ecp_oct.c:312:
    >> 140673482679616:error:10098010:elliptic curve
    >> routines:o2i_ECPublicKey:EC lib:../crypto/ec/ec_asn1.c:1175:
    >> 140673482679616:error:100D708E:elliptic curve
    >> routines:eckey_pub_decode:decode error:../crypto/ec/ec_ameth.c:157:
    >> 140673482679616:error:0B09407D:x509 certificate
    >> routines:x509_pubkey_decode:public key decode
    >> error:../crypto/x509/x_pubkey.c:125:
    >>
    >> Even though the ASN1 of the public key looks correct to me:
    >>
    >>    SEQUENCE (2 elem)
    >>      SEQUENCE (2 elem)
    >>        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62
    >> public key type)
    >>        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62
    >> named elliptic curve)
    >>      BIT STRING (536 bit)
    >> 000001000100000100000100001110010011001110011100011010001010010110100
    >> 0…
    >>        OCTET STRING (65 byte)
    >> 0439339C68A5A333143592C0A36D053F31D3AF6ED18FB54F4747B9DFC6DB6ABC71556
    >> 1…
    >>
    >> What would be a good way to further debug this ?
    >>
    >> With kind regards,
    >>
    >> Dw
    >>
    >> -----BEGIN CERTIFICATE REQUEST-----
    >> MIIBPzCB5QIBADCBgDELMAkGA1UEAxMCQ04xCjAIBgNVBAUTATExCjAIBgNVBAYT
    >> AUMxCjAIBgNVBAcTAUwxCjAIBgNVBAgTAVMxCjAIBgNVBAoTAU8xCzAJBgNVBAsT
    >> Ak9VMQowCAYDVQQMEwFUMQowCAYDVQQNEwFEMRAwDgYJKoZIhvcNAQkBEwFFMFsw
    >> EwYHKoZIzj0CAQYIKoZIzj0DAQcDRAAEQQQ5M5xopaMzFDWSwKNtBT8x069u0Y+1
    >> T0dHud/G22q8cVVh8sVcpLUortLxxesEXCddpx/EeuxP+MN/RymHTMrjoAAwCgYI
    >> KoZIzj0EAwIDSQAwRgIhAO+K+TFCdYxQg7aT+B3wIVa6CCYxM/mL4/WHSrwXujJy
    >> AiEA7UsbQT/YRKaFDPn/U9jdrJaUmKsqKJvGwN7YVaMGdeo=
    >> -----END CERTIFICATE REQUEST-----
    >
    >
    > --
    > Frank Migge
    > http://fm4dd.com | [hidden email]
    >