We are working on tokens to generate CSR (certificate signing requests). Keypair is generating perfectly in token but we are unable to get proper csr. I'm trying to create X509 certificate request signed inside smart card using PKCS11 interface. I’m using openssl-1.0.2.
To perform this task I have to perform following steps: 1, create certificate request (X509_new) 2, load public key (X509_REQ_set_pubkey) 3, set up subject name and extensions as required 4, export req_info structure (i2d_X509_REQ_INFO) 5, sign this structure using PKCS11
Unfortunately created request doesn't contain valid signature. After closer look at the openssl calls I've noticed, that the buffer exported using i2d_X509_REQ_INFO function doesn't contain properly encoded structure. Can somebody help me, what I'm doing wrong, or which parameter of the structure I forgot to initialize?
Relevant part of the code:
...
X509_REQ *req;
X509_NAME *subj;
if (!(req = X509_REQ_new())) {
printf("Unable to initialize X509_REQ structure\n");
return -1;
}
RSA *rsa;
rsa = RSA_new();
rsa->e = BN_bin2bn( (unsigned char *) pub_publicExponent, (int) 3, NULL );
rsa->n = BN_bin2bn( (unsigned char *) modulus, (int) (pub_modulusbits/8), NULL );
if( (pkey = EVP_PKEY_new()) == NULL ) {
printf("Unable to initialize PKEY structure\n");
return -1;
}
EVP_PKEY_assign_RSA( pkey , rsa );
X509_REQ_set_pubkey(req, pkey);
subj=X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(subj,"C",
MBSTRING_ASC, (unsigned char *)"SK", -1, -1, 0);
X509_NAME_add_entry_by_txt(subj,"CN",
MBSTRING_ASC, (unsigned char *)"Test", -1, -1, 0);
int datasig_len;
unsigned char *tobesigned;
datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );
tobesigned = (unsigned char *) malloc( datasig_len );
if( !tobesigned ) {
printf("Unable to alloc mem buffer\n");
return -1;
}
int zzz = i2d_X509_REQ_INFO( req->req_info, &tobesigned );
Aucun commentaire:
Enregistrer un commentaire