List: bouncycastle-crypto-dev
Subject: Re: [dev-crypto] Problem with generating ECDSA PKCS#10 Certificate
From: David Hook <dgh () lockboxlabs ! com>
Date: 2008-06-19 6:19:27
Message-ID: 1213856367.3870.45.camel () echidna
Have a look at the source for
org.bouncycastle.jce.provider.JCEEC{Public,Private}Key.java
Regards,
David
On Wed, 2008-06-18 at 23:44 -0400, Joe Smithian wrote:
>
> Thanks David. Yes, I noticed today that my provider doesn't implement
> getEncoded() for ECDSA. Where can I find examples of implementing it
> for ECDSA?
>
> Thanks
> Joe
>
> On Tue, Jun 17, 2008 at 6:47 PM, David Hook <dgh@lockboxlabs.com>
> wrote:
>
> There is an example of creating an ECDSA certificate request in
> org.bouncycastle.jce.provider.test.PKCS10CertRequestTest.java
>
> Note this is using a BC provider key - looking at your email it sounds
> like you might be working with another provider which does not implement
> getEncoded().
>
> Regards,
>
> David
>
>
> On Tue, 2008-06-17 at 14:49 -0400, Joe Smithian wrote:
> > I tried to create an ECDSA PKCS#10 certificate request using BouncyCastle
> > release 139 with JDK6 but it didn't work properly. It was OK for RSA
> > and DSA. The problem looks like it is in the ASN1 encoding of ECDSA public
> > keys. I'm wondering if there is a bug in the BC classes.
> > I experienced the same problem using both BC and non-BC providers.
> >
> > My code is simply the example on the BC website:
> >
> > KeyPair keyPair = ... // generate KeyPair OK
> > X500Principal subjectName = new X500Principal("CN=Test V3 Certificate");
> > PKCS10CertificationRequest kpGen = new PKCS10CertificationRequest(
> >         Algorithm,             // signature algorithm name
> >         subjectName,
> >         keyPair.getPublic(),
> >         null,                  // no attributes
> >         keyPair.getPrivate());
> >
> > This simple code works well for RSA and DSA but throws an Exception if
> > I try it with ECDSA. After some debugging I found that the following
> > line of code in the file PKCS10CertificationRequest.java throws an
> > Exception if I use ECDSA:
> >
> > this.reqInfo = new CertificationRequestInfo(subject,
> >         new SubjectPublicKeyInfo((ASN1Sequence)dIn.readObject()),
> >         attributes); // exception with ECDSA
> >
> > The exception is actually from: dIn.readObject();
> > java.io.IOException: unexpected end-of-contents marker
> >     at org.bouncycastle.asn1.ASN1InputStream.readObject(Unknown Source)
> >     at PKCS10CertificationRequest_Y.<init>(PKCS10CertificationRequest.java)
> >     at PKCS10CertificationRequest_Y.<init>(PKCS10CertificationRequest.java)
> >
> >
> > Then I modified PKCS10CertificationRequest.java to use a different
> > constructor of SubjectPublicKeyInfo for ECDSA:
> >
> > Modified PKCS10CertificationRequest.java code:
> >
> > byte[] bytes = key.getEncoded(); // publicKey
> > ByteArrayInputStream bIn = new ByteArrayInputStream(bytes);
> > ASN1InputStream dIn = new ASN1InputStream(bIn);
> >
> > ASN1StreamParser asp = new ASN1StreamParser(bytes);
> > DEREncodable obj = asp.readObject();
> > DEREncodable asn1Obj = obj.getDERObject().toASN1Object(); // OK
> >
> > SubjectPublicKeyInfo spki = null;
> >
> > if (algorithmName.contains("ECDSA")) {
> >     // Option 1: no exception but doesn't create a valid CSR
> >     spki = new SubjectPublicKeyInfo(sigAlgId, obj);
> >     // Option 2: no exception, CSR is a valid ASN1 file but the portecle
> >     // tool can not read it
> >     // spki = new SubjectPublicKeyInfo(sigAlgId, bytes);
> > } else { // RSA and DSA (ASN1Sequence)
> >     // spki = new SubjectPublicKeyInfo((ASN1Sequence)asn1Obj); // ok for rsa and dsa but not for ecdsa
> >     spki = new SubjectPublicKeyInfo((ASN1Sequence)dIn.readObject()); // ok for rsa and dsa but not for ecdsa
> > }
> >
> > this.reqInfo = new CertificationRequestInfo(subject, spki, attributes);
> > }
> > catch (IOException e)
> > {
> >     e.printStackTrace();
> >     throw new IllegalArgumentException(e.getMessage() + " can't encode public key");
> > }
> > Signature sig = Signature.getInstance(signatureAlgorithm, provider);
> > sig.initSign(signingKey);
> > // rest of the code .....
> >
> > After this change it didn't throw any Exception and created the CSR
> > file but when I examined the CSR file it was not valid for ECDSA:
> >
> > C:\dumpasn1.exe sect233r1.der
> >   0 129: SEQUENCE {
> >   3  53:   SEQUENCE {
> >   5   1:     INTEGER 0
> >   8  30:     SEQUENCE {
> >  10  28:       SET {
> >  12  26:         SEQUENCE {
> >  14   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
> >  19  19:           PrintableString 'Test V3 Certificate'
> >        :           }
> >        :         }
> >        :       }
> >  40  16:     SEQUENCE {
> >  42   9:       SEQUENCE {
> >  44   7:         OBJECT IDENTIFIER '1 2 840 10045 4 1'
> >        :         }
> >  53   3:       BIT STRING
> >        :         '0000000000000000'B
> >        :         Error: Spurious zero bits in bitstring.
> >        :       }
> >        :     }
> >  58   9:   SEQUENCE {
> >  60   7:     OBJECT IDENTIFIER '1 2 840 10045 4 1'
> >        :     }
> >  69  61:   BIT STRING
> >        :     00 36 54 0E 1E 1D 02 9D 3E 8E B9 22 0B CF 29 C1
> >        :     1D 0D 5E 2F 9C 6F 94 4E 1F B5 DB F5 8B D5 00 43
> >        :     92 38 01 2C A8 CA 8F 96 1B 0C A7 C1 36 E4 15 77
> >        :     14 60 2D BB 9F B5 82 2A BE E0 63 A0
> >        :   }
> >
> > 0 warnings, 1 error.
> >
> >
> >
> > I'd appreciate your help to fix this problem.
> >
> > Joe
> >
> >
>
>
>
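As an added example (not code from this thread or from the BC provider): the dumpasn1 output above shows the SubjectPublicKeyInfo carrying the signature OID 1 2 840 10045 4 1 (ecdsa-with-SHA1) and an all-zero BIT STRING, whereas an EC key's getEncoded() must return an X.509 SubjectPublicKeyInfo whose AlgorithmIdentifier is id-ecPublicKey with the named-curve OID as its parameters and whose BIT STRING holds the X9.62 uncompressed point. The class below builds that encoding from a JCA ECPublicKey with current BouncyCastle ASN.1 classes; the class name, the namedCurve argument (e.g. SECObjectIdentifiers.sect233r1 for the key in the dump) and the helper names are my own assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X962Parameters;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;

/** Hypothetical helper: the SubjectPublicKeyInfo an EC getEncoded() should return. */
public final class EcSpkiEncoder {

    /** Pads a coordinate to the field width, dropping a BigInteger sign byte if present. */
    static byte[] toFixedLength(BigInteger v, int fieldBytes) {
        byte[] raw = v.toByteArray();
        if (raw.length == fieldBytes + 1 && raw[0] == 0) {
            return Arrays.copyOfRange(raw, 1, raw.length);
        }
        byte[] out = new byte[fieldBytes];
        System.arraycopy(raw, 0, out, fieldBytes - raw.length, raw.length);
        return out;
    }

    /** X9.62 uncompressed point: 0x04 || X || Y, each coordinate field-width bytes. */
    static byte[] uncompressedPoint(ECPublicKey key) {
        int fieldBytes = (key.getParams().getCurve().getField().getFieldSize() + 7) / 8;
        byte[] x = toFixedLength(key.getW().getAffineX(), fieldBytes);
        byte[] y = toFixedLength(key.getW().getAffineY(), fieldBytes);
        byte[] point = new byte[1 + 2 * fieldBytes];
        point[0] = 0x04;
        System.arraycopy(x, 0, point, 1, fieldBytes);
        System.arraycopy(y, 0, point, 1 + fieldBytes, fieldBytes);
        return point;
    }

    /** DER SubjectPublicKeyInfo: { id-ecPublicKey, namedCurve } plus the raw point. */
    public static byte[] getEncoded(ECPublicKey key, ASN1ObjectIdentifier namedCurve)
            throws IOException {
        // The key algorithm OID, not the signature algorithm OID seen in the dump above.
        AlgorithmIdentifier algId = new AlgorithmIdentifier(
                X9ObjectIdentifiers.id_ecPublicKey, new X962Parameters(namedCurve));
        // The BIT STRING wraps the point bytes directly; no nested DER object.
        SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo(algId, uncompressedPoint(key));
        return spki.getEncoded("DER");
    }
}
```

Feeding the returned bytes to PKCS10CertificationRequest's (ASN1Sequence)dIn.readObject() path yields the SEQUENCE the constructor expects, which is what a non-BC provider's getEncoded() was failing to supply.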