PeculiarVentures / x509

@peculiar/x509 is an easy to use TypeScript/JavaScript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy.
https://peculiarventures.github.io/x509/
MIT License

certificates and CSR cannot always be verified by openssl #8

Closed fmonniot closed 3 years ago

fmonniot commented 3 years ago

Hello there,

I'm trying to use this library to issue certificates (using ECDSA P-256 algorithm). I thought I got something working, but then the generated CSR and leaf certificates cannot always be verified by openssl. I tried to find a common cause, but to me it seems the signature is randomly invalid (at least from openssl's point of view).

I have put together a reproduction script (should only require npm i @peculiar/x509 @peculiar/webcrypto, typescript and openssl in the path) to be executable. It can be found in this gist: https://gist.github.com/fmonniot/e94ed40e3902415ccb9ca5a1d932297e.

Running this script multiple times yields different results: either the csr is valid, or the end cert is valid, or both, or neither :(

Is there a known format issue with openssl req -verify and x509 -verify commands?

And last but not least, thank you for writing this library!

microshine commented 3 years ago

I fixed and published the new version @peculiar/x509@1.3.1

@fmonniot Please try it

fmonniot commented 3 years ago

The new version fixed it. Thanks for the prompt bug fix!
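
The thread does not say what 1.3.1 changed. As an added example (not code from the issue, the gist, or @peculiar/x509), this Node.js script shows one encoding edge case that produces the same intermittent symptom: WebCrypto returns ECDSA signatures as raw r||s, while X.509 carries them as a DER SEQUENCE of two INTEGERs, so a converter that mishandles a set high bit or a leading zero byte fails only for some signatures. Assumptions: `naiveP1363ToDer` is a constructed faulty encoder, all function names are illustrative, and Node's OpenSSL-backed `crypto.verify` stands in for the openssl CLI.

```javascript
// Works under CommonJS and ES modules (Node.js built-in crypto, OpenSSL-backed).
const crypto = typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Encode one unsigned big-endian integer as a minimal DER INTEGER.
function derInt(bytes) {
  let i = 0;
  while (i < bytes.length - 1 && bytes[i] === 0) i++;        // strip redundant leading zeros
  let v = bytes.subarray(i);
  if (v[0] & 0x80) v = Buffer.concat([Buffer.from([0]), v]); // pad so the value stays positive
  return Buffer.concat([Buffer.from([0x02, v.length]), v]);
}

// Correct conversion: raw r||s (64 bytes for P-256) -> ECDSA-Sig-Value SEQUENCE.
function p1363ToDer(sig) {
  const half = sig.length / 2;
  const body = Buffer.concat([derInt(sig.subarray(0, half)), derInt(sig.subarray(half))]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]); // short-form length: body <= 70 bytes for P-256
}

// Constructed faulty encoder for contrast: copies r and s verbatim into INTEGERs.
function naiveP1363ToDer(sig) {
  const half = sig.length / 2;
  const int = (b) => Buffer.concat([Buffer.from([0x02, b.length]), b]);
  const body = Buffer.concat([int(sig.subarray(0, half)), int(sig.subarray(half))]);
  return Buffer.concat([Buffer.from([0x30, body.length]), body]);
}

function derVerifies(publicKey, data, der) {
  try {
    return crypto.verify('sha256', data, { key: publicKey, dsaEncoding: 'der' }, der);
  } catch {
    return false; // malformed DER counts as a failed verification
  }
}

// Sign `n` constructed messages; count how many verify after each conversion.
function trial(n) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const ok = { correct: 0, naive: 0 };
  for (let i = 0; i < n; i++) {
    const data = Buffer.from(`constructed message ${i}`);
    const raw = crypto.sign('sha256', data, { key: privateKey, dsaEncoding: 'ieee-p1363' });
    if (derVerifies(publicKey, data, p1363ToDer(raw))) ok.correct++;
    if (derVerifies(publicKey, data, naiveP1363ToDer(raw))) ok.naive++;
  }
  return ok;
}

console.log(trial(200));
```

A loop like `trial` is also the practical regression test for this class of bug: a single passing signature proves little when the failure depends on the random bytes of r and s.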