Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

EC P256 Certificate Signing Requests are Broken #1

Closed darconeous closed 9 years ago

darconeous commented 9 years ago

Whenever I have the tool generate a CSR using ECC P256, the generated CSR is invalid. The issue appears to be with the ECDSA signature on the certificate request, which appears to be stored incorrectly:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=net, DC=voria, DC=token, CN=Yubikey NEO 35XXXXX
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key: 
                pub: 
                    04:dd:91:86:6a:92:69:90:d9:cd:f0:81:ca:a3:40:
                    80:d8:64:e3:ad:13:3a:ed:43:0e:42:a0:95:b2:1e:
                    8c:2c:46:60:f3:5b:75:33:92:38:51:52:b8:6c:0c:
                    1a:b8:b0:6f:ee:f1:33:7a:9a:37:a8:79:d7:c8:de:
                    19:92:43:23:83
                ASN1 OID: prime256v1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
        30:46:02:21:00:c3:7d:49:a6:da:e9:fe:25:18:26:7d:20:3e:
        6a:80:22:04:a4:9d:a8:fb:72:9a:7c:99:c5:48:02:e2:28:0b:
        65:02:21:00:d6:58:07:d0:f5:a5:f9:d9:f1:53:49:5d:3b:8a:
        5c:75:87:66:43:32:da:ce:97:67:33:0d:9b:8e:78:54:3a:17
Check that the request matches the signature
Signature verification problems....
20298:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/asn1/a_verify.c:164:
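A structural check of the signature field in the dump above, as an added example (not part of the original post and not yubico-piv-tool code): it strictly parses the DER ECDSA-Sig-Value and range-checks r and s against the P-256 group order, which helps separate an encoding problem from a verifier that does not recognise the digest algorithm. The function names `parse_ecdsa_sig` and `sig_from_dump` are chosen for this example.

```python
# P-256 (prime256v1) group order n, from SEC 2 / FIPS 186.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Signature bytes copied from the openssl dump in the post above.
SIG_HEX = """
30:46:02:21:00:c3:7d:49:a6:da:e9:fe:25:18:26:7d:20:3e:
6a:80:22:04:a4:9d:a8:fb:72:9a:7c:99:c5:48:02:e2:28:0b:
65:02:21:00:d6:58:07:d0:f5:a5:f9:d9:f1:53:49:5d:3b:8a:
5c:75:87:66:43:32:da:ce:97:67:33:0d:9b:8e:78:54:3a:17
"""

def sig_from_dump(text):
    """Turn colon-separated hex, possibly wrapped over lines, into bytes."""
    return bytes.fromhex("".join(text.split()).replace(":", ""))

def _read_int(buf, pos):
    """Read one DER INTEGER (short-form length); return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02 at offset %d" % pos)
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 0x7F or len(body) != length:
        raise ValueError("bad INTEGER length at offset %d" % pos)
    if body[0] & 0x80:
        raise ValueError("negative INTEGER (missing 0x00 pad)")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (extra 0x00 pad)")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_ecdsa_sig(der, order=P256_N):
    """Strictly parse ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    if der[1] > 0x7F or der[1] != len(der) - 2:
        raise ValueError("SEQUENCE length does not match data")
    r, pos = _read_int(der, 2)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    for name, value in (("r", r), ("s", s)):
        if not 1 <= value < order:
            raise ValueError(name + " outside [1, n-1]")
    return r, s

if __name__ == "__main__":
    r, s = parse_ecdsa_sig(sig_from_dump(SIG_HEX))
    print("r = %064x\ns = %064x" % (r, s))
```

For the bytes in this dump the structural parse succeeds; the check covers encoding and range only and does not verify the signature against the public key.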

dainnilsson commented 9 years ago

This project uses yubico-piv-tool to generate certificates. I've copied the issue to that project: Yubico/yubico-piv-tool#27 and am now closing this one.