oxidecomputer / pki-playground

Tool for generating non-trivial X.509 certificate chains
Mozilla Public License 2.0

add support for p384 and sha384 #13

Closed flihp closed 1 year ago

mx-shift commented 1 year ago

~/Projects/oxidecomputer/pki-playground/examples/simple-chain-client-server_p384 [ p384-sha384 L | …42 ] $ openssl verify --check_ss_sig -trusted TEST\ USE\ ONLY\ -\ Test\ CA\ A.cert.der  TEST\ USE\ ONLY\ -\ Test\ Int\ A.cert.der
CN = UK, ST = England, L = London, O = Fun, OU = Test, CN = TEST USE ONLY - Test CA A
error 7 at 1 depth lookup: certificate signature failure
error TEST USE ONLY - Test Int A.cert.der: verification failed
40E7497F247F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:

flihp commented 1 year ago

Just flipped the switch to make this a draft. Looks like I missed the algorithm parameters in the certs.

flihp commented 1 year ago

The culprit was the encoding of the RFC 5280 signatureValue. ECDSA signatures are encoded as a SEQUENCE of the r and s integers. My first, failing pass at this was using the raw r & s (no DER encoding).
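The encoding difference described in the last comment, as an added example that is not code from the pki-playground repository: converting a fixed-width `r || s` ECDSA signature into the DER SEQUENCE of two INTEGERs that belongs in signatureValue. The function names are hypothetical, only the standard library is used, and the length handling goes beyond P-384 to cover any field width.

```rust
/// Append a DER length: short form below 128, long form otherwise.
fn push_len(out: &mut Vec<u8>, len: usize) {
    if len < 0x80 {
        out.push(len as u8);
    } else {
        let bytes = len.to_be_bytes();
        let skip = bytes.iter().take_while(|b| **b == 0).count();
        out.push(0x80 | (bytes.len() - skip) as u8);
        out.extend_from_slice(&bytes[skip..]);
    }
}

/// Encode an unsigned big-endian integer as a DER INTEGER (tag 0x02).
fn der_uint(out: &mut Vec<u8>, be: &[u8]) {
    // DER wants the minimal form: drop leading zero octets...
    let skip = be.iter().take_while(|b| **b == 0).count();
    let mut body = be[skip..].to_vec();
    // ...then add one 0x00 if the top bit is set (or the value is zero),
    // so the INTEGER is not read as negative.
    if body.first().map_or(true, |b| b & 0x80 != 0) {
        body.insert(0, 0x00);
    }
    out.push(0x02);
    push_len(out, body.len());
    out.extend_from_slice(&body);
}

/// `raw` is r || s, each the curve's field width (48 bytes for P-384).
/// Returns Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }.
fn raw_ecdsa_to_der(raw: &[u8]) -> Option<Vec<u8>> {
    if raw.is_empty() || raw.len() % 2 != 0 {
        return None; // not two equal-width halves
    }
    let (r, s) = raw.split_at(raw.len() / 2);
    let mut body = Vec::new();
    der_uint(&mut body, r);
    der_uint(&mut body, s);
    let mut der = vec![0x30]; // SEQUENCE tag
    push_len(&mut der, body.len());
    der.extend_from_slice(&body);
    Some(der)
}

fn main() {
    // Constructed sample (not a real signature): r has its top bit set, s a leading zero.
    let raw = [vec![0x80u8; 48], vec![0x00], vec![0x7f; 47]].concat();
    let der = raw_ecdsa_to_der(&raw).unwrap();
    println!("{} raw bytes -> {} DER bytes", raw.len(), der.len());
}
```

The DER form is variable length (96 raw bytes become 102 here), so a verifier that expects the SEQUENCE rejects the raw concatenation before any curve arithmetic takes place.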