Open jhfigueiredo opened 1 year ago
Can you reference how one performs the signature for ECDH CSRs? Is it supposed to just be omitted? That part was never clear to me. An RFC reference would be great if one exists.
Hi, the signature is performed in the same manner as ECDSA. The issue here is that the same OID is used for both, and in the function choose_extensions in X509_CA::sign_request it only creates an ECDSA public key, which then conflicts with the function verify_cert_constraints_valid_for_key_type because this key is not for key agreement. The way the code is structured, there is no direct way to create an ECDH public key based on the same OID, because I also need this for ECDSA. For now, I commented out verify_cert_constraints_valid_for_key_type for it to work.
Hello, I tried generating an X.509 certificate from a CSR containing the OID value 1.2.840.10045.2.1 for key agreement. The problem is that with this OID it only generates an ECDSA public key, and not an ECDH public key, and when validating using verify_cert_constraints_valid_for_key_type it doesn't match the key constraints. For this OID, both ECDSA and ECDH should be possible.
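The point raised in the two comments above is that the SubjectPublicKeyInfo algorithm OID 1.2.840.10045.2.1 (id-ecPublicKey) names the key type, not its use, so a key-type check that derives the permitted KeyUsage bits from that OID has to admit keyAgreement as well as digitalSignature. The following is an added example, not code from this thread or from the library it discusses: it decodes the algorithm OID out of a DER SubjectPublicKeyInfo, decodes a DER KeyUsage BIT STRING, and checks the requested usages against a per-key-type table. The table `ALLOWED_USAGES`, the helper names, and the SPKI sample (a placeholder point, not a real public key) are all constructed for this example.

```python
"""Added example: map a SubjectPublicKeyInfo algorithm OID to the KeyUsage bits a
CSR may legitimately request. Constructed for this thread; not library code."""

# Well-known OIDs (RFC 5480 / RFC 3279)
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey: one OID for both ECDSA and ECDH keys
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption

# RFC 5280 KeyUsage bit positions, bit 0 first
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Assumption: this policy table is the example's own. An EC key may sign (ECDSA) or
# agree (ECDH); it cannot encipher. An RSA key may sign or encipher; it cannot agree.
ALLOWED_USAGES = {
    ID_EC_PUBLIC_KEY: {"digitalSignature", "nonRepudiation", "keyAgreement",
                       "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"},
    RSA_ENCRYPTION: {"digitalSignature", "nonRepudiation", "keyEncipherment",
                     "dataEncipherment", "keyCertSign", "cRLSign"},
}


def _read_tlv(der, expected_tag):
    """Return the body of the first DER TLV in `der`, checking its tag and length."""
    if len(der) < 2 or der[0] != expected_tag:
        raise ValueError("unexpected tag or truncated element")
    length = der[1]
    offset = 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    body = der[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated element")
    return body


def _tlv(tag, body):
    """Build a short-form DER TLV (enough for the sample data below)."""
    if len(body) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER into dotted-decimal form."""
    body = _read_tlv(der, 0x06)
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:                      # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING into the set of named usages."""
    body = _read_tlv(der, 0x03)
    unused = body[0]                        # first byte: number of unused trailing bits
    data = body[1:]
    bits = int.from_bytes(data, "big")
    total = 8 * len(data)
    return {KEY_USAGE_BITS[i] for i in range(total - unused)
            if (bits >> (total - 1 - i)) & 1}


def spki_key_type(spki_der):
    """Return the algorithm OID from SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    outer = _read_tlv(spki_der, 0x30)
    algorithm_identifier = _read_tlv(outer, 0x30)
    return decode_oid(algorithm_identifier)  # first element of AlgorithmIdentifier


def constraints_valid_for_key_type(key_type_oid, usages):
    """True iff every requested usage is permitted for this key type; unknown types fail closed."""
    allowed = ALLOWED_USAGES.get(key_type_oid)
    return allowed is not None and usages <= allowed


def check_csr_usage(spki_der, key_usage_der):
    """Combine the two decoders: would this SPKI be allowed to carry this KeyUsage?"""
    return constraints_valid_for_key_type(spki_key_type(spki_der), decode_key_usage(key_usage_der))


# Constructed sample data. The EC point is 64 zero bytes behind the 0x04 prefix:
# structurally valid DER, but not a real public key.
OID_EC_DER = bytes.fromhex("06072a8648ce3d0201")      # id-ecPublicKey
OID_P256_DER = bytes.fromhex("06082a8648ce3d030107")  # namedCurve prime256v1
EC_SPKI = _tlv(0x30, _tlv(0x30, OID_EC_DER + OID_P256_DER)
               + _tlv(0x03, b"\x00\x04" + bytes(64)))
KU_DIGITAL_SIGNATURE = bytes.fromhex("03020780")  # bit 0 set, 7 unused bits
KU_KEY_AGREEMENT = bytes.fromhex("03020308")      # bit 4 set, 3 unused bits
KU_KEY_ENCIPHERMENT = bytes.fromhex("03020520")   # bit 2 set, 5 unused bits

if __name__ == "__main__":
    print("key type:", spki_key_type(EC_SPKI))
    for name, ku in [("digitalSignature", KU_DIGITAL_SIGNATURE),
                     ("keyAgreement", KU_KEY_AGREEMENT),
                     ("keyEncipherment", KU_KEY_ENCIPHERMENT)]:
        print(f"{name:>17}: {'ok' if check_csr_usage(EC_SPKI, ku) else 'rejected'}")
```

The check is keyed on the SPKI OID alone, so an EC key passes with either digitalSignature or keyAgreement in its CSR and is rejected only for a usage the curve cannot provide (keyEncipherment); an RSA key is the mirror case. The signature over the CSR itself is unaffected by this decision: as the first reply states, it is ECDSA in both cases.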