Hi, I am verifying ICAO CSCA certificates as shown in tests; however, because of the way ICAO Doc 9303-12 defines the EC public keys:
"Those issuing States or organizations implementing ECDSA for signature generation or verification SHALL use [X9.62]
or [ISO/IEC 15946]. The elliptic curve domain parameters used to generate the ECDSA key pair MUST be described
explicitly in the parameters of the public key, i.e. parameters MUST be of type ECParameters (no named curves, no
implicit parameters) and MUST include the optional co-factor. ECPoints MUST be in uncompressed format."
I must support the explicit parameters in the public keys. Currently, when I try to verify a certificate, I get the "Certificate public key has explicit ECC parameters" error. In OpenSSL issue number 20117 (https://github.com/openssl/openssl/issues/20117#issuecomment-1400783170), a solution to use X509_STORE_CTX_set_verify_cb was recommended. Indeed, if I could set this callback, I could search for this error and continue parsing. The relevant lines in OpenSSL are x509_vfy.c#172 and x509_vfy.c#570, where the check itself happens. Is there a possibility of exposing this function?
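A structural check for the three requirements in the quoted ICAO text (explicit ECParameters, co-factor present, uncompressed point), as an added example that is not part of the original post or of OpenSSL. The function names and sample keys are constructed for illustration, and the sample field, curve, base, order and point values are placeholders rather than a real curve.

```python
# Added example (constructed names and samples): ICAO 9303-12 EC SPKI structure check.
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_icao_ec_spki(spki_der):
    """Report parameter form, co-factor presence and point format."""
    tag, body, _ = read_tlv(spki_der, 0)
    (alg_tag, alg), (key_tag, key) = children(body)  # ValueError unless 2 items
    fields = children(alg)
    if (tag, alg_tag, len(fields)) != (0x30, 0x30, 2) or fields[0] != (0x06, EC_PUBLIC_KEY_OID):
        raise ValueError("not an EC SubjectPublicKeyInfo")
    ptag, params = fields[1]
    form = {0x06: "named", 0x05: "implicit", 0x30: "explicit"}.get(ptag, "unknown")
    kids = children(params) if form == "explicit" else []
    # ECParameters: version, fieldID, curve, base, order, then optional INTEGER co-factor.
    cofactor = len(kids) >= 6 and kids[5][0] == 0x02
    # BIT STRING: one unused-bits octet, then 0x04 marks an uncompressed point.
    uncompressed = key_tag == 0x03 and key[:2] == b"\x00\x04"
    return {"form": form, "cofactor": cofactor, "uncompressed": uncompressed,
            "icao_ok": form == "explicit" and cofactor and uncompressed}

def tlv(tag, value):  # DER-encode one element up to 255 bytes (sample builder only)
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value
def sample_spki(params):  # constructed SPKI with an all-zero placeholder point
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY_OID) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(64)))
# Placeholder ECParameters fields: version, fieldID, curve, base, order.
FIVE = tlv(2, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(4, bytes(65)) + tlv(2, b"\x01")
EXPLICIT = sample_spki(tlv(0x30, FIVE + tlv(2, b"\x01")))   # with co-factor
NO_COFACTOR = sample_spki(tlv(0x30, FIVE))
NAMED = sample_spki(tlv(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
```

This inspects encoding only; it does not establish that explicit parameters describe a curve the verifier trusts.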