#14 ECC keys/certs not working

v1.0 (example)
closed-fixed
nobody
None
5
2015-07-27
2015-03-18
No

Using ECC keys/certs instead produces strange misleading errors:

2675996:error:3306D073:CRMF routines:CRMF_poposigningkey_new:unsupported alg for popsigningkey:crmf_lib.c:601:
2675996:error:3306D06D:CRMF routines:CRMF_poposigningkey_new:error setting popsigningkey:crmf_lib.c:623:
2675996:error:3306B067:CRMF routines:CRMF_CERTREQMSG_calc_and_set_popo:error calculating and setting popo:crmf_lib.c:695:
2675996:error:3206808E:CMP routines:CMP_CERTREPMESSAGE_get_certificate:request rejected by ca:cmp_lib.c:1393:PKIFailureInfo: badPOP, statusString: "CRMF template verification failed: PoP verification failed: invalid PoP (type: ir from: 192.35.17.16 transaction: a2a8761c36c80aa50004c0773ca03589): "
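
An added example, not part of the ticket or the project's code: a small Python parser for the error-queue lines quoted in the report. It decodes each packed error code into library, function and reason numbers and extracts the PKIFailureInfo the CA returned. The names `QueuedError`, `parse_line` and `triage` are hypothetical, and the bit layout assumes the pre-3.0 OpenSSL `ERR_PACK` encoding (8-bit library, 12-bit function, 12-bit reason).

```python
import re
from typing import NamedTuple, Optional

# Error-queue lines copied from the report above.
SAMPLE = [
    "2675996:error:3306D073:CRMF routines:CRMF_poposigningkey_new:unsupported alg for popsigningkey:crmf_lib.c:601:",
    "2675996:error:3306D06D:CRMF routines:CRMF_poposigningkey_new:error setting popsigningkey:crmf_lib.c:623:",
    "2675996:error:3306B067:CRMF routines:CRMF_CERTREQMSG_calc_and_set_popo:error calculating and setting popo:crmf_lib.c:695:",
    '2675996:error:3206808E:CMP routines:CMP_CERTREPMESSAGE_get_certificate:request rejected by ca:cmp_lib.c:1393:PKIFailureInfo: badPOP, statusString: "CRMF template verification failed: PoP verification failed: invalid PoP (type: ir from: 192.35.17.16 transaction: a2a8761c36c80aa50004c0773ca03589): "',
]

class QueuedError(NamedTuple):
    lib: int          # bits 24-31 of the packed code
    func: int         # bits 12-23
    reason: int       # bits 0-11
    lib_name: str
    func_name: str
    reason_text: str
    location: str     # source file and line that raised the error
    data: str         # optional free text; may contain colons itself

def parse_line(line: str) -> Optional[QueuedError]:
    """Parse one 'pid:error:HEX:lib:func:reason:file:line:data' line."""
    # Split at most 8 times so colons inside the trailing data survive.
    parts = line.strip().split(":", 8)
    if len(parts) != 9 or parts[1] != "error":
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", parts[2]):
        return None
    code = int(parts[2], 16)
    return QueuedError((code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF,
                       parts[3], parts[4], parts[5],
                       f"{parts[6]}:{parts[7]}", parts[8].strip())

def triage(lines):
    """Return the earliest queued error, reasons per library, and CA failure info."""
    errors = [e for e in map(parse_line, lines) if e is not None]
    by_lib = {}
    for e in errors:
        by_lib.setdefault(e.lib_name, []).append(e.reason_text)
    failure = None
    for e in errors:
        m = re.search(r"PKIFailureInfo:\s*(\w+)", e.data)
        if m:
            failure = m.group(1)
    # ERR_print_errors emits the queue oldest-first, so errors[0] is the earliest error.
    return {"first": errors[0] if errors else None, "by_lib": by_lib, "failure_info": failure}
```

Run over the four lines above, `triage(SAMPLE)` reports the earliest queued error at `crmf_lib.c:601` and the CA's failure info as `badPOP`.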

Discussion

  • David von Oheimb

    Here is a simple patch that eliminates the above error when issuing, e.g., an "ir" command using an EC key, and as a result enables ECC for enrollment (and revocation).

    BTW, the hash algorithm for the self signature used for PoP is hard-coded.
    For RSA and DSA, currently SHA-128 is used, but for EC I decided to use SHA-256.

     
  • David von Oheimb

    It turned out that the patch I gave before is incomplete.
    Here is an extended one.

     
  • David von Oheimb

    After exchange with Steve Hensen: http://rt.openssl.org/Ticket/Display.html?id=3922
    it turned out that you have been abusing the EVP_get_digestbynid() function.
    I've replaced it by OBJ_find_sigid_algs(), which also leads to a clean patch.

     
  • mviljane - 2015-07-27

    Patch is merged now, thanks for the contribution!

     
  • mviljane - 2015-07-27

    • status: open --> closed-fixed
     
