Key mismatch with OpenSSL and 2 prime256v1 keys in token #784
Comments
Sounds like a problem with the pkcs11 URI (RFC 7512) and the first entry is found. I recall a problem (that I can not find) where only the first character was used on one of the entries in the URI in one of the packages you may be using. Some things to try:
|
Tests:
No change: a.csr is correct, b.csr is wrong
It does work.
I don't see the point.
I'll try that later. I don't understand why there is an issue with ECDSA, and not with RSA... |
Also check if the CSRs have the matching ECpoints output from pkcs11-tool. If they are the same that could be a problem and use the first created pubkey would point at parsing the URI in the engine.
|
I do not know how to read ASN1.
|
In
is the
is the X509 format of the public key, where the ECpoint is listed as 04|x|y, i.e. uncompressed with the X and Y of the point
In
is
which is the SAME AS IN a.csr. So most likely the engine is always selecting the first key i.e. ignores the Or try the latest version libp11-0.4.13 See https://github.com/OpenSC/libp11/wiki This site can be helpful if you have the DER version of something |
I did not finish the line. The site is https://lapo.it/asn1js/ And search for "Layman's guide to ASN.1" which covers the basics. |
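The comparison suggested above (the EC point inside each CSR against the EC_POINT that pkcs11-tool prints for each key) can be scripted. This is an added example, not code from the thread or from libp11/OpenSC; the helper names, the sample points and the CSR skeletons are constructed for illustration, and a real CSR is assumed to be in DER form.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0                       # (tag, value) pairs of a constructed element
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_ec_point(csr_der):
    """Uncompressed point 04|X|Y from the subjectPublicKeyInfo of a DER CSR."""
    info = children(read_tlv(csr_der)[1])[0][1]   # CertificationRequestInfo
    spki = children(info)[2][1]                   # after version and subject
    tag, bits = children(spki)[1]                 # after the AlgorithmIdentifier
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]

def token_ec_point(ec_point_hex):
    """Unwrap the DER OCTET STRING that pkcs11-tool prints as EC_POINT."""
    tag, point, _ = read_tlv(bytes.fromhex(ec_point_hex))
    if tag != 0x04:
        raise ValueError("EC_POINT is not an OCTET STRING")
    return point

def matching_key(csr_der, token_points):
    """Label of the token key whose point is in the CSR, or None."""
    point = csr_ec_point(csr_der)
    return next((k for k, h in token_points.items() if token_ec_point(h) == point), None)

# --- constructed sample data (not real keys, not output from the issue) ---
def der(tag, *parts):
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def fake_csr(point):
    alg = der(0x30, bytes.fromhex("06072a8648ce3d0201"), bytes.fromhex("06082a8648ce3d030107"))
    spki = der(0x30, alg, der(0x03, b"\x00", point))
    info = der(0x30, der(0x02, b"\x00"), der(0x30), spki, der(0xA0))
    return der(0x30, info, der(0x30), der(0x03, b"\x00", bytes(70)))  # dummy signature

POINT_1, POINT_2 = b"\x04" + b"\xa1" * 64, b"\x04" + b"\xb2" * 64
TOKEN = {"key1": der(0x04, POINT_1).hex(), "key2": der(0x04, POINT_2).hex()}
```

If `matching_key` returns `key1` for the CSR that was requested with the second key's URI, the request was built from the first key's public point.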
Newer versions of OpenSC's
Note the |
I've just upgraded opensc from 0.23 (in Debian stable) to 0.26 (in Debian testing), and the uri will be very useful! |
Opened here: OpenSC/OpenSC#3331 |
On Debian testing, with:
The first CSR is ok.
The second CSR is wrong, with OpenSSL error:
If key2 is created before key1, 2.csr is ok and 1.csr is wrong.
There is no issue with RSA:2048 keys.