wolfSSL - Embedded SSL Library → Posts by ePaul
Hi Eric,
Thanks for the update, for the moment I can't test'it due to other tasks I must finish, but I will come back with feedback soon as possible.
Thanks,
Paul
Hi ePaul,
The code changes to use multi-attrib for serial number are not valid. In fact the serial number field is different altogether and is not encoded into a CSR.
If you'd like to have a unique identifier in the certificate, typically that goes into one of the subject fields such as common name. The only valid multi-attrib fields are: ASN_ORGUNIT_NAME and ASN_DOMAIN_COMPONENT.
Example here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L8564
If you are going to use the multi-attrib fields then make sure the csr.c `CertName myCertName` is not const (I see you made it static above, which is fine).
Thanks,
David Garske, wolfSSL
Hi David,
In the first paragraph you are saying that the code changes are not valid, but in the last one you said it is fine that I made it static, so is the code correct?
As you can check in the link in my first post:
https://www.alvestrand.no/objectid/2.5.4.5.html
2.5.4.5 - id-at-serialNumber
Submitted by j.onions at nexor.co.uk from host trident.nexor.co.uk (128.243.9.9) on Mon Jan 13 11:46:05 MET 1997 using a WWW entry form.
OID value: 2.5.4.5
OID description:
The Serial Number attribute type specifies an identifier, the serial number of a device. An attribute value for Serial Number is a printable string.
serialNumber ATTRIBUTE ::= {
    WITH SYNTAX PrintableString (SIZE (1..ub-serialNumber))
    EQUALITY MATCHING RULE caseIgnoreMatch
    SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
    ID id-at-serialNumber
}
Thanks a lot,
Paul
Hi,
Using this code with a debug print:
/* csr.c
 *
 * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfTPM.
 *
 * wolfTPM is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfTPM is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */

#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
    defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)

#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>

static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";

/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/

static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
    const char* outputPemFile)
{
    int rc;
    Cert req;
    // const CertName myCertName = {
    static CertName myCertName = {
        .country = "US", .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon", .stateEnc = CTC_UTF8, /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8, /* locality */
        .sur = "1801908070", .surEnc = CTC_UTF8, /* sur */
        .org = "wolfSSL", .orgEnc = CTC_UTF8, /* org */
        .unit = "Development", .unitEnc = CTC_UTF8, /* unit */
        .commonName = "www.wolfssl.com", /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com" /* email */
    };
    /* serialNumber Attribute */
    NameAttrib* n;
    n = &myCertName.name[0];
    n->id = ASN_SERIAL_NUMBER;
    n->type = CTC_PRINTABLE;
    n->sz = strlen("1801908070");
    XMEMCPY(n->value, "1801908070", strlen("1801908070"));
    /* serialNumber Attribute */
    /* serialNumber Attribute print for debug */
    printf("\n\r\n\r id: 0x%02X ", myCertName.name[0].id);
    printf("type: 0x%02X ", myCertName.name[0].type);
    printf("sz: %02d ", myCertName.name[0].sz);
    printf("strlen: %02d ", (int)strlen("1801908070")); /* cast: %d takes int, not size_t */
    printf("value: %s \n\r\n\r", (char*)&myCertName.name[0].value);
    /* serialNumber Attribute print for debug */
    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));

    /* make sure each common name is unique */
    if (key_type == RSA_TYPE) {
        req.sigType = CTC_SHA256wRSA;
        XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
    }
    else if (key_type == ECC_TYPE) {
        req.sigType = CTC_SHA256wECDSA;
        XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
    }

#ifdef WOLFSSL_CERT_EXT
    /* add SKID from the Public Key */
    rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
    if (rc != 0) goto exit;

    /* add Extended Key Usage */
    rc = wc_SetExtKeyUsage(&req, myKeyUsage);
    if (rc != 0) goto exit;
#endif

    rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
        wolfKey);
    if (rc <= 0) goto exit;
    der.size = rc;

    rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
        key_type, wolfKey, wolfTPM2_GetRng(dev));
    if (rc <= 0) goto exit;
    der.size = rc;

#ifdef WOLFSSL_DER_TO_PEM
    /* Convert to PEM */
    XMEMSET(output.buffer, 0, sizeof(output.buffer));
    rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
        CERTREQ_TYPE);
    if (rc <= 0) goto exit;
    output.size = rc;

    printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
    printf("%s\n", (char*)output.buffer);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
    {
        FILE* pemFile = fopen(outputPemFile, "wb");
        if (pemFile) {
            rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
            fclose(pemFile);
            if (rc != output.size) {
                rc = -1; goto exit;
            }
        }
    }
#endif
#endif /* WOLFSSL_DER_TO_PEM */

    (void)outputPemFile;
    rc = 0; /* success */

exit:
    return rc;
}

int TPM2_CSR_Example(void* userCtx)
{
    int rc;
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
    WOLFTPM2_KEY rsaKey;
    RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
    WOLFTPM2_KEY eccKey;
    ecc_key wolfEccKey;
#endif
    TPMT_PUBLIC publicTemplate;
    TpmCryptoDevCtx tpmCtx;
    int tpmDevId;

    printf("TPM2 CSR Example\n");

    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;

    /* Setup the wolf crypto device callback */
#ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
#endif
    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
    if (rc != 0) goto exit;

    /* See if primary storage key already exists */
    rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
        TPM2_DEMO_STORAGE_KEY_HANDLE);
    if (rc != 0) {
        /* Create primary storage key */
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
            &publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
            TPM2_DEMO_STORAGE_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for storage key */
        storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
            storageKey.handle.auth.size);
    }

#ifndef NO_RSA
    /* Create/Load RSA key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
            TPM2_DEMO_RSA_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for RSA key */
        rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
    }

    /* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
    rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf RSA Key */
    rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
    if (rc != 0) goto exit;
#endif /* !NO_RSA */

#ifdef HAVE_ECC
    /* Create/Load ECC key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
            TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
            TPM2_DEMO_ECC_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for ECC key */
        eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
    }

    /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
    rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf ECC Key */
    rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
    if (rc != 0) goto exit;
#endif /* HAVE_ECC */

exit:

    if (rc != 0) {
        printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
    }

#ifndef NO_RSA
    wc_FreeRsaKey(&wolfRsaKey);
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
    wc_ecc_free(&wolfEccKey);
    wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif

    wolfTPM2_Cleanup(&dev);

    return rc;
}

/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/

#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */

#ifndef NO_MAIN_DRIVER
int main(void)
{
    int rc = -1;

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
    defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
    rc = TPM2_CSR_Example(NULL);
#else
    printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
    printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif

    return rc;
}
#endif /* !NO_MAIN_DRIVER */
outputs this:
root@raspberrypi:/home/pi/wolfTPM# make
make -j5 all-am
make[1]: Entering directory '/home/pi/wolfTPM'
CC examples/csr/csr.o
CCLD examples/csr/csr
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
id: 0x05 type: 0x13 sz: 10 strlen: 10 value: 1801908070
Generated/Signed Cert (DER 887, PEM 1273)
-----BEGIN CERTIFICATE REQUEST-----
MIIDczCCAlsCAQIwgbYxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMRMwEQYDVQQEDAoxODAxOTA4MDcwMRAwDgYDVQQKDAd3
b2xmU1NMMQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbQAAAAAAAAAAAAAAAAAAAAAA
AAAAADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJr2V/jfWyV4R6H9
5LN2SBavdQMW7cAP+ti7MuSIlEwDvU77otn1utzAbMKSaL53PiHasxyiEiD22MCD
o7IR1aeUvmd+7WXPvTYrmT/lVFlcD0RG0I3QkCD18tOXI6qhr6fYPbqUG3+J/q0q
zb0+N5aYIIVrXeWEzp45WK1BNRz7jbz2lTNmxo7KOxVnw23vZWmtFJbRJdjULaxF
/UBYdgzfLexoHYRi+NrTf5B4LYQLmVehoMw8Ktf7IY98ZWk62UumbJFbLatPT2RH
9KywvX9jk3s4pnSPlI52Cj4iWZ6dtgT06ZRqLy0UgipYB9ylu8g6/mVk+QitTpRo
K0sKG6cCAwEAAaB3MHUGCSqGSIb3DQEJDjFoMGYwHQYDVR0OBBYEFKp04Zy81iQg
2Y64oNzcbDMoeyd1MEUGA1UdJQQ+MDwGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYB
BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEL
BQADggEBAJnyN3/9ubr0CBquIuVlXQacAW6ERnGMWWFOFfYgyFb5BwEGyWLsvMt4
k9OLkX7CqVz3xFfzOdtmqnslt3Ho80CrVhe5xTbS06mK3o3RBBoKkADPT+4QC8wn
XtVeKCHmtd3fOb5R+W4wxMHlCnR6wGQOL7y6ZgPQtvyruVvBr9lrghlZNPM4E7cH
UrhKkrPUFDUlQ+N3eAep6esAeu7AwLWjhBUVCiWJdvMOCE28Jo08sd2NY/xGwi3E
ijx82durYKSTimqPEI3c19SaMh7NLTLSy5WIBAd+ahea9ouJq3G4rqTipoNEe0b4
GySU/IVx+CET+YjBL4AygiqMiFee79g=
-----END CERTIFICATE REQUEST-----
id: 0x05 type: 0x13 sz: 10 strlen: 10 value: 1801908070
Generated/Signed Cert (DER 495, PEM 741)
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
So id, type, sz and value look OK, as I set them, but the CSR is still invalid.
Thanks,
Paul
Hi,
Using
...
    /* serialNumber Attribute */
    NameAttrib* n;
    n = &myCertName.name[0];
    n->id = ASN_SERIAL_NUMBER;
    n->type = CTC_PRINTABLE;
    n->sz = strlen("1801908070");
    XMEMCPY(n->value, "1801908070", strlen("1801908070"));
    /* serialNumber Attribute */
    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));
...
where I changed "sizeof" to "strlen" still produces an invalid CSR.
As you can check on https://github.com/wolfSSL/wolfTPM/blob … /csr.c#L67, "sizeof" is used with "XMEMCPY" in the example in other places.
Result:
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Generated/Signed Cert (DER 494, PEM 741)
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Verification result: see pos 157 "Error: Inconsistent object length, 1 byte difference."
Decoding Problem
Sorry, we were unable to fully decode the data provided
ASN.1 Information
0 883: SEQUENCE {
4 603: SEQUENCE {
8 1: INTEGER 2
11 182: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 15: SET {
29 13: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 6: UTF8String 'Oregon'
: }
: }
44 17: SET {
46 15: SEQUENCE {
48 3: OBJECT IDENTIFIER localityName (2 5 4 7)
53 8: UTF8String 'Portland'
: }
: }
63 19: SET {
65 17: SEQUENCE {
67 3: OBJECT IDENTIFIER surname (2 5 4 4)
72 10: UTF8String '1801908070'
: }
: }
84 16: SET {
86 14: SEQUENCE {
88 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
93 7: UTF8String 'wolfSSL'
: }
: }
102 12: SET {
104 10: SEQUENCE {
106 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
111 3: UTF8String 'RSA'
: }
: }
116 24: SET {
118 22: SEQUENCE {
120 3: OBJECT IDENTIFIER commonName (2 5 4 3)
125 15: UTF8String 'www.wolfssl.com'
: }
: }
142 31: SET {
144 29: SEQUENCE {
146 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
157 16: IA5String 'info@wolfssl.com'
: }
: }
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
: }
196 290: SEQUENCE {
200 13: SEQUENCE {
202 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
213 0: NULL
: }
215 271: BIT STRING
: 30 82 01 0A 02 82 01 01 00 9A F6 57 F8 DF 5B 25
: 78 47 A1 FD E4 B3 76 48 16 AF 75 03 16 ED C0 0F
: FA D8 BB 32 E4 88 94 4C 03 BD 4E FB A2 D9 F5 BA
: DC C0 6C C2 92 68 BE 77 3E 21 DA B3 1C A2 12 20
: F6 D8 C0 83 A3 B2 11 D5 A7 94 BE 67 7E ED 65 CF
: BD 36 2B 99 3F E5 54 59 5C 0F 44 46 D0 8D D0 90
: 20 F5 F2 D3 97 23 AA A1 AF A7 D8 3D BA 94 1B 7F
: 89 FE AD 2A CD BD 3E 37 96 98 20 85 6B 5D E5 84
: [ Another 142 bytes skipped ]
: }
490 119: [0] {
492 117: SEQUENCE {
494 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
505 104: SET {
507 102: SEQUENCE {
509 29: SEQUENCE {
511 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
516 22: OCTET STRING
: 04 14 AA 74 E1 9C BC D6 24 20 D9 8E B8 A0 DC DC
: 6C 33 28 7B 27 75
: }
540 69: SEQUENCE {
542 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
547 62: OCTET STRING
: 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
: 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
: 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
: 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
: }
: }
: }
: }
: }
: }
611 13: SEQUENCE {
613 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
624 0: NULL
: }
626 257: BIT STRING
: 99 F2 37 7F FD B9 BA F4 08 1A AE 22 E5 65 5D 06
: 9C 01 6E 84 46 71 8C 59 61 4E 15 F6 20 C8 56 F9
: 07 01 06 C9 62 EC BC CB 78 93 D3 8B 91 7E C2 A9
: 5C F7 C4 57 F3 39 DB 66 AA 7B 25 B7 71 E8 F3 40
: AB 56 17 B9 C5 36 D2 D3 A9 8A DE 8D D1 04 1A 0A
: 90 00 CF 4F EE 10 0B CC 27 5E D5 5E 28 21 E6 B5
: DD DF 39 BE 51 F9 6E 30 C4 C1 E5 0A 74 7A C0 64
: 0E 2F BC BA 66 03 D0 B6 FC AB B9 5B C1 AF D9 6B
: [ Another 128 bytes skipped ]
: }
David is correct that CSRs do not have a Serial Number, as they are added by the CA; there is a "serialnumber" name attribute for your use.
Correct, but the CA requested it and OpenSSL can do it: they will issue the certificate using their own serial number, but they need the machine serial number in the CSR.
I didn't find any "serialnumber" in "asn.h"; can you detail what it is about?
Thanks a lot,
Paul
Hi,
What is the maximum file size that can be signed using wolfSSL, wolfTPM and a key in a TPM 2.0 device (SLB96670)?
From what I found, the example in "wolfTPM/examples/pkcs/pkcs.c" is using "WOLFTPM2_BUFFER" for output (https://github.com/wolfSSL/wolfTPM/blob … kcs7.c#L57), which is a maximum of 2048 as per https://github.com/wolfSSL/wolfTPM/blob … wrap.h#L52:
#ifndef WOLFTPM2_MAX_BUFFER
    #define WOLFTPM2_MAX_BUFFER 2048
#endif
typedef struct WOLFTPM2_BUFFER {
    int size;
    byte buffer[WOLFTPM2_MAX_BUFFER];
} WOLFTPM2_BUFFER;
Thanks a lot,
Paul
Hi David,
Please do. Running this code:
    Cert req;
    // const CertName myCertName = {
    static CertName myCertName = {
        .country = "US", .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon", .stateEnc = CTC_UTF8, /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8, /* locality */
        .sur = "1801908070", .surEnc = CTC_UTF8, /* sur */
        .org = "wolfSSL", .orgEnc = CTC_UTF8, /* org */
        .unit = "Development", .unitEnc = CTC_UTF8, /* unit */
        .commonName = "www.wolfssl.com", /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com" /* email */
    };
    /* serialNumber Attribute */
    NameAttrib* n;
    n = &myCertName.name[0];
    n->id = ASN_DOMAIN_COMPONENT; //ASN_SERIAL_NUMBER;
    n->type = CTC_UTF8; //CTC_PRINTABLE;
    n->sz = sizeof("1801908070");
    XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
    /* serialNumber Attribute */
    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
produces a valid CSR:
root@raspberrypi:/home/pi/wolfTPM# make
make -j5 all-am
make[1]: Entering directory '/home/pi/wolfTPM'
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 894, PEM 1281)
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Generated/Signed Cert (DER 501, PEM 749)
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
CSR Summary
CSR Checks
Check Result
Debian Weak Key PASSED - Does not use a key on our blacklist - this is good
Key Size PASSED (2048 bits)
Signature PASSED - CSR has a valid signature
MD5 PASSED - Not using the MD5 algorithm
CSR Subject
emailAddress info@wolfssl.com
Common Name (CN) www.wolfssl.com
Organizational Unit (OU) RSA
Domain Component (DC) 1801908070
Organization (O) wolfSSL
SN 1801908070
Locality (L) Portland
State (ST) Oregon
Country (C) US
CSR Properties
Subject C=US, ST=Oregon, L=Portland, SN=1801908070, O=wolfSSL, DC=1801908070, OU=RSA, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Key Size 2048 bits
Key Algorithm RSA
Sig. Algorithm sha256WithRSAEncryption
SHA256 Fingerprint 66:2E:44:8B:89:C4:3D:D2:23:C6:38:D0:02:2F:DC:4B:11:14:AF:F5:C1:6B:AC:C5:8D:FD:61:12:01:CB:C7:F0
SHA1 Fingerprint 80:3C:02:79:95:DB:07:83:F2:63:54:67:E2:FF:66:A0:64:EE:5D:06
MD5 Fingeprint 22:01:B3:E5:C9:F6:B6:C5:40:15:F6:D2:BC:AB:33:2E
SANs
CSR Detailed Information
Certificate Request:
Data:
Version: 2 (0x2)
Subject: C=US, ST=Oregon, L=Portland, SN=1801908070, O=wolfSSL, DC=1801908070, OU=RSA, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:61:33:de:95:0d:d6:f5:d7:35:31:dd:19:be:
1f:3b:b1:39:15:ef:08:4a:27:b6:4c:1d:75:88:79:
f5:3e:3f:51:6d:39:ea:25:dd:d4:f7:b1:d1:d0:10:
0e:78:9f:b6:f5:fd:a7:40:72:94:24:01:1d:10:fb:
74:cd:76:07:2b:ec:a1:f3:bc:c9:c7:7e:ab:2d:fe:
87:01:1e:f6:41:c7:91:52:08:36:80:f0:b8:7d:20:
7d:75:f1:5e:58:6a:20:47:b8:b5:cf:eb:63:92:db:
b0:cc:bc:05:e4:b0:72:ce:c3:9a:86:77:8c:b7:f6:
c4:ed:f2:f8:1e:26:b6:1c:52:4d:2f:ee:96:85:44:
c5:90:bf:5a:78:05:cc:6a:a6:5f:8a:d0:82:ba:09:
61:5c:5d:bb:8c:60:ce:81:a8:3a:bf:27:e8:32:bf:
3a:18:e1:76:bf:ca:ad:53:a8:d3:48:20:33:bc:73:
90:75:fa:d0:42:c5:7c:80:56:1e:4d:d4:59:dc:47:
08:b6:1a:d7:db:7d:3a:8d:14:f9:a1:e5:a0:88:33:
e0:ec:56:5e:71:c7:d5:95:4b:68:88:77:30:28:b8:
f0:5f:0b:74:83:4d:6c:4e:97:c8:3b:fc:34:f0:0f:
a9:db:d1:dc:39:78:94:0d:8a:67:bf:4b:ff:07:6e:
74:15
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
A9:F7:11:5B:2B:85:74:6F:19:69:13:5C:1C:89:64:3B:38:A9:A2:2B
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
Signature Algorithm: sha256WithRSAEncryption
2f:9a:05:b0:dc:20:c8:7b:0d:dd:ad:6d:dd:4b:04:6b:8a:ad:
bf:84:4c:ab:78:28:d0:cf:d7:0c:61:ef:74:14:dc:dc:a2:19:
35:78:8c:93:59:52:fc:bb:63:f4:58:0d:a9:c9:e6:cd:00:05:
27:bb:fa:e5:85:32:43:72:be:d9:60:c7:af:3f:5c:e9:d2:68:
f8:6b:2f:2d:5b:53:d7:a6:21:f5:de:c9:d6:f3:28:62:05:a8:
04:71:44:dd:8b:e1:a6:3c:ab:62:91:57:a4:44:be:7b:fd:30:
9d:14:ec:ed:66:ea:25:45:ee:5c:65:00:7f:99:fa:74:20:a4:
ec:51:63:bc:39:b3:7f:9d:09:42:85:93:0b:d2:6f:d9:6f:91:
58:c6:45:7d:f9:4b:9c:16:32:3d:f1:9b:1a:c3:cb:1f:89:10:
90:66:80:7d:5d:a5:49:35:44:4d:ce:05:98:05:5a:08:9a:72:
28:ef:14:ef:3f:1b:61:77:4b:0e:0f:fa:20:88:3c:2d:2e:2f:
8c:e2:db:9b:cf:53:7e:23:e0:c1:f4:b8:e3:8d:b4:b8:42:33:
d2:e3:36:6f:59:28:56:58:af:3d:99:26:69:1e:57:f3:fb:51:
cf:ca:d4:34:d6:c0:56:d1:68:55:d9:4f:d1:35:f7:58:be:a6:
ff:7a:bb:95
CSR ASN.1 Information
0 890: SEQUENCE {
4 610: SEQUENCE {
8 1: INTEGER 2
11 189: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 15: SET {
29 13: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 6: UTF8String 'Oregon'
: }
: }
44 17: SET {
46 15: SEQUENCE {
48 3: OBJECT IDENTIFIER localityName (2 5 4 7)
53 8: UTF8String 'Portland'
: }
: }
63 19: SET {
65 17: SEQUENCE {
67 3: OBJECT IDENTIFIER surname (2 5 4 4)
72 10: UTF8String '1801908070'
: }
: }
84 16: SET {
86 14: SEQUENCE {
88 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
93 7: UTF8String 'wolfSSL'
: }
: }
102 26: SET {
104 24: SEQUENCE {
106 10: OBJECT IDENTIFIER
: domainComponent (0 9 2342 19200300 100 1 25)
118 10: UTF8String '1801908070'
: }
: }
130 12: SET {
132 10: SEQUENCE {
134 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
139 3: UTF8String 'RSA'
: }
: }
144 24: SET {
146 22: SEQUENCE {
148 3: OBJECT IDENTIFIER commonName (2 5 4 3)
153 15: UTF8String 'www.wolfssl.com'
: }
: }
170 31: SET {
172 29: SEQUENCE {
174 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
185 16: IA5String 'info@wolfssl.com'
: }
: }
: }
203 290: SEQUENCE {
207 13: SEQUENCE {
209 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
220 0: NULL
: }
222 271: BIT STRING
: 30 82 01 0A 02 82 01 01 00 D6 61 33 DE 95 0D D6
: F5 D7 35 31 DD 19 BE 1F 3B B1 39 15 EF 08 4A 27
: B6 4C 1D 75 88 79 F5 3E 3F 51 6D 39 EA 25 DD D4
: F7 B1 D1 D0 10 0E 78 9F B6 F5 FD A7 40 72 94 24
: 01 1D 10 FB 74 CD 76 07 2B EC A1 F3 BC C9 C7 7E
: AB 2D FE 87 01 1E F6 41 C7 91 52 08 36 80 F0 B8
: 7D 20 7D 75 F1 5E 58 6A 20 47 B8 B5 CF EB 63 92
: DB B0 CC BC 05 E4 B0 72 CE C3 9A 86 77 8C B7 F6
: [ Another 142 bytes skipped ]
: }
497 119: [0] {
499 117: SEQUENCE {
501 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
512 104: SET {
514 102: SEQUENCE {
516 29: SEQUENCE {
518 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
523 22: OCTET STRING
: 04 14 A9 F7 11 5B 2B 85 74 6F 19 69 13 5C 1C 89
: 64 3B 38 A9 A2 2B
: }
547 69: SEQUENCE {
549 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
554 62: OCTET STRING
: 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
: 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
: 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
: 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
: }
: }
: }
: }
: }
: }
618 13: SEQUENCE {
620 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
631 0: NULL
: }
633 257: BIT STRING
: 2F 9A 05 B0 DC 20 C8 7B 0D DD AD 6D DD 4B 04 6B
: 8A AD BF 84 4C AB 78 28 D0 CF D7 0C 61 EF 74 14
: DC DC A2 19 35 78 8C 93 59 52 FC BB 63 F4 58 0D
: A9 C9 E6 CD 00 05 27 BB FA E5 85 32 43 72 BE D9
: 60 C7 AF 3F 5C E9 D2 68 F8 6B 2F 2D 5B 53 D7 A6
: 21 F5 DE C9 D6 F3 28 62 05 A8 04 71 44 DD 8B E1
: A6 3C AB 62 91 57 A4 44 BE 7B FD 30 9D 14 EC ED
: 66 EA 25 45 EE 5C 65 00 7F 99 FA 74 20 A4 EC 51
: [ Another 128 bytes skipped ]
: }
So trying to use "id = ASN_SERIAL_NUMBER" always makes an invalid CSR.
Thanks a lot for your support,
Paul
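One detail worth pulling out of the two ASN.1 dumps in this thread, stated here as an observation and not as something the thread itself says: in the rejected CSR the subject Name at offset 11 declares 182 bytes (a 3-byte header, so its content ends at 196), while its last RDN, emailAddress at offset 142 with length 31, ends at 175. The 21 bytes in between are the ten "Spurious EOC" pairs plus the "1 byte difference", and 21 is exactly the DER size of a serialNumber RDN carrying a 10-character PrintableString (SET 2 + SEQUENCE 2 + OID 5 + string 12). The example below is added here and is neither wolfSSL nor wolfTPM code. It hand-encodes a two-RDN Name that carries id-at-serialNumber (2.5.4.5) as the PrintableString the OID registry entry quoted above calls for, then runs a strict definite-length TLV checker over it that reports the two shapes of breakage seen in the thread: zero bytes counted inside a SEQUENCE but never written, and a value copied with sizeof() so that the string carries its NUL terminator. The serial value and the OID byte strings are constructed sample inputs, and the builder assumes every length fits in one byte.

```c
/* Added example, not wolfSSL/wolfTPM code: hand-encode an X.501 Name that
 * carries id-at-serialNumber (2.5.4.5) and check it with a strict DER walker. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DER_OK          0
#define DER_BAD_LENGTH -1  /* stray EOC/zero byte, child overruns parent, leftover */
#define DER_BAD_STRING -2  /* PrintableString holds a byte outside its alphabet */

static const uint8_t OID_COUNTRY[]      = {0x55, 0x04, 0x06}; /* 2.5.4.6 */
static const uint8_t OID_SERIALNUMBER[] = {0x55, 0x04, 0x05}; /* 2.5.4.5 */
static const char    SERIAL[] = "1801908070";   /* constructed sample serial */

/* DER size of one RDN SET{SEQUENCE{OID, PrintableString(vallen)}}: 21 for 10 chars */
static size_t serial_rdn_size(size_t vallen)
{
    return 2 + 2 + (2 + sizeof OID_SERIALNUMBER) + (2 + vallen);
}

/* Append SET { SEQUENCE { OID, string } } at out. Assumes every length < 128. */
static size_t put_attr(uint8_t *out, const uint8_t *oid, size_t oidlen,
                       uint8_t strtag, const void *val, size_t vallen)
{
    size_t seq = 2 + oidlen + 2 + vallen, i = 0;
    out[i++] = 0x31; out[i++] = (uint8_t)(seq + 2);   /* SET */
    out[i++] = 0x30; out[i++] = (uint8_t)seq;         /* SEQUENCE */
    out[i++] = 0x06; out[i++] = (uint8_t)oidlen;      /* OBJECT IDENTIFIER */
    memcpy(out + i, oid, oidlen); i += oidlen;
    out[i++] = strtag; out[i++] = (uint8_t)vallen;    /* 0x13 = PrintableString */
    memcpy(out + i, val, vallen); i += vallen;
    return i;
}

/* Name ::= SEQUENCE { C=US, serialNumber=SERIAL }.
 * serial_len: strlen(SERIAL) is right, sizeof(SERIAL) drags in the NUL.
 * pad: zero bytes counted in the outer length but never written, mimicking
 * space reserved for an attribute that was not encoded. */
static size_t build_name(uint8_t *out, size_t serial_len, size_t pad)
{
    size_t i = 2;                                      /* outer header slot */
    i += put_attr(out + i, OID_COUNTRY, sizeof OID_COUNTRY, 0x13, "US", 2);
    i += put_attr(out + i, OID_SERIALNUMBER, sizeof OID_SERIALNUMBER, 0x13,
                  SERIAL, serial_len);
    memset(out + i, 0, pad); i += pad;
    out[0] = 0x30; out[1] = (uint8_t)(i - 2);
    return i;
}

/* X.680 PrintableString alphabet: letters, digits and " '()+,-./:=?" */
static int printable_ok(const uint8_t *s, size_t n)
{
    static const char extra[] = " '()+,-./:=?";
    for (size_t k = 0; k < n; k++) {
        uint8_t c = s[k];
        int alnum = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9');
        if (c == 0 || (!alnum && strchr(extra, c) == NULL)) return 0;
    }
    return 1;
}

/* Walk buf[pos, end) as definite-length TLVs, recursing into SEQUENCE/SET.
 * Each child must end exactly where its parent says the parent ends. */
static int der_check(const uint8_t *buf, size_t pos, size_t end)
{
    while (pos < end) {
        if (end - pos < 2 || buf[pos] == 0x00) return DER_BAD_LENGTH; /* EOC */
        uint8_t tag = buf[pos], lb = buf[pos + 1];
        size_t hdr = 2, len = lb;
        if (lb & 0x80) {                       /* long form, up to 2 length bytes */
            size_t n = lb & 0x7f;
            if (n == 0 || n > 2 || end - pos < 2 + n) return DER_BAD_LENGTH;
            len = 0;
            for (size_t k = 0; k < n; k++) len = (len << 8) | buf[pos + 2 + k];
            hdr += n;
        }
        if (len > end - pos - hdr) return DER_BAD_LENGTH; /* overruns parent */
        if (tag & 0x20) {                                  /* constructed */
            int rc = der_check(buf, pos + hdr, pos + hdr + len);
            if (rc != DER_OK) return rc;
        } else if (tag == 0x13 && !printable_ok(buf + pos + hdr, len)) {
            return DER_BAD_STRING;
        }
        pos += hdr + len;
    }
    return DER_OK;
}

/* Build one variant of the Name and report how the checker sees it. */
static int check_name_variant(size_t serial_len, size_t pad)
{
    uint8_t name[96];
    return der_check(name, 0, build_name(name, serial_len, pad));
}

int main(void)
{
    printf("serialNumber RDN size for %zu chars: %zu\n",
           strlen(SERIAL), serial_rdn_size(strlen(SERIAL)));
    printf("strlen() copy, no padding : %d\n", check_name_variant(strlen(SERIAL), 0));
    printf("sizeof() copy (NUL inside): %d\n", check_name_variant(sizeof SERIAL, 0));
    printf("21 reserved zero bytes    : %d\n", check_name_variant(strlen(SERIAL), 21));
    return 0;
}
```

The correct encoding comes back DER_OK, the sizeof() copy comes back DER_BAD_STRING because a NUL is not in the PrintableString alphabet, and the padded Name comes back DER_BAD_LENGTH at the first zero byte, which is the point where the online decoder above started reporting spurious EOCs. The same walker can be run over the DER body of any CSR before it is handed to a CA, since long-form lengths up to two bytes are handled and primitive types other than PrintableString are simply skipped.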
Hi David,
I have tried to add the "serialNumber" attribute to the csr example, but the result is a "Decoding Problem".
This is the code:
/* csr.c
 *
 * Copyright (C) 2006-2018 wolfSSL Inc.
 *
 * This file is part of wolfTPM.
 *
 * wolfTPM is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfTPM is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */

#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>

#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
    defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)

#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>

static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";

/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/

static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
    const char* outputPemFile)
{
    int rc;
    Cert req;
    // const CertName myCertName = {
    static CertName myCertName = {
        .country = "US", .countryEnc = CTC_PRINTABLE, /* country */
        .state = "Oregon", .stateEnc = CTC_UTF8, /* state */
        .locality = "Portland", .localityEnc = CTC_UTF8, /* locality */
        .sur = "Test", .surEnc = CTC_UTF8, /* sur */
        .org = "wolfSSL", .orgEnc = CTC_UTF8, /* org */
        .unit = "Development", .unitEnc = CTC_UTF8, /* unit */
        .commonName = "www.wolfssl.com", /* commonName */
        .commonNameEnc = CTC_UTF8,
        .email = "info@wolfssl.com" /* email */
    };
    /* serialNumber Attribute */
    NameAttrib* n;
    n = &myCertName.name[0];
    n->id = ASN_SERIAL_NUMBER;
    n->type = CTC_PRINTABLE;
    n->sz = sizeof("1801908070");
    XMEMCPY(n->value, "1801908070", sizeof("1801908070"));
    /* serialNumber Attribute */
    const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
                             "emailProtection,timeStamping,OCSPSigning";
    WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
    WOLFTPM2_BUFFER output;
#endif

    /* Generate CSR (using TPM key) for certification authority */
    rc = wc_InitCert(&req);
    if (rc != 0) goto exit;

    XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));

    /* make sure each common name is unique */
    if (key_type == RSA_TYPE) {
        req.sigType = CTC_SHA256wRSA;
        XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
    }
    else if (key_type == ECC_TYPE) {
        req.sigType = CTC_SHA256wECDSA;
        XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
    }

#ifdef WOLFSSL_CERT_EXT
    /* add SKID from the Public Key */
    rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
    if (rc != 0) goto exit;

    /* add Extended Key Usage */
    rc = wc_SetExtKeyUsage(&req, myKeyUsage);
    if (rc != 0) goto exit;
#endif

    rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
        wolfKey);
    if (rc <= 0) goto exit;
    der.size = rc;

    rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
        key_type, wolfKey, wolfTPM2_GetRng(dev));
    if (rc <= 0) goto exit;
    der.size = rc;

#ifdef WOLFSSL_DER_TO_PEM
    /* Convert to PEM */
    XMEMSET(output.buffer, 0, sizeof(output.buffer));
    rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
        CERTREQ_TYPE);
    if (rc <= 0) goto exit;
    output.size = rc;

    printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
    printf("%s\n", (char*)output.buffer);

#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
    {
        FILE* pemFile = fopen(outputPemFile, "wb");
        if (pemFile) {
            rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
            fclose(pemFile);
            if (rc != output.size) {
                rc = -1; goto exit;
            }
        }
    }
#endif
#endif /* WOLFSSL_DER_TO_PEM */

    (void)outputPemFile;
    rc = 0; /* success */

exit:
    return rc;
}

int TPM2_CSR_Example(void* userCtx)
{
    int rc;
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
    WOLFTPM2_KEY rsaKey;
    RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
    WOLFTPM2_KEY eccKey;
    ecc_key wolfEccKey;
#endif
    TPMT_PUBLIC publicTemplate;
    TpmCryptoDevCtx tpmCtx;
    int tpmDevId;

    printf("TPM2 CSR Example\n");

    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;

    /* Setup the wolf crypto device callback */
#ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
#endif
    rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
    if (rc != 0) goto exit;

    /* See if primary storage key already exists */
    rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
        TPM2_DEMO_STORAGE_KEY_HANDLE);
    if (rc != 0) {
        /* Create primary storage key */
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
            &publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
            TPM2_DEMO_STORAGE_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for storage key */
        storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
            storageKey.handle.auth.size);
    }

#ifndef NO_RSA
    /* Create/Load RSA key for CSR */
    rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
    if (rc != 0) {
        rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
            TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
            TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
        if (rc != 0) goto exit;
        rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
            &publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
        if (rc != 0) goto exit;

        /* Move this key into persistent storage */
        rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
            TPM2_DEMO_RSA_KEY_HANDLE);
        if (rc != 0) goto exit;
    }
    else {
        /* specify auth password for RSA key */
        rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
        XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
    }

    /* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
    rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
    if (rc != 0) goto exit;
    /* load public portion of key into wolf RSA Key */
    rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
    if (rc != 0) goto exit;

    rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
    if (rc != 0) goto exit;
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Create/Load ECC key for CSR */
rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) {
rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
&publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for ECC key */
eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
}
/* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
if (rc != 0) goto exit;
/* load public portion of key into wolf ECC Key */
rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
if (rc != 0) goto exit;
rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
if (rc != 0) goto exit;
#endif /* HAVE_ECC */
exit:
if (rc != 0) {
printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
}
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
wc_ecc_free(&wolfEccKey);
wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif
wolfTPM2_Cleanup(&dev);
return rc;
}
/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/
#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */
#ifndef NO_MAIN_DRIVER
int main(void)
{
int rc = -1;
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
rc = TPM2_CSR_Example(NULL);
#else
printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif
return rc;
}
#endif /* !NO_MAIN_DRIVER */
This is the result:
root@raspberrypi:/home/pi/wolfTPM# nano /home/pi/wolfTPM/examples/csr/csr.c
root@raspberrypi:/home/pi/wolfTPM# make
make -j5 all-am
make[1]: Entering directory '/home/pi/wolfTPM'
CC examples/csr/csr.o
CCLD examples/csr/csr
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 881, PEM 1265)
Generated/Signed Cert (DER 487, PEM 733)
and this is the verification result:
https://redkestrel.co.uk/products/decoder/
Have a look at the next lines after "151 16: IA5String 'info@wolfssl.com'"
Decoding Problem
Sorry, we were unable to fully decode the data provided
ASN.1 Information
0 877: SEQUENCE {
4 597: SEQUENCE {
8 1: INTEGER 2
11 176: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 15: SET {
29 13: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 6: UTF8String 'Oregon'
: }
: }
44 17: SET {
46 15: SEQUENCE {
48 3: OBJECT IDENTIFIER localityName (2 5 4 7)
53 8: UTF8String 'Portland'
: }
: }
63 13: SET {
65 11: SEQUENCE {
67 3: OBJECT IDENTIFIER surname (2 5 4 4)
72 4: UTF8String 'Test'
: }
: }
78 16: SET {
80 14: SEQUENCE {
82 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
87 7: UTF8String 'wolfSSL'
: }
: }
96 12: SET {
98 10: SEQUENCE {
100 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105 3: UTF8String 'RSA'
: }
: }
110 24: SET {
112 22: SEQUENCE {
114 3: OBJECT IDENTIFIER commonName (2 5 4 3)
119 15: UTF8String 'www.wolfssl.com'
: }
: }
136 31: SET {
138 29: SEQUENCE {
140 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
151 16: IA5String 'info@wolfssl.com'
: }
: }
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
: }
190 290: SEQUENCE {
194 13: SEQUENCE {
196 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
207 0: NULL
: }
209 271: BIT STRING
: }
484 119: [0] {
486 117: SEQUENCE {
488 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
499 104: SET {
501 102: SEQUENCE {
503 29: SEQUENCE {
505 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
510 22: OCTET STRING
: 04 14 A9 F7 11 5B 2B 85 74 6F 19 69 13 5C 1C 89
: 64 3B 38 A9 A2 2B
: }
534 69: SEQUENCE {
536 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
541 62: OCTET STRING
: 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
: 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
: 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
: 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
: }
: }
: }
: }
: }
: }
605 13: SEQUENCE {
607 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
618 0: NULL
: }
620 257: BIT STRING
: }
Thanks a lot,
Paul
PS. Did you read my PM?
Also works now "./wolfTPM/examples/csr/csr":
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 860, PEM 1236)
TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 467, PEM 704)
Hi David,
your example from post https://www.wolfssl.com/forums/post3590.html#p3590 is OK now:
root@raspberrypi:/home/pi/wolfTPM/examples/csr# cat makecsr.c
#include <stdio.h>
#include <string.h>
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#define MAX_TEMP_SIZE 1024
/* Build using (the library goes after the source file so the linker resolves it):
gcc -o makecsr makecsr.c -lwolfssl
*/
int main(void)
{
    ecc_key key;
    WC_RNG rng;
    Cert req;
    byte der[MAX_TEMP_SIZE], pem[MAX_TEMP_SIZE];
    int derSz, pemSz, ret;
    if (wc_ecc_init(&key) != 0 || wc_InitRng(&rng) != 0) {
        printf("init failed\n");
        return -1;
    }
    /* generate a P-256 key and print it as PEM */
    ret = wc_ecc_make_key_ex(&rng, 32, &key, ECC_SECP256R1);
    if (ret != 0) goto exit;
    derSz = wc_EccKeyToDer(&key, der, sizeof(der));
    if (derSz <= 0) { ret = derSz; goto exit; }
    memset(pem, 0, sizeof(pem));
    pemSz = wc_DerToPem(der, derSz, pem, sizeof(pem), ECC_PRIVATEKEY_TYPE);
    if (pemSz <= 0) { ret = pemSz; goto exit; }
    printf("%s", pem);
    /* fill the subject, build the request body, sign it and print the CSR as PEM */
    wc_InitCert(&req);
    strncpy(req.subject.country, "US", CTC_NAME_SIZE);
    strncpy(req.subject.state, "OR", CTC_NAME_SIZE);
    strncpy(req.subject.locality, "Portland", CTC_NAME_SIZE);
    strncpy(req.subject.org, "yaSSL", CTC_NAME_SIZE);
    strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
    strncpy(req.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
    strncpy(req.subject.email, "info@wolfssl.com", CTC_NAME_SIZE);
    derSz = wc_MakeCertReq(&req, der, sizeof(der), NULL, &key);
    if (derSz <= 0) { ret = derSz; goto exit; }
    req.sigType = CTC_SHA256wECDSA;
    derSz = wc_SignCert(req.bodySz, req.sigType, der, sizeof(der), NULL, &key, &rng);
    if (derSz <= 0) { ret = derSz; goto exit; }
    memset(pem, 0, sizeof(pem));
    pemSz = wc_DerToPem(der, derSz, pem, sizeof(pem), CERTREQ_TYPE);
    if (pemSz <= 0) { ret = pemSz; goto exit; }
    printf("%s", pem);
    ret = 0;
exit:
    if (ret != 0) printf("failed with %d\n", ret);
    wc_ecc_free(&key);
    wc_FreeRng(&rng);
    return ret;
}
root@raspberrypi:/home/pi/wolfTPM/examples/csr# ./makecsr
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
CSR ASN.1 Information
0 331: SEQUENCE {
4 241: SEQUENCE {
7 1: INTEGER 2
10 142: SEQUENCE {
13 11: SET {
15 9: SEQUENCE {
17 3: OBJECT IDENTIFIER countryName (2 5 4 6)
22 2: PrintableString 'US'
: }
: }
26 11: SET {
28 9: SEQUENCE {
30 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
35 2: UTF8String 'OR'
: }
: }
39 17: SET {
41 15: SEQUENCE {
43 3: OBJECT IDENTIFIER localityName (2 5 4 7)
48 8: UTF8String 'Portland'
: }
: }
58 14: SET {
60 12: SEQUENCE {
62 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
67 5: UTF8String 'yaSSL'
: }
: }
74 20: SET {
76 18: SEQUENCE {
78 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
83 11: UTF8String 'Development'
: }
: }
96 24: SET {
98 22: SEQUENCE {
100 3: OBJECT IDENTIFIER commonName (2 5 4 3)
105 15: UTF8String 'www.wolfssl.com'
: }
: }
122 31: SET {
124 29: SEQUENCE {
126 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
137 16: IA5String 'info@wolfssl.com'
: }
: }
: }
155 89: SEQUENCE {
157 19: SEQUENCE {
159 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
168 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
: }
178 66: BIT STRING
: 04 49 9C 6D DE 91 6D FA 73 12 DA 04 63 11 CF 61
: 34 FD F8 2E DF C6 78 2E 23 8D 7F B1 E1 8D 10 2A
: 53 09 90 F5 EF 18 79 08 6C 44 CF 57 F9 C5 1A 55
: CD 0A 01 26 03 2D BD 32 0F 18 85 39 87 B6 A6 44
: 98
: }
246 0: [0]
: Error: Object has zero length.
: }
248 10: SEQUENCE {
250 8: OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
: }
260 73: BIT STRING
: 30 46 02 21 00 9D 9A 1D 0D 0E 18 B2 01 E9 CE 2C
: 70 97 C7 40 E4 CA C9 8D 1A D5 D8 B3 F4 A7 C0 BB
: F3 92 4B DF 66 02 21 00 B2 EE C3 6B 07 F4 E7 38
: 8E 60 EA 58 06 AE E6 9C F1 24 17 57 3B 76 4A 28
: 3F B1 D7 F8 D1 1C 24 4A
: }
Hi David,
should I do the same fix locally?
Thanks,
Paul
Hi David,
please tell me what your time zone and working hours are so we can synchronize on tests.
Thank you,
Paul
Hi David,
I added the NameAttrib to "/examples/csr/csr.c" as below:
/* csr.c
*
* Copyright (C) 2006-2018 wolfSSL Inc.
*
* This file is part of wolfTPM.
*
* wolfTPM is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfTPM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <wolftpm/tpm2.h>
#include <wolftpm/tpm2_wrap.h>
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
#include <examples/tpm_io.h>
#include <examples/csr/csr.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>
static const char gClientCertRsaFile[] = "./certs/client-rsa-cert.csr";
static const char gClientCertEccFile[] = "./certs/client-ecc-cert.csr";
/******************************************************************************/
/* --- BEGIN TPM2 CSR Example -- */
/******************************************************************************/
static int TPM2_CSR_Generate(WOLFTPM2_DEV* dev, int key_type, void* wolfKey,
const char* outputPemFile)
{
int rc;
Cert req;
static CertName myCertName = {
    .country = "US", .countryEnc = CTC_PRINTABLE, /* country */
    .state = "Oregon", .stateEnc = CTC_UTF8, /* state */
    .locality = "Portland", .localityEnc = CTC_UTF8, /* locality */
    .sur = "Test", .surEnc = CTC_UTF8, /* sur */
    .org = "wolfSSL", .orgEnc = CTC_UTF8, /* org */
    .unit = "Development", .unitEnc = CTC_UTF8, /* unit */
    .commonName = "www.wolfssl.com", /* commonName */
    .commonNameEnc = CTC_UTF8,
    .email = "info@wolfssl.com", /* email */
    /* serialNumber attribute (needs WOLFSSL_MULTI_ATTRIB). Statements are not
     * allowed inside an initializer, so the NameAttrib is set with designated
     * initializers instead. */
    .name[0] = {
        .id = ASN_SERIAL_NUMBER,
        .type = CTC_PRINTABLE,
        .sz = sizeof("1801908070") - 1, /* ten digits; sizeof alone also counts the NUL */
        .value = "1801908070"
    }
};
const char* myKeyUsage = "serverAuth,clientAuth,codeSigning,"
"emailProtection,timeStamping,OCSPSigning";
WOLFTPM2_BUFFER der;
#ifdef WOLFSSL_DER_TO_PEM
WOLFTPM2_BUFFER output;
#endif
/* Generate CSR (using TPM key) for certification authority */
rc = wc_InitCert(&req);
if (rc != 0) goto exit;
XMEMCPY(&req.subject, &myCertName, sizeof(myCertName));
/* make sure each common name is unique */
if (key_type == RSA_TYPE) {
req.sigType = CTC_SHA256wRSA;
XSTRNCPY(req.subject.unit, "RSA", sizeof(req.subject.unit));
}
else if (key_type == ECC_TYPE) {
req.sigType = CTC_SHA256wECDSA;
XSTRNCPY(req.subject.unit, "ECC", sizeof(req.subject.unit));
}
#ifdef WOLFSSL_CERT_EXT
/* add SKID from the Public Key */
rc = wc_SetSubjectKeyIdFromPublicKey_ex(&req, key_type, wolfKey);
if (rc != 0) goto exit;
/* add Extended Key Usage */
rc = wc_SetExtKeyUsage(&req, myKeyUsage);
if (rc != 0) goto exit;
#endif
rc = wc_MakeCertReq_ex(&req, der.buffer, sizeof(der.buffer), key_type,
wolfKey);
if (rc <= 0) goto exit;
der.size = rc;
rc = wc_SignCert_ex(req.bodySz, req.sigType, der.buffer, sizeof(der.buffer),
key_type, wolfKey, wolfTPM2_GetRng(dev));
if (rc <= 0) goto exit;
der.size = rc;
#ifdef WOLFSSL_DER_TO_PEM
/* Convert to PEM */
XMEMSET(output.buffer, 0, sizeof(output.buffer));
rc = wc_DerToPem(der.buffer, der.size, output.buffer, sizeof(output.buffer),
CERTREQ_TYPE);
if (rc <= 0) goto exit;
output.size = rc;
printf("Generated/Signed Cert (DER %d, PEM %d)\n", der.size, output.size);
printf("%s\n", (char*)output.buffer);
#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
{
FILE* pemFile = fopen(outputPemFile, "wb");
if (pemFile) {
rc = (int)fwrite(output.buffer, 1, output.size, pemFile);
fclose(pemFile);
if (rc != output.size) {
rc = -1; goto exit;
}
}
}
#endif
#endif /* WOLFSSL_DER_TO_PEM */
(void)outputPemFile;
rc = 0; /* success */
exit:
return rc;
}
int TPM2_CSR_Example(void* userCtx)
{
int rc;
WOLFTPM2_DEV dev;
WOLFTPM2_KEY storageKey;
#ifndef NO_RSA
WOLFTPM2_KEY rsaKey;
RsaKey wolfRsaKey;
#endif
#ifdef HAVE_ECC
WOLFTPM2_KEY eccKey;
ecc_key wolfEccKey;
#endif
TPMT_PUBLIC publicTemplate;
TpmCryptoDevCtx tpmCtx;
int tpmDevId;
printf("TPM2 CSR Example\n");
/* Init the TPM2 device */
rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
if (rc != 0) return rc;
/* Setup the wolf crypto device callback */
#ifndef NO_RSA
XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
tpmCtx.rsaKey = &rsaKey;
#endif
#ifdef HAVE_ECC
XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
tpmCtx.eccKey = &eccKey;
#endif
rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId);
if (rc != 0) goto exit;
/* See if primary storage key already exists */
rc = wolfTPM2_ReadPublicKey(&dev, &storageKey,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) {
/* Create primary storage key */
rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_restricted | TPMA_OBJECT_decrypt | TPMA_OBJECT_noDA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreatePrimaryKey(&dev, &storageKey, TPM_RH_OWNER,
&publicTemplate, (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storageKey,
TPM2_DEMO_STORAGE_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for storage key */
storageKey.handle.auth.size = sizeof(gStorageKeyAuth)-1;
XMEMCPY(storageKey.handle.auth.buffer, gStorageKeyAuth,
storageKey.handle.auth.size);
}
#ifndef NO_RSA
/* Create/Load RSA key for CSR */
rc = wolfTPM2_ReadPublicKey(&dev, &rsaKey, TPM2_DEMO_RSA_KEY_HANDLE);
if (rc != 0) {
rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreateAndLoadKey(&dev, &rsaKey, &storageKey.handle,
&publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &rsaKey,
TPM2_DEMO_RSA_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for RSA key */
rsaKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(rsaKey.handle.auth.buffer, gKeyAuth, rsaKey.handle.auth.size);
}
/* setup wolf RSA key with TPM deviceID, so crypto callbacks are used */
rc = wc_InitRsaKey_ex(&wolfRsaKey, NULL, tpmDevId);
if (rc != 0) goto exit;
/* load public portion of key into wolf RSA Key */
rc = wolfTPM2_RsaKey_TpmToWolf(&dev, &rsaKey, &wolfRsaKey);
if (rc != 0) goto exit;
rc = TPM2_CSR_Generate(&dev, RSA_TYPE, &wolfRsaKey, gClientCertRsaFile);
if (rc != 0) goto exit;
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Create/Load ECC key for CSR */
rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) {
rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth |
TPMA_OBJECT_sign | TPMA_OBJECT_noDA,
TPM_ECC_NIST_P256, TPM_ALG_ECDSA);
if (rc != 0) goto exit;
rc = wolfTPM2_CreateAndLoadKey(&dev, &eccKey, &storageKey.handle,
&publicTemplate, (byte*)gKeyAuth, sizeof(gKeyAuth)-1);
if (rc != 0) goto exit;
/* Move this key into persistent storage */
rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &eccKey,
TPM2_DEMO_ECC_KEY_HANDLE);
if (rc != 0) goto exit;
}
else {
/* specify auth password for ECC key */
eccKey.handle.auth.size = sizeof(gKeyAuth)-1;
XMEMCPY(eccKey.handle.auth.buffer, gKeyAuth, eccKey.handle.auth.size);
}
/* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
rc = wc_ecc_init_ex(&wolfEccKey, NULL, tpmDevId);
if (rc != 0) goto exit;
/* load public portion of key into wolf ECC Key */
rc = wolfTPM2_EccKey_TpmToWolf(&dev, &eccKey, &wolfEccKey);
if (rc != 0) goto exit;
rc = TPM2_CSR_Generate(&dev, ECC_TYPE, &wolfEccKey, gClientCertEccFile);
if (rc != 0) goto exit;
#endif /* HAVE_ECC */
exit:
if (rc != 0) {
printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
}
#ifndef NO_RSA
wc_FreeRsaKey(&wolfRsaKey);
wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
#endif
#ifdef HAVE_ECC
wc_ecc_free(&wolfEccKey);
wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
#endif
wolfTPM2_Cleanup(&dev);
return rc;
}
/******************************************************************************/
/* --- END TPM2 CSR Example -- */
/******************************************************************************/
#endif /* !WOLFTPM2_NO_WRAPPER && WOLFSSL_CERT_REQ && WOLF_CRYPTO_DEV */
#ifndef NO_MAIN_DRIVER
int main(void)
{
int rc = -1;
#if !defined(WOLFTPM2_NO_WRAPPER) && defined(WOLFSSL_CERT_REQ) && \
defined(WOLF_CRYPTO_DEV) && !defined(WOLFTPM2_NO_WOLFCRYPT)
rc = TPM2_CSR_Example(NULL);
#else
printf("Wrapper/CertReq/CryptoDev code not compiled in\n");
printf("Build wolfssl with ./configure --enable-certgen --enable-certreq --enable-certext --enable-cryptodev\n");
#endif
return rc;
}
#endif /* !NO_MAIN_DRIVER */
Resulting:
root@raspberrypi:/home/pi/wolfTPM# make
make -j5 all-am
make[1]: Entering directory '/home/pi/wolfTPM'
make[1]: Leaving directory '/home/pi/wolfTPM'
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 875, PEM 1257)
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
which also gives "Decoding Problem, Sorry, we were unable to fully decode the data provided":
ASN.1 Information
0 871: SEQUENCE {
4 591: SEQUENCE {
8 1: INTEGER 2
11 170: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 15: SET {
29 13: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 6: UTF8String 'Oregon'
: }
: }
44 17: SET {
46 15: SEQUENCE {
48 3: OBJECT IDENTIFIER localityName (2 5 4 7)
53 8: UTF8String 'Portland'
: }
: }
63 13: SET {
65 11: SEQUENCE {
67 3: OBJECT IDENTIFIER surname (2 5 4 4)
72 4: UTF8String 'Test'
: }
: }
78 16: SET {
80 14: SEQUENCE {
82 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
87 7: UTF8String 'wolfSSL'
: }
: }
96 12: SET {
98 10: SEQUENCE {
100 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105 3: UTF8String 'RSA'
: }
: }
110 24: SET {
112 22: SEQUENCE {
114 3: OBJECT IDENTIFIER commonName (2 5 4 3)
119 15: UTF8String 'www.wolfssl.com'
: }
: }
136 25: SET {
138 23: SEQUENCE {
140 3: OBJECT IDENTIFIER objectClass (2 5 4 0)
: Error: Spurious EOC in definite-length item.
: }
: }
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
: Error: Spurious EOC in definite-length item.
Error: Inconsistent object length, 1 byte difference.
: }
184 290: SEQUENCE {
188 13: SEQUENCE {
190 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
201 0: NULL
: }
203 271: BIT STRING
: }
478 119: [0] {
480 117: SEQUENCE {
482 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
493 104: SET {
495 102: SEQUENCE {
497 29: SEQUENCE {
499 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
504 22: OCTET STRING
: 04 14 DD 65 12 5E 2B A5 3A 28 B1 DC 0C D6 AB E9
: 08 9A C1 75 81 28
: }
528 69: SEQUENCE {
530 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
535 62: OCTET STRING
: 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
: 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
: 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
: 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
: }
: }
: }
: }
: }
: }
599 13: SEQUENCE {
601 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
612 0: NULL
: }
614 257: BIT STRING
: }
I got an "OBJECT IDENTIFIER objectClass (2 5 4 0)" (see "140 3:"), which also appears in the request generated by the original csr.c, but I don't see it in the openssl request.
Hi David,
Yes, the CSR works after building with my second configure example, but at the first run I got the error "TPM2_ReadPublic failed 395: TPM_RC_HANDLE", which disappeared at the second run.
Unfortunately the generated CSR seems not to be valid; when I check it on https://redkestrel.co.uk/products/decoder/ I get "Decoding problem", but it shows the ASN.1:
Decoding Problem
Sorry, we were unable to fully decode the data provided
ASN.1 Information
0 850: SEQUENCE {
4 570: SEQUENCE {
8 1: INTEGER 2
11 149: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 15: SET {
29 13: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 6: UTF8String 'Oregon'
: }
: }
44 17: SET {
46 15: SEQUENCE {
48 3: OBJECT IDENTIFIER localityName (2 5 4 7)
53 8: UTF8String 'Portland'
: }
: }
63 13: SET {
65 11: SEQUENCE {
67 3: OBJECT IDENTIFIER surname (2 5 4 4)
72 4: UTF8String 'Test'
: }
: }
78 16: SET {
80 14: SEQUENCE {
82 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
87 7: UTF8String 'wolfSSL'
: }
: }
96 12: SET {
98 10: SEQUENCE {
100 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
105 3: UTF8String 'RSA'
: }
: }
110 24: SET {
112 22: SEQUENCE {
114 3: OBJECT IDENTIFIER commonName (2 5 4 3)
119 15: UTF8String 'www.wolfssl.com'
: }
: }
136 25: SET {
138 23: SEQUENCE {
140 3: OBJECT IDENTIFIER objectClass (2 5 4 0)
: Error: Spurious EOC in definite-length item.
: }
: }
: }
163 290: SEQUENCE {
167 13: SEQUENCE {
169 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
180 0: NULL
: }
182 271: BIT STRING
: }
457 119: [0] {
459 117: SEQUENCE {
461 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
472 104: SET {
474 102: SEQUENCE {
476 29: SEQUENCE {
478 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
483 22: OCTET STRING
: 04 14 DD 65 12 5E 2B A5 3A 28 B1 DC 0C D6 AB E9
: 08 9A C1 75 81 28
: }
507 69: SEQUENCE {
509 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
514 62: OCTET STRING
: 30 3C 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06
: 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03
: 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05
: 05 07 03 08 06 08 2B 06 01 05 05 07 03 09
: }
: }
: }
: }
: }
: }
578 13: SEQUENCE {
580 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
591 0: NULL
: }
593 257: BIT STRING
: }
Similar to problem in https://www.wolfssl.com/forums/post3590.html#p3590.
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
TPM2_ReadPublic failed 395: TPM_RC_HANDLE
TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 854, PEM 1228)
TPM2_ReadPublic failed 395: TPM_RC_HANDLE
Generated/Signed Cert (DER 462, PEM 696)
root@raspberrypi:/home/pi/wolfTPM# ./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 854, PEM 1228)
Generated/Signed Cert (DER 461, PEM 696)
Thanks a lot,
Paul
Hi David,
Thanks, that works. So in order to have the extra NameAttrib active I should run
./configure CFLAGS="-DTIME_T_NOT_LONG" CFLAGS="-DWOLFSSL_MULTI_ATTRIB"
or
./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG"
Thanks a lot,
Paul
EDIT
./configure --enable-all CFLAGS="-DTIME_T_NOT_LONG"
doesn't work with the CSR example.
Hi Kaleb,
Thanks for your support.
I found in https://github.com/wolfSSL/wolfssl/blob … lic.h#L177 that for extra attributes (NameAttrib) I need WOLFSSL_MULTI_ATTRIB to be defined (as you previously said), so I ran:
./configure --enable-all
... => resulted in the error below:
CC tests/tests_unit_test-api.o
CC tests/tests_unit_test-suites.o
CC tests/tests_unit_test-hash.o
tests/api.c: In function ‘test_wolfSSL_ASN1_TIME_adj’:
tests/api.c:17716:20: error: integer overflow in expression [-Werror=overflow]
t = (time_t)85 * year + 59 * day + 9 * hour + 21 * day;
~~~~~~~~~~~^~~~~~
CC tests/tests_unit_test-srp.o
CCLD src/libwolfssl.la
CCLD wolfcrypt/benchmark/benchmark
Please advise how to solve.
Thank you,
Paul
Hello Everybody,
Please guide me on the proper way to generate a CSR (Certificate Signing Request) containing the "serialNumber" attribute (OBJECT IDENTIFIER serialNumber (2 5 4 5), https://www.alvestrand.no/objectid/2.5.4.5.html).
I'm using the current wolfSSL & wolfTPM master branch from GitHub on a PI3Bplus with Raspbian 4.14.66-v7+ and an SLB9670 IRIDIUM board (TPM 2.0).
I only managed to do it in openssl:
openssl genrsa -out rsa.key 2048
openssl req -new -sha256 -key rsa.key -out reqcsr.csr -subj "/C=GB/ST=London/L=London/O=Global\ Security/OU=IT\ Department/CN=example.com/serialNumber=1801908070"
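As an added example that is not code from this thread, wolfSSL or wolfTPM: a small Python DER encoder and checker for X.500 Name attributes. It produces the bytes of a correctly encoded serialNumber (2.5.4.5) RDN, the one the openssl -subj command above creates, and its checker reports the two defects visible in the decoder output earlier in the thread: a string one byte too long (sizeof("1801908070") in the csr.c attempt is 11 because it counts the C NUL terminator) and runs of zero bytes inside the Name, which a BER decoder reports as spurious EOC markers. The OID table and the sample inputs are constructed.

```python
# Added example (not thread, wolfSSL or wolfTPM code). Constructed X.520 OID subset.
ATTR_OIDS = {
    (2, 5, 4, 0): "objectClass",
    (2, 5, 4, 3): "commonName",
    (2, 5, 4, 5): "serialNumber",
    (2, 5, 4, 6): "countryName",
}
PRINTABLE = 0x13  # PrintableString, the syntax X.520 gives serialNumber

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_rdn(arcs, value, string_tag=PRINTABLE):
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, string } }."""
    return tlv(0x31, tlv(0x30, encode_oid(arcs) + tlv(string_tag, value)))

def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN, from [(arcs, value[, string_tag]), ...]."""
    return tlv(0x30, b"".join(encode_rdn(*r) for r in rdns))

def serial_number_rdn(serial):
    """The RDN `openssl req -subj /serialNumber=...` emits: 2.5.4.5 as PrintableString."""
    return encode_rdn((2, 5, 4, 5), serial.encode("ascii"))

def read_tlv(buf, pos):
    """Return (tag, content, end_offset) of the TLV at pos, checking its length."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if tag == 0x00 and ln == 0x00:
        # 00 00 is the BER end-of-contents marker and never belongs in DER
        raise ValueError("spurious EOC (00 00) in definite-length item at offset %d" % pos)
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + ln
    if end > len(buf):
        raise ValueError("object at offset %d runs %d bytes past its container" % (pos, end - len(buf)))
    return tag, buf[pos + hdr:end], end

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def decode_name(der):
    """Parse a Name into [(attribute, value)], raising on the defects the decodes above show."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name is not a single SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("expected SET for RDN, got tag 0x%02x" % tag)
        tag, atv, e = read_tlv(rdn, 0)
        if tag != 0x30 or e != len(rdn):
            raise ValueError("inconsistent object length, %d byte difference" % (len(rdn) - e))
        tag, oid, p = read_tlv(atv, 0)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in AttributeTypeAndValue")
        tag, val, e = read_tlv(atv, p)
        if e != len(atv):
            raise ValueError("inconsistent object length, %d byte difference" % (len(atv) - e))
        if b"\x00" in val:
            # a sz set with sizeof("...") in C includes the terminator, so it is one too large
            raise ValueError("NUL inside string value: length counted the C terminator")
        arcs = decode_oid(oid)
        attrs.append((ATTR_OIDS.get(arcs, ".".join(map(str, arcs))), val.decode("utf-8")))
    return attrs

def check_name(der):
    """('ok', attributes) or ('error', reason), so results can be compared directly."""
    try:
        return "ok", decode_name(der)
    except (ValueError, IndexError) as err:
        return "error", str(err)
```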