Invalid signature on CSR when finalizing

Smakrypsletaren · April 6, 2022, 4:41pm

Hi, i'm getting this error:

"type": urn:ietf:params:acme:error:badCSR
"detail": Error finalizing order :: invalid signature on CSR

when i try to finalize the order.
The error thes not occur when using pebble, only with let's encrypt using the dir:

https://acme-v02.api.letsencrypt.org/directory

or

https://acme-staging-v02.api.letsencrypt.org/directory

The request (using pebble):

POST /finalize-order/FLXqUh_yzjeEMNI5ena5unt7r2FkCAYbrs6NkBWy7LE HTTP/1.1
Host: 127.0.0.1
Content-Type: application/jose+json
Content-Length: 1006

{
   "payload": "ICAgewogICAgICAgImNzciI6ICJNSUlCS1RDQjFRSUJBREFqTVFzd0NRWURWUVFHRXdKVFZqRVVNQklHQTFVRUF3d0xjMjFoYTJSbGRpNXVaWFF3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVFaZFNNT2VDY0JaRW53SUhrbllvcHdDV2ZvRjRzbGxOd3BQblFERF9IYm44NWdkVkx6QkI4SVVYS3Vnc1ZCcU5MS3hWLTlwb1BteEpPU2lySlNWUUhyb0ZBd1RnWUpLb1pJaHZjTkFRa09NVUV3UHpBOUJnTlZIUkVFTmpBMGdndHpiV0ZyWkdWMkxtNWxkSUlQZDNkM0xuTnRZV3RrWlhZdWJtVjBnaFJzWVhWdVkyaGxjaTV6YldGclpHVjJMbTVsZERBTUJnZ3Foa2pPUFFRREFnVUFBMEVBVGdjNGhHOU5LOU0yM1I5UWVhWXJZb2RQaXRYQUpTdmUzTmNXLWU0bDZOUFVlQXhaR0Q4UVpJUWFscF9UUlZkMjB2a1I2VkE1dGFVQWtDejlUWWpGX0EiCiAgIH0K",
   "protected": "ICAgewogICAgICAgImFsZyI6ICJFUzI1NiIsCiAgICAgICAia2lkIjogImh0dHBzOi8vMTI3LjAuMC4xL215LWFjY291bnQvMSIsCiAgICAgICAibm9uY2UiOiAiX2dDLXItOUtNcTJTMjZ5NmREeG9SZyIsCiAgICAgICAidXJsIjogImh0dHBzOi8vMTI3LjAuMC4xL2ZpbmFsaXplLW9yZGVyL0ZMWHFVaF95emplRU1OSTVlbmE1dW50N3IyRmtDQVlicnM2TmtCV3k3TEUiCiAgIH0K",
   "signature": "sLWkp_bzvlEuZJVObIQPgG_-gaTw6LZrXuYKYPssq47RpqEvNQRyHKXDJUzm78qyic76CQumzcbPrmuH9TBrZg"
}

9peppe · April 6, 2022, 5:04pm

What signature are you using?

bruncsak · April 6, 2022, 5:50pm

Here is his request from the json data:

It looks like elliptic curve. (ecdsa-with-SHA256)

Smakrypsletaren · April 6, 2022, 6:33pm

That should be correct

Smakrypsletaren · April 6, 2022, 7:44pm

Now when i am home again i can check the code:

bruncsak is correct with the "ecdsa-with-SHA256" part.

The key is a "ecPublicKey" using "prime256v1"

The key has a padding of "04" before the key.

stewe · April 6, 2022, 7:53pm

When running OpenSSL with the -verify option I get:

# openssl req -noout -text -verify
-----BEGIN CERTIFICATE REQUEST-----
MIIBKTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZdSMOeCcBZEnwIHknYopwCWfoF4sl
lNwpPnQDD/Hbn85gdVLzBB8IUXKugsVBqNLKxV+9poPmxJOSirJSVQHroFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0EATgc4
hG9NK9M23R9QeaYrYodPitXAJSve3NcW+e4l6NPUeAxZGD8QZIQalp/TRVd20vkR
6VA5taUAkCz9TYjF/A==
-----END CERTIFICATE REQUEST-----
139839042229568:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
139839042229568:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=ECDSA_SIG
139839042229568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:

seems to be something broken with the ASN.1 structure.. ¯_(ツ)_/¯

Smakrypsletaren · April 6, 2022, 8:03pm

Yay......

So something is missing or is in the wrong place.

Or is it invalid ASN.1

But at least something.

Will look more into it.

Osiris · April 6, 2022, 8:14pm

How did you generate the CSR?

Smakrypsletaren · April 6, 2022, 8:27pm

I use a self made class to build ASN.1 objects, and i also made a program that can show the data and the ASN.1 seems valid there (some problems with showing the big oids):

SEQUENCE (L: 297(0x0129)) UNIVERSAL
├──SEQUENCE (L: 213(0xd5)) UNIVERSAL
|  ├──INTEGER (L: 1(0x01)) UNIVERSAL
|  |  └──00
|  ├──SEQUENCE (L: 35(0x23)) UNIVERSAL
|  |  ├──SET (L: 11(0x0b)) UNIVERSAL
|  |  |  └──SEQUENCE (L: 9(0x09)) UNIVERSAL
|  |  |     ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |  |     |  └──2.5.4.6
|  |  |     └──PrintableString (L: 2(0x02)) UNIVERSAL
|  |  |        └──SV
|  |  └──SET (L: 20(0x14)) UNIVERSAL
|  |     └──SEQUENCE (L: 18(0x12)) UNIVERSAL
|  |        ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |        |  └──2.5.4.3
|  |        └──UTF8String (L: 11(0x0b)) UNIVERSAL
|  |           └──smakdev.net
|  ├──SEQUENCE (L: 89(0x59)) UNIVERSAL
|  |  ├──SEQUENCE (L: 19(0x13)) UNIVERSAL
|  |  |  ├──OBJECT IDENTIFIER (L: 7(0x07)) UNIVERSAL
|  |  |  |  └──1.10.134.72.206.61.2.1
|  |  |  └──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  |     └──1.10.134.72.206.61.3.1.7
|  |  └──BIT STRING (L: 66(0x42)) UNIVERSAL
|  |     └──00041975230e7827016449f0207927628a700967e8178b2594dc293e74030ff1db9fce607552f3041f085172ae82c541a8d2cac55fbda683e6c493928ab2525501eb
|  └──[0] (L: 80(0x50)) CONTEXT-SPECIFIC
|     └──SEQUENCE (L: 78(0x4e)) UNIVERSAL
|        ├──OBJECT IDENTIFIER (L: 9(0x09)) UNIVERSAL
|        |  └──1.10.134.72.134.247.13.1.9.14
|        └──SET (L: 65(0x41)) UNIVERSAL
|           └──SEQUENCE (L: 63(0x3f)) UNIVERSAL
|              └──SEQUENCE (L: 61(0x3d)) UNIVERSAL
|                 ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|                 |  └──2.5.29.17
|                 └──OCTET STRING (L: 54(0x36)) UNIVERSAL
|                    └──3034820b736d616b6465762e6e6574820f7777772e736d616b6465762e6e657482146c61756e636865722e736d616b6465762e6e6574
├──SEQUENCE (L: 12(0x0c)) UNIVERSAL
|  ├──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  └──1.10.134.72.206.61.4.3.2
|  └──NULL (L: 0(0x00)) UNIVERSAL
└──BIT STRING (L: 65(0x41)) UNIVERSAL
   └──004e0738846f4d2bd336dd1f5079a62b62874f8ad5c0252bdedcd716f9ee25e8d3d4780c59183f1064841a969fd3455776d2f911e95039b5a50

But i whould guess that it's the wrong version or missing stuff att the "info" part (where the commonName and some other stuff is)

Smakrypsletaren · April 6, 2022, 8:39pm

Could the keys have the wrong byte order

the keys are created in C# with the ECDsaCng class and i get the keys with:

ECDsaCng CertDsa = new ECDsaCng
{
    HashAlgorithm = CngAlgorithm.Sha256,
    KeySize = 256
};
CertDsa.GenerateKey(ECCurve.NamedCurves.nistP256);
//This is sent in a function to create the CSR
CertDsa.Key.Export(CngKeyBlobFormat.EccPublicBlob).split(8, 64);

Just errors if i flip them so no

stewe · April 6, 2022, 10:37pm

For example the following CSR works:

Decoded:

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (1 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String example.com
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010011011100110101100010111001011010010011110001000101100000001010…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (15 byte) 300D820B6578616D706C652E636F6D
                SEQUENCE (1 elem)
                  [2] (11 byte) example.com
  SEQUENCE (1 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
  BIT STRING (560 bit) 0011000001000100000000100010000001101001000011111010111110101010100011…
    SEQUENCE (2 elem)
      INTEGER (255 bit) 4752056421108518441151578761023877142206350592547055977270459534446338…
      INTEGER (255 bit) 3072563262386804320213910585892675670143331761642979495222111684847135…

In comparison your CSR:

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (2 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
          PrintableString SV
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String smakdev.net
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010000011001011101010010001100001110011110000010011100000001011001…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (54 byte) 3034820B736D616B6465762E6E6574820F7777772E736D616B6465762E6E657482146C…
                SEQUENCE (3 elem)
                  [2] (11 byte) smakdev.net
                  [2] (15 byte) www.smakdev.net
                  [2] (20 byte) launcher.smakdev.net
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
    NULL
  BIT STRING (512 bit) 0100111000000111001110001000010001101111010011010010101111010011001101…

I think the signature has to have the following structure instead of just concatenating both 32-byte values:

  BIT STRING
    SEQUENCE (2 elem)
      INTEGER
      INTEGER

When signing, the ECDSA algorithm generates two values. These values
are commonly referred to as r and s. To easily transfer these two
values as one signature, they MUST be ASN.1 encoded using the
following ASN.1 structure:
 Ecdsa-Sig-Value  ::=  SEQUENCE  {
      r     INTEGER,
      s     INTEGER  }

Smakrypsletaren · April 7, 2022, 4:43pm

New cert request.
Same error,

Osiris · April 7, 2022, 4:47pm

OpenSSL can't make heads or tails of that CSR:

osiris@erazer tmp $ openssl asn1parse -i -in csr.pem 
Error: offset out of range
osiris@erazer tmp $

From a online parser: "Length over 48 bits not supported at position 1"

Smakrypsletaren · April 7, 2022, 4:54pm

Here is everything without breaklines in case i broke something

MIIBLjCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATr7Biw2rJ6a08Ypc91Fl6SvtOnKY0BAvln55a09_AuWrbB5wzALELn40ibKFVs1v5FE0tI13Zbh4IIAlzZ_e9uoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0YwRAIgygCmx0hNj4q2yFq7tycfHbfq-o0FmX7jg_8X2zt7pWECIHY9WLvUvXE_QBCaJhqfD_MDJVnrnWcC2cRtJV2yRvNN

And what my thing got from this

SEQUENCE (L: 302(0x012e)) UNIVERSAL
├──SEQUENCE (L: 213(0xd5)) UNIVERSAL
|  ├──INTEGER (L: 1(0x01)) UNIVERSAL
|  |  └──00
|  ├──SEQUENCE (L: 35(0x23)) UNIVERSAL
|  |  ├──SET (L: 11(0x0b)) UNIVERSAL
|  |  |  └──SEQUENCE (L: 9(0x09)) UNIVERSAL
|  |  |     ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |  |     |  └──2.5.4.6
|  |  |     └──PrintableString (L: 2(0x02)) UNIVERSAL
|  |  |        └──SV
|  |  └──SET (L: 20(0x14)) UNIVERSAL
|  |     └──SEQUENCE (L: 18(0x12)) UNIVERSAL
|  |        ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |        |  └──2.5.4.3
|  |        └──UTF8String (L: 11(0x0b)) UNIVERSAL
|  |           └──smakdev.net
|  ├──SEQUENCE (L: 89(0x59)) UNIVERSAL
|  |  ├──SEQUENCE (L: 19(0x13)) UNIVERSAL
|  |  |  ├──OBJECT IDENTIFIER (L: 7(0x07)) UNIVERSAL
|  |  |  |  └──1.10.134.72.206.61.2.1
|  |  |  └──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  |     └──1.10.134.72.206.61.3.1.7
|  |  └──BIT STRING (L: 66(0x42)) UNIVERSAL
|  |     └──0004ebec18b0dab27a6b4f18a5cf75165e92bed3a7298d0102f967e796b4f7f02e5ab6c1e70cc02c42e7e3489b28556cd6fe45134b48d7765b878208025cd9fdef6e
|  └──[0] (L: 80(0x50)) CONTEXT-SPECIFIC
|     └──SEQUENCE (L: 78(0x4e)) UNIVERSAL
|        ├──OBJECT IDENTIFIER (L: 9(0x09)) UNIVERSAL
|        |  └──1.10.134.72.134.247.13.1.9.14
|        └──SET (L: 65(0x41)) UNIVERSAL
|           └──SEQUENCE (L: 63(0x3f)) UNIVERSAL
|              └──SEQUENCE (L: 61(0x3d)) UNIVERSAL
|                 ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|                 |  └──2.5.29.17
|                 └──OCTET STRING (L: 54(0x36)) UNIVERSAL
|                    └──3034820b736d616b6465762e6e6574820f7777772e736d616b6465762e6e657482146c61756e636865722e736d616b6465762e6e6574
├──SEQUENCE (L: 12(0x0c)) UNIVERSAL
|  ├──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  └──1.10.134.72.206.61.4.3.2
|  └──NULL (L: 0(0x00)) UNIVERSAL
└──BIT STRING (L: 70(0x46)) UNIVERSAL
   └──30440220ca00a6c7484d8f8ab6c85abbb7271f1db7eafa8d05997ee383ff17db3b7ba5610220763d58bbd4bd713f40109a261a9f0ff3032559eb9d6702d9c46d255db246f34d

Osiris · April 7, 2022, 4:56pm

That's also unparsable using the online decoder I mentioned above.

Smakrypsletaren · April 7, 2022, 5:01pm

This one seems to have a byte missing from the last one

MIIBLzCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpRQm4Ta1exZNEi3iR5MNcW7t08Tuyg86QGg5_RZENETM6nROfSeon3P8ABNp7NYPbThPwwig9-P55cTdXGeQVoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0cAMEQCIOuXCxsLvQ4WN7YoOos2-jBm8Ux45T0GvZBMnUxhXh4vAiDNVttMxbxmz5-ZWT89AUvdm1tjCef3hgtzb6gptiG7wQ

stewe · April 7, 2022, 5:21pm

The CSR data should be base64 encoded, not base64url. If you replace "_" -> "/" and "-" -> "+" the CSR can be parsed:

# openssl req -noout -text
-----BEGIN CERTIFICATE REQUEST-----
MIIBLzCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpRQm4Ta1exZNEi3iR5MNcW7t08Tuy
g86QGg5/RZENETM6nROfSeon3P8ABNp7NYPbThPwwig9+P55cTdXGeQVoFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0cAMEQC
IOuXCxsLvQ4WN7YoOos2+jBm8Ux45T0GvZBMnUxhXh4vAiDNVttMxbxmz5+ZWT89
AUvdm1tjCef3hgtzb6gptiG7wQ==
-----END CERTIFICATE REQUEST-----
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SV, CN = smakdev.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e9:45:09:b8:4d:ad:5e:c5:93:44:8b:78:91:e4:
                    c3:5c:5b:bb:74:f1:3b:b2:83:ce:90:1a:0e:7f:45:
                    91:0d:11:33:3a:9d:13:9f:49:ea:27:dc:ff:00:04:
                    da:7b:35:83:db:4e:13:f0:c2:28:3d:f8:fe:79:71:
                    37:57:19:e4:15
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:smakdev.net, DNS:www.smakdev.net, DNS:launcher.smakdev.net
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:eb:97:0b:1b:0b:bd:0e:16:37:b6:28:3a:8b:36:
         fa:30:66:f1:4c:78:e5:3d:06:bd:90:4c:9d:4c:61:5e:1e:2f:
         02:20:cd:56:db:4c:c5:bc:66:cf:9f:99:59:3f:3d:01:4b:dd:
         9b:5b:63:09:e7:f7:86:0b:73:6f:a8:29:b6:21:bb:c1

but the verification still fails:

139696996119872:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (2 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
          PrintableString SV
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String smakdev.net
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010011101001010001010000100110111000010011011010110101011110110001…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (54 byte) 3034820B736D616B6465762E6E6574820F7777772E736D616B6465762E6E657482146C…
                SEQUENCE (3 elem)
                  [2] (11 byte) smakdev.net
                  [2] (15 byte) www.smakdev.net
                  [2] (20 byte) launcher.smakdev.net
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
    NULL
  BIT STRING (560 bit) 0011000001000100000000100010000011101011100101110000101100011011000010…
    SEQUENCE (2 elem)
      INTEGER (253 bit) -9.231699265102476e+75
      INTEGER (254 bit) -2.2914492877945727e+76

the structure seems ok now, but both integers look weird..

Smakrypsletaren · April 7, 2022, 5:50pm

if i add a 0 in front off the integers

MIIBMTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREGL5IF1P2AnHPd9JcZxuklHXKOGfyjK3pGmm9SRgCVKS8FcgsR5K17w/pj0gdea9WylgOObVGhDFIcqzW4Xs1oFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0kAMEYCIQCXtej84SsAsaOKrirxvLInANyv6yIut/78AXiJjtTaogIhAJIclydQbAljImQE4uXXr9tKin0PpeWlLDOXch5kuxI4

stewe · April 7, 2022, 5:58pm

Looks good:

# openssl req -noout -text -verify
-----BEGIN CERTIFICATE REQUEST-----
MIIBMTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREGL5IF1P2AnHPd9JcZxuklHXKOGfy
jK3pGmm9SRgCVKS8FcgsR5K17w/pj0gdea9WylgOObVGhDFIcqzW4Xs1oFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0kAMEYC
IQCXtej84SsAsaOKrirxvLInANyv6yIut/78AXiJjtTaogIhAJIclydQbAljImQE
4uXXr9tKin0PpeWlLDOXch5kuxI4
-----END CERTIFICATE REQUEST-----
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SV, CN = smakdev.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:44:18:be:48:17:53:f6:02:71:cf:77:d2:5c:67:
                    1b:a4:94:75:ca:38:67:f2:8c:ad:e9:1a:69:bd:49:
                    18:02:54:a4:bc:15:c8:2c:47:92:b5:ef:0f:e9:8f:
                    48:1d:79:af:56:ca:58:0e:39:b5:46:84:31:48:72:
                    ac:d6:e1:7b:35
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:smakdev.net, DNS:www.smakdev.net, DNS:launcher.smakdev.net
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:97:b5:e8:fc:e1:2b:00:b1:a3:8a:ae:2a:f1:
         bc:b2:27:00:dc:af:eb:22:2e:b7:fe:fc:01:78:89:8e:d4:da:
         a2:02:21:00:92:1c:97:27:50:6c:09:63:22:64:04:e2:e5:d7:
         af:db:4a:8a:7d:0f:a5:e5:a5:2c:33:97:72:1e:64:bb:12:38

Smakrypsletaren · April 7, 2022, 6:19pm

When i tried i got the same error.

the integers seem to be 255 bits in this request and was 256 in the last one

Topic		Replies	Views
A error response about /finalize API Client dev	7	680	January 20, 2021
Finalize Order URL returning error Client dev	8	689	January 18, 2024
Invalid signature on CSR? Client dev	2	7579	November 12, 2015
Error when finalizing order Client dev	5	7096	November 21, 2019
Error on finalize csr submission Client dev	13	1263	November 22, 2021

Invalid signature on CSR when finalizing

Related topics