Invalid signature on CSR when finalizing

Yay......

So something is missing or is in the wrong place.

Or is it invalid ASN.1

But at least something.

Will look more into it.

How did you generate the CSR?

2 Likes

I use a self made class to build ASN.1 objects, and i also made a program that can show the data and the ASN.1 seems valid there (some problems with showing the big oids):

SEQUENCE (L: 297(0x0129)) UNIVERSAL
├──SEQUENCE (L: 213(0xd5)) UNIVERSAL
|  ├──INTEGER (L: 1(0x01)) UNIVERSAL
|  |  └──00
|  ├──SEQUENCE (L: 35(0x23)) UNIVERSAL
|  |  ├──SET (L: 11(0x0b)) UNIVERSAL
|  |  |  └──SEQUENCE (L: 9(0x09)) UNIVERSAL
|  |  |     ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |  |     |  └──2.5.4.6
|  |  |     └──PrintableString (L: 2(0x02)) UNIVERSAL
|  |  |        └──SV
|  |  └──SET (L: 20(0x14)) UNIVERSAL
|  |     └──SEQUENCE (L: 18(0x12)) UNIVERSAL
|  |        ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |        |  └──2.5.4.3
|  |        └──UTF8String (L: 11(0x0b)) UNIVERSAL
|  |           └──smakdev.net
|  ├──SEQUENCE (L: 89(0x59)) UNIVERSAL
|  |  ├──SEQUENCE (L: 19(0x13)) UNIVERSAL
|  |  |  ├──OBJECT IDENTIFIER (L: 7(0x07)) UNIVERSAL
|  |  |  |  └──1.10.134.72.206.61.2.1
|  |  |  └──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  |     └──1.10.134.72.206.61.3.1.7
|  |  └──BIT STRING (L: 66(0x42)) UNIVERSAL
|  |     └──00041975230e7827016449f0207927628a700967e8178b2594dc293e74030ff1db9fce607552f3041f085172ae82c541a8d2cac55fbda683e6c493928ab2525501eb
|  └──[0] (L: 80(0x50)) CONTEXT-SPECIFIC
|     └──SEQUENCE (L: 78(0x4e)) UNIVERSAL
|        ├──OBJECT IDENTIFIER (L: 9(0x09)) UNIVERSAL
|        |  └──1.10.134.72.134.247.13.1.9.14
|        └──SET (L: 65(0x41)) UNIVERSAL
|           └──SEQUENCE (L: 63(0x3f)) UNIVERSAL
|              └──SEQUENCE (L: 61(0x3d)) UNIVERSAL
|                 ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|                 |  └──2.5.29.17
|                 └──OCTET STRING (L: 54(0x36)) UNIVERSAL
|                    └──3034820b736d616b6465762e6e6574820f7777772e736d616b6465762e6e657482146c61756e636865722e736d616b6465762e6e6574
├──SEQUENCE (L: 12(0x0c)) UNIVERSAL
|  ├──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  └──1.10.134.72.206.61.4.3.2
|  └──NULL (L: 0(0x00)) UNIVERSAL
└──BIT STRING (L: 65(0x41)) UNIVERSAL
   └──004e0738846f4d2bd336dd1f5079a62b62874f8ad5c0252bdedcd716f9ee25e8d3d4780c59183f1064841a969fd3455776d2f911e95039b5a50

But i whould guess that it's the wrong version or missing stuff att the "info" part (where the commonName and some other stuff is)

Could the keys have the wrong byte order

the keys are created in C# with the ECDsaCng class and i get the keys with:

ECDsaCng CertDsa = new ECDsaCng
{
    HashAlgorithm = CngAlgorithm.Sha256,
    KeySize = 256
};
CertDsa.GenerateKey(ECCurve.NamedCurves.nistP256);
//This is sent in a function to create the CSR
CertDsa.Key.Export(CngKeyBlobFormat.EccPublicBlob).split(8, 64);

Just errors if i flip them so no

For example the following CSR works:

-----BEGIN CERTIFICATE REQUEST-----
MIH5MIGhAgEAMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAE3NYuWk8RYCiLXFZMM51YyHEFsT2l3+JTUDauF0lkoQEV1xn6
YLUV71FGydee0Yiz6jQqiMOCWb2CP4LsBXVRWKApMCcGCSqGSIb3DQEJDjEaMBgw
FgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaQ+vqo8W
gYNWpFXhse8ihHH4Nk1jtKTS25/eKge4WukCIEPuF38fRDMkF08zxb2MYWGHBD2w
iZB6i34Pvq5RsxME
-----END CERTIFICATE REQUEST-----

Decoded:

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (1 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String example.com
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010011011100110101100010111001011010010011110001000101100000001010…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (15 byte) 300D820B6578616D706C652E636F6D
                SEQUENCE (1 elem)
                  [2] (11 byte) example.com
  SEQUENCE (1 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
  BIT STRING (560 bit) 0011000001000100000000100010000001101001000011111010111110101010100011…
    SEQUENCE (2 elem)
      INTEGER (255 bit) 4752056421108518441151578761023877142206350592547055977270459534446338…
      INTEGER (255 bit) 3072563262386804320213910585892675670143331761642979495222111684847135…

In comparison your CSR:

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (2 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
          PrintableString SV
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String smakdev.net
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010000011001011101010010001100001110011110000010011100000001011001…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (54 byte) 3034820B736D616B6465762E6E6574820F7777772E736D616B6465762E6E657482146C…
                SEQUENCE (3 elem)
                  [2] (11 byte) smakdev.net
                  [2] (15 byte) www.smakdev.net
                  [2] (20 byte) launcher.smakdev.net
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
    NULL
  BIT STRING (512 bit) 0100111000000111001110001000010001101111010011010010101111010011001101…

I think the signature has to have the following structure instead of just concatenating both 32-byte values:

  BIT STRING
    SEQUENCE (2 elem)
      INTEGER
      INTEGER

When signing, the ECDSA algorithm generates two values. These values
are commonly referred to as r and s. To easily transfer these two
values as one signature, they MUST be ASN.1 encoded using the
following ASN.1 structure:

 Ecdsa-Sig-Value  ::=  SEQUENCE  {
      r     INTEGER,
      s     INTEGER  }
3 Likes

New cert request.
Same error,

-----BEGIN CERTIFICATE REQUEST-----
MIIBLjCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATr7Biw2rJ6a08Ypc91Fl6SvtOnKY0B
Avln55a09_AuWrbB5wzALELn40ibKFVs1v5FE0tI13Zbh4IIAlzZ_e9uoFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0YwRAIg
ygCmx0hNj4q2yFq7tycfHbfq-o0FmX7jg_8X2zt7pWECIHY9WLvUvXE_QBCaJhqf
D_MDJVnrnWcC2cRtJV2yRvNN
-----END CERTIFICATE REQUEST-----

OpenSSL can't make heads or tails of that CSR:

osiris@erazer tmp $ openssl asn1parse -i -in csr.pem 
Error: offset out of range
osiris@erazer tmp $

From a online parser: "Length over 48 bits not supported at position 1"

1 Like

Here is everything without breaklines in case i broke something

MIIBLjCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATr7Biw2rJ6a08Ypc91Fl6SvtOnKY0BAvln55a09_AuWrbB5wzALELn40ibKFVs1v5FE0tI13Zbh4IIAlzZ_e9uoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0YwRAIgygCmx0hNj4q2yFq7tycfHbfq-o0FmX7jg_8X2zt7pWECIHY9WLvUvXE_QBCaJhqfD_MDJVnrnWcC2cRtJV2yRvNN

And what my thing got from this

SEQUENCE (L: 302(0x012e)) UNIVERSAL
├──SEQUENCE (L: 213(0xd5)) UNIVERSAL
|  ├──INTEGER (L: 1(0x01)) UNIVERSAL
|  |  └──00
|  ├──SEQUENCE (L: 35(0x23)) UNIVERSAL
|  |  ├──SET (L: 11(0x0b)) UNIVERSAL
|  |  |  └──SEQUENCE (L: 9(0x09)) UNIVERSAL
|  |  |     ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |  |     |  └──2.5.4.6
|  |  |     └──PrintableString (L: 2(0x02)) UNIVERSAL
|  |  |        └──SV
|  |  └──SET (L: 20(0x14)) UNIVERSAL
|  |     └──SEQUENCE (L: 18(0x12)) UNIVERSAL
|  |        ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|  |        |  └──2.5.4.3
|  |        └──UTF8String (L: 11(0x0b)) UNIVERSAL
|  |           └──smakdev.net
|  ├──SEQUENCE (L: 89(0x59)) UNIVERSAL
|  |  ├──SEQUENCE (L: 19(0x13)) UNIVERSAL
|  |  |  ├──OBJECT IDENTIFIER (L: 7(0x07)) UNIVERSAL
|  |  |  |  └──1.10.134.72.206.61.2.1
|  |  |  └──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  |     └──1.10.134.72.206.61.3.1.7
|  |  └──BIT STRING (L: 66(0x42)) UNIVERSAL
|  |     └──0004ebec18b0dab27a6b4f18a5cf75165e92bed3a7298d0102f967e796b4f7f02e5ab6c1e70cc02c42e7e3489b28556cd6fe45134b48d7765b878208025cd9fdef6e
|  └──[0] (L: 80(0x50)) CONTEXT-SPECIFIC
|     └──SEQUENCE (L: 78(0x4e)) UNIVERSAL
|        ├──OBJECT IDENTIFIER (L: 9(0x09)) UNIVERSAL
|        |  └──1.10.134.72.134.247.13.1.9.14
|        └──SET (L: 65(0x41)) UNIVERSAL
|           └──SEQUENCE (L: 63(0x3f)) UNIVERSAL
|              └──SEQUENCE (L: 61(0x3d)) UNIVERSAL
|                 ├──OBJECT IDENTIFIER (L: 3(0x03)) UNIVERSAL
|                 |  └──2.5.29.17
|                 └──OCTET STRING (L: 54(0x36)) UNIVERSAL
|                    └──3034820b736d616b6465762e6e6574820f7777772e736d616b6465762e6e657482146c61756e636865722e736d616b6465762e6e6574
├──SEQUENCE (L: 12(0x0c)) UNIVERSAL
|  ├──OBJECT IDENTIFIER (L: 8(0x08)) UNIVERSAL
|  |  └──1.10.134.72.206.61.4.3.2
|  └──NULL (L: 0(0x00)) UNIVERSAL
└──BIT STRING (L: 70(0x46)) UNIVERSAL
   └──30440220ca00a6c7484d8f8ab6c85abbb7271f1db7eafa8d05997ee383ff17db3b7ba5610220763d58bbd4bd713f40109a261a9f0ff3032559eb9d6702d9c46d255db246f34d

That's also unparsable using the online decoder I mentioned above.

1 Like

This one seems to have a byte missing from the last one

MIIBLzCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpRQm4Ta1exZNEi3iR5MNcW7t08Tuyg86QGg5_RZENETM6nROfSeon3P8ABNp7NYPbThPwwig9-P55cTdXGeQVoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0cAMEQCIOuXCxsLvQ4WN7YoOos2-jBm8Ux45T0GvZBMnUxhXh4vAiDNVttMxbxmz5-ZWT89AUvdm1tjCef3hgtzb6gptiG7wQ

The CSR data should be base64 encoded, not base64url. If you replace "_" -> "/" and "-" -> "+" the CSR can be parsed:

# openssl req -noout -text
-----BEGIN CERTIFICATE REQUEST-----
MIIBLzCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpRQm4Ta1exZNEi3iR5MNcW7t08Tuy
g86QGg5/RZENETM6nROfSeon3P8ABNp7NYPbThPwwig9+P55cTdXGeQVoFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0cAMEQC
IOuXCxsLvQ4WN7YoOos2+jBm8Ux45T0GvZBMnUxhXh4vAiDNVttMxbxmz5+ZWT89
AUvdm1tjCef3hgtzb6gptiG7wQ==
-----END CERTIFICATE REQUEST-----
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SV, CN = smakdev.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e9:45:09:b8:4d:ad:5e:c5:93:44:8b:78:91:e4:
                    c3:5c:5b:bb:74:f1:3b:b2:83:ce:90:1a:0e:7f:45:
                    91:0d:11:33:3a:9d:13:9f:49:ea:27:dc:ff:00:04:
                    da:7b:35:83:db:4e:13:f0:c2:28:3d:f8:fe:79:71:
                    37:57:19:e4:15
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:smakdev.net, DNS:www.smakdev.net, DNS:launcher.smakdev.net
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:eb:97:0b:1b:0b:bd:0e:16:37:b6:28:3a:8b:36:
         fa:30:66:f1:4c:78:e5:3d:06:bd:90:4c:9d:4c:61:5e:1e:2f:
         02:20:cd:56:db:4c:c5:bc:66:cf:9f:99:59:3f:3d:01:4b:dd:
         9b:5b:63:09:e7:f7:86:0b:73:6f:a8:29:b6:21:bb:c1

but the verification still fails:

139696996119872:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:
SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (2 elem)
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
          PrintableString SV
      SET (1 elem)
        SEQUENCE (2 elem)
          OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
          UTF8String smakdev.net
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.10045.2.1 ecPublicKey (ANSI X9.62 public key type)
        OBJECT IDENTIFIER 1.2.840.10045.3.1.7 prime256v1 (ANSI X9.62 named elliptic curve)
      BIT STRING (520 bit) 0000010011101001010001010000100110111000010011011010110101011110110001…
    [0] (1 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
          SEQUENCE (1 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (54 byte) 3034820B736D616B6465762E6E6574820F7777772E736D616B6465762E6E657482146C…
                SEQUENCE (3 elem)
                  [2] (11 byte) smakdev.net
                  [2] (15 byte) www.smakdev.net
                  [2] (20 byte) launcher.smakdev.net
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.10045.4.3.2 ecdsaWithSHA256 (ANSI X9.62 ECDSA algorithm with SHA256)
    NULL
  BIT STRING (560 bit) 0011000001000100000000100010000011101011100101110000101100011011000010…
    SEQUENCE (2 elem)
      INTEGER (253 bit) -9.231699265102476e+75
      INTEGER (254 bit) -2.2914492877945727e+76

the structure seems ok now, but both integers look weird..

if i add a 0 in front off the integers

MIIBMTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREGL5IF1P2AnHPd9JcZxuklHXKOGfyjK3pGmm9SRgCVKS8FcgsR5K17w/pj0gdea9WylgOObVGhDFIcqzW4Xs1oFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0kAMEYCIQCXtej84SsAsaOKrirxvLInANyv6yIut/78AXiJjtTaogIhAJIclydQbAljImQE4uXXr9tKin0PpeWlLDOXch5kuxI4

Looks good:

# openssl req -noout -text -verify
-----BEGIN CERTIFICATE REQUEST-----
MIIBMTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREGL5IF1P2AnHPd9JcZxuklHXKOGfy
jK3pGmm9SRgCVKS8FcgsR5K17w/pj0gdea9WylgOObVGhDFIcqzW4Xs1oFAwTgYJ
KoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtk
ZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0kAMEYC
IQCXtej84SsAsaOKrirxvLInANyv6yIut/78AXiJjtTaogIhAJIclydQbAljImQE
4uXXr9tKin0PpeWlLDOXch5kuxI4
-----END CERTIFICATE REQUEST-----
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SV, CN = smakdev.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:44:18:be:48:17:53:f6:02:71:cf:77:d2:5c:67:
                    1b:a4:94:75:ca:38:67:f2:8c:ad:e9:1a:69:bd:49:
                    18:02:54:a4:bc:15:c8:2c:47:92:b5:ef:0f:e9:8f:
                    48:1d:79:af:56:ca:58:0e:39:b5:46:84:31:48:72:
                    ac:d6:e1:7b:35
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:smakdev.net, DNS:www.smakdev.net, DNS:launcher.smakdev.net
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:97:b5:e8:fc:e1:2b:00:b1:a3:8a:ae:2a:f1:
         bc:b2:27:00:dc:af:eb:22:2e:b7:fe:fc:01:78:89:8e:d4:da:
         a2:02:21:00:92:1c:97:27:50:6c:09:63:22:64:04:e2:e5:d7:
         af:db:4a:8a:7d:0f:a5:e5:a5:2c:33:97:72:1e:64:bb:12:38
1 Like

When i tried i got the same error.

-----BEGIN CERTIFICATE REQUEST-----
MIIBMTCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASq9YAef40RPpmSaoB80hAL7zgQlQ0bhzaWnPHA2Ka7cxjmXWXerIY2lEP4uTe7HIEbvbeaelTAGY+Tdj2p9rIHoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0kAMEYCIQBiqg/kEGKxzKRFtWvtd8wqtc6PDjb0lnOYQE+8EGLyzQIhAFEg0Xme57IhuWJW/1HaKuTcyjeD3cBXoYRyk6Wq3U4H
-----END CERTIFICATE REQUEST-----

the integers seem to be 255 bits in this request and was 256 in the last one

Verification of the above CSR fails again:

140551506605376:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:

Can you try it with this one? This should work.

Seems to "work".
It crashes because i just give it this and no private key.

but it's made using pebble, and it says that you should not use them.

If my theory is correct this should work.

MIIBMDCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrjUcTneMlpvzNZ59jcOXQqk2gqF3dO7SOuF4/45ZiHbWekhJK9EFlAwH0G0dWDzysYsQgOGHr/aTmLKAKJk+AoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0gAMEUCIQCjm0q0WlCfjTQyLH6Zgn0XqLRPHU4T/eJc3FSa4E2cYQIgQf7PrYTHGfyhT7hdImt+tiec39mpVnUF8vAYOtojclk=

But maby not.

Looks good:

# openssl req -noout -text -verify
-----BEGIN CERTIFICATE REQUEST-----
MIIBMDCB1QIBADAjMQswCQYDVQQGEwJTVjEUMBIGA1UEAwwLc21ha2Rldi5uZXQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrjUcTneMlpvzNZ59jcOXQqk2gqF3dO7SOuF4/45ZiHbWekhJK9EFlAwH0G0dWDzysYsQgOGHr/aTmLKAKJk+AoFAwTgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0ggtzbWFrZGV2Lm5ldIIPd3d3LnNtYWtkZXYubmV0ghRsYXVuY2hlci5zbWFrZGV2Lm5ldDAMBggqhkjOPQQDAgUAA0gAMEUCIQCjm0q0WlCfjTQyLH6Zgn0XqLRPHU4T/eJc3FSa4E2cYQIgQf7PrYTHGfyhT7hdImt+tiec39mpVnUF8vAYOtojclk=
-----END CERTIFICATE REQUEST-----
verify OK
1 Like

So that problem is fixed (needed to add a 0 in front of the integers only if the first byte was negative).

So to conclude this:
The thing mensioned above.
I had the wrong format on the signature.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.