This is not a sure thing, but from a quick scan of your code, it looks
like you are constructing an incomplete certificate in memory, which
might hurt you further down the road, i.e. when transmitting the cert,
which is then checked by the other party.

Specifically, check the code to construct public key carrying
certificates in, for instance, x509/mkcert.c, demos/selfsign.c, and a
few others:

X509_new()[*] X509_set_version() // use 2 or 3[*] X509_set_serialNumber();[*] X509_set_notBefore() // valid from[*] X509_set_notAfter() // valid until
X509_set_pubkey()[*] X509_set_subject_name()[*] X509_set_issuer_name()[*] X509_sign()

see also library API call X509_REQ_to_X509(), which goes through the
same motions as that call has to deliver a freshly constructed
certificate; the same goal (only from a different starting point) as
you mentioned.

If an analogy helps to explain why you need 'all this', think of a
certificate as a passport. Doesn't matter which country you live, your
passport always comes with a serial (letters and numbers); if it
doesn't, you have something to explain to Mr. Customs Officer. ;-)
There's also the version for human passports: modern ones come with
smartcards embedded and other gadgets the old ones didn't have; the
country you're visiting might not accept antique ones anymore.
Every passport comes with your name and picture (you = subject), shows
in print in who's name it was issued (in the Netherlands, that'd be
the mayor of your town, a.k.a. the issuer) and both dates are in there
as well. Plus, last but not least, your signature.

Your code produces a blank passport with only your signature in it.
Out in the real world, that sort of thing would fetch a hefty sum in
the right circles, if you get my meaning ;-)

There may be other issues, but this at least should get you on the road again.

Last bit: you might want to play safe and add a key check:
RSA_check_key; see also the OpenSSL book. It might feel superfluous,
but better safe then sorry, eh.

And to test your in-memory generated cert, it might be handy to add a
bit of simple test code which writes that cert to disc, so you can
apply other tools to it to make sure it is /indeed/ what you need and
fully comparable to your other disc-based certificates: you may
require extensions or other bits in there as well to make the other
party (client or server).happy.



On Thu, Nov 6, 2008 at 11:03 AM, Michael Simms wrote:
> Hi,
> I posted this last week, and a couple of people said they could help
> but then, I havent heard any more.
> If someone has any ideas, they would be gratefully appreciated.
> I am having a bit of a problem generating a set of new keys.
> I have code that works just fine when using a pair of imported keys
> from a file generated from the openssl commandline.
> However when I try and use RSA_generate_key, I can obtain the public
> and private keypair, they validate using SSL_CTX_check_private_key,
> yet, they cause SSL_connect on the client to complain
> error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
> I have the code for generating the keys up for scrutiny at
> Any suggestions gratefully appreciated.
> __________________________________________________ ____________________
> OpenSSL Project
> User Support Mailing List
> Automated List Manager

Met vriendelijke groeten / Best regards,

Ger Hobbelt

mobile: +31-6-11 120 978
__________________________________________________ ____________________
OpenSSL Project
User Support Mailing List
Automated List Manager