I want to create an X.509 certificate and self-sign it with an EdDSA (Ed25519) private key!
So I tried the following example from the documentation: https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html
```cpp
EVP_PKEY* server::generate_privatekey()
{
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
    if(EVP_PKEY_keygen_init(pctx) <= 0){
        std::cout << "keygen init fail\n" << std::endl;
    }
    //EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, NID_ED25519);
    //gives return value -1 in combination with EVP_PKEY_CTX_new_id(EVP_PKEY_EC , NULL);
    //EVP_PKEY_EC != eddsa (ecdsa/ecdh only?)
    //gives return value 0 in combination with EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519 , NULL);
    if(EVP_PKEY_keygen(pctx, &pkey) <= 0){
        std::cout << "keygen fail\n" << std::endl;
    }
    //////////KEYPAIR CHECK///////////
    int chk = EVP_PKEY_check(pctx);
    if(chk == 1){
        std::cout << "key pair valid: " << chk << std::endl;
    }
    else if(chk == -2){
        std::cout << "algorithm not supported: " << chk << std::endl;
    }
    else{
        std::cout << "keypair error: " << chk << std::endl;
    }
    //////////////////////////////////
    EVP_PKEY_CTX_free(pctx);
    return pkey;
}
```
https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_check.html
EVP_PKEY_check() gives return value 0 ("keypair error")!
EVP_PKEY_public_check() gives the same result.
I think this is why I get a return value of 0 (failure) from X509_sign():
```cpp
string server::Generate_x509(EVP_PKEY* pkey)
{
    //////////////////////////////////////////////////////
    //set expiration = 10 years
    time_t exp;
    time(&exp);
    exp += 315360000;
    //create x509 structure
    X509* x509 = X509_new();
    //set serial to 420
    if(ASN1_INTEGER_set(X509_get_serialNumber(x509), 420) == 0){
        std::cout << "asn1 set serial number fail\n" << std::endl;
    }
    //set start & expiration time
    if(X509_time_adj_ex(X509_getm_notBefore(x509), 0, 0, 0) == NULL){
        std::cout << "set time fail\n" << std::endl;
    }
    if(X509_time_adj_ex(X509_getm_notAfter(x509), 0, 0, &exp) == NULL){
        std::cout << "set end time fail\n" << std::endl;
    }
    //set public key
    if(X509_set_pubkey(x509, pkey) == 0){
        std::cout << "set pubkey fail\n" << std::endl;
    }
    //sign certificate with private key
    if(X509_sign(x509, pkey, EVP_sha512()) == 0){
        std::cout << "sign fail\n" << std::endl;
        return "Creating certificate failed...\n";
    }
    FILE* f;
    f = fopen("key.pem", "wb");
    PEM_write_PrivateKey(
        f,                      /* write the key to the file we've opened */
        pkey,                   /* our key from earlier */
        EVP_aes_256_cbc(),      /* default cipher for encrypting the key on disk */
        (unsigned char*)"aaa",  /* passphrase required for decrypting the key on disk */
        3,                      /* length of the passphrase string */
        NULL,                   /* callback for requesting a password */
        NULL                    /* data to pass to the callback */
    );
    fclose(f);
    f = fopen("cert.pem", "wb");
    PEM_write_X509(
        f,      /* write the certificate to the file we've opened */
        x509    /* our certificate */
    );
    fclose(f);
    return "Certificate created successfully\n";
}
```
With a generated RSA key everything works fine.
This example also works, but not with my parameters (see the code above):
Generate an EC key with OpenSSL 1.1 using only 1 EVP_PKEY
I am using OpenSSL v1.1.1i.
I hope this question isn't too stupid..
Regards