help-gnutls

Re: Generating EC keys with certtool


From: Fabrice Gautier
Subject: Re: Generating EC keys with certtool
Date: Thu, 10 Nov 2011 11:44:05 -0800

On Thu, Nov 10, 2011 at 11:16 AM, Nikos Mavrogiannopoulos
<address@hidden> wrote:
> On 11/10/2011 07:48 PM, Fabrice Gautier wrote:
>
>> Ahah, so it happens to work on one of my machines, but not on the other two.
>> The machine where it works is a mac running Lion, the other two are
>> macs running SnowLeopard.
>> I'm recompiling gnutls from source on all of them, openssl is also
>> recompiled (either from source or through macports) so I'm guessing
>> that something went wrong while compiling. On some machines, I used the
>> gmp that came with macports, on others I recompiled myself, so who
>> knows where the problem lies...
>> Is there a way to verify a CSR with gnutls's certtool ?
>
> What do you mean verify a CSR? Verify the self signature? That is being
> done automatically when it is signed.

Ah yes, I see that. Openssl has a command to verify without signing.

The reason I'm not using certtool to generate the request is that I
already had a script to generate certs using openssl. The only reason
I used certtool for the key was that gnutls does not read openssl ec
keys (That's the issue I reported a few days ago).


After investigating, it appears that the problem lies in gnutls
generating a bad EC key on the BAD system. Both gnutls and openssl (on
both GOOD and BAD systems) will happily generate a CSR using that bad
key, but both will fail the verification when trying to sign the CSR.

The rest of gnutls on the BAD system seems to work fine, I have been
using the BAD system as a server, using keys and certs that were
generated on the GOOD system.

At least that's what it looks like so far...  I'm attaching what I
think is a BAD key if anybody wants to poke at it.



> regards,
> Nikos
>

Attachment: ClientKey.ecc.pem
Description: Binary data

