Question

I'm using EC and trying to create CMS with OpenSSL function CMS_sign() and get the following error: (X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_VALUES_MISMATCH).

X509 certificate was generated by server side, I just provided public key. How could I get more information about what is wrong with my private key or X509 certificate?


Solution

How could I get more information about what is wrong with my private key or X509 certificate?

There are a few things you can do (notwithstanding your answer of using a correct key pair :).

First, you should run any keys you load through EC_KEY_check_key. Loading a key only checks that it's well-formed PEM or DER encoded. EC_KEY_check_key performs the checks you expect, like making sure the base point is on the curve and the public point (public key) is the base point raised to the private exponent (private key).

An example of OpenSSL loading a bad key is at Private key generated by openssl does not satisfy n = p * q. In the code provided, an invalid key was loaded. It loaded fine because it was well-formed PEM. But n = p * q did not hold, which made the key itself invalid.

EC_KEY_check_key is kind of lame. It returns 1 if the key is valid, 0 otherwise. Other library-provided key checks, like DH_check_key, return a bit mask of failures (like "p is not prime" and "g is not a generator", etc).

If the key is valid, then you can check a certificate under the key. Checking a certificate is answered in Check that a file is certificate or a key, so I won't repeat it here. The short answer: use X509_verify and X509_verify_cert. Both return 1 on success and 0 on failure.

You can retrieve X509_verify's failure code through ERR_get_error, while you get the X509_verify_cert failure code from X509_STORE_CTX_get_error. The X509_verify_cert errors will be from those listed at X509_STORE_CTX_get_error(3), and include X509_V_OK and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.
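The two checks described above, reproduced with the openssl command line as an added example (not code from the original answer): step 1 is the CLI equivalent of EC_KEY_check_key, step 2 the equivalent of X509_check_private_key, which is what fails with X509_R_KEY_VALUES_MISMATCH; the fixtures (PEM files, a P-256 key, a self-signed cert) are constructed here for the demo.

```shell
#!/bin/sh
# Added example: diagnose an EC private key / X.509 certificate pair.
# Prints exactly one verdict word on stdout (ok, bad-key or key-mismatch);
# the diagnostic detail goes to stderr. Returns non-zero on any failure.
check_pair() {
    key="$1"
    cert="$2"
    # 1. Validate the key itself (what EC_KEY_check_key does): curve
    #    parameters, point on curve, public point = private scalar * G.
    if ! detail=$(openssl ec -in "$key" -check -noout 2>&1); then
        printf 'key check failed: %s\n' "$detail" >&2
        echo "bad-key"
        return 1
    fi
    # 2. Compare the SubjectPublicKeyInfo carried in the certificate with
    #    the one derived from the private key (what X509_check_private_key
    #    does). Both commands emit SPKI PEM, so a text comparison suffices.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        printf 'public key in %s does not match %s\n' "$cert" "$key" >&2
        echo "key-mismatch"
        return 1
    fi
    echo "ok"
}

# Constructed fixtures: a P-256 key, a self-signed cert for it, and a second,
# unrelated P-256 key that reproduces the mismatch from the question.
make_fixtures() {
    dir=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=example" -days 1 \
        -out "$dir/cert.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixtures)
    check_pair "$d/key.pem" "$d/cert.pem"      # ok
    check_pair "$d/other.pem" "$d/cert.pem"    # key-mismatch
fi
```

Run with `sh script.sh demo`; a certificate handed to the key slot is reported as bad-key, since `openssl ec -check` rejects it before the comparison is reached.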

OTHER TIPS

Problem was in public key. Public key from X509 certificate doesn't match public key from private key. Question is not useful so someone please close/delete it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow