How to insert a public key and hash signature generated in a smart card into a CSR with OpenSSL APIs

StackOverflow https://stackoverflow.com/questions/16384158

  •  14-04-2022

Question

1) I am generating a key file and a CSR with the help of openssl commands. When displaying the CSR information with the command "openssl req -in test_csr.pem -noout -text", I get the following output:

Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: C=GB, O=Test
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus (2048 bit):
                00:a6:af:51:e9:23:65:50:27:14:83:f5:c8:11:10:
                b1:03:0b:c7:0d:2d:ae:09:81:d9:f8:31:ad:8e:d7:
                8e:65:a8:e0:d4:b4:7e:f9:3e:99:fa:b0:43:5d:e0:
                41:7a:ee:9f:90:3d:05:c0:6f:80:bb:bb:9e:dd:64:
                1e:15:89:0c:bc:e6:3d:76:4e:d0:ef:5c:e4:de:34:
                00:d0:ac:5c:e4:f8:73:b7:22:12:81:30:28:85:cd:
                5a:bb:d6:28:c3:dc:01:67:f5:56:3a:3f:01:f3:d7:
                8f:d9:19:67:90:1e:23:24:b0:58:e9:80:44:c9:36:
                ae:2b:c3:81:a3:ce:de:af:8b:32:33:7d:f7:81:d7:
                80:b8:d2:97:ce:8b:f3:21:2b:e8:e2:96:d0:b1:3f:
                cc:dc:18:18:c1:e7:99:81:2a:e9:45:20:b7:80:39:
                b3:5d:b3:ab:61:6a:61:f3:e1:7c:32:b7:a8:29:1a:
                b2:e1:02:81:42:1f:b4:c3:7f:bf:21:f6:2d:4f:ec:
                19:d4:3a:d4:bf:90:8a:3b:f0:24:cf:83:1b:21:ab:
                b2:cb:15:38:f2:ac:1d:80:ba:33:2b:c8:f4:8d:52:
                90:7a:25:2b:e5:08:68:a2:f2:84:61:2f:24:48:a9:
                25:97:85:28:64:52:f9:15:91:eb:36:c6:d9:98:08:
                09:d3
            Exponent: 65537 (0x10001)
    Attributes:
        a0:00

Now when I edit the key file in DER format with a hex editor, I get the following data

I observe that in addition to the key (from byte 33) as it is displayed in the previous step, there is extra data before the key (first 32 bytes) and after the key (last 5 bytes). Does somebody know where the extra information comes from and how to decrypt it?

2) I have to test a configuration where the key pair (private and public) and the hash signature are generated in a smart card with the help of vendor APIs. With a first API I get the public key and its length from the smart card. With a second API I get the hash signature data and its length. I guess that the public key can be inserted in the CSR with the openssl X509_REQ_set_pubkey API (is that correct?). The question is: is there an existing openssl API I can use to insert the hash signature in the CSR (something like X509_REQ_sign but without the hashing and signature process, which has already been done by the smart card)? Thanks. P.L.


Solution

The first 256 bytes should be a structure describing the certificate's owner (Subject, algorithm, etc). The last 5 bytes are the RSA public exponent - 65537 in ASN.1 encoding. To get more information, use an ASN.1 decoder (or the openssl asn1parse command).

Unfortunately I don't know of such a function in OpenSSL and don't have time to dig into their sources, but at least it is possible to form the CSR ASN.1 structure manually; that's not that hard.
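As an added example (not part of the original question or answer, and not OpenSSL code), the following sketch forms the CSR ASN.1 structure by hand as the answer suggests, using the subject C=GB, O=Test and the empty attributes (a0:00) from the question's output. It assumes the card returns a PKCS#1 v1.5 signature with SHA-256 over the bytes it is given; `sign_on_card` is a hypothetical callback standing in for the vendor API, and `fake_card_sign` with its toy key is constructed test data.

```python
import hashlib

def tlv(tag, body):
    """DER tag-length-value, definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):
    # Non-negative INTEGER; the +1 byte keeps the sign bit clear.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def bitstr(data):
    return tlv(0x03, b"\x00" + data)  # leading 0x00 = no unused bits

RSA_ENC = bytes.fromhex("06092a864886f70d0101010500")     # rsaEncryption, NULL
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b0500")  # sha256WithRSAEncryption, NULL
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix

def rdn(oid_hex, text):
    return tlv(0x31, seq(bytes.fromhex(oid_hex), tlv(0x13, text.encode())))

def rsa_public_key(n, e):
    return seq(der_int(n), der_int(e))

def request_info(n, e):
    """CertificationRequestInfo (RFC 2986): the exact bytes that get signed."""
    subject = seq(rdn("0603550406", "GB"), rdn("060355040a", "Test"))  # C=GB, O=Test
    spki = seq(seq(RSA_ENC), bitstr(rsa_public_key(n, e)))
    return seq(der_int(0), subject, spki, tlv(0xA0, b""))  # a0 00 = no attributes

def build_csr(n, e, sign_on_card):
    info = request_info(n, e)
    return seq(info, seq(SHA256_RSA), bitstr(sign_on_card(info)))

# Constructed stand-in for the card: a toy key from two Mersenne primes (insecure).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def fake_card_sign(tbs):
    """PKCS#1 v1.5 signature over SHA-256(tbs), as a card might return it."""
    k = (N.bit_length() + 7) // 8
    t = DIGEST_INFO + hashlib.sha256(tbs).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")

CSR_DER = build_csr(N, E, fake_card_sign)
```

Writing `CSR_DER` to a file lets it be inspected with `openssl req -inform DER -in <file> -noout -text -verify`.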

Licensed under: CC-BY-SA with attribution