Hi, ab
First of all, thank you for this very powerful framework.
I want to generate a CSR file from a private key and public key:
var
  pem: TCertPem;
  CryptCertFields: TCryptCertFields; //record
  LPFields: PCryptCertFields;
  priv: RawUtf8;
  csr: RawUtf8;
  CryptCertAlgo: TCryptCertAlgo;
begin
  CryptCertFields.Country := 'US';
  CryptCertFields.CommonName := 'aaaaa';
  CryptCertFields.EmailAddress := 'a@b.com';
  LPFields := @CryptCertFields;
  pem := Memo1.Lines.Text;
  priv := pem;
  //priv := '';
  CryptCertAlgo := TCryptCertAlgo.Create('aes-256-cfc'); //what is algoname
  csr := CryptCertAlgo.CreateSelfSignedCsr('', '', priv, [], LPFields);
It raises an error: TCryptCertAlgo.Create('aes-256-cfc' does not support a custom private key.
I changed the algorithm to
es-256-gcm
aes-256-ofb
aes-256-cbc
aes-256-ctr
with no success.
Last edited by anouri (2024-08-14 08:07:44)
Offline
AES is an encryption algorithm, not a public key encryption algorithm.
The algorithms are pre-allocated at startup.
Do not call Create() on them, but use the global variables, or the corresponding factory function, e.g. as CertAlgo('x509-es256').
Here is an example of how it works (with OpenSSL for instance):
procedure TestCreateCsr();
var
  AKey: RawUtf8;
  aCSR: RawByteString;
  f: TCryptCertFields;
begin
  f.EmailAddress := 'hubert@reeves.ca';
  f.Organization := 'Perso';
  //RegisterOpenSsl;
  aCSR := CryptCertOpenSsl[caaRS256].CreateSelfSignedCsr(
    'hubert-test', '', AKey, [cuTlsClient, cuDigitalSignature, cuCodeSign, cuCA], @f);
  FileFromString(aCSR, '/tmp/test.csr');
end;
You can use CryptCert[caaRS256] if you don't include OpenSSL, but use our mormot.crypt.x509.pas unit (which should be part of your project).
Offline
CryptCertOpenSsl[caaRS256] is not created and raises an AV.
I tried CryptCertOpenSsl[caaRS256] := TCryptCertAlgo.Create('ES256');
and
CryptCertOpenSsl[caaRS256] := TCryptCertAlgo.Create('');
with no success!
Last edited by anouri (2024-08-14 09:47:58)
Offline
There are two options, choose the appropriate one:
1. Include mormot.crypt.openssl and mormot.lib.openssl11, define USE_OPENSSL and FORCE_OPENSSL in project options and call RegisterOpenSsl. Then use CryptCertOpenSsl[caaRS256].
2. Include mormot.crypt.x509, call RegisterX509 and then use CryptCert[caaRS256].
Last edited by Chaa (2024-08-14 10:24:32)
Offline
OpenSSL is disabled by default. I think mormot.crypt.x509 is better.
Offline
I was able to generate the csr file using the suggested method and with mormot.crypt.x509. But I can't fill the field 2.5.4.5 or serialnumber. There is no such field.
Offline
Because the serial number is generated from random when the certificate is actually created.
I guess it is due to the fact that otherwise, you may have duplicates, since a CSR can be used to generate several certificates.
This is what the RFC documents, AFAIR:
https://datatracker.ietf.org/doc/html/rfc2986
Offline
But I do it with another third-party component now. I want to change it to mORMot.
CkCsr_SetSubjectField(csr,'2.5.4.5', pchar(Shenase) ,'UTF8String');
Offline
There is a taxpayer system that requires the national code of individuals or the company's national ID in this field to produce a certificate in field 2.5.4.5.
Therefore, I have no choice and I have to fill this field so that I can send an invoice to the government taxpayer system. Is there no solution?
Last edited by anouri (2024-08-22 08:50:04)
Offline
I am sorry, I confused the X.509 Certificate main "Serial Number", which is a fixed 160-bit integer, with this XName "SER" field.
Please try
https://github.com/synopse/mORMot2/commit/80f1e0ae
Offline
The problem is solved. Thank you very much.
Offline
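The subject attribute this thread ends up being about, as an added example that is not from any post or from mORMot: stdlib-only Python that DER-encodes an X.501 subject Name carrying OID 2.5.4.5 and reads it back, showing that it is a subject attribute stored in the CSR, separate from the certificate serial number assigned at issuance. All function names and sample values are constructed for illustration.

```python
def tlv(tag, body):
    """DER tag-length-value with short or long definite length."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = [n] if n < 0x80 else [0x80 | len(size), *size]
    return bytes([tag, *head]) + body

def oid(dotted):  # arcs above 127 are split into base-128 continuation bytes
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def subject_name(attrs):
    """attrs: (dotted_oid, string_tag, text) tuples, one RDN each."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, oid(o) + tlv(t, s.encode())))
                              for o, t, s in attrs))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long form length
        end = pos + (n & 0x7F)
        n, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def subject_values(name, dotted):
    """Return [(string_tag, text)] for every subject attribute with this OID."""
    want, hits = oid(dotted), []
    (_, rdns, _), pos = read_tlv(name, 0), 0
    while pos < len(rdns):
        (_, rdn, pos), p = read_tlv(rdns, pos), 0   # SET OF AttributeTypeAndValue
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)            # SEQUENCE { type, value }
            _, raw, q = read_tlv(atv, 0)            # OBJECT IDENTIFIER
            tag, val, _ = read_tlv(atv, q)          # string value
            if tlv(0x06, raw) == want:
                hits.append((tag, val.decode("utf-8")))
    return hits

# Constructed sample (placeholder ID); 0x13 PrintableString, 0x0C UTF8String.
SAMPLE = [("2.5.4.6", 0x13, "US"), ("2.5.4.3", 0x0C, "aaaaa"),
          ("2.5.4.5", 0x0C, "0000000000")]
```

RFC 5280 defines X520SerialNumber as PrintableString, while the call quoted in the thread passes 'UTF8String', so check which string tag the receiving system expects.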