IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  Problem creating CSR 8/2004

    Posted Mon May 02, 2022 04:30 PM
    Hello everyone,

    I'm creating a new RSA key pair and then trying to use that to create a CSR.

    When I call the CSNDPIC API, I pass a label for the RSA key pair, a subject name, and no extensions or reserved fields.

    I get a RC=8 RSN=2004 (decimal). This tells me that I have a length problem. But for the life of me I'm not sure where that is.

    The private key identifier can be a label. Labels can be up to 64 characters long. I created one with 15 characters when I saved the key pair in the PKDS. I'm using that label to identify the key pair for use. I've tried a length of 64 characters. I've tried a length of 15 characters. Both return the error.

    The subject name length is the exact length of my string: C=US,O=MYORG,OU=MYORGDEPARTMENT,CN=MYPUBCERT. I can't for the life of me see anything wrong with this data or the length passed.

    I'm using array values: PK10SNRQ, SELFSIGN, SNDCLEAR, PEM-FMT, U-KEYENC, RSA & SHA-256.

    The extension and reserve field lengths are zero.

    The certificate input length is 3500. I am expecting a different value returned on a successful call.

    Anyone have any ideas where I can look to fix this?

    • priv key id length
    • subject name length
    • certificate length

    are all that I can think of to fix. The priv key id length is my most likely candidate. But not a clue what I did wrong.

    Thanks for your help.

    -Mark

    ------------------------------
    Mark Vollmer
    ------------------------------


  • 2.  RE: Problem creating CSR 8/2004

    Posted Tue May 03, 2022 10:10 AM
    Hello, Mark. Looking at the checking, I see the following validations:
    Before we send a request to the card:
    If subject_private_key_identifier_length is negative, 0, or more than 3500, fail with 8/2004
    If subject_name_length is negative, 0, or more than 400, fail with 8/2004
    If extensions_length is more than 1000, fail with 8/2004
    If certificate_length is negative, 0, or more than 3500, fail with 8/2004
    If any of reserved1_length, reserved2_length, reserved3_length, reserved6_length are non-zero, fail with 8/2004

    After we send a request to the card:
    If the returned certificate length is larger than certificate_length, fail with 8/2004

    Since you are using a label, the subject_private_key_identifier_length must be 64 (as you tried) as all labels are exactly 64 bytes long, left-justified and padded with blanks. Can you send a list of all the parms with any sensitive values redacted?

    I'm wondering if one of the lengths is not a 32-bit integer. That is a common cause for the 8/2004 that you are seeing (such as passing a 16-bit integer instead).

    ------------------------------
    Eric Rossman
    ------------------------------
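
An added example, not part of the thread and not IBM code: a Python pre-flight check that mirrors the length validations listed in the reply above and shows how a 16-bit length read as a 32-bit big-endian integer lands outside the limits. The label `MY.RSA.KEYLABEL`, the function names and the adjacent storage bytes are assumptions made for illustration; character encoding (EBCDIC) is not modelled.

```python
import struct

LABEL_LEN = 64  # per the reply: labels are exactly 64 bytes, blank-padded

# (parameter, lowest accepted, highest accepted); None = no lower bound stated
LIMITS = [
    ("subject_private_key_identifier_length", 1, 3500),
    ("subject_name_length", 1, 400),
    ("extensions_length", None, 1000),
    ("certificate_length", 1, 3500),
]
MUST_BE_ZERO = ("reserved1_length", "reserved2_length",
                "reserved3_length", "reserved6_length")

def pad_label(label):
    """Left-justify a key label and pad it with blanks to 64 characters."""
    if len(label) > LABEL_LEN:
        raise ValueError("label longer than 64 characters")
    return label.ljust(LABEL_LEN)

def preflight(lengths):
    """Return the names of length parameters that would fail with 8/2004."""
    bad = []
    for name, low, high in LIMITS:
        value = lengths[name]
        if (low is not None and value < low) or value > high:
            bad.append(name)
    bad += [name for name in MUST_BE_ZERO if lengths.get(name, 0) != 0]
    return bad

def read_fullword(storage, offset=0):
    """Interpret 4 bytes as a signed 32-bit big-endian integer."""
    return struct.unpack_from(">i", storage, offset)[0]

# Constructed sample values modelled on the first post (label is hypothetical).
label = pad_label("MY.RSA.KEYLABEL")
subject = "C=US,O=MYORG,OU=MYORGDEPARTMENT,CN=MYPUBCERT"
lengths = {
    "subject_private_key_identifier_length": len(label),
    "subject_name_length": len(subject),
    "extensions_length": 0,
    "certificate_length": 3500,
}
# A 16-bit 64 followed by two constructed bytes of adjacent storage (zeros).
halfword_field = struct.pack(">h", 64) + b"\x00\x00"

if __name__ == "__main__":
    print(preflight(lengths))             # parameters that would be rejected
    print(read_fullword(halfword_field))  # the halfword seen as a fullword
```

The range checks cannot tell whether a label length of 15 is wrong, since 15 is within 1 to 3500; the requirement that a label be passed as 64 bytes is handled by `pad_label`.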



  • 3.  RE: Problem creating CSR 8/2004

    Posted Tue May 03, 2022 10:28 AM
    Edited by Mark Vollmer Tue May 03, 2022 10:37 AM
    Eric,

    Thanks for the memory jog. As I went through to look at the lengths, I also went through the parameter list.

    I had noticed in the beginning that reserved field 5 did not have a length. But for some strange reason, I did not notice that reserved field 4 did not have a length either. I have an extra parameter in my list that needs to be removed.

    Now that I've removed the extra parameter, the call works just fine.

    I'm sorry that I wasted your time. The exchange did a world for me though. It got me out of my tunnel vision.

    Thanks very much for your help.


    -Mark

    ------------------------------
    Mark Vollmer
    ------------------------------



  • 4.  RE: Problem creating CSR 8/2004

    Posted Tue May 03, 2022 10:59 AM
    There's no time wasted at all if we got your application working. Always happy to help.

    ------------------------------
    Eric Rossman
    ------------------------------