Hey

I am facing a problem that I have narrowed down to this:

I have two certificates, one being signed by the other.
The attached code is a python code that uses M2Crypto to check for that fact, and it turns out, on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1.

I apologize that I am not able to write a pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :)

The m2crypto guys tell me they are essentially just passing stuff along to openssl’s function X509_verify as described here:
https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html

and this says, I quote:

  X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was invalid or some other error occurred then -1 is returned.

So my question here is, how do I go about figuring out what ‘some other error’ might be in my case?

I was wondering, for example, if it could just be a missing library or something along this line, as my understanding is that the range of algorithms, ciphers, and other hashes can be configured at build-time.
What tools can I use to look in this direction?

So far it looks like the problem happens on fedora installations, while the code behaves as expected on macos and ubuntus.
I have not been able to assess that on a wide variety of installations yet.

Thanks for any hint
#!/usr/bin/env python

import M2Crypto

# p1: the certificate whose signature is being checked
p1 = """-----BEGIN CERTIFICATE-----
MIICOjCCAaOgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAXMRUwEwYDVQQDEwxvbmVs
YWIuaW5yaWEwHhcNMTQwODE4MTMzMDQ5WhcNMTkwODE3MTMzMDQ5WjArMSkwJwYD
VQQDFCBvbmVsYWIuaW5yaWEudGhpZXJyeV9wYXJtZW50ZWxhdDCBnTANBgkqhkiG
9w0BAQEFAAOBiwAwgYcCgYEAqK1lKNf61lAGYAXzG6xKnFQkfv3ViG0GP2Krp1zD
7d/93IkmsXVEjLfGhEJQjRjzRc9/gFdATP703cDzp4Ag2eR2wdQz0e6SXOBd2sLu
W3LqTwor1XMmp5f0QCOg5OSKXwozE3Tlt0+ewBNvAE8HWwZFjou5CFnrFMVZPjqf
hpUCASOjgYMwgYAwDAYDVR0TAQH/BAIwADBwBgNVHREEaTBnhjZ1cm46cHVibGlj
aWQ6SUROK29uZWxhYjppbnJpYSt1c2VyK3RoaWVycnlfcGFybWVudGVsYXSGLXVy
bjp1dWlkOjhlZTVhYWJlLTVhMTYtNGFjNS1hMThmLTdjYTE0NWFmMjg1YTANBgkq
hkiG9w0BAQQFAAOBgQCcjZnVO9vXmX/4a0kY34g87rxsk/9zOV7LqmSoCd66Qf5y
mRIJ/WCpCKJHQA2PU/LWBGS+Iv/E2z3cYrah02TkCGYB7Nzps5n40jQVI93UC4k7
uN73t6fwXwzM6i238LfbQUpTmqOL022mw06jbNhDl2ohhiXVKoCCQMG+7EyQjg==
-----END CERTIFICATE-----
"""

# p2: the certificate whose public key is used for the check
p2 = """-----BEGIN CERTIFICATE-----
MIICFzCCAYCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZvbmVs
YWIwHhcNMTMxMjIzMTUwMDE0WhcNMTgxMjIyMTUwMDE0WjAXMRUwEwYDVQQDEwxv
bmVsYWIuaW5yaWEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7irzhKl2iR
hRcO88n+R88zqdPKUNGKTcKErKpb8XNb5legIXAPKQvrB5dANuz02ptBs1FHeCqF
S+D6kond4F9DZrQm6Z2RRZltZfOs78JtY56KvjYkbnKfBkgmQLIDDLTrZV6xBt33
lblKwvzXCuQA5qP7Vu+Jvqyf5Oxo1MQFAgMBAAGjeTB3MA8GA1UdEwEB/wQFMAMB
Af8wZAYDVR0RBF0wW4YqdXJuOnB1YmxpY2lkOklETitvbmVsYWI6aW5yaWErYXV0
aG9yaXR5K3Nhhi11cm46dXVpZDozNzgzNzdlZi0wMGFlLTQ0N2YtOGZkOC0xZTNm
ZWJjNmQ5NzkwDQYJKoZIhvcNAQEEBQADgYEANuSaNpw3Z/+01bZPi7V9YFzyetUk
wj+aX0oj5xqECryLwemSc386caYxoNLxRiJinh1rfls45G1Nsm7lKHQTheWK55vC
sqHK3lDFu4m9LqnHct1bOO/tx3lNxR4PrcoiMWBUhHCzjOx6xKI1llbDP7G4Y76o
gHZYoVJPwm30wuE=
-----END CERTIFICATE-----
"""

c1 = M2Crypto.X509.load_cert_string(p1)
c2 = M2Crypto.X509.load_cert_string(p2)

# verify c1's signature against c2's public key
k2 = c2.get_pubkey()
v = c1.verify(k2)
# 1 = signature valid, 0 = check failed, -1 = could not be checked
print("v = {}".format(v))
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
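
One way to look in the "which algorithms does this build accept" direction raised in the post is to read the signature algorithm out of the certificate being verified, so it can be compared across boxes. This is an added example, not part of the original post; it uses only the Python standard library, and the helper names and the small OID table are this example's own assumptions.

```python
import base64

# Certificate p1 from the post (the one being verified), copied unchanged.
PEM = """-----BEGIN CERTIFICATE-----
MIICOjCCAaOgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAXMRUwEwYDVQQDEwxvbmVs
YWIuaW5yaWEwHhcNMTQwODE4MTMzMDQ5WhcNMTkwODE3MTMzMDQ5WjArMSkwJwYD
VQQDFCBvbmVsYWIuaW5yaWEudGhpZXJyeV9wYXJtZW50ZWxhdDCBnTANBgkqhkiG
9w0BAQEFAAOBiwAwgYcCgYEAqK1lKNf61lAGYAXzG6xKnFQkfv3ViG0GP2Krp1zD
7d/93IkmsXVEjLfGhEJQjRjzRc9/gFdATP703cDzp4Ag2eR2wdQz0e6SXOBd2sLu
W3LqTwor1XMmp5f0QCOg5OSKXwozE3Tlt0+ewBNvAE8HWwZFjou5CFnrFMVZPjqf
hpUCASOjgYMwgYAwDAYDVR0TAQH/BAIwADBwBgNVHREEaTBnhjZ1cm46cHVibGlj
aWQ6SUROK29uZWxhYjppbnJpYSt1c2VyK3RoaWVycnlfcGFybWVudGVsYXSGLXVy
bjp1dWlkOjhlZTVhYWJlLTVhMTYtNGFjNS1hMThmLTdjYTE0NWFmMjg1YTANBgkq
hkiG9w0BAQQFAAOBgQCcjZnVO9vXmX/4a0kY34g87rxsk/9zOV7LqmSoCd66Qf5y
mRIJ/WCpCKJHQA2PU/LWBGS+Iv/E2z3cYrah02TkCGYB7Nzps5n40jQVI93UC4k7
uN73t6fwXwzM6i238LfbQUpTmqOL022mw06jbNhDl2ohhiXVKoCCQMG+7EyQjg==
-----END CERTIFICATE-----"""

# PKCS #1 signature-algorithm OIDs and the digest each one depends on.
DIGEST_BY_OID = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
                 "1.2.840.113549.1.1.11": "sha256"}

def read_tlv(der, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm_oid(pem):
    """Dotted OID of the outer signatureAlgorithm field of a PEM certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, cert_start, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)     # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier
    tag, start, end = read_tlv(der, alg_start)    # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    arcs, value = [der[start] // 40, der[start] % 40], 0
    for byte in der[start + 1:end]:               # remaining arcs are base-128
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                       # high bit clear ends the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def required_digest(pem):
    """Digest the verifying OpenSSL must support (the raw OID if not in the table)."""
    oid = signature_algorithm_oid(pem)
    return DIGEST_BY_OID.get(oid, oid)
```

For p1, required_digest(PEM) returns md5 (OID 1.2.840.113549.1.1.4, md5WithRSAEncryption), which is the digest to compare against what each box's OpenSSL build and policy still accept.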