Re: openssl verify question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

On 12/06/21 22:20, Gaardiolor wrote:

Hello,
My openssl-1.0.2k-21.0.1.el7_9.x86_64 verify fails with HSM-signed certificates. The HSM is causing other issues and is likely misbehaving, I think this is a HSM bug. I'm sure I'm using the correct server.crt and rootca.crt. 

$ openssl verify -CAfile rootca.crt server.crt
server.crt: C <snip>
error 7 at 0 depth lookup:certificate signature failure
139734096439184:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239: 139734096439184:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=X509_SIG 139734096439184:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:249:
just wondering: why and how are you using an HSM to verify a certificate (without including a private key) ?  is the certificate stored only on the HSM?  is it possible to get it off the HSM?
Also, how are you connecting the HSM to OpenSSL? via opensc-pkcs11 ?  you should have an openssl.cnf file somewhere for this. 

HTH,

JJK




I tried doing the verification manually like so:

Extracting the 'to be signed' part of the server.crt:
openssl asn1parse -in server.crt -strparse 4 -out server.tbs

sha256 that:
cat server.tbs | openssl sha256 -binary > server.tbs.sha256

Extracting the signature from the server.crt:
openssl asn1parse -in server.crt -strparse 569 -out server.sig

Extracting the public key from rootca.crt:
openssl x509 -in rootca.crt -noout -pubkey > rootca.pub

Decrypting the signature:
openssl rsautl -inkey rootca.pub -pubin -in server.sig -out server.sig.decrypted 

Comparing server.tbs.sha256 and server.sig.decrypted .
When I compare those, they are exactly the same. But that's the thing, I think server.sig.decrypted should be prepended with a sha256 designator 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20, which is missing. I do see this designator with working certificates. I suspect this is the problem.
Is that designator mandatory and likely the cause of my issue ? https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.2 suggests it's mandatory.. but I'm not sure if I'm looking at the right section. 

Thanks.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux