CRL verification padding problems
Hello guys,

I have a problem with X509 certificate and CRL checking. When using the X509_CRL_verify(crl, pkey) function (I get an error also by using the 'openssl crl -CAfile ...' command), I get the following error:

7322:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
7322:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:580:
7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:

Anyway, separately both the certificate and the CRL seem to look good.

If you have ideas I can send you the certificate and the CRL; I am not sending them to the list as they are quite big (~1.6Mb).

Have a nice day,
Byz!

---
Massimiliano Pala ([EMAIL PROTECTED])

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: CRL verification padding problems
On Fri, Jan 14, 2005, Massimiliano Pala wrote:

> Hello guys,
>
> I have a problem with X509 certificate and CRL checking. When using the X509_CRL_verify(crl, pkey) function (I get an error also by using the 'openssl crl -CAfile ...' command), I get the following error:
>
> 7322:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 7322:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:580:
> 7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:
>
> Anyway, separately both the certificate and the CRL seem to look good.
>
> If you have ideas I can send you the certificate and the CRL; I am not sending them to the list as they are quite big (~1.6Mb).

Check to see if the CRL has an authority key id and if so if it matches the subject key id of the CA you are using. If not then the problem is that the wrong CA and hence wrong public key is being used to verify the CRL signature.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: CRL verification padding problems
Dr. Stephen Henson wrote:
[...]
> Check to see if the CRL has an authority key id and if so if it matches the subject key id of the CA you are using. If not then the problem is that the wrong CA and hence wrong public key is being used to verify the CRL signature.

You are right; unfortunately I have to deal with a PKI where multiple certs are issued to every SubCA -- all of them are valid at the same time, and issued to the same Subject; what changes is the Key and the keyUsage... a real mess... I guess no 'standard' client is capable of verifying correctly the CRLs as the certificate used to issue certs is not the same used to sign CRLs... rrrgghh!

The problem was that :-(

In my opinion the error reported

7322:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
7322:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:580:
7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:

should be changed as it is not really clear :-D

Thank you again.

--
Best Regards,
Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager]              [EMAIL PROTECTED]
Tel.:   +39 (0)11 564 7081                       http://security.polito.it
Fax:    +39 178 270 2077
Mobile: +39 (0)347 7222 365
Politecnico di Torino (EuroPKI) Certification Authority Information:
Authority Access Point                                 http://ca.polito.it
Authority's Certificate:            http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List:            http://ca.polito.it/crl02/crl.crl
--o
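The check Steve suggests (compare the CRL's authority key identifier with the subject key identifier of the CA you are about to use) applied to the situation Massimiliano describes (several CA certificates sharing one subject name, with different keys and key usages), as an added example that is not part of the original thread and not OpenSSL project code. The script builds a throwaway PKI in a temp directory with two same-subject CA certs, one keyCertSign and one cRLSign, issues an empty CRL from the cRLSign key, and then selects the CRL issuer by key identifier before calling `openssl crl -CAfile`. The helper names (crl_akid, cert_skid, find_crl_issuer, verify_crl_with), the config sections and the subject name are assumptions of this example; it needs the `openssl` command line tool (1.1.1 or later) and awk.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): pick the CA certificate
# that signed a CRL by matching the CRL's authorityKeyIdentifier (AKID) against
# each candidate's subjectKeyIdentifier (SKID), instead of trusting the subject
# name alone. Assumes the openssl CLI (1.1.1+) and awk; names are hypothetical.
set -eu

PKIDIR=$(mktemp -d)
trap 'rm -rf "$PKIDIR"' EXIT
cd "$PKIDIR"

# Constructed PKI: two CA certs with the SAME subject but different keys and
# key usages, as in the thread; only the cRLSign one will sign the CRL.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_certsign ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
[ v3_crlsign ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
: > index.txt
echo 01 > serial
SUBJ='/O=Example/CN=Sub CA'
for role in certsign crlsign; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$role.key" -out "$role.crt" \
        -subj "$SUBJ" -days 30 -config pki.cnf -extensions "v3_$role" 2>/dev/null
done
# Empty CRL signed with the cRLSign key; crl_ext adds an AKID pointing at it.
openssl ca -gencrl -config pki.cnf -keyfile crlsign.key -cert crlsign.crt -out crl.pem

# Hex key id from the CRL's AKID ("keyid:" prefix is printed by 1.1.1, not by 3.x).
crl_akid() {
    openssl crl -in "$1" -noout -text |
        awk '/Authority Key Identifier/ { getline; sub(/^ */, ""); sub(/^keyid:/, ""); print; exit }'
}
# Hex key id from a certificate's SKID.
cert_skid() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ { getline; sub(/^ */, ""); print; exit }'
}
# find_crl_issuer CRL CERT... : print the candidate whose SKID equals the CRL's
# AKID; status 1 if none matches, 2 if the CRL carries no AKID at all (then the
# only option is to try every same-subject cert in turn).
find_crl_issuer() {
    crl=$1; shift
    akid=$(crl_akid "$crl")
    [ -n "$akid" ] || { echo "CRL has no authorityKeyIdentifier" >&2; return 2; }
    for c in "$@"; do
        [ "$(cert_skid "$c")" = "$akid" ] || continue
        echo "$c"
        return 0
    done
    return 1
}
# Signature check against one chosen CA only; true iff openssl says "verify OK".
verify_crl_with() {
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK$'
}

issuer=$(find_crl_issuer crl.pem certsign.crt crlsign.crt)
echo "CRL AKID matches the SKID of: $issuer"
for ca in "$issuer" certsign.crt; do
    if verify_crl_with crl.pem "$ca"; then echo "$ca: verify OK"; else echo "$ca: verify FAILED"; fi
done
```

`openssl crl -CAfile` looks the issuer up by subject name, so when the file holds two certificates with the same subject it is effectively arbitrary which key gets tried, and the wrong one surfaces as a verification error (on old releases the PKCS#1 padding trace quoted above). Matching AKID to SKID first removes the guesswork; in the C API, X509_check_akid() performs the same comparison for a given issuer certificate and AUTHORITY_KEYID.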
Re: CRL verification padding problems
On Sat, Jan 15, 2005, Massimiliano Pala wrote:

> Dr. Stephen Henson wrote:
> [...]
> > Check to see if the CRL has an authority key id and if so if it matches the subject key id of the CA you are using. If not then the problem is that the wrong CA and hence wrong public key is being used to verify the CRL signature.
>
> You are right; unfortunately I have to deal with a PKI where multiple certs are issued to every SubCA -- all of them are valid at the same time, and issued to the same Subject; what changes is the Key and the keyUsage... a real mess... I guess no 'standard' client is capable of verifying correctly the CRLs as the certificate used to issue certs is not the same used to sign CRLs... rrrgghh!

It's something which may be supported at some stage. Can you send me the CAs and CRLs involved so I can check them?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk