Hi,

Sorry if this is a second post, but the first one should not have reached the openssl mail server due to the attachment.

Move test-2-bad.crt to test-2-bad.pem
Hi,

Thanks for your answer, but the signature is OK when creating the X509 certificate, signing it and verifying it (the dump is also OK). This is a problem with the serial number (ASN1) when NOT setting it in the X509 struct, saving it to a file and reloading it from the file for a verification. My certificate is a bad one because I did not set the serial number. The question is: should the serial number be set to a default one (0x00)?

Moreover, I found that the verify function is not working properly. I try to verify, and the return is OK whereas it should not be.

[EMAIL PROTECTED] Atempo-Tina]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /netsecureone/dev/openssl/ossl-0.9.8x/openssl-0.9.8/apps/openssl verify -purpose any -verbose -CAfile testCA-1.crt test-2-bad.crt
INFO: X509_VRFY_PARM: inh_flags: 1, flags: 0, purpose: 7, trust: 0, depth: -1
INFO: argc: 1
test-2-bad.crt: INFO: vflags value: 0, purpose value: -1
INFO X509stack ptr: uchain: (nil), tchain: (nil)
INFO: x value: 0x80b0cf0
OK

My certificate has no Key extension (see attached file test-2-bad.crt). If I use the X509_check_purpose() function things are OK (I could detect SSL settings).

Regards,
Fred

PS: I just do CSR (X509_REQ), CRT (X509), sign using X509_sign(), and verify using X509_verify(). (My code is based on apps/req.c, apps/x509.c, apps/verify.c and other files in the demo directory.) If required I should be able to provide it.

-----Original Message-----
From: Nils Larsch [mailto:[EMAIL PROTECTED]]
Sent: Wed 8/31/2005 12:21 AM
To: openssl-users@openssl.org
Cc:
Subject: Re: CA generation/certificate serial number

Frédéric Donnat wrote:
> Hi,
>
> Sorry for the mistake (nothing to deal with openssl.cnf file). I was just
> looking for ca.txt file.
>
> Is it normal behavior of openssl to be able to view a certificate without
> serial number using (without any error mentioned):
> openssl x509 -in some_cert_without_sn.pem -text
> But to be unable to verify it using:
> openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem
>
> Sample: (attached self-sign cert name pipo-bad.pem)

hmm, the attached certificate has a serial number, it's 0x0

> [EMAIL PROTECTED] simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib
> /usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem
> pipo-bad.pem
> pipo-bad.pem: /C=UK/CN=OpenSSL Group
> error 7 at 0 depth lookup:certificate signature failure
> 18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
> 18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

well the signature really seems to be wrong. How did you create the certificate ?

Cheers,
Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Attachment: test-2-bad.pem
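As an added example (not code from this thread and not the OpenSSL project's own), the following POSIX shell script walks through the workflow Fred describes with a current openssl CLI: a self-signed CA and a CA-signed leaf certificate both get an explicit serial via -set_serial, the leaf is written to PEM and read back with openssl x509, and verification goes through openssl verify, which builds and checks the chain rather than only checking the signature the way X509_verify() does. It assumes OpenSSL 1.1.1 or 3.x on PATH; the scratch directory, key and certificate file names, subject names and serial values are the example's own. The serial_is_positive function flags the all-zero serial Nils found in pipo-bad.pem (RFC 5280 requires a positive serial), and verify_against_wrong_ca shows that a well-formed certificate still fails chain verification when the trust anchor does not match.

```shell
#!/bin/sh
# Added example; assumes a modern openssl CLI (1.1.1 or 3.x) on PATH.
# All file names live in a scratch directory created here (not from the thread).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with an explicit, positive serial (0x01).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" -set_serial 0x01 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# CSR -> certificate signed by the CA (the apps/req.c + apps/x509.c flow).
# $1 is the serial written into the certificate. The certificate goes to a
# PEM file and is read back from it by every later step, which is the
# round trip the thread's code was missing.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial "$1" -days 1 -sha256 \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Serial as the CLI decodes it from the PEM file, e.g. "serial=1000".
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# RFC 5280 requires a positive serial; reject the 0x0 case from the thread.
serial_is_positive() {
    case "$(cert_serial "$1")" in
        serial=0|serial=00) return 1 ;;
        *) return 0 ;;
    esac
}

# Chain verification. `openssl verify` (X509_verify_cert) does issuer lookup,
# validity-date and, with -purpose, key-usage checks; X509_verify() alone only
# checks the signature. Prints OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# A leaf presented against an unrelated CA must fail even though it is a
# well-formed, correctly signed certificate.
verify_against_wrong_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Other CA" -set_serial 0x02 \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    if openssl verify -CAfile "$WORK/other.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

main() {
    make_ca
    make_leaf 0x1000
    cert_serial "$WORK/leaf.crt"
    verify_leaf
    verify_against_wrong_ca
}

main
```

Passing -purpose sslserver (or sslclient) to openssl verify applies the same key-usage and extended-key-usage checks that X509_check_purpose() performs; -purpose any, which Fred's command line passed, accepts every certificate at that step, so the OK in his output is expected and says nothing about the missing Key extension.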