Hello Dalini,

this is the situation. In my company we will have a project, in a few days, in which we will have to process 250.000 requests in about a month or something. We are going to receive about 10.000 CSRs per day, so our RA has to process (approve and sign) all 10.000 CSRs (or the number registered when processing), but OpenCA doesn't have a massive signing feature. The CA batch interface can issue certificates for all the signed CSRs, but only if they are signed by the RA. So I will have to do it by myself, I mean the signing of the CSRs. I'm trying to do it in a Java program.

My Java program reads the data column from the request table, signs it using the RA private key and then stores the required changes in OpenCA's database. That includes:

- Change its format from PKCS#10 to PKCS#10 with PKCS#7 Signature
- Change its data from the CSR to the CSR plus the PKCS7 signature
- and change its status from NEW to APPROVED

But when I go to the CA to see the APPROVED requests, all requests "signed" using my Java app show this message in the left column, the one that lists the RA that signed the CSR:

Cannot build PKCS#7-object from signature!

When I click on the serial to see the 'APPROVED' CSR, the lock icon is red and it says: Signature Error.

Some facts:

- The signature that I obtain from Java is very different from the one that the JavaScript method signText gives.
- When I use the interface, the method signText shows a window with the data it is going to sign; that data looks like it is in a different order from the data I'm obtaining in Java from the DB. So I guess that's the reason why the signature is invalid.
- The error message in OpenCA's interface when I click the red icon (Signature error) is like this:

Error 560
General Error. Signature Object not returned, check the openca-verify command.
Cannot build PKCS#7-object from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot initialize signature (7912021).
OpenCA::PKCS7->initSignature: Cannot parse signature (7921021).
OpenCA::PKCS7->getParsed: The crypto-backend cannot verify the signature (7742075).
OpenCA::OpenSSL->verify: openca-sv failed.
[Error]: Digest mismatch. Signature is wrong.
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:1 serial:00 subject:[EMAIL PROTECTED],CN=camanager,OU=Internet,O=certicamara,C=CO
depth:0 serial:03 subject:serialNumber=3,CN=radmin,OU=Internet,O=Certicamara,C=CO
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1 )..

What is going on? How can I solve this big issue?

Thanks a lot,
Johnny

--- Ives Steglich <[EMAIL PROTECTED]> wrote:
> Johnny Gonzalez wrote:
> > Hello I find a command called openca-sv Could I use it
> > to sign my requests? If that's true, can anybody tell
> > me how to sign (files or something) using it?
>
> just to get things sorted out - what exactly do you
> wanna sign, at which step in the process and where and
> how do you put those signed requests?
>
> greetings
> dalini

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel
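
A digest mismatch of the kind reported in the error output above is what a PKCS#7 verifier returns when the content it hashes is not byte-for-byte the content that was signed. The following script is an added example, not part of the original message and not OpenCA code: it uses the openssl command line with a throwaway key, a constructed self-signed certificate and constructed field data to show a detached PKCS#7 signature verifying only against identical bytes. The field names and file names are assumptions and do not reflect the format that signText actually signs.

```shell
#!/bin/sh
# Constructed demo: a throwaway self-signed cert stands in for the RA signer.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_signer() {      # create a one-day self-signed cert and unencrypted key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ra" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
}

sign_detached() {    # $1 = content file, $2 = output file (DER PKCS#7, detached)
  openssl smime -sign -binary -outform DER -signer "$work/cert.pem" \
    -inkey "$work/key.pem" -in "$1" -out "$2" 2>/dev/null
}

verify_detached() {  # $1 = content file, $2 = DER PKCS#7; exit status 0 on match
  # -noverify skips chain validation so only digest and signature are checked
  openssl smime -verify -binary -noverify -inform DER -in "$2" \
    -content "$1" -out /dev/null 2>/dev/null
}

make_signer

# Constructed sample data: same fields, three different byte sequences.
printf 'SUBJECT=CN=test\nEMAIL=a@example.invalid\n'     > "$work/as_signed.txt"
printf 'EMAIL=a@example.invalid\nSUBJECT=CN=test\n'     > "$work/reordered.txt"
printf 'SUBJECT=CN=test\r\nEMAIL=a@example.invalid\r\n' > "$work/crlf.txt"

sign_detached "$work/as_signed.txt" "$work/sig.p7"

for f in as_signed reordered crlf; do
  if verify_detached "$work/$f.txt" "$work/sig.p7"; then
    echo "$f: signature OK"
  else
    echo "$f: verification failed (content differs from signed bytes)"
  fi
done
```

Only the first file verifies; field order and line endings are part of what is signed, so a batch signer has to reproduce the exact byte string the verifier will reconstruct.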