Hello Michael,
--- Michael Bell <[EMAIL PROTECTED]> wrote:
> Put the PKCS#10 request with the header and the
> signature together, copy
> it into the DATA column of the request table and set
> the status column
> to APPROVED.
Yes, that is what I'm actually doing, and changing
PKCS#10 to PKCS#10 with PKCS#7 Signature.
But OpenCA doesn't verify the signature correctly, so,
as Dalini told me before, maybe it's a problem related
to CR/LF.
When I see the "approved" CSR in the CA, the error from
the Signature Error is:
Error 560
General Error. Signature Object not returned, check
the openca-verify command. Cannot build PKCS#7-object
from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031
(OpenCA::PKCS7->new: Cannot initialize signature
(7912021). OpenCA::PKCS7->initSignature: Cannot parse
signature (7921021). OpenCA::PKCS7->getParsed: The
crypto-backend cannot verify the signature (7742075).
OpenCA::OpenSSL->verify: openca-sv failed. [Error]:
Digest mismatch. Signature is wrong.
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:1 serial:00
subject:[EMAIL PROTECTED],CN=camanager,OU=Internet,O=certicamara,C=CO
depth:0 serial:03
subject:serialNumber=3,CN=radmin,OU=Internet,O=Certicamara,C=CO
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1
)..
I checked the signature by myself using the command:
openca-sv verify -verbose -in 2080Firmada.pem -data
2080.pem -cert ../RACert.pem -keyfile ../RAKey.pem -cf
../cacert.pem
And the result is:
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:1 serial:00
subject:[EMAIL PROTECTED],CN=certicamara,OU=desarrollo,O=certicamara,C=co
depth:0 serial:2D
subject:serialNumber=45,CN=rad2,OU=Internet,O=CERTICAMARA,C=CO
signature:ok:1
The PKCS#10 data I'm reading in java is exactly this:
-----BEGIN HEADER-----\nTYPE = PKCS#10\nSERIAL =
1056\nNOTBEFORE = Fri Feb 25 13:42:17 2005
UTC\nADDITIONAL_ATTRIBUTE_REQUESTERCN =
\nADDITIONAL_ATTRIBUTE_EMAIL =
\nADDITIONAL_ATTRIBUTE_DEPARTMENT =
\nADDITIONAL_ATTRIBUTE_TELEPHONE = \nRA = Trustcenter
itself\nROLE = User\nLOA = 10\n-----END
HEADER-----\n-----BEGIN CERTIFICATE REQUEST
-----\r\nMIIB5zCCAVACAQAwgaYxCzAJBgNVBAYTAkNPMRUwEwYDVQQIEwxDVU5ESU5BTUFS\r\nQ0ExDzANBgNVBAcTBkJPR09UQTEUMBIGA1UEChMLQ0VSVElDQU1BUkExETAPBgNV\r\nBAsTCEludGVybmV0MRcwFQYDVQQDEw5EaWVnbyBHdWVycmVybzEtMCsGCSqGSIb3\r\nDQEJARMeZGllZ28uZ3VlcnJlcm9AY2VydGljYW1hcmEuY29tMIGfMA0GCSqGSIb3\r\nDQEBAQUAA4GNADCBiQKBgFQ9Jws7D5pZQgfvSiKH72zeTS3EuE4bkYGh9tigEFOM\r\nuVrp2KUgPR6yl871+qzATi+G/KjqdLG0Q7D/oHZayrbnNcNDwnTRGslM6mgvG58v\r\nHVK5h4mPx5xm02oVVcyiAkTxWL39ORLgRlwXmzBWwNQn+JwS4F0zNvab/jKZWvvB\r\nAgQAAQABoAAwDQYJKoZIhvcNAQEFBQADgYEANFGlwKsfup8hZsz882P8fsmljOME\r\n5STz7lfcvQxwBM3dfgdDp1AmZ8ze2xWwbJLbtG5A7WBrYgL/FM1RblQXtaP40dbI\r\nJYrtUiQujKImeox5nK7UA70tVtXWIKRgxUCNQ6ZGF/U5lE7H3kCuLPj/dJGSk5T5\r\nTILgYWPcPQAxE3I=\r\n-----END
CERTIFICATE REQUEST -----
As you can see, there are in the certificate request
body not only LFs but also CRs, but that couldn't
be a problem yet: if I sign exactly the same data and
store it again with the respective PKCS#7, that would
be right. That's what I'm doing; before writing the
data (PKCS#10 with the PKCS#7) to the PostgreSQL DB,
I'm checking that the data is the same as the data I
signed and the response to that signature.
More than that, I made a test retrieving one more time
the data written to the DB; obviously this time it
gives me the data column with the values of the PKCS#10
and the PKCS#7, and I have checked that it is the same
I'm writing to the DB. So I think the problem is when
Perl retrieves the data from the DB to check the
signature. Now I have a question: how does Perl read
the data from the DB when it is going to check the
signature? Does it add or remove special characters
(CRs, LFs)?
I tried another solution, but it remains the same. I
deleted the database and created it again using the flag
-E latin1, to see if that could affect what I'm
writing to the DB.
Thanks for any help you can give me,
Johnny
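A small diagnostic for the CR/LF question above, added here as an example (it is not code from this thread or from OpenCA). The sample request is constructed in the shape of the data Johnny posted, with placeholder base64 lines, and the digest algorithm is assumed to be SHA-1; it shows that a detached PKCS#7 signature computed over CRLF-terminated bytes can no longer match once a text-mode read or DB round trip rewrites them as LF, and it tells a byte-identical copy apart from one that differs only in line endings.

```python
import hashlib

# Constructed sample in the shape of the request Johnny posted: an OpenCA header
# block terminated with LF, and a PEM body terminated with CRLF. The base64
# lines are placeholders, not a real CSR.
SIGNED_DATA = (
    b"-----BEGIN HEADER-----\nTYPE = PKCS#10\nSERIAL = 1056\n-----END HEADER-----\n"
    b"-----BEGIN CERTIFICATE REQUEST-----\r\n"
    b"MIIB5zCCAVACAQAwgaYxCzAJBgNVBAYTAkNP\r\n"
    b"TILgYWPcPQAxE3I=\r\n"
    b"-----END CERTIFICATE REQUEST-----"
)


def digest(data: bytes) -> str:
    """Hex digest over the exact bytes; a detached PKCS#7 signature covers these bytes (SHA-1 assumed)."""
    return hashlib.sha1(data).hexdigest()


def normalize_crlf(data: bytes) -> bytes:
    """What a text-mode read or a DB round trip may silently do: CRLF becomes LF."""
    return data.replace(b"\r\n", b"\n")


def line_ending_report(data: bytes) -> dict:
    """Count CRLF and bare-LF terminators so mixed endings are visible at a glance."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "bare_lf": data.count(b"\n") - crlf}


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the buffers are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def diagnose(signed: bytes, stored: bytes) -> str:
    """Classify why a detached signature made over `signed` would fail over `stored`."""
    if signed == stored:
        return "identical: a digest mismatch must come from the signature or cert, not the data"
    if normalize_crlf(signed) == normalize_crlf(stored):
        off = first_difference(signed, stored)
        return f"differs only in line endings (first at byte {off}); something rewrote CR/LF"
    return f"content differs at byte {first_difference(signed, stored)}"


if __name__ == "__main__":
    stored = normalize_crlf(SIGNED_DATA)          # simulate the lossy round trip
    print(line_ending_report(SIGNED_DATA), line_ending_report(stored))
    print(digest(SIGNED_DATA) == digest(stored))  # False: the signed digest no longer matches
    print(diagnose(SIGNED_DATA, stored))
```

Running `diagnose` on the bytes written to the DATA column and the bytes Perl actually hands to openca-sv pinpoints whether the round trip changed anything, and whether the change is limited to CR/LF.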
--- Michael Bell <[EMAIL PROTECTED]> wrote:
> Hi Johnny,
>
> > 1. Load the pkcs#10 data from the DB
> > 2. store the pkcs#10 data in a file (e.g. 544.pem)
> > 3. I sign the request (the file containing the
> pkcs#10
> > data) using the openca-sv tool, this way:
> >
> > openca-sv sign -verbose -in 288.pem -out
> 288Signed.pem
> > -cert RACert.pem -keyfile RAKey.pem
> >
> > That is the status of my project, now I want to:
> >
> > 1. load the data from the files (pkcs#10 and
> pkcs#7)
> > 2. send the loaded data along with the other
> > parameters to the approveCSR command.
>
> If you implement 1., 2. and 3. with Java then you
> can do the rest with
> Java and without OpenCA too.
>
> Put the PKCS#10 request with the header and the
> signature together, copy
> it into the DATA column of the request table and set
> the status column
> to APPROVED.
>
> This is what approveCSR does. You have to verify of
> course that OpenCA
> can verify your signatures. I don't recommend you to
> try to use
> approveCSR because this command only works inside of
> the complete OpenCA
> server framework.
>
> Michael
> --
> _______________________________________________________________
>
> Michael Bell
> Humboldt-Universitaet zu Berlin
>
> Tel.: +49 (0)30-2093 2482      ZE Computer- und Medienservice
> Fax: +49 (0)30-2093 2704       Unter den Linden 6
> [EMAIL PROTECTED]              D-10099 Berlin
> _______________________________________________________________
>
_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel