Hello everybody,

A few weeks ago I posted a problem I'm facing; this is a small summary:

I have to sign and approve all new requests that I have registered in OpenCA. So I need to make a piece of software that performs this operation, so I made a Java app that invokes the command "openca-sv" to sign the request. What I do to sign the data is:

- read the data column from the request table
- store it in a file
- sign it using this command:

  openca-sv sign -in /usr/local/bin/temporal/requestToProcess.pem -out /usr/local/bin/temporal/requestToProcessFirmada.pem -cert /usr/local/bin/RACert.pem -keyfile /usr/local/bin/RAKey.pem -cd /usr/local/OpenCA/var/crypto/

  where requestToProcess is the req_key field, so I added .pem to recognize the file. requestToProcessFirmada.pem is the output of the execution of the command, so it has the PKCS#7 signature including header/footer.

- then I concatenate data + signature and store it in the data field of the request table.

Besides this I change:

- Format from PKCS#10 to PKCS#10 With PKCS#7 Signature
- status from NEW to APPROVED

I verified the signature from the console and it is OK, but when I go to the CA to see the Approved Requests I see this error:

  Cannot build PKCS#7-object from signature

If I look at the details, these are the messages:

  Error 560 General Error.
  Signature Object not returned, check the openca-verify command.
  Cannot build PKCS#7-object from extracted signature!
  OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot initialize signature (7912021).
  OpenCA::PKCS7->initSignature: Cannot parse signature (7921021).
  OpenCA::PKCS7->getParsed: The crypto-backend cannot verify the signature (7742075).
  OpenCA::OpenSSL->verify: openca-sv failed.
  [Error]: Digest mismatch. Signature is wrong.
  [Info]: Input file intialized.
  [Info]: Signaturefile initialized.
  [Info]: Reading Certificate file.
  [Info]: PKCS#7 object loaded.
  [Info]: Data is ready for verification.
  [Info]: Signature Informations (PKCS#7):
  depth:1 serial:00 subject:[EMAIL PROTECTED],CN=certicamara,OU=desarrollo,O=certicamara,C=co
  depth:0 serial:2D subject:serialNumber=45,CN=rad2,OU=Internet,O=CERTICAMARA,C=CO
  [Info]: Signature is corrupt. Errorcode -1.
  signature:error:-1 )..

The error message, as I understand it and as some friends on the list have pointed out to me, means that the data signed is different from the data used by OpenCA to check the signature. Is that right? The message shows not only the CA certificate DN, but also the DN of the RA certificate (the one used to sign the data).

What could be wrong? Am I doing something the wrong way? Do I have to specify some other parameters to the command that signs the data?

I tried reading the data again from the DB (in ASCII format) to see if the data stored is exactly the same that I sent to the DB, including LFs. I send the data using LF, not CR/LF, because the other way didn't work for me in some tests.

Help please.

Johnny

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel
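A "Digest mismatch" from the verifier means the bytes it hashed are not the bytes that were signed, so the first thing worth checking is whether the data part of the stored "data + PKCS#7 signature" blob is still byte-identical to the file that was passed to openca-sv. The following is an added diagnostic, not code from the post or from OpenCA: it splits the concatenated blob at the PEM PKCS#7 block and compares digests, showing how a CRLF/LF change alone breaks the match. The CSR and PKCS#7 bodies are constructed placeholders, not real ASN.1.

```python
import hashlib
import re

# Constructed sample of the stored layout the post describes: the PKCS#10
# request followed by the openca-sv output with its PEM header/footer.
SAMPLE_BLOB = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBPLACEHOLDERREQUESTBODY==\n"
    "-----END CERTIFICATE REQUEST-----\n"
    "-----BEGIN PKCS7-----\n"
    "MIIBPLACEHOLDERSIGNATUREBODY==\n"
    "-----END PKCS7-----\n"
)

# The PKCS#7 block is located by its PEM delimiters; DOTALL lets it span lines.
PKCS7_RE = re.compile(r"-----BEGIN PKCS7-----.*?-----END PKCS7-----\n?", re.S)


def split_signed_request(blob: str):
    """Split a 'data + PKCS#7 signature' blob into (data, signature).

    Raises ValueError when no PKCS#7 block is present, i.e. when the CA side
    would have nothing to build a PKCS#7 object from.
    """
    match = PKCS7_RE.search(blob)
    if match is None:
        raise ValueError("no PKCS#7 block found in request data")
    return blob[: match.start()], match.group(0)


def sha256_hex(text: str) -> str:
    """Digest of the exact bytes; used only to compare two copies of the data."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def digest_matches(signed_text: str, stored_blob: str) -> bool:
    """True only if the data stored beside the signature is byte-identical to
    the text that was signed. Any whitespace change (CRLF vs LF, a trailing
    newline) shows up here before the signature itself is blamed."""
    data, _signature = split_signed_request(stored_blob)
    return sha256_hex(signed_text) == sha256_hex(data)


def normalize_lf(text: str) -> str:
    """Canonicalise line endings to LF so both copies are hashed the same way."""
    return text.replace("\r\n", "\n")
```

Run `digest_matches` with the contents of requestToProcess.pem as `signed_text` and the value read back from the data column as `stored_blob`; a False result means the mismatch is in the stored data, not in the PKCS#7 object.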