Hi all

Some more info on this.

I commented out the unlink statements so I could debug. The openssl verify command validates the cert fine using the same CA file and chain path as OpenCA uses.

I also compared the pkcs7 files that openca-sv uses. One file is extracted from the database and the other file is recalculated. Both files are exactly the same using binary diff.

So I am confused why the UI fails.

Dave


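An added example, not code from this thread or from OpenCA, that reproduces the two checks being compared here (the `openssl verify` result above and the chain-hash experiment in the quoted message below) with a throwaway CA and RA certificate built in a temp directory; it assumes a modern openssl binary (1.0.2 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not OpenCA's code: a throwaway CA and RA cert (constructed here)
# are generated under a temp dir; assumes a modern openssl (1.0.2+) on PATH.
WORK=$(mktemp -d)
# Self-signed root CA plus an RA signing cert issued by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=test root CA" -days 2 >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ra.key" \
    -out "$WORK/ra.csr" -subj "/CN=test RA" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/ra.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ra.pem" -days 2 >/dev/null 2>&1
}
# $1 = chain dir, $2 = new|old|both. CApath lookups on OpenSSL 1.0+ use only the
# new subject hash, so a dir named with subject_hash_old alone cannot supply the
# issuer ("unable to get issuer certificate"); c_rehash creates both names.
make_chain_dir() {
  mkdir -p "$1"
  new=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
  old=$(openssl x509 -noout -subject_hash_old -in "$WORK/ca.pem")
  [ "$2" = old ] || cp "$WORK/ca.pem" "$1/$new.0"
  [ "$2" = new ] || cp "$WORK/ca.pem" "$1/$old.0"
}

# Detached DER PKCS#7 signature over a constructed request body.
sign_data() {
  printf 'request body\n' > "$WORK/data"
  openssl smime -sign -binary -in "$WORK/data" -signer "$WORK/ra.pem" \
    -inkey "$WORK/ra.key" -outform DER -out "$WORK/sig.p7" 2>/dev/null
}

# What `openssl verify` proves: the RA cert chains to the CApath. Nothing more.
verify_cert() { openssl verify -CApath "$1" "$WORK/ra.pem" >/dev/null 2>&1; }

# What openca-sv has to prove: the chain AND the signature over the content.
# $1 = content file, $2 = CApath. Exit status 0 only if both hold.
verify_sig() {
  openssl smime -verify -binary -inform DER -in "$WORK/sig.p7" -content "$1" \
    -CApath "$2" -out /dev/null >/dev/null 2>&1
}

# Stand-alone run (`sh this.sh demo`): build everything, report the first failure.
demo() {
  make_pki && sign_data && make_chain_dir "$WORK/chain" both || return 2
  verify_cert "$WORK/chain" || { echo "chain: FAIL"; return 1; }
  verify_sig "$WORK/data" "$WORK/chain" || { echo "signature: FAIL"; return 1; }
  echo "chain and signature: OK"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A chain directory that passes `verify_cert` but fails `verify_sig` on the same files narrows the problem to the PKCS#7 signature itself rather than to the CA chain.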


-----Original Message-----

From: blain...@gdls.com
To: he...@hlrs.de
Cc: openca-users@lists.sourceforge.net
Sent: 2014-09-05 09:41:30 GMT
Subject: Re: [Openca-Users] OpenCA 1.5.1 signature not valid

Hi Martin,

Although there are some cases of expired RA certificates, there are others where certs are signed by a valid RA certificate yet cannot be verified. See output from verification window below:

Cannot build PKCS#7-object from extracted signature!

OpenCA::PKCS7 returns errorcode 7911031

OpenCA::PKCS7->new: Cannot initialize signature (7912021).
OpenCA::PKCS7->initSignature: Cannot parse signature (7921021).
OpenCA::PKCS7->getParsed: The crypto-backend cannot verify the signature (7742075).
OpenCA::OpenSSL->verify: openca-sv failed.
[Error]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):

depth:2 serial:blah subject:CN=root CA blah
depth:1 serial:blah subject:CN=issuing CA blah
depth:0 serial:blah subject:RA cert blah

[Info]: Signature is corrupt. Errorcode -1.

signature:error:-1


Based on your comments about hashes I did notice the hash values in the root chain directory were different between the old installation (using 0.9.8) and the new installation. I changed the Makefile to use subject_hash_old and rebuilt the chain. This only made matters worse. It was "unable to get issuer certificate". So I switched the hashes back.

If the hashes need to be changed anywhere else I am unaware of it.

Dave

------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/

_______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users
