Here are the openssl error messages when verifying this CSR with the -verify parameter.

verify failure
26390:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
26390:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699:
26390:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

In the meantime I tried this on a Windows machine, which was able to create a valid CSR (on Windows) on the same card. So this seems somehow related to my Linux system. Maybe openct is the error, as this is not used on Windows. I will check with another openct version, as I am using the Ubuntu 7.10 package atm.

Cheers,
Simon

On Monday, 03.12.2007, at 12:51 +0100, Simon Eisenmann wrote:
> Hi,
>
> today I tried to create a new Schlumberger e-gate 32K card to test 2048
> bit keys on this type of card. Though I failed to sign the CSR with
> openssl, because openssl tells me that the CSR's signature does not match
> the request.
>
> This is what I did (blank e-gate 32K card):
>
> $ pkcs15-init -EC -T --no-so-pin
> $ pkcs15-init -P -a 01 -T
> $ pkcs15-init -G rsa/2048 -a 01 --key-usage sign
>
> $ openssl> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>
> $ openssl> req -engine pkcs11 -new -key id_45 -keyform engine -out test.csr
>
> This is the CSR which was created:
>
> Basically it's valid, but the inner signature is not. So when I try to
> sign it using openssl I get
>
> "Signature did not match the certificate request".
>
> This has been working fine in the past (~ a year ago). I am using the
> latest released versions of opensc, engine, and libp11.
>
> Exactly the same works fine when using a 1024 bit key.
>
> I am using an SCM CCID reader in combination with opensc max_send and
> recv_size set to 248 in opensc.conf.
>
> Any hints?
>
> Best regards,
> Simon
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Simon Eisenmann
[ mailto:[EMAIL PROTECTED] ]
[ struktur AG | Kronenstraße 22a | D-70173 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:[EMAIL PROTECTED] ]
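The padding check named in the error output above ("block type is not 01"), as an added example that is not part of the original message and is not OpenSSL or OpenSC code. It shows what a verifier expects to find after applying the public key to a PKCS#1 v1.5 signature and how a damaged signature fails that check. The toy key built from two Mersenne primes, the SHA-1 DigestInfo, the function names and the sample message are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefix for SHA-1 (RFC 8017); SHA-1 is an assumption of this example.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key from two Mersenne primes: insecure, present only so this runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def encode_type1(msg: bytes) -> bytes:
    """Block the signer must produce: 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes) -> bytes:
    return pow(int.from_bytes(encode_type1(msg), "big"), D, N).to_bytes(K, "big")

def recover(sig: bytes) -> bytes:
    """Public-key operation the verifier applies to the signature."""
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")

def check_type1(em: bytes) -> str:
    """Return 'ok' or the first reason the recovered block is rejected."""
    if len(em) != K:
        return "wrong block length"
    if em[0] != 0x00:
        return "leading byte is not 00"
    if em[1] != 0x01:
        return "block type is not 01"
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # at least 8 FF bytes
        return "bad FF padding"
    if not em[sep + 1:].startswith(SHA1_PREFIX):
        return "unexpected DigestInfo"
    return "ok"

def verify(msg: bytes, sig: bytes) -> str:
    em = recover(sig)
    status = check_type1(em)
    if status == "ok" and em != encode_type1(msg):
        return "digest mismatch"
    return status

if __name__ == "__main__":
    msg = b"constructed request body"
    good = sign(msg)
    bad = good[:-1] + bytes([good[-1] ^ 1])  # one damaged signature byte
    print(verify(msg, good), "/", verify(msg, bad))
```

Any signature that does not come back from the public-key operation as the exact block the signer built is rejected at the padding stage, before the digest is even compared.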