Hi,
Signature verification is done through a modular exponentiation (using
public exponent and modulus) that always leads to a result even fur a
bogus RSA modulus.
This result is checked against the PKCS#1 padding format. Since the RSA
private key is invalid, the output of this exponentiation is different
from DataToBeSigned used during certificate creation and thus the code
doesn't find the PKCS#1 padding block header.
So, the signature is bad because the decrypted signature has a bad format!
I hope this clarifies things to you.
You say at the end of your message that the private key was generated by
a python wrapper, certainly a wrapper of OpenSSL, but in a previous
message you are saying that you generated the key yourself (pen and
paper). Which statement is correct? Maybe your wrapper wraps something
else...
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 8/9/2010 7:44 AM, Georgi Guninski wrote:
is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2
(with the malformed key) *syntactically* correct modulo the bad self signature?
with 1.0.0a
~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert
/tmp/CA-P.cert: CN = CA
error 7 at 0 depth lookup:certificate signature failure
139828504536744:error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding
check failed:rsa_eay.c:699:
139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:a_verify.c:184:
echo $?
0
i would expect an error about bad self signature, not format stuff.
the private key was generated by a python wrapper, the cert was generated with
ubuntu's 0.9.8k 25 Mar 2009
On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote:
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org