Gleison Santos wrote:
>
> Hi, all.
>
> In a project I'm working on now we don't want to use any X509 extensions,
> basically due to binary size limitation. I've commented out a lot of source
> code, removing any reference to the X509_EXTENSION structure.
>
> But during server certificate validation I get an error while validating
> the second certificate in the cert chain. Something goes wrong while
> executing the hash function.
>
> I got an error (rsa_sign.c, in RSA_verify):
> RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
>
> Call Stack:
> RSA_verify(...) line 208
> EVP_DigestFinal(...) line 78 + 21 bytes
> EVP_VerifyFinal(...) line 90 + 20 bytes
> ASN1_verify(...) line 106 + 29 bytes
> X509_verify(...) line 71 + 34 bytes
> internal_verify(...) line 522 + 13 bytes
>
> Does anybody know what can be wrong? Is X509v3 really that important?
>
If a certificate contains extensions (as many do) and you remove all
references to them then the ASN1 code will not be able to parse it.
Extensions are also used for security purposes, for example to indicate
whether a certificate is a valid CA certificate and to prevent end user
certificates being able to masquerade as CAs.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
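
The CA check the reply refers to, as an added example that is not part of the original thread and is not OpenSSL code: a stdlib-only Python sketch that walks a DER-encoded Extensions value and accepts a certificate as an issuer only when basicConstraints carries cA = TRUE. The helper names (`tlv`, `read_tlvs`, `is_ca`) are hypothetical, the sample bytes are constructed, and the input is assumed to be the Extensions SEQUENCE already extracted from the certificate.

```python
# Added example (not OpenSSL code); all sample bytes below are constructed.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15

def tlv(tag, body):
    """Encode one short-form DER TLV (sample inputs are under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def read_tlvs(data):
    """Yield (tag, body) for each TLV in data; raise on truncated input."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        tag, n = data[pos], data[pos + 1]
        pos += 2
        if n & 0x80:  # long-form length
            count = n & 0x7F
            if count == 0 or pos + count > len(data):
                raise ValueError("bad length")
            n = int.from_bytes(data[pos:pos + count], "big")
            pos += count
        if pos + n > len(data):
            raise ValueError("truncated body")
        yield tag, data[pos:pos + n]
        pos += n

def is_ca(extensions_der):
    """True only when basicConstraints is present and cA is DER TRUE."""
    if not extensions_der:
        return False  # no extensions at all: never accept as an issuer
    (tag, ext_list), = read_tlvs(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, ext in read_tlvs(ext_list):
        fields = list(read_tlvs(ext))  # extnID, [critical], extnValue
        if fields[0] != (0x06, OID_BASIC_CONSTRAINTS):
            continue
        (_, bc), = read_tlvs(fields[-1][1])  # BasicConstraints SEQUENCE
        return list(read_tlvs(bc))[:1] == [(0x01, b"\xff")]
    return False

# Constructed samples: CA, leaf with empty basicConstraints, leaf with keyUsage only.
CA_EXTS = tlv(0x30, tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS)
              + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff")))))
LEAF_EXTS = tlv(0x30, tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS)
                + tlv(0x04, tlv(0x30, b""))))
KEY_USAGE_ONLY = tlv(0x30, tlv(0x30, tlv(0x06, OID_KEY_USAGE)
                     + tlv(0x04, tlv(0x03, b"\x07\x80"))))
```

A verifier that cannot read extensions has no input for this decision, so every certificate in a chain looks equally eligible to sign others.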