I have found a bug in openssl req -verify. It is present in 101i as well as a couple of older versions. I have not gone on a testing spree. This may be a semantic discussion, as it accurately verifies if the signature is correct, based on the data, but not if the data is correct.
The CSR below is actually invalid, but passes verify. It is constructed missing the CSR version number, which should always be 00. The ASN1 is done correctly but has an arbitrary silliness. The ASN1 looks like this:

0000: 30 82 02 b1 ; SEQUENCE (2b1 Bytes)
0004: 30 82 01 99 ; SEQUENCE (199 Bytes)
0008: | 02 00 ; INTEGER (0 Bytes)
000a: | 30 39 ; SEQUENCE (39 Bytes)

0008 should be 02 01, indicating a 1-byte value. Instead it calls out an int of 00 length, which is silly. That integer is the CSR version number from the CertificationRequestInfo sequence. This is section 4.1 of RFC 2986: http://tools.ietf.org/html/rfc2986

-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCADA5MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExDDAKBgNVBAoT
A0FMVTEPMA0GA1UEAxMGU2VHVzAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAsGpV5X0/KF3bw4RXfU/HPVNtxRvuB8q1CJFKv+avOJsZwW3ZvLLIxsyf
4WMO+viTbULxvK9om1JhCSDc0lKXM1S/k1dNIRBIYrEaoRuxrmKeM+Tu6xw9it8o
wZ0RSHJnNIZXZ74skra68uef0XuzPRw5ajn9VJq1ensHl8BWALL2CLyRGRi2DFV1
Nj+DtRZ4vhU8UwYo3F/4UJngIDgC4VCf6KpIw9N0elWzS59GBOZBF0tsTZuPiX3U
8dJrlg75kyys4NaH5nZG53qozLD+aEwhFm5EJtOTTLP3/Z60604ujs3n+s9EPNSL
oTXqJm710vCN+3cSgoDIgzRmkY4+vQIDAQABoDcwNQYJKoZIhvcNAQkOMSgwJjAk
BgNVHREEHTAbghkzZy5zbWFsbGNlbGwudC1tb2JpbGUuY29tMA0GCSqGSIb3DQEB
BQUAA4IBAQCpeHaB5gicHVdeKKmz8dwTlLzNNswRdxvRnft+cFedenYbIpQiB02x
QPNOK4dsO6rGfojxkwYktsZ7whcDsjwgJGzcu+822rVEuD3ifFLudcpvmTuqMHcq
mO5a/1kMVboc3sDk0hnO7OSqCRueTulCjNVCpudhIbhJzJC+MLt2pN5LYHB6dNJ+
1mq92CfsHD1COMwUMONjPUszXFkEvJBDgutYDEJlmMwvTkRSuc+5mUxHc3/R447p
8iDgWuXcsbbSkWhIJXJFbiwwhlZ8SpO19JUIGp6dgFBMPmqOvJJ3hokVrA472ZGO
mMPza1dnCjfkEszE4gN16ymOIPzKFKkt
-----END CERTIFICATE REQUEST-----

Cheers,

Mark Gamache
Directory and Security Services
425-302-8873
mark.gama...@t-mobile.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
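The structural check that the mail says req -verify skips, written out as a small strict DER walker. This is an added illustration, not OpenSSL code and not part of the mail: it decodes the CSR posted above, walks CertificationRequest -> CertificationRequestInfo -> version, and flags an INTEGER with zero content octets (X.690 8.3.1 requires at least one) as well as a version other than v1(0) (RFC 2986 section 4.1, which the mail says should encode as 02 01 00). The function names and the three tiny constructed SEQUENCEs used as comparison inputs are my own and are not real CSRs; only the Python standard library is assumed.

```python
import base64

# CSR copied from the mail above; its version INTEGER is encoded as 02 00.
CSR_FROM_MAIL = """-----BEGIN CERTIFICATE REQUEST-----
MIICtDCCAZwCADA5MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExDDAKBgNVBAoT
A0FMVTEPMA0GA1UEAxMGU2VHVzAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAsGpV5X0/KF3bw4RXfU/HPVNtxRvuB8q1CJFKv+avOJsZwW3ZvLLIxsyf
4WMO+viTbULxvK9om1JhCSDc0lKXM1S/k1dNIRBIYrEaoRuxrmKeM+Tu6xw9it8o
wZ0RSHJnNIZXZ74skra68uef0XuzPRw5ajn9VJq1ensHl8BWALL2CLyRGRi2DFV1
Nj+DtRZ4vhU8UwYo3F/4UJngIDgC4VCf6KpIw9N0elWzS59GBOZBF0tsTZuPiX3U
8dJrlg75kyys4NaH5nZG53qozLD+aEwhFm5EJtOTTLP3/Z60604ujs3n+s9EPNSL
oTXqJm710vCN+3cSgoDIgzRmkY4+vQIDAQABoDcwNQYJKoZIhvcNAQkOMSgwJjAk
BgNVHREEHTAbghkzZy5zbWFsbGNlbGwudC1tb2JpbGUuY29tMA0GCSqGSIb3DQEB
BQUAA4IBAQCpeHaB5gicHVdeKKmz8dwTlLzNNswRdxvRnft+cFedenYbIpQiB02x
QPNOK4dsO6rGfojxkwYktsZ7whcDsjwgJGzcu+822rVEuD3ifFLudcpvmTuqMHcq
mO5a/1kMVboc3sDk0hnO7OSqCRueTulCjNVCpudhIbhJzJC+MLt2pN5LYHB6dNJ+
1mq92CfsHD1COMwUMONjPUszXFkEvJBDgutYDEJlmMwvTkRSuc+5mUxHc3/R447p
8iDgWuXcsbbSkWhIJXJFbiwwhlZ8SpO19JUIGp6dgFBMPmqOvJJ3hokVrA472ZGO
mMPza1dnCjfkEszE4gN16ymOIPzKFKkt
-----END CERTIFICATE REQUEST-----"""

# Constructed comparison inputs (hypothetical, not real CSRs): just the leading
# TLVs a version check needs. "30 05 30 03 02 01 00" is how RFC 2986's v1 looks.
GOOD_VERSION = bytes.fromhex("30 05 30 03 02 01 00")
EMPTY_VERSION = bytes.fromhex("30 04 30 02 02 00")      # same defect as the mail
WRONG_VERSION = bytes.fromhex("30 05 30 03 02 01 01")   # well-formed, but v2


def read_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos].
    Returns (tag, content_length, content_start). Rejects the indefinite and
    non-minimal length forms, which DER forbids (X.690 10.1)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: length is the byte itself
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal length encoding is not DER")
    return tag, length, pos + 2 + n


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body (strict alphabet)."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def check_csr_version(der):
    """Walk CertificationRequest -> CertificationRequestInfo -> version and
    report everything a strict decoder should reject on the way."""
    problems = []
    tag, outer_len, pos = read_tlv(der, 0)
    if tag != 0x30 or pos + outer_len != len(der):
        problems.append("CertificationRequest is not a SEQUENCE spanning the whole buffer")
    tag, _info_len, pos = read_tlv(der, pos)
    if tag != 0x30:
        problems.append("CertificationRequestInfo is not a SEQUENCE")
    vtag, vlen, vpos = read_tlv(der, pos)
    content = der[vpos:vpos + vlen]
    if vtag != 0x02:
        problems.append("version is not an INTEGER")
    elif vlen == 0:
        problems.append("version INTEGER has zero content octets; X.690 8.3.1 requires at least one")
    elif vlen > 1 and content[0] == 0x00 and not content[1] & 0x80:
        problems.append("version INTEGER has a redundant leading zero (not DER)")
    elif content != b"\x00":
        value = int.from_bytes(content, "big", signed=True)
        problems.append("version is %d, but RFC 2986 only defines v1(0)" % value)
    return {"version_tag": vtag, "version_len": vlen, "problems": problems}


if __name__ == "__main__":
    samples = (("CSR from the mail", pem_to_der(CSR_FROM_MAIL)),
               ("constructed v1", GOOD_VERSION),
               ("constructed empty INTEGER", EMPTY_VERSION),
               ("constructed v2", WRONG_VERSION))
    for name, der in samples:
        report = check_csr_version(der)
        print("%-26s %s" % (name, "OK" if not report["problems"]
                                  else "; ".join(report["problems"])))
```

The walker stops at the version field on purpose; it is a pre-check to run before (not instead of) the signature verification, so that a structurally bad CertificationRequestInfo is reported even when the signature over those exact bytes is valid.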