I was messing around with (self-signed) certificate creation/signing
and ran into this. The following two certificates are the same except
for the serial number: "with_serial" has a serial number that is zero,
and "no_serial" does not have any serial number.

The "with_serial" certificate verifies OK, but the "no_serial" one
fails verification with "certificate signature failure."

Is this expected?

If not: I thought the signing is applied to the entire blob of data,
so with or without the serial number, the signing code wouldn't know
or care to know, so it's probably not a signing problem. Then is it a
verification problem?

Not that this is causing problems for me. Just curious.

Thanks.

arch [apps]$ ./openssl version
OpenSSL 0.9.8g 19 Oct 2007
arch [apps]$
arch [apps]$ ./openssl verify -CAfile /tmp/with_serial.pem /tmp/with_serial.pem
/tmp/with_serial.pem: OK
arch [apps]$
arch [apps]$ ./openssl verify -CAfile /tmp/no_serial.pem /tmp/no_serial.pem
/tmp/no_serial.pem: /CN=test
error 7 at 0 depth lookup:certificate signature failure
15143:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:235:
15143:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:
arch [apps]$
arch [apps]$ ./openssl asn1parse -in /tmp/with_serial.pem
    0:d=0  hl=4 l= 268 cons: SEQUENCE
    4:d=1  hl=3 l= 183 cons: SEQUENCE
    7:d=2  hl=2 l=   3 cons: cont [ 0 ]
    9:d=3  hl=2 l=   1 prim: INTEGER           :02
   12:d=2  hl=2 l=   1 prim: INTEGER           :00
   15:d=2  hl=2 l=  13 cons: SEQUENCE
   17:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   28:d=3  hl=2 l=   0 prim: NULL
   30:d=2  hl=2 l=  15 cons: SEQUENCE
   32:d=3  hl=2 l=  13 cons: SET
   34:d=4  hl=2 l=  11 cons: SEQUENCE
   36:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   41:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :test
   47:d=2  hl=2 l=  30 cons: SEQUENCE
   49:d=3  hl=2 l=  13 prim: UTCTIME           :040722175719Z
   64:d=3  hl=2 l=  13 prim: UTCTIME           :130123152135Z
   79:d=2  hl=2 l=  15 cons: SEQUENCE
   81:d=3  hl=2 l=  13 cons: SET
   83:d=4  hl=2 l=  11 cons: SEQUENCE
   85:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   90:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :test
   96:d=2  hl=2 l=  92 cons: SEQUENCE
   98:d=3  hl=2 l=  13 cons: SEQUENCE
  100:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  111:d=4  hl=2 l=   0 prim: NULL
  113:d=3  hl=2 l=  75 prim: BIT STRING
  190:d=1  hl=2 l=  13 cons: SEQUENCE
  192:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  203:d=2  hl=2 l=   0 prim: NULL
  205:d=1  hl=2 l=  65 prim: BIT STRING
arch [apps]$
arch [apps]$ ./openssl asn1parse -in /tmp/no_serial.pem
    0:d=0  hl=4 l= 267 cons: SEQUENCE
    4:d=1  hl=3 l= 182 cons: SEQUENCE
    7:d=2  hl=2 l=   3 cons: cont [ 0 ]
    9:d=3  hl=2 l=   1 prim: INTEGER           :02
   12:d=2  hl=2 l=   0 prim: INTEGER           :00
   14:d=2  hl=2 l=  13 cons: SEQUENCE
   16:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   27:d=3  hl=2 l=   0 prim: NULL
   29:d=2  hl=2 l=  15 cons: SEQUENCE
   31:d=3  hl=2 l=  13 cons: SET
   33:d=4  hl=2 l=  11 cons: SEQUENCE
   35:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   40:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :test
   46:d=2  hl=2 l=  30 cons: SEQUENCE
   48:d=3  hl=2 l=  13 prim: UTCTIME           :040722175719Z
   63:d=3  hl=2 l=  13 prim: UTCTIME           :130123152135Z
   78:d=2  hl=2 l=  15 cons: SEQUENCE
   80:d=3  hl=2 l=  13 cons: SET
   82:d=4  hl=2 l=  11 cons: SEQUENCE
   84:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   89:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :test
   95:d=2  hl=2 l=  92 cons: SEQUENCE
   97:d=3  hl=2 l=  13 cons: SEQUENCE
   99:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  110:d=4  hl=2 l=   0 prim: NULL
  112:d=3  hl=2 l=  75 prim: BIT STRING
  189:d=1  hl=2 l=  13 cons: SEQUENCE
  191:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  202:d=2  hl=2 l=   0 prim: NULL
  204:d=1  hl=2 l=  65 prim: BIT STRING
arch [apps]$
arch [apps]$ cat /tmp/with_serial.pem
-----BEGIN CERTIFICATE-----
MIIBDDCBt6ADAgECAgEAMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMTBHRlc3Qw
HhcNMDQwNzIyMTc1NzE5WhcNMTMwMTIzMTUyMTM1WjAPMQ0wCwYDVQQDEwR0ZXN0
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFAze8BSQUyQvvwbWw86Jh7wwOsTAMa
cc8uKQ3ZCgR9CnsvMgsSfHR9XPLzcGkXwuUIDGQ8QWPqNp9g76xqy/kCAwEAATAN
BgkqhkiG9w0BAQUFAANBAHtxTN9bC7jCJDs9iKBE7O2U4jMlLievUR3YgWsrfxVJ
k1v/vXdL4H8/+QndErV8Bl8AavnsjQjFgfPiOs3pi70=
-----END CERTIFICATE-----
arch [apps]$
arch [apps]$ cat /tmp/no_serial.pem
-----BEGIN CERTIFICATE-----
MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe
Fw0wNDA3MjIxNzU3MTlaFw0xMzAxMjMxNTIxMzVaMA8xDTALBgNVBAMTBHRlc3Qw
XDANBgkqhkiG9w0BAQEFAANLADBIAkEAsUDN7wFJBTJC+/BtbDzomHvDA6xMAxpx
zy4pDdkKBH0Key8yCxJ8dH1c8vNwaRfC5QgMZDxBY+o2n2DvrGrL+QIDAQABMA0G
CSqGSIb3DQEBBQUAA0EAiWk2QM5lxijnjQE/D/tsoWf0LZvPIuPC7laTUFUrAIKr
JbkAQ9rrf33pf+7JIhiJIgFxVVgOv2PXYKPWC7duUA==
-----END CERTIFICATE-----
arch [apps]$
arch [apps]$ ./openssl x509 -noout -fingerprint -in /tmp/with_serial.pem
SHA1 Fingerprint=C5:DE:16:61:DC:92:2D:47:A6:5F:E0:97:61:2E:AA:D7:BF:91:2E:35
arch [apps]$
arch [apps]$ ./openssl x509 -noout -fingerprint -in /tmp/no_serial.pem
SHA1 Fingerprint=A3:34:61:FE:5C:B7:FA:A1:40:43:5D:AC:16:8F:AF:98:CD:76:1C:2D
arch [apps]$

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
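Added example (not part of the original post, standard library only): a small DER walker that locates the serialNumber INTEGER in each of the two certificates quoted above and reports encoding violations. X.690 requires an INTEGER to carry at least one content octet, so the "02 00" at offset 12 of no_serial.pem is not valid DER even though a lenient parser reads it as zero; a verifier that re-serialises the parsed tbsCertificate before checking the signature would then hash different bytes from the ones that were signed, which is one plausible reading of the failure (an assumption, not something the post confirms).

```python
import base64

# Base64 bodies of the two certificates quoted in the post (with_serial.pem, no_serial.pem).
WITH_SERIAL = (
    "MIIBDDCBt6ADAgECAgEAMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMTBHRlc3Qw"
    "HhcNMDQwNzIyMTc1NzE5WhcNMTMwMTIzMTUyMTM1WjAPMQ0wCwYDVQQDEwR0ZXN0"
    "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFAze8BSQUyQvvwbWw86Jh7wwOsTAMa"
    "cc8uKQ3ZCgR9CnsvMgsSfHR9XPLzcGkXwuUIDGQ8QWPqNp9g76xqy/kCAwEAATAN"
    "BgkqhkiG9w0BAQUFAANBAHtxTN9bC7jCJDs9iKBE7O2U4jMlLievUR3YgWsrfxVJ"
    "k1v/vXdL4H8/+QndErV8Bl8AavnsjQjFgfPiOs3pi70="
)
NO_SERIAL = (
    "MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe"
    "Fw0wNDA3MjIxNzU3MTlaFw0xMzAxMjMxNTIxMzVaMA8xDTALBgNVBAMTBHRlc3Qw"
    "XDANBgkqhkiG9w0BAQEFAANLADBIAkEAsUDN7wFJBTJC+/BtbDzomHvDA6xMAxpx"
    "zy4pDdkKBH0Key8yCxJ8dH1c8vNwaRfC5QgMZDxBY+o2n2DvrGrL+QIDAQABMA0G"
    "CSqGSIb3DQEBBQUAA0EAiWk2QM5lxijnjQE/D/tsoWf0LZvPIuPC7laTUFUrAIKr"
    "JbkAQ9rrf33pf+7JIhiJIgFxVVgOv2PXYKPWC7duUA=="
)

def read_tlv(buf, pos):
    """Return (tag, header_len, content_len) of the TLV at pos; long-form lengths supported."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def check_serial(b64):
    """Walk to the serialNumber INTEGER and report DER violations; offsets match 'openssl asn1parse'."""
    der = base64.b64decode(b64)
    _, hl, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    pos = hl
    _, hl, _ = read_tlv(der, pos)          # tbsCertificate SEQUENCE
    pos += hl
    tag, hl, length = read_tlv(der, pos)
    if tag == 0xA0:                        # skip the optional [0] EXPLICIT version
        pos += hl + length
        tag, hl, length = read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber at offset %d" % pos)
    value = der[pos + hl:pos + hl + length]
    problems = []
    if length == 0:
        problems.append("zero-length INTEGER: DER requires at least one content octet")
    elif length > 1 and value[0] == 0x00 and value[1] < 0x80:
        problems.append("non-minimal INTEGER: redundant leading 0x00 octet")
    elif value[0] & 0x80:
        problems.append("negative serial number: RFC 5280 requires a positive INTEGER")
    return {"offset": pos, "length": length, "serial": value.hex(), "problems": problems}
```

check_serial(WITH_SERIAL) reports the one-octet serial "00" at offset 12 with no problems; check_serial(NO_SERIAL) reports a zero-length INTEGER at the same offset, matching the "l= 0" line in the asn1parse output above.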