Hi all,
I have two X.509 certificates MUPCAGradjani.crt and MUPCARoot.crt
downloaded from http://ca.mup.gov.rs/sertifikati-lat.html
Certificate path is MUPCARoot > MUPCAGradjani and I would like to
validate MUPCAGradjani against the other. What I did is to convert both
to PEM format and rename them by hash as efd6650d.0 (Gradjani) and
fc5fe32d.0 (Root) using this script:

#!/bin/bash
# Convert a DER certificate ($1) to PEM, named <subject-hash>.0 for -CApath lookup
hash=$(openssl x509 -in "$1" -inform DER -noout -hash)
echo "Saving $1 as $hash.0"
openssl x509 -in "$1" -inform DER -out "$hash.0" -outform PEM

Now I run:

$ openssl verify -CApath . efd6650d.0
error 7 at 0 depth lookup:certificate signature failure
16206:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
16206:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:

Hm, that is not working. What am I doing wrong here?
I am running OpenSSL 0.9.8k 25 Mar 2009 on Ubuntu 10.04 GNU/Linux. I
also have my personal certificate issued by MUPCAGradjani that I would
like to verify but it is failing with the same error (just one level
down):

$ openssl verify -CApath . qualified.pem
qualified.pem: /CN=MUPCA Gradjani/O=MUP Republike Srbije/L=Beograd/C=Republika Srbija (RS)
error 7 at 1 depth lookup:certificate signature failure
16258:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
16258:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:

When I install the downloaded certificates in Windows using Internet
Explorer and double-click on my personal certificate (qualified.cer), it
looks valid. I am not sure, but I believe it is doing certificate chain
validation so the certificates and paths should be valid. After all they
are issued by a trustful CA.

Output of "openssl x509 -nameopt multiline,utf8,-esc_msb -noout -text
-in $1" looks reasonable for both downloaded certificates and is the
same before and after conversion to PEM (using -inform DER in the first
case). My take on this is that I am not doing the conversion properly or
maybe the original certificates are in some other format requiring an extra
argument, but I cannot find an answer in the docs.

How can I properly validate an X.509 certificate from
http://ca.mup.gov.rs/sertifikati-lat.html by certificate chain?

Kind regards,
Goran
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
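
As a control for the procedure in the message above, this added example (not part of the original post and not OpenSSL project code) runs the same DER-to-PEM hash renaming and `openssl verify -CApath` on a constructed two-level chain. The "Demo Root" and "Demo Issuing CA" names, the file names and the helper functions are assumptions made for the demo.

```shell
#!/bin/bash
# Added example; "Demo Root", "Demo Issuing CA" and all file names are constructed.

# Build a root and a CA certificate signed by it, saved as DER like downloaded .crt files.
build_demo_chain() {
    local d="$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Demo Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Issuing CA' -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/ca.pem" 2>/dev/null &&
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.crt" &&
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.crt"
}

# The step from the post: convert DER to PEM, stored as <subject-hash>.0 in the CApath directory.
install_by_hash() {
    local der="$1" capath="$2" hash
    hash=$(openssl x509 -in "$der" -inform DER -noout -hash) || return 1
    openssl x509 -in "$der" -inform DER -out "$capath/$hash.0" -outform PEM || return 1
    echo "$capath/$hash.0"
}

# -CApath looks an issuer up by name hash: child issuer hash must equal parent subject hash.
links_to() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = "$(openssl x509 -in "$2" -noout -hash)" ]
}

# openssl verify reports success as "<file>: OK"; anything else counts as failure here.
verify_ok() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

main() {
    local work root ca
    work=$(mktemp -d) && mkdir "$work/certs" && build_demo_chain "$work" || return 1
    root=$(install_by_hash "$work/root.crt" "$work/certs")
    ca=$(install_by_hash "$work/ca.crt" "$work/certs")
    links_to "$ca" "$root" && echo "issuer hash of CA matches subject hash of root"
    verify_ok "$work/certs" "$ca" && echo "chain verifies with -CApath"
    rm -rf "$work"
}
if [ "${1:-}" = "demo" ]; then main; fi
```

Run it with the argument `demo` on the same OpenSSL build that is used for the real certificates; a pass shows that the hash-directory procedure works on that build.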