Hi,

I don't agree: from the error description (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that OpenSSL loaded the certificate but the X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.

Actually, reading the certificate dump shows that the problem is coming from the certificate Key Usage: it MUST NOT contain Key Encipherment. So, to resolve your problem, set the Key Usage to ONLY Digital Signature, Non Repudiation.

I hope this will help.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
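A way to check a candidate certificate before pointing mod_tsa at it, as an added example that is not from the thread: the script below builds two self-signed test certificates with openssl, one carrying the Key Usage from the dump below (with Key Encipherment) and one with only Digital Signature and Non Repudiation, both with a critical Time Stamping extended key usage, and uses "openssl x509 -purpose" to show which one X509_check_purpose accepts as a TSA signer. It assumes an openssl binary on PATH; the subject name and file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build two self-signed test certificates,
# one with the Key Usage from the posted dump and one with the corrected one, and
# let OpenSSL itself report whether X509_PURPOSE_TIMESTAMP_SIGN accepts them.
# Assumes an "openssl" binary is on PATH; subject and file names are made up.
set -eu

WORK=$(mktemp -d)

# Two extension sections: "bad_tsa" mirrors the posted certificate (Key
# Encipherment present), "good_tsa" keeps only Digital Signature and Non
# Repudiation; both mark extendedKeyUsage=timeStamping critical, as RFC 3161
# requires.
cat > "$WORK/tsa.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = tsscompany
[ bad_tsa ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = critical, timeStamping
[ good_tsa ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, timeStamping
EOF

# make_cert <extension-section> <out.pem>: self-signed cert with those extensions
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/tsa.cnf" -extensions "$1" \
        -keyout "$WORK/$1.key" -out "$2" >/dev/null 2>&1
}

# tsa_purpose_ok <cert.pem>: succeeds iff "openssl x509 -purpose" reports
# "Time Stamp signing : Yes", i.e. X509_check_purpose(cert, TIMESTAMP_SIGN, 0)
# returned 1, the same call mod_tsa makes at ts_rsp_sign.c:206
tsa_purpose_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^Time Stamp signing : Yes$'
}

make_cert bad_tsa  "$WORK/bad.pem"
make_cert good_tsa "$WORK/good.pem"

tsa_purpose_ok "$WORK/bad.pem"  && echo "bad.pem accepted (unexpected)" || echo "bad.pem rejected"
tsa_purpose_ok "$WORK/good.pem" && echo "good.pem accepted" || echo "good.pem rejected (unexpected)"
```

Running the same "openssl x509 -in tss.pem -noout -purpose" against the real tss.pem tells you, without starting Apache, whether mod_tsa will accept it.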

On 2/22/2011 2:40 PM, Patrick Patterson wrote:
Hi Yessica:

That error is fairly straightforward - it can't load the cert (meaning, it can't even load the file).

Have you made sure that the permissions are correct? Are you absolutely sure 
that you have the right cert in the right location?

Have fun.

Patrick.

On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

Hi!
This is the new certificate:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             d8:e6:a3:f6:22:c7:a4:0b
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
         Validity
             Not Before: Feb 21 20:15:08 2011 GMT
             Not After : Feb 21 20:15:08 2012 GMT
         Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
             X509v3 Authority Key Identifier:
                 keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76

             X509v3 Subject Alternative Name:
                 email:t...@company.com
             X509v3 Extended Key Usage: critical
                 Time Stamping
     Signature Algorithm: sha1WithRSAEncryption

And this is the error:
[Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: /usr/local/ssl/misc/demoCA/tss.pem
[Mon Feb 21 20:15:37 2011] [error] mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
[Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa initialisation.

Thanks!!!

2011/2/21 Jaroslav Imrich<jaroslav.imr...@gmail.com>
Hello Yessica,

please post the new certificate and the exact error you're getting.

--

Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk



On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao<yessima...@gmail.com>  
wrote:
hello!!!
Thanks for the response!

Yes, I needed the extension to be Time Stamping; however, when I load the sample certificate from the OpenTSA page, it continues to show me the same error. I created a certificate with the correct extension and it likewise gives me an error.

I really do not know what may be happening.

Thank you very much!



2011/2/18 Jaroslav Imrich<jaroslav.imr...@gmail.com>
Hello Yessica,


this line in your logs tells you where the error occurred:


[Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:

When you look into the source code of the openssl ts module - 
http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 - 
you can see that line 206 contains the following code:

         if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
                 {
                 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
                       TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
                 return 0;
                 }

That means loading of the TSA certificate failed because of incorrect extensions.

The certificate you posted has a critical mark on "X509v3 Subject Alternative Name", which is 
completely wrong in this case. It is "Time Stamping" that has to be marked as critical.


--
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jariq.sk



--
Saludos!
Yessica De Ascencao
0426-7142582



--
Saludos!
Yessica De Ascencao
0426-7142582
---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
