Hi Marc,
On 30.03.2011 at 23:26, Marc Posch wrote:
> I also got hold of the input- and output files, they are attached.
>
> The output openca-sv generates seems to be:
> [Error]: Digest mismatch. Signature is wrong.
>
> What can be wrong?
thanks for the detailed debugging output. I reproduced the error and added the
-verbose flag. The result confirms my suspicion that the verify command was
missing either the cert chain or the trust anchor:
$ openca-sv verify -data openxpkigFRhUb.txt -in openxpkiAhYhyo.txt -verbose
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:0 serial:02DF687F2ADC4D88CAFF subject:UID=raop+CN=RA Operator,DC=Test
Deployment,DC=OpenXPKI,DC=org
error:20:unable to get local issuer certificate
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1
[Error]: Digest mismatch. Signature is wrong.
This indicates that you have not configured the Root CA certificates which are
considered as trusted for signature verification.
In your certificate signing request activity configuration file
(workflow_activity_certificate_signing_request.xml) you should find a section
that looks like:
<action name="I18N_OPENXPKI_WF_ACTION_APPROVE_CSR"
        class="OpenXPKI::Server::Workflow::Activity::Tools::Approve"
        pkcs7tool="testsceppkcs7tool1"
        multi_role_approval="0"
        check_creator="0">
  <!-- if multi_role_approval is set to 1, a user is allowed
       to approve the certificate request with different
       session roles -->
  <field name="_check_hash"/>
  <field name="_signature"/>
  <field name="_signature_text"/>
  <validator name="ValidApprovalSignatureCSR">
    <arg>$_signature</arg>
    <arg>$_signature_text</arg>
  </validator>
</action>
Without having tested this (we currently do not use signed approvals here), you
should change this to something like this:
...
<validator name="ValidApprovalSignatureCSR"
           pkcs7tool="testsceppkcs7tool1"
           signature_required="1"
           trust_anchors="REPLACEME">
  <arg>$_signature</arg>
  <arg>$_signature_text</arg>
</validator>
...
In the above configuration use the same pkcs7tool value as in the action
definition above.
Setting "signature_required" to 1 disables unsigned signatures (your decision).
The trust_anchors value can either be a comma separated list of certificate
identifiers you explicitly trust (e.g. all cert identifiers of your trusted
Root CA certificates) or a Realm name (same as in the config.xml realm
definition).
If you specify a Realm name, the validation implicitly trusts all CAs within
this Realm. This is what I suggest to do.
Hope this helps,
Martin
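The failure and its fix, traced with plain openssl(1) instead of openca-sv, as an added example that is not part of Martin's reply: a PKCS#7 signature whose chain cannot be built (X.509 error 20, "unable to get local issuer certificate") when no trust anchor is given, and which verifies once the Root CA is passed as the anchor. The CA, signer name, file paths and signed data are throwaway values made up for the demonstration; only openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the OpenXPKI post above): reproduce the
# "unable to get local issuer certificate" failure with plain openssl(1) and
# show that supplying the trust anchor makes the very same signature verify.
# Assumes openssl is on PATH; the PKI and data below are throwaway, made here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a Root CA and an "RA Operator" signer certificate it issued.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=RA Operator" \
        -keyout "$WORK/ra.key" -out "$WORK/ra.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ra.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/ra.pem" 2>/dev/null
    printf 'approve csr 42\n' > "$WORK/data.txt"
    # PKCS#7 signature carrying the content and the signer cert, but not the CA:
    # the verifier has to find the issuer in its own trust anchors.
    openssl smime -sign -nodetach -in "$WORK/data.txt" -signer "$WORK/ra.pem" \
        -inkey "$WORK/ra.key" -outform PEM -out "$WORK/sig.p7" 2>/dev/null
}

# verify_signature [trust_anchor.pem]: prints "verified" on success, otherwise
# the X.509 verify reason OpenSSL reported (what openca-sv shows as error:20).
verify_signature() {
    [ $# -eq 0 ] || set -- -CAfile "$1"
    if openssl smime -verify -in "$WORK/sig.p7" -inform PEM -out /dev/null "$@" \
        2>"$WORK/err.txt"; then
        echo verified
    else
        grep -o 'Verify error:.*' "$WORK/err.txt" | head -n 1
    fi
}

setup_pki
echo "without trust anchor: $(verify_signature)"
echo "with trust anchor:    $(verify_signature "$WORK/ca.pem")"
```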
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users