Re: {Spam?} Invalid signature with PKCS11

2010-06-05 Thread Fares Gianluca
Thanks TIM, it works as expected.



On 6/5/10 2:20 AM, Tim Hudson t...@cryptsoft.com wrote:

 On 5/06/2010 12:56 AM, Fares Gianluca wrote:
 Hi all,
 I'm trying to figure out why my X509_REQ signature is always not verified.
 I'm using openssl-1.0.0 and gclib.dll provided by gemalto.
 
 It is helpful to actually provide a complete working example rather than just
 a subset. However in this case the simple fix to the code is to pass in the
 correct information to C_Sign:
 
 just change:
 if ((rv = (C_Sign(hSession, m, m_len, buf_out, outl))) != CKR_OK) {
 to the following:
 if ((rv = (C_Sign(hSession, p, inl, buf_out, outl))) != CKR_OK) {
 
 You can remove the manual digest calls in the block before that as they are
 not required.
 
 Basically the C_Sign operation wants the whole data passed to it (the request)
 and not a pre-calculated digest.
 
 After doing that the code will work on devices where that template is
 accepted.
 Generally you require additional information in the template when creating
 keys making it clear which of the various operations are permitted.
 
 http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the
 current version of the PKCS#11 standard which also helps when working with
 various vendor devices.
 
 The bad signature is a rather accurate and precise error return - you were
 presenting a signature for different data (a digest) for verification against
 the request.
 
 Tim.
 
 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

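To see why the original call failed, here is an added example (not the poster's code and not Gemalto's library) that models the two PKCS#11 mechanisms involved: a hash-and-sign mechanism such as CKM_SHA1_RSA_PKCS, where the token hashes the whole input itself, and a raw mechanism such as CKM_RSA_PKCS, where the caller supplies the DigestInfo block. The function names are hypothetical stand-ins for C_Sign with a given mechanism; the RSA key is a 512-bit toy generated in-process for illustration only, while the PKCS#1 v1.5 padding and SHA-1 DigestInfo prefix are the real encodings. Feeding a pre-computed digest to the hash-and-sign mechanism produces a valid signature over the digest bytes, which is exactly the "different data" the verifier then rejects.

```python
"""Toy model of two PKCS#11 signing mechanisms (added example; hypothetical
stand-ins, toy 512-bit RSA key, real PKCS#1 v1.5 and DigestInfo encodings)."""
import hashlib
import random

# DER DigestInfo header for SHA-1 (RFC 3447 section 9.2); the 20-byte digest follows it.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_key(seed=1):
    """Deterministic toy RSA key (n, e, d); constructed for the example, never for real use."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(256, rng), _gen_prime(256, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _key_len(n):
    return (n.bit_length() + 7) // 8


def _emsa_pkcs1_v15(block, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || block, padded to k bytes."""
    if len(block) > k - 11:
        raise ValueError("block too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(block) - 3) + b"\x00" + block


def sign_rsa_pkcs(priv, block):
    """Model of C_Sign with CKM_RSA_PKCS: caller supplies the DigestInfo block,
    the token only pads it and applies the private key."""
    n, _, d = priv
    k = _key_len(n)
    em = int.from_bytes(_emsa_pkcs1_v15(block, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def sign_sha1_rsa_pkcs(priv, data):
    """Model of C_Sign with CKM_SHA1_RSA_PKCS: the token hashes the whole input
    itself, wraps the digest in DigestInfo, pads and signs."""
    return sign_rsa_pkcs(priv, SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest())


def verify_sha1_rsa_pkcs(pub, data, sig):
    """What X509_REQ_verify does in effect: hash the request body with the
    signature algorithm's digest and compare with the recovered block."""
    n, e = pub
    k = _key_len(n)
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest(), k)
    return recovered == expected


def demo():
    """Reproduce the mistake from the thread and the fix."""
    n, e, d = generate_key()
    priv, pub = (n, e, d), (n, e)
    req = b"constructed stand-in for the DER-encoded CertificationRequestInfo"
    m = hashlib.sha1(req).digest()                  # the manually computed digest
    good = sign_sha1_rsa_pkcs(priv, req)            # C_Sign(hSession, p, inl, ...)
    bad = sign_sha1_rsa_pkcs(priv, m)               # C_Sign(hSession, m, m_len, ...)
    prehashed = sign_rsa_pkcs(priv, SHA1_DIGESTINFO_PREFIX + m)  # raw mechanism, used correctly
    return {
        "whole_data_verifies": verify_sha1_rsa_pkcs(pub, req, good),          # True
        "digest_input_verifies": verify_sha1_rsa_pkcs(pub, req, bad),         # False: token hashed the digest again
        "digest_input_signed_the_digest": verify_sha1_rsa_pkcs(pub, m, bad),  # True: valid signature, wrong data
        "raw_mechanism_matches": prehashed == good,                            # True: same DigestInfo, same signature
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry is the point worth remembering when a token only offers a raw mechanism: pre-hashing is fine, but the caller must then build the DigestInfo block and use CKM_RSA_PKCS, not hand bare digest bytes to a mechanism that hashes again.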

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-05 Thread jeff
I tested this with openssl 1.0.0. Error 34 is gone now but now error 47 shows
up which shows the name constraint is being applied. However, it's being
applied or verified in a way that I don't understand.
To show you I have simplified the test. Generating only one end
certificate and specifying one very simple name constraint.
The name constraint is chosen in a way to eliminate any guesswork and
unspecified matching requirements.

Here is some relevant output. The test scripts are attached.

Command output:
$ ./testnameconst.sh 2>/dev/null
OpenSSL 1.0.0a 1 Jun 2010
error 47 at 0 depth lookup:permitted subtree violation
ERROR: Good cert should have been verified but it didn't

End entity (Good) cert:
Version: 3 (0x2)
Serial Number: 17 (0x11)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, CN=SUB CA
Subject: O=good, CN=Good
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage: 
TLS Web Client Authentication


subCA cert:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Root CA, C=US
Validity
Not Before: Jun  5 03:10:07 2010 GMT
Not After : Jun  5 03:10:07 2011 GMT
Subject: C=US, ST=NY, O=SubCa, CN=SubCA

X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Name Constraints: critical
Permitted:
  DirName: CN = Good, O = good



This email contains Morega Systems Inc. Privileged and Confidential information.

# OpenSSL configuration file for NameConstraint Test
#

HOME= .
RANDFILE= $ENV::HOME/.rnd

[ ca ]
default_ca  = CA_default

[ CA_default ]
dir = .
new_certs_dir   = $dir/
crl_dir = $dir/
database= $dir/index
certificate = $dir/rootcacert.pem
serial  = $dir/serial
private_key = $dir/rootcakey.pem
RANDFILE= $dir/.rand
x509_extensions = cert_ext
unique_subject  = no
name_opt= ca_default
cert_opt= ca_default
default_crl_days= 30
default_days= 365
default_md  = sha1
preserve= no
policy  = policy_default
email_in_dn = no
msie_hack   = no
copy_extensions = none

[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ req ]
default_bits= 1024
default_keyfile = ./rootcakey.pem
default_md  = sha1
prompt  = no
distinguished_name  = root_ca_distinguished_name
string_mask = nombstr

[ root_ca_distinguished_name ]
commonName = Root CA
countryName = US

[ cert_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = critical,CA:FALSE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage=clientAuth

[ root_ca_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE

[ trusted_ca_ext ]
# Extensions for the Sub CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE,pathlen:0
nameConstraints = critical,@name_const_section

[ name_const_section ]
#excluded;dirName=excluded_trust_ca_DN
permitted;dirName=permitted_trust_ca_DN

[ excluded_trust_ca_DN ]
O=bad

[ permitted_trust_ca_DN ]
CN=Good
O=good
# OpenSSL configuration file for NameConstraint Test
#

HOME= .
RANDFILE= $ENV::HOME/.rnd

[ ca ]
default_ca  = SUBCA_default

[ SUBCA_default ]
dir = .
new_certs_dir   = $dir/
crl_dir = $dir/
database= $dir/subcaindex
certificate = $dir/subcacert.pem
serial  = $dir/subcaserial
private_key = $dir/subcakey.pem
RANDFILE= $dir/.rand
x509_extensions = cert_ext
unique_subject  = no
name_opt= ca_default
cert_opt= ca_default
default_crl_days= 30
default_days= 365
default_md  = sha1
preserve= no
policy  = policy_default
email_in_dn = no
msie_hack   = no
copy_extensions = none

[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

[ req ]
default_bits= 1024
default_keyfile = ./subcakey.pem
default_md  = sha1
prompt   

Re: NameConstraints are not being applied (or I don't know how to enforce them?)

2010-06-05 Thread jeff
I did a little debugging and managed to fix it on my end.
The issue is now resolved. There's nothing wrong with OpenSSL 1.0.0's
handling of nameConstraints. It just Rocks!

For those who might run into the same problem, I'll explain more.

Debugging revealed the problem to be in the following area:

Breakpoint 2, nc_dn (nm=0x8269a98, base=0x8268b38) at v3_ncons.c:378
378 {
(gdb) p nm->canon_enc
$5 = (unsigned char *) 0x826a590 "1\r0\v\006\003U\004\n\f\004good1\r0\v\006\003U\004\003\f\004good"
(gdb) p base->canon_enc
$6 = (unsigned char *) 0x826aab0 "1\r0\v\006\003U\004\003\f\004good1\r0\v\006\003U\004\n\f\004good"
(gdb) n
386 if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
(gdb) n
387 return X509_V_ERR_PERMITTED_VIOLATION;
(gdb)

The above shows that the provided DN and the allowed one seem out of
order. Look at $5 and $6.
So I took another look at the target cert and the nameConstraint in the
signing cert:
   X509v3 Name Constraints: critical
 Permitted:
   DirName: CN = Good, O = good


 Subject: O=good, CN=Good

Look how the order of CN and O is transposed in these entries.
Now whether that is legitimate or not, it remains.
Regardless, as soon as I fixed my nameConstraint to:
[ permitted_trust_ca_DN ]
O=good
CN=Good
The problem went away.

I revised my script to have a good test case and a failed one.
The latest are attached for those who may benefit from this.
Thanks to Victor Duchovni and Dr. Stephen Henson for providing guidance and 
help.
jeff


On Sat, 2010-06-05 at 20:27 -0400, jeff wrote:
 I tested this with openssl 1.0.0. Error 34 is gone now but now error 47 shows
 up which shows the name constraint is being applied. However, it's being
 applied or verified in a way that I don't understand.
 To show you I have simplified the test. Generating only one end
 certificate and specifying one very simple name constraint.
 The name constraint is chosen in a way to eliminate any guesswork and
 unspecified matching requirements.
 
 Here is some relevant output. The test scripts are attached.
 
 Command output:
 $ ./testnameconst.sh 2>/dev/null
 OpenSSL 1.0.0a 1 Jun 2010
 error 47 at 0 depth lookup:permitted subtree violation
 ERROR: Good cert should have been verified but it didn't
 
 End entity (Good) cert:
 Version: 3 (0x2)
 Serial Number: 17 (0x11)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=US, CN=SUB CA
 Subject: O=good, CN=Good
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:FALSE
 X509v3 Key Usage: critical
 Digital Signature, Key Encipherment, Key Agreement
 X509v3 Extended Key Usage: 
 TLS Web Client Authentication
 
 
 subCA cert:
 Version: 3 (0x2)
 Serial Number: 1 (0x1)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: CN=Root CA, C=US
 Validity
 Not Before: Jun  5 03:10:07 2010 GMT
 Not After : Jun  5 03:10:07 2011 GMT
 Subject: C=US, ST=NY, O=SubCa, CN=SubCA
 
 X509v3 extensions:
 X509v3 Key Usage: critical
 Certificate Sign, CRL Sign
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 
 
 




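The gdb session above and the error 47 in the earlier message both come down to how OpenSSL's nc_dn() compares a dirName constraint with a subject: it compares the canonical encodings of the two names and requires the constraint to be a byte prefix of the subject, so the order of RDNs is significant. The following is an added example (not OpenSSL's source) that rebuilds those canonical bytes for the two names in the thread and runs the same prefix check. It assumes a simplified version of OpenSSL's string canonicalisation (lowercase, whitespace collapsed, UTF8String) and only the CN and O attribute types; for the values in this thread that is enough to reproduce the `$5` and `$6` byte strings exactly.

```python
"""Model of OpenSSL's canonical X509_NAME encoding and the nc_dn() prefix check
(added example, not OpenSSL's code; simplified canonicalisation, CN and O only)."""

# DER-encoded attribute type OIDs: 2.5.4.3 = commonName, 2.5.4.10 = organizationName
OIDS = {"CN": bytes.fromhex("550403"), "O": bytes.fromhex("55040a")}

X509_V_OK = 0
X509_V_ERR_PERMITTED_VIOLATION = 47  # "error 47 ... permitted subtree violation"


def _der(tag, content):
    """Minimal DER TLV with definite-length encoding (short and long form)."""
    ln = len(content)
    if ln < 0x80:
        length = bytes([ln])
    else:
        raw = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _canon_value(value):
    """Approximation of OpenSSL's canonical string form: collapse whitespace, lowercase."""
    return " ".join(value.split()).lower()


def canon_encode(rdns):
    """rdns: list of (type, value) pairs in the order they appear in the name.
    Returns OpenSSL's canonical encoding: each RDN as SET { SEQUENCE { OID,
    UTF8String } }, concatenated, with the outer SEQUENCE header dropped."""
    out = b""
    for typ, val in rdns:
        atv = _der(0x30, _der(0x06, OIDS[typ]) + _der(0x0C, _canon_value(val).encode()))
        out += _der(0x31, atv)  # single-valued RDN: a SET holding one AttributeTypeAndValue
    return out


def nc_dn(subject, base):
    """Mirror of the check at v3_ncons.c:386 in the gdb session: the constraint's
    canonical bytes must be a prefix of the subject's canonical bytes."""
    nm, b = canon_encode(subject), canon_encode(base)
    if len(b) > len(nm):
        return X509_V_ERR_PERMITTED_VIOLATION
    if nm[: len(b)] != b:
        return X509_V_ERR_PERMITTED_VIOLATION
    return X509_V_OK


def parse_oneline(text):
    """Parse the one-line form printed by `openssl x509 -text`, e.g. "CN = Good, O = good"."""
    return [tuple(part.strip() for part in item.split("=", 1)) for item in text.split(",")]


def demo():
    subject = parse_oneline("O=good, CN=Good")          # Subject of the "Good" end-entity cert
    first_constraint = parse_oneline("CN = Good, O = good")  # constraint as first written
    fixed_constraint = parse_oneline("O = good, CN = Good")  # constraint after the fix
    return {
        "subject_canon": canon_encode(subject),          # the bytes gdb printed as $5
        "constraint_canon": canon_encode(first_constraint),  # the bytes gdb printed as $6
        "first_constraint": nc_dn(subject, first_constraint),  # 47
        "fixed_constraint": nc_dn(subject, fixed_constraint),  # 0
        "prefix_only": nc_dn(subject, [("O", "good")]),  # 0: a shorter constraint matches as a prefix
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two practical consequences follow from the prefix rule: a permitted dirName must list its RDNs in the same order the CA will actually put them in issued subjects, and a shorter constraint (just `O=good`) permits every subject that starts with that RDN, which is usually what a subtree constraint is meant to express.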