Re: {Spam?} Invalid signature with PKCS11
Thanks TIM, it works as expected.

On 6/5/10 2:20 AM, Tim Hudson t...@cryptsoft.com wrote:

> On 5/06/2010 12:56 AM, Fares Gianluca wrote:
>> Hi all,
>> I'm trying to figure out why my X509_REQ signature is always not verified.
>> I'm using openssl-1.0.0 and gclib.dll provided by gemalto.
>
> It is helpful to actually provide a complete working example rather than just a subset.
>
> However in this case the simple fix to the code is to pass in the correct information to C_Sign: just change:
>
>     if ((rv = (C_Sign(hSession, m, m_len, buf_out, outl))) != CKR_OK) {
>
> to the following:
>
>     if ((rv = (C_Sign(hSession, p, inl, buf_out, outl))) != CKR_OK) {
>
> You can remove the manual digest calls in the block before that as they are not required.
>
> Basically the C_Sign operation wants the whole data passed to it (the request) and not a pre-calculated digest.
>
> After doing that the code will work on devices where that template is accepted. Generally you require additional information in the template when creating keys making it clear which of the various operations are permitted.
>
> http://www.cryptsoft.com/pkcs11doc/v220/ contains the documentation for the current version of the PKCS#11 standard which also helps when working with various vendor devices.
>
> The bad signature is a rather accurate and precise error return - you were presenting a signature for different data (a digest) for verification against the request.
>
> Tim.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
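The mismatch Tim describes above, as an added self-contained C model that is not code from the thread: it assumes the token's C_Sign was running a hash-and-sign mechanism, so a caller that digests first ends up with a signature over a digest of a digest. `toy_hash` (FNV-1a), the textbook RSA key and every function name are constructed stand-ins, not PKCS#11 or OpenSSL calls.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key: N = 65537 * 65521, E * D = 1 mod (65536 * 65520). */
#define TOY_N 4294049777ULL
#define TOY_E 17ULL
#define TOY_D 2020667633ULL

/* Stand-in digest (32-bit FNV-1a), not a real cryptographic hash. */
static uint32_t toy_hash(const unsigned char *p, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

/* Model of C_Sign under a hash-and-sign mechanism: it digests its input. */
static uint64_t token_sign(const unsigned char *data, size_t len) {
    return modpow(toy_hash(data, len) % TOY_N, TOY_D, TOY_N);
}

/* Verifier: recover the signed digest and compare it with H(request). */
static int verify_request(const unsigned char *req, size_t len, uint64_t sig) {
    return modpow(sig, TOY_E, TOY_N) == toy_hash(req, len) % TOY_N;
}

/* Original call pattern: digest first, then pass the digest to the token. */
static uint64_t sign_predigested(const unsigned char *req, size_t len) {
    uint32_t m = toy_hash(req, len);
    return token_sign((const unsigned char *)&m, sizeof m); /* H(H(req)) */
}

/* Corrected call pattern: pass the whole request. */
static uint64_t sign_whole_request(const unsigned char *req, size_t len) {
    return token_sign(req, len);
}

int main(void) {
    static const unsigned char req[] = "constructed request bytes";
    size_t n = sizeof req - 1;
    printf("pre-digested:  %d\n", verify_request(req, n, sign_predigested(req, n)));
    printf("whole request: %d\n", verify_request(req, n, sign_whole_request(req, n)));
    return 0;
}
```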
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
I tested this with openssl 1.0.0. Error 34 is gone now but now error 47 shows up which shows the name constraint is being applied. However, it's being applied or verified in a way that I don't understand.

To show you I have simplified the test. Generating only one end certificate and specifying one very simple name constraint. The name constraint is chosen in a way to eliminate any guesswork and unspecified matching requirements.

Here is some relevant output. The test scripts are attached.

Command output:

    $ ./testnameconst.sh 2>/dev/null
    OpenSSL 1.0.0a 1 Jun 2010
    error 47 at 0 depth lookup:permitted subtree violation
    ERROR: Good cert should have been verified but it didn't

End entity (Good) cert:

    Version: 3 (0x2)
    Serial Number: 17 (0x11)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, CN=SUB CA
    Subject: O=good, CN=Good
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Client Authentication

subCA cert:

    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Root CA, C=US
    Validity
        Not Before: Jun 5 03:10:07 2010 GMT
        Not After : Jun 5 03:10:07 2011 GMT
    Subject: C=US, ST=NY, O=SubCa, CN=SubCA
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Name Constraints: critical
            Permitted:
              DirName: CN = Good, O = good

This email contains Morega Systems Inc. Privileged and Confidential information.

# OpenSSL configuration file for NameConstraint Test
#
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
new_certs_dir = $dir/
crl_dir = $dir/
database = $dir/index
certificate = $dir/rootcacert.pem
serial = $dir/serial
private_key = $dir/rootcakey.pem
RANDFILE = $dir/.rand
x509_extensions = cert_ext
unique_subject = no
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 365
default_md = sha1
preserve = no
policy = policy_default
email_in_dn = no
msie_hack = no
copy_extensions = none

[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = ./rootcakey.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_distinguished_name
string_mask = nombstr

[ root_ca_distinguished_name ]
commonName = Root CA
countryName = US

[ cert_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = critical,CA:FALSE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage=clientAuth

[ root_ca_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE

[ trusted_ca_ext ]
# Extensions for the Sub CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE,pathlen:0
nameConstraints = critical,@name_const_section

[ name_const_section ]
#excluded;dirName=excluded_trust_ca_DN
permitted;dirName=permitted_trust_ca_DN

[ excluded_trust_ca_DN ]
O=bad

[ permitted_trust_ca_DN ]
CN=Good
O=good

# OpenSSL configuration file for NameConstraint Test
#
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ ca ]
default_ca = SUBCA_default

[ SUBCA_default ]
dir = .
new_certs_dir = $dir/
crl_dir = $dir/
database = $dir/subcaindex
certificate = $dir/subcacert.pem
serial = $dir/subcaserial
private_key = $dir/subcakey.pem
RANDFILE = $dir/.rand
x509_extensions = cert_ext
unique_subject = no
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 30
default_days = 365
default_md = sha1
preserve = no
policy = policy_default
email_in_dn = no
msie_hack = no
copy_extensions = none

[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = ./subcakey.pem
default_md = sha1
prompt
Re: NameConstraints are not being applied (or I don't know how to enforce them?)
I did a little debugging and managed to fix it on my end. The issue is now resolved. There's nothing wrong with OpenSSL 1.0.0's handling of nameConstraints. It just Rocks!

For those who might run into the same problem I'll explain more. Debugging revealed the problem to be in the following area:

    Breakpoint 2, nc_dn (nm=0x8269a98, base=0x8268b38) at v3_ncons.c:378
    378     {
    (gdb) p nm->canon_enc
    $5 = (unsigned char *) 0x826a590 1\r0\v\006\003U\004\n\f\004good1\r0\v\006\003U\004\003\f\004good
    (gdb) p base->canon_enc
    $6 = (unsigned char *) 0x826aab0 1\r0\v\006\003U\004\003\f\004good1\r0\v\006\003U\004\n\f\004good
    (gdb) n
    386         if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
    (gdb) n
    387             return X509_V_ERR_PERMITTED_VIOLATION;
    (gdb)

The above shows that the provided DN and the allowed one seem out of order. Look at $5 and $6. So I took another look at the target cert and the nameConstraint in the signing cert:

    X509v3 Name Constraints: critical
        Permitted:
          DirName: CN = Good, O = good

    Subject: O=good, CN=Good

Look how the order of CN and O are transposed in these entries. Now whether that is legitimate or not it remains. Regardless, as soon as I fixed my nameConstraint to:

    [ permitted_trust_ca_DN ]
    O=good
    CN=Good

The problem went away.

I revised my script to have a good test case and a failed one. The latest are attached for those who may benefit from this.

Thanks to Victor Duchovni and Dr. Stephen Henson for providing guidance and help.

jeff

On Sat, 2010-06-05 at 20:27 -0400, jeff wrote:

> I tested this with openssl 1.0.0. Error 34 is gone now but now error 47 shows up which shows the name constraint is being applied. However, it's being applied or verified in a way that I don't understand.
>
> To show you I have simplified the test. Generating only one end certificate and specifying one very simple name constraint. The name constraint is chosen in a way to eliminate any guesswork and unspecified matching requirements.
>
> Here is some relevant output. The test scripts are attached.
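The ordering mismatch jeff found in the message above, as an added C model that is not OpenSSL's own code: it rebuilds the byte layout shown in the gdb dump for each DN and applies the same prefix `memcmp` that failed at v3_ncons.c:386. `struct rdn`, `canon_encode` and `dn_permitted` are hypothetical names, the encoder handles only CN and O with short values and lower-casing, and the last case (a base of just O=good) goes beyond the thread to show that any leading run of RDNs is accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct rdn { unsigned char arc; const char *value; };   /* attribute OID 2.5.4.<arc> */
enum { ARC_CN = 3, ARC_O = 10 };

/* One SET{SEQUENCE{OID, UTF8String}} per RDN with the value lower-cased, the
 * byte layout gdb printed for canon_enc. Returns the length, 0 on error. */
static size_t canon_encode(const struct rdn *dn, size_t n,
                           unsigned char *out, size_t cap) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t vlen = strlen(dn[i].value);
        if (vlen > 118 || off + 11 + vlen > cap)         /* short-form lengths only */
            return 0;
        const unsigned char hdr[11] = {
            0x31, (unsigned char)(vlen + 9), 0x30, (unsigned char)(vlen + 7),
            0x06, 0x03, 0x55, 0x04, dn[i].arc, 0x0c, (unsigned char)vlen };
        memcpy(out + off, hdr, sizeof hdr);
        off += sizeof hdr;
        for (size_t j = 0; j < vlen; j++)
            out[off++] = (unsigned char)tolower((unsigned char)dn[i].value[j]);
    }
    return off;
}

/* Model of the check at v3_ncons.c:386: the permitted base must be a
 * byte-for-byte prefix of the subject encoding. Encoding errors reject. */
static int dn_permitted(const struct rdn *subj, size_t ns,
                        const struct rdn *base, size_t nb) {
    unsigned char s[256], b[256];
    size_t slen = canon_encode(subj, ns, s, sizeof s);
    size_t blen = canon_encode(base, nb, b, sizeof b);
    return slen && blen && blen <= slen && memcmp(b, s, blen) == 0;
}

static const struct rdn subject[]   = { { ARC_O, "good" }, { ARC_CN, "Good" } };
static const struct rdn original[]  = { { ARC_CN, "Good" }, { ARC_O, "good" } };
static const struct rdn corrected[] = { { ARC_O, "good" }, { ARC_CN, "Good" } };
static const struct rdn org_only[]  = { { ARC_O, "good" } };

int main(void) {
    printf("CN,O base: %d\n", dn_permitted(subject, 2, original, 2));
    printf("O,CN base: %d\n", dn_permitted(subject, 2, corrected, 2));
    printf("O base:    %d\n", dn_permitted(subject, 2, org_only, 1));
    return 0;
}
```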