openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Lunar Mushrooms
I am trying to verify the signature of a sample downloaded from NIST. But
I am getting the following output:

retval=0 err='error:0407006A:lib(4):func(112):reason(106)'

When I collected the detailed description I found:

openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

The signature verification is expected to pass as per the data input I have
provided. Something might be wrong in my code. Any help is appreciated.

The data and the example code that I used is in
http://stackoverflow.com/q/10927586/986020

thanks for help


Re: openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Lunar Mushrooms
Here is the vector and code that is provided in the link:

/*
VECTOR SOURCE: csrc.nist.gov/groups/STM/cavp/documents/dss/RSAVS.pdf
B.1.3 SigVerRSA.req., it's Result = P as per B.3.3 SigVerRSA.rsp

# CAVS 3.2
# SigVer RSA (X9.31) information for testshas
# Mod sizes selected: 1024 1536
# SHA Algorithm selected:SHA1 SHA256 SHA384 SHA512
# Generated on Wed Apr 28 08:35:11 2004
[mod = 1024]
n =
9ec4d483330916b69eee4e9b7614eafc4fbf60e74b5127a3ff5bd9d48c7ecf8418d94d1e60388bb68546f8bc92deb1974b9def6748fbb4ec93029ea8b7bea36f61c5c6aeedfd512a0f765846fad5edacb08c3d75cf1d43b48b394c94323c3f3e9ba6612f93fe2900134217433afb088b5ca33fc4e6b270194df077d2b6592743
SHAAlg = SHA1
e = 
0003
Msg =
b915e774b083e8cec80929cfbc89d87bd046f65cb43e5e78acba0380ee23794a4b17b78112bc1b9c3254ae0c9e12aabaf62c39b063328016c39edc6106ac6bc7d76ccff67f152e05079c7dab9d85ffaf3afa089f811a07c5e993c3571e73e5eea53bb739bf352bf391081f12818adf42e3d5ec91d59dfc6c67c141ca001feea7
S =
1c886e8041a0bfa57320c2033ac37eb2f8d8a96d42f3187b0f9164f37a0ce270ba35602a1e27c96fb6e2fdcfb25b00da1cceeb146f6a3320de97594d6de8664d3055142d408fc28c47dd380847d92450fad37535d366aabced070cc1fff6a6e023e2ce64e9e1914e82f384688c63beada87dd0ab7117b5d4c1129e39b40d2440
*/


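#include <stdio.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

/* Written against the OpenSSL 0.9.8/1.0.x API, where RSA, EVP_PKEY and
   EVP_MD_CTX are public structs that can be declared and filled in directly. */
int verfiysignature (void)
{
    int retval;
    EVP_PKEY    pkey;
    EVP_MD_CTX  ctx;
    RSA *rsa;
    char        testbuffer[512];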

unsigned char testN[128] =
{0x9e,0xc4,0xd4,0x83,0x33,0x09,0x16,0xb6,0x9e,0xee,0x4e,0x9b,0x76,0x14,0xea,0xfc,0x4f,0xbf,0x60,0xe7,0x4b,0x51,0x27,0xa3,0xff,0x5b,0xd9,0xd4,0x8c,0x7e,0xcf,0x84,0x18,0xd9,0x4d,0x1e,0x60,0x38,0x8b,0xb6,0x85,0x46,0xf8,0xbc,0x92,0xde,0xb1,0x97,0x4b,0x9d,0xef,0x67,0x48,0xfb,0xb4,0xec,0x93,0x02,0x9e,0xa8,0xb7,0xbe,0xa3,0x6f,0x61,0xc5,0xc6,0xae,0xed,0xfd,0x51,0x2a,0x0f,0x76,0x58,0x46,0xfa,0xd5,0xed,0xac,0xb0,0x8c,0x3d,0x75,0xcf,0x1d,0x43,0xb4,0x8b,0x39,0x4c,0x94,0x32,0x3c,0x3f,0x3e,0x9b,0xa6,0x61,0x2f,0x93,0xfe,0x29,0x00,0x13,0x42,0x17,0x43,0x3a,0xfb,0x08,0x8b,0x5c,0xa3,0x3f,0xc4,0xe6,0xb2,0x70,0x19,0x4d,0xf0,0x77,0xd2,0xb6,0x59,0x27,0x43};

unsigned char testE[1] = {0x03};


unsigned char testMsg[128] =
{0xb9,0x15,0xe7,0x74,0xb0,0x83,0xe8,0xce,0xc8,0x09,0x29,0xcf,0xbc,0x89,0xd8,0x7b,0xd0,0x46,0xf6,0x5c,0xb4,0x3e,0x5e,0x78,0xac,0xba,0x03,0x80,0xee,0x23,0x79,0x4a,0x4b,0x17,0xb7,0x81,0x12,0xbc,0x1b,0x9c,0x32,0x54,0xae,0x0c,0x9e,0x12,0xaa,0xba,0xf6,0x2c,0x39,0xb0,0x63,0x32,0x80,0x16,0xc3,0x9e,0xdc,0x61,0x06,0xac,0x6b,0xc7,0xd7,0x6c,0xcf,0xf6,0x7f,0x15,0x2e,0x05,0x07,0x9c,0x7d,0xab,0x9d,0x85,0xff,0xaf,0x3a,0xfa,0x08,0x9f,0x81,0x1a,0x07,0xc5,0xe9,0x93,0xc3,0x57,0x1e,0x73,0xe5,0xee,0xa5,0x3b,0xb7,0x39,0xbf,0x35,0x2b,0xf3,0x91,0x08,0x1f,0x12,0x81,0x8a,0xdf,0x42,0xe3,0xd5,0xec,0x91,0xd5,0x9d,0xfc,0x6c,0x67,0xc1,0x41,0xca,0x00,0x1f,0xee,0xa7};

unsigned char testSig[128] =
{0x1c,0x88,0x6e,0x80,0x41,0xa0,0xbf,0xa5,0x73,0x20,0xc2,0x03,0x3a,0xc3,0x7e,0xb2,0xf8,0xd8,0xa9,0x6d,0x42,0xf3,0x18,0x7b,0x0f,0x91,0x64,0xf3,0x7a,0x0c,0xe2,0x70,0xba,0x35,0x60,0x2a,0x1e,0x27,0xc9,0x6f,0xb6,0xe2,0xfd,0xcf,0xb2,0x5b,0x00,0xda,0x1c,0xce,0xeb,0x14,0x6f,0x6a,0x33,0x20,0xde,0x97,0x59,0x4d,0x6d,0xe8,0x66,0x4d,0x30,0x55,0x14,0x2d,0x40,0x8f,0xc2,0x8c,0x47,0xdd,0x38,0x08,0x47,0xd9,0x24,0x50,0xfa,0xd3,0x75,0x35,0xd3,0x66,0xaa,0xbc,0xed,0x07,0x0c,0xc1,0xff,0xf6,0xa6,0xe0,0x23,0xe2,0xce,0x64,0xe9,0xe1,0x91,0x4e,0x82,0xf3,0x84,0x68,0x8c,0x63,0xbe,0xad,0xa8,0x7d,0xd0,0xab,0x71,0x17,0xb5,0xd4,0xc1,0x12,0x9e,0x39,0xb4,0x0d,0x24,0x40};

    /* public key only: modulus and exponent from the vector */
    rsa = RSA_new();
    rsa->n  =   BN_bin2bn(testN, 128, rsa->n);
    rsa->e  =   BN_bin2bn(testE, 1, rsa->e);
    rsa->d  =   0;
    rsa->p  =   0;
    rsa->q  =   0;

    pkey.type = EVP_PKEY_RSA;
    pkey.pkey.rsa = rsa;
    EVP_MD_CTX_init (&ctx);
    /* ask for X9.31 padding, matching the NIST vector */
    ctx.flags |= EVP_MD_CTX_FLAG_PAD_X931;

    if (EVP_VerifyInit_ex (&ctx, EVP_sha1(), NULL))
    {
        if (EVP_VerifyUpdate (&ctx, testMsg, 128))
        {
            retval = EVP_VerifyFinal (&ctx, testSig, 128, &pkey);
            memset(testbuffer,0,sizeof(testbuffer));
            printf("retval=%d err='%s'", retval,
                   ERR_error_string(ERR_get_error(), testbuffer));
        }
        else
        {
            retval = -1;
        }
    }
    else
    {
        retval = -1;
    }

    EVP_MD_CTX_cleanup (&ctx);
    RSA_free (rsa);
    return retval;
}



On Thu, Jun 7, 2012 at 1:58 PM, Lunar Mushrooms
<lunar.mushro...@gmail.com> wrote:

> I am trying to verify the signature of a sample downloaded from NIST. But
> I am getting the following output:
>
> retval=0 err='error:0407006A:lib(4):func(112):reason(106)'
>
> When I collected the detailed description I found:
>
> openssl errstr 0407006A
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
>
> The signature verification is expected to pass as per the data input I

Re: openssl Signature Verification Failure : “RSA_padding_check_PKCS1_type_1:block type is not 01”

2012-06-07 Thread Ken Goldman

I typically divide the problem in two.

Do a raw public key operation.  If you see something that looks random, 
then the public key doesn't match the private key used to generate the 
signature, or either the public key or signature has been altered.  If 
it looks like padding + OID + hash, then either the padding or digest 
you expect is wrong.


On 6/7/2012 4:28 AM, Lunar Mushrooms wrote:

> I am trying to verify the signature of a sample downloaded from NIST.
> But I am getting the following output:
>
> retval=0 err='error:0407006A:lib(4):func(112):reason(106)'
>
> When I collected the detailed description I found:
>
> openssl errstr 0407006A
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
>
> The signature verification is expected to pass as per the data input I
> have provided. Something might be wrong in my code. Any help is appreciated.
>
> The data and the example code that I used is in
> http://stackoverflow.com/q/10927586/986020
>
> thanks for help

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
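
The two-step check described in the reply above, as an added example (not code from the thread): it performs the raw public-key operation s^e mod n and reports whether the recovered block is laid out as PKCS#1 v1.5 type 1 (00 01 FF … 00 DigestInfo), as X9.31 (6B BB … BA, hash, hash id, CC), or as neither. The function names are illustrative; N_HEX, S_HEX and e = 3 are the vector quoted earlier in the thread.

```python
# Added example: raw RSA public operation plus padding-layout check.
# Names (raw_public_op, classify, inspect_thread_vector) are illustrative.
# X9.31 trailer: one hash-identifier byte followed by 0xCC.
X931_HASH_IDS = {0x33: "sha1", 0x34: "sha256", 0x35: "sha512", 0x36: "sha384"}

def raw_public_op(sig: bytes, n: int, e: int) -> int:
    """s^e mod n with no padding check at all."""
    return pow(int.from_bytes(sig, "big"), e, n)

def classify(t: int, n: int):
    """Return (layout, payload) for the integer t recovered from a signature."""
    k = (n.bit_length() + 7) // 8
    # X9.31 signers may emit n - s, so the padded block is either t or n - t.
    for cand in (t, n - t):
        b = cand.to_bytes(k, "big")
        if b[0] == 0x6B and b[-1] == 0xCC and b[-2] in X931_HASH_IDS:
            i = 1
            while i < k and b[i] == 0xBB:
                i += 1
            if i < k and b[i] == 0xBA:
                return "x9.31/" + X931_HASH_IDS[b[-2]], b[i + 1:-2]  # bare hash
    b = t.to_bytes(k, "big")
    i = b.find(b"\x00", 2)
    if b[:2] == b"\x00\x01" and i >= 10 and set(b[2:i]) == {0xFF}:
        return "pkcs1-v1.5", b[i + 1:]   # DigestInfo: OID + hash
    return "unrecognised", b             # random-looking: key/signature mismatch

# n and S as quoted in the thread's NIST vector; e = 3.
N_HEX = "9ec4d483330916b69eee4e9b7614eafc4fbf60e74b5127a3ff5bd9d48c7ecf8418d94d1e60388bb68546f8bc92deb1974b9def6748fbb4ec93029ea8b7bea36f61c5c6aeedfd512a0f765846fad5edacb08c3d75cf1d43b48b394c94323c3f3e9ba6612f93fe2900134217433afb088b5ca33fc4e6b270194df077d2b6592743"
S_HEX = "1c886e8041a0bfa57320c2033ac37eb2f8d8a96d42f3187b0f9164f37a0ce270ba35602a1e27c96fb6e2fdcfb25b00da1cceeb146f6a3320de97594d6de8664d3055142d408fc28c47dd380847d92450fad37535d366aabced070cc1fff6a6e023e2ce64e9e1914e82f384688c63beada87dd0ab7117b5d4c1129e39b40d2440"

def inspect_thread_vector():
    """Run both steps on the thread's vector; returns (layout, payload hex)."""
    n = int(N_HEX, 16)
    layout, payload = classify(raw_public_op(bytes.fromhex(S_HEX), n, 3), n)
    return layout, payload.hex()

if __name__ == "__main__":
    print(inspect_thread_vector())
```

When the layout is recognised, the payload can be compared with the digest of the message to finish the check by hand.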


Openssl signature verification of CKM_ECDSA_SHA1 from Safenet HSM fails.

2011-05-11 Thread grant murphy
Hi,

I am trying to use OpenSSL to independently verify a CKM_ECDSA_SHA1
signature produced by a Safenet protect gold HSM.  The signature
verification fails with the error below, however using the HSM ctbrowse tool I can
verify the signature being produced. Can anybody out there help me interpret
what I'm getting back from the SafeNet device? Or any suggestions how I can
validate it using OpenSSL without having a dependency on the HSM /
libcryptoki etc?

This is the error I am getting:
gm@dev:~/hsm/help$ ./a.out
Signature verification: ERROR - error:0D07207B:asn1 encoding
routines:ASN1_get_object:header too long

dumpasn1 doesn't seem to recognize the structure either:
gm@dev:~/hsm/help$ dumpasn1 sig.dat
Error: Invalid data encountered at position 2: E4 99.

Hexdump of data:
0d0e0a0d0b0e0e0f

Hexdump of signature (tool was run against raw format):
e49938467bef558e63b25d8460ef753c51dfa3d277beecaeffb23f6c23deb6913de34391990c6150dea05472c91156026898477118b872ec2b26aa326799049c

Demo verification source code:
http://pastebin.com/PybRp0jq

Certificate:

OpenSSL versions I've tried:
OpenSSL 0.9.8g 19 Oct 2007,
OpenSSL 0.9.8o 01 Jun 2010

Platforms tested:
Debian, Ubuntu,  Windows.

Many thanks,
Grant.


RE: Openssl signature verification

2009-02-01 Thread Ajeet kumar.S

Dear All,
 Thank you Dave Thompson for your help and clarifying my doubt. 

Thank you.

Regards,

--Ajeet  Kumar  Singh

 

Sarve Bhavantu Sukhina ,Sarve Santu NiramayaSarve Bhadrani Pashyantu , Maa
Kaschit Dukha Bhagh Bhavet 

 


RE: Openssl signature verification

2009-01-30 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Ajeet kumar.S
> Sent: Friday, 30 January, 2009 00:07

> In openssl API X509_verify(X509 *a, EVP_PKEY *r) is used to verify
> the signature of certificate. I have some doubt please help me.
> Is in this API we are passing the CA certificate and public key of CA
> certificate?

We pass any cert and the key we believe (are told) will verify it.
CA root certs are self-signed; the key _in_ the cert is used to sign it,
or to be precise the keypair whose public half is in the cert is used.
As a result you can't trust a root cert simply because the signature verifies;
you must have other evidence this is the/a valid root cert from/for a given CA,
such as a trusted distribution or manually-checked fingerprint.
Lower-level CA certs (if any) and end-entity certs are signed by a parent cert,
or to be precise by a keypair whose public half is certified by the parent cert.

If you instead use X509_verify_cert, it tries several methods to find
and verify the whole cert chain (from a root) by looking in (data from)
a configurable file and/or (hashed) entries in a configurable directory.
If you want to do this job or part(s) of it yourself, you can look at that
for an example, but it's pretty complicated.

> What is data over SSL compute the HASH?

The DER-encoded CertificateInfo portion of the cert, which is the first
element in the outermost SEQUENCE and contains version, serial, copy of
sig-algid, issuer name, subject name, publickey, validity period, and
for v3 optional extensions such as keyusage, subjectaltname, keyids, etc.
This is everything in the cert except the appended algid and signature,
and is indented under Data: in the display from openssl x509 -text .

> SSL will decrypt the CA signature (Which is on CA certificate bundle)?
> Decrypted CA Signature will match to above HASH.(query 2)?

For RSA signatures this is approximately true.  You actually raise the
signature value to the public exponent (like RSA encryption) rather than
the private exponent (as for RSA decryption), and the (standard) padding
is different for sign/verify than for encrypt/decrypt.

For DSA signatures this is not true at all. There is no corresponding
encryption or decryption; there is simply a signing algorithm and a
verifying algorithm. You apply the verifying algorithm to determine
if the received signature is correct for the (recomputed) hash.

You separately asked
> In Openssl for signature verification we are using API ASN1_item_verify().
> Let me know the data which is used for finger print (signature) creation
> is the CA public key or some thing else data .
> Please clarify this doubt. How we are verifying the signature?

If you mean in crypto/x509/x_all.c X509_verify(), we are verifying
the signature in the cert, of the data in the cert, using the key.
No fingerprint is involved. This only applies to X509 certs; the
verification of signatures on other things is similar but not identical.

Fingerprints can be used in lots of situations and ways. _PKI_ fingerprints
can meaningfully be computed on either the whole CertificateInfo
thus verifying all the attributes directly, or just on the publickey
since that is enough to verify the signature. But a fingerprint is not
a signature; it does not itself have any cryptographic protection.
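
What gets hashed, as an added example (not OpenSSL's code and not part of the original message): a minimal DER reader that splits a certificate into the three top-level elements described above and digests the first one, header bytes included. The function names are illustrative, and it handles only the definite-length, single-byte-tag encodings used at a certificate's top level.

```python
import hashlib

def read_tlv(buf: bytes, off: int = 0):
    """Parse one DER header at off; return (tag, header_len, content_len)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return tag, 2, first
    nlen = first & 0x7F                    # long form: next nlen bytes hold the length
    if nlen == 0 or nlen > 4 or off + 2 + nlen > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, 2 + nlen, int.from_bytes(buf[off + 2:off + 2 + nlen], "big")

def split_certificate(der: bytes):
    """Return (signed_part, sig_alg, signature) from a DER-encoded certificate."""
    tag, hl, cl = read_tlv(der)
    if tag != 0x30 or hl + cl != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts, off = [], hl
    while off < len(der):
        t, h, c = read_tlv(der, off)
        if off + h + c > len(der):
            raise ValueError("element overruns buffer")
        # keep the tag, the full encoding (header + content) and the content alone
        parts.append((t, der[off:off + h + c], der[off + h:off + h + c]))
        off += h + c
    if [p[0] for p in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE, SEQUENCE, BIT STRING")
    bitstr = parts[2][2]
    if not bitstr or bitstr[0] != 0:       # first content byte = unused-bit count
        raise ValueError("signature BIT STRING has unused bits")
    return parts[0][1], parts[1][1], bitstr[1:]

def signed_digest(der: bytes, hash_name: str = "sha1") -> bytes:
    """Digest a verifier recomputes: over the raw first element only."""
    signed_part, _, _ = split_certificate(der)
    return hashlib.new(hash_name, signed_part).digest()
```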





Openssl signature verification

2009-01-29 Thread Ajeet kumar.S
Dear All, 

In openssl  API  X509_verify(X509 *a, EVP_PKEY *r) is used to verify the
signature of certificate. I have some doubt please help me.

1.  Is in this API we are passing the CA certificate and public key of
CA certificate?
2.  What is  data over SSL compute the HASH?
3.  SSL will decrypt the CA signature (Which is on CA certificate
bundle)? 
4.  Decrypted CA Signature will match to above HASH.(query 2)?

 

Please tell me.

 

Thank you.

Regards,

--Ajeet  Kumar  Singh