Hallo all

I have a small problem at the moment where I have to sign certificates.  I have both
the CA certificate and the CA private key loaded as cacert and cakey
respectively.  Here is the part of the code where I suspect
things break.

/*
 * Variables to be used:
 * X509 *cacert; // contains CA certificate.
 * EVP_PKEY *cakey; // contains CA private key.
 */
    /* Build a user certificate issued by cacert and sign it with cakey.
     * This is an excerpt of a larger function: res, pkey, email, uname, the
     * ERROR_* codes, USRCERTVERSION, TRIALPERIOD and USR_DGST() are all
     * defined outside it. Every early return below leaves usrcert (and,
     * once allocated, subject) unfreed, so each error path leaks them. */
    X509 *usrcert = X509_new();
    if(!usrcert)
    {
        log_ssl_errors("X509_new");
        return ERROR_NULL;
    }

    /* X509 versions are zero-based (0 = v1, 2 = v3). The printed certificate
     * shows "Version: 1 (0x0)", so USRCERTVERSION evaluates to 0 here. */
    if(!X509_set_version(usrcert,USRCERTVERSION))
    {
        log_ssl_errors("X509_set_version");   /* usrcert leaks on this path */
        return ERROR_SSL;
    }

    /* Issuer = the CA's subject name. */
    if(!X509_set_issuer_name(usrcert,X509_get_subject_name(cacert)))
    {
        log_ssl_errors("X509_set_issuer_name/X509_get_subject_name");   /* usrcert leaks */
        return ERROR_SSL;
    }

    /* NOTE(review): no X509_set_serialNumber() call in this excerpt, which
     * matches "Serial Number: 0 (0x0)" in the dump. RFC 5280 requires a
     * positive serial that is unique per issuing CA; confirm it is set
     * elsewhere or set it here. */

    /* Validity: notBefore = now, notAfter = now + TRIALPERIOD days.
     * The return values of X509_gmtime_adj are not checked. */
    X509_gmtime_adj(X509_get_notBefore(usrcert),0);
    X509_gmtime_adj(X509_get_notAfter(usrcert),(long)60*60*24*TRIALPERIOD);

    X509_NAME *subject = X509_NAME_new();
    if(!subject)
    {
        log_ssl_errors("X509_NAME_new");   /* usrcert leaks on this path */
        return ERROR_NULL;
    }

    /* Subject = emailAddress + commonName, both taken as ASCII strings of
     * length strlen() (the -1 len argument); the -1/0 loc/set arguments
     * append each entry as a new RDN. */
    if(

!X509_NAME_add_entry_by_NID(subject,NID_pkcs9_emailAddress,MBSTRING_ASC,(uns
igned char*)email,-1,-1,0) ||

!X509_NAME_add_entry_by_NID(subject,NID_commonName,MBSTRING_ASC,(unsigned
char*)uname,-1,-1,0)
      )
    {
        log_ssl_errors("X509_NAME_add_entry_by_NID");   /* usrcert and subject leak */
        return ERROR_SSL;
    }

    /* X509_set_subject_name stores a copy of subject, so freeing the local
     * name right after a successful call is correct. */
    if(!X509_set_subject_name(usrcert,subject))
    {
        log_ssl_errors("X509_set_subject_name");   /* usrcert and subject leak */
        return ERROR_SSL;
    }
    X509_NAME_free(subject);

    /* Subject public key = pkey (the user's key pair, defined elsewhere). */
    if(!X509_set_pubkey(usrcert,pkey))
    {
        log_ssl_errors("X509_set_pubkey");   /* usrcert leaks on this path */
        return ERROR_SSL;
    }

    /* X509_sign returns the signature length in bytes, 0 on failure; the
     * 128 reported by the author is the 1024-bit RSA modulus size, so
     * signing itself succeeded. No check on res is visible in this excerpt.
     * NOTE(review): a "bad signature" from RSA_verify after a successful
     * X509_sign is consistent with the public key in the cacert.pem given to
     * `openssl verify` not matching cakey — confirm the CA key pair matches
     * before looking elsewhere. */
    EVP_MD *dgst = USR_DGST();
    res = X509_sign(usrcert,cakey,dgst);

 /*
 * res now equals 128 — the size in bytes of the 1024-bit RSA key, i.e. the signature length.
 */

I then go ahead and dump the certificate using X509_print and get
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel, OU=BackupServer,
[EMAIL PROTECTED]
        Validity
            Not Before: Jan 22 19:20:46 2003 GMT
            Not After : Feb 21 19:20:46 2003 GMT
        Subject: [EMAIL PROTECTED], CN=6feffc9edd8be3e8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b9:d5:be:8b:1e:f2:9e:6c:4b:88:5a:84:23:c5:
                    ec:3e:be:7c:97:1d:e4:c1:f8:c4:45:b5:a6:1e:45:
                    b9:57:d2:84:36:21:ec:53:35:94:65:18:c9:f8:f5:
                    ef:da:10:c1:25:14:04:fa:14:77:83:a7:8b:79:ac:
                    d2:c7:51:f2:6f:8e:83:19:ba:20:8d:ed:96:24:fd:
                    ad:e9:9c:68:78:92:76:64:c0:b9:54:08:2c:5c:6a:
                    d0:70:15:75:4c:57:b6:9e:f9:68:b1:44:8e:2a:16:
                    2e:90:85:73:63:30:43:21:28:f2:46:5d:f7:40:d5:
                    8a:a5:72:a2:00:0d:f9:7c:d7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        4c:7b:eb:10:3b:70:7f:d6:96:67:96:2d:55:e6:ce:ab:48:ee:
        cc:28:dc:81:9e:2a:b1:80:ac:e5:bf:84:e6:71:b7:56:dd:39:
        41:2b:1d:fb:dc:8e:16:85:2a:f0:f7:96:6f:b1:c9:69:38:bc:
        46:2e:13:cc:28:5e:95:72:81:81:f7:83:97:80:98:96:35:73:
        c7:4e:3b:48:b9:99:60:ae:c8:8f:4f:57:74:73:fb:09:0c:19:
        c5:00:37:71:40:1f:cb:2c:3e:11:c5:c8:88:a5:53:f7:d6:61:
        e2:f6:76:e7:3b:d8:bb:35:9d:24:21:55:bd:fe:09:81:ee:6b:
        70:bc

This is what I want.  However, when I run the command "openssl
verify -CAfile cacert.pem gencert.pem" I get the output:

error 7 at 0 depth lookup:certificate signature failure

And my own program gives more detail:

rsa routines::RSA_verify failed with error code 0x4077068 (bad signature).
asn1 encoding routines::ASN1_verify failed with error code 0xd079006 (bad
get asn1 object call).
Certificate failed.

I output the X509 certificate using PEM_write_X509(stdout,usrcert) which I
then pipe into a file.

Jaco
