On Wed, Jan 22, 2003, Jaco Kroon wrote:
> Hallo all
>
> I have a little problem atm where I have to sign certificates. I have both
> the private key, and the ca certificate loaded as cacert and cakey
> respectively. Here is the part of the code where I suspect
> things break.
>
> /*
> * Variables to be used:
> * X509 *cacert; // contains CA certificate.
> * EVP_PKEY *cakey; // contains CA private key.
> */
> X509 *usrcert = X509_new();
> if(!usrcert)
> {
> log_ssl_errors("X509_new");
> return ERROR_NULL;
> }
>
> if(!X509_set_version(usrcert,USRCERTVERSION))
> {
> log_ssl_errors("X509_set_version");
> return ERROR_SSL;
> }
>
> if(!X509_set_issuer_name(usrcert,X509_get_subject_name(cacert)))
> {
> log_ssl_errors("X509_set_issuer_name/X509_get_subject_name");
> return ERROR_SSL;
> }
>
> X509_gmtime_adj(X509_get_notBefore(usrcert),0);
> X509_gmtime_adj(X509_get_notAfter(usrcert),(long)60*60*24*TRIALPERIOD);
>
> X509_NAME *subject = X509_NAME_new();
> if(!subject)
> {
> log_ssl_errors("X509_NAME_new");
> return ERROR_NULL;
> }
>
> if(
>
> !X509_NAME_add_entry_by_NID(subject,NID_pkcs9_emailAddress,MBSTRING_ASC,(uns
> igned char*)email,-1,-1,0) ||
>
> !X509_NAME_add_entry_by_NID(subject,NID_commonName,MBSTRING_ASC,(unsigned
> char*)uname,-1,-1,0)
> )
> {
> log_ssl_errors("X509_NAME_add_entry_by_NID");
> return ERROR_SSL;
> }
>
> if(!X509_set_subject_name(usrcert,subject))
> {
> log_ssl_errors("X509_set_subject_name");
> return ERROR_SSL;
> }
> X509_NAME_free(subject);
>
> if(!X509_set_pubkey(usrcert,pkey))
> {
> log_ssl_errors("X509_set_pubkey");
> return ERROR_SSL;
> }
>
> EVP_MD *dgst = USR_DGST();
> res = X509_sign(usrcert,cakey,dgst);
>
> /*
> * res now equals 128 - the size of the private rsa key.
> */
>
> I then go ahead and dump the certificate using X509_print and get
> Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number: 0 (0x0)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=ZA, ST=Gauteng, L=Pretoria, O=InterExcel, OU=BackupServer,
> [EMAIL PROTECTED]
> Validity
> Not Before: Jan 22 19:20:46 2003 GMT
> Not After : Feb 21 19:20:46 2003 GMT
> Subject: [EMAIL PROTECTED], CN=6feffc9edd8be3e8
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:b9:d5:be:8b:1e:f2:9e:6c:4b:88:5a:84:23:c5:
> ec:3e:be:7c:97:1d:e4:c1:f8:c4:45:b5:a6:1e:45:
> b9:57:d2:84:36:21:ec:53:35:94:65:18:c9:f8:f5:
> ef:da:10:c1:25:14:04:fa:14:77:83:a7:8b:79:ac:
> d2:c7:51:f2:6f:8e:83:19:ba:20:8d:ed:96:24:fd:
> ad:e9:9c:68:78:92:76:64:c0:b9:54:08:2c:5c:6a:
> d0:70:15:75:4c:57:b6:9e:f9:68:b1:44:8e:2a:16:
> 2e:90:85:73:63:30:43:21:28:f2:46:5d:f7:40:d5:
> 8a:a5:72:a2:00:0d:f9:7c:d7
> Exponent: 65537 (0x10001)
> Signature Algorithm: sha1WithRSAEncryption
> 4c:7b:eb:10:3b:70:7f:d6:96:67:96:2d:55:e6:ce:ab:48:ee:
> cc:28:dc:81:9e:2a:b1:80:ac:e5:bf:84:e6:71:b7:56:dd:39:
> 41:2b:1d:fb:dc:8e:16:85:2a:f0:f7:96:6f:b1:c9:69:38:bc:
> 46:2e:13:cc:28:5e:95:72:81:81:f7:83:97:80:98:96:35:73:
> c7:4e:3b:48:b9:99:60:ae:c8:8f:4f:57:74:73:fb:09:0c:19:
> c5:00:37:71:40:1f:cb:2c:3e:11:c5:c8:88:a5:53:f7:d6:61:
> e2:f6:76:e7:3b:d8:bb:35:9d:24:21:55:bd:fe:09:81:ee:6b:
> 70:bc
>
> Which is what I want. Except that when I perform the command "openssl
> verify -CAfile cacert.pem gencert.pem" I get the output:
>
> error 7 at 0 depth lookup:certificate signature failure
>
> And my own program gives more detail:
>
> rsa routines::RSA_verify failed with error code 0x4077068 (bad signature).
> asn1 encoding routines::ASN1_verify failed with error code 0xd079006 (bad
> get asn1 object call).
> Certificate failed.
>
> I output the X509 certificate using PEM_write_X509(stdout,usrcert) which I
> then pipe into a file.
>
One problem is probably that you aren't setting the certificate serial number.
You will get the default of zero which will clash with the CA certificate
serial number. The issuer_name and serial number combination should be unique.
Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
