Jaco Kroon wrote:
> I don't think this is it. I managed to set up a certificate with exactly the same parameters using the openssl utility, including a serial number of 0. It verified ok. Could it be that I'm not setting it explicitly? Say I have a string containing a hex number, how would I go about converting this to a BN I can use for setting the serial number?

You can use the BN_hex2bn() and BN_to_ASN1_INTEGER() functions to set the serial number.

> Also, something else that *might* influence things is that the pkey struct is initialized from a private key using code similar to:
>
>     RSA *usrrsa;
>     // then proceed to convert the received ASN1 data to an RSA structure.
>     EVP_PKEY *pkey = EVP_PKEY_new();
>     EVP_PKEY_assign_RSA(pkey, usrrsa);
>
> then I don't use pkey again until where I assign it to the certificate. If somehow the private key becomes part of the signature but only the public key ends up in the certificate this will explain it as the hashes at the

X509_sign() signs the content of the X509 structure => the private part of the client key doesn't matter.

> time of signing and at the time of verification will differ, which will explain why I can directly after signing verify and it will verify ok, but after writing out and then verifying it gives a bad signature. If the signing code is written with great care or the X509_set_pubkey only extracts the public key, this should not be a problem. How would I go about getting only the public key?

Is it possible to show us both certificates? Which version of OpenSSL are you using? OS?

Regards,
Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
