> here is the 'openssl asn1parse ...' output of the certificate
> created by your program:
>
>     0:d=0  hl=4 l= 598 cons: SEQUENCE
>     4:d=1  hl=4 l= 447 cons: SEQUENCE
>     8:d=2  hl=2 l=   3 cons: cont [ 0 ]
>    10:d=3  hl=2 l=   1 prim: INTEGER           :00
>    13:d=2  hl=2 l=   1 prim: INTEGER           :00
>
> That's wrong (at least I think so). The default version
> (v1 == 0x0) shouldn't be encoded in the DER encoding
> (see RFC 3280 etc.). If you look at the 'asn1parse' output
> of the other certificate (created with openssl):
>
>     0:d=0  hl=4 l= 593 cons: SEQUENCE
>     4:d=1  hl=4 l= 442 cons: SEQUENCE
>     8:d=2  hl=2 l=   1 prim: INTEGER           :00
>    11:d=2  hl=2 l=  13 cons: SEQUENCE
>    13:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
>
> you see that the version number (0x0) is omitted.
> I'm not really familiar with the 0.9.6 OpenSSL ASN1 code, but could
> you try two things: a) set the version to 02 (== X509v3 certificate)
> and b) don't set the version at all.
Neither of those helped, and a version upgrade won't be needed. I managed to fix the problem.

Closely related to what the first reply implied (that a default serial number of 0 is not good) is the fact that the serial number has to be set explicitly. I suspect that what happened is something like this:

X509_new initializes the X509 structure, setting most fields (pointers mostly?) to NULL. This will indicate no serial number. I then go and add all the other fields, serial number still NULL. X509_sign then hashes all the fields except the serial number, and signs it. i2d_X509 then goes and adds the serial number (am I correct in saying that PEM_write_X509 calls i2d_X509?), changing the certificate, and indirectly the hash value, making the signature invalid.

It would be nice if this can be confirmed. If this is not the case, why is it needed to explicitly set the serial number?

Thanks a million for your help.

Jaco Kroon
www.webfountain.co.za
[EMAIL PROTECTED]
+27 72 215 2548

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
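The two points raised in this thread (the DER DEFAULT rule that makes a v1 `version` disappear from the encoding, and the serial number being part of what X509_sign hashes) can be checked without libcrypto at all. The following is an added example written for this page, not code from the thread or from OpenSSL; it is in Python rather than the OpenSSL C API so it runs stand-alone. It encodes only the first three fields of a TBSCertificate (version, serialNumber, signature) and dumps them in the same shape as `openssl asn1parse`; the helper names (`der_version`, `tbs_prefix`, `asn1parse`, `tbs_digest`) and the truncated TBSCertificate are my own simplifications, and the sha1WithRSAEncryption AlgorithmIdentifier is the standard encoding of OID 1.2.840.113549.1.1.5 with NULL parameters.

```python
# Added example (not OpenSSL code): a minimal DER encoder for the leading
# fields of an X.509 TBSCertificate plus an asn1parse-style dumper, showing
# (a) why a v1 version is omitted under DER and (b) that serialNumber sits
# inside the bytes a signer hashes.
import hashlib


def der_len(n):
    # DER length octets: short form below 0x80, else 0x80|count followed by the length bytes.
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n):
    # Non-negative INTEGER in minimal two's complement: prepend 0x00 if the top bit is set.
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


def der_version(v):
    # version [0] EXPLICIT Version DEFAULT v1 (RFC 3280 4.1). DER forbids encoding a
    # component equal to its DEFAULT, so v1 (0) yields no bytes; v3 (2) is A0 03 02 01 02.
    return b"" if v == 0 else der_tlv(0xA0, der_integer(v))


# AlgorithmIdentifier { sha1WithRSAEncryption (1.2.840.113549.1.1.5), NULL }
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")
SHA1_WITH_RSA = der_tlv(0x30, der_tlv(0x06, SHA1_RSA_OID) + b"\x05\x00")


def tbs_prefix(version, serial):
    # Assumption/simplification: only version, serialNumber and signature are encoded;
    # issuer, validity, subject and subjectPublicKeyInfo are left out for brevity.
    return der_tlv(0x30, der_version(version) + der_integer(serial) + SHA1_WITH_RSA)


TAG_NAMES = {0x02: "INTEGER", 0x05: "NULL", 0x06: "OBJECT", 0x30: "SEQUENCE"}


def asn1parse(data, depth=0, base=0):
    # Walk the TLVs and return lines shaped like 'openssl asn1parse' output.
    lines, pos = [], 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        if first < 0x80:
            length, hl = first, 2
        else:
            nb = first & 0x7F
            length, hl = int.from_bytes(data[pos + 2:pos + 2 + nb], "big"), 2 + nb
        body = data[pos + hl:pos + hl + length]
        cons = bool(tag & 0x20)
        if tag & 0xC0 == 0x80:                    # context-specific tag, e.g. [0] for version
            name = "cont [ %d ]" % (tag & 0x1F)
        else:
            name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
        if tag == 0x02:
            name += " :" + body.hex().upper()
        elif tag == 0x06 and body == SHA1_RSA_OID:
            name += " :sha1WithRSAEncryption"
        lines.append("%5d:d=%d hl=%d l=%4d %s: %s"
                     % (base + pos, depth, hl, length, "cons" if cons else "prim", name))
        if cons:
            lines.extend(asn1parse(body, depth + 1, base + pos + hl))
        pos += hl + length
    return lines


def tbs_digest(tbs):
    # A signer hashes the complete DER of the TBSCertificate, serial included, so a serial
    # that changes after signing (e.g. one filled in at encoding time) breaks the signature.
    return hashlib.sha1(tbs).hexdigest()


if __name__ == "__main__":
    for version, serial in ((0, 0), (2, 1)):
        tbs = tbs_prefix(version, serial)
        print("version=%d serial=%d sha1(tbs)=%s" % (version, serial, tbs_digest(tbs)))
        print("\n".join(asn1parse(tbs)))
```

Running it shows the v1 structure opening directly with `INTEGER :00` (the serial), exactly as in the openssl-generated certificate quoted above, while the v3 structure gets the `cont [ 0 ]` wrapper; changing only the serial changes the digest of the TBS bytes, which is the mechanism behind the signature-mismatch theory in the reply.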
