nils

>Frédéric Donnat wrote:
>
> > Hi,
> >
> > Sorry for the mistake (nothing to deal with openssl.cnf file). I was just
> > looking for ca.txt file.
> >
> > Is it normal behavior of openssl to be able to view a certificate without
> > serial number using (without any error mentioned):
> > openssl x509 -in some_cert_without_sn.pem -text
> > But to be unable to verify it using:
> > openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem
> >
> > Sample: (attached self-signed cert named pipo-bad.pem)
>
>hmm, the attached certificate has a serial number, it's 0x0
actually the attachment
http://www.mail-archive.com/openssl-users@openssl.org/msg41447/pipo-bad.pem
does not have a serial number; that field has a length of zero:

    0:d=0  hl=4 l= 546 cons: SEQUENCE
    4:d=1  hl=4 l= 395 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   0 prim: INTEGER           :00
   15:d=2  hl=2 l=  13 cons: SEQUENCE
   17:d=3  hl=2 l=   9 prim: OBJECT            :md5WithRSAEncryption

similar to the certificate I posted in the "signature failure when
certificate contains no serial number (ie, not one that equals zero)?"
thread:

arch [apps]$ cat /tmp/no_serial.pem
-----BEGIN CERTIFICATE-----
MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe
Fw0wNDA3MjIxNzU3MTlaFw0xMzAxMjMxNTIxMzVaMA8xDTALBgNVBAMTBHRlc3Qw
XDANBgkqhkiG9w0BAQEFAANLADBIAkEAsUDN7wFJBTJC+/BtbDzomHvDA6xMAxpx
zy4pDdkKBH0Key8yCxJ8dH1c8vNwaRfC5QgMZDxBY+o2n2DvrGrL+QIDAQABMA0G
CSqGSIb3DQEBBQUAA0EAiWk2QM5lxijnjQE/D/tsoWf0LZvPIuPC7laTUFUrAIKr
JbkAQ9rrf33pf+7JIhiJIgFxVVgOv2PXYKPWC7duUA==
-----END CERTIFICATE-----

    0:d=0  hl=4 l= 267 cons: SEQUENCE
    4:d=1  hl=3 l= 182 cons: SEQUENCE
    7:d=2  hl=2 l=   3 cons: cont [ 0 ]
    9:d=3  hl=2 l=   1 prim: INTEGER           :02
   12:d=2  hl=2 l=   0 prim: INTEGER           :00
   14:d=2  hl=2 l=  13 cons: SEQUENCE
   16:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption

>
> > [EMAIL PROTECTED] simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib
> /usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem
> pipo-bad.pem
> pipo-bad.pem: /C=UK/CN=OpenSSL Group
> error 7 at 0 depth lookup:certificate signature failure
> 18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
> 18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
> lib:a_verify.c:168:
>
>well the signature really seems to be wrong. How did you create
>the certificate ?
as to how I generated the certificate with no serial number, I simply
commented out the code and ran "./openssl req" without specifying
"-set_serial":

arch [apps]$ diff -u req.c.BAK req.c
--- req.c.BAK	2007-12-29 12:26:41.000000000 -0800
+++ req.c	2007-12-29 12:39:11.000000000 -0800
@@ -937,16 +937,18 @@
 			{
 			if (!X509_set_serialNumber(x509ss, serial)) goto end;
 			}
-		else
-			{
-			if (!rand_serial(NULL,
-				X509_get_serialNumber(x509ss)))
-					goto end;
-			}
 
 		if (!X509_set_issuer_name(x509ss,
 			X509_REQ_get_subject_name(req))) goto end;

again, this is not causing any problems for me, just curious. thanks.

>
>Cheers,
>Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
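Review bot: dropping the `else` branch that calls `rand_serial(NULL, X509_get_serialNumber(x509ss))` leaves the serial number unassigned whenever `-set_serial` is not given, and the certificate is then emitted with the zero-length `INTEGER :00` visible in the asn1parse output above; that encoding is not valid DER (an INTEGER carries at least one content octet) and RFC 5280 requires serialNumber to be a positive integer, so relying parties are entitled to reject it. If the goal is to force callers to supply a serial, the removed branch should be replaced by an explicit error (`goto end` with a message) rather than a silent fall-through that writes a malformed certificate.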
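As an added example (not code from the thread or from OpenSSL), a minimal DER walker that locates the serialNumber of a certificate and classifies it, reproducing the zero-length INTEGER that asn1parse shows above; it runs on the no_serial.pem certificate quoted in the thread and on a constructed copy of it with the serial patched to 1 (the names pem_to_der, read_tlv and serial_status are mine).

```python
import base64

# Certificate quoted in the thread (/tmp/no_serial.pem); its serialNumber is encoded as "02 00".
NO_SERIAL_PEM = """-----BEGIN CERTIFICATE-----
MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe
Fw0wNDA3MjIxNzU3MTlaFw0xMzAxMjMxNTIxMzVaMA8xDTALBgNVBAMTBHRlc3Qw
XDANBgkqhkiG9w0BAQEFAANLADBIAkEAsUDN7wFJBTJC+/BtbDzomHvDA6xMAxpx
zy4pDdkKBH0Key8yCxJ8dH1c8vNwaRfC5QgMZDxBY+o2n2DvrGrL+QIDAQABMA0G
CSqGSIb3DQEBBQUAA0EAiWk2QM5lxijnjQE/D/tsoWf0LZvPIuPC7laTUFUrAIKr
JbkAQ9rrf33pf+7JIhiJIgFxVVgOv2PXYKPWC7duUA==
-----END CERTIFICATE-----"""

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, length, value_start)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length octets follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def serial_status(der):
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber and classify it."""
    tag, _, p = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    tag2, _, p = read_tlv(der, p)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, ln, v = read_tlv(der, p)
    if tag == 0xA0:                        # optional EXPLICIT [0] version: skip it
        tag, ln, v = read_tlv(der, v + ln)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = der[v:v + ln]
    if ln == 0:
        return "missing", serial           # X.690: an INTEGER needs >= 1 content octet
    if serial[0] & 0x80:
        return "negative", serial          # RFC 5280 requires a positive serial
    if int.from_bytes(serial, "big") == 0:
        return "zero", serial
    return "ok", serial

NO_SERIAL_DER = pem_to_der(NO_SERIAL_PEM)
# Constructed variant: splice in serial 01 and grow both enclosing SEQUENCE lengths by one.
FIXED_DER = (b"\x30\x82\x01\x0c\x30\x81\xb7" + NO_SERIAL_DER[7:12]
             + b"\x02\x01\x01" + NO_SERIAL_DER[14:])
```

The patched copy still carries the original signature, so it would fail `openssl verify` for a different reason; the point of the comparison is only the serialNumber encoding.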