>       From: owner-openssl-us...@openssl.org On Behalf Of Rodrigo Canellas
>       Sent: Thursday, 16 April, 2009 15:59

>       I am trying to use 'RSA_verify' to verify a signature, but 
> I am getting the error "67567722", which is translated to: 
> "error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is
> not 01".

>       When I use 'openssl pkcs7 -in TEST_KEY.RSA -print_certs -text -noout
> -inform DER', I get:
> [ entity cert, with serial a7:01:33:46:d1:d9:e3:d0, 
> of RSA key with Exponent=0x10001 and ] Modulus (1024 bit):
>         00:8b:2d:a8:e6:e8:8f:7c:29:4e:ff:b3:28:b2:3e:
>         61:aa:ee:50:6e:2c:9a:5e:11:5d:2a:48:e9:dc:93:
>         7f:e5:74:d1:6f:6b:65:fb:0a:43:3a:69:fe:b4:64:
>         9a:bf:c3:17:2f:ca:f3:4d:92:be:9c:24:4c:0a:cd:
>         13:08:8c:a3:32:9b:b1:b1:a2:06:bb:41:b9:ce:22:
>         37:5f:0b:de:a2:0d:f7:49:cb:cd:b1:77:72:e8:ab:
>         04:2f:e7:a7:73:2d:95:d4:ae:7e:8a:7c:7c:9b:92:
>         86:83:6e:5b:46:b7:a1:bc:0f:d4:22:bf:a3:74:df:
>         75:26:6b:21:72:ec:ae:6e:9b
> [ and Signature Algorithm: sha1WithRSAEncryption and sig: ]
>         06:90:74:58:c1:fb:5a:50:fd:fe:97:26:2f:f0:4c:f1:4c:93:
>         2e:6a:86:63:ad:57:b7:8c:9c:c5:43:e9:c1:70:c9:11:68:4a:
>         18:a4:08:a7:6b:3f:2b:99:31:96:cb:53:21:7a:a3:dc:7d:02:
>         0e:c3:da:30:8e:93:3a:5a:19:af:b7:ca:8f:30:2b:e8:17:f6:
>         59:ac:3e:47:a7:8b:45:35:f5:8f:1f:ac:b6:ec:db:f2:57:21:
>         ce:79:67:a5:f4:3d:03:05:cd:65:b6:c0:7e:70:77:a2:7e:be:
>         8f:00:40:2a:51:65:a7:c5:11:82:ec:6e:b1:2b:6b:d3:2d:47:
>         6e:99
> [followed by CA cert, snipped]

>       The hash of the file that was signed by the first certificate 
> in the chain, i.e., serial "a7:01:33:46:d1:d9:e3:d0" is 
> "11 18 41 32 20 0B 73 D9 B4 6B 35 B3 CF FA B4 73 96 66 3C 8F". 
> I get this result from my program as well as from 'sha1sum'.
        
>       'RSA_verify' is called with:
>       'type' as "NID_sha1",
>       'm' as "11 18 41 32 20 0B 73 D9 B4 6B 35 B3 CF FA B4 73 96 66 3C 8F", 
>       'm_len' is "20", 
>       'sigbuf' is [the cert signature above and] 'siglen' is "128", 

I assume you mean the internal forms, not actual strings; i.e. 
m is unsigned char [20] (or more) where the first byte is 0x11 etc.

>       and 'rsa' is created like this (error checking and handling
> omitted):
>         "
>         rsa = RSA_new ();
>         rsa->n = BN_bin2bn(bufPubKeyMod, pubKeyMod.size (), 0);
>         rsa->e = BN_bin2bn(bufPubKeyExp, 3, 0);
>         "
>         where 'bufPubKeyMod' [and] 'bufPubKeyExp' [as above]
        
>       What I do not understand (and I think this is the cause of the error)
> is why the modulus of the certificate "a7:01:33:46:d1:d9:e3:d0" has 129 bytes,
> instead of 128?

It's not the cause and is normal. A (X.509) certificate and particularly 
the subjectPublicKey within it is ASN.1 encoded, and the ASN.1 encoding 
for integers whose positive magnitude is an exact multiple of 8 bits 
(which RSA moduli typically are designed to be, and this one is) 
requires a leading zero octet. (More generally, ASN.1 INTEGERs 
are two's-complement, so if there isn't room for a sign bit 
in the top magnitude octet, you need an extra sign-only octet.)
        
OpenSSL's BN doesn't need this; you could pass bin2bn either the 
129 bytes beginning 00 8b 2d or the 128 bytes beginning 8b 2d.

>       But, as I am extremely newbie to cryptography, and even more 
> to 'openssl', I am sure I am making a, well, newbie mistake.

But the real problem is the signature value you are apparently
trying to verify is the signature value IN the entity cert.
That is the signature OF the certificate contents BY the CA,
specifically by the key 'certified' by the parent=CA cert.
The first step in RSA verify is to decrypt the sig value under
the verifying key as PKCS1 format; then it is decoded and matched
to the signed value (usually as here a data hash). Decrypting with
the wrong key gives garbage which with overwhelming probability
is PKCS1-invalid, and produces the error return you got.

It should work, if you wanted to, to RSA-verify the SHA1-hash of
the body (the DER-encoded TBS) of the entity cert, to the signature
value in the entity cert, under (using) the pubkey in the CA cert
(modulus beginning 00:a9:f9).

What you say you want is to verify a signature on some data under
(the key in) the entity cert. (That is, the signature was created
using the private half of the keypair whose public half is distributed
in the cert.) Use the pubkey from the entity cert as you did,
and the signature OF THE DATA, against the hash of the claimed data.

Depending on how that signature was constructed, I suspect you need
a different id also. NID_sha1 is not normally used for signatures;
NID_sha1WithRSAEncryption is. That's a different error code though.

If the data is in the PKCS7 along with the certs (which was
actually the original purpose of that standard; using it just
to transmit certs and CRLs is degenerate, but in a good way), 
it appears the openssl commandline won't show it to you.
But the actual library functions apparently can get at it.
(I've never had a need to do that myself so can't testify.)

Also, there are other, usually more convenient, ways to get a
pubkey out of a cert, or even a pkcs7, than doing it by hand.
But that's another topic. Get the principle right first.
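As an added worked example (not part of this reply, and not OpenSSL's own code), the following Python puts the two points above into runnable form: the 129-octet modulus printed above and its 128-octet form name the same integer, so BN_bin2bn accepts either; and RSA_verify's "decrypt under the key, check the PKCS#1 type-1 block, decode and compare the hash" sequence, run once with the key that made the signature and once with a different key, the second giving the "block type is not 01" failure the poster hit. The modulus bytes are the ones from the cert above; the toy 512-bit key pairs, the prime generation, the sample data, and the function names are assumptions constructed for this demo and do not correspond to any OpenSSL API.

```python
import hashlib
import random

# Modulus exactly as the poster's 'openssl pkcs7 ... -text' output printed it (129 octets).
ENTITY_MODULUS_HEX = """
00:8b:2d:a8:e6:e8:8f:7c:29:4e:ff:b3:28:b2:3e:
61:aa:ee:50:6e:2c:9a:5e:11:5d:2a:48:e9:dc:93:
7f:e5:74:d1:6f:6b:65:fb:0a:43:3a:69:fe:b4:64:
9a:bf:c3:17:2f:ca:f3:4d:92:be:9c:24:4c:0a:cd:
13:08:8c:a3:32:9b:b1:b1:a2:06:bb:41:b9:ce:22:
37:5f:0b:de:a2:0d:f7:49:cb:cd:b1:77:72:e8:ab:
04:2f:e7:a7:73:2d:95:d4:ae:7e:8a:7c:7c:9b:92:
86:83:6e:5b:46:b7:a1:bc:0f:d4:22:bf:a3:74:df:
75:26:6b:21:72:ec:ae:6e:9b
"""
# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
E = 65537


def modulus_octet_forms():
    """The 129- and 128-octet forms of the cert modulus are the same integer."""
    raw129 = bytes.fromhex("".join(ENTITY_MODULUS_HEX.split()).replace(":", ""))
    n = int.from_bytes(raw129, "big")               # what BN_bin2bn(buf, 129, NULL) yields
    same = int.from_bytes(raw129[1:], "big") == n   # and BN_bin2bn(buf + 1, 128, NULL)
    return {"octets": len(raw129), "bits": n.bit_length(), "same_bignum": same,
            "top_bit_set": bool(raw129[1] & 0x80)}  # why DER prepends the 00 octet


def _is_probable_prime(n, rng):
    """Miller-Rabin, 32 rounds: fine for a toy key, not for real key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(32):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and low bit set
        if _is_probable_prime(c, rng):
            return c


def generate_keypair(bits=512, seed=0):
    """Deterministic toy RSA key pair (n, e, d); constructed for this demo only."""
    rng = random.Random(seed)
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:                 # E is prime, so this is the gcd check
            return p * q, E, pow(E, -1, phi)


def rsa_sign_sha1(priv, data):
    """EMSA-PKCS1-v1_5 over SHA-1(data): 00 01 FF..FF 00 DigestInfo, then em^d mod n."""
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_verify_sha1(pub, digest, sig):
    """The steps RSA_verify(NID_sha1, m, 20, sigbuf, siglen, rsa) goes through; returns (ok, reason)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False, "wrong signature length"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")  # 1. "decrypt" under the key
    if em[:2] != b"\x00\x01":                                       # 2. PKCS#1 type-1 block check
        return False, "block type is not 01"   # the poster's error: a wrong key gives garbage here
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):               # PS must be >= 8 bytes of FF
        return False, "bad padding"
    if em[sep + 1:] != SHA1_DIGESTINFO_PREFIX + digest:             # 3. decode and compare the hash
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """The signing key's public half verifies; another key (the CA's, in the mix-up above) does not."""
    entity, ca = generate_keypair(seed=1), generate_keypair(seed=2)
    data = b"constructed sample data, signed with the entity key"
    sig = rsa_sign_sha1(entity, data)
    digest = hashlib.sha1(data).digest()
    return {"right_key": rsa_verify_sha1(entity[:2], digest, sig),
            "wrong_key": rsa_verify_sha1(ca[:2], digest, sig),
            "wrong_data": rsa_verify_sha1(entity[:2], hashlib.sha1(b"other").digest(), sig)}
```

The three outcomes of demo() map onto the three ways a verification can go wrong in practice: the wrong verifying key fails already at the block-type check (the error in the question), the right key with different data passes the padding check and fails only at the hash comparison, and a signature of the wrong length is rejected before any arithmetic. modulus_octet_forms() shows the 129-versus-128 point: the leading 00 is a DER sign octet, present because the first magnitude octet 0x8b has its top bit set, and stripping it does not change the BIGNUM.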

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org