In addition to Mr Henson's answer, your CA certificate doesn't have any
keyUsage extension; depending on the toolkit it may not be considered a
valid CA.
Your countryName AVA is wrong, too. It must be only 2 characters long,
"NL" in your case.
--
Erwann ABALEA
-----
yuppie-expedition-detritus: frozen corpses of Western climbers littering Everest
among the yak coprolites
On 14/11/2012 19:16, Dirk-Willem van Gulik wrote:
On 14 nov. 2012, at 18:42, Dirk-Willem van Gulik <di...@webweaving.org> wrote:
Have a CA (created by certtool, validates in openssl as self-signed just fine)
and a server cert (created with certtool, signed with certtool) which does NOT
validate in openssl.
However the signature (when extracted with openssl's asn1parse, openssl's
rsautl and openssl's sha256) looks correct.
And it seems to be accepted by the NSS and Apple's stack,
as well as Java's native and Bouncy Castle stack. So this starts to feel a
bit like an OpenSSL bug.
Any suggestions? Not unlikely this is SHA256 specific - as that is what
triggered this.
Tried against 1.0.1c and 0.9.8q (with the latter of course not doing SHA256).
Thanks.
Dw.
$ openssl verify -CAfile ca.pem ca.pem
ca.pem: OK
$ openssl verify -CAfile ca.pem x.pem
x.pem: O = MedVision360 Test Org, CN = svc01.local
error 7 at 0 depth lookup:certificate signature failure
140735152787932:error:04091077:rsa routines:INT_RSA_VERIFY:wrong
signature length:rsa_sign.c:175:
140735152787932:error:0D0C5006:asn1 encoding
routines:ASN1_item_verify:EVP lib:a_verify.c:215:
Which errors out. Extracting the signature manually with
$ openssl asn1parse -in x.pem -out x.sig -noout -strparse 828
$ openssl x509 -in x.pem -pubkey -noout > x.rsa
$ openssl rsautl -in x.sig -verify -asn1parse -inkey x.rsa -pubin
$ openssl asn1parse -in x.pem -out x.tbs -noout -strparse 4
0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 13 cons: SEQUENCE
4:d=2 hl=2 l= 9 prim: OBJECT :sha256
15:d=2 hl=2 l= 0 prim: NULL
17:d=1 hl=2 l= 32 prim: OCTET STRING
0000 - 73 87 b0 9d e8 15 9f fb-ce af 3d ef 18 33 b3 04 s.........=..3..
0010 - 28 64 b5 85 e9 88 91 69-e9 74 2a e6 45 ea 63 62 (d.....i.t*.E.cb
$ openssl sha256 -c x.tbs
SHA256(x.tbs)=
73:87:b0:9d:e8:15:9f:fb:ce:af:3d:ef:18:33:b3:04:28:64:b5:85:e9:88:91:69:e9:74:2a:e6:45:ea:63:62
actually looks good. As does the ASN.1, it seems.
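As an added illustration of the manual check in the quoted message (this is not code from the thread or from OpenSSL): a pure-Python PKCS#1 v1.5 / SHA-256 verifier that performs the same steps as `rsautl -verify -asn1parse` followed by the sha256 comparison, and that enforces the check OpenSSL's INT_RSA_VERIFY reports as "wrong signature length", namely that the signature must be exactly as long as the verifying key's modulus. The key generation and the TBS bytes are constructed stand-ins so the script runs offline.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, 9.2 note 1); the 32-byte hash follows it
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; n must be an odd integer > 3 (demo key generation only)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):
    """Toy RSA key generation, a constructed stand-in for the CA key; returns (n, e, d)."""
    primes = []
    while len(primes) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (c - 1) % e and is_probable_prime(c):  # keeps gcd(e, c - 1) == 1
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def rsa_pkcs1v15_sha256_sign(tbs, n, e, d):
    """EM = 00 01 FF..FF 00 || DigestInfo(SHA-256(tbs)), then s = EM^d mod n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(tbs).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsa_pkcs1v15_sha256_verify(tbs, sig, n, e):
    """What `rsautl -verify -asn1parse` plus the hash compare does, with the key-size check."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:  # OpenSSL's INT_RSA_VERIFY fails here with "wrong signature length"
        raise ValueError("wrong signature length: %d bytes for a %d-byte modulus" % (len(sig), k))
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)  # end of the 0xFF padding (at least 8 bytes of it)
    if em[:2] != b"\x00\x01" or sep < 10 or set(em[2:sep]) != {0xFF}:
        return False
    return em[sep + 1:] == SHA256_DIGESTINFO_PREFIX + hashlib.sha256(tbs).digest()
```

Note that the quoted manual check takes its public key from x.pem itself (`openssl x509 -in x.pem -pubkey`), whereas `openssl verify` uses the key of the issuer certificate it selects; the verifier above must likewise be given the issuer's (n, e).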
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org