From: <dbl...@co...> - 2014-09-05 23:08:38
Hi all

Some more info on this.

I commented out the unlink statements so I could debug. The openssl verify command validates the cert fine using the same CA file and chain path as OpenCA uses.

I also compared the pkcs7 files that openca-sv uses. One file is extracted from the database and the other file is recalculated. Both files are exactly the same using binary diff.

So I am confused why the UI fails.

Dave

Sent from XFINITY Connect Mobile App

-----Original Message-----

From: bla...@gd...
To: he...@hl...
Cc: ope...@li...
Sent: 2014-09-05 09:41:30 GMT
Subject: Re: [Openca-Users] OpenCA 1.5.1 signature not valid

Hi Martin,

Although there are some cases of expired RA certificates, there are others where certs are signed by a valid RA certificate yet cannot be verified. See output from verification window below:

    Cannot build PKCS#7-object from extracted signature!

    OpenCA::PKCS7 returns errorcode 7911031

    OpenCA::PKCS7->new: Cannot initialize signature (7912021). OpenCA::PKCS7->initSignature: Cannot parse signature (7921021). OpenCA::PKCS7->getParsed: The crypto-backend cannot verify the signature (7742075). OpenCA::OpenSSL->verify: openca-sv failed.
    [Error]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
    [Info]: Input file intialized.
    [Info]: Signaturefile initialized.
    [Info]: Reading Certificate file.
    [Info]: PKCS#7 object loaded.
    [Info]: Data is ready for verification.
    [Info]: Signature Informations (PKCS#7):
    depth:2 serial:blah subject:CN=root CA blah
    depth:1 serial:blah subject:CN=issuing CA blah
    depth:0 serial:blah subject:RA cert blah

    [Info]: Signature is corrupt. Errorcode -1.
    signature:error:-1

Based on your comments about hashes I did notice the hash values in the root chain directory were different between the old installation (using 0.9.8) and the new installation. I changed the Makefile to use subject_hash_old and rebuilt the chain. This only made matters worse. It was "unable to get issuer certificate". So I switched the hashes back.

If the hashes need to be changed anywhere else I am unaware of it.

Dave

_______________________________________________
Openca-Users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openca-users
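An added example, not code from this thread or from OpenCA, for the hash-directory part of Dave's report: a POSIX shell script that rebuilds an OpenSSL CApath chain directory with links under both the 0.9.8-era subject hash (-subject_hash_old) and the 1.0.0+ hash (-subject_hash), so issuer lookup works whichever OpenSSL build does the verifying, and then runs the same "openssl verify -CAfile ... -CApath ..." check the thread performs by hand. It assumes only the openssl CLI; the root/issuing/RA chain in demo() is constructed on the fly and every path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or OpenCA): rebuild a CApath chain dir with
# links under both hash schemes (0.9.8 -subject_hash_old and 1.0.0+ -subject_hash)
# so lookups work whichever OpenSSL does the verifying. Assumes the openssl CLI.
set -eu
# rebuild_capath DIR: drop stale <hash>.N links, then link every *.pem in DIR
# under both hash values (N increments on collisions, as c_rehash does).
rebuild_capath() {
  dir="$1"
  find "$dir" -maxdepth 1 -type l -name '*.[0-9]' -exec rm -f {} +
  for cert in "$dir"/*.pem; do
    [ -f "$cert" ] || continue
    for h in $(openssl x509 -noout -subject_hash -in "$cert") \
             $(openssl x509 -noout -subject_hash_old -in "$cert"); do
      n=0
      while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
      ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
  done
}

# verify_chain CAFILE CAPATH CERT: the check run by hand in the thread;
# returns 0 when the chain builds, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" -CApath "$2" "$3" >/dev/null 2>&1
}

# demo DIR: builds a throwaway root -> issuing CA -> RA chain (the thread's depth
# 2/1/0); returns 0 only if the RA cert fails before rehash and verifies after.
demo() {
  d="$1"; mkdir -p "$d/chain"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -subj /CN=root -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/issuing.key" \
    -subj /CN=issuing -out "$d/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/chain/issuing.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ra.key" \
    -subj /CN=ra -out "$d/ra.csr" 2>/dev/null
  openssl x509 -req -in "$d/ra.csr" -CA "$d/chain/issuing.pem" \
    -CAkey "$d/issuing.key" -CAcreateserial -days 1 -out "$d/ra.pem" 2>/dev/null
  # No hash links yet: "unable to get issuer certificate", as in the thread.
  if verify_chain "$d/root.pem" "$d/chain" "$d/ra.pem"; then return 1; fi
  rebuild_capath "$d/chain"
  verify_chain "$d/root.pem" "$d/chain" "$d/ra.pem"
}
```

Run "demo /tmp/somedir" to see the before/after behaviour; point rebuild_capath at OpenCA's chain directory to get a directory usable by both the old and new OpenSSL.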