Re: [Ocf-linux-users] openssl 1.0.1g Signature verification problem using OCF
From: David M. <uc...@gm...> - 2014-07-24 10:31:40
anand rao wrote the following:
> Hi,
>
> I am using openssl 1.0.1g to create a CA and generate certificates.
>
> I am facing an issue while generating the device certificates.
> After creating the ca certificate using below command
>
> # openssl req -x509 -new -newkey rsa:1024 -keyout private/cakey.pem -days 3650 -out cacert.pem
>
> when we try to display the contents the signature algorithm is shown as itu-t instead of sha1WithRSAEncryption
>
> #openssl x509 -in cacert.pem -noout -text
>
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             96:15:a3:26:59:5f:46:1d
>     Signature Algorithm: itu-t
>         Issuer: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA/subjectAltName=DNS:www.evmweb.com
>         Validity
>             Not Before: Jun 14 12:08:24 2013 GMT
>             Not After : Jun 12 12:08:24 2023 GMT
>         Subject: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA/subjectAltName=DNS:www.evmweb.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:c1:73:b4:37:ed:d1:1f:fb:bf:63:b0:8a:91:82:
>                     a8:f0:83:4d:5a:32:9b:5d:bc:23:06:3f:d4:fc:77:
>                     cf:83:0f:ab:ac:35:46:98:02:e5:a3:cc:89:30:34:
>                     05:3f:80:ad:33:ae:dc:7e:57:60:e2:02:d6:c9:6b:
>                     b8:76:f7:56:e6:0f:44:c4:71:3a:cf:e1:59:8e:b4:
>                     4b:6a:4a:de:59:25:4d:58:74:f0:82:27:0e:35:34:
>                     72:86:9e:7c:a3:c8:cb:ba:55:8f:d5:8f:2f:cd:a0:
>                     1f:e8:89:7c:74:0e:92:a0:de:72:d1:33:96:41:42:
>                     bc:44:d0:20:29:cf:7b:2c:a7
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 C3:92:EF:07:DE:25:21:48:F4:51:2B:38:C8:DE:56:D0:14:8E:CD:0A
>             X509v3 Authority Key Identifier:
>                 keyid:C3:92:EF:07:DE:25:21:48:F4:51:2B:38:C8:DE:56:D0:14:8E:CD:0A
>                 DirName:/C=US/ST=LA/L=CA/O=Internet Widgits Pty Ltd/OU=crop/CN=GWCA/subjectAltName=DNS:www.evmweb.com
>                 serial:96:15:A3:26:59:5F:46:1D
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: itu-t
>          a0:0e:98:f2:46:4e:0e:b5:d9:ff:f2:e5:57:24:d2:81:66:2e:
>          4a:2b:3c:f6:02:48:4a:37:d8:4d:d9:70:b2:01:43:f4:71:fc:
>          92:27:a9:d0:0b:9f:1a:c2:b7:54:3e:67:f3:0e:71:76:15:c0:
>          c2:0f:b7:3a:13:de:93:4e:42:27:f9:5a:bb:d9:9e:e8:19:55:
>          88:7e:4b:d6:3a:b7:2d:46:3f:79:13:f4:c7:da:59:37:95:ef:
>          15:47:91:2a:32:4d:0d:ba:6f:a6:13:c3:57:87:ac:70:53:98:
>          41:11:8d:ee:af:3d:46:d1:48:bb:f7:de:5d:00:a4:f1:59:c2:
>          0c:56
>
> when we try to sign a device certificate I am getting below error.
>
> # openssl ca -policy policy_anything -out certs/evm1gwcert.pem -infiles evm1gwCSR.pem
>
> Using configuration from /etc/ssl/openssl.cnf
> Enter pass phrase for /etc/ssl/private/cakey.pem:
> Check that the request matches the signature
> Signature verification problems..
>
>
> This issue is not observed when we disable OCF, I mean if we remove OCF modules OR compile OpenSSL without HAVE_CRYPTODEV then this issue is not seen.
> Has something changed between OpenSSL version 1.0.0g and 1.0.1g, which OCF is not compatible with?

I am not aware of any change between 1.0.0g and 1.0.1g that would have this effect.

Which HW driver are you using?
Which version of OCF are you using?

I will try and reproduce this if I get a chance.

Perhaps you should try posting the query to the openssl mailing list. They may be more up to date on openssl changes that may affect this code.

Cheers,
Davidm

--
David McCullough, da...@sp..., Ph: 0410 560 763
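An added example, not part of the thread or of OpenSSL/OCF: a shell check for the symptom reported above, which reads `openssl x509 -noout -text` output and confirms that both signature algorithm fields (the one inside the signed data and the outer one) carry the expected name. The function names `check_sigalg`, `sample_bad` and `sample_good` are hypothetical, and the sample inputs are constructed from the output format quoted in the message.

```shell
#!/bin/sh
# Live use (commands taken from the thread):
#   openssl x509 -in cacert.pem -noout -text | check_sigalg sha1WithRSAEncryption

# check_sigalg EXPECTED: reads x509 text output on stdin, prints a verdict.
# Returns 0 if both algorithm fields equal EXPECTED, 1 if not, 2 if malformed.
check_sigalg() {
    expected=$1
    # Pull the name after every "Signature Algorithm:" label, trimming spaces.
    algs=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' |
           sed 's/[[:space:]]*$//')
    count=$(printf '%s\n' "$algs" | grep -c . || true)
    if [ "$count" -ne 2 ]; then
        echo "malformed: expected 2 Signature Algorithm fields, found $count"
        return 2
    fi
    inner=$(printf '%s\n' "$algs" | sed -n 1p)   # field inside the signed data
    outer=$(printf '%s\n' "$algs" | sed -n 2p)   # field next to the signature
    if [ "$inner" != "$outer" ]; then
        echo "mismatch: signed data says $inner, outer field says $outer"
        return 1
    fi
    if [ "$inner" != "$expected" ]; then
        echo "unexpected: $inner (wanted $expected)"
        return 1
    fi
    echo "ok: $inner"
}

# Constructed samples: the reported output (trimmed) and the expected one.
sample_bad() { cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: itu-t
        Issuer: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA
    Signature Algorithm: itu-t
EOF
}
sample_good() { cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
```

Running the same check on certificates generated with and without OCF enabled gives a quick pass/fail comparison of the two builds before any certificate is put to use.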