/usr/local/ossl-0.9.8/ssl/openssl.cnf


/usr/local/ossl-0.9.8/ssl/openssl.cnf

Frédéric Donnat-2
Hi all,

Could someone tell me where I can find the following file: ca.txt

I'm reading the HOWTO and I see the following comment (certificates.txt):
"This is NOT the recommended way to create a
CA certificate, see ca.txt."

regards,

Fred
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

CA generation/certificate serial number

Frédéric Donnat-2
Hi,

Sorry for the mistake (nothing to do with the openssl.cnf file). I was just looking for the ca.txt file.

Is it normal behaviour of openssl to be able to view a certificate without a serial number using (without any error mentioned):
openssl x509 -in some_cert_without_sn.pem -text
but to be unable to verify it using:
openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem


Sample (attached self-signed cert named pipo-bad.pem):

[donnatfr@CoyoteNux simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem pipo-bad.pem
pipo-bad.pem: /C=UK/CN=OpenSSL Group
error 7 at 0 depth lookup:certificate signature failure
18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:


I'm using openssl 0.9.8.

regards,


Fred

Attachment: pipo-bad.pem (1K)

Re: CA generation/certificate serial number

Nils Larsch
Frédéric Donnat wrote:

> Hi,
>
> Sorry for the mistake (nothing to deal with openssl.cnf file). I was just looking for ca.txt file.
>
> Is it normal behavior of openssl to be able to view a certificate without serial number using (without any error mentioned):
> openssl x509 -in some_cert_without_sn.pem -text
> But to be unable to verify it using:
> openssl verify -CAfile some_cert_without_sn.pem some_cert_without_sn.pem
>
>
> Sample: (attached self-sign cert name pipo-bad.pem)

hmm, the attached certificate does have a serial number, it's 0x0

>
> [donnatfr@CoyoteNux simple]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /usr/local/ossl-0.9.8/bin/openssl verify -verbose -CAfile pipo-bad.pem pipo-bad.pem
> pipo-bad.pem: /C=UK/CN=OpenSSL Group
> error 7 at 0 depth lookup:certificate signature failure
> 18588:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:218:
> 18588:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

well, the signature really seems to be wrong. How did you create
the certificate?

Cheers,
Nils

FW: CA generation/certificate serial number

Frédéric Donnat-2
Hi,
Sorry if this is a second post, but the first one should not have reached the openssl mail server due to the attachment.
Moved test-2-bad.crt to test-2-bad.pem.


Hi, thanks for your answer,

But the signature is OK when creating the X509 certificate, signing it and verifying it (the dump is also OK).

This is a problem with the serial number (ASN1) when NOT setting it in the X509 struct, saving it to a file and reloading it from the file for verification.

My certificate is a bad one because I did not set the serial number.
The question is: should the serial number be set to a default one (0x00)?



Moreover, I found that the verify function is not working properly.
I try to verify, and the return is OK whereas it should not be.

[donnatfr@CoyoteNux Atempo-Tina]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib /netsecureone/dev/openssl/ossl-0.9.8x/openssl-0.9.8/apps/openssl verify -purpose any -verbose -CAfile testCA-1.crt test-2-bad.crt
INFO: X509_VRFY_PARM: inh_flags: 1, flags: 0, purpose: 7, trust: 0, depth: -1
INFO: argc: 1
test-2-bad.crt:
INFO: vflags value: 0, purpose value: -1
INFO X509stack ptr: uchain: (nil), tchain: (nil)
INFO: x value: 0x80b0cf0
OK

My certificate has no Key Usage extension (see attached file test-2-bad.crt).
If I use the X509_check_purpose() function things are OK (I could detect SSL settings).

Regards,

Fred

PS: I just do a CSR (X509_REQ), a CRT (X509), sign using X509_sign(), and verify using X509_verify().
(My code is based on apps/req.c, apps/x509.c, apps/verify.c and other files in the demo directory.)
If required I should be able to provide it.
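The two defects discussed in this thread, a serial number that the issuing code never set (it shows up on the wire as INTEGER 0, the 0x0 Nils found in the attachment) and a certificate with no Key Usage extension that a purpose-agnostic verify still accepts, can both be caught by looking at the DER before trusting the verify result. The following is an added example, not OpenSSL code and not the poster's code: a standard-library-only DER walker that lints a TBSCertificate for exactly those two conditions. The certificate bytes it checks are constructed inside the script (placeholder names, validity and key), so it runs offline; the OIDs for keyUsage and rsaEncryption are the real ones.

```python
# Added example (not OpenSSL code, not the poster's code): a stdlib-only DER walker
# that lints a TBSCertificate for the two defects in this thread, an unset (zero)
# serial number and a missing keyUsage extension. The certificate bytes built by
# build_tbs() are constructed here; they are not real certificates.

KEY_USAGE_OID = "2.5.29.15"


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Minimal two's-complement INTEGER, as DER requires (0 -> 02 01 00)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(content):
    """Split a constructed element's content into its (tag, content) members."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


KEY_USAGE_DS_KE = tlv(0x03, b"\x05\xa0")  # BIT STRING: digitalSignature | keyEncipherment


def build_tbs(serial=None, extensions=()):
    """Constructed sample TBSCertificate (v3) with placeholder names, validity and key.
    serial=None models issuing code that never touched the serial field: the file then
    carries INTEGER 0, which is the 0x0 seen in the attached certificate."""
    rsa_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))  # rsaEncryption, NULL
    fields = [
        tlv(0xA0, der_int(2)),                                  # [0] version v3
        der_int(0 if serial is None else serial),               # serialNumber
        rsa_alg,                                                # signature AlgorithmIdentifier
        tlv(0x30, b""),                                         # issuer (placeholder empty Name)
        tlv(0x30, tlv(0x17, b"050829000000Z") + tlv(0x17, b"060829000000Z")),  # validity
        tlv(0x30, b""),                                         # subject (placeholder)
        tlv(0x30, rsa_alg + tlv(0x03, b"\x00")),                # subjectPublicKeyInfo (placeholder)
    ]
    if extensions:
        exts = b"".join(
            tlv(0x30, der_oid(oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value))
            for oid, critical, value in extensions)
        fields.append(tlv(0xA3, tlv(0x30, exts)))              # [3] extensions
    return tlv(0x30, b"".join(fields))


def lint_tbs(tbs_der):
    """Return (serial, extension OIDs, findings) for a DER-encoded TBSCertificate."""
    _, body, _ = read_tlv(tbs_der)
    fields = children(body)
    i = 1 if fields[0][0] == 0xA0 else 0          # skip the explicit [0] version if present
    tag, content = fields[i]
    findings = []
    serial = int.from_bytes(content, "big", signed=True) if tag == 0x02 else None
    if serial is None:
        findings.append("serialNumber is not an INTEGER")
    elif serial <= 0:
        findings.append(f"serialNumber is {serial}: RFC 5280 requires a positive integer; "
                        "0 usually means the issuing code never set it")
    ext_oids = []
    for tag, content in fields[i + 1:]:
        if tag == 0xA3:                               # [3] extensions: SEQUENCE OF Extension
            for _, ext in children(children(content)[0][1]):
                ext_oids.append(decode_oid(children(ext)[0][1]))
    if KEY_USAGE_OID not in ext_oids:
        findings.append("no keyUsage extension: a purpose-agnostic check (verify -purpose any) "
                        "reports OK; check the intended purpose explicitly, e.g. X509_check_purpose()")
    return serial, ext_oids, findings


if __name__ == "__main__":
    for name, tbs in [("unset serial, no extensions", build_tbs()),
                      ("serial set, keyUsage present",
                       build_tbs(4096, [(KEY_USAGE_OID, True, KEY_USAGE_DS_KE)]))]:
        serial, oids, findings = lint_tbs(tbs)
        print(name, "->", serial, oids, findings or "no findings")
```

To run it against a real certificate, feed lint_tbs() the content of the first element of the outer Certificate SEQUENCE (the TBSCertificate), which read_tlv() and children() can peel off the DER produced by `openssl x509 -outform DER`. The serial check mirrors the fix the thread arrives at (set the serial explicitly before X509_sign()), and the keyUsage check mirrors the advice to call X509_check_purpose() rather than rely on a verify run with -purpose any.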


Attachment: test-2-bad.pem (1K)