Thread: [Ocf-linux-users] openssl 1.0.1g Signature verification problem using OCF
From: anand r. <one...@ya...> - 2014-07-23 07:27:18
Hi,

I am using openssl 1.0.1g to create a CA and generate certificates.

I am facing an issue while generating the device certificates. After creating the CA certificate using the command below

    # openssl req -x509 -new -newkey rsa:1024 -keyout private/cakey.pem -days 3650 -out cacert.pem

when we try to display the contents, the signature algorithm is shown as itu-t instead of sha1WithRSAEncryption:

    # openssl x509 -in cacert.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                96:15:a3:26:59:5f:46:1d
            Signature Algorithm: itu-t
            Issuer: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA/subjectAltName=DNS:www.evmweb.com
            Validity
                Not Before: Jun 14 12:08:24 2013 GMT
                Not After : Jun 12 12:08:24 2023 GMT
            Subject: C=US, ST=LA, L=CA, O=Internet Widgits Pty Ltd, OU=crop, CN=GWCA/subjectAltName=DNS:www.evmweb.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:c1:73:b4:37:ed:d1:1f:fb:bf:63:b0:8a:91:82:
                        a8:f0:83:4d:5a:32:9b:5d:bc:23:06:3f:d4:fc:77:
                        cf:83:0f:ab:ac:35:46:98:02:e5:a3:cc:89:30:34:
                        05:3f:80:ad:33:ae:dc:7e:57:60:e2:02:d6:c9:6b:
                        b8:76:f7:56:e6:0f:44:c4:71:3a:cf:e1:59:8e:b4:
                        4b:6a:4a:de:59:25:4d:58:74:f0:82:27:0e:35:34:
                        72:86:9e:7c:a3:c8:cb:ba:55:8f:d5:8f:2f:cd:a0:
                        1f:e8:89:7c:74:0e:92:a0:de:72:d1:33:96:41:42:
                        bc:44:d0:20:29:cf:7b:2c:a7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    C3:92:EF:07:DE:25:21:48:F4:51:2B:38:C8:DE:56:D0:14:8E:CD:0A
                X509v3 Authority Key Identifier:
                    keyid:C3:92:EF:07:DE:25:21:48:F4:51:2B:38:C8:DE:56:D0:14:8E:CD:0A
                    DirName:/C=US/ST=LA/L=CA/O=Internet Widgits Pty Ltd/OU=crop/CN=GWCA/subjectAltName=DNS:www.evmweb.com
                    serial:96:15:A3:26:59:5F:46:1D

                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: itu-t
            a0:0e:98:f2:46:4e:0e:b5:d9:ff:f2:e5:57:24:d2:81:66:2e:
            4a:2b:3c:f6:02:48:4a:37:d8:4d:d9:70:b2:01:43:f4:71:fc:
            92:27:a9:d0:0b:9f:1a:c2:b7:54:3e:67:f3:0e:71:76:15:c0:
            c2:0f:b7:3a:13:de:93:4e:42:27:f9:5a:bb:d9:9e:e8:19:55:
            88:7e:4b:d6:3a:b7:2d:46:3f:79:13:f4:c7:da:59:37:95:ef:
            15:47:91:2a:32:4d:0d:ba:6f:a6:13:c3:57:87:ac:70:53:98:
            41:11:8d:ee:af:3d:46:d1:48:bb:f7:de:5d:00:a4:f1:59:c2:
            0c:56

When we try to sign a device certificate I am getting the error below.

    # openssl ca -policy policy_anything -out certs/evm1gwcert.pem -infiles evm1gwCSR.pem
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for /etc/ssl/private/cakey.pem:
    Check that the request matches the signature
    Signature verification problems..

This issue is not observed when we disable OCF, I mean if we remove the OCF modules OR compile OpenSSL without HAVE_CRYPTODEV then this issue is not seen.
Has something changed between OpenSSL version 1.0.0g and 1.0.1g, which OCF is not compatible with?

Please suggest.

Best Regards,
Anand
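The symptom in the post above can be checked without trusting the text dump. The example below is added here (it is not code from the thread, from OCF or from OpenSSL): it decodes the signature-algorithm OID straight from the certificate's DER, compares the tbsCertificate copy against the outer one as RFC 5280 requires, and flags anything outside an expected list; OpenSSL's object table names OID arc 0 "itu-t", which is not a signature algorithm at all. KNOWN_SIG_OIDS, make_cert and the sample DER are constructed for the example.

```python
# Added example: inspect a DER Certificate's signature algorithm directly.
KNOWN_SIG_OIDS = {                  # expected CA signature algorithms (constructed list)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted form of DER OID contents; '' for an empty (degenerate) OID."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs:
        return ""
    a = arcs[0]                     # first byte packs the first two arcs
    head = [0, a] if a < 40 else ([1, a - 40] if a < 80 else [2, a - 80])
    return ".".join(str(x) for x in head + arcs[1:])

def signature_oids(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    _, p, _ = _read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, tbs_s, tbs_e = _read_tlv(cert_der, p)       # tbsCertificate
    _, alg_s, _ = _read_tlv(cert_der, tbs_e)       # outer AlgorithmIdentifier
    _, o_s, o_e = _read_tlv(cert_der, alg_s)       # its OID
    tag, _, p = _read_tlv(cert_der, tbs_s)         # [0] version is optional
    if tag == 0xA0:
        tag, _, p = _read_tlv(cert_der, p)         # serialNumber
    _, ialg_s, _ = _read_tlv(cert_der, p)          # inner AlgorithmIdentifier
    _, i_s, i_e = _read_tlv(cert_der, ialg_s)
    return decode_oid(cert_der[i_s:i_e]), decode_oid(cert_der[o_s:o_e])

def check_certificate(cert_der):
    """'ok:<name>' for an expected, consistent algorithm; otherwise the reason."""
    inner, outer = signature_oids(cert_der)
    if inner != outer:                             # RFC 5280 4.1.1.2: must be equal
        return "mismatch: tbs=%r outer=%r" % (inner, outer)
    name = KNOWN_SIG_OIDS.get(outer)
    # OpenSSL's objects.txt names OID arc 0 'itu-t'; nothing outside the table is trusted.
    return "ok:" + name if name else "unexpected signature OID %r" % outer

# --- constructed sample certificates (minimal DER, not real certs) ----------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
EMPTY_OID = b""                                     # degenerate OID contents

def make_cert(inner_oid, outer_oid=None):
    """Certificate { tbs { [0] v3, serial, sig alg }, sig alg, BIT STRING }."""
    alg = lambda o: _tlv(0x30, _tlv(0x06, o) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(inner_oid))
    outer = alg(inner_oid if outer_oid is None else outer_oid)
    return _tlv(0x30, tbs + outer + _tlv(0x03, b"\x00" + b"\xaa" * 4))
```

For a real certificate, convert with openssl x509 -in cacert.pem -outform DER and pass the bytes to check_certificate; the mismatch branch also catches a certificate whose two AlgorithmIdentifiers disagree, which fails verification on its own.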
From: David M. <uc...@gm...> - 2014-07-24 10:31:40
anand rao wrote the following:
> [...]
> This issue is not observed when we disable OCF, I mean if we remove the OCF modules OR compile OpenSSL without HAVE_CRYPTODEV then this issue is not seen.
> Has something changed between OpenSSL version 1.0.0g and 1.0.1g, which OCF is not compatible with?

I am not aware of any change between 1.0.0g and 1.0.1g that would have this effect.

Which HW driver are you using ?
Which version of OCF are you using ?

I will try and reproduce this if I get a chance.

Perhaps you should try posting the query to the openssl mailing list. They may be more up to date on openssl changes that may affect this code.

Cheers,
Davidm

--
David McCullough, da...@sp..., Ph: 0410 560 763
From: anand r. <one...@ya...> - 2014-07-24 15:00:58
Hi David,

> I am not aware of any change between 1.0.0g and 1.0.1g that would have this effect.

This issue is reproduced on 1.0.1e also.

> Which HW driver are you using ?

This issue is reproducible with OCF software crypto also, without any HW registered with OCF.

> Which version of OCF are you using ?

I am using ocf-linux-20120127, my kernel version is 3.2.26.

> Perhaps you should try posting the query to the openssl mailing list. They may be more up to date
> on openssl changes that may affect this code.

I have posted this on the OpenSSL forum; the response was that OpenSSL was broken because of the patches applied. I have applied only the OCF patch, but even without any patches applied the issue is observed.
I have mentioned that I was using OCF underneath; there was no further response to my query.

Best Regards,
Anand
From: David M. <uc...@gm...> - 2014-07-24 22:56:35
anand rao wrote the following:
> Hi David,
>
> > I am not aware of any change between 1.0.0g and 1.0.1g that would have this effect.
>
> This issue is reproduced on 1.0.1e also.
>
> > Which HW driver are you using ?
>
> This issue is reproducible with OCF software crypto also, without any HW registered with OCF.

Really, that's interesting.

> > Which version of OCF are you using ?
>
> I am using ocf-linux-20120127, my kernel version is 3.2.26.
>
> > Perhaps you should try posting the query to the openssl mailing list. They may be more up to date
> > on openssl changes that may affect this code.
>
> I have posted this on the OpenSSL forum; the response was that OpenSSL was broken because of the patches applied. I have applied only the OCF patch, but even without any patches applied the issue is observed.
>
> I have mentioned that I was using OCF underneath; there was no further response to my query.

Bummer.

You should not need to patch any of the 1.0.0 or later versions for use with OCF. All the "main" changes should already be in there.

Are you applying any patches to 1.0.1g ?

Cheers,
Davidm

--
David McCullough, uc...@gm..., Ph: 0410 560 763
From: anand r. <one...@ya...> - 2014-07-25 06:33:45
Hi David,

> You should not need to patch any of the 1.0.0 or later versions for use
> with OCF. All the "main" changes should already be in there.
> Are you applying any patches to 1.0.1g ?

No. I have not applied any patches to 1.0.1g.
As I mentioned, without applying any patches this issue is reproducible.
From: David M. <uc...@gm...> - 2014-07-25 13:24:21
anand rao wrote the following:
> Hi David,
>
> > You should not need to patch any of the 1.0.0 or later versions for use
> > with OCF. All the "main" changes should already be in there.
> > Are you applying any patches to 1.0.1g ?
>
> No. I have not applied any patches to 1.0.1g.
> As I mentioned, without applying any patches this issue is reproducible.

No problems, just making sure I can reproduce your setup :-)

--
David McCullough, uc...@gm..., Ph: 0410 560 763
From: anand r. <one...@ya...> - 2014-07-28 14:11:55
Hi David,

I have a few more pieces of information which I missed earlier.
In my OpenSSL configuration, along with HAVE_CRYPTODEV I have also enabled USE_CRYPTODEV_DIGESTS.

If I don't enable the USE_CRYPTODEV_DIGESTS option then I am observing the error below.

    root@OpenWrt:/etc/ssl# openssl req -x509 -engine cryptodev -new -newkey rsa:1024 -keyout private/cakey.pem -days 3650 -out cacert.pem
    engine "cryptodev" set.
    Generating a 1024 bit RSA private key
    ..++++++
    ................................................++++++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:problems making Certificate Request

BRs,
Anand

On Friday, July 25, 2014 6:54 PM, David McCullough <uc...@gm...> wrote:
> [...]
From: David M. <uc...@gm...> - 2014-07-28 22:14:47
anand rao wrote the following:
> Hi David,
>
> I have a few more pieces of information which I missed earlier.
> In my OpenSSL configuration, along with HAVE_CRYPTODEV I have also enabled USE_CRYPTODEV_DIGESTS.
>
> If I don't enable the USE_CRYPTODEV_DIGESTS option then I am observing the error below.

That is interesting as I never use USE_CRYPTODEV_DIGESTS, thanks for the update.

Cheers,
Davidm

> [...]

--
David McCullough, da...@sp..., Ph: 0410 560 763
From: anand r. <one...@ya...> - 2014-08-08 08:47:33
Hi David,

Did you get a chance to reproduce the setup and issue?
I have made no progress on this as I am unable to find the reason.

BRs,
Anand

On Tuesday, July 29, 2014 3:44 AM, David McCullough <uc...@gm...> wrote:
> [...]
From: David M. <uc...@gm...> - 2014-08-08 05:23:54
anand rao wrote the following:
> Hi David,
>
> Did you get a chance to reproduce the setup and issue?
> I have made no progress on this as I am unable to find the reason.

Sorry, not yet :-(

Keep bugging me and I promise to get to it :-)

Cheers,
Davidm

> [...]

--
David McCullough, da...@sp..., Ph: 0410 560 763