[openssl-users] CSR verify failure

Felipe Gasper felipe at felipegasper.com
Mon Mar 26 16:15:58 UTC 2018


I see the same errors with 1.0.2n.

Going by posts I see out-and-about about this error, there seem to be two possibilities:

1) There’s an RSA padding scheme mismatch. Maybe your openssl.cnf has something nonstandard, e.g., raw padding rather than PKCS1?

2) The signature is simply incorrect. It’s been a while since I did this, but I *believe* you could check this by extracting the bytes for the first-nested SEQUENCE from the ASN.1 structure, get the signature for that blob against your private key, then compare that to the CSR’s stored signature. They should be the same.

Also, did you verify that the modulus and exponent as stored in the CSR match up against your private key file?

-F
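To make the check described in the message concrete, here is an added example (not from the thread or from OpenSSL) that takes the CSR posted below, pulls out the CertificationRequestInfo (the first nested SEQUENCE, header included), the RSA modulus and exponent, and the signature with a minimal DER walker, then undoes the RSA public operation and inspects the PKCS#1 v1.5 encoding, so a padding-scheme mismatch (possibility 1) is reported separately from a plain digest mismatch (possibility 2). It assumes sha256WithRSAEncryption as shown in the dump and uses only the Python standard library; the function names are mine.

```python
import base64, hashlib
CSR_B64 = (  # constructed input: the CSR posted in the thread above, base64 lines joined in threes
    "MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOJuhJcO1eqtGE8Yc7P4cSgSwlwyuAe8AYzseGCqwAEY"
    "XHVdAXaPspJcRyP2ndz2AmYfytPPogFEWPnf86WKyaNHp4Aan2LEo0Z345Zqhb8GrApR6hqdAyqATGNrgYchtVZNo1JN2bRgY/MUXqdunfS3W33LEJwg0b7tf4KBHPLwlOqkyWo75xvMROcMISRX+k5NbckAsXkX5H52lryYQrirzqgHR8C8Bqe4pzYHLsqA"
    "2Sw6F+emfOxTGmqhN6O2WQBryP5/9CpySHST1oG5wDtPqZ2EhE1gdpeQDPjHRiaUkITBlcsAQY0LNUEqqKnqc/0IgZJGAxocxRhbh908ow0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBxhvGIfkvJZjZqB/B2ZEtVcODj/BhfmSjUlcQ74NdSZC5CUslc"
    "y7ozJQiAXiRibaGOcPmeIGY6FNbLECWT/Fr2eciozvadDM+Klp92cqT3ZowuSjX0UV+1zfy2pu5OBtKfbGs0pBlsC6bLKyVH2s4yoYluBEeGRuVv69HmZXOGE6H0SvHjLOV2puEkwtZcM/xq0uszDHfKVrbLp+kT+m0OIgNRUDngkcpdp9P1W8tMLVY5m8ar"
    "h8ebVGxVF7ZtYihi6LPVaRcJgNyoawntxhhiX/3rmzq3pavbcrxV3+j6rSLxvw2zeeHSCU6jTmFbKK/KPR9TUlJycelzKP1zAZCV"
)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix for SHA-256 (RFC 8017, 9.2)

def tlv(buf, off):
    tag, ln, hl = buf[off], buf[off + 1], 2
    if ln & 0x80:                                   # long-form length: low 7 bits = number of length bytes
        nb = ln & 0x7F
        ln, hl = int.from_bytes(buf[off + 2:off + 2 + nb], "big"), 2 + nb
    return tag, off, off + hl, off + hl + ln          # (tag, element_start, value_start, value_end)

def elements(buf, start, end):
    while start < end:                              # yield the consecutive DER elements in buf[start:end]
        el = tlv(buf, start)
        yield el
        start = el[3]

def parse_csr(der):
    """Split a DER CSR into (CertificationRequestInfo bytes, modulus n, exponent e, signature bytes)."""
    _, _, s, end = tlv(der, 0)                              # outer SEQUENCE
    cri, _alg, sig = elements(der, s, end)                  # CRI, signatureAlgorithm, signature BIT STRING
    _ver, _subj, spki, _attrs = elements(der, cri[2], cri[3])
    _algid, pub = elements(der, spki[2], spki[3])           # AlgorithmIdentifier, subjectPublicKey BIT STRING
    n_el, e_el = elements(der, *tlv(der, pub[2] + 1)[2:])   # RSAPublicKey SEQUENCE follows the unused-bits byte
    n = int.from_bytes(der[n_el[2]:n_el[3]], "big")
    e = int.from_bytes(der[e_el[2]:e_el[3]], "big")
    return der[cri[1]:cri[3]], n, e, der[sig[2] + 1:sig[3]]  # CRI keeps its header; signature drops unused-bits byte

def check_signature(cri_bytes, n, e, signature):
    """Raw RSA verify: 'ok', 'bad-padding' (scheme mismatch) or 'digest-mismatch' (wrong key or altered CRI)."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)                       # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(CRI)
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return "bad-padding"
    t = em[sep + 1:]
    if t == SHA256_PREFIX + hashlib.sha256(cri_bytes).digest():
        return "ok"
    return "digest-mismatch" if t.startswith(SHA256_PREFIX) else "bad-padding"

def verify_csr(b64=CSR_B64):
    cri_bytes, n, e, sig = parse_csr(base64.b64decode(b64))
    return len(cri_bytes), n.bit_length(), e, len(sig), check_signature(cri_bytes, n, e, sig)
```

The modulus returned by parse_csr can be compared against `openssl rsa -noout -modulus -in <key>` to answer the last question in the message.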

> On Mar 26, 2018, at 11:55 AM, Jon Uriarte <juriarte at redhat.com> wrote:
> 
> Sure, here it is:
> 
> $ cat CSR.csr 
> -----BEGIN CERTIFICATE REQUEST-----
> MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
> eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEB
> BQADggEPADCCAQoCggEBAOJuhJcO1eqtGE8Yc7P4cSgSwlwyuAe8AYzseGCqwAEY
> XHVdAXaPspJcRyP2ndz2AmYfytPPogFEWPnf86WKyaNHp4Aan2LEo0Z345Zqhb8G
> rApR6hqdAyqATGNrgYchtVZNo1JN2bRgY/MUXqdunfS3W33LEJwg0b7tf4KBHPLw
> lOqkyWo75xvMROcMISRX+k5NbckAsXkX5H52lryYQrirzqgHR8C8Bqe4pzYHLsqA
> 2Sw6F+emfOxTGmqhN6O2WQBryP5/9CpySHST1oG5wDtPqZ2EhE1gdpeQDPjHRiaU
> kITBlcsAQY0LNUEqqKnqc/0IgZJGAxocxRhbh908ow0CAwEAAaAAMA0GCSqGSIb3
> DQEBCwUAA4IBAQBxhvGIfkvJZjZqB/B2ZEtVcODj/BhfmSjUlcQ74NdSZC5CUslc
> y7ozJQiAXiRibaGOcPmeIGY6FNbLECWT/Fr2eciozvadDM+Klp92cqT3ZowuSjX0
> UV+1zfy2pu5OBtKfbGs0pBlsC6bLKyVH2s4yoYluBEeGRuVv69HmZXOGE6H0SvHj
> LOV2puEkwtZcM/xq0uszDHfKVrbLp+kT+m0OIgNRUDngkcpdp9P1W8tMLVY5m8ar
> h8ebVGxVF7ZtYihi6LPVaRcJgNyoawntxhhiX/3rmzq3pavbcrxV3+j6rSLxvw2z
> eeHSCU6jTmFbKK/KPR9TUlJycelzKP1zAZCV
> -----END CERTIFICATE REQUEST-----
> 
> 
> Jon
> 
> On Mon, Mar 26, 2018 at 5:49 PM, Felipe Gasper <felipe at felipegasper.com> wrote:
> But what is the actual PEM of the CSR?
> 
> It should look like:
> 
> -----BEGIN CERTIFICATE REQUEST-----
> ...
> -----END CERTIFICATE REQUEST-----
> 
> -FG
> 
> > On Mar 26, 2018, at 11:47 AM, Jon Uriarte <juriarte at redhat.com> wrote:
> >
> > Thanks for your replies.
> >
> > I'm creating the CSR with the default values.
> >
> > $ openssl req -noout -text -in CSR.csr
> > Certificate Request:
> >     Data:
> >         Version: 0 (0x0)
> >         Subject: C=XX, L=Default City, O=Default Company Ltd
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >                 Public-Key: (2048 bit)
> >                 Modulus:
> >                     00:e2:6e:84:97:0e:d5:ea:ad:18:4f:18:73:b3:f8:
> >                     71:28:12:c2:5c:32:b8:07:bc:01:8c:ec:78:60:aa:
> >                     c0:01:18:5c:75:5d:01:76:8f:b2:92:5c:47:23:f6:
> >                     9d:dc:f6:02:66:1f:ca:d3:cf:a2:01:44:58:f9:df:
> >                     f3:a5:8a:c9:a3:47:a7:80:1a:9f:62:c4:a3:46:77:
> >                     e3:96:6a:85:bf:06:ac:0a:51:ea:1a:9d:03:2a:80:
> >                     4c:63:6b:81:87:21:b5:56:4d:a3:52:4d:d9:b4:60:
> >                     63:f3:14:5e:a7:6e:9d:f4:b7:5b:7d:cb:10:9c:20:
> >                     d1:be:ed:7f:82:81:1c:f2:f0:94:ea:a4:c9:6a:3b:
> >                     e7:1b:cc:44:e7:0c:21:24:57:fa:4e:4d:6d:c9:00:
> >                     b1:79:17:e4:7e:76:96:bc:98:42:b8:ab:ce:a8:07:
> >                     47:c0:bc:06:a7:b8:a7:36:07:2e:ca:80:d9:2c:3a:
> >                     17:e7:a6:7c:ec:53:1a:6a:a1:37:a3:b6:59:00:6b:
> >                     c8:fe:7f:f4:2a:72:48:74:93:d6:81:b9:c0:3b:4f:
> >                     a9:9d:84:84:4d:60:76:97:90:0c:f8:c7:46:26:94:
> >                     90:84:c1:95:cb:00:41:8d:0b:35:41:2a:a8:a9:ea:
> >                     73:fd:08:81:92:46:03:1a:1c:c5:18:5b:87:dd:3c:
> >                     a3:0d
> >                 Exponent: 65537 (0x10001)
> >         Attributes:
> >             a0:00
> >     Signature Algorithm: sha256WithRSAEncryption
> >          71:86:f1:88:7e:4b:c9:66:36:6a:07:f0:76:64:4b:55:70:e0:
> >          e3:fc:18:5f:99:28:d4:95:c4:3b:e0:d7:52:64:2e:42:52:c9:
> >          5c:cb:ba:33:25:08:80:5e:24:62:6d:a1:8e:70:f9:9e:20:66:
> >          3a:14:d6:cb:10:25:93:fc:5a:f6:79:c8:a8:ce:f6:9d:0c:cf:
> >          8a:96:9f:76:72:a4:f7:66:8c:2e:4a:35:f4:51:5f:b5:cd:fc:
> >          b6:a6:ee:4e:06:d2:9f:6c:6b:34:a4:19:6c:0b:a6:cb:2b:25:
> >          47:da:ce:32:a1:89:6e:04:47:86:46:e5:6f:eb:d1:e6:65:73:
> >          86:13:a1:f4:4a:f1:e3:2c:e5:76:a6:e1:24:c2:d6:5c:33:fc:
> >          6a:d2:eb:33:0c:77:ca:56:b6:cb:a7:e9:13:fa:6d:0e:22:03:
> >          51:50:39:e0:91:ca:5d:a7:d3:f5:5b:cb:4c:2d:56:39:9b:c6:
> >          ab:87:c7:9b:54:6c:55:17:b6:6d:62:28:62:e8:b3:d5:69:17:
> >          09:80:dc:a8:6b:09:ed:c6:18:62:5f:fd:eb:9b:3a:b7:a5:ab:
> >          db:72:bc:55:df:e8:fa:ad:22:f1:bf:0d:b3:79:e1:d2:09:4e:
> >          a3:4e:61:5b:28:af:ca:3d:1f:53:52:52:72:71:e9:73:28:fd:
> >          73:01:90:95
> >
> >
> > $ openssl asn1parse -dump -in CSR.csr
> >     0:d=0  hl=4 l= 647 cons: SEQUENCE
> >     4:d=1  hl=4 l= 367 cons: SEQUENCE
> >     8:d=2  hl=2 l=   1 prim: INTEGER           :00
> >    11:d=2  hl=2 l=  66 cons: SEQUENCE
> >    13:d=3  hl=2 l=  11 cons: SET
> >    15:d=4  hl=2 l=   9 cons: SEQUENCE
> >    17:d=5  hl=2 l=   3 prim: OBJECT            :countryName
> >    22:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :XX
> >    26:d=3  hl=2 l=  21 cons: SET
> >    28:d=4  hl=2 l=  19 cons: SEQUENCE
> >    30:d=5  hl=2 l=   3 prim: OBJECT            :localityName
> >    35:d=5  hl=2 l=  12 prim: UTF8STRING        :Default City
> >    49:d=3  hl=2 l=  28 cons: SET
> >    51:d=4  hl=2 l=  26 cons: SEQUENCE
> >    53:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
> >    58:d=5  hl=2 l=  19 prim: UTF8STRING        :Default Company Ltd
> >    79:d=2  hl=4 l= 290 cons: SEQUENCE
> >    83:d=3  hl=2 l=  13 cons: SEQUENCE
> >    85:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
> >    96:d=4  hl=2 l=   0 prim: NULL
> >    98:d=3  hl=4 l= 271 prim: BIT STRING
> >       0000 - 00 30 82 01 0a 02 82 01-01 00 e2 6e 84 97 0e d5   .0.........n....
> >       0010 - ea ad 18 4f 18 73 b3 f8-71 28 12 c2 5c 32 b8 07   ...O.s..q(..\2..
> >       0020 - bc 01 8c ec 78 60 aa c0-01 18 5c 75 5d 01 76 8f   ....x`....\u].v.
> >       0030 - b2 92 5c 47 23 f6 9d dc-f6 02 66 1f ca d3 cf a2   ..\G#.....f.....
> >       0040 - 01 44 58 f9 df f3 a5 8a-c9 a3 47 a7 80 1a 9f 62   .DX.......G....b
> >       0050 - c4 a3 46 77 e3 96 6a 85-bf 06 ac 0a 51 ea 1a 9d   ..Fw..j.....Q...
> >       0060 - 03 2a 80 4c 63 6b 81 87-21 b5 56 4d a3 52 4d d9   .*.Lck..!.VM.RM.
> >       0070 - b4 60 63 f3 14 5e a7 6e-9d f4 b7 5b 7d cb 10 9c   .`c..^.n...[}...
> >       0080 - 20 d1 be ed 7f 82 81 1c-f2 f0 94 ea a4 c9 6a 3b    .............j;
> >       0090 - e7 1b cc 44 e7 0c 21 24-57 fa 4e 4d 6d c9 00 b1   ...D..!$W.NMm...
> >       00a0 - 79 17 e4 7e 76 96 bc 98-42 b8 ab ce a8 07 47 c0   y..~v...B.....G.
> >       00b0 - bc 06 a7 b8 a7 36 07 2e-ca 80 d9 2c 3a 17 e7 a6   .....6.....,:...
> >       00c0 - 7c ec 53 1a 6a a1 37 a3-b6 59 00 6b c8 fe 7f f4   |.S.j.7..Y.k....
> >       00d0 - 2a 72 48 74 93 d6 81 b9-c0 3b 4f a9 9d 84 84 4d   *rHt.....;O....M
> >       00e0 - 60 76 97 90 0c f8 c7 46-26 94 90 84 c1 95 cb 00   `v.....F&.......
> >       00f0 - 41 8d 0b 35 41 2a a8 a9-ea 73 fd 08 81 92 46 03   A..5A*...s....F.
> >       0100 - 1a 1c c5 18 5b 87 dd 3c-a3 0d 02 03 01 00 01      ....[..<.......
> >   373:d=2  hl=2 l=   0 cons: cont [ 0 ]
> >   375:d=1  hl=2 l=  13 cons: SEQUENCE
> >   377:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
> >   388:d=2  hl=2 l=   0 prim: NULL
> >   390:d=1  hl=4 l= 257 prim: BIT STRING
> >       0000 - 00 71 86 f1 88 7e 4b c9-66 36 6a 07 f0 76 64 4b   .q...~K.f6j..vdK
> >       0010 - 55 70 e0 e3 fc 18 5f 99-28 d4 95 c4 3b e0 d7 52   Up...._.(...;..R
> >       0020 - 64 2e 42 52 c9 5c cb ba-33 25 08 80 5e 24 62 6d   d.BR.\..3%..^$bm
> >       0030 - a1 8e 70 f9 9e 20 66 3a-14 d6 cb 10 25 93 fc 5a   ..p.. f:....%..Z
> >       0040 - f6 79 c8 a8 ce f6 9d 0c-cf 8a 96 9f 76 72 a4 f7   .y..........vr..
> >       0050 - 66 8c 2e 4a 35 f4 51 5f-b5 cd fc b6 a6 ee 4e 06   f..J5.Q_......N.
> >       0060 - d2 9f 6c 6b 34 a4 19 6c-0b a6 cb 2b 25 47 da ce   ..lk4..l...+%G..
> >       0070 - 32 a1 89 6e 04 47 86 46-e5 6f eb d1 e6 65 73 86   2..n.G.F.o...es.
> >       0080 - 13 a1 f4 4a f1 e3 2c e5-76 a6 e1 24 c2 d6 5c 33   ...J..,.v..$..\3
> >       0090 - fc 6a d2 eb 33 0c 77 ca-56 b6 cb a7 e9 13 fa 6d   .j..3.w.V......m
> >       00a0 - 0e 22 03 51 50 39 e0 91-ca 5d a7 d3 f5 5b cb 4c   .".QP9...]...[.L
> >       00b0 - 2d 56 39 9b c6 ab 87 c7-9b 54 6c 55 17 b6 6d 62   -V9......TlU..mb
> >       00c0 - 28 62 e8 b3 d5 69 17 09-80 dc a8 6b 09 ed c6 18   (b...i.....k....
> >       00d0 - 62 5f fd eb 9b 3a b7 a5-ab db 72 bc 55 df e8 fa   b_...:....r.U...
> >       00e0 - ad 22 f1 bf 0d b3 79 e1-d2 09 4e a3 4e 61 5b 28   ."....y...N.Na[(
> >       00f0 - af ca 3d 1f 53 52 52 72-71 e9 73 28 fd 73 01 90   ..=.SRRrq.s(.s..
> >       0100 - 95                                                .
> >
> >
> > Jon
> >
> > On Mon, Mar 26, 2018 at 5:36 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> > I just tried the same commands on my system, using 1.0.2n, and didn't have any problems (as I'd expect).
> >
> > What's the output of openssl asn1parse -dump -in CSR.csr?
> >
> > --
> > Michael Wojcik
> > Distinguished Engineer, Micro Focus
> >
> >
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users