>the openssl verify command checks CA chains, not certificate/key pairs.
No, that is not true. The verification is on the signature of the
certificate request.
Example:
$>openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify OK
$> openssl asn1parse -in my.req -dump
...
249:d=3 hl=3 l= 141 prim: BIT STRING (!! : change)
0000 - 00 30 81 89 02 81 81 00-d9 5b a7 4c 6f fe d3 07   .0.......[.Lo...
0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f   ...n.+.CM.P*(..?
0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8   .*|...1A....{.7.
0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c   $..qQ....U.....\
0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e   ...I1..b. ....g~
0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a   ...&....yB..Cv..
0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7   s4.F2..#'K9..[2.
0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89   ....XZ...<{)..+.
0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01            .B.!..o......
...
This is the public key corresponding to the private key that signed the
request.
I changed one octet of the public key and verified the request again.
$> openssl asn1parse -in my.req -dump
...
249:d=3 hl=3 l= 141 prim: BIT STRING (!! : change)
0000 - 00 30 81 89 02 81 81 00-d9 5b b7 4c 6f fe d3 07   .0.......[.Lo...
0010 - ef fc d1 6e c6 2b 81 43-4d 7f 50 2a 28 01 ea 3f   ...n.+.CM.P*(..?
0020 - da 2a 7c 8e 14 81 31 41-0e 92 85 1d 7b 98 37 f8   .*|...1A....{.7.
0030 - 24 ef 93 71 51 d8 1f f3-7f 55 ca cd 0d 18 e8 5c   $..qQ....U.....\
0040 - 8b e8 bb 49 31 f3 e4 62-db 20 be 19 80 fc 67 7e   ...I1..b. ....g~
0050 - 9d dc 8f 26 c0 12 d4 05-79 42 88 92 43 76 e1 0a   ...&....yB..Cv..
0060 - 73 34 ec 46 32 8a 81 23-27 4b 39 fe a4 5b 32 a7   s4.F2..#'K9..[2.
0070 - f9 a6 90 d0 58 5a 08 ca-e1 3c 7b 29 ef ac 2b 89   ....XZ...<{)..+.
0080 - 96 42 d9 21 c4 f7 6f 81-02 03 01 00 01            .B.!..o......
...
$>openssl req -in my.req -verify -noout
Using configuration from /usr/local/ssl/openssl.cnf
verify failure
--
Ludovic FLAMENT.
----- Original Message -----
From: "Andrew Cooke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 4:54 PM
Subject: Practical CA problem - modified requests
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]