On Wed, May 29, 2002 at 12:57:20PM -0700, Bob Steele wrote:
> So, with the callback in place, I do indeed get more detailed errors.
> I've added the lines of dashes for clarity, and numbered each block of
> the verify debug so I can refer to them below:
>
> [1]
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
> verify return:1
> ------------------------------------------------------------------------
> [2]
> depth=1 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
> verify return:1
> -----------------------------------------------------------------------
> [3]
> depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert Steele/Email=[EMAIL PROTECTED]
> verify error:num=10:certificate has expired
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> verify return:1
> -----------------------------------------------------------------------
> [4]
> depth=0 /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=Robert Steele/Email=[EMAIL PROTECTED]
> verify return:1
> -----------------------------------------------------------------------
>
> Now, obviously #3 is a certificate that has expired - but are 1, 2, and
> 4 references to other, distinct certificates that are valid? I don't see
> any way to distinguish these certificates from each other at this level.

You are referencing 4 messages from 3 certificates. The "depth" info
informs you about the nesting level: depth=0 is your certificate,
depth=1 is an intermediate certificate, depth=2 is the root certificate.
Your certificate is expired.
> Part of my problem clearly is I do not know which of these certificates,
> if any, is the one I would need to use to validate my signature. Is it
> possible to examine my signing certificate, determine which CA certificate
> was used to sign it, and then download it from VeriSign? This would make
> my testing much clearer, I think.

??? Your chain is complete...

> Anyhow, adding the callback routine now changes the error I get back
> from OpenSSL:
>
> 1904:error:04077068:rsa routines:RSA_verify:bad signature:.\crypto\rsa\rsa_sign.c:210:
> 1904:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:.\crypto\pkcs7\pk7_doit.c:806:
>
> (If I'm right that adding the callback has changed behavior, why is
> this?)

I don't know. I am as surprised as you are.

> It seems to be complaining that the signature itself is bad. (This is
> certainly possible. Although it was a VeriSign product that produced the
> signature, I may be presenting the detached data it is signing off on
> incorrectly.)

In order to help you in testing, I would recommend that you use the
"openssl verify" command line utility. This way problems with the
certificates will be independent of problems with your implementation.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
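The separation Lutz recommends, as an added example that is not part of the thread: build a throwaway three-level chain (root at depth=2, intermediate at depth=1, end-entity at depth=0, the same nesting the callback printed), then use the openssl command line tools to tell a certificate problem (error 10, "certificate has expired") apart from a signature problem (RSA_verify "bad signature"). Everything here is constructed for the demo: the "Example Corp" names, file names and message text are made up, the leaf is issued valid for 30 days, and expiry is simulated with `-attime` one year in the future rather than by waiting. It assumes a modern OpenSSL (1.1.x or 3.x) with `openssl verify`, `openssl smime` and a POSIX sh.

```shell
#!/bin/sh
# Added example: throwaway PKI + openssl verify / openssl smime to separate
# "the certificate chain is bad" from "the PKCS#7 signature is bad".
# All names below are invented for this demo.
set -u

# Create root (depth=2), intermediate (depth=1) and leaf (depth=0) in the
# current directory. The leaf is deliberately short-lived (30 days).
make_test_pki() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
    for name in root inter leaf; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null || return 1
        openssl req -new -config req.cnf -key "$name.key" \
            -subj "/O=Example Corp/CN=Example $name" -out "$name.csr" 2>/dev/null || return 1
    done
    # depth=2: self-signed root
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.ext -out root.pem 2>/dev/null || return 1
    # depth=1: intermediate CA signed by the root
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 3650 -extfile ca.ext -out inter.pem 2>/dev/null || return 1
    # depth=0: end-entity certificate signed by the intermediate
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null || return 1
}

# Chain check only, no signature involved: root is the trust anchor, the
# intermediate is supplied as "untrusted" (usable for chain building only).
# Optional $1: Unix time at which validity is evaluated (simulates expiry).
verify_chain() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile root.pem -untrusted inter.pem -attime "$1" leaf.pem
    else
        openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem
    fi
}

# Detached PKCS#7 signature over msg.txt, made with the leaf; the
# intermediate is embedded so a verifier can rebuild the chain.
sign_detached() {
    printf 'Constructed test message for a detached PKCS#7 signature.\n' > msg.txt
    openssl smime -sign -binary -in msg.txt -signer leaf.pem -inkey leaf.key \
        -certfile inter.pem -outform DER -out msg.p7s
}

# $1 = content file the signature is supposed to cover
# $2 = "chain"   : check signature AND validate the signer chain against root.pem
#      "sigonly" : -noverify, check the signature and ignore the certificates
# $3 = optional Unix time for "chain" mode (simulates an expired signer)
verify_detached() {
    content=$1; mode=$2; at=${3:-}
    case $mode in
        chain)
            if [ -n "$at" ]; then
                openssl smime -verify -binary -inform DER -in msg.p7s -content "$content" \
                    -CAfile root.pem -attime "$at" -out /dev/null
            else
                openssl smime -verify -binary -inform DER -in msg.p7s -content "$content" \
                    -CAfile root.pem -out /dev/null
            fi ;;
        sigonly)
            openssl smime -verify -binary -inform DER -in msg.p7s -content "$content" \
                -noverify -out /dev/null ;;
        *) return 2 ;;
    esac
}

demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    make_test_pki || return 1
    future=$(( $(date +%s) + 365 * 86400 ))
    echo "== chain, checked now (expect OK)";                      verify_chain || true
    echo "== chain, checked in a year (expect error 10 at depth 0)"; verify_chain "$future" || true
    sign_detached || return 1
    echo "== signature + chain, now (expect success)";             verify_detached msg.txt chain || true
    echo "== signature + chain, in a year (certificate problem)";  verify_detached msg.txt chain "$future" || true
    echo "== signature only, -noverify (signature itself is fine)"; verify_detached msg.txt sigonly || true
    printf 'Tampered message.\n' > tampered.txt
    echo "== signature only, wrong content (signature problem)";   verify_detached tampered.txt sigonly || true
}
demo
```

Reading the output the way Lutz reads the callback trace: `openssl verify` reports the failing depth ("error 10 at 0 depth lookup: certificate has expired"), so a chain that fails only at depth 0 is the end-entity certificate, not the CA certificates. The two `openssl smime` runs with `-noverify` are the counterpart for the second error in the thread: if the signature still verifies with `-noverify` but fails once the chain is checked, the certificates are the problem; if it fails even with `-noverify`, the signature or the detached content being presented is wrong, whatever the certificates say. `openssl verify -show_chain` additionally prints the chain it built, which maps directly onto the depth numbers from the callback.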