sorry please ignore; this had been asked before:

http://www.mail-archive.com/openssl-users@openssl.org/msg41502.html


> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: signature failure when certificate contains no serial number (ie, not one that equals zero)?
> Date: Sat, 29 Dec 2007 21:05:02 +0000
>
>
> i was messing around with (self-signed) certificate creation/signing
> and ran into this. the following two certificates are the same except
> for the serial number: "with_serial" has a serial number that is zero,
> and "no_serial" does not have any serial number.
>
> the "with_serial" certificate verifies ok, but the "no_serial" one
> fails verification with "certificate signature failure."
>
> is this expected?
>
> if not, i thought the signing is applied to the entire blob of data,
> so with or without the serial number, the signing code wouldn't know
> or care to know, so it's probably not a signing problem. then is it a
> verification problem then?
>
> not that this is causing problems for me. just curious.
>
> thanks.
>
> arch [apps]$ ./openssl version
> OpenSSL 0.9.8g 19 Oct 2007
> arch [apps]$
> arch [apps]$ ./openssl verify -CAfile /tmp/with_serial.pem /tmp/with_serial.pem
> /tmp/with_serial.pem: OK
> arch [apps]$
> arch [apps]$ ./openssl verify -CAfile /tmp/no_serial.pem /tmp/no_serial.pem
> /tmp/no_serial.pem: /CN=test
> error 7 at 0 depth lookup:certificate signature failure
> 15143:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:235:
> 15143:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:
> arch [apps]$
> arch [apps]$ ./openssl asn1parse -in /tmp/with_serial.pem
> 0:d=0 hl=4 l= 268 cons: SEQUENCE
> 4:d=1 hl=3 l= 183 cons: SEQUENCE
> 7:d=2 hl=2 l= 3 cons: cont [ 0 ]
> 9:d=3 hl=2 l= 1 prim: INTEGER :02
> 12:d=2 hl=2 l= 1 prim: INTEGER :00
> 15:d=2 hl=2 l= 13 cons: SEQUENCE
> 17:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
> 28:d=3 hl=2 l= 0 prim: NULL
> 30:d=2 hl=2 l= 15 cons: SEQUENCE
> 32:d=3 hl=2 l= 13 cons: SET
> 34:d=4 hl=2 l= 11 cons: SEQUENCE
> 36:d=5 hl=2 l= 3 prim: OBJECT :commonName
> 41:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
> 47:d=2 hl=2 l= 30 cons: SEQUENCE
> 49:d=3 hl=2 l= 13 prim: UTCTIME :040722175719Z
> 64:d=3 hl=2 l= 13 prim: UTCTIME :130123152135Z
> 79:d=2 hl=2 l= 15 cons: SEQUENCE
> 81:d=3 hl=2 l= 13 cons: SET
> 83:d=4 hl=2 l= 11 cons: SEQUENCE
> 85:d=5 hl=2 l= 3 prim: OBJECT :commonName
> 90:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
> 96:d=2 hl=2 l= 92 cons: SEQUENCE
> 98:d=3 hl=2 l= 13 cons: SEQUENCE
> 100:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 111:d=4 hl=2 l= 0 prim: NULL
> 113:d=3 hl=2 l= 75 prim: BIT STRING
> 190:d=1 hl=2 l= 13 cons: SEQUENCE
> 192:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
> 203:d=2 hl=2 l= 0 prim: NULL
> 205:d=1 hl=2 l= 65 prim: BIT STRING
> arch [apps]$
> arch [apps]$ ./openssl asn1parse -in /tmp/no_serial.pem
> 0:d=0 hl=4 l= 267 cons: SEQUENCE
> 4:d=1 hl=3 l= 182 cons: SEQUENCE
> 7:d=2 hl=2 l= 3 cons: cont [ 0 ]
> 9:d=3 hl=2 l= 1 prim: INTEGER :02
> 12:d=2 hl=2 l= 0 prim: INTEGER :00
> 14:d=2 hl=2 l= 13 cons: SEQUENCE
> 16:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
> 27:d=3 hl=2 l= 0 prim: NULL
> 29:d=2 hl=2 l= 15 cons: SEQUENCE
> 31:d=3 hl=2 l= 13 cons: SET
> 33:d=4 hl=2 l= 11 cons: SEQUENCE
> 35:d=5 hl=2 l= 3 prim: OBJECT :commonName
> 40:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
> 46:d=2 hl=2 l= 30 cons: SEQUENCE
> 48:d=3 hl=2 l= 13 prim: UTCTIME :040722175719Z
> 63:d=3 hl=2 l= 13 prim: UTCTIME :130123152135Z
> 78:d=2 hl=2 l= 15 cons: SEQUENCE
> 80:d=3 hl=2 l= 13 cons: SET
> 82:d=4 hl=2 l= 11 cons: SEQUENCE
> 84:d=5 hl=2 l= 3 prim: OBJECT :commonName
> 89:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
> 95:d=2 hl=2 l= 92 cons: SEQUENCE
> 97:d=3 hl=2 l= 13 cons: SEQUENCE
> 99:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 110:d=4 hl=2 l= 0 prim: NULL
> 112:d=3 hl=2 l= 75 prim: BIT STRING
> 189:d=1 hl=2 l= 13 cons: SEQUENCE
> 191:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
> 202:d=2 hl=2 l= 0 prim: NULL
> 204:d=1 hl=2 l= 65 prim: BIT STRING
> arch [apps]$
> arch [apps]$ cat /tmp/with_serial.pem
> -----BEGIN CERTIFICATE-----
> MIIBDDCBt6ADAgECAgEAMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMTBHRlc3Qw
> HhcNMDQwNzIyMTc1NzE5WhcNMTMwMTIzMTUyMTM1WjAPMQ0wCwYDVQQDEwR0ZXN0
> MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFAze8BSQUyQvvwbWw86Jh7wwOsTAMa
> cc8uKQ3ZCgR9CnsvMgsSfHR9XPLzcGkXwuUIDGQ8QWPqNp9g76xqy/kCAwEAATAN
> BgkqhkiG9w0BAQUFAANBAHtxTN9bC7jCJDs9iKBE7O2U4jMlLievUR3YgWsrfxVJ
> k1v/vXdL4H8/+QndErV8Bl8AavnsjQjFgfPiOs3pi70=
> -----END CERTIFICATE-----
> arch [apps]$
> arch [apps]$ cat /tmp/no_serial.pem
> -----BEGIN CERTIFICATE-----
> MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe
> Fw0wNDA3MjIxNzU3MTlaFw0xMzAxMjMxNTIxMzVaMA8xDTALBgNVBAMTBHRlc3Qw
> XDANBgkqhkiG9w0BAQEFAANLADBIAkEAsUDN7wFJBTJC+/BtbDzomHvDA6xMAxpx
> zy4pDdkKBH0Key8yCxJ8dH1c8vNwaRfC5QgMZDxBY+o2n2DvrGrL+QIDAQABMA0G
> CSqGSIb3DQEBBQUAA0EAiWk2QM5lxijnjQE/D/tsoWf0LZvPIuPC7laTUFUrAIKr
> JbkAQ9rrf33pf+7JIhiJIgFxVVgOv2PXYKPWC7duUA==
> -----END CERTIFICATE-----
> arch [apps]$
> arch [apps]$ ./openssl x509 -noout -fingerprint -in /tmp/with_serial.pem
> SHA1 Fingerprint=C5:DE:16:61:DC:92:2D:47:A6:5F:E0:97:61:2E:AA:D7:BF:91:2E:35
> arch [apps]$
> arch [apps]$ ./openssl x509 -noout -fingerprint -in /tmp/no_serial.pem
> SHA1 Fingerprint=A3:34:61:FE:5C:B7:FA:A1:40:43:5D:AC:16:8F:AF:98:CD:76:1C:2D
> arch [apps]$
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
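
An added example, not part of the original message and not OpenSSL code: a small Python check that walks the DER of the two quoted certificates down to `serialNumber` and classifies its encoding, which is where the two `asn1parse` dumps differ (`l= 1` versus `l= 0`). It reads only the first base64 line of each PEM block from the message; the function names are hypothetical, and the non-minimal-encoding check goes one step beyond the zero-length case shown in the message.

```python
import base64

# First base64 line (48 bytes) of each certificate quoted in the message.
WITH_SERIAL_HEAD = "MIIBDDCBt6ADAgECAgEAMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMTBHRlc3Qw"
NO_SERIAL_HEAD = "MIIBCzCBtqADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEAxMEdGVzdDAe"

def read_header(buf, pos):
    """Return (tag, content_length, content_offset) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        return tag, first, pos
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def serial_field(der):
    """Walk Certificate -> tbsCertificate -> serialNumber; return its content octets."""
    pos = 0
    for what in ("Certificate", "tbsCertificate"):
        tag, _, pos = read_header(der, pos)
        if tag != 0x30:
            raise ValueError(what + " is not a SEQUENCE")
    tag, length, body = read_header(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version: skip it
        tag, length, body = read_header(der, body + length)
    if tag != 0x02 or body + length > len(der):
        raise ValueError("serialNumber is not a complete INTEGER")
    return der[body:body + length]

def check_serial(der):
    """Classify the serialNumber encoding against the INTEGER rules of X.690 8.3."""
    c = serial_field(der)
    if len(c) == 0:
        return "invalid: zero-length INTEGER (at least one content octet is required)"
    if len(c) > 1 and ((c[0] == 0x00 and c[1] < 0x80) or (c[0] == 0xFF and c[1] >= 0x80)):
        return "invalid: non-minimal INTEGER"
    return "ok: serial=%d" % int.from_bytes(c, "big", signed=True)

if __name__ == "__main__":
    for name, head in (("with_serial", WITH_SERIAL_HEAD), ("no_serial", NO_SERIAL_HEAD)):
        print(name, "->", check_serial(base64.b64decode(head)))
```
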
