> From: owner-openssl-us...@openssl.org On Behalf Of Rodrigo Canellas
> Sent: Wednesday, 22 April, 2009 09:30

<snip long quote, including PKCS7 containing entity and CA certs>

> I tried to use the other certificate in the PKCS#7 file, and this time
> I got an error that clearly tells me I am using a bad signature:
> "Error number '67596392', which means
> 'error:04077068:rsa routines:RSA_verify:bad signature', while verifying the signature",
> instead of the error "67567722", which is translated to:
> "error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01".

Do you mean you are using the pubkey from the second cert,
with the signature value from the first cert as before?

> Isn't it possible that the error "67567722" means something different from
> "> In this case you are using the wrong signature altogether.",
> as Dr. Stephen N. Henson pointed out?

Not really. As I said before, the signature in the entity cert
is the signature OF THAT CERT'S BODY BY THE CA (KEY&) CERT.

Using cert1.signature and cert1.body.pubkey couldn't even
RSA-decrypt the signature as it failed PKCS1 checking,
because that's not the right key for that sigvalue.

If you used cert1.signature and cert2.body.pubkey then
the signature will RSA-decrypt OK (no PKCS1 problem)
but it will only match (and verify) the data in cert1.body
because that's the data it signed.

If you want to verify a signature of data by (the key in) cert1,
which is what you said you wanted, you have to use:
- rawsigneddata = hash of the file (as you had before)
- signaturevalue = THE SIGNATURE OF THE FILE
- pubkey = (internalized) cert1.pubkey

If you want to verify cert1 itself (under cert2) use:
- rawsigneddata = hash of the certinfo part of cert1
- signaturevalue = cert1.signature
- pubkey = (internalized) cert2.pubkey

I don't see how I say it any clearer than that.
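The four key/signature/data combinations discussed in this reply, as an added example (not code from the thread or from OpenSSL): a simplified pure-Python PKCS#1 v1.5 verify run over constructed toy keys, where `CA` stands in for cert2 and `ENTITY` for cert1. The key sizes, sample bytes and function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy keys from known Mersenne primes: insecure, illustration only.
E = 65537

def make_key(a, b):
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

CA = make_key(521, 607)        # stands in for cert2 (the CA key)
ENTITY = make_key(127, 1279)   # stands in for cert1 (the entity key)

# DER DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(data, n):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-256(data))."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(data, key):
    return pow(int.from_bytes(encode(data, key["n"]), "big"), key["d"], key["n"])

def verify(data, sig, n):
    """Return 'ok', 'block type is not 01' or 'bad signature'."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, E, n).to_bytes(k, "big")   # RSA public-key operation
    if em[:2] != b"\x00\x01":
        return "block type is not 01"        # key does not match this signature
    if em != encode(data, n):
        return "bad signature"               # right key, but other data was signed
    return "ok"

CERT1_BODY = b"constructed certinfo bytes of cert1"
FILE = b"constructed file contents"
CERT1_SIGNATURE = sign(CERT1_BODY, CA)   # what the CA placed in cert1
FILE_SIGNATURE = sign(FILE, ENTITY)      # made with cert1's private key

def run_cases():
    return [
        verify(FILE, CERT1_SIGNATURE, ENTITY["n"]),   # cert1.signature + cert1.pubkey
        verify(FILE, CERT1_SIGNATURE, CA["n"]),       # cert1.signature + cert2.pubkey
        verify(FILE, FILE_SIGNATURE, ENTITY["n"]),    # signature of the file + cert1.pubkey
        verify(CERT1_BODY, CERT1_SIGNATURE, CA["n"]), # verifying cert1 under cert2
    ]
```

`run_cases()` returns the outcome of each combination in the order the reply walks through them.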