Em Thursday 23 April 2009 16:07:04 Dave Thompson escreveu: > > From: owner-openssl-us...@openssl.org On Behalf Of Rodrigo Canellas > > Sent: Wednesday, 22 April, 2009 09:30 > <snip long quote, including PKCS7 containing entity and CA certs> > > > I tried to use the other certificate in the PKCS#7 file, and this > time > > I got an error that clearly tells me I am using a bad signature: > > "Error number '67596392', which means > > 'error:04077068:rsa routines:RSA_verify:bad signature', while verifying > the signature", > > instead of the error "67567722", which is translated to: > > "error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is > not 01". > > Do you mean you are using the pubkey from the second cert, > with the signature value from the first cert as before? > > > Isn't it possible that the error "67567722" means something > different from > > "> In this case you are using the wrong signature altogether.", > > as Dr. Stephen N. Henson pointed out? > > Not really. As I said before, the signature in the entity cert > is the signature OF THAT CERT'S BODY BY THE CA (KEY&) CERT. > > Using cert1.signature and cert1.body.pubkey couldn't even > RSA-decrypt the signature as it failed PKCS1 checking, > because that's not the right key for that sigvalue. > > If you used cert1.signature and cert2.body.pubkey > then the signature will RSA-decrypt OK (no PKCS1 problem) > but it will only match (and verify) the data in cert1.body > because that's the data it signed. > > If you want to verify a signature of data by (the key in) cert1, > which is what you said you wanted, you have to use: > - rawsigneddata = hash of the file (as you had before) > - signaturevalue = THE SIGNATURE OF THE FILE > - pubkey = (internalized) cert1.pubkey > > If you want to verify cert1 itself (under cert2) use: > - rawsigneddata = hash of the certinfo part of cert1 > - signaturevalue = cert1.signature > - pubkey = (internalized) cert2.pubkey > > I don't see how I say it any clearer than that. > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
I thank you all very much for your help!! It is working now! And I apologize for the lack of basic knowledge... -- Rodrigo Canellas Software Developer Digital TV Products +55 21 3147-3000/8675 rodrigo.canel...@tqtvd.com www.tqtvd.com TQTVD Software
