Hi all,
I¹m try to figure out why my X509_REQ signature is always not verified. I¹m
using openssl-1.0.0 and gclib.dll provided by gemalto.
Here is my code:
// Some declarations are omitted
CK_BYTE data[2][1024];
CK_ATTRIBUTE keyAttr[] = {
{CKA_MODULUS, (void *)data[0], 1024},
{CKA_PUBLIC_EXPONENT, (void *)data[1], 1024},
};
CK_MECHANISM Mechanism = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 };
CK_MECHANISM sMechanism = { 0, NULL_PTR, 0 };
CK_ATTRIBUTE GenPubTemplate[] = {
{CKA_MODULUS_BITS, &mod_bits, sizeof(CK_ULONG)} ,
{CKA_PUBLIC_EXPONENT, (char *)"\x01\x00\x01", 3} ,
{CKA_TOKEN, &bTrue, sizeof(CK_BBOOL)} ,
{CKA_ID, keyID, strlen(keyID)}
};
CK_ATTRIBUTE GenPrivTemplate[] = {
{CKA_TOKEN, &bTrue, sizeof(CK_BBOOL)} ,
{CKA_PRIVATE, &bTrue, sizeof(CK_BBOOL)} ,
{CKA_SENSITIVE, &bTrue, sizeof(CK_BBOOL)} ,
{CKA_ID, keyID, strlen(keyID)}
};
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
// Create key pair
if ((rv = C_GenerateKeyPair(hSession, &Mechanism, GenPubTemplate,
4, GenPrivTemplate, 4, &hPublicKey, &hPrivateKey)) !=
CKR_OK) {
return rv;
}
// Get modulus and public exponent
if ((rv = C_GetAttributeValue(hSession, hPublicKey, keyAttr,
sizeof(keyAttr)/sizeof(CK_ATTRIBUTE))) != CKR_OK) {
return rv;
}
// Setup RSA structure
rsa = RSA_new();
rsa->n = BN_bin2bn(data[0], keyAttr[0].ulValueLen, NULL); // MODULUS
rsa->e = BN_bin2bn(data[1], keyAttr[1].ulValueLen, NULL); // PUBLIC
EXPONENT
// Create X509 request for CSR
req = X509_REQ_new();
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, rsa );
X509_REQ_set_pubkey(req, pkey);
// Setup subject
name = X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, "IT", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, "Organization", -1,
-1, 0);
X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, "Organization
Unit", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, "Common Name", -1,
-1, 0);
// Prepare the digest
digest=EVP_sha1();
inl=i2d_X509_REQ_INFO(req->req_info,NULL);
buf_in=(unsigned char *)MEMORY_ALLOC(inl);
p = buf_in;
i2d_X509_REQ_INFO(req->req_info,&buf_in);
outl=EVP_PKEY_size(pkey);
// Create message digest
EVP_MD_CTX_init(&ctx);
EVP_DigestInit(&ctx,digest);
EVP_DigestUpdate(&ctx,p,inl)
EVP_DigestFinal(&ctx,m,&m_len);
// Sign the digest with the private key using pkcs11 functions
sMechanism.mechanism = CKM_SHA1_RSA_PKCS;
if ((rv = (C_SignInit(hSession, &sMechanism, hPrivateKey))) != CKR_OK) {
return rv;
}
if ((rv = (C_Sign(hSession, m, m_len, buf_out, &outl))) != CKR_OK) {
return rv;
}
MEMORY_FREE(p);
// Setup request signature data
req->sig_alg->algorithm= OBJ_nid2obj(digest->pkey_type);
req->signature->data=buf_out;
req->signature->length=outl;
// Print formatted request to stdout
X509_REQ_print_fp(stdout, req);
// Print CSR in PEM format
fp = fopen("c:\\cert.csr", "w");
PEM_write_X509_REQ(fp, req);
fclose(fp);
³Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IT, O=Organization, OU=Organization Unit, CN=Common Name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:bc:f3:d2:65:6a:9d:5a:fe:c1:9e:5b:a3:ed:b2:
40:94:ae:db:b7:83:ce:eb:eb:3f:9c:27:75:9a:fe:
b9:5c:43:01:2c:36:22:d4:3a:d3:bb:79:f6:18:1c:
cb:3b:14:04:4e:ce:3b:99:6e:e8:cb:ad:04:55:ba:
d8:c4:b6:f8:d1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
17:0a:b0:13:7e:b5:1a:d9:da:f6:76:91:b5:9d:40:91:01:7f:
57:e4:7d:16:16:a5:da:b3:18:a7:9f:6e:cf:c9:88:70:ca:45:
44:d7:4b:72:f2:21:ac:55:1c:5a:3d:97:24:63:69:92:4d:cd:
33:03:2a:2f:a1:34:63:2f:82:ea²
But if i run openssl req verify text modulus in c:\cert-csr I receive:
verify failure
3020:error:04077068:rsa routines:RSA_verify:bad
signature:.\crypto\rsa\rsa_sign.c:255:
3020:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:.\crypto\asn1\a_verify.c:173:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IT, O=Organization, OU=Organization Unit, CN=Common Name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:bc:f3:d2:65:6a:9d:5a:fe:c1:9e:5b:a3:ed:b2:
40:94:ae:db:b7:83:ce:eb:eb:3f:9c:27:75:9a:fe:
b9:5c:43:01:2c:36:22:d4:3a:d3:bb:79:f6:18:1c:
cb:3b:14:04:4e:ce:3b:99:6e:e8:cb:ad:04:55:ba:
d8:c4:b6:f8:d1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
17:0a:b0:13:7e:b5:1a:d9:da:f6:76:91:b5:9d:40:91:01:7f:
57:e4:7d:16:16:a5:da:b3:18:a7:9f:6e:cf:c9:88:70:ca:45:
44:d7:4b:72:f2:21:ac:55:1c:5a:3d:97:24:63:69:92:4d:cd:
33:03:2a:2f:a1:34:63:2f:82:ea
Modulus=BCF3D2656A9D5AFEC19E5BA3EDB24094AEDBB783CEEBEB3F9C27759AFEB95C43012C
3622D43AD3BB79F6181CCB3B14044ECE3B996EE8CBAD
0455BAD8C4B6F8D1
-----BEGIN CERTIFICATE REQUEST-----
MIIBDTCBugIAMFYxCzAJBgNVBAYTAklUMRUwEwYDVQQKEwxPcmdhbml6YXRpb24x
GjAYBgNVBAsTEU9yZ2FuaXphdGlvbiBVbml0MRQwEgYDVQQDEwtDb21tb24gTmFt
ZTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC889Jlap1a/sGeW6PtskCUrtu3g87r
6z+cJ3Wa/rlcQwEsNiLUOtO7efYYHMs7FAROzjuZbujLrQRVutjEtvjRAgMBAAGg
ADALBgkqhkiG9w0BAQUDQQEXCrATfrUa2dr2dpG1nUCRAX9X5H0WFqXasxinn27P
yYhwykVE10ty8iGsVRxaPZckY2mSTc0zAyovoTRjL4Lq
-----END CERTIFICATE REQUEST-----
Can someone help me ? Thanks in advance !
