> From: owner-openssl-users On Behalf Of Wubin Cheng
> Sent: Tuesday, November 26, 2013 01:22

> I'm having trouble using the X509_verify and X509_CRL_verify functions.
> I create a certificate, then sign it and verify it. Sometimes I get a
> verify failure when I repeat that.
> I checked that the public key and the private key were both correct.
> the error strings: [rewrapped]
> error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:
> block type is not 01:.\crypto\rsa\rsa_pk1.c:100:
> error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:
> padding check failed:.\crypto\rsa\rsa_eay.c:721:
> error:0D0C5006:asn1 encoding routines:ASN1_item_verify:
> EVP lib:.\crypto\asn1\a_verify.c:215:

> openssl version:openssl-1.0.1c
> 
For some reason when the verify operation "decrypts" the signature 
it gets an invalid value. The most common cause is if the public key 
used does not match the private key used to sign, in which case 
the value is essentially random gibberish.

How exactly are you checking that the public key is correct?
If it is correct in a file which is read into memory then used, 
is it possible the memory gets clobbered/corrupted in between?
Or that the object being verified (cert or CRL) gets damaged?
Assuming your program making these calls is C or C++, 
remember it's very easy to use an uninitialized or stale pointer
and clobber data from code that looks entirely unrelated.

You say "sometimes" you get this error. Do you get both good 
and bad on the same signed object, or good on one and bad 
on other? In the same program execution or different ones?
If these objects are (or can be) saved externally, can you try 
verifying on a different system? Ideally with different software?
Can you try cutting out parts of your program(s) to produce 
the minimum that exhibits (even occasionally) the problem?
Can you compile/run with valgrind or similar debugging tools?

For completeness this *could* be a hardware problem (CPU 
not computing correctly sometimes, or memory not returning 
right data sometimes). But on modern systems that would 
usually cause *lots* of other errors, generally to the point 
you can't even start an application program.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
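
The key-mismatch failure described in the reply above, as an added example that is not part of the original message and not OpenSSL's code: a small Python model of PKCS#1 v1.5 sign/verify showing that the public-key operation under the wrong key yields bytes that fail the "block type is not 01" check. The two key pairs are constructed from well-known primes and are far too small for real use; all function names are hypothetical.

```python
import hashlib

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures (RFC 8017).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537

def make_key(p, q):
    """Return (n, d) for primes p and q. Constructed demo keys only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys with equal modulus length (64 bytes), built from published primes.
KEY_A = make_key(2**255 - 19, 2**256 - 2**32 - 977)
KEY_B = make_key(2**384 - 2**128 - 2**96 + 2**32 - 1, 2**127 - 1)

def sign(msg, key):
    n, d = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    # Encoded message: 00 01 FF..FF 00 DigestInfo
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify(msg, sig, n):
    """Return (ok, reason); reason names the stage that rejected the signature."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False, "wrong signature length or value too large for modulus"
    em = pow(s, E, n).to_bytes(k, "big")  # the public-key "decrypt" step
    if em[:2] != b"\x00\x01":
        return False, "block type is not 01"
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return False, "bad padding fill"
    if em[sep + 1:] != SHA256_PREFIX + hashlib.sha256(msg).digest():
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    tbs = b"constructed to-be-signed bytes"
    sig = sign(tbs, KEY_A)
    print(verify(tbs, sig, KEY_A[0]))         # matching public key
    print(verify(tbs, sig, KEY_B[0]))         # public key that does not match the signer
    print(verify(tbs + b"!", sig, KEY_A[0]))  # right key, object altered after signing
```

With the right key and an altered object the padding still parses and only the digest comparison fails, which is a different symptom from the padding error in the original report.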
