Hi Victor,

Thanks for the response. We are digging further into how app1 is generating the signature. The problem seems to point more towards app1.
Regards,
Rituparna Mitra

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, August 04, 2014 8:51 PM
To: openssl-users@openssl.org
Subject: Re: Query on X509 certificate validation- EVP_VerifyUpdate & EVP_VerifyFinal

On Mon, Aug 04, 2014 at 05:43:47AM +0000, Mitra, Rituparna (STSD) wrote:

> 1. app1: sends a CGI POST request to app2 - the POST request has the UN
> (username).
>
> 2. app2: does a CGI GET to receive the UN within app1's POST request.
>
> 3. app2: has app1's x509 certificate already stored, since it has to
> allow SSO from app1 - gets verification ctx from here.
>
> 4. app2: uses the UN (containing ! character) to form a hashdata,
>
> 5. app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )
>
> 6. app2: calls EVP_VerifyFinal -- this eventually fails during public
> key check (EVP_PKEY_verify), due to the ! character in UN

Sorry, that's not the reason. Your mistake is elsewhere. In particular
the signature is likely incorrect or signed something other than what
you expected.

Also the SSO protocol design is deeply flawed. It is not sufficient to
send a signature of the username alone. If the two applications are
communicating directly, app1 should authenticate the channel with a
client certificate, and can then just send the username unsigned in the
request, since all the data sent is authenticated with app1's
certificate.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
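The following is an added example, not code from either poster and not from OpenSSL's own sources. It checks Viktor's first point with the openssl command-line tool, which performs the same digest-then-verify step as EVP_VerifyInit/EVP_VerifyUpdate/EVP_VerifyFinal in C: a '!' in the signed username verifies fine, and only a byte-for-byte mismatch between what app1 signed and what app2 feeds to the verifier (a trailing newline from echo, a stripped character, different encoding) makes EVP_PKEY_verify fail. The key pair, the usernames and the file names are constructed for the demonstration; the only assumption is that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Signs the exact bytes of a username on
# the "app1" side and verifies them on the "app2" side with RSA/SHA-256.
# The key pair and the usernames below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# app1's signing key, and the public key app2 would hold (taken here from the
# private key; in the thread app2 gets it from app1's stored X.509 cert).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/app1.key" >/dev/null 2>&1
openssl pkey -in "$WORK/app1.key" -pubout -out "$WORK/app1.pub" 2>/dev/null

# app1 side: signature over exactly the bytes of $1 (printf, so no newline).
sign_user() {
    printf '%s' "$1" > "$WORK/signed.bin"
    openssl dgst -sha256 -sign "$WORK/app1.key" \
        -out "$WORK/sig.bin" "$WORK/signed.bin"
}

# app2 side: exit status 0 only if $1 is byte-for-byte what app1 signed.
verify_user() {
    printf '%s' "$1" > "$WORK/check.bin"
    openssl dgst -sha256 -verify "$WORK/app1.pub" \
        -signature "$WORK/sig.bin" "$WORK/check.bin" >/dev/null 2>&1
}

# Demo: the '!' is irrelevant; a mismatch in the signed bytes is what fails.
NL='
'
sign_user 'rituparna!stsd'
if verify_user 'rituparna!stsd'; then
    echo "same bytes, '!' included:   Verified OK"
fi
if ! verify_user "rituparna!stsd$NL"; then
    echo "trailing newline added:     Verification Failure"
fi
if ! verify_user 'rituparnastsd'; then
    echo "'!' stripped before verify: Verification Failure"
fi
```

When debugging a case like the one in the thread, dump the exact bytes app1 hashed and the exact bytes app2 passes to EVP_VerifyUpdate (for example with `xxd`) and diff them; if they differ at all, the signature check will fail regardless of which characters the username contains. This example does not cover Viktor's second point, the channel authentication with a client certificate that makes the per-username signature unnecessary.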