Problem verifying certificates generated by hxtool

Norbert Paschedag
Hi,

since the openssl patches for CVE-2014-8275 appeared in the various
distros I'm having problems verifying the hxtool generated certificates
using openssl:

    % openssl verify  -CAfile newca.pem newcrt.pem
    newcert.pem: DC = domain, DC = my, DC = test, UID = user
    error 7 at 0 depth lookup:certificate signature failure

The CA and user-certs were generated according to the manual:

    hxtool issue-certificate \
       --signature-algorithm=rsa-with-sha1  \
       --self-signed  \
       --issue-ca \
       --generate-key=rsa \
       --subject="uid=kdc,DC=test,DC=my,DC=domain" \
       --lifetime=10years \
       --certificate="FILE:${PWD}/newca.pem" "$@"

    hxtool issue-certificate \
        --signature-algorithm=rsa-with-sha1  \
        --generate-key=rsa \
        --subject="uid=user,DC=test,DC=my,DC=domain" \
        --ca-certificate=FILE:${PWD}/newca.pem \
        --type=https-client \
        --certificate=FILE:${PWD}/newtemplate.pem

Does anyone know if/what hxtool is doing wrong
(Or what _I_ am doing wrong) ?

Regards,
  Norbert

Re: Problem verifying certificates generated by hxtool

Nico Williams
On Mon, Feb 09, 2015 at 11:23:43AM +0100, Norbert Paschedag wrote:
> since the openssl patches for CVE-2014-8275 appeared in the various
> distros I'm having problems verifying the hxtool generated certificates
> using openssl:

This describes the changes to OpenSSL:

https://github.com/openssl/openssl/commit/684400ce192dac51df3d3e92b61830a6ef90be3e

Of the three changes listed, only the first two could apply here.

Using openssl x509 -text -in FILE:${PWD}/newtemplate.pem I see that the
second doesn't apply, though it's not entirely clear.  If that's
right then it's got to be the first issue: that there may be non-zero
unused bits in the cert's signature.

I'll take a closer look some time this week.

Nico
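An added example, not code from either poster or from the OpenSSL or Heimdal projects: a minimal DER walk that reads the unused-bits octet of a certificate's signature BIT STRING, the field the reply above suspects. The certificate skeleton is constructed for the demonstration and carries no real signature; all function names are illustrative.

```python
import base64

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(pem_text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----")[1]
    body = body.split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))

def signature_unused_bits(der):
    """Return the unused-bits octet of the signatureValue BIT STRING."""
    tag, start, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = read_tlv(der, start)       # skip tbsCertificate
    _, _, pos = read_tlv(der, pos)         # skip signatureAlgorithm
    tag, s, e = read_tlv(der, pos)         # signatureValue
    if tag != 0x03 or s == e:
        raise ValueError("signatureValue is not a BIT STRING")
    return der[s]                          # first content octet: unused bits (0-7)

def tlv(tag, content):
    """DER-encode one TLV; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def sample_cert(unused_bits):
    """Constructed certificate skeleton (not a valid certificate)."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    oid = bytes.fromhex("2a864886f70d010105")      # sha1WithRSAEncryption
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    sig = tlv(0x03, bytes([unused_bits]) + b"\xa8" * 256)
    return tlv(0x30, tbs + alg + sig)
```

For a real file, pass `pem_to_der(open("newca.pem").read())` to `signature_unused_bits`; a non-zero result is the condition the reply describes.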