[PYTHON-CRYPTO] Invalid signature

Jan Pobrislo ccx at WEBPROJEKTY.CZ
Wed Jan 17 16:31:06 CET 2007


Hello, I'm having trouble producing properly signed certificates.
Self-signed (CA) certificates work okay, but when I sign another
certificate with the CA's key it doesn't seem to be valid in some
applications.

PS: Now I tried it in IE and it reports even the CA to be broken

It works in:
  Firefox/win32 - I'm not sure I didn't force it to use the certificate though
  M2Crypto.X509.X509.verify method reports success
Reports invalid RSA signature:
  Internet Explorer 6
  openssl cli tool
  konqueror
  kmail
  seamonkey / Linux

I'm using m2crypto-0.17 on gentoo linux
Example certificates attached

I do something like this:

from M2Crypto import X509,RSA,EVP
from M2Crypto.ASN1 import *

     def generate(self,top):
         top.log("Generating keypair")
         keypair = RSA.gen_key(int(top['bits']),0x10001)
         top.key = EVP.PKey()
         top.key.assign_rsa(keypair)

         top.log("Creating certificate")
         top.cert = X509.X509()
         top.cert.set_pubkey(top.key)

         top.log("Configuring certificate")

         #... Setting validity, DN, Extensions

         top.log("Signing")
         if top.parent:
             #... Setting Issuer DN, Serial number
             if not hasattr(top.parent,'key'): self.load(top.parent)
             top.cert.sign(top.parent.key,top['digest'])
         else:
             top.log("Self-signed certificate")
             top.cert.set_issuer_name(self.get_name(top))
             top.cert.sign(top.key,top['digest'])

#... then it gets written like this:

     def write(self,top):
         top.log("Writing to %s"%top.filesdir)
         top.key.save_key(top.key_filename(),None)
         top.cert.save_pem(top.cert_filename())

You can get the whole code at svn://ccx.sh.cvut.cz/generic/xmlca
It's a CA application that automatically generates and distributes SSL
certificates.

Thanks for replies, it's quite urgent


-------------- next part --------------
A non-text attachment was scrubbed...
Name: webprojekty.cz_cert.pem
Type: application/x-x509-ca-cert
Size: 899 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20070117/51d8f66b/attachment.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apache_cert.pem
Type: application/x-x509-ca-cert
Size: 1863 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20070117/51d8f66b/attachment-0001.crt>
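
The openssl command-line check mentioned in the post, as an added example that is not part of the original message: it verifies an issued certificate against the issuing CA's certificate and, for contrast, against an unrelated CA that has the same subject name. The keys, subject names and file names are constructed throwaway values; the poster's attached certificates are not used.

```shell
#!/bin/sh
# Added example with constructed throwaway keys and names (assumptions,
# not values from the post). Requires the openssl command-line tool.

make_ca() {      # $1 = basename; writes $1.key and a self-signed $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = CA basename, $2 = leaf basename; signs with the CA key
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 2 -sha256 -days 1 -out "$2.pem" 2>/dev/null
}

check_chain() {  # $1 = CA cert, $2 = leaf cert; status 0 only when it verifies
    # Match on the printed verdict, because old openssl releases exit 0
    # from "verify" even when verification fails.
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        make_ca ca &&            # the CA that really issues the leaf
        make_ca other &&         # unrelated key pair, same subject name
        issue_leaf ca leaf &&
        check_chain ca.pem leaf.pem &&        # must verify
        ! check_chain other.pem leaf.pem      # must be rejected
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "leaf verifies only against the CA whose key signed it"
```

Run against real files, `check_chain ca_cert.pem issued_cert.pem` gives a verdict that does not depend on the library that produced the certificate.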

