I am writing a test fixture in python2 and pyOpensSSL, which is essentially an SSL factory. This text appliance creates its own CA certificate and key, and then creates the certificates signed by this CA.
Currently, I cannot verify certificates using openssl validation. This is what I get:
server.pem: OU = Hosting Platform CA Testing, CN = test.com
error 7 at 0 depth lookup:certificate signature failure
139891057788744:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139891057788744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:
139891057788744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:
Keys for the CA, as well as for certificates are generated as follows:
def createKey(self):
self.key = OpenSSL.crypto.PKey()
self.key.generate_key(OpenSSL.crypto.TYPE_RSA, self.bits)
I checked -subject, -subject-hash, -issuerand -issuer-hashfor cert certificate and the certificate CA:
server.pem:
subject= /OU=Hosting Platform CA Testing/CN=test.com
e209e907
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
/etc/pki/tls/certs/f04ea969.0:
subject= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
I use the X509v3 extensions and checked the key identifier hashes to match:
server.pem:
X509v3 Subject Key Identifier:
12:A1:CF:8A:FE:4C:BF:AD:3B:7D:1E:5F:8B:9B:B3:49:0E:D8:9D:91
X509v3 Authority Key Identifier:
keyid:24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
/etc/pki/tls/certs/f04ea969.0:
X509v3 Subject Key Identifier:
24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
X509v3 Authority Key Identifier:
24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
Why am I getting padding errors? Any ideas on where I can look for inconsistencies?