modifikace CSR

[sasha]

ahoj,
jelikoz jsem neprosel programovaci skolou a nedari se mi asi slozit spravnou kombinaci pro google, obracim se na Vas zkusene

v zaklade muj dotaz je - jak zjistit jaka cast CSR je realne podepsana

muj problem:

router vygeneruje CSR a je v nem spousta nesmyslu, proto klasicky jak uz to delam, zmenim subject pomoci openssl
jenze v tomto pripade (prestoze to probehne korektne!!!)

Kód:

openssl req -in ddd -subj "/L=Luxor/OU=Pyramida/O=Egyptska Rise/ST=Okolo Memphisu/C=EG/CN=pyramida.re.com" -out ddd.req

jakmile chci ten CSR file overit - at uz certutil a nebo openssl krici:

Kód:

Signature does not match Public key: 80090006
308.7459.0: 0x80090006 (-2146893818)
308.3848.0: 0x80090006 (-2146893818)
Cannot decode object: Invalid Signature. 0x80090006 (-2146893818)
308.8346.0: 0x80090006 (-2146893818): ddd.req
CertUtil: -dump command FAILED: 0x80090006 (-2146893818)
CertUtil: Invalid Signature.
301.3128.0: 0x80090006 (-2146893818)

Kód:

$ openssl req -verify -in ddd.req -text -noout
verify failure
884:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
884:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:

no pokud jsem spatne necetl rfc tak signatura nezahrnuje subject ale jen public key a EKU apod....

v praxi to mam i overeno na jinych certifikatech, ktere takto upravim a bez problemu overim ci necham je podepsat autorityou

diky za kazdy hint

PS:
CSR pred modifikaci

Kód:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c7:c4:ab:a8:df:ab:02:51:89:88:b4:b1:b4:1c:
                    f8:5d:e8:d3:77:e0:f5:a0:6a:da:9f:30:06:2a:f4:
                    77:f9:65:1c:28:8d:7e:23:04:86:a4:33:0d:e0:77:
                    69:1e:e1:8a:92:01:07:ee:d9:5d:1e:51:4a:23:f3:
                    fc:c6:b2:2f:09
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption
        83:62:aa:0c:1f:f5:5e:35:af:10:03:b3:48:11:bb:99:f6:33:
        ec:c6:95:93:80:d9:3d:9b:c1:70:91:f2:6e:86:ae:42:c4:54:
        20:fa:a8:3a:70:ee:ab:69:55:61:36:72:7d:94:f5:b5:07:a7:
        81:63:ef:13:7d:4f:c4:e3:46:5b

po modifikaci

Kód:

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c7:c4:ab:a8:df:ab:02:51:89:88:b4:b1:b4:1c:
                    f8:5d:e8:d3:77:e0:f5:a0:6a:da:9f:30:06:2a:f4:
                    77:f9:65:1c:28:8d:7e:23:04:86:a4:33:0d:e0:77:
                    69:1e:e1:8a:92:01:07:ee:d9:5d:1e:51:4a:23:f3:
                    fc:c6:b2:2f:09
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption
        83:62:aa:0c:1f:f5:5e:35:af:10:03:b3:48:11:bb:99:f6:33:
        ec:c6:95:93:80:d9:3d:9b:c1:70:91:f2:6e:86:ae:42:c4:54:
        20:fa:a8:3a:70:ee:ab:69:55:61:36:72:7d:94:f5:b5:07:a7:
        81:63:ef:13:7d:4f:c4:e3:46:5b

[sasha]

tak koukam, ze jsem to neupdatnul....

toz tedy vec je v tom ze pri pouziti stare netscape authority - CA nekouka dle vseho na signature a sama dokonce umozni zmenit CN...
s novou MS authoritou je to uz jinak ta spravne zkontroluje signature a jelikoz je tu konflikt tak odmitne request podepsat.... - tak to ma byt