I am writing a test fixture in python2 and pyOpensSSL that is essentially an SSL factory. This text fixture creates its own CA cert and key, and then creates certs signed by this CA.
Currently, I am unable to verify the certs using openssl verify. This is what I am getting:
server.pem: OU = Hosting Platform CA Testing, CN = test.com
error 7 at 0 depth lookup:certificate signature failure
139891057788744:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139891057788744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:797:
139891057788744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:
Keys for the CA, as well as for the certs are generate like so:
def createKey(self):
self.key = OpenSSL.crypto.PKey()
self.key.generate_key(OpenSSL.crypto.TYPE_RSA, self.bits)
I have verified -subject, -subject-hash, -issuer and -issuer-hash for both the cert and the issuer CA cert:
server.pem:
subject= /OU=Hosting Platform CA Testing/CN=test.com
e209e907
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
/etc/pki/tls/certs/f04ea969.0:
subject= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
issuer= /C=US/ST=Arizona/L=Gilbert/O=GoDaddy Hosting Platform/OU=Hosting Platform CA Testing/CN=ca.reveller.me
f04ea969
I am using X509v3 extensions and have verified the Key Identifier hashes to ensure they match up:
server.pem:
X509v3 Subject Key Identifier:
12:A1:CF:8A:FE:4C:BF:AD:3B:7D:1E:5F:8B:9B:B3:49:0E:D8:9D:91
X509v3 Authority Key Identifier:
keyid:24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
/etc/pki/tls/certs/f04ea969.0:
X509v3 Subject Key Identifier:
24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
X509v3 Authority Key Identifier:
24:13:EF:DC:9D:A6:09:28:08:FB:34:76:E0:56:AA:EF:42:02:99:2F
Why am I getting padding errors? Any ideas on where I can look for mismatches?