The author has a certificate in hand whose contents (in PEM format) are as follows.
A partial screenshot of it under Windows is shown here,
and it reports that the certificate has no problems.
That should have been the end of the matter, but verifying this certificate with the OpenSSL command line produced the following error:
>openssl verify -CAfile cacert.pem openssl.cert.verify.error.pem
openssl.cert.verify.error.pem: /C=CN/ST=BJ/O=NetSecurity/OU=SSL/CN=Client
error 7 at 0 depth lookup:certificate signature failure
14160:error:04077068:rsa routines:RSA_verify:bad signature:.\crypto\rsa\rsa_sign.c:235:
14160:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn1\a_verify.c:168:
The above is the standard OpenSSL command for verifying a certificate. The verification uses the CA file cacert.pem; this is the basic principle of certificate verification and is not discussed further here.
Also, for emphasis, the certificate that OpenSSL fails to verify is named openssl.cert.verify.error.pem in the command. The version used is OpenSSL 0.9.8e 23 Feb 2007.
Attentive readers may notice that this certificate, which fails verification, looks very much like the certificate sslclientcert mentioned earlier in the "From Mathematics to Cryptography" (從數學到密碼學) series.
Just how similar it is will be explained later.
So here is the problem: for the same certificate, Windows and OpenSSL reach opposite conclusions. Which one is right?
As the saying goes: in front of the source code there are no secrets. Since OpenSSL is open source, why not take this opportunity to dig in and see whose mistake it is.