EldoS | Feel safer!

Invalid Request Signature

#33971
Posted: 07/09/2015 11:41:39
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I created a certificate request and saved it to a file. The certificate uses DSA 2048 with SHA1 with DSA signature.

I then try to sign this certificate request with a CA and I get the error message "Invalid request signature".

This occurs only when the CSR uses DSA public key. I have used the same exact process to sign many CSRs created using RSA public key with no problem.

Here is my signing code snippet:

Code
          CreatedCert = New SBX509Ex.TElX509CertificateEx(Nothing)
          CreatedCert.ValidFrom = Me.ValidFrom
          CreatedCert.ValidTo = Me.ValidTo
          signatureAlgorithm = Me.SignatureHashAlgorithm
          CreatedCert.CAAvailable = True
          CACert.PreferredHashAlgorithm = signatureAlgorithm
          CreatedCert.Extensions.AuthorityKeyIdentifier.AuthorityCertSerial = CACert.SerialNumber
          GenerateCreatedCertExtensions()
          cmdBack.Enabled = False
          cmdNext.Enabled = False
          cmdCancel.Enabled = False
          cmdGenerate.Enabled = False
          CreatedCert.SerialNumber = HexToBytes(txtSNCSR.Text)
          CACert.Generate(CertReq, CreatedCert)


Any suggestions?
#33975
Posted: 07/10/2015 03:24:31
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

This exception is thrown when TElCertificateRequest.ValidateSignature returns false for your request. Most likely the request was generated incorrectly. Could you please post the corresponding code here so we can check it.
#33982
Posted: 07/10/2015 10:10:17
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Here is my code used to create the CSR. It is taken mostly from your CertDemo sample:

Code
          CertReq = New TElCertificateRequest
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_COUNTRY), txtCountry.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_STATE_OR_PROVINCE), txtState.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_LOCALITY), txtLocality.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_ORGANIZATION), txtOrg.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_ORGANIZATION_UNIT), txtOrgUnit.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_COMMON_NAME), txtCommonName.Text)

          keyandhashalgorithm = Me.PublicKeyAndHashAlgorithm
          If (keyandhashalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_DSA_SHA1) Then
            keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_DSA
          ElseIf (keyandhashalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_ECDSA) Or (keyandhashalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_ECDSA) Or (keyandhashalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_SHA384_ECDSA) Or (keyandhashalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_SHA512_ECDSA) Then
            keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_EC
          Else
            keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION
          End If
          cmdBack.Enabled = False
          cmdNext.Enabled = False
          cmdCancel.Enabled = False
          cmdGenerate.Enabled = False
          Me.Cursor = Cursors.WaitCursor

          If keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_EC Then
            Dim algId As New TElECAlgorithmIdentifier
            algId.Curve = Curve
            Dim sigId As New TElECDSAAlgorithmIdentifier
            sigId.Algorithm = keyandhashalgorithm
            CertReq.Generate(algId, 0, sigId)
          Else
            CertReq.Generate(keyalgorithm, PublicKeyLength, keyandhashalgorithm)
          End If
          CertReq.Tag = txtCommonName.Text
          Me.DialogResult = Windows.Forms.DialogResult.OK
          Me.Close()


This CSR is using DSA with SHA1. The 'keyalgorithm' selected = 4 and the 'keyandhashalgorithm' selected is 5. The 'PublicKeyLength' is 2048.

One thing I noticed is that I do not get the error when signing if the CSR is created with a PublicKeyLength of 1024.

Thanks,

Charlie
#33998
Posted: 07/12/2015 11:54:09
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Just FYI - I was able to view the CSR file with openssl

openssl req -noout -text -in Test.csr

and it did not report any problem with the CSR. It displayed the DSA public key parameters and signature DSA with SHA1.
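Post #33998 decodes the CSR with `openssl req -noout -text`, which parses the request but does not check its self-signature; `openssl req -verify` does, and is the independent check to run when a library reports "Invalid request signature". The following Python wrapper is an added example, not code from the thread or from SecureBlackbox. It assumes the `openssl` binary is on PATH and that `Test.csr` is the request file from the post; the helper names (`inspect_csr`, `make_rsa_csr`, `make_dsa_csr`) are this example's own.

```python
"""Check a CSR with OpenSSL the way a CA would: decode it AND verify its self-signature.

Added example, not from the thread. Assumes the openssl binary is on PATH.
"""
import re
import subprocess


def _run(*args):
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def inspect_csr(path: str) -> dict:
    """`req -text` only decodes the request; `req -verify` checks the signature
    over CertificationRequestInfo using the public key embedded in the CSR."""
    decoded = _run("req", "-in", path, "-noout", "-text")
    m = re.search(r"Signature Algorithm:\s*(\S+)", decoded.stdout)
    verified = _run("req", "-in", path, "-noout", "-verify")
    return {
        "parsed": decoded.returncode == 0,
        "signature_algorithm": m.group(1) if m else None,
        "signature_ok": verified.returncode == 0,   # exit status 0 only on "verify OK"
    }


def make_rsa_csr(csr_path, key_path, bits=2048, digest="sha256", subject="/CN=example"):
    """Generate a fresh RSA key and a CSR signed with `digest` (fast; used for the test)."""
    r = _run("req", "-new", "-newkey", f"rsa:{bits}", "-nodes", "-keyout", key_path,
             "-out", csr_path, "-subj", subject, f"-{digest}")
    return r.returncode == 0


def make_dsa_csr(csr_path, key_path, params_path, bits=2048, digest="sha1", subject="/CN=example"):
    """The thread's case: a DSA-<bits> key and a CSR signed with dsaWithSHA1.
    DSA parameter generation for 2048 bits can take a while."""
    if _run("dsaparam", "-out", params_path, str(bits)).returncode != 0:
        return False
    r = _run("req", "-new", "-newkey", f"dsa:{params_path}", "-nodes", "-keyout", key_path,
             "-out", csr_path, "-subj", subject, f"-{digest}")
    return r.returncode == 0


if __name__ == "__main__":
    import sys
    # Usage: python inspect_csr.py Test.csr
    print(inspect_csr(sys.argv[1] if len(sys.argv) > 1 else "Test.csr"))
```

A `signature_ok` of False for a CSR that a library also rejects points at the generator; True points at the verifier. Running `make_dsa_csr` and then `inspect_csr` on the result gives an OpenSSL-generated DSA-2048/SHA-1 request to compare against the one the library produced.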
#34000
Posted: 07/13/2015 05:49:19
by Vsevolod Ievgiienko (EldoS Corp.)

I was able to generate certificate from CSR with DSA-2048 key using our CertDemo sample. Please compare your code to the sample code, most likely something doesn't match.
#34007
Posted: 07/13/2015 11:07:26
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I looked at both VB and C# versions of CertDemo and CertDemowithGenerator and I could not find a way to load a CSR from file and sign it using a CA. Are there newer versions of the samples? I am using the ones that came with SBB 12.0.260.
#34008
Posted: 07/13/2015 15:16:18
by Vsevolod Ievgiienko (EldoS Corp.)

Both samples create certificate request and sign it using CA when you choose Certificate -> New certificate -> Certificate Signed by CA menu.
#34009
Posted: 07/13/2015 15:33:21
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Ok, that's the difference. The samples do not create a certificate request object, then try to sign it. They create a certificate object and then sign it. I verified that it works when done that way.

Here is a test I made without even trying to sign the Cert Request:

Code
          CertReq = New TElCertificateRequest
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_COMMON_NAME), txtCommonName.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_ORGANIZATION), txtOrg.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_ORGANIZATION_UNIT), txtOrgUnit.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_LOCALITY), txtLocality.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_STATE_OR_PROVINCE), txtState.Text)
          setRDNProperty(CertReq.Subject, ByteArrayFromBufferType(SBConstants.Unit.SB_CERT_OID_COUNTRY), txtCountry.Text)
          Me.Cursor = Cursors.WaitCursor
          CertReq.Tag = txtCommonName.Text
          cmdBack.Enabled = False
          cmdNext.Enabled = False
          cmdCancel.Enabled = False
          cmdGenerate.Enabled = False
          signatureAlgorithm = Me.PublicKeyAndHashAlgorithm
          Select Case signatureAlgorithm
            Case SBConstants.Unit.SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_SHA224_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_SHA384_RSA_ENCRYPTION, SBConstants.Unit.SB_CERT_ALGORITHM_SHA512_RSA_ENCRYPTION
              keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION
            Case SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_ECDSA, SBConstants.Unit.SB_CERT_ALGORITHM_SHA256_ECDSA, SBConstants.Unit.SB_CERT_ALGORITHM_SHA384_ECDSA, SBConstants.Unit.SB_CERT_ALGORITHM_SHA512_ECDSA
              keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_EC
            Case SBConstants.Unit.SB_CERT_ALGORITHM_ID_DSA_SHA1
              keyalgorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_DSA
          End Select
          ' sigId (TElECDSAAlgorithmIdentifier) is only used on the EC branch; the
          ' three-argument Generate overload takes the signature algorithm id directly.
          CertReq.Generate(keyalgorithm, PublicKeyLength, signatureAlgorithm)
          If Not CertReq.ValidateSignature Then
            ' ValidateSignature fails when PublicKeyLength = 2048 but succeeds when 1024
            Throw New ApplicationException("Certificate Request created with invalid signature.")
          End If


ValidateSignature Fails when PublicKeyLength = 2048 but succeeds when it equals 1024.

Does the signature algorithm need to change from SHA1 to something else when using DSA/2048?

Maybe this will help you.
#34010
Posted: 07/13/2015 15:54:26
by Eugene Mayevski (EldoS Corp.)

The CSR MUST be signed in order to be used. If it's not signed, you can't use it for certificate generation.


Sincerely yours
Eugene Mayevski
#34011
Posted: 07/13/2015 18:58:06
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

If it is not signed then it is a bug in the TElCertificateRequest module's Generate method.

The problem is that I get a good signature when the selected key size is 1024 but not if the key size is 2048.

Take a look at my code above. If the PublicKeyLength = 1024, CertReq's ValidateSignature method validates the signature correctly. If the PublicKeyLength = 2048 it does not.
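The thread contrasts DSA-1024 with SHA-1, which validates, and DSA-2048 with SHA-1, which does not, and asks whether the hash needs to change. One point where the two cases differ in any DSA implementation is the hash-to-integer step: per FIPS 186-4, a 1024-bit key has a 160-bit q (the same length as a SHA-1 digest) while a 2048-bit key has a 224- or 256-bit q, and the integer z is formed from the leftmost min(N, outlen) bits of the digest (section 4.6), so SHA-1 with a 256-bit q is a valid combination that needs no truncation. The pure-Python DSA below is an added example, neither SecureBlackbox code nor a diagnosis of its error; it implements that rule and runs the same sign-then-verify self-check that ValidateSignature performs, for both q sizes. The function names (`self_check`, `hash_q_relation`, `hash_to_int`) are this example's own.

```python
"""Toy DSA sign/verify showing how the digest becomes the integer z.

Added example; not SecureBlackbox code. Implements the FIPS 186-4 section 4.6 rule:
z = leftmost min(N, outlen) bits of Hash(M), where N is the bit length of q.
"""
import hashlib
import secrets

SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_domain_params(L: int, N: int):
    """(p, q, g): q an N-bit prime, p an L-bit prime with q | p-1, g of order q."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1   # even k gives odd p
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, (p - 1) // q, p)
        if g > 1:            # g != 1 and g^q == 1 mod p, so g has order q
            return p, q, g


def generate_keypair(params):
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)      # private key, 1 <= x <= q-1
    return x, pow(g, x, p)                # (x, y)


def hash_to_int(digest: bytes, q: int) -> int:
    """FIPS 186-4 4.6: use the leftmost min(N, outlen) bits of the digest."""
    N = q.bit_length()
    outlen = 8 * len(digest)
    z = int.from_bytes(digest, "big")
    if outlen > N:
        z >>= outlen - N                  # digest longer than q: keep the leftmost N bits
    return z                              # digest shorter than q (SHA-1, 256-bit q): use as is


def hash_q_relation(q: int, hash_name: str) -> dict:
    """How many digest bits actually enter z for this (q, hash) pair."""
    N = q.bit_length()
    outlen = 8 * hashlib.new(hash_name).digest_size
    return {"q_bits": N, "hash_bits": outlen, "z_bits": min(N, outlen)}


def sign(msg: bytes, params, x: int, hash_name: str = "sha1"):
    p, q, g = params
    z = hash_to_int(hashlib.new(hash_name, msg).digest(), q)
    while True:
        k = 1 + secrets.randbelow(q - 1)  # fresh per-signature secret
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(msg: bytes, sig, params, y: int, hash_name: str = "sha1") -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = hash_to_int(hashlib.new(hash_name, msg).digest(), q)
    u1, u2 = (z * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def self_check(L: int, N: int, hash_name: str, msg: bytes = b"CertificationRequestInfo") -> bool:
    """Generate params and a key, sign msg, verify it: ValidateSignature in miniature."""
    params = generate_domain_params(L, N)
    x, y = generate_keypair(params)
    return verify(msg, sign(msg, params, x, hash_name), params, y, hash_name)


if __name__ == "__main__":
    # The thread's two cases at real sizes (parameter generation takes a few seconds).
    for L, N in ((1024, 160), (2048, 256)):
        print(f"DSA-{L} (q is {N} bits) with SHA-1 self-check:", self_check(L, N, "sha1"))
```

Running the module at real sizes takes a few seconds for parameter generation; the test below uses 512-bit p so it finishes quickly. A verifier that reduced the digest modulo q, or assumed q is always 160 bits, would only diverge from the spec in the 2048-bit case, which is why checking the CSR with an independent verifier is the quickest way to tell which side produced the bad signature.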