[openstack-dev] Quantum/Keystone issue (401) seems to be due to encoding

Yee, Guang guang.yee at hp.com
Wed Nov 7 21:57:40 UTC 2012


The text Adam pasted

-----BEGIN CMS-----
MIIBQwYJKoZIhvcNAQcCoIIBNDCCATACAQExCTAHBgUrDgMCGjAeBgkqhkiG9w0B
BwGgEQQPeyJyZXZva2VkIjogW119MYH/MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMx
DjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQx
GDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0B
AQEFAASBgIPLThGutiaKye5AYYdF3z7FGztoQsCaaqHKHVgtEHk3bM7k5ZqIsNN/
YMUKE8l87UHwto0BZ3WF6IqXzSRCKrm11bzTbKMna5I1vmSanDG/Ws6CyXQRaQeb
1IebcfL+tPWFLN5Y6WsuSobGCGV30wll1F0qgfXCwDkEinVc35vC
-----END CMS-----

yields the following

openssl cms -cmsout -in /tmp/cms.txt -inform PEM -print

CMS_ContentInfo: 
  contentType: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.signedData: 
    version: 1
    digestAlgorithms:
        algorithm: sha1 (1.3.14.3.2.26)
        parameter: <ABSENT>
    encapContentInfo: 
      eContentType: pkcs7-data (1.2.840.113549.1.7.1)
      eContent: 
        0000 - 7b 22 72 65 76 6f 6b 65-64 22 3a 20 5b 5d 7d   {"revoked": []}
    certificates:
      <EMPTY>
    crls:
      <EMPTY>
    signerInfos:
        version: 1
        d.issuerAndSerialNumber: 
          issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com
          serialNumber: 1
        digestAlgorithm: 
          algorithm: sha1 (1.3.14.3.2.26)
          parameter: <ABSENT>
        signedAttrs:
          <EMPTY>
        signatureAlgorithm: 
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL
        signature: 
          0000 - 83 cb 4e 11 ae b6 26 8a-c9 ee 40 61 87 45 df   ..N...&...@a.E.
          000f - 3e c5 1b 3b 68 42 c0 9a-6a a1 ca 1d 58 2d 10   >..;hB..j...X-.
          001e - 79 37 6c ce e4 e5 9a 88-b0 d3 7f 60 c5 0a 13   y7l........`...
          002d - c9 7c ed 41 f0 b6 8d 01-67 75 85 e8 8a 97 cd   .|.A....gu.....
          003c - 24 42 2a b9 b5 d5 bc d3-6c a3 27 6b 92 35 be   $B*.....l.'k.5.
          004b - 64 9a 9c 31 bf 5a ce 82-c9 74 11 69 07 9b d4   d..1.Z...t.i...
          005a - 87 9b 71 f2 fe b4 f5 85-2c de 58 e9 6b 2e 4a   ..q.....,.X.k.J
          0069 - 86 c6 08 65 77 d3 09 65-d4 5d 2a 81 f5 c2 c0   ...ew..e.]*....
          0078 - 39 04 8a 75 5c df 9b c2-                       9..u\...
        unsignedAttrs:
          <EMPTY>

Where's this cert come from?

"issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com"

Guang

From: Adam [mailto:adam at younglogic.com] 
Sent: Wednesday, November 07, 2012 1:07 PM
To: Gary Kotton; Yee, Guang; OpenStack Development Mailing List
Subject: Quantum/Keystone issue (401) seems to be due to encoding

I get the following errors when trying to decode the revocation list:

1.  140580198655840:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
2.  140580198655840:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:795:
3.  140580198655840:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:cms_sd.c:899:
4.  140580198655840:error:2E09D06D:CMS routines:CMS_verify:content verify error:cms_smime.c:425:

The biggest difference I can see between this and the successful runs in the
other projects is that this one comes in encoded as unicode; elsewhere we see
it as string.

The data is coming through OK.  I can see:

{"revoked": []}

So I think the DER encoding is getting messed up in translation.  
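
Added example, not part of the original thread: the check done above with openssl, written as a minimal DER walker in Python (standard library only) that pulls the signed payload and the signer's issuer and serial out of the pasted CMS blob, so they can be compared with the certificate the verifying service is configured to trust. The function names are illustrative, and the walker assumes definite lengths, single-byte tags and an issuerAndSerialNumber signer identifier, as in this blob.

```python
import base64

# Sample input: the CMS blob pasted in this thread.
CMS_PEM = """-----BEGIN CMS-----
MIIBQwYJKoZIhvcNAQcCoIIBNDCCATACAQExCTAHBgUrDgMCGjAeBgkqhkiG9w0B
BwGgEQQPeyJyZXZva2VkIjogW119MYH/MIH8AgEBMFwwVzELMAkGA1UEBhMCVVMx
DjAMBgNVBAgTBVVuc2V0MQ4wDAYDVQQHEwVVbnNldDEOMAwGA1UEChMFVW5zZXQx
GDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0B
AQEFAASBgIPLThGutiaKye5AYYdF3z7FGztoQsCaaqHKHVgtEHk3bM7k5ZqIsNN/
YMUKE8l87UHwto0BZ3WF6IqXzSRCKrm11bzTbKMna5I1vmSanDG/Ws6CyXQRaQeb
1IebcfL+tPWFLN5Y6WsuSobGCGV30wll1F0qgfXCwDkEinVc35vC
-----END CMS-----"""

# DER-encoded X.520 attribute OIDs mapped to the short names openssl prints.
RDN_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
             b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}

def children(buf):
    """Split a DER value into its (tag, body) elements (definite lengths only)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def signer_summary(pem):
    """Return (payload, issuer DN, serial) for the first SignerInfo in a CMS blob."""
    b64 = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    [(_, content_info)] = children(base64.b64decode(b64))
    _oid, (_, wrapped) = children(content_info)        # contentType, [0] content
    [(_, signed_data)] = children(wrapped)
    fields = children(signed_data)
    encap, signer_infos = fields[2][1], fields[-1][1]  # signerInfos is the last field
    payload = children(children(encap)[1][1])[0][1]    # eContent OCTET STRING
    signer = children(signer_infos)[0][1]
    name, serial = children(children(signer)[1][1])    # issuerAndSerialNumber
    issuer = ", ".join(
        f"{RDN_NAMES.get(oid, oid.hex())}={val.decode()}"
        for _, rdn in children(name[1])
        for _, atv in children(rdn)
        for (_, oid), (_, val) in [children(atv)])
    return payload, issuer, int.from_bytes(serial[1], "big")

if __name__ == "__main__":
    print(signer_summary(CMS_PEM))
```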
