1. Home
  2. Linux
  3. Signature verification failed on SPKAC public key – Fix OpenCA error

Signature verification failed on SPKAC public key – Fix OpenCA error

After installing OpenCA and setting up Certificate Authority (CA), I encountered an error – “Signature verification failed on SPKAC public key” while signing the end-entity certificate request on CA machine.

Error while issuing Certificate to David (filename: /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req).

OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067). Using configuration from /home/openca/etc/openca/openssl/openssl/User.conf
Check that the SPKAC request matches the signature
Signature verification failed on SPKAC public key
140250398984096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too 
large:a_object.c:108:
140250398984096:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:206:
error in ca
).

I’m using openca-base-1.5.0 and openca-tools-1.3.0

Debugging:

OpenCA::OpenSSL->_execute_command: ca -batch -config /home/openca/etc/openca/openssl/openssl/User.conf -keyfile /home/openca/var/openca/crypto/keys/cakey.pem -passin env:pwd -extfile /home/openca/var/openca/tmp/User.ext -preserveDN -subj "/O=OpenCA Labs/OU=Users/CN=David" -spkac /home/openca/var/openca/tmp/4229D72DA1BA34B416B9.req

More from the debug…

OpenCA::OpenSSL->setError: errno: 7731075
OpenCA::OpenSSL->setError: errval: OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067). Using configuration from /home/openca/etc/openca/openssl/openssl/User.conf
Check that the SPKAC request matches the signature
signature verification failed on SPKAC public key
140030475425696:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
140030475425696:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:206:
error in ca

The error “signature verification failed on SPKAC public key” clearly says that the issue is while signing the SPKAC public key – The request was generated on the users browser window as shown below:

Signature verification failed

The browser generated request consists of SPKAC public key and signature. The SPKAC probably uses MD5 in its signature. That is insecure and OpenSSL does not verify signatures which use MD5 by default.

So how do we tell OpenSSL to accept requests that uses MD5? Here’s how it’s.

How to fix Signature verification failed on SPKAC public key

Set the environment variable OPENSSL_ENABLE_MD5_VERIFY as a workaround to allow OpenSSL to sign requests that uses MD5. As the OpenCA uses sessions, you cannot just set the environment variable on the command line. You need to set it programatically, so that whenever OpenCA uses OpenSSL command to sign, it should be set.

So, set environment variable OPENSSL_ENABLE_MD5_VERIFY in /home/openca/lib/openca/perl_modules/perl5/x86_64-linux-thread-multi/OpenCA/OpenSSL.pm file:

Search for the Line: # running the OpenSSL command

Below is the code, where the certificate signing happens.

$self->_debug ("issueCert: openssl=$command");
 $ENV{'pwd'} = "$passwd";
 $ret = $self->_execute_command (COMMAND => $command, KEY_USAGE => $engine);
 delete ($ENV{'pwd'});
 unlink ($reqfile) if ($reqdata);
 if( not $ret ) {
 $self->setError (7731075,
 $self->{gettext} ("OpenCA::OpenSSL->issueCert: OpenSSL fails (__ERRNO__). __ERRVAL__",
 "__ERRNO__", $self->errno,
 "__ERRVAL__", $self->errval));
 return undef;
 }

Before executing the above code, you need to set the environment Variable as shown below:

$ENV{OPENSSL_ENABLE_MD5_VERIFY} = 0;

Now restart the OpenCA daemon and sign your user certificate. It should work.

Via Bugzilla

Updated on March 21, 2018

Was this article helpful?

Related Articles

Leave a Comment