AM335x Openssl library always verify certificate fails with error 7 at 0 depth lookup:certificate signature failure Error

Hi TI team,

I am using the am335x-evm platform and my version is as below:

Arago Project http://arago-project.org am335x-evm /dev/ttyO0

Arago 2015.03 am335x-evm /dev/ttyO0

am335x-evm login: root

root@am335x-evm:~# cat /etc/mlb-version
PKG-20150714-FULL

I find that "openssl verify -CAfile" is not working.

I simply use the command below to reproduce the issue: "openssl verify -CAfile ca.crt client1.crt"

I confirmed my ca.crt and client.crt are correct, since I have tested the same files on another platform that doesn't have the problem.
It only fails with the TI am335x-evm openssl; even if you download some sample certs you will get the same error.
For example, download from https://github.com/freelan-developers/freelan/wiki/Sample-certificate-files
and use the command "openssl verify -CAfile ca.crt alice.crt"; it will fail in the same way.

This failure will affect the OpenVPN application that I want to port to this platform, which requires the OpenSSL certificate verification process.
Please help to check and comment, thanks a lot!!

Detail log and cert attached below:

openssl verify -CAfile ca.crt client1.crt
client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = james.ck.chien@foxconn.com
error 7 at 0 depth lookup:certificate signature failure
3068262112:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
3068262112:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218

Here is the openssl library info:
root@am335x-evm:~# openssl version -a
OpenSSL 1.0.1m 19 Mar 2015
built on: Fri Apr 10 14:36:34 2015
platform: linux-armv4
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: arm-linux-gnueabihf-gcc -march=armv7-a -marm -mthumb-interwork -mfloat-abi=hard -mfpu=neon -mtune=cortex-a8 --sysroot=/home/gtbldadm/ti/oe-layersetup/build-CORTEX_1/arago-tmp-external-linaro-toolchain/sysroots/am335x-evm -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -isystem/opt/linaro-2013.03/arm-linux-gnueabihf/include -fstack-protector -O2 -pipe -g -feliminate-unused-debug-types -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Here is the cert I used.

root@am335x-evm:~# openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e5:16:7f:96:50:e9:bf:e4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Validity
Not Before: Sep 25 08:00:49 2015 GMT
Not After : Sep 22 08:00:49 2025 GMT
Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
X509v3 Authority Key Identifier:
keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
serial:E5:16:7F:96:50:E9:BF:E4

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
root@am335x-evm:~# openssl x509 -in client1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Validity
Not Before: Sep 25 08:02:05 2015 GMT
Not After : Sep 22 08:02:05 2025 GMT
Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
X509v3 Authority Key Identifier:
keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
serial:E5:16:7F:96:50:E9:BF:E4

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client1
Signature Algorithm: sha256WithRSAEncryption
root@am335x-evm:~#


Best Regards
James
  • Hi,

    I will forward this to the SW team.
  • Hi Biser,
    Thanks for the feedback. Here is more information: I have currently worked around the issue by porting another "openssl" library (I tried 1.0.1g and 1.0.1p; both work). Now my OpenVPN is working properly with my own build of OpenSSL. But it still always fails if I use the original Intel openssl library.
    It would be great if the TI original openssl issue could be clarified, because I haven't enabled acceleration in my own build of the library; also, I don't think porting another openssl library is a good solution, it is just a workaround.

    Best Regards
    James
  • I still haven't received feedback from the SW team on this.
  • Hello James,

    This error shouldn't arise with the latest processor SDK v01.00.00.03
    You can download it from here.

    Best regards,
    Kemal

  • Hi Kemal,
    Thanks, I will give it a try and let you know. BTW, can you reproduce it in the old SDK, and
    do you know since which SDK version the issue has been fixed?
    Best Regards
    James
  • Hi Kemal,
    I just tried it and can confirm the new SDK V01.00.00.03 has fixed the issue, thanks.
    Best Regards
    James
  • Hi Kemal,
    BTW, I found out the issue does not happen in the OpenSSL library itself; it happens with the SDK V01.00.00.00 prebuilt kernel image.
    I found it only fails in the case below, FYI.

    | Kernel                                  | OpenSSL           | Result |
    |-----------------------------------------|-------------------|--------|
    | Pre-Build SDK V01.00.00.00 Kernel Image | TI Openssl        | Fail   |
    | Pre-Build SDK V01.00.00.00 Kernel Image | Own build Openssl | Pass   |
    | Rebuild SDK V01.00.00.00 Kernel Image   | TI Openssl        | Pass   |
    | Rebuild SDK V01.00.00.00 Kernel Image   | Own build Openssl | Pass   |
    | Prebuild SDK V01.00.00.03 Kernel Image  | TI Openssl        | Pass   |
    | Prebuild SDK V01.00.00.03 Kernel Image  | Own build Openssl | Pass   |

    Best Regards
    James
  • Hello James,

    Thank you for the update. This issue occurs if the Cryptodev module is loaded and it has been fixed in SDK v01.00.00.03 by the last changes in linux-3.14.43/drivers/crypto.

    Best regards,
    Kemal
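
A diagnostic sketch for the situation in this thread, added here as an example (it is not from the thread or from TI's SDK): it checks whether the cryptodev module is loaded, whether the OpenSSL build offloads digests to it (the `-DUSE_CRYPTODEV_DIGESTS` flag in the `openssl version -a` output above), and whether `openssl dgst -sha256` agrees with an independent `sha256sum`. That a wrong offloaded digest is what breaks the signature check is an assumption, as are the function names and the chosen input sizes.

```shell
#!/bin/sh
# Added example: triage for "certificate signature failure" on a board where
# OpenSSL may hand digests to the kernel through cryptodev.

# Succeeds if the cryptodev module appears in a /proc/modules-style file.
cryptodev_loaded() {
    grep -q '^cryptodev ' "${1:-/proc/modules}" 2>/dev/null
}

# Reads `openssl version -a` text on stdin; succeeds if the build was
# compiled to send digests through cryptodev.
uses_cryptodev_digests() {
    grep -q -e '-DUSE_CRYPTODEV_DIGESTS'
}

# For each byte count given, hash identical data with openssl and with
# sha256sum; print the sizes whose digests differ (empty output = all agree).
digest_mismatches() {
    tmp=$(mktemp) || return 2
    bad=""
    for n in "$@"; do
        head -c "$n" /dev/zero | tr '\0' 'A' > "$tmp"
        a=$(openssl dgst -sha256 "$tmp" | awk '{print $NF}')
        b=$(sha256sum "$tmp" | awk '{print $1}')
        [ "$a" = "$b" ] || bad="$bad $n"
    done
    rm -f "$tmp"
    printf '%s\n' "${bad# }"
}

report() {
    if cryptodev_loaded; then echo "cryptodev module: loaded"
    else echo "cryptodev module: not loaded"; fi
    if openssl version -a | uses_cryptodev_digests; then
        echo "openssl build: digests offloaded to cryptodev"
    else
        echo "openssl build: software digests"
    fi
    # Sizes straddle the SHA-256 block and padding boundaries (assumed choice).
    bad=$(digest_mismatches 0 55 56 64 4096 65536)
    if [ -n "$bad" ]; then echo "SHA-256 MISMATCH at sizes: $bad"
    else echo "SHA-256: openssl and sha256sum agree"; fi
}

# Run on the target as: sh thisfile.sh run
case "${1:-}" in run) report ;; esac
```

A mismatch that appears only while the module is loaded points at the kernel driver rather than at the certificates, which matches the pass/fail table earlier in the thread.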