AM335x Openssl library always verify certificate fails with error 7 at 0 depth lookup:certificate signature failure Error

Hi TI team,

          I am using am335x-evm platform and my version is as below

Arago Project http://arago-project.org am335x-evm /dev/ttyO0

Arago 2015.03 am335x-evm /dev/ttyO0

am335x-evm login: root

root@am335x-evm:~# cat /etc/mlb-version
PKG-20150714-FULL

I find the "openssl verify -CAfile"  not working.

I just simply using below command to reproudce the issue "openssl verify -CAfile ca.crt client1.crt"

I confirmed my ca.crt and client.crt  is corrected  since I have tested the same files in other platform that doesn't have problem,
It only failed in TI asm335-evm openssl,  even if you download some sample cert and will get the same error
for example, download from https://github.com/freelan-developers/freelan/wiki/Sample-certificate-files
and use command "openssl verify -CAfile ca.crt alice.crt" will get the same failed.

This failure will affect the OpenVPN application  that I want to ported to this platform which required Openssl certificate verify process....
Please help to check and comment, thanks a lot!!

Detail log and cert attached below:

openssl verify -CAfile ca.crt client1.crt
client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = james.ck.chien@foxconn.com
error 7 at 0 depth lookup:certificate signature failure
3068262112:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
3068262112:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218

Here are the openssl libary info:
root@am335x-evm:~# openssl version -a
OpenSSL 1.0.1m 19 Mar 2015
built on: Fri Apr 10 14:36:34 2015
platform: linux-armv4
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: arm-linux-gnueabihf-gcc -march=armv7-a -marm -mthumb-interwork -mfloat-abi=hard -mfpu=neon -mtune=cortex-a8 --sysroot=/home/gtbldadm/ti/oe-layersetup/build-CORTEX_1/arago-tmp-external-linaro-toolchain/sysroots/am335x-evm -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -isystem/opt/linaro-2013.03/arm-linux-gnueabihf/include -fstack-protector -O2 -pipe -g -feliminate-unused-debug-types -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Here is the cert I used.

root@am335x-evm:~# openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e5:16:7f:96:50:e9:bf:e4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Validity
Not Before: Sep 25 08:00:49 2015 GMT
Not After : Sep 22 08:00:49 2025 GMT
Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd:
e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21:
a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf:
38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b:
ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5:
0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74:
16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26:
d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8:
7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70:
2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e:
24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f:
9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b:
b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86:
21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7:
da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f:
ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37:
c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9:
79:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
X509v3 Authority Key Identifier:
keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
serial:E5:16:7F:96:50:E9:BF:E4

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af:
cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8:
f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5:
80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03:
f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86:
ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05:
73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20:
0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80:
08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32:
c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06:
2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb:
47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45:
af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2:
c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c:
0d:c8:39:40
root@am335x-evm:~# openssl x509 -in client1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Validity
Not Before: Sep 25 08:02:05 2015 GMT
Not After : Sep 22 08:02:05 2025 GMT
Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30:
64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90:
f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44:
31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55:
21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79:
1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94:
77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81:
57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff:
a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5:
ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e:
9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b:
28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20:
c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80:
29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb:
f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24:
5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd:
a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb:
5e:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
X509v3 Authority Key Identifier:
keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
serial:E5:16:7F:96:50:E9:BF:E4

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client1
Signature Algorithm: sha256WithRSAEncryption
2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa:
37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d:
62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35:
34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a:
4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34:
60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22:
e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1:
87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00:
cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04:
d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4:
22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d:
25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53:
f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d:
89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d:
f1:6c:49:95
root@am335x-evm:~#

Best Regards
James