openssl creates invalid signature if run by a different user

Posted by divB on Super User See other posts from Super User or by divB
Published on 2013-07-01T10:09:07Z Indexed on 2013/07/01 10:23 UTC
Read the original article Hit count: 344

Filed under:

openssl

|

digital-signature

|

cryptography

Very strange problem here: openssl successfully creates signatures but only those created as root are valid whereas created by another user (www-data) are invalid! All files are readable and there are not error messages:

# echo -ne Test | openssl dgst -ecdsa-with-SHA1 -sign activation.key > /tmp/asRoot.der
# su www-data
$ echo -ne Test | openssl dgst -ecdsa-with-SHA1 -sign activation.key > /tmp/asWww-data.der
$ uname -a
Linux linux 2.6.32-5-openvz-amd64 #1 SMP Mon Feb 25 01:16:25 UTC 2013 i686 GNU/Linux
$ cat /etc/debian_version
6.0.7

Both files (asRoot.der and asWww-data.der) are transfered to a different computer for verification with the public key:

$ echo -ne Test | openssl dgst -verify activation.pub -keyform DER -signature asRoot.der
Verified OK
$ echo -ne Test | openssl dgst -verify activation.pub -keyform DER -signature asWww-data.der
Verification Failure

That can't be true! What's wrong here?

© Super User or respective owner

Related posts about openssl

Redhat | Openssl installation error

as seen on Server Fault - Search for 'Server Fault'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Redhat | Openssl installation error

as seen on Stack Overflow - Search for 'Stack Overflow'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Upgrade OpenSSL 0.9.8k to OpenSSL 1.0.1c on Ubuntu 10.04

as seen on Server Fault - Search for 'Server Fault'
We're currently using Ubuntu 10.04 and based on the PCI Compliance results, we're told to upgrade our OpenSSL. I attempted to do this using this reference: http://sandilands.info/sgordon/upgrade-latest-version-openssl-on-ubuntu and http://www.lunarforums.com/dedicated_web_hosting_at_lunarpages/upgrading_openssl-t35015… >>> More
Installing OpenSSL that supports SNI along with previous version of OpenSSL

as seen on Server Fault - Search for 'Server Fault'
So I learned that to host multiple HTTPS websites on the same IP address you need an OpenSSL version that supports SNI (0.9.8f and higher). My RHEL5 box currently has 0.9.8e and Apache version httpd-2.2.26-2.el5. According to a same question here it's not a good idea to replace the original version… >>> More
Solaris X86 AESNI OpenSSL Engine

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Solaris X86 AESNI OpenSSL Engine Cryptography is a major component of secure e-commerce. Since cryptography is compute intensive and adds a significant load to applications, such as SSL web servers (https), crypto performance is an important factor. Providing accelerated crypto hardware greatly… >>> More

Related posts about digital-signature

Digital Signature Device Recommendations (Mini Tablet)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'd like to capture signatures of application users with a mini-tablet/little pos signature device. I welcome any first hand experiences of which ones were good and which ones to stay away from. Off the top of my head I can think of a few features I'd like to see: USB interface Not too expensive… >>> More
Bonnie.NET Web Edition - Digital Signature form ASP.NET Web Pages

as seen on Dot net Slackers - Search for 'Dot net Slackers'
Cassandra relseases on the we-coffee.com site a new version of Bonnie.NET. The Bonnie.NET Web Edition (http://www.we-coffee.com/bonnie/bonnieWeb.aspx). This new version permits to digitally sign texts, files and from data from an ASP.NET web-pages. It integrates the PKCS#7 standard to permits… >>> More
Does Windows actually verify digital signatures in the Properties dialog?

as seen on Super User - Search for 'Super User'
When downloading executables from the Internet, I always check to see if they are digitally signed before I feel safe running them. In Windows, when right-clicking a digitally-signed file and selecting Properties, a digital signature tab will be present in the Properties dialog. What I'd like to… >>> More
Handling Digital ID/Signature in Outlook Add-in

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a C# Outlook Add-In application (VS2005 and 2003 Outlook) that reads incoming emails and strips out the attachments and the email text body for future processing. Occasionally I'll get an email that contains a digital signature. The application will fail when I try to access the mailitem… >>> More
Storing a digital signature for bookings on a web based system

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a web based bookings system built for a UK higher education client to allow students to sign out equipment (laptops, camera's etc). It's been in use successfully for a couple of years, in the current workflow equipment is collected and the booking is printed, signed by the student and kept… >>> More