[cisco-voip] Problem with signed tcl scripts

Tom Storey tom at snnap.net
Sun May 10 09:23:49 EDT 2009


Hi All,

I'm having some difficulties getting signed scripts to work on a router.

I've got openssl 0.9.8h installed on a FreeBSD 6.2 box, and following the
documentation located below, word for word, I can't seem to get any scripts
to run properly. The router just seems to continually fail to verify the
digital signature.

http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html#wp1079441

When trying to run a script I usually end up with the following error
messages:

Invalid Signature
May 10 04:54:30.845: ../cert-c/source/p7spprt.c(614) :
E_VERIFY_ASN_SIGNATURE : error verifying digital signature
May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE :
error verifying digital signature): pkcs7 verify data returned status
May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE :
error verifying digital signature): failed to verify
May 10 04:54:30.849: CRYPTO_PKI: unlocked trustpoint scriptsigning,
refcount is 0
May 10 04:54:30.849: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE:
tcl signing validation failed on script signed with trustpoint name
scriptsigning, cannot run the signed TCL script.

But when I try signing the example script in the document mentioned above
it seems to work fine:

#tclsh flash:hello.tcl
hello
argc = 0
argv =
argv0 = flash:hello.tcl
tcl_interactive = 0

May 10 03:58:00.408: CRYPTO_PKI: self-signed cert within the pkcs7.
May 10 03:58:00.408: CRYPTO_PKI: Added x509 peer certificate - (1073) bytes
May 10 03:58:00.408: CRYPTO_PKI: chain received from the peer has been
reduced to one already trusted cert
May 10 03:58:00.408: CRYPTO_PKI: validation path has 0 certs

May 10 03:58:00.408: CRYPTO_PKI: unable to get cert attributesfor AAA list
authorization.
May 10 03:58:00.408: CRYPTO_PKI: chain cert was anchored to trustpoint
scriptsigning, and chain validation result was: CRYPTO_VALID_CERT
May 10 03:58:00.412: CRYPTO_PKI: Success on PKCS7 verify!
May 10 03:58:00.412: CRYPTO_PKI: unlocked trustpoint scriptsigning,
refcount is 0

In both cases I used the exact same private key and CA certificate to sign
both scripts.

Does anyone have any clues, tips, or pointers for doing this successfully?

Cheers,
Tom
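
As an added example (not part of Tom's post, and not Cisco's or OpenSSL's tooling): a small Python parser over the router log lines quoted above. It pulls the trustpoint name and PKI status code out of the failed and successful verifications so an operator reviewing syslog can see, per trustpoint, which signed-script runs the router blocked and which PKCS7 checks passed. The sample log is constructed from the lines in the post (two separate excerpts concatenated, so timestamps are not in order); the regular expressions are assumptions about the message layout, not a published Cisco format.

```python
"""Summarize Cisco IOS signed-Tcl verification results from syslog text.

Added example. Message patterns are assumptions derived from the log lines
in the post, not a Cisco specification.
"""
import re
from collections import Counter

# Constructed sample: the failure and success excerpts from the post, one
# message per line. "scriptsigning" is the trustpoint the poster configured.
SAMPLE_LOG = """\
May 10 04:54:30.845: ../cert-c/source/p7spprt.c(614) : E_VERIFY_ASN_SIGNATURE : error verifying digital signature
May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): pkcs7 verify data returned status
May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): failed to verify
May 10 04:54:30.849: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
May 10 04:54:30.849: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name scriptsigning, cannot run the signed TCL script.
May 10 03:58:00.408: CRYPTO_PKI: chain cert was anchored to trustpoint scriptsigning, and chain validation result was: CRYPTO_VALID_CERT
May 10 03:58:00.412: CRYPTO_PKI: Success on PKCS7 verify!
May 10 03:58:00.412: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
"""

# Leading IOS timestamp ("May 10 04:54:30.849: ") followed by the message body.
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# The router refused to run a script; capture the trustpoint it was signed against.
TCL_FAIL_RE = re.compile(
    r"%SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: .*trustpoint name (?P<tp>\S+?),"
)
# PKI status lines carry a hex code and a symbolic error name.
PKI_STATUS_RE = re.compile(r"CRYPTO_PKI: status = (?P<code>0x[0-9a-fA-F]+)\((?P<name>\w+)")
# A successful chain build names the trustpoint the chain was anchored to.
PKI_ANCHOR_RE = re.compile(r"chain cert was anchored to trustpoint (?P<tp>\S+),")
PKI_SUCCESS = "CRYPTO_PKI: Success on PKCS7 verify!"


def parse_events(log_text):
    """Return (timestamp, kind, detail) tuples for signature-relevant lines."""
    events = []
    for line in log_text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if not m:
            continue  # not an IOS-timestamped message; skip
        ts, msg = m.group("ts"), m.group("msg")
        fail = TCL_FAIL_RE.search(msg)
        status = PKI_STATUS_RE.search(msg)
        anchor = PKI_ANCHOR_RE.search(msg)
        if fail:
            events.append((ts, "tcl_blocked", fail.group("tp")))
        elif status:
            events.append((ts, "pki_status", f"{status.group('name')} ({status.group('code')})"))
        elif anchor:
            events.append((ts, "pki_anchor", anchor.group("tp")))
        elif PKI_SUCCESS in msg:
            events.append((ts, "pkcs7_ok", ""))
    return events


def summarize(events):
    """Count blocked runs and anchored chains per trustpoint, successful PKCS7
    verifications, and the distinct PKI error codes seen."""
    blocked = Counter(e[2] for e in events if e[1] == "tcl_blocked")
    anchored = Counter(e[2] for e in events if e[1] == "pki_anchor")
    ok = sum(1 for e in events if e[1] == "pkcs7_ok")
    errors = sorted({e[2] for e in events if e[1] == "pki_status"})
    return {
        "blocked_by_trustpoint": dict(blocked),
        "anchored_by_trustpoint": dict(anchored),
        "pkcs7_ok": ok,
        "pki_errors": errors,
    }


if __name__ == "__main__":
    for ts, kind, detail in parse_events(SAMPLE_LOG):
        print(f"{ts}  {kind:<12} {detail}")
    print(summarize(parse_events(SAMPLE_LOG)))
```

On the sample above the summary reports one blocked run and one anchored chain for `scriptsigning`, one successful PKCS7 verify, and a single distinct error, `E_VERIFY_ASN_SIGNATURE (0x725)`. Feeding a longer syslog export through `parse_events` makes it easy to tell whether failures cluster on one trustpoint or one time window.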


