[cisco-voip] Problem with signed tcl scripts

Tom Storey tom at snnap.net
Tue May 12 05:37:36 EDT 2009


It's ok, got it sorted.

Was missing an extra blank line in between the plain text script and the encoded/signed copy of the script.

On 10/05/2009, at 10:53 PM, Tom Storey wrote:

> Hi All,
>
> I'm having some difficulties getting signed scripts to work on a router.
>
> I've got openssl 0.9.8h installed on a FreeBSD 6.2 box, and following the
> documentation located below, word for word, I can't seem to get any scripts
> to run properly. The router just seems to continually fail to verify the
> digital signature.
>
> http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html#wp1079441
>
> When trying to run a script I usually end up with the following error
> messages:
>
> Invalid Signature
> May 10 04:54:30.845: ../cert-c/source/p7spprt.c(614) : E_VERIFY_ASN_SIGNATURE : error verifying digital signature
> May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): pkcs7 verify data returned status
> May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): failed to verify
> May 10 04:54:30.849: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
> May 10 04:54:30.849: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name scriptsigning, cannot run the signed TCL script.
>
> But when I try signing the example script in the document mentioned above
> it seems to work fine:
>
> #tclsh flash:hello.tcl
> hello
> argc = 0
> argv =
> argv0 = flash:hello.tcl
> tcl_interactive = 0
>
> May 10 03:58:00.408: CRYPTO_PKI: self-signed cert within the pkcs7.
> May 10 03:58:00.408: CRYPTO_PKI: Added x509 peer certificate - (1073) bytes
> May 10 03:58:00.408: CRYPTO_PKI: chain received from the peer has been reduced to one already trusted cert
> May 10 03:58:00.408: CRYPTO_PKI: validation path has 0 certs
>
> May 10 03:58:00.408: CRYPTO_PKI: unable to get cert attributesfor AAA list authorization.
> May 10 03:58:00.408: CRYPTO_PKI: chain cert was anchored to trustpoint scriptsigning, and chain validation result was: CRYPTO_VALID_CERT
> May 10 03:58:00.412: CRYPTO_PKI: Success on PKCS7 verify!
> May 10 03:58:00.412: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
>
> In both cases I used the exact same private key and CA certificate to sign
> both scripts.
>
> Does anyone have any clues, tips, or pointers for doing this successfully?
>
> Cheers,
> Tom
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
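The fix above (a missing blank line between the script and its signed copy) comes down to the signature covering exact bytes. The following is an added example, not code from the thread or from the Cisco document: it signs a constructed stand-in for hello.tcl with the same detached, DER, binary-mode `openssl smime -sign` step the Cisco procedure uses, then shows that the exact bytes verify while copies differing by one newline do not. It assumes the openssl CLI is installed; the self-signed certificate (the thread's debug output also mentions a self-signed cert in the PKCS#7), key and script are all constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or the Cisco document): a detached
# PKCS#7 signature made with "openssl smime -sign -binary" binds the exact
# bytes of the script, so a copy that differs by a single newline fails to
# verify. Assumes the openssl CLI is installed; everything else is constructed.
set -u

WORK=$(mktemp -d)
NL='
'
# Constructed stand-in for hello.tcl (note the trailing newline).
SCRIPT='puts hello
puts "argc = $argc"
'

# Throw-away self-signed signing certificate and key (constructed, test only).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed tcl signer" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Sign the script: detached signature, DER output, no MIME canonicalisation.
sign_script() {
  printf '%s' "$SCRIPT" > "$WORK/hello.tcl"
  openssl smime -sign -in "$WORK/hello.tcl" -out "$WORK/hello.pk7" \
    -signer "$WORK/cert.pem" -inkey "$WORK/privkey.pem" -outform DER -binary
}

# Verify a candidate byte string against that signature; prints ok or fail.
verify_bytes() {
  printf '%s' "$1" > "$WORK/candidate"
  if openssl smime -verify -in "$WORK/hello.pk7" -inform DER -binary \
       -content "$WORK/candidate" -CAfile "$WORK/cert.pem" \
       -out /dev/null >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_signer
sign_script
echo "exact bytes:              $(verify_bytes "$SCRIPT")"       # ok
echo "trailing newline dropped: $(verify_bytes "${SCRIPT%?}")"  # fail
echo "extra blank line added:   $(verify_bytes "$SCRIPT$NL")"   # fail
```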
