笔者手头有一张证书,内容如下(PEM格式)
-----BEGIN CERTIFICATE-----
MIICkzCCAfygAwIBAgIJAACiQkqialHfMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV
BAYTAkNOMQswCQYDVQQIEwJCSjEUMBIGA1UEChMLTmV0U2VjdXJpdHkxDDAKBgNV
BAsTA1NTTDELMAkGA1UEAxMCQ0EwHhcNMTExMTAzMTY1MDUxWhcNMTIxMTAyMTY1
MDUxWjBPMQswCQYDVQQGEwJDTjELMAkGA1UECBMCQkoxFDASBgNVBAoTC05ldFNl
Y3VyaXR5MQwwCgYDVQQLEwNTU0wxDzANBgNVBAMTBkNsaWVudDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAse122kpIc84wlQz9KU6Rn5bmsGyROkk/54yBoda3
U3Bz1UxMPYzyZyZA0Plfjl60mLWLsX2viIpD78ZqzXuchBQ62eEufu7T0H3MJ/Sw
Kmgh0/Abezbmb3TJG3ZBvM335zUi8yP4uSLDxWKIXlpllkaBoMxRdN8tKKhe1sfQ
7TcCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBNzwfdnDvwbcADgp60y00vt
VRajMB8GA1UdIwQYMBaAFE/E6zIXLFGHCuph0HA3K7BEmV+aMA0GCSqGSIb3DQEB
BQUAA4GBAKTkytVZ4UkKr2iLdZKG2+5ifJQocTAdjrQQ70yw3OFjdmRR+LA/yOpF
4irhAmDPYKutAcxQQoUeGDTJ/RwTHgEvUFoDHDHYf2TsRH1C02zi8cCyHK1Q7Whh
VkvTSPxpQpDjEnYGj9Efs5449YLB+koCJIKnRwgXnY5GKjfnzxcz
-----END CERTIFICATE-----
其在Windows下的部分截图为


并且显示该证书没有问题。
问题本来到此该结束了,但是将此证书用OpenSSL命令进行验证时,却出现下面的错误提示:
>openssl verify -CAfile cacert.pem openssl.cert.verify.error.pem
openssl.cert.verify.error.pem: /C=CN/ST=BJ/O=NetSecurity/OU=SSL/CN=Client
error 7 at 0 depth lookup:certificate signature failure
14160:error:04077068:rsa routines:RSA_verify:bad signature:.\crypto\rsa\rsa_sign.c:235:
14160:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn1\a_verify.c:168:
上面是OpenSSL验证证书的标准命令,验证过程用到了CA文件cacert.pem,这是验证证书的基本原理,不再讨论
另外为了强调,命令中将被OpenSSL验证失败的证书命名为openssl.cert.verify.error.pem。所用版本为OpenSSL 0.9.8e 23 Feb 2007。
有心的读者可以看出,这张验证失败的证书与以前在“从数学到密码学”系列中提到的证书sslclientcert内容很像。
至于有多少程度像,后面再做交待。

问题出来了,同一张证书,Windows和OpenSSL给出相反的结论。到底谁说得对?
还是那句话说得好:源码面前,了无秘密。既然OpenSSL是开源的,我们何不趁此一探究竟,看看到底是谁的错。