Problem with signed tcl scripts

Unanswered Question
May 9th, 2009

Hi All,

I'm having some difficulties getting signed scripts to work on a router.

I've got openssl 0.9.8h installed on a FreeBSD 6.2 box, and following the documentation located below, word for word, I can't seem to get any scripts to run properly. The router just seems to continually fail to verify the digital signature.

http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html#wp1079441

When trying to run a script I usually end up with the following error messages:

Invalid Signature

May 10 04:54:30.845: ../cert-c/source/p7spprt.c(614) : E_VERIFY_ASN_SIGNATURE : error verifying digital signature

May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): pkcs7 verify data returned status

May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): failed to verify

May 10 04:54:30.849: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0

May 10 04:54:30.849: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name scriptsigning, cannot run the signed TCL script.

But when I try signing the example script in the document mentioned above it seems to work fine:

#tclsh flash:hello.tcl

hello

argc = 0

argv =

argv0 = flash:hello.tcl

tcl_interactive = 0

May 10 03:58:00.408: CRYPTO_PKI: self-signed cert within the pkcs7.

May 10 03:58:00.408: CRYPTO_PKI: Added x509 peer certificate - (1073) bytes

May 10 03:58:00.408: CRYPTO_PKI: chain received from the peer has been reduced to one already trusted cert

May 10 03:58:00.408: CRYPTO_PKI: validation path has 0 certs

May 10 03:58:00.408: CRYPTO_PKI: unable to get cert attributesfor AAA list authorization.

May 10 03:58:00.408: CRYPTO_PKI: chain cert was anchored to trustpoint scriptsigning, and chain validation result was: CRYPTO_VALID_CERT

May 10 03:58:00.412: CRYPTO_PKI: Success on PKCS7 verify!

May 10 03:58:00.412: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0

In both cases I used the exact same private key and CA certificate to sign both scripts.

Does anyone have any clues, tips, or pointers for doing this successfully?

Cheers,

Tom

Joe Clarke Mon, 05/11/2009 - 10:47

FreeBSD! Good man. I have a FreeBSD 6-STABLE box, and I am unable to reproduce the problem you're seeing. However, I'm using the base OpenSSL version 0.9.7e-p1, and not the version from ports. It would be helpful to get your cert and signed script for testing. I have attached my test script and cert so you can validate on your device.

I tested on a 7206 running 12.4(24)T. To run this script, just do:

tclsh flash:btest_sign.tcl IPADDRESS

tom.storey Mon, 05/11/2009 - 16:19

Hi Joe

Unfortunately for me, your script/cert works. :-)

However, when I take a copy of your script and sign it with my certificate (attached), it gives me grief again.

I am currently attempting to compile the latest version of openssl from source (0.9.8k, going alright so far!), rather than from the ports tree. I'll see how that goes.

edit: hmm nope no go with that either. :-(

And yes, FreeBSD ftw. Not sure what I would do without it. ;-)

Cheers,

Tom

Joe Clarke Mon, 05/11/2009 - 17:00

I'll give your script/cert a go, but have you tried the base version of OpenSSL in FreeBSD 6.2? Assuming you're tracking RELENG_6_2 on this box, it should be close to the version I'm using.

tom.storey Mon, 05/11/2009 - 17:05

Hi Joe,

I installed the version from /usr/ports/security/openssl.

It sounded like the most basic version available.

I'm running 6.2-RELEASE.

Cheers,

Tom

Joe Clarke Mon, 05/11/2009 - 17:16

OpenSSL is part of the base FreeBSD operating system. You don't need to install it from ports. You should have a /usr/bin/openssl which is a 0.9.7 version.

Joe Clarke Mon, 05/11/2009 - 17:06

I can reproduce the failure with your cert and script. Can you post your pkcs7 signature of btest.tcl? Perhaps your hex dump is wrong. I'd also like a copy of your private key if possible.

tom.storey Mon, 05/11/2009 - 17:19

Hi Joe,

Would you mind if I emailed you those bits?

I assume jclarke@ ?

Cheers,

Tom

tom.storey Mon, 05/11/2009 - 20:11

Hi Joe,

Thanks for your support.

I have uploaded three files:

snnap.net-priv.pem, snnap.net-cert.pem and btest_sig.tcl.pk7.

Different to the last, but still the same problem.

Cheers,

Tom

Joe Clarke Mon, 05/11/2009 - 20:59

Your files work just fine for me. Try this signed script (generated from your files using OpenSSL 0.9.8e on FreeBSD 7-STABLE).

Note: the format is VERY important. There must be one newline between the end of the script and the #Cisco Tcl Signature V1.0 line.

tom.storey Mon, 05/11/2009 - 21:13

Yes that works for me too. :-(

I've been making sure there is a blank line between the last line of the script and the signature header.

This is quite puzzling. What is my box doing!!?? :-/

I downloaded FreeBSD 7.2 yesterday, I'll fire it up and give it a try as well, though I did also try generating keys, a certificate, and signing a script on a Fedora 10 box too and still had no luck. What are my chances? ;-)

Cheers,

Tom

Joe Clarke Mon, 05/11/2009 - 21:38

I found your problem. The ORIGINAL script ended in a blank line. Therefore, you need TWO lines before the signature. I took the pkcs7 file you sent, your latest cert, and then added the signature to a clean btest.tcl with a trailing newline. The result worked perfectly.

I'm attaching the signed btest.tcl along with the exact same cert and pkcs7 file you sent (I'm not attaching the private key for obvious reasons, but it is the same).

All I did was take your pkcs7 file and:

xxd -ps btest_sig.tcl.pk7 > btest.hex

(I added a newline to the top of btest.hex, added the signature header, and commented each subsequent line)

cat btest.tcl btest.hex > btest_sig.tcl

I loaded your cert into my router, then loaded the signed script:

Loading btest_sig.tcl from 14.32.100.33 (via FastEthernet0/0): !

[OK - 5618 bytes]

Bandwidth is 8434.

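Joe's newline rule, turned into a small Python tool (an added example, not code from the thread or from Cisco's documentation): it builds the signed script from the exact bytes that were signed, then splits it back apart to check that the region before the header still matches. It assumes the router verifies everything before the single newline that precedes the header line; the script and the PKCS#7 bytes in the demo are constructed stand-ins.

```python
"""Assemble/split a Cisco signed Tcl script, mirroring Joe's steps:
xxd -ps on the PKCS#7 file, a leading newline, the signature header,
'#' on each hex line, then cat onto the ORIGINAL script bytes."""

HEADER = b"#Cisco Tcl Signature V1.0"

def hexdump_ps(data: bytes, width: int = 30) -> list:
    """Plain hex dump in the style of `xxd -ps` (30 bytes per line)."""
    return [data[i:i + width].hex() for i in range(0, len(data), width)]

def assemble_signed_script(script: bytes, pkcs7_der: bytes) -> bytes:
    """Append the signature block to the exact bytes that were signed.
    The script is written untouched (a trailing blank line stays), then one
    newline, the header, and the '#'-prefixed hex lines. Trimming newlines
    by hand here changes the bytes the router verifies."""
    body = [HEADER] + [b"#" + h.encode() for h in hexdump_ps(pkcs7_der)]
    return script + b"\n" + b"\n".join(body) + b"\n"

def split_signed_script(signed: bytes) -> tuple:
    """Recover (script_bytes, pkcs7_der) from a signed script. Assumption
    (mine, not from the thread): the signed region is everything before the
    single newline that precedes the header line."""
    marker = b"\n" + HEADER + b"\n"
    idx = signed.find(marker)
    if idx < 0:
        raise ValueError("signature header not found")
    hex_lines = signed[idx + len(marker):].split(b"\n")
    hexstr = b"".join(ln[1:] for ln in hex_lines if ln.startswith(b"#"))
    return signed[:idx], bytes.fromhex(hexstr.decode())

def signed_region_matches(signed: bytes, original: bytes) -> bool:
    """True only if the bytes before the header equal the file that was
    signed; a mismatch is the E_VERIFY_ASN_SIGNATURE failure in the thread."""
    return split_signed_script(signed)[0] == original

if __name__ == "__main__":
    # Constructed sample: a script ending in a blank line (like btest.tcl)
    # and stand-in bytes where a real PKCS#7 DER signature would go.
    original = b"puts hello\n\n"
    fake_der = bytes(range(70))
    good = assemble_signed_script(original, fake_der)
    bad = assemble_signed_script(original.rstrip(b"\n") + b"\n", fake_der)
    print(signed_region_matches(good, original))  # True
    print(signed_region_matches(bad, original))   # False
```

Dropping the script's own trailing blank line before appending the block is exactly the "one line instead of two" mistake Joe describes, and the round trip shows why the router rejects it.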
tom.storey Mon, 05/11/2009 - 21:54

Legend! :-D

I just grabbed one of the scripts I had done earlier that weren't working, simply edited it and stuck an extra line in, and hey presto, it works!

That's amazingly simple, as the really annoying things always are. :-)

I wrote a small perl script to take the hex dump, add the signature header and comment out all of the other lines. I'll modify that to include a newline at the beginning.

Thanks for all of your help, it's been very ... helpful!!

Cheers,

Tom
