From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
Date: Sun, 26 Oct 2014 23:19:46 +0100 [thread overview]
Message-ID: <20141026231946.422eaac5@zinc.9fans.fr> (raw)
In-Reply-To: <CAO41-mOQsQ=d12CTQOyMx5NVt6nq+v+0WueQC7BUZ=wxA3t+Aw@mail.gmail.com>
> I'm trying to download the a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py
> > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?
This is not an issue in you side, since I can reproduce it here.
It looks like for some reason, X509toRSApub doesn't succeed to
decode the hg.python.org X.509 certificate.
Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1.
This function is called by parse_alg, which is called during the
X.509 certificate decoding by decode_cert.
It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:
- rsaEncryption
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption
- md5
And indeed, after decoding the hg.python.org X.509
certificate with OpenSSL, I can notice the signature
algorithm is sha256WithRSAEncryption.
Luckily, this is trivially fixed by adding the missing OID
in the signature algorithm array:
--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
ALG_md5WithRSAEncryption,
ALG_sha1WithRSAEncryption,
ALG_sha1WithRSAEncryptionOiw,
+ ALG_sha256WithRSAEncryption,
ALG_md5,
NUMALGS
};
@@ -1594,6 +1595,7 @@
static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
static Ints *alg_oid_tab[NUMALGS+1] = {
@@ -1602,6 +1604,7 @@
(Ints*)&oid_md4WithRSAEncryption,
(Ints*)&oid_md5WithRSAEncryption,
(Ints*)&oid_sha1WithRSAEncryption,
+ (Ints*)&sha256WithRSAEncryption,
(Ints*)&oid_sha1WithRSAEncryptionOiw,
(Ints*)&oid_md5,
nil
Then you have to rebuild libsec and hget.
Have fun!
--
David du Colombier
next prev parent reply other threads:[~2014-10-26 22:19 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-26 21:04 Ryan Gonzalez
2014-10-26 22:19 ` David du Colombier [this message]
2014-10-26 22:30 ` David du Colombier
2014-10-26 22:36 ` Ryan Gonzalez
2014-10-26 22:39 ` David du Colombier
2014-10-26 22:52 ` David du Colombier
2014-10-27 9:19 ` Richard Miller
2014-10-27 15:44 ` erik quanstrom
2014-10-27 23:34 ` Ryan Gonzalez
2014-10-27 4:22 ` lucio
2014-10-27 6:24 ` David du Colombier
2014-10-27 7:33 ` lucio
2014-10-27 15:45 ` erik quanstrom
2014-10-27 15:50 ` lucio
2014-10-27 4:23 ` lucio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141026231946.422eaac5@zinc.9fans.fr \
--to=0intro@gmail.com \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).