From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 26 Oct 2014 23:19:46 +0100
From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-ID: <20141026231946.422eaac5@zinc.9fans.fr>
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
Topicbox-Message-UUID: 2003b8d8-ead9-11e9-9d60-3106f5b1d025

> I'm trying to download a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?

This is not an issue on your side, since I can reproduce it here.

It looks like for some reason, X509toRSApub doesn't succeed in decoding
the hg.python.org X.509 certificate.

Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1. This function is called by parse_alg, which is called
during the X.509 certificate decoding by decode_cert.

It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:

 - rsaEncryption
 - md2WithRSAEncryption
 - md4WithRSAEncryption
 - md5WithRSAEncryption
 - sha1WithRSAEncryption
 - md5

And indeed, after decoding the hg.python.org X.509 certificate
with OpenSSL, I can notice the signature algorithm is
sha256WithRSAEncryption.

Luckily, this is trivially fixed by adding the missing OID
in the signature algorithm array:

--- /n/sources/plan9/sys/src/libsec/port/x509.c +++ /sys/src/libsec/port/x509.c @@ -1582,6 +1582,7 @@ ALG_md5WithRSAEncryption, ALG_sha1WithRSAEncryption, ALG_sha1WithRSAEncryptionOiw, + ALG_sha256WithRSAEncryption, ALG_md5, NUMALGS }; 
@@ -1594,6 +1595,7 @@ static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 }; static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 }; static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 }; +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 }; static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 }; static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 }; static Ints *alg_oid_tab[NUMALGS+1] = { @@ -1602,6 +1604,7 @@ (Ints*)&oid_md4WithRSAEncryption, (Ints*)&oid_md5WithRSAEncryption, (Ints*)&oid_sha1WithRSAEncryption, + (Ints*)&sha256WithRSAEncryption, (Ints*)&oid_sha1WithRSAEncryptionOiw, (Ints*)&oid_md5, nil

Then you have to rebuild libsec and hget.

Have fun!

--
David du Colombier
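
Review bot: nothing in this patch handles the new ALG_sha256WithRSAEncryption value added to the enum in the first hunk (@@ -1582,6 +1582,7 @@); all three hunks only extend declarations. Please check every place that switches on or indexes by these ALG_ values, such as wherever the digest for signature verification is selected, and add the SHA-256 case there, so the certificate is not merely accepted by the parser while the algorithm itself stays unhandled.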
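
Review bot: the object added in the second hunk (@@ -1594,6 +1595,7 @@) is named sha256WithRSAEncryption, without the oid_ prefix that every neighbouring definition carries (oid_sha1WithRSAEncryption, oid_sha1WithRSAEncryptionOiw, oid_md5). Rename it to oid_sha256WithRSAEncryption here and in the matching alg_oid_tab entry so the file-scope name follows the existing convention and cannot be confused with the ALG_ enumerator.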
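
Review bot: the new alg_oid_tab entry in the third hunk (@@ -1602,6 +1604,7 @@) is not in the same position as the new enumerator in the first hunk. The enum puts ALG_sha256WithRSAEncryption after ALG_sha1WithRSAEncryptionOiw, but the table puts (Ints*)&sha256WithRSAEncryption before (Ints*)&oid_sha1WithRSAEncryptionOiw. If the index returned by oid_lookup is interpreted as an ALG_ value, the SHA-256 OID will be reported as sha1WithRSAEncryptionOiw and the other way round. Move the added table line to just after `(Ints*)&oid_sha1WithRSAEncryptionOiw,` so both sequences agree.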
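
The lookup failure described in the mail, as an added C example that is not part of the original message and is not the libsec code: it decodes the content octets of a DER OBJECT IDENTIFIER and searches a table of the algorithms the unpatched code knows, returning -1 for sha256WithRSAEncryption. The function names, the struct layout and the sample byte strings are assumptions constructed for this illustration.

```c
/* Added illustration, not libsec code; names and struct layout are assumed. */
#include <stdio.h>
#include <string.h>
#define MAXARCS 16
static const struct alg { const char *name; int len; unsigned long arcs[7]; } supported[] = {
	{"rsaEncryption",            7, {1, 2, 840, 113549, 1, 1, 1}},
	{"md2WithRSAEncryption",     7, {1, 2, 840, 113549, 1, 1, 2}},
	{"md4WithRSAEncryption",     7, {1, 2, 840, 113549, 1, 1, 3}},
	{"md5WithRSAEncryption",     7, {1, 2, 840, 113549, 1, 1, 4}},
	{"sha1WithRSAEncryption",    7, {1, 2, 840, 113549, 1, 1, 5}},
	{"sha1WithRSAEncryptionOiw", 6, {1, 3, 14, 3, 2, 29}},
	{"md5",                      6, {1, 2, 840, 113549, 2, 5}},
};
/* Constructed inputs: content octets of a signature algorithm OID. */
static const unsigned char sha1rsa[]   = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05};
static const unsigned char sha256rsa[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b};
/* Decode DER OID content into arcs; returns the arc count, or -1 if malformed. */
int oid_decode(const unsigned char *p, size_t n, unsigned long *arcs)
{
	int k = 0, more;
	for (size_t i = 0; i < n; ) {
		unsigned long v = 0;
		do {	/* base-128 subidentifier; a set high bit means "continues" */
			if (i >= n || v > (~0UL >> 7) || k >= MAXARCS) return -1;
			more = p[i] & 0x80;
			v = (v << 7) | (p[i++] & 0x7f);
		} while (more);
		if (k == 0) {	/* first subidentifier packs two arcs as 40*X + Y */
			arcs[k++] = v < 80 ? v / 40 : 2;
			v = v < 80 ? v % 40 : v - 80;
		}
		arcs[k++] = v;
	}
	return k > 0 ? k : -1;
}
/* Index into supported[], or -1 for an unknown OID (the failure in the mail). */
int alg_lookup(const unsigned char *der, size_t n)
{
	unsigned long arcs[MAXARCS];
	int k = oid_decode(der, n, arcs);
	for (size_t i = 0; i < sizeof supported / sizeof *supported; i++)
		if (supported[i].len == k && !memcmp(supported[i].arcs, arcs, k * sizeof *arcs))
			return (int)i;
	return -1;
}
int main(void)
{
	printf("sha1: %d, sha256: %d\n", alg_lookup(sha1rsa, sizeof sha1rsa), alg_lookup(sha256rsa, sizeof sha256rsa));
	return 0;
}
```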