From: Ryan Gonzalez
To: 9fans@9fans.net
Date: Sun, 26 Oct 2014 16:04:53 -0500
Subject: [9fans] tlsClient: tls: local invalid x509/rsa certificate

I'm trying to download a Python script and keep running into trouble. I am running this:

hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py

However, hget keeps complaining with `tlsClient: tls: local invalid x509/rsa certificate`. The time and date of my Plan 9 VM are correct and are set to sync with pool.ntp.org. I have NO clue what's wrong. Can anybody help?

--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple: "It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. - srean
Check out my website: http://kirbyfan64.github.io/
From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Sun, 26 Oct 2014 23:19:46 +0100
Message-ID: <20141026231946.422eaac5@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> I'm trying to download a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py
> > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?

This is not an issue on your side, since I can reproduce it here.

It looks like for some reason, X509toRSApub doesn't succeed in decoding
the hg.python.org X.509 certificate.

Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1. This function is called by parse_alg, which is called
during the X.509 certificate decoding by decode_cert.

It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:

- rsaEncryption
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption
- md5

And indeed, after decoding the hg.python.org X.509 certificate with
OpenSSL, I can notice the signature algorithm is sha256WithRSAEncryption.

Luckily, this is trivially fixed by adding the missing OID in the
signature algorithm array:

--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
 	ALG_md5WithRSAEncryption,
 	ALG_sha1WithRSAEncryption,
 	ALG_sha1WithRSAEncryptionOiw,
+	ALG_sha256WithRSAEncryption,
 	ALG_md5,
 	NUMALGS
 };
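Review bot: the position of the new ALG_sha256WithRSAEncryption constant in this enum does not match the position of its table entry in the third hunk. Here it is inserted after ALG_sha1WithRSAEncryptionOiw (just before ALG_md5), while the third hunk inserts `(Ints*)&sha256WithRSAEncryption,` before `(Ints*)&oid_sha1WithRSAEncryptionOiw,`; since alg_oid_tab is declared with NUMALGS+1 slots and is indexed by these ALG_ values, the two entries after sha1WithRSAEncryption swap meaning: ALG_sha1WithRSAEncryptionOiw would select the SHA-256 OID and ALG_sha256WithRSAEncryption the OIW one. Insert the new entry at the same offset in both places, ideally as the last real entry (before NUMALGS here, before nil in the table) so that no existing index changes.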
@@ -1594,6 +1595,7 @@
 static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
 static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
 static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
 static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
 static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
 static Ints *alg_oid_tab[NUMALGS+1] = {
@@ -1602,6 +1604,7 @@
 	(Ints*)&oid_md4WithRSAEncryption,
 	(Ints*)&oid_md5WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryption,
+	(Ints*)&sha256WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryptionOiw,
 	(Ints*)&oid_md5,
 	nil

Then you have to rebuild libsec and hget.

Have fun!

--
David du Colombier

From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Sun, 26 Oct 2014 23:30:59 +0100
Message-ID: <20141026233059.65fc4959@zinc.9fans.fr>
In-Reply-To: <20141026231946.422eaac5@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

The patch is now available here:

/n/sources/patch/libsec-x509-sha256rsa

--
David du Colombier
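Review bot: in the second hunk (`@@ -1594,6 +1595,7 @@`) the new variable is named `sha256WithRSAEncryption` while every neighbouring declaration carries the `oid_` prefix (`oid_sha1WithRSAEncryption`, `oid_sha1WithRSAEncryptionOiw`, `oid_md5`); rename it `oid_sha256WithRSAEncryption` and update the `(Ints*)&sha256WithRSAEncryption,` reference in the third hunk to match. The initializer itself is consistent with its neighbours: the leading count 7 matches the seven arcs of 1.2.840.113549.1.1.11, so it fits the Ints7 type exactly like the other seven-arc RSA OIDs.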
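To make the diagnosis above concrete, here is an added example (written for this thread, not libsec's code) that decodes a DER OBJECT IDENTIFIER and runs a libsec-style lookup against an algorithm table in the ALG_* order shown in the hunk context, first over the seven entries libsec shipped with and then over eight with sha256WithRSAEncryption appended at the end. The `Oid` struct, the function names and the sample bytes (constructed from the OID values on the page) are this example's own; the two-arcs-in-the-first-subidentifier rule is standard DER.

```c
enum { MAXARCS = 8, NUMALGS_OLD = 7, NUMALGS_NEW = 8 };
typedef struct { int len; int vals[MAXARCS]; } Oid;	/* like libsec's Ints7 */
/* Added example, not libsec code. Entries 0..6 follow the ALG_* order libsec
 * shipped with; entry 7 is the one the patch adds (appended, so no index moves). */
static const Oid alg_oid_tab[] = {
	{7, {1, 2, 840, 113549, 1, 1, 1}},	/* rsaEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 2}},	/* md2WithRSAEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 3}},	/* md4WithRSAEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 4}},	/* md5WithRSAEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 5}},	/* sha1WithRSAEncryption */
	{6, {1, 3, 14, 3, 2, 29}},		/* sha1WithRSAEncryptionOiw */
	{6, {1, 2, 840, 113549, 2, 5}},		/* md5 */
	{7, {1, 2, 840, 113549, 1, 1, 11}},	/* sha256WithRSAEncryption */
};

/* Like libsec's oid_lookup: index of o among the first n table entries, or -1. */
static int oid_lookup(const Oid *o, int n)
{
	int i, j;
	for(i = 0; i < n; i++){
		if(alg_oid_tab[i].len != o->len) continue;
		for(j = 0; j < o->len && alg_oid_tab[i].vals[j] == o->vals[j]; j++) ;
		if(j == o->len) return i;
	}
	return -1;
}

/* Decode one DER OBJECT IDENTIFIER (tag 0x06, short-form length) into out:
 * 0 on success, -1 if the encoding is malformed, truncated or too large. */
static int der_oid_decode(const unsigned char *p, int n, Oid *out)
{
	int i, cont = 0;
	unsigned long v = 0;
	if(n < 3 || p[0] != 0x06 || (p[1] & 0x80) || p[1] + 2 != n) return -1;
	out->len = 0;
	for(i = 2; i < n; i++){
		if(v >= (1UL << 24)) return -1;	/* subidentifier would overflow an int */
		v = (v << 7) | (p[i] & 0x7f);
		cont = p[i] & 0x80;		/* high bit set: more bytes follow */
		if(cont) continue;
		if(out->len == 0){		/* first subidentifier packs two arcs */
			out->vals[0] = v < 80 ? v / 40 : 2;
			out->vals[1] = v < 80 ? v % 40 : v - 80;
			out->len = 2;
		}else if(out->len < MAXARCS) out->vals[out->len++] = v;
		else return -1;
		v = 0;
	}
	return cont ? -1 : 0;
}

/* Constructed sample: the AlgorithmIdentifier OID bytes OpenSSL reports as
 * sha256WithRSAEncryption. Returns its table index when the first numalgs
 * entries are known, or -1, the failure hget reported as an invalid certificate. */
static int check_sha256rsa(int numalgs)
{
	static const unsigned char der[] = {
		0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b};
	Oid o;
	return der_oid_decode(der, sizeof der, &o) < 0 ? -1 : oid_lookup(&o, numalgs);
}
```

With the seven original entries `check_sha256rsa(NUMALGS_OLD)` returns -1, which is the path that ends in `tlsClient: tls: local invalid x509/rsa certificate`; with the eighth entry it returns 7.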
From: Ryan Gonzalez
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Sun, 26 Oct 2014 17:36:19 -0500
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

Thanks! Quick question: how do I apply the patch? I didn't see an argument to diff or a patch utility.

On Sun, Oct 26, 2014 at 5:30 PM, David du Colombier <0intro@gmail.com> wrote:

> The patch is now available here:
>
> /n/sources/patch/libsec-x509-sha256rsa
>
> --
> David du Colombier

--
Ryan
From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Sun, 26 Oct 2014 23:39:45 +0100
Message-ID: <20141026233945.3ea7ce00@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> Thanks! Quick question: how do I apply the patch? I didn't see an
> argument to diff or a patch utility.

You can apply the patch with ape/patch, or simply copy the x509.c
file from /n/sources:

cp /n/sources/patch/libsec-x509-sha256rsa/x509.c /sys/src/libsec/port

--
David du Colombier

From: David du Colombier <0intro@gmail.com>
To: 9fans@9fans.net
Date: Sun, 26 Oct 2014 23:52:13 +0100
Message-ID: <20141026235213.67c14be1@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

Just to be clearer. The patch (unified diff) attached in my
previous email can be applied with ape/patch.

A patch(1) (/n/sources/patch) can't be applied automatically
without modifying patch/apply. You have to copy the individual
files by hand to the destination indicated in the "files" file.

--
David du Colombier

To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 06:22:24 +0200
From: lucio@proxima.alt.za
In-Reply-To: <20141026231946.422eaac5@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> @@ -1594,6 +1595,7 @@
> static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> static Ints *alg_oid_tab[NUMALGS+1] = {
> @@ -1602,6 +1604,7 @@
> (Ints*)&oid_md4WithRSAEncryption,
> (Ints*)&oid_md5WithRSAEncryption,
> (Ints*)&oid_sha1WithRSAEncryption,
> + (Ints*)&sha256WithRSAEncryption,
> (Ints*)&oid_sha1WithRSAEncryptionOiw,
> (Ints*)&oid_md5,
> nil

The existing identifiers are prefixed with "oid_"; is there a reason
for leaving the prefix out?

Lucio.

-------------------------------------------------------------------------------------
This email has been scanned by the MxScan Email Security System.
-------------------------------------------------------------------------------------

To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 06:23:22 +0200
From: lucio@proxima.alt.za
In-Reply-To: <20141026231946.422eaac5@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> Then you have to rebuild libsec and hget.

... and any other client of libsec, presumably?

Lucio.

From: David du Colombier <0intro@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Mon, 27 Oct 2014 07:24:10 +0100
Message-ID: <20141027072410.4740679f@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

It was a typo. I fixed it before submitting the patch to /n/sources.

--
David du Colombier

Message-ID: <7cdf3ebf72d1884fc0eda6043690a336@proxima.alt.za>
To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 09:33:32 +0200
From: lucio@proxima.alt.za
In-Reply-To: <20141027072410.4740679f@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> It was a typo. I fixed it before submitting the patch to /n/sources.

I thought it might be; better safe than sorry, I suppose.

Lucio.

From: Richard Miller <9fans@hamnavoe.com>
To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 09:19:54 +0000
In-Reply-To: <20141026235213.67c14be1@zinc.9fans.fr>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply.

Actually it can, thanks to the magic of bind(1):

cpu% 9fs sources
cpu% PATCH=libsec-x509-sha256rsa
cpu% mkdir -p $home/patch/$PATCH
cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
cpu% patch/apply $PATCH
merge...backup...copy...
to update sources:
	update /sys/src/libsec/port/x509.c
cpu% ls -l /sys/src/libsec/port/x509.c
--rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c
From: erik quanstrom
To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 11:44:00 -0400
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

On Mon Oct 27 05:20:04 EDT 2014, 9fans@hamnavoe.com wrote:
> > A patch(1) (/n/sources/patch) can't be applied automatically
> > without modifying patch/apply.
>
> Actually it can, thanks to the magic of bind(1):
>
> cpu% 9fs sources
> cpu% PATCH=libsec-x509-sha256rsa
> cpu% mkdir -p $home/patch/$PATCH
> cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
> cpu% patch/apply $PATCH
> merge...backup...copy...
> to update sources:
> 	update /sys/src/libsec/port/x509.c
> cpu% ls -l /sys/src/libsec/port/x509.c
> --rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c

fwiw, 9atom has had this, and serial checking (i think cinap did this).

- erik

From: erik quanstrom
To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 11:45:31 -0400
Message-ID: <8048141c1d8c264e97d7de78d70c4507@ladd.quanstro.net>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

On Mon Oct 27 00:22:36 EDT 2014, lucio@proxima.alt.za wrote:
> > @@ -1594,6 +1595,7 @@
> > static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> > static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> > static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> > +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> > static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> > static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> > static Ints *alg_oid_tab[NUMALGS+1] = {
> > @@ -1602,6 +1604,7 @@
> > (Ints*)&oid_md4WithRSAEncryption,
> > (Ints*)&oid_md5WithRSAEncryption,
> > (Ints*)&oid_sha1WithRSAEncryption,
> > + (Ints*)&sha256WithRSAEncryption,
> > (Ints*)&oid_sha1WithRSAEncryptionOiw,
> > (Ints*)&oid_md5,
> > nil
>
> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

you make a good point.

- erik

From: lucio@proxima.alt.za
To: 9fans@9fans.net
Date: Mon, 27 Oct 2014 17:50:32 +0200
Message-ID: <909c274e67eae2c5b408abbfd846ec9a@proxima.alt.za>
In-Reply-To: <8048141c1d8c264e97d7de78d70c4507@ladd.quanstro.net>
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

> you make a good point.

David did explain. It's fixed in the patch.

Lucio.
From: Ryan Gonzalez
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Mon, 27 Oct 2014 18:34:38 -0500
Subject: Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

Thanks! I just tested it. It works!

On Sun, Oct 26, 2014 at 5:52 PM, David du Colombier <0intro@gmail.com> wrote:

> Just to be clearer. The patch (unified diff) attached in my
> previous email can be applied with ape/patch.
>
> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply. You have to copy the individual
> files by hand to the destination indicated in the "files" file.
>
> --
> David du Colombier

--
Ryan