* [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Ryan Gonzalez
Date: 2014-10-26 21:04 UTC
To: 9fans

I'm trying to download a Python script and keep running into trouble. I am running this:

hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py

However, hget keeps complaining with `tlsClient: tls: local invalid x509/rsa certificate`. The time and date of my Plan 9 VM are correct and are set to sync with pool.ntp.org. I have NO clue what's wrong. Can anybody help?

--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple: "It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. - srean
Check out my website: http://kirbyfan64.github.io/
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier
Date: 2014-10-26 22:19 UTC
To: Fans of the OS Plan 9 from Bell Labs

> I'm trying to download a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py
> > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?

This is not an issue on your side, since I can reproduce it here.

It looks like for some reason, X509toRSApub doesn't succeed in decoding the hg.python.org X.509 certificate.

Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup returns -1. This function is called by parse_alg, which is called during the X.509 certificate decoding by decode_cert.

It means the signature algorithm of the hg.python.org X.509 certificate is not one of the few supported ones:

- rsaEncryption
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption
- md5

And indeed, after decoding the hg.python.org X.509 certificate with OpenSSL, I can notice the signature algorithm is sha256WithRSAEncryption.

Luckily, this is trivially fixed by adding the missing OID in the signature algorithm array:

--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
 	ALG_md5WithRSAEncryption,
 	ALG_sha1WithRSAEncryption,
 	ALG_sha1WithRSAEncryptionOiw,
+	ALG_sha256WithRSAEncryption,
 	ALG_md5,
 	NUMALGS
 };
@@ -1594,6 +1595,7 @@
 static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
 static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
 static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
 static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
 static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
 static Ints *alg_oid_tab[NUMALGS+1] = {
@@ -1602,6 +1604,7 @@
 	(Ints*)&oid_md4WithRSAEncryption,
 	(Ints*)&oid_md5WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryption,
+	(Ints*)&sha256WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryptionOiw,
 	(Ints*)&oid_md5,
 	nil

Then you have to rebuild libsec and hget.

Have fun!

--
David du Colombier
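Review bot: In the second hunk (@@ -1594,6 +1595,7 @@), the new declaration `static Ints7 sha256WithRSAEncryption` drops the `oid_` prefix that every neighbouring declaration carries; name it `oid_sha256WithRSAEncryption` (and change the `(Ints*)&sha256WithRSAEncryption` reference in the following hunk to match) so the OID declarations stay consistent and greppable.

Review bot: In the third hunk (@@ -1602,6 +1604,7 @@), the new `alg_oid_tab` entry is inserted before `(Ints*)&oid_sha1WithRSAEncryptionOiw`, while the first hunk inserts `ALG_sha256WithRSAEncryption` after `ALG_sha1WithRSAEncryptionOiw`. If `alg_oid_tab` is indexed by the `ALG_*` enum, as its `NUMALGS+1` sizing suggests, the index that `oid_lookup` returns for the Oiw and sha256 OIDs will no longer line up with the enum values; move one of the two insertions so both lists put sha256WithRSAEncryption in the same slot.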
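To make the oid_lookup failure David describes concrete, here is an added example (not libsec code, not from this thread) that decodes a certificate's DER-encoded signatureAlgorithm OID into arcs and looks it up in an Ints7-shaped table, first without and then with the sha256WithRSAEncryption entry; the Oid type, table contents and DER bytes are constructed for the example.

```c
/* Added example, not libsec code: decode a DER OBJECT IDENTIFIER into its
 * arcs and look it up in an Ints7-style table, as x509.c's oid_lookup does. */
#include <string.h>
#define MAXARCS 16
typedef struct { int len; int vals[MAXARCS]; } Oid;   /* shaped like libsec's Ints7 */
static const Oid oid_sha1WithRSAEncryption   = {7, {1, 2, 840, 113549, 1, 1, 5}};
static const Oid oid_sha256WithRSAEncryption = {7, {1, 2, 840, 113549, 1, 1, 11}};
static const Oid oid_md5                     = {6, {1, 2, 840, 113549, 2, 5}};

/* Decode the content octets of a DER OID (bytes after tag 0x06 and length).
 * Returns 0 on success, -1 if the encoding is malformed or has too many arcs. */
int oid_decode(const unsigned char *p, int n, Oid *o)
{
    unsigned long v = 0;
    if (n < 1) return -1;
    o->vals[0] = p[0] / 40;                 /* first octet packs arcs 1 and 2 */
    o->vals[1] = p[0] % 40;
    o->len = 2;
    for (int i = 1; i < n; i++) {
        v = (v << 7) | (p[i] & 0x7f);       /* base 128, high bit = continue */
        if ((p[i] & 0x80) == 0) {
            if (o->len >= MAXARCS) return -1;
            o->vals[o->len++] = (int)v;
            v = 0;
        }
    }
    return (n > 1 && (p[n-1] & 0x80)) ? -1 : 0;   /* dangling continuation */
}

/* Linear search over the table: index of the match, or -1 when absent,
 * which is what makes parse_alg, and so decode_cert, give up. */
int oid_lookup(const Oid *o, const Oid *const *tab, int ntab)
{
    for (int i = 0; i < ntab; i++)
        if (tab[i]->len == o->len &&
            memcmp(tab[i]->vals, o->vals, o->len * sizeof(int)) == 0)
            return i;
    return -1;
}

/* Constructed input: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) as DER. */
int lookup_sha256rsa(int patched)
{
    static const unsigned char der[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};
    static const Oid *const before[] = {&oid_sha1WithRSAEncryption, &oid_md5};
    static const Oid *const after[]  = {&oid_sha1WithRSAEncryption,
                                        &oid_sha256WithRSAEncryption, &oid_md5};
    Oid o;
    if (oid_decode(der, sizeof der, &o) < 0) return -2;
    return patched ? oid_lookup(&o, after, 3) : oid_lookup(&o, before, 2);
}
```

lookup_sha256rsa(0) returns -1 (the unpatched table has no entry for that OID), lookup_sha256rsa(1) returns 1 (its slot in the extended table).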
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier
Date: 2014-10-26 22:30 UTC
To: Fans of the OS Plan 9 from Bell Labs

The patch is now available here:

/n/sources/patch/libsec-x509-sha256rsa

--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Ryan Gonzalez
Date: 2014-10-26 22:36 UTC
To: Fans of the OS Plan 9 from Bell Labs

Thanks! Quick question: how do I apply the patch? I didn't see an argument to diff or a patch utility.

On Sun, Oct 26, 2014 at 5:30 PM, David du Colombier <0intro@gmail.com> wrote:
> The patch is now available here:
>
> /n/sources/patch/libsec-x509-sha256rsa
>
> --
> David du Colombier

--
Ryan
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier
Date: 2014-10-26 22:39 UTC
To: Fans of the OS Plan 9 from Bell Labs

> Thanks! Quick question: how do I apply the patch? I didn't see an
> argument to diff or a patch utility.

You can apply the patch with ape/patch, or simply copy the x509.c file from /n/sources:

cp /n/sources/patch/libsec-x509-sha256rsa/x509.c /sys/src/libsec/port

--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier
Date: 2014-10-26 22:52 UTC
To: 9fans

Just to be clearer. The patch (unified diff) attached in my previous email can be applied with ape/patch.

A patch(1) (/n/sources/patch) can't be applied automatically without modifying patch/apply. You have to copy the individual files by hand to the destination indicated in the "files" file.

--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Richard Miller
Date: 2014-10-27 9:19 UTC
To: 9fans

> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply.

Actually it can, thanks to the magic of bind(1):

cpu% 9fs sources
cpu% PATCH=libsec-x509-sha256rsa
cpu% mkdir -p $home/patch/$PATCH
cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
cpu% patch/apply $PATCH
merge...backup...copy...
to update sources:
	update /sys/src/libsec/port/x509.c
cpu% ls -l /sys/src/libsec/port/x509.c
--rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: erik quanstrom
Date: 2014-10-27 15:44 UTC
To: 9fans

On Mon Oct 27 05:20:04 EDT 2014, 9fans@hamnavoe.com wrote:
> > A patch(1) (/n/sources/patch) can't be applied automatically
> > without modifying patch/apply.
>
> Actually it can, thanks to the magic of bind(1):
>
> cpu% 9fs sources
> cpu% PATCH=libsec-x509-sha256rsa
> cpu% mkdir -p $home/patch/$PATCH
> cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
> cpu% patch/apply $PATCH
> merge...backup...copy...
> to update sources:
> 	update /sys/src/libsec/port/x509.c
> cpu% ls -l /sys/src/libsec/port/x509.c
> --rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c

fwiw, 9atom has had this, and serial checking (i think cinap did this).

- erik
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Ryan Gonzalez
Date: 2014-10-27 23:34 UTC
To: Fans of the OS Plan 9 from Bell Labs

Thanks! I just tested it. It works!

On Sun, Oct 26, 2014 at 5:52 PM, David du Colombier <0intro@gmail.com> wrote:
> Just to be clearer. The patch (unified diff) attached in my
> previous email can be applied with ape/patch.
>
> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply. You have to copy the individual
> files by hand to the destination indicated in the "files" file.
>
> --
> David du Colombier

--
Ryan
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio
Date: 2014-10-27 4:22 UTC
To: 9fans

> @@ -1594,6 +1595,7 @@
>  static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
>  static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
>  static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
>  static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
>  static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
>  static Ints *alg_oid_tab[NUMALGS+1] = {
> @@ -1602,6 +1604,7 @@
>  	(Ints*)&oid_md4WithRSAEncryption,
>  	(Ints*)&oid_md5WithRSAEncryption,
>  	(Ints*)&oid_sha1WithRSAEncryption,
> +	(Ints*)&sha256WithRSAEncryption,
>  	(Ints*)&oid_sha1WithRSAEncryptionOiw,
>  	(Ints*)&oid_md5,
>  	nil

The existing identifiers are prefixed with "oid_"; is there a reason for leaving the prefix out?

Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier
Date: 2014-10-27 6:24 UTC
To: Fans of the OS Plan 9 from Bell Labs

> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

It was a typo. I fixed it before submitting the patch to /n/sources.

--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio
Date: 2014-10-27 7:33 UTC
To: 9fans

> It was a typo. I fixed it before submitting the patch to /n/sources.

I thought it might be; better safe than sorry, I suppose.

Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: erik quanstrom
Date: 2014-10-27 15:45 UTC
To: 9fans

On Mon Oct 27 00:22:36 EDT 2014, lucio@proxima.alt.za wrote:
> > @@ -1594,6 +1595,7 @@
> >  static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> >  static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> >  static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> > +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> >  static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> >  static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> >  static Ints *alg_oid_tab[NUMALGS+1] = {
> > @@ -1602,6 +1604,7 @@
> >  	(Ints*)&oid_md4WithRSAEncryption,
> >  	(Ints*)&oid_md5WithRSAEncryption,
> >  	(Ints*)&oid_sha1WithRSAEncryption,
> > +	(Ints*)&sha256WithRSAEncryption,
> >  	(Ints*)&oid_sha1WithRSAEncryptionOiw,
> >  	(Ints*)&oid_md5,
> >  	nil
>
> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

you make a good point.

- erik
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio
Date: 2014-10-27 15:50 UTC
To: 9fans

> you make a good point.

David did explain. It's fixed in the patch.

Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio
Date: 2014-10-27 4:23 UTC
To: 9fans

> Then you have to rebuild libsec and hget.

... and any other client of libsec, presumably?

Lucio.