* [9fans] tlsClient: tls: local invalid x509/rsa certificate
@ 2014-10-26 21:04 Ryan Gonzalez
2014-10-26 22:19 ` David du Colombier
0 siblings, 1 reply; 15+ messages in thread
From: Ryan Gonzalez @ 2014-10-26 21:04 UTC (permalink / raw)
To: 9fans
I'm trying to download a Python script and keep running into trouble. I
am running this:
hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py
However, hget keeps complaining with `tlsClient: tls: local invalid
x509/rsa certificate`. The time and date of my Plan 9 VM are correct and
are set to sync with pool.ntp.org. I have NO clue what's wrong. Can anybody
help?
--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier @ 2014-10-26 22:19 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
> I'm trying to download a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py
> > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?
This is not an issue on your side, since I can reproduce it here.
It looks like for some reason X509toRSApub fails to
decode the hg.python.org X.509 certificate.
Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1.
This function is called by parse_alg, which is called during the
X.509 certificate decoding by decode_cert.
It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:
- rsaEncryption
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption
- md5
And indeed, after decoding the hg.python.org X.509
certificate with OpenSSL, I can see that the signature
algorithm is sha256WithRSAEncryption.
Luckily, this is trivially fixed by adding the missing OID
in the signature algorithm array:
--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
ALG_md5WithRSAEncryption,
ALG_sha1WithRSAEncryption,
ALG_sha1WithRSAEncryptionOiw,
+ ALG_sha256WithRSAEncryption,
ALG_md5,
NUMALGS
};
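Review bot: the new ALG_sha256WithRSAEncryption is declared after ALG_sha1WithRSAEncryptionOiw and just before ALG_md5, so any table indexed by these enum values (alg_oid_tab is sized NUMALGS+1) must receive its new entry at exactly that position; check that the table edit later in this patch uses the same order. Note also that this hunk only lets parse_alg recognise the identifier; it adds no SHA-256 digest to whatever verifies the signature, so a sha256WithRSAEncryption certificate will now decode but callers should not assume the signature is checked unless that code supports it.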
@@ -1594,6 +1595,7 @@
static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
static Ints *alg_oid_tab[NUMALGS+1] = {
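Review bot: the added definition `+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };` drops the `oid_` prefix that every neighbouring definition carries; rename it `oid_sha256WithRSAEncryption` (and the matching reference in the alg_oid_tab hunk) so the naming stays consistent and cannot be confused with an ALG_ or algorithm-name identifier. The arc count (7) and the arcs 1.2.840.113549.1.1.11 are the correct sha256WithRSAEncryption object identifier.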
@@ -1602,6 +1604,7 @@
(Ints*)&oid_md4WithRSAEncryption,
(Ints*)&oid_md5WithRSAEncryption,
(Ints*)&oid_sha1WithRSAEncryption,
+ (Ints*)&sha256WithRSAEncryption,
(Ints*)&oid_sha1WithRSAEncryptionOiw,
(Ints*)&oid_md5,
nil
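Review bot: the table entry `+ (Ints*)&sha256WithRSAEncryption,` is inserted between oid_sha1WithRSAEncryption and oid_sha1WithRSAEncryptionOiw, but in the enum hunk ALG_sha256WithRSAEncryption comes after ALG_sha1WithRSAEncryptionOiw. If alg_oid_tab is indexed by the ALG_ values, the sha1Oiw and sha256 slots now disagree and oid_lookup would return the wrong ALG_ constant for each of those two OIDs; move this line below the `(Ints*)&oid_sha1WithRSAEncryptionOiw,` entry (or move the enum value) so both orders match.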
Then you have to rebuild libsec and hget.
Have fun!
--
David du Colombier
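As an added illustration (not libsec's code and not part of this thread), here is a small C program that decodes the DER-encoded object identifier from a certificate's AlgorithmIdentifier and looks it up in a table laid out the way the patch above edits it: a count followed by the arcs, with the table order mirroring an enum. The `Oid` type, `decode_oid`, `lookup_der` and the sample byte strings are hypothetical and constructed for the example; the 1.2.840.113549.1.1.x values are the real PKCS#1 identifiers. It shows why the lookup returns -1 while the sha256WithRSAEncryption entry is missing and an index once it is present, and why the enum and the table must stay in the same order.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libsec's Ints: a length followed by the arcs. */
enum { MAXARCS = 16 };
typedef struct Oid Oid;
struct Oid {
	int len;
	unsigned long arc[MAXARCS];
};

/* Algorithm enum; the lookup returns an index that callers compare with these. */
enum {
	ALG_rsaEncryption,
	ALG_md5WithRSAEncryption,
	ALG_sha1WithRSAEncryption,
	ALG_sha256WithRSAEncryption,	/* the entry the thread's patch adds */
	NUMALGS
};

/* Table order must match the enum above, entry for entry. */
static Oid alg_oid_tab[NUMALGS] = {
	{7, {1, 2, 840, 113549, 1, 1, 1}},	/* rsaEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 4}},	/* md5WithRSAEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 5}},	/* sha1WithRSAEncryption */
	{7, {1, 2, 840, 113549, 1, 1, 11}},	/* sha256WithRSAEncryption */
};

/*
 * Decode the contents of a DER OBJECT IDENTIFIER (tag and length already
 * stripped). The first byte packs the first two arcs as 40*a+b; every
 * further arc is base-128 with the high bit as continuation flag.
 * Simplified: assumes the first subidentifier fits in one byte.
 */
int
decode_oid(const unsigned char *p, int n, Oid *o)
{
	int i;
	unsigned long v;

	if(n < 1 || (p[0] & 0x80))
		return -1;
	o->arc[0] = p[0] / 40;
	o->arc[1] = p[0] % 40;
	o->len = 2;
	v = 0;
	for(i = 1; i < n; i++){
		v = (v << 7) | (p[i] & 0x7f);
		if((p[i] & 0x80) == 0){
			if(o->len >= MAXARCS)
				return -1;
			o->arc[o->len++] = v;
			v = 0;
		}
	}
	if(p[n-1] & 0x80)	/* truncated: last arc never terminated */
		return -1;
	return o->len;
}

/* Like libsec's oid_lookup: the table index, or -1 when unsupported. */
int
oid_lookup(const Oid *o, const Oid *tab, int ntab)
{
	int i;

	for(i = 0; i < ntab; i++)
		if(tab[i].len == o->len &&
		   memcmp(tab[i].arc, o->arc, o->len * sizeof o->arc[0]) == 0)
			return i;
	return -1;
}

/* Decode a DER OID and look it up, with or without the sha256 table entry. */
int
lookup_der(const unsigned char *der, int n, int with_sha256)
{
	Oid o;

	if(decode_oid(der, n, &o) < 0)
		return -1;
	return oid_lookup(&o, alg_oid_tab, with_sha256 ? NUMALGS : ALG_sha256WithRSAEncryption);
}

/* Constructed samples: DER contents of 1.2.840.113549.1.1.11 and .1.1.5. */
static const unsigned char sha256rsa_der[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b};
static const unsigned char sha1rsa_der[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05};
/* Constructed malformed sample: ends on a continuation byte. */
static const unsigned char truncated_der[] = {0x2a, 0x86, 0x48, 0x86};

int
main(void)
{
	printf("sha256WithRSAEncryption, old table: %d\n", lookup_der(sha256rsa_der, sizeof sha256rsa_der, 0));
	printf("sha256WithRSAEncryption, new table: %d\n", lookup_der(sha256rsa_der, sizeof sha256rsa_der, 1));
	return 0;
}
```

The same sha256WithRSAEncryption bytes yield -1 against the three-entry table and index 3 once the fourth entry exists, which is exactly the failure mode parse_alg turns into the "local invalid x509/rsa certificate" error. Because the index doubles as the ALG_ constant, inserting a table row anywhere except the position its enum value has would silently relabel the algorithms that follow it.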
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier @ 2014-10-26 22:30 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
The patch is now available here:
/n/sources/patch/libsec-x509-sha256rsa
--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Ryan Gonzalez @ 2014-10-26 22:36 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Thanks! Quick question: how do I apply the patch? I didn't see an argument
to diff or a patch utility.
On Sun, Oct 26, 2014 at 5:30 PM, David du Colombier <0intro@gmail.com>
wrote:
> The patch is now available here:
>
> /n/sources/patch/libsec-x509-sha256rsa
>
> --
> David du Colombier
>
>
--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier @ 2014-10-26 22:39 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
> Thanks! Quick question: how do I apply the patch? I didn't see an
> argument to diff or a patch utility.
You can apply the patch with ape/patch, or simply copy the
x509.c file from /n/sources:
cp /n/sources/patch/libsec-x509-sha256rsa/x509.c /sys/src/libsec/port
--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier @ 2014-10-26 22:52 UTC (permalink / raw)
To: 9fans
Just to be clearer. The patch (unified diff) attached in my
previous email can be applied with ape/patch.
A patch(1) (/n/sources/patch) can't be applied automatically
without modifying patch/apply. You have to copy the individual
files by hand to the destination indicated in the "files" file.
--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio @ 2014-10-27 4:22 UTC (permalink / raw)
To: 9fans
> @@ -1594,6 +1595,7 @@
> static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> static Ints *alg_oid_tab[NUMALGS+1] = {
> @@ -1602,6 +1604,7 @@
> (Ints*)&oid_md4WithRSAEncryption,
> (Ints*)&oid_md5WithRSAEncryption,
> (Ints*)&oid_sha1WithRSAEncryption,
> + (Ints*)&sha256WithRSAEncryption,
> (Ints*)&oid_sha1WithRSAEncryptionOiw,
> (Ints*)&oid_md5,
> nil
The existing identifiers are prefixed with "oid_"; is there a reason
for leaving the prefix out?
Lucio.
-------------------------------------------------------------------------------------
This email has been scanned by the MxScan Email Security System.
-------------------------------------------------------------------------------------
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio @ 2014-10-27 4:23 UTC (permalink / raw)
To: 9fans
> Then you have to rebuild libsec and hget.
... and any other client of libsec, presumably?
Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: David du Colombier @ 2014-10-27 6:24 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?
It was a typo. I fixed it before submitting the patch to /n/sources.
--
David du Colombier
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio @ 2014-10-27 7:33 UTC (permalink / raw)
To: 9fans
> It was a typo. I fixed it before submitting the patch to /n/sources.
I thought it might be; better safe than sorry, I suppose.
Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Richard Miller @ 2014-10-27 9:19 UTC (permalink / raw)
To: 9fans
> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply.
Actually it can, thanks to the magic of bind(1):
cpu% 9fs sources
cpu% PATCH=libsec-x509-sha256rsa
cpu% mkdir -p $home/patch/$PATCH
cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
cpu% patch/apply $PATCH
merge...backup...copy...
to update sources:
update /sys/src/libsec/port/x509.c
cpu% ls -l /sys/src/libsec/port/x509.c
--rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: erik quanstrom @ 2014-10-27 15:44 UTC (permalink / raw)
To: 9fans
On Mon Oct 27 05:20:04 EDT 2014, 9fans@hamnavoe.com wrote:
> > A patch(1) (/n/sources/patch) can't be applied automatically
> > without modifying patch/apply.
>
> Actually it can, thanks to the magic of bind(1):
>
> cpu% 9fs sources
> cpu% PATCH=libsec-x509-sha256rsa
> cpu% mkdir -p $home/patch/$PATCH
> cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
> cpu% patch/apply $PATCH
> merge...backup...copy...
> to update sources:
> update /sys/src/libsec/port/x509.c
> cpu% ls -l /sys/src/libsec/port/x509.c
> --rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c
fwiw, 9atom has had this, and serial checking (i think cinap did this).
- erik
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: erik quanstrom @ 2014-10-27 15:45 UTC (permalink / raw)
To: 9fans
On Mon Oct 27 00:22:36 EDT 2014, lucio@proxima.alt.za wrote:
> > @@ -1594,6 +1595,7 @@
> > static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> > static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> > static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> > +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> > static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> > static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> > static Ints *alg_oid_tab[NUMALGS+1] = {
> > @@ -1602,6 +1604,7 @@
> > (Ints*)&oid_md4WithRSAEncryption,
> > (Ints*)&oid_md5WithRSAEncryption,
> > (Ints*)&oid_sha1WithRSAEncryption,
> > + (Ints*)&sha256WithRSAEncryption,
> > (Ints*)&oid_sha1WithRSAEncryptionOiw,
> > (Ints*)&oid_md5,
> > nil
>
> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?
you make a good point.
- erik
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: lucio @ 2014-10-27 15:50 UTC (permalink / raw)
To: 9fans
> you make a good point.
David did explain. It's fixed in the patch.
Lucio.
* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
From: Ryan Gonzalez @ 2014-10-27 23:34 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
Thanks! I just tested it. It works!
On Sun, Oct 26, 2014 at 5:52 PM, David du Colombier <0intro@gmail.com>
wrote:
> Just to be clearer. The patch (unified diff) attached in my
> previous email can be applied with ape/patch.
>
> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply. You have to copy the individual
> files by hand to the destination indicated in the "files" file.
>
> --
> David du Colombier
>
>
--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/