9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] tlsClient: tls: local invalid x509/rsa certificate
@ 2014-10-26 21:04 Ryan Gonzalez
  2014-10-26 22:19 ` David du Colombier
  0 siblings, 1 reply; 15+ messages in thread
From: Ryan Gonzalez @ 2014-10-26 21:04 UTC (permalink / raw)
  To: 9fans


I'm trying to download a Python script and keep running into trouble. I
am running this:

hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py

However, hget keeps complaining with `tlsClient: tls: local invalid
x509/rsa certificate`. The time and date of my Plan 9 VM are correct and
are set to sync with pool.ntp.org. I have NO clue what's wrong. Can anybody
help?

--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/


* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 21:04 [9fans] tlsClient: tls: local invalid x509/rsa certificate Ryan Gonzalez
@ 2014-10-26 22:19 ` David du Colombier
  2014-10-26 22:30   ` David du Colombier
                     ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: David du Colombier @ 2014-10-26 22:19 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> I'm trying to download a Python script and keep running into
> trouble. I am running this:
>
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py > types.py
>
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?

This is not an issue on your side, since I can reproduce it here.

It looks like, for some reason, X509toRSApub doesn't succeed in
decoding the hg.python.org X.509 certificate.

Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1.

This function is called by parse_alg, which is called during the
X.509 certificate decoding by decode_cert.

It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:

 - rsaEncryption
 - md2WithRSAEncryption
 - md4WithRSAEncryption
 - md5WithRSAEncryption
 - sha1WithRSAEncryption
 - md5

And indeed, after decoding the hg.python.org X.509
certificate with OpenSSL, I can notice the signature
algorithm is sha256WithRSAEncryption.

Luckily, this is trivially fixed by adding the missing OID
in the signature algorithm array:

--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
 	ALG_md5WithRSAEncryption,
 	ALG_sha1WithRSAEncryption,
 	ALG_sha1WithRSAEncryptionOiw,
+	ALG_sha256WithRSAEncryption,
 	ALG_md5,
 	NUMALGS
 };
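Review bot: The new ALG_sha256WithRSAEncryption constant sits after ALG_sha1WithRSAEncryptionOiw in this enum, which shifts ALG_md5 and NUMALGS up by one. Any array elsewhere in x509.c that is sized by NUMALGS or indexed by these constants needs a matching entry at the same position; this diff only touches alg_oid_tab, so please confirm nothing else is keyed on the enum.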
@@ -1594,6 +1595,7 @@
 static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
 static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
 static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
 static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
 static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
 static Ints *alg_oid_tab[NUMALGS+1] = {
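Review bot: The array on the added line is named sha256WithRSAEncryption, while every neighbouring definition carries the oid_ prefix (oid_sha1WithRSAEncryption, oid_md5 and so on). Rename it to oid_sha256WithRSAEncryption and update the reference in alg_oid_tab to match.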
@@ -1602,6 +1604,7 @@
 	(Ints*)&oid_md4WithRSAEncryption,
 	(Ints*)&oid_md5WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryption,
+	(Ints*)&sha256WithRSAEncryption,
 	(Ints*)&oid_sha1WithRSAEncryptionOiw,
 	(Ints*)&oid_md5,
 	nil
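Review bot: The sha256 entry is inserted before oid_sha1WithRSAEncryptionOiw in alg_oid_tab, but the enum hunk places ALG_sha256WithRSAEncryption after ALG_sha1WithRSAEncryptionOiw. The table is sized NUMALGS+1, which suggests its index is meant to line up with the enum; if so, a sha256WithRSAEncryption certificate would be reported as ALG_sha1WithRSAEncryptionOiw and the reverse. Move the added line below the Oiw entry so both lists share one order.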

Then you have to rebuild libsec and hget.

Have fun!

--
David du Colombier
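
The lookup failure described in the message above, as an added example that is not part of the original thread or of libsec. It is portable C99 rather than Plan 9 C; the Oid type, oid_decode, oid_index, alg_from_der and both tables are hypothetical stand-ins, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAXARCS 16
/* Hypothetical stand-in for libsec's Ints: arc count, then the arcs. */
typedef struct { int len; int data[MAXARCS]; } Oid;

/* Decode the content octets of a DER OBJECT IDENTIFIER; -1 on bad input. */
int oid_decode(const unsigned char *p, size_t n, Oid *o) {
	unsigned long v = 0;
	o->len = 1;                                /* slot 0 is filled in after the loop */
	if (n == 0 || (p[n-1] & 0x80)) return -1;  /* empty, or last arc unterminated */
	for (size_t i = 0; i < n; i++) {
		if (v > 0xffffffUL) return -1;         /* next shift would overflow int */
		v = (v << 7) | (p[i] & 0x7f);
		if (p[i] & 0x80) continue;             /* arc continues in next octet */
		if (o->len >= MAXARCS) return -1;
		o->data[o->len++] = (int)v;
		v = 0;
	}
	/* The first encoded value packs the first two arcs as 40*a + b. */
	o->data[0] = o->data[1] < 40 ? 0 : o->data[1] < 80 ? 1 : 2;
	o->data[1] -= 40 * o->data[0];
	return 0;
}

/* Index of o in a NULL-terminated table, or -1 when the OID is not listed. */
int oid_index(const Oid *o, const Oid *const *tab) {
	for (int i = 0; tab[i] != NULL; i++)
		if (tab[i]->len == o->len && !memcmp(tab[i]->data, o->data, o->len * sizeof(int)))
			return i;
	return -1;
}

static const Oid sha1rsa   = {7, {1, 2, 840, 113549, 1, 1, 5}};
static const Oid sha256rsa = {7, {1, 2, 840, 113549, 1, 1, 11}};
static const Oid *const unpatched[] = {&sha1rsa, NULL};
static const Oid *const patched[]   = {&sha1rsa, &sha256rsa, NULL};
/* Constructed sample: DER content octets of the sha256WithRSAEncryption OID. */
static const unsigned char sha256_der[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};

/* Parser's view of a signature algorithm: -1 means "unsupported". */
int alg_from_der(const unsigned char *p, size_t n, const Oid *const *tab) {
	Oid o;
	return oid_decode(p, n, &o) < 0 ? -1 : oid_index(&o, tab);
}

int main(void) {
	printf("%d %d\n", alg_from_der(sha256_der, 9, unpatched), alg_from_der(sha256_der, 9, patched));
	return 0;
}
```

A parser built this way rejects any certificate whose algorithm OID is missing from the table, which is the safe default; the cost is that the table has to be kept current as certificate authorities move to newer hashes.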




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:19 ` David du Colombier
@ 2014-10-26 22:30   ` David du Colombier
  2014-10-26 22:36     ` Ryan Gonzalez
  2014-10-27  4:22   ` lucio
  2014-10-27  4:23   ` lucio
  2 siblings, 1 reply; 15+ messages in thread
From: David du Colombier @ 2014-10-26 22:30 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

The patch is now available here:

/n/sources/patch/libsec-x509-sha256rsa

--
David du Colombier




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:30   ` David du Colombier
@ 2014-10-26 22:36     ` Ryan Gonzalez
  2014-10-26 22:39       ` David du Colombier
  2014-10-26 22:52       ` David du Colombier
  0 siblings, 2 replies; 15+ messages in thread
From: Ryan Gonzalez @ 2014-10-26 22:36 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Thanks! Quick question: how do I apply the patch? I didn't see an argument
to diff or a patch utility.

On Sun, Oct 26, 2014 at 5:30 PM, David du Colombier <0intro@gmail.com>
wrote:

> The patch is now available here:
>
> /n/sources/patch/libsec-x509-sha256rsa
>
> --
> David du Colombier
>
>


--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/


* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:36     ` Ryan Gonzalez
@ 2014-10-26 22:39       ` David du Colombier
  2014-10-26 22:52       ` David du Colombier
  1 sibling, 0 replies; 15+ messages in thread
From: David du Colombier @ 2014-10-26 22:39 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> Thanks! Quick question: how do I apply the patch? I didn't see an
> argument to diff or a patch utility.

You can apply the patch with ape/patch, or simply copy the
x509.c file from /n/sources:

cp /n/sources/patch/libsec-x509-sha256rsa/x509.c /sys/src/libsec/port

--
David du Colombier




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:36     ` Ryan Gonzalez
  2014-10-26 22:39       ` David du Colombier
@ 2014-10-26 22:52       ` David du Colombier
  2014-10-27  9:19         ` Richard Miller
  2014-10-27 23:34         ` Ryan Gonzalez
  1 sibling, 2 replies; 15+ messages in thread
From: David du Colombier @ 2014-10-26 22:52 UTC (permalink / raw)
  To: 9fans

Just to be clearer. The patch (unified diff) attached in my
previous email can be applied with ape/patch.

A patch(1) (/n/sources/patch) can't be applied automatically
without modifying patch/apply. You have to copy the individual
files by hand to the destination indicated in the "files" file.

--
David du Colombier




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:19 ` David du Colombier
  2014-10-26 22:30   ` David du Colombier
@ 2014-10-27  4:22   ` lucio
  2014-10-27  6:24     ` David du Colombier
  2014-10-27 15:45     ` erik quanstrom
  2014-10-27  4:23   ` lucio
  2 siblings, 2 replies; 15+ messages in thread
From: lucio @ 2014-10-27  4:22 UTC (permalink / raw)
  To: 9fans

> @@ -1594,6 +1595,7 @@
>  static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
>  static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
>  static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
>  static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
>  static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
>  static Ints *alg_oid_tab[NUMALGS+1] = {
> @@ -1602,6 +1604,7 @@
>  	(Ints*)&oid_md4WithRSAEncryption,
>  	(Ints*)&oid_md5WithRSAEncryption,
>  	(Ints*)&oid_sha1WithRSAEncryption,
> +	(Ints*)&sha256WithRSAEncryption,
>  	(Ints*)&oid_sha1WithRSAEncryptionOiw,
>  	(Ints*)&oid_md5,
>  	nil

The existing identifiers are prefixed with "oid_"; is there a reason
for leaving the prefix out?

Lucio.


-------------------------------------------------------------------------------------
This email has been scanned by the MxScan Email Security System.
-------------------------------------------------------------------------------------




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:19 ` David du Colombier
  2014-10-26 22:30   ` David du Colombier
  2014-10-27  4:22   ` lucio
@ 2014-10-27  4:23   ` lucio
  2 siblings, 0 replies; 15+ messages in thread
From: lucio @ 2014-10-27  4:23 UTC (permalink / raw)
  To: 9fans

> Then you have to rebuild libsec and hget.

... and any other client of libsec, presumably?

Lucio.



* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-27  4:22   ` lucio
@ 2014-10-27  6:24     ` David du Colombier
  2014-10-27  7:33       ` lucio
  2014-10-27 15:45     ` erik quanstrom
  1 sibling, 1 reply; 15+ messages in thread
From: David du Colombier @ 2014-10-27  6:24 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

It was a typo. I fixed it before submitting the patch to /n/sources.

--
David du Colombier




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-27  6:24     ` David du Colombier
@ 2014-10-27  7:33       ` lucio
  0 siblings, 0 replies; 15+ messages in thread
From: lucio @ 2014-10-27  7:33 UTC (permalink / raw)
  To: 9fans

> It was a typo. I fixed it before submitting the patch to /n/sources.

I thought it might be; better safe than sorry, I suppose.

Lucio.



* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:52       ` David du Colombier
@ 2014-10-27  9:19         ` Richard Miller
  2014-10-27 15:44           ` erik quanstrom
  2014-10-27 23:34         ` Ryan Gonzalez
  1 sibling, 1 reply; 15+ messages in thread
From: Richard Miller @ 2014-10-27  9:19 UTC (permalink / raw)
  To: 9fans

> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply.

Actually it can, thanks to the magic of bind(1):

	cpu% 9fs sources
	cpu% PATCH=libsec-x509-sha256rsa
	cpu% mkdir -p $home/patch/$PATCH
	cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
	cpu% patch/apply $PATCH
	merge...backup...copy...
	to update sources:
		update /sys/src/libsec/port/x509.c
	cpu% ls -l /sys/src/libsec/port/x509.c
	--rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c





* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-27  9:19         ` Richard Miller
@ 2014-10-27 15:44           ` erik quanstrom
  0 siblings, 0 replies; 15+ messages in thread
From: erik quanstrom @ 2014-10-27 15:44 UTC (permalink / raw)
  To: 9fans

On Mon Oct 27 05:20:04 EDT 2014, 9fans@hamnavoe.com wrote:
> > A patch(1) (/n/sources/patch) can't be applied automatically
> > without modifying patch/apply.
>
> Actually it can, thanks to the magic of bind(1):
>
> 	cpu% 9fs sources
> 	cpu% PATCH=libsec-x509-sha256rsa
> 	cpu% mkdir -p $home/patch/$PATCH
> 	cpu% bind -bc $home/patch/$PATCH /n/sources/patch/$PATCH
> 	cpu% patch/apply $PATCH
> 	merge...backup...copy...
> 	to update sources:
> 		update /sys/src/libsec/port/x509.c
> 	cpu% ls -l /sys/src/libsec/port/x509.c
> 	--rw-rw-r-- M 9996 sys sys 54387 Oct 27 09:15 /sys/src/libsec/port/x509.c

fwiw, 9atom has had this, and serial checking (i think cinap did this).

- erik




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-27  4:22   ` lucio
  2014-10-27  6:24     ` David du Colombier
@ 2014-10-27 15:45     ` erik quanstrom
  2014-10-27 15:50       ` lucio
  1 sibling, 1 reply; 15+ messages in thread
From: erik quanstrom @ 2014-10-27 15:45 UTC (permalink / raw)
  To: 9fans

On Mon Oct 27 00:22:36 EDT 2014, lucio@proxima.alt.za wrote:
> > @@ -1594,6 +1595,7 @@
> >  static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
> >  static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
> >  static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
> > +static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
> >  static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
> >  static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
> >  static Ints *alg_oid_tab[NUMALGS+1] = {
> > @@ -1602,6 +1604,7 @@
> >  	(Ints*)&oid_md4WithRSAEncryption,
> >  	(Ints*)&oid_md5WithRSAEncryption,
> >  	(Ints*)&oid_sha1WithRSAEncryption,
> > +	(Ints*)&sha256WithRSAEncryption,
> >  	(Ints*)&oid_sha1WithRSAEncryptionOiw,
> >  	(Ints*)&oid_md5,
> >  	nil
>
> The existing identifiers are prefixed with "oid_"; is there a reason
> for leaving the prefix out?

you make a good point.

- erik




* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-27 15:45     ` erik quanstrom
@ 2014-10-27 15:50       ` lucio
  0 siblings, 0 replies; 15+ messages in thread
From: lucio @ 2014-10-27 15:50 UTC (permalink / raw)
  To: 9fans

> you make a good point.

David did explain.  It's fixed in the patch.

Lucio.



* Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate
  2014-10-26 22:52       ` David du Colombier
  2014-10-27  9:19         ` Richard Miller
@ 2014-10-27 23:34         ` Ryan Gonzalez
  1 sibling, 0 replies; 15+ messages in thread
From: Ryan Gonzalez @ 2014-10-27 23:34 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Thanks! I just tested it. It works!

On Sun, Oct 26, 2014 at 5:52 PM, David du Colombier <0intro@gmail.com>
wrote:

> Just to be clearer. The patch (unified diff) attached in my
> previous email can be applied with ape/patch.
>
> A patch(1) (/n/sources/patch) can't be applied automatically
> without modifying patch/apply. You have to copy the individual
> files by hand to the destination indicated in the "files" file.
>
> --
> David du Colombier
>
>


--
Ryan
If anybody ever asks me why I prefer C++ to C, my answer will be simple:
"It's becauseslejfp23(@#Q*(E*EIdc-SEGFAULT. Wait, I don't think that was
nul-terminated."
Personal reality distortion fields are immune to contradictory evidence. -
srean
Check out my website: http://kirbyfan64.github.io/

