Re: [9fans] tlsClient: tls: local invalid x509/rsa certificate

Sun, 26 Oct 2014 15:21:06 -0700 

> I'm trying to download the a Python script and keep running into
> trouble. I am running this:
> 
> hget https://hg.python.org/cpython/raw-file/4391ab72dd7b/Lib/types.py
> > types.py
> 
> However, hget keeps complaining with `tlsClient: tls: local invalid
> x509/rsa certificate`. The time and date of my Plan 9 VM are correct
> and are set to sync with pool.ntp.org. I have NO clue what's wrong.
> Can anybody help?

This is not an issue in you side, since I can reproduce it here.

It looks like for some reason, X509toRSApub doesn't succeed to
decode the hg.python.org X.509 certificate.

Actually the issue is that /sys/src/libsec/port/x509.c:/^oid_lookup
returns -1.

This function is called by parse_alg, which is called during the
X.509 certificate decoding by decode_cert.

It means the signature algorithm of the hg.python.org X.509
certificate is not one of the few supported ones:

 - rsaEncryption
 - md2WithRSAEncryption
 - md4WithRSAEncryption
 - md5WithRSAEncryption
 - sha1WithRSAEncryption
 - md5

And indeed, after decoding the hg.python.org X.509
certificate with OpenSSL, I can notice the signature
algorithm is sha256WithRSAEncryption.

Luckily, this is trivially fixed by adding the missing OID
in the signature algorithm array:

--- /n/sources/plan9/sys/src/libsec/port/x509.c
+++ /sys/src/libsec/port/x509.c
@@ -1582,6 +1582,7 @@
        ALG_md5WithRSAEncryption,
        ALG_sha1WithRSAEncryption,
        ALG_sha1WithRSAEncryptionOiw,
+       ALG_sha256WithRSAEncryption,
        ALG_md5,
        NUMALGS
 };
@@ -1594,6 +1595,7 @@
 static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
 static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
 static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints7 sha256WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 11 };
 static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
 static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
 static Ints *alg_oid_tab[NUMALGS+1] = {
@@ -1602,6 +1604,7 @@
        (Ints*)&oid_md4WithRSAEncryption,
        (Ints*)&oid_md5WithRSAEncryption,
        (Ints*)&oid_sha1WithRSAEncryption,
+       (Ints*)&sha256WithRSAEncryption,
        (Ints*)&oid_sha1WithRSAEncryptionOiw,
        (Ints*)&oid_md5,
        nil

Then you have to rebuild libsec and hget.

Have fun!

-- 
David du Colombier

Reply via email to