On Tue, Sep 05, 2017 at 11:37:01AM +0200, Enrico Zini wrote:

> I refactored the certificate generation code for sso.debian.org, and the
> certificates it generates now still work in Firefox but not in Chrome.

I found the reason: python-cryptography writes the certificate issuer
as UTF8 String while the CA certificate has it as Printable String.
Because of that, the subject names don't match bit-by-bit.

For openssl, encoding does not matter for comparison, while for libnss3
it does.

I do not know if this is:

 - a bug in openssl, which should be stricter in matching
 - a bug in libnss3, which should deal with encodings
 - a bug in python3-cryptography, which should do a bit-for-bit copy
   when copying attributes over:
   https://anonscm.debian.org/cgit/debian-sso/debian-sso.git/tree/ca/ca.py#n429

Please help me report the bugs, while I try to implement a workaround on
sso.debian.org.


I'm attaching a test case that reproduces the issue. Unpack the tarball
and run ./test to reproduce. This is the output of a run:

  $ ./test 
  + trap cleanup EXIT
  + cleanup
  + rm -fr newcerts
  + rm -f index.txt index.txt.attr serial '*.old'
  + certtool -p --outfile=testkey.pem
  + certtool --load-privkey=testkey.pem -s --outfile=testcrt.pem --template=testcrt.conf
  + mkdir -p newcerts
  + touch index.txt
  + touch index.txt.attr
  + openssl genrsa -out client.key 2048
  + openssl req -new -sha256 -key client.key -batch
  + openssl ca -batch -config testca.conf -in client.csr -create_serial -days 7 -keyfile testkey.pem -cert testcrt.pem -out client.crt
  + openssl verify -CAfile testcrt.pem client.crt
  client.crt: OK
  + certtool --load-ca-certificate testcrt.pem --verify --infile client.crt
  Loaded 1 certificates, 1 CAs and 0 CRLs
  
        Subject: O=Internet Widgits Pty Ltd
        Issuer: O=Test client certificate,CN=Test CA 2017-09-06
        Checked against: O=Test client certificate,CN=Test CA 2017-09-06
        Output: Verified. The certificate is trusted. 
  
  Chain verification output: Verified. The certificate is trusted. 
  
  + ./utf8ize --crt testcrt.pem --key testkey.pem testcrtutf8.pem
  + openssl x509 -noout -nameopt multiline,show_type -subject -issuer -in testcrt.pem
  subject=
      commonName                = PRINTABLESTRING:Test CA 2017-09-06
      organizationName          = PRINTABLESTRING:Test client certificate
  issuer=
      commonName                = PRINTABLESTRING:Test CA 2017-09-06
      organizationName          = PRINTABLESTRING:Test client certificate
  + openssl x509 -noout -nameopt multiline,show_type -subject -issuer -in testcrtutf8.pem
  subject=
      commonName                = UTF8STRING:Test CA 2017-09-06
      organizationName          = UTF8STRING:Test client certificate
  issuer=
      commonName                = UTF8STRING:Test CA 2017-09-06
      organizationName          = UTF8STRING:Test client certificate
  + openssl verify -CAfile testcrtutf8.pem client.crt
  client.crt: OK
  + certtool --load-ca-certificate testcrtutf8.pem --verify --infile client.crt
  Loaded 1 certificates, 1 CAs and 0 CRLs
  
        Subject: O=Internet Widgits Pty Ltd
        Issuer: O=Test client certificate,CN=Test CA 2017-09-06
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 
  
        Subject: O=Internet Widgits Pty Ltd
        Issuer: O=Test client certificate,CN=Test CA 2017-09-06
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 
  
  Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 
  
  + cleanup
  + rm -fr newcerts
  + rm -f index.txt index.txt.attr serial index.txt.attr.old index.txt.old


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>

Attachment: testcase.tar.xz
Description: application/xz
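The mismatch described in the mail, worked through in a self-contained Python snippet (added here as an example; it is not part of the mail, of the attached test case, or of the sso.debian.org ca.py code): the same DN encoded once with PrintableString (DER tag 0x13) and once with UTF8String (tag 0x0C) decodes to identical strings but different bytes, so a verifier that compares the issuer against the CA subject byte-for-byte rejects the chain, while one that compares decoded values accepts it. The attribute OIDs are the standard ones; the two comparison functions are assumptions that model the behaviours the mail reports for openssl and for the stricter verifiers, and the bit-for-bit copy is the workaround the mail suggests.

```python
# Minimal DER encoder/decoder for an X.501 Name (short-form lengths only).
OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organizationName
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C

def tlv(tag, body):
    if len(body) >= 128:
        raise ValueError("example supports short-form lengths only")
    return bytes([tag, len(body)]) + body

def encode_name(rdns, string_tag):
    """rdns: list of (oid_bytes, str). Name = SEQUENCE OF SET { SEQUENCE { OID, value } }."""
    out = b""
    for oid, value in rdns:
        atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value.encode("utf-8")))
        out += tlv(0x31, atv)
    return tlv(0x30, out)

def _read(der, i):
    tag, length = der[i], der[i + 1]
    return tag, der[i + 2:i + 2 + length], i + 2 + length

def decode_name(der):
    """Return [(oid_bytes, string_tag, str)] for a DER Name."""
    _, body, _ = _read(der, 0)
    attrs, i = [], 0
    while i < len(body):
        _, rdn, i = _read(body, i)        # SET
        _, atv, _ = _read(rdn, 0)         # SEQUENCE (one attribute per RDN here)
        _, oid, j = _read(atv, 0)         # OBJECT IDENTIFIER
        stag, val, _ = _read(atv, j)      # PrintableString or UTF8String
        attrs.append((oid, stag, val.decode("utf-8")))
    return attrs

def match_by_value(a, b):
    """Assumed model of the openssl behaviour in the mail: string type is ignored."""
    return [(o, v) for o, _, v in decode_name(a)] == [(o, v) for o, _, v in decode_name(b)]

def match_by_bytes(a, b):
    """Assumed model of the stricter verifiers in the mail: DER must match bit-for-bit."""
    return a == b

# Constructed sample: the DN from the test case output.
CA_DN = [(OID_CN, "Test CA 2017-09-06"), (OID_O, "Test client certificate")]
ca_subject = encode_name(CA_DN, PRINTABLE_STRING)   # as certtool wrote the CA
issuer_reencoded = encode_name(CA_DN, UTF8_STRING)  # issuer rebuilt from strings
issuer_copied = bytes(ca_subject)                   # workaround: copy the CA subject DER as-is

if __name__ == "__main__":
    print("by value:", match_by_value(ca_subject, issuer_reencoded))   # True
    print("by bytes:", match_by_bytes(ca_subject, issuer_reencoded))   # False
    print("by bytes (copied):", match_by_bytes(ca_subject, issuer_copied))  # True
```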