[gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Mar 29 16:40:12 CEST 2022 



Richard Frith-Macdonald commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_893124739

>
> Daiki Ueno commented:
>
> Do you have the last certificate in your trust store? Maybe you could check with:

Yes, that was the first thing I checked.

> trust list --filter=ca-anchors

pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority


X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 083be056904246b1a1756ac95991c74a
	Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
	Validity:
		Not Before: Fri Nov 10 00:00:00 UTC 2006
		Not After: Mon Nov 10 00:00:00 UTC 2031
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:8f
			0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:cc:01
			93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:e2:8d:22
			dd:87:06:40:00:81:09:ce:ce:1b:83:bf:df:cd:3b:71
			46:e2:d6:66:c7:05:b3:76:27:16:8f:7b:9e:1e:95:7d
			ee:b7:48:a3:08:da:d6:af:7a:0c:39:06:65:7f:4a:5d
			1f:bc:17:f8:ab:be:ee:28:d7:74:7f:7a:78:99:59:85
			68:6e:5c:23:32:4b:bf:4e:c0:e8:5a:6d:e3:70:bf:77
			10:bf:fc:01:f6:85:d9:a8:44:10:58:32:a9:75:18:d5
			d1:a2:be:47:e2:27:6a:f4:9a:33:f8:49:08:60:8b:d4
			5f:b4:3a:84:bf:a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76
			5e:a0:4b:37:91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb
			fe:cd:b3:14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3
			0b:42:d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d
			58:3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16
			f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:af
			27
		Exponent (bits 24):
			01:00:01
	Extensions:
		Key Usage (critical):
			Digital signature.
			Certificate signing.
			CRL signing.
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Key Identifier (not critical):
			03de503556d14cbb66f0a3e21b1bc397b23dd155
		Authority Key Identifier (not critical):
			03de503556d14cbb66f0a3e21b1bc397b23dd155
	Signature Algorithm: RSA-SHA1
warning: signed using a broken signature algorithm that can be forged.
	Signature:
		cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4
		df:ae:04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d
		b9:d5:c7:fe:f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98
		29:ab:11:b5:e3:70:a0:a1:cd:4c:88:99:93:8c:91:70
		e2:ab:0f:1c:be:93:a9:ff:63:d5:e4:07:60:d3:a3:bf
		9d:5b:09:f1:d5:8e:e3:53:f4:8e:63:fa:3f:a7:db:b4
		66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:ea:77:4a:9f
		9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:79:54
		92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac
		e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9
		36:53:cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18
		d5:04:ad:78:3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8
		89:c1:b9:38:6c:e2:91:6c:8a:ff:64:b9:77:25:57:30
		c0:1b:24:a3:e1:dc:e9:df:47:7c:b5:b4:24:08:05:30
		ec:2d:bd:0b:bf:45:bf:50:b9:a9:f3:eb:98:01:12:ad
		c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:95:95:6d:de
Other Information:
	Fingerprint:
		sha1:a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
		sha256:4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
	Public Key ID:
		sha1:d52e13c1abe349dae8b49594ef7c3843606466bd
		sha256:aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391
	Public Key PIN:
		pin-sha256:r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

<details><summary>...</summary>

> On 29 Mar 2022, at 15:08, Daiki Ueno (@dueno) <gitlab at mg.gitlab.com> wrote:
	Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

</details>

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_893124739
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220329/96adb626/attachment-0001.html>

More information about the Gnutls-devel mailing list