[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID

Rainer Gerhards rgerhards at gmail.com
Fri Jun 20 10:40:08 CEST 2008


Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
value in question is "pathLenConstraint", node is a non-NULL value (I
put a printf() in _gnutls_x509_read_uint()).

Rainer

On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
> I mangled the names (## in their places) because this is a cert I
> received from a user:
>
> [root at rgf9dev nick]# certtool -i < cert.pem
> X.509 Certificate Information:
>        Version: 3
>        Serial Number (hex): 485a73f4
>        Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
>        Validity:
>                Not Before: Thu Jun 19 14:57:58 UTC 2008
>                Not After: Wed Mar 16 14:58:01 UTC 2011
>        Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
>        Subject Public Key Algorithm: RSA
>                Modulus (bits 2048):
>                        ac:ad:f0:eb:35:6b:9e:41:e9:6a:67:03:ed:2c:12:6e
>                        00:ea:ae:ea:10:2a:bd:52:00:4a:2d:d3:55:77:20:b6
>                        dd:78:97:e3:83:4d:19:f8:64:af:7d:58:e7:b3:bb:92
>                        05:92:0e:38:9b:98:2e:55:44:74:3b:af:24:65:33:f8
>                        42:d6:76:b5:f2:97:dc:8c:e8:b5:ae:a6:1d:17:71:62
>                        16:cc:db:1c:78:ae:a2:53:78:7a:88:3e:b0:85:ce:4f
>                        3b:e9:76:53:db:6f:f4:40:99:24:91:ec:b9:ab:40:76
>                        66:de:21:3e:36:1b:7c:ff:7e:ca:0c:9f:e8:5c:52:84
>                        3d:cb:51:41:db:30:89:c9:0c:95:f1:da:d2:d7:4f:30
>                        73:2b:00:a5:e2:a0:da:27:84:6c:db:03:11:8c:a3:16
>                        3c:2d:48:30:c7:a3:0a:26:ea:68:4a:c2:e8:7e:e0:ae
>                        6a:66:c3:80:d3:38:66:8f:49:37:c8:af:01:10:aa:f0
>                        cf:59:73:55:44:e9:99:ba:a2:9f:3c:42:91:06:02:04
>                        6b:f8:76:da:21:31:66:77:af:64:1b:48:59:62:59:7e
>                        28:bd:4e:99:76:6d:bf:b1:09:78:32:6e:e2:16:4b:67
>                        fc:06:5f:86:e4:18:54:cb:01:5a:5f:74:81:b5:98:5f
>                Exponent:
>                        01:00:01
>        Extensions:
>                Basic Constraints (critical):
>                        Certificate Authority (CA): FALSE
>                Key Purpose (not critical):
>                        TLS WWW Client.
>                        TLS WWW Server.
>                Subject Alternative Name (not critical):
>                        DNSname: ######
>                Subject Key Identifier (not critical):
>                        504a788c6ac79c390474f2d4ea93178bb851bd3e
>                Authority Key Identifier (not critical):
>                        b8ef8b453849432cbee53238e6ec165d75b45b28
>        Signature Algorithm: RSA-SHA
>        Signature:
>                57:8d:2c:14:0c:2a:2a:86:35:0d:9c:9e:b0:6e:76:0c
>                22:6f:6e:bc:0b:db:4f:a1:c5:29:62:60:e4:03:d1:df
>                10:b0:2f:c2:2d:f3:a0:62:cf:33:7c:cb:ba:67:53:8c
>                8d:bb:bb:0a:6d:fe:7f:74:e4:2f:ae:2d:e4:77:f5:ad
>                c3:77:c9:76:9a:57:fd:f1:63:b6:dc:b1:2c:fa:3f:5f
>                96:da:a7:42:2f:36:a0:af:6e:56:1e:30:d1:e5:f3:7b
>                64:10:22:14:44:05:7b:a2:a6:27:f0:d2:b3:47:3f:74
>                25:81:f7:7f:91:ca:8c:7b:a0:fe:fe:89:86:6e:d9:45
>                97:8d:f0:93:5c:0e:d2:fe:11:00:28:92:c8:e6:a3:a8
>                60:9c:0e:b2:33:90:29:ed:b4:e8:21:73:56:9d:ad:fe
>                c1:04:fe:23:aa:3a:39:ef:e0:39:0e:8a:91:b0:14:7e
>                41:2b:d1:08:0f:96:a0:5f:11:8a:bf:66:92:1a:b5:12
>                a3:19:f7:59:1f:ef:8c:59:34:72:49:97:8c:f4:79:f4
>                e6:3d:5e:b5:b4:5c:96:8f:71:d2:0e:e0:c8:af:55:6f
>                d6:36:ef:3f:89:98:14:38:6d:bf:2f:76:4b:d3:7b:bf
>                20:d7:48:85:9b:76:60:45:43:be:f8:d4:05:c0:bc:24
> Other Information:
>        MD5 fingerprint:
>                728189e4c0f146e4d302b6a2eb5341e9
>        SHA-1 fingerprint:
>                66762b9c21aaef11209125b909ea13c5c96f3b8e
>        Public Key Id:
>                504a788c6ac79c390474f2d4ea93178bb851bd3e
>
>
> Rainer
>
> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>>> I dug a bit deeper and the problem seems to manifest here:
>>>
>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>
>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>> gnutls_pk.c:285
>>>
>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>
>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>
>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>
>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>
>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>
>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>
>>> I used the code I just pulled from the git archive. So the assert in
>>> mpi.c is this one here:
>>
>> It seems like a value cannot be parsed. What is the output of certtool
>> in this certificate?
>>
>





More information about the Gnutls-help mailing list