[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
Rainer Gerhards
rgerhards at gmail.com
Fri Jun 20 10:40:08 CEST 2008
Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
value in question is "pathLenConstraint", node is a non-NULL value (I
put a printf() in _gnutls_x509_read_uint()).
Rainer
On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
> I mangled the names (## in their places) because this is a cert I
> received from a user:
>
> [root at rgf9dev nick]# certtool -i < cert.pem
> X.509 Certificate Information:
> Version: 3
> Serial Number (hex): 485a73f4
> Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
> Validity:
> Not Before: Thu Jun 19 14:57:58 UTC 2008
> Not After: Wed Mar 16 14:58:01 UTC 2011
> Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
> Subject Public Key Algorithm: RSA
> Modulus (bits 2048):
> ac:ad:f0:eb:35:6b:9e:41:e9:6a:67:03:ed:2c:12:6e
> 00:ea:ae:ea:10:2a:bd:52:00:4a:2d:d3:55:77:20:b6
> dd:78:97:e3:83:4d:19:f8:64:af:7d:58:e7:b3:bb:92
> 05:92:0e:38:9b:98:2e:55:44:74:3b:af:24:65:33:f8
> 42:d6:76:b5:f2:97:dc:8c:e8:b5:ae:a6:1d:17:71:62
> 16:cc:db:1c:78:ae:a2:53:78:7a:88:3e:b0:85:ce:4f
> 3b:e9:76:53:db:6f:f4:40:99:24:91:ec:b9:ab:40:76
> 66:de:21:3e:36:1b:7c:ff:7e:ca:0c:9f:e8:5c:52:84
> 3d:cb:51:41:db:30:89:c9:0c:95:f1:da:d2:d7:4f:30
> 73:2b:00:a5:e2:a0:da:27:84:6c:db:03:11:8c:a3:16
> 3c:2d:48:30:c7:a3:0a:26:ea:68:4a:c2:e8:7e:e0:ae
> 6a:66:c3:80:d3:38:66:8f:49:37:c8:af:01:10:aa:f0
> cf:59:73:55:44:e9:99:ba:a2:9f:3c:42:91:06:02:04
> 6b:f8:76:da:21:31:66:77:af:64:1b:48:59:62:59:7e
> 28:bd:4e:99:76:6d:bf:b1:09:78:32:6e:e2:16:4b:67
> fc:06:5f:86:e4:18:54:cb:01:5a:5f:74:81:b5:98:5f
> Exponent:
> 01:00:01
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): FALSE
> Key Purpose (not critical):
> TLS WWW Client.
> TLS WWW Server.
> Subject Alternative Name (not critical):
> DNSname: ######
> Subject Key Identifier (not critical):
> 504a788c6ac79c390474f2d4ea93178bb851bd3e
> Authority Key Identifier (not critical):
> b8ef8b453849432cbee53238e6ec165d75b45b28
> Signature Algorithm: RSA-SHA
> Signature:
> 57:8d:2c:14:0c:2a:2a:86:35:0d:9c:9e:b0:6e:76:0c
> 22:6f:6e:bc:0b:db:4f:a1:c5:29:62:60:e4:03:d1:df
> 10:b0:2f:c2:2d:f3:a0:62:cf:33:7c:cb:ba:67:53:8c
> 8d:bb:bb:0a:6d:fe:7f:74:e4:2f:ae:2d:e4:77:f5:ad
> c3:77:c9:76:9a:57:fd:f1:63:b6:dc:b1:2c:fa:3f:5f
> 96:da:a7:42:2f:36:a0:af:6e:56:1e:30:d1:e5:f3:7b
> 64:10:22:14:44:05:7b:a2:a6:27:f0:d2:b3:47:3f:74
> 25:81:f7:7f:91:ca:8c:7b:a0:fe:fe:89:86:6e:d9:45
> 97:8d:f0:93:5c:0e:d2:fe:11:00:28:92:c8:e6:a3:a8
> 60:9c:0e:b2:33:90:29:ed:b4:e8:21:73:56:9d:ad:fe
> c1:04:fe:23:aa:3a:39:ef:e0:39:0e:8a:91:b0:14:7e
> 41:2b:d1:08:0f:96:a0:5f:11:8a:bf:66:92:1a:b5:12
> a3:19:f7:59:1f:ef:8c:59:34:72:49:97:8c:f4:79:f4
> e6:3d:5e:b5:b4:5c:96:8f:71:d2:0e:e0:c8:af:55:6f
> d6:36:ef:3f:89:98:14:38:6d:bf:2f:76:4b:d3:7b:bf
> 20:d7:48:85:9b:76:60:45:43:be:f8:d4:05:c0:bc:24
> Other Information:
> MD5 fingerprint:
> 728189e4c0f146e4d302b6a2eb5341e9
> SHA-1 fingerprint:
> 66762b9c21aaef11209125b909ea13c5c96f3b8e
> Public Key Id:
> 504a788c6ac79c390474f2d4ea93178bb851bd3e
>
>
> Rainer
>
> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>>> I dug a bit deeper and the problem seems to manifest here:
>>>
>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>
>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>> gnutls_pk.c:285
>>>
>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>
>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>
>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>
>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>
>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>
>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>
>>> I used the code I just pulled from the git archive. So the assert in
>>> mpi.c is this one here:
>>
>> It seems like a value cannot be parsed. What is the output of certtool
>> in this certificate?
>>
>
More information about the Gnutls-help
mailing list