[gnutls-help] certtool, honor_crq_extensions: The request is invalid?

Michael Tokarev mjt at tls.msk.ru
Mon Mar 20 12:35:24 CET 2023


20.03.2023 04:59, Daiki Ueno wrote:
>> certtool -V -d10 --generate-certificate --load-request mjt.crq --template /dev/stdin <<- EOF
>>          expiration_days = 365
>>          signing_key
>>          honor_crq_extensions
>>          #honor_crq_ext = 2.5.29.17
>>          #honor_crq_ext = 1.3.6.1
>>          #.4.1.311.13.2.2
>> EOF
>>
>> Setting log level to 10
>> Generating a signed certificate...
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_copy_data]:1610
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_copy_data]:1610
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_strdatum_to_buf]:1543
>> |<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
>> |<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
>> |<3>| ASSERT:
>> | ../../../lib/x509/x509_write.c[gnutls_x509_crt_set_subject_key_id]:1609
>> set_subject_key_id: The request is invalid.
> 
> Assuming this is with GnuTLS 3.7.9 (or a similar version), the last line
> means that there was some failure when retrieving a subjectKeyIdentifier
> extension from the certificate, where the extension exists but cannot be
> retrieved for some reason.
> 
> Would it be possible to share the certificate request so I can reproduce
> it locally?

Sure. This comes out of the standard Windows 10 certreq.exe, with the following
description file:

--- mjt.inf ---
[NewRequest]
Subject = "CN=Michael Tokarev,O=JSC CITTS,C=RU"
FriendlyName = "Michael Tokarev"
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Base Smart Card Crypto Provider"
--- end ---

with this command:
certreq.exe -new mjt.inf mjt.csr

This is the contents of mjt.csr which is being produced with the
above command:


When certtool is used with a template file which has an honor_crq_extensions
field, it fails with the above command.

Thank you!

/mjt
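As an added example (not code from this thread or from GnuTLS), a small pure-Python DER walker that lists the extensions carried in a PKCS#10 request's extensionRequest attribute and checks whether a subjectKeyIdentifier value is a well-formed OCTET STRING, which is the kind of check the diagnosis above points at. All function names are my own; the sample requests are constructed inline, and to inspect a real file such as mjt.csr you would base64-decode the PEM body and pass the bytes to csr_extensions.

```python
# Added example (not from the thread): a minimal DER walker that lists the extensions
# in a PKCS#10 extensionRequest attribute and checks that a subjectKeyIdentifier
# extnValue wraps a DER OCTET STRING (RFC 5280). Samples are constructed below.
EXT_REQUEST_OID, SKI_OID = "1.2.840.113549.1.9.14", "2.5.29.14"
def der_tlv(buf, pos=0):        # -> (tag, value, next_pos); short and long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):        # yield (tag, value) for each TLV in a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val
def decode_oid(raw):            # dotted string from OID contents (first arc below 2.80)
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)
def csr_extensions(der_csr):    # -> [(oid, critical, extnValue)] from extensionRequest
    cri = next(der_children(der_tlv(der_csr)[1]))[1]       # CertificationRequestInfo
    attrs = next((v for t, v in der_children(cri) if t == 0xA0), b"")  # [0] Attributes
    exts = []
    for _, attr in der_children(attrs):
        oid, values = list(der_children(attr))[:2]
        if decode_oid(oid[1]) != EXT_REQUEST_OID:
            continue
        for _, ext in der_children(next(der_children(values[1]))[1]):  # SET { SEQUENCE OF }
            parts = list(der_children(ext))                # OID [, BOOLEAN], OCTET STRING
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            exts.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return exts
def ski_well_formed(extn_value):  # extnValue must be exactly one non-empty OCTET STRING
    if len(extn_value) < 2:
        return False
    tag, keyid, end = der_tlv(extn_value)
    return tag == 0x04 and end == len(extn_value) and len(keyid) > 0
def der(tag, content):          # tiny encoder for the samples (short-form lengths only)
    return bytes([tag, len(content)]) + content
def build_csr(ski_extn_value):  # constructed: empty subject/SPKI, dummy signature, one SKI
    ext = der(0x30, der(0x06, bytes.fromhex("551d0e")) + der(0x04, ski_extn_value))
    attr = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01090e")) + der(0x31, der(0x30, ext)))
    cri = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + der(0x30, b"") + der(0xA0, attr))
    return der(0x30, cri + der(0x30, b"") + der(0x03, b"\x00"))
GOOD_CSR = build_csr(der(0x04, bytes(range(20))))  # constructed key id wrapped in OCTET STRING
BAD_CSR = build_csr(bytes(range(20)))              # bare key bytes, not DER: malformed extnValue
```

Running csr_extensions over a real request and then ski_well_formed over the 2.5.29.14 value shows whether the extension is present and encoded as expected before blaming the signing step.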


