Chain building in certificate validation #32
Comments
Please post the PEM encoded certs in a comment here. My hunch is that the certificate isn’t using properly encoded strings, as the error message includes what appears to be UTF-8 represented as Latin encoding. |
Dear Will Bond,

You have all the certs in DER format. It's very unlikely that the certs have errors, they are part of the Portuguese identity certification chains. And yes, it's quite natural to have UTF-8 text on them, Portuguese has several diacritics.

Regards, |
The issue is, I don't have time and you want help, so I am asking you to do leg work. Downloading, extracting certs, converting them so that I can confirm if my hunch is true is a bunch of work.
My experience with certs is that plenty of software puts improperly encoded data into them. This is just a hunch, based on the mojibake in the error message.
UTF-8 is good. The issue here is that the error message implies the certs have UTF-8 in an ASN.1 encoding that is not designed for UTF-8. However, this is all my hunch. Once the data is laid out, it will be easier to confirm. |
PEM files attached. I've checked the chain step by step with openssl and it says it is good. |
Can you post the PEM inline here so we can just copy paste to https://lapo.it/asn1js/? |
That doesn't really help in this situation, as we don't use OpenSSL's chain building, nor validation code. |
PEM certificates inline. First certificate is leaf, last is root, rest are chain aligned. -----BEGIN CERTIFICATE----- |
I thought so. But my comment was not in that direction. I knew that that chain is correctly found (and presented) by the standard Windows certificate presenter. I just checked if openssl would behave likewise; and it does. And, as such, this reduces the probability of having encoding problems on the certificates. They may exist, though, I don't know enough of ASN.1 to discuss that with you, but it is very unlikely, given the results of those two tools. Regards, |
Can you provide the code that resulted in the backtrace? So far it looks like the encoding on the leaf is good, so it is likely that the encoding corruption is from wherever the exception was printed. |
Sure. First parameter is certificate to check, second is year, then month, then day, then the rest of the certificates in the chain.

```python
#!/usr/bin/python3
import os
import sys


def main():
    ...


if __name__ == "__main__":
    main()
```
|
The current chain that is posted in the message #32 (comment) looks to be:

Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Subject: <Name(C=PT,O=MULTICERT - Serviços de Certificação Electrónica S.A.,OU=Entidade de Certificação Credenciada,CN=MULTICERT - Entidade de Certificação 001)>

As you can see the root cert provided is not suitable for the chain. This is the chain that works for me but with Root Cert (https://crt.sh/?id=76) instead of the Root Cert provided.

Subject: <Name(C=PT,O=Cartão de Cidadão,OU=Assinatura Qualificada do Cidadão,OU=Cidadão Português,2.5.4.4=DOS SANTOS RODRIGUES,2.5.4.42=JOÃO PEDRO,2.5.4.5=BI151540446,CN=JOÃO PEDRO DOS SANTOS RODRIGUES)>
Subject: <Name(C=PT,O=Instituto dos Registos e do Notariado I.P.,OU=Cartão de Cidadão,OU=subECEstado,CN=EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015)>
Subject: <Name(C=PT,O=SCEE - Sistema de Certificação Electrónica do Estado,OU=ECEstado,CN=Cartão de Cidadão 004)>
Subject: <Name(C=PT,O=SCEE,CN=ECRaizEstado)>
Subject: <Name(C=IE,O=Baltimore,OU=CyberTrust,CN=Baltimore CyberTrust Root)>

However when using this correct ROOT cert you will encounter the issue fixed in #28. |
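To show why the MULTICERT root cannot close the chain listed above, here is an added toy chain builder (not certvalidator's own code) that does in outline what the registry's path building does: start at the leaf, look for a certificate whose subject Name equals the current issuer Name, and stop at a self-signed certificate or fail with the same "no issuer matching" wording. The certificates are constructed DER skeletons carrying only the commonNames from the listing; no keys or signatures are involved, and the real registry compares asn1crypto Name objects rather than raw DER bytes as this toy does.

```python
def tlv(tag, body):  # encode one DER TLV (short or long-form length)
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body
def name(cn):  # Name with one RDN: SET { SEQUENCE { id-at-commonName, UTF8String } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def fake_cert(subject, issuer):  # unsigned skeleton: [0] version, serial, sigalg, issuer, validity, subject, spki
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def read_tlv(buf, pos=0):  # -> (tag, value, end offset)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln
def children(der):  # whole child TLVs (bytes) of a constructed value
    _, body, _ = read_tlv(der)
    out, pos = [], 0
    while pos < len(body):
        start, (_, _, pos) = pos, read_tlv(body, pos)
        out.append(body[start:pos])
    return out
def subject_issuer(cert):  # raw Name TLVs; the toy compares them byte-for-byte
    f = children(children(cert)[0])       # TBSCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f   # skip optional [0] version
    return f[4], f[2]
def cn_of(name_tlv):  # commonName text of a Name built by name()
    atv = children(children(name_tlv)[0])[0]
    return read_tlv(children(atv)[1])[1].decode()

def build_path(leaf, pool):  # leaf -> ... -> self-signed root, or fail as certvalidator does
    path, cur = [leaf], leaf
    while subject_issuer(cur)[0] != subject_issuer(cur)[1]:
        iss = subject_issuer(cur)[1]
        cur = next((c for c in pool if subject_issuer(c)[0] == iss), None)
        if cur is None:
            raise ValueError(f'no issuer matching "{cn_of(iss)}" was found')
        path.append(cur)
    return [cn_of(subject_issuer(c)[0]) for c in path]

# Constructed stand-ins for the chain listed above (names only, no keys or signatures)
CNS = ["JOÃO PEDRO DOS SANTOS RODRIGUES", "EC de Assinatura Digital Qualificada do Cartão de Cidadão 0015",
       "Cartão de Cidadão 004", "ECRaizEstado", "Baltimore CyberTrust Root"]
CERTS = [fake_cert(CNS[i], CNS[i + 1]) for i in range(4)]  # each issued by the next name
def try_root(root_cn):  # path CNs on success, the PathBuildingError-style message on failure
    try:
        return build_path(CERTS[0], CERTS[1:] + [fake_cert(root_cn, root_cn)])
    except ValueError as e:
        return str(e)
```

With the Baltimore root in the pool the walk reaches a self-signed certificate; with the MULTICERT root it stops at ECRaizEstado, whose issuer Name matches nothing supplied.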
I'm also having trouble validating the cert chain and am happy to open a separate issue if needed, but I'll add to this one until asked to make a separate specific issue for my scenario. To make things easy, I'll test against badssl.com so we can avoid zipping certs or posting walls of text. Choose any host you like for this problem, they all have a chain.

The chain obtained using:

```python
import logging
from socket import socket, AF_INET, SOCK_STREAM

import requests
from OpenSSL import SSL
from OpenSSL.crypto import dump_certificate, FILETYPE_PEM

logger = logging.getLogger(__name__)


def get_peer_certificate_chain(domain_name):
    """Return the chain the peer presented, as pyOpenSSL X509 objects."""
    peer_certificate_chain = []
    for method in [SSL.TLSv1_2_METHOD, SSL.TLSv1_1_METHOD, SSL.TLSv1_METHOD, SSL.SSLv23_METHOD]:
        context = SSL.Context(method=method)
        for bundle in [requests.certs.where()]:
            context.load_verify_locations(cafile=bundle)
        sock = SSL.Connection(context=context, socket=socket(AF_INET, SOCK_STREAM))
        sock.settimeout(5)
        sock.set_tlsext_host_name(domain_name.encode())
        try:
            sock.connect((domain_name, 443))
            sock.setblocking(1)
            sock.do_handshake()
            for (_, cert) in enumerate(sock.get_peer_cert_chain()):
                peer_certificate_chain.append(cert)
            sock.shutdown()
            sock.close()
            break
        except Exception as ex:
            logger.exception(ex)
            sock.shutdown()
            sock.close()
    return peer_certificate_chain
```

but

```python
intermediate_certs = []
for cert in get_peer_certificate_chain(host):
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
```

Okay, on with the example:

```python
from certvalidator import CertificateValidator, ValidationContext

ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)  # should be self explanatory how to create a socket using get_peer_certificate_chain example
x509 = self.server_certificate.to_cryptography()  # I use the cryptography lib extensively
# later, I have access to the cryptography lib but CertificateValidator requires the der
der = x509.tbs_certificate_bytes  # DER of the TBSCertificate structure (not of the outer Certificate)
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)
```

This is the error I get. The trace:

I have refactored to remove the usage of cryptography lib entirely, i.e.

```python
from certvalidator import CertificateValidator, ValidationContext
from OpenSSL.crypto import dump_certificate, FILETYPE_PEM

# create sock using get_peer_certificate_chain example
host = 'mozilla-modern.badssl.com'
intermediate_certs = []
for cert in get_peer_certificate_chain(host):
    intermediate_certs.append(dump_certificate(FILETYPE_PEM, cert))
ctx = ValidationContext(allow_fetching=True, revocation_mode='hard-fail', weak_hash_algos=set(["md2", "md5", "sha1"]))
der = sock.getpeercert(True)
validator = CertificateValidator(der, validation_context=ctx, intermediate_certs=intermediate_certs)
validator.validate_usage(
    key_usage=set(['digital_signature', 'crl_sign']),
    extended_key_usage=set(['ocsp_signing']),
)
```

But no change, the same exception occurs. I've spent over 12 hours on this, the scenario is pretty complete now, am at a loss what to try next so I'm keen for any advice at all. |
@stof What version of asn1crypto are you using? The error message indicates that asn1crypto is finding an ASN.1 construction it doesn't expect in one of the certificates. |
@wbond you mentioned the wrong person |
Sorry about that! |
@chrisdlangton See above ^ |
Hi,
I'm using certvalidator 0.11.1.
It cannot build a chain with the attached certificates for the one in me.der.
However, it should work, as the chain was extracted from a Windows tool that examines certificate chains.
me.zip
The traceback gives:

```
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 193, in validate_usage
    self._validate_path()
  File "/usr/local/lib/python3.8/site-packages/certvalidator/__init__.py", line 108, in _validate_path
    paths = self._context.certificate_registry.build_paths(self._certificate)
  File "/usr/local/lib/python3.8/site-packages/certvalidator/registry.py", line 314, in build_paths
    raise PathBuildingError(pretty_message(
certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: ANDRÉ VENTURA DA CRUZ MARNÔTO ZÚQUETE; Serial Number: BI068540477; Given Name: ANDRÉ; Surname: VENTURA DA CRUZ MARNÔTO ZÚQUETE; Organizational Unit: Cidadão Português, Assinatura Qualificada do Cidadão; Organization: Cartão de Cidadão; Country: PT" - no issuer matching "Common Name: ECRaizEstado 002, Organization: Sistema de Certificação Eletrónica do Estado, Country: PT" was found
```