Hi Alex,
    0:d=0  hl=4 l= 964 cons: SEQUENCE          
    4:d=1  hl=4 l= 684 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=  20 prim: INTEGER           :317DC7DB62E6BDDD32EE885BB9BB5792337907E0
   35:d=2  hl=2 l=  13 cons: SEQUENCE          
   37:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   48:d=3  hl=2 l=   0 prim: NULL              
   50:d=2  hl=3 l= 142 cons: SEQUENCE          
   53:d=3  hl=2 l=  11 cons: SET               
   55:d=4  hl=2 l=   9 cons: SEQUENCE          
   57:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   62:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   66:d=3  hl=2 l=  15 cons: SET               
   68:d=4  hl=2 l=  13 cons: SEQUENCE          
   70:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   75:d=5  hl=2 l=   6 prim: UTF8STRING        :Bayern
   83:d=3  hl=2 l=  17 cons: SET               
   85:d=4  hl=2 l=  15 cons: SEQUENCE          
   87:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   92:d=5  hl=2 l=   8 prim: UTF8STRING        :Augsburg
  102:d=3  hl=2 l=  13 cons: SET               
  104:d=4  hl=2 l=  11 cons: SEQUENCE          
  106:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  111:d=5  hl=2 l=   4 prim: UTF8STRING        :Corp
  117:d=3  hl=2 l=  11 cons: SET               
  119:d=4  hl=2 l=   9 cons: SEQUENCE          
  121:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  126:d=5  hl=2 l=   2 prim: UTF8STRING        :IT
  130:d=3  hl=2 l=  30 cons: SET               
  132:d=4  hl=2 l=  28 cons: SEQUENCE          
  134:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  139:d=5  hl=2 l=  21 prim: UTF8STRING        :JMY Intermidiate CA 3
  162:d=3  hl=2 l=  31 cons: SET               
  164:d=4  hl=2 l=  29 cons: SEQUENCE          
  166:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  177:d=5  hl=2 l=  16 prim: IA5STRING         :i...@example.com
  195:d=2  hl=2 l=  30 cons: SEQUENCE          
  197:d=3  hl=2 l=  13 prim: UTCTIME           :171001000000Z
  212:d=3  hl=2 l=  13 prim: UTCTIME           :171230115900Z
  227:d=2  hl=2 l=  42 cons: SEQUENCE          
  229:d=3  hl=2 l=  11 cons: SET               
  231:d=4  hl=2 l=   9 cons: SEQUENCE          
  233:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  238:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
  242:d=3  hl=2 l=  27 cons: SET               
  244:d=4  hl=2 l=  25 cons: SEQUENCE          
  246:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  251:d=5  hl=2 l=  18 prim: UTF8STRING        :cert.testserver.io
  271:d=2  hl=4 l= 290 cons: SEQUENCE          
  275:d=3  hl=2 l=  13 cons: SEQUENCE          
  277:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  288:d=4  hl=2 l=   0 prim: NULL              
  290:d=3  hl=4 l= 271 prim: BIT STRING        
  565:d=2  hl=2 l= 125 cons: cont [ 3 ]        
  567:d=3  hl=2 l= 123 cons: SEQUENCE          
  569:d=4  hl=2 l=  12 cons: SEQUENCE          
  571:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  576:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  579:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
  583:d=4  hl=2 l=  14 cons: SEQUENCE          
  585:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  590:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  593:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
  599:d=4  hl=2 l=  29 cons: SEQUENCE          
  601:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  606:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030106082B06010505070302
  630:d=4  hl=2 l=  29 cons: SEQUENCE          
  632:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  637:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:30148212636572742E746573747365727665722E696F
  661:d=4  hl=2 l=  29 cons: SEQUENCE          
  663:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  668:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414E3BA2AFAEA7B63A16E0905DB7B1DD22CC423CF09
  692:d=1  hl=2 l=  13 cons: SEQUENCE          
  694:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  705:d=2  hl=2 l=   0 prim: NULL              
  707:d=1  hl=4 l= 257 prim: BIT STRING        

    0:d=0  hl=4 l= 964 cons: SEQUENCE          
    4:d=1  hl=4 l= 684 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=  20 prim: INTEGER           :4A8D43EBAC541846A6B08FD2981C74490DEF14DD
   35:d=2  hl=2 l=  13 cons: SEQUENCE          
   37:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   48:d=3  hl=2 l=   0 prim: NULL              
   50:d=2  hl=3 l= 142 cons: SEQUENCE          
   53:d=3  hl=2 l=  11 cons: SET               
   55:d=4  hl=2 l=   9 cons: SEQUENCE          
   57:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   62:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   66:d=3  hl=2 l=  15 cons: SET               
   68:d=4  hl=2 l=  13 cons: SEQUENCE          
   70:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   75:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Bayern
   83:d=3  hl=2 l=  17 cons: SET               
   85:d=4  hl=2 l=  15 cons: SEQUENCE          
   87:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   92:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :Augsburg
  102:d=3  hl=2 l=  13 cons: SET               
  104:d=4  hl=2 l=  11 cons: SEQUENCE          
  106:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  111:d=5  hl=2 l=   4 prim: PRINTABLESTRING   :Corp
  117:d=3  hl=2 l=  11 cons: SET               
  119:d=4  hl=2 l=   9 cons: SEQUENCE          
  121:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  126:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :IT
  130:d=3  hl=2 l=  30 cons: SET               
  132:d=4  hl=2 l=  28 cons: SEQUENCE          
  134:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  139:d=5  hl=2 l=  21 prim: PRINTABLESTRING   :JMY Intermidiate CA 3
  162:d=3  hl=2 l=  31 cons: SET               
  164:d=4  hl=2 l=  29 cons: SEQUENCE          
  166:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  177:d=5  hl=2 l=  16 prim: IA5STRING         :i...@example.com
  195:d=2  hl=2 l=  30 cons: SEQUENCE          
  197:d=3  hl=2 l=  13 prim: UTCTIME           :171001114600Z
  212:d=3  hl=2 l=  13 prim: UTCTIME           :181001114600Z
  227:d=2  hl=2 l=  42 cons: SEQUENCE          
  229:d=3  hl=2 l=  11 cons: SET               
  231:d=4  hl=2 l=   9 cons: SEQUENCE          
  233:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  238:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
  242:d=3  hl=2 l=  27 cons: SET               
  244:d=4  hl=2 l=  25 cons: SEQUENCE          
  246:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  251:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :cert.testserver.io
  271:d=2  hl=4 l= 290 cons: SEQUENCE          
  275:d=3  hl=2 l=  13 cons: SEQUENCE          
  277:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  288:d=4  hl=2 l=   0 prim: NULL              
  290:d=3  hl=4 l= 271 prim: BIT STRING        
  565:d=2  hl=2 l= 125 cons: cont [ 3 ]        
  567:d=3  hl=2 l= 123 cons: SEQUENCE          
  569:d=4  hl=2 l=  29 cons: SEQUENCE          
  571:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  576:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414E3BA2AFAEA7B63A16E0905DB7B1DD22CC423CF09
  600:d=4  hl=2 l=  12 cons: SEQUENCE          
  602:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  607:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  610:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
  614:d=4  hl=2 l=  14 cons: SEQUENCE          
  616:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  621:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  624:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
  630:d=4  hl=2 l=  29 cons: SEQUENCE          
  632:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  637:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030106082B06010505070302
  661:d=4  hl=2 l=  29 cons: SEQUENCE          
  663:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name
  668:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:30148212636572742E746573747365727665722E696F
  692:d=1  hl=2 l=  13 cons: SEQUENCE          
  694:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  705:d=2  hl=2 l=   0 prim: NULL              
  707:d=1  hl=4 l= 257 prim: BIT STRING        
Thanks for the fast answer. It seems that you guessed right. I've attached the outputs of the openssl command. Comparing the files, I can see that the one created with Python is UTF8STRING and the one from my other application is PRINTABLESTRING.

I will try a new test with the current git version of cryptography.

Thanks,
Julian

On 01.10.2017 at 15:45, Alex Gaynor <alex.gay...@gmail.com> wrote:

Can you point your certificate at `openssl asn1parse` and compare the string types used in the signature?

My guess is that the cryptography generated cert will have UTF8String, and the cert generated by your other software will have PrintableString or some other string type.

If yes, good news! This will be fixed in the next cryptography release -- you can verify this by testing with the version of cryptography in git.

Alex

On Sun, Oct 1, 2017 at 9:43 AM, Julian Meyer <jul...@meyer-privat.com> wrote:
Hi,

I would like to sign a certificate with my internal intermediate (CA) certificate. At first I thought the issue was caused by the AuthorityKeyIdentifier extension without the authority_cert_issuer and authority_cert_serial_number parameters.

But after Paul wrote back and I ran a few tests, it turned out this isn't the issue.

Until now, I have used a desktop application called XCA to manage my testing certificates. I would like to automate this with my Python program. But the web browser doesn't accept the created certificates. In Chrome I get ERR_CERT_AUTHORITY_INVALID as an error message, but if I check this certificate with openssl, or by importing it in XCA, all seems alright. Yes, the root certificate is in the trust store and the web server is delivering the intermediate and server certificates.

I can't work out why the browser cannot validate the trust chain if the certificate is signed by the cryptography library.

My Software is Open Source and this is the part, where the certificate is signed:
https://github.com/meyju/cert-master/blob/92104e07bc8d909d763f3559783e9e3698785dbc/cert_master/certificate.py#L239

Is the order of the extensions in the certificate important? This is the only difference I can see right now.

Any suggestions or tips?

Should I send my testing certificates?

Kind regards,
Julian
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev



--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
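
The string-type difference found in this thread, shown on constructed data as an added example (not code from the thread or from the cryptography project): a small DER walker that lists each Name attribute's string type and shows that two Names with identical text still differ byte for byte. It assumes a verifier that matches a certificate's issuer to the CA's subject by comparing the encoded bytes, which the thread does not confirm; all helper names are hypothetical.

```python
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}
C, O, CN = bytes.fromhex("550406"), bytes.fromhex("55040a"), bytes.fromhex("550403")
OIDS = {C: "countryName", O: "organizationName", CN: "commonName"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # yield (tag, value) for each inner TLV
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_attributes(der_name):
    """Return [(attribute, string_type, text)] for a DER-encoded X.501 Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in children(rdns):          # each RDN is a SET
        for _, atv in children(rdn):       # of SEQUENCE { OID, string }
            (_, oid), (stag, sval) = children(atv)
            out.append((OIDS.get(oid, oid.hex()), TAGS.get(stag, hex(stag)),
                        sval.decode("utf-8", "replace")))
    return out

def tlv(tag, value):                       # short-form lengths only (sample data)
    return bytes([tag, len(value)]) + value

def build_name(attrs, string_tag):         # countryName stays PrintableString
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13 if oid == C else string_tag, text.encode())))
        for oid, text in attrs))

def compare_names(issuer_in_leaf, subject_in_ca):
    a, b = name_attributes(issuer_in_leaf), name_attributes(subject_in_ca)
    return {"bytes_equal": issuer_in_leaf == subject_in_ca,
            "text_equal": [(o, t) for o, _, t in a] == [(o, t) for o, _, t in b],
            "type_mismatches": [(x[0], x[1], y[1]) for x, y in zip(a, b) if x[1] != y[1]]}

ATTRS = [(C, "DE"), (O, "Corp"), (CN, "JMY Intermidiate CA 3")]  # constructed sample
LEAF_ISSUER = build_name(ATTRS, 0x0C)      # issuer as written into the Python-built cert
CA_SUBJECT = build_name(ATTRS, 0x13)       # assumed: CA's own subject is PrintableString
```

`compare_names(LEAF_ISSUER, CA_SUBJECT)` reports equal text, unequal bytes, and the two attributes whose string type changed, which is the same pattern the two `openssl asn1parse` dumps show for the issuer fields.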
