Florian Smeets wrote:
RELENG_9, world and ports built with clang.
Do you know if it's caused by the port being built with clang or if
world compiled with clang is the cause?
I tested that on RELENG_8 also with the same result.
Random junk or hints:
1. certtool from gnutls verifies certificates successfully.
2. Making both keys with 2048 bit width gives the same result.
So maybe it's rather about supporting wide (2048 bit) DSA keys?
This seems to be fixed by nspr-4.9 / nss-3.13.2. With your Makefile the
tool does not crash anymore.
Strange, still crashes for me on RELENG_8_2 and RELENG_9 built with clang:
# checking with certtool
certtool -e --infile site.cert --infile base.cert
Certificate[0]: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,[email protected]
Issued by: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,[email protected]
Verification output: Verified.
Chain verification output: Verified.
# checking cert with nss
checkcert -aA site.cert base.cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
*** Signal 11
Stop in /home/arcade/tmp.
I'll include the Makefile for later reference.
And I was wrong, this is not about 2048-bit keys, it fails on 1024-bit
keys too.
I'll try to set up a virtual host with stock RELENG_9_0 and recheck there.
--
Sphinx of black quartz judge my vow.
all:
	# creating simple CA
	openssl dsaparam -out dp2048.pem 1024
	openssl gendsa -out base.pem dp2048.pem
	printf '\n\n\n\nPity sec\nbase\[email protected]\n' | openssl req -new -x509 -out base.cert -key base.pem -days 365
	@echo
	mkdir -p demoCA/newcerts
	touch demoCA/index.txt
	echo 00 > demoCA/serial
	# creating sample cert
	openssl dsaparam -out dp1024.pem 1024
	openssl gendsa -out site.pem dp1024.pem
	printf '\n\n\n\nPity sec\nsite.base\[email protected]\n\n\n' | openssl req -new -out site.req -key site.pem -days 365
	@echo
	# signing cert
	printf 'y\ny\n' | openssl ca -cert base.cert -keyfile base.pem -policy policy_anything -out site.cert -infiles site.req
	# checking with certtool
	certtool -e --infile site.cert --infile base.cert
	# checking cert with nss
	checkcert -aA site.cert base.cert

clean:
	rm -rf dp2048.pem dp1024.pem base.pem site.pem base.cert site.req site.cert demoCA