Hi Dmitry,
ca-cacert just fell out of testing because of this issue.
Lucas Nussbaum wrote:
> > make[1]: Entering directory '/<>'
> > #find . -maxdepth 1 -type f -name "*.crt" -exec openssl verify "{}" \;
> > certtool --verify --load-ca-certificate root.crt --infile class3.crt
> > Loaded CAs (1 available)
> > Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
> > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Signature algorithm: RSA-SHA256
> > Output: Verified. The certificate is trusted.
> >
> > Chain verification output: Verified. The certificate is trusted.
> >
> > certtool --verify --load-ca-certificate root.crt --infile root.crt
> > Loaded CAs (1 available)
> > Subject: EMAIL=supp...@cacert.org,CN=CA Cert Signing
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Signature algorithm: RSA-MD5
                             ^^^
> > Output: Not verified. The certificate is NOT trusted.
> >
> > Chain verification output: Not verified. The certificate is NOT trusted.
The reason for this test suite failure is likely that certtool stopped
accepting the MD5 hashing algorithm.
The man page says:

    --verify-allow-broken
        Allow broken algorithms, such as MD5 for verification.
        This can be combined with --p7-verify, --verify or
        --verify-chain.
This could be fixed by changing

    certtool --verify --load-ca-certificate root.crt --infile root.crt

to

    certtool --verify --verify-allow-broken --load-ca-certificate root.crt --infile root.crt
As far as I understand, that seems to be only the self-signature of
root.crt (which AFAICT should be negligible), while the (AFAICT
relevant) signature on class3.crt uses SHA256, which is OK.
Regards, Axel
--
,''`. | Axel Beckert , https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
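
Added example, not part of the original mail or of the package's test suite: a small parser for the certtool output quoted above that separates a weak hash on the trust anchor's own self-signature from a weak hash on a certificate that anchor issued. The sample log is constructed from the quoted runs, and the WEAK_HASHES set and the classify() helper are assumptions of this example.

```python
import re

# Constructed sample: the two certtool runs quoted above, abridged, with the
# mail's line wrapping undone. The elided "supp..." address is kept as quoted.
ROOT_DN = ("EMAIL=supp...@cacert.org,CN=CA Cert Signing Authority,"
           "OU=http://www.cacert.org,O=Root CA")
SAMPLE = f"""\
certtool --verify --load-ca-certificate root.crt --infile class3.crt
Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
Issuer: {ROOT_DN}
Checked against: {ROOT_DN}
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
certtool --verify --load-ca-certificate root.crt --infile root.crt
Subject: {ROOT_DN}
Issuer: {ROOT_DN}
Checked against: {ROOT_DN}
Signature algorithm: RSA-MD5
Output: Not verified. The certificate is NOT trusted.
Chain verification output: Not verified. The certificate is NOT trusted.
"""

WEAK_HASHES = {"MD2", "MD5"}  # assumption of this example, not certtool's list
FIELD = re.compile(r"^[ \t]*(Subject|Issuer|Signature algorithm|Output): (.*)$", re.M)

def classify(log):
    """Map each --infile to a verdict; assumes one certificate per run."""
    verdicts = {}
    for run in re.split(r"^(?=certtool )", log, flags=re.M):
        cmd = re.search(r"--load-ca-certificate (\S+) --infile (\S+)", run)
        if not cmd:
            continue
        ca_file, infile = cmd.groups()
        f = dict(FIELD.findall(run))
        weak = f["Signature algorithm"].rsplit("-", 1)[-1] in WEAK_HASHES
        # Trust anchor: the file is the loaded CA itself and is self-issued.
        anchor = infile == ca_file and f["Subject"] == f["Issuer"]
        if f["Output"].startswith("Verified"):
            verdicts[infile] = "ok"
        elif weak:
            verdicts[infile] = ("weak self-signature on trust anchor" if anchor
                                else "weak signature on issued certificate")
        else:
            verdicts[infile] = "failed for another reason"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Only a run reported as "weak self-signature on trust anchor" is a candidate for --verify-allow-broken; a weak signature on an issued certificate is a real finding and should keep failing the test.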