From 74243ee87873487cabccb992907dfab7d5678e86 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 21 Aug 2020 15:52:17 +0200 Subject: [PATCH] Regenerate server2-sha256.crt with a PrintableString issuer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit server2-sha256.crt had the issuer ON and CN encoded as UTF8String, but the corresponding CA certificate test-ca_cat12.crt had them encoded as PrintableString. The strings matched, which is sufficient according to RFC 5280 §7.1 and RFC 4518 §2.1. However, GnuTLS 3.4.10 requires the strings to have the same encoding, so it did not accept that the UTF8String "PolarSSL Test CA" certificate was signed by the PrintableString "PolarSSL Test CA" CA. Since Mbed TLS 2.14 (specifically ebc1f40aa008f6a2ba42e7436e4596d8f780b612 merged via https://github.com/ARMmbed/mbedtls/pull/1641), server2-sha256.crt is generated by Mbed TLS's own cert_write program, which emits a PrintableString. In older versions, this file was generated by OpenSSL, which started emitting UTF8String at some point. 4f928c0f374558ec352825061a399db7a37ca2fc merged via https://github.com/ARMmbed/mbedtls/pull/2418 fixed this for the SHA-1 certificate which was used at the time. The present commit applies the same fix for the SHA-256 certificate that is now in use. Signed-off-by: Gilles Peskine --- tests/data_files/Makefile | 2 +- tests/data_files/server2-sha256.crt | 27 +++++++++++++-------------- 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index aeebf67bdd..61edad1d41 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -136,7 +136,7 @@ server2.crt: server2-rsa.csr
 	$(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr issuer_crt=test-ca-sha256.crt issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) serial=4 not_before=20190410141727 not_after=20290410141727 md=SHA1 version=3 output_file=$@
 all_final += server2.crt
 server2-sha256.crt: server2-rsa.csr
-	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
+	$(MBEDTLS_CERT_WRITE) request_file=server2-rsa.csr serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=SHA256 version=3 output_file=$@
 all_final += server2-sha256.crt
 
 test_ca_int_rsa1 = test-int-ca.crt
diff --git a/tests/data_files/server2-sha256.crt b/tests/data_files/server2-sha256.crt
index f13fe6499c..7b2e95efc6 100644
--- a/tests/data_files/server2-sha256.crt
+++ b/tests/data_files/server2-sha256.crt
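Review bot: The new recipe on the `+` line reads `$(test_ca_crt)` and `$(test_ca_key_file_rsa)`, but the rule header `server2-sha256.crt: server2-rsa.csr` lists only the CSR, so regenerating the issuer certificate will not cause this certificate to be regenerated (the neighbouring server2.crt rule has the same gap, so this may be the file's convention); `server2-sha256.crt: server2-rsa.csr $(test_ca_crt)` would close it. Beyond the PrintableString fix described in the commit message, the `+` line also changes the serial from 4 to 2, the validity window, and the issuer file from `test-ca-sha256.crt` to `$(test_ca_crt)`; since `issuer_key=$(test_ca_key_file_rsa)` is unchanged these presumably denote the same CA, and RFC 5280 §4.1.2.2 requires serial numbers to be unique per issuer, so it is worth confirming that no other certificate issued from this CA key in tests/data_files already carries serial 2. The removed line also applied the `cli-rsa` section of `$(cli_crt_extensions_file)`, while the new command passes no extension options, so the regenerated certificate's extensions come from cert_write's defaults — worth checking against what the tests that load server2-sha256.crt expect. A one-line comment above the rule such as `# Generated with cert_write, not openssl, so the issuer DN is a PrintableString matching the CA` would keep a future regeneration from reverting to the OpenSSL form.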
@@ -1,21 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTkwMzEyMTAwNzA0WhcNMjkwMzEyMTAwNzA0WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
 owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
 NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
 tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
 hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd
-BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe
-0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBAzAJBgNVHRMEAjAAMA0G
-CSqGSIb3DQEBCwUAA4IBAQCI8yvc3JSUnfBoWZbyia9BZJ3ZhqbH8V4fN7Co7l5J
-5985ZRPZ6Wz8pF3Cf97VrbqTHmC8PCYwXaxUbQif4apfEhvJP0luOGefAY5S87bw
-iQHEW7WcQwVwGxRIMLqlFwhJrNDyvvilTgLeILZIsY81HY+mw1FNtzZY94SRsyth
-x2dH/bJt/GeJq6XYAwQlurU6dFFTGPsvkg9tjMJyOcYRkT6+KvlpR8xSC/V673hH
-T7o2ePkWW73wWG1Qit3de6e2eMIHNZZTSVerd/IKiPfW6ro/123EWSZXbQ3DHHLD
-/0JVgqo90NrhRJQA249h/Og43ewiex75ToVoLWuijFx/
+HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
+VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
+FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBALVvYxsd
+o5YSOIaApPlpnFUnz5zD/TbI9/63iJH+ae61jvpjTY1bqLBBEcqMMg9tVFUdt4xd
+9MifL5zRZOGqKpfhWyoUZv7kXXMtfJsy0A6sqK11FcUE9r2Mt50tAO1MLZLJ5tKD
+XY9/dTqXnENPxCGUo89/UwIFuNhKPUDBRMeyx8FaKsGVksF/lGxYVFWrfzZFlW0M
+SXduk5xjoHE83erLEtZoxWIgrx7LXXgkDtswGkH+VpFt9dFFXJaeAQPeUBDAhEE9
+UDkaCx5tPlyriwUW1w1xDx40VFV+Dgg9CFxiHCF+ppg+MG8HV0LVDRJlhN94QHNg
+DAAVd5iuv8P+00Y=
 -----END CERTIFICATE-----