Client returning invalid_SCT data but cert seems to be OK


Javier Olmo Gil

Dec 11, 2015, 9:31:06 AM
to certificate-transparency
Hello!

I'm having trouble when creating certificates with CT enabled:

I generated a certificate and installed it on https://servicio.dfirma.com

The SCT I've generated is correctly generated (at least in the structure), but Chrome says that the log entries are not correct.

I've verified by sending the poisoned precert again, along with the chain with the CA and SUBCA public keys, to the same logs, and they return the SCT data to me. If I compare the SCT data with the SCT embedded in the cert, they appear to be the same. The timestamp of the two SCTs is the same.

I'm blocked at this point. Chrome says this in the netinternals window:


SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
                          --> embedded_scts = "APEAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVGRaQhRAAAEAwBHMEUCIQCD9yOn5iKfNAeac+XrvfOQOcnGPXHptZ2pfq51SG3QtAIgRcTdSbcZHXedUaQ6IPVdroj1i+JIlOJOw1liM58kLG4AdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVGRaQzhAAAEAwBIMEYCIQC/GM960XCLW/wSIKcMiWDR8eFNyHnm+FHg8zdJrrJZ9AIhALvhYXI9SrjtFEcaUwcbO19/0oMlmR77VHNVtZ43SeVp"
                          --> scts_from_ocsp_response = ""
                          --> scts_from_tls_extension = ""
t= 3299 [st=   50]        SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
                          --> invalid_scts = [{"extensions":"","hash_algorithm":"SHA256","log_id":"aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q=","origin":"embedded_in_certificate","signature_algorithm":"ECDSA","signature_data":"MEUCIQCD9yOn5iKfNAeac+XrvfOQOcnGPXHptZ2pfq51SG3QtAIgRcTdSbcZHXedUaQ6IPVdroj1i+JIlOJOw1liM58kLG4=","timestamp":"1449843558481","version":0},{"extensions":"","hash_algorithm":"SHA256","log_id":"pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=","origin":"embedded_in_certificate","signature_algorithm":"ECDSA","signature_data":"MEYCIQC/GM960XCLW/wSIKcMiWDR8eFNyHnm+FHg8zdJrrJZ9AIhALvhYXI9SrjtFEcaUwcbO19/0oMlmR77VHNVtZ43SeVp","timestamp":"1449843559649","version":0}]
                          --> unknown_logs_scts = []
                          --> verified_scts = []

I'm completely blocked right now. I'm thinking that maybe some OID that we embed in the cert is ugly for the client (Google Chrome); anyway, the cert seems to be valid.

I don't know what I'm doing wrong.

Many thanks for the help!

Adam Eijdenberg

Dec 11, 2015, 12:15:31 PM
to certificate-transparency
Hi Javier,

Your site is currently returning this certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Which I believe (based on the timestamps in the SCTs) corresponds to this log entry:

However that entry (for the pre-cert) has different start/end dates than the cert they are embedded in (varies by 5 seconds) and a different serial number and possibly other differences, so I think that is why the signature is failing to validate.

Does that help?

Cheers, Adam

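The two checks behind Adam's diagnosis, as an added example that is not code from this thread: decode the `embedded_scts` value Chrome logged in the first message into its two SCTs (the result can be compared field by field with Chrome's `invalid_scts` output), and rebuild the bytes a log signs for a precert entry (RFC 6962, section 3.2). The signed struct wraps the precert's TBSCertificate, so a final certificate whose serial number or validity differs from the precert yields different signed bytes and the SCT signature cannot verify against it. The issuer-key and TBS blobs in the demo are constructed placeholders, and `verify_precert_sct` is an added helper that needs the `cryptography` package plus the log's public key, which the thread does not include.

```python
"""Decode an embedded SCT list and rebuild the data a CT log signs for a precert.

Added example for this thread, not code from the original posts. EMBEDDED_SCTS_B64
is the "embedded_scts" value from the Chrome net-internals log quoted above; the
issuer-key and TBSCertificate bytes used in the demo are constructed placeholders.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List

EMBEDDED_SCTS_B64 = "APEAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVGRaQhRAAAEAwBHMEUCIQCD9yOn5iKfNAeac+XrvfOQOcnGPXHptZ2pfq51SG3QtAIgRcTdSbcZHXedUaQ6IPVdroj1i+JIlOJOw1liM58kLG4AdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVGRaQzhAAAEAwBIMEYCIQC/GM960XCLW/wSIKcMiWDR8eFNyHnm+FHg8zdJrrJZ9AIhALvhYXI9SrjtFEcaUwcbO19/0oMlmR77VHNVtZ43SeVp"

HASH_ALGORITHMS = {4: "SHA256"}       # TLS HashAlgorithm ids used by CT logs
SIGNATURE_ALGORITHMS = {3: "ECDSA"}   # TLS SignatureAlgorithm ids used by CT logs
CERTIFICATE_TIMESTAMP = 0             # SignatureType
PRECERT_ENTRY = 1                     # LogEntryType


@dataclass
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's DER SubjectPublicKeyInfo
    timestamp: int       # milliseconds since the Unix epoch
    extensions: bytes
    hash_algorithm: int
    signature_algorithm: int
    signature: bytes     # DER-encoded ECDSA signature


def parse_sct(data: bytes) -> SCT:
    """Decode one SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    version = data[0]
    log_id = data[1:33]
    (timestamp,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    hash_alg, sig_alg = data[pos], data[pos + 1]
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    pos += 4
    if pos + sig_len != len(data):
        raise ValueError("SCT length does not match its signature length")
    return SCT(version, log_id, timestamp, extensions, hash_alg, sig_alg, data[pos:pos + sig_len])


def parse_sct_list(data: bytes) -> List[SCT]:
    """Decode a SignedCertificateTimestampList: a uint16 total length followed by
    uint16-length-prefixed opaque SCTs (the payload of the X.509 SCT extension)."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def embedded_scts_from_thread() -> List[SCT]:
    """The two SCTs Chrome found in the certificate discussed in this thread."""
    return parse_sct_list(base64.b64decode(EMBEDDED_SCTS_B64))


def describe(sct: SCT) -> dict:
    """Render an SCT the way Chrome's net-internals output does (base64 fields)."""
    return {
        "log_id": base64.b64encode(sct.log_id).decode(),
        "timestamp": sct.timestamp,
        "hash_algorithm": HASH_ALGORITHMS.get(sct.hash_algorithm, sct.hash_algorithm),
        "signature_algorithm": SIGNATURE_ALGORITHMS.get(sct.signature_algorithm, sct.signature_algorithm),
        "signature_data": base64.b64encode(sct.signature).decode(),
    }


def precert_signed_data(sct: SCT, issuer_spki_der: bytes, precert_tbs_der: bytes) -> bytes:
    """Rebuild the digitally-signed struct a log signs for a precert entry.

    precert_tbs_der is the TBSCertificate of the precert, which must equal the final
    certificate's TBSCertificate minus the SCT list extension. Any difference in the
    serial number or validity dates changes these bytes, so the SCT no longer verifies."""
    issuer_key_hash = hashlib.sha256(issuer_spki_der).digest()
    return (bytes([sct.version, CERTIFICATE_TIMESTAMP])
            + struct.pack(">Q", sct.timestamp)
            + struct.pack(">H", PRECERT_ENTRY)
            + issuer_key_hash
            + len(precert_tbs_der).to_bytes(3, "big") + precert_tbs_der
            + struct.pack(">H", len(sct.extensions)) + sct.extensions)


def verify_precert_sct(sct: SCT, log_pubkey_pem: bytes, issuer_spki_der: bytes,
                       precert_tbs_der: bytes) -> bool:
    """Verify an SCT against a log's public key. Needs the `cryptography` package
    and the log key (from the CT log list); neither is part of the thread."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec

    key = serialization.load_pem_public_key(log_pubkey_pem)
    spki = key.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)
    if hashlib.sha256(spki).digest() != sct.log_id:
        return False  # SCT belongs to a different log than this key
    try:
        key.verify(sct.signature, precert_signed_data(sct, issuer_spki_der, precert_tbs_der),
                   ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    scts = embedded_scts_from_thread()
    for s in scts:
        print(describe(s))
    # Constructed placeholders standing in for the precert's and the final cert's
    # TBSCertificate: same SCT, one differing serial byte, different signed bytes.
    issuer = b"placeholder-issuer-spki"
    precert_tbs, final_tbs = b"serial=1 validity=A", b"serial=2 validity=A"
    print(precert_signed_data(scts[0], issuer, precert_tbs) == precert_signed_data(scts[0], issuer, final_tbs))
```

Running it prints the two SCTs with the same log ids, timestamps and signatures Chrome listed under `invalid_scts`, followed by `False` for the mismatched TBS pair: the SCTs themselves are intact, and it is the certificate body they were computed over that changed between precert and final cert, which is the situation Adam describes.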

Javier Olmo Gil

Dec 17, 2015, 3:24:23 AM
to certificate-transparency
Yes!! It helped!!

I used the same valid_from, valid_to and serial for both precertificate and final certificate and the server now returns that the certificate sent certificate transparency info correctly.

MANY MANY THANKS!!