I've found that I cannot validate certificates signed with one CA, and
I have not been able to track that down yet.
My setup is (r224 from svn):
[General]
Allow MD5 = 1
[Trusted directories]
Extra certs = /etc/pki/pathfinderd/trusted-store/
[Verification options]
ignore missing crls = 1
[CA Location]
...
%2FC%3DUS%2FO%3DVeriSign, Inc.%2FOU%3DClass 3 Public Primary
Certification Authority = /etc/pki/pathfinderd/trusted-store/
root_16.pem
...
cat /etc/pki/pathfinderd/trusted-store/root_16.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Everything seems to be set up correctly. But I get this error:
Apr 30 19:53:43 48-214 pathfinderd: Certificate (/C=ZA/O=Thawte
Consulting (Pty) Ltd./CN=Thawte SGC CA) we just got has an issuer (/
C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority). We continue building the path.
Apr 30 19:53:43 48-214 pathfinderd: Attempting to get signer.
Apr 30 19:53:43 48-214 pathfinderd: Checked certificate (/C=US/
O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority).
Seems to be ok.
Apr 30 19:53:43 48-214 pathfinderd: Is this certificate signed with
MD5 or MD2? Yes
Apr 30 19:53:43 48-214 pathfinderd: Self-signed certificate doesn't
have SKI! (/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
Certification Authority)
Apr 30 19:53:43 48-214 pathfinderd: Got a self-signed root that I
don't trust.
Apr 30 19:53:43 48-214 pathfinderd: Download finished.
Apr 30 19:53:43 48-214 pathfinderd: Downloaded signer did not lead to
a valid trust path.
Apr 30 19:53:43 48-214 pathfinderd: Trust anchor for cert not found in
store, and no bridges defined. Giving up.
Apr 30 19:53:43 48-214 pathfinderd: Encountered error (Couldn't build
path. Check the logs to find out why.) during path discovery.
Aborting.
Apr 30 19:53:43 48-214 pathfinderd: Path validated for certificate /
C=US/ST=California/L=Mountain View/O=Google Inc/CN=
mail.google.com.
Result: NOT valid
I found out that get_signer() retrieves it successfully from the
hardcoded location.
But check_cert(), when called, says it does not know this root, and
trusted_store->exists does not seem to be
called at all (I tried placing some debug output in the "exists" method
in x509path/wvx509store.cc and
got nothing), and thus path validation fails. How can I fix that?
--
You received this message because you are subscribed to the Google Groups "Pathfinder Mailing List" group.
To post to this group, send email to
pathfinder...@googlegroups.com.
To unsubscribe from this group, send email to
pathfinder-discu...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/pathfinder-discussion?hl=en.
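The log above shows the two properties of this root that a path builder has to cope with: it is MD5-signed, and it carries no Subject Key Identifier, so the intermediate cannot be linked to it by key id and must be linked by issuer/subject name instead. The following is an added example, not pathfinderd or WvStreams code: a minimal X.509 DER walker plus the trust-anchor lookup a builder performs, with a constructed store holding one legacy MD5 root without an SKI (as in the log) and one modern root with an SKI. The certificates are assembled in-line with dummy signatures (no cryptographic verification is done), and names are compared as raw DER, which is a simplification of RFC 5280 name matching.

```python
# Added example (not pathfinderd code): minimal X.509 DER walker + trust-anchor lookup.
# Certificates are constructed below with dummy signatures; nothing is verified.
import base64

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def der(tag, value):
    """Encode one TLV (used only to build the sample certificates)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
OID_MD2_RSA = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
OID_SKI, OID_AKI, OID_CN = bytes.fromhex("551d0e"), bytes.fromhex("551d23"), bytes.fromhex("550403")

def parse_cert(der_bytes):
    """Extract what path building needs: names, signature OID, SKI and AKI key id."""
    _, cert, _ = der_read(der_bytes)
    tbs, sig_alg, _ = der_children(cert)             # tbsCertificate, signatureAlgorithm, signature
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    info = {"issuer": fields[2][1], "subject": fields[4][1],
            "sig_oid": der_children(sig_alg[1])[0][1], "ski": None, "aki": None}
    for tag, exts in fields[6:]:
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(exts)[0][1]):
            parts = der_children(ext)                # extnID, [critical], extnValue
            oid, extn_value = parts[0][1], parts[-1][1]
            if oid == OID_SKI:                       # SubjectKeyIdentifier ::= OCTET STRING
                info["ski"] = der_read(extn_value)[1]
            elif oid == OID_AKI:                     # AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, ... }
                for t, v in der_children(der_read(extn_value)[1]):
                    if t == 0x80:
                        info["aki"] = v
    return info

def parse_pem(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return parse_cert(base64.b64decode(body))

def find_anchor(cert, store):
    """Two ways a builder can link a cert to its issuer:
    1. AKI key id -> anchor SKI (only works if the root carries an SKI);
    2. issuer name -> anchor subject (the fallback a legacy root with no SKI needs).
    Raw DER name comparison is a simplification of RFC 5280 matching."""
    if cert["aki"] is not None:
        for a in store:
            if a["ski"] is not None and a["ski"] == cert["aki"]:
                return a, "ski"
    for a in store:
        if a["subject"] == cert["issuer"]:
            return a, "name"
    return None, None

def anchor_report(anchor):
    """The checks the log shows pathfinderd applying to a candidate root."""
    return {"self_signed": anchor["issuer"] == anchor["subject"],
            "weak_hash": anchor["sig_oid"] in (OID_MD5_RSA, OID_MD2_RSA),
            "has_ski": anchor["ski"] is not None}

def name(cn):                                        # Name with a single CN RDN
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))

def build_cert(subject, issuer, sig_oid, ski=None, aki=None):
    """Assemble a syntactically valid Certificate with a placeholder key and dummy signature."""
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"100101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00\x00"))
    exts = b""
    if ski is not None:
        exts += der(0x30, der(0x06, OID_SKI) + der(0x04, der(0x04, ski)))
    if aki is not None:
        exts += der(0x30, der(0x06, OID_AKI) + der(0x04, der(0x30, der(0x80, aki))))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer) + validity + name(subject) + spki
    if exts:
        tbs += der(0xA3, der(0x30, exts))
    cert = der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" + b"\xAA" * 4))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed trust store: a legacy MD5 root without SKI (as in the log) and a modern root.
LEGACY_ROOT = build_cert("Class 3 Public Primary CA", "Class 3 Public Primary CA", OID_MD5_RSA)
MODERN_ROOT = build_cert("Modern Root", "Modern Root", OID_SHA256_RSA, ski=b"\x11" * 20)
STORE = [parse_pem(LEGACY_ROOT), parse_pem(MODERN_ROOT)]

def demo():
    """Link two constructed intermediates to the store and report how each anchor was found."""
    legacy_sub = parse_pem(build_cert("Legacy SGC CA", "Class 3 Public Primary CA", OID_SHA256_RSA))
    modern_sub = parse_pem(build_cert("Modern Sub CA", "Modern Root", OID_SHA256_RSA, aki=b"\x11" * 20))
    results = {}
    for label, c in (("legacy", legacy_sub), ("modern", modern_sub)):
        anchor, how = find_anchor(c, STORE)
        results[label] = (how, anchor_report(anchor) if anchor else None)
    return results

if __name__ == "__main__":
    for label, (how, report) in demo().items():
        print(label, "matched by", how, report)
```

Running `demo()` links the legacy intermediate by name only, and the report for its anchor reads self-signed, weak hash, no SKI: a store lookup that only consults the SKI/AKI index, or that rejects MD5-signed roots before consulting the store at all, never reaches the name-based match, which is the shape of failure the log above describes.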