[botan-devel] X.509 signature algorithm decoding error

Uri Blumenthal uri at mit.edu
Sun Jan 4 14:43:58 EST 2015


On Jan 4, 2015, at 11:33 , Jack Lloyd <lloyd at randombit.net<mailto:lloyd at randombit.net>> wrote:
On Sun, Jan 04, 2015 at 02:01:50AM +0000, Uri Blumenthal wrote:
2. src/lib/cert/x509/x509cert.cpp incorrectly rejects certificates
where different signing algorithms are used. These are the offending
lines (99 and 100):

   if(sig_algo != sig_algo_inner)
      throw Decoding_Error("Algorithm identifier mismatch");

Hi Uri,

Can you send me example certificate(s) which cause this to trigger?

Certainly. Will attach one example to this email, and can produce/find more if needed.

That check has been in place since 2006 and while it's been a while
since I read the PKIX docs my understanding is these two fields should
always be the same.

I’ve modified the check in x509_cert.cpp to look like this:

   if(sig_algo != sig_algo_inner) {
     std::cerr << "\nX509_Certificate::force_decode(): "
      << "Algorithm identifier mismatch: \n"
      << "sig_algo: \t\t\"" << sig_algo.oid.as_string() << "\""
      << " vs.\n"
      << "sig_algo_inner: \t\""
      << sig_algo_inner.oid.as_string() << "\"" << "\n\n";
     //throw Decoding_Error("Algorithm identifier mismatch");
   }

and here’s its output on the cert in question:

$ ./botan x509print cert.pem

X509_Certificate::force_decode(): Algorithm identifier mismatch:
sig_algo: "1.2.840.113549.1.1.11" vs.
sig_algo_inner: "1.2.840.113549.1.1.11"

Subject Name: RabbitMQ-manager
Subject Organization: The Burrow
Subject Organizational Unit: Messengers
Subject Country: US
Issuer Name: Forest CA
Issuer Organization: Forest PKI and CA
Issuer Organizational Unit: PKI
Issuer Locality: Westford
Issuer State: MA
Issuer Country: US
Version: 3
Not valid before: 2014/12/24 02:01:42 UTC
Not valid after: 2018/09/19 02:01:42 UTC
Constraints:
   Digital Signature
   Non-Repuidation
   Key Encipherment
   Data Encipherment
   Key Agreement
Extended Constraints:
   PKIX.ClientAuth



Signature algorithm: RSA/EMSA3(SHA-256)
Serial number: 05ADAA01
Public Key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LtO3a5lLQQO2n/pp55H
meLa2QbWn6vDyxlbs346Ss8iaIDdQezM7i58bcl7BowuKX3u4n8DmN9wR123BSSR
HGF35rkWKjz7BoO1N9YPF3MFUm29tmJXQZguKXQ5W+N3AKfmtUleuifpkRgmF2Nw
lhZtBqJGN3Ab73rXfJXS8EWdtL4QuRzonrXULAWoSOLDqngAEvFI+N4FMxXYX4lA
eOOMmEcvUppz4oRZ6yqhvfS1lhr4NLfZxm14Kfu6mHitZZLMqUQJfGIOsxcrWO7K
bVf+M3vMcRzxpnvcceov9oVFRfAZd50aNbBiaeA8lRJT5TEGtprs96yO7x9Bbq0v
/wIDAQAB
-----END PUBLIC KEY-----



And here’s the certificate itself.

Just in case I’ve also cat ’n’ pasted it below.
--
Uri Blumenthal
uri at mit.edu<mailto:uri at mit.edu>

Bag Attributes
    friendlyName: RabbitMQ-manager
    localKeyID: C7 2B A2 5B 26 9C C7 6B 9B 13 B1 45 B8 EA D9 72 D0 2B 13 99
subject=/CN=RabbitMQ-manager/O=The Burrow/OU=Messengers/C=US
issuer=/CN=Forest CA/O=Forest PKI and CA/OU=PKI/ST=MA/C=US/L=Westford
-----BEGIN CERTIFICATE-----
MIIDfTCCAmWgAwIBAgIEBa2qATALBgkqhkiG9w0BAQswazESMBAGA1UEAwwJRm9y
ZXN0IENBMRowGAYDVQQKDBFGb3Jlc3QgUEtJIGFuZCBDQTEMMAoGA1UECwwDUEtJ
MQswCQYDVQQIDAJNQTELMAkGA1UEBhMCVVMxETAPBgNVBAcMCFdlc3Rmb3JkMB4X
DTE0MTIyNDAyMDE0MloXDTE4MDkxOTAyMDE0MlowUjEZMBcGA1UEAwwQUmFiYml0
TVEtbWFuYWdlcjETMBEGA1UECgwKVGhlIEJ1cnJvdzETMBEGA1UECwwKTWVzc2Vu
Z2VyczELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDgu07drmUtBA7af+mnnkeZ4trZBtafq8PLGVuzfjpKzyJogN1B7MzuLnxtyXsG
jC4pfe7ifwOY33BHXbcFJJEcYXfmuRYqPPsGg7U31g8XcwVSbb22YldBmC4pdDlb
43cAp+a1SV66J+mRGCYXY3CWFm0GokY3cBvvetd8ldLwRZ20vhC5HOietdQsBahI
4sOqeAAS8Uj43gUzFdhfiUB444yYRy9SmnPihFnrKqG99LWWGvg0t9nGbXgp+7qY
eK1lksypRAl8Yg6zFytY7sptV/4ze8xxHPGme9xx6i/2hUVF8Bl3nRo1sGJp4DyV
ElPlMQa2muz3rI7vH0FurS//AgMBAAGjRDBCMA8GA1UdEwEB/wQFMAMBAQAwDgYD
VR0PAQH/BAQDAgP4MB8GA1UdJQEB/wQVMBMGCCsGAQUFBwMCBgcrBgEFAgMEMA0G
CSqGSIb3DQEBCwUAA4IBAQAVs7Aee3iYevJsaBCcZTB77IMWGvnzbMPymcH8Yz0P
6KtsMWe+LUY4W27Mg7shdxVetAGNKYyZgAktWVSBuB2d3rkwyA+UyKXcLDEoUe5A
eVaGQpKQVoNEvcIteVZ89E9gDSynpTqyYAp7CZaRC5JLw+W9spzm19isYaykZ1PD
Z0iA2gtH1MVNDWRdlhQm5t/az9qjyjrSJ/RJI/tzSx5ZybQ2SVUyBrkoBBJxekOZ
3pLKtKlViYzsYeKo5SHiEf3OSo1w5miNk4+zKSTXp8JOiSLD4eWkztWFij2HouIq
VcAXSJFxz3Fvda8+sp5nwDJJZ28pQ7HeUTe8/gVkiAvD
-----END CERTIFICATE-----


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20150104/388aff62/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RabbitMQ-manager.pem
Type: application/x-x509-ca-cert
Size: 2827 bytes
Desc: RabbitMQ-manager.pem
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20150104/388aff62/attachment-0001.der>


More information about the botan-devel mailing list