Date:      Tue, 21 Feb 2012 13:54:02 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        Florian Smeets <flo@FreeBSD.org>
Cc:        freebsd-gecko@FreeBSD.org
Subject:   Re: devel/nspr dumps core when checking cert with security/nss
Message-ID:  <4F4385DA.5020708@gmail.com>
In-Reply-To: <4F42C061.9070604@FreeBSD.org>
References:  <4EDF2F1A.1080807@gmail.com> <4EF065C0.1040908@freebsd.org> <4EF06742.2070501@gmail.com> <4F42C061.9070604@FreeBSD.org>


[-- Attachment #1 --]
Florian Smeets wrote:
>>>> RELENG_9, world and ports built with clang.
>>>>
>>>
>>> Do you know if it's caused by the port being built with clang or if
>>> world compiled with clang is the cause?
>>
>> I tested that on RELENG_8 also with the same result.
>>
>> Random junk or hints:
>>    1. certtool from gnutls verifies certificates successfully.
>>    2. Making both keys with 2048 bit width gives the same result.
>>
>> So maybe it's rather about supporting wide (2048 bit) DSA keys?
>>
>
> This seems to be fixed by nspr-4.9 / nss-3.13.2. With your Makefile the
> tool does not crash anymore.

Strange, still crashes for me on RELENG_8_2 and RELENG_9 built with clang:

# checking with certtool
certtool -e --infile site.cert --infile base.cert
Certificate[0]: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,EMAIL=noone@nowhere.com
         Issued by: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,EMAIL=noone@nowhere.com
         Verification output: Verified.

Chain verification output: Verified.
# checking cert with nss
checkcert -aA site.cert base.cert
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 0 (0x0)
*** Signal 11

Stop in /home/arcade/tmp.

I'll include Makefile for later reference.

And I was wrong, this is not about 2048-bit keys, it fails on 1024-bit 
keys too.

I'll try to set up a virtual host with stock RELENG_9_0 and recheck there.

-- 
Sphinx of black quartz judge my vow.

[-- Attachment #2 --]
all:
	# creating simple CA (the dp2048.pem name is historical: the parameters generated here are 1024-bit)
	openssl dsaparam -out dp2048.pem 1024
	openssl gendsa -out base.pem dp2048.pem
	printf '\n\n\n\nPity sec\nbase\nnoone@nowhere.com\n' | openssl req -new -x509 -out base.cert -key base.pem -days 365
	@echo
	# minimal demoCA layout for openssl ca; a serial file of 00 gives the first issued cert serial 0,
	# which RFC 5280 4.1.2.2 does not allow (serial numbers must be positive integers)
	mkdir -p demoCA/newcerts
	touch demoCA/index.txt
	echo 00 > demoCA/serial
	# creating sample cert with its own, independent DSA parameter set
	# (-days only applies to req together with -x509; validity of site.cert is set by openssl ca)
	openssl dsaparam -out dp1024.pem 1024
	openssl gendsa -out site.pem dp1024.pem
	printf '\n\n\n\nPity sec\nsite.base\nnoone@nowhere.com\n\n\n' | openssl req -new -out site.req -key site.pem
	@echo
	# signing cert (the two y answers confirm signing and committing the entry to the CA database)
	printf 'y\ny\n' | openssl ca -cert base.cert -keyfile base.pem -policy policy_anything -out site.cert -infiles site.req
	# checking with certtool: -e reads a single chain, leaf first and the trusted CA last,
	# so the two certificates are concatenated instead of passed as two --infile arguments
	cat site.cert base.cert | certtool -e
	# checking cert with nss
	checkcert -aA site.cert base.cert

clean:
	rm -rf dp2048.pem dp1024.pem base.pem site.pem base.cert site.req site.cert demoCA

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F4385DA.5020708>