Description
Hi,
I'm using phpseclib for issuing self-signed certificates for my local systems.
The Problem
For some days I have noticed some problems using Chromium-based browsers with only one of my websites. (Firefox works as expected on this site.) If I open this site in Chromium-based browsers, I get the error message: net::ERR_CERT_INVALID. This specific certificate was issued by an ECC Certificate Authority and used an RSA 2048 bit key.
Detailed Analysis of the Problem
For the further analysis it is important to know something about my local setup. For web certificates I issued an intermediate CA by one of my root certificate authorities. The key type of both authorities is ECC. I rarely use Chrome-based browsers since I switched to Firefox on all my devices. The device/system where I use this certificate only supports RSA certificates.
I started my investigation by reading the changelog of Chromium, but unfortunately I haven't found an acceptable answer or change which describes this behaviour. (Maybe someone else knows something about it?)
Next I took a closer look at the certificate and found one big difference to a working one (issued from the same intermediate CA): ECC (works like a charm) vs RSA (does not work).
So the chain for the working certificate:
Root CA (ECC) -> Intermediate CA (ECC) -> working.site.example.com (ECC)
And the chain for the non-working certificate:
Root CA (ECC) -> Intermediate CA (ECC) -> error.site.example.com (RSA)
And therefore the "Public Key Algorithm" differences for the two certificates: "rsaEncryption" vs. "id-ecPublicKey"
So I used my test instance to reproduce this specific behaviour:
I created one Root Certificate Authority:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1c:ef:b4:85:31:d8:ca:52:e8:17:01:f4:1c:98:55:80
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=DE, O=Lemmi Trust Services, CN=LTS Testing Root G3
Validity
Not Before: Nov 20 23:00:00 2024 GMT
Not After : Nov 20 23:00:00 2049 GMT
Subject: C=DE, O=Lemmi Trust Services, CN=LTS Testing Root G3
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:f6:7b:6c:4d:7c:17:af:c0:ee:14:ad:3e:33:57:
a4:6d:b0:99:60:58:1b:68:8d:35:2d:bf:a8:95:f7:
7d:08:31:1f:8f:c3:79:25:21:23:48:9e:f8:a1:10:
6a:d2:8c:59:fa:0c:d9:0f:42:d6:c9:a6:2a:e5:17:
45:53:13:62:ef:4c:a4:90:52:d6:3c:33:31:c1:26:
b0:46:b9:3a:55:8b:48:1f:2d:5c:21:24:f7:14:29:
af:1d:83:dd:08:69:20
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
5D:77:2E:35:6D:7C:FD:A0:4C:8F:A8:0B:98:49:F2:F6:C1:85:1F:C9
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
5D:77:2E:35:6D:7C:FD:A0:4C:8F:A8:0B:98:49:F2:F6:C1:85:1F:C9
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:65:02:30:11:d3:6e:5b:09:27:0f:cd:56:30:66:8d:b7:66:
11:d6:a7:8e:9f:ac:36:4c:48:ec:a5:12:e8:32:dc:61:a0:cd:
9c:26:7c:69:d1:cf:47:06:29:56:ef:cb:e7:24:cf:86:02:31:
00:80:57:2c:db:2c:7b:3f:a4:88:9c:3e:4e:17:57:7e:b1:34:
5f:15:ea:e4:58:68:5f:b0:50:4d:67:04:1b:36:16:aa:c1:db:
90:be:df:a1:a3:7b:09:85:09:0a:fb:4a:5d
And I issued one Intermediate Certificate Authority and setup this as them in my production PKI:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
16:1f:de:8c:ce:a8:46:fd:06:fe:3e:f6:7b:0b:c7:95
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=DE, O=Lemmi Trust Services, CN=LTS Testing Root G3
Validity
Not Before: Nov 20 23:00:00 2024 GMT
Not After : Nov 20 23:00:00 2029 GMT
Subject: C=DE, O=LemmiSign, CN=LemmiSign Testing TLS-DV 3
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:7e:ba:b0:df:9a:5a:e4:9c:c7:fa:87:27:e1:e5:
96:a5:37:eb:6a:78:23:23:1b:63:88:13:4c:38:46:
41:da:c1:10:7f:92:0d:8d:cd:b4:11:e0:a7:bb:0c:
16:6b:bd:fa:ee:6d:da:28:31:67:c3:f1:2b:77:fa:
b0:ac:36:8e:78:41:f3:f8:1d:2b:48:b0:02:3d:31:
36:95:bf:f2:5a:9e:00:e2:75:fb:88:30:ec:4d:f6:
ff:ae:4c:3a:13:f0:2f
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
D3:12:5C:D6:D1:08:E7:92:FB:38:61:3D:4F:7E:C7:16:93:04:16:D4
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Authority Key Identifier:
5D:77:2E:35:6D:7C:FD:A0:4C:8F:A8:0B:98:49:F2:F6:C1:85:1F:C9
Authority Information Access:
OCSP - URI:http://ocsp01.testing.lemmi.org/
CA Issuers - URI:http://cacerts.testing.lemmi.org/LTS_Testing_Root_G3.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl01.testing.lemmi.org/LTS_Testing_Root_G3.crl
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:64:02:30:3f:ef:09:cb:e7:0b:c6:56:cb:dc:ec:c2:d9:4f:
ae:a8:ab:84:eb:54:b8:1e:ee:2d:11:0c:be:e5:67:cc:04:f4:
f2:69:44:48:9c:75:67:79:c4:e6:17:91:08:a3:4a:8f:02:30:
77:5e:8a:93:63:13:af:a9:72:6f:b2:f7:65:8b:44:61:b9:a1:
e8:e8:0a:39:7b:b3:e6:e8:e0:18:b2:78:ae:39:49:fb:7b:c7:
e2:2d:d8:ff:71:b1:4d:45:f2:c8:73:d5
Then I issued two subscriber certificates:
One with key type RSA (let's call this one "Test Certificate RSA"):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:cc:90:97:b4:d5:76:a8:28:8f:a1:a6:42:1d:e3:a1
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=DE, O=LemmiSign, CN=LemmiSign Testing TLS-DV 3
Validity
Not Before: Nov 20 23:00:00 2024 GMT
Not After : Dec 20 23:00:00 2025 GMT
Subject: C=DE, O=Lemmi Networks, OU=Test Certificate RSA, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:99:28:35:66:8c:91:62:f0:3b:aa:64:29:2c:c3:
9f:fe:b4:94:b4:eb:90:11:49:af:6f:05:c2:0c:c9:
e9:f9:9a:c3:cd:a4:1c:5f:85:07:b7:9f:e4:ea:27:
21:ba:08:4e:1d:99:6f:91:02:33:ee:fc:50:c9:08:
c9:58:8c:4c:38:31:43:63:72:c1:a6:1b:10:c4:e4:
66:28:04:6b:aa:ba:42:4c:98:f8:21:4a:8c:6a:ad:
50:b7:2d:74:a0:a6:ae:ce:c2:3f:db:88:3a:f5:6f:
3a:90:36:cc:c6:74:17:c8:5e:c8:bf:5b:9b:0b:61:
b5:93:c8:58:9b:15:d8:20:8b:2e:86:bd:6d:c2:f4:
fa:38:5e:e6:e8:56:ec:b6:65:33:58:bc:bf:7e:47:
53:f9:11:89:39:1b:f1:ec:6e:3d:e7:99:6a:17:f0:
f6:3c:38:ec:c3:47:cc:0f:d3:15:5f:a1:4f:d5:03:
9a:95:d9:7e:a0:7e:c7:d8:7a:73:62:97:5f:3b:b5:
8d:8c:f8:4d:14:92:12:a8:14:68:84:2f:d9:37:81:
db:69:3e:4c:9a:05:38:f7:25:fd:b4:c1:e5:e1:f8:
c4:b3:f5:da:6e:40:49:65:eb:2c:9b:c0:b7:ac:6a:
36:91:0c:ce:b0:9a:80:f6:cb:26:b2:ad:40:76:89:
11:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
14:1A:29:3B:E7:84:88:54:89:0C:F8:88:1C:CF:D8:80:28:58:55:F0
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
D3:12:5C:D6:D1:08:E7:92:FB:38:61:3D:4F:7E:C7:16:93:04:16:D4
Authority Information Access:
OCSP - URI:http://ocsp01.testing.lemmi.org
CA Issuers - URI:http://cacerts.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl01.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crl
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:31:00:89:c4:eb:39:6a:ee:b3:f6:eb:36:2a:9a:0b:
1e:11:aa:71:6e:ca:42:e8:6f:fb:2f:b4:ee:3c:f8:df:47:82:
b8:f9:43:94:e9:f7:a5:46:70:7f:d4:66:b7:eb:de:b9:9c:02:
30:7c:56:70:e7:7f:0d:3a:e8:df:b5:c0:67:d9:b1:0c:84:bf:
88:c1:76:1c:c7:a2:be:fd:c6:d9:5f:9b:2d:25:d4:e6:e3:21:
d0:95:41:c6:37:57:33:b5:d8:12:85:3c:ab
And one with key type ECC (let's call this one "Test Certificate ECC"):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:9a:f3:a9:9d:85:da:62:54:fd:65:f3:9f:ad:fb:5f
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=DE, O=LemmiSign, CN=LemmiSign Testing TLS-DV 3
Validity
Not Before: Nov 20 23:00:00 2024 GMT
Not After : Dec 20 23:00:00 2025 GMT
Subject: C=DE, O=Lemmi Networks, OU=Test Certificate ECC, CN=localhost
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d6:c2:fd:2c:dd:4b:cb:9c:77:76:5d:f1:52:7b:
93:d2:30:36:dd:48:87:41:00:cc:ea:04:db:71:9d:
1f:41:21:b3:26:5c:d5:d1:5a:57:57:e9:e8:a5:cd:
4e:e5:20:ec:5d:03:40:67:e9:5e:a1:00:3a:59:71:
42:ce:19:f1:32
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
EF:FE:7B:19:DF:83:1E:35:35:4E:8C:BD:F8:17:5A:07:D0:2C:6C:30
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
D3:12:5C:D6:D1:08:E7:92:FB:38:61:3D:4F:7E:C7:16:93:04:16:D4
Authority Information Access:
OCSP - URI:http://ocsp01.testing.lemmi.org
CA Issuers - URI:http://cacerts.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl01.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crl
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:65:02:31:00:c2:3c:22:0f:c7:b4:a4:a2:2a:8e:58:5d:62:
50:f4:b3:b8:7d:1b:b8:be:58:2f:52:5d:d0:6c:9b:4b:0d:c5:
da:12:b1:59:5c:87:81:e9:9c:8c:06:38:4f:9f:fa:8f:dd:02:
30:4b:a6:39:18:2a:e1:94:f6:06:89:10:1f:3d:36:fe:a8:7a:
ef:49:b6:60:6a:75:56:37:19:fe:c7:3f:07:aa:cf:ad:11:26:
79:16:76:51:d8:c5:47:ed:00:b6:3e:9d:d9
Since this is only a fresh testing certificate authority and is not in production use, I leak the two private keys (and for better reproducing this behaviour ;) ):
Furthermore I installed a Debian virtual machine and imported the previously created root certificate authority into Chromium (Version 130.0.6723.116). I installed nginx for checking if my subscriber certificates are working.
Our "Test Certificate ECC" works as expected on this setup (Lock-Symbol is not RED):
Compared to our "Test Certificate RSA" which does not work (Lock-Symbol is RED):
=> so we are able to reproduce this specific behaviour. All extensions on both Test Certificates are identical so we can already exclude this as a reason.
Next I linted both certificates using x509lint:
"Test Certificate RSA":
E: Subject with organizationName, givenName or surname but without stateOrProvince or localityName
E: Name entry contains an invalid type
E: No policy extension
E: Algorithm parameter present
"Test Certificate ECC":
E: Subject with organizationName, givenName or surname but without stateOrProvince or localityName
E: Name entry contains an invalid type
E: No policy extension
It seems like my application is not setting Subject->Country in the correct encoding, but we can exclude every message which occurs on both certificates, so only one remains for the "Test Certificate RSA": E: Algorithm parameter present.
If we take a closer look into the ASN.1 structure of the "Test Certificate RSA", we can explore this ($ openssl asn1parse -in file.crt):
0:d=0 hl=4 l=1014 cons: SEQUENCE
4:d=1 hl=4 l= 890 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :1ECC9097B4D576A8288FA1A6421DE3A1
31:d=2 hl=2 l= 12 cons: SEQUENCE
33:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
43:d=3 hl=2 l= 0 prim: NULL
45:d=2 hl=2 l= 70 cons: SEQUENCE
47:d=3 hl=2 l= 11 cons: SET
49:d=4 hl=2 l= 9 cons: SEQUENCE
51:d=5 hl=2 l= 3 prim: OBJECT :countryName
56:d=5 hl=2 l= 2 prim: UTF8STRING :DE
60:d=3 hl=2 l= 18 cons: SET
62:d=4 hl=2 l= 16 cons: SEQUENCE
64:d=5 hl=2 l= 3 prim: OBJECT :organizationName
69:d=5 hl=2 l= 9 prim: UTF8STRING :LemmiSign
80:d=3 hl=2 l= 35 cons: SET
82:d=4 hl=2 l= 33 cons: SEQUENCE
84:d=5 hl=2 l= 3 prim: OBJECT :commonName
89:d=5 hl=2 l= 26 prim: UTF8STRING :LemmiSign Testing TLS-DV 3
117:d=2 hl=2 l= 30 cons: SEQUENCE
119:d=3 hl=2 l= 13 prim: UTCTIME :241120230000Z
134:d=3 hl=2 l= 13 prim: UTCTIME :251220230000Z
149:d=2 hl=2 l= 89 cons: SEQUENCE
151:d=3 hl=2 l= 11 cons: SET
153:d=4 hl=2 l= 9 cons: SEQUENCE
155:d=5 hl=2 l= 3 prim: OBJECT :countryName
160:d=5 hl=2 l= 2 prim: UTF8STRING :DE
164:d=3 hl=2 l= 23 cons: SET
166:d=4 hl=2 l= 21 cons: SEQUENCE
168:d=5 hl=2 l= 3 prim: OBJECT :organizationName
173:d=5 hl=2 l= 14 prim: UTF8STRING :Lemmi Networks
189:d=3 hl=2 l= 29 cons: SET
191:d=4 hl=2 l= 27 cons: SEQUENCE
193:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
198:d=5 hl=2 l= 20 prim: UTF8STRING :Test Certificate RSA
220:d=3 hl=2 l= 18 cons: SET
222:d=4 hl=2 l= 16 cons: SEQUENCE
224:d=5 hl=2 l= 3 prim: OBJECT :commonName
229:d=5 hl=2 l= 9 prim: UTF8STRING :localhost
240:d=2 hl=4 l= 290 cons: SEQUENCE
244:d=3 hl=2 l= 13 cons: SEQUENCE
246:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
257:d=4 hl=2 l= 0 prim: NULL
259:d=3 hl=4 l= 271 prim: BIT STRING
534:d=2 hl=4 l= 360 cons: cont [ 3 ]
538:d=3 hl=4 l= 356 cons: SEQUENCE
542:d=4 hl=2 l= 29 cons: SEQUENCE
544:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
549:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414141A293BE7848854890CF8881CCFD880285855F0
573:d=4 hl=2 l= 14 cons: SEQUENCE
575:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
580:d=5 hl=2 l= 1 prim: BOOLEAN :255
583:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020780
589:d=4 hl=2 l= 19 cons: SEQUENCE
591:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
596:d=5 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070301
610:d=4 hl=2 l= 20 cons: SEQUENCE
612:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
617:d=5 hl=2 l= 13 prim: OCTET STRING [HEX DUMP]:300B82096C6F63616C686F7374
632:d=4 hl=2 l= 12 cons: SEQUENCE
634:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
639:d=5 hl=2 l= 1 prim: BOOLEAN :255
642:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
646:d=4 hl=2 l= 31 cons: SEQUENCE
648:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
653:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014D3125CD6D108E792FB38613D4F7EC716930416D4
679:d=4 hl=3 l= 136 cons: SEQUENCE
682:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
692:d=5 hl=2 l= 124 prim: OCTET STRING [HEX DUMP]:307A302B06082B06010505073001861F687474703A2F2F6F63737030312E74657374696E672E6C656D6D692E6F7267304B06082B06010505073002863F687474703A2F2F636163657274732E74657374696E672E6C656D6D692E6F72672F4C656D6D695369676E5F54657374696E675F544C535F44565F332E637274
818:d=4 hl=2 l= 78 cons: SEQUENCE
820:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
825:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30453043A041A03F863D687474703A2F2F63726C30312E74657374696E672E6C656D6D692E6F72672F4C656D6D695369676E5F54657374696E675F544C535F44565F332E63726C
898:d=1 hl=2 l= 12 cons: SEQUENCE
900:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
910:d=2 hl=2 l= 0 prim: NULL
912:d=1 hl=2 l= 104 prim: BIT STRING
Combined with the previous x509lint message, we have to take a closer look at these lines:
...
33:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
43:d=3 hl=2 l= 0 prim: NULL
...
900:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
910:d=2 hl=2 l= 0 prim: NULL
...
It seems like phpseclib sets the parameter to null. If I take a closer look into the code, I am able to find the following in vendor/phpseclib/phpseclib/phpseclib/File/X509.php#505:
...
    public function saveX509(array $cert, $format = self::FORMAT_PEM)
    {
        if (!is_array($cert) || !isset($cert['tbsCertificate'])) {
            return false;
        }
        switch (true) {
            // "case !$a: case !$b: break; default: whatever();" is the same thing as "if ($a && $b) whatever()"
            case !($algorithm = $this->subArray($cert, 'tbsCertificate/subjectPublicKeyInfo/algorithm/algorithm')):
            case is_object($cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']):
                break;
            default:
                $cert['tbsCertificate']['subjectPublicKeyInfo'] = new Element(
                    base64_decode(preg_replace('#-.+-|[\r\n]#', '', $cert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']))
                );
        }
        if ($algorithm == 'rsaEncryption') {
            $cert['signatureAlgorithm']['parameters'] = null;
            $cert['tbsCertificate']['signature']['parameters'] = null;
        }
.....
If the algorithm is rsaEncryption, phpseclib is setting the parameters to null. (IF-Statement lines 522-525)
For testing purposes I commented this if-statement out and created a new certificate (let's call this one "Test Certificate RSA Working"):
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:59:80:22:90:24:eb:eb:54:bb:83:69:90:d9:4c:61
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=DE, O=LemmiSign, CN=LemmiSign Testing TLS-DV 3
Validity
Not Before: Nov 20 23:00:00 2024 GMT
Not After : Dec 20 23:00:00 2025 GMT
Subject: C=DE, O=Lemmi Networks, OU=Test Certificate RSA Working, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b8:b8:3a:67:7a:7f:05:bd:b5:2e:6a:e1:1e:e4:
d3:cb:38:38:32:b0:e9:f7:fa:75:63:4f:dd:f2:da:
36:0a:c1:15:5d:bf:bd:f0:da:26:97:8c:b4:74:cb:
84:bc:ce:8f:f3:21:a3:25:a2:8d:14:c1:4b:25:13:
cf:ab:ae:7b:3b:c5:f3:03:b6:97:49:d4:89:c3:d0:
05:5d:52:70:db:4d:01:50:56:85:51:61:f1:b0:82:
b8:60:a1:81:d6:4f:b5:86:49:34:fc:8a:4a:60:5f:
0a:54:9a:17:27:00:36:01:a8:d6:5e:b5:fa:43:34:
4a:0d:88:58:9b:2d:ce:e4:93:4e:77:16:22:e3:38:
cb:25:95:5d:eb:0f:91:e7:88:53:60:ba:0e:00:dc:
13:7b:e1:26:d0:49:76:e6:60:43:93:e3:31:cf:4e:
42:31:8b:a4:fa:33:18:d8:5d:dd:fb:09:88:91:4d:
67:9e:b6:76:d9:d4:97:6c:44:5f:76:a5:02:c8:2b:
55:a6:64:f2:eb:88:1a:94:0f:c5:ce:a7:cb:2b:d9:
ec:12:6c:1d:85:e4:12:8e:58:6a:f2:3e:27:ed:36:
57:a2:a1:5b:63:de:80:32:97:de:ea:42:6f:94:02:
ea:69:1b:d1:15:07:e8:4c:d2:8c:d8:00:12:d9:4a:
3f:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7E:34:61:95:16:E3:07:CC:50:4B:04:DA:3B:4D:95:03:0D:51:C3:EE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
D3:12:5C:D6:D1:08:E7:92:FB:38:61:3D:4F:7E:C7:16:93:04:16:D4
Authority Information Access:
OCSP - URI:http://ocsp01.testing.lemmi.org
CA Issuers - URI:http://cacerts.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl01.testing.lemmi.org/LemmiSign_Testing_TLS_DV_3.crl
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:66:02:31:00:f1:f6:f6:7d:81:53:d8:5c:da:06:63:dc:7c:
c1:f9:77:cd:d8:e9:70:42:96:65:d2:57:a9:5a:06:1e:57:ac:
5a:63:cc:18:61:65:62:fc:e3:c3:48:79:91:2d:c1:ba:3a:02:
31:00:b2:d9:0a:c7:d4:b1:04:55:c1:cf:a0:4e:28:88:a1:9a:
60:93:4e:a1:c0:0c:b9:d2:9c:a5:1a:63:3f:5e:3c:9f:09:57:
e7:4b:54:b9:0b:df:25:58:c6:31:af:81:8e:29
the private key of "Test Certificate RSA Working":
output of x509lint:
E: Subject with organizationName, givenName or surname but without stateOrProvince or localityName
E: Name entry contains an invalid type
E: No policy extension
output of asn1parse:
0:d=0 hl=4 l=1019 cons: SEQUENCE
4:d=1 hl=4 l= 896 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :185980229024EBEB54BB836990D94C61
31:d=2 hl=2 l= 10 cons: SEQUENCE
33:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
43:d=2 hl=2 l= 70 cons: SEQUENCE
45:d=3 hl=2 l= 11 cons: SET
47:d=4 hl=2 l= 9 cons: SEQUENCE
49:d=5 hl=2 l= 3 prim: OBJECT :countryName
54:d=5 hl=2 l= 2 prim: UTF8STRING :DE
58:d=3 hl=2 l= 18 cons: SET
60:d=4 hl=2 l= 16 cons: SEQUENCE
62:d=5 hl=2 l= 3 prim: OBJECT :organizationName
67:d=5 hl=2 l= 9 prim: UTF8STRING :LemmiSign
78:d=3 hl=2 l= 35 cons: SET
80:d=4 hl=2 l= 33 cons: SEQUENCE
82:d=5 hl=2 l= 3 prim: OBJECT :commonName
87:d=5 hl=2 l= 26 prim: UTF8STRING :LemmiSign Testing TLS-DV 3
115:d=2 hl=2 l= 30 cons: SEQUENCE
117:d=3 hl=2 l= 13 prim: UTCTIME :241120230000Z
132:d=3 hl=2 l= 13 prim: UTCTIME :251220230000Z
147:d=2 hl=2 l= 97 cons: SEQUENCE
149:d=3 hl=2 l= 11 cons: SET
151:d=4 hl=2 l= 9 cons: SEQUENCE
153:d=5 hl=2 l= 3 prim: OBJECT :countryName
158:d=5 hl=2 l= 2 prim: UTF8STRING :DE
162:d=3 hl=2 l= 23 cons: SET
164:d=4 hl=2 l= 21 cons: SEQUENCE
166:d=5 hl=2 l= 3 prim: OBJECT :organizationName
171:d=5 hl=2 l= 14 prim: UTF8STRING :Lemmi Networks
187:d=3 hl=2 l= 37 cons: SET
189:d=4 hl=2 l= 35 cons: SEQUENCE
191:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
196:d=5 hl=2 l= 28 prim: UTF8STRING :Test Certificate RSA Working
226:d=3 hl=2 l= 18 cons: SET
228:d=4 hl=2 l= 16 cons: SEQUENCE
230:d=5 hl=2 l= 3 prim: OBJECT :commonName
235:d=5 hl=2 l= 9 prim: UTF8STRING :localhost
246:d=2 hl=4 l= 290 cons: SEQUENCE
250:d=3 hl=2 l= 13 cons: SEQUENCE
252:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
263:d=4 hl=2 l= 0 prim: NULL
265:d=3 hl=4 l= 271 prim: BIT STRING
540:d=2 hl=4 l= 360 cons: cont [ 3 ]
544:d=3 hl=4 l= 356 cons: SEQUENCE
548:d=4 hl=2 l= 29 cons: SEQUENCE
550:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
555:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04147E34619516E307CC504B04DA3B4D95030D51C3EE
579:d=4 hl=2 l= 14 cons: SEQUENCE
581:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
586:d=5 hl=2 l= 1 prim: BOOLEAN :255
589:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020780
595:d=4 hl=2 l= 19 cons: SEQUENCE
597:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
602:d=5 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070301
616:d=4 hl=2 l= 20 cons: SEQUENCE
618:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
623:d=5 hl=2 l= 13 prim: OCTET STRING [HEX DUMP]:300B82096C6F63616C686F7374
638:d=4 hl=2 l= 12 cons: SEQUENCE
640:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
645:d=5 hl=2 l= 1 prim: BOOLEAN :255
648:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
652:d=4 hl=2 l= 31 cons: SEQUENCE
654:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
659:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014D3125CD6D108E792FB38613D4F7EC716930416D4
685:d=4 hl=3 l= 136 cons: SEQUENCE
688:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
698:d=5 hl=2 l= 124 prim: OCTET STRING [HEX DUMP]:307A302B06082B06010505073001861F687474703A2F2F6F63737030312E74657374696E672E6C656D6D692E6F7267304B06082B06010505073002863F687474703A2F2F636163657274732E74657374696E672E6C656D6D692E6F72672F4C656D6D695369676E5F54657374696E675F544C535F44565F332E637274
824:d=4 hl=2 l= 78 cons: SEQUENCE
826:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
831:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30453043A041A03F863D687474703A2F2F63726C30312E74657374696E672E6C656D6D692E6F72672F4C656D6D695369676E5F54657374696E675F544C535F44565F332E63726C
904:d=1 hl=2 l= 10 cons: SEQUENCE
906:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
916:d=1 hl=2 l= 105 prim: BIT STRING
As we can see, the parameters are not set anymore and x509lint does not display the error message E: Algorithm parameter present using "Test Certificate RSA Working".
I changed my nginx config and Chromium displays the page using the newly generated certificate:
maybe possible solution
It looks like Chromium does not accept these parameters in the certificate if the signature is done using ECDSA. In my opinion an option is to switch the IF-Statement to check against the signature algorithm, not against the used key type. (Since this is a very critical code part, I recommend to check this twice!)
Conclusion
I hope it's not a problem if the analysis part got a bit lengthy. If more information is needed, please let me know. I will try to provide it as quickly as possible.
Thank you for your time and consideration regarding this issue. I look forward to any feedback or assistance you may provide.
Best regards
Tobias
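
The check behind x509lint's "Algorithm parameter present" message, as an added example (not part of the original report and not phpseclib or x509lint code): RFC 5758 requires the parameters field to be omitted for the ecdsa-with-SHA2 identifiers, and this walks a certificate's two AlgorithmIdentifiers and flags any that carry one. The function names and the skeleton sample certificate are constructed for illustration; the skeleton holds only the fields the check reads.

```python
import base64

# DER-encoded OID bodies of the ECDSA-with-SHA2 signature algorithms.
ECDSA_OIDS = {
    bytes.fromhex("2a8648ce3d040301"): "ecdsa-with-SHA224",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
    bytes.fromhex("2a8648ce3d040303"): "ecdsa-with-SHA384",
    bytes.fromhex("2a8648ce3d040304"): "ecdsa-with-SHA512",
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, start, end) triples directly inside a constructed element."""
    out, pos = [], start
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos)
        if ce > end:
            raise ValueError("child overruns its parent")
        out.append((tag, cs, ce))
        pos = ce
    return out

def pem_to_der(pem):
    """Strip the PEM armour lines and decode the base64 body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def ecdsa_parameter_findings(der):
    """Report ECDSA AlgorithmIdentifiers in a certificate that carry parameters."""
    tag, cs, ce = read_tlv(der, 0)
    top = children(der, cs, ce)
    if tag != 0x30 or len(top) != 3:
        raise ValueError("not a Certificate SEQUENCE")
    tbs = children(der, top[0][1], top[0][2])
    idx = 1 if tbs and tbs[0][0] == 0xA0 else 0  # skip optional [0] version
    if len(tbs) < idx + 2:
        raise ValueError("tbsCertificate too short")
    findings = []
    # tbsCertificate.signature follows serialNumber; signatureAlgorithm is top[1].
    for where, (_, s, e) in (("tbsCertificate.signature", tbs[idx + 1]),
                             ("signatureAlgorithm", top[1])):
        parts = children(der, s, e)
        if not parts or parts[0][0] != 0x06:
            raise ValueError(where + ": missing algorithm OID")
        name = ECDSA_OIDS.get(der[parts[0][1]:parts[0][2]])
        if name and len(parts) > 1:
            findings.append("%s: %s carries parameters (tag 0x%02x)"
                            % (where, name, parts[1][0]))
    return findings

def tlv(tag, content):
    """Minimal DER encoder used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(with_null):
    """Constructed skeleton: version, serial, AlgorithmIdentifier, dummy signature."""
    oid = tlv(0x06, bytes.fromhex("2a8648ce3d040302"))
    alg = tlv(0x30, oid + (b"\x05\x00" if with_null else b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x00" * 8))

if __name__ == "__main__":
    for label, der in (("NULL present", sample_cert(True)),
                       ("parameters absent", sample_cert(False))):
        print(label, ecdsa_parameter_findings(der) or "ok")
```

To run it on a real certificate, pass the file's text through `pem_to_der` first; the parser handles only the single-byte tags that appear at these positions in an X.509 certificate.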