Message 333224 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes, pervlad, vstinner
Date	2019-01-08.11:45:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1546947902.31.0.671854035842.issue35665@roundup.psfhosted.org>
In-reply-to

Content
I also checked how other implementations deal with invalid DER encoding. NSS 3.41, Firefox, and Chromium accept the certifiate. NSS shows the serial number as "102 (0x66)" Firefox and Chromium display the serial number as "00:00:00:66". $ echo "password" > passwd $ certutil -d . -f passwd -N $ certutil -d . -f passwd -A -n ca -i ../ca.pem -t C,C,C $ certutil -d . -L -n ca Certificate: Data: Version: 3 (0x2) Serial Number: 102 (0x66) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "C=RS,L=Beograd,O=MUP Republike Srbije,CN=MUPCA Root" Validity: Not Before: Sat Feb 27 16:19:18 2010 Not After : Thu Feb 27 16:19:18 2020 Subject: "C=Re...,L=Beograd,O=MUP Republike Srbije,CN=MUPCA Resursi" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: ea:69:46:bc:c7:70:00:d5:f5:32:8d:c7:4e:ad:3a:a5: d3:29:7e:a2:46:12:a9:dd:57:75:b1:49:95:80:20:ed: 9b:68:6b:e3:c5:55:d8:64:15:68:42:ab:a3:f7:c0:96: 37:08:51:cb:05:ca:b5:99:f6:07:a6:8b:f2:cd:d2:f5: d6:16:12:da:bf:a8:0b:9c:45:5d:ac:79:1d:a8:67:47: ee:7f:83:40:f8:58:00:d5:dd:c4:c9:52:1b:d2:f4:ce: e1:fa:8a:66:d3:18:86:1e:ea:fc:0a:8b:b5:ec:49:cd: 86:bf:8b:7e:b0:61:81:ec:ea:99:4f:64:82:96:93:9d: ab:80:7d:a7:27:65:00:d4:12:26:98:45:64:7e:76:0b: 98:ff:16:50:49:0c:45:20:82:ce:2e:23:a2:65:3a:b7: 44:cd:51:00:d9:bf:e3:1f:de:23:1d:57:e9:32:c3:55: f0:24:af:d4:cf:cd:9e:77:1f:19:7e:1c:03:5b:7a:e4: 75:84:3b:d4:1d:e9:23:d6:8c:f2:8f:b2:0d:e3:79:df: 9e:03:1e:0e:15:5b:7b:0c:dd:6e:4d:82:86:5a:63:79: 64:b5:07:79:dd:fd:08:e3:d6:cb:60:01:fd:82:11:59: 2c:8d:22:f8:f9:91:59:b1:cd:12:7b:39:6d:08:82:5d Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Basic Constraints Critical: True Data: Is a CA with no maximum path length. Name: Certificate Key Usage Critical: True Usages: Certificate Signing CRL Signing Name: Authority Information Access Method: PKIX CA issuers access method Location: URI: "http://ca.mup.gov.rs/MUPCARoot.crt" Name: Certificate Subject Key ID Data: cb:f9:00:a9:b7:b6:c1:6f:44:43:d0:22:ad:fc:0e:6e: cc:8f:f6:0f Name: Certificate Authority Key Identifier Key ID: 3f:66:b0:0f:66:fb:f0:10:2e:61:a4:6f:ef:2c:95:8a: 14:72:6f:71 Name: CRL Distribution Points Distribution point: URI: "http://ca.mup.gov.rs/MUPCARoot.crl" Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

I also checked how other implementations deal with invalid DER encoding. NSS 3.41, Firefox, and Chromium accept the certifiate.

NSS shows the serial number as "102 (0x66)"
Firefox and Chromium display the serial number as "00:00:00:66".

$ echo "password" > passwd
$ certutil -d . -f passwd -N
$ certutil -d . -f passwd -A -n ca -i ../ca.pem -t C,C,C
$ certutil -d . -L -n ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 102 (0x66)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "C=RS,L=Beograd,O=MUP Republike Srbije,CN=MUPCA Root"
        Validity:
            Not Before: Sat Feb 27 16:19:18 2010
            Not After : Thu Feb 27 16:19:18 2020
        Subject: "C=Re...,L=Beograd,O=MUP Republike Srbije,CN=MUPCA Resursi"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ea:69:46:bc:c7:70:00:d5:f5:32:8d:c7:4e:ad:3a:a5:
                    d3:29:7e:a2:46:12:a9:dd:57:75:b1:49:95:80:20:ed:
                    9b:68:6b:e3:c5:55:d8:64:15:68:42:ab:a3:f7:c0:96:
                    37:08:51:cb:05:ca:b5:99:f6:07:a6:8b:f2:cd:d2:f5:
                    d6:16:12:da:bf:a8:0b:9c:45:5d:ac:79:1d:a8:67:47:
                    ee:7f:83:40:f8:58:00:d5:dd:c4:c9:52:1b:d2:f4:ce:
                    e1:fa:8a:66:d3:18:86:1e:ea:fc:0a:8b:b5:ec:49:cd:
                    86:bf:8b:7e:b0:61:81:ec:ea:99:4f:64:82:96:93:9d:
                    ab:80:7d:a7:27:65:00:d4:12:26:98:45:64:7e:76:0b:
                    98:ff:16:50:49:0c:45:20:82:ce:2e:23:a2:65:3a:b7:
                    44:cd:51:00:d9:bf:e3:1f:de:23:1d:57:e9:32:c3:55:
                    f0:24:af:d4:cf:cd:9e:77:1f:19:7e:1c:03:5b:7a:e4:
                    75:84:3b:d4:1d:e9:23:d6:8c:f2:8f:b2:0d:e3:79:df:
                    9e:03:1e:0e:15:5b:7b:0c:dd:6e:4d:82:86:5a:63:79:
                    64:b5:07:79:dd:fd:08:e3:d6:cb:60:01:fd:82:11:59:
                    2c:8d:22:f8:f9:91:59:b1:cd:12:7b:39:6d:08:82:5d
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Certificate Signing
                    CRL Signing

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location: 
                URI: "http://ca.mup.gov.rs/MUPCARoot.crt"

            Name: Certificate Subject Key ID
            Data:
                cb:f9:00:a9:b7:b6:c1:6f:44:43:d0:22:ad:fc:0e:6e:
                cc:8f:f6:0f

            Name: Certificate Authority Key Identifier
            Key ID:
                3f:66:b0:0f:66:fb:f0:10:2e:61:a4:6f:ef:2c:95:8a:
                14:72:6f:71

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ca.mup.gov.rs/MUPCARoot.crl"

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption

History
Date	User	Action	Args
2019-01-08 11:45:04	christian.heimes	set	recipients: + christian.heimes, vstinner, pervlad
2019-01-08 11:45:02	christian.heimes	set	messageid: <1546947902.31.0.671854035842.issue35665@roundup.psfhosted.org>
2019-01-08 11:45:02	christian.heimes	link	issue35665 messages
2019-01-08 11:45:01	christian.heimes	create