O Mozilla NSS não aceita certificado com assinatura “PKCS # 1 SHA-256 com RSA Encryption”

1

No Centos 7.2 O certutil NSS e outras ferramentas usando bibliotecas NSS rejeitam meu certificado com a mensagem certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.

Eu criei meu próprio certificado raiz e certificado intermediário usando o OpenSSL 0.9.8zh no Mac OS X. Todas as chaves privadas são RSA de 4096 bits e o resumo da mensagem é SHA256. A configuração da autoridade de certificação é basicamente copiada daqui: link

Em seguida, criei chave privada para o servidor usando o certutil no Centos e o assinei usando o intermediário ca novamente no OS X. Eu importei o certificado do servidor, o certificado intermediário e o certificado raiz para o servidor usando o certutil.

Agora, certutil mostra corretamente o certificado:

# certutil -d . -L -n server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4098 (0x1002)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "Redacted"
        Validity:
            Not Before: Tue Aug 09 06:23:57 2016
            Not After : Wed Aug 09 06:23:57 2017
        Subject: "CN=ldap-qa1.example.com,OU=redacted"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c6:14:ae:37:fe:48:70:58:0c:29:c1:dc:97:0d:4d:b5:
                    e0:d4:04:4a:31:43:ae:c9:81:b9:e4:6a:e5:cf:c3:dc:
                    f5:f2:79:ef:85:3e:20:cc:ac:0c:31:85:3f:b2:05:ab:
                    01:82:ea:66:de:1f:62:68:de:59:f2:73:ff:ea:1b:95:
                    8c:7a:24:a6:1b:4d:87:45:95:cc:72:0d:d1:6c:8b:f6:
                    63:6d:24:43:f0:a9:12:1d:4a:b6:3b:f1:0e:7f:c7:e8:
                    90:e4:0e:08:77:a2:dc:9c:1a:53:2e:e0:74:0b:42:6d:
                    79:da:2d:2b:de:8b:91:8d:51:fb:f4:f7:8d:83:4d:07:
                    e3:ff:4b:22:1d:4f:7f:0b:80:cf:92:1a:3a:64:e3:a4:
                    f0:b3:fc:fc:0d:ac:87:83:0c:ed:7f:74:6f:fb:b5:53:
                    8e:39:de:2c:69:74:68:d9:15:59:f7:5e:6b:50:8a:b8:
                    72:52:d5:e0:3e:be:e6:2a:32:a7:14:a7:e0:07:06:5b:
                    1c:f0:86:3b:66:0b:2e:c2:9b:d8:f0:c3:e4:78:ab:a0:
                    2d:00:12:d3:60:4c:5e:0d:e1:5c:16:37:e8:f8:26:3b:
                    9c:72:34:42:ca:99:36:6b:57:c9:9b:89:98:b9:61:ae:
                    d3:da:ff:a4:d1:be:58:34:bc:52:99:fb:6a:2d:9a:03:
                    4d:01:80:b7:98:04:ff:a7:c3:3a:47:99:e0:2a:72:ae:
                    1a:a3:59:54:70:3d:09:eb:0c:d4:22:36:c2:fd:bf:dd:
                    0e:01:62:9c:30:64:f9:b1:ed:bb:83:49:4e:f7:03:85:
                    57:27:e5:7c:3d:aa:a4:d4:3e:3d:ce:5f:c0:9a:a5:6c:
                    52:03:21:7a:69:b0:e7:49:e9:ae:6d:8a:82:f7:ca:3a:
                    bd:65:fa:63:de:3c:7e:aa:23:4b:e1:c8:a5:e6:a5:28:
                    0b:f1:31:04:9b:5a:ea:a3:52:73:e5:78:34:61:35:4f:
                    a5:5e:2b:18:df:eb:a5:de:da:f3:f9:c4:04:c1:68:e7:
                    42:71:ca:79:3a:2a:a6:7d:d4:62:88:e6:12:29:05:8e:
                    39:b5:50:90:8d:6d:d1:8c:66:33:0e:e8:1a:33:e6:fb:
                    bd:6a:0f:14:c8:7a:de:4d:06:a2:f9:1a:3d:e1:65:87:
                    ed:0c:e3:b9:62:d4:46:94:d6:75:75:f3:f8:f4:76:7f:
                    23:55:4c:70:a9:ba:d8:46:71:78:72:c4:cd:36:60:3d:
                    ee:2e:f0:f9:8c:e4:4b:24:7d:07:25:3d:6d:f1:1d:9c:
                    f8:40:ea:cf:3d:bd:53:d8:db:bd:fe:50:7a:76:52:2f:
                    04:d2:b7:71:bb:96:27:5c:7a:6d:f1:7f:08:2c:77:2f
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Type
            Data: <SSL Server>

            Name: Certificate Comment
            Comment: "OpenSSL Generated Server Certificate"

            Name: Certificate Subject Key ID
            Data:
                a9:c0:d6:bd:65:e5:1e:c3:d5:78:ed:e7:9d:2e:d6:0f:
                1f:07:d7:31

            Name: Certificate Authority Key Identifier
            Key ID:
                96:ed:bb:e3:7f:9c:b9:7e:dd:41:75:ce:46:83:99:4b:
                82:38:1c:f8
            Issuer: 
                Directory Name: "redacted"
            Serial Number: 4096 (0x1000)

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        24:5d:32:73:ce:da:94:57:30:86:43:de:c4:71:5b:dd:
        f8:c6:e1:62:d9:48:da:eb:e7:38:95:57:f2:24:5a:15:
        c1:cf:19:a8:a7:c1:02:93:9b:f5:df:c6:a1:65:42:64:
        70:f3:43:bb:6e:be:a5:e3:7a:26:2f:42:82:ba:bc:a4
    Fingerprint (SHA-256):
        00:88:D1:EC:4D:E0:2F:22:53:76:6C:69:82:1C:8F:59:87:A5:E7:C3:C8:7B:04:ED:63:B4:2A:E3:73:BD:B3:BB
    Fingerprint (SHA1):
        2B:0B:D1:8E:C0:CB:9B:D2:29:EC:E4:C2:03:97:2B:AF:2C:9E:E9:51

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Mas a tentativa de validar o certificado falha:

# certutil -d . -V -n server-cert -u V -e 
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.

A validação do certificado intermediário e raiz funciona conforme o esperado.

A versão do nss é nss-3.21.0-9.el7_2.x86_64

Você consegue identificar algo incorreto no certificado ou isso pode ser um bug no nss?

EDIT: aparentemente o certificado não foi criado corretamente. Criando-o novamente com parâmetros diferentes e uma ferramenta diferente resolveu o problema.

    
por Kimmo Ahokas 10.08.2016 / 08:44

0 respostas