Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
cacert.pem includes two malformed Trustwave certificates
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 21 Jun 2022 10:30:37 -0400
Hi Everyone/Daniel,
It appears cacert.pem includes two malformed Trustwave certificates.
We encountered the issue testing some C++ code against cacert.pem (to
ensure all certs could be parsed without error). The Trustwave
certificates were identified and then tested against Gutmann's
dumpasn1. The certificates produced an error with dumpasn1, too:
479 15: SEQUENCE {
481 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
486 1: BOOLEAN TRUE
489 5: OCTET STRING, encapsulates {
491 3: BIT STRING 7 unused bits
: '001100000'B
: Error: Spurious zero bits in bitstring.
: }
: }
It appears the Trustwave certs are using two octets for keyUsage
instead of one. The first octet is keyUsage, the second octet is 0.
ASN.1 octets are labeled bits 8 to 1 starting left (msb) and moving
right (lsb). The two octets means the bits are 16...1. When one
inspects the bits per RFC 5280 Section 4.2.1.3, like bit 0 is
digitalSignature, the low order bits are all 0 so key usage is
effectively 'none'.
Here are the certs:
Trustwave Global ECC P256 Certification Authority
=================================================
-----BEGIN CERTIFICATE-----
MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYDVQQGEwJVUzER
MA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBI
b2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRy
dXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1
NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH77bOYj
43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoNFWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqm
P62jQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt
0UrrdaVKEJmzsaGLSvcwCgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjz
RM4q3wghDDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7
-----END CERTIFICATE-----
Trustwave Global ECC P384 Certification Authority
=================================================
-----BEGIN CERTIFICATE-----
MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYDVQQGEwJVUzER
MA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBI
b2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRy
dXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDM4
NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGvaDXU1CDFH
Ba5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJj9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr
/TklZvFe/oyujUF5nQlgziip04pt89ZF1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNV
HQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNn
ADBkAjA3AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsCMGcl
CrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVuSw==
-----END CERTIFICATE-----
Here is a dump of the first certificate:
$ openssl x509 -in trustwave-1.pem -inform PEM -out trustwave-1.der -outform DER
$ dumpasn1 trustwave-1.der
0 608: SEQUENCE {
4 519: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 12: INTEGER 0D 6A 5F 08 3F 28 5C 3E 51 95 DF 5D
27 10: SEQUENCE {
29 8: OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
: }
39 145: SEQUENCE {
42 11: SET {
44 9: SEQUENCE {
46 3: OBJECT IDENTIFIER countryName (2 5 4 6)
51 2: PrintableString 'US'
: }
: }
55 17: SET {
57 15: SEQUENCE {
59 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
64 8: PrintableString 'Illinois'
: }
: }
74 16: SET {
76 14: SEQUENCE {
78 3: OBJECT IDENTIFIER localityName (2 5 4 7)
83 7: PrintableString 'Chicago'
: }
: }
92 33: SET {
94 31: SEQUENCE {
96 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
101 24: PrintableString 'Trustwave Holdings, Inc.'
: }
: }
127 58: SET {
129 56: SEQUENCE {
131 3: OBJECT IDENTIFIER commonName (2 5 4 3)
136 49: PrintableString
: 'Trustwave Global ECC P256 Certification Authorit'
: 'y'
: }
: }
: }
187 30: SEQUENCE {
189 13: UTCTime 23/08/2017 19:35:10 GMT
204 13: UTCTime 23/08/2042 19:35:10 GMT
: }
219 145: SEQUENCE {
222 11: SET {
224 9: SEQUENCE {
226 3: OBJECT IDENTIFIER countryName (2 5 4 6)
231 2: PrintableString 'US'
: }
: }
235 17: SET {
237 15: SEQUENCE {
239 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
244 8: PrintableString 'Illinois'
: }
: }
254 16: SET {
256 14: SEQUENCE {
258 3: OBJECT IDENTIFIER localityName (2 5 4 7)
263 7: PrintableString 'Chicago'
: }
: }
272 33: SET {
274 31: SEQUENCE {
276 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
281 24: PrintableString 'Trustwave Holdings, Inc.'
: }
: }
307 58: SET {
309 56: SEQUENCE {
311 3: OBJECT IDENTIFIER commonName (2 5 4 3)
316 49: PrintableString
: 'Trustwave Global ECC P256 Certification Authorit'
: 'y'
: }
: }
: }
367 89: SEQUENCE {
369 19: SEQUENCE {
371 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
380 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
: }
390 66: BIT STRING
: 04 7E FB 6C E6 23 E3 73 32 08 CA 60 E6 53 9C BA
: 74 8D 18 B0 78 90 52 80 DD 38 C0 4A 1D D1 A8 CC
: 93 A4 97 06 38 CA 0D 15 62 C6 8E 01 2A 65 9D AA
: DF 34 91 2E 81 C1 E4 33 92 31 C4 FD 09 3A A6 3F
: AD
: }
458 67: [3] {
460 65: SEQUENCE {
462 15: SEQUENCE {
464 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
469 1: BOOLEAN TRUE
472 5: OCTET STRING, encapsulates {
474 3: SEQUENCE {
476 1: BOOLEAN TRUE
: }
: }
: }
479 15: SEQUENCE {
481 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
486 1: BOOLEAN TRUE
489 5: OCTET STRING, encapsulates {
491 3: BIT STRING 7 unused bits
: '001100000'B
: Error: Spurious zero bits in bitstring.
: }
: }
496 29: SEQUENCE {
498 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
503 22: OCTET STRING, encapsulates {
505 20: OCTET STRING
: A3 41 06 AC 90 6D D1 4A EB 75 A5 4A 10 99 B3 B1
: A1 8B 4A F7
: }
: }
: }
: }
: }
527 10: SEQUENCE {
529 8: OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
: }
539 71: BIT STRING, encapsulates {
542 68: SEQUENCE {
544 32: INTEGER
: 07 E6 54 DA 0E A0 5A B2 AE 11 9F 87 C5 B6 FF 69
: DE 25 BE F8 A0 B7 08 F3 44 CE 2A DF 08 21 0C 37
578 32: INTEGER
: 2D 26 03 A0 05 BD 6B D1 F6 5C F8 65 CC 86 6D B3
: 9C 34 48 63 84 09 C5 8D 77 1A E2 CC 9C E1 74 7B
: }
: }
: }
0 warnings, 1 error.
Finally, thanks to _at_chazzmcdaniels on GitHub for reporting the issue.
Jeff
Date: Tue, 21 Jun 2022 10:30:37 -0400
Hi Everyone/Daniel,
It appears cacert.pem includes two malformed Trustwave certificates.
We encountered the issue testing some C++ code against cacert.pem (to
ensure all certs could be parsed without error). The Trustwave
certificates were identified and then tested against Gutmann's
dumpasn1. The certificates produced an error with dumpasn1, too:
479 15: SEQUENCE {
481 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
486 1: BOOLEAN TRUE
489 5: OCTET STRING, encapsulates {
491 3: BIT STRING 7 unused bits
: '001100000'B
: Error: Spurious zero bits in bitstring.
: }
: }
It appears the Trustwave certs are using two octets for keyUsage
instead of one. The first octet is keyUsage, the second octet is 0.
ASN.1 octets are labeled bits 8 to 1 starting left (msb) and moving
right (lsb). The two octets means the bits are 16...1. When one
inspects the bits per RFC 5280 Section 4.2.1.3, like bit 0 is
digitalSignature, the low order bits are all 0 so key usage is
effectively 'none'.
Here are the certs:
Trustwave Global ECC P256 Certification Authority
=================================================
-----BEGIN CERTIFICATE-----
MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYDVQQGEwJVUzER
MA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBI
b2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRy
dXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDI1
NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH77bOYj
43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoNFWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqm
P62jQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt
0UrrdaVKEJmzsaGLSvcwCgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjz
RM4q3wghDDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7
-----END CERTIFICATE-----
Trustwave Global ECC P384 Certification Authority
=================================================
-----BEGIN CERTIFICATE-----
MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYDVQQGEwJVUzER
MA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0d2F2ZSBI
b2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRy
dXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBFQ0MgUDM4
NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGvaDXU1CDFH
Ba5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJj9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr
/TklZvFe/oyujUF5nQlgziip04pt89ZF1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNV
HQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNn
ADBkAjA3AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsCMGcl
CrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVuSw==
-----END CERTIFICATE-----
Here is a dump of the first certificate:
$ openssl x509 -in trustwave-1.pem -inform PEM -out trustwave-1.der -outform DER
$ dumpasn1 trustwave-1.der
0 608: SEQUENCE {
4 519: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 12: INTEGER 0D 6A 5F 08 3F 28 5C 3E 51 95 DF 5D
27 10: SEQUENCE {
29 8: OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
: }
39 145: SEQUENCE {
42 11: SET {
44 9: SEQUENCE {
46 3: OBJECT IDENTIFIER countryName (2 5 4 6)
51 2: PrintableString 'US'
: }
: }
55 17: SET {
57 15: SEQUENCE {
59 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
64 8: PrintableString 'Illinois'
: }
: }
74 16: SET {
76 14: SEQUENCE {
78 3: OBJECT IDENTIFIER localityName (2 5 4 7)
83 7: PrintableString 'Chicago'
: }
: }
92 33: SET {
94 31: SEQUENCE {
96 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
101 24: PrintableString 'Trustwave Holdings, Inc.'
: }
: }
127 58: SET {
129 56: SEQUENCE {
131 3: OBJECT IDENTIFIER commonName (2 5 4 3)
136 49: PrintableString
: 'Trustwave Global ECC P256 Certification Authorit'
: 'y'
: }
: }
: }
187 30: SEQUENCE {
189 13: UTCTime 23/08/2017 19:35:10 GMT
204 13: UTCTime 23/08/2042 19:35:10 GMT
: }
219 145: SEQUENCE {
222 11: SET {
224 9: SEQUENCE {
226 3: OBJECT IDENTIFIER countryName (2 5 4 6)
231 2: PrintableString 'US'
: }
: }
235 17: SET {
237 15: SEQUENCE {
239 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
244 8: PrintableString 'Illinois'
: }
: }
254 16: SET {
256 14: SEQUENCE {
258 3: OBJECT IDENTIFIER localityName (2 5 4 7)
263 7: PrintableString 'Chicago'
: }
: }
272 33: SET {
274 31: SEQUENCE {
276 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
281 24: PrintableString 'Trustwave Holdings, Inc.'
: }
: }
307 58: SET {
309 56: SEQUENCE {
311 3: OBJECT IDENTIFIER commonName (2 5 4 3)
316 49: PrintableString
: 'Trustwave Global ECC P256 Certification Authorit'
: 'y'
: }
: }
: }
367 89: SEQUENCE {
369 19: SEQUENCE {
371 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
380 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
: }
390 66: BIT STRING
: 04 7E FB 6C E6 23 E3 73 32 08 CA 60 E6 53 9C BA
: 74 8D 18 B0 78 90 52 80 DD 38 C0 4A 1D D1 A8 CC
: 93 A4 97 06 38 CA 0D 15 62 C6 8E 01 2A 65 9D AA
: DF 34 91 2E 81 C1 E4 33 92 31 C4 FD 09 3A A6 3F
: AD
: }
458 67: [3] {
460 65: SEQUENCE {
462 15: SEQUENCE {
464 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
469 1: BOOLEAN TRUE
472 5: OCTET STRING, encapsulates {
474 3: SEQUENCE {
476 1: BOOLEAN TRUE
: }
: }
: }
479 15: SEQUENCE {
481 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
486 1: BOOLEAN TRUE
489 5: OCTET STRING, encapsulates {
491 3: BIT STRING 7 unused bits
: '001100000'B
: Error: Spurious zero bits in bitstring.
: }
: }
496 29: SEQUENCE {
498 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
503 22: OCTET STRING, encapsulates {
505 20: OCTET STRING
: A3 41 06 AC 90 6D D1 4A EB 75 A5 4A 10 99 B3 B1
: A1 8B 4A F7
: }
: }
: }
: }
: }
527 10: SEQUENCE {
529 8: OBJECT IDENTIFIER ecdsaWithSHA256 (1 2 840 10045 4 3 2)
: }
539 71: BIT STRING, encapsulates {
542 68: SEQUENCE {
544 32: INTEGER
: 07 E6 54 DA 0E A0 5A B2 AE 11 9F 87 C5 B6 FF 69
: DE 25 BE F8 A0 B7 08 F3 44 CE 2A DF 08 21 0C 37
578 32: INTEGER
: 2D 26 03 A0 05 BD 6B D1 F6 5C F8 65 CC 86 6D B3
: 9C 34 48 63 84 09 C5 8D 77 1A E2 CC 9C E1 74 7B
: }
: }
: }
0 warnings, 1 error.
Finally, thanks to _at_chazzmcdaniels on GitHub for reporting the issue.
Jeff
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2022-06-21