Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
On 29. 10. 2010 14:11, Nelson B Bolyard wrote:
> On 2010/10/28 02:14 PDT, Jean-Marc Desperrier wrote:
>> Nelson B Bolyard wrote:
>>> Please don't file a bug without a stack trace showing the crash is in NSS.
>>> [...]
>>> If the back trace shows the crash is not in NSS, but in some other
>>> library, please direct the bug report accordingly.
>>
>> The report is that the crash is inside NSS's certutil, Nelson.
>
> Perhaps I have confused this Matej with another. I understood that Matej
> is developing his own PKCS#11 module, and his report is that NSS's
> certutil crashes when run with his non-NSS PKCS#11 module. The crash may
> well be in that module.
>
> Matej, if I'm confused, feel free to set me straight.

You are right, Nelson.

M. Kurpel
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
On 2010/10/28 02:14 PDT, Jean-Marc Desperrier wrote:
> Nelson B Bolyard wrote:
>> Please don't file a bug without a stack trace showing the crash is in NSS.
>> [...]
>> If the back trace shows the crash is not in NSS, but in some other
>> library, please direct the bug report accordingly.
>
> The report is that the crash is inside NSS's certutil, Nelson.

Perhaps I have confused this Matej with another. I understood that Matej
is developing his own PKCS#11 module, and his report is that NSS's
certutil crashes when run with his non-NSS PKCS#11 module. The crash may
well be in that module.

Matej, if I'm confused, feel free to set me straight.

> As Thunderbird with the same data doesn't crash, it doesn't seem to
> actually be in the library, but even just in an NSS tool, a crash is serious.

Show me that the crash occurred in NSS code, and not in the code of some
PKCS#11 module, and I'll be more convinced. A bug report that says nothing
more than "I ran this program with this other PKCS#11 module and it crashed"
won't yield any desirable results, unless someone happens to say "Oh I saw
that too and fixed it by ...".
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
On 28. 10. 2010 11:14, Jean-Marc Desperrier wrote:
> Nelson B Bolyard wrote:
>> Please don't file a bug without a stack trace showing the crash is in NSS.
>> [...]
>> If the back trace shows the crash is not in NSS, but in some other
>> library, please direct the bug report accordingly.
>
> The report is that the crash is inside NSS's certutil, Nelson.
>
> As Thunderbird with the same data doesn't crash, it doesn't seem to
> actually be in the library, but even just in an NSS tool, a crash is serious.

I would like to file the bug if I had a way to actually obtain the stack
trace. I guess I need to compile a debug version of certutil myself, but
again, I failed doing that and I found no answer to the errors I was getting
from cl.exe. I don't want to get a headache again from all the C++ stuff
which doesn't work as it should when it comes to compilation.

M. Kurpel
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
Nelson B Bolyard wrote:
> Please don't file a bug without a stack trace showing the crash is in NSS.
> [...]
> If the back trace shows the crash is not in NSS, but in some other
> library, please direct the bug report accordingly.

The report is that the crash is inside NSS's certutil, Nelson.

As Thunderbird with the same data doesn't crash, it doesn't seem to
actually be in the library, but even just in an NSS tool, a crash is serious.
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
On 2010-10-26 05:07 PDT, Jean-Marc Desperrier wrote:
> Matej Kurpel wrote:
>> However, how does a printable string differ from utf8string (and other
>> strings, particularly ia5string) when there are no non-ascii characters?
>> Do you think it's a bug in NSS...?
>
> printable string basically allows only the alphabet and numeric
> characters. ia5string allows all of 7-bit ASCII.
> For both, any character with the eighth bit set will be invalid.
>
> A crash when meeting invalid data is always a bug, especially for a
> security tool. Even if here it seems to only be a bug inside the certutil
> tool, not inside the NSS library components themselves.

Please don't file a bug without a stack trace showing the crash is in NSS.

When your program crashes, it should create a file named "core" or "core.X"
(where X is a number that varies). You run the gdb debugger pointing it to
the executable and the core file, and give it the command "bt" (Back Trace),
and it does the rest.

If the back trace shows the crash is not in NSS, but in some other
library, please direct the bug report accordingly.

--
/Nelson Bolyard
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
Matej Kurpel wrote:
> However, how does a printable string differ from utf8string (and other
> strings, particularly ia5string) when there are no non-ascii characters?
> Do you think it's a bug in NSS...?

printable string basically allows only the alphabet and numeric
characters. ia5string allows all of 7-bit ASCII.
For both, any character with the eighth bit set will be invalid.

A crash when meeting invalid data is always a bug, especially for a
security tool. Even if here it seems to only be a bug inside the certutil
tool, not inside the NSS library components themselves.
Re: Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
On 26. 10. 2010 10:43, Jean-Marc Desperrier wrote:
> Matej Kurpel wrote:
>> In the Type field for S:, O:, OU: and CN: I always provided 0x0c which
>> is utf-8 string, but in the certificate there was 0x13 - printable
>> string. After I changed it - voila, it's working in Thunderbird, and
>> certutil doesn't crash anymore.
>
> It sounds like a serious bug. Could you open it in bugzilla, with NSS
> tools as the component?

Just to recap: it was my fault that I provided the wrong Type fields - other
ones than those that were physically in the certificate. In the CKA_VALUE I
provided all certificate bytes and in CKA_ISSUER and CKA_SUBJECT I provided
my own DER-encoded values with the wrong Type fields.

However, how does a printable string differ from utf8string (and other
strings, particularly ia5string) when there are no non-ascii characters?
Do you think it's a bug in NSS...?

M. Kurpel
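Added example, not code from NSS or from the PKCS#11 module discussed in this thread: a small DER Name encoder/parser that ties Jean-Marc's explanation of PrintableString, IA5String and UTF8String to the CKA_SUBJECT/CKA_ISSUER mismatch Matej recaps above. The same text under tag 0x0c and under tag 0x13 produces different bytes, and a PKCS#11 C_FindObjects template matches attribute values byte for byte, so a token object whose CKA_SUBJECT was re-encoded with a different string tag never matches the certificate's own Name. The attribute OIDs, the sample subject and the helper names are constructed for this example.

```python
"""Added example (not NSS or the poster's PKCS#11 module code): show why a CKA_SUBJECT or
CKA_ISSUER blob tagged UTF8String (0x0c) never byte-matches a cert Name tagged PrintableString (0x13)."""
PRINTABLE_STRING, UTF8_STRING, IA5_STRING = 0x13, 0x0C, 0x16
TAG_NAMES = {PRINTABLE_STRING: "PrintableString", UTF8_STRING: "UTF8String", IA5_STRING: "IA5String"}
# PrintableString alphabet per X.680: letters, digits, space and a few punctuation marks.
_PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
# Attribute OIDs behind the thread's S:, O:, OU: and CN: fields (2.5.4.8, .10, .11 and .3).
OID = {"S": b"\x55\x04\x08", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def encode_name(attrs, string_tag):
    """Build a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) with one string tag."""
    rdns = b""
    for attr_type, text in attrs:
        atv = tlv(0x30, tlv(0x06, OID[attr_type]) + tlv(string_tag, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def parse_name(der):
    """Flatten a DER Name into [(oid_bytes, string_tag, text), ...]."""
    tag, rdn_seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn_set):
            _, atv, p = read_tlv(rdn_set, p)
            _, oid, q = read_tlv(atv, 0)
            value_tag, value, _ = read_tlv(atv, q)
            out.append((oid, value_tag, value.decode("utf-8")))
    return out

def value_valid_for_tag(tag, text):
    """Is `text` legal under this ASN.1 string tag? (UTF8String accepts any text.)"""
    if tag == PRINTABLE_STRING:
        return all(c in _PRINTABLE for c in text)
    if tag == IA5_STRING:
        return all(ord(c) < 0x80 for c in text)
    return tag == UTF8_STRING

def compare_names(cert_name, token_name):
    """Explain why a token's CKA_SUBJECT/CKA_ISSUER does not byte-match the cert's Name."""
    if cert_name == token_name:
        return []  # C_FindObjects compares attribute bytes exactly; this is the only match
    problems = []
    for (oid, tag_a, text_a), (_, tag_b, text_b) in zip(parse_name(cert_name), parse_name(token_name)):
        if tag_a != tag_b:
            problems.append(f"{oid.hex()}: cert tag {TAG_NAMES.get(tag_a, hex(tag_a))}, "
                            f"token tag {TAG_NAMES.get(tag_b, hex(tag_b))}")
        elif text_a != text_b:
            problems.append(f"{oid.hex()}: text differs ({text_a!r} vs {text_b!r})")
    return problems or ["attribute count or encoding differs outside the parsed values"]

# Constructed sample: the certificate carries PrintableString, the module emitted UTF8String.
SAMPLE_ATTRS = [("CN", "Matej Kurpel"), ("O", "Mekova CA")]
CERT_SUBJECT = encode_name(SAMPLE_ATTRS, PRINTABLE_STRING)
TOKEN_SUBJECT = encode_name(SAMPLE_ATTRS, UTF8_STRING)
```

Running compare_names(CERT_SUBJECT, TOKEN_SUBJECT) lists one tag mismatch per attribute; the fix in the thread was to copy the Name bytes out of the certificate rather than re-encoding them with a chosen tag.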
Invalid certificate encoding crashing certutil [Re: Thunderbird: "Could not verify this certificate for unknown reasons"]
Matej Kurpel wrote:
> In the Type field for S:, O:, OU: and CN: I always provided 0x0c which
> is utf-8 string, but in the certificate there was 0x13 - printable
> string. After I changed it - voila, it's working in Thunderbird, and
> certutil doesn't crash anymore.

It sounds like a serious bug. Could you open it in bugzilla, with NSS
tools as the component?
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 25. 10. 2010 12:16, Matej Kurpel wrote:
> On 24. 10. 2010 20:59, Nelson B Bolyard wrote:
>> On 2010-10-24 02:12 PDT, Matej Kurpel wrote:
>> [snip]
>>> You can clearly see both my CA and user certificates. Certutil has used
>>> my PKCS#11 module to obtain my user certificate. Then I launched the
>>> second command you were suggesting:
>>>
>>> certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"
>>>
>>> Now it popped up a message that certutil.exe has stopped working. From
>>> my PKCS11-spy logs it's apparent that it searched for the certificate,
>>> found it, got some of its attributes, and then searched for a private
>>> key belonging to this certificate (and found it): FindObjectsInit -
>>> FindObjects - FindObjectsFinal. That's all it did and then crashed.
>>> Looks like something is wrong with my certificate but how can I check it
>>> when certutil is crashing?
>>
>> Maybe something is wrong with your PKCS#11 module, or maybe something is
>> wrong with certutil. What does the stack backtrace from the crash show you?
>
> Hey, excuse my n00b-ness :) but I don't know how to get the stack trace.
> I wanted to create the certutil project in VC++ and compile and debug it
> there but I couldn't find a header file "prcpucfg.h" which, according to
> google, had yet to be generated by make (grrr...). So I went to compile
> NSS myself. I did everything according to this page:
> http://www.mozilla.org/projects/security/pki/nss/buildnss_32.html
> But after launching the final step, "gmake nss_build_all", all I get are
> some errors:
>
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> cl : Command line warning D9002 : ignoring unknown option '-ne'
> cl : Command line warning D9024 : unrecognized source file type '2>&1', object file assumed
> cl : Command line warning D9024 : unrecognized source file type '|', object file assumed
> cl : Command line warning D9024 : unrecognized source file type 'sed', object file assumed
> cl : Command line warning D9024 : unrecognized source file type 's|.* \([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p', object file assumed
> gmake: *** No rule to make target `ns_build_all'. Stop.
>
> Google provides no solutions. I am starting to tear my hair out when it
> comes to these annoying troubles with compiling and all the C/C++ stuff,
> when nothing works as it should. Please help me :(
>
> M. Kurpel

Aaah, well... Now in the evening I looked at the certificate in binary and
my issuer and subject DER output from the token and there were differences.
In the Type field for S:, O:, OU: and CN: I always provided 0x0c which is
utf-8 string, but in the certificate there was 0x13 - printable string.
After I changed it - voila, it's working in Thunderbird, and certutil
doesn't crash anymore.

Thanks for your willingness to help, Nelson, it's really appreciated.

M. Kurpel
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 24. 10. 2010 20:59, Nelson B Bolyard wrote:
> On 2010-10-24 02:12 PDT, Matej Kurpel wrote:
> [snip]
>> You can clearly see both my CA and user certificates. Certutil has used
>> my PKCS#11 module to obtain my user certificate. Then I launched the
>> second command you were suggesting:
>>
>> certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"
>>
>> Now it popped up a message that certutil.exe has stopped working. From
>> my PKCS11-spy logs it's apparent that it searched for the certificate,
>> found it, got some of its attributes, and then searched for a private
>> key belonging to this certificate (and found it): FindObjectsInit -
>> FindObjects - FindObjectsFinal. That's all it did and then crashed.
>> Looks like something is wrong with my certificate but how can I check it
>> when certutil is crashing?
>
> Maybe something is wrong with your PKCS#11 module, or maybe something is
> wrong with certutil. What does the stack backtrace from the crash show you?

Hey, excuse my n00b-ness :) but I don't know how to get the stack trace.
I wanted to create the certutil project in VC++ and compile and debug it
there but I couldn't find a header file "prcpucfg.h" which, according to
google, had yet to be generated by make (grrr...). So I went to compile
NSS myself. I did everything according to this page:
http://www.mozilla.org/projects/security/pki/nss/buildnss_32.html
But after launching the final step, "gmake nss_build_all", all I get are
some errors:

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

cl : Command line warning D9002 : ignoring unknown option '-ne'
cl : Command line warning D9024 : unrecognized source file type '2>&1', object file assumed
cl : Command line warning D9024 : unrecognized source file type '|', object file assumed
cl : Command line warning D9024 : unrecognized source file type 'sed', object file assumed
cl : Command line warning D9024 : unrecognized source file type 's|.* \([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p', object file assumed
gmake: *** No rule to make target `ns_build_all'. Stop.

Google provides no solutions. I am starting to tear my hair out when it
comes to these annoying troubles with compiling and all the C/C++ stuff,
when nothing works as it should. Please help me :(

M. Kurpel
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 2010-10-24 02:12 PDT, Matej Kurpel wrote:
[snip]
> You can clearly see both my CA and user certificates. Certutil has used
> my PKCS#11 module to obtain my user certificate. Then I launched the
> second command you were suggesting:
>
> certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"
>
> Now it popped up a message that certutil.exe has stopped working. From
> my PKCS11-spy logs it's apparent that it searched for the certificate,
> found it, got some of its attributes, and then searched for a private
> key belonging to this certificate (and found it): FindObjectsInit -
> FindObjects - FindObjectsFinal. That's all it did and then crashed.
> Looks like something is wrong with my certificate but how can I check it
> when certutil is crashing?

Maybe something is wrong with your PKCS#11 module, or maybe something is
wrong with certutil. What does the stack backtrace from the crash show you?

--
/Nelson Bolyard
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 23. 10. 2010 22:18, Nelson B Bolyard wrote:
> On 2010-10-21 13:31 PDT, Matej Kurpel wrote:
>> This looks like Thunderbird cannot find the user certificate in its
>> database. Well, it shouldn't anyway, since it resides on the token
>> provided by a PKCS#11 module I am developing.
>
> Right. It's not necessary for the cert to be in the database. It's only
> necessary that NSS can find it in one of the attached tokens.
>
>> However, in its properties it says it couldn't verify the certificate
>> for unknown reasons. And the CA certificate is added into the
>> authorities correctly. Any more ideas, please?
>
> For purposes of your command line testing, you should add your PKCS#11
> module to the secmod.db configuration file, using the modutil program.
> Thereafter, you should be able to get the command line utilities to see
> and attempt to verify the certificate in your token. I'd tell you how to
> do that, but you seem to be doing VERY VERY well at figuring it out on
> your own! Here are some hints:
>
> certutil -d . -L -h all
> certutil -d . -L -n "my token name:my cert name"

I did what you said but didn't really get anywhere... First I did this:

certutil -d . -L -h all

It showed all certificates in this way:

Mekova CA - CA organizacia                          CT,C,C
Google Internet Authority                           ,,
DigiCert High Assurance CA-3                        ,,
VeriSign Class 3 Extended Validation SSL CA         ,,
HTC Touch HD T8282:Matej Kurpel                     u,u,u
Builtin Object Token:Verisign/RSA Secure Server CA  CG,C,p
Builtin Object Token:GTE CyberTrust Root CA         CG,C,C
(more Builtin Object Token lines following)

You can clearly see both my CA and user certificates. Certutil has used my
PKCS#11 module to obtain my user certificate. Then I launched the second
command you were suggesting:

certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"

Now it popped up a message that certutil.exe has stopped working.
From my PKCS11-spy logs it's apparent that it searched for the certificate,
found it, got some of its attributes, and then searched for a private key
belonging to this certificate (and found it): FindObjectsInit - FindObjects
- FindObjectsFinal. That's all it did and then crashed. Looks like something
is wrong with my certificate but how can I check it when certutil is
crashing? :( Windows didn't have any problems with the certificate... Also
in an ASN.1 Editor I have downloaded off the web, the certificate loads up
fine. Can you suggest anything more to try, please?

pkcs11-spy log begin -

9: C_OpenSession
[in] slotID = 0x0
[in] flags = 0x4
pApplication=0219E338
Notify=004564D0
[out] *phSession = 0x1
Returned: 0 CKR_OK

10: C_GetMechanismList
[in] slotID = 0x0
[out] pMechanismList[1]: Count is 1
Returned: 0 CKR_OK

11: C_GetMechanismList
[in] slotID = 0x0
[out] pMechanismList[1]: CKM_RSA_PKCS
Returned: 0 CKR_OK

12: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
Returned: 19 CKR_ATTRIBUTE_VALUE_INVALID

13: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
CKA_TOKEN True
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK

14: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0xa
[out] ulObjectCount = 0x1
Object 1 Matches
Returned: 0 CKR_OK

15: C_FindObjectsFinal
[in] hSession = 0x1
Returned: 0 CKR_OK

16: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
[out] pTemplate[2]:
CKA_TOKEN has size 1
CKA_LABEL has size 12
Returned: 0 CKR_OK

17: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 1 buffer
CKA_LABEL requested with 12 buffer
[out] pTemplate[2]:
CKA_TOKEN True
CKA_LABEL [size : 0xC (12)]
4D617465 6A204B75 7270656C    M a t e j . K u r p e l
Returned: 0 CKR_OK

18: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[10]:
CKA_CLASS requested with 0 buffer
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
CKA_CERTIFICATE_TYPE requested with 0 buffer
CKA_ID requested with 0 buffer
CKA_VALUE requested with 0 buffer
CKA_ISSUER requested with 0 buffer
CKA_SERIAL_NUMBER requested with 0 buffer
CKA_SUBJECT requested with 0 buffer
CKA_NETSCAPE_EMAIL(Netsc) requested with 0 buffer
[out] pTemplate[10]:
CKA_CLASS has size 4
CKA_TOKEN has size 1
CKA_LABEL has size 12
CKA_CERTIFICATE_TYPE has size 4
CKA_ID has size 4
CKA_VAL
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 2010-10-21 13:31 PDT, Matej Kurpel wrote:
> This looks like Thunderbird cannot find the user certificate in its
> database. Well, it shouldn't anyway, since it resides on the token
> provided by a PKCS#11 module I am developing.

Right. It's not necessary for the cert to be in the database. It's only
necessary that NSS can find it in one of the attached tokens.

> However, in its properties it says it couldn't verify the certificate
> for unknown reasons. And the CA certificate is added into the
> authorities correctly. Any more ideas, please?

For purposes of your command line testing, you should add your PKCS#11
module to the secmod.db configuration file, using the modutil program.
Thereafter, you should be able to get the command line utilities to see
and attempt to verify the certificate in your token. I'd tell you how to
do that, but you seem to be doing VERY VERY well at figuring it out on
your own! Here are some hints:

certutil -d . -L -h all
certutil -d . -L -n "my token name:my cert name"

--
/Nelson Bolyard
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 20. 10. 2010 21:01, Nelson B Bolyard wrote:
> On 2010-10-20 09:54 PDT, Matej Kurpel wrote:
>> Hello,
>> I have set up my own CA and issued one certificate signed by this CA.
>> However, I cannot use this certificate to send signed e-mail from
>> Thunderbird. It says "Could not verify this certificate for unknown
>> reasons".
>
> PSM's infamous "for an unknown reason" error message, the bane of my
> existence for about a decade now. See
> https://bugzilla.mozilla.org/show_bug.cgi?id=desired
>
> When any NSS function fails, NSS always provides a reason code. But years
> ago, the manager of the group responsible for implementing the GUI for
> Mozilla's crypto security decided that error details were unimportant,
> and so, to save schedule time, he allowed his employee to do a very
> incomplete job of producing error message strings for the various error
> codes, and simply present a default string in all other cases that says
> "for an unknown reason". We've been plagued with that ever since. In all
> the years since then, it has never been important to Mozilla UI folks to
> fix this.
>
> It seems to be an entrance requirement to get into GUI design school.
> They ask you "is security UI design important?", and if you say "yes",
> or even hesitate to say "NO!", you're out. ("HELL NO!" is the preferred
> answer.)
>
> So, here's what you do. Use one of NSS's command line tools to verify
> your certificate chain for the email certificate usage, and see what it
> says.

Thank you, Nelson. I have downloaded the NSS utils and used the certutil.
I have copied *.db files from Thunderbird's profile folder to the same
folder in which certutil and other utils reside. And I have put both my CA
certificate (ca_cert.der with subject address mekova...@spam.la) and the
user certificate (cert.der with subject address mkur...@gmail.com) in the
same folder. Then I made this to validate my user certificate:

certutil -V -n mkur...@gmail.com -u -SR -e -l -d .

It said:

certutil: could not find certificate named "mkur...@gmail.com": security library : bad database.

So, apparently the user certificate wasn't in the database. I then tried to
verify the CA certificate:

certutil -V -n mekova...@spam.la -u -SR -e -l -d .
certutil: certificate is valid

Then I added the user certificate into the database and tried to verify it
again:

certutil -A -n mkur...@gmail.com -t Pug -d . -i cert.der
certutil -V -n mkur...@gmail.com -u -SR -e -l -d .
certutil: certificate is valid

This looks like Thunderbird cannot find the user certificate in its
database. Well, it shouldn't anyway, since it resides on the token
provided by a PKCS#11 module I am developing. However, in its properties
it says it couldn't verify the certificate for unknown reasons. And the
CA certificate is added into the authorities correctly. Any more ideas,
please?

M. Kurpel
Re: Thunderbird: "Could not verify this certificate for unknown reasons"
On 2010-10-20 09:54 PDT, Matej Kurpel wrote:
> Hello,
> I have set up my own CA and issued one certificate signed by this CA.
> However, I cannot use this certificate to send signed e-mail from
> Thunderbird. It says "Could not verify this certificate for unknown
> reasons".

PSM's infamous "for an unknown reason" error message, the bane of my
existence for about a decade now. See
https://bugzilla.mozilla.org/show_bug.cgi?id=desired

When any NSS function fails, NSS always provides a reason code. But years
ago, the manager of the group responsible for implementing the GUI for
Mozilla's crypto security decided that error details were unimportant, and
so, to save schedule time, he allowed his employee to do a very incomplete
job of producing error message strings for the various error codes, and
simply present a default string in all other cases that says "for an
unknown reason". We've been plagued with that ever since. In all the years
since then, it has never been important to Mozilla UI folks to fix this.

It seems to be an entrance requirement to get into GUI design school. They
ask you "is security UI design important?", and if you say "yes", or even
hesitate to say "NO!", you're out. ("HELL NO!" is the preferred answer.)

So, here's what you do. Use one of NSS's command line tools to verify your
certificate chain for the email certificate usage, and see what it says.
Thunderbird: "Could not verify this certificate for unknown reasons"
Hello,
I have set up my own CA and issued one certificate signed by this CA.
However, I cannot use this certificate to send signed e-mail from
Thunderbird. It says "Could not verify this certificate for unknown
reasons". I don't understand; I have added the root CA certificate into
the Authorities tab in Certificate Manager and it says the CA certificate
is OK (and I have checked all three checkboxes of trust when adding it).

Now, Windows itself doesn't have a problem with this; it was sufficient to
just add the root CA certificate into the Trusted CA certificate store, and
then it recognized and validated the second certificate without any trouble.

Can someone point me in the right direction on what Thunderbird does not
like? Thanks in advance.

M. Kurpel