[MacPorts] #42718: certsync fails to verify macports.org certificate

MacPorts noreply at macports.org
Wed Mar 5 06:36:07 PST 2014


#42718: certsync fails to verify macports.org certificate
---------------------------+-----------------------
  Reporter:  ryandesign@…  |      Owner:  landonf@…
      Type:  defect        |     Status:  assigned
  Priority:  High          |  Milestone:
 Component:  ports         |    Version:  2.2.1
Resolution:                |   Keywords:
      Port:  certsync      |
---------------------------+-----------------------

Comment (by raimue@…):

 The valid "GlobalSign Root CA" is actually a re-signed certificate with a
 longer lifetime using the same modulus/exponent from the older one that
 expired end of January 2014. They both have the '''identical''' public
 key.

 After some more analysis, the curl-ca-bundle only contains the "GlobalSign
 Root CA" certificate that is valid throughout 2028, while certsync
 includes them both in the same bundle. It seems like OpenSSL cannot
 handle the same certificate twice in a bundle.

 ''Side note: I will attach a small perl helper script which I used to
 split the certificate bundle into the original certificates, so they can
 be examined using `openssl x509 -text -noout -in <file>.pem`.''

 With experiments I got it to work when switching the order of the
 certificates, but it's not working again when adding another one. I guess
 it's up to some hash algorithm which one gets used, so a different order
 is not a reliable fix. It seems like the only fix would be to leave out
 that expired certificate...

 I see two solutions:

 ==== Don't export any expired certificate

 Which means using this CA in a chain would be reported as "untrusted"
 instead of "expired". That solves this immediate problem because the older
 "GlobalSign Root CA" certificate is expired now. It might not work in
 other cases.

 This is relatively easy to accomplish as we only need to check the expiry
 date against the current date.

 ==== Only export one valid/non-expired certificate per public key

 This means certsync needs a special case to check for duplicates and
 decide on the one with the later expiry date.

 Needs a hash/dictionary with the key being the public key of the cert and
 some more checking.

-- 
Ticket URL: <https://trac.macports.org/ticket/42718#comment:4>
MacPorts <http://www.macports.org/>
Ports system for OS X
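The two proposed fixes, as an added example that is not part of the ticket or of certsync: a bundle splitter doing the job of the perl helper mentioned above, an expiry filter (solution 1), and a one-certificate-per-public-key dedupe keyed on the SubjectPublicKeyInfo hash (solution 2). It uses the Python `cryptography` package (an assumption; certsync itself is not Python) and builds its own sample bundle: two self-signed roots that share one RSA key, one expired in January 2014 and one re-signed to 2028, plus an unrelated root. The reference date is the ticket's own comment date.

```python
import datetime
import hashlib
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
# Constructed reference "now": the date of the ticket comment, fixed so results are reproducible.
REFERENCE_TIME = datetime.datetime(2014, 3, 5, tzinfo=UTC)

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text):
    """Split a PEM bundle into its individual certificate blocks."""
    return PEM_CERT_RE.findall(text)


def _load(pem):
    return x509.load_pem_x509_certificate(pem.encode() + b"\n")


def _validity(cert):
    # cryptography >= 42 exposes tz-aware accessors; older releases only have the naive ones.
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=UTC)
        na = cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def spki_fingerprint(pem):
    """SHA-256 of the DER SubjectPublicKeyInfo: identical for the old and the
    re-signed root because they carry the same modulus and exponent."""
    spki = _load(pem).public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(spki).hexdigest()


def filter_expired(pems, now):
    """Solution 1: drop every certificate that is not valid at 'now'."""
    kept = []
    for pem in pems:
        nb, na = _validity(_load(pem))
        if nb <= now <= na:
            kept.append(pem)
    return kept


def dedupe_by_public_key(pems, now=None):
    """Solution 2: keep one certificate per public key, the one with the latest
    notAfter. If 'now' is given, expired certificates are dropped first."""
    candidates = filter_expired(pems, now) if now is not None else pems
    best = {}  # SPKI fingerprint -> (notAfter, pem)
    for pem in candidates:
        _, na = _validity(_load(pem))
        fp = spki_fingerprint(pem)
        if fp not in best or na > best[fp][0]:
            best[fp] = (na, pem)
    survivors = {pem for _, pem in best.values()}
    # Preserve the original bundle order among the survivors.
    return [pem for pem in candidates if pem in survivors]


def _self_signed(key, common_name, not_before, not_after):
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM).decode()


def make_sample_bundle():
    """Constructed sample bundle: an expired root and its re-signed successor
    sharing one RSA key, followed by an unrelated root with its own key."""
    shared_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old = _self_signed(shared_key, "Sample Root CA (old)",
                       datetime.datetime(1998, 9, 1, tzinfo=UTC),
                       datetime.datetime(2014, 1, 28, tzinfo=UTC))
    new = _self_signed(shared_key, "Sample Root CA (re-signed)",
                       datetime.datetime(1998, 9, 1, tzinfo=UTC),
                       datetime.datetime(2028, 1, 28, tzinfo=UTC))
    other = _self_signed(other_key, "Unrelated Root CA",
                         datetime.datetime(2010, 1, 1, tzinfo=UTC),
                         datetime.datetime(2030, 1, 1, tzinfo=UTC))
    return old + new + other


if __name__ == "__main__":
    pems = split_pem_bundle(make_sample_bundle())
    print(len(pems), "certs;", len(filter_expired(pems, REFERENCE_TIME)), "valid at", REFERENCE_TIME.date(),
          ";", len(dedupe_by_public_key(pems)), "after one-per-public-key dedupe")
```

Keying on the SPKI hash rather than on subject name or serial is what makes the second approach catch exactly the case in the ticket: the two GlobalSign roots differ in serial and lifetime but not in public key, so the expiry filter and the dedupe both reduce the pair to the single 2028 certificate, and the dedupe keeps working even when a later bundle adds more unrelated roots.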