[Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- Subject: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- From: "Mark Radleigh (CTR)" <email@hidden>
- Date: Fri, 02 Apr 2010 14:36:40 -1000
- Thread-topic: PKI Certificates - Unknown Critical Extensions causing problems...
Greetings all,
I'm running Leopard (10.5.8) with the latest patches, and lately Entourage
would all of a sudden start having trust issues with PKI certificates for
*existing*, known good certificates. Following some previous advice,
quitting Entourage, deleting the 'Microsoft_Intermediate_Certificates'
keychain, and then restarting Entourage would fix the issue for a bit, but then
it would pop back up!
Well, after a while (and getting sufficiently annoyed), I noticed that this
issue would happen right after I read a digitally signed or encrypted email
from a particular group of (DoD related) people (and that group is growing).
So I did some digging around and found that these people would have
legitimate DoD issued certificates, but the 'issuing certificate path' was
different from normal. Specifically, the 'problem' certs have been issued
by a 'newer' 'DoD Root CA 2', which has the following 'issuing' path:
1) FBCA (Serial #: 18:cc:d6:6b:00:01:00:00:00:6f)
-> Issuer => CN=Common Policy,OU=Entrust,OU=FBCA=O=U.S. Government,C=US
2) DoD Interoperability Root CA 1 (Serial #: 0x451de523 or 1159587107)
-> Issuer => OU=Entrust,OU=FBCA=O=U.S. Government,C=US
3) DoD Root CA 2 (Serial #: 0xc or 12)
-> Issuer => OCN= DoD Interoperability Root CA 1,OU=PKI,OU=DoD=O=U.S.
Government,C=US
I noticed that these Certificate Authorities would be added in the
'Microsoft_Intermediate_Certificates' keychain immediately upon processing
an email from a 'problem' user and the 'Keychain Access' Utility program
would give the following errors for the 'DoD Interoperability Root CA 1' and
'DoD Root CA 2' certificates:
* This certificate cannot be used (unrecognized critical extension)
I suspect this has to do with the outdated OpenSSL binaries installed
with Leopard, as one can see it chokes when trying to process the extensions
in question for the 'problem' certificates (via 'openssl x509 -text
-noout'):
----- <BEGIN SNIPPET> ------
2.5.29.33:
020..
`.H.e.......`.H.e....0..
`.H.e.......`.H.e....
X509v3 Certificate Policies:
Policy: 2.16.840.1.101.3.2.1.3.3
Policy: 2.16.840.1.101.3.2.1.3.12
X509v3 Name Constraints: critical
0=.;09.7051.0...U....US1.0...U.
..U.S. Government1.0
..U....DoD
----- <END SNIPPET> --------
It seems that the problem with this 'DoD Root CA 2' affects *everything*
that was issued by a 'DoD Root CA 2' CA (normal *or* new) from that point
on! Also, it looks like the *key* security binaries and/or Frameworks are
*STATICALLY* linked to the 'old' OpenSSL libraries so, unless I am missing
something, even if you update them, it doesn't get you anything until they
are recompiled!
It is worth mentioning that the 'normal' 'DoD Root CA 2' is issued to
itself, and adding the problem certificates to the 'System Root' keychain
(and trust settings file) just makes everything worse. So, anybody have any
ideas? Can Apple maybe update OpenSSL to at least 0.9.8 (or even 1.0.0) and
RE-COMPILE any statically linked binaries using OpenSSL? This is starting
to be a pain to deal with.
Thanks,
--
Mark Radleigh, Contractor, AFRL/RDSM
email@hidden
Caution: This message may contain competitive, sensitive or other
non-public information not intended for disclosure outside official
government channels. Do not disseminate this message without the approval
of the undersigned's office. If you received this message in error, please
notify the sender by reply e-mail and delete all copies of this message.
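The post above describes a validator refusing otherwise valid certificates because one of their critical extensions is one the validator does not understand. The following script is an added illustration, not code from the original post, the Fed-Talk list, Apple or the OpenSSL project: using only the Python standard library it parses the X.509 v3 Extensions SEQUENCE from DER, lists each extension's OID and critical flag, and applies the RFC 5280 section 4.2 rule that any critical extension the validator does not recognise makes the certificate unusable, which is exactly the "unrecognized critical extension" outcome Keychain Access reports. The sample extensions blob is constructed inline (a name constraints extension marked critical, a certificate policies extension carrying the two policy OIDs quoted in the post, and a policy mappings extension 2.5.29.33 marked critical); the two "supported OID" sets are illustrative assumptions and do not describe the capabilities of any specific OpenSSL release.

```python
"""Walk the X.509 v3 Extensions SEQUENCE of a DER certificate and report which
critical extensions a given validator does not recognise (RFC 5280, 4.2).
Pure standard library; the sample extensions blob below is constructed inline."""

# --- minimal DER helpers ----------------------------------------------------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _der_tlv(tag, value):
    """Encode one DER TLV with short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER value bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """DER OBJECT IDENTIFIER value bytes -> dotted OID string."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# --- extensions parsing and the RFC 5280 rule ------------------------------

def parse_extensions(exts_der):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value) tuples."""
    tag, body, _ = _read_tlv(exts_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_raw, p = _read_tlv(ext, 0)
        tag, val, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional BOOLEAN critical, DEFAULT FALSE
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        result.append((decode_oid(oid_raw), critical, val))
    return result

def unrecognized_critical(extensions, supported_oids):
    """Critical OIDs this validator does not understand; non-empty means reject."""
    return [oid for oid, critical, _ in extensions
            if critical and oid not in supported_oids]

# Illustrative validator capabilities (assumption, not any specific OpenSSL build):
# the "legacy" parser has no idea what policyMappings (2.5.29.33) is.
MODERN_SUPPORTED = {"2.5.29.14", "2.5.29.15", "2.5.29.19", "2.5.29.30",
                    "2.5.29.32", "2.5.29.33", "2.5.29.35"}
LEGACY_SUPPORTED = MODERN_SUPPORTED - {"2.5.29.33"}

# --- constructed sample -----------------------------------------------------

def _extension(oid, critical, value):
    body = _der_tlv(0x06, encode_oid(oid))
    if critical:
        body += _der_tlv(0x01, b"\xff")
    return _der_tlv(0x30, body + _der_tlv(0x04, value))

def build_sample_extensions():
    """Constructed Extensions blob shaped like the cross-certificate in the post."""
    policy_oids = ("2.16.840.1.101.3.2.1.3.3", "2.16.840.1.101.3.2.1.3.12")
    policies = _der_tlv(0x30, b"".join(
        _der_tlv(0x30, _der_tlv(0x06, encode_oid(p))) for p in policy_oids))
    # identity mappings: placeholder content for 2.5.29.33, constructed for this example
    mappings = _der_tlv(0x30, b"".join(
        _der_tlv(0x30, _der_tlv(0x06, encode_oid(p)) + _der_tlv(0x06, encode_oid(p)))
        for p in policy_oids))
    name_constraints = _der_tlv(0x30, _der_tlv(0xA0, b""))   # empty permittedSubtrees
    return _der_tlv(0x30,
                    _extension("2.5.29.30", True, name_constraints)
                    + _extension("2.5.29.32", False, policies)
                    + _extension("2.5.29.33", True, mappings))

def verdict(exts_der, supported_oids):
    """'accept', or 'reject: ...' naming the critical extensions the validator lacks."""
    bad = unrecognized_critical(parse_extensions(exts_der), supported_oids)
    return "accept" if not bad else "reject: unrecognized critical extension(s) " + ", ".join(bad)

if __name__ == "__main__":
    blob = build_sample_extensions()
    for oid, crit, _ in parse_extensions(blob):
        print(f"{oid:<12} critical={crit}")
    print("legacy validator:", verdict(blob, LEGACY_SUPPORTED))
    print("modern validator:", verdict(blob, MODERN_SUPPORTED))
```

Run against the constructed blob, the legacy validator rejects the certificate solely because of the critical 2.5.29.33 extension while the modern one accepts it; the same blob, the same signatures, the only difference is the verifier's vocabulary. To inspect a real certificate, feed the DER of its Extensions SEQUENCE (the `[3] EXPLICIT` element at the end of TBSCertificate) to `parse_extensions` and compare the critical OIDs against what the client's verifier is known to implement.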