Re: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- Subject: Re: [Fed-Talk] PKI Certificates - Unknown Critical Extensions causing problems...
- From: "C. A. Norton" <email@hidden>
- Date: Sun, 04 Apr 2010 07:16:37 -0400
Mark,
Thanks for doing the legwork to figure out the culprit... about the only thing I've had time to do is figure out a work-around (which I use so frequently I've bound it to a keystroke!!):
#!/bin/sh
# Remove the offending CA certificates (selected by SHA-1 fingerprint via -Z)
# from the Entourage intermediate keychain and from the login keychain.
HASHES="EEA68FC8701E41E6429A341AE4162BBDA634F7F4
3BAE7B920EE6616755BE4FA287777EEF2F6B33F6
DC92F91BAB283472023B32178504E19BF7D9A94C
0A0E46657F4148DF2D1C6778EA9308A8CA41989F"

echo Delete Certs from MS Intermediate Keychain
for hash in $HASHES; do
    security delete-certificate -Z "$hash" ~/Library/Keychains/Microsoft_Intermediate_Certificates
done

echo Delete Certs from Login Keychain
for hash in $HASHES; do
    security delete-certificate -Z "$hash" ~/Library/Keychains/login.keychain
done

echo Done!
It seems if you just delete the offending FBCA, Interoperability CA and DoD Root CA (w/ the 2011 date, not the 2029 date) you can get going again. While this certainly isn't a solution (it's really barely a work-around), I think we may have already submitted a bug report (or at least Tim & I were discussing it).
ca
On Apr 3, 2010, at 2:52 PM, Ron Broersma wrote:
> Mark,
>
> This is causing serious problems for us as well. But in our case we notice it mostly with Mail.app. The problem still exists in 10.6.3.
>
> Digital signatures show up as invalid, and the cert chain gets really confused. For example, if you "show details" when a signature can't be verified, you can get really messed up chains...
>
> <PastedGraphic-2.png>
>
> Reading the same email in Thunderbird shows that the original message has a valid cert chain up to the correct "DoD Root CA 2" via "DOD EMAIL CA-20".
>
> Have you filed a bug report yet?
>
> --Ron
>
> On Apr 2, 2010, at 5:36 PM, Mark Radleigh (CTR) wrote:
>
>> Greetings all,
>>
>> I'm running Leopard (10.5.8) with the latest patches, and lately Entourage
>> would all of the sudden start having trust issues with PKI certificates for
>> *existing*, known good certificates. Following some previous advice,
>> quitting Entourage, deleting the 'Microsoft_Intermediate_Certificates'
>> keychain, and then restarting Entourage would fix the issue for a bit, but then
>> it would pop back up!
>>
>> Well, after a while (and getting sufficiently annoyed), I noticed that this
>> issue would happen right after I read a digitally signed or encrypted email
>> from a particular group of (DoD related) people (and that group is growing).
>> So I did some digging around and found that these people would have
>> legitimate DoD issued certificates, but the 'issuing certificate path' was
>> different from normal. Specifically, the 'problem' certs have been issued
>> by a 'newer' 'DoD Root CA 2', which has the following 'issuing' path:
>>
>> 1) FBCA (Serial #: 18:cc:d6:6b:00:01:00:00:00:6f)
>> -> Issuer => CN=Common Policy,OU=Entrust,OU=FBCA,O=U.S. Government,C=US
>> 2) DoD Interoperability Root CA 1 (Serial #: 0x451de523 or 1159587107)
>> -> Issuer => OU=Entrust,OU=FBCA,O=U.S. Government,C=US
>> 3) DoD Root CA 2 (Serial #: 0xc or 12)
>> -> Issuer => CN=DoD Interoperability Root CA 1,OU=PKI,OU=DoD,O=U.S. Government,C=US
>>
>> I noticed that these Certificate Authorities would be added in the
>> 'Microsoft_Intermediate_Certificates' keychain immediately upon processing
>> an email from a 'problem' user and the 'Keychain Access' Utility program
>> would give the following errors for the 'DoD Interoperability Root CA 1' and
>> 'DoD Root CA 2' certificates:
>>
>> * This certificate cannot be used (unrecognized critical extension)
>>
>> I suspect this has to do with the outdated OpenSSL binaries installed
>> with Leopard, as one can see it chokes when trying to process the extensions
>> in question for the 'problem' certificates (via 'openssl x509 -text
>> -noout'):
>>
>> ----- <BEGIN SNIPPET> ------
>> 2.5.29.33:
>> 020..
>> `.H.e.......`.H.e....0..
>> `.H.e.......`.H.e....
>> X509v3 Certificate Policies:
>> Policy: 2.16.840.1.101.3.2.1.3.3
>> Policy: 2.16.840.1.101.3.2.1.3.12
>>
>> X509v3 Name Constraints: critical
>> 0=.;09.7051.0...U....US1.0...U.
>> ..U.S. Government1.0
>> ..U....DoD
>> ----- <END SNIPPET> --------
>>
>> It seems that the problem with this 'DoD Root CA 2' affects *everything*
>> that was issued by a 'DoD Root CA 2' CA (normal *or* new) from that point
>> on! Also, it looks like the *key* security binaries and/or Frameworks are
>> *STATICALLY* linked to the 'old' OpenSSL libraries so, unless I am missing
>> something, even if you update them, it doesn't get you anything until they
>> are recompiled!
>>
>> It should be worth mentioning that the 'normal' 'DoD Root CA 2' is issued to
>> itself, and adding the problem certificates to the 'System Root' keychain
>> (and trust settings file) just makes everything worse. So, anybody have any
>> ideas? Can Apple maybe update OpenSSL to at least 0.9.8 (or even 1.0.0) and
>> RE-COMPILE any statically linked binaries using OpenSSL? This is starting
>> to be a pain to deal with.
>>
>> Thanks,
>>
>> --
>> Mark Radleigh, Contractor, AFRL/RDSM
>> email@hidden
>>
>>
>> Caution: This message may contain competitive, sensitive or other
>> non-public information not intended for disclosure outside official
>> government channels. Do not disseminate this message without the approval
>> of the undersigned's office. If you received this message in error, please
>> notify the sender by reply e-mail and delete all copies of this message.
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
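To show mechanically what "This certificate cannot be used (unrecognized critical extension)" means, here is an added example (not code from the thread, Apple or OpenSSL): it walks a DER Extensions SEQUENCE and applies the RFC 5280 section 4.2 rule that a validator must reject a certificate carrying any critical extension it does not recognize. The sample extension bytes are constructed here, and LEGACY_RECOGNIZED is an assumed stand-in for a validator that, like the Leopard-era tooling in the thread, knows nothing of policyMappings (2.5.29.33) or nameConstraints.

```python
# Minimal DER walker for X.509 Extensions; constructed sample data, see lead-in.
# Demonstrates the RFC 5280 4.2 rejection rule for unrecognized critical extensions.

def der_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents to dotted form (first octet = 40*a1 + a2)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Yield (oid, critical) for each Extension in an Extensions SEQUENCE."""
    tag, seq, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = der_tlv(seq, pos)            # Extension ::= SEQUENCE
        _, oid_raw, p = der_tlv(ext, 0)            # extnID OBJECT IDENTIFIER
        tag, val, _ = der_tlv(ext, p)              # critical BOOLEAN DEFAULT FALSE
        critical = tag == 0x01 and val != b"\x00"  # absent BOOLEAN => not critical
        yield decode_oid(oid_raw), critical

def unrecognized_critical(der, recognized):
    """Critical extension OIDs not in `recognized`; non-empty means reject the cert."""
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in recognized]

NAMES = {"2.5.29.19": "basicConstraints", "2.5.29.30": "nameConstraints",
         "2.5.29.32": "certificatePolicies", "2.5.29.33": "policyMappings"}
# Constructed Extensions SEQUENCE: basicConstraints (critical), policyMappings
# (critical), nameConstraints (critical), certificatePolicies (non-critical).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3038"
    "300f 0603551d13 0101ff 0405300301 01ff"
    "300c 0603551d21 0101ff 04023000"
    "300c 0603551d1e 0101ff 04023000"
    "3009 0603551d20 04023000")
LEGACY_RECOGNIZED = {"2.5.29.19", "2.5.29.32"}   # assumed: predates 2.5.29.30/.33 support
MODERN_RECOGNIZED = set(NAMES)
```

Running unrecognized_critical(SAMPLE_EXTENSIONS, LEGACY_RECOGNIZED) returns the two OIDs a legacy validator must refuse, which is the same outcome Keychain Access reported for 'DoD Interoperability Root CA 1' and 'DoD Root CA 2'; a validator that recognizes all four extensions returns an empty list.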