Closed Bug 1111197 Opened 10 years ago Closed 10 years ago

sec_error_bad_der on www.digid.nl

Categories

(Core :: Security: PSM, defect)

37 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1108408

People

(Reporter: djc, Unassigned)

Details

I'm not sure if this is a duplicate of bug 1088140 (but I don't think they use RSA-PSS) or bug 1101214, so feel free to close as duplicate if appropriate. This is the single sign-on provider for organizations related to the Dutch government, so this potentially affects a large user population.

djc@djc-mbp ~ $ openssl x509 -text -in digid.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:09:93:57:1c:65:26:53:2f:e9:43:cc:35:ff:1c:6e:88:ac:2f:c5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, O=QuoVadis Trustlink BV, OU=Issuing Certification Authority, CN=QuoVadis CSP - PKI Overheid CA - G2
        Validity
            Not Before: Jul 10 14:59:01 2012 GMT
            Not After : Jul 10 14:59:01 2015 GMT
        Subject: serialNumber=00000004003214345001, C=NL, ST=Zuid-Holland, L='s-Gravenhage, O=Logius, OU=DigiD, CN=www.digid.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 2.16.528.1.1003.1.2.5.6
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the relevant QuoVadis Certification Practice Statement and other documents in the QuoVadis repository (http://www.quovadisglobal.com).
                  CPS: http://www.quovadisglobal.com/repository
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:www.digid.nl
            Authority Information Access:
                OCSP - URI:http://ocsp.quovadisglobal.com
                CA Issuers - URI:http://trust.quovadisglobal.com/qvocag2.crt
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:69:CB:7F:50:76:00:86:53:95:79:12:C1:58:76:1F:13:EF:F2:4D:A3
            X509v3 CRL Distribution Points:
                URI:http://crl.quovadisglobal.com/qvocag2.crl
            X509v3 Subject Key Identifier:
                32:D0:1B:FC:62:71:E4:5B:84:29:3E:98:B5:FA:83:AA:98:AF:EF:43
    Signature Algorithm: sha256WithRSAEncryption
I forgot to mention, it seems to work fine in Safari on Yosemite.
Duplicate of bug 1108408 - the certificate includes a subjectAltName entry of type otherName (with the Microsoft UPN value '2.16.528.1.1003.1.3.5.2.1-00000004003214345001')
Status: NEW → RESOLVED
Closed: 10 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
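
Added example (not part of the bug report and not Firefox or NSS code): a small Python walker over a DER-encoded subjectAltName value that lists every GeneralName and surfaces otherName entries such as the UPN identified in the duplicate comment above. The function names are hypothetical, and the sample bytes are constructed from the SAN values shown in this report.

```python
GENERAL_NAMES = ["otherName", "rfc822Name", "dNSName", "x400Address", "directoryName",
                 "ediPartyName", "uniformResourceIdentifier", "iPAddress", "registeredID"]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                        # base-128 digits, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)            # the first two arcs share one encoded value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def san_entries(san_der):
    """Return (type, otherName type-id or None, value) for each GeneralName."""
    tag, seq, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a GeneralNames SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        if (tag & 0xC0) != 0x80 or (tag & 0x1F) > 8:
            raise ValueError("unexpected GeneralName tag 0x%02x" % tag)
        kind = GENERAL_NAMES[tag & 0x1F]
        if kind == "otherName":              # type-id OID, then [0] EXPLICIT value
            _, oid, nxt = read_tlv(value, 0)
            _, inner, _ = read_tlv(read_tlv(value, nxt)[1], 0)   # unwrap the [0] tag
            entries.append((kind, decode_oid(oid), inner.decode("utf-8", "replace")))
        else:                                # IA5String names as text, everything else as hex
            is_text = kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier")
            entries.append((kind, None, value.decode("ascii", "replace") if is_text else value.hex()))
    return entries

def tlv(tag, body):                          # hypothetical sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

UPN = tlv(0xA0, tlv(0x06, bytes.fromhex("2b060104018237140203"))  # 1.3.6.1.4.1.311.20.2.3
          + tlv(0xA0, tlv(0x0C, b"2.16.528.1.1003.1.3.5.2.1-00000004003214345001")))
SAMPLE_SAN = tlv(0x30, UPN + tlv(0x82, b"www.digid.nl"))  # constructed from values in this report
```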