sec_error_bad_der on www.digid.nl

RESOLVED DUPLICATE of bug 1108408

Status

()

RESOLVED DUPLICATE of bug 1108408
4 years ago
4 years ago

People

(Reporter: djc, Unassigned)

Tracking

37 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
I'm not sure if this is a duplicate of bug 1088140 (but I don't think they use RSA-PSS) or bug 1101214, so feel free to close as duplicate if appropriate.

This is the single sign-on provider for organizations related to the Dutch government, so this potentially affects a large user population.

djc@djc-mbp ~ $ openssl x509 -text -in digid.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:09:93:57:1c:65:26:53:2f:e9:43:cc:35:ff:1c:6e:88:ac:2f:c5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, O=QuoVadis Trustlink BV, OU=Issuing Certification Authority, CN=QuoVadis CSP - PKI Overheid CA - G2
        Validity
            Not Before: Jul 10 14:59:01 2012 GMT
            Not After : Jul 10 14:59:01 2015 GMT
        Subject: serialNumber=00000004003214345001, C=NL, ST=Zuid-Holland, L='s-Gravenhage, O=Logius, OU=DigiD, CN=www.digid.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ad:ef:d8:c2:5c:3e:fa:ee:5b:31:fe:0d:81:96:
                    b4:dc:8e:23:b8:42:a9:84:d7:1d:09:07:71:aa:af:
                    d8:7e:57:0c:a4:86:34:fa:71:16:58:eb:75:fd:8f:
                    9a:73:91:f7:3c:6e:73:9b:17:08:75:29:f5:5f:2b:
                    e0:e2:d7:64:2f:ce:7e:f1:5b:08:f3:6e:67:20:5d:
                    34:0a:fa:7a:68:1c:0c:50:35:bd:45:e0:da:6e:d6:
                    2e:9e:b2:2a:07:3d:0f:4f:21:c9:da:5d:94:b8:f8:
                    17:dd:2d:4b:1a:18:f3:ae:39:88:cf:5e:86:d8:73:
                    af:e2:e1:3f:d6:ea:46:ad:72:47:b8:cb:30:ed:aa:
                    14:22:93:6c:8d:0f:a4:54:e6:17:f7:35:e7:c5:4c:
                    61:bd:11:51:e0:06:6d:73:94:46:37:31:7d:a1:49:
                    c7:b7:0d:80:a9:95:6a:b2:1b:37:bb:2b:9c:77:14:
                    4c:ca:ab:d4:11:92:d7:9d:f5:f8:ac:81:d6:b2:e3:
                    52:1f:1e:b5:07:87:04:2f:f3:16:3a:09:e5:bb:3b:
                    59:0b:86:d6:56:da:9d:e5:14:f9:ef:05:06:29:b0:
                    a0:f6:9e:21:95:be:32:0e:55:6b:7b:d7:8b:d5:c3:
                    4e:44:b2:02:29:6f:75:05:d5:8f:34:3f:96:a1:bf:
                    b1:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies: 
                Policy: 2.16.528.1.1003.1.2.5.6
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the relevant QuoVadis Certification Practice Statement and other documents in the QuoVadis repository  (http://www.quovadisglobal.com).
                  CPS: http://www.quovadisglobal.com/repository

            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:www.digid.nl
            Authority Information Access: 
                OCSP - URI:http://ocsp.quovadisglobal.com
                CA Issuers - URI:http://trust.quovadisglobal.com/qvocag2.crt

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:69:CB:7F:50:76:00:86:53:95:79:12:C1:58:76:1F:13:EF:F2:4D:A3

            X509v3 CRL Distribution Points: 
                URI:http://crl.quovadisglobal.com/qvocag2.crl

            X509v3 Subject Key Identifier: 
                32:D0:1B:FC:62:71:E4:5B:84:29:3E:98:B5:FA:83:AA:98:AF:EF:43
    Signature Algorithm: sha256WithRSAEncryption
        d8:1a:e0:e8:c2:6f:5d:60:4c:d4:17:5e:6a:af:2f:fc:de:04:
        47:e1:58:90:d1:1b:92:8b:e7:40:60:21:14:19:f1:a5:c0:e4:
        28:75:ae:1c:f5:ce:14:67:a8:87:ef:f9:7a:08:1d:7f:00:b1:
        ad:ef:59:65:31:90:bb:60:27:5f:59:f7:4f:63:7d:31:42:f5:
        c6:c1:73:c4:81:9c:8e:9b:a8:db:5a:70:c7:53:0d:e2:db:3a:
        92:7a:54:2e:76:9a:95:2b:c3:04:6b:80:47:e3:29:ee:05:f4:
        85:64:ac:b1:64:38:1b:5f:dc:c4:9e:5b:1a:4d:63:99:a4:b5:
        f2:7e:63:b5:c3:fa:5b:1e:a3:9a:6e:20:2a:d5:c6:e9:df:88:
        bc:63:71:1e:ef:18:6a:31:c0:77:4a:af:0f:d1:df:a3:2b:9d:
        f1:56:e1:1a:7c:3a:97:78:0a:49:1f:6e:c2:18:6e:aa:54:84:
        1b:a0:c2:f7:b2:aa:18:e0:20:39:83:1c:83:93:fa:21:8f:ce:
        61:97:84:a6:19:51:18:33:0f:bc:70:b1:32:c7:c9:21:65:e5:
        44:cd:93:a1:0e:88:50:92:57:4c:5e:e6:e8:ca:d2:c5:1f:e5:
        2a:b3:7e:44:73:f7:77:ec:ea:9b:f5:a4:dc:5c:67:bc:97:ee:
        03:b1:e3:25:5f:9d:42:de:89:8c:f7:a0:31:c6:25:ac:43:ed:
        df:43:c6:c6:a5:b5:f5:ce:07:de:ad:fb:52:38:73:27:cf:a7:
        a2:1e:51:bf:f3:af:d3:3d:59:c4:b3:8c:7a:8d:fc:1b:9a:cf:
        e5:8c:6a:88:b8:b3:80:85:70:03:4b:8f:cc:87:53:2f:69:e9:
        23:42:6d:76:4e:83:ac:19:67:15:bb:4d:db:c7:f2:46:70:25:
        f4:d2:82:58:88:59:c8:f4:45:a1:4e:7f:8b:2e:c9:f9:31:bc:
        b0:13:47:8a:05:51:ce:89:45:47:c3:dd:7f:0f:86:b5:ec:d9:
        49:17:6c:ef:b7:46:63:a3:1c:23:a6:e0:cd:69:76:cf:42:07:
        ee:a7:6f:6d:70:42:28:ab:a4:1e:a9:40:d7:0e:d5:0f:91:8e:
        59:31:3a:ff:c7:c2:fc:6d:21:1c:b2:28:bf:5b:cd:c7:1e:62:
        e9:5b:e1:f0:01:13:7b:5b:b7:b3:6c:04:73:31:52:e1:ba:6d:
        6d:64:45:b7:f5:38:e8:84:fb:f1:8f:07:79:e9:58:70:d2:b9:
        49:f2:01:af:65:10:47:33:b5:5e:f6:8b:47:48:a7:26:14:fe:
        10:49:37:96:4f:43:37:18:d6:6e:ff:64:ce:a3:e2:9c:ad:14:
        eb:ea:60:55:c9:c1:34:e2
-----BEGIN CERTIFICATE-----
MIIHajCCBVKgAwIBAgIUFAmTVxxlJlMv6UPMNf8cboisL8UwDQYJKoZIhvcNAQEL
BQAwgYUxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVRdW9WYWRpcyBUcnVzdGxpbmsg
QlYxKDAmBgNVBAsMH0lzc3VpbmcgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxLDAq
BgNVBAMMI1F1b1ZhZGlzIENTUCAtIFBLSSBPdmVyaGVpZCBDQSAtIEcyMB4XDTEy
MDcxMDE0NTkwMVoXDTE1MDcxMDE0NTkwMVowgZMxHTAbBgNVBAUTFDAwMDAwMDA0
MDAzMjE0MzQ1MDAxMQswCQYDVQQGEwJOTDEVMBMGA1UECBMMWnVpZC1Ib2xsYW5k
MRYwFAYDVQQHEw0ncy1HcmF2ZW5oYWdlMQ8wDQYDVQQKEwZMb2dpdXMxDjAMBgNV
BAsTBURpZ2lEMRUwEwYDVQQDEwx3d3cuZGlnaWQubmwwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCt79jCXD767lsx/g2BlrTcjiO4QqmE1x0JB3Gqr9h+
VwykhjT6cRZY63X9j5pzkfc8bnObFwh1KfVfK+Di12Qvzn7xWwjzbmcgXTQK+npo
HAxQNb1F4Npu1i6esioHPQ9PIcnaXZS4+BfdLUsaGPOuOYjPXobYc6/i4T/W6kat
cke4yzDtqhQik2yND6RU5hf3NefFTGG9EVHgBm1zlEY3MX2hSce3DYCplWqyGze7
K5x3FEzKq9QRkted9fisgday41IfHrUHhwQv8xY6CeW7O1kLhtZW2p3lFPnvBQYp
sKD2niGVvjIOVWt714vVw05EsgIpb3UF1Y80P5ahv7G9AgMBAAGjggLAMIICvDAM
BgNVHRMBAf8EAjAAMIIBMQYDVR0gBIIBKDCCASQwggEgBgpghBABh2sBAgUGMIIB
EDCB1wYIKwYBBQUHAgIwgcoagcdSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRl
IGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHJlbGV2YW50
IFF1b1ZhZGlzIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IGFuZCBv
dGhlciBkb2N1bWVudHMgaW4gdGhlIFF1b1ZhZGlzIHJlcG9zaXRvcnkgIChodHRw
Oi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbSkuMDQGCCsGAQUFBwIBFihodHRwOi8v
d3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MFcGA1UdEQRQME6gPgYK
KwYBBAGCNxQCA6AwDC4yLjE2LjUyOC4xLjEwMDMuMS4zLjUuMi4xLTAwMDAwMDA0
MDAzMjE0MzQ1MDAxggx3d3cuZGlnaWQubmwwcwYIKwYBBQUHAQEEZzBlMCoGCCsG
AQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20wNwYIKwYBBQUH
MAKGK2h0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5jb20vcXZvY2FnMi5jcnQw
DgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAf
BgNVHSMEGDAWgBRpy39QdgCGU5V5EsFYdh8T7/JNozA6BgNVHR8EMzAxMC+gLaAr
hilodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdm9jYWcyLmNybDAdBgNV
HQ4EFgQUMtAb/GJx5FuEKT6YtfqDqpiv70MwDQYJKoZIhvcNAQELBQADggIBANga
4OjCb11gTNQXXmqvL/zeBEfhWJDRG5KL50BgIRQZ8aXA5Ch1rhz1zhRnqIfv+XoI
HX8Asa3vWWUxkLtgJ19Z909jfTFC9cbBc8SBnI6bqNtacMdTDeLbOpJ6VC52mpUr
wwRrgEfjKe4F9IVkrLFkOBtf3MSeWxpNY5mktfJ+Y7XD+lseo5puICrVxunfiLxj
cR7vGGoxwHdKrw/R36MrnfFW4Rp8Opd4CkkfbsIYbqpUhBugwveyqhjgIDmDHIOT
+iGPzmGXhKYZURgzD7xwsTLHySFl5UTNk6EOiFCSV0xe5ujK0sUf5SqzfkRz93fs
6pv1pNxcZ7yX7gOx4yVfnULeiYz3oDHGJaxD7d9DxsaltfXOB96t+1I4cyfPp6Ie
Ub/zr9M9WcSzjHqN/Buaz+WMaoi4s4CFcANLj8yHUy9p6SNCbXZOg6wZZxW7TdvH
8kZwJfTSgliIWcj0RaFOf4suyfkxvLATR4oFUc6JRUfD3X8PhrXs2UkXbO+3RmOj
HCOm4M1pds9CB+6nb21wQiirpB6pQNcO1Q+RjlkxOv/HwvxtIRyyKL9bzcceYulb
4fABE3tbt7NsBHMxUuG6bW1kRbf1OOiE+/GPB3npWHDSuUnyAa9lEEcztV72i0dI
pyYU/hBJN5ZPQzcY1m7/ZM6j4pytFOvqYFXJwTTi
-----END CERTIFICATE-----
(Reporter)

Comment 1

4 years ago
I forgot to mention, it seems to work fine in Safari on Yosemite.

Comment 2

4 years ago
Duplicate of bug 1108408 - the certificate includes a subjectAltName entry of type otherName (with the Microsoft UPN value '2.16.528.1.1003.1.3.5.2.1-00000004003214345001')
Status: NEW → RESOLVED
Last Resolved: 4 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
Duplicate of bug: 1108408
You need to log in before you can comment on or make changes to this bug.