[gnutls-devel] GnuTLS | System key usability issue (#1365)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed May 18 17:17:39 CEST 2022
juxeii commented:


@dwmw2 I am really sorry! Something went wrong in the other thread. Your provided patched DLL http://david.woodhou.se/libgnutls-30.dll 7fd09cf4eb3c44b7960197f9d0fdf7de4a6620363d49dfdf1208c18c54cf592e **does work**.

I can now see all certificates for `CERT_SYSTEM_STORE_LOCAL_MACHINE`.

And so I tried to connect (GNUTLS_DEBUG_LEVEL=6):

`C:\data\OpenConnect>openconnect --protocol=anyconnect --verbose --timestamp -c system:win:id=468652b4198f2d11b68c6414a20f9e74e09adedf;type=cert -k system:win:id=468652b4198f2d11b68c6414a20f9e74e09adedf;type=privkey --passwd-on-stdin myserver.com`

The log is:
```
gnutls[1]: There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
gnutls[3]: ASSERT: ../../../lib/x509/verify-high.c[gnutls_x509_trust_list_add_cas]:396
gnutls[1]: There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
gnutls[3]: ASSERT: ../../../lib/x509/verify-high.c[gnutls_x509_trust_list_add_cas]:396
gnutls[1]: There was a non-CA certificate in the trusted list: CN=WSUS Publishers Self-signed.
gnutls[3]: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3936
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3986
gnutls[3]: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3936
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3986
gnutls[3]: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1560
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3936
gnutls[3]: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3986
gnutls[3]: ASSERT: ../../../lib/x509/verify-high.c[gnutls_x509_trust_list_add_cas]:396
gnutls[1]: There was a non-CA certificate in the trusted list: CN=Root Agency.
[2022-05-18 16:09:19] Using system certificate system:win:id=468652b4198f2d11b68c6414a20f9e74e09adedf;type=cert
[2022-05-18 16:09:19] Using system key system:win:id=468652b4198f2d11b68c6414a20f9e74e09adedf;type=privkey
gnutls[3]: ASSERT: ../../lib/system/keys-win.c[privkey_import_ncrypt]:713
gnutls[3]: ASSERT: ../../lib/system/keys-win.c[_gnutls_privkey_import_system_url]:866
[2022-05-18 16:09:19] Error importing system key system:win:id=468652b4198f2d11b68c6414a20f9e74e09adedf;type=privkey: The requested data were not available.
[2022-05-18 16:09:19] Loading certificate failed. Aborting.
```

I guess it should now work, since you patched the DLL that is used by openconnect?!

I tried different argument permutations, with and without `-k`, always the same failure. Does it make any difference whether the private key is exportable or not?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1365#note_951469861
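The report above uses a `system:win:id=<thumbprint>;type=privkey` URL and fails in `privkey_import_ncrypt` with "The requested data were not available". The first thing to establish on the Windows side is whether the certificate with that thumbprint actually has a private key reachable by the calling user, and whether that key lives in a CNG key storage provider (which NCrypt can open) or a legacy CAPI CSP, and whether it is exportable. The PowerShell snippet below is an added example, not code from the issue or from the GnuTLS or OpenConnect projects; it uses only the .NET `X509Certificate2` / `RSACertificateExtensions` / `CngKey` / `CspKeyContainerInfo` APIs, and `$thumbprint` is a placeholder to be replaced with the `id=` value from the `system:win:` URL.

```powershell
# Added example (not from the issue, GnuTLS or OpenConnect): for one thumbprint,
# report in which store the certificate lives, whether Windows exposes a private
# key for it, which provider holds that key, and its export policy.
# $thumbprint is a placeholder; substitute the id= value from the system:win URL.
$thumbprint = '0000000000000000000000000000000000000000'

# Run this once unelevated (as the user running openconnect) and once elevated:
# LocalMachine private keys are ACL-protected, and a denied ACL shows up here as
# a CryptographicException rather than as HasPrivateKey = $false.
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

foreach ($store in $stores) {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) { continue }

    "$store : $($cert.Subject)"
    "  HasPrivateKey : $($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) { continue }

    try {
        # Returns RSACng for keys in a CNG KSP and RSACryptoServiceProvider for
        # keys in a legacy CAPI CSP; $null if the key is not RSA (e.g. ECDSA).
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $key) {
            "  Key type      : not RSA (try ECDsaCertificateExtensions::GetECDsaPrivateKey)"
        } elseif ($key -is [System.Security.Cryptography.RSACng]) {
            "  Provider      : CNG KSP '$($key.Key.Provider.Provider)'"
            "  KeyName       : $($key.Key.KeyName)"
            "  ExportPolicy  : $($key.Key.ExportPolicy)"   # None means non-exportable
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $key.CspKeyContainerInfo
            "  Provider      : CAPI CSP '$($info.ProviderName)' (type $($info.ProviderType))"
            "  Container     : $($info.KeyContainerName)"
            "  Exportable    : $($info.Exportable)"
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Typical when the key exists but the current user has no read ACL on it.
        "  Private key open failed: $($_.Exception.Message)"
    }
}
```

If the key is reported under a CAPI CSP rather than a CNG KSP, or opening it fails with an access error, that is worth stating in the issue alongside the GnuTLS debug log, since it narrows down which path inside `privkey_import_ncrypt` is being hit.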

