#15666 new defect
VirtualBox 5.1.0 and 5.1.2 fails to import digitally signed appliance (OVA file)
Reported by: | koso | Owned by: | |
---|---|---|---|
Component: | other | Version: | VirtualBox 5.1.2 |
Keywords: | | Cc: | |
Guest type: | Linux | Host type: | Windows |
Description
When attempting to import an appliance from an OVA file, VBoxManage.exe fails with:
C:\Users\...\Downloads>"C:\Program Files\VirtualBox\VBoxManage.exe" import <path to OVA file>
0%...
Progress state: E_FAIL
VBoxManage.exe: error: Appliance read failed
VBoxManage.exe: error: Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed)
VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component ApplianceWrap, interface IAppliance
VBoxManage.exe: error: Context: "enum RTEXITCODE __cdecl handleImportAppliance(struct HandlerArg *)" at line 307 of file VBoxManageAppliance.cpp
Import from GUI ends with error dialog:
Failed to import appliance <path to OVA file>.
Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed).
Result Code: E_FAIL (0x80004005)
Component: ApplianceWrap
Interface: IAppliance {8398f026-4add-4474-5bc3-2f9f2140b23e}
There is no relevant information in logs except:
00:40:08.764715 ApplRead ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={8398f026-4add-4474-5bc3-2f9f2140b23e} aComponent={ApplianceWrap} aText={Certificate path validation failed (VERR_CR_PKIX_SIGNATURE_MISMATCH, EVP_VerifyFinal failed)}, preserve=false aResultDetail=0
I have seen the same behavior on Windows 7 x64 and Windows 10 x64. On another Windows 7, the appliance import finished with an information popup stating that the certificate cannot be verified.
The same OVA file can be successfully imported using VirtualBox 5.0.X and software of other vendors.
Content of "*.mf":
SHA1(ERA_Appliance-disk1.vmdk)= 44f1d187daa9f6ed129381eec155ece99530bfee
and content of "*.cert":
SHA1(ERA_Appliance.mf)=
Change History (8)
comment:2 Changed 8 years ago by
Would you execute the next command: "openssl verify testing.crt", and put the output here?
Here I named "testing.crt" a file that contains the part of your ".cert" file following the line SHA1(ERA_Appliance.mf).
So the file will contain:
comment:3 Changed 8 years ago by
On the Windows platform you can use the Cygwin package, which contains openssl, or you can try the native Windows tool for certificates. I just want to see that the certificate you provided is validated by the CA.
comment:4 Changed 8 years ago by
I have checked, and the certificate is valid and trusted by the system. I also checked it with OpenSSL from Cygwin, but it failed because I do not have the public CA certificate available in the Cygwin environment.
Regarding the appliance file, it is not mine, but it is free to download from http://download.eset.com/download/ra/v6/Appliances/era_appliance.ova (size ~2.5GB). The problematic version 6.4.30.0 is still available to download.
comment:5 Changed 8 years ago by
I have downloaded the package from here: http://download.eset.com/download/ra/v6/Appliances/era_appliance.ova. I ran the import procedure on Windows 7 x64, and the OVA package was imported successfully via the GUI.
Odd, but you couldn't have run the import procedure from the console as it was shown in the first example "C:\Users\...\Downloads>"C:\Program Files\VirtualBox\VBoxManage.exe" import <path to OVA file> 0%..."
There is a license agreement inside the OVA package era_appliance.ova, and the user must agree with this license agreement, but that is not possible from the CLI.
I can't confirm that your example is correct and relevant.
Using the command line utility "VBoxManage import era_appliance.ova", the import failed because there was the license agreement inside the OVA package, as I mentioned. It's normal. The user should agree with this agreement, and that is possible only from the GUI. Again, there wasn't such an error as you described.
comment:6 Changed 8 years ago by
Thanks for testing it - at least I know that ova file is not corrupted and problem is somewhere on my machine.
I have checked VirtualBox sources and there is only one place where error code VERR_CR_PKIX_SIGNATURE_MISMATCH is used - and it seems for some reason, validation fails on cryptographic checks and not in building CA path.
Regarding VBoxManage: I actually never tried it to import ova file and I posted it here only to demonstrate that it also fails -> error shows up even before basic OVA file information/metadata is shown (name, version, vendor).
Any idea what could possibly interfere with signature verification?
comment:7 Changed 8 years ago by
I had the same issue with the latest version of the same. My only thoughts are that I have Cygwin installed, and this came up with the following error:
$ openssl verify ERA_Appliance.cert
ERA_Appliance.cert: C = SK, ST = Slovakia, L = Bratislava, O = "ESET, spol. s r. o.", OU = Digital ID Class 3 - Microsoft Software Validation v2, CN = "ESET, spol. s r.o."
error 20 at 0 depth lookup:unable to get local issuer certificate
My workaround was to extract the OVA using 7Zip and then rename the cert file so that it didn't pay any attention to it on import. However it is concerning that I had to do this.
koso, is it still actual? Would you provide your OVA package for testing? Next, did this error happen only with a certain package or with other packages too? Did you create the OVA package yourself or get it from somewhere? Please, just for memory, put here the contents of the OVF package using tar -tvf <OVF package name> to get the list of files.
Now it's obvious that certificate validation failed somewhere with the error "Certificate path validation failed". The certificate validation\verification has very diverse and complex logic. And to say something based only on a couple of lines of output is impossible.
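As an added example (not from the ticket and not VirtualBox's code), the following Python checks the `SHA1(name)= hex` manifest entries of an OVA against the archived files and splits the `.cert` file into its signature line and certificate. This is the integrity check that remains available when the `.cert` file is set aside as in comment 7. The function names and the in-memory sample archive are constructed for illustration; the code does not verify the RSA signature or the certificate chain.

```python
import base64, hashlib, io, re, tarfile

DIGEST_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def inspect_ova(fileobj):
    """Return (per-file digest status, signature hex, certificate DER) for an OVA."""
    digests, texts = {}, {}
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:  # streamed: disks are large
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member)
            if member.name.endswith((".mf", ".cert")):
                texts[member.name] = data.read().decode("ascii", "replace")
                continue
            hashes = {"SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
            for chunk in iter(lambda: data.read(1 << 20), b""):
                for h in hashes.values():
                    h.update(chunk)
            digests[member.name] = {k: h.hexdigest() for k, h in hashes.items()}
    mf_name = next((n for n in texts if n.endswith(".mf")), None)
    status = {}
    for line in texts.get(mf_name, "").splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            algo, name, want = m.groups()
            got = digests.get(name, {}).get(algo)
            status[name] = "missing" if got is None else ("ok" if got == want.lower() else "mismatch")
    sig_hex = der = None
    cert_text = next((t for n, t in texts.items() if n.endswith(".cert")), "")
    first = DIGEST_LINE.match(cert_text.splitlines()[0]) if cert_text else None
    if first and first.group(2) == mf_name:  # signature must cover the manifest itself
        sig_hex = first.group(3)
    pem = PEM_CERT.search(cert_text)
    if pem:
        der = base64.b64decode("".join(pem.group(1).split()))
    return status, sig_hex, der

def build_sample_ova(disk=b"constructed disk bytes", tamper=False):
    """Constructed in-memory OVA; the signature and certificate body are dummies."""
    mf = f"SHA1(sample-disk1.vmdk)= {hashlib.sha1(disk).hexdigest()}\n".encode()
    cert = b"SHA1(sample.mf)= abcd\n-----BEGIN CERTIFICATE-----\nZHVtbXkgREVS\n-----END CERTIFICATE-----\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in [("sample.mf", mf), ("sample.cert", cert),
                           ("sample-disk1.vmdk", disk + b"!" if tamper else disk)]:
            info = tarfile.TarInfo(name); info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return io.BytesIO(buf.getvalue())
```

A "mismatch" or "missing" status means the disk image does not match the manifest and should not be imported, regardless of how the certificate check turns out.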