Certs generated with TinyCA2 and openssl cause errors in openldap and gnutls

Bug #398366 reported by William King on 2009-07-12
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Low
Unassigned

Bug Description

I have generated certs with TinyCA2 for apache, openvpn, and other systems and it works. But openldap can't handle the certs. I have confirmed that openldap does work with locally generated certs.

I use this to generate the certs(fake):

openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem

That works. But using my certs I get this:

   2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

I even have generated new fake certs that I can upload here for people to take a look at. I can reproduce this error easily.

I am flagging this as a security vulnerability because it deals with problems with certs. The problem is either with openssl, gnutls, or me.

William King (quentusrex) wrote :

Here is the cert, the ca cert, and the key. All of these were generated with tinyca2, and fail to work with openldap. They are fake.

William King (quentusrex) wrote :
William King (quentusrex) wrote :

This info might help. this is what TinyCA uses to create the server cert:

/usr/bin/openssl ca -batch -passin env:SSLPASS -notext -config /home/quentusrex/.TinyCA/testing/openssl.cnf -name server_ca -in "/home/quentusrex/.TinyCA/testing/req/dGVzdDp0ZXN0QHRlc3QuY29tOnRlc3Q6dGVzdDpTZWF0dGxlOldhc2hpbmd0b246VVM=.pem" -days 365 -preserveDN -md sha1

Using configuration from /home/quentusrex/.TinyCA/testing/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Washington'
localityName :PRINTABLE:'Seattle'
organizationName :PRINTABLE:'test'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'test'
emailAddress :IA5STRING:'<email address hidden>'
Certificate is to be certified until Jul 12 08:31:40 2010 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
-----BEGIN CERTIFICATE-----
MIIFwjCCBSugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBrzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxHTAbBgNVBAoT
FFF1ZW50dXMgVGVjaG5vbG9naWVzMRwwGgYDVQQLExNJbmZvcm1hdGlvbiBTeXN0
ZW1zMRAwDgYDVQQDEwdxdWVudHVzMSowKAYJKoZIhvcNAQkBFht3aWxsaWFta2lu
Z0BxdWVudHVzdGVjaC5jb20wHhcNMDkwNzEyMDgzMTQwWhcNMTAwNzEyMDgzMTQw
WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
U2VhdHRsZTENMAsGA1UEChMEdGVzdDENMAsGA1UECxMEdGVzdDENMAsGA1UEAxME
dGVzdDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNvbTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKkqYIUc5LtOak5DLfbKlfZ8d/PQVHvlZVAtyJ6b
ZQwBUgLiMoeDTF/bB2Xsg8mUG4taye9+0Z2BON5eEZPIxS3oATVQLrQn5XJKGYtv
XNYr1E57iFNcbvbLrEfhTwTDUxNQDWlGCHdKTygAM9N63VLGLcvSCWHSbR5jwGOw
ZgedsITYz7GF0vwbE0pJU5ko8Z5fH+G83Bwcn8X2P+Up60l3r1x2tXJiKTl+/muK
hr4mTryM8SR0rcZlrZKQDtAe6YpnyZHEfRDoLY1JMCbkcKZ3G3M1BEk/IWePKdLh
IAXCLSFRpgjtkW4VCKesbiF9eAqAXueeb83EbxEafq5NmskLUeGesq6bwO1bL2Wp
A4BzKVMu9zLc/izIXDFp4uR/9Go8iA0g94V+DPx6DcqHcKlzp7+X/UhA7pHJkYF5
WjZETnJtMjVq8vhU9p+i8RlyNn9PTKiwRHC9/BotKnj2mnSuxBJdNUrMp2HLuD1E
SK6s6HboJShM2SE7hJzC3A18XhWHQvctZE9qfU1U02SaWjemc1ZNLo7x8SnprMkA
Wc6SN33qWS3pgsdODjyzn6OPE0lQq/IvSKF7fJThRY7q21O2CVHe4plaDx2oTkE8
vi9klZXaYU5l4DJ/CSLn9PxJpA7bNvvf5aHmbwgYMoSiLxcJrl5WyXOyg1coLlP9
VzXHAgMBAAGjggGXMIIBkzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAr
BglghkgBhvhCAQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/FztqMO4xXvct+ZmrKZsWw31T2QwgeQGA1UdIwSB3DCB2YAUkgd/OzdG
JLV3lpg3DN+32mXRK1OhgbWkgbIwga8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
YXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMR0wGwYDVQQKExRRdWVudHVzIFRl
Y2hub2xvZ2llczEcMBoGA1UECxMTSW5mb3JtYXRpb24gU3lzdGVtczEQMA4GA1UE
AxMHcXVlbnR1czEqMCgGCSqGSIb3DQEJARYbd2lsbGlhbWtpbmdAcXVlbnR1c3Rl
Y2guY29tggkAwGVoUxJQA3YwJgYDVR0SBB8wHYEbd2lsbGlhbWtpbmdAcXVlbnR1
c3RlY2guY29tMBgGA1UdEQQRMA+BDXRlc3RAdGVzdC5jb20wDQYJKoZIhvcNAQEF
BQADgYEAc+OmIJlrOwfAEbTITZhyngjHMkome/8JwBN207RCJQ5su/QdADgMKCjI
MEroblTngB32rpFeR2WJJ8kBQJWYMJFHShwPv4/aWvpxfj/WaV84yPI62IKnTBOv
qcGXGLr/PX0yvFfgqP5BQb0Rga0HfpXDvSud0PDx8Z9oswvTw4g=
-----END CERTIFICATE-----

William King (quentusrex) wrote :
Download full text (3.9 KiB)

Here are the configs for the file: /home/quentusrex/.TinyCA/testing/openssl.cnf

[ ca ]
default_ca = server_ca

[ policy_client ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_server ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_ca ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
nsComment = "TinyCA Generated Certificate"
subjectAltName = email:copy
keyUsage = critical, keyCertSign, cRLSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ server_ca ]
dir = /home/quentusrex/.TinyCA/testing
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = server_cert
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_server
unique_subject = yes

[ client_ca ]
dir = /home/quentusrex/.TinyCA/testing
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = client_cert
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_client
unique_subject = yes

[ ca_ca ]
dir = /home/quentusrex/.TinyCA/testing
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/c...

Read more...

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
Mathias Gug (mathiaz) wrote :

The relevant error message is:

  main: TLS init def ctx failed: -1

That usually means that slapd wasn't able to read the cert, ca cert or private key. Could you make sure that the openldap user has access to the necessary files as well as making sure they're all in /etc/ldap or /etc/ssl/. If not slapd apparmor profile will refuse access to the files.

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
William King (quentusrex) wrote :

The user had access. The problem is one of the fields generated is bad(in the eyes of gnutls).

Certs generated with gnomint work just fine.

Chuck Short (zulcss) wrote :

Thanks for the response.

Regards
chuck

Changed in openldap (Ubuntu):
status: Incomplete → Confirmed
Franck (alci) wrote :

Seems to be still present in Ubuntu 12.04. At least, I get the same symptoms.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers