openssl ca -spkac output regressed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenSSL | Fix Released | Unknown | |
openssl (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Fix Released | High | Unassigned |
Cosmic | Won't Fix | High | Unassigned |
Disco | Fix Released | High | Unassigned |
Eoan | Fix Released | High | Unassigned |
Bug Description
[Impact]
* openssl command line utility option parsing has regressed in 1.1.0i+ and produces binary output, where text output is expected, breaking applications that parse that.
[Test Case]
Setup CA:
$ apt install openssl
$ mkdir -p demoCA/private demoCA/newcerts
$ touch demoCA/index.txt
$ echo 01 > demoCA/serial
$ openssl req -new -x509 -days 365 -newkey rsa:4096 -keyout demoCA/
# Use password test
# Accept defaults for all other settings
Generate regular request / key:
$ openssl req -new -days 365 -newkey rsa:4096 -keyout demoCA/sslkey.pem -out demoCA/sslcert.pem
# Use password test
# Set common name to: example.com
# Accept defaults for all other settings
Generate spkac request:
$ openssl spkac -key demoCA/sslkey.pem -out demoCA/
$ cat <<EOF >>demoCA/
countryName=AU
stateOrProvince
organizationNam
commonName=
EOF
Sign spkac request:
$ echo test | openssl ca -passin stdin -batch -spkac demoCA/
Expected: pure text output
Unexpected: binary output for the signed cert
Currently produces binary goop.
Should produce PEM format Base64 encoded certificate data in a block surrounded
with BEGIN/END certificate.
[Regression Potential]
* This is a regression in cosmic and up, and an impending regression in bionic with the upcoming 1.1.1 SRU. A bugfix exists upstream.
[Other Info]
* Originally reported https:/
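A check a consumer of this output could run before parsing it, written as an added example (not part of the bug report or of OpenSSL): it classifies a saved file as PEM text, raw DER, or neither. The function name `cert_encoding` and the idea of saving the `openssl ca` output to a file are assumptions, and only the outer framing is inspected; the certificate itself is not validated.

```shell
#!/bin/sh
# Added example: classify a file expected to hold a signed certificate.
# Prints "pem", "der" or "unknown".
cert_encoding() {
    f=$1
    [ -s "$f" ] || { echo unknown; return 0; }
    # PEM: BEGIN/END CERTIFICATE markers with only base64 lines between them.
    # Any human-readable text printed before the block is ignored.
    if grep -q '^-----BEGIN CERTIFICATE-----' "$f" &&
       grep -q '^-----END CERTIFICATE-----' "$f"; then
        body=$(tr -d '\r' < "$f" |
               sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' |
               grep -v '^-----' || true)
        if [ -n "$body" ] && ! printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]*$'; then
            echo pem; return 0
        fi
        echo unknown; return 0
    fi
    # DER: one ASN.1 SEQUENCE (tag 0x30 = 48) whose encoded length spans the file.
    set -- $(od -A n -t u1 -N 6 "$f")
    [ "${1:-0}" -eq 48 ] && [ "$#" -ge 2 ] || { echo unknown; return 0; }
    if [ "$2" -lt 128 ]; then
        hdr=2; len=$2                      # short form: length in one byte
    else
        n=$(($2 - 128)); hdr=$((2 + n)); len=0   # long form: n length bytes follow
        [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ "$#" -ge "$hdr" ] || { echo unknown; return 0; }
        shift 2
        while [ "$n" -gt 0 ]; do len=$((len * 256 + $1)); shift; n=$((n - 1)); done
    fi
    size=$(($(wc -c < "$f")))
    if [ "$((hdr + len))" -eq "$size" ]; then echo der; else echo unknown; fi
}

# Usage: sh cert_encoding.sh FILE   (FILE is wherever the ca output was saved)
if [ "$#" -gt 0 ]; then cert_encoding "$1"; fi
```

On an affected build the saved output classifies as `der`; with the fix it classifies as `pem`.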
Changed in openssl:
status: Unknown → Fix Released
tags: added: regression-release
Changed in openssl (Ubuntu Bionic):
importance: Undecided → High
Changed in openssl (Ubuntu Cosmic):
importance: Undecided → High
Changed in openssl (Ubuntu Disco):
importance: Undecided → High
Changed in openssl (Ubuntu Eoan):
importance: Undecided → High
Changed in openssl (Ubuntu Eoan):
status: Confirmed → Fix Committed
tags: added: patch
description: updated
Changed in openssl (Ubuntu Cosmic):
status: Fix Committed → Won't Fix
tags: removed: verification-done
Hm, the test case is incomplete, as I appear to not be able to use the stock config, and I need a CA generated too. I should get better details for it.