| 2021-04-27 06:25:00 |
Matthew Ruffell |
bug |
|
|
added bug |
| 2021-04-27 06:25:17 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Focal |
|
| 2021-04-27 06:25:17 |
Matthew Ruffell |
bug task added |
|
openssl (Ubuntu Focal) |
|
| 2021-04-27 06:25:17 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-04-27 06:25:17 |
Matthew Ruffell |
bug task added |
|
openssl (Ubuntu Hirsute) |
|
| 2021-04-27 06:25:17 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-04-27 06:25:17 |
Matthew Ruffell |
bug task added |
|
openssl (Ubuntu Groovy) |
|
| 2021-04-27 06:25:24 |
Matthew Ruffell |
openssl (Ubuntu): status |
New |
Fix Released |
|
| 2021-04-27 06:25:27 |
Matthew Ruffell |
openssl (Ubuntu Hirsute): status |
New |
Fix Released |
|
| 2021-04-27 06:25:31 |
Matthew Ruffell |
openssl (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-04-27 06:25:34 |
Matthew Ruffell |
openssl (Ubuntu Groovy): status |
New |
In Progress |
|
| 2021-04-27 06:25:41 |
Matthew Ruffell |
openssl (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-04-27 06:25:43 |
Matthew Ruffell |
openssl (Ubuntu Groovy): importance |
Undecided |
Medium |
|
| 2021-04-27 06:25:47 |
Matthew Ruffell |
openssl (Ubuntu Focal): assignee |
|
Matthew Ruffell (mruffell) |
|
| 2021-04-27 06:25:50 |
Matthew Ruffell |
openssl (Ubuntu Groovy): assignee |
|
Matthew Ruffell (mruffell) |
|
| 2021-04-27 06:26:09 |
Matthew Ruffell |
tags |
|
focal groovy sts |
|
| 2021-04-27 06:27:44 |
Matthew Ruffell |
description |
[Impact]
In openssl 1.1.1f, the below commit was merged:
commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7
This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA.
Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint.
The error you see when you try verify is:
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
The exact same certificates work fine on Xenial, Bionic and Hirsute.
[1] https://tools.ietf.org/html/rfc5280.html
[Testcase]
We will create our own root CA, intermediate CA and leaf server certificate.
Create necessary directories:
$ mkdir reproducer
$ cd reproducer
$ mkdir CA
Write openssl configuration files to disk for each CA and cert:
$ cat << EOF >> rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
basicConstraints = critical,CA:FALSE,pathlen:0
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
Then generate the necessary RSA keys and form certificates:
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Now, let's try verify the generated certificates:
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
There are test packages available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test
If you install these test packages, and attempt to verify, things work as planned.
[Where problems could occur]
If a regression were to occur, it would occur around x509 certificate parsing and validation. It may cause certificates which had previously passed to fail, or certificates which failed to pass. It could potentially cause all certificates to fail or pass.
Since this is the openssl package and the package is security-critical, this will need a lot of validation, testing, and likely a review by the security team.
One of the commits which fixes the issue adds two testcases to the openssl testsuite, which tests the "CA:FALSE, pathlen:0" certificates with and without -x509_strict, and tests to see if it passes without, and fails with.
[Other info]
I believe these three commits fix the issue:
commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 15:56:12 2020 +0200
Subject: Allow certificates with Basic Constraints CA:false, pathlen:0
Link: https://github.com/openssl/openssl/commit/00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 17:31:21 2020 +0200
Subject: Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
Link: https://github.com/openssl/openssl/commit/29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
commit e78f2a8f269a4dcf820ca994e2b89b77972d79e1
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri Apr 3 10:24:40 2020 +0200
Subject: Add test cases for the non CA certificate with pathlen:0
Link: https://github.com/openssl/openssl/commit/e78f2a8f269a4dcf820ca994e2b89b77972d79e1
These landed in openssl 1.1.1g, and hirsute already has these fixes. |
[Impact]
In openssl 1.1.1f, the below commit was merged:
commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7
This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA.
Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint.
The error you see when you try verify is:
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
The exact same certificates work fine on Xenial, Bionic and Hirsute.
[1] https://tools.ietf.org/html/rfc5280.html
[Testcase]
We will create our own root CA, intermediate CA and leaf server certificate.
Create necessary directories:
$ mkdir reproducer
$ cd reproducer
$ mkdir CA
Write openssl configuration files to disk for each CA and cert:
$ cat << EOF >> rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
basicConstraints = critical,CA:FALSE,pathlen:0
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
Then generate the necessary RSA keys and form certificates:
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Now, let's try verify the generated certificates:
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
There are test packages available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test
If you install these test packages, and attempt to verify, things work as planned.
[Where problems could occur]
If a regression were to occur, it would occur around x509 certificate parsing and validation. It may cause certificates which had previously passed to fail, or certificates which failed to pass. It could potentially cause all certificates to fail or pass.
Since this is the openssl package and the package is security-critical, this will need a lot of validation, testing, and likely a review by the security team.
One of the commits which fixes the issue adds two testcases to the openssl testsuite, which tests the "CA:FALSE, pathlen:0" certificates with and without -x509_strict, and tests to see if it passes without, and fails with.
[Other info]
This was reported in the upstream issue #11456 [2]:
[2] https://github.com/openssl/openssl/issues/11456
I believe these three commits fix the issue:
commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 15:56:12 2020 +0200
Subject: Allow certificates with Basic Constraints CA:false, pathlen:0
Link: https://github.com/openssl/openssl/commit/00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 17:31:21 2020 +0200
Subject: Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
Link: https://github.com/openssl/openssl/commit/29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
commit e78f2a8f269a4dcf820ca994e2b89b77972d79e1
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri Apr 3 10:24:40 2020 +0200
Subject: Add test cases for the non CA certificate with pathlen:0
Link: https://github.com/openssl/openssl/commit/e78f2a8f269a4dcf820ca994e2b89b77972d79e1
These landed in openssl 1.1.1g, and hirsute already has these fixes. |
|
| 2021-04-28 02:23:54 |
Matthew Ruffell |
description |
[Impact]
In openssl 1.1.1f, the below commit was merged:
commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7
This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA.
Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint.
The error you see when you try verify is:
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
The exact same certificates work fine on Xenial, Bionic and Hirsute.
[1] https://tools.ietf.org/html/rfc5280.html
[Testcase]
We will create our own root CA, intermediate CA and leaf server certificate.
Create necessary directories:
$ mkdir reproducer
$ cd reproducer
$ mkdir CA
Write openssl configuration files to disk for each CA and cert:
$ cat << EOF >> rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
basicConstraints = critical,CA:FALSE,pathlen:0
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
Then generate the necessary RSA keys and form certificates:
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Now, let's try verify the generated certificates:
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
There are test packages available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test
If you install these test packages, and attempt to verify, things work as planned.
[Where problems could occur]
If a regression were to occur, it would occur around x509 certificate parsing and validation. It may cause certificates which had previously passed to fail, or certificates which failed to pass. It could potentially cause all certificates to fail or pass.
Since this is the openssl package and the package is security-critical, this will need a lot of validation, testing, and likely a review by the security team.
One of the commits which fixes the issue adds two testcases to the openssl testsuite, which tests the "CA:FALSE, pathlen:0" certificates with and without -x509_strict, and tests to see if it passes without, and fails with.
[Other info]
This was reported in the upstream issue #11456 [2]:
[2] https://github.com/openssl/openssl/issues/11456
I believe these three commits fix the issue:
commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 15:56:12 2020 +0200
Subject: Allow certificates with Basic Constraints CA:false, pathlen:0
Link: https://github.com/openssl/openssl/commit/00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 17:31:21 2020 +0200
Subject: Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
Link: https://github.com/openssl/openssl/commit/29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
commit e78f2a8f269a4dcf820ca994e2b89b77972d79e1
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri Apr 3 10:24:40 2020 +0200
Subject: Add test cases for the non CA certificate with pathlen:0
Link: https://github.com/openssl/openssl/commit/e78f2a8f269a4dcf820ca994e2b89b77972d79e1
These landed in openssl 1.1.1g, and hirsute already has these fixes. |
[Impact]
In openssl 1.1.1f, the below commit was merged:
commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7
This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA.
Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint.
The error you see when you try verify is:
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
The exact same certificates work fine on Xenial, Bionic and Hirsute.
[1] https://tools.ietf.org/html/rfc5280.html
[Testcase]
We will create our own root CA, intermediate CA and leaf server certificate.
Create necessary directories:
$ mkdir reproducer
$ cd reproducer
$ mkdir CA
Write openssl configuration files to disk for each CA and cert:
$ cat << EOF >> rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA
[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
$ cat << EOF >> user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User
[ usr_cert ]
basicConstraints = critical,CA:FALSE,pathlen:0
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
Then generate the necessary RSA keys and form certificates:
$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA
$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Now, let's try verify the generated certificates:
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
There are test packages available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test
If you install these test packages, and attempt to verify, things work as planned.
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
user1_cert.pem: OK
[Where problems could occur]
If a regression were to occur, it would occur around x509 certificate parsing and validation. It may cause certificates which had previously passed to fail, or certificates which failed to pass. It could potentially cause all certificates to fail or pass.
Since this is the openssl package and the package is security-critical, this will need a lot of validation, testing, and likely a review by the security team.
One of the commits which fixes the issue adds two testcases to the openssl testsuite, which tests the "CA:FALSE, pathlen:0" certificates with and without -x509_strict, and tests to see if it passes without, and fails with.
[Other info]
This was reported in the upstream issue #11456 [2]:
[2] https://github.com/openssl/openssl/issues/11456
I believe these three commits fix the issue:
commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 15:56:12 2020 +0200
Subject: Allow certificates with Basic Constraints CA:false, pathlen:0
Link: https://github.com/openssl/openssl/commit/00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Apr 2 17:31:21 2020 +0200
Subject: Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
Link: https://github.com/openssl/openssl/commit/29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
commit e78f2a8f269a4dcf820ca994e2b89b77972d79e1
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri Apr 3 10:24:40 2020 +0200
Subject: Add test cases for the non CA certificate with pathlen:0
Link: https://github.com/openssl/openssl/commit/e78f2a8f269a4dcf820ca994e2b89b77972d79e1
These landed in openssl 1.1.1g, and hirsute already has these fixes. |
|
| 2021-04-29 23:55:43 |
Matthew Ruffell |
attachment added |
|
Debdiff for openssl on focal https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493442/+files/lp1926254_focal.debdiff |
|
| 2021-04-29 23:56:25 |
Matthew Ruffell |
attachment added |
|
Debdiff for openssl on Groovy https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493443/+files/lp1926254_groovy.debdiff |
|
| 2021-04-30 00:25:55 |
Matthew Ruffell |
tags |
focal groovy sts |
focal groovy sts sts-sponsor |
|
| 2021-04-30 19:49:32 |
Dan Streetman |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2021-05-07 10:23:01 |
Robie Basak |
openssl (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
| 2021-05-07 10:23:03 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-05-07 10:23:04 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2021-05-07 10:23:08 |
Robie Basak |
tags |
focal groovy sts sts-sponsor |
focal groovy sts sts-sponsor verification-needed verification-needed-groovy |
|
| 2021-05-07 10:23:35 |
Robie Basak |
openssl (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-05-07 10:23:41 |
Robie Basak |
tags |
focal groovy sts sts-sponsor verification-needed verification-needed-groovy |
focal groovy sts sts-sponsor verification-needed verification-needed-focal verification-needed-groovy |
|
| 2021-05-12 00:58:28 |
Matthew Ruffell |
tags |
focal groovy sts sts-sponsor verification-needed verification-needed-focal verification-needed-groovy |
focal groovy sts sts-sponsor verification-done-focal verification-needed verification-needed-groovy |
|
| 2021-05-12 03:28:22 |
Matthew Ruffell |
tags |
focal groovy sts sts-sponsor verification-done-focal verification-needed verification-needed-groovy |
focal groovy sts sts-sponsor verification-done verification-done-focal verification-done-groovy |
|
| 2021-05-19 02:27:26 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-05-19 03:02:54 |
Launchpad Janitor |
openssl (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-05-19 03:03:09 |
Launchpad Janitor |
openssl (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
