Performing verification for Groovy.
I went and generated the ssl certificates and attempted to verify them with
the openssl version 1.1.1f-1ubuntu4.3 from -updates.
ubuntu@deep-mako:~$ sudo apt-cache policy openssl | grep Installed
  Installed: 1.1.1f-1ubuntu4.3
ubuntu@deep-mako:~$ mkdir reproducer
ubuntu@deep-mako:~$ cd reproducer
ubuntu@deep-mako:~/reproducer$ mkdir CA
ubuntu@deep-mako:~/reproducer$ cat << EOF >> rootCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Root-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE
> keyUsage = critical,keyCertSign, cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ cat << EOF >> subCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Sub-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE, pathlen: 0
> keyUsage = critical,keyCertSign, cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ cat << EOF >> user.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test User
>
> [ usr_cert ]
> basicConstraints = critical,CA:FALSE, pathlen: 0
> keyUsage = critical,digitalSignature,keyAgreement
> extendedKeyUsage = clientAuth,serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
....+++++
.......
ubuntu@deep-mako:~/reproducer$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
.......
.......
ubuntu@deep-mako:~/reproducer$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@deep-mako:~/reproducer$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Signature ok
subject=C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
Getting CA Private Key
ubuntu@deep-mako:~/reproducer$ c_rehash CA
Doing CA
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
...+++++
.......
ubuntu@deep-mako:~/reproducer$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@deep-mako:~/reproducer$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Signature ok
subject=C = DE, O = Test Org, CN = Test User
Getting CA Private Key
Now going and verifying the certificates:
ubuntu@deep-mako:~/reproducer$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
C = DE, O = Test Org, CN = Test User
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed
We see verification failed, again on CA:FALSE,pathlen:0 basicConstraints.
Now, if we enable -proposed and install openssl 1.1.1f-1ubuntu4.4:
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
user1_cert.pem: OK
The certificate verifies properly. The problem is fixed.
Additionally, if we examine the new unit tests added to openssl's testsuite in
the buildlog for Groovy:
https://launchpadlibrarian.net/537503607/buildlog_ubuntu-groovy-amd64.openssl_1.1.1f-1ubuntu4.4_BUILDING.txt.gz
We see:
../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1 -purpose sslserver -trusted ../../../test/certs/root-cert.pem -untrusted ../../../test/certs/ca-cert.pem ../../../test/certs/ee-pathlen.pem => 0
ok 84 - accept non-ca with pathlen:0 by default
CN = server.example
error 41 at 0 depth lookup: invalid or inconsistent certificate extension
error ../../../test/certs/ee-pathlen.pem: verification failed
../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1 -purpose sslserver -x509_strict -trusted ../../../test/certs/root-cert.pem -untrusted ../../../test/certs/ca-cert.pem ../../../test/certs/ee-pathlen.pem => 2
ok 85 - reject non-ca with pathlen:0 with strict flag
Both tests pass with "ok", so the feature is working as intended in both standard and strict mode.
Since everything is in order, I am happy to mark verified for Groovy.
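As an added illustration (not part of this bug comment and not OpenSSL's own code), the script below decodes the DER value of an X.509 basicConstraints extension and applies the two policies that the test names above describe: the default mode accepts an end-entity certificate that carries CA:FALSE with pathlen:0, while the strict mode rejects it as an inconsistent extension, since RFC 5280 only gives pathLenConstraint meaning when cA is TRUE. All function names (`parse_basic_constraints`, `check_leaf`) and the three hand-encoded sample values are my own constructions; the sample values mirror the extensions set in the user, sub-CA and root configs above.

```python
# Added example: minimal DER decoder for basicConstraints plus the
# default-vs-strict acceptance rule for a non-CA certificate with pathlen.
# Hypothetical helper code, not taken from OpenSSL or from the bug report.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class BasicConstraints:
    ca: bool                 # cA BOOLEAN DEFAULT FALSE
    pathlen: Optional[int]   # pathLenConstraint INTEGER OPTIONAL


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }.  In DER a DEFAULT value
    must be omitted, so CA:FALSE is encoded by leaving the BOOLEAN out."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    ca, pathlen, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:           # BOOLEAN present
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1 or val[0] not in (0x00, 0xFF):
            raise ValueError("invalid DER BOOLEAN")
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:           # INTEGER present
        _, val, pos = _read_tlv(body, pos)
        pathlen = int.from_bytes(val, "big", signed=True)
        if pathlen < 0:
            raise ValueError("pathLenConstraint must be non-negative")
    if pos != len(body):
        raise ValueError("trailing data in basicConstraints")
    return BasicConstraints(ca, pathlen)


def check_leaf(bc: BasicConstraints, strict: bool) -> Tuple[bool, str]:
    """Acceptance rule for an end-entity certificate.  Default mode tolerates
    a stray pathlen on a non-CA; strict mode treats it as inconsistent, which
    is what the -x509_strict test case above expects (error 41)."""
    if bc.ca:
        return False, "leaf certificate asserts CA:TRUE"
    if bc.pathlen is not None and strict:
        return False, "invalid or inconsistent certificate extension (pathlen on non-CA)"
    return True, "OK"


# Constructed sample values (DER encoded by hand, not extracted from real certs):
USER_CERT_BC = bytes.fromhex("30 03 02 01 00")          # CA:FALSE, pathlen:0
SUBCA_BC = bytes.fromhex("30 06 01 01 ff 02 01 00")     # CA:TRUE,  pathlen:0
ROOT_BC = bytes.fromhex("30 03 01 01 ff")               # CA:TRUE


if __name__ == "__main__":
    for name, der in (("user1", USER_CERT_BC), ("subCA", SUBCA_BC), ("root", ROOT_BC)):
        bc = parse_basic_constraints(der)
        for strict in (False, True):
            ok, why = check_leaf(bc, strict)
            print(f"{name:6} {bc} strict={strict!s:5} -> {'OK' if ok else 'REJECT'}: {why}")
```

Running the script prints one line per sample and mode; only the user1 value flips from OK to REJECT when strict is enabled, which is exactly the difference between test 84 and test 85 in the build log.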