View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001101 | Main CAcert Website | source code | public | 2012-09-23 11:22 | 2013-09-29 16:28 |
Reporter | Uli60 | Assigned To | TimoAHummel
Priority | normal | Severity | minor | Reproducibility | have not tried
Status | needs work | Resolution | open
Summary | 0001101: general rewrite of get info from csr routine in includes/general.php
Description | 1. general rewrite of get info from csr routine in includes/general.php (bug 1054, bug 440) * Timo will check
Additional Information | from meeting https://wiki.cacert.org/Software/Assessment/20120918-S-A-MiniTOP
Tags | No tags attached.
Reviewed by |
Test Instructions |
Relationship | Issue | Status | Assigned To | Summary
---|---|---|---|---
related to | 0001054 | needs review & testing | Ted | Review the code regarding the new point calculation in ./includes/general.php
related to | 0000440 | closed | NEOatNHNG | Problem with subjectAltName
related to | 0001095 | needs work | NEOatNHNG | Problems with creating server certificate where the csr is created with Java SDK Tools
related to | 0001048 | needs review & testing | Eva | Review the code regarding the new point calculation in ./www/api/ccsr.php
related to | 0001035 | closed | | CN gets deleted from subjectAltName on cert renewal
related to | 0000995 | new | | Slashes in OU value gets stripped (org cert)
related to | 0000991 | needs work | NEOatNHNG | commonName is wrongly burned on CSR
related to | 0000952 | needs work | Uli60 | CSR not signed, pending forever: "Supported Key Types and Sizes"
related to | 0000807 | needs review & testing | NEOatNHNG | cacert ignores signature algorithm from csr
related to | 0000799 | new | | Repeated CN in SAN in original CSR and produced in 1st received CRT is removed when CRT is renewed
related to | 0000790 | closed | NEOatNHNG | Creating organisation client certs by pasted CSR
related to | 0000788 | new | | Altnames can only be assigned when in CSR
related to | 0000607 | new | | csr field doesn't accept an x509 encoded cert
related to | 0000540 | needs feedback | NEOatNHNG | No key usage attribute in cacert org certs anymore?
related to | 0000530 | closed | | XMPP extension not present after renewal
related to | 0000392 | needs work | | Check Signature Check in Web-Interface
related to | 0000363 | closed | | Organisational Client Certificate CSRs
related to | 0000060 | confirmed | | CSR debugger
parent of | 0001214 | closed | NEOatNHNG | Extended validity certificates don't have the same Subject Alt Name as newly created certificates
related to | 0000658 | needs work | | report to end user fields not copied from CSR
related to | 0001205 | confirmed | | Refactor certificate creation routines into /includes/notary.inc.php

Note 0003223 - TimoAHummel - 2012-09-29 23:00

Refactoring is in progress; one thing that is a bit of "ouch" is that it actually forks openssl. This can't be solved on a short-term basis. An ASN.1 parser written in PHP can be found here: http://www.phpkode.com/source/s/mistpark-server/library/asn1.php

Note 0003224 - TimoAHummel - 2012-09-29 23:28

To retrieve the subject line only, it is advised to use the following openssl call:

openssl req -in <file> -subject -noout

This only outputs the subject, so we don't need to parse any lines and hopefully retrieve the one starting with "Subject:".

Note 0003225 - TimoAHummel - 2012-09-30 15:33

I might have stumbled over a potential issue, not sure if this is security relevant: When extracting the data via OpenSSL, no escaping is applied. That means that when I'm specifying "In/Ex,CN=www.foobar.org" for OU, it is correctly returned in its ASN.1 form (OU=In/Ex,CN=www.foobar.org) and can be properly recognised. However, when using the openssl subject function, OpenSSL mixes the value with keys, so in the example, any parser would assume that CN=www.foobar.org doesn't belong to the OU entry.

Another example I've done. During openssl CSR generation:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:In/Exgen=Foobar

openssl req -in test.csr -subject -noout
subject=/C=DE/ST=Some-State/O=In/Exgen=Foobar

openssl asn1parse -in test.csr
...
56:d=5 hl=2 l= 15 prim: UTF8STRING :In/Exgen=Foobar
...

So the only reliable method would be to use asn1parse.
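The ambiguity described in the note above, as an added example that is not part of this bug report or of the CAcert code base: a small Python script encodes the Subject of the test CSR as a DER X.501 Name, reads it back with a minimal DER walker (the same SEQUENCE / SET / OID / UTF8String structure that asn1parse prints), and compares that with the result of splitting the quoted "subject=" line on "/". Only the three CSR fields and the "subject=/C=DE/ST=Some-State/O=In/Exgen=Foobar" line come from the note; the encoder, the decoder, the OID table and the naive splitting routine are written here for illustration and are not how the CAcert software parses CSRs.

```python
"""Added example (not CAcert's code): the one-line output of
`openssl req -subject -noout` cannot be split safely, because '/' and '='
also occur unescaped inside values. Reading the Subject from the DER, as
asn1parse does, keeps every value intact."""

# Standard X.520 attribute types used below.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
             "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
NAME_OIDS = {short: oid for oid, short in OID_NAMES.items()}
# DirectoryString encodings accepted by the decoder: UTF8, Printable, IA5, T61.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> base-128 content octets (first two arcs packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def encode_name(rdns):
    """Build an X.501 Name: SEQUENCE of SET of (OID, UTF8String) pairs."""
    sets = b""
    for short, value in rdns:
        atv = der_tlv(0x06, encode_oid(NAME_OIDS[short])) + der_tlv(0x0C, value.encode("utf-8"))
        sets += der_tlv(0x31, der_tlv(0x30, atv))
    return der_tlv(0x30, sets)

def read_tlv(buf, pos):
    """Return (tag, content octets, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_name(der):
    """Walk a DER Name and return [(type, value), ...]; values are never split."""
    tag, name, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = read_tlv(name, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid, after_oid = read_tlv(atv, 0)
            vtag, raw, _ = read_tlv(atv, after_oid)
            if vtag not in STRING_TAGS:
                raise ValueError("unsupported string type 0x%02x" % vtag)
            dotted = decode_oid(oid)
            rdns.append((OID_NAMES.get(dotted, dotted), raw.decode(STRING_TAGS[vtag])))
    return rdns

def naive_subject_split(line):
    """The tempting shortcut: drop 'subject=', split on '/', then on the first '='."""
    if line.startswith("subject="):
        line = line[len("subject="):]
    return [tuple(part.split("=", 1)) for part in line.split("/") if part]

# Subject fields entered for the test CSR in the note, and the one-line output it quotes.
REPORT_SUBJECT = [("C", "DE"), ("ST", "Some-State"), ("O", "In/Exgen=Foobar")]
REPORT_ONELINE = "subject=/C=DE/ST=Some-State/O=In/Exgen=Foobar"

def compare():
    """Same Subject read two ways: from the DER and from the one-line string."""
    return {"der": decode_name(encode_name(REPORT_SUBJECT)),
            "oneline": naive_subject_split(REPORT_ONELINE)}
```

compare()["der"] returns the three attributes as entered, with O still "In/Exgen=Foobar"; compare()["oneline"] returns four pairs, O cut to "In" and a spurious "Exgen=Foobar" attribute. Any check that keys on the parsed attribute names (as a CA front end must) therefore has to work from the DER, never from the printed subject line.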

Note 0003245 - Uli60 - 2012-10-15 23:57

on normal user accounts company will be stripped completely
under org assurance, company will be added by the Org Assurer according to the given registrations
so if there is an issue here, it has to be notified to the OAs to check for problem company settings

users: only email and username will be read from the given csr and written to the signed key
organisations: some values (see CPS) will be written to the signed key; all values about the org will be read from the database (written org account information); only username, email or servername will be read from the csr

Note 0003247 - TimoAHummel - 2012-10-16 00:18

Uli, I did not understand your comment. Do you assume that the issue is related to OU only? That's not the case, it's related to any key/value assignment.

Note 0003252 - Uli60 - 2012-10-16 13:35

no keys except the email address and/or servername will be picked up from the pasted CSR for signing. All other stuff will be stripped away.

build a csr with multiple SAN's, entering company name: [Internet Widgits Pty Ltd]:In/Exgen=Foobar

openssl-san.cfg
[alt_names]
DNS.1 = Foo,Bar=Bla
DNS.2 = Ltd:In/Exgen=Foobar
DNS.3 = test3b.avintec.com

entering in interactive OpenSSL create CSR:
..............................................................
Organization Name (eg, company) [World Wide Web Pty Ltd]: => DNS.1 = Foo,Bar=Bla
Organizational Unit Name (eg, section) [IT]: => DNS.2 = Ltd:In/Exgen=Foobar
Common Name (e.g. server FQDN or YOUR name) []: => DNS.3 = test3b.avintec.com
email: cert.test@w.d <== the only one valid entry
...............................................................
created => test3-avintec-com-2048.csr

Account + Server Certs + New
Sign by class 3 root cert
paste csr content
[submit]

results in:
Please make sure the following details are correct before proceeding any further.
subjectAltName: DNS:test3b.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.
The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: DNS.3
Rejected: Foo
Rejected: Ltd:In
[submit]

Below is your Server Certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

copy & paste to: test3-avintec-com-2048-signed-c3.key

https://cacert1.it-sls.de/account.php?id=12
Server certs lists:
Valid DNS:test3b.avintec.com 10D9 Not Revoked 2012-11-15 13:14:31

rem testing CSR
openssl req -text -noout -in test3-avintec-com-2048.csr
.....................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=DNS.1 = Foo,Bar=Bla, OU=DNS.2 = Ltd:In/Exgen=Foobar, CN=DNS.3 = test3b.avintec.com/emailAddress=certs.test@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:Foo,Bar=Bla, DNS:Ltd:In/Exgen=Foobar, DNS:test3b.avintec.com
    Signature Algorithm: sha1WithRSAEncryption
        [...]
.....................................................................

rem testing signed cert
openssl x509 -text -in test3-avintec-com-2048-signed-c3.key -noout
.....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4313 (0x10d9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Oct 16 13:14:31 2012 GMT
            Not After : Nov 15 13:14:31 2012 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test3b.avintec.com, othername:<unsupported>
                                        ^^^^^^^^^^ <==== !!!!!
    Signature Algorithm: sha1WithRSAEncryption
        [...]
.....................................................................

the only issue here is the primary servername entry. if it doesn't include a valid domain that has been verified, all other stuff will be stripped. If the delivered URL includes one of the registered domain names, the test passes the procedure. OU, O and other stuff will be completely stripped before any processing. you can place any foo into the CSR, it will be stripped anyway until it does finish with a registered domain name in the line registered with your account.

Note 0003281 - Uli60 - 2012-10-30 11:08

current state: is under development

Note 0003845 - ziddle - 2013-03-23 21:14

Personally, I think this would be better off using phpseclib, a pure PHP X.509 encoder / decoder: http://phpseclib.sourceforge.net/x509/decoder.php http://phpseclib.sourceforge.net/x509/asn1parse.php

Date Modified | Username | Field | Change |
---|---|---|---|
2012-09-23 11:22 | Uli60 | New Issue | |
2012-09-23 11:23 | Uli60 | Relationship added | related to 0001054 |
2012-09-23 11:23 | Uli60 | Relationship added | related to 0000440 |
2012-09-23 11:25 | Uli60 | Additional Information Updated | |
2012-09-29 23:00 | TimoAHummel | Note Added: 0003223 | |
2012-09-29 23:28 | TimoAHummel | Note Added: 0003224 | |
2012-09-30 15:33 | TimoAHummel | Note Added: 0003225 | |
2012-10-02 22:01 | Uli60 | Assigned To | => TimoAHummel |
2012-10-15 23:57 | Uli60 | Note Added: 0003245 | |
2012-10-16 00:18 | TimoAHummel | Note Added: 0003247 | |
2012-10-16 13:35 | Uli60 | Note Added: 0003252 | |
2012-10-30 11:08 | Uli60 | Note Added: 0003281 | |
2012-10-30 11:08 | Uli60 | Status | new => needs work |
2013-01-07 21:41 | Werner Dworak | Relationship added | related to 0001095 |
2013-01-07 21:44 | Werner Dworak | Relationship added | related to 0001048 |
2013-01-07 21:47 | Werner Dworak | Relationship added | related to 0001035 |
2013-01-07 21:49 | Werner Dworak | Relationship added | related to 0000995 |
2013-01-07 21:50 | Werner Dworak | Relationship added | related to 0000991 |
2013-01-07 21:55 | Werner Dworak | Relationship added | related to 0000952 |
2013-01-07 21:59 | Werner Dworak | Relationship added | related to 0000807 |
2013-01-07 22:00 | Werner Dworak | Relationship added | related to 0000799 |
2013-01-07 22:00 | Werner Dworak | Relationship added | related to 0000790 |
2013-01-07 22:01 | Werner Dworak | Relationship added | related to 0000788 |
2013-01-07 22:09 | Werner Dworak | Relationship added | related to 0000607 |
2013-01-07 22:16 | Werner Dworak | Relationship added | related to 0000540 |
2013-01-07 22:17 | Werner Dworak | Relationship added | related to 0000530 |
2013-01-07 22:21 | Werner Dworak | Relationship added | related to 0000392 |
2013-01-07 22:22 | Werner Dworak | Relationship added | related to 0000363 |
2013-01-07 22:26 | Werner Dworak | Relationship added | related to 0000060 |
2013-01-11 16:26 | Werner Dworak | Relationship added | related to 0000658 |
2013-03-23 21:14 | ziddle | Note Added: 0003845 | |
2013-08-20 16:41 | Uli60 | Relationship added | related to 0001205 |
2013-09-29 16:28 | Uli60 | Relationship added | related to 0001214 |
2013-09-29 16:28 | Uli60 | Relationship deleted | related to 0001214 |
2013-09-29 16:28 | Uli60 | Relationship added | parent of 0001214 |