View Issue Details

IDProjectCategoryView StatusLast Update
0001101Main CAcert Websitesource codepublic2013-09-29 16:28
ReporterUli60 Assigned ToTimoAHummel  
PrioritynormalSeverityminorReproducibilityhave not tried
Status needs workResolutionopen 
Summary0001101: general rewrite of get info from csr routine in includes/general.php
Description 1. general rewrite of get info from csr routine in includes/general.php (bug 1054, bug 440)
  * Timo will check
Additional Informationfrom meeting https://wiki.cacert.org/Software/Assessment/20120918-S-A-MiniTOP
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001054 needs review & testingTed Review the code regarding the new point calculation in ./includes/general.php 
related to 0000440 closedNEOatNHNG Problem with subjectAltName 
related to 0001095 needs workNEOatNHNG Problems with creating server sertificate where the csr is created with Java SDK Tools 
related to 0001048 needs review & testingEva Review the code regarding the new point calculation in ./www/api/ccsr.php 
related to 0001035 closed CN gets deleted from subjectAltName on cert renewal 
related to 0000995 new Slashes in OU value gets stripped (org cert) 
related to 0000991 needs workNEOatNHNG commonName is wrongly burned on CSR 
related to 0000952 needs workUli60 CSR not signed, pending forever: "Supported Key Types and Sizes" 
related to 0000807 needs review & testingNEOatNHNG cacert ignores signature algorithm from csr 
related to 0000799 new Repeated CN in SAN in original CSR and produced in 1st received CRT is removed when CRT is renewed 
related to 0000790 closedNEOatNHNG Creating organisation client certs by pasted CSR 
related to 0000788 new Altnames can only be assigned when in CSR 
related to 0000607 new csr field doesn't accept an x509 encoded cert 
related to 0000540 needs feedbackNEOatNHNG No key usage attribute in cacert org certs anymore? 
related to 0000530 closed XMPP extension not present after renewal 
related to 0000392 needs work Check Signature Check in Web-Interface 
related to 0000363 closed Organisational Client Certificate CSRs 
related to 0000060 confirmed CSR debugger 
parent of 0001214 closedNEOatNHNG Extended validity certificates don't have the same Subject Alt Name as newly created certificates 
related to 0000658 needs work report to end user fields not copied from CSR 
related to 0001205 confirmed Refactor certificate creation routines into /includes/notary.inc.php 

Activities

TimoAHummel

2012-09-29 23:00

developer   ~0003223

Refactoring is in progress; one thing that is a bit of "ouch" is that it actually forks openssl. This can't be solved on a short-term basis.

An ASN.1 parser written in PHP can be found here: http://www.phpkode.com/source/s/mistpark-server/library/asn1.php

TimoAHummel

2012-09-29 23:28

developer   ~0003224

To retrieve the subject line only it is advised to use the following openssl call:

openssl req -in <file> -subject -noout

This only outputs the subject, so we don't need to parse any lines and hopefully retrieve the one starting with "Subject:".

TimoAHummel

2012-09-30 15:33

developer   ~0003225

I might have stumbled over a potential issue, not sure if this is security relevant:

When extracting the data via OpenSSL, no escaping is applied. That means that when I'm specifying "In/Ex,CN=www.foobar.org" for OU, it is correctly returned in it's ASN.1 form (OU=In/Ex,CN=www.foobar.org) and can be properly recognised. However, when using the openssl subject function, OpenSSL mixes the value with keys, so in the example, any parser would assume that CN=www.foobar.org doesn't belong to the OU entry.

Another example I've done:

During openssl CSR generation:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:In/Exgen=Foobar

openssl req -in test.csr -subject -noout
subject=/C=DE/ST=Some-State/O=In/Exgen=Foobar

openssl asn1parse -in test.csr
...
   56:d=5 hl=2 l= 15 prim: UTF8STRING :In/Exgen=Foobar
...

So the only reliable method would be to use asn1parse.

Uli60

2012-10-15 23:57

updater   ~0003245

on normal user accounts company will be stripped completely
under org assurance, company will be added by the Org Assurer
according to the given registrations
so if there is an issue here, it has to be notified to the OAs
to check for problem company settings

users: only email and username will be read from the given csr
       and written to the signed key
organisations: some values (see CPS) will be written to the signed key
   all values about the org will be read from the database written
   org account information
   only username, email or servername will be read from the csr

TimoAHummel

2012-10-16 00:18

developer   ~0003247

Uli, I did not understand your comment. Do you assume that the issue is related to OU only? That's not the case, it's related to any key/value assignment.

Uli60

2012-10-16 13:35

updater   ~0003252

no keys except the email address and/or servername will be picked up from the pasted CSR for signing. All other stuff will be stripped away

build a csr with multiple SAN's

entering company name:
[Internet Widgits Pty Ltd]:In/Exgen=Foobar

openssl-san.cfg
[alt_names]
DNS.1 = Foo,Bar=Bla
DNS.2 = Ltd:In/Exgen=Foobar
DNS.3 = test3b.avintec.com

entering in interactive OpenSSL create CSR:
..............................................................
Organization Name (eg, company) [World Wide Web Pty Ltd]:
  => DNS.1 = Foo,Bar=Bla
Organizational Unit Name (eg, section) [IT]:
  => DNS.2 = Ltd:In/Exgen=Foobar
Common Name (e.g. server FQDN or YOUR name) []:
  => DNS.3 = test3b.avintec.com

email: cert.test@w.d <== the only one valid entry
...............................................................
created => test3-avintec-com-2048.csr

Account
 + Server Certs
   + New

Sign by class 3 root cert

paste csr content

[submit]

results in:

 Please make sure the following details are correct before proceeding any further.

subjectAltName: DNS:test3b.avintec.com
No additional information will be included on certificates because it can not be automatically
 checked by the system.

The following hostnames were rejected because the system couldn't link them to your account,
 if they are valid please verify the domains against your account.
Rejected: DNS.3
Rejected: Foo
Rejected: Ltd:In


[submit]

Below is your Server Certificate

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

copy & paste to: test3-avintec-com-2048-signed-c3.key


https://cacert1.it-sls.de/account.php?id=12
Server certs lists:
Valid DNS:test3b.avintec.com 10D9 Not Revoked 2012-11-15 13:14:31



rem testing CSR
openssl req -text -noout -in test3-avintec-com-2048.csr
.....................................................................
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=DNS.1 = Foo,Bar=Bla, OU=D
NS.2 = Ltd:In/Exgen=Foobar, CN=DNS.3 = test3b.avintec.com/emailAddress=certs.tes
t@w.d
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:Foo,Bar=Bla, DNS:Ltd:In/Exgen=Foobar, DNS:test3b.avintec.com

    Signature Algorithm: sha1WithRSAEncryption
[...]
.....................................................................


rem testing signed cert
openssl x509 -text -in test3-avintec-com-2048-signed-c3.key -noout
.....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4313 (0x10d9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Oct 16 13:14:31 2012 GMT
            Not After : Nov 15 13:14:31 2012 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test3b.avintec.com, othername:<unsupported>
                ^^^^^^^^^^ <==== !!!!!
    Signature Algorithm: sha1WithRSAEncryption
            [...]
.....................................................................

the only issue here is the primary servername entry
if it doesn't include a valid domain that has been verified, all other stuff will be stripped. If the delivered URL includes one of the registered domain names, the test passes the procedure
OU, O and other stuff will be completely stripped before any processing

you can place any foo into the CSR, it will be stripped anyway until it does finish with a registered domain name in the line registered with your account.

Uli60

2012-10-30 11:08

updater   ~0003281

current state: is under development

ziddle

2013-03-23 21:14

reporter   ~0003845

Personally, I think this would be better off using phpseclib, a pure PHP X.509 encoder / decoder:

http://phpseclib.sourceforge.net/x509/decoder.php
http://phpseclib.sourceforge.net/x509/asn1parse.php

Issue History

Date Modified Username Field Change
2012-09-23 11:22 Uli60 New Issue
2012-09-23 11:23 Uli60 Relationship added related to 0001054
2012-09-23 11:23 Uli60 Relationship added related to 0000440
2012-09-23 11:25 Uli60 Additional Information Updated View Revisions
2012-09-29 23:00 TimoAHummel Note Added: 0003223
2012-09-29 23:28 TimoAHummel Note Added: 0003224
2012-09-30 15:33 TimoAHummel Note Added: 0003225
2012-10-02 22:01 Uli60 Assigned To => TimoAHummel
2012-10-15 23:57 Uli60 Note Added: 0003245
2012-10-16 00:18 TimoAHummel Note Added: 0003247
2012-10-16 13:35 Uli60 Note Added: 0003252
2012-10-30 11:08 Uli60 Note Added: 0003281
2012-10-30 11:08 Uli60 Status new => needs work
2013-01-07 21:41 Werner Dworak Relationship added related to 0001095
2013-01-07 21:44 Werner Dworak Relationship added related to 0001048
2013-01-07 21:47 Werner Dworak Relationship added related to 0001035
2013-01-07 21:49 Werner Dworak Relationship added related to 0000995
2013-01-07 21:50 Werner Dworak Relationship added related to 0000991
2013-01-07 21:55 Werner Dworak Relationship added related to 0000952
2013-01-07 21:59 Werner Dworak Relationship added related to 0000807
2013-01-07 22:00 Werner Dworak Relationship added related to 0000799
2013-01-07 22:00 Werner Dworak Relationship added related to 0000790
2013-01-07 22:01 Werner Dworak Relationship added related to 0000788
2013-01-07 22:09 Werner Dworak Relationship added related to 0000607
2013-01-07 22:16 Werner Dworak Relationship added related to 0000540
2013-01-07 22:17 Werner Dworak Relationship added related to 0000530
2013-01-07 22:21 Werner Dworak Relationship added related to 0000392
2013-01-07 22:22 Werner Dworak Relationship added related to 0000363
2013-01-07 22:26 Werner Dworak Relationship added related to 0000060
2013-01-11 16:26 Werner Dworak Relationship added related to 0000658
2013-03-23 21:14 ziddle Note Added: 0003845
2013-08-20 16:41 Uli60 Relationship added related to 0001205
2013-09-29 16:28 Uli60 Relationship added related to 0001214
2013-09-29 16:28 Uli60 Relationship deleted related to 0001214
2013-09-29 16:28 Uli60 Relationship added parent of 0001214