View Issue Details

IDProjectCategoryView StatusLast Update
0001297Main CAcert Websitesource codepublic2014-12-02 22:48
Reporterwytze Assigned ToBenBE  
PriorityurgentSeverityblockReproducibilityalways
Status closedResolutionfixed 
Product Version2014 Q2 
Target Version2014 Q3Fixed in Version2014 Q3 
Summary0001297: includes/lib/check_weak_key.php is broken after upgrade to Debian Wheezy with openssl 1.0
DescriptionThe code in includes/lib/check_weak_key.php relies on the output of openssl for a number of textual messages. Since Debian Wheezy uses openssl 1.0.1 rather than 0.9.8. some of the matched strings have changed. As a result, when upgrading the CAcert application chroot environment to Debian Wheezy, certificate issuing fails with errors like: "checkWeakKeyText(): Couldn't parse the RSA key size."

Steps To ReproduceUpgrade CAcert application environment to Debian Wheezy and try to create a certificate.
Note: cacert2.it-sls.de has the required test environment, but also has the patch suggested below installed. By reverting check_weak_key.php to the old version, the problem can be observed.
Additional InformationA suggested patch is attached.

A permanent fix for this problem is urgent, since the CAcert application chroot environment on the production server needs to be upgraded to Debian Wheezy ASAP;
the current Debian Squeeze environment is lacking security support/patches for recently reported problems with Apache2 / PHP / openssl.

TagsNo tags attached.
Reviewed byTed, BenBE
Test Instructions

Activities

wytze

2014-08-07 15:49

developer  

check_weak_key.php.patch (1,060 bytes)   
--- /home/cacert/www/includes/lib/check_weak_key.php.org	2014-03-10 17:58:51.000000000 +0100
+++ /home/cacert/www/includes/lib/check_weak_key.php	2014-06-20 17:13:08.293552377 +0200
@@ -128,7 +128,7 @@
 
 	if ($algorithm === "rsaEncryption")
 	{
-		if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
+		if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text, $keysize))
 		{
 			return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
 						"key size.\nData:\n$text");
@@ -308,7 +308,7 @@
 		if ($algorithm !== "rsaEncryption") return false;
 			
 		/* Extract public key size */
-		if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
+		if (!preg_match('/^\s*Public-Key: \((\d+) bit\)$/m', $text,
 		$keysize))
 		{
 			trigger_error("checkDebianVulnerability(): Couldn't parse the ".
@@ -338,7 +338,7 @@
 
 
 	/* Extract RSA modulus */
-	if (!preg_match('/^\s*Modulus \(\d+ bit\):\n'.
+	if (!preg_match('/^\s*Modulus:\n'.
 				'((?:\s*[0-9a-f][0-9a-f]:(?:\n)?)+[0-9a-f][0-9a-f])$/m',
 	$text, $modulus))
 	{
check_weak_key.php.patch (1,060 bytes)   

felixd

2014-08-08 23:30

updater   ~0004923

I have looked over the patch and created a git commit from it as it seemed sane to me.

The commit is available here:
https://github.com/yellowant/cacert-devel/commits/bug-1297

BenBE

2014-08-09 00:11

updater   ~0004926

Last edited: 2014-08-09 00:12

View 2 revisions

Applied on testserver, but needs a rebuilt of the chroot to be fully working.

wytze

2014-08-09 10:08

developer   ~0004930

The chroot on test.cacert.org aka cacert1.it-sls.de has been rebuilt to Debian Wheezy on August 9, 2014 around 12:00 CEST.

wytze

2014-08-09 10:55

developer   ~0004933

Tests performed:

1. request client certificate, SHA-512, medium grade:
   "The keys that you use are very small and therefore insecure.
    Please generate stronger keys. More information about this issue
    can be found in the wiki"
   => OK
2. request client certificate, SHA-512, high grade:
   Works
   => OK
3. request client certificate, SHA-256, high grade:
   Works
   => OK
4. request server certificate, 1024-bit key:
   "The keys that you use are very small and therefore insecure.
    Please generate stronger keys. More information about this issue
    can be found in the wiki"
   => OK
5. request server certificate, 2048-bit key:
   Works
   => OK

All tests succeeded.

Ted

2014-08-15 18:33

administrator   ~0004945

Reviewed fa3a17789986431c15dac26c43a8100ee7e8d0d4 vs. 061fec271f164c0efb356d98b5b4f640ed3c6c2f

The only changed file is includes/lib/check_weak_key.php

Verified different output of OpenSSL versions 0.9.8 and 1.0.1 by using openssl x509 -noout -text on a certificate file

Code changes match changes in OpenSSL output.

Review is PASSED.

felixd

2014-08-16 13:43

updater   ~0004951

1. Client cert 2048-bit-spkac (High Grade) random:
   --> Works
=> OK

2. Client cert 1024-bit-spkac (Medium Grade) random:
   --> key size too small
=> OK

3. Client cert 4096-bit-CSR random:
   --> Works
=> OK

4. Client cert 1024-bit-CSR random:
   --> key size too small
=> OK

5. Orga-server-cert 1024-bit-CSR:
    --> key size too small
=> OK

6. Orga-server-cert 4096-bit-CSR:
     --> Works
=> OK

==> Test PASSED

wytze

2014-08-28 15:22

developer   ~0004982

The patch has been installed on the production server on August 28, 2014, immediately after upgrading the CAcert chroot application environment to Debian Wheezy. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00019.html
https://lists.cacert.org/wws/arc/cacert-systemlog/2014-08/msg00020.html

Issue History

Date Modified Username Field Change
2014-08-07 15:49 wytze New Issue
2014-08-07 15:49 wytze File Added: check_weak_key.php.patch
2014-08-08 16:55 BenBE Assigned To => felixd
2014-08-08 16:55 BenBE Status new => needs work
2014-08-08 23:30 felixd Note Added: 0004923
2014-08-08 23:55 BenBE Source_changeset_attached => cacert-devel testserver-stable 61da9da5
2014-08-08 23:55 felixd Source_changeset_attached => cacert-devel testserver-stable 061fec27
2014-08-09 00:11 BenBE Reviewed by => BenBE
2014-08-09 00:11 BenBE Note Added: 0004926
2014-08-09 00:11 BenBE Assigned To felixd => NEOatNHNG
2014-08-09 00:11 BenBE Status needs work => needs review & testing
2014-08-09 00:12 BenBE Note Edited: 0004926 View Revisions
2014-08-09 10:08 wytze Note Added: 0004930
2014-08-09 10:55 wytze Note Added: 0004933
2014-08-15 18:33 Ted Note Added: 0004945
2014-08-15 18:34 Ted Reviewed by BenBE => Ted, BenBE
2014-08-15 18:34 Ted Status needs review & testing => needs testing
2014-08-16 13:43 felixd Note Added: 0004951
2014-08-18 05:36 BenBE Assigned To NEOatNHNG => BenBE
2014-08-18 05:36 BenBE Status needs testing => ready to deploy
2014-08-28 07:25 BenBE Source_changeset_attached => cacert-devel release f7509bc9
2014-08-28 15:22 wytze Note Added: 0004982
2014-08-28 15:22 wytze Status ready to deploy => solved?
2014-08-28 15:22 wytze Fixed in Version => 2014 Q3
2014-08-28 15:22 wytze Resolution open => fixed
2014-12-02 22:48 INOPIAE Status solved? => closed