View Issue Details

ID: 0001392
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2015-07-30 06:58
Reporter: BenBE
Assigned To: BenBE
Priority: immediate
Severity: major
Reproducibility: always
Status: solved?
Resolution: fixed
Product Version: 2015 Q3
Target Version: 2015 Q3
Fixed in Version: 2015 Q3
Summary: 0001392: Issue of certificates to arbitrary domains
Description: An issue was reported regarding certificate issuance that allows certificates to be issued for arbitrary domains.
Tags: No tags attached.
Reviewed by: NEOatNHNG, BenBE
Test Instructions: Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) and check that normal combinations work.
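The test instructions above exercise two separate checks that a CA front end has to run on every requested name: a strict syntactic check (is this string a DNS hostname at all?) and an authorisation check (does the account own it?). The following is an added illustration in Python, not CAcert's own code (the CAcert website is PHP, and the original regexp is not shown on this page). The set of verified domains and the test names are constructed from the test reports further down; the point it demonstrates is that the ownership test alone is satisfied by a suffix match on `google.com#www.inopiae.com`, so the syntax check has to run first and has to reject every character outside the hostname alphabet.

```python
import re

# One DNS label (RFC 1123 style): letters, digits and hyphens, 1 to 63 chars,
# no leading or trailing hyphen.  Anything else, including '#', '?', '/' or
# whitespace, fails the match.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Strict syntactic check: an optional leading '*' label, then plain DNS labels.

    Requires at least two labels after the wildcard so that bare TLDs and a
    lone '*' are refused.
    """
    if not name or len(name) > 253:
        return False
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def is_owned(name, verified_domains):
    """Authorisation check: the name (wildcard stripped) is a verified domain
    or lies below one.

    Note that this check on its own is fooled by a name such as
    'google.com#www.inopiae.com': the string ends in '.inopiae.com', so the
    suffix test passes even though the string is not a hostname.  That is
    why check_names() runs is_valid_hostname() first.
    """
    base = name.lower()
    if base.startswith("*."):
        base = base[2:]
    return any(base == d or base.endswith("." + d) for d in verified_domains)


def check_names(names, verified_domains):
    """Split the requested names into (accepted, rejected), syntax first."""
    accepted, rejected = [], []
    for n in names:
        if is_valid_hostname(n) and is_owned(n, verified_domains):
            accepted.append(n)
        else:
            rejected.append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed from the test reports on this issue; the account in each
    # report had verified exactly the listed domain.
    cases = [
        ({"inopiae.com"}, ["google.com#www.inopiae.com"]),
        ({"inopiae.com"}, ["www.inopiae.com", "*.www.inopiae.com", "project-biz.de"]),
        ({"janis-streib.de"}, ["*.janis-streib.de", "google.com#janis-streib.de"]),
        ({"janis-streib.de"}, ["google.com?janis-streib.de"]),
        ({"looney.info"}, ["looney.info", "test.looney.info", "*.looney.info"]),
    ]
    for owned, names in cases:
        acc, rej = check_names(names, owned)
        print("accepted:", acc, " rejected:", rej)
```

Running the block reproduces the outcomes recorded in the notes: every name carrying `#` or `?` is rejected, `project-biz.de` is rejected because it is not a verified domain, and the plain and wildcard names under the verified domains are accepted.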

Activities

BenBE

2015-07-25 12:55

updater   ~0005429

Review of patch done by Michael Tänzer (NEOatNHNG) and me (BenBE) via phone.

In the course of the review the initial regexp was changed slightly.

INOPIAE

2015-07-25 12:56

updater   ~0005430

Create CSR with this command:
openssl req -newkey rsa:4096 -nodes -subj /CN=google.com#www.inopiae.com

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

After submitting the CSR to the system I get this statement:
Rejected: google.com#www.inopiae.com => ok

After pressing Submit a second time:
Domain not verified. => ok

=>OK

StefanT

2015-07-25 13:47

updater   ~0005431

Domain looney.info is verified in my test account.
Create a CSR: openssl req -newkey rsa:4096 -nodes -subj '/CN=google.com#test.looney.info'


-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

Answer 1 (in German, translated): The following hostnames were rejected because the system could not link them to your account. If the hostnames are valid, add the corresponding domains to your account.
Rejected: google.com#test.looney.info

Answer 2 (in German, translated): The domain is not verified.

This is the same as the test before.

wytze

2015-07-25 15:32

developer   ~0005432

The webserver part of the patch has been installed on the production server on July 25, 2015. See also the log message recorded here:
https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00003.html

The signer part of the patch will be installed next week, arrangements for access to the secured site are in progress.

INOPIAE

2015-07-25 21:51

updater   ~0005433

report from ticket s20150719.73:
It seems there is a bug in the portal. Since this modification, I am no longer able to use alternate DNS for my certificate:

 BEGIN QUOTE
The following hostnames were rejected because the system couldn't link them to your
account, if they are valid please verify the domains against your account.
Rejected: *.aaaa.net
Rejected: bbbbbbb.com
Rejected: *.bbbbb.com
 END QUOTE

INOPIAE

2015-07-25 21:52

updater   ~0005434

The test with the CSR from above still shows the same behavior. => ok

A test with SAN DNS:www.inopiae.com,DNS:*.www.inopiae.com,DNS:project-biz.de
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwGjEYMBYGA1UEAxMPd3d3Lmlub3BpYWUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ZnXrsYOPgAYyQGU7YGMPwGGMk+r64Hg
sckSNZd61PaTzLaCXmtyZmEa2NR7k/qZbhHh9kzpuCOGmkeSAW4bge/NJoe+EVu6
dCExQJqjn8MkK0CQzLjpRGvWX4W+GiRr00PG47MSphbBGoXzRSzi7FyrKwSdERTJ
vg0dkO9ayHicmdQbi38vrjAEdSqzhcxY0d4EDczUWDa5h9qnq1EJprFhUmPrllVF
A5dPFcSUiwcGIbAz0AmhGCnPCOFIZSOjBVNUP+23XdXLLV8XCQJZAGCtgwOBX4vc
akwnQy6aInj989hIfqn0fVs5ykys7A37UlNGJx0U7M8v9JpuGsDwLwIDAQABoFAw
TgYJKoZIhvcNAQkOMUEwPzA9BgNVHREENjA0gg93d3cuaW5vcGlhZS5jb22CESou
d3d3Lmlub3BpYWUuY29tgg5wcm9qZWN0LWJpei5kZTANBgkqhkiG9w0BAQUFAAOC
AQEAgsvdlozi4R7vpuuqsOO62CK9Yk+UAr6a1EiRQKTBbf8C0UcyCSZoJ5Sj6KKL
J3U2REM3lTokX8jFxA6yt0COkf/tx1myZnoFn1Sh1X+M0ErRS+6QdON7tZS5ql0d
aYDzG0vVs2OKKIOU7lflw/WTDT6a+2e5TFwJJDWHnhdqfRkNb12H+oUlcaH4wJjw
ARDi62kxMdQ+1YwSam/CSPPFsm+Y2F0u5xGo37Qet7lImrGx3tWzM51ebot1Gh8m
3sy+hE/iqQhROZfKVcj1Xvq2vm1LgJIerh0kGLiTRZjLKPEgTXky7hFibNemKjnB
matlC2rKDs6xE71BtJ2PHrQ8tw==
-----END CERTIFICATE REQUEST-----

works: => ok

=> ok

janmaco

2015-07-26 16:11

updater   ~0005435

Tested on the current test system with an account which owns the domain 'janis-streib.de'.

Created CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=google.com#janis-streib.de

-> Rejected => OK

Created CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=janis-streib.de

-> Accepted => OK

Created CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=*.janis-streib.de

-> Accepted => OK

Created CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=*.janis-streib.de/CN=google.com#janis-streib.de

-> The google one gets rejected => OK

Created CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=google.com?janis-streib.de

-> Rejected => OK

Generated CSR with the command
openssl req -newkey rsa:4096 -nodes -subj /CN=*.www.janis-streib.de/CN=janis-streib.de/CN=*.janis-streib.de

-> All domains accepted and in the cert => OK

=>PASSED

StefanT

2015-07-26 19:14

updater   ~0005436

Test domain looney.info with my test account
csr: openssl req -newkey rsa:4096 -nodes -subj '/CN=google.com#test.looney.info'

 
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


Answer 1: After submission of the CSR the request was denied with an error: the hostnames were rejected, the domains are not verified to your domain.

Answer 2: The domain is not verified. => OK

csr: openssl req -newkey rsa:4096 -nodes -subj '/CN=looney.info/CN=test.looney.info/CN=*.looney.info'

 
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


Answer 1: All 3 names are accepted => OK

Answer 2: The certificate was issued => OK

wytze

2015-07-27 07:29

developer   ~0005437

The additional part of the patch for the webserver side has been installed on the production server on July 27, 2015. See also the log message recorded here:
https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00004.html

The signer part of the patch will be installed later this week, arrangements for access to the secured site are in progress.

wytze

2015-07-29 10:29

developer   ~0005441

The signer part of the fix has been installed on the production server on July 29, 2015, by means of a visit to the hosting centre. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2015-07/msg00008.html

Issue History

Date Modified Username Field Change
2015-07-25 06:20 BenBE New Issue
2015-07-25 06:20 BenBE Assigned To => BenBE
2015-07-25 12:53 BenBE Reviewed by => NEOatNHNG, BenBE
2015-07-25 12:53 BenBE Test Instructions => Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #)
2015-07-25 12:53 BenBE Status new => needs review & testing
2015-07-25 12:55 BenBE Note Added: 0005429
2015-07-25 12:56 INOPIAE Note Added: 0005430
2015-07-25 13:47 StefanT Note Added: 0005431
2015-07-25 15:32 wytze Note Added: 0005432
2015-07-25 21:51 INOPIAE Note Added: 0005433
2015-07-25 21:52 INOPIAE Note Added: 0005434
2015-07-26 15:29 INOPIAE Test Instructions Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) => Create a CSR containing evil.com#something.you.own.com (arbitrary domain in front, acceptable domain behind #) and check that normal combinations work.
2015-07-26 16:11 janmaco Note Added: 0005435
2015-07-26 19:14 StefanT Note Added: 0005436
2015-07-27 07:29 wytze Note Added: 0005437
2015-07-28 19:31 BenBE Status needs review & testing => ready to deploy
2015-07-29 10:29 wytze Note Added: 0005441
2015-07-29 10:29 wytze Status ready to deploy => solved?
2015-07-29 10:29 wytze Fixed in Version => 2015 Q3
2015-07-29 10:29 wytze Resolution open => fixed
2015-07-30 06:58 BenBE View Status private => public