View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000440 | Main CAcert Website | certificate issuing | public | 2007-05-21 11:46 | 2014-06-15 12:14 |
| Reporter | fbusse | Assigned To | NEOatNHNG | ||
| Priority | low | Severity | trivial | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2007 | ||||
| Target Version | 2013 Q4 | Fixed in Version | 2014 Q1 | ||
| Summary | 0000440: Problem with subjectAltName | ||||
| Description | There seems to be a problem with the subjectAltName. As CSR with the following content 509v3 Subject Alternative Name: DNS:fbunet.de, DNS:www.fbunet.de becomes this in the signed certificate: X509v3 Subject Alternative Name: DNS:www.fbunet.de, othername:<unsupported>, DNS:fbunet.de, othername:<unsupported>, DNS:www.fbunet.de, othername:<unsupported> The othername is probably the xmpp-extension, but as you can see, www.fbunet.de now appears twice as a DNS record. Looks like the CN is taken and put into subjectAltName additionally (which makes no sense, as it's already there). | ||||
| Steps To Reproduce | Create a CSR and copy the CommonName into a SubjectAltName. i.e CN=foo.com SubjectAltName=DNS:foo.com Dump the resulting certificate and check the duplicate entry. | ||||
| Additional Information | The parser should detect duplicate SubjectAltNames and eliminate them. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | dastrath, NEOatNHNG | ||||
| Test Instructions | |||||
| related to | 0000530 | closed | XMPP extension not present after renewal | |
| related to | 0000672 | new | RFC5280 deprecates EmailAddress= in certificates, wants subjectAltName= instead | |
| related to | 0001017 | closed | NEOatNHNG | Chrome certificate enrollement |
| has duplicate | 0000768 | closed | CAcert adds CommonName to SubjectAltName, although it's already there | |
| has duplicate | 0001035 | closed | CN gets deleted from subjectAltName on cert renewal | |
| has duplicate | 0001214 | closed | NEOatNHNG | Extended validity certificates don't have the same Subject Alt Name as newly created certificates |
| has duplicate | 0001233 | closed | BenBE | Deduplication of SAN not working properly |
| related to | 0000540 | needs feedback | NEOatNHNG | No key usage attribute in cacert org certs anymore? |
| related to | 0000978 | closed | BenBE | Invalid SPKAC requests are not properly validated |
| related to | 0001054 | needs review & testing | Ted | Review the code regarding the new point calculation in ./includes/general.php |
| related to | 0001101 | needs work | TimoAHummel | general rewrite of get info from csr routine in includes/general.php |
| related to | 0000392 | needs work | Check Signature Check in Web-Interface | |
| related to | 0000658 | needs work | report to end user fields not copied from CSR | |
| related to | 0001205 | confirmed | Refactor certificate creation routines into /includes/notary.inc.php |
|
|
might not make sense to you, but when SubjectAltNames exist, CN isnt used anymore (and 99% people dont know that). This helps people, after all dropping the cert and starting from scratch everytime you forget to retype the CN into SAName is annoying :) So we just need to check whether its already in or not (duplicate). |
|
|
That's exactly what I meant: If the CN is already in SAName, don't add it a second time. I'm quite optimistic that having a duplicate SAName doesn't break anything, but it's not useful for anything on the other hand :) |
|
|
After processing the certificate request, CA cert automatically adds the CN as the first subjectAltName, even if it was already present. In addition, it adds the XMPP extensions. However, when renewing a certificate, these additional subjectAltNames are no longer there. So there is an inconsistency between the first issue of a certificate and renewed certificates. I'll report this in a separate bug (0000530). I recommend to: * Always add the CN as subjectAltName if not present * Remove duplicate subjectAltNames * Make it consistent for first issues and renewals * Decide to either always add, or always leave out the xmpp-extensions. By the way, the othername is indeed an xmpp extension. Some examination revealed that the contents is an OID 1.3.6.1.5.5.7.8.5, as defined in section 5.1.1 or RFC 3920. The rest is simply the hostname again with some control bytes (A1 14 0C in my case) and a length byte. |
|
|
Noticed this same discrepancy today: first I refreshed a cert, which gave me a new cert lacking both one DNS SAN and both xmpp exts. As this caused regressions due to the missing CN in the SAN section, I modified the CSR and requested the cert anew, now resulting in duplicate SANs together with all that xmpp stuff. I second the recommendation by macfreek. |
|
|
I can confirm this. |
|
2011-04-12 19:28
|
bug440a.patch (3,898 bytes)
Factor out common code to build subject string. Should fix bug #440.
2010-04-12 Martin von Gagern
http://bugs.cacert.org/bug_view_page.php?bug_id=440
diff --git a/includes/account.php b/includes/account.php
index 685b53a..c709bf8 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -19,6 +19,48 @@
loadem("account");
+function appendUnique($str, $suffix) {
+ if (!strstr($str, "$suffix/") &&
+ substr($str, -strlen($suffix)) != $suffix)
+ $str .= $suffix;
+ return $str;
+}
+
+function appendSubjectAltName($subject, $name, $supress) {
+ if (!$supress)
+ {
+ $subject = appendUnique($subject, "/subjectAltName=DNS:$name");
+ $subject = appendUnique($subject, "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$name");
+ }
+ return $subject;
+}
+
+function buildSubject() {
+ $subject = "";
+ $count = 0;
+ $supressSAN=0;
+ if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
+
+ if(is_array($_SESSION['_config']['rows']))
+ foreach($_SESSION['_config']['rows'] as $row)
+ {
+ $count++;
+ if($count <= 1)
+ $subject .= "/CN=$row";
+ $subject = appendSubjectAltName($subject, $row, $supressSAN);
+ }
+ if(is_array($_SESSION['_config']['altrows']))
+ foreach($_SESSION['_config']['altrows'] as $row)
+ {
+ if(substr($row, 0, 4) == "DNS:")
+ {
+ $row = substr($row, 4);
+ $subject = appendSubjectAltName($subject, $row, $supressSAN);
+ }
+ }
+ return $subject;
+}
+
$id = 0; if(array_key_exists("id",$_REQUEST)) $id=intval($_REQUEST['id']);
$oldid = 0; if(array_key_exists("oldid",$_REQUEST)) $oldid=intval($_REQUEST['oldid']);
$process = ""; if(array_key_exists("process",$_REQUEST)) $process=$_REQUEST['process'];
@@ -667,35 +709,7 @@
exit;
}
- $subject = "";
- $count = 0;
- $supressSAN=0;
- if($_SESSION["profile"]["id"] == 104074) $supressSAN=1;
-
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- } else {
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- {
- if(substr($row, 0, 4) == "DNS:")
- {
- $row = substr($row, 4);
- if(!$supressSAN) $subject .= "/subjectAltName=DNS:$row";
- if(!$supressSAN) $subject .= "/subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:$row";
- }
- }
+ $subject = buildSubject();
if($_SESSION['_config']['rootcert'] < 1 || $_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
@@ -813,29 +827,7 @@
continue;
}
- $subject = "";
- $count = 0;
- if(is_array($_SESSION['_config']['rows']))
- foreach($_SESSION['_config']['rows'] as $row)
- {
- $count++;
- if($count <= 1)
- {
- $subject .= "/CN=$row";
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- } else {
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
- }
- }
- if(is_array($_SESSION['_config']['altrows']))
- foreach($_SESSION['_config']['altrows'] as $row)
- if(!strstr($subject, "=$row/") &&
- substr($subject, -strlen("=$row")) != "=$row")
- $subject .= "/subjectAltName=$row";
+ $subject = buildSubject();
$subject = mysql_real_escape_string($subject);
mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
|
|
|
This bit me again today, which is really annoying. So I wrote a patch, attached here as bug440a.patch. Completely untested, as I don't have a working replica here and I don't have the time to set one up. So expect the code to not work at all. Nevertheless, the general idea should be sound, and any problems rather easy to fix. So please give it a try on some dev setup. Apparently there are two regions in account.php where a subject string is built up from a set of names. They both have their merits and their drawbacks: the one for initial cert will always include CN as a SAN as well, even if it is already listed as a SAN. It will also include the XMPP version. The one for refreshing will take extra care to avoid duplicate entries, but it does so solely based on field value, ignoring the key. Therefore any SAN that also matches the CN will be filtered out. I've aimed at turning duplicate code into simple functions with easy to understand semantics. I have to confess that the lack of this approach makes the whole code very hard to read for me. So now I've got a function to build up a subject string, to be invoked in both places. It calls other newly introduced functions to do its work. appendUnique should compare both key and value, so it should ensure that real duplicates are avoided, but SAN and CN for the same value can exist simultaneously. Perhaps you can increase the priority of this issue, now that you have something to work with. |
|
|
Hurray to Martin von Gagern! Let's hope one of the CAcert admins will pick this up. I just looked at the diff (I hadn't figured out where to download the original code). The patch is an improvement over the old code (much cleaner now that this has moved to a new function). Just for my understanding, does the appendUnique() makes sure that the all subjectAltNames are unique? The code seems to work, though it may be cleaned a bit: * code style (don't know if there is any, but you may want to add some brackets, changes spaces to tabs, etc.) * I would move the $supress parameter out of the appendSubjectAltName function and simply don't call the function is $supressSAN is set. For the original author of this code: why are subjectaltnames ignored if profile id is 104074? (a comments in the code would have been useful here). The patch code seems to work exactly the same as the original code in this case, so I presume it is OK. But without proper documentation, it is unclear what was intended. |
|
|
I got the sources from git, but there are tarballs as well: http://wiki.cacert.org/Software/DevelopmentWorkflow#Get_the_Source_Code https://secure.cacert.org/src-lic.php Yes, appendUnique makes sure subjectAltNames are unique. Upstream code style is a pain imho, but I've tried to follow what's there. I forgot to convert spaces to tabs in one instance, mea culpa. Moving the if related to supression outside the function would reintroduce common code, but yes, one could do that. I've also considered moving the if is_array and nested foreach into the function as well. Dunno if that would be a good idea. I guess 104074 is some customer who complained loudly enough about the SAN causing trouble, so they introduced some custom codepath to work around that issue. A field in some table would be cleaner, but perhaps not worth the effort unless there are other similar cases as well. One thing I forgot to mention: original code for renewal didn't prepend "DNS:" to the names, but my patch will do so again. Not sure whether that's correct, or whether the DNS: are already present in the renewal case for some reason. |
|
|
to SA's for review and transfer to testserver |
|
|
I have reviewed and slightly modified the proposed patch and added it to the test system (https://cacert1.it-sls.de). Please test and review the changes. |
|
|
Note to testers: Please also report to bug 0000540 and 0000978 as they also deal with certificate issuing |
|
|
test #1 - client certs variations creating new account: certs.test@w.d confirmed email/account add assurances (100 pts) add experience points (50) create client cert a) email 1 class1 no name enable cert login create client cert install client cert serno: 10D5 displ.name: CAcert WoT User -> ok valid from/to: 2012-02-21 / 2012-03-22 -> ok owner: E = certs.test@w.d, CN = CAcert WoT User -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok b) email 1 class3 no name enable cert login create client cert install client cert serno: 10A1 displ.name: CAcert WoT User -> ok valid from/to: 2012-02-21 / 2012-03-22 -> ok owner: E = certs.test@w.d, CN = CAcert WoT User -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok c) email 1 class1 "Certs Test" enable cert login create client cert install client cert serno: 10D6 displ.name: Certs Test -> ok d) email 1 class3 "Certs Test" enable cert login create client cert install client cert serno: 10A2 e) email 1 class1 "Certs Sub Test" enable cert login create client cert install client cert serno: 10D7 displ.name: Certs Sub Test -> ok owner: E = certs.test@w.d, CN = Certs Sub Test -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok f) email 1 class3 "Certs Sub Test" enable cert login create client cert install client cert serno: 10A3 displ.name: Certs Sub Test -> ok owner: E = certs.test@w.d, CN = Certs Sub Test -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok |
|
|
test 0000002 - server certs variations using prev account add domain avintec.com confirmed avintec.com openssl genrsa -out test1-avintec-com-512.key 512 openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr paste csr sign class1 <paste> submit error/warning "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => ok sign class3 <paste> submit error/warning "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => ok openssl genrsa -out test1-avintec-com-1024.key 1024 openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr sign class1 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-1024-signed-c1.key <paste> key in list: Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21 openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4314 (0x10da) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Feb 21 23:59:21 2012 GMT Not After : Mar 22 23:59:21 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .................................................................... => ok sign class3 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-signed-c1.key <paste> key in list: Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34 .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4262 (0x10a6) Signature Algorithm: sha1WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests erver Class 3 Validity Not Before: Feb 22 00:02:34 2012 GMT Not After : Mar 23 00:02:34 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/class3-revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .................................................................... => ok openssl genrsa -out test1-avintec-com-2048.key 2048 openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr sign class1 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-2048-signed-c1.key <paste> key in list: Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53 openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4315 (0x10db) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Feb 22 00:12:53 2012 GMT Not After : Mar 23 00:12:53 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .................................................................... => ok sign class3 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-2048-signed-c3.key <paste> key in list: Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44 openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4263 (0x10a7) Signature Algorithm: sha1WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests erver Class 3 Validity Not Before: Feb 22 00:20:44 2012 GMT Not After : Mar 23 00:20:44 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/class3-revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .................................................................... => ok |
|
|
test 3 - client cert login Valid certs.test@w.d 10A3 Not Revoked 2012-03-22 21:56:34 Valid certs.test@w.d 10D7 Not Revoked 2012-03-22 21:55:49 Valid certs.test@w.d 10A2 Not Revoked 2012-03-22 21:54:57 Valid certs.test@w.d 10D6 Not Revoked 2012-03-22 21:53:42 Valid certs.test@w.d 10A1 Not Revoked 2012-03-22 21:52:39 Valid certs.test@w.d 10D5 Not Revoked 2012-03-22 21:51:09 cert login using: Ausgestellt auf: E=certs.test@w.d,CN=CAcert WoT User Seriennummer: 10:D5 Gültig von 21.02.2012 22:51:09 an 22.03.2012 22:51:09 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU Gespeichert in: Software-Sicherheitsmodul => ok logout logout crypto modul cert login using: Ausgestellt auf: E=certs.test@w.d,CN=CAcert WoT User Seriennummer: 10:A1 Gültig von 21.02.2012 22:52:39 an 22.03.2012 22:52:39 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever Gespeichert in: Software-Sicherheitsmodul => ok logout logout crypto modul cert login using: Ausgestellt auf: E=certs.test@w.d,CN=Certs Test Seriennummer: 10:D6 Gültig von 21.02.2012 22:53:42 an 22.03.2012 22:53:42 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU Gespeichert in: Software-Sicherheitsmodul => ok logout logout crypto modul cert login using: Ausgestellt auf: E=certs.test@w.d,CN=Certs Test Seriennummer: 10:A2 Gültig von 21.02.2012 22:54:57 an 22.03.2012 22:54:57 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever Gespeichert in: Software-Sicherheitsmodul => ok logout logout crypto modul cert login using: Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test Seriennummer: 10:D7 Gültig von 21.02.2012 22:55:49 an 22.03.2012 22:55:49 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU Gespeichert in: Software-Sicherheitsmodul => ok logout logout crypto modul cert login using: Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test Seriennummer: 10:A3 Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34 Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung E-Mail: certs.test@w.d Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever Gespeichert in: Software-Sicherheitsmodul => ok |
|
|
test 4 - org client certs preparation for test 4 + 5 (once) make test user OA Admin (Organisation-Admin) login OrgAssurer new organisations Avintec COM view organisations Avintec COM, Germany/Hessen DE Domains (0) Admins (0) Edit Delete add domain: avintec.com added. view organisations Avintec COM, Germany/Hessen DE Domains (1) Admins (0) Edit Delete add admin: certs.test@w.d Department: IT Master Account: Yes Comments: ... view organisations Avintec COM, Germany/Hessen DE Domains (1) Admins (1) Edit Delete logout cert login using: Ausgestellt auf: E=certs.test@w.d,CN=Certs Sub Test Seriennummer: 10:A3 Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34 3 more menu choices - Org Client Certs - Org Server Certs - Org Admin Org Admin - View Organisations # Organisation Admins 275 Avintec COM, Germany/Hessen DE Admins (1) 796 Domain available avintec.com => ok alice, bob, carol, dave new org client cert: alice@a.c class1 Dep1 next create Installing your certificate You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however. Click here to install your certificate. org client cert - view Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: alice@a.c class3 Dep1 next create org client cert - view Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: bob@a.c class1 Dep2 next create org client cert - view Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: bob@a.c class3 Dep2 next create org client cert - view Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19 Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: carol@a.c class1 Dep3 next create org client cert - view Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16 Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19 Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: carol@a.c class3 Dep3 next create org client cert - view Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23 Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16 Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19 Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: dave@a.c class1 Dep4 next create org client cert - view Valid dave@a.c 10DF Not Revoked 2012-02-29 01:15:07 Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23 Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16 Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19 Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 new org client cert: dave@a.c class3 Dep4 next create org client cert - view Valid dave@a.c 10AB Not Revoked 2012-02-29 01:15:47 Valid dave@a.c 10DF Not Revoked 2012-02-29 01:15:07 Valid carol@a.c 10AA Not Revoked 2012-02-29 01:11:23 Valid carol@a.c 10DE Not Revoked 2012-02-29 01:10:16 Valid bob@a.c 10A9 Not Revoked 2012-02-29 01:08:19 Valid bob@a.c 10DD Not Revoked 2012-02-29 01:06:18 Valid alice@a.c 10A8 Not Revoked 2012-02-29 01:04:36 Valid alice@a.c 10DC Not Revoked 2012-02-29 01:02:36 checking keys in cert manager: CAcert Testserver (-> is root, class1) Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF) -and- CAcert Testserver (-> is subroot, class3) Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB) Alice (10A8) CN Alice O Avintec COM OU Dep1 Ser 10:A8 From 2012-02-22 To 2012-02-29 => ok owner: E = alice@a.c CN = Alice OU = Dep1 O = Avintec COM L = Frankfurt/Main ST = Germany/Hessen C = DE => Ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) cert alternate name Nicht kritisch E-Mail-Adresse: alice@a.c => ok Dave (10DF) cN Dave O Avintec COM OU Dep4 Ser 10:DF From 2012-02-22 To 2012-02-29 => ok owner: E = dave@a.c CN = Dave OU = Dep4 O = Avintec COM L = Frankfurt/Main ST = Germany/Hessen C = DE => ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) cert alternate name Nicht kritisch E-Mail-Adresse: dave@a.c => ok |
|
|
test 5 - org server certs Org Server Certs - View empty list => ok openssl genrsa -out testserver1-avintec-com-512.key 512 openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr using values from Org Account Org Server Certs - New class 1 <paste> error/warning The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok Org Server Certs - New class 3 <paste> error/warning The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok openssl genrsa -out testserver2-avintec-com-1024.key 1024 openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr using values from Org Account Org Server Certs - New class 1 <paste> Please make sure the following details are correct before proceeding any further. CommonName: testserver2.avintec.com Organisation: Avintec COM Org. Unit: UT Location: Frankfurt/Main State/Province: Germany/Hessen Country: DE Submit new file testserver2-avintec-com-1024-signed-c1.key <paste> Org Server Certs - View Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16 Org Server Certs - New class 3 <paste> Please make sure the following details are correct before proceeding any further. CommonName: testserver2.avintec.com Organisation: Avintec COM Org. Unit: UT Location: Frankfurt/Main State/Province: Germany/Hessen Country: DE Submit new file testserver2-avintec-com-1024-signed-c3.key <paste> Org Server Certs - View Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33 Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16 openssl genrsa -out testserver3-avintec-com-2048.key 2048 openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr using values from Org Account Org Server Certs - New class 1 <paste> Please make sure the following details are correct before proceeding any further. CommonName: testserver3.avintec.com Organisation: Avintec COM Org. Unit: IT Location: Frankfurt/Main State/Province: Germany/Hessen Country: DE Submit new file testserver3-avintec-com-2048-signed-c1.key <paste> Org Server Certs - View Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21 Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33 Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16 Org Server Certs - New class 1 <paste> Please make sure the following details are correct before proceeding any further. CommonName: testserver3.avintec.com Organisation: Avintec COM Org. Unit: IT Location: Frankfurt/Main State/Province: Germany/Hessen Country: DE Submit new file testserver3-avintec-com-2048-signed-c3.key <paste> Org Server Certs - View Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37 Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21 Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33 Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16 test keys: openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout .......................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4320 (0x10e0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Feb 22 01:41:16 2012 GMT Not After : Mar 23 01:41:16 2012 GMT Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:testserver2.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .......................................................................... => ok openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout .......................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4268 (0x10ac) Signature Algorithm: sha1WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests erver Class 3 Validity Not Before: Feb 22 01:44:33 2012 GMT Not After : Mar 23 01:44:33 2012 GMT Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/class3-revoke.crl X509v3 Subject Alternative Name: DNS:testserver2.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .......................................................................... => ok openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout .......................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4321 (0x10e1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Feb 22 01:50:21 2012 GMT Not After : Mar 23 01:50:21 2012 GMT Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:testserver3.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .......................................................................... => ok openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout .......................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4269 (0x10ad) Signature Algorithm: sha1WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests erver Class 3 Validity Not Before: Feb 22 01:52:37 2012 GMT Not After : Mar 23 01:52:37 2012 GMT Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/class3-revoke.crl X509v3 Subject Alternative Name: DNS:testserver3.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] .......................................................................... => ok |
|
|
test 6 - admin console view login admin / OA Sys Admin - search certs.test@w.d Certificates Cert Type: Total Valid Expired Revoked Latest Expire Server: 4 4 0 0 2012-03-23 Client: 6 6 0 0 2012-03-22 GPG: None Org Server: 4 4 0 0 2012-03-23 Org Client: 8 8 0 0 2012-02-29 => ok Sysadmin - find domain avintec.com Select Specific Account Details Domain: 167970 avintec.com 1 rows displayed. Select Specific Account Details Domain: 796 avintec.com 1 rows displayed. 1 relates to member account 1 relates to Org account a) https://cacert1.it-sls.de/account.php?id=43&userid=171296 b) https://cacert1.it-sls.de/account.php?id=26&orgid=275 => ok |
|
|
test #1 - client certs variations using bug 0000440 test account, 150pts assurer similar to test https://bugs.cacert.org/view.php?id=440#c2833 re-test create client cert a) email 1 class1 no name enable cert login create client cert install client cert x1) Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00 serno: 115c displ.name: CAcert WoT User -> ok valid from/to: 20.09.2012 23:04:00 / 20.10.2012 23:04:00 -> ok owner: E = certs.test@w.d, CN = CAcert WoT User -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok b) email 1 class3 no name enable cert login create client cert install client cert x1) Valid certs.test@w.d 10D6 Not Revoked 2012-10-20 21:14:31 serno: 10D6 displ.name: CAcert WoT User -> ok valid from/to: 20.09.2012 23:14:31 / 20.10.2012 23:14:31 -> ok owner: E = certs.test@w.d, CN = CAcert WoT User -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok c) email 1 class1 "Certs Test" enable cert login create client cert install client cert x1) Valid certs.test@w.d 115D Not Revoked 2012-10-20 21:26:44 serno: 115d displ.name: Certs Test -> ok owner: E = certs.test@w.d, CN = Certs Test -> ok extended key usage -> ok cert alternate name: Nicht kritisch E-Mail-Adresse: certs.test@w.d -> => all ok d) email 1 class3 "Certs Test" enable cert login create client cert install client cert x1) Valid certs.test@w.d 10D7 Not Revoked 2012-10-20 21:32:52 serno: 10d7 displ.name: Certs Test -> ok owner: E = certs.test@w.d, CN = Certs Test -> ok extended key usage -> ok cert alternate name: Nicht kritisch E-Mail-Adresse: certs.test@w.d -> ok => all ok e) email 1 class1 "Certs Sub Test" enable cert login create client cert install client cert x1) Valid certs.test@w.d 115E Not Revoked 2012-10-20 21:37:02 serno: 115e displ.name: Certs Sub Test -> ok owner: E = certs.test@w.d, CN = Certs Sub Test -> ok extended key usage -> ok cert alternate name: Nicht kritisch E-Mail-Adresse: certs.test@w.d -> ok => all ok f) email 1 class3 "Certs Sub Test" enable cert login create client cert install client cert x1) Valid certs.test@w.d 10D8 Not Revoked 2012-10-20 21:46:32 serno: 10d8 displ.name: Certs Sub Test -> ok owner: E = certs.test@w.d, CN = Certs Sub Test -> ok extended key usage: Nicht kritisch E-Mail-Schutz (1.3.6.1.5.5.7.3.4) TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2) Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4) Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3) Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1) certs alternate name Nicht kritisch E-Mail-Adresse: certs.test@w.d => all ok x1) runs into fix https://bugs.cacert.org/view.php?id=1017 /account.php?id=6 list 3 options a. Install the certificate into your browser b. Download the certificate in PEM format c. Download the certificate in DER format using a. with FF |
|
|
test 0000002 - server certs variations similar to test https://bugs.cacert.org/view.php?id=440#c2839 re-test using prev account from bug#440 testing using prev used domain under bug#440 testing openssl genrsa -out test1-avintec-com-512.key 512 openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr paste csr sign class1 <paste> submit error/warning "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => ok openssl genrsa -out test1-avintec-com-1024.key 1024 openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr sign class1 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-1024-signed-c1.key <paste> key in list: Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20 openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4447 (0x115f) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 12:19:20 2012 GMT Not After : Oct 21 12:19:20 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption .................................................................... => ok openssl genrsa -out test1-avintec-com-2048.key 2048 openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr sign class1 <paste> submit Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit returns: Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- new file test1-avintec-com-2048-signed-c1.key <paste> key in list: Valid test1.avintec.com 1160 Not Revoked 2012-10-21 12:43:39 openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout ...................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4448 (0x1160) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 12:43:39 2012 GMT Not After : Oct 21 12:43:39 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] ...................................................... => ok |
|
|
1054.3.6 part III test 0000003 - client certs variations, multiple emails in cert using prev account from bug#440 testing adding 2 more email addresses to test account old 1. certs.test@w.d add 2. bug1054.3.6.3.user1@w.d add 3. bug1054.3.6.3.user2@w.d email accounts - view: prim Verified N/A certs.test@w.d sec1 Verified bug1054.3.6.3.user1@w.d sec2 Verified bug1054.3.6.3.user2@w.d => ok client cert - new selecting email 1-3 class 1 Include 'Certs Sub Test' enable cert login Next Create Cert Request (High) Install the certificate into your browser cert has been installed .... client certs - view: addtl. key: Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39 Name: Certs Sub Test -> ok Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok owner: E = bug1054.3.6.3.user2@w.d E = bug1054.3.6.3.user1@w.d E = certs.test@w.d CN = Certs Sub Test -> ok cert alternate name(s): Nicht kritisch E-Mail-Adresse: certs.test@w.d E-Mail-Adresse: bug1054.3.6.3.user1@w.d E-Mail-Adresse: bug1054.3.6.3.user2@w.d -> ok openssl x509 -text -in client-cert-CertsSubTest-c1-3addr.pem -noout .............................................................. Certificate: Data: Version: 3 (0x2) Serial Number: 4449 (0x1161) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 13:02:39 2012 GMT Not After : Oct 21 13:02:39 2012 GMT Subject: CN=Certs Sub Test/emailAddress=certs.test@w.d/emailAddre ss=bug1054.3.6.3.user1@w.d/emailAddress=bug1054.3.6.3.user2@w.d Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Netscape Comment: To get your own certificate for FREE head over to http://www.CAc ert.org X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: E-mail Protection, TLS Web Client Authentication, Microsoft Encr ypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: email:certs.test@w.d, email:bug1054.3.6.3.user1@w.d, email:bug1054.3.6.3.user2@w.d Signature Algorithm: sha1WithRSAEncryption [...] .............................................................. => seems to be ok |
|
|
test 0000004 server cert variation multiple servernames in one csr openssl genrsa -out test2-avintec-com-2048.key 2048 openssl req -new -key test2-avintec-com-2048.key -out test2-avintec-com-2048.csr using: Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com,mail.avintec.co m,www.avintec.com,www.fra.avintec.com,mx.avintec.com,support.avintec.com string is too long, it needs to be less than 64 bytes long Common Name (e.g. server FQDN or YOUR name) []:test1.avintec.com ok, again ... how to enter multiple hostnames into an csr request ? see http://apetec.com/support/GenerateSAN-CSR.htm copy openssl.cnf to openssl-san.cfg edit openssl-san.cfg adding: ............................................................ [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = test1.avintec.com DNS.2 = mail.avintec.com DNS.3 = www.avintec.com DNS.4 = www.fra.avintec.com DNS.5 = mx.avintec.com DNS.6 = support.avintec.com ............................................................ starting script: openssl genrsa -out test2-avintec-com-2048.key 2048 openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg copy content of test2-avintec-com-2048.csr as server signing request Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit Below is your Server Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- output to file test2-avintec-com-2048-signed-c1.key openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout ................................................................. Certificate: Data: Version: 3 (0x2) Serial Number: 4450 (0x1162) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 13:50:27 2012 GMT Not After : Oct 21 13:50:27 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] ................................................................. => fail subjAltNames not transfered :-P procedural problem ?!? verifying csr request: openssl req -text -noout -in test2-avintec-com-2048.csr ................................................................. Certificate Request: Data: Version: 0 (0x0) Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1. avintec.com/emailAddress=certs.test@w.d Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption [...] ................................................................. no SAN's :-P correct conf file has been used as some parameters has been changed to other default values, shown in the interactive openssl keygen process probably the conf parameter [req] req_extensions = v3_req was missing, retrying .... openssl genrsa -out test2-avintec-com-2048.key 2048 openssl req -new -out test2-avintec-com-2048.csr -key test2-avintec-com-2048.key -config openssl-san.cfg testing csr: openssl req -text -noout -in test2-avintec-com-2048.csr ................................................................. Certificate Request: Data: Version: 0 (0x0) Subject: C=DE, ST=Germany, L=Frankfurt/Main, O=AVINTEC, OU=IT, CN=test1. avintec.com/emailAddress=certs.test@w.d Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:test1.avintec.com, DNS:mail.avintec.com, DNS:www.avintec.com , DNS:www.fra.avintec.com, DNS:mx.avintec.com, DNS:support.avintec.com Signature Algorithm: sha1WithRSAEncryption [...] ................................................................. => seems to be ok until this state copy & paste content of test2-avintec-com-2048.csr to the signing request results in: Please make sure the following details are correct before proceeding any further. CommonName: test1.avintec.com subjectAltName: DNS:test1.avintec.com subjectAltName: DNS:mail.avintec.com subjectAltName: DNS:www.avintec.com subjectAltName: DNS:www.fra.avintec.com subjectAltName: DNS:mx.avintec.com subjectAltName: DNS:support.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. submit Below is your Server Certificate -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- copy & paste into new file test2-avintec-com-2048-signed-c1.key testing key openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout ....................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4451 (0x1163) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 14:41:43 2012 GMT Not After : Oct 21 14:41:43 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec .com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS :www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un supported>, DNS:support.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption ....................................................................... => seems to be ok |
|
|
1054.3.6 part V client certs variation renewal of cert 1. Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00 Now renewing the following certificates: Certificate for 'certs.test@w.d' has been renewed. Click here to install your certificate. (next page) x1) Install your certificate Install the certificate into your browser new cert Valid certs.test@w.d 1164 Not Revoked 2012-10-21 21:26:44 (next cert after Serial Number: 4449 (0x1161) -> 1164) cert serno 115c no longer in list view all certs, 115c listed: Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00 cert serno 1164 details: not yet visible in FF cert store ok, retrying to save new key in FF cert store Install the certificate into your browser https://cacert1.it-sls.de/account.php?id=6&cert=259099&install result: cert stored in cert store ... (or similar msg) now cert is visible in FF cert store Serno: 11:64 valid from/to: 21.09.2012 23:26:44 / 21.10.2012 23:26:44 owner: E = certs.test@w.d CN = CAcert WoT User -> ok cert-alternate-name Nicht kritisch E-Mail-Adresse: certs.test@w.d -> ok 2. renew key ------------------------------------------------------------- Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39 Name: Certs Sub Test -> ok Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok owner: E = bug1054.3.6.3.user2@w.d E = bug1054.3.6.3.user1@w.d E = certs.test@w.d CN = Certs Sub Test ------------------------------------------------------------- Now renewing the following certificates: Certificate for 'certs.test@w.d' has been renewed. Click here to install your certificate. https://cacert1.it-sls.de/account.php?id=6&cert=259100 x1) link opens new window/tab ... -> problem Install your certificate Install the certificate into your browser https://cacert1.it-sls.de/account.php?id=6&cert=259100&install cert saved to cert store new cert in list: Valid certs.test@w.d 1165 Not Revoked 2012-10-21 21:41:56 prev cert not in main list view all certs (cert still there) Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39 cert 1165 details serno: 11:65 valid from/to: 21.09.2012 23:41:56 / 21.10.2012 23:41:56 -> ok owner: E = bug1054.3.6.3.user2@w.d E = bug1054.3.6.3.user1@w.d E = certs.test@w.d CN = Certs Sub Test -> ok externded keyusage -> ok cert-alternate-name: Nicht kritisch E-Mail-Adresse: certs.test@w.d E-Mail-Adresse: bug1054.3.6.3.user1@w.d E-Mail-Adresse: bug1054.3.6.3.user2@w.d -> ok => all ok except problem of https://bugs.cacert.org/view.php?id=1017 routine x1) runs into fix https://bugs.cacert.org/view.php?id=1017 [^] /account.php?id=6 list 3 options a. Install the certificate into your browser b. Download the certificate in PEM format c. Download the certificate in DER format using a. with FF |
|
|
1054.3.6 part VI server certs variation renewal of cert 1. Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20 details original cert openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout .................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4447 (0x115f) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 [^] .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 12:19:20 2012 GMT Not After : Oct 21 12:19:20 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ [^] X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl [^] X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption .................................................................... => ok starting renewal: Now renewing the following certificates: Processing request 302035: Renewing: test1.avintec.com -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- content saved to test1-renewal-115f-signed-c1.key new key after renewal: Valid test1.avintec.com 1166 Not Revoked 2012-10-21 22:06:42 old key 115f not visible in main server certs list view all certs (shows in the list) Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20 details of server cert 0001166 openssl x509 -text -in test1-renewal-115f-signed-c1.key -noout ................................................................. Certificate: Data: Version: 3 (0x2) Serial Number: 4454 (0x1166) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 22:06:42 2012 GMT Not After : Oct 21 22:06:42 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] ................................................................. => ok 2. Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43 details original cert openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout ....................................................................... Certificate: Data: Version: 3 (0x2) Serial Number: 4451 (0x1163) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 [^] .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 14:41:43 2012 GMT Not After : Oct 21 14:41:43 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ [^] X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl [^] X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec .com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS :www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un supported>, DNS:support.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption ....................................................................... => ok starting renewal: Now renewing the following certificates: Processing request 302038: Renewing: test1.avintec.com -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- content saved to test2-renewal-1163-signed-c1.key new key after renewal: Valid test1.avintec.com 1167 Not Revoked 2012-10-21 22:17:20 old key 1163 not visible in main server certs list view all certs (shows in the list) Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43 details of server cert 0001166 openssl x509 -text -in test2-renewal-1163-signed-c1.key -noout ................................................................. Certificate: Data: Version: 3 (0x2) Serial Number: 4455 (0x1167) Signature Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1 .it-sls.de, CN=CAcert Testserver Root Validity Not Before: Sep 21 22:17:20 2012 GMT Not After : Oct 21 22:17:20 2012 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Ne tscape Server Gated Crypto, Microsoft Server Gated Crypto Authority Information Access: OCSP - URI:http://ocsp.cacert.org/ X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec .com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS :www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un supported>, DNS:support.avintec.com, othername:<unsupported> Signature Algorithm: sha1WithRSAEncryption [...] ................................................................. => ok => all ok |
|
|
A first pre-review of the patch suggests that the current patch should receive some more work because it might be abused to introduce disambiguities in the fields added (Cf. 0001101, comment 3225). I thus advice to rewrite the appendUnique and appendSubjectAltName routine to build an array containing all fields and only after this array was build filtering for duplicates by using array_unique and implode accordingly. Also I'm not yet fully sure that the removed code at all the modified places is fully equivalent. |
|
|
see comment https://bugs.cacert.org/view.php?id=1101#c3245 (3245) in client certs, CAcert information will be written to the signed keys. issuer is: CN = CAcert Class 3 Root OU = http://www.CAcert.org O = CAcert Inc. in server certs issuer is: E = support@cacert.org CN = CA Cert Signing Authority OU = http://www.cacert.org O = Root CA |
|
|
For the time being, I'll assume that you developers will tweak the patch to your satisfaction. If I should be taking any action with regard to my 18 month old patch, please state so explicitely. In that case, be precise about the attack scenario you have in mind, or where you have concerns about the functional equivalence of the replacement code. |
|
|
The issue I see with this patch is less about the injection, which IMHO might have been made worse, but about the way the subject is build which makes it impossible to do proper filtering. What I'd. Suggest is building an array of settings to include and pass this array to the buildSubject function. This also helps mitigating/avoiding 0001101. |
|
|
see report http://bugs.cacert.org/view.php?id=1101#c3252 |
|
|
The patch for 0000440 currently does not pass any data to the buildSubject function thus utterly breaking all certificate issueing. |
|
|
Yep, it probably was in a work-in-progress state I forgot about. Now fixed. Please test and review. |
|
|
created a certificate with SubjectAltName containing a duplicate entry and an additional entry equal to the CommonName After the certificate was created each entry appeared only once in the SubjectAltName. -> ok Renewed the certificate and got the same result. -> ok Created an certificate only with a CommonName. After the certificate was created the CommonName appeared once as SubjectAltName -> ok => ok |
|
|
Review done ... code seems to be correct ... |
|
|
single server cert + SAN server cert test 512 csr The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok 1024 csr The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok 2048 csr Please make sure the following details are correct before proceeding any further. CommonName: test1.a.c No additional information will be included on certificates because it can not be automatically checked by the system. => ok 2048 csr (II) same result as before => ok 2048 csr (III) Please make sure the following details are correct before proceeding any further. CommonName: test1.a.c subjectAltName: DNS:test1.a.c subjectAltName: DNS:mail.a.c subjectAltName: DNS:www.a.c subjectAltName: DNS:www.fra.a.c subjectAltName: DNS:mx.a.c subjectAltName: DNS:support.a.c No additional information will be included on certificates because it can not be automatically checked by the system. => ok test: openssl x509 -text -in test2-a-c-2048-signed-c3-SAN.txt -noout Data: Version: 3 (0x2) Serial Number: 20135 (0x4ea7) Signature Algorithm: sha512WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3 Validity Not Before: Jan 14 22:54:16 2014 GMT Not After : Feb 13 22:54:16 2014 GMT Subject: CN=test1.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): ... Exponent: 65537 (0x10001) X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec .com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS :www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<un supported>, DNS:support.avintec.com, othername:<unsupported> Signature Algorithm: sha512WithRSAEncryption => ok ==> OK |
|
|
2048 csr (IV) DNS.1 = Foo,Bar=Bla DNS.2 = Ltd:In/Exgen=Foobar DNS.3 = test3b.avintec.com Please make sure the following details are correct before proceeding any further. subjectAltName: DNS:test3b.avintec.com No additional information will be included on certificates because it can not be automatically checked by the system. The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account. Rejected: DNS.3 Rejected: Foo Rejected: Ltd:In => ok test: openssl x509 -text -in test3-avintec-com-2048-signed-c3-crippled-SAN.txt -noout Data: Version: 3 (0x2) Serial Number: 20136 (0x4ea8) Signature Algorithm: sha512WithRSAEncryption Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3 Validity Not Before: Jan 14 23:14:21 2014 GMT Not After : Feb 13 23:14:21 2014 GMT Subject: CN=test3b.avintec.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): ... Exponent: 65537 (0x10001) X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:test3b.avintec.com, othername:<unsupported> Signature Algorithm: sha512WithRSAEncryption => ok |
|
|
two test and two reviews available |
|
|
Mail sent to critical admins |
|
|
The fix has been installed on the production erver on January 15, 2014. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2014-01/msg00006.html |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2007-05-21 11:46 | fbusse | New Issue | |
| 2007-06-22 17:15 | evaldo | Note Added: 0000850 | |
| 2007-06-22 17:42 | fbusse | Note Added: 0000854 | |
| 2007-06-25 07:20 | evaldo | Priority | normal => low |
| 2007-06-25 07:20 | evaldo | Severity | major => trivial |
| 2007-06-25 07:20 | evaldo | Status | new => confirmed |
| 2007-06-25 07:20 | evaldo | Projection | none => tweak |
| 2007-06-25 07:20 | evaldo | Steps to Reproduce Updated | |
| 2007-06-25 07:20 | evaldo | Additional Information Updated | |
| 2008-04-02 19:00 | macfreek | Note Added: 0001057 | |
| 2008-04-02 19:03 | macfreek | Note Edited: 0001057 | |
| 2008-04-02 19:16 | macfreek | Note Edited: 0001057 | |
| 2008-04-02 19:17 | macfreek | Relationship added | related to 0000530 |
| 2010-03-15 22:10 | gagern | Relationship added | has duplicate 0000768 |
| 2010-03-15 22:11 | gagern | Note Added: 0001566 | |
| 2011-01-08 04:43 | ott | Note Added: 0001836 | |
| 2011-04-12 19:28 | gagern | File Added: bug440a.patch | |
| 2011-04-12 19:37 | gagern | Note Added: 0001915 | |
| 2011-04-13 11:26 | macfreek | Note Added: 0001916 | |
| 2011-04-13 11:37 | gagern | Note Added: 0001917 | |
| 2012-01-08 23:15 | Uli60 | Note Added: 0002767 | |
| 2012-01-08 23:15 | Uli60 | Assigned To | => Uli60 |
| 2012-01-08 23:15 | Uli60 | Status | confirmed => fix available |
| 2012-01-08 23:21 | Uli60 | Relationship added | related to 0000672 |
| 2012-01-10 14:31 | NEOatNHNG | Assigned To | Uli60 => NEOatNHNG |
| 2012-01-26 22:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 6426d1eb |
| 2012-01-26 22:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 6a4fb405 |
| 2012-01-26 22:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 7759e0d4 |
| 2012-01-26 22:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver cdf42f70 |
| 2012-01-26 22:50 | NEOatNHNG | Note Added: 0002798 | |
| 2012-01-26 22:50 | NEOatNHNG | Status | fix available => needs review & testing |
| 2012-01-26 22:51 | NEOatNHNG | Reviewed by | => NEOatNHNG |
| 2012-01-27 13:20 | NEOatNHNG | Relationship added | related to 0000540 |
| 2012-01-27 13:21 | NEOatNHNG | Relationship added | related to 0000978 |
| 2012-01-27 13:23 | NEOatNHNG | Note Added: 0002801 | |
| 2012-02-21 22:18 | Uli60 | Note Added: 0002833 | |
| 2012-02-22 00:27 | Uli60 | Note Added: 0002839 | |
| 2012-02-22 00:47 | Uli60 | Note Added: 0002844 | |
| 2012-02-22 01:28 | Uli60 | Note Added: 0002849 | |
| 2012-02-22 02:12 | Uli60 | Note Added: 0002854 | |
| 2012-02-22 02:23 | Uli60 | Note Added: 0002859 | |
| 2012-05-01 14:25 | mutax | Relationship added | related to 0001035 |
| 2012-05-01 14:39 | NEOatNHNG | Relationship replaced | has duplicate 0001035 |
| 2012-09-19 10:36 | Uli60 | Relationship added | related to 0001054 |
| 2012-09-19 10:40 | Uli60 | Note Edited: 0002833 | |
| 2012-09-19 10:44 | Uli60 | Note Edited: 0002844 | |
| 2012-09-19 10:50 | Uli60 | Note Edited: 0002849 | |
| 2012-09-19 10:51 | Uli60 | Note Edited: 0002859 | |
| 2012-09-20 21:53 | Uli60 | Note Added: 0003203 | |
| 2012-09-21 12:50 | Uli60 | Note Added: 0003206 | |
| 2012-09-21 13:12 | Uli60 | Note Added: 0003209 | |
| 2012-09-21 14:45 | Uli60 | Note Added: 0003210 | |
| 2012-09-21 21:49 | Uli60 | Note Added: 0003213 | |
| 2012-09-21 21:53 | Uli60 | Relationship added | related to 0001017 |
| 2012-09-21 22:24 | Uli60 | Note Added: 0003216 | |
| 2012-09-23 11:23 | Uli60 | Relationship added | related to 0001101 |
| 2012-10-15 21:58 | BenBE | Note Added: 0003243 | |
| 2012-10-15 23:58 | Uli60 | Note Added: 0003246 | |
| 2012-10-16 00:03 | Uli60 | Note Edited: 0003246 | |
| 2012-10-16 06:24 | gagern | Note Added: 0003249 | |
| 2012-10-16 10:31 | BenBE | Note Added: 0003251 | |
| 2012-10-16 13:36 | Uli60 | Note Added: 0003254 | |
| 2012-11-21 00:31 | Uli60 | Status | needs review & testing => needs work |
| 2012-12-20 19:15 | Werner Dworak | Relationship added | related to 0000392 |
| 2013-01-11 16:23 | Werner Dworak | Relationship added | related to 0000658 |
| 2013-08-20 16:41 | Uli60 | Relationship added | related to 0001205 |
| 2013-09-29 16:26 | Uli60 | Relationship added | has duplicate 0001214 |
| 2013-11-05 22:21 | BenBE | Note Added: 0004432 | |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 5e3c736a |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 6238e3b5 |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 654e5db5 |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 3b2bd82e |
| 2013-11-06 02:25 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 17111566 |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable d660b1ed |
| 2013-11-06 02:25 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable c1d57f10 |
| 2013-11-06 15:03 | NEOatNHNG | Note Added: 0004445 | |
| 2013-11-06 15:03 | NEOatNHNG | Status | needs work => needs review & testing |
| 2013-11-12 23:40 | Eva | Note Added: 0004454 | |
| 2013-11-12 23:46 | Eva | Note Edited: 0004454 | |
| 2013-11-19 23:48 | egal | Note Added: 0004462 | |
| 2013-11-26 22:19 | NEOatNHNG | Reviewed by | NEOatNHNG => dastrath, NEOatNHNG |
| 2014-01-07 21:57 | NEOatNHNG | Status | needs review & testing => needs testing |
| 2014-01-14 08:26 | BenBE | Relationship added | related to 0001233 |
| 2014-01-14 23:04 | Uli60 | Note Added: 0004509 | |
| 2014-01-14 23:18 | Uli60 | Note Added: 0004512 | |
| 2014-01-14 23:50 | Uli60 | Status | needs testing => needs review |
| 2014-01-15 00:00 | INOPIAE | Note Added: 0004516 | |
| 2014-01-15 00:00 | INOPIAE | Status | needs review => ready to deploy |
| 2014-01-15 00:27 | NEOatNHNG | Note Added: 0004518 | |
| 2014-01-15 00:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel release 3213ce91 |
| 2014-01-15 00:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel release e525adb1 |
| 2014-01-15 16:02 | wytze | Note Added: 0004525 | |
| 2014-01-15 16:02 | wytze | Status | ready to deploy => solved? |
| 2014-01-15 16:02 | wytze | Fixed in Version | => 2014 Q1 |
| 2014-01-15 16:02 | wytze | Resolution | open => fixed |
| 2014-04-15 22:24 | INOPIAE | Status | solved? => closed |
| 2014-06-15 10:26 | felixd | Relationship replaced | has duplicate 0001233 |
| 2014-06-15 12:14 | BenBE | Product Version | => 2007 |
| 2014-06-15 12:14 | BenBE | Target Version | => 2013 Q4 |
