View Issue Details
Field | Value |
---|---|
ID | 0000978 |
Project | Main CAcert Website |
Category | certificate issuing |
View Status | public |
Date Submitted | 2011-08-31 15:07 |
Last Update | 2013-03-21 07:24 |
Reporter | NEOatNHNG |
Assigned To | BenBE |
Priority | normal |
Severity | major |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Platform | Main CAcert Website |
OS | N/A |
OS Version | stable |
Fixed in Version | 2012 Q4 |
Summary | 0000978: Invalid SPKAC requests are not properly validated |
Description | When an invalid SPKAC is submitted the code doesn't fail with a meaningful error message but tries to go on and fails parsing the output of openssl. Relevant error messages logged: [30-Aug-2011 23:00:46] PHP Warning: checkWeakKeyText(): Couldn't extract the public key algorithm used. ID: 386912842 in /www/includes/account_stuff.php on line 300 Error loading SPKAC 31534:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:92: | ||||
Additional Information | Perhaps the logged information should also be extended to contain the data on which the code failed, which would make debugging easier. | ||||
Tags | No tags attached. | ||||
Reviewed by | NEOatNHNG, BenBE | ||||
Test Instructions | |||||
related to | 0000918 | closed | NEOatNHNG | Weak keys in certificates |
related to | 0000440 | closed | NEOatNHNG | Problem with subjectAltName |
related to | 0000540 | needs feedback | NEOatNHNG | No key usage attribute in cacert org certs anymore? |
related to | 0001015 | new | Adding domain under OrgAssurer works despite the fact domain is added under a member account |
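The description above says the old code passed whatever the browser submitted straight to openssl and then choked on openssl's output. The following is an added example, not CAcert's code (the site is written in PHP; Python is used here so the example runs stand-alone). It checks the base64 and the DER layout of a Netscape SignedPublicKeyAndChallenge, extracts the RSA modulus size for the small-key test, and raises a user-facing error at the first malformed step instead of continuing. Signature verification is deliberately left to `openssl spkac -verify`. The `build_sample_spkac` helper (a constructed SPKAC with a dummy signature), the 1024-bit threshold (chosen to match what the test reports below accept and reject) and the error strings are assumptions of this example.

```python
"""Added example: pre-validate a browser-generated SPKAC before handing it to
openssl. Structure and key-size checks only; signature verification is left to
`openssl spkac -verify`. Standard library only."""
import base64
import binascii
import re

# Assumed threshold: the test reports on this page reject 512-bit and accept
# 1024-bit keys, so 1024 is the default minimum here.
MIN_RSA_BITS = 1024
RSA_OID = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 sha1WithRSAEncryption
_B64 = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


class SpkacError(ValueError):
    """Raised with a message that can be shown to the submitting user."""


def decode_spkac_b64(text):
    """Strict base64 decode; browsers may insert whitespace, nothing else is tolerated."""
    s = "".join(text.split())
    if not s or len(s) % 4 or not _B64.match(s):
        raise SpkacError("SPKAC is not valid base64")
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error as exc:
        raise SpkacError("SPKAC is not valid base64: %s" % exc)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise SpkacError("truncated DER structure")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise SpkacError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise SpkacError("truncated DER structure")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def parse_spkac(der):
    """Walk the SignedPublicKeyAndChallenge layout and return RSA key info."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise SpkacError("SPKAC is not a single DER SEQUENCE")
    parts = _children(body)
    if [t for t, _ in parts] != [0x30, 0x30, 0x03]:   # pkac, sigAlg, signature
        raise SpkacError("SPKAC lacks the PublicKeyAndChallenge/signatureAlgorithm/signature layout")
    pkac = _children(parts[0][1])
    if len(pkac) != 2 or pkac[0][0] != 0x30 or pkac[1][0] != 0x16:
        raise SpkacError("PublicKeyAndChallenge is malformed")
    challenge = pkac[1][1].decode("ascii", "replace")
    spki = _children(pkac[0][1])
    if len(spki) != 2 or spki[0][0] != 0x30 or spki[1][0] != 0x03:
        raise SpkacError("SubjectPublicKeyInfo is malformed")
    alg = _children(spki[0][1])
    if not alg or alg[0][0] != 0x06:
        raise SpkacError("Couldn't extract the public key algorithm used")
    if alg[0][1] != RSA_OID:
        raise SpkacError("unsupported public key algorithm (this example handles RSA only)")
    bits = spki[1][1]
    if not bits or bits[0] != 0:           # BIT STRING: first byte = unused bits
        raise SpkacError("subjectPublicKey BIT STRING is malformed")
    tag, rsa_body, end = _read_tlv(bits, 1)
    rsa = _children(rsa_body) if tag == 0x30 and end == len(bits) else []
    if len(rsa) != 2 or rsa[0][0] != 0x02 or rsa[1][0] != 0x02:
        raise SpkacError("RSAPublicKey is malformed")
    modulus = int.from_bytes(rsa[0][1], "big")
    return {"algorithm": "rsaEncryption", "bits": modulus.bit_length(), "challenge": challenge}


def check_spkac(text, min_bits=MIN_RSA_BITS):
    """Entry point: key info for an acceptable SPKAC, SpkacError with a usable message otherwise."""
    info = parse_spkac(decode_spkac_b64(text))
    if info["bits"] < min_bits:
        raise SpkacError("The keys that you use are very small and therefore insecure "
                         "(%d-bit RSA, minimum %d). Please generate stronger keys."
                         % (info["bits"], min_bits))
    return info


# --- constructed sample input (not from the page): tiny DER encoder for a test SPKAC ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def build_sample_spkac(bits, challenge=b"test"):
    """Constructed SPKAC with an RSA key of the given size and a DUMMY (unverifiable) signature."""
    modulus = (1 << (bits - 1)) | 1                       # exact bit length, odd
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    pkac = _der(0x30, spki + _der(0x16, challenge))
    sig_alg = _der(0x30, _der(0x06, SHA1_RSA_OID) + _der(0x05, b""))
    signed = _der(0x30, pkac + sig_alg + _der(0x03, b"\x00" * 17))
    return base64.b64encode(signed).decode("ascii")
```

`check_spkac(build_sample_spkac(2048))` returns the key info; `build_sample_spkac(512)` and the literal text that triggered the logged `NETSCAPE_SPKI_b64_decode` error both raise `SpkacError` with a message that names the actual problem, which is what the fix on this page aims at. The point of doing the walk before calling openssl is that every failure is reported in terms of the input, not in terms of a parse of openssl's output.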
|
Additional discussion: https://lists.cacert.org/wws/arc/cacert-devel/2011-08/msg00006.html |
|
I have implemented a fix and put it on the test server. Hopefully we'll get a response from the guy who reported the problem because I was unable to fully reproduce it. The fix is relevant nevertheless because it also makes the code more readable. Apart from checking the original problem it should be tested whether certificate issuing is still possible and the changes from 0000918 continue to work. |
|
Support got feedback from the user: Seems to work as intended (i.e. gives a sensible error message on invalid SPKACs). Open questions for testers: Does it break anything that worked before (especially in the cert issuing area)? Needs a second review. I propose to review in two steps: "git diff origin/release...99d0ec58" which should only be functions moved to other files and then "git diff 99d0ec58 origin/bug-978" which should be all other changes (i.e. the changed functionality) |
|
Using admin account, 200 points:
Created client cert without csr => Cert created and valid, OK
Created client cert with csr created by openssl => Cert created and valid, OK
Created server cert => Cert created and valid, OK
Submitted a csr containing a domain that doesn't belong to my account => rejected, OK
Submitted an invalid csr when requesting a server cert => rejected with proper error message, OK
Using "normal" account, 50 points:
Created client cert without csr => Cert created and valid, OK
Created client cert with csr created by openssl => Cert created and valid, OK
Created server cert => Cert created and valid, OK
Submitted a csr containing a domain that doesn't belong to my account => rejected, OK
Submitted an invalid csr when requesting a server cert => rejected with proper error message, OK
Using an unassured account, 0 points:
Created client cert without csr => Cert created, valid 6 months, name set to "CAcert WoT User", OK
Created client cert with csr created by openssl => Cert created, valid 6 months, name set to "CAcert WoT User", OK
Created server cert => Cert created, valid 6 months, OK
Submitted a csr containing a domain that doesn't belong to my account => rejected, OK
Submitted an invalid csr when requesting a server cert => rejected with proper error message, OK |
|
To the Software Testers: needs full cert create tests. More tests: certs routine, weak keys (small keys test); relates to bug#540 tests. Duplicate your test report to bug#540. |
|
Note to testers: Please also report to bug 0000440 which also deals with certificate issuing |
|
test #1 - client certs variations
creating new account: certs.test@wiamail.de
confirmed email/account
add assurances (100 pts)
add experience points (50)
create client cert
a) email 1, class1, no name, enable cert login; create client cert, install client cert
   serno: 10D5
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok
   extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
   cert alternate name: Not critical; E-mail address: certs.test@wiamail.de
   => all ok
b) email 1, class3, no name, enable cert login; create client cert, install client cert
   serno: 10A1
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok
   extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
   cert alternate name: Not critical; E-mail address: certs.test@wiamail.de
   => all ok
c) email 1, class1, "Certs Test", enable cert login; create client cert, install client cert
   serno: 10D6
   displ.name: Certs Test -> ok
d) email 1, class3, "Certs Test", enable cert login; create client cert, install client cert
   serno: 10A2
e) email 1, class1, "Certs Sub Test", enable cert login; create client cert, install client cert
   serno: 10D7
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
   cert alternate name: Not critical; E-mail address: certs.test@wiamail.de
   => all ok
f) email 1, class3, "Certs Sub Test", enable cert login; create client cert, install client cert
   serno: 10A3
   displ.name: Certs Sub Test -> ok
   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
   cert alternate name: Not critical; E-mail address: certs.test@wiamail.de
   => all ok |
|
test 2 - server certs variations
using prev account
add domain avintec.com; confirmed avintec.com

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr
paste csr, sign class1 <paste>, submit
  error/warning "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => ok
sign class3 <paste>, submit
  error/warning "The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki" => ok

openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr
sign class1 <paste>, submit
  Please make sure the following details are correct before proceeding any further.
  CommonName: test1.avintec.com
  No additional information will be included on certificates because it can not be automatically checked by the system.
submit returns: Below is your Server Certificate
  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
new file test1-avintec-com-1024-signed-c1.key <paste>
key in list: Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21
openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 21 23:59:21 2012 GMT
            Not After : Mar 22 23:59:21 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok
sign class3 <paste>, submit
  Please make sure the following details are correct before proceeding any further.
  CommonName: test1.avintec.com
  No additional information will be included on certificates because it can not be automatically checked by the system.
submit returns: Below is your Server Certificate
  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
new file test1-avintec-com-signed-c1.key <paste>
key in list: Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4262 (0x10a6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:02:34 2012 GMT
            Not After : Mar 23 00:02:34 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok

openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr
sign class1 <paste>, submit
  Please make sure the following details are correct before proceeding any further.
  CommonName: test1.avintec.com
  No additional information will be included on certificates because it can not be automatically checked by the system.
submit returns: Below is your Server Certificate
  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
new file test1-avintec-com-2048-signed-c1.key <paste>
key in list: Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53
openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4315 (0x10db)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 00:12:53 2012 GMT
            Not After : Mar 23 00:12:53 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok
sign class3 <paste>, submit
  Please make sure the following details are correct before proceeding any further.
  CommonName: test1.avintec.com
  No additional information will be included on certificates because it can not be automatically checked by the system.
submit returns: Below is your Server Certificate
  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
new file test1-avintec-com-2048-signed-c3.key <paste>
key in list: Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44
openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout
....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4263 (0x10a7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 00:20:44 2012 GMT
            Not After : Mar 23 00:20:44 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
....................................................................
=> ok |
|
test 3 - client cert login
Valid certs.test@wiamail.de 10A3 Not Revoked 2012-03-22 21:56:34
Valid certs.test@wiamail.de 10D7 Not Revoked 2012-03-22 21:55:49
Valid certs.test@wiamail.de 10A2 Not Revoked 2012-03-22 21:54:57
Valid certs.test@wiamail.de 10D6 Not Revoked 2012-03-22 21:53:42
Valid certs.test@wiamail.de 10A1 Not Revoked 2012-03-22 21:52:39
Valid certs.test@wiamail.de 10D5 Not Revoked 2012-03-22 21:51:09
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=CAcert WoT User
  Serial number: 10:D5
  Valid from 21.02.2012 22:51:09 to 22.03.2012 22:51:09
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
  Stored in: Software Security Device
=> ok
logout; log out of crypto module
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=CAcert WoT User
  Serial number: 10:A1
  Valid from 21.02.2012 22:52:39 to 22.03.2012 22:52:39
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
  Stored in: Software Security Device
=> ok
logout; log out of crypto module
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=Certs Test
  Serial number: 10:D6
  Valid from 21.02.2012 22:53:42 to 22.03.2012 22:53:42
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
  Stored in: Software Security Device
=> ok
logout; log out of crypto module
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=Certs Test
  Serial number: 10:A2
  Valid from 21.02.2012 22:54:57 to 22.03.2012 22:54:57
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
  Stored in: Software Security Device
=> ok
logout; log out of crypto module
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=Certs Sub Test
  Serial number: 10:D7
  Valid from 21.02.2012 22:55:49 to 22.03.2012 22:55:49
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
  Stored in: Software Security Device
=> ok
logout; log out of crypto module
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=Certs Sub Test
  Serial number: 10:A3
  Valid from 21.02.2012 22:56:34 to 22.03.2012 22:56:34
  Certificate key usage: Signing, Key Encipherment, Key Agreement
  E-mail: certs.test@wiamail.de
  Issued by: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
  Stored in: Software Security Device
=> ok |
|
test 4 - org client certs
preparation for test 4 + 5 (once): make test user OA Admin (Organisation-Admin)
login OrgAssurer
new organisations: Avintec COM
view organisations: Avintec COM, Germany/Hessen DE | Domains (0) | Admins (0) | Edit | Delete
add domain: avintec.com added.
view organisations: Avintec COM, Germany/Hessen DE | Domains (1) | Admins (0) | Edit | Delete
add admin: certs.test@wiamail.de, Department: IT, Master Account: Yes, Comments: ...
view organisations: Avintec COM, Germany/Hessen DE | Domains (1) | Admins (1) | Edit | Delete
logout
cert login using:
  Issued to: E=certs.test@wiamail.de,CN=Certs Sub Test
  Serial number: 10:A3
  Valid from 21.02.2012 22:56:34 to 22.03.2012 22:56:34
3 more menu choices: Org Client Certs, Org Server Certs, Org Admin
Org Admin - View Organisations
  # | Organisation | Admins
  275 | Avintec COM, Germany/Hessen DE | Admins (1)
  796 | Domain available: avintec.com
=> ok
alice, bob, carol, dave
new org client cert: alice@avintec.com, class1, Dep1; next; create
  Installing your certificate
  You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however.
  Click here to install your certificate.
org client cert - view
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: alice@avintec.com, class3, Dep1; next; create
org client cert - view
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: bob@avintec.com, class1, Dep2; next; create
org client cert - view
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: bob@avintec.com, class3, Dep2; next; create
org client cert - view
  Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: carol@avintec.com, class1, Dep3; next; create
org client cert - view
  Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
  Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: carol@avintec.com, class3, Dep3; next; create
org client cert - view
  Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
  Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
  Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: dave@avintec.com, class1, Dep4; next; create
org client cert - view
  Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
  Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
  Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
  Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
new org client cert: dave@avintec.com, class3, Dep4; next; create
org client cert - view
  Valid dave@avintec.com 10AB Not Revoked 2012-02-29 01:15:47
  Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
  Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
  Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
  Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
  Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
  Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
  Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36
checking keys in cert manager:
  CAcert Testserver (-> is root, class1): Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF)
  -and-
  CAcert Testserver (-> is subroot, class3): Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB)
Alice (10A8)
  CN Alice, O Avintec COM, OU Dep1, Ser 10:A8, From 2012-02-22, To 2012-02-29 => ok
  owner: E = alice@avintec.com, CN = Alice, OU = Dep1, O = Avintec COM, L = Frankfurt/Main, ST = Germany/Hessen, C = DE => ok
  extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
  cert alternate name: Not critical; E-mail address: alice@avintec.com => ok
Dave (10DF)
  CN Dave, O Avintec COM, OU Dep4, Ser 10:DF, From 2012-02-22, To 2012-02-29 => ok
  owner: E = dave@avintec.com, CN = Dave, OU = Dep4, O = Avintec COM, L = Frankfurt/Main, ST = Germany/Hessen, C = DE => ok
  extended key usage: Not critical; E-mail protection (1.3.6.1.5.5.7.3.4), TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), Microsoft Encrypting File System (1.3.6.1.4.1.311.10.3.4), Microsoft Server Gated Crypto (1.3.6.1.4.1.311.10.3.3), Netscape Server Gated Crypto (2.16.840.1.113730.4.1)
  cert alternate name: Not critical; E-mail address: dave@avintec.com => ok |
|
test 5 - org server certs
Org Server Certs - View: empty list => ok

openssl genrsa -out testserver1-avintec-com-512.key 512
openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr
  (using values from Org Account)
Org Server Certs - New, class 1 <paste>
  error/warning: The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok
Org Server Certs - New, class 3 <paste>
  error/warning: The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki => ok

openssl genrsa -out testserver2-avintec-com-1024.key 1024
openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr
  (using values from Org Account)
Org Server Certs - New, class 1 <paste>
  Please make sure the following details are correct before proceeding any further.
  CommonName: testserver2.avintec.com
  Organisation: Avintec COM
  Org. Unit: UT
  Location: Frankfurt/Main
  State/Province: Germany/Hessen
  Country: DE
  Submit
new file testserver2-avintec-com-1024-signed-c1.key <paste>
Org Server Certs - View
  Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16
Org Server Certs - New, class 3 <paste>
  Please make sure the following details are correct before proceeding any further.
  CommonName: testserver2.avintec.com
  Organisation: Avintec COM
  Org. Unit: UT
  Location: Frankfurt/Main
  State/Province: Germany/Hessen
  Country: DE
  Submit
new file testserver2-avintec-com-1024-signed-c3.key <paste>
Org Server Certs - View
  Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
  Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

openssl genrsa -out testserver3-avintec-com-2048.key 2048
openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr
  (using values from Org Account)
Org Server Certs - New, class 1 <paste>
  Please make sure the following details are correct before proceeding any further.
  CommonName: testserver3.avintec.com
  Organisation: Avintec COM
  Org. Unit: IT
  Location: Frankfurt/Main
  State/Province: Germany/Hessen
  Country: DE
  Submit
new file testserver3-avintec-com-2048-signed-c1.key <paste>
Org Server Certs - View
  Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
  Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
  Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16
Org Server Certs - New, class 1 <paste>
  Please make sure the following details are correct before proceeding any further.
  CommonName: testserver3.avintec.com
  Organisation: Avintec COM
  Org. Unit: IT
  Location: Frankfurt/Main
  State/Province: Germany/Hessen
  Country: DE
  Submit
new file testserver3-avintec-com-2048-signed-c3.key <paste>
Org Server Certs - View
  Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37
  Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
  Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
  Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16

test keys:
openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4320 (0x10e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:41:16 2012 GMT
            Not After : Mar 23 01:41:16 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok
openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4268 (0x10ac)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:44:33 2012 GMT
            Not After : Mar 23 01:44:33 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok
openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4321 (0x10e1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:50:21 2012 GMT
            Not After : Mar 23 01:50:21 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok
openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4269 (0x10ad)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Class 3
        Validity
            Not Before: Feb 22 01:52:37 2012 GMT
            Not After : Mar 23 01:52:37 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        [...]
..........................................................................
=> ok |
|
test 6 - admin console view
login admin / OA
Sys Admin - search certs.test@wiamail.de
Certificates
  Cert Type  | Total | Valid | Expired | Revoked | Latest Expire
  Server     | 4     | 4     | 0       | 0       | 2012-03-23
  Client     | 6     | 6     | 0       | 0       | 2012-03-22
  GPG        | None
  Org Server | 4     | 4     | 0       | 0       | 2012-03-23
  Org Client | 8     | 8     | 0       | 0       | 2012-02-29
=> ok
Sysadmin - find domain avintec.com
  Select Specific Account Details | Domain: 167970 | avintec.com | 1 rows displayed.
  Select Specific Account Details | Domain: 796 | avintec.com | 1 rows displayed.
  1 relates to member account, 1 relates to Org account
  a) https://cacert1.it-sls.de/account.php?id=43&userid=171296
  b) https://cacert1.it-sls.de/account.php?id=26&orgid=275
=> ok |
|
addtl. test
create new user: org.test1@wiamail.de
  confirmed
  assurances 100 pts
  experience pts 50 pts
  assurer flag
login OrgAssurer
  create new Org
  add domain <test>
  add admin org.test1@wiamail.de
login other user
  add domain <test>
  The domain '<test>' is already in a different account and is listed as valid. Can't continue.
login user org.test1@wiamail.de who is also OrgAdmin for domain <test>
  add domain <test>
  The domain '<test>' is already in a different account and is listed as valid. Can't continue.
=> ok
see also bug report https://bugs.cacert.org/view.php?id=1015
|
tested by 2, good for 2nd review and go
|
Current patch is okay and no functional changes to unaffected functionality were found. This patch also centralizes the calls to external programs with interfacing to STDIN and STDOUT thereby reducing the manifold places for errors. 2nd review OK. Thanks for testing to JensK and Uli60. |
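The review note above refers to centralizing the calls to external programs and their STDIN/STDOUT interfacing. The following added example, written for this page in Python, shows the two things the bug report asks for: reject a malformed SPKAC with a meaningful error that carries the offending data before openssl is ever started, and route every external call through one wrapper that checks the exit status, so no caller parses the output of a command that already failed (the failure mode in the original report, where a base64 decode error in `openssl spkac` surfaced as a warning from `checkWeakKeyText()`). This is not the CAcert patch, which is PHP in account_stuff.php and is not reproduced here. `SpkacError`, `ExternalProgramError`, `run_external`, `check_spkac`, `verify_spkac` and the sample SPKAC are all constructed for this example; the `openssl spkac -verify -noout` invocation reading `SPKAC=<base64>` on stdin is an assumption and is not exercised offline.

```python
import base64
import binascii
import subprocess
import sys


class SpkacError(ValueError):
    """Submitted SPKAC rejected before any external program ran; keeps the input for logging."""
    def __init__(self, reason: str, spkac_text: str = ""):
        super().__init__(reason)
        self.spkac_text = spkac_text


class ExternalProgramError(RuntimeError):
    """A helper such as openssl exited non-zero; carries STDERR and the data fed on STDIN."""
    def __init__(self, argv, returncode, stderr, stdin_data):
        self.argv, self.returncode, self.stderr, self.stdin_data = argv, returncode, stderr, stdin_data
        super().__init__(f"{argv[0]} exited {returncode}: {stderr.strip()!r}; input was {stdin_data[:80]!r}")


def der_tlv(buf: bytes, off: int = 0):
    """Read one definite-length DER element at buf[off]; return (tag, value, next_off)."""
    if off + 2 > len(buf):
        raise SpkacError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    off, length = off + 2, first
    if first & 0x80:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise SpkacError("bad DER length encoding")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise SpkacError("DER length runs past end of input")
    return tag, buf[off:off + length], off + length


def der_children(content: bytes) -> list:
    """Split the content of a constructed element into its (tag, value) members."""
    items, off = [], 0
    while off < len(content):
        tag, value, off = der_tlv(content, off)
        items.append((tag, value))
    return items


def check_spkac(spkac_text: str) -> dict:
    """Structural pre-check of a base64 SPKAC (Netscape SignedPublicKeyAndChallenge).
    Names the problem for bad base64 (the case in the bug report) and gross DER damage.
    It does not verify the proof-of-possession signature; that stays with openssl."""
    cleaned = "".join(spkac_text.split())             # browsers may line-wrap the base64
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise SpkacError(f"base64 decode error: {exc}", spkac_text) from exc
    tag, body, end = der_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise SpkacError("SPKAC is not a single DER SEQUENCE", spkac_text)
    parts = der_children(body)
    # SignedPublicKeyAndChallenge ::= SEQUENCE { pkac SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }
    if [t for t, _ in parts] != [0x30, 0x30, 0x03] or len(parts[2][1]) < 1:
        raise SpkacError("not a SignedPublicKeyAndChallenge structure", spkac_text)
    inner = der_children(parts[0][1])
    # PublicKeyAndChallenge ::= SEQUENCE { spki SubjectPublicKeyInfo, challenge IA5String }
    if len(inner) != 2 or inner[0][0] != 0x30 or inner[1][0] != 0x16:
        raise SpkacError("PublicKeyAndChallenge malformed", spkac_text)
    try:
        challenge = inner[1][1].decode("ascii")
    except UnicodeDecodeError as exc:
        raise SpkacError("challenge is not an IA5String", spkac_text) from exc
    return {"challenge": challenge, "spki_der": inner[0][1],
            "signature_bytes": len(parts[2][1]) - 1}  # BIT STRING: first byte = unused-bit count


def run_external(argv: list, stdin_data: bytes) -> bytes:
    """Single choke point for external programs: feed STDIN, return STDOUT, and turn a
    non-zero exit into an exception carrying STDERR and the input."""
    proc = subprocess.run(argv, input=stdin_data, capture_output=True, check=False)
    if proc.returncode != 0:
        raise ExternalProgramError(argv, proc.returncode, proc.stderr.decode("utf-8", "replace"), stdin_data)
    return proc.stdout


def simulate_external(program: str, stdin_data: bytes) -> bytes:
    """Run a one-line Python program through run_external as a stand-in for openssl."""
    return run_external([sys.executable, "-c", program], stdin_data)


def verify_spkac(spkac_text: str) -> bytes:
    """Pre-check, then hand the SPKAC to openssl for signature verification.
    Assumption: `openssl spkac -verify -noout` accepts `SPKAC=<base64>` on stdin."""
    check_spkac(spkac_text)
    stdin_line = f"SPKAC={''.join(spkac_text.split())}\n".encode("ascii")
    return run_external(["openssl", "spkac", "-verify", "-noout"], stdin_line)


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content       # short-form length; enough for the sample


# Constructed sample: syntactically valid SignedPublicKeyAndChallenge with placeholder key
# and signature, so it passes check_spkac but would fail openssl's signature verification.
SAMPLE_SPKAC = base64.b64encode(_der(0x30,
    _der(0x30, _der(0x30, _der(0x05, b"")) + _der(0x16, b"challenge"))               # PublicKeyAndChallenge
    + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))  # sha1WithRSAEncryption
    + _der(0x03, b"\x00\xff"))).decode("ascii")                                       # BIT STRING, 0 unused bits
```

The exception objects are what the "Additional Information" item asks for: the log line can carry `err.spkac_text` or `err.stdin_data` alongside the message, instead of a bare "Couldn't extract the public key algorithm used." Pre-checking does not replace `openssl spkac -verify`; it only makes the failure mode a deliberate rejection rather than a parse of garbage output.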
|
The patch has been installed on the production server on October 31, 2012. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2012-10/msg00009.html |
|
More than 3 months solved |
Date Modified | Username | Field | Change |
---|---|---|---|
2011-06-22 00:09 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 98f70ef2 |
2011-08-31 15:07 | NEOatNHNG | New Issue | |
2011-08-31 15:07 | NEOatNHNG | Assigned To | => NEOatNHNG |
2011-08-31 15:13 | NEOatNHNG | Note Added: 0002391 | |
2011-08-31 15:15 | NEOatNHNG | Status | new => needs work |
2011-10-21 18:45 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver e1998151 |
2011-10-21 18:45 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 7b95895e |
2011-10-21 18:45 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 8d2e661d |
2011-10-21 18:45 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 99d0ec58 |
2011-10-21 19:24 | NEOatNHNG | Note Added: 0002624 | |
2011-10-21 19:24 | NEOatNHNG | Status | needs work => needs review & testing |
2011-10-21 19:25 | NEOatNHNG | Relationship added | related to 0000918 |
2011-10-21 19:25 | NEOatNHNG | Reviewed by | => NEOatNHNG |
2011-10-21 20:05 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 6aefc95a |
2011-10-21 20:05 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver 82c2ea4c |
2011-12-12 09:13 | NEOatNHNG | Note Added: 0002742 | |
2011-12-17 13:54 | JensK | Note Added: 0002745 | |
2012-01-24 04:21 | Uli60 | Relationship added | related to 0000540 |
2012-01-24 04:21 | Uli60 | Note Added: 0002788 | |
2012-01-27 13:21 | NEOatNHNG | Note Added: 0002800 | |
2012-01-27 13:21 | NEOatNHNG | Relationship added | related to 0000440 |
2012-02-21 22:17 | Uli60 | Note Added: 0002831 | |
2012-02-22 00:27 | Uli60 | Note Added: 0002837 | |
2012-02-22 00:47 | Uli60 | Note Added: 0002842 | |
2012-02-22 01:27 | Uli60 | Note Added: 0002847 | |
2012-02-22 02:11 | Uli60 | Note Added: 0002852 | |
2012-02-22 02:23 | Uli60 | Note Added: 0002857 | |
2012-02-22 02:38 | Uli60 | Note Added: 0002862 | |
2012-02-22 02:48 | Uli60 | Relationship added | related to 0001015 |
2012-02-22 02:50 | Uli60 | Note Edited: 0002862 | |
2012-04-24 23:53 | Uli60 | Note Added: 0002962 | |
2012-04-24 23:53 | Uli60 | Status | needs review & testing => needs review |
2012-04-24 23:53 | Uli60 | Assigned To | NEOatNHNG => egal |
2012-10-23 21:17 | Uli60 | Assigned To | egal => BenBE |
2012-10-28 13:18 | BenBE | Reviewed by | NEOatNHNG => NEOatNHNG, BenBE |
2012-10-28 13:18 | BenBE | Note Added: 0003276 | |
2012-10-28 13:18 | BenBE | Status | needs review => ready to deploy |
2012-10-31 10:06 | wytze | Note Added: 0003310 | |
2012-10-31 10:06 | wytze | Status | ready to deploy => solved? |
2012-10-31 10:06 | wytze | Resolution | open => fixed |
2012-10-31 18:45 | BenBE | Source_changeset_attached | => cacert-devel release e74bad9b |
2013-01-13 08:22 | INOPIAE | Fixed in Version | => 2012 Q4 |
2013-03-21 07:24 | Werner Dworak | Note Added: 0003832 | |
2013-03-21 07:24 | Werner Dworak | Status | solved? => closed |