
make_ssl_certs fails with "no issuer certificate" with recent openssl #120762

Closed
AdamWill opened this issue Jun 19, 2024 · 3 comments
Labels
topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@AdamWill
Contributor

AdamWill commented Jun 19, 2024

Bug report

Bug description:

Running python3 ./make_ssl_certs.py in Lib/test/certdata with openssl 3.2.2 fails:

creating cert for localhost
Ignoring -days without -x509; not generating a certificate
..+.+..+......+......+.+...+.........+..++++++++++++++++++++++++++++++++++++++++++*...+......+...+...+.....+.........+......+.........+.+..+.+..............+.......+........+......+.++++++++++++++++++++++++++++++++++++++++++*..+.........+..+......+...+...................+...+...+......+...+......+..+...+.........+.+......+.....+.+........+......+..........+..................+..+......+.......+...+...+......+........+...+...+.......+...+...................................+....+...+.....+....+.....+.+..............+...+...+.......+.....+......+...................+...+..+......+.......+........+.+...+............+.....+.+.....+..........+..+.+..+..................+.......+..+.+......+........+..................+...............+...+.+..............+....+...+.....+.......+...........+.......+........+......+...............+...............+.+........+.+......+...+...............+..............................+++++
........+......+....................+....+..+...+....+..+......++++++++++++++++++++++++++++++++++++++++++*.+.....+.++++++++++++++++++++++++++++++++++++++++++*....+............+...+....+........+..........+........+....+...+...+......+...+........+...+...................+..+.........+.+.....+...+...+.....................................+........+.........+....+..+....+......+...+.....+.+......+........+..............................+......+....+++++
-----
Error adding request extensions from section req_x509_extensions_full
80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
80D2CF679F7F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=req_x509_extensions_full, name=authorityKeyIdentifier, value=keyid:always,issuer:always
Traceback (most recent call last):
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 252, in <module>
    cert, key = make_cert_key('localhost', sign=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 149, in make_cert_key
    check_call(['openssl'] + args)
  File "/usr/lib64/python3.12/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['openssl', 'req', '-new', '-nodes', '-days', '7000', '-newkey', 'rsa:3072', '-keyout', '/tmp/tmp0z74w6gi', '-extensions', 'req_x509_extensions_full', '-config', '/tmp/tmpx9yl3uel', '-out', '/tmp/tmp2k3xk1tq']' returned non-zero exit status 1.

Per this openssl issue, this is because we're including an SKID and AKID when producing a CSR - the openssl req -new command in make_cert_key, when run with sign=True, creates a CSR. This was never valid, and the fact that it used to succeed was apparently a bug in openssl.

However, I'm not totally sure how to fix this so there's no SKID or AKID in the CSR, but there is one in the final certificate, when creating a signed certificate (as, presumably, is our intent here).

CPython versions tested on:

3.12

Operating systems tested on:

Linux

@AdamWill AdamWill added the type-bug An unexpected behavior, bug, or error label Jun 19, 2024
AdamWill added a commit to AdamWill/cpython that referenced this issue Jun 19, 2024
Per openssl/openssl#22966 , it is not
valid to have a subjectKeyIdentifier or an authorityKeyIdentifier
in a CSR. Up until openssl 3.2.0 this happened not to cause an
error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

This fixes it by always using req_x509_extensions_simple for the
CSR, when generating a signed certificate, and using the specified
req (usually req_x509_extensions_full) only when asking the CA to
process the CSR and produce the final signed certificate.

Signed-off-by: Adam Williamson <[email protected]>
@AdamWill
Contributor Author

#120764 is a speculative fix, but I'm not 100% confident of it.

AdamWill added a commit to AdamWill/cpython that referenced this issue Jun 20, 2024
Per openssl/openssl#22966 , it is not
valid to have a subjectKeyIdentifier or an authorityKeyIdentifier
in a CSR. Up until openssl 3.2.0 this happened not to cause an
error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

To fix this, when generating a signed certificate, let's always
use req_x509_extensions_simple for the CSR, and use the specified
req (usually req_x509_extensions_full) only when asking the CA to
process the CSR and produce the final signed certificate.

Signed-off-by: Adam Williamson <[email protected]>
encukou added a commit to encukou/cpython that referenced this issue Oct 7, 2024
`openssl req` fails with openssl 3.2.2 because the config line

    authorityKeyIdentifier = keyid:always,issuer:always

is not supported for certificate signing requests (since the issuing
certificate authority is not known).

David von Oheimb, the OpenSSL dev that made the change, commented in:
openssl/openssl#22966 (comment) :

> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in openssl/openssl#16865.

(I assume `-x505` is a typo for `-x509`.)

In our `make_cert_key` function:

If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
  omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
  fails on it.)
- The extensions are passed to the `ca` call later in the function.
  There they take effect, and `authorityKeyIdentifier` is valid.

If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
@encukou
Member

encukou commented Oct 7, 2024

Here's what I came up with: #125045

@gpshead, if you have some cycles, your expertise would be welcome.

encukou added a commit that referenced this issue Oct 7, 2024
…GH-125045)

gh-120762: make_ssl_certs: Don't set extensions for the CSR

`openssl req` fails with openssl 3.2.2 because the config line

    authorityKeyIdentifier = keyid:always,issuer:always

is not supported for certificate signing requests (since the issuing
certificate authority is not known).

David von Oheimb, the OpenSSL dev that made the change, commented in:
openssl/openssl#22966 (comment) :

> This problem did not show up in older OpenSSL versions because of a bug:
> the `req` app ignored the `-extensions` option unless `-x505` is given,
> which I fixed in openssl/openssl#16865.

(I assume `-x505` is a typo for `-x509`.)

In our `make_cert_key` function:

If `sign` is true:
- We don't pass `-x509` to `req`, so in this case it should be safe to
  omit the `-extensions` argument. (Old OpenSSL ignores it, new OpenSSL
  fails on it.)
- The extensions are passed to the `ca` call later in the function.
  There they take effect, and `authorityKeyIdentifier` is valid.

If `sign` is false, this commit has no effect except rearranging the
CLI arguments.
@encukou
Member

encukou commented Oct 7, 2024

Fixed in 3.14.
I don't think we're planning to regenerate test certs in 3.13; if we need to we can backport this later.

@encukou encukou closed this as completed Oct 7, 2024
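The following is an added example, not code from cpython's Lib/test/certdata/make_ssl_certs.py or from the commits above. It shows the two shapes discussed in the thread side by side: the pre-fix `openssl req -new` call that names an extension section containing `authorityKeyIdentifier` (which OpenSSL 3.2+ rejects with "no issuer certificate" and older releases silently ignored), and the post-fix flow where the CSR gets no extensions and the signer applies them. It then checks, via `openssl req -text` / `openssl x509 -text`, that the CSR contains neither key identifier while the signed certificate contains both. It assumes an `openssl` CLI on PATH; the config text and section names (`ca_ext`, `leaf_ext`) are constructed for this example; and signing uses `openssl x509 -req` rather than the `openssl ca` call in make_ssl_certs.py, since `ca` needs an index and serial file that add nothing to the point.

```python
"""Added example, not cpython's Lib/test/certdata/make_ssl_certs.py: build a
CSR that carries no key identifiers, have the signer add subjectKeyIdentifier
and authorityKeyIdentifier, and check both artefacts with the openssl CLI."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed config (section names are this example's own). leaf_ext holds
# the authorityKeyIdentifier line from the issue; it is only meaningful once an
# issuer certificate exists, i.e. at signing time, never while building a CSR.
CONFIG_TEMPLATE = """\
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = {cn}

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:{cn}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
"""


def openssl(args, check=True):
    """Run the openssl CLI, capturing output (key-generation dots go to stderr)."""
    return subprocess.run(["openssl", *args], check=check, capture_output=True, text=True)


def write_config(workdir, name, cn):
    path = workdir / f"{name}.cnf"
    path.write_text(CONFIG_TEMPLATE.format(cn=cn))
    return path


def extension_names(cmd, path):
    """X509v3 extension names printed by `openssl req -text` or `openssl x509 -text`."""
    text = openssl([cmd, "-in", str(path), "-noout", "-text"]).stdout
    return set(re.findall(r"^\s*X509v3 ([A-Za-z ]+?):", text, re.M))


def csr_with_akid_returncode(workdir):
    """Pre-fix shape: `req -new` (no -x509) with -extensions naming an AKID.
    OpenSSL 3.2+ exits 1 with 'no issuer certificate'; older releases ignored
    -extensions without -x509 and exit 0."""
    cfg = write_config(workdir, "bad", "bad.example")
    r = openssl(["req", "-new", "-nodes", "-newkey", "rsa:2048", "-config", str(cfg),
                 "-extensions", "leaf_ext",
                 "-keyout", str(workdir / "bad.key"), "-out", str(workdir / "bad.csr")],
                check=False)
    return r.returncode


def make_chain(workdir, cn="localhost"):
    """Post-fix shape: the CSR gets no -extensions; the signer applies leaf_ext.
    Signing uses `openssl x509 -req` (assumption: simpler than the `openssl ca`
    call in make_ssl_certs.py, same effect for the extensions)."""
    ca_cfg = write_config(workdir, "ca", "Example Test CA")
    ca_key, ca_cert = workdir / "ca.key", workdir / "ca.pem"
    openssl(["req", "-new", "-x509", "-nodes", "-newkey", "rsa:2048", "-days", "30",
             "-config", str(ca_cfg), "-extensions", "ca_ext",
             "-keyout", str(ca_key), "-out", str(ca_cert)])

    leaf_cfg = write_config(workdir, "leaf", cn)
    leaf_key, csr, leaf_cert = workdir / "leaf.key", workdir / "leaf.csr", workdir / "leaf.pem"
    openssl(["req", "-new", "-nodes", "-newkey", "rsa:2048", "-config", str(leaf_cfg),
             "-keyout", str(leaf_key), "-out", str(csr)])
    openssl(["x509", "-req", "-in", str(csr), "-CA", str(ca_cert), "-CAkey", str(ca_key),
             "-CAcreateserial", "-days", "30", "-extfile", str(leaf_cfg),
             "-extensions", "leaf_ext", "-out", str(leaf_cert)])

    verify = openssl(["verify", "-CAfile", str(ca_cert), str(leaf_cert)], check=False)
    return {
        "csr_extensions": extension_names("req", csr),
        "cert_extensions": extension_names("x509", leaf_cert),
        "verify_ok": verify.returncode == 0,
    }


def demo():
    """Run both shapes in a scratch directory; None when no openssl CLI is installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        result = make_chain(workdir)
        result["prefix_returncode"] = csr_with_akid_returncode(workdir)
        return result


if __name__ == "__main__":
    print(demo())
```

`demo()` returns an empty `csr_extensions` set and a `cert_extensions` set that includes both "Subject Key Identifier" and "Authority Key Identifier", with `verify_ok` true; `prefix_returncode` is 1 on OpenSSL 3.2+ and 0 on releases that still ignored `-extensions` without `-x509`, which is the version-dependent behaviour the thread describes.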