
gh-120762: fix make_ssl_certs.py - no SKID or AKID in CSR #120764

Closed
wants to merge 1 commit into from


AdamWill
Contributor

@AdamWill AdamWill commented Jun 19, 2024

Per openssl/openssl#22966, it is not valid to have a subjectKeyIdentifier or an authorityKeyIdentifier in a CSR. Up until openssl 3.2.0 this happened not to cause an error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

To fix this, when generating a signed certificate, let's always use req_x509_extensions_simple for the CSR, and use the specified req (usually req_x509_extensions_full) only when asking the CA to process the CSR and produce the final signed certificate.
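The two-section pattern the PR describes, as an added shell example (not CPython's make_ssl_certs.py and not code from this PR): the CSR is built from a "simple" section without key identifiers, and the "full" section with subjectKeyIdentifier and authorityKeyIdentifier is applied only when the issuer signs. `openssl x509 -req` stands in for the script's `openssl ca` step; the section names, the CA subject and the temporary paths are assumptions.

```shell
# Added example, not CPython's make_ssl_certs.py: CSR built from a "simple" section
# (no SKID/AKID); the "full" set is applied by the issuer. Names/paths are assumed.
set -eu
WORK="$(mktemp -d)"
CFG="$WORK/ext.cnf"
# Extension sections modelled on req_x509_extensions_simple / _full.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = localhost
[ ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ simple ]
subjectAltName = DNS:localhost
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:false
[ full ]
subjectAltName = DNS:localhost
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
# Self-signed CA; 'openssl x509 -req' below stands in for 'openssl ca'.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -config "$CFG" -subj "/CN=example-ca" -extensions ca -days 30 >/dev/null 2>&1
# CSR from the simple section only: accepted by every OpenSSL version.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -config "$CFG" -reqexts simple >/dev/null 2>&1
# The issuer applies the full section; only here can an AKID be computed.
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$CFG" -extensions full -out "$WORK/leaf.pem" >/dev/null 2>&1
# Number of "Key Identifier" extensions in a CSR ($1=req) or certificate ($1=x509).
count_key_ids() {
  openssl "$1" -in "$2" -noout -text | grep -c 'Key Identifier' || true
}
# Succeeds when a CSR built from the full section is rejected (OpenSSL >= 3.2.0).
full_csr_fails() {
  ! openssl req -new -key "$WORK/leaf.key" -out /dev/null -config "$CFG" -reqexts full >/dev/null 2>&1
}
echo "key identifiers in CSR: $(count_key_ids req "$WORK/leaf.csr"), in cert: $(count_key_ids x509 "$WORK/leaf.pem")"
if full_csr_fails; then echo "full-section CSR rejected by this OpenSSL (3.2.0+ behaviour)"; fi
```

Whether the last line prints depends on the installed OpenSSL; the CSR and certificate counts (0 and 2) do not.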

@AdamWill
Contributor Author

NOTE: I am not 100% confident in this fix, it should be reviewed by someone who knows what they're doing. It seems to work, and examining the signed certificate it produces shows the intended stuff seems to be there, but still not 100% sure.

[adamw@xps13a certdata (main *)]$ openssl x509 -in keycert3.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:2d:80:99:5a:69:52:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XY, O=Python Software Foundation CA, CN=our-ca-server
        Validity
            Not Before: Aug 29 14:23:16 2018 GMT
            Not After : Oct 28 14:23:16 2037 GMT
        Subject: C=XY, L=Castle Anthrax, O=Python Software Foundation, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                BD:AD:A2:A9:46:64:F5:CE:35:A8:7D:47:84:FB:86:95:3C:FB:27:79
            X509v3 Authority Key Identifier: 
                keyid:FD:A2:A6:BE:21:E6:63:25:87:97:B7:2F:BB:B5:F0:20:D3:D4:93:23
                DirName:/C=XY/O=Python Software Foundation CA/CN=our-ca-server
                serial:CB:2D:80:99:5A:69:52:5B
            Authority Information Access: 
                CA Issuers - URI:http://testca.pythontest.net/testca/pycacert.cer
                OCSP - URI:http://testca.pythontest.net/testca/ocsp/
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://testca.pythontest.net/testca/revocation.crl
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

Per openssl/openssl#22966, it is not
valid to have a subjectKeyIdentifier or an authorityKeyIdentifier
in a CSR. Up until openssl 3.2.0 this happened not to cause an
error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

To fix this, when generating a signed certificate, let's always
use req_x509_extensions_simple for the CSR, and use the specified
req (usually req_x509_extensions_full) only when asking the CA to
process the CSR and produce the final signed certificate.

Signed-off-by: Adam Williamson <[email protected]>
@AdamWill AdamWill force-pushed the make-ssl-certs-csr-fix branch from 2432dcf to 3027a5c June 20, 2024 06:22
@encukou
Member

encukou commented Oct 7, 2024

Thank you for the report and investigation!
In the end I merged #125045 instead.

@encukou encukou closed this Oct 7, 2024