Conversation

AdamWill (Contributor) commented Jun 19, 2024

Per openssl/openssl#22966, it is not valid to have a subjectKeyIdentifier or an authorityKeyIdentifier in a CSR. Up until openssl 3.2.0 this happened not to cause an error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

To fix this, when generating a signed certificate, let's always use req_x509_extensions_simple for the CSR, and use the specified req (usually req_x509_extensions_full) only when asking the CA to process the CSR and produce the final signed certificate.
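The two-stage flow described above, as an added example rather than code from CPython's make_ssl_certs.py: the CSR is built with the simple extension section only and the CA applies the full section (SKI/AKI included) when it signs. The section names come from the PR; the file names, the throwaway CA and the use of `openssl x509 -req` instead of `openssl ca` for the signing step are assumptions made to keep the demo self-contained.

```shell
#!/bin/sh
# Added example, not CPython's make_ssl_certs.py: the two-stage flow the PR
# describes. Section names req_x509_extensions_simple/_full come from the PR;
# file names, the throwaway CA and "openssl x509 -req" as the CA step are
# assumptions made to keep the demo self-contained.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "simple" is safe inside a CSR; "full" adds the SKI/AKI that only the CA can
# compute, because the AKI needs the issuer certificate (the error in the PR).
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = localhost
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ req_x509_extensions_simple ]
subjectAltName = DNS:localhost
basicConstraints = critical,CA:FALSE
[ req_x509_extensions_full ]
subjectAltName = DNS:localhost
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF

generate() {
    # throwaway CA for the demo
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # step 1: CSR with the simple section only, so OpenSSL >= 3.2 accepts it
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -reqexts req_x509_extensions_simple \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    # step 2: the CA applies the full section while signing
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
        -extensions req_x509_extensions_full -out "$WORK/leaf.pem" 2>/dev/null
}

# number of "Key Identifier" extension headers in the text dump (CSR: 0, cert: 2)
csr_keyids()  { openssl req  -in "$WORK/leaf.csr" -noout -text | grep -c "Key Identifier" || true; }
cert_keyids() { openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -c "Key Identifier" || true; }

generate
```

Requires the openssl CLI; after `generate` runs, `csr_keyids` reports 0 and `cert_keyids` reports 2, which is exactly the split the PR wants.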

AdamWill (Contributor, Author):

NOTE: I am not 100% confident in this fix; it should be reviewed by someone who knows what they're doing. It seems to work, and examining the signed certificate it produces shows the intended stuff seems to be there, but still not 100% sure.

```
[adamw@xps13a certdata (main *)]$ openssl x509 -in keycert3.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cb:2d:80:99:5a:69:52:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XY, O=Python Software Foundation CA, CN=our-ca-server
        Validity
            Not Before: Aug 29 14:23:16 2018 GMT
            Not After : Oct 28 14:23:16 2037 GMT
        Subject: C=XY, L=Castle Anthrax, O=Python Software Foundation, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                BD:AD:A2:A9:46:64:F5:CE:35:A8:7D:47:84:FB:86:95:3C:FB:27:79
            X509v3 Authority Key Identifier:
                keyid:FD:A2:A6:BE:21:E6:63:25:87:97:B7:2F:BB:B5:F0:20:D3:D4:93:23
                DirName:/C=XY/O=Python Software Foundation CA/CN=our-ca-server
                serial:CB:2D:80:99:5A:69:52:5B
            Authority Information Access:
                CA Issuers - URI:http://testca.pythontest.net/testca/pycacert.cer
                OCSP - URI:http://testca.pythontest.net/testca/ocsp/
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://testca.pythontest.net/testca/revocation.crl
    Signature Algorithm: sha256WithRSAEncryption
```

Per openssl/openssl#22966, it is not valid to have a subjectKeyIdentifier or an authorityKeyIdentifier in a CSR. Up until openssl 3.2.0 this happened not to cause an error, but since a bugfix in 3.2.0 it does:

80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:

To fix this, when generating a signed certificate, let's always use req_x509_extensions_simple for the CSR, and use the specified req (usually req_x509_extensions_full) only when asking the CA to process the CSR and produce the final signed certificate.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

AdamWill force-pushed the make-ssl-certs-csr-fix branch from 2432dcf to 3027a5c on June 20, 2024 06:22
encukou (Member):

Thank you for the report and investigation!
In the end I merged #125045 instead.

encukou closed this Oct 7, 2024