
This queue is for tickets about the Crypt-OpenSSL-CA CPAN distribution.

Report information
The Basics
Id: 95437
Status: open
Priority: 0/
Queue: Crypt-OpenSSL-CA

People
Owner: Nobody in particular
Requestors: tlhackque [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.23
Fixed in: (no value)



Subject: Unable to use freshestCRL in certificate after use in CRL
The freshestCRL extension is defined for both certificates and CRLs. After generating a CRL using freshestCRL, it is not possible to add freshestCRL to a certificate. This is due to the code in Crypt::OpenSSL::CA::X509_CRL that unconditionally generates an object for freshestCRL, assuming that OpenSSL doesn't support it. I have reduced this to a simple test case that fails with OpenSSL 1.0.1g 7 Apr 2014 The test case relies on the undocumented fact that extension_by_name: (a) ignores the object argument and (b) returns the NID. It should return the same non-zero value (857) both before and after the call to set_extension. This is the root cause of the subsequent inability to add freshestCRL to certificates. I don't show this because it complicates the demonstration test case. add_extension requires the nid, which is not returned in the test case. #!/usr/bin/perl use Crypt::OpenSSL::CA; my $crl = Crypt::OpenSSL::CA::X509_CRL->new; # freshestCRL's nid: my $name = 'freshestCRL'; print "Before adding to CRL ", Crypt::OpenSSL::CA::X509->extension_by_name($name), "\n"; $crl->set_extension( $name => '@s', s => { 'URI.0' => 'http://x.net'} ); print "After adding to CRL: ", Crypt::OpenSSL::CA::X509->extension_by_name($name), "\n"; #./fresh.pl Before adding to CRL 857 After adding to CRL: 0 # This patch resolves the problem: --- lib/Crypt/OpenSSL/CA.pm.orig 2011-12-12 03:06:26.000000000 -0500 +++ lib/Crypt/OpenSSL/CA.pm 2014-05-07 05:57:35.000000000 -0400 @@ -1286,11 +1286,11 @@ CONF *, sv_config); static int nid_freshest_crl = 0; if (! value) { croak("No value specified"); } - if (! nid_freshest_crl) { + if (! nid_freshest_crl && ! (nid_freshest_crl = OBJ_txt2nid("freshestCRL")) ) { nid_freshest_crl = OBJ_create("2.5.29.46", "freshestCRL", "Delta CRL distribution points"); } X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0);
Subject: Status of next release?
From: tlhackque [...] yahoo.com
In checking on the status of open issues, I noticed that there's a developer's release that seems to include this patch and work on other bugs. What's the status of that release (0.24_01)? It seems to have been posted in May of 2014, so it's been baking for a long time. Are you expecting testing? (There was no request or update to the open bugs...) If you think it's done, could you do the formal release so that a normal cpan install will find it? Thanks.
CC: bug-Crypt-OpenSSL-CA [...] rt.cpan.org
Subject: Re: [rt.cpan.org #95437] Status of next release?
Date: Sun, 3 Jan 2016 19:49:37 +0100
To: tlhackque [...] yahoo.com
From: Dominique Quatravaux <dominique [...] quatravaux.org>
2015-12-30 12:57 GMT+01:00 via RT <bug-Crypt-OpenSSL-CA@rt.cpan.org>:
> Queue: Crypt-OpenSSL-CA
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=95437 >
>
> In checking on the status of open issues, I noticed that there's a
> developer's release that seems to include this patch and work on other
> bugs.
>
> What's the status of that release (0.24_01)?
I pushed it out, in hopes that CPANTS would run tests on it. It didn't.

Were you able to run the tests successfully?

Would you be interested in co-maintainership on this module, so that you can push new releases yourself? If so, please let me know your PAUSE username.

Yours truly,
--
Dominique Quatravaux
dominique@quatravaux.org
Subject: 0.24_01 status: Broken
From: tlhackque [...] yahoo.com
On Sun Jan 03 13:50:20 2016, dominique@quatravaux.org wrote:
> 2015-12-30 12:57 GMT+01:00 via RT <bug-Crypt-OpenSSL-CA@rt.cpan.org>:
> > What's the status of that release (0.24_01)?
>
> I pushed it out, in hopes that CPANTS would run tests on it. It didn't.
I don't know what CPANTS is :-) But one interesting thing is that on http://search.cpan.org/~domq/Crypt-OpenSSL-CA/lib/Crypt/OpenSSL/CA.pm there's a link to the "latest release" that doesn't get you to the new version. I had to find it by author. I wouldn't be surprised to find that most people would simply give up.
> Were you able to run the tests successfully?
No, I can't build 0.24_01 for some reason. The failure is in checking the OpenSSL version number. However, I can still build 0.23. The 0.24_01 build fails with the 0.23 Build.PL in the same way. I'm not an expert in the build tools & haven't figured out what changed in 0.24 to break the build. Any clues?

perl Build.PL
Checking OpenSSL version number...
Generating a Unix-style Makefile
Writing Makefile for Crypt::OpenSSL::CA::ExtractVersionNumberProblem
Writing MYMETA.yml and MYMETA.json
Running Mkbootstrap for Crypt::OpenSSL::CA::ExtractVersionNumberProblem ()
chmod 644 ExtractVersionNumberProblem.bs
/usr/bin/perl /usr/lib/perl5/5.8.8/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.8/ExtUtils/typemap ExtractVersionNumberProblem.xs > ExtractVersionNumberProblem.xsc && mv ExtractVersionNumberProblem.xsc ExtractVersionNumberProblem.c
cc -c -I/home/litt/kits/Crypt-OpenSSL-CA-0.24 -I/usr/local/ssl/include -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DSOCKS -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -g -O2 -DVERSION=\"0.00\" -DXS_VERSION=\"0.00\" -fpic "-I/usr/lib/perl5/5.8.8/i686-linux-thread-multi/CORE" ExtractVersionNumberProblem.c
rm -f blib/arch/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.so
LD_RUN_PATH="/usr/local/ssl/lib" cc -shared -L/usr/local/lib ExtractVersionNumberProblem.o -o blib/arch/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.so \
 -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lcrypto -lssl \
chmod 755 blib/arch/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.so
/usr/bin/perl -MExtUtils::Command::MM -e 'cp_nonempty' -- ExtractVersionNumberProblem.bs blib/arch/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.bs 644
Running Mkbootstrap for Crypt::OpenSSL::CA::ExtractVersionNumberProblem ()
chmod 644 ExtractVersionNumberProblem.bs
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Had problems bootstrapping Inline module 'Crypt::OpenSSL::CA::ExtractVersionNumber'
Can't locate loadable object for module Crypt::OpenSSL::CA::ExtractVersionNumber in @INC (@INC contains: /home/litt/kits/Crypt-OpenSSL-CA-0.24/_Inline/lib /home/litt/kits/Crypt-OpenSSL-CA-0.24/_build/lib /home/litt/kits/Crypt-OpenSSL-CA-0.24/inc /usr/lib/perl5/5.8.8/i686-linux-thread-multi /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/vendor_perl/5.8.6/Inline.pm line 500
at (eval 71) line 10
BEGIN failed--compilation aborted at (eval 71) line 25.

find . -name 'ExtractVersionNumber*'
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.inl
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumberProblem/ExtractVersionNumberProblem.so
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumber
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumber/ExtractVersionNumber.inl
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumber/ExtractVersionNumber.bundle
./_Inline/lib/auto/Crypt/OpenSSL/CA/ExtractVersionNumber/ExtractVersionNumber.bs

Note that the Problem directory has a .so file, while the first build has a .bundle (and an empty .bs) instead. So it appears that the diagnostic rebuild is different from the primary.
> Would you be interested in co-maintainership on this module, so that you
> can push new releases yourself? If so, please let me know your PAUSE
> username.

I hope I don't have a lot more work to do on this module, but one never knows. My PAUSE ID is TLHACKQUE.

> Yours truly,
>
> --
> Dominique Quatravaux
> dominique@quatravaux.org
Subject: Linux build problem & test results.
From: tlhackque [...] yahoo.com
I tracked down the build problem - part way at least. It seems that the build starts off assuming it's under MacOS. This patch allows it to build, albeit with some warnings. I'm sure there's more to a proper fix, but here is the change that allows it to build on linux:

--- ./_Inline/config~ 2014-05-28 12:16:51.000000000 -0400 +++ ./_Inline/config 2016-01-03 20:20:44.000000000 -0500 @@ -8,7 +8,7 @@ Foo : interpreted modules : % C : Inline::C Foo : Inline::Foo suffixes : % - C : bundle + C : so Foo : foo

Built test report:

./Build test
t/10-unknown-method.t ............. ok
t/20-taint.t ...................... ok
t/example-make-cert-chain.t ....... ok
t/example-make-crls.t ............. ok
lib/Crypt/OpenSSL/CA.pm ........... 1/? # Failed test in lib/Crypt/OpenSSL/CA.pm at line 3053.
# Failed test in lib/Crypt/OpenSSL/CA.pm at line 3057.
lib/Crypt/OpenSSL/CA.pm ........... ok
lib/Crypt/OpenSSL/CA/Inline/C.pm .. 1/? new 0x8c08ad0 :
lib/Crypt/OpenSSL/CA/Inline/C.pm .. ok
t/lib/Crypt/OpenSSL/CA/Test.pm .... ok
All tests successful.
Files=7, Tests=99, 18 wallclock secs ( 0.08 usr 0.20 sys + 9.64 cusr 6.88 csys = 16.80 CPU)
Result: PASS
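Review bot: replacing `C : bundle` with `C : so` makes the config Linux-only, so the patched file would no longer work on the Mac that apparently produced it. More importantly, `_Inline/config` is a file Inline generates for the build host, so a host-specific copy should not be part of the distribution at all; before patching it, it is worth deleting the shipped `_Inline/` directory and letting `perl Build.PL` regenerate it, which would pick the right suffix on every platform.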
Subject: Tests fail unconditionally
From: tlhackque [...] yahoo.com
Looks like the two hard failures are TODOs:

{
    local $TODO = "UNIMPLEMENTED";
    test "PrivateKey: parse engine key" => sub { fail; };
    test "PrivateKey: parse engine key with some engine parameters" => sub { fail; };
}

I don't know what the "? new 0x8c08ad0 :" is. Hope this helps.
Subject: Better build patch
From: tlhackque [...] yahoo.com
Although I don't have a MacOS platform to test, I think this patch will make that work. (The previous one replaced bundle with so, which would break MacOS. This simply adds so, so both should work.) It does work on linux.

--- ./_Inline/config~ 2014-05-28 12:16:51.000000000 -0400 +++ ./_Inline/config 2016-01-03 20:41:17.000000000 -0500 @@ -9,6 +9,7 @@ modules : % C : Inline::C Foo : Inline::Foo suffixes : % C : bundle + C : so Foo : foo

Hope you can test on Mac.
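Review bot: after this hunk the `suffixes` section carries two `C :` keys, `bundle` and `so`, and nothing in the hunk shows whether Inline's config reader keeps the first or the last duplicate; if it keeps the last, the Mac build is still broken, and if it keeps the first, Linux is. That is the thing to confirm on a Mac before merging. Since `_Inline/config` is generated per build host, the durable fix is to stop shipping it in the tarball rather than to make one copy serve both platforms.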
Subject: More test failures
From: tlhackque [...] yahoo.com
Installed on another machine, more test failures. This one seems to be OpenSSL selecting a different encoding:

Working machine: OpenSSL 1.0.1g, failing 1.0.1j

]# perl Build test
t/10-unknown-method.t ............. ok
t/20-taint.t ...................... ok
t/example-make-cert-chain.t ....... ok
t/example-make-crls.t ............. ok
lib/Crypt/OpenSSL/CA.pm ........... # Failed test in lib/Crypt/OpenSSL/CA.pm at line 2864.
# got: 'utf8String'
# expected: 'teletexString'
# Failed test in lib/Crypt/OpenSSL/CA.pm at line 2876.
# got: 'utf8String'
# expected: 'bmpString'
lib/Crypt/OpenSSL/CA.pm ........... 1/? # Failed test 'X509_NAME'
# at lib/Crypt/OpenSSL/CA.pm line 2879.
lib/Crypt/OpenSSL/CA.pm ........... 3/? # Failed test in lib/Crypt/OpenSSL/CA.pm at line 3053.
# Failed test in lib/Crypt/OpenSSL/CA.pm at line 3057.
lib/Crypt/OpenSSL/CA.pm ........... 26/? # Looks like you failed 1 test of 28.
lib/Crypt/OpenSSL/CA.pm ........... Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/28 subtests
lib/Crypt/OpenSSL/CA/Inline/C.pm .. 1/? new 0x8779084 :
lib/Crypt/OpenSSL/CA/Inline/C.pm .. ok
t/lib/Crypt/OpenSSL/CA/Test.pm .... ok

Test Summary Report
-------------------
lib/Crypt/OpenSSL/CA.pm (Wstat: 256 Tests: 28 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=7, Tests=99, 41 wallclock secs ( 0.06 usr 0.41 sys + 15.31 cusr 20.15 csys = 35.93 CPU)
Result: FAIL
Failed 1/7 test programs. 1/99 subtests failed.

Also seeing these, not sure why. Test::Simple, Test::More & Test::Builder are 1.001014 (latest). One machine reports these, another doesn't. The one that does sees these with 0.23 too.

t/10-unknown-method.t ............. 1/? no_plan takes no arguments at t/10-unknown-method.t line 11.
t/example-make-cert-chain.t ....... no_plan takes no arguments at t/example-make-cert-chain.t line 13.
t/example-make-crls.t ............. no_plan takes no arguments at t/example-make-crls.t line 13.
lib/Crypt/OpenSSL/CA.pm ........... no_plan takes no arguments at lib/Crypt/OpenSSL/CA.pm line 2824.
lib/t/lib/Crypt/OpenSSL/CA/Test.pm .... no_plan takes no arguments at t/lib/Crypt/OpenSSL/CA/Test.pm line 1406.
Crypt/OpenSSL/CA/Inline/C.pm .. no_plan takes no arguments at lib/Crypt/OpenSSL/CA/Inline/C.pm line 733.

I noticed that there was an automated test report quite a while ago (another environment); the failure was something else, but the "no_plan takes no arguments" was present there too:
See: https://groups.google.com/forum/#!topic/perl.cpan.testers/BJMJ6mVRhIY

Sigh.
Subject: 0.24_01 encoding issue: patch attached
From: tlhackque [...] yahoo.com
On Mon Jan 04 07:18:44 2016, tlhackque wrote:
> Installed on another machine, more test failures.
>
> This is OpenSSL unconditionally encoding DNs as UTF-8:
>
> Working machine: OpenSSL 1.0.1g, failing 1.0.1j
>
> ]# perl Build test
> t/10-unknown-method.t ............. ok
> t/20-taint.t ...................... ok
> t/example-make-cert-chain.t ....... ok
> t/example-make-crls.t ............. ok
> lib/Crypt/OpenSSL/CA.pm ........... # Failed test in lib/Crypt/OpenSSL/CA.pm at line 2864.
> # got: 'utf8String'
> # expected: 'teletexString'
> # Failed test in lib/Crypt/OpenSSL/CA.pm at line 2876.
> # got: 'utf8String'
> # expected: 'bmpString'
> lib/Crypt/OpenSSL/CA.pm ........... 1/? # Failed test 'X509_NAME'
> # at lib/Crypt/OpenSSL/CA.pm line 2879.
> lib/Crypt/OpenSSL/CA.pm ........... 3/? # Failed test in lib/Crypt/OpenSSL/CA.pm at line 3053.
> # Failed test in lib/Crypt/OpenSSL/CA.pm at line 3057.
> lib/Crypt/OpenSSL/CA.pm ........... 26/? # Looks like you failed 1 test of 28.
> lib/Crypt/OpenSSL/CA.pm ........... Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/28 subtests
> lib/Crypt/OpenSSL/CA/Inline/C.pm .. 1/? new 0x8779084 :
> lib/Crypt/OpenSSL/CA/Inline/C.pm .. ok
> t/lib/Crypt/OpenSSL/CA/Test.pm .... ok
>
> Test Summary Report
> -------------------
> lib/Crypt/OpenSSL/CA.pm (Wstat: 256 Tests: 28 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> Files=7, Tests=99, 41 wallclock secs ( 0.06 usr 0.41 sys + 15.31 cusr 20.15 csys = 35.93 CPU)
> Result: FAIL
> Failed 1/7 test programs. 1/99 subtests failed.
Indeed, OpenSSL is unconditionally encoding DNs as UTF-8. See https://rt.openssl.org/Ticket/Display.html?id=3469 (username & password are 'guest').

Fixed with attached patch, which makes Crypt::OpenSSL::CA conform to its documentation. However, perhaps the doc should now recommend new_utf8...
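The teletexString/bmpString versus utf8String failures come down to OpenSSL's process-wide default string mask, which is intersected with each attribute's own permitted types before the smallest remaining type is chosen. The C model below is an added illustration, not code from this ticket, from OpenSSL or from Crypt::OpenSSL::CA: it reproduces that selection rule (bit values and the old 0xFFFFFFFF default assumed from OpenSSL's asn1.h) so the two masks can be compared on constructed sample values.

```c
/* Added model (not OpenSSL or Crypt::OpenSSL::CA code) of how OpenSSL's
 * ASN1_mbstring_copy() narrows the permitted DirectoryString types per
 * character and then picks the smallest one. Bit values mirror asn1.h. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define B_PRINTABLESTRING 0x0002UL
#define B_T61STRING       0x0004UL
#define B_BMPSTRING       0x0800UL
#define B_UTF8STRING      0x2000UL
/* Per-attribute mask for CN, O, OU, ... (OpenSSL's DIRSTRING_TYPE). */
#define DIRSTRING_TYPE (B_PRINTABLESTRING | B_T61STRING | B_BMPSTRING | B_UTF8STRING)
/* Global default mask: old OpenSSL allowed everything, newer builds are utf8only. */
#define MASK_OLD_DEFAULT 0xFFFFFFFFUL
#define MASK_UTF8ONLY    B_UTF8STRING

static int is_printable(uint32_t c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == ' ' ||
           (c != 0 && c < 128 && strchr("'()+,-./:=?", (int)c) != NULL);
}

/* cp: Unicode code points of the attribute value; returns the ASN.1 type name
 * that X509_NAME_add_entry_by_txt would end up using under global_mask. */
const char *pick_string_type(const uint32_t *cp, size_t n, unsigned long global_mask) {
    unsigned long mask = DIRSTRING_TYPE & global_mask;
    for (size_t i = 0; i < n && mask; i++) {
        if ((mask & B_PRINTABLESTRING) && !is_printable(cp[i])) mask &= ~B_PRINTABLESTRING;
        if ((mask & B_T61STRING) && cp[i] > 0xFF)               mask &= ~B_T61STRING;
        if ((mask & B_BMPSTRING) && cp[i] > 0xFFFF)             mask &= ~B_BMPSTRING;
    }
    if (!mask)                    return "illegal characters";
    if (mask & B_PRINTABLESTRING) return "printableString";
    if (mask & B_T61STRING)       return "teletexString";
    if (mask & B_BMPSTRING)       return "bmpString";
    return "utf8String";
}

/* Constructed sample values: plain ASCII, Latin-1 (U+00FC) and U+20AC. */
const uint32_t SAMPLE_ASCII[]  = {'C','r','y','p','t',' ','C','A'};
const uint32_t SAMPLE_LATIN1[] = {'J', 0x00FC, 's', 't'};
const uint32_t SAMPLE_EURO[]   = {'P','r','i','x',' ', 0x20AC};

int main(void) {
    printf("Latin-1 value: old default -> %s, utf8only -> %s\n",
           pick_string_type(SAMPLE_LATIN1, 4, MASK_OLD_DEFAULT),
           pick_string_type(SAMPLE_LATIN1, 4, MASK_UTF8ONLY));
    return 0;
}
```

Under the old default the Latin-1 and U+20AC samples come out as teletexString and bmpString, exactly what the failing tests expect; under utf8only every value becomes utf8String, which is what 1.0.1j reported.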
Subject: Crypt-CA-Encoding.patch
--- lib/Crypt/OpenSSL/CA.pm~ 2014-05-28 12:16:51.000000000 -0400 +++ lib/Crypt/OpenSSL/CA.pm 2016-01-04 08:43:15.000000000 -0500 @@ -194,10 +194,11 @@ use utf8 (); use Crypt::OpenSSL::CA::Inline::C <<"X509_BASE"; #include <openssl/x509.h> +#include <openssl/asn1.h> static void DESTROY(SV* sv_self) { X509_NAME_free(perl_unwrap("${\__PACKAGE__}", X509_NAME *, sv_self)); } @@ -285,16 +286,21 @@ static void _add_RDN_best_encoding(SV* sv_self, SV* sv_key, SV* sv_val) { X509_NAME* self = perl_unwrap("${\__PACKAGE__}", X509_NAME *, sv_self); char* key = char0_value(sv_key); char* val = char0_value(sv_val); + unsigned long mask = ASN1_STRING_get_default_mask(); + ASN1_STRING_set_default_mask(0xFFFFFFFFL); + if (! X509_NAME_add_entry_by_txt (self, key, (SvUTF8(sv_val) ? MBSTRING_UTF8 : MBSTRING_ASC), (unsigned char*) val, -1, -1, 0)) { + ASN1_STRING_set_default_mask(mask); sslcroak("X509_NAME_add_entry_by_txt failed for %s=%s", key, val); } + ASN1_STRING_set_default_mask(mask); } static void _add_RDN_utf8(SV* sv_self, SV* sv_key, SV* sv_val) { X509_NAME* self = perl_unwrap("${\__PACKAGE__}", X509_NAME *, sv_self);
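Review bot: in the _add_RDN_best_encoding hunk, ASN1_STRING_set_default_mask() changes process-global state, so the widen-to-0xFFFFFFFFL/restore pair around X509_NAME_add_entry_by_txt() is not thread-safe and, for the duration of the call, also changes the encoding chosen by any other code in the same process that builds an X509_NAME. X509_NAME_add_entry_by_txt() offers no per-call mask, so this is the only lever available, but that constraint deserves a comment next to the ASN1_STRING_set_default_mask(0xFFFFFFFFL) line. Restoring the saved mask before sslcroak() on the failure path is correct and should stay.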