[Bug 274952] [REGRESSION] certctl(8): 87945a082980260b52507ad5bfb3a0ce773a80da breaks usage of custom CA files
Date: Tue, 07 Nov 2023 12:45:33 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274952

            Bug ID: 274952
           Summary: [REGRESSION] certctl(8): 87945a082980260b52507ad5bfb3a0ce773a80da breaks usage of custom CA files
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: michaelo@FreeBSD.org

As laid out in the comments:
https://github.com/freebsd/freebsd-src/commit/87945a082980260b52507ad5bfb3a0ce773a80da

> split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"

Unfortunately, that is broken as well.
https://www.rfc-editor.org/rfc/rfc7468#section-2 says:

> Textual encoding begins with a line comprising "-----BEGIN ", a
> label, and "-----", and ends with a line comprising "-----END ", a
> label, and "-----".

and

> lines are divided with CRLF, CR, or LF.

Now:

> # egrep '^-+BEGIN CERTIFICATE-+$' /usr/local/share/certs/siemens-pki-cert-15.crt

which does not work because it does fully implement the RFC:

> # cat -v /usr/local/share/certs/siemens-pki-cert-15.crt
> subject: CN=Siemens Issuing CA Medium Strength Authentication 2020,OU=Siemens Trust Center,serialNumber=ZZZZZZB6,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> issuer: CN=Siemens Root CA V3.0 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA1,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> not valid before: 2020-06-24T10:50:55Z^M
> not valid after: 2026-06-24T10:50:55Z^M
> source: Siemens PKI^M
> client cert auth strength: medium^M
> subject hash: be133774^M
> fingerprint (SHA-1): 5F:B4:05:3E:EE:D6:94:15:9F:25:72:59:0A:82:D5:1E:BE:FB:53:2D^M
> fingerprint (SHA-256): 89:05:AD:16:17:C5:53:05:64:8E:AB:95:33:88:61:55:F8:D4:CE:5B:45:6F:17:83:FB:47:88:7B:F9:28:82:1A^M
> extended key usage:^M
> Transport Layer Security (TLS) World Wide Web (WWW) client authentication (1.3.6.1.5.5.7.3.2)^M
> Email protection (1.3.6.1.5.5.7.3.4)^M
> Signing Online Certificate Status Protocol (OCSP) responses (1.3.6.1.5.5.7.3.9)^M
> -----BEGIN CERTIFICATE-----^M
> MIIJkzCCB3ugAwIBAgIEfGgrtTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC^M
> REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoM^M
> B1NpZW1lbnMxETAPBgNVBAUTCFpaWlpaWkExMR0wGwYDVQQLDBRTaWVtZW5zIFRy^M
> dXN0IENlbnRlcjEiMCAGA1UEAwwZU2llbWVucyBSb290IENBIFYzLjAgMjAxNjAe^M
> Fw0yMDA2MjQxMDUwNTVaFw0yNjA2MjQxMDUwNTVaMIG2MQswCQYDVQQGEwJERTEP^M
> MA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2ll^M
> bWVuczERMA8GA1UEBRMIWlpaWlpaQjYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3Qg^M
> Q2VudGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVu^M
> Z3RoIEF1dGhlbnRpY2F0aW9uIDIwMjAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw^M
> ggIKAoICAQDGd8o5EWM7+UrZpD9ga1nWo6hQE/haOg3U+uV2Qv9Yrq/TsR0FAQ4X^M
> CzRJ7bYW4h4jkr9XyTwfhOuwW5J+iP/uSHSenEPWoekcsLYMjs2qg0CRDuY+8D9R^M
> nlqQYE6fv6l4mqPymudBOm7Cy3mPS0d6BlO5bWAXyCUOZaB9IxpNk0ouqXajTB64^M
> 2f59BReCORGg52l5tvVs8edsoRop94JRe7LXxn0Byqz3uwHRNTUPbnKdvNGcsWl4^M
> aB66CB7Uj1dFuR9K7Uy4STap9eD5IibXvRnl7tpgsJcX+kOM5c851DJ6gA8zY2Vy^M
> Upsr2SDdPwFWrDjjqqlf7530a2I+ipZruwWBSDce97WSW5XRYE2dUO3h0g68xttZ^M
> JD5iveqdoAhZXf/9yDqAJe7NGzu/C9RNrguq17MpRgWuUqLUx8N/mAGRsZJFLJg9^M
> AJvGSOtz77ambCdnq73Zqy07dnO0ybg6lutm3vPwV2MeIJ+aGh9ECxOIXG8cCVKG^M
> orNxyNhAli+YzPJTytHLmCNqHmTlwMmJcs3v7z7QRdDOeWWV6T4vswI3KJ66EB0q^M
> TDnCzssRqp9mepFQmKPK193rUGDKm+RsIluCBiY/ltKYhawUJe8Q8KztRGZoIjH6^M
> 4CAgumfsGTeICd54tDFdRzxEcqlixeTrOodY3P1IHBr/vCI3ENOlqwIDAQABo4ID^M
> wjCCA74wgfgGCCsGAQUFBwEBBIHrMIHoMEEGCCsGAQUFBzAChjVsZGFwOi8vYWwu^M
> c2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAyBggr^M
> BgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5jcnQw^M
> SgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpaQTEs^M
> bz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMCMGCCsGAQUFBzABhhdodHRwOi8v^M
> b2NzcC5zaWVtZW5zLmNvbTAfBgNVHSMEGDAWgBRwbaBQ7KnQLGedGRX+/QRzNcPi^M
> 1DASBgNVHRMBAf8ECDAGAQH/AgEAMIIBaAYDVR0gBIIBXzCCAVswNQYIKwYBBAGh^M
> aQcwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoG^M
> DSsGAQQBoWkHAgIDAgMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5z^M
> LmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIDAQMwKTAnBggrBgEFBQcCARYbaHR0cDov^M
> L3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIEAQMwKTAnBggrBgEF^M
> BQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDcGCisGAQQBoWkHAgUw^M
> KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDUGCCsG^M
> AQQBoWljMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5jb20vcGtp^M
> LzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVucy5uZXQv^M
> Q049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SGJmh0dHA6^M
> Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8vY2wuc2ll^M
> bWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9yaXR5UmV2^M
> b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEF^M
> BQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA1+aaPq7mhwVqIHFPm1k6mu^M
> 4EfCMA0GCSqGSIb3DQEBCwUAA4ICAQBSMbkJZsfcZppTh0KigOHozfdqrFKoXHJB^M
> dFFyMuCF0jvhWr4dWhWfkN1pxNM6AA6fdJjJjJoOzQHUysMNdbcbFZl4e/4VW6Qg^M
> 6h/0CkAV+VJBQYeJ34l3vQKtwPWN/yhItLU6JyxNIt3b5WxTgSXvjicazALcDz9h^M
> tTnXeE39QSgH7jh2uEIZk0q9YHYYaPmAndsDa4j943FQyjayqKm9ggCfS+SHc85f^M
> 3PlCq5yZyypVKzpq/DFJ2r+CCtRWzQXRTz2cvVdGueyF0gmTPlLoGIpc5rPlOWXH^M
> KE07+Ibc25aY0VmIN5VGUMOEbHz0nq+aCDtnx+HfPHiS9oNQH7zyclGhgKcWwI9T^M
> IdsB/IPp+oH/7v7V++Q0d81azfzvc/mCUd0CGCDDNjPqj2gOhn6IPKRU5QFIL/1h^M
> ycW1PEHyC6BmIT1NkUVGWcFEXbkR4GIv72VGfupUf6xBdd36VzL1TUbrbV2tfAvB^M
> OHBahZzzD4/kGKgUUCu9AEsj+BvqCe/va5h3NbB6bAGkZNDdP5coEECIHNu84ywN^M
> 3IKOAVvWBzEcyDWAOu6IU9kOiDxPFq/oniLjxlEXJMEeVOYZL7B4Z2QzJakIdTAO^M
> ZuIehRUdtkj6gKgu84zxgVTaYrHOa/byINCqpEsoeddKyKwCGD4s+LaeuGSSOwOv^M
> cxztI32uTA==^M
> -----END CERTIFICATE-----^M

On: FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023

I assume that this was done for the content from ca_root_nss, but please keep in mind that this is not the default OpenSSL behavior. OpenSSL will not read beyond the first entry because rehash is supposed to read one cert per file. Ultimately, this should not care about ca_root_nss at all.
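The failure the report shows comes from the regex anchor: in a file with CRLF line endings the CR is part of each line, so `-+$` never matches `-----BEGIN CERTIFICATE-----^M` and neither `egrep` nor `split -p` sees a single certificate boundary. The script below is an added example and not certctl(8)'s own code or part of the commit under discussion; it normalises CR to LF before matching, which covers the CRLF, CR and LF cases RFC 7468 section 2 permits, and uses awk in place of `split -p` so the normalisation and the BEGIN/END matching live in one pipeline. The function names, the `cert-NNN.pem` output naming and the sample files are assumptions; the certificate bodies in the sample are constructed base64-looking filler, not real certificates.

```shell
#!/bin/sh
# Added example, not certctl(8)'s own code. Splits a PEM bundle into one
# certificate per file while accepting CRLF, CR or LF line endings, as
# RFC 7468 section 2 allows. awk is used here instead of split(1) -p so the
# line-ending normalisation and the BEGIN/END matching live in one place.

# Count BEGIN lines the way the regex in the report does: the CR of a CRLF
# line is part of the line, so "-+$" never matches and the count is 0.
naive_begin_count() {
    grep -Ec '^-+BEGIN CERTIFICATE-+$' "$1" || true
}

# Same regex after turning every CR into LF, which is what the RFC allows.
rfc_begin_count() {
    tr '\r' '\n' < "$1" | grep -Ec '^-+BEGIN CERTIFICATE-+$' || true
}

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-001.pem, cert-002.pem, ...
# and prints the number of certificates written. Text outside a BEGIN/END
# pair (such as the "subject:" preamble seen in the report) is skipped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    tr '\r' '\n' < "$bundle" | awk -v dir="$outdir" '
        NF == 0 { next }                    # CRLF became LF LF; drop the empty line
        /^-+BEGIN CERTIFICATE-+$/ {         # start of a new certificate
            n++
            out = sprintf("%s/cert-%03d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-+END CERTIFICATE-+$/ {           # end of the current certificate
            inside = 0
            close(out)
        }
        END { print n + 0 }
    '
}

# make_sample DIR: writes constructed test files (the bodies are base64-looking
# filler, not real certificates) with CRLF, LF and CR-only line endings, plus
# a bundle concatenating all three, and prints the bundle path.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\r\n' 'subject: CN=constructed example one' \
        '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktMTU5PUA==' \
        '-----END CERTIFICATE-----' > "$dir/crlf.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UVJTVFVWV1hZWg==' \
        '-----END CERTIFICATE-----' > "$dir/lf.crt"
    printf '%s\r' '-----BEGIN CERTIFICATE-----' 'YWJjZGVmZ2hpams=' \
        '-----END CERTIFICATE-----' > "$dir/cr.crt"
    cat "$dir/crlf.crt" "$dir/lf.crt" "$dir/cr.crt" > "$dir/bundle.crt"
    echo "$dir/bundle.crt"
}

# Demo run, enabled with PEM_SPLIT_DEMO=1 so the functions above can also be
# sourced from another script without side effects.
if [ "${PEM_SPLIT_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    bundle=$(make_sample "$work")
    echo "naive count on CRLF file:        $(naive_begin_count "$work/crlf.crt")"
    echo "RFC-aware count on CRLF file:    $(rfc_begin_count "$work/crlf.crt")"
    echo "certificates split out of bundle: $(split_pem_bundle "$bundle" "$work/out")"
    ls "$work/out"
fi
```

Run with `PEM_SPLIT_DEMO=1 sh split_pem.sh` to see the naive count report 0 on the CRLF file while the normalised count and the splitter both find every certificate. Normalising to LF also means the files handed to `openssl rehash` contain only LF-terminated lines, which matches what a single-certificate PEM file written by OpenSSL itself looks like.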