[Bug 1828215] Re: openssl ca -spkac output regressed

Launchpad Bug Tracker 1828215 at bugs.launchpad.net
Fri Jun 14 02:05:12 UTC 2019 

This bug was fixed in the package openssl - 1.1.1-1ubuntu2.1~18.04.2

---------------
openssl (1.1.1-1ubuntu2.1~18.04.2) bionic; urgency=medium

  * Cherrypick upstream patch to fix ca -spkac output to be text again.
    LP: #1828215
  * Cherrypick upstream patch to prevent over long nonces in ChaCha20-Poly1305
    CVE-2019-1543
  * Bump major version of OpenSSL in postinst to trigger services restart
    upon upgrade. Many services listed there must be restarted when
    upgrading 1.1.0 to 1.1.1. LP: #1832522

 -- Dimitri John Ledkov <xnox at ubuntu.com>  Wed, 12 Jun 2019 00:12:47
+0100

** Changed in: openssl (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1828215

Title:
  openssl ca -spkac output regressed

Status in OpenSSL:
  Fix Released
Status in openssl package in Ubuntu:
  Fix Committed
Status in openssl source package in Bionic:
  Fix Released
Status in openssl source package in Cosmic:
  Fix Committed
Status in openssl source package in Disco:
  Fix Committed
Status in openssl source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

   * openssl command line utility option parsing has regressed in
  1.1.0i+ and produces binary output, where text output is expected,
  breaking applications that parse that.

  [Test Case]

  Setup CA:
  $ apt install openssl
  $ mkdir -p  demoCA/private demoCA/newcerts
  $ touch demoCA/index.txt
  $ echo 01 > demoCA/serial

  $ openssl req -new -x509 -days 365 -newkey rsa:4096 -keyout
  demoCA/private/cakey.pem -out demoCA/cacert.pem

  # Use password test
  # Accept defaults for all other settings

  $ openssl req -new -days 365 -newkey rsa:4096 -keyout
  demoCA/sslkey.pem -out demoCA/sslcert.pem

  Generate regular request / key:
  # Use password test
  # Set common name to: example.com
  # Accept defaults for all other settings

  Generate spkac request:
  $ openssl spkac -key demoCA/sslkey.pem -out demoCA/sslcert.spkac
  $ cat <<EOF >>demoCA/sslcert.spkac 
  countryName=AU
  stateOrProvinceName=Some-State
  organizationName=Internet Widgits Pty Ltd
  commonName=example.com
  EOF

  Sign spkac request:
  $ echo test | openssl ca -passin stdin -batch -spkac demoCA/sslcert.spkac -startdate 190121130654Z

  Expected: pure text output
  Unexpected: binary output for the signed cert

  
   Currently produces binary goop.

   Should produce PEM format Base64 encoded certificate data in a block surrounded
   with BEGIN/END certificate.

  [Regression Potential]

   * This is a regression in cosmic and up, and impeding regression in
  bionic with the upcoming 1.1.1 SRU. A bugfix exists upstream.

  [Other Info]

   * Originally reported
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/comments/39

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1828215/+subscriptions

More information about the foundations-bugs mailing list