[Bug 1828215] Re: openssl ca -spkac output regressed
Tim Wegener
1828215 at bugs.launchpad.net
Wed May 8 13:11:28 UTC 2019
Here's a recipe for generating a CA directory for testing.
It assumes you have already generated a CA key and cert.
touch "$CA_DIR/index.txt"
echo '1000' > "$CA_DIR/serial"
echo '1000' > "$CA_DIR/crlnumber"
mkdir -m 700 "$CA_DIR/newcerts"
mkdir -m 700 "$CA_DIR/private"
mkdir "$CA_DIR/certs"
cp "$CA_KEY" "$CA_DIR/private/ca_key.pem"
chmod 600 "$CA_DIR/private/ca_key.pem"
cp "$CA_CERT" "$CA_DIR/certs/ca_cert.pem"
Those paths need to correspond to those set in the "[ CA_default ]"
section of the openssl.cnf file.
E.g.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = somedir/ca_dir # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca_cert.pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca_key.pem
RANDFILE = $dir/.rand # private random number file
The initial crl file can be generated like so:
cat ca_key_passphrase_file.txt | openssl ca -gencrl -out "$CA_DIR/crl.pem" \
    -config /path/to/test.openssl.cnf -passin stdin
Use 'openssl req' to generate the cert request private key.
Use 'openssl spkac' to generate the spkac cert request data.
https://bugs.launchpad.net/bugs/1828215
Title:
openssl ca -spkac output regressed
Status in OpenSSL:
Unknown
Status in openssl package in Ubuntu:
Confirmed
Status in openssl source package in Bionic:
Confirmed
Status in openssl source package in Cosmic:
Confirmed
Status in openssl source package in Disco:
Confirmed
Status in openssl source package in Eoan:
Confirmed
Bug description:
[Impact]
* openssl command line utility option parsing has regressed in
1.1.0i+ and produces binary output, where text output is expected,
breaking applications that parse that.
[Test Case]
* OPENSSL_ENABLE_MD5_VERIFY=1 openssl ca -config test.openssl.cnf -passin stdin -batch -spkac input_file -startdate 190121130654Z
Currently produces binary goop.
Should produce PEM format Base64 encoded certificate data in a block surrounded
with BEGIN/END certificate.
[Regression Potential]
* This is a regression in cosmic and up, and impending regression in
bionic with the upcoming 1.1.1 SRU. A bugfix exists upstream.
[Other Info]
* Originally reported https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/comments/39
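Added example, not part of the bug report or of OpenSSL: a shell check for the [Test Case] above that classifies what 'openssl ca -spkac' wrote as PEM text or raw DER, so a test harness fails explicitly on binary output instead of mis-parsing it. The function name classify_cert_output and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug report): classify the
# stdout of `openssl ca -spkac` as PEM text or raw DER.

# classify_cert_output FILE  -> prints "pem", "der" or "unknown"
classify_cert_output() {
    file=$1
    # PEM: a BEGIN CERTIFICATE line with an END line after it. Other text
    # (for example a human-readable dump) may come before the block.
    if LC_ALL=C awk '
        /^-----BEGIN CERTIFICATE-----/ { b = 1; next }
        b && /^-----END CERTIFICATE-----/ { e = 1 }
        END { exit !(b && e) }' "$file"
    then
        echo pem; return 0
    fi
    # DER: 0x30 (SEQUENCE), 0x82 (two length bytes follow), and the encoded
    # length must account for the whole file. Checking the length keeps a
    # text file that merely starts with "0" (also 0x30) from matching.
    set -- $(od -An -tu1 -N4 "$file")
    if [ $# -eq 4 ] && [ "$1" -eq 48 ] && [ "$2" -eq 130 ]; then
        size=$(($(wc -c < "$file")))
        if [ "$size" -eq $(( $3 * 256 + $4 + 4 )) ]; then
            echo der; return 0
        fi
    fi
    echo unknown
}

# Constructed samples; the base64 body and the DER payload are placeholders,
# not real certificates.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Certificate:' '    Data:' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$tmp/text.out"
{ printf '\060\202\001\001'; printf '%0257d' 0; } > "$tmp/binary.out"

for sample in "$tmp/text.out" "$tmp/binary.out"; do
    echo "$(basename "$sample"): $(classify_cert_output "$sample")"
done
```

Redirect the test-case command's stdout to a file and pass that file to classify_cert_output; a result of der corresponds to the binary output described in the bug.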