[Bug 2018252] Re: [SRU] Fix invalid CSR version in python-acme

[Robie Basak]

I think it might help to elaborate on the user story that is currently
broken and would be fixed by this change. Right now the description
explains things from the point of view of the code, not the point of
view for users. What is the problem that users are experiencing today
that needs fixing, from the point of view of users?

Once that is described clearly, then an appropriate Test Plan should
become clear - to verify that the change fixes the problem, we should
replay the user story that is described as being broken. We should also
test the common case of use of python-acme, which could
straightforwardly be to ensure that certbot works against the proposed
update of python-acme to configure (say) nginx in the common case, and
that users then don't get a certificate warning on browsing that server.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to a duplicate bug report (2018260).
https://bugs.launchpad.net/bugs/2018252

Title:
  [SRU] Fix invalid CSR version in python-acme

Status in python-acme package in Ubuntu:
  Fix Released
Status in python-acme source package in Focal:
  Confirmed
Status in python-acme source package in Jammy:
  Incomplete

Bug description:
  [ Impact ]

  This bug causes certbot to generate CSRs which are invalid. These CSRs
  are then sent to ACME servers or otherwise parsed. Some software
  validate CSR validity more aggressively, whichmeans it will reject
  these CSRs.

  The principle motivation for backporting this fix is to stop certbot
  from generating CSRs. This will both alleviate bugs experienced by
  users, as well as reduce pressure on CSR parsers to accept _invalid_
  CSRs.

  [ Test plan ]

  The patch contains a unit test that verifies the patch itself works
  correctly. It has been present in certbot upstream since the 1.29.0
  release. Further, the fix was backported to both Debian and RHEL.
  Therefore, it has received substantial burn-in and is extremely
  unlikely to regress anything.

  [ Where problems could occur ]

  For a problem to occur, it would require software that not only
  accepted, but in fact _required_, an invalid CSR, and which also did
  not process CSRs from recent versions of certbot or versions from
  Debian or RHEL containing the backport.

  The worst-case scenario for such software would be something that
  copied the version value from a CSR into a certificate it was issuing
  (CSRs have only a single valid version, v1. X.509 certificates can be
  either v1 or v3, however in practice v3 is the only version in use.).
  Such software would end up producing different (and less
  correct/compatible) certificates. I am not aware of any software with
  this behavior.

  A more likely (though still improbable) bug would be software which
  merely asserts that the CSR's version is something incorrect.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-acme/+bug/2018252/+subscriptions