FreeBSD Mail Archives

Date:      Tue, 07 Nov 2023 12:45:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 274952] [REGRESSION] certctl(8): 87945a082980260b52507ad5bfb3a0ce773a80da breaks usage of custom CA files
Message-ID:  <bug-274952-227@https.bugs.freebsd.org/bugzilla/>

next in thread | raw e-mail | index | archive | help

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D274952

            Bug ID: 274952
           Summary: [REGRESSION] certctl(8):
                    87945a082980260b52507ad5bfb3a0ce773a80da breaks usage
                    of custom CA files
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: michaelo@FreeBSD.org

As layed out in the comments:
https://github.com/freebsd/freebsd-src/commit/87945a082980260b52507ad5bfb3a=
0ce773a80da

> split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"

Unfortunately, that is broken as well.
https://www.rfc-editor.org/rfc/rfc7468#section-2 says:

> Textual encoding begins with a line comprising "-----BEGIN ", a
> label, and "-----", and ends with a line comprising "-----END ", a
> label, and "-----".
and
> lines are divided with CRLF, CR, or LF.

Now:
> # egrep  '^-+BEGIN CERTIFICATE-+$' /usr/local/share/certs/siemens-pki-cer=
t-15.crt
which does not work because it does fully implement the RFC:
> # cat -v /usr/local/share/certs/siemens-pki-cert-15.crt
> subject: CN=3DSiemens Issuing CA Medium Strength Authentication 2020,OU=
=3DSiemens Trust Center,serialNumber=3DZZZZZZB6,O=3DSiemens,L=3DMuenchen,ST=
=3DBayern,C=3DDE^M
> issuer: CN=3DSiemens Root CA V3.0 2016,OU=3DSiemens Trust Center,serialNu=
mber=3DZZZZZZA1,O=3DSiemens,L=3DMuenchen,ST=3DBayern,C=3DDE^M
> not valid before: 2020-06-24T10:50:55Z^M
> not valid after: 2026-06-24T10:50:55Z^M
> source: Siemens PKI^M
> client cert auth strength: medium^M
> subject hash: be133774^M
> fingerprint (SHA-1): 5F:B4:05:3E:EE:D6:94:15:9F:25:72:59:0A:82:D5:1E:BE:F=
B:53:2D^M
> fingerprint (SHA-256): 89:05:AD:16:17:C5:53:05:64:8E:AB:95:33:88:61:55:F8=
:D4:CE:5B:45:6F:17:83:FB:47:88:7B:F9:28:82:1A^M
> extended key usage:^M
>   Transport Layer Security (TLS) World Wide Web (WWW) client authenticati=
on (1.3.6.1.5.5.7.3.2)^M
>   Email protection (1.3.6.1.5.5.7.3.4)^M
>   Signing Online Certificate Status Protocol (OCSP) responses (1.3.6.1.5.=
5.7.3.9)^M
> -----BEGIN CERTIFICATE-----^M
> MIIJkzCCB3ugAwIBAgIEfGgrtTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC^M
> REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoM^M
> B1NpZW1lbnMxETAPBgNVBAUTCFpaWlpaWkExMR0wGwYDVQQLDBRTaWVtZW5zIFRy^M
> dXN0IENlbnRlcjEiMCAGA1UEAwwZU2llbWVucyBSb290IENBIFYzLjAgMjAxNjAe^M
> Fw0yMDA2MjQxMDUwNTVaFw0yNjA2MjQxMDUwNTVaMIG2MQswCQYDVQQGEwJERTEP^M
> MA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2ll^M
> bWVuczERMA8GA1UEBRMIWlpaWlpaQjYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3Qg^M
> Q2VudGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVu^M
> Z3RoIEF1dGhlbnRpY2F0aW9uIDIwMjAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw^M
> ggIKAoICAQDGd8o5EWM7+UrZpD9ga1nWo6hQE/haOg3U+uV2Qv9Yrq/TsR0FAQ4X^M
> CzRJ7bYW4h4jkr9XyTwfhOuwW5J+iP/uSHSenEPWoekcsLYMjs2qg0CRDuY+8D9R^M
> nlqQYE6fv6l4mqPymudBOm7Cy3mPS0d6BlO5bWAXyCUOZaB9IxpNk0ouqXajTB64^M
> 2f59BReCORGg52l5tvVs8edsoRop94JRe7LXxn0Byqz3uwHRNTUPbnKdvNGcsWl4^M
> aB66CB7Uj1dFuR9K7Uy4STap9eD5IibXvRnl7tpgsJcX+kOM5c851DJ6gA8zY2Vy^M
> Upsr2SDdPwFWrDjjqqlf7530a2I+ipZruwWBSDce97WSW5XRYE2dUO3h0g68xttZ^M
> JD5iveqdoAhZXf/9yDqAJe7NGzu/C9RNrguq17MpRgWuUqLUx8N/mAGRsZJFLJg9^M
> AJvGSOtz77ambCdnq73Zqy07dnO0ybg6lutm3vPwV2MeIJ+aGh9ECxOIXG8cCVKG^M
> orNxyNhAli+YzPJTytHLmCNqHmTlwMmJcs3v7z7QRdDOeWWV6T4vswI3KJ66EB0q^M
> TDnCzssRqp9mepFQmKPK193rUGDKm+RsIluCBiY/ltKYhawUJe8Q8KztRGZoIjH6^M
> 4CAgumfsGTeICd54tDFdRzxEcqlixeTrOodY3P1IHBr/vCI3ENOlqwIDAQABo4ID^M
> wjCCA74wgfgGCCsGAQUFBwEBBIHrMIHoMEEGCCsGAQUFBzAChjVsZGFwOi8vYWwu^M
> c2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAyBggr^M
> BgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5jcnQw^M
> SgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpaQTEs^M
> bz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMCMGCCsGAQUFBzABhhdodHRwOi8v^M
> b2NzcC5zaWVtZW5zLmNvbTAfBgNVHSMEGDAWgBRwbaBQ7KnQLGedGRX+/QRzNcPi^M
> 1DASBgNVHRMBAf8ECDAGAQH/AgEAMIIBaAYDVR0gBIIBXzCCAVswNQYIKwYBBAGh^M
> aQcwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoG^M
> DSsGAQQBoWkHAgIDAgMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5z^M
> LmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIDAQMwKTAnBggrBgEFBQcCARYbaHR0cDov^M
> L3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIEAQMwKTAnBggrBgEF^M
> BQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDcGCisGAQQBoWkHAgUw^M
> KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDUGCCsG^M
> AQQBoWljMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5jb20vcGtp^M
> LzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVucy5uZXQv^M
> Q049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SGJmh0dHA6^M
> Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8vY2wuc2ll^M
> bWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9yaXR5UmV2^M
> b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEF^M
> BQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA1+aaPq7mhwVqIHFPm1k6mu^M
> 4EfCMA0GCSqGSIb3DQEBCwUAA4ICAQBSMbkJZsfcZppTh0KigOHozfdqrFKoXHJB^M
> dFFyMuCF0jvhWr4dWhWfkN1pxNM6AA6fdJjJjJoOzQHUysMNdbcbFZl4e/4VW6Qg^M
> 6h/0CkAV+VJBQYeJ34l3vQKtwPWN/yhItLU6JyxNIt3b5WxTgSXvjicazALcDz9h^M
> tTnXeE39QSgH7jh2uEIZk0q9YHYYaPmAndsDa4j943FQyjayqKm9ggCfS+SHc85f^M
> 3PlCq5yZyypVKzpq/DFJ2r+CCtRWzQXRTz2cvVdGueyF0gmTPlLoGIpc5rPlOWXH^M
> KE07+Ibc25aY0VmIN5VGUMOEbHz0nq+aCDtnx+HfPHiS9oNQH7zyclGhgKcWwI9T^M
> IdsB/IPp+oH/7v7V++Q0d81azfzvc/mCUd0CGCDDNjPqj2gOhn6IPKRU5QFIL/1h^M
> ycW1PEHyC6BmIT1NkUVGWcFEXbkR4GIv72VGfupUf6xBdd36VzL1TUbrbV2tfAvB^M
> OHBahZzzD4/kGKgUUCu9AEsj+BvqCe/va5h3NbB6bAGkZNDdP5coEECIHNu84ywN^M
> 3IKOAVvWBzEcyDWAOu6IU9kOiDxPFq/oniLjxlEXJMEeVOYZL7B4Z2QzJakIdTAO^M
> ZuIehRUdtkj6gKgu84zxgVTaYrHOa/byINCqpEsoeddKyKwCGD4s+LaeuGSSOwOv^M
> cxztI32uTA=3D=3D^M
> -----END CERTIFICATE-----^M

On: FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRE=
NT
#0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023

I assume that this was done for the content from ca_root_nss, but please ke=
ep
in mind that this is not the default OpenSSL behavior. OpenSSL will not read
beyond the first entry because rehash is supposed to read one cert per file=
.=20
Ultimately, this should not care about ca_root_nss at all.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-274952-227>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation