From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274952] [REGRESSION] certctl(8): 87945a082980260b52507ad5bfb3a0ce773a80da breaks usage of custom CA files
Date: Tue, 07 Nov 2023 12:45:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274952

            Bug ID: 274952
           Summary: [REGRESSION] certctl(8): 87945a082980260b52507ad5bfb3a0ce773a80da breaks usage of custom CA files
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: michaelo@FreeBSD.org

As laid out in the comments:
https://github.com/freebsd/freebsd-src/commit/87945a082980260b52507ad5bfb3a0ce773a80da

> split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"

Unfortunately, that is broken as well.
https://www.rfc-editor.org/rfc/rfc7468#section-2 says:

> Textual encoding begins with a line comprising "-----BEGIN ", a
> label, and "-----", and ends with a line comprising "-----END ", a
> label, and "-----".

and

> lines are divided with CRLF, CR, or LF.

Now:

> # egrep '^-+BEGIN CERTIFICATE-+$' /usr/local/share/certs/siemens-pki-cert-15.crt

which does not work because it does not fully implement the RFC:

> # cat -v /usr/local/share/certs/siemens-pki-cert-15.crt
> subject: CN=Siemens Issuing CA Medium Strength Authentication 2020,OU=Siemens Trust Center,serialNumber=ZZZZZZB6,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> issuer: CN=Siemens Root CA V3.0 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA1,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> not valid before: 2020-06-24T10:50:55Z^M
> not valid after: 2026-06-24T10:50:55Z^M
> source: Siemens PKI^M
> client cert auth strength: medium^M
> subject hash: be133774^M
> fingerprint (SHA-1): 5F:B4:05:3E:EE:D6:94:15:9F:25:72:59:0A:82:D5:1E:BE:FB:53:2D^M
> fingerprint (SHA-256): 89:05:AD:16:17:C5:53:05:64:8E:AB:95:33:88:61:55:F8:D4:CE:5B:45:6F:17:83:FB:47:88:7B:F9:28:82:1A^M
> extended key usage:^M
>   Transport Layer Security (TLS) World Wide Web (WWW) client authentication (1.3.6.1.5.5.7.3.2)^M
>   Email protection (1.3.6.1.5.5.7.3.4)^M
>   Signing Online Certificate Status Protocol (OCSP) responses (1.3.6.1.5.5.7.3.9)^M
> -----BEGIN CERTIFICATE-----^M
> MIIJkzCCB3ugAwIBAgIEfGgrtTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC^M
> REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoM^M
> B1NpZW1lbnMxETAPBgNVBAUTCFpaWlpaWkExMR0wGwYDVQQLDBRTaWVtZW5zIFRy^M
> dXN0IENlbnRlcjEiMCAGA1UEAwwZU2llbWVucyBSb290IENBIFYzLjAgMjAxNjAe^M
> Fw0yMDA2MjQxMDUwNTVaFw0yNjA2MjQxMDUwNTVaMIG2MQswCQYDVQQGEwJERTEP^M
> MA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2ll^M
> bWVuczERMA8GA1UEBRMIWlpaWlpaQjYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3Qg^M
> Q2VudGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVu^M
> Z3RoIEF1dGhlbnRpY2F0aW9uIDIwMjAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw^M
> ggIKAoICAQDGd8o5EWM7+UrZpD9ga1nWo6hQE/haOg3U+uV2Qv9Yrq/TsR0FAQ4X^M
> CzRJ7bYW4h4jkr9XyTwfhOuwW5J+iP/uSHSenEPWoekcsLYMjs2qg0CRDuY+8D9R^M
> nlqQYE6fv6l4mqPymudBOm7Cy3mPS0d6BlO5bWAXyCUOZaB9IxpNk0ouqXajTB64^M
> 2f59BReCORGg52l5tvVs8edsoRop94JRe7LXxn0Byqz3uwHRNTUPbnKdvNGcsWl4^M
> aB66CB7Uj1dFuR9K7Uy4STap9eD5IibXvRnl7tpgsJcX+kOM5c851DJ6gA8zY2Vy^M
> Upsr2SDdPwFWrDjjqqlf7530a2I+ipZruwWBSDce97WSW5XRYE2dUO3h0g68xttZ^M
> JD5iveqdoAhZXf/9yDqAJe7NGzu/C9RNrguq17MpRgWuUqLUx8N/mAGRsZJFLJg9^M
> AJvGSOtz77ambCdnq73Zqy07dnO0ybg6lutm3vPwV2MeIJ+aGh9ECxOIXG8cCVKG^M
> orNxyNhAli+YzPJTytHLmCNqHmTlwMmJcs3v7z7QRdDOeWWV6T4vswI3KJ66EB0q^M
> TDnCzssRqp9mepFQmKPK193rUGDKm+RsIluCBiY/ltKYhawUJe8Q8KztRGZoIjH6^M
> 4CAgumfsGTeICd54tDFdRzxEcqlixeTrOodY3P1IHBr/vCI3ENOlqwIDAQABo4ID^M
> wjCCA74wgfgGCCsGAQUFBwEBBIHrMIHoMEEGCCsGAQUFBzAChjVsZGFwOi8vYWwu^M
> c2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAyBggr^M
> BgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5jcnQw^M
> SgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpaQTEs^M
> bz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMCMGCCsGAQUFBzABhhdodHRwOi8v^M
> b2NzcC5zaWVtZW5zLmNvbTAfBgNVHSMEGDAWgBRwbaBQ7KnQLGedGRX+/QRzNcPi^M
> 1DASBgNVHRMBAf8ECDAGAQH/AgEAMIIBaAYDVR0gBIIBXzCCAVswNQYIKwYBBAGh^M
> aQcwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoG^M
> DSsGAQQBoWkHAgIDAgMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5z^M
> LmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIDAQMwKTAnBggrBgEFBQcCARYbaHR0cDov^M
> L3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIEAQMwKTAnBggrBgEF^M
> BQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDcGCisGAQQBoWkHAgUw^M
> KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDUGCCsG^M
> AQQBoWljMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5jb20vcGtp^M
> LzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVucy5uZXQv^M
> Q049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SGJmh0dHA6^M
> Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8vY2wuc2ll^M
> bWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9yaXR5UmV2^M
> b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEF^M
> BQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA1+aaPq7mhwVqIHFPm1k6mu^M
> 4EfCMA0GCSqGSIb3DQEBCwUAA4ICAQBSMbkJZsfcZppTh0KigOHozfdqrFKoXHJB^M
> dFFyMuCF0jvhWr4dWhWfkN1pxNM6AA6fdJjJjJoOzQHUysMNdbcbFZl4e/4VW6Qg^M
> 6h/0CkAV+VJBQYeJ34l3vQKtwPWN/yhItLU6JyxNIt3b5WxTgSXvjicazALcDz9h^M
> tTnXeE39QSgH7jh2uEIZk0q9YHYYaPmAndsDa4j943FQyjayqKm9ggCfS+SHc85f^M
> 3PlCq5yZyypVKzpq/DFJ2r+CCtRWzQXRTz2cvVdGueyF0gmTPlLoGIpc5rPlOWXH^M
> KE07+Ibc25aY0VmIN5VGUMOEbHz0nq+aCDtnx+HfPHiS9oNQH7zyclGhgKcWwI9T^M
> IdsB/IPp+oH/7v7V++Q0d81azfzvc/mCUd0CGCDDNjPqj2gOhn6IPKRU5QFIL/1h^M
> ycW1PEHyC6BmIT1NkUVGWcFEXbkR4GIv72VGfupUf6xBdd36VzL1TUbrbV2tfAvB^M
> OHBahZzzD4/kGKgUUCu9AEsj+BvqCe/va5h3NbB6bAGkZNDdP5coEECIHNu84ywN^M
> 3IKOAVvWBzEcyDWAOu6IU9kOiDxPFq/oniLjxlEXJMEeVOYZL7B4Z2QzJakIdTAO^M
> ZuIehRUdtkj6gKgu84zxgVTaYrHOa/byINCqpEsoeddKyKwCGD4s+LaeuGSSOwOv^M
> cxztI32uTA==^M
> -----END CERTIFICATE-----^M

On: FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023

I assume that this was done for the content from ca_root_nss, but please keep in mind that this is not the default OpenSSL behavior. OpenSSL will not read beyond the first entry because rehash is supposed to read one cert per file.

Ultimately, this should not care about ca_root_nss at all.

-- 
You are receiving this mail because:
You are the assignee for the bug.
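The failure the report describes can be reproduced and contrasted with an RFC 7468-tolerant splitter. The following is an added example, not code from certctl(8), FreeBSD, or the reporter: it applies the quoted `^-+BEGIN CERTIFICATE-+$` pattern with per-line anchors (where, as in egrep, `$` matches only before `\n` and `\r` is an ordinary character) and shows it finding nothing in CRLF- or CR-terminated input, then splits the same input by dividing lines on CRLF, CR or LF as section 2 of the RFC allows, skipping explanatory text before the BEGIN line and re-emitting each object with LF endings so it can be written to one file per certificate. The sample input is constructed to mimic the `cat -v` output above; its base64 payload is an arbitrary placeholder, not a real certificate, since the splitter never parses DER.

```python
"""Splitting PEM input per RFC 7468 line conventions versus an LF-only anchor.

Added example; not code from certctl(8), FreeBSD, or the bug report.
"""
import base64
import re

# The certctl(8) pattern quoted in the report, applied with per-line anchors.
# With MULTILINE, '$' matches only before '\n', never before '\r'.
NAIVE_BEGIN = re.compile(r"^-+BEGIN CERTIFICATE-+$", re.MULTILINE)

# RFC 7468, section 2: lines are divided with CRLF, CR, or LF.
_LINE_SPLIT = re.compile(r"\r\n|\r|\n")
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9][A-Z0-9 ]*)-----[ \t]*$")
_END = re.compile(r"^-----END ([A-Z0-9][A-Z0-9 ]*)-----[ \t]*$")


def naive_begin_count(text):
    """Number of BEGIN lines the certctl pattern finds (0 on CRLF or CR input)."""
    return len(NAIVE_BEGIN.findall(text))


def split_pem(text):
    """Return [(label, block), ...] for every PEM object in text.

    Text outside BEGIN/END pairs is ignored, as RFC 7468 allows.  Each block
    is returned with LF line endings regardless of the input's terminators.
    Mismatched labels, an unterminated object, or a non-base64 body raise
    ValueError so that a corrupt file is not silently installed as a CA.
    """
    blocks, label, body = [], None, []
    for line in _LINE_SPLIT.split(text):
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m is None:
            body.append(line.strip())
            continue
        if m.group(1) != label:
            raise ValueError(f"END {m.group(1)} closes BEGIN {label}")
        # Base64 sanity check; binascii.Error is a ValueError subclass.
        base64.b64decode("".join(body), validate=True)
        block = "\n".join([f"-----BEGIN {label}-----", *body,
                           f"-----END {label}-----"]) + "\n"
        blocks.append((label, block))
        label = None
    if label is not None:
        raise ValueError(f"unterminated BEGIN {label}")
    return blocks


# Constructed sample mimicking the cat -v output in the report: explanatory
# header lines followed by one PEM object.  The payload is an arbitrary
# 64-byte placeholder (assumption), not a real certificate.
_PLACEHOLDER_DER = bytes(range(64))


def make_sample(eol):
    """Build the constructed sample text using the given line terminator."""
    b64 = base64.b64encode(_PLACEHOLDER_DER).decode("ascii")
    lines = [
        "subject: CN=Example Issuing CA,O=Example,C=DE",
        "extended key usage:",
        "  Transport Layer Security (TLS) World Wide Web (WWW) client "
        "authentication (1.3.6.1.5.5.7.3.2)",
        "-----BEGIN CERTIFICATE-----",
        *[b64[i:i + 64] for i in range(0, len(b64), 64)],
        "-----END CERTIFICATE-----",
    ]
    return eol.join(lines) + eol


CRLF_SAMPLE = make_sample("\r\n")
CR_SAMPLE = make_sample("\r")
LF_SAMPLE = make_sample("\n")

if __name__ == "__main__":
    for name, text in (("CRLF", CRLF_SAMPLE), ("CR", CR_SAMPLE), ("LF", LF_SAMPLE)):
        print(f"{name}: certctl pattern matches {naive_begin_count(text)}, "
              f"RFC 7468 splitter finds {len(split_pem(text))} object(s)")
```

Running the block prints 0 matches for the CRLF and CR samples and 1 for LF under the anchored pattern, while `split_pem` returns the same single CERTIFICATE block for all three; feeding it two concatenated samples yields two blocks, which is the one-object-per-file split the report's `split -p` invocation was meant to produce.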