Bug 80094 - openssl fails to sign certs with certain extensions
openssl fails to sign certs with certain extensions
Status: CLOSED CANTFIX
Product: Red Hat Linux
Classification: Retired
Component: openssl096 (Show other bugs)
7.2
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
http://www.unicom.com/tmp/signfail-te...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-12-19 16:20 EST by Need Real Name
Modified: 2007-04-18 12:49 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-18 12:27:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
test case that demonstrates the bug (2.39 KB, application/octet-stream)
2002-12-28 13:07 EST, Need Real Name
no flags Details

  None (edit)
Description Need Real Name 2002-12-19 16:20:13 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020826

Description of problem:
When openssl is used to sign certs (openssl x509 ...) with certain extensions,
it pukes with an error such as:

Error Loading extension section ext
30767:error:0D06B089:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:130:
30767:error:0D081065:asn1 encoding routines:d2i_ASN1_OBJECT:bad object
header:a_object.c:217:
30767:error:2206706E:X509 V3 routines:V2I_EXT_KU:invalid object
identifier:v3_extku.c:143:section:,name:1.3.6.1.5.5.7.3.2,value:
30767:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:91:name=extendedKeyUsage, value=1.3.6.1.5.5.7.3.2

In this case, it was complaining about:

    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

This is a major problem, because certain Microsoft applications require you to
be able to insert OIDs when signing certs.

This is a recent problem.  It was introduced somewhere between
<openssl-devel-0.9.6b-8> and <openssl-0.9.6b-28>.

It appears there are some snapshot versions of 0.9.6b that had a problem. 
Possibly you built with a bogus snapshot.  See:

http://www.mail-archive.com/openssl-users@openssl.org/msg28171.html





Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Download tarball from http://www.unicom.com/tmp/signfail-test.tar.gz
2. sh cmd
3.
    

Actual Results:  openssl puked

Expected Results:  Running with <openssl-0.9.6b-8> produces:

Signature ok
subject=/C=US/ST=Massachusetts/L=Bolton/O=Amaranth Networks, Inc./CN=Chip
Rosenthal/Email=chip@unicom.com
Getting CA Private Key

and outputs a valid cert to "catool-cert.pem".

Additional info:

Until this problem is fixed, openssl is not useful for signing anything but the
simplest of SSL certs.
Comment 1 Need Real Name 2002-12-28 13:07:52 EST
Created attachment 88967 [details]
test case that demonstrates the bug

This attachment contains the testcase I referred to in the bug report.
(http://www.unicom.com/tmp/signfail-test.tar.gz)
Comment 2 Daniel Senie 2003-03-10 18:06:41 EST
This bug is causing serious problems. Would be nice if someone could look at 
it. An opportunity to address this was missed when the last errata was 
produced.
Comment 3 Bill Nottingham 2006-08-07 15:03:08 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 4 Bill Nottingham 2006-10-18 12:27:15 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.

Note You need to log in before you can comment on or make changes to this bug.