Skip to content

Comments

X509: use V3 when extensions present; certs generated by apps bear X.509 V3 by default#19271

Closed
DDvO wants to merge 4 commits intoopenssl:masterfrom
siemens:X509_v3_by_default
Closed

X509: use V3 when extensions present; certs generated by apps bear X.509 V3 by default#19271
DDvO wants to merge 4 commits intoopenssl:masterfrom
siemens:X509_v3_by_default

Conversation

@DDvO
Copy link
Contributor

@DDvO DDvO commented Sep 24, 2022
edited
Loading

When preparing #19076 I found that by default (when no X.509 v3 extensions are used),
certs generated by the x509, ca, and req apps still have X.509 version 1.
This is anachronistic and causes various issues, such as missing key identifiers for chain building
and no clear distinction between CA certs and EE certs.

This PR makes sure V3 is used,
with the exception of a new -x509v1 option of the req app, which implies the -x509 option while forcing using V1 unless extensions are given (which requires V3).

On this occasion, also

  • apps/req.c: properly report parse errors by duplicated(); simplify the function
  • CHANGES.md: 'added' -> 'add', 'extended' -> 'extend' for OpenSSL 3.1 entries
  • test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
Checklist
  • documentation is added or updated
  • tests are added or updated

@DDvO DDvO added branch: master Applies to master branch approval: review pending This pull request needs review by a committer approval: otc review pending triaged: feature The issue/pr requests/adds a feature labels Sep 24, 2022
@DDvO DDvO changed the title APPS: generated certs bear X.509 V3 by default APPS: make generated certs bear X.509 V3 by default Sep 24, 2022
@DDvO DDvO requested review from t8m and vdukhovni September 24, 2022 22:22
@DDvO
Copy link
Contributor Author

DDvO commented Sep 24, 2022
edited
Loading

The failing external-tests CI run with error 79 at 1 depth lookup: invalid CA certificate
are most likely due to missing basicConstraints = CA:true, which I also fixed in 90-test_store.t.
@beldmit, please verify and fix gost-engine.

@DDvO
Copy link
Contributor Author

DDvO commented Sep 25, 2022

And how about the API level?

I suggest adapting X509_sign{_ctx}() to set version 3 if extensions are present,
which prevents X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 on verification.

@beldmit
Copy link
Member

beldmit commented Sep 25, 2022

@DDvO could you please try the gost-engine/engine@a6b9052 ?

@DDvO
Copy link
Contributor Author

DDvO commented Sep 25, 2022

@DDvO could you please try the gost-engine/engine@a6b9052 ?

Thank you for your immediate handling - with this updated submodule reference it works fine :)

t8m
t8m requested changes Sep 26, 2022
View reviewed changes
Copy link
Member

@t8m t8m left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would drop the first commit. IMO the past tense is correct.

t8m
t8m reviewed Sep 26, 2022
View reviewed changes
t8m
t8m reviewed Sep 26, 2022
View reviewed changes
@DDvO
Copy link
Contributor Author

DDvO commented Sep 26, 2022

I would drop the first commit. IMO the past tense is correct.

Will do with the next push.

@DDvO DDvO mentioned this pull request Sep 26, 2022
Closed
@DDvO DDvO changed the title APPS: make generated certs bear X.509 V3 by default X509: use V3 when extensions present; certs generated by apps bear X.509 V3 by default Sep 28, 2022
@DDvO DDvO force-pushed the X509_v3_by_default branch from 7276dc9 to a3eb6c1 Compare September 28, 2022 19:27
@DDvO DDvO requested a review from t8m September 29, 2022 10:46
@DDvO DDvO mentioned this pull request Sep 29, 2022
Closed
@DDvO
Copy link
Contributor Author

DDvO commented Oct 8, 2022

@t8m, ok now?

t8m
t8m requested changes Oct 10, 2022
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few nits to fix

@DDvO
Copy link
Contributor Author

DDvO commented Oct 18, 2022

Just a few nits to fix

Thanks @t8m for your further comments, which I had overlooked so far, but now they are handled.

t8m
t8m approved these changes Oct 19, 2022
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI failures are unrelated.

@DDvO DDvO force-pushed the X509_v3_by_default branch from fb22f54 to 24cfffa Compare November 17, 2022 15:05
@DDvO
Copy link
Contributor Author

DDvO commented Nov 17, 2022

Rebased to fix merge conflict in x_all.c

Ping for 2nd review.

@DDvO DDvO force-pushed the X509_v3_by_default branch from 24cfffa to 68c853e Compare November 21, 2022 11:35
@DDvO
Copy link
Contributor Author

DDvO commented Nov 21, 2022

Rebased to fix trivial merge conflict in CHANGES.md.

@openssl-machine
Copy link
Collaborator

openssl-machine commented Dec 22, 2022

This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago

@t8m t8m added the tests: present The PR has suitable tests present label Dec 22, 2022
@t8m
Copy link
Member

t8m commented Dec 22, 2022

Adding some more tests would be nice.

@DDvO
Copy link
Contributor Author

DDvO commented Dec 22, 2022

Adding some more tests would be nice.

Done.

@DDvO
Copy link
Contributor Author

DDvO commented Dec 22, 2022

@t8m wanna reconfirm, now since more tests have been added?
I also added note to the HISTORY section of the three app docs.

t8m
t8m approved these changes Dec 22, 2022
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI failure is not related.

@openssl-machine
Copy link
Collaborator

openssl-machine commented Jan 22, 2023

This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago

@t8m
Copy link
Member

t8m commented Jan 23, 2023

ping for second review

@hlandau hlandau added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Jan 23, 2023
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Jan 24, 2023
@openssl-machine
Copy link
Collaborator

openssl-machine commented Jan 24, 2023

This pull request is ready to merge

@DDvO
Copy link
Contributor Author

DDvO commented Jan 24, 2023

Merged - thanks @t8m and @hlandau for the reviews.

openssl-machine pushed a commit that referenced this pull request Jan 24, 2023
@DDvO
X509{,_CRL,_REVOKED}_{set,sign}*(): fix 'modified' field and return v…
7e0013d 
…alues

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from #19271)
openssl-machine pushed a commit that referenced this pull request Jan 24, 2023
@DDvO
apps/req.c: properly report parse errors by duplicated(); simplify th…
66fc90f 
…e function

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from #19271)
openssl-machine pushed a commit that referenced this pull request Jan 24, 2023
@DDvO
APPS: generated certs bear X.509 V3, unless -x509v1 option of req app…
342e365 
… is given

Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
Reviewed-by: David von Oheimb <[email protected]>
(Merged from #19271)
@DDvO DDvO closed this Jan 24, 2023
@bdewater bdewater mentioned this pull request Dec 29, 2023
Closed
@rhenium rhenium mentioned this pull request Jun 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@t8m t8m t8m approved these changes

@vdukhovni vdukhovni Awaiting requested review from vdukhovni

+1 more reviewer

@hlandau hlandau hlandau approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch tests: present The PR has suitable tests present triaged: feature The issue/pr requests/adds a feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DDvO @beldmit @openssl-machine @t8m @hlandau