Hey there,

I have encountered an issue with OpenSSL req:

~$ openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Sat Apr 19 17:02:02 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro
-Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl"

I use two sections for my CA, one for the certificate request
extensions and one for the self-signed root certificate as specified by
the manpage:

[ req ]

#[...]
prompt=no

req_extensions = req_ext
x509_extensions = x509_ext
#[...]

In the first I use $ENV::VARNAME to set keyUsage and extendedKeyUsage
like this:

[ req_ext ]

basicConstraints=CA:FALSE
keyUsage=$ENV::KEY_KEYUSAGE
extendedKeyUsage=$ENV::KEY_EKEYUSAGE
subjectKeyIdentifier=hash

and for the -x509 section I use:

[ x509_ext ]

basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

When I execute the root certificate generation:

export KEY_CN="foo ca"
export KEY_ORG="foo inc"
openssl req -config openssl.cnf -new -x509 -out root.crt
-passout pass:foobar -keyout root.key -days 3650

I get this error: 

error on line 24 of openssl.cnf
140003809027728:error:0E065068:configuration file
routines:STR_COPY:variable has no value:conf_def.c:618:line 24

Line 24 in openssl.cnf: keyUsage=$ENV::KEY_KEYUSAGE

Which is obviously in the wrong section for a command like that.
Workaround: 

export KEY_KEYUSAGE="digitalSignature"
export KEY_EKEYUSAGE="serverAuth"

And it works flawlessly with the same command, not using the provided
values at all, as they are overwritten by the x509 section:

~$ openssl x509 -in assets/root.crt -noout -text
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
[...]

As this is a small issue and there is a workaround this might be a low
priority problem. ;)

Greetings,

Olaf Rühenbeck
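Added example (not part of the message above, and not OpenSSL's own code): a small Python model of how OpenSSL's CONF loader expands $ENV::NAME and $section::name references. The point it demonstrates is the one behind the report: references are resolved while the file is loaded, not when a section is later used, so an unset environment variable in the unused [ req_ext ] section still aborts `openssl req -x509`. The lookup order (the named section, then the environment for ENV, then the unnamed default section) and the sample config are assumptions that mirror the reported setup.

```python
"""Toy model of OpenSSL's CONF variable expansion (constructed example).

OpenSSL expands $ENV::NAME and $section::name while it *loads* the
configuration, not when a section is used.  This model reproduces that
behaviour so the "variable has no value" failure can be seen without
running openssl itself.  It is not OpenSSL's parser.
"""
import os
import re

# $NAME, ${NAME}, $section::NAME  (assumed subset of OpenSSL's syntax)
REF = re.compile(r"\$(?:\{([^}]+)\}|([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?))")


class ConfError(Exception):
    """Raised at load time, like OpenSSL's STR_COPY error."""


def expand(value, conf, cur_section, env, lineno):
    """Resolve every $ reference in value, raising if one is undefined."""
    def lookup(m):
        ref = m.group(1) or m.group(2)
        if "::" in ref:
            sect, name = ref.split("::", 1)
        else:
            sect, name = cur_section, ref
        # Assumed order: named section, then environment (ENV only),
        # then the unnamed default section.
        if name in conf.get(sect, {}):
            return conf[sect][name]
        if sect == "ENV" and name in env:
            return env[name]
        if name in conf["default"]:
            return conf["default"][name]
        raise ConfError(f"line {lineno}: variable has no value: ${ref}")
    return REF.sub(lookup, value)


def load_conf(text, env=None):
    """Parse an OpenSSL-style config, expanding references eagerly."""
    env = os.environ if env is None else env
    conf = {"default": {}}
    section = "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            raise ConfError(f"line {lineno}: missing '='")
        name, value = (s.strip() for s in line.split("=", 1))
        # Expansion happens here, regardless of whether any command
        # will ever read this section.
        conf[section][name] = expand(value, conf, section, env, lineno)
    return conf


# Constructed config mirroring the reported layout.
SAMPLE_CNF = """\
[ req ]
prompt = no
req_extensions = req_ext
x509_extensions = x509_ext

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = $ENV::KEY_KEYUSAGE
extendedKeyUsage = $ENV::KEY_EKEYUSAGE

[ x509_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
"""


def load_status(env):
    """Return (ok, detail): the error text on failure, or the keyUsage
    that an -x509 run would actually use on success."""
    try:
        conf = load_conf(SAMPLE_CNF, env)
    except ConfError as e:
        return False, str(e)
    return True, conf["x509_ext"]["keyUsage"]


if __name__ == "__main__":
    print(load_status({}))                     # fails on line 8 (req_ext)
    print(load_status({"KEY_KEYUSAGE": "digitalSignature",
                       "KEY_EKEYUSAGE": "serverAuth"}))   # loads fine
```

Running it with an empty environment fails on the keyUsage line of [ req_ext ] even though only [ x509_ext ] would be consulted for a self-signed root, which is exactly the reported error; exporting the two variables makes the load succeed and, as in the message, the x509 section's own keyUsage is what ends up in the certificate.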
