Hi! My coworker Sebastian discovered a glitch while playing with `pkitool' of OpenVPN's `easy-rsa'[1]. This was observed with Debian's libssl-1.0.1g-3: If input for a country name is longer than the expected two bytes. openssl will spit out an endless stream of
----------- >8 ======================= error message =
string is too long, it needs to be less than 2 bytes long
========================================= 8< ---------
We noticed that there's configury for the country name's length
(countryName_min and countryName_max). Those have some effect, but
there seems to be a hardcoded limit imposed, too. But whatever is
configured as a minimum/maximum length, openssl shouldn't just go to
100% CPU.
This is a working testcase:
----------- >8 ============================ testcase =
#!/usr/bin/env bash
CFG="/tmp/openssl-conf-$$.cnf"
export PKCS11TOOL="pkcs11-tool"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_EXPIRE=3650
export KEY_ORG=Fort-Funston
export KEY_CITY=SanFrancisco
export KEY_SIZE=2048
export KEY_OU=MyOrganizationalUnit
export KEY_EMAIL=me@myhost.mydomain
export KEY_CONFIG="${CFG}"
export KEY_NAME=EasyRSA
export KEY_COUNTRY=US-
export KEY_DIR=/tmp
export KEY_CN=Fort-Funston CA
export KEY_PROVINCE=CA
cat > "${CFG}" << 'EOF'
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
oid_section = new_oids
engines = engine_section
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s
hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "Easy-RSA Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
[ server ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
EOF
exec openssl req -batch \
-days 3650 \
-nodes \
-new \
-newkey rsa:2048 \
-x509 \
-keyout ca.key \
-out ca.crt \
-config "${CFG}"
========================================= 8< ---------
If you change $KEY_COUNTRY back to "US" (or anything else with a
length smaller than 3), openssl will work as expected.
Thanks,
Jan-Benedict
[1] https://github.com/OpenVPN/easy-rsa, tested with v2.2.2 .
--
Getslash GmbH, Bahnhofstraße 16, 59302 Oelde
Tel: +49-2522-834349-5 Fax: +49-2522-834349-1
http://www.getslash.de Mobil: +49-152-33822499
Sitz der Gesellschaft: Oelde
Handelsregister: Amtsgericht Münster, HRB 11911
Ust-Id-Nr.: DE 815060326
Geschäftsführung: Andre Peitz, Tobias Hanisch
signature.asc
Description: PGP signature
