This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch branch-1.18.x
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/branch-1.18.x by this push:
     new 21729d6be KUDU-3716 Add version to IPKI CA CSR
21729d6be is described below

commit 21729d6be71d03d1bbc412374dda303517db2e44
Author: Attila Bukor <[email protected]>
AuthorDate: Mon Nov 17 18:25:44 2025 +0100

    KUDU-3716 Add version to IPKI CA CSR
    
    OpenSSL 3.4.0 added a version check to certificate signing that causes
    signing previously working CSRs to fail with the below error:
    
    Runtime error: failed to self-sign cert: CSR signature verification error: error:05800091:x509 certificate routines::unsupported version:crypto/x509/x_all.c:47:X509_REQ_verify_ex
    
    This patch fixes this problem by setting the version on the CSR.
    
    While X509_REQ_set_version() has been there since forever,
    the version constant X509_REQ_VERSION_1 was added only in OpenSSL 3.0,
    so this X509_REQ_set_version() call is added only in OpenSSL >= 3.0.
    
    Change-Id: I735a56d444009a867fbcab9b78d0053cea593b95
    Reviewed-on: http://gerrit.cloudera.org:8080/23681
    Reviewed-by: Alexey Serbin <[email protected]>
    Reviewed-by: Ashwani Raina <[email protected]>
    Tested-by: Attila Bukor <[email protected]>
    (cherry picked from commit 879a8f9e2a94f36f1019d7201617fb61d88e9701)
    Reviewed-on: http://gerrit.cloudera.org:8080/23690
    Tested-by: Alexey Serbin <[email protected]>
    Reviewed-by: Abhishek Chennaka <[email protected]>
---
 src/kudu/security/ca/cert_management-test.cc | 5 +++++
 src/kudu/security/ca/cert_management.cc      | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/kudu/security/ca/cert_management-test.cc 
b/src/kudu/security/ca/cert_management-test.cc
index 8423c6694..839561e7d 100644
--- a/src/kudu/security/ca/cert_management-test.cc
+++ b/src/kudu/security/ca/cert_management-test.cc
@@ -17,6 +17,8 @@
 
 #include "kudu/security/ca/cert_management.h"
 
+#include <openssl/crypto.h>
+
 #include <initializer_list>
 #include <optional>
 #include <string>
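Review bot: the new `<openssl/crypto.h>` include only supplies OPENSSL_VERSION_NUMBER for the guard added below; the X509_REQ_get_version() call and the X509_REQ_VERSION_1 constant used inside that guard are declared in `<openssl/x509.h>`, which this file appears to pick up only transitively through cert_management.h. Include `<openssl/x509.h>` directly here so the test does not break if the header's own includes are trimmed later.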
@@ -198,6 +200,9 @@ TEST_F(CertManagementTest, SignCert) {
   Cert cert;
   ASSERT_OK(CertSigner(&ca_cert_, &ca_private_key_).Sign(csr, &cert));
   ASSERT_OK(cert.CheckKeyMatch(key));
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  ASSERT_EQ(X509_REQ_VERSION_1, X509_REQ_get_version(csr.GetRawData()));
+#endif
 
   EXPECT_EQ("C = US, ST = CA, O = MyCompany, CN = MyName, emailAddress = 
[email protected]",
             cert.IssuerName());
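Review bot: gating the assertion on OPENSSL_VERSION_NUMBER >= 0x30000000L means the test says nothing about the CSR version on OpenSSL 1.1.x builds, even though X509_REQ_get_version() exists there and the expected value is the same (X509_REQ_VERSION_1 is defined as 0). Consider asserting `ASSERT_EQ(0, X509_REQ_get_version(csr.GetRawData()));` unconditionally, or add a one-line comment explaining why the check applies only to 3.0+. Since the version is set in GenerateRequest(), placing the assertion right after the CSR is generated rather than after Sign() would also pin the behaviour more directly.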
diff --git a/src/kudu/security/ca/cert_management.cc 
b/src/kudu/security/ca/cert_management.cc
index 2a9e8eff8..0d325b42c 100644
--- a/src/kudu/security/ca/cert_management.cc
+++ b/src/kudu/security/ca/cert_management.cc
@@ -84,6 +84,15 @@ Status CertRequestGeneratorBase::GenerateRequest(const 
PrivateKey& key,
   OPENSSL_RET_NOT_OK(X509_REQ_set_pubkey(req.get(), key.GetRawData()),
       "error setting X509 public key");
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+  // Set the request version explicitly to make sure newer OpenSSL versions can
+  // handle it.
+  //
+  // https://github.com/openssl/openssl/pull/24677/
+  OPENSSL_RET_NOT_OK(X509_REQ_set_version(req.get(), X509_REQ_VERSION_1),
+      "error setting X509 version");
+#endif
+
   // Populate the subject field of the request.
   RETURN_NOT_OK(SetSubject(req.get()));
 
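Review bot: the #if guard means binaries built against OpenSSL < 3.0 still emit CSRs with no explicit version, so a CSR generated by such a build and verified by a peer linked against OpenSSL 3.4+ hits the same X509_REQ_verify_ex error the commit message describes. Because X509_REQ_VERSION_1 is simply 0 and X509_REQ_set_version() predates 3.0 (as the commit message notes), calling `X509_REQ_set_version(req.get(), 0)` unconditionally would close that gap without the conditional compilation. Two smaller points: the comment would be more useful if it named the actual cause (OpenSSL 3.4.0's X509_REQ_verify_ex rejecting requests with an unset version) and referenced KUDU-3716 next to the upstream PR link; and the error string "error setting X509 version" should read "X509 request version", since it is the CSR, not a certificate, that is being modified.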
