Package: tinyca
Version: 0.7.5-1
Followup-For: Bug #328581

I also get the same trouble here with a hanging tinyca while importing a
foreign CA. The CA was created with the "easy-rsa" scripts from the
"openvpn" package. Basically the script does:

        pkitool --interact --initca 

After a quick look, pkitool (part of easy-rsa) in turn runs:

        openssl req -days ... -nodes -new -x509 -keyout "keys/ca.key" \
                -out "keys/ca.crt" -config "openssl.conf"

This is my openssl.conf:

        HOME                    = .
        RANDFILE                = $ENV::HOME/.rnd
        oid_section             = new_oids
        [ new_oids ]
        [ ca ]
        default_ca      = CA_default            # The default ca section
        [ CA_default ]
        dir             = $ENV::KEY_DIR         # Where everything is kept
        certs           = $dir                  # Where the issued certs are kept
        crl_dir         = $dir                  # Where the issued crl are kept
        database        = $dir/index.txt        # database index file.
        new_certs_dir   = $dir                  # default place for new certs.
        certificate     = $dir/ca.crt           # The CA certificate
        serial          = $dir/serial           # The current serial number
        crl             = $dir/crl.pem          # The current CRL
        private_key     = $dir/ca.key           # The private key
        RANDFILE        = $dir/.rand            # private random number file
        x509_extensions = usr_cert              # The extentions to add to the cert
        default_days    = 3650                  # how long to certify for
        default_crl_days= 30                    # how long before next CRL
        default_md      = md5                   # which md to use.
        preserve        = no                    # keep passed DN ordering
        policy          = policy_anything
        [ policy_match ]
        countryName             = match
        stateOrProvinceName     = match
        organizationName        = match
        organizationalUnitName  = optional
        commonName              = supplied
        emailAddress            = optional
        [ policy_anything ]
        countryName             = optional
        stateOrProvinceName     = optional
        localityName            = optional
        organizationName        = optional
        organizationalUnitName  = optional
        commonName              = supplied
        emailAddress            = optional
        [ req ]
        default_bits            = $ENV::KEY_SIZE
        default_keyfile         = privkey.pem
        distinguished_name      = req_distinguished_name
        attributes              = req_attributes
        x509_extensions = v3_ca # The extentions to add to the self signed cert
        string_mask = nombstr
        [ req_distinguished_name ]
        countryName                     = Country Name (2 letter code)
        countryName_default             = $ENV::KEY_COUNTRY
        countryName_min                 = 2
        countryName_max                 = 2
        stateOrProvinceName             = State or Province Name (full name)
        stateOrProvinceName_default     = $ENV::KEY_PROVINCE
        localityName                    = Locality Name (eg, city)
        localityName_default            = $ENV::KEY_CITY
        0.organizationName              = Organization Name (eg, company)
        0.organizationName_default      = $ENV::KEY_ORG
        organizationalUnitName          = Organizational Unit Name (eg, section)
        commonName                      = Common Name (eg, your name or your server\'s hostname)
        commonName_max                  = 64
        emailAddress                    = Email Address
        emailAddress_default            = $ENV::KEY_EMAIL
        emailAddress_max                = 40
        [ req_attributes ]
        challengePassword               = A challenge password
        challengePassword_min           = 4
        challengePassword_max           = 20
        unstructuredName                = An optional company name
        [ usr_cert ]
        basicConstraints=CA:FALSE
        nsComment                       = "OpenSSL Generated Certificate"
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid,issuer:always
        [ server ]
        basicConstraints=CA:FALSE
        nsCertType                      = server
        nsComment                       = "OpenSSL Generated Server Certificate"
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid,issuer:always
        extendedKeyUsage=serverAuth
        keyUsage = digitalSignature, keyEncipherment
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        [ v3_ca ]
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid:always,issuer:always
        basicConstraints = CA:true
        [ crl_ext ]
        authorityKeyIdentifier=keyid:always,issuer:always


Additionally I touched keys/index.txt, ran tinyca and tried to import the
CA. The CA's private key was, by the way, not protected by a passphrase.
The footer line of the main TinyCA2 window showed that it wanted to
import my keys/ca.key. I then ran tinyca under strace and these are the
last lines:

open("/home/ca/debug/keys/ca.key", O_RDONLY|O_LARGEFILE) = 8
ioctl(8, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf87a058) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(8, 0, [0], SEEK_CUR)            = 0
fstat64(8, {st_mode=S_IFREG|0600, st_size=1679, ...}) = 0
fcntl64(8, F_SETFD, FD_CLOEXEC)         = 0
read(8, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1679
read(8, "", 4096)                       = 0
stat64("/home/ca/.TinyCA/tmp/dataVHOOIJWJ", 0x81510c8) = -1 ENOENT (No such file or directory)
pipe([9, 10])                           = 0
ioctl(9, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf87a1e8) = -1 EINVAL (Invalid argument)
_llseek(9, 0, 0xbf87a230, SEEK_CUR)     = -1 ESPIPE (Illegal seek)
ioctl(10, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf87a1e8) = -1 EINVAL (Invalid argument)
_llseek(10, 0, 0xbf87a230, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(9, F_SETFD, FD_CLOEXEC)         = 0
fcntl64(10, F_SETFD, FD_CLOEXEC)        = 0
pipe([11, 12])                          = 0
ioctl(11, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf87a1e8) = -1 EINVAL (Invalid argument)
_llseek(11, 0, 0xbf87a230, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
ioctl(12, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbf87a1e8) = -1 EINVAL (Invalid argument)
_llseek(12, 0, 0xbf87a230, SEEK_CUR)    = -1 ESPIPE (Illegal seek)
fcntl64(11, F_SETFD, FD_CLOEXEC)        = 0
fcntl64(12, F_SETFD, FD_CLOEXEC)        = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7dbb928) = 15393
close(9)                                = 0
close(12)                               = 0
write(10, "-----BEGIN RSA PRIVATE KEY-----\n"..., 1680) = 1680
read(11,

This is where tinyca hangs. Reading the trace, the key material has been
written to the child's stdin pipe (fd 10) and tinyca is then blocked
reading the child's stdout (fd 11), so presumably the process started by
the clone() never produces any output. I'd be glad if this gets resolved
because there does not seem to be any other decent GUI for maintaining a CA.

 Christoph

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to de_DE.UTF-8)

Versions of packages tinyca depends on:
ii  libgtk2-perl                  1:1.121-1  Perl interface to the 2.x series o
ii  liblocale-gettext-perl        1.05-1     Using libc functions for internati
ii  openssl                       0.9.8b-2   Secure Socket Layer (SSL) binary a

Versions of packages tinyca recommends:
pn  zip                           <none>     (no description available)

-- no debconf information

