https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274952
Bug ID: 274952
Summary: [REGRESSION] certctl(8):
87945a082980260b52507ad5bfb3a0ce773a80da breaks usage
of custom CA files
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
As laid out in the comments:
https://github.com/freebsd/freebsd-src/commit/87945a082980260b52507ad5bfb3a0ce773a80da
> split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"
Unfortunately, that is broken as well.
https://www.rfc-editor.org/rfc/rfc7468#section-2 says:
> Textual encoding begins with a line comprising "-----BEGIN ", a
> label, and "-----", and ends with a line comprising "-----END ", a
> label, and "-----".
and
> lines are divided with CRLF, CR, or LF.
Now:
> # egrep '^-+BEGIN CERTIFICATE-+$' /usr/local/share/certs/siemens-pki-cert-15.crt
which does not work because it does not fully implement the RFC:
> # cat -v /usr/local/share/certs/siemens-pki-cert-15.crt
> subject: CN=Siemens Issuing CA Medium Strength Authentication 2020,OU=Siemens Trust Center,serialNumber=ZZZZZZB6,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> issuer: CN=Siemens Root CA V3.0 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA1,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M
> not valid before: 2020-06-24T10:50:55Z^M
> not valid after: 2026-06-24T10:50:55Z^M
> source: Siemens PKI^M
> client cert auth strength: medium^M
> subject hash: be133774^M
> fingerprint (SHA-1): 5F:B4:05:3E:EE:D6:94:15:9F:25:72:59:0A:82:D5:1E:BE:FB:53:2D^M
> fingerprint (SHA-256): 89:05:AD:16:17:C5:53:05:64:8E:AB:95:33:88:61:55:F8:D4:CE:5B:45:6F:17:83:FB:47:88:7B:F9:28:82:1A^M
> extended key usage:^M
> Transport Layer Security (TLS) World Wide Web (WWW) client authentication (1.3.6.1.5.5.7.3.2)^M
> Email protection (1.3.6.1.5.5.7.3.4)^M
> Signing Online Certificate Status Protocol (OCSP) responses (1.3.6.1.5.5.7.3.9)^M
> -----BEGIN CERTIFICATE-----^M
> MIIJkzCCB3ugAwIBAgIEfGgrtTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC^M
> REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoM^M
> B1NpZW1lbnMxETAPBgNVBAUTCFpaWlpaWkExMR0wGwYDVQQLDBRTaWVtZW5zIFRy^M
> dXN0IENlbnRlcjEiMCAGA1UEAwwZU2llbWVucyBSb290IENBIFYzLjAgMjAxNjAe^M
> Fw0yMDA2MjQxMDUwNTVaFw0yNjA2MjQxMDUwNTVaMIG2MQswCQYDVQQGEwJERTEP^M
> MA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2ll^M
> bWVuczERMA8GA1UEBRMIWlpaWlpaQjYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3Qg^M
> Q2VudGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVu^M
> Z3RoIEF1dGhlbnRpY2F0aW9uIDIwMjAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw^M
> ggIKAoICAQDGd8o5EWM7+UrZpD9ga1nWo6hQE/haOg3U+uV2Qv9Yrq/TsR0FAQ4X^M
> CzRJ7bYW4h4jkr9XyTwfhOuwW5J+iP/uSHSenEPWoekcsLYMjs2qg0CRDuY+8D9R^M
> nlqQYE6fv6l4mqPymudBOm7Cy3mPS0d6BlO5bWAXyCUOZaB9IxpNk0ouqXajTB64^M
> 2f59BReCORGg52l5tvVs8edsoRop94JRe7LXxn0Byqz3uwHRNTUPbnKdvNGcsWl4^M
> aB66CB7Uj1dFuR9K7Uy4STap9eD5IibXvRnl7tpgsJcX+kOM5c851DJ6gA8zY2Vy^M
> Upsr2SDdPwFWrDjjqqlf7530a2I+ipZruwWBSDce97WSW5XRYE2dUO3h0g68xttZ^M
> JD5iveqdoAhZXf/9yDqAJe7NGzu/C9RNrguq17MpRgWuUqLUx8N/mAGRsZJFLJg9^M
> AJvGSOtz77ambCdnq73Zqy07dnO0ybg6lutm3vPwV2MeIJ+aGh9ECxOIXG8cCVKG^M
> orNxyNhAli+YzPJTytHLmCNqHmTlwMmJcs3v7z7QRdDOeWWV6T4vswI3KJ66EB0q^M
> TDnCzssRqp9mepFQmKPK193rUGDKm+RsIluCBiY/ltKYhawUJe8Q8KztRGZoIjH6^M
> 4CAgumfsGTeICd54tDFdRzxEcqlixeTrOodY3P1IHBr/vCI3ENOlqwIDAQABo4ID^M
> wjCCA74wgfgGCCsGAQUFBwEBBIHrMIHoMEEGCCsGAQUFBzAChjVsZGFwOi8vYWwu^M
> c2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAyBggr^M
> BgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5jcnQw^M
> SgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpaQTEs^M
> bz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMCMGCCsGAQUFBzABhhdodHRwOi8v^M
> b2NzcC5zaWVtZW5zLmNvbTAfBgNVHSMEGDAWgBRwbaBQ7KnQLGedGRX+/QRzNcPi^M
> 1DASBgNVHRMBAf8ECDAGAQH/AgEAMIIBaAYDVR0gBIIBXzCCAVswNQYIKwYBBAGh^M
> aQcwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoG^M
> DSsGAQQBoWkHAgIDAgMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5z^M
> LmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIDAQMwKTAnBggrBgEFBQcCARYbaHR0cDov^M
> L3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIEAQMwKTAnBggrBgEF^M
> BQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDcGCisGAQQBoWkHAgUw^M
> KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDUGCCsG^M
> AQQBoWljMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5jb20vcGtp^M
> LzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVucy5uZXQv^M
> Q049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SGJmh0dHA6^M
> Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8vY2wuc2ll^M
> bWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9yaXR5UmV2^M
> b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEF^M
> BQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA1+aaPq7mhwVqIHFPm1k6mu^M
> 4EfCMA0GCSqGSIb3DQEBCwUAA4ICAQBSMbkJZsfcZppTh0KigOHozfdqrFKoXHJB^M
> dFFyMuCF0jvhWr4dWhWfkN1pxNM6AA6fdJjJjJoOzQHUysMNdbcbFZl4e/4VW6Qg^M
> 6h/0CkAV+VJBQYeJ34l3vQKtwPWN/yhItLU6JyxNIt3b5WxTgSXvjicazALcDz9h^M
> tTnXeE39QSgH7jh2uEIZk0q9YHYYaPmAndsDa4j943FQyjayqKm9ggCfS+SHc85f^M
> 3PlCq5yZyypVKzpq/DFJ2r+CCtRWzQXRTz2cvVdGueyF0gmTPlLoGIpc5rPlOWXH^M
> KE07+Ibc25aY0VmIN5VGUMOEbHz0nq+aCDtnx+HfPHiS9oNQH7zyclGhgKcWwI9T^M
> IdsB/IPp+oH/7v7V++Q0d81azfzvc/mCUd0CGCDDNjPqj2gOhn6IPKRU5QFIL/1h^M
> ycW1PEHyC6BmIT1NkUVGWcFEXbkR4GIv72VGfupUf6xBdd36VzL1TUbrbV2tfAvB^M
> OHBahZzzD4/kGKgUUCu9AEsj+BvqCe/va5h3NbB6bAGkZNDdP5coEECIHNu84ywN^M
> 3IKOAVvWBzEcyDWAOu6IU9kOiDxPFq/oniLjxlEXJMEeVOYZL7B4Z2QzJakIdTAO^M
> ZuIehRUdtkj6gKgu84zxgVTaYrHOa/byINCqpEsoeddKyKwCGD4s+LaeuGSSOwOv^M
> cxztI32uTA==^M
> -----END CERTIFICATE-----^M
On: FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023
I assume that this was done for the content from ca_root_nss, but please keep
in mind that this is not the default OpenSSL behavior. OpenSSL will not read
beyond the first entry because rehash is supposed to read one cert per file.
Ultimately, this should not care about ca_root_nss at all.
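The failure described in the report comes down to the anchor in '^-+BEGIN CERTIFICATE-+$': on a CRLF-terminated file the line still carries its trailing CR when the regex is applied, so the BEGIN marker is never seen. The following POSIX sh script is an added example written for this page; it is not certctl's code and not the reporter's. It builds a constructed two-block PEM bundle (placeholder base64, not real certificates) in which the first block is CRLF-terminated and carries a human-readable header like the file above, shows that the original pattern counts only the LF block while a pattern with an optional trailing CR counts both, and then splits the bundle into one file per certificate by normalising every CR to LF first, which handles CRLF, bare CR and LF alike. It assumes only POSIX sh, tr and an awk that understands the standard \r escape in regexes.

```shell
#!/bin/sh
# Added example (not certctl's code): count and split PEM certificate blocks
# while tolerating the CRLF / CR / LF line endings that RFC 7468 allows.

make_sample() {
    # $1 = file to create. Constructed input, not a real certificate: the first
    # block is CRLF-terminated and preceded by a human-readable header, like the
    # file shown in the report; the second block uses plain LF.
    {
        printf '%s\r\n' 'subject: CN=Example Test CA (constructed)' \
            '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----'
    } > "$1"
}

# The pattern from the commit: "$" sits just before the LF, so a CRLF line
# still ends in "\r" and never matches.
count_begin_broken() {
    awk '/^-+BEGIN CERTIFICATE-+$/ { n++ } END { print n + 0 }' "$1"
}

# The same pattern with an optional trailing CR matches both line endings.
count_begin_fixed() {
    awk '/^-+BEGIN CERTIFICATE-+\r?$/ { n++ } END { print n + 0 }' "$1"
}

# $1 = bundle file, $2 = output directory. Every CR is turned into LF first, so
# CRLF, bare CR and LF all become record separators; the empty records that
# CRLF leaves behind are skipped. Writes $2/cert.N.pem and prints N.
split_certs() {
    tr '\r' '\n' < "$1" | awk -v dir="$2" '
        NF == 0 { next }
        /^-+BEGIN CERTIFICATE-+$/ { n++; out = dir "/cert." n ".pem"; inblock = 1 }
        inblock { print > out }
        /^-+END CERTIFICATE-+$/ && inblock { inblock = 0; close(out) }
        END { print n + 0 }
    '
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/bundle.crt"
    echo "BEGIN lines seen by the original pattern: $(count_begin_broken "$tmp/bundle.crt")"
    echo "BEGIN lines seen with an optional CR:     $(count_begin_fixed "$tmp/bundle.crt")"
    echo "certificates written: $(split_certs "$tmp/bundle.crt" "$tmp")"
    rm -rf "$tmp"
}

demo
```

Only the lines between the BEGIN and END markers are copied out, so the descriptive header that tools such as the one that produced the Siemens file prepend is dropped, and the per-certificate files come out LF-terminated regardless of the input's line endings, which is what a one-cert-per-file consumer such as rehash expects.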