Hi !
Can someone confirm the bug I see ?
Thanks.
The file "log" created from the script below:
----------------------------------------------------------------------
pkcs12 ca nesting level: 0 pkcs12 rc=0
pkcs12 ca nesting level: 1 pkcs12 rc=0
pkcs12 ca nesting level: 2 pkcs12 rc=0
pkcs12 ca nesting level: 3 pkcs12 rc=0
pkcs12 ca nesting level: 4 pkcs12 rc=0
pkcs12 ca nesting level: 5 pkcs12 rc=0
pkcs12 ca nesting level: 6 pkcs12 rc=0
pkcs12 ca nesting level: 7 pkcs12 rc=0
pkcs12 ca nesting level: 8 pkcs12 rc=0
pkcs12 ca nesting level: 9 pkcs12 rc=139
----------------------------------------------------------------------
the script itself:
----------------------------------------------------------------------
#! /bin/bash
# bash >= 2.04 is needed.
# (c) 2001 by Stefan Traby <[EMAIL PROTECTED]>
# This script demonstrates a BUG in openssl if
# you want to create a pkcs#12-file that is signed by chained-CA's
# if there are more than 9 CA's in chain.
# run this script within an empty directory, make sure that openssl is in path
# number of chained CA's. More than 9 will create a seg-fault in openssl pkcs12
CHAINS=10
# Each CA is valid for START_DAYS - nesting_level
# A constant number of days would cause illegal certs because
# a higher-level CA are created first; so they expire
# before the lower-ones
#
# When this script is finished, the user certficate can be found
# in ./user/user-{nesting-level}.p12; the import-password is "xxxx"
#
START_DAYS=500
LCHAIN=$((CHAINS - 1))
rm -rf -- ./user ./ca ./log
mkdir -p ./user
mkdir -p ./ca
for((n=0;n<$CHAINS;n++)) ; do
mkdir -p "./ca/$n"
openssl genrsa -des3 -out ./ca/$n/ca.key -passout pass:foofoofoofoo 1024
#test
#openssl rsa -noout -text -in ./ca/$n/ca.key -passin pass:foofoofoofoo || exit 1
DAYS=$((START_DAYS - n))
cat <<EOF > ./ca/$n/conf
[req]
default_bits = 1024
distinguished_name = sepp
extensions = x509v3
[sepp]
countryName = "1. Country Name (2 letter code)"
countryName_default = AT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Steiermark
localityName = "3. Locality Name (eg, city) "
localityName_default = Graz
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Stefan Traby Services && Consulting
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Stefans Certificate Authority
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Stefans CA (Level $n)
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = [EMAIL PROTECTED]
[ x509v3 ]
subjectAltName = email:copy
basicConstraints = CA:true,pathlen:$n
nsComment = "CCA generated custom CA certificate"
nsCertType = sslCA,objCA, emailCA
[ca]
default_ca = CA_own
[CA_own]
dir = ./ca/$n
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = $DAYS
default_crl_days = 30
#default_md = md5
default_md = sha1
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
echo -e "\n\n\n\n\n\n\n"|openssl req -new -x509 -days 1001 -key ./ca/$n/ca.key -out
./ca/$n/ca.crt -passin pass:foofoofoofoo -config ./ca/$n/conf
openssl x509 -noout -text -in ./ca/$n/ca.crt || exit 1
echo -e "\n\n\n\n\n\n\ny\ny\n"|openssl req -config ./ca/$n/conf -new -key
./ca/$n/ca.key -out ./ca/$n/ca.csr -passin pass:foofoofoofoo -config ./ca/$n/conf||
exit 1
mkdir ./ca/$n/ca.db.certs &> /dev/null
touch ./ca/$n/ca.db.index
if [ ! -f ./ca/$n/ca.db.serial ]; then
echo '01' >./ca/$n/ca.db.serial
fi
if [ "$n" -gt "0" ] ; then
o=$((n - 1))
echo -e "y\ny\n"|openssl ca -config ./ca/$o/conf -out ./ca/$n/ca.crt -passin
pass:foofoofoofoo -cert ./ca/$o/ca.crt -infiles ./ca/$n/ca.csr
(cat ./ca/$o/chained.certs;openssl x509 -in ./ca/$n/ca.crt -outform PEM) >
./ca/$n/chained.certs
else
openssl x509 -in ./ca/$n/ca.crt -outform PEM >./ca/$n/chained.certs
fi
openssl x509 -in ./ca/$n/ca.crt -out ./ca/$n/ca.der -outform DER
#
# Gen the user-csr
#
openssl genrsa -des3 -out ./user/user-$n.key -passout pass:foofoofoofoo 1024 || exit 1
#test
#openssl rsa -noout -text -in ./user/user-$n.key -passin pass:foofoofoofoo || exit 1
#openssl rsa -in ./user/user-$n.key -out ./user/user-$n.key.insecure -passin
pass:foofoofoofoo || exit 1
echo -e "AT\nSteiermark\nGraz\nNethype\nNethype\nStefan
Traby\[EMAIL PROTECTED]\n\n.\n"| \
openssl req -new -key ./user/user-$n.key -out ./user/user-$n.csr -passin
pass:foofoofoofoo
#
# Gen user cert and pkcs12
#
echo -e "y\ny\n"| openssl ca -batch -config ./ca/$n/conf -out ./user/user-$n.crt
-passin pass:foofoofoofoo -infiles ./user/user-$n.csr
openssl pkcs12 -export -chain -in ./user/user-$n.crt -inkey ./user/user-$n.key -out
./user/user-$n.p12 -passin pass:foofoofoofoo -passout pass:xxxx -name 'Stefan Traby'
-CAfile ./ca/$n/chained.certs
i=$?
echo "pkcs12 ca nesting level: $n pkcs12 rc=$i" >>log
done
----------------------------------------------------------------------
--
ciao -
Stefan
" Man gebe jedem Niedersachsen - seinen eigenen Castor-Kasten. "
Stefan Traby Linux/ia32 fax: +43-3133-6107-9
Mitterlasznitzstr. 13 Linux/alpha phone: +43-699-10157505
8302 Nestelbach Linux/sparc http://www.hello-penguin.com
Austria mailto:[EMAIL PROTECTED]
Europe mailto:[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
