Re: Zero length certificates

[Charles B Cranston]

Best I can tell from looking at the code, the failure is somewhere
in this block (which I have edited a bit for readability):
# Convert the signed cert to a pkcs12 certificate
# so Netscape and IE can import. (and clean up some files)
  `rm -f "./temp/$input{'email'}.pem"`;

  `cat
      ./temp/$input{'email'}.key
      ./temp/$input{'email'}.pem.signed
      >>./temp/$input{'email'}.temp`;
   sleep 3;

   my $command_conv;

   print "\r";

   $command_conv = Expect->spawn(
      "/usr/local/ssl/bin/openssl pkcs12 -export
         -in ./temp/$input{'email'}.temp
         -out ./temp/$input{'email'}.p12
         -name 'OWL Certificate for $input{'email'}'
         -certfile /usr/local/ssl/misc/owl03CA/cacert.pem"
   );
   if ( $command_conv->expect(5, "pass phrase:")) {
      print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
      print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
      print $command_conv "$input{'passwd'}\r";
   }
I'm not an "expect" expert, but the OpenSSL programs sometimes
make null-length files when an error occurs during their execution.
My guess is that the pkcs12 command is failing and somehow the
error is not detected.  AFAICT the command would be:
   /usr/local/ssl/bin/openssl pkcs12 -export \
      -in ./temp/<xxx>.temp \
      -out ./temp/<xxx>.p12 \
      -name 'OWL Certificate for <xxx>' \
      -certfile /usr/local/ssl/misc/owl03CA/cacert.pem
Where <xxx> is $input{'email'}  -- my suspicions might be that
the cacert.pem file is not there in the new configuration or that
somehow a change of shells screwed up that nested ' thing in
the -name option or what else???  Why don't you try the command
manually from the command line and see if it makes a good p12?
All the pieces are just lying there???
BTW if this does turn out to the the problem it would be good to
modify the expect stuff so if pkcs12 returns a nonzero error code
SOMETHING gets printed or triggered or something...
Brandon wrote:
Charles ,

Here is the complete file, there are two additional calls to openssl after
the req is generated.
Brandon

#!/usr/bin/perl
# This script takes html form data and generates a pem encoded certificate
request.
MAIN: {

require "cgi-lib.pl";
use Expect;
#read in all the variables set by the form
&ReadParse(*input);
$organization = "OWL";  # hard code the Org field
$organization_unit = ""; # changed below
$new_state = "";         # state in case counrty us different from US
# Check to see if all the right fields are filled in
# And if they have requested a cert in the past.
   print &PrintHeader;
   print "<html><head><title>Generating Certificate Request...</title>\n";
   print "<script language=\"Javascript\">\n";
   print "<!--\n";
   print "   function goHome()\n";
   print "{\n";
   print "   window.location=\"http://www.owl.test\"\;\n";;
   print "}\n";
   print "// -->\n";
   print "</script>\n</head>\n<body>\n";
if ( -f "/var/www/cgi-bin/temp/$input{'email'}.p12") {
   &CgiDie("Error:  Certificate already in database\n","It appears you have
requested a certificate twice.  This corrupted your previous certificate.
Please send mail to bamundson\(at)bbn.com so he can correct the problem.  He
will then inform you to request a cert again.\n");
   }
if ($input{'name'} ne "" &&
    $input{'passwd'} ne "" &&
    $input{'passwd2'} ne "" &&
   ($input{'passwd'} eq $input{'passwd2'}) &&
    $input{'email'} ne "" &&
   ($input{'orgunit'} ne "" || $input{'orgunitother'} ne "") &&
    $input{'city'} ne "" &&
  (($input{'state'} ne "") || ($input{'country'} ne "US" && $input{'state'}
eq "")) &&
    $input{'country'} ne "") {
   #
   # Check which orgunit to use and fix state country conflicts
   #
   if ($input{'orgunit'} ne "") {
      $organization_unit = $input{'orgunit'};
   }
   else {
      $organization_unit = $input{'orgunitother'};
   }
   if ($input{'country'} ne "US") {
      $new_state = "none";
   }
   else {
   $new_state = $input{'state'};
   }
   #
   # Create the certificate and private key, put that in email_address.cert
   # while using expect to  interact with openssl...
   #
   #print &PrintHeader;
   print "<pre>\r";
   #$temp = /var/www/cgi-bin/temp;
   $SSLEAY_CONFIG = "-config /usr/local/ssl/openssl.cnf"; #Define alternate
.cnf file
   my $command_req;
   $command_req = Expect->spawn("/usr/local/ssl/bin/openssl req
$SSLEAY_CONFIG -new -keyout ./temp/$input{'email'}.key -out
./temp/$input{'email'}.cert -days 1825");
   if ( $command_req->expect(5, "phrase:")) {
      print $command_req "$input{'passwd'}\r";
   }
   if ( $command_req->expect(5, "phrase:")) {
      print $command_req "$input{'passwd'}\r";
   }
   if ( $command_req->expect(5, "\[US\]:") ) {
      print $command_req "$input{'country'}\r";
   }
   if ( $command_req->expect(5, "\[Some-State\]:")) {
      print $command_req "$input{'state'}\r";
   }
   if ( $command_req->expect(5, "city")) {
      print $command_req "$input{'city'}\r";
   }
   if ( $command_req->expect(5, "Ltd\]:")) {
      print $command_req "$organization\r";
   }
   if ( $command_req->expect(5, "section\) \[\]:")) {
      print $command_req "$organization_unit\r";
   }
   if ( $command_req->expect(5, "name\) \[\]:")) {
      print $command_req "$input{'name'}\r";
   }
   if ( $command_req->expect(5, "Address \[\]:")) {
      print $command_req "$input{'email'}\r";
   }
   if ( $command_req->expect(5, "password \[\]:")) {
      print $command_req "\r";
   }
   if ( $command_req->expect(5, "company name \[\]:")) {
      print $command_req "\r";
   }
   #
   # Now cat the 2 together to form the request
   #
   sleep 2;
   `cat ./temp/$input{'email'}.key ./temp/$input{'email'}.cert >>
./temp/$input{'email'}.pem`;
   #
   sleep 1;
   # Sign the certificate (and clean up some files)
   #
   `rm -f "./temp/$input{'email'}.cert"`;
   print "\r\rCert AutoSigner v1.0...\r";
   my $command_sign;
   $command_sign = Expect->spawn("/usr/local/ssl/bin/openssl ca
$SSLEAY_CONFIG -policy policy_anything -out
./temp/$input{'email'}.pem.signed -infiles ./temp/$input{'email'}.pem");
   if ( $command_sign->expect(5, "pass phrase:")) {
      print $command_sign "passwordhere\r";
   }
   if ( $command_sign->expect(5, "certificate")) {
      print $command_sign "y\r";
   }
   sleep 1;
   if ( $command_sign->expect(5, "commit\? \[y\/n\]")) {
      print $command_sign "y\r\r";
   }
   sleep 2;
   #
   # Convert the signed cert to a pkcs12 certificate so Netscape and IE can
import.
   # (and clean up some files)
  `rm -f "./temp/$input{'email'}.pem"`;
   `cat ./temp/$input{'email'}.key ./temp/$input{'email'}.pem.signed >>
./temp/$input{'email'}.temp`;
   sleep 3;
   my $command_conv;
   print "\r";
   $command_conv = Expect->spawn("/usr/local/ssl/bin/openssl
pkcs12 -export -in ./temp/$input{'email'}.temp -out
./temp/$input{'email'}.p12 -name 'OWL Certificate for
$input{'email'}' -certfile /usr/local/ssl/misc/owl03CA/cacert.pem");
   if ( $command_conv->expect(5, "pass phrase:")) {
      print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
      print $command_conv "$input{'passwd'}\r";
   }
   if ( $command_conv->expect(5, "Export Password:")) {
      print $command_conv "$input{'passwd'}\r";
   }
   #
   `rm -f "./temp/$input{'email'}.key" "./temp/$input{'email'}.pem.signed"
"./temp/$input{'email'}.temp"`;
   # E-mail bamundson(at)bbn.com and tell him he has a cert to approve.
   `echo '$input{'email'} has a owl certificate request.' | mail -s
"certificate request" bamundson\(at)bbn.com `;
   print "</pre>\r";
   print "<font size=4><b>Your certificate was successfully
generated.<br>You will now be redirected to the owl homepage</b></font>\n";
   print "<script language=\"JavaScript\">setTimeout('goHome()',
7000)</script>\n";
   print "</HTML></BODY>\r\n";
   }
else {
   print "ERROR: You left a required field blank or your passwords didn't
match.  Please go back and correct.\n";
   print <<ENDOFTEXT;
   <pre>
   Your name is: +$input{'name'}+
   Your password is: +********+
   Your e-mail address is: +$input{'email'}+
   Your Organization Unit is : +$organization_unit+
   Your City is: +$input{'city'}+
   Your State is: +$new_state+
   Your Country is: +$input{'country'}+
   </pre>
ENDOFTEXT
   }
# Close the document cleanly.
print &HtmlBot;
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]


--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]