[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
This bug was fixed in the package openssl - 1.1.1f-1ubuntu4.4 --- openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254) - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source error when attempting to build a source package, due to pr12272.patch patching files multiple times within the same patch. (LP: #1927161) - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch -- Matthew Ruffell Wed, 05 May 2021 12:13:30 +1200 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: Fix Released Status in openssl source package in Groovy: Fix Released Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.4 --- openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates. (LP: #1926254) - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch -- Matthew Ruffell Wed, 28 Apr 2021 12:37:28 +1200 ** Changed in: openssl (Ubuntu Focal) Status: Fix Committed => Fix Released ** Changed in: openssl (Ubuntu Groovy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: Fix Released Status in openssl source package in Groovy: Fix Released Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Performing verification for Groovy. I went and generated the ssl certificates and attempted to verify them with the openssl version 1.1.1f-1ubuntu4.3 from -updates. ubuntu@deep-mako:~$ sudo apt-cache policy openssl | grep Installed Installed: 1.1.1f-1ubuntu4.3 ubuntu@deep-mako:~$ mkdir reproducer ubuntu@deep-mako:~$ cd reproducer ubuntu@deep-mako:~/reproducer$ mkdir CA ubuntu@deep-mako:~/reproducer$ cat << EOF >> rootCA.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test RSA PSS Root-CA > > [ usr_cert ] > basicConstraints = critical,CA:TRUE > keyUsage = critical,keyCertSign,cRLSign > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@deep-mako:~/reproducer$ cat << EOF >> subCA.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test RSA PSS Sub-CA > > [ usr_cert ] > basicConstraints = critical,CA:TRUE,pathlen:0 > keyUsage = critical,keyCertSign,cRLSign > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@deep-mako:~/reproducer$ cat << EOF >> user.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test User > > [ usr_cert ] > basicConstraints = critical,CA:FALSE,pathlen:0 > keyUsage = critical,digitalSignature,keyAgreement > extendedKeyUsage = clientAuth,serverAuth > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 + + ubuntu@deep-mako:~/reproducer$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 ..+ .+ ubuntu@deep-mako:~/reproducer$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@deep-mako:~/reproducer$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Signature ok subject=C = DE, O = Test Org, CN = Test RSA PSS Sub-CA Getting CA Private Key ubuntu@deep-mako:~/reproducer$ c_rehash CA Doing CA ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 ...+ .+ ubuntu@deep-mako:~/reproducer$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@deep-mako:~/reproducer$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Signature ok subject=C = DE, O = Test Org, CN = Test User Getting CA Private Key Now going and verifying the certificates: ubuntu@deep-mako:~/reproducer$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem C = DE, O = Test Org, CN = Test User error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed We see verification failed, again on CA:FALSE,pathlen:0 basicConstraints. Now if we enable -proposed and install openssl 1.1.1f-1ubuntu4.4. $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem user1_cert.pem: OK The certificate verifies properly. The problem is fixed. Additionally, if we examine the new unit tests added to openssl's testsuite in the buildlog for Groovy: https://launchpadlibrarian.net/537503607/buildlog_ubuntu-groovy- amd64.openssl_1.1.1f-1ubuntu4.4_BUILDING.txt.gz We see: ../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1 -purpose sslserver -trusted ../../../test/certs/root-cert.pem -untrusted ../../../test/certs/ca-cert.pem ../../../test/certs/ee-pathlen.pem => 0 ok 84 - accept non-ca with pathlen:0 by default CN = server.example error 41 at 0 depth lookup: invalid or inconsistent certificate extension error ../../../test/certs/ee-pathlen.pem: verification failed ../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1 -purpose sslserver -x509_strict -trusted ../../../test/certs/root-cert.
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Performing verification for Focal Generating the ssl certificates, and reproducing the problem with version 1.1.1f-1ubuntu2.3 from -updates. ubuntu@select-lobster:~$ sudo apt-cache policy openssl | grep Installed Installed: 1.1.1f-1ubuntu2.3 ubuntu@select-lobster:~$ mkdir reproducer ubuntu@select-lobster:~$ cd reproducer ubuntu@select-lobster:~/reproducer$ mkdir CA ubuntu@select-lobster:~/reproducer$ cat << EOF >> rootCA.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test RSA PSS Root-CA > > [ usr_cert ] > basicConstraints = critical,CA:TRUE > keyUsage = critical,keyCertSign,cRLSign > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@select-lobster:~/reproducer$ cat << EOF >> subCA.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test RSA PSS Sub-CA > > [ usr_cert ] > basicConstraints = critical,CA:TRUE,pathlen:0 > keyUsage = critical,keyCertSign,cRLSign > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@select-lobster:~/reproducer$ cat << EOF >> user.cnf > [ req ] > prompt = no > distinguished_name = req_distinguished_name > x509_extensions = usr_cert > > [ req_distinguished_name ] > C = DE > O = Test Org > CN = Test User > > [ usr_cert ] > basicConstraints = critical,CA:FALSE,pathlen:0 > keyUsage = critical,digitalSignature,keyAgreement > extendedKeyUsage = clientAuth,serverAuth > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid:always > EOF ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 ..+ + ubuntu@select-lobster:~/reproducer$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 + + ubuntu@select-lobster:~/reproducer$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@select-lobster:~/reproducer$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Signature ok subject=C = DE, O = Test Org, CN = Test RSA PSS Sub-CA Getting CA Private Key ubuntu@select-lobster:~/reproducer$ c_rehash CA Doing CA ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 ...+ .+ ubuntu@select-lobster:~/reproducer$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 ubuntu@select-lobster:~/reproducer$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Signature ok subject=C = DE, O = Test Org, CN = Test User Getting CA Private Key Now, we verify the certificates: ubuntu@select-lobster:~/reproducer$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem C = DE, O = Test Org, CN = Test User error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed We see verification fail, due to CA:FALSE,pathlen:0 basicConstraints. I then enabled -proposed, and installed openssl and libssl1.1 version 1.1.1f-1ubuntu2.4 If we then repeat the certificate validation: ubuntu@select-lobster:~/reproducer$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem user1_cert.pem: OK The certificates validate properly. Additionally, if we examine the new unit tests added to openssl's testsuite in the buildlog for focal: https://launchpadlibrarian.net/537505620/buildlog_ubuntu-focal- amd64.openssl_1.1.1f-1ubuntu2.4_BUILDING.txt.gz we see: ../../../test/certs/ee-pathlen.pem: OK ../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1 -purpose sslserver -trusted ../../../test/certs/root-cert.pem -untrusted ../../../test/certs/ca-cert.pem ../../../test/certs/ee-pathlen.pem => 0 ok 84 - accept non-ca with pathlen:0 by default CN = server.example error 41 at 0 depth lookup: invalid or inconsistent certificate extension error ../../../test/certs/ee-pathlen.pem: verification failed ../../util/shlib_wrap.sh ../../apps/openssl verify -auth_level 1
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
I very much appreciate the security review by Seth here. When I first started reading this bug I was going to insist on having a security review, but then I saw you've already taken care to arrange that. Thank you! ** Changed in: openssl (Ubuntu Groovy) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-groovy -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: Fix Committed Status in openssl source package in Groovy: Fix Committed Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -exte
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
uploaded to f/g, thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certi
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Matthew, thanks so much! sounds good to me. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Hi Seth, Thanks for the review. I read the commit you found: commit 1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e Author: Dr. David von Oheimb Date: Sat Jun 27 16:16:12 2020 +0200 Subject: Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c Link: https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e Firstly, yes, you are right, this commit does refactor the code I am suggesting we SRU to focal and groovy, but upon further inspection, this commit was not backported to the 1.1.1 stable series, as it is missing from the OpenSSL_1_1_1-stable branch. As you mentioned, it is a fairly invasive change and modifies a lot of different x509 components, it isn't suitable to be backported to 1.1.1 stable anyway, and much less be acceptable for SRU to focal or groovy. I think we should stick to the small targeted commits I suggested for this SRU, since they are a part of 1.1.1 stable, and are already in hirsute onward. To test that the logic from the suggested commits to SRU matches this new refactor commit from version 3.0alpha, I went and built the master branch of openssl, which had commit d1a770414acd34c774248ce8efbe202fd7a44041 at HEAD. $ env LD_LIBRARY_PATH="/home/ubuntu/openssl/" ../openssl/apps/openssl version OpenSSL 3.0.0-alpha16-dev (Library: OpenSSL 3.0.0-alpha16-dev ) $ env LD_LIBRARY_PATH="/home/ubuntu/openssl/" ../openssl/apps/openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem user1_cert.pem: OK The logic matches and the reproducer certificates verify OK. This confirms we aren't backporting a short lived change, and that this behaviour is the desired and accepted outcome. @ddstreet Please go ahead and sponsor the SRU to -updates, thanks. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSigna
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Hello Dan and Matthew, thanks for working on this. I gave the debdiffs a look, skimmed through openssl changes, and don't see any reason to not do this. There *are* larger changes to that function in https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e -- but it's a fairly invasive change, and I'm not recommending or suggesting we take it instead. It'd be nice though if someone could double-check the certs in question against a build that uses this newer commit and make sure that we're not backporting a very short-lived functional change. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_paddin
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
added ubuntu-security to the bug, just for quick review to make sure they don't object to the patch I can sponsor this to -updates if there's no objection -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CA
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
** Tags added: sts-sponsor -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer cer
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Attached is a debdiff for openssl on Groovy which fixes this bug. ** Patch added: "Debdiff for openssl on Groovy" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493443/+files/lp1926254_groovy.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certifica
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Attached is a debdiff for openssl on Focal which fixes this bug. ** Patch added: "Debdiff for openssl on focal" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493442/+files/lp1926254_focal.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
** Description changed: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed There are test packages available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test If you install these test packages, and attempt to verify, things work as planned. + $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem + user1_cert.pem: OK + [Where problems could occur] If a regression were to occur, it would occur around x509 cert