The proposed package is available here:
https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-strongswan-bug-fixes
I performed the test above to check if the CA certificate is generated
correctly:
[in the same container I was using to describe the Test Case section in the
description]
$ add-apt-repository ppa:lucaskanashiro/focal-strongswan-bug-fixes -y
$ apt install strongswan strongswan-pki -y
# Generate key and certificate
$ pki --gen --type ecdsa --size 384 > strongCAkey2.der
$ pki --self --in strongCAkey2.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > strongCAcert2.der
# Check the certificate with openssl, note that the CertificateSign and CRLsign
flags are set in the Key Usage extension
$ openssl x509 -inform DER -in strongCAcert2.der -noout -text | grep -A3 -B3 'Key Usage'
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
AF:A0:08:A7:E1:C7:12:31:77:E1:01:24:23:00:5B:0A:1F:D1:2A:1A
** Description changed:
+ [Impact]
+
+ Strongswan pki/x509 modules create CA certificates with invalid Key
+ Usage flags when compiling with GCC 9+. Actually this is an issue when
+ calling the chunk_from_chars() macro, not impacting only the mentioned
+ modules. The newer compilers might optimize out the assignment leading
+ to invalid values. More information here:
+
+ https://wiki.strongswan.org/issues/3249
+
+ In the case of the CA certificate creation, the NSS library using RFC
+ 4945 IPsec profiles will reject the certificate validation because of
+ the empty yet critical Key Usage section.
+
+ [Test Case]
+
+ $ lxc launch ubuntu-daily:focal strongswan-sru
+ $ lxc shell strongswan-sru
+ $ apt update && apt upgrade -y
+ $ apt install strongswan strongswan-pki -y
+
+ # Generate key and certificate
+ $ pki --gen --type ecdsa --size 384 > strongCAkey.der
+ $ pki --self --in strongCAkey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > strongCAcert.der
+
+ # Check the certificate with openssl, note the '....' in the Key Usage extension, this is not valid
+ $ openssl x509 -inform DER -in strongCAcert.der -noout -text | grep -A3 -B3 'Key Usage'
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Key Usage: critical
+ ....
+ X509v3 Subject Key Identifier:
+ D2:F5:58:B3:2A:3F:11:68:8E:AA:47:7A:29:9F:AC:8E:70:9E:EA:25
+
+
+ [Regression Potential]
+
+ The upstream patches touch many places of the code base, look here:
+
+ https://git.strongswan.org/?p=strongswan.git&a=search&h=HEAD&st=commit&s=3249
+
+ So a possible regression because of this SRU would be expected in one of
+ those modules: pki, x509, libtpmtss, tls-crypto and lgtm. However, the
+ changes are trivial and the risk is low.
+
+ [Original Description]
+
This bug is already fixed in upstream.
For explanation and steps to reproduce see
https://wiki.strongswan.org/issues/3249
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: strongswan-pki 5.8.2-1ubuntu3
ProcVersionSignature: User Name 5.4.0-1010.10-azure 5.4.30
Uname: Linux 5.4.0-1010-azure x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed May 20 12:09:33 2020
ProcEnviron:
- TERM=xterm
- PATH=(custom, no user)
- XDG_RUNTIME_DIR=<set>
- LANG=C.UTF-8
- SHELL=/bin/bash
+ TERM=xterm
+ PATH=(custom, no user)
+ XDG_RUNTIME_DIR=<set>
+ LANG=C.UTF-8
+ SHELL=/bin/bash
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
** Summary changed:
- Strongswan pki creates CA certificates with invalid Key Usage flags
+ [SRU] Strongswan pki creates CA certificates with invalid Key Usage flags
** Changed in: strongswan (Ubuntu Focal)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879692
Title:
[SRU] Strongswan pki creates CA certificates with invalid Key Usage
flags
To manage notifications about this bug go to:
https://bugs.launchpad.net/strongswan/+bug/1879692/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
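The [Impact] section says the bad Key Usage comes from how chunk_from_chars() is called, and that a newer GCC may optimize the assignment away. The following is an added example, written for this page and not code from strongSwan or from the bug reporter, that shows the failure class and the check a practitioner would want. The chunk_t struct and the chunk_from_chars macro here are an assumed reconstruction of the compound-literal idiom (the real upstream definitions and the patched call sites are not on this page); key_usage_buggy, key_usage_fixed, ku_bit_set, key_usage_is_ca, key_usage_fixed_byte and encodes_as_ca are hypothetical names. The KeyUsage byte values are the standard DER BIT STRING encoding: 01 06 is exactly what the fixed build's `openssl x509 -text` output above decodes as "Certificate Sign, CRL Sign".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for strongSwan's chunk_t: a pointer plus a length. */
typedef struct {
    uint8_t *ptr;
    size_t len;
} chunk_t;

/* Assumed shape of the chunk_from_chars() idiom (a reconstruction, not a
 * copy of the strongSwan macro): the chunk points into a compound literal
 * array. A compound literal has automatic storage that ends with the
 * innermost enclosing block, so a chunk that outlives that block dangles.
 * Reading through it is undefined behaviour; an optimizing compiler may
 * drop the store entirely, which matches the symptom in the report. */
#define chunk_from_chars(...) \
    ((chunk_t){ (uint8_t[]){ __VA_ARGS__ }, sizeof((uint8_t[]){ __VA_ARGS__ }) })

/* KeyUsage BIT STRING contents: first byte = number of unused trailing bits,
 * then the flags MSB-first (digitalSignature = bit 0, keyEncipherment = 2,
 * keyCertSign = 5, cRLSign = 6). */
#define KU_CA_CONTENTS  0x01, 0x06  /* keyCertSign | cRLSign, 1 unused bit  */
#define KU_EE_CONTENTS  0x05, 0xA0  /* digitalSignature | keyEncipherment   */

/* BUGGY pattern: the chunk is filled inside an if/else block and returned.
 * Both compound literals are dead by the time the caller looks at ku.ptr.
 * Kept only to show the defect; the checks below never read through it. */
static chunk_t key_usage_buggy(bool ca)
{
    chunk_t ku;
    if (ca)
    {
        ku = chunk_from_chars(KU_CA_CONTENTS);
    }
    else
    {
        ku = chunk_from_chars(KU_EE_CONTENTS);
    }
    return ku;  /* ku.ptr now points at storage whose lifetime has ended */
}

/* FIXED pattern: copy the bytes into caller-owned storage while the compound
 * literal is still alive (it lives until this function's block ends).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
static size_t key_usage_fixed(bool ca, uint8_t *out, size_t cap)
{
    chunk_t ku = ca ? chunk_from_chars(KU_CA_CONTENTS)
                    : chunk_from_chars(KU_EE_CONTENTS);
    if (ku.len > cap)
    {
        return 0;
    }
    memcpy(out, ku.ptr, ku.len);
    return ku.len;
}

/* Test whether bit `bit` is set in a BIT STRING contents value, honouring
 * the unused-bits byte. Malformed or too-short input reads as "not set". */
static bool ku_bit_set(const uint8_t *c, size_t len, unsigned bit)
{
    if (len < 2 || c[0] > 7)
    {
        return false;
    }
    size_t total_bits = (len - 1) * 8 - c[0];
    if (bit >= total_bits)
    {
        return false;
    }
    return (c[1 + bit / 8] >> (7 - bit % 8)) & 1;
}

/* What a relying party that checks CA Key Usage expects (the report names
 * NSS with its RFC 4945 profile as one that rejects the broken value):
 * keyCertSign and cRLSign both present. An empty value, which is what the
 * broken build emitted under a critical extension, fails closed. */
static bool key_usage_is_ca(const uint8_t *contents, size_t len)
{
    return ku_bit_set(contents, len, 5) && ku_bit_set(contents, len, 6);
}

/* Accessor for checks: byte `idx` of the fixed encoding, or -1 past the end. */
static int key_usage_fixed_byte(bool ca, size_t idx)
{
    uint8_t buf[8];
    size_t n = key_usage_fixed(ca, buf, sizeof buf);
    return idx < n ? buf[idx] : -1;
}

/* Does the fixed encoding for this certificate type pass the CA check? */
static bool encodes_as_ca(bool ca)
{
    uint8_t buf[8];
    size_t n = key_usage_fixed(ca, buf, sizeof buf);
    return key_usage_is_ca(buf, n);
}

int main(void)
{
    uint8_t buf[8];
    size_t n = key_usage_fixed(true, buf, sizeof buf);
    printf("fixed CA KeyUsage contents:");
    for (size_t i = 0; i < n; i++)
    {
        printf(" %02X", buf[i]);
    }
    printf("  is_ca=%d\n", key_usage_is_ca(buf, n));

    chunk_t bad = key_usage_buggy(true);
    printf("buggy chunk: len=%zu, ptr is dangling, contents undefined\n", bad.len);
    return 0;
}
```

Build with `gcc -O2 -Wall` and note that the fixed path always yields 01 06 for a CA; the buggy path is undefined, so its output may look right at -O0 and be empty or garbage at -O2 on a recent GCC, which is why the bug only surfaced with newer compilers. `-fsanitize=address` (with its stack-use-after-scope detection) flags the buggy pattern at runtime, which is a cheap regression check to add to a build that carries this kind of macro.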