Bug #6953

on mismatching private key for CA, "edit user" silently creates user cert using different CA

Added by Harald Linden 4 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 11/23/2016
Due date:
% Done: 100%
Affected version: 2.3.2
Affected Architecture:

Description

Steps to reproduce:

  • have existing internal CA
  • import external CA (in my case, signed by the internal CA but generated externally)
  • enter wrong private key for CA and save (this should fail, btw.)
  • open dialogue "user manager" -> "edit user"
  • create user certificate

The resulting user cert will be signed by the existing internal CA instead of failing.

Starting this process from the cert manager works as expected and fails with "The following input errors were detected:
openssl library returns: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch".

Associated revisions

Revision 2cf5db21
Added by Jim Pingle 4 months ago

Ensure that the submitted private key matches the certificate or CA when importing. Ticket #6953

Revision 75e80f16
Added by Jim Pingle 4 months ago

If there are input errors when creating a user certificate from the user manager, stop and show the errors rather than appearing to fail silently. Fixes #6953

History

#1 Updated by Jim Pingle 4 months ago

  • Assignee set to Jim Pingle

#2 Updated by Jim Pingle 4 months ago

  • Category set to Certificates
  • Status changed from New to Feedback
  • Assignee changed from Jim Pingle to Harald Linden
  • Target version set to 2.4.0
  • % Done changed from 0 to 100

I was unable to reproduce the problem exactly as stated, but I added validation code to prevent incorrect keys from being accepted when importing a CA or Certificate. It checks the modulus of the certificate and the key to ensure they match before allowing the entry to be saved.

When I attempted to create a user certificate with the mismatched key, it failed but didn't show an error. I also pushed a change where it will stop and display errors if there were any encountered while creating the certificate.
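
The modulus comparison described in comment #2, as an added example that is not pfSense's own code and not part of the ticket. It assumes unencrypted RSA keys and the `openssl` command-line tool; the function names `key_matches_cert`, `import_ca` and `make_samples` are hypothetical, and the CA and keys are constructed test data generated on the fly.

```shell
#!/bin/sh
# Added example (not pfSense code): RSA-only modulus check before saving a CA.

# key_matches_cert CERT_PEM KEY_PEM
# Returns 0 only when both moduli can be read and are identical.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    # Fail closed: two empty outputs must never count as a match.
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# import_ca CERT_PEM KEY_PEM (hypothetical save step)
# Stops with a visible error instead of silently carrying on.
import_ca() {
    if key_matches_cert "$1" "$2"; then
        echo "saved"
    else
        echo "error: private key does not match certificate" >&2
        return 1
    fi
}

# make_samples DIR: constructed test data, a self-signed CA plus an unrelated key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
import_ca "$demo_dir/ca.crt" "$demo_dir/ca.key" || echo "import refused"
import_ca "$demo_dir/ca.crt" "$demo_dir/other.key" || echo "import refused"
rm -rf "$demo_dir"
```

An unreadable or missing key returns 2 rather than 1, so a caller can tell a parse failure from a genuine mismatch while still refusing the import in both cases.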

#3 Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Resolved
