Bug #10699

closed

CRL php error

Added by Dario Martino almost 4 years ago. Updated almost 4 years ago.

Status: Needs Patch
Priority: Normal
Assignee:
Category: Certificates
Target version: -
Start date: 06/25/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5-p1
Affected Architecture: amd64

Description

Hello,
I have a PHP error when I try to add a certificate issued for an OpenVPN client to a CRL. I can create the CRL, but I can't add a certificate to it.

When I try to add one, I get this PHP error:

[18-Jun-2020 17:34:26 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
Stack trace:
#0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
#3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73
[18-Jun-2020 19:25:06 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
Stack trace:
#0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
#3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73
[18-Jun-2020 19:43:32 Europe/Rome] PHP Fatal error: Uncaught Exception: Can't parse time from string '†°î>Œã>†-Ò™Ïê¶g£Bâx' in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php:73
Stack trace:
#0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
#3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#5 /usr/local/share/openssl_x509_cr in /usr/local/share/openssl_x509_crl/ASN1_GENERALTIME.php on line 73

I have this error on only one pfSense installation. I have several installations and I can use CRLs without problems.

The CA and its private key were generated on the same pfSense on which I get the error. The same goes for the certificate I want to revoke.

I think it's a bug. I can't see any other reason that would cause this error. I have had this error since version 2.4.4 and still now with 2.4.5-p1 on the same machine running on a Hyper-V cluster.

Best,
D. Martino

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback

That looks like a problem with your certificate. It can't read the time stamp from the certificate data.

Can you add other certificates to that CRL?

Can you try this on a 2.5.0 snapshot?

Can you reproduce it with a fresh CA and Certificate?

We may need a copy of the CA and Certificate since it's not something we can reproduce here.

Actions #2

Updated by Dario Martino almost 4 years ago

Hi Jim,
thanks for your reply.

Jim Pingle wrote:

> That looks like a problem with your certificate. It can't read the time stamp from the certificate data.
>
> Can you add other certificates to that CRL?

I can't add any certificate issued by the same CA to the corresponding revocation list.

> Can you try this on a 2.5.0 snapshot?

I'll try it ASAP.

> Can you reproduce it with a fresh CA and Certificate?

Now I've created a new "TEST-CA" and a new "test-certificate". The CRL for the "TEST-CA" works fine! I can add "test-certificate" to the CRL.

> We may need a copy of the CA and Certificate since it's not something we can reproduce here.

If you also need the private key, I'll provide it in a private message because it's used for VPN access.

I can assure you that the CA and certificates that have this problem were generated in the same way as the "TEST-CA" I mentioned above. They were generated on the same machine, not imported.

Now I've made another test: I exported the CA and one issued certificate and reimported them into another pfSense, and the problem is the same on the other machine too!

But what is wrong in this CA???

I'm sorry if I'm wasting your time if this isn't a bug, but I think it's possible that it is.

Thanks,
Dario.

Actions #3

Updated by Dario Martino almost 4 years ago

Nothing seems wrong in my CA:

#openssl rsa -in pfsense.pter.it.key -check -noout
RSA key ok

#openssl x509 -in pfsense.pter.it.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = pfsense.pter.it-internal-ca, C = IT, ST = Sicily, L = Palermo, O = PTER Srl, OU = IT
Validity
Not Before: Apr 12 18:01:22 2019 GMT
Not After : Apr 9 18:01:22 2029 GMT
Subject: CN = pfsense.pter.it-internal-ca, C = IT, ST = Sicily, L = Palermo, O = PTER Srl, OU = IT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dc:1b:7e:33:b3:cd:2d:cb:49:6b:e0:b5:9d:5c:
cb:51:21:39:83:63:9b:8a:e2:f2:c9:d9:b4:d3:94:
30:c2:32:ef:c8:69:d5:48:06:eb:90:4c:0c:02:47:
76:c1:20:54:d9:68:51:e5:45:3a:b4:09:de:8d:04:
1f:a7:bc:27:ec:75:38:4f:d4:70:d3:5d:c0:8f:c3:
51:21:2f:60:9c:9d:ad:ac:e8:f3:93:f7:ff:51:de:
11:d6:e1:2b:9c:2c:a7:0c:db:7f:94:cb:bf:a3:c3:
67:dc:2c:5c:5c:e9:7b:c9:1a:e3:99:c1:fb:d2:1f:
35:97:00:e4:7e:5f:d5:5c:92:fa:50:58:98:de:0c:
4b:0c:a2:d2:50:c2:20:19:ba:2f:e0:66:79:37:93:
1d:c5:38:30:da:04:a8:b4:05:be:fb:6d:25:b3:cc:
73:f8:8a:57:3e:0c:4c:4c:b2:0e:c2:56:7e:55:4f:
e9:7d:0a:73:01:55:d2:cc:33:3f:12:9f:39:9f:0b:
3e:b2:14:5e:cb:e9:fa:13:ac:82:48:1a:2a:1c:b8:
fc:d7:8e:a7:b0:34:ef:59:6b:dc:2c:f2:87:07:1d:
6e:f4:8b:22:f8:88:e8:8b:2c:99:a8:d6:58:d9:24:
45:64:ed:d5:e1:ea:5f:11:90:31:a6:56:3e:4f:8e:
6a:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
67:46:62:DA:1F:49:C7:1E:04:F4:48:7D:20:38:16:8A:08:2F:B0:51
X509v3 Authority Key Identifier:
keyid:67:46:62:DA:1F:49:C7:1E:04:F4:48:7D:20:38:16:8A:08:2F:B0:51
DirName:/CN=pfsense.pter.it-internal-ca/C=IT/ST=Sicily/L=Palermo/O=PTER Srl/OU=IT
serial:00

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
03:1e:6f:b5:9d:f6:93:f3:f9:e2:ef:90:e5:45:40:a6:dc:5e:
07:79:c4:42:6d:e1:e2:0f:0b:cc:a8:af:7e:49:79:52:5c:af:
ce:f2:dd:67:a7:d5:a5:3a:9d:29:47:29:ed:3c:cf:4e:b3:65:
b9:18:ca:35:b0:ea:11:62:2f:e1:15:d4:ff:09:42:85:53:02:
43:4f:81:8f:35:66:79:a8:52:3f:91:1a:7f:cf:b3:d0:96:3d:
7e:0f:a7:54:80:80:6d:0e:8d:bc:e1:68:13:12:aa:ad:81:43:
98:7b:6b:49:81:de:28:42:18:15:86:b0:ee:3e:8c:e3:3e:10:
86:2d:d2:99:cf:ea:b6:67:a3:07:42:e2:78:e2:73:39:7f:ea:
ae:cb:78:c4:c9:65:e9:ba:ac:99:f0:e0:f0:d4:90:4e:2b:de:
68:07:2c:16:f1:14:b3:55:66:09:eb:cc:1e:77:60:d5:61:82:
8d:b2:2f:25:88:d3:f9:a9:d2:45:1e:c2:a2:9d:5a:f0:70:21:
ed:33:50:6e:7f:c2:5c:26:a2:80:4c:e8:3f:c5:a4:98:64:80:
c5:07:be:71:b6:1f:14:8c:bd:4d:63:10:09:67:fc:de:1a:21:
f3:19:5c:fb:d6:92:c8:54:7f:89:2b:d0:21:83:9a:bc:55:ad:
2c:6a:40:fe

Actions #4

Updated by Jim Pingle almost 4 years ago

Nothing looks obviously wrong in that, but still it's confusing the CRL routines somehow.

If you don't mind sending me that CA + CA private key + one cert (no key) which you can't revoke, I can test it here. Send it to (jimp) [at] {netgate}.{com} (without all the extra fluff there). Since it is sensitive, do not send it in the clear. Encrypt it first with GPG; my key can be found at https://keybase.io/jimp

Actions #5

Updated by Dario Martino almost 4 years ago

Jim Pingle wrote:

> Nothing looks obviously wrong in that, but still it's confusing the CRL routines somehow.
>
> If you don't mind sending me that CA + CA private key + one cert (no key) which you can't revoke, I can test it here. Send it to (jimp) [at] {netgate}.{com} (without all the extra fluff there). Since it is sensitive, do not send it in the clear. Encrypt it first with GPG; my key can be found at https://keybase.io/jimp

I've sent you an email. Thanks !!!

Dario.

Actions #6

Updated by Jim Pingle almost 4 years ago

  • Assignee set to Jim Pingle

Actions #7

Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Needs Patch

I am able to reproduce the crash with the CA provided by OP. Crash happens on 2.4.5-p1 and 2.5.0. It appears to be due to some property of the CA, but it's not clear what. Comparing the CA to another CA also generated by pfSense, nothing stands out as problematic in the data.

Updated to the latest copy of the PHP code where the crash is encountered, but the same error results. I can't seem to reproduce it with anything other than that one CA, though.

I did manage to tease some more debug data out of the crash, however:

Exception trace:

#0 /usr/local/share/openssl_x509_crl/ASN1.php(136): Ukrbublik\openssl_x509_crl\ASN1_GENERALTIME->decodeSimple('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#1 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 962, 21)
#2 /usr/local/share/openssl_x509_crl/ASN1_BITSTRING.php(51): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 844, 256)
#3 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1_BITSTRING->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#4 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 843, 257)
#5 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 4, 1096)
#6 /usr/local/share/openssl_x509_crl/ASN1.php(314): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 4, 1096)
#7 /usr/local/share/openssl_x509_crl/ASN1.php(138): Ukrbublik\openssl_x509_crl\ASN1->decodeConstructed('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 0, 1100)
#8 /usr/local/share/openssl_x509_crl/X509_CERT.php(44): Ukrbublik\openssl_x509_crl\ASN1->decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...', 0, 1100)
#9 /usr/local/share/openssl_x509_crl/X509_CRL.php(60): Ukrbublik\openssl_x509_crl\X509_CERT::decode('0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...')
#10 /etc/inc/certs.inc(1039): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, '0\x82\x04H0\x82\x030\xA0\x03\x02\x01\x02\x02\x01...')
#11 /etc/inc/certs.inc(1079): crl_update(Array)
#12 /usr/local/www/system_crlmanager.php(153): cert_revoke(Array, Array, '1')
#13 {main}

Function call backtrace:

[array (
  0 => 
  array (
    'file' => '/etc/inc/certs.inc',
    'line' => 1079,
    'function' => 'crl_update',
    'args' => 
    array (
      0 => 
      array (
        'refid' => '5ef4f2c791434',
        'descr' => 'crash-test',
        'caref' => '5ef4f29b87707',
        'method' => 'internal',
        'serial' => 1242,
        'lifetime' => '365',
        'cert' => 
        array (
          0 => 
          array (
            'refid' => '5ef4f2b5b2b79',
            'descr' => 'adriano',
            'type' => 'user',
            'caref' => '5ef4f29b87707',
            'crt' => '<redacted>',
            'prv' => '<redacted>',
            'serial' => '1917616790264760926',
            'reason' => '1',
            'revoke_time' => 1593113481,
          ),
        ),
      ),
    ),
  ),
  1 => 
  array (
    'file' => '/usr/local/www/system_crlmanager.php',
    'line' => 153,
    'function' => 'cert_revoke',
    'args' => 
    array (
      0 => 
      array (
        'refid' => '5ef4f2b5b2b79',
        'descr' => 'adriano',
        'type' => 'user',
        'caref' => '5ef4f29b87707',
        'crt' => '<redacted>',
        'prv' => '<redacted>',
      ),
      1 => 
      array (
        'refid' => '5ef4f2c791434',
        'descr' => 'crash-test',
        'caref' => '5ef4f29b87707',
        'method' => 'internal',
        'serial' => 1242,
        'lifetime' => '365',
        'cert' => 
        array (
          0 => 
          array (
            'refid' => '5ef4f2b5b2b79',
            'descr' => 'adriano',
            'type' => 'user',
            'caref' => '5ef4f29b87707',
            'crt' => '<redacted>',
            'prv' => '<redacted>',
            'serial' => '1917616790264760926',
            'reason' => '1',
            'revoke_time' => 1593113481,
          ),
        ),
      ),
      2 => '1',
    ),
  ),
)]

Note that this is not the user cert from OP, but one I created from the problematic CA.

Since it only affects this one CA and not others, and it doesn't appear to have any obvious cause or problem in our code, there may not be anything we can do here.
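
The exception text, the CA signature printed in comment #3 and the offsets in the trace in comment #7 fit together. Read as Windows-1252, the 21 bytes PHP could not parse as a time are bytes 118 to 138 of the CA's own signature (86 b0 ee 3e 8c e3 3e 10 86 2d d2 99 cf ea b6 67 a3 07 42 e2 78); the two bytes before them are 18 15, a GeneralizedTime tag with length 21; and 844 (the offset at which the trace shows ASN1->decodeConstructed starting on the BIT STRING contents) plus 118 is the 962 in decodeSimple(..., 962, 21). Walked as a flat series of tag-length-value items, the whole 256-byte signature happens to tile exactly (03/1e, 79/52, 18/15, e2/73), so a decoder that speculatively looks for nested ASN.1 inside the signature BIT STRING accepts it and then throws on the byte run it takes for a time field. That alignment is a property of this one signature, which fits the behaviour being confined to this one CA. The Python below is an added example, not pfSense code and not the openssl_x509_crl library; it rebuilds that walk from the signature bytes on this page and sets it beside the defensive reading, in which signatureValue stays opaque and a speculative decode returns None instead of raising. The function names are mine; the only page-specific constants are the signature bytes and the offset 844.

```python
# Added example; not pfSense code and not the openssl_x509_crl library.
# Reconstructs, from the signature bytes in comment #3, why a decoder that
# speculatively parses signature BIT STRING contents as nested ASN.1 ends
# up trying to read a GeneralizedTime out of signature bytes.
import datetime

# The CA certificate's signature as printed by openssl in comment #3 (256 bytes).
SIGNATURE = bytes.fromhex("""
03 1e 6f b5 9d f6 93 f3 f9 e2 ef 90 e5 45 40 a6 dc 5e
07 79 c4 42 6d e1 e2 0f 0b cc a8 af 7e 49 79 52 5c af
ce f2 dd 67 a7 d5 a5 3a 9d 29 47 29 ed 3c cf 4e b3 65
b9 18 ca 35 b0 ea 11 62 2f e1 15 d4 ff 09 42 85 53 02
43 4f 81 8f 35 66 79 a8 52 3f 91 1a 7f cf b3 d0 96 3d
7e 0f a7 54 80 80 6d 0e 8d bc e1 68 13 12 aa ad 81 43
98 7b 6b 49 81 de 28 42 18 15 86 b0 ee 3e 8c e3 3e 10
86 2d d2 99 cf ea b6 67 a3 07 42 e2 78 e2 73 39 7f ea
ae cb 78 c4 c9 65 e9 ba ac 99 f0 e0 f0 d4 90 4e 2b de
68 07 2c 16 f1 14 b3 55 66 09 eb cc 1e 77 60 d5 61 82
8d b2 2f 25 88 d3 f9 a9 d2 45 1e c2 a2 9d 5a f0 70 21
ed 33 50 6e 7f c2 5c 26 a2 80 4c e8 3f c5 a4 98 64 80
c5 07 be 71 b6 1f 14 8c bd 4d 63 10 09 67 fc de 1a 21
f3 19 5c fb d6 92 c8 54 7f 89 2b d0 21 83 9a bc 55 ad
2c 6a 40 fe
""")
# File offset at which the trace in comment #7 starts decoding the BIT STRING
# contents: ASN1->decodeConstructed('0\x82\x04H...', 844, 256).
SIG_CONTENT_OFFSET = 844
GENERALIZED_TIME_TAG = 0x18


def read_header(buf, pos):
    """One BER tag/length header at pos -> (tag, content_start, length),
    or None if malformed. Single-byte tags and definite lengths only."""
    if pos + 1 >= len(buf) or buf[pos] & 0x1F == 0x1F:
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        return None
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def walk(buf):
    """Split buf into consecutive top-level TLVs without recursing. clean is
    True only when the TLVs tile buf exactly, the usual heuristic for
    'this BIT STRING contains nested ASN.1'."""
    items, pos = [], 0
    while pos < len(buf):
        hdr = read_header(buf, pos)
        if hdr is None or hdr[1] + hdr[2] > len(buf):
            return items, False
        items.append(hdr)
        pos = hdr[1] + hdr[2]
    return items, True


def parse_generalized_time(raw):
    """Strict DER GeneralizedTime (YYYYMMDDHHMMSSZ); None instead of raising."""
    try:
        return datetime.datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ")
    except (UnicodeDecodeError, ValueError):
        return None


def speculative_decode(buf):
    """What an optimistic BIT STRING decoder does: if the bytes walk cleanly,
    interpret each TLV by its tag. A typed field that does not decode makes
    the whole attempt return None; the PHP library throws at that point."""
    items, clean = walk(buf)
    if not clean:
        return None
    decoded = []
    for tag, start, length in items:
        body = buf[start:start + length]
        if tag == GENERALIZED_TIME_TAG:
            body = parse_generalized_time(body)
            if body is None:
                return None
        decoded.append((tag, body))
    return decoded


def signature_value(bitstring_content):
    """Defensive reading of signatureValue: validate the unused-bits octet and
    return the signature as opaque bytes, never parsing inside it."""
    unused = bitstring_content[0]
    if unused > 7 or (unused and bitstring_content[-1] & ((1 << unused) - 1)):
        raise ValueError("malformed BIT STRING")
    return bitstring_content[1:]


def as_logged(buf, start, length):
    """Render bytes the way the PHP error message did: Windows-1252 text
    with control characters dropped."""
    text = buf[start:start + length].decode("cp1252", errors="replace")
    return "".join(c for c in text if c.isprintable())


if __name__ == "__main__":
    items, clean = walk(SIGNATURE)
    print("tiles exactly as TLVs:", clean, [hex(t) for t, _, _ in items])
    _, start, length = items[2]          # the 18 15 ... item
    print("fake GeneralizedTime at file offset", SIG_CONTENT_OFFSET + start)
    print("as the error logged it:", as_logged(SIGNATURE, start, length))
    print("speculative decode:", speculative_decode(SIGNATURE))
    print("opaque signature starts:", signature_value(b"\x00" + SIGNATURE)[:4].hex())
```

The two takeaways for anyone maintaining a CRL or certificate parser: the signatureValue field is defined as an opaque BIT STRING and should be returned as bytes, as signature_value does, rather than probed for nested structure; and where a parser does probe speculatively, a failed typed decode has to fall back to the opaque reading instead of throwing, because a 256-byte RSA signature is effectively random and will, once in a while, tile cleanly as TLVs.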
