Project

General

Profile

Actions

Bug #14022

closed

PHP error when exporting a CRL for an old CA

Added by Matthew Fearnley about 1 year ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.05
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:

Description

I have a CA that was generated in 2016, possibly from an old version of pfSense.

When Create a CRL using it and try to Export, I get a PHP error:

Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1086): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), false)
#2 /usr/local/www/system_crlmanager.php(198): crl_update(Array)
#3 {main}
  thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1086): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), false)
#2 /usr/local/www/system_crlmanager.php(198): crl_update(Array)
#3 {main}
  thrown

The behaviour seems to be new to 23.05 or pfSense 2.7.0-DEVELOPMENT.

I'm attaching a redacted version of the CA, regenerated with a new key, which has the same behaviour.


Files

oldca.crt (1.58 KB) oldca.crt Matthew Fearnley, 02/23/2023 06:35 AM
oldca.key (1.64 KB) oldca.key Matthew Fearnley, 02/23/2023 06:35 AM
Actions #1

Updated by Jim Pingle about 1 year ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from CRL export bug on old CA to PHP error when exporting a CRL for an old CA
  • Category changed from Certificates to Certificates
  • Target version set to 2.7.0
  • Affected Plus Version deleted (23.05)
  • Plus Target Version set to 23.05

Nothing immediately stands out in the cert but I can replicate it easily with that CA.

Making the following change appears to allow it to work, but the issue isn't in our code, it's in an upstream package (security/php-openssl_x509_crl).

--- a/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php.orig    2023-02-23 13:30:25.173127000 +0000
+++ b/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php    2023-02-23 13:30:30.254299000 +0000
@@ -22,7 +22,7 @@
     public function __construct($str = "", $twodots = false) {
         if($str === false) {
             $this->content = array();
-        } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", $str) /* || $twodots*/) {
+        } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", (string) $str) /* || $twodots*/) {
             $octets = explode(':', $str);
             foreach($octets as &$v) {
                 $v = chr(hexdec($v));

That upstream package doesn't appear to be actively maintained currently so we may have to carry a local patch on it for this.

I'm also not entirely convinced the above is the best solution though it appears to produce valid CRLs.

Actions #2

Updated by Matthew Fearnley about 1 year ago

Thanks Jim, I can confirm the patch works for me.

(Sorry, I've erroneously set the pfSense Plus version to 23.05 when it should be 23.01.)

Actions #3

Updated by Jim Pingle 12 months ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • % Done changed from 0 to 100

Local patch added in ports repo commit 3d9792221fb093f50af07d46dd5c753807ecde1f. Will be in the next snapshot.

Actions #4

Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Resolved

Patch is present and working. I could replicate it before updating, but not after.

Actions #5

Updated by Jim Pingle 10 months ago

  • Affected Version set to 2.7.0
Actions

Also available in: Atom PDF