Bug #14022
closed
PHP error when exporting a CRL for an old CA
100%
Description
I have a CA that was generated in 2016, possibly from an old version of pfSense.
When Create a CRL using it and try to Export, I get a PHP error:
Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1086): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), false)
#2 /usr/local/www/system_crlmanager.php(198): crl_update(Array)
#3 {main}
thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1086): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), false)
#2 /usr/local/www/system_crlmanager.php(198): crl_update(Array)
#3 {main}
thrown
The behaviour seems to be new to 23.05 or pfSense 2.7.0-DEVELOPMENT.
I'm attaching a redacted version of the CA, regenerated with a new key, which has the same behaviour.
Files
Updated by Jim Pingle about 1 year ago
- Project changed from pfSense Plus to pfSense
- Subject changed from CRL export bug on old CA to PHP error when exporting a CRL for an old CA
- Category changed from Certificates to Certificates
- Target version set to 2.7.0
- Affected Plus Version deleted (
23.05) - Plus Target Version set to 23.05
Nothing immediately stands out in the cert but I can replicate it easily with that CA.
Making the following change appears to allow it to work, but the issue isn't in our code, it's in an upstream package (security/php-openssl_x509_crl).
--- a/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php.orig 2023-02-23 13:30:25.173127000 +0000
+++ b/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php 2023-02-23 13:30:30.254299000 +0000
@@ -22,7 +22,7 @@
public function __construct($str = "", $twodots = false) {
if($str === false) {
$this->content = array();
- } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", $str) /* || $twodots*/) {
+ } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", (string) $str) /* || $twodots*/) {
$octets = explode(':', $str);
foreach($octets as &$v) {
$v = chr(hexdec($v));
That upstream package doesn't appear to be actively maintained currently so we may have to carry a local patch on it for this.
I'm also not entirely convinced the above is the best solution though it appears to produce valid CRLs.
Updated by Matthew Fearnley about 1 year ago
Thanks Jim, I can confirm the patch works for me.
(Sorry, I've erroneously set the pfSense Plus version to 23.05 when it should be 23.01.)
Updated by Jim Pingle 12 months ago
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- % Done changed from 0 to 100
Local patch added in ports repo commit 3d9792221fb093f50af07d46dd5c753807ecde1f. Will be in the next snapshot.
Updated by Jim Pingle 12 months ago
- Status changed from Feedback to Resolved
Patch is present and working. I could replicate it before updating, but not after.