Project

General

Profile

Bug #6877

nsCertType "Server" property of a certificate is not detected if additional nsCertType flags are also set

Added by Bruno Grossmann 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Very Low
Assignee:
Category:
Certificates
Target version:
Start date:
10/26/2016
Due date:
% Done:

100%

Affected version:
All
Affected Architecture:
All

Description

Using a GoDaddy server certificate. The server has both TLS Web Server Authentication and TLS Web Client Authentication EKU OIDs. Yet, the certificate manager screen states the certificate is not a server certificate.

Here is the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:69:e6:2f:b7:82:62:1a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Aug 31 17:13:39 2016 GMT
            Not After : Aug 31 17:13:39 2017 GMT
        Subject: OU=Domain Control Validated, CN=cloudmgr.cloudtransform.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:4e:02:2b:0a:6e:28:79:a6:b3:c4:a7:95:11:
                    2b:4c:f3:ff:60:2d:44:29:18:f8:97:1a:1b:92:9b:
                    fb:4b:51:a5:ed:8c:57:99:8c:43:6c:4b:01:64:d4:
                    b6:ea:73:3b:64:2f:d8:84:33:7d:67:09:71:e2:fd:
                    81:46:af:32:fb:5c:bc:8d:01:1f:3b:43:d4:95:01:
                    6a:f4:c8:1d:4b:84:93:35:57:88:7d:c8:3a:36:b2:
                    af:bc:96:9a:7b:7c:98:29:d5:12:26:55:51:a0:d2:
                    2b:77:a2:31:4e:cf:20:90:35:f0:00:89:1f:1c:bb:
                    08:f8:1f:9a:e2:a8:5e:ec:79:fa:27:aa:6a:f6:e9:
                    54:e2:6b:98:9e:cc:3c:39:cd:fe:2e:50:82:66:7f:
                    fc:4b:7c:35:42:0a:a8:df:ae:d5:dc:55:43:f1:4d:
                    10:e6:a6:f8:b3:2f:7a:2d:2b:9c:8b:af:dc:16:23:
                    d6:25:3e:62:90:03:78:87:68:73:1e:22:98:0b:3e:
                    e7:b7:64:e6:e4:19:a2:56:73:8b:0a:62:06:fc:12:
                    cf:9b:59:a5:be:ed:3a:0d:03:b6:21:b9:c9:ce:1e:
                    e6:83:1d:3b:9c:5f:9b:23:a5:65:e9:d0:9a:29:68:
                    45:5c:93:b4:44:2d:c7:db:af:87:7b:bd:42:0b:46:
                    b0:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-295.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:cloudmgr.cloudtransform.ca, DNS:www.cloudmgr.cloudtransform.ca
            X509v3 Subject Key Identifier:
                40:E1:91:BD:E9:1C:BF:9A:84:02:C5:06:B8:8C:A5:10:8D:8D:33:8E
    Signature Algorithm: sha256WithRSAEncryption
         80:77:6f:1b:66:91:e9:9f:92:0c:2c:b2:21:b1:f7:e2:15:4a:
         e7:c0:88:bb:a4:80:8c:f8:60:6f:62:8d:87:b8:04:f5:1c:67:
         83:45:d4:28:62:ac:d4:50:6b:46:7a:c0:28:7a:f9:f6:dc:19:
         52:24:27:0f:03:c2:22:c2:11:b2:38:55:cc:af:c0:2b:de:9e:
         9f:42:90:cd:0a:43:5c:4d:63:40:5b:97:3e:d4:54:6d:8c:63:
         ef:e6:8a:49:5b:ae:22:1e:64:14:32:1d:60:b8:51:0c:40:42:
         46:cf:1f:34:65:1b:61:58:4f:07:69:62:81:b7:57:04:9a:a2:
         23:c3:70:9d:80:75:f6:06:76:4f:52:33:fd:c2:c7:81:51:0b:
         12:3f:10:72:26:54:8d:4f:91:f0:0e:1a:66:3e:d7:86:46:4e:
         9f:3c:4f:3a:66:39:3e:86:ca:d0:9c:f1:69:f9:f1:b7:7b:7d:
         76:7c:6d:d1:0d:e0:9c:ed:1e:0b:d2:2a:96:96:29:51:88:a4:
         54:11:d7:7d:8e:64:f1:c1:a7:8f:6e:ea:35:ec:81:31:02:84:
         e9:11:7a:17:bf:3f:ff:c4:cb:3e:ae:54:cb:ff:5e:05:c7:b2:
         05:22:2e:59:eb:4a:de:08:e5:85:a8:9a:6e:80:85:14:ac:73:
         3f:ca:0a:e9

cert_manager.png - Red rectangle highlights issue described above (96 KB) Bruno Grossmann, 10/26/2016 08:22 AM

Associated revisions

Revision 0db9846a
Added by Doktor Notor 6 months ago

Fix nsCertType matching for some certificates (Bug #6877)

See https://redmine.pfsense.org/issues/6877#note-4

History

#1 Updated by Jim Pingle 7 months ago

  • Status changed from New to Rejected

Those are both authentication attributes, not the server property.

The GUI checks the cert to see if the nsCertType extension is set to "SSL Server", and reports if it is found or not.

#2 Updated by Bruno Grossmann 7 months ago

OK. However, let me point out that, according to https://www.openssl.org/docs/manmaster/apps/x509v3_config.html, the nsCertType extension is "non standard, Netscape specific and largely obsolete".

#3 Updated by Jim Pingle 7 months ago

That means nothing to how it's used on pfSense. One of the primary uses of certificates on pfSense is OpenVPN, and OpenVPN uses that property when validating server certificates. If we keyed off of some other property, it would lead to confusion and problems with clients in OpenVPN.

When creating a server certificate in pfSense we do also set extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2 but the primary indicator for the GUI to say "Server: Yes" is nsCertType because that reflects the type directly and it's significant to OpenVPN.

There could be another flag (e.g. ServerAuth: Yes/No) but that area is already a bit cluttered.

#4 Updated by Kill Bill 6 months ago

Well, this does not work properly even with the nsCertType set. Example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:5a:ca:53:65:40:ca:6c:24:f7:b6:7c:37:b0:e5:1b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
        Validity
            Not Before: Nov 16 12:58:32 2016 GMT
            Not After : Nov 16 12:58:32 2017 GMT
        Subject: C=CZ, CN=*.ckcesta.cz/emailAddress=admin@ckcesta.cz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:d5:01:72:f4:18:1b:dc:19:17:a0:39:67:5b:
                    9a:cd:0c:73:92:de:a3:12:c7:59:b8:1c:63:47:ed:
                    4d:fb:8d:31:f5:a8:7c:7e:1c:17:61:58:d3:1e:7d:
                    eb:c2:30:19:21:bd:48:d3:f3:9d:d3:13:3e:81:0e:
                    85:94:fa:26:1f:3a:32:4b:77:7f:ca:67:52:2a:4b:
                    10:43:a7:df:4c:61:56:b3:b0:fa:9d:90:83:91:1d:
                    f5:c6:d1:95:5d:79:3e:27:29:d2:c5:23:f3:ca:c4:
                    d1:b3:4e:f2:e6:34:73:d8:ff:db:39:6f:1d:e0:1a:
                    0a:4e:e6:22:d2:2d:5c:15:f7:5e:d3:b8:0b:9e:1f:
                    11:ec:96:c2:f1:f3:31:2e:3b:54:81:ec:c0:01:cb:
                    a3:9b:21:85:f9:67:f3:59:3f:8a:f8:b2:b8:4d:c8:
                    25:27:bf:f0:6e:86:18:fd:ae:36:ab:4f:e3:cf:c5:
                    2d:75:8e:b4:ed:e9:d9:e3:e2:a4:66:92:11:d5:9b:
                    35:4e:9c:c0:f1:9e:1a:2b:e5:4c:1c:ce:e3:68:50:
                    38:88:33:dc:c3:cc:78:ab:68:4c:31:d5:fe:ec:fd:
                    1d:56:1f:ae:ce:54:31:88:5b:7f:b3:7c:21:1b:b3:
                    bd:cf:91:76:9e:19:d9:98:03:1e:30:d4:2f:62:c0:
                    84:cd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.certum.pl/dvcasha2.crl

            Authority Information Access:
                OCSP - URI:http://dvcasha2.ocsp-certum.com
                CA Issuers - URI:http://repository.certum.pl/dvcasha2.cer

            X509v3 Authority Key Identifier:
                keyid:E5:31:AD:BF:3A:11:96:F4:83:BC:50:3C:D4:B7:90:9B:90:EE:DE:25

            X509v3 Subject Key Identifier:
                2E:96:A7:89:3A:CB:00:67:BD:C8:15:1F:7B:5E:68:9C:99:75:AA:14
            X509v3 Issuer Alternative Name:
                email:dvcasha2@certum.pl
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 1.2.616.1.113527.2.5.1.3
                  User Notice:
                    Organization: Unizeto Technologies S.A.
                    Number: 2
                    Explicit Text: Usage of this certificate is strictly subjected to the CERTUM Certification Practice Statement (CPS) incorporated by reference herein and in the repository at https://www.certum.pl/repository.

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Subject Alternative Name:
                DNS:*.ckcesta.cz, DNS:ckcesta.cz
    Signature Algorithm: sha256WithRSAEncryption
         0c:7d:ad:b1:bd:16:dd:e1:7a:ef:ef:cc:f1:7e:a0:5a:3f:49:
         af:5b:4c:0b:cc:cd:b3:db:3b:db:f7:77:90:5b:57:f7:2f:00:
         c8:03:82:97:17:4a:8a:ac:4d:63:3f:ce:f9:75:ee:33:f1:2b:
         61:2a:d1:01:19:a2:0f:a4:8b:fb:26:7b:21:21:5a:1b:fb:e2:
         63:02:d5:da:b3:6d:e1:06:1f:ba:a0:49:ea:4a:4e:78:90:9d:
         81:99:9c:e8:08:d0:95:a6:93:b4:c8:8e:ee:24:11:86:5e:0b:
         f4:55:e6:d9:b9:5b:05:fc:81:5e:17:5b:50:45:0e:90:22:c1:
         94:de:a4:89:d9:87:31:40:97:c5:33:12:6f:49:5d:64:ea:c7:
         8c:0c:47:74:ca:08:bb:06:c6:52:bb:a5:61:68:c4:28:2c:f2:
         2c:ae:d7:25:c6:fb:a8:e3:f9:18:5c:08:d3:1b:71:3d:e9:18:
         df:14:af:0e:7e:54:a1:f2:42:40:26:52:b0:77:aa:19:7e:be:
         66:fa:6b:6b:64:ce:c1:8e:06:1b:a5:81:e4:16:06:8d:f0:ad:
         c9:45:90:f2:fd:01:01:33:57:9e:98:2c:2e:fb:65:b8:af:62:
         11:75:d0:f5:45:c1:c2:96:1d:92:22:98:5b:bb:d5:0f:2f:c7:
         99:74:7f:f4
-----BEGIN CERTIFICATE-----
MIIF8DCCBNigAwIBAgIQJ1rKU2VAymwk97Z8N7DlGzANBgkqhkiG9w0BAQsFADCB
hTELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMu
QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEpMCcG
A1UEAxMgQ2VydHVtIERvbWFpbiBWYWxpZGF0aW9uIENBIFNIQTIwHhcNMTYxMTE2
MTI1ODMyWhcNMTcxMTE2MTI1ODMyWjBFMQswCQYDVQQGEwJDWjEVMBMGA1UEAwwM
Ki5ja2Nlc3RhLmN6MR8wHQYJKoZIhvcNAQkBFhBhZG1pbkBja2Nlc3RhLmN6MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdUBcvQYG9wZF6A5Z1uazQxz
kt6jEsdZuBxjR+1N+40x9ah8fhwXYVjTHn3rwjAZIb1I0/Od0xM+gQ6FlPomHzoy
S3d/ymdSKksQQ6ffTGFWs7D6nZCDkR31xtGVXXk+JynSxSPzysTRs07y5jRz2P/b
OW8d4BoKTuYi0i1cFfde07gLnh8R7JbC8fMxLjtUgezAAcujmyGF+WfzWT+K+LK4
TcglJ7/wboYY/a42q0/jz8UtdY607enZ4+KkZpIR1Zs1TpzA8Z4aK+VMHM7jaFA4
iDPcw8x4q2hMMdX+7P0dVh+uzlQxiFt/s3whG7O9z5F2nhnZmAMeMNQvYsCEzQID
AQABo4ICmTCCApUwDAYDVR0TAQH/BAIwADAyBgNVHR8EKzApMCegJaAjhiFodHRw
Oi8vY3JsLmNlcnR1bS5wbC9kdmNhc2hhMi5jcmwwcQYIKwYBBQUHAQEEZTBjMCsG
CCsGAQUFBzABhh9odHRwOi8vZHZjYXNoYTIub2NzcC1jZXJ0dW0uY29tMDQGCCsG
AQUFBzAChihodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0ucGwvZHZjYXNoYTIuY2Vy
MB8GA1UdIwQYMBaAFOUxrb86EZb0g7xQPNS3kJuQ7t4lMB0GA1UdDgQWBBQulqeJ
OssAZ73IFR97XmicmXWqFDAdBgNVHRIEFjAUgRJkdmNhc2hhMkBjZXJ0dW0ucGww
DgYDVR0PAQH/BAQDAgWgMIIBFgYDVR0gBIIBDTCCAQkwggEFBgsqhGgBhvZ3AgUB
AzCB9TCB8gYIKwYBBQUHAgIwgeUwIBYZVW5pemV0byBUZWNobm9sb2dpZXMgUy5B
LjADAgECGoHAVXNhZ2Ugb2YgdGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdHJpY3RseSBz
dWJqZWN0ZWQgdG8gdGhlIENFUlRVTSBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0
YXRlbWVudCAoQ1BTKSBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlIGhlcmVpbiBh
bmQgaW4gdGhlIHJlcG9zaXRvcnkgYXQgaHR0cHM6Ly93d3cuY2VydHVtLnBsL3Jl
cG9zaXRvcnkuMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjARBglghkgB
hvhCAQEEBAMCBsAwIwYDVR0RBBwwGoIMKi5ja2Nlc3RhLmN6ggpja2Nlc3RhLmN6
MA0GCSqGSIb3DQEBCwUAA4IBAQAMfa2xvRbd4Xrv78zxfqBaP0mvW0wLzM2z2zvb
93eQW1f3LwDIA4KXF0qKrE1jP875de4z8SthKtEBGaIPpIv7JnshIVob++JjAtXa
s23hBh+6oEnqSk54kJ2BmZzoCNCVppO0yI7uJBGGXgv0VebZuVsF/IFeF1tQRQ6Q
IsGU3qSJ2YcxQJfFMxJvSV1k6seMDEd0ygi7BsZSu6VhaMQoLPIsrtclxvuo4/kY
XAjTG3E96RjfFK8OflSh8kJAJlKwd6oZfr5m+mtrZM7BjgYbpYHkFgaN8K3JRZDy
/QEBM1eemCwu+2W4r2IRddD1RcHClh2SIphbu9UPL8eZdH/0
-----END CERTIFICATE-----

#5 Updated by Kill Bill 6 months ago

Yeah, this cannot work

$crt = "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----";
$crt_details = openssl_x509_parse($crt);
var_dump($crt_details['extensions']['nsCertType']);

with the above certificate produces

[nsCertType] => SSL Client, SSL Server

while certs.inc (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/certs.inc#L566) checks for

$purpose['server'] = ($crt_details['extensions']['nsCertType'] == "SSL Server") ? 'Yes': 'No';

See https://github.com/pfsense/pfsense/pull/3233 for a possible fix.

#6 Updated by Jim Pingle 6 months ago

  • Subject changed from Wrong certificate property in certificate manager to nsCertType "Server" property of a certificate is not detected if additional nsCertType flags are also set
  • Category set to Certificates
  • Status changed from Rejected to Assigned
  • Assignee set to Jim Pingle
  • Priority changed from Low to Very Low
  • Target version set to 2.4.0
  • Affected version set to All
  • Affected Architecture set to All

I don't think I've ever seen one with both set, and practically there is rarely if ever a reason to do so. It's worth parsing properly, but it's uncommon.

Updated subject to match the discovered problem.

#7 Updated by Jim Pingle 6 months ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

Merged PR

#8 Updated by Kill Bill 6 months ago

Works ;)

#9 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

Looks good, thanks for testing!

Also available in: Atom PDF