
sign-req: Allow the CSR DN-field order to be preserved #970

Merged (1 commit, Jul 2, 2023)

Conversation

TinCanTech (Collaborator):

When signing a request, EasyRSA ALWAYS defaults to the CA-defined Distinguished Name field order, as defined by the openssl-easyrsa.cnf configuration file.

In the unlikely event that a CSR is received with a different DN-field order, that order can be preserved for the signed certificate.

Command 'sign-req' now has a command option 'preserve' for this.

Additional:

Use of 'preserve = yes' in openssl-easyrsa.cnf has no effect for EasyRSA.

Testing OpenSSL directly indicates that this option may have no effect when used in the OpenSSL default configuration file openssl.cnf.

Also, OpenSSL documentation for command 'ca', option '-preserveDN' does NOT infer that this option can be used in the configuration file.

None of which is important to EasyRSA because only foreign CSRs can have a different DN-field order, so default behavior can remain.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech (Collaborator, Author):

Note the order of countryName = 00.

log:


tct@home:~/git/easy-rsa/test/installed/test D$ rm pki/issued/c3.crt 
tct@home:~/git/easy-rsa/test/installed/test D$ easyrsa --nopass show-req c3

* Using Easy-RSA configuration:
  /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* Using SSL: /home/tct/openssl/git-mast/apps/openssl OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )


Notice
------
Showing req details for: 'c3'

This file is stored at:
* /home/tct/git/easy-rsa/test/installed/test D/pki/reqs/c3.req
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject:
            stateOrProvinceName       = home
            localityName              = tct
            organizationName          = test
            organizationalUnitName    = testing
            countryName               = 00
            commonName                = c3
            emailAddress              = me@example.net
        Attributes:
            (none)
            Requested Extensions:

tct@home:~/git/easy-rsa/test/installed/test D$ easyrsa sign-req client c3 

* Using Easy-RSA configuration:
  /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* Using SSL: /home/tct/openssl/git-mast/apps/openssl OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate 
for '825' days:

subject=
    stateOrProvinceName       = home
    localityName              = tct
    organizationName          = test
    organizationalUnitName    = testing
    countryName               = 00
    commonName                = c3
    emailAddress              = me@example.net


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /home/tct/git/easy-rsa/test/installed/test D/pki/b19811bc/temp.2.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
stateOrProvinceName   :ASN.1 12:'home'
localityName          :ASN.1 12:'tct'
organizationName      :ASN.1 12:'test'
organizationalUnitName:ASN.1 12:'testing'
countryName           :PRINTABLE:'00'
commonName            :ASN.1 12:'c3'
emailAddress          :IA5STRING:'me@example.net'
Certificate is to be certified until Oct  4 02:29:47 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/c3.crt

tct@home:~/git/easy-rsa/test/installed/test D$ easyrsa --nopass show-cert c3

* Using Easy-RSA configuration:
  /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* Using SSL: /home/tct/openssl/git-mast/apps/openssl OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )


Notice
------
Showing cert details for: 'c3'

This file is stored at:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/c3.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a9:2e:ef:87:c2:e1:8b:42:62:4d:a9:a3:6b:fd:a0:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = 00
            stateOrProvinceName       = home
            localityName              = tct
            organizationName          = test
            organizationalUnitName    = testing
            commonName                = Easy-RSA CA
            emailAddress              = me@example.net
        Validity
            Not Before: Jul  2 02:29:47 2023 GMT
            Not After : Oct  4 02:29:47 2025 GMT
        Subject:
            countryName               = 00
            stateOrProvinceName       = home
            localityName              = tct
            organizationName          = test
            organizationalUnitName    = testing
            commonName                = c3
            emailAddress              = me@example.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                0B:FA:49:47:4C:86:0B:D9:97:3F:EB:82:91:0A:95:E4:53:4E:0E:93
            X509v3 Authority Key Identifier: 
                keyid:D9:C5:4D:31:4A:C9:D7:82:BE:69:7C:B1:D9:39:C6:5E:D5:54:82:D6
                DirName:/C=00/ST=home/L=tct/O=test/OU=testing/CN=Easy-RSA CA/emailAddress=me@example.net
                serial:03:62:B4:AD:57:AB:4B:A4:85:09:9F:60:BB:81:2C:33:BA:65:9D:35
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

tct@home:~/git/easy-rsa/test/installed/test D$ rm pki/issued/c3.crt 
tct@home:~/git/easy-rsa/test/installed/test D$ easyrsa sign-req client c3 preserve

* Using Easy-RSA configuration:
  /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* Using SSL: /home/tct/openssl/git-mast/apps/openssl OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate 
for '825' days:

subject=
    stateOrProvinceName       = home
    localityName              = tct
    organizationName          = test
    organizationalUnitName    = testing
    countryName               = 00
    commonName                = c3
    emailAddress              = me@example.net


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /home/tct/git/easy-rsa/test/installed/test D/pki/aa7421f1/temp.2.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
stateOrProvinceName   :ASN.1 12:'home'
localityName          :ASN.1 12:'tct'
organizationName      :ASN.1 12:'test'
organizationalUnitName:ASN.1 12:'testing'
countryName           :PRINTABLE:'00'
commonName            :ASN.1 12:'c3'
emailAddress          :IA5STRING:'me@example.net'
Certificate is to be certified until Oct  4 02:30:20 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/c3.crt

tct@home:~/git/easy-rsa/test/installed/test D$ easyrsa --nopass show-cert c3

* Using Easy-RSA configuration:
  /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* Using SSL: /home/tct/openssl/git-mast/apps/openssl OpenSSL 3.2.0-dev  (Library: OpenSSL 3.2.0-dev )


Notice
------
Showing cert details for: 'c3'

This file is stored at:
* /home/tct/git/easy-rsa/test/installed/test D/pki/issued/c3.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:01:6a:56:64:f9:4a:b6:b7:56:9b:33:7e:9d:79:5f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = 00
            stateOrProvinceName       = home
            localityName              = tct
            organizationName          = test
            organizationalUnitName    = testing
            commonName                = Easy-RSA CA
            emailAddress              = me@example.net
        Validity
            Not Before: Jul  2 02:30:20 2023 GMT
            Not After : Oct  4 02:30:20 2025 GMT
        Subject:
            stateOrProvinceName       = home
            localityName              = tct
            organizationName          = test
            organizationalUnitName    = testing
            countryName               = 00
            commonName                = c3
            emailAddress              = me@example.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                0B:FA:49:47:4C:86:0B:D9:97:3F:EB:82:91:0A:95:E4:53:4E:0E:93
            X509v3 Authority Key Identifier: 
                keyid:D9:C5:4D:31:4A:C9:D7:82:BE:69:7C:B1:D9:39:C6:5E:D5:54:82:D6
                DirName:/C=00/ST=home/L=tct/O=test/OU=testing/CN=Easy-RSA CA/emailAddress=me@example.net
                serial:03:62:B4:AD:57:AB:4B:A4:85:09:9F:60:BB:81:2C:33:BA:65:9D:35
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature

tct@home:~/git/easy-rsa/test/installed/test D$ 
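The session above shows the EasyRSA front end; the behaviour underneath is that of `openssl ca`, which rebuilds the subject by walking the policy section of its configuration in order unless `-preserveDN` is given. The script below is an added example, not code from the easy-rsa project or from this PR: it builds a throwaway CA with a policy in C, ST, L, O, CN order, constructs a "foreign" CSR whose countryName comes after organizationName (mirroring c3.req above), signs it both ways and prints the three DN orders. It assumes only an `openssl` binary on PATH; the scratch directory, configuration, file names and the assumption that the new `preserve` option maps onto `-preserveDN` are all the example's own.

```shell
#!/bin/sh
# Added demonstration (not easy-rsa code): subject DN order produced by
# 'openssl ca' with and without -preserveDN. Needs only 'openssl' on PATH.
set -eu

WORK=""

# write_ca_config: minimal 'openssl ca' configuration. The policy section is
# what fixes the CA's DN order (C, ST, L, O, CN): without -preserveDN the
# subject is rebuilt by walking these entries in this order, and attributes
# not listed here are dropped. Everything below is a constructed fixture.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir            = $WORK
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = 30
unique_subject = no
policy         = demo_policy

[ demo_policy ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name
EOF
}

# setup_pki: fresh scratch CA plus one "foreign" CSR whose DN places
# countryName after organizationName, like the c3.req shown in the PR.
setup_pki() {
    WORK=$(mktemp -d)
    mkdir "$WORK/newcerts"
    : > "$WORK/index.txt"
    printf '01\n' > "$WORK/serial"
    write_ca_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=00/ST=home/L=tct/O=test/CN=Demo CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/ca.cnf" -keyout "$WORK/c3.key" -out "$WORK/c3.req" \
        -subj "/ST=home/L=tct/O=test/C=00/CN=c3" >/dev/null 2>&1
}

# sign_request MODE OUT: "default" signs the way EasyRSA does by default;
# "preserve" adds -preserveDN (assumed here to be what 'sign-req ... preserve'
# passes through to openssl).
sign_request() {
    if [ "$1" = "preserve" ]; then
        openssl ca -batch -notext -preserveDN -config "$WORK/ca.cnf" \
            -in "$WORK/c3.req" -out "$2" >/dev/null 2>&1
    else
        openssl ca -batch -notext -config "$WORK/ca.cnf" \
            -in "$WORK/c3.req" -out "$2" >/dev/null 2>&1
    fi
}

# subject_order FILE TYPE: print the subject's attribute short names in their
# encoded order, e.g. "C,ST,L,O,CN". TYPE is "req" or "x509". Run this on a
# foreign CSR before signing to see whether its order differs from the CA's.
subject_order() {
    openssl "$2" -noout -subject -nameopt compat -in "$1" \
        | sed 's/^subject= *//' | tr '/,' '\n\n' \
        | sed -n 's/^ *\([A-Za-z]*\) *=.*/\1/p' | paste -s -d, -
}

# run_demo: sign the same CSR both ways and report all three DN orders on one
# line, then remove the scratch directory.
run_demo() {
    setup_pki
    sign_request default  "$WORK/c3-default.crt"
    sign_request preserve "$WORK/c3-preserve.crt"
    printf 'csr=%s default=%s preserve=%s\n' \
        "$(subject_order "$WORK/c3.req" req)" \
        "$(subject_order "$WORK/c3-default.crt" x509)" \
        "$(subject_order "$WORK/c3-preserve.crt" x509)"
    rm -rf "$WORK"
}

run_demo
```

The default signing returns `C,ST,L,O,CN`, the policy order, while the preserved signing returns the CSR's own `ST,L,O,C,CN`; the policy check itself is applied in both cases, so preserving the order does not relax which attributes are accepted. Note that `subject_order` is also the quickest way to confirm, after signing, which order ended up in the issued certificate, since DirName strings such as the one in the Authority Key Identifier above are compared in encoded order.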

@TinCanTech TinCanTech merged commit e89f4d7 into OpenVPN:master Jul 2, 2023
3 checks passed
Development

Linked issue (may be closed by merging this pull request): Allow a CSR Distinguished Name fields to remain out-of-order