openssl_x509_certificate is generating invalid certificates #12091

Closed
nico-loeber opened this issue Sep 27, 2021 · 0 comments · Fixed by #12092
Labels
Status: Untriaged An issue that has yet to be triaged.

Description

Generating certificates signed with a custom CA certificate results in invalid certificates.
I started working with a CA Cert with a key length of 4096 bytes and a password protected key.
I tried to reduce the causes for an error until I came to the following minimal setup.
Generating and signing the certificate using openssl manually on the CLI works without any problems.
Any help is appreciated!

Chef Version

Chef Infra Client, version 17.5.22

Platform Version

Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-156-generic x86_64)

Replication Case

  • Generate a certificate you later use as trusted CA on your server: openssl req -x509 -nodes -newkey rsa:2048 -keyout test-ca-key.ley -out test-ca-cert.crt -days 365 (in /data/certs/)
  • Try to generate a signed certificate in your cookbook:

    openssl_x509_certificate '/data/certs/test-cert.crt' do
      common_name 'Test Cert'
      ca_key_file '/data/certs/test-ca.key'
      ca_cert_file '/data/certs/test-ca.crt'
      expire 365
    end

  • Verify your certificate with openssl verify -CAfile test-ca.crt test-cert.crt; this will result in the following error output:
CN = Test Cert
error 7 at 0 depth lookup: certificate signature failure
error test-cert.crt: verification failed
140625572319680:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:67:
140625572319680:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:582:
140625572319680:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:162:

If you change the key length, you might also get this error:

error test3.crt: verification failed
140710574764480:error:04091077:rsa routines:int_rsa_verify:wrong signature length:../crypto/rsa/rsa_sign.c:132:
140710574764480:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:162:

Client Output

server.example.com   * openssl_x509_certificate[/data/certs/test-cert.crt] action create
server.example.com     * file[/data/certs/test-cert.crt] action create_if_missing
server.example.com       - create new file /data/certs/test-cert.crt
server.example.com       - update content in file /data/certs/test-cert.crt from none to a4edd6
server.example.com       --- /data/certs/test-cert.crt    2021-09-27 18:39:21.512966990 +0200
server.example.com       +++ /data/certs/.chef-test-cert20210927-4456-l80vus.crt  2021-09-27 18:39:21.512966990 +0200
server.example.com       @@ -1 +1,27 @@
server.example.com       +-----BEGIN CERTIFICATE-----
server.example.com       +-----END CERTIFICATE-----
server.example.com     * file[/data/certs/test-cert.key] action create_if_missing
server.example.com       - create new file /data/certs/test-cert.key
server.example.com       - update content in file /data/certs/test-cert.key from none to d8b886
server.example.com       - suppressed sensitive resource
server.example.com
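The verification step from the replication case, worked in Ruby as an added example (it is neither Chef's openssl_x509_certificate implementation nor the reporter's code): it builds a throwaway CA, issues one leaf certificate signed with the CA key and one signed with a different key, and runs the same chain check that openssl verify -CAfile performs. Signing the second leaf with the leaf's own key is an assumption used to model the failure mode; it reproduces the "certificate signature failure" shown above (with mismatched key sizes the lower-level error becomes the "wrong signature length" variant).

```ruby
require 'openssl'

# Self-signed CA, standing in for test-ca.crt / test-ca.key (constructed here).
def make_ca(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Leaf certificate for leaf_key, issued under ca_cert and signed with signing_key.
# Correct issuance signs with the CA's private key; any other key (assumption:
# the leaf's own key) gives an issuer name of "Test CA" with a signature the CA
# public key cannot verify, which is what the verify errors above report.
def issue_leaf(ca_cert, leaf_key, signing_key, cn = 'Test Cert')
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = leaf_key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 365 * 86_400
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same check as `openssl verify -CAfile test-ca.crt test-cert.crt`: build the
# chain against a store holding only the CA. Returns [ok?, error string].
def verify_against_ca(ca_cert, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

def demo
  ca_key, ca_cert = make_ca
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  good = verify_against_ca(ca_cert, issue_leaf(ca_cert, leaf_key, ca_key))
  bad  = verify_against_ca(ca_cert, issue_leaf(ca_cert, leaf_key, leaf_key))
  { good: good, bad: bad }
end
```

Running the same store check against a certificate written by the resource, with the real test-ca.crt loaded into the store, is the quickest way to confirm whether a given Chef build is affected before the certificate reaches a server.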