Fix serial number writing into CRL files with the x509 module #47986
What does this PR do?
This PR removes code that is converting certificate serial numbers from hexadecimal to integer when writing CRL files using the x509 module.
What issues does this PR fix or reference?
This PR fixes #47984.
CRLs are saved with wrong serial numbers, as described in the referenced issue, and are therefore useless for actually revoking certificates.
The correct serial numbers are now saved into the CRLs, as shown in the following steps:
```
root@discordia:~# salt-call state.sls pki.crl
local:
----------
          ID: create root crl
    Function: x509.crl_managed
        Name: /srv/certs/root.crl
      Result: True
     Comment: File /srv/certs/root.crl is in the correct state
     Started: 23:56:33.864532
    Duration: 36.605 ms
     Changes:
----------
          ID: create intermediate crl
    Function: x509.crl_managed
        Name: /srv/certs/intermediate.crl
      Result: True
     Comment: File /srv/certs/intermediate.crl updated
     Started: 23:56:33.901254
    Duration: 23.15 ms
     Changes:
              ----------
              New:
                  ----------
                  Issuer:
                      ----------
                      C:
                          DE
                      CN:
                          Intermediate CA
                      L:
                          City
                      ST:
                          City
                  Last Update:
                      2018-06-05 21:56:33
                  Next Update:
                      2018-09-13 21:56:33
                  Revoked Certificates:
                      |_
                        ----------
                        57CE95B07CDC5DD8:
                            ----------
                            CRL entry extensions:
                                ----------
                                X509v3 CRL Reason Code:
                                    Key Compromise
                            Revocation Date:
                                2018-05-01 00:00:00
                  Signature Algorithm:
                      sha256WithRSAEncryption
                  Version:
                      1 (0x0)
              Old:
                  /srv/certs/intermediate.crl does not exist.

Summary for local
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2
Total run time:  59.755 ms
```

```
root@discordia:~# openssl verify -CAfile /srv/certs/bundleca.pem -CRLfile /srv/certs/intermediate.crl -crl_check /srv/certs/salt1.dev.infra.network.pem
C = DE, CN = salt1.dev.infra.network, L = City, ST = City
error 23 at 0 depth lookup: certificate revoked
error /srv/certs/salt1.dev.infra.network.pem: verification failed
```

```
root@discordia:~# openssl x509 -serial -in /srv/certs/salt1.dev.infra.network.pem -noout
serial=57CE95B07CDC5DD8
root@discordia:~# openssl crl -in /srv/certs/intermediate.crl -text -noout | grep Serial
    Serial Number: 57CE95B07CDC5DD8
```
@garethgreenaway hey! In the process of writing some unit tests to validate the fix, I ended up stumbling upon the realization that the CRL function might not be working for Salt 2018 and develop at all, since the OpenSSL bindings expect to receive non-Unicode strings and inside Salt it seems to be all Unicode now. So whilst the previous fix worked fine for Salt 2017, for Salt 2018 and develop it was simply a no-go.
The unit tests and a real test instance confirm that everything should be working fine now.
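The following is an added, constructed Python illustration of the two problems discussed in this PR (the hex-to-integer conversion from the description, and the bytes-versus-Unicode requirement from the comment above). It is not Salt's x509 module and not the PR's diff. It assumes, per the pyOpenSSL API, that `OpenSSL.crypto.Revoked.set_serial()` takes the serial as a hexadecimal string passed as bytes and hands it to OpenSSL's `BN_hex2bn`, which parses whatever digits it is given as hex; the colon-separated input form handled by `normalize_serial()` is also an assumption. The sample serial is the one from the PR's own `openssl` output; `crl_revokes()` models the comparison `openssl verify -crl_check` performs rather than calling OpenSSL.

```python
"""Why converting a hex serial to an integer corrupts a CRL entry.

Constructed illustration; it does not import pyOpenSSL so it runs offline.
Assumption: Revoked.set_serial() takes the serial as a hexadecimal string,
as bytes under Python 3, and parses it with BN_hex2bn.
"""
import re

# Serial taken from the PR's openssl output above.
SAMPLE_SERIAL = "57CE95B07CDC5DD8"


def normalize_serial(serial):
    """Return the serial as bare upper-case hex.

    Accepts the colon-separated form some tools print ("57:CE:95:...")
    and ignores surrounding whitespace (assumed input formats).  Anything
    else is rejected rather than silently passed to the binding.
    """
    cleaned = serial.strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("serial is not hexadecimal: %r" % (serial,))
    return cleaned


def buggy_serial_for_crl(serial):
    """The code path the PR removes: hex -> int -> decimal string.

    The decimal digits are themselves a valid hex string, so the binding
    accepts them and stores a completely different number.
    """
    return str(int(normalize_serial(serial), 16))


def fixed_serial_for_crl(serial):
    """Hand the hex string straight to the binding, as ASCII bytes so the
    non-Unicode requirement mentioned in the comment above is met."""
    return normalize_serial(serial).encode("ascii")


def serial_as_openssl_reads_it(value):
    """Model of BN_hex2bn: parse whatever string it is given as hex."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return int(value, 16)


def crl_revokes(serial_written, serial_on_cert):
    """True iff the serial stored in the CRL equals the certificate's serial,
    which is the comparison `openssl verify -crl_check` effectively makes."""
    return (serial_as_openssl_reads_it(serial_written)
            == int(normalize_serial(serial_on_cert), 16))


if __name__ == "__main__":
    bad = buggy_serial_for_crl(SAMPLE_SERIAL)
    good = fixed_serial_for_crl(SAMPLE_SERIAL)
    print("buggy value handed to set_serial: %s" % bad)
    print("  read back as hex -> %X (cert has %s) -> revokes: %s"
          % (serial_as_openssl_reads_it(bad), SAMPLE_SERIAL,
             crl_revokes(bad, SAMPLE_SERIAL)))
    print("fixed value handed to set_serial: %r" % good)
    print("  read back as hex -> %X -> revokes: %s"
          % (serial_as_openssl_reads_it(good),
             crl_revokes(good, SAMPLE_SERIAL)))
```

The practical check after any CRL change is the last pair of commands in the PR description: compare `openssl x509 -serial` on the revoked certificate with the `Serial Number:` lines of `openssl crl -text`, then confirm `openssl verify -crl_check` reports `certificate revoked`. A CRL whose entries pass this check is the only one that actually blocks the key.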
One small request from me on the new tests. (Thank you for writing those!)