Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Only CSR version 1 (encoded as 0) is allowed by PKIX standards #747

Merged
merged 1 commit into from
Apr 26, 2024

Conversation

botovq
Copy link
Contributor

@botovq botovq commented Apr 24, 2024

Fixes #734

@junaruga
Copy link
Member

@botovq Thank you for the PR. Though I don't understand the content of this PR, could you add the following kind of the text in this PR's commit message? It's like 2e826d5. The text is helpful for us to notice that we need to backport this PR's commit when seeing the error on the Rubies of the master or stable branches in the ruby/ruby.


This commit fixes the following error.

 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError: X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in `test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42: 
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)

RFC 2986, section 4.1 only defines version 1 for CSRs. This version
is encoded as a 0. Starting with OpenSSL 3.3, setting the CSR version
to anything but 1 fails.

Do not attempt to generate a CSR with invalid version (which now fails)
and invalidate the CSR in test_sign_and_verify_rsa_sha1 by changing its
subject rather than using an invalid version.

This commit fixes the following error.

```
 2) Error: test_version(OpenSSL::TestX509Request): OpenSSL::X509::RequestError:
X509_REQ_set_version: passed invalid argument
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `version='
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:18:in `issue_csr'
/home/runner/work/openssl/openssl/test/openssl/test_x509req.rb:43:in
`test_version'
     40:     req = OpenSSL::X509::Request.new(req.to_der)
     41:     assert_equal(0, req.version)
     42:
  => 43:     req = issue_csr(1, @dn, @rsa1024, OpenSSL::Digest.new('SHA256'))
     44:     assert_equal(1, req.version)
     45:     req = OpenSSL::X509::Request.new(req.to_der)
     46:     assert_equal(1, req.version)
```
@botovq
Copy link
Contributor Author

botovq commented Apr 26, 2024 via email

@rhenium
Copy link
Member

rhenium commented Apr 26, 2024

Looks good to me. Thank you for the PR!

@rhenium rhenium merged commit 362a69a into ruby:master Apr 26, 2024
53 checks passed
botovq added a commit to botovq/ruby-openssl that referenced this pull request Apr 26, 2024
After ruby#747 was merged, no caller sets the CSR version anymore.
botovq added a commit to botovq/ruby-openssl that referenced this pull request Apr 26, 2024
After ruby#747 was merged, no caller sets the CSR version anymore.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

Invalid CSR versions set in regress tests
4 participants