v0.13: Generated cert signed by external CA cert returns cert that can't be validated against CA #261

Closed
brocaar opened this issue Apr 2, 2024 · 5 comments · Fixed by #262

brocaar (Contributor) commented Apr 2, 2024

This might be an error from my side, but after migrating to v0.13, I'm again unable to generate a client-certificate that can be validated against the CA certificate. The generated client-certificate does not have the same X509v3 Authority Key Identifier as the CA certificate.

Most of the context is the same as #195, with the exception that this time, when I load the CA certificate from an external file as rcgen::Certificate and then print it as PEM, the X509v3 Subject Key Identifier is equal to the original X509v3 Subject Key Identifier of the CA certificate (that was the #195 issue, where it would not preserve the original one).

Summary

  • I load an external CA certificate + key file (rootCA.crt + rootCA.key)
  • I generate a client-certificate and sign this using the CA certificate
  • I print the CA certificate + client-certificate
  • I write the printed CA certificate to outCA.crt and client-certificate to clientCert.crt

Validations:

  • rootCA.crt X509v3 Authority Key Identifier == outCA.crt X509v3 Authority Key Identifier
  • rootCA.crt X509v3 Authority Key Identifier != clientCert.crt X509v3 Authority Key Identifier

rootCA.crt contains:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:50:03:98:06:EC:EA:07:4B:13:09:9E:44:BA:6B:29:5F:5F:19:57
            X509v3 Authority Key Identifier:
                FD:50:03:98:06:EC:EA:07:4B:13:09:9E:44:BA:6B:29:5F:5F:19:57
            X509v3 Basic Constraints: critical
                CA:TRUE

outCA.crt contains:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:50:03:98:06:EC:EA:07:4B:13:09:9E:44:BA:6B:29:5F:5F:19:57
            X509v3 Basic Constraints: critical
                CA:TRUE

clientCert.crt contains:

        X509v3 extensions:
            X509v3 Authority Key Identifier:
                9F:26:E1:A3:53:B1:BD:1A:3B:0D:CE:37:59:D9:01:CA:FF:E1:2B:7B
            X509v3 Subject Alternative Name:
                DNS:example.com
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication

$ openssl verify -verbose -CAfile rootCA.crt  clientCert.crt
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error clientCert.crt: verification failed

Question

Is this a bug, or am I missing something in my migration from v0.12 to v0.13? /cc @cpu . Please find below my code under main.rs, as well as the rootCA.crt and rootCA.key that I have been using for my testing (non-critical, only generated for testing this issue).

Files

main.rs

use std::fs::read_to_string;

fn main() {
    let (ca_cert, ca_key) = get_ca_cert();

    println!("=== CA CERTIFICATE (outCA.crt) ===========\n");
    println!("{}", ca_cert.pem());

    let (client_cert, _client_key) = get_client_cert("example.com", &ca_cert, &ca_key);
    println!("=== CLIENT CERT (clientCert.crt) =========\n");
    println!("{}", client_cert.pem());
}

fn get_ca_cert() -> (rcgen::Certificate, rcgen::KeyPair) {
    let cert = read_to_string("rootCA.crt").unwrap();
    let cert_algo = read_algo(&cert);

    println!("CA cert algorithm: {:?}", cert_algo);

    let ca_key = read_to_string("rootCA.key").unwrap();
    let ca_key = rcgen::KeyPair::from_pem_and_sign_algo(&ca_key, cert_algo).unwrap();

    let params = rcgen::CertificateParams::from_ca_cert_pem(&cert).unwrap();
    (params.self_signed(&ca_key).unwrap(), ca_key)
}

fn get_client_cert(
    cn: &str,
    issuer: &rcgen::Certificate,
    issuer_key: &rcgen::KeyPair,
) -> (rcgen::Certificate, rcgen::KeyPair) {
    let mut params = rcgen::CertificateParams::new(vec![cn.to_string()]).unwrap();
    params
        .distinguished_name
        .push(rcgen::DnType::CommonName, cn.to_string());
    params.use_authority_key_identifier_extension = true;
    params
        .key_usages
        .push(rcgen::KeyUsagePurpose::DigitalSignature);
    params
        .extended_key_usages
        .push(rcgen::ExtendedKeyUsagePurpose::ClientAuth);

    let key = rcgen::KeyPair::generate().unwrap();

    (params.signed_by(&key, issuer, issuer_key).unwrap(), key)
}

fn read_algo(cert: &str) -> &'static rcgen::SignatureAlgorithm {
    let cert = pem::parse(cert).unwrap();
    let (_remainder, x509) = x509_parser::parse_x509_certificate(cert.contents()).unwrap();

    let alg_oid = x509
        .signature_algorithm
        .algorithm
        .iter()
        .unwrap()
        .collect::<Vec<_>>();

    rcgen::SignatureAlgorithm::from_oid(&alg_oid).unwrap()
}

Example output

CA cert algorithm: PKCS_RSA_SHA512
=== CA CERTIFICATE (outCA.crt) ===========


=== CLIENT CERT (clientCert.crt) =========

djc (Member) commented Apr 2, 2024

If you have a chance, would be nice to run a git bisect to see when this regressed (it's probably my fault, sorry -- but I won't have time today to run a bisection).

cpu (Member) commented Apr 2, 2024

@brocaar Thanks for the very detailed issue. I will try and investigate when I can.

To confirm: you're using rcgen with default features? e.g. still *ring* and not aws-lc-rs?

brocaar (Contributor, Author) commented Apr 3, 2024

@cpu correct, please find the Cargo.toml for the example below:

[dependencies]
rcgen = { version = "0.13", features = ["x509-parser"]}
pem = "3.0"
x509-parser = "0.16"

cpu (Member) commented Apr 3, 2024

@brocaar Thanks again for the detailed reproducer. It made this very easy to debug 🌠

PTAL at #262. When I run your reproducer with the rcgen dep pointed at that branch I'm able to verify the client cert with OpenSSL where it prev failed as you describe:

[daniel@blanc:~/Code/Rust/rcgen261]$ openssl verify -verbose -CAfile rootCA.crt  clientCert.crt # Generated w/ rcgen 0.13
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error clientCert.crt: verification failed

[daniel@blanc:~/Code/Rust/rcgen261]$ openssl verify -verbose -CAfile rootCA.crt  clientCert2.crt # Generated w/ PR 262
clientCert2.crt: OK
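
The identifier comparison behind the failing and passing verifications above, as an added example that is not code from the issue or from rcgen: when both extensions are present, OpenSSL accepts a CA as a candidate issuer only if the leaf's Authority Key Identifier equals the CA's Subject Key Identifier. The function and type names are illustrative, and the sample text is the extension output quoted in the report.

```rust
// Added example, not code from the issue or rcgen: compare a leaf's AKI with its
// issuer's SKI using the extension text printed by `openssl x509 -noout -text`.

/// Hex identifier on the line after `label`, upper-cased, minus the "keyid:"
/// prefix some OpenSSL releases print. None if absent or not a hex identifier.
fn key_id(text: &str, label: &str) -> Option<String> {
    let mut lines = text.lines().map(str::trim);
    while let Some(line) = lines.next() {
        if line.starts_with(label) {
            let value = lines.next()?;
            let value = value.strip_prefix("keyid:").unwrap_or(value);
            let well_formed = value
                .split(':')
                .all(|b| b.len() == 2 && b.bytes().all(|c| c.is_ascii_hexdigit()));
            return well_formed.then(|| value.to_ascii_uppercase());
        }
    }
    None
}

#[derive(Debug, PartialEq)]
enum Link {
    Match,
    Mismatch { leaf_aki: String, issuer_ski: String },
    NotComparable, // one side lacks the extension, so there is nothing to compare
}

fn check_link(issuer_text: &str, leaf_text: &str) -> Link {
    let ski = key_id(issuer_text, "X509v3 Subject Key Identifier");
    let aki = key_id(leaf_text, "X509v3 Authority Key Identifier");
    match (ski, aki) {
        (Some(s), Some(a)) if s == a => Link::Match,
        (Some(s), Some(a)) => Link::Mismatch { leaf_aki: a, issuer_ski: s },
        _ => Link::NotComparable,
    }
}

// Extension text as quoted in the report for rootCA.crt and clientCert.crt.
const ROOT_CA: &str = "X509v3 Subject Key Identifier:
    FD:50:03:98:06:EC:EA:07:4B:13:09:9E:44:BA:6B:29:5F:5F:19:57
X509v3 Authority Key Identifier:
    FD:50:03:98:06:EC:EA:07:4B:13:09:9E:44:BA:6B:29:5F:5F:19:57";
const CLIENT: &str = "X509v3 Authority Key Identifier:
    9F:26:E1:A3:53:B1:BD:1A:3B:0D:CE:37:59:D9:01:CA:FF:E1:2B:7B
X509v3 Subject Alternative Name:
    DNS:example.com";
fn main() {
    println!("{:?}", check_link(ROOT_CA, CLIENT));
}
```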

brocaar (Contributor, Author) commented Apr 4, 2024

@cpu thank you for the quick feedback and fix 👍

@djc djc closed this as completed in #262 Apr 5, 2024