> >Description:
> I have a config file for SSL certificates that declares to use the
> x509_extensions crlDistributionPoints with this syntax:
> crlDistributionPoints = URI:http://192.168.1.5/crl/root.crl
>
> however when generating the certificate against this config a check of the
> generated certificate shows that the CRL definition is not present.
What command do you actually run? The ones I tried did not generate a cert
without CRL. They gave errors clearly pointing at your config:

Error Loading extension section default
8235954348040:error:22FFF077:X509 V3 routines:CRYPTO_internal:bad object:/usr/src/lib/libcrypto/x509/x509_alt.c:697:name=URI value='http://192.168.1.5/crl/root.crl'
8235954348040:error:22FFF080:X509 V3 routines:CRYPTO_internal:error in extension:/usr/src/lib/libcrypto/x509/x509_conf.c:102:name=crlDistributionPoints, value=URI:http://192.168.1.5/crl/root.crl

> This same config file was fine from around OpenBSD 6.7 up to 7.2.
>
> >How-To-Repeat:
> Create a config file for SSL certificates that declares to use the
> x509_extensions crlDistributionPoints with a URL target.
>
> Generate a certificate against this config, there should be the CRL options
> declared.

As far as I can see, the problem is this: your crldp URI contains an IP
address and you run into a check that the host component is not an IP
address:

https://github.com/openbsd/src/blob/master/lib/libcrypto/x509/x509_constraints.c#L52

reached via the GEN_URI case in the v2i_GENERAL_NAME() call from v2i_crld().

This check as it is now was introduced with the start of the CBS rewrite of
the name constraints code:

https://github.com/openbsd/src/commit/f06436f8f89ac0f304ac1a32314f2adbb2ea3b22

However, such a check was already there with the first version of
x509_constraints(). It had a bug due to passing the entire
192.168.1.5/crl/root.crl to inet_pton() instead of only the IP address.
That's why your config worked prior to 7.3.

My understanding is that the v2i_GENERAL_NAME() was modified with the
intention of making SAN checking stricter. I am not convinced these stricter
checks should apply to all callers of v2i_GENERAL_NAME*(), in particular SIA,
AIA and crlDP.

An unrelated bug in the vicinity: cbs_is_ip_address() fails open when
CBS_strdup() fails: return value 0 is good, 1 is bad.
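The two behaviours the reply contrasts, as an added illustration that is not part of this thread and not libcrypto code: the pre-7.3 check that handed the whole "192.168.1.5/crl/root.crl" remainder to inet_pton() (so an IP-hosted URI was never recognised as one), versus a check that isolates the host component first. The URIs and the function names old_host_is_ip/host_is_ip are constructed for the example; Python's ipaddress module stands in for inet_pton().

```python
"""Added example: does the host of a crlDistributionPoints URI look like an
IP literal?  Contrasts a whole-remainder check with a host-only check."""
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(text):
    # Stand-in for inet_pton(): True only if the entire string is an IPv4 or
    # IPv6 address, False for anything with a path, port or hostname in it.
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def old_host_is_ip(uri):
    # Mimics the bug the reply describes: everything after "://" is passed to
    # the address parser, so "192.168.1.5/crl/root.crl" is never an address
    # and the IP-host check can never trigger (assumption: that is the only
    # difference from the current check).
    _, _, remainder = uri.partition("://")
    return is_ip_literal(remainder)


def host_is_ip(uri):
    # Isolate the host component first: urlsplit().hostname drops the scheme,
    # userinfo, port and path, and strips the brackets from an IPv6 literal.
    host = urlsplit(uri).hostname
    return host is not None and is_ip_literal(host)


def classify(uris):
    # For each constructed URI, report both verdicts side by side.
    return {uri: (old_host_is_ip(uri), host_is_ip(uri)) for uri in uris}


# Constructed sample values, not taken from any real configuration.
SAMPLE_URIS = [
    "http://192.168.1.5/crl/root.crl",      # the case from the bug report
    "http://crl.example.org/root.crl",      # hostname: passes either way
    "http://[2001:db8::1]:8080/root.crl",   # bracketed IPv6 literal with port
    "http://192.168.1.5:8080/root.crl",     # IPv4 literal with port
]

if __name__ == "__main__":
    for uri, (old, new) in classify(SAMPLE_URIS).items():
        print(f"{uri}\n  whole-remainder check: {old}\n  host-only check: {new}")
```

The point for anyone maintaining such a config: the old check "accepted" IP-hosted URIs only by accident, so a config that relied on it was never validated the way the code intended. Whether an IP-hosted crlDP should be rejected at all is the policy question the reply raises about SIA, AIA and crlDP callers.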