Package: tinyca
Version: 0.7.0-2
Severity: important
Tags: patch
If I import a CA into tinyca, and provide it with an index.txt file, the initial value for the serial file seems to always be 01. This is bad, because it makes tinyca fail to sign any new cert requests with this authority if serial number 01 is already present in the index file. (The error message for that failure also is wrong: it claims that the wrong password was entered, when the actual error is openssl refusing to generate a duplicated serial number for the certificate.)

This bug is important because it completely breaks tinyca for people trying to transition an existing CA infrastructure to tinyca.

The attached patch fixes the problem for me. There are two hunks in it. I think the first hunk at least is necessary to fix this problem. Basically, CA.pm generates the serial count by parsing index.txt, but then throws it away by re-initializing the stored serial to "01". Maybe this was intended to handle the case when no index.txt is supplied, and tinyca must invent some serial numbers? The first hunk of the patch simply declines to re-initialize the serial value if it is present and >= 1.

The second hunk in the patch may not be relevant, but it fixes what looks to me like a logic error when the user has not provided an index.txt file. However, I don't fully understand the logic of the code surrounding that hunk, so you may prefer to not apply it. I don't have much experience importing CA information without a corresponding index.txt.

Thanks for maintaining tinyca. It's a fairly clean interface to a very complicated specification, and it makes it easier to work with these tools.
Regards,

--dkg

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages tinyca depends on:
ii  libgnome2-perl          1.023-1    Perl interface to the GNOME librar
ii  libgtk2-perl            1:1.081-1  Perl interface to the 2.x series o
ii  liblocale-gettext-perl  1.05-1     Using libc functions for internati
ii  openssl                 0.9.7g-2   Secure Socket Layer (SSL) binary a

Versions of packages tinyca recommends:
ii  zip                     2.31-3     Archiver for .zip files

-- no debconf information
--- CA.pm.orig 2005-09-29 10:37:44.000000000 -0400 +++ CA.pm 2005-09-29 10:59:25.000000000 -0400 @@ -642,7 +642,9 @@ my $data = {}; my $ca = $opts->{'name'}; - $opts->{'serial'} = "01"; + if (hex($opts->{'serial'}) < 1) { + $opts->{'serial'} = "01"; + } if(defined($box)) { $box->destroy(); @@ -745,7 +747,7 @@ # get information for serial file if(hex($data->{'parsed'}->{'SERIAL'}) >= hex($opts->{'serial'})) { - $opts->{'serial'} = sprintf("%x", hex($opts->{'serial'})); + $opts->{'serial'} = sprintf("%x", hex($data->{'parsed'}->{'SERIAL'})); } $opts->{'serial'} = hex($opts->{'serial'}) + 1; $opts->{'serial'} = sprintf("%x", $opts->{'serial'});
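Review bot: in the first hunk, `hex($opts->{'serial'}) < 1` is evaluated before anything guarantees that `$opts->{'serial'}` is set, so if CA.pm runs under `use warnings` an unset serial produces a "Use of uninitialized value" warning (hex(undef) returns 0, so the "01" default is still applied). A guard such as `if (!defined($opts->{'serial'}) || hex($opts->{'serial'}) < 1)` keeps the intended behaviour without the warning; note that the `< 1` test also treats a supplied "00" as absent, which matches the reporter's stated intent.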
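Review bot: the second hunk is the right fix for the discarded index value: before it, the true branch of the `>=` test only rewrote `$opts->{'serial'}` as itself, so the larger `$data->{'parsed'}->{'SERIAL'}` was never carried forward. Two follow-ups in the same region: `$data->{'parsed'}->{'SERIAL'}` goes into hex() without a defined check, so an index.txt with no entries warns and is treated as 0; and the trailing `sprintf("%x", $opts->{'serial'})` in the unchanged context lines can yield an odd-length value such as "a", whereas the serial file convention (and the "01" default in the first hunk) uses pairs of hex digits, so padding the result to an even number of digits would be safer.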
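As an added example (not tinyca's own code), the serial derivation the report describes, carried through in Perl: parse an OpenSSL-style index.txt, take the larger of its highest serial and any existing serial file value, add one, and emit the even-digit hex form a serial file carries. The index lines are constructed for the example; the function names are my own.

```perl
#!/usr/bin/perl
# Added example, not tinyca's code: derive the next CA serial from an
# OpenSSL-style index.txt so an imported CA does not restart at "01".
use strict;
use warnings;

# Constructed sample index.txt (tab-separated OpenSSL CA database lines:
# status, expiry, revocation date, serial, filename, subject).
my $index_txt = join "",
    "V\t261001000000Z\t\t01\tunknown\t/CN=alice.example\n",
    "R\t261001000000Z\t250101000000Z\t02\tunknown\t/CN=bob.example\n",
    "V\t261001000000Z\t\t0A\tunknown\t/CN=carol.example\n";

# Highest serial present in the index, as an integer (0 when empty).
sub highest_serial {
    my ($text) = @_;
    my $max = 0;
    for my $line (split /\n/, $text) {
        my @f = split /\t/, $line;
        next unless @f >= 4 && $f[3] =~ /^[0-9a-fA-F]+$/;
        my $n = hex $f[3];
        $max = $n if $n > $max;
    }
    return $max;
}

# Format a serial the way OpenSSL serial files carry it: hex with an even
# number of digits, so 11 becomes "0B" rather than "b".
sub format_serial {
    my ($n) = @_;
    my $hex = sprintf "%X", $n;
    $hex = "0$hex" if length($hex) % 2;
    return $hex;
}

# Next usable serial: the larger of (highest index serial, existing serial
# file value) plus one. $stored is the serial file value, or undef if none.
sub next_serial {
    my ($text, $stored) = @_;
    my $from_index = highest_serial($text);
    my $from_file  = defined $stored ? hex $stored : 0;
    my $base = $from_index > $from_file ? $from_index : $from_file;
    return format_serial($base + 1);
}

# With the three entries above the next serial is 0B; resetting the
# stored serial to "01" instead would collide with the first index entry
# and openssl would refuse to issue the certificate.
print "next serial: ", next_serial($index_txt, undef), "\n";
```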