Subject: CAcert Code Development list.
Error handling on invalid SPKAC requests (was: Re: [s20110830.126] support id 386912842 ; just tried to generate a certificate with Finnish identification card)
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: Wytze van der Raay <wytze AT cacert.org>
- Cc: CAcert Support <support AT cacert.org>, "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org
- Subject: Error handling on invalid SPKAC requests (was: Re: [s20110830.126] support id 386912842 ; just tried to generate a certificate with Finnish identification card)
- Date: Wed, 31 Aug 2011 17:09:47 +0200
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Openpgp: id=9940BEF1
Hi Wytze,
On 31.08.2011 12:12, Wytze van der Raay wrote:
> On 31.08.2011 00:07, CAcert Support wrote:
>> could you please check the log files for the ID stated below.
>> ...
>> ---- Forwarded message from XXXXXXXXX> ---
>> From: XXXXXX To:
>> support AT cacert.org
>> Subject: support id 386912842 ; just tried to generate a certificate with Finnish identification card
>> Date: 2011-08-30 21:11:41
>>>> In case you are interested : got a message "Something went wrong when
>>>> processing your request. Please contact support AT cacert.org for help and
>>>> provide them with the following ID: 386912842". I was generating a
>>>> certificate request with Finnish identification card. Actually I did not
>>>> expect it to work. Would have been nice if it did..
>>>>
>>>> XXXXXXXXXX
>
> The phperrors.log shows (time stamp is in CEST):
>
> [30-Aug-2011 23:00:46] PHP Warning: checkWeakKeyText(): Couldn't extract
> the public key algorithm used. ID: 386912842 in
> /www/includes/account_stuff.php on line 300
>
> Around the same time there is also in the apache errorlog:
>
> Error loading SPKAC
> 31534:error:0B081076:x509 certificate
> routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:92:
>
> I suspect that the user uploaded something that was not formatted like a
> proper certificate signing request (CSR), i.e. something not decodable by
> "openssl req -in xxx.csr -text -noout"
I guess you're right on that one.
> I think it is a bit strange that the detailed error message
> "checkWeakKeyText(): Couldn't extract the public key algorithm used"
> is only logged in our internal log and is not reported back to the user.
> If this happens a lot, it could cause many unnecessary interactions with
> support and critical-admin for stuff that might often be solvable by the
> user herself when given enough information. This is part of the new
> coding added for checking for weak keys. Therefore I'll copy this message
> to the developer (there is no privacy sensitive information in it).
There are a lot of expected error conditions reported back to the user,
I also check the return value of openssl and try to give an error to the
user in this case. SPKACs are handled a little bit differently in that
regard so I guess I need to have a look at this again.
The log entries with IDs were only introduced in places which indicate
an error on our side / in our software (i.e. things that should never
happen but, history taught us, occasionally do). I don't want to give
all the details to the user in those cases, because it might indicate a
vulnerability in our code. So I want the user to be able to report a
problem and what caused it but I don't want to give an attacker the
extra bit of information he needs to exploit us. That's why a generic
error message is given to the user with a random ID and more information
is logged along with that same ID to allow us to debug this code. And
according to this case it seems to work. There is an error in our code
that does not catch invalid SPKACs and tries to parse extra information
out of it instead of aborting and giving an error message which does not
make sense. Luckily enough this parsing fails and produces this error
message. Now we developers have to fix the underlying problem.
I have created a bug report for this issue:
https://bugs.cacert.org/view.php?id=978
Have a nice day,
--
Michael Tänzer
CAcert Support Team Leader
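
The two-tier error handling described in this message, as an added Python sketch that is not CAcert's code (their code base is PHP): malformed SPKAC input is rejected up front with a specific message, while an unexpected internal failure yields only a generic message plus a random ID, with the details written to the log under that ID. The names `decode_spkac`, `handle_request`, `UserError`, the `check_key` callback, the logger name and the sample value are assumptions made for the illustration.

```python
import base64
import binascii
import logging
import secrets

log = logging.getLogger("spkac-demo")  # hypothetical logger name

# Constructed sample: base64 of a minimal DER SEQUENCE, not a real SPKAC.
SAMPLE_DER_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()


class UserError(Exception):
    """Expected failure caused by the submitted input; safe to show the user."""


def decode_spkac(field):
    """Reject input that is not base64-encoded DER before any key parsing."""
    try:
        der = base64.b64decode("".join(field.split()), validate=True)
    except (binascii.Error, ValueError):
        raise UserError("The submitted SPKAC is not valid base64.") from None
    # A SignedPublicKeyAndChallenge is a DER SEQUENCE, so it starts with 0x30.
    if len(der) < 2 or der[0] != 0x30:
        raise UserError("The submitted SPKAC is not a DER-encoded structure.")
    return der


def handle_request(field, check_key):
    """Return (ok, message_for_user); check_key stands in for a weak-key check."""
    try:
        check_key(decode_spkac(field))
    except UserError as exc:
        # Expected condition: the user can fix it, so say what is wrong.
        return False, str(exc)
    except Exception:
        # Unexpected condition: generic text plus a random 9-digit ID for the user,
        # full traceback only in the internal log under the same ID.
        support_id = secrets.randbelow(900_000_000) + 100_000_000
        log.exception("SPKAC processing failed. ID: %d", support_id)
        return False, ("Something went wrong when processing your request. "
                       "Please contact support and provide them with the "
                       "following ID: %d" % support_id)
    return True, "Request accepted."
```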