
cacert-devel - Re: Patch request: Bug #540

Subject: CAcert Code Development list.


Re: Patch request: Bug #540


  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Michael Tänzer <michael.taenzer AT cacert.org>
  • Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org, Ulrich Schröter CAcert <ulrich AT cacert.org>, Dirk Astrath <dirk.astrath AT cacert.org>, Daniel Wagner <dwkwaxi AT gmail.com>, Marcus Mängel <inopiae AT cacert.org>, Kenneth Van Wyk <ken AT krvw.com>
  • Subject: Re: Patch request: Bug #540
  • Date: Fri, 27 Jul 2012 18:22:49 +0200

Hi Michael,

On 25-7-2012 0:07, Michael Tänzer wrote:
> We have a fix for https://bugs.cacert.org/view.php?id=540
> "No key usage attribute in cacert org certs anymore?"
> 
> The fix was reviewed by Dirk Astrath (dastrath) and me (NEOatNHNG) and
> tested by Ulrich Schröter (Uli60), Daniel Wagner (Kwaxi), Marcus Mängel
> (INOPIAE) and Kenneth Van Wyk.
> 
> Diff is attached (bug-540.diff). Please also run the locale makefile so
> that our translators see the new strings (if present) on
> https://translations.cacert.org and new translations get imported into
> the system.
> 
> The patch also needs to be applied to the signing server and
> additionally the changes found in the svn_bug-540.diff need to be
> applied to the openssl config files on the signer.
> 
> 
> Changed files:
> CommModule/server.pl
> www/policy/CertificationPracticeStatement.php

The patches have been installed on the signing server and the webdb
server as requested above, on July 27, 2012. See also the attached
log messages sent to the cacert-systemlog mailing list.
The ssl configuration files in the CAcert SVN repository have been
updated likewise.
Finally, the translations.cacert.org upload and downloads have been
performed as requested, and the Apache2 webserver has been reloaded
to activate the new strings.

Regards,
-- wytze

--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: [Visit BIT][27.07.2012] install software patch on signing server
  • Date: Fri, 27 Jul 2012 18:08:30 +0200
Visit date & time:
    27.07.2012, 17:05 - 17:20 CEST

Persons:
    Stefan Kooman (Oophaga)
    Mendel Mobach (CAcert)
    Wytze van der Raay (CAcert)

Actions performed during this site visit:

* Synchronized time of signing server with webdb server through timesync.sh
* Installed patches for https://bugs.cacert.org/view.php?id=540 on the
  signing server while backing up old versions of all affected files.
* Restarted CommModule process to activate the changed code.
* Verified correct operation by requesting a new server certificate
  through the regular user interface and verifying the returned cert.

Follow-up actions:
* Bring the copy of the affected ssl configuration files in CAcert's svn
  http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/
  back in sync with the new version on the signing server.
* Install the related patch for bug #540 on the webdb server.

-- end


Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---
--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: Fwd: [cvs.cacert.org checkin notification]
  • Date: Fri, 27 Jul 2012 18:11:51 +0200
Fix for https://bugs.cacert.org/view.php?id=540
  No key usage attribute in cacert org certs anymore?

Note that these patches have been preceded by installing the
associated patches on the signing server as documented in the
[Visit BIT][27.07.2012] report on the cacert-systemlog mailing list.

In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php

-- end
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Fri, 27 Jul 2012 18:00:23 +0200 (CEST)

uid=0(root) gid=0(root) groups=0(root)
server.pl 1.1 1.2
Fri Jul 27 18:00:22 CEST 2012
Update of /var/lib/cvs/cacert/CommModule
In directory hlin:/home/cacert/www/CommModule

Modified Files:
        server.pl 
Log Message:
Fix for https://bugs.cacert.org/view.php?id=540
  No key usage attribute in cacert org certs anymore?

===================================================================
RCS file: /var/lib/cvs/cacert/CommModule/server.pl,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- server.pl   2010/12/13 10:58:19     1.1
+++ server.pl   2012/07/27 16:00:21     1.2
@@ -502,9 +502,28 @@
   {
     open OUT,">$wid/extfile";
     print OUT "basicConstraints = critical, CA:FALSE\n";
+    print OUT "keyUsage = critical, digitalSignature, keyEncipherment, 
keyAgreement\n";
     print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n";
-    print OUT "keyUsage = digitalSignature, keyEncipherment\n";
     print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n";
+    
+    my $CRLUrl="";
+    if($root==0)
+    {
+        $CRLUrl="http://crl.cacert.org/revoke.crl";;
+    }
+    elsif($root==1)
+    {
+        $CRLUrl="http://crl.cacert.org/class3-revoke.crl";;
+    }
+    elsif($root==2)
+    {
+        $CRLUrl="http://crl.cacert.org/class3s-revoke.crl";;
+    }
+    else
+    {
+        $CRLUrl="http://crl.cacert.org/root${root}.crl";;
+    }
+    print OUT "crlDistributionPoints = URI:${CRLUrl}\n";
     print OUT "subjectAltName = $san\n" if(length($san));
     close OUT;
     $extfile=" -extfile $wid/extfile ";
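Review bot: keyUsage is now written as critical and gains keyAgreement for every certificate that goes through this extfile; per RFC 5280 section 4.2.1.3 the keyAgreement bit is meaningful only for key-agreement public keys (DH/ECDH), so for RSA subject keys it is inert and "digitalSignature, keyEncipherment" already covers TLS server use. Either set it conditionally on the key type or record in the log message why it is wanted, because the CPS text is being changed to promise it. Two smaller points in the new CRL block: the four `$CRLUrl="...";;` assignments carry a doubled semicolon (if that is not an artifact of the archive, it is an empty statement in Perl, harmless but worth removing), and the `else` fallback `$CRLUrl="http://crl.cacert.org/root${root}.crl";;` silently builds a URL for any unexpected `$root` value instead of failing; logging or rejecting an unknown root index would surface a misconfiguration rather than issuing a certificate that points at a CRL that may not exist.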

--- End Message ---
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Fri, 27 Jul 2012 18:00:29 +0200 (CEST)

uid=0(root) gid=0(root) groups=0(root)
CertificationPracticeStatement.php 1.2 1.3
Fri Jul 27 18:00:29 CEST 2012
Update of /var/lib/cvs/cacert/www/policy
In directory hlin:/home/cacert/www/www/policy

Modified Files:
        CertificationPracticeStatement.php 
Log Message:
Fix for https://bugs.cacert.org/view.php?id=540
  No key usage attribute in cacert org certs anymore?

===================================================================
RCS file: /var/lib/cvs/cacert/www/policy/CertificationPracticeStatement.php,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- CertificationPracticeStatement.php  2011/07/27 10:41:01     1.2
+++ CertificationPracticeStatement.php  2012/07/27 16:00:29     1.3
@@ -69,7 +69,7 @@
 <a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy 
Status" height="31" width="88" style="border-style: none;" /></a><br />
 Creation date: 20060726<br />
 Status: DRAFT p20091108<br />
-<!-- $Id: CertificationPracticeStatement.php,v 1.2 2011/07/27 10:41:01 wytze 
Exp $ -->
+<!-- $Id: CertificationPracticeStatement.php,v 1.3 2012/07/27 16:00:29 wytze 
Exp $ -->
 
 
 <font size="-1">
@@ -3203,54 +3203,50 @@
 <h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
 
 <p>
-Client certificates include the following extensions:.
+  Client certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment,cRLSign
-  </li><li>
-  </li><li>
-    extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is 
replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about Client Certificates Adobe Signing extensions ?</li>
     <li> SubjectAltName should become critical if DN is removed 
http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
   </ul>
 
-
 <p>
-Server certificates include the following extensions:
+  Server certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is 
replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
 
 <p>
-Code-Signing certificates include the following extensions:
+  Code-Signing certificates include the following extensions:
 </p>
-
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    
extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  
<li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is 
replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about subjectAltName for Code-signing</li>
   </ul>
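Review bot: the client-certificate list changes what client certificates may be used for, not only the keyUsage attribute the log message mentions: the old lines were `keyUsage=digitalSignature,keyEncipherment,cRLSign` and `extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC`, and the new ones drop cRLSign and serverAuth. Relying parties read the CPS for exactly this, so call the EKU change out explicitly in the log message and in the bug. The attached server.pl hunk only covers the server-certificate extfile, so the new `keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)` and crlDistributionPoints lines stated for client and code-signing certificates need to be cross-checked against the signer's openssl config changes (svn_bug-540.diff, not included in this checkin) before the CPS asserts them. Finally, subjectAltName is added to the code-signing list while the open question "what about subjectAltName for Code-signing" is kept directly below it; one of the two should go.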

--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature
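The visit report above says the install was verified by requesting a new server certificate and checking the returned cert. The following shell script, an added example that is neither CAcert's code nor part of the original thread, makes that check mechanical: it rebuilds the server-certificate extfile with the same lines the patched server.pl hunk prints (including the root-index to CRL URL mapping), issues a throw-away certificate from a constructed throw-away CA with it, and checks the certificate's text dump against the profile the CPS hunk states. The OCSP URL, the CRL URLs and the root numbering are taken from the thread; the CA, the subject names and the temporary paths are assumptions, as is an openssl CLI on PATH.

```shell
#!/bin/sh
# Added example, not CAcert code: rebuild the server-certificate extfile that the
# patched server.pl writes, issue a throw-away certificate from a throw-away CA
# with it, and check the result against the extension profile the CPS states.
# Assumes the openssl CLI is on PATH; all files go to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same root-index -> CRL URL mapping as the server.pl hunk (root numbering assumed as there).
crl_url_for_root() {
    case "$1" in
        0) echo "http://crl.cacert.org/revoke.crl" ;;
        1) echo "http://crl.cacert.org/class3-revoke.crl" ;;
        2) echo "http://crl.cacert.org/class3s-revoke.crl" ;;
        *) echo "http://crl.cacert.org/root$1.crl" ;;
    esac
}

# Write the extfile with the same lines the patched server.pl prints for server certs.
# $1 = root index, $2 = subjectAltName value (may be empty), $3 = output path
write_extfile() {
    {
        echo "basicConstraints = critical, CA:FALSE"
        echo "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement"
        echo "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC"
        echo "authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org"
        echo "crlDistributionPoints = URI:$(crl_url_for_root "$1")"
        if [ -n "$2" ]; then echo "subjectAltName = $2"; fi
    } > "$3"
}

# Issue a certificate for CN=$2 / SAN=$3 under root index $1 using the extfile above.
# Prints the path of the issued certificate. The CA and the keys are constructed throw-aways.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    write_extfile "$1" "$3" "$WORK/extfile"
    openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/extfile" -out "$WORK/srv.crt" >/dev/null 2>&1
    echo "$WORK/srv.crt"
}

# True if the certificate's text dump contains the pattern.
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Check an issued certificate against the CPS server-certificate profile:
# critical CA:FALSE, critical keyUsage with the three bits, serverAuth EKU,
# the OCSP AIA and a CRL distribution point for the root it was issued under.
# $1 = certificate path, $2 = root index it was issued under
check_profile() {
    cert_has "$1" "X509v3 Basic Constraints: critical" &&
    cert_has "$1" "CA:FALSE" &&
    cert_has "$1" "X509v3 Key Usage: critical" &&
    cert_has "$1" "Digital Signature, Key Encipherment, Key Agreement" &&
    cert_has "$1" "TLS Web Server Authentication" &&
    cert_has "$1" "OCSP - URI:http://ocsp.cacert.org" &&
    cert_has "$1" "URI:$(crl_url_for_root "$2")"
}

# Demo run: issue under root index 1 and report whether the profile matches.
CRT=$(issue_cert 1 "www.example.test" "DNS:www.example.test")
if check_profile "$CRT" 1; then
    echo "issued certificate matches the CPS server profile"
else
    echo "issued certificate deviates from the CPS server profile"
fi
```

The same `check_profile` function can be pointed at a certificate actually returned by the production signer to confirm the deployed code and the CPS text agree; the CRL URI check is what catches a certificate issued under the wrong root index.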



