FS#44690 - [ca-certificates] [ca-certificates-utils] "trust extract-compat" doesn't work

Attached to Project: Arch Linux
Opened by ITwrx (andriesinfoserv) - Wednesday, 22 April 2015, 16:12 GMT
Last edited by Jan Alexander Steffens (heftig) - Tuesday, 28 April 2015, 19:32 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Jan Alexander Steffens (heftig)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: updating to ca-certificates-20150402-1-any.pkg.tar.xz and ca-certificates-utils-20150402-1-any.pkg.tar.xz seems to have deleted my previously trusted CA cert, breaking mail forms for several applications. running "trust extract-compat" did not successfully extract the CA cert and did not provide any feedback. Downgrading to ca-certificates-20140923-9-any.pkg.tar.xz and ca-certificates-utils-20140923-9-any.pkg.tar.xz and re-running trust extract-compat successfully extracted the CA cert and now mail forms work again.

question: are users expected to re-extract certs upon each upgrade or should previously extracted certs be kept automatically?

Thanks in advance.

Additional info:
* package version(s)
ca-certificates-20150402-1-any.pkg.tar.xz and ca-certificates-utils-20150402-1-any.pkg.tar.xz

Steps to reproduce:
upgrade to these packages.
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Tuesday, 28 April 2015, 19:32 GMT
Reason for closing:  Works for me
Comment by ITwrx (andriesinfoserv) - Wednesday, 22 April 2015, 22:54 GMT
to clarify: by "updating...deleted my previously trusted CA cert" i mean it deleted the reference in the extracted list, not the original cert.
Comment by Jan Alexander Steffens (heftig) - Sunday, 26 April 2015, 05:24 GMT
What is the certificate used for?
Comment by ITwrx (andriesinfoserv) - Sunday, 26 April 2015, 14:41 GMT
this is the CA cert i generated on a remote mail server and was used to sign my mail server's cert. This CA cert has to be extracted and trusted on these application servers so that the applications' can email via mail server's cert.
Comment by Jan Alexander Steffens (heftig) - Sunday, 26 April 2015, 16:18 GMT
Could you attach the cert or a demo cert that can be used to reproduce this?
Comment by ITwrx (andriesinfoserv) - Sunday, 26 April 2015, 18:33 GMT
here's the actual cert in question. i don't want to throw you off the trail with an accidentally nonidentical cert. if you would, please delete this attachment once you've gotten it(or if i am the one with the delete perms, maybe you could let me know once you've got your copy). thanks.

(deleted attachment --heftig)
Comment by ITwrx (andriesinfoserv) - Sunday, 26 April 2015, 18:34 GMT
BTW, the orig name of the cert had underscores in it, if that might matter.
Comment by Jan Alexander Steffens (heftig) - Sunday, 26 April 2015, 18:48 GMT
Hm, even with the old format the exported certificate has "No trusted uses" so it only worked because your application ignored the trust bits.
Comment by ITwrx (andriesinfoserv) - Sunday, 26 April 2015, 19:08 GMT
Is it being trusted despite that "no trusted uses"? that's my impression b/c as far as i'm aware, php 5.6.x has this trust checking turned on by default and swiftmailer(which some of my apps use) is just now creating workarounds to allow disabling this trust feature (i believe). i'm purposely signing the cert with a homegrown CA so i can import the CA as trusted and leave the trust checking enabled. I think disabling the trust feature is ill-advised but i don't want to use "normal" CA's for this use case either. when the CA cert is not extracted, my apps can't mail do to cert not being trusted. so it seems it is seen as trusted. IOW, i don't think my apps are currently *able* to disregard the built in trust checking, even if i wanted them to.
Comment by Jan Alexander Steffens (heftig) - Sunday, 26 April 2015, 19:25 GMT
Seems p11-kit isn't categorizing your certificate as an "authority", so it doesn't fall under the ca-anchors export filter. Changing the filter to "certificates" makes it appear in the output, but also exports other certificates from the "neutral" trust bundle, which probably shouldn't get trusted.

While I look into this, could you try using your CA certificate as the trust anchor instead of individual self-signed server certs? That should work better.
Comment by ITwrx (andriesinfoserv) - Sunday, 26 April 2015, 19:50 GMT
hmm, in that case i must have forgotten how i had originally done it. I guess the extraction process got stricter with the latest release? I'll go back over/redo my implementation soon and report if it doesn't work with CA signed cert. Sorry for the trouble and thanks.
Comment by Jan Alexander Steffens (heftig) - Sunday, 26 April 2015, 19:53 GMT
The certificate you gave me is a self-signed certificate for mail.(hidden).org, not a CA certificate or a certificate signed by a CA cert.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 28 April 2015, 19:31 GMT
Yes, the extraction became stricter. Only CAs are considered for extraction, not all certificates.

Again, the certificate you gave me is a self-signed certificate. It's actually dangerous to place such in the trust store, as OpenSSL ignores the purpose bits in the root certs, and any such cert now becomes a valid CA for any other certificate the owner of the cert wants to sign.

The proper thing to do is make your own CA certificate, add *that* to the trust store, then sign whatever server certificates you need with the CA cert.

Loading...