View Issue Details

ID: 0008670
Project: 10000-006: Mappings
Category: Spec
View Status: public
Last Update: 2023-03-23 21:25
Reporter: Hock, Christian
Assigned To: Randy Armstrong
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.04
Target Version: ?.??
Fixed in Version: 1.05.03 RC1
Summary: 0008670: Update from OpenSSL V1.x.x (EOL (end of life) soon) to V3.x.x
Description

The behavior described in Mantis https://mantis.opcfoundation.org/view.php?id=8357 for 'v3_self_signed' 'CA:FALSE' certificates solves only half of the problem when updating to OpenSSL V3.x.

In the RFC 'https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9' it is stated:

  • Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.

We are missing a description in the spec of how to deal with the scenario mentioned above and with the fact that 'critical' is missing on 'v3_ca' certificates.

We think that the behavior SHALL be described in the Spec., i.e. how backward compatibility can be reached, and we NEED two additional OPC UA error codes for mapping the OpenSSL errors we get with V3.x.

  • However, these error codes are only to be used internally.
  • Externally, a "passionless" OpcUa_BadCertificateInvalid continues to be returned.

New OPC UA ErrorCodes for:

  • X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA -> 'basicConstraints = CA:TRUE' instead of 'CA:FALSE' for [ v3_self_signed ] certificates.
  • X509_V_ERR_CA_BCONS_NOT_CRITICAL -> 'basicConstraints = CA:true' 'critical' is missing in [ v3_ca ] certificates.
Steps To Reproduce

e.g. run the current CTT tool x.x.500 with a newly updated product version using OpenSSL V3.x

Additional Information

Amendment needed for 1.04!

Tags: No tags attached.

Relationships

related to 0008370 (closed, Randy Armstrong): Requirement on CA Flag for self-signed certificates is a potential security risk

Activities

Bernd Edlinger

2023-02-02 08:22

reporter   ~0018641

Note: X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA complains about

keyUsage = keyCertSign

when used together with

basicConstraints=CA:FALSE

when that is a leaf certificate that is signed by a CA, so not an issue for self-signed certificates.

Randy Armstrong

2023-02-08 18:05

administrator   ~0018689

The basicConstraints extension shall be present and shall not be ignored. The extension shall be validated and marking the extension as critical has no effect. For backward interoperability, any error related to the critical mark produced by software libraries shall be suppressed and logged as a warning.
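As an added illustration (not code from the issue, the reporter, or any OPC UA stack) of the two OpenSSL conditions named in the description and of the rule in the note above: the block below parses an X.509 Extensions SEQUENCE from DER, validates basicConstraints, reports a CA certificate whose basicConstraints is not marked critical as a suppressed warning rather than an error, and still reports keyCertSign on a non-CA certificate as an error. The DER samples built by sample() are constructed for this example; the OpenSSL error names are used only as labels.

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15

def der(tag, body):
    """Minimal DER TLV encoder; short-form length only (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def parse_tlvs(data):
    """Yield (tag, value) for consecutive short-form DER TLVs in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def parse_extensions(extensions_tlv):
    """Map extnID bytes -> (critical, extnValue bytes) for an X.509 Extensions SEQUENCE."""
    out = {}
    for _, ext in parse_tlvs(next(parse_tlvs(extensions_tlv))[1]):
        parts = list(parse_tlvs(ext))         # [OID, (BOOLEAN critical)?, OCTET STRING]
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        out[parts[0][1]] = (critical, parts[-1][1])
    return out

def check(extensions_tlv):
    """Return (is_ca, findings); the critical-mark error is demoted to a warning per note 0018689."""
    exts = parse_extensions(extensions_tlv)
    if OID_BASIC_CONSTRAINTS not in exts:
        return None, ["error: basicConstraints missing"]
    critical, bc = exts[OID_BASIC_CONSTRAINTS]
    inner = next(parse_tlvs(bc))[1]           # BasicConstraints SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    is_ca = any(t == 0x01 and v == b"\xff" for t, v in parse_tlvs(inner))
    findings = []
    if is_ca and not critical:
        findings.append("warning: X509_V_ERR_CA_BCONS_NOT_CRITICAL (suppressed, logged)")
    if OID_KEY_USAGE in exts:
        bits = next(parse_tlvs(exts[OID_KEY_USAGE][1]))[1]   # BIT STRING: unused-bit count, then bits
        if len(bits) > 1 and bits[1] & 0x04 and not is_ca:    # keyCertSign is bit 5
            findings.append("error: X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA")
    return is_ca, findings

def sample(bc_critical, ca):
    """Constructed Extensions SEQUENCE (not from the report): basicConstraints + keyUsage=keyCertSign."""
    bc_flag = der(0x01, b"\xff") if bc_critical else b""
    bc_value = der(0x30, der(0x01, b"\xff") if ca else b"")
    bc = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + bc_flag + der(0x04, bc_value))
    ku = der(0x30, der(0x06, OID_KEY_USAGE) + der(0x01, b"\xff") + der(0x04, der(0x03, b"\x02\x04")))
    return der(0x30, bc + ku)
```

sample(bc_critical=True, ca=False) reproduces the 'v3_self_signed' CA:FALSE case, sample(bc_critical=False, ca=True) the 'v3_ca' case without 'critical'.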

Randy Armstrong

2023-03-21 15:34

administrator   ~0018926

Fixed in Draft 3

Jim Luth

2023-03-23 21:25

administrator   ~0019027

Agreed to changes and Errata previously in related issue.

Issue History

Date Modified Username Field Change
2023-02-01 18:12 Hock, Christian New Issue
2023-02-01 18:12 Hock, Christian Status new => assigned
2023-02-01 18:12 Hock, Christian Assigned To => Randy Armstrong
2023-02-02 06:14 Hock, Christian Description Updated
2023-02-02 08:22 Bernd Edlinger Note Added: 0018641
2023-02-08 18:05 Randy Armstrong Note Added: 0018689
2023-03-21 15:34 Randy Armstrong Status assigned => resolved
2023-03-21 15:34 Randy Armstrong Resolution open => fixed
2023-03-21 15:34 Randy Armstrong Note Added: 0018926
2023-03-23 21:24 Jim Luth Relationship added related to 0008370
2023-03-23 21:25 Jim Luth Status resolved => closed
2023-03-23 21:25 Jim Luth Fixed in Version => 1.05.03 RC1
2023-03-23 21:25 Jim Luth Note Added: 0019027