| Summary: | signing certificate requests with a CA is impossible | | |
|---|---|---|---|
| Product: | [Frameworks and Libraries] qca | Reporter: | Pippijn van Steenhoven <pip88nl> |
| Component: | general | Assignee: | Ivan Romanov <drizt72> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | major | CC: | bradh, drizt72 |
| Priority: | NOR | | |
| Version First Reported In: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Debian testing | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed/Implemented In: | |
| Sentry Crash Report: | | | |
What version of qca-ossl are you using? The code in SVN looks like it should include the serial number.

Okay I investigated further and I see the problem. A CertificateRequest is not meant to have a serial number (internally it still contains the field, but it is 0). Then when you CA-sign, the serial number value from the CertificateRequest, which is 0, is used for the Certificate. It seems like the remedy is that there should be a way to pass a serial number to signRequest. We should consider now if there is anything similar that may have been overlooked that we can fix at the same time. I'm surprised to discover this, since I thought some people were using QCA in CA situations.

Dear Bug Submitter, This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond. Thank you for helping us make KDE software even better for everyone!

Dear Bug Submitter, This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? This bug will be moved back to REPORTED Status for manual review later, which may take a while. If you are able to, please lend us a hand. Thank you for helping us make KDE software even better for everyone!

Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!

Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!

This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!
It is impossible to sign a CertificateRequest using CertificateAuthority::signRequest, because the serial number will always be 0. There is no way to give it a different serial number, since this is part of CertificateOptions that are not used in signRequest.

Reproducible: Always

Steps to Reproduce:

```cpp
// serverPriv, ca, now and serverCert are defined elsewhere in the reporter's program.
QCA::CertificateOptions opts;
opts.setAsUser();
opts.setSerialNumber("4096");
QCA::CertificateRequest req(opts, serverPriv);
qDebug() << static_cast<QCA::CSRContext *>(req.context())->props()->serial.toString();
serverCert = ca->signRequest(req, now.addDays(1));
```

Actual Results: "0"

Expected Results: "4096"
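
As an added example (not code from this report or from QCA): a standard-library C++ check that reads the serialNumber field from a DER-encoded certificate and rejects zero, the value this report describes; RFC 5280 requires a positive serial. The function names and the sample bytes are constructed for illustration and cover only the leading certificate fields.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Read one DER tag/length header at pos; afterwards pos is at the value and len is its size.
static bool readHeader(const Bytes &der, size_t &pos, uint8_t &tag, size_t &len) {
    if (pos + 2 > der.size()) return false;
    tag = der[pos++];
    len = der[pos++];
    if (len & 0x80) {                                // long form: next n bytes hold the length
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > der.size() - pos) return false;
        for (len = 0; n > 0; --n) len = (len << 8) | der[pos++];
    }
    return len <= der.size() - pos;
}

// Extract the raw serialNumber INTEGER from Certificate -> tbsCertificate.
bool certSerial(const Bytes &der, Bytes &serial) {
    size_t pos = 0, len = 0; uint8_t tag = 0;
    if (!readHeader(der, pos, tag, len) || tag != 0x30) return false;  // Certificate
    if (!readHeader(der, pos, tag, len) || tag != 0x30) return false;  // tbsCertificate
    if (!readHeader(der, pos, tag, len)) return false;
    if (tag == 0xA0) {                               // optional [0] version: skip over it
        pos += len;
        if (!readHeader(der, pos, tag, len)) return false;
    }
    if (tag != 0x02 || len == 0) return false;       // must be a non-empty INTEGER
    serial.assign(der.begin() + pos, der.begin() + pos + len);
    return true;
}

// True only for a positive serial; zero (the value this report describes) is rejected.
bool serialAcceptable(const Bytes &der) {
    Bytes s;
    if (!certSerial(der, s) || (s[0] & 0x80)) return false;  // unparsable or negative
    for (uint8_t b : s) if (b != 0) return true;
    return false;
}

// Constructed sample: only the leading certificate fields (version, serial), not a real cert.
Bytes sampleCert(const Bytes &serial) {
    Bytes tbs = {0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, static_cast<uint8_t>(serial.size())};
    tbs.insert(tbs.end(), serial.begin(), serial.end());
    Bytes cert = {0x30, static_cast<uint8_t>(tbs.size() + 2), 0x30, static_cast<uint8_t>(tbs.size())};
    cert.insert(cert.end(), tbs.begin(), tbs.end());
    return cert;
}
int main() { return serialAcceptable(sampleCert(Bytes{0x10, 0x00})) && !serialAcceptable(sampleCert(Bytes{0x00})) ? 0 : 1; }
```

Serial 4096 (bytes `10 00`) passes and serial 0 fails, so a check like this run on each freshly signed certificate would catch the behaviour before the certificate is handed out.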