aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@debian.org>2024-06-14 01:14:22 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-06-14 01:45:12 +0200
commit4340c68fa9626ab3db81dd774f79305dc774a7e6 (patch)
tree699e1f9db9c64b5ab79e05b54dd17df2f5e28a35
parentd531c00ae1c422b3f0948d297098722fb448edb5 (diff)
Backport upstream patches to fix fix post-issuance validation logic.
As well as the upstream test suite. Closes: #1072847
-rw-r--r--debian/patches/Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch123
-rw-r--r--debian/patches/Fix-post-issuance-validation-logic.patch211
-rw-r--r--debian/patches/series2
3 files changed, 336 insertions, 0 deletions
diff --git a/debian/patches/Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch b/debian/patches/Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch
new file mode 100644
index 0000000..0065c39
--- /dev/null
+++ b/debian/patches/Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch
@@ -0,0 +1,123 @@
+From: Guilhem Moulin <guilhem@fripost.org>
+Date: Wed, 26 Apr 2023 17:41:24 +0200
+Subject: Adjust test suite against current Let's Encrypt staging environment
+
+Origin: https://git.guilhem.org/lacme/commit/?id=cb0b301e7a62a71d9e4454f9f7af5358c857c48c
+Origin: https://git.guilhem.org/lacme/commit/?id=f84716c064312dd9dc0d149f0ec7a12f5c88c3af
+Origin: https://git.guilhem.org/lacme/commit/?id=a41444b8b1fe5349a4a33c45f1e96036845609bb
+Origin: https://git.guilhem.org/lacme/commit/?id=98e4397f5330245cb7f8a21054ab078c4d0bba82
+---
+ tests/account-encrypted-gpg | 2 +-
+ tests/account-encrypted-openssl | 1 +
+ tests/cert-install | 2 +-
+ tests/cert-verify | 22 +++++-----------------
+ tests/old-lacme | 9 +++++----
+ 5 files changed, 13 insertions(+), 23 deletions(-)
+
+diff --git a/tests/account-encrypted-gpg b/tests/account-encrypted-gpg
+index fd1e4ac..7cb978d 100644
+--- a/tests/account-encrypted-gpg
++++ b/tests/account-encrypted-gpg
+@@ -9,7 +9,7 @@ keyid="$(gpg --list-secret-key --with-colons | grep -m1 ^fpr: | cut -sd: -f10)"
+ gpg --encrypt -r "$keyid" /etc/lacme/account.key
+ sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = gpg:/etc/lacme/account.key.gpg|}' /etc/lacme/lacme-accountd.conf
+
+-export GPG_TTY="$(tty)"
++export GPG_TTY="$(tty)" TERM="linux"
+ lacme account
+
+ # vim: set filetype=sh :
+diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl
+index e79a528..a3ad707 100644
+--- a/tests/account-encrypted-openssl
++++ b/tests/account-encrypted-openssl
+@@ -5,6 +5,7 @@ PASSPHRASE="test"
+ openssl rsa -aes128 -passout pass:"$PASSPHRASE" </etc/lacme/account.key >/etc/lacme/account.enc.key
+ sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf
+
++export TERM="linux"
+ lacme account
+
+ # vim: set filetype=sh :
+diff --git a/tests/cert-install b/tests/cert-install
+index 4415cdd..03360fd 100644
+--- a/tests/cert-install
++++ b/tests/cert-install
+@@ -79,7 +79,7 @@ check_chain() {
+
+ # 'certificate' installs only the leaf certificate
+ openssl genpkey -algorithm RSA -out /etc/lacme/test1.key
+-subject="/CN=$(head -c10 /dev/urandom | base32 -w0).$DOMAINNAME"
++subject="/CN=$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME"
+ cat >"/etc/lacme/lacme-certs.conf.d/test1.conf" <<- EOF
+ [test1]
+ certificate-key = /etc/lacme/test1.key
+diff --git a/tests/cert-verify b/tests/cert-verify
+index 4d254c6..6ee9211 100644
+--- a/tests/cert-verify
++++ b/tests/cert-verify
+@@ -8,31 +8,19 @@ for ca in /usr/share/lacme/letsencrypt-stg-root-*.pem; do
+ done
+ update-ca-certificates
+
+-# test (modified) trust store for intermediate certificates
+-openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem
+-openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-int-*.pem
++# test (modified) trust store
++openssl verify -no-CAfile -CApath /etc/ssl/certs -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
++openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain /usr/share/lacme/letsencrypt-stg-root-x1.pem
+
+ mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back
+ ! lacme newOrder 2>"$STDERR" || fail
+-grepstderr -Fxq "Could not open file or uri for loading certs of trusted certificates from /usr/share/lacme/ca-certificates.crt"
++grepstderr -Fq " certs of trusted certificates from /usr/share/lacme/ca-certificates.crt"
+ grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
+
+ # verification error for unrelated CA bundle
+ cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt
+ ! lacme newOrder 2>"$STDERR" || fail
+-grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate"
+-grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
+-
+-# verification error when the CA bundle contains only the root certificates
+-cat /usr/share/lacme/letsencrypt-stg-root-*.pem >/usr/share/lacme/ca-certificates.crt
+-! lacme newOrder 2>"$STDERR" || fail
+-grepstderr -Fxq "error 20 at 0 depth lookup: unable to get local issuer certificate"
+-grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
+-
+-# verification error when the CA bundle contains only the intermediate certificates
+-cat /usr/share/lacme/letsencrypt-stg-int-*.pem >/usr/share/lacme/ca-certificates.crt
+-! lacme newOrder 2>"$STDERR" || fail
+-grepstderr -Fxq "error 2 at 1 depth lookup: unable to get issuer certificate"
++grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate"
+ grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
+
+ # use saved bundle as custom CAfile
+diff --git a/tests/old-lacme b/tests/old-lacme
+index b1c9f88..278a705 100644
+--- a/tests/old-lacme
++++ b/tests/old-lacme
+@@ -1,5 +1,6 @@
+-# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.5 from Debian buster
+-# (we don't try earlier versions as we need v2 support of the ACME API)
++# IPC test between recent lacme-accountd(1) and ancient lacme(8) 0.8 from Debian Bullseye
++# (we don't try earlier versions as we need v2 support of the ACME API
++# and non-pinned intermediates)
+
+ adduser --disabled-password \
+ --home /home/lacme-account \
+@@ -14,12 +15,12 @@ cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
+ privkey = file:/etc/lacme/account.key
+ EOF
+
+-echo "deb http://deb.debian.org/debian buster main" >>/etc/apt/sources.list
++echo "deb http://deb.debian.org/debian bullseye main" >>/etc/apt/sources.list
+ DEBIAN_FRONTEND="noninteractive" apt update
+ DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \
+ --reinstall --allow-downgrades \
+ -oDPkg::Options::="--force-confdef" -oDPkg::Options::="--force-overwrite" \
+- lacme/buster
++ lacme/bullseye
+
+ # restore staging environment
+ mv -f /usr/share/lacme/ca-certificates.crt.back /usr/share/lacme/ca-certificates.crt
diff --git a/debian/patches/Fix-post-issuance-validation-logic.patch b/debian/patches/Fix-post-issuance-validation-logic.patch
new file mode 100644
index 0000000..f5ecbed
--- /dev/null
+++ b/debian/patches/Fix-post-issuance-validation-logic.patch
@@ -0,0 +1,211 @@
+From: Guilhem Moulin <guilhem@fripost.org>
+Date: Thu, 13 Jun 2024 03:32:04 +0200
+Subject: Fix post-issuance validation logic
+
+Rather than adding intermediates in the certificate bundle we now
+validate the leaf certificate with intermediates as untrusted (used for
+chain building only). Only the root certificates are used as trust
+anchor.
+
+Not pining intermediate certificates anymore is in line with Let's
+Encrypt's latest recommendations:
+
+ Rotating the set of intermediates we issue from helps keep the
+ Internet agile and more secure. It encourages automation and
+ efficiency, and discourages outdated practices like key pinning.
+ “Key Pinning” is a practice in which clients — either ACME clients
+ getting certificates for their site, or apps connecting to their own
+ backend servers — decide to trust only a single issuing intermediate
+ certificate rather than delegating trust to the system trust store.
+ Updating pinned keys is a manual process, which leads to an
+ increased risk of errors and potential business continuity failures.
+ — https://letsencrypt.org/2024/03/19/new-intermediate-certificates
+
+Origin: https://git.guilhem.org/lacme/commit/?id=9cb882a468843bf8ce9598de8769d5baaaaae3ea
+Bug-Debian: https://bugs.debian.org/1072847
+---
+ Makefile | 8 ++-----
+ lacme | 26 +++++++++++++++++----
+ tests/cert-install | 67 ++++++++++++++++++++++++++++++++++++++++++------------
+ 3 files changed, 76 insertions(+), 25 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 10e55c5..cb2f4ed 100644
+--- a/Makefile
++++ b/Makefile
+@@ -16,17 +16,13 @@ $(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md
+ # used for validation, see https://letsencrypt.org/certificates/
+ $(BUILDDIR)/certs/ca-certificates.crt: \
+ certs/isrgrootx1.pem \
+- certs/isrg-root-x2.pem \
+- certs/lets-encrypt-r[34].pem \
+- certs/lets-encrypt-e[12].pem
++ certs/isrg-root-x2.pem
+ mkdir -pv -- $(@D)
+ cat -- $^ >$@
+
+ # Staging Environment for tests, see https://letsencrypt.org/docs/staging-environment/
+ $(BUILDDIR)/certs-staging/ca-certificates.crt: \
+- certs-staging/letsencrypt-stg-root-x[12].pem \
+- certs-staging/letsencrypt-stg-int-r[34].pem \
+- certs-staging/letsencrypt-stg-int-e[12].pem
++ certs-staging/letsencrypt-stg-root-x[12].pem
+ mkdir -pv -- $(@D)
+ cat -- $^ >$@
+
+diff --git a/lacme b/lacme
+index 6284c66..86a0516 100755
+--- a/lacme
++++ b/lacme
+@@ -822,21 +822,31 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
+ next;
+ }
+
+- my $cert;
++ my @chain;
+ eval {
+ my $mem = Net::SSLeay::BIO_s_mem() or die;
+ my $bio = Net::SSLeay::BIO_new($mem) or die;
+ die "incomplete write" unless
+ Net::SSLeay::BIO_write($bio, $chain) == length($chain);
+- my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+- $cert = Net::SSLeay::PEM_get_string_X509($x509);
++
++ my $sk_x509_info = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
++
++ my $n = Net::SSLeay::sk_X509_INFO_num($sk_x509_info);
++ for (my $i = 0; $i < $n; $i++) {
++ my $x509_info = Net::SSLeay::sk_X509_INFO_value($sk_x509_info, $i);
++ my $x509 = Net::SSLeay::P_X509_INFO_get_x509($x509_info);
++ my $cert = Net::SSLeay::PEM_get_string_X509($x509);
++ push @chain, $cert;
++ }
++
+ Net::SSLeay::BIO_free($bio) or die;
+ };
+- if ($@) {
++ if ($@ or !@chain) {
+ print STDERR "[$s] Error: Received bogus X.509 certificate from ACME server!\n";
+ $rv = 1;
+ next;
+ }
++ my $cert = shift @chain; # leave only the intermediate in @chain
+
+ # extract pubkeys from CSR and cert, and ensure they match
+ # XXX would be nice to use X509_get_X509_PUBKEY and X509_REQ_get_X509_PUBKEY here,
+@@ -852,9 +862,15 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
+
+ # verify certificate validity against the CA bundle
+ if ((my $CAfile = $conf->{CAfile} // '@@datadir@@/lacme/ca-certificates.crt') ne '') {
++ my $chain_tmp = File::Temp::->new(SUFFIX => '.crt', TMPDIR => 1) // die;
++ $chain_tmp->say($_) foreach @chain;
++ $chain_tmp->flush();
++
+ my %args = (in => $cert);
+ $args{out} = \*STDERR if $OPTS{debug};
+- my @options = ('-trusted', $CAfile, '-purpose', 'sslserver', '-x509_strict');
++ my @options = ('-trusted', $CAfile);
++ push @options, '-untrusted', $chain_tmp->filename() if @chain;
++ push @options, ('-purpose', 'sslserver', '-x509_strict');
+ push @options, '-show_chain' if $OPTS{debug};
+ if (spawn(\%args, 'openssl', 'verify', @options)) {
+ print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n";
+diff --git a/tests/cert-install b/tests/cert-install
+index 4b3e820..4415cdd 100644
+--- a/tests/cert-install
++++ b/tests/cert-install
+@@ -28,6 +28,55 @@ EOF
+ grepstderr -Fxq "[bad3] Warning: Couldn't generate CSR, skipping"
+
+
++check_spki() {
++ local p1="$1" p2="$2" s1 s2
++ s1="$(openssl x509 -in "$p1" -noout -pubkey \
++ | openssl pkey -pubin -outform DER \
++ | openssl dgst -sha256 \
++ | sed 's/.*=\s*//')"
++ s2="$(openssl pkey -in "$p2" -pubout -outform DER \
++ | openssl dgst -sha256 \
++ | sed 's/.*=\s*//')"
++ if [ -n "$s1" ] && [ "$s1" = "$s2" ]; then
++ return 0
++ else
++ printf "%s != %s\\n" "$s1" "$s2" >&2
++ return 1
++ fi
++}
++check_chain() {
++ local priv="$1" chain="$2" leaf="${3-}" pem0
++
++ csplit -f "${chain%.crt}.chain.pem" "$chain" \
++ "/-----BEGIN CERTIFICATE-----/" "{*}"
++
++ pem0="${chain%.crt}.chain.pem00"
++ if [ ! -s "$pem0" ]; then
++ # 00 is empty, leaf cert is at 01
++ rm -f -- "$pem0"
++ pem0="${chain%.crt}.chain.pem01"
++ fi
++ test -s "$pem0" || return 1
++ check_spki "$pem0" "$priv"
++
++ if [ -n "$leaf" ]; then
++ diff --ignore-blank-lines --unified "$pem0" "$leaf" || return 1
++ fi
++
++ leaf="${chain%.crt}.leaf.pem"
++ mv -T -- "$pem0" "$leaf"
++
++ intermediates="${chain%.crt}.intermediates.pem"
++ sed "/^$/d" "${chain%.crt}.chain.pem"[0-9]* >"$intermediates"
++ test -s "$intermediates" || return 1 # ensure there is at least one intermediate
++
++ openssl verify -trusted /usr/share/lacme/ca-certificates.crt \
++ -untrusted "$intermediates" \
++ -purpose sslserver -x509_strict \
++ -show_chain \
++ -- "$leaf" || return 1
++}
++
+ # 'certificate' installs only the leaf certificate
+ openssl genpkey -algorithm RSA -out /etc/lacme/test1.key
+ subject="/CN=$(head -c10 /dev/urandom | base32 -w0).$DOMAINNAME"
+@@ -42,6 +91,7 @@ lacme newOrder test1 2>"$STDERR" || fail newOrder test1
+ test /etc/lacme/test1.crt -nt /etc/lacme/test1.key
+ sed -n "0,/^-----END CERTIFICATE-----$/ p" /etc/lacme/test1.crt >/etc/lacme/test1.pem
+ diff --unified /etc/lacme/test1.crt /etc/lacme/test1.pem
++check_spki /etc/lacme/test1.crt /etc/lacme/test1.key
+
+
+ check_hash() {
+@@ -70,16 +120,7 @@ EOF
+
+ lacme newOrder test2 2>"$STDERR" || fail newOrder test2
+ test /etc/lacme/test2.crt -nt /etc/lacme/test2.key
+-csplit -f /etc/lacme/test2.chain.pem /etc/lacme/test2.crt \
+- "/-----BEGIN CERTIFICATE-----/" "{*}"
+-test -s /etc/lacme/test2.chain.pem01 # leaf cert (00 is empty)
+-rm -f /etc/lacme/test2.chain.pem0[01]
+-test -s /etc/lacme/test2.chain.pem02 # depth 1
+-
+-# all certificates at depth >=1 must be in our CA bundle
+-for p in /etc/lacme/test2.chain.pem*; do
+- check_hash "$p"
+-done
++check_chain /etc/lacme/test2.key /etc/lacme/test2.crt
+
+ # 'certificate' + 'certificate-chain'
+ openssl genpkey -algorithm RSA -out /etc/lacme/test3.key
+@@ -94,10 +135,8 @@ EOF
+ lacme newOrder test3 2>"$STDERR" || fail newOrder test3
+ test /etc/lacme/test3.pem -nt /etc/lacme/test3.key
+ test /etc/lacme/test3.crt -nt /etc/lacme/test3.key
+-csplit -f /etc/lacme/test3.chain.pem /etc/lacme/test3.crt \
+- "/-----BEGIN CERTIFICATE-----/" "{*}"
+-sed -i "/^$/d" /etc/lacme/test3.chain.pem*
+-diff -q /etc/lacme/test3.chain.pem01 /etc/lacme/test3.pem
++check_chain /etc/lacme/test3.key /etc/lacme/test3.crt /etc/lacme/test3.pem
++
+ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)"
+ [ "$st" = "root:root 0644" ]
+ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)"
diff --git a/debian/patches/series b/debian/patches/series
index 1c2191a..779bfe8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
Mention-the-Debian-BTS-in-the-manpages.patch
+Fix-post-issuance-validation-logic.patch
+Adjust-test-suite-against-current-Let-s-Encrypt-staging-e.patch