Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR

Luca Capello luca at pca.it
Wed Mar 30 12:01:42 UTC 2011 

Hi Nikos!

On Sun, 27 Mar 2011 09:38:13 +0200, Nikos Mavrogiannopoulos wrote:
> On 03/26/2011 06:57 PM, Luca Capello wrote:
>> I was creating a Certificate Signing Request with certtool and then I
>> discovered that the output file contains more than the CSR, even worse
>> it contains the password asked during the creation.
[...]
>  I don't quite understand what is the issue here. What is the
> information contained in the CRQ that you consider "useless"?

As I wrote, the "new" CSR (BTW, what does CRQ mean?) contains data other
than the request itself, e.g. the password in clear, example below.

> Could you send a way for us to reproduce the problem or a wrongly
> generated CRQ (and the way it was generated - the example
> you have generates a valid CRQ for me).

Please note that I never wrote that the resulting CSR is broken.  In
fact, I have not even tested the "new" CSR, but I used certtool in the
past in the very same way I am now trying to.

Here how to reproduce the problem:
=====
luca at gismo:~$ certtool --generate-privkey \
 --bits 4096 --outfile pca.it.key

luca at gismo:~$ certtool --generate-request \
 --load-privkey pca.it.key --outfile gallery.pca.it.csr
Generating a PKCS #10 certificate request...
Country name (2 chars): IT
Organization name: PCA
Organizational unit name:
Locality name: Casalpusterlengo
State or province name: Lodi
Common name: gallery.pca.it
UID:
Enter a dnsName of the subject of the certificate: gallery.pca.it
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): n
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): n
Is this a TLS web client certificate? (y/N): n
Is this also a TLS web server certificate? (y/N): y

luca at gismo:~$ $ cat gallery.pca.it.csr
PKCS #10 Certificate Request Information:
        Version: 1
        Subject: C=IT,O=PCA,L=Casalpusterlengo,ST=Lodi,CN=gallery.pca.it
        Subject Public Key Algorithm: RSA
                Modulus (bits 4096):
                        [bits removed]
                Exponent:
                        01:00:01
        Attributes:
                Extensions:
                        Subject Alternative Name (not critical):
                                DNSname: gallery.pca.it
                        Basic Constraints (critical):
                                Certificate Authority (CA): FALSE
                        Key Usage (critical):
                                Digital signature.
                        Key Purpose (critical):
                                TLS WWW Server.
                Challenge password: asdf
Other Information:
        Public Key Id:
                [Public Key Id removed]

-----BEGIN NEW CERTIFICATE REQUEST-----
[request removed]
-----END NEW CERTIFICATE REQUEST-----

luca at gismo:~$ 
=====

Previous versions of certtool (at least the one I used in August 2008,
<http://snapshot.debian.org/package/gnutls26/2.4.1-1/>) generated a CSR
which contained only the part between the BEGIN and END separators.
This latter is AFAIK the only part needed for a CA (e.g. CAcert.org) and
it is what OpenSSL outputs per the following command:

  $ openssl req -nodes -new -key pca.it.key -out gallery.pca.it.csr

Thx, bye,
Gismo / Luca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20110330/e239625e/attachment.pgp>

More information about the Pkg-gnutls-maint mailing list