Wednesday, January 24, 2024

Anyone using kore,-acme?

kore,-acme is the only port using the X509V3_EXT_add_alias() API, which
I am going to remove from libcrypto. This undocumented API is a gross
hack that allows abusing an X509v3 extension method for something else.

kore aliases the subject key identifier method to build the RFC 8737
ACME Identifier extension since both happen to be encoded as octet
strings. kore uses the OpenSSL config mini language to build this
extension and the SAN. This language is responsible for various holes
and is best avoided altogether.

So the below patch uses the proper types to build up the two extensions
and adds them to the certs. This is admittedly a bit more complicated
than using strings, but it avoids lots of very ugly code in libcrypto.

I also added a bit of logic to avoid adding a copy of the acme OID if it
should happen to be added to some libcrypto of the future (it would most
likely be called NID_acmeIdentifier). This will confuse libcrypto and is
therefore best avoided. I do plan on adding this OID to libcrypto, but I
do not plan on adding a proper extension method, although that would not
be hard.

I checked that the DER encoding of the two extensions is as expected,
but I did not do further testing. Unfortunately, there are no tests
shipped with the port.

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/kore/Makefile,v
diff -u -p -r1.36 Makefile
--- Makefile 27 Sep 2023 19:13:02 -0000 1.36
+++ Makefile 24 Jan 2024 22:02:00 -0000
@@ -1,7 +1,7 @@
COMMENT = web application framework for writing scalable web APIs in C

DISTNAME = kore-4.2.3
-REVISION = 0
+REVISION = 1

CATEGORIES = www

Index: patches/patch-src_keymgr_openssl_c
===================================================================
RCS file: patches/patch-src_keymgr_openssl_c
diff -N patches/patch-src_keymgr_openssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_keymgr_openssl_c 24 Jan 2024 22:01:48 -0000
@@ -0,0 +1,184 @@
+Index: src/keymgr_openssl.c
+--- src/keymgr_openssl.c.orig
++++ src/keymgr_openssl.c
+@@ -196,8 +196,12 @@ static int acmeproc_ready = 0;
+ /* Renewal timer for all domains under acme control. */
+ static struct kore_timer *acme_renewal = NULL;
+
++#ifndef NID_acmeIdentifier
++#define NID_acmeIdentifier -1
++

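As an added example (not kore's code, nor libcrypto's), here is the DER structure the mail says was checked by hand: the RFC 8737 acmeIdentifier extension and a subjectKeyIdentifier extension, encoded over the same constructed 32-byte value, showing that their extnValue octets are byte-identical while only the OID and the critical flag differ. The OID 1.3.6.1.5.5.7.1.31 is from RFC 8737; the sample digest, buffer sizes and function names are assumptions made for this example.

```c
/* Added example, not kore's code: DER-encode the RFC 8737 id-pe-acmeIdentifier
 * extension and a subjectKeyIdentifier extension over the same 32 bytes. Both
 * extnValues wrap an OCTET STRING (why the SKID alias "worked" in kore); only
 * the OID and the critical flag differ. No libcrypto; short-form lengths only. */
#include <stdint.h>
#include <string.h>

static const uint8_t OID_ACME_ID[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1F}; /* 1.3.6.1.5.5.7.1.31 */
static const uint8_t OID_SKID[] = {0x55,0x1D,0x0E};                             /* 2.5.29.14 */
static const uint8_t DER_TRUE = 0xFF;
uint8_t acme_ext[64], skid_ext[64]; size_t acme_len, skid_len;   /* filled by demo() */

/* One TLV with a short-form length; returns bytes written, 0 if it does not fit. */
static size_t der_tlv(uint8_t *out, size_t cap, uint8_t tag, const uint8_t *val, size_t len)
{
    if (len > 127 || cap < len + 2) return 0;
    out[0] = tag; out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return len + 2;
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue
 * OCTET STRING }, where extnValue holds DER OCTET STRING(payload). DER omits a
 * BOOLEAN equal to its default, so it appears only for critical extensions
 * (RFC 8737 requires acmeIdentifier to be critical; SKID is not critical). */
static size_t encode_octet_string_ext(uint8_t *out, size_t cap, const uint8_t *oid,
    size_t oid_len, int critical, const uint8_t *payload, size_t plen)
{
    uint8_t body[96], inner[64];
    size_t n = der_tlv(body, sizeof body, 0x06, oid, oid_len), m, k;
    if (n == 0) return 0;
    if (critical) {
        if ((m = der_tlv(body + n, sizeof body - n, 0x01, &DER_TRUE, 1)) == 0) return 0;
        n += m;
    }
    if ((k = der_tlv(inner, sizeof inner, 0x04, payload, plen)) == 0) return 0;
    if ((m = der_tlv(body + n, sizeof body - n, 0x04, inner, k)) == 0) return 0;
    return der_tlv(out, cap, 0x30, body, n + m);
}

/* Encode both extensions over a constructed sample digest (stand-in for
 * SHA-256(key authorization)); returns 1 when both encode and their
 * extnValue octets are identical. */
int demo(void)
{
    uint8_t digest[32];
    memset(digest, 0xAB, sizeof digest);   /* constructed sample, not a real digest */
    acme_len = encode_octet_string_ext(acme_ext, sizeof acme_ext, OID_ACME_ID, sizeof OID_ACME_ID, 1, digest, 32);
    skid_len = encode_octet_string_ext(skid_ext, sizeof skid_ext, OID_SKID, sizeof OID_SKID, 0, digest, 32);
    /* extnValue starts after SEQUENCE hdr (2) + OID TLV (10 or 5) + BOOLEAN TLV (3, acme only) */
    return acme_len && skid_len && memcmp(acme_ext + 15, skid_ext + 7, 36) == 0;
}
int main(void) { return demo() ? 0 : 1; }
```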