
If x509 is initialized by x509.req, the extensions cannot be modified

Open ttyS0 opened this issue 4 years ago • 0 comments

Linux wrt0 4.14.180 #0 Sat May 16 18:32:20 2020 mips GNU/Linux Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio (double int32) OpenSSL 1.1.1g 21 Apr 2020

Problem details: If an openssl.x509 is initialized from a serial number plus an openssl.x509.req instance, then its extensions cannot be modified.

Steps/codes to reproduce the bug

The following req has no extensions.

-- Reproduction: build a self-signed certificate from a CSR and attach an
-- extension to the certificate object afterwards.
local openssl = require('openssl')

-- Key used both as the certificate's subject key and as the signing key.
-- It is inlined as a PEM literal (the trailing `true` presumably selects
-- private-key parsing; confirm against lua-openssl's pkey.read). Keep this a
-- throwaway test key; never paste a production key into a script like this.
local signing_key = openssl.pkey.read([[
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
]], true)

-- CSR that carries no extensions of its own.
local csr = openssl.x509.req.read[[
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
]]

-- Certificate with serial number 1, populated from the CSR.
local cert = openssl.x509.new(1, csr)

-- The extension we expect to see in the exported certificate: CA:TRUE marks
-- the certificate as an issuer, and `critical` means a verifier may not
-- ignore it.
local ca_constraint = openssl.x509.extension.new_extension({
    object = 'basicConstraints',
    value = 'CA:TRUE',
    critical = true,
})
cert:extensions({ ca_constraint })

-- Self-signed: the certificate is passed as its own issuer.
cert:sign(signing_key, cert)

-- Validity window: now until 100 hours from now.
-- NOTE(review): this runs after sign(); whether the signature still covers
-- the updated validity depends on how lua-openssl implements validat() —
-- confirm, or set the validity before signing when the exported
-- certificate must verify.
local not_before = os.time()
local not_after = os.time() + 3600 * 100
cert:validat(not_before, not_after)

print(cert:export())

Expected result: After `lua test.lua | openssl -text -noout`, there are no extensions to be found.

The current workaround is to modify the extensions directly on the openssl.x509.req instance:

-- Workaround: put the extension on the CSR before the certificate is
-- created from it, instead of on the certificate object.
local openssl = require('openssl')

-- Key used both as the certificate's subject key and as the signing key.
-- It is inlined as a PEM literal (the trailing `true` presumably selects
-- private-key parsing; confirm against lua-openssl's pkey.read). Keep this a
-- throwaway test key; never paste a production key into a script like this.
local signing_key = openssl.pkey.read([[
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
]], true)

-- CSR with subject C=CN / O=Test Org / CN=Test and no extensions of its own.
local csr = openssl.x509.req.read[[
-----BEGIN CERTIFICATE REQUEST-----
MIICdDCCAVwCAQAwLzELMAkGA1UEBhMCQ04xETAPBgNVBAoMCFRlc3QgT3JnMQ0w
CwYDVQQDDARUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtnNz
Ko1MPliGrDC8SDt1rcIr1wwjVybY5CIFrx3H5folXQqJMhZCbbADSOtaDICO8/2u
h4TstKY0fm+A88qPYX47UUAktLciRB/xRaHVnn6Kj1yuPPy8SmOtxgMjNnY0FlTB
QJZbzjjiCxPVh2JIPcHQm2yLlHKqUQ8qSVsfsAdl/mok9aa1fN0z+Je3Rq0mO53p
ls/fzhrcbRGh34ENvl/qa5hCmlGSUbO+looHHJbjnQTpY7Bn3K12qQaYh9uceJwM
UzQPG2G7/cd0OCO1V8oeZOim/TGBvQAbctCx8aMZdwOlYZ3TmA7BNsNvOWKDHpZN
cDNhC7CzMxYBJhRfbQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAKEmGfn0amRQ
kxJDrAylILlFA4+oSbbct2CIbIXMSg1jTDb31FIE9IqxgOd8veyIqD+iTJT2JzcU
eSQJZZxo3COs8UEq+LyIOxiYl5/LTIjbaOPnqTsB1whQwDih8oOdNYuJipGEHItC
CuJR8ylEUX/hqKufhOdZ1mSr9KiK974Dlfw4oDuJH3cdXMGJYJrD3oKtpI//xg7H
nskZ/AW4CAq3nkMzvZzUCV8g1/fP3+fdks0FlNvzDIGkwo3Oae/Hpr9T3CfudLfx
sQG/PfhOUhxsGUAJCrsTPLi8t2S+A5RUqljWFbWXCAorU5aFLuNg9YRosnMDu4a9
D1q0ARrt6Q8=
-----END CERTIFICATE REQUEST-----
]]

-- Attach the extension to the request itself; x509.new() then picks it up
-- when it builds the certificate from the CSR. CA:TRUE marks the
-- certificate as an issuer, and `critical` means a verifier may not
-- ignore it. (The CSR's own signature is not re-computed here, so it is
-- only trusted because it was produced locally.)
local ca_constraint = openssl.x509.extension.new_extension({
    object = 'basicConstraints',
    value = 'CA:TRUE',
    critical = true,
})
csr:extensions({ ca_constraint })

-- Certificate with serial number 1, populated from the (now extended) CSR,
-- then self-signed: the certificate is passed as its own issuer.
local cert = openssl.x509.new(1, csr)
cert:sign(signing_key, cert)

-- Validity window: now until 100 hours from now.
-- NOTE(review): this runs after sign(); whether the signature still covers
-- the updated validity depends on how lua-openssl implements validat() —
-- confirm, or set the validity before signing when the exported
-- certificate must verify.
local not_before = os.time()
local not_after = os.time() + 3600 * 100
cert:validat(not_before, not_after)

print(cert:export())

Additional context
