Qpid
QPID-4883

C++ Broker may crash if client provides SSL certificate without CommonName entry.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.23
    • Fix Version/s: 0.23
    • Component/s: C++ Broker
    • Labels: None

      Description

      Broker does not check for a null pointer return value from the Certificate parsing routines.

        Activity

        Justin Ross added a comment -

        Released in Qpid 0.24, http://qpid.apache.org/releases/qpid-0.24/index.html

        Justin Ross added a comment -

        Reviewed by Gordon. Approved for 0.22.

        Ken Giusti added a comment -

        Fix: http://svn.apache.org/viewvc?view=revision&revision=1485860

        Ken Giusti added a comment -

        For testing purposes, I created such a certificate using the following commands:

        + certutil -R -d /home/kgiusti/work/qpid/build/trunk/TMP/server_db -s O=MyCo,ST=California,C=US -o client.req -f /home/kgiusti/work/qpid/build/trunk/TMP/cert.password -z /bin/sh
        Generating key. This may take a few moments...
        + certutil -C -d /home/kgiusti/work/qpid/build/trunk/TMP/CA_db -c Test-CA -i client.req -o client.crt -f /home/kgiusti/work/qpid/build/trunk/TMP/cert.password -m 13949
        + certutil -A -d /home/kgiusti/work/qpid/build/trunk/TMP/server_db -n Test-Client -i client.crt -t Pu,,
        + pk12util -o client_pk12.out -d /home/kgiusti/work/qpid/build/trunk/TMP/server_db -n Test-Client -v -w /home/kgiusti/work/qpid/build/trunk/TMP/cert.password -k /home/kgiusti/work/qpid/build/trunk/TMP/cert.password
        pk12util: PKCS12 EXPORT SUCCESSFUL
        + openssl pkcs12 -in ./client_pk12.out -out client_cert_key.pem -passin file:/home/kgiusti/work/qpid/build/trunk/TMP/cert.password
        MAC verified OK

        Note the "-s" parameter to the first command gives a subject field that does not contain a CN= entry.

        Ken Giusti added a comment -

        Reviewboard entry that contains a proposed patch:

        https://reviews.apache.org/r/11354/


          People

          • Assignee: Ken Giusti
          • Reporter: Ken Giusti
          • Votes: 0
          • Watchers: 3
