openca / libpki

Easy-to-use high-level library for PKI-enabled applications

LIBPKI 0.9.0 causes segmentation faults

Yasushi-Fujimoto opened this issue · comments

I am observing that libpki causes segmentation faults when I run ocspd-genreq.sh after installing openca-ocspd from openca-ocspd-3.1.2.tar.gz.
If someone could give me a pointer on what I should check, it would help.

While trying to set up an RA on RHEL 8.9, I downloaded openca-ocspd-3.1.2.tar.gz, configured it and ran
/opt/ocspd/bin/ocspd-genreq.sh.

I got the following message:

[root@ttca01 openca-ocspd-3.1.2]# time /opt/ocspd/bin/ocspd-genreq.sh

OCSP Key and Certificate Request generation Tool
(c) 2009 by Massimiliano Pala and OpenCA Labs
All Rights Reserved

Please Enter the Server's Subject (eg., CN=OCSP Server, O=OpenCA, C=US):
XXXXXXXXXXXXXXXXXXXXXXXXXXXX (I have masked the original message with XXXXX)
Please Enter the Algorithm (default: RSA-SHA256):

Please Enter the Key Size (default: 2048):

Parameters Summary:

  • prefix ................: /opt/ocspd
  • token Name ............: ocspServerToken
  • subject ...............:XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  • algorithm .............: RSA-SHA256
  • key size ..............: 2048 bits

This tool uses the pki-tool from libpki. The configuration of the
token can be found in '/opt/ocspd/etc/ocspd/pki/token.d'

[ Use a password when prompted if you want the server key to be encrypted ]

/opt/ocspd/bin/ocspd-genreq.sh: line 61: 3130768 Segmentation fault (core dumped) pki-tool genreq -config "$prefix/etc/ocspd/pki" -outkey "$prefix/etc/ocspd/private/key.pem" -newkey -bits $bits -subject "$subject" -algor "$algor" -out "$prefix/etc/ocspd/req.pem" -batch
ERROR, can not complete task. Please check write permissions for target(s)
[most probably you need administrator privileges to continue].

real 2m34.598s
user 0m0.074s
sys 0m0.005s
[root@ttca01 openca-ocspd-3.1.2]#

"libpki" was downloaded from https://sourceforge.net/projects/openca/files/libpki/releases/v0.9.0/sources/libpki-0.9.0.tar.gz/download

I have also run the pki-tool command on its own. The result seems to be the same.
[root@ttra01 libpki-0.9.0]# pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxxxx' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Segmentation fault (core dumped)
[root@ttra01 libpki-0.9.0]#

I tried gdb, expecting to get more info, but I don't know what to do with this.

[root@ttra01 libpki-0.9.0]# gdb pki-tool
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-20.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pki-tool...done.
(gdb) run genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Starting program: /usr/bin/pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
Missing separate debuginfos, use: yum debuginfo-install cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-236.el8.7.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-25.el8_8.x86_64 libcom_err-1.45.6-5.el8.x86_64 libselinux-2.9-8.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 libxml2-2.9.7-16.el8_8.1.x86_64 openldap-2.4.46-18.el8.x86_64 openssl-libs-1.1.1k-9.el8_7.x86_64 pcre2-10.32-3.el8_6.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-25.el8.x86_64
(gdb) where
#0 0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#1 0x00007ffff6de67ac in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#2 0x00007ffff6de6c29 in asn1_template_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#3 0x00007ffff6de66b7 in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#4 0x00007ffff6de69f7 in asn1_item_flags_i2d () from /usr/lib64/libcrypto.so.1.1
#5 0x00007ffff7b7ae5b in PKI_X509_VALUE_get_tbs_asn1 (v=, type=) at pki_x509.c:529
#6 0x00007ffff7b8c908 in PKI_X509_sign (x=x@entry=0x628e70, digest=digest@entry=0x7ffff7209d00, key=key@entry=0x62ef50) at hsm_main.c:527
#7 0x00007ffff7b84e1c in PKI_X509_REQ_new (k=0x62ef50, subj_s=subj_s@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN="KEK GRID Certificate Authority"",
req_cnf=req_cnf@entry=0x0, oids=, digest=0x7ffff7209d00, hsm=) at pki_x509_req.c:205
#8 0x00007ffff7b76bd1 in PKI_TOKEN_new_req (profile_s=0x0, subject=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN="KEK GRID Certificate Authority"", tk=0x62a4c0)
at token.c:2254
#9 PKI_TOKEN_new_req (tk=tk@entry=0x62a4c0, subject=subject@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN="KEK GRID Certificate Authority"",
profile_s=profile_s@entry=0x0) at token.c:2211
#10 0x0000000000402ef2 in main (argc=, argv=) at pki-tool.c:906
(gdb)

If anyone could give me a pointer on where to start investigating, it would help me.