Univention Bugzilla – Bug 54834
univention-certificate dump -id returns wrong/multiple IDs
Last modified: 2023-12-12 11:42:00 CET
$ ( . /usr/share/univention-ssl/make-certificates.sh ; get_cert_name_from_id 0200 )
dschnick.openvpn
sscavelli.openvpn

$ ( . /usr/share/univention-ssl/make-certificates.sh ; list_cert_names_all | grep -e dschnick.openvpn -e sscavelli.openvpn -n )
512:0200 dschnick.openvpn (R)
738:02E2 sscavelli.openvpn (V)

$ grep -e dschnick.openvpn -e sscavelli.openvpn -n /etc/univention/ssl/ucsCA/index.txt
512:R 220420144607Z 220413081528Z 0200 unknown /C=DE/ST=Bremen/L=Bremen/O=Univention/OU=Univention/CN=dschnick.openvpn/emailAddress=ssl@univention.de
738:V 240212073436Z 02E2 unknown /C=DE/ST=Bremen/L=Bremen/O=Univention/OU=Univention/CN=sscavelli.openvpn/emailAddress=ssl@univention.de

$ printf '0200\n0201\n02E2\n' | awk -v id=0200 '$1 == id {print "." $1 "." id "."}'
.0200.0200.
.02E2.0200.
`awk` does not have *explicit types*, but tries to determine the type automatically; for that it converts the input to numbers first - here `float`:

- `"0200"` becomes 0200
- `"0200"` becomes 200
- `"02E2"` is scientific notation for 02*10² = 200
- `"20E1"` is 20*10¹ = 200
- `"2E02"` is 2*10² = 200

To prevent the automatic conversion to `float` one can use `("x" id)==("x" $1)`
Patch from Comment 2 is currently applied on nissedal (our primary node). Certificate listing seems to be fixed now. We still have to check if handling openvpn certs is now working or still affected.
In the same script there is an 'awk' script checking the validity of a given certificate:

362 is_valid () {
363     local id="${1:?Missing argument: number}"
364     tac "${SSLBASE}/${CA}/index.txt" | awk -F '\t' -v id="$id" -v now="$(TZ=UTC date +%y%m%d%H%M%S)" '
365     BEGIN { ret=1; }
366     $4 == id {
367         ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
368         exit;
369     }
370     END { exit ret; }'
371 }

It works well, but with our already mentioned certificate with id=0200 it returns '0' = valid

# grep -E '\s0200\s' /etc/univention/ssl/ucsCA/index.txt
R 220420144607Z 220413081528Z 0200 unknown /C=DE/ST=Bremen/L=Bremen/O=Univention/OU=Univention/CN=dschnick.openvpn/emailAddress=ssl@univention.de

# tac "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="0200" -v now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN { ret=1; } $4 == id {ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; exit;} END { exit ret; }'; echo $?
0

---
Here is a test script I used to show all revoked certificates:

# while read -r cid; do echo -ne "${cid}..."; tac "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="${cid}" -v now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN { ret=1; } $4 == id {ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; exit;} END { exit ret; }'; echo $?; done <<<$( grep -E "^R" /etc/univention/ssl/ucsCA/index.txt | awk '{print $4}' )

Here is the trace of the call
---8<---
+ local rv=0
+ echo -n 'Certificate "dschnick.openvpn" with serial number 0200 is '
Certificate "dschnick.openvpn" with serial number 0200 is + is_valid 0200
+ local id=0200
+ tac /etc/univention/ssl/ucsCA/index.txt
++ TZ=UTC
++ date +%y%m%d%H%M%S
+ awk -F '\t' -v id=0200 -v now=220614124038 '
BEGIN { ret=1; }
$4 == id {
    ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
    exit;
}
END { exit ret; }'
+ case "$rv" in
+ echo valid
valid
+ exitcode=0
--->8---
(In reply to Nico Stöckigt from comment #4)
> In the same Script there is an 'awk' script checking the validity of a given
> certificate:
>
> 362 is_valid () {
> 363     local id="${1:?Missing argument: number}"
> 364     tac "${SSLBASE}/${CA}/index.txt" | awk -F '\t' -v id="$id" -v
> now="$(TZ=UTC date +%y%m%d%H%M%S)" '
> 365     BEGIN { ret=1; }
> 366     $4 == id {
> 367         ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
> 368         exit;
> 369     }
> 370     END { exit ret; }'
> 371 }
>
> It works well, but with our already mention certificate with id=0200 it
> returns '0' = valid
>
> # grep -E '\s0200\s' /etc/univention/ssl/ucsCA/index.txt
> R 220420144607Z 220413081528Z 0200 unknown
> /C=DE/ST=Bremen/L=Bremen/O=Univention/OU=Univention/CN=dschnick.openvpn/
> emailAddress=ssl@univention.de
>
> # tac "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="0200" -v
> now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN { ret=1; } $4 == id {ret = ( $1 !=
> "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; exit;} END { exit ret; }';
> echo $?
> 0
>
> ---
> Here is a test script I used to show all revoked certificates:
>
> # while read -r cid; do echo -ne "${cid}..."; tac
> "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="${cid}" -v
> now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN { ret=1; } $4 == id {ret = ( $1 !=
> "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; exit;} END { exit ret; }';
> echo $?; done <<<$( grep -E "^R" /etc/univention/ssl/ucsCA/index.txt | awk
> '{print $4}' )
>
> Here is the Trace of the call
> ---8<---
> + local rv=0
> + echo -n 'Certificate "dschnick.openvpn" with serial number 0200 is '
> Certificate "dschnick.openvpn" with serial number 0200 is + is_valid 0200
> + local id=0200
> + tac /etc/univention/ssl/ucsCA/index.txt
> ++ TZ=UTC
> ++ date +%y%m%d%H%M%S
> + awk -F '\t' -v id=0200 -v now=220614124038 '
> BEGIN { ret=1; }
> $4 == id {
>     ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
>     exit;
> }
> END { exit ret; }'
> + case "$rv" in
> + echo valid
> valid
> + exitcode=0
> --->8---

Ok, it still looks like the same issue!

$ tac "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="0200" -v now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN {} $4 == id {print $1 " - " $2 " - id: " $4} END {}';
V - 240212073436Z - id: 02E2
R - 220420144607Z - id: 0200

so when modifying by the same means it results in:

$ tac "/etc/univention/ssl/ucsCA/index.txt" | awk -F '\t' -v id="0200" -v now="$(TZ=UTC date +%y%m%d%H%M%S)" 'BEGIN {} ("x" $4)==("x" id) {print $1 " - " $2 " - id: " $4} END {}';
R - 220420144607Z - id: 0200
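The following script is an added example, not code from the bug report or from the univention-ssl package. It reproduces the awk comparison pitfall explained in comment 2 and hit by the is_valid() check in comment 4 against a small, constructed OpenSSL CA database (same tab-separated index.txt layout: status, expiry, revocation date, serial, file name, subject), and runs the identical check with the string-forced comparison `("x" $4) == ("x" id)` beside it. The serials, subjects, expiry dates and the fixed "now" timestamp are assumptions chosen to mirror the report; it goes one step beyond the page by also including a third serial (20E1) that collides numerically with 0200.

```shell
#!/bin/sh
# Added example for Bug 54834; not part of univention-ssl.
# Exit codes follow the original is_valid(): 0 valid, 1 unknown, 2 revoked, 3 expired/other.

INDEX="$(mktemp)"
trap 'rm -f "$INDEX"' EXIT

# Constructed CA database. Numerically 0200 == 02E2 == 20E1 == 200 in awk.
printf 'R\t220420144607Z\t220413081528Z\t0200\tunknown\t/CN=dschnick.openvpn\n' >> "$INDEX"
printf 'V\t240212073436Z\t\t02E2\tunknown\t/CN=sscavelli.openvpn\n' >> "$INDEX"
printf 'V\t210101000000Z\t\t0201\tunknown\t/CN=expired.example\n' >> "$INDEX"
printf 'V\t240212073436Z\t\t20E1\tunknown\t/CN=also200.example\n' >> "$INDEX"

NOW=220614124038   # fixed YYmmddHHMMSS (UTC) timestamp taken from the trace in comment 4

# Newest entries first, like the tac in make-certificates.sh (sed fallback where tac is missing).
newest_first() { tac "$1" 2>/dev/null || sed -n '1!G;h;$p' "$1"; }

# Original comparison: id (from -v) and $4 are both "strnum" values, so awk
# compares them as numbers and the first record whose serial equals 200 wins.
is_valid_buggy() {   # $1 = serial, $2 = now
    newest_first "$INDEX" | awk -F '\t' -v id="$1" -v now="$2" '
        BEGIN { ret = 1 }
        $4 == id {
            ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2
            exit
        }
        END { exit ret }'
}

# Fix from comment 2: prefixing a non-numeric character turns both operands
# into plain strings, so only the exact serial text matches.
is_valid_fixed() {   # $1 = serial, $2 = now
    newest_first "$INDEX" | awk -F '\t' -v id="$1" -v now="$2" '
        BEGIN { ret = 1 }
        ("x" $4) == ("x" id) {
            ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2
            exit
        }
        END { exit ret }'
}

# Print the checker's exit code as text so it can be used under set -e.
status_of() {   # $1 = buggy|fixed, $2 = serial
    rc=0
    "is_valid_$1" "$2" "$NOW" || rc=$?
    echo "$rc"
}

# awk's numeric view of a serial; shows why the three serials collide.
numeric_value() { awk -v s="$1" 'BEGIN { print s + 0 }'; }

for serial in 0200 02E2 20E1 0201 0300; do
    echo "$serial (awk numeric value $(numeric_value "$serial")): buggy=$(status_of buggy "$serial") fixed=$(status_of fixed "$serial")"
done
```

With the buggy comparison the revoked serial 0200 is reported valid (0) because the newer 02E2 or 20E1 record is matched first; the fixed comparison reports it revoked (2), while genuinely valid, expired and unknown serials keep their 0, 3 and 1 results in both variants.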
Created attachment 10960: make-certificates.sh.patch
Comprehensive patch
https://git.knut.univention.de/univention/ucs/-/merge_requests/763
[5.0-6] 0de41fb16b fix(ssl): Use only configures attributes
 base/univention-ssl/make-certificates.sh | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

[5.0-6] fd0d5307f1 fix(ssl): Handles IDs as string
 base/univention-ssl/debian/changelog     | 1 +
 base/univention-ssl/make-certificates.sh | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

[5.0-6] 8c3e0144d5 style(ssl): shell code
 base/univention-ssl/debian/univention-ssl.postinst | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

[5.0-6] 7e8b618cdf fix(ssl): Depend on ca-certificates
 base/univention-ssl/debian/changelog | 5 +++--
 base/univention-ssl/debian/control   | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

[5.0-6] 42d0f14a70 Bug #56832: UCS 5.0-6 version bump
 base/univention-ssl/debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

Package: univention-ssl
Version: 14.0.5-1
Branch: ucs_5.0-0
Scope: ucs5.0-6