Bug#26521654: AUTO GENERATED CERTIFICATES SHOULD USE X509 V3

Description: Certificates generated by mysql server and
             mysql_ssl_rsa_setup do not use X509v3 and
             related extensions.

Solution: Added X509v3 extension.

Author: harinvadodaria

client/mysql_ssl_rsa_setup.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -71,6 +71,12 @@ enum certs
   OPENSSL_RND
 };
 
+enum extfiles
+{
+  CAV3_EXT=0,
+  CERTV3_EXT
+};
+
 Sql_string_t cert_files[] =
 {
   create_string("ca.pem"),
@@ -87,6 +93,12 @@ Sql_string_t cert_files[] =
   create_string(".rnd")
 };
 
+Sql_string_t ext_files[] =
+{
+  create_string("cav3.ext"),
+  create_string("certv3.ext")
+};
+
 #define MAX_PATH_LEN  (FN_REFLEN - strlen(FN_DIRSEP) \
                        - cert_files[SERVER_CERT].length() - 1)
 /*
@@ -314,6 +326,49 @@ class X509_key
   stringstream m_subj_prefix;
 };
 
+class X509v3_ext_writer
+{
+public:
+  X509v3_ext_writer()
+  {
+    m_cav3_ext_options << "basicConstraints=CA:TRUE" << std::endl;
+
+    m_certv3_ext_options << "basicConstraints=CA:FALSE" << std::endl;
+  }
+  ~X509v3_ext_writer() {};
+
+  bool operator()(const Sql_string_t &cav3_ext_file,
+                  const Sql_string_t &certv3_ext_file)
+  {
+    if (!cav3_ext_file.length() ||
+        !certv3_ext_file.length())
+      return true;
+
+    std::ofstream ext_file;
+
+    ext_file.open(cav3_ext_file.c_str(),
+                  std::ios::out|std::ios::trunc);
+    if (!ext_file.is_open())
+      return true;
+    ext_file << m_cav3_ext_options.str();
+    ext_file.close();
+
+    ext_file.open(certv3_ext_file.c_str(),
+                  std::ios::out|std::ios::trunc);
+    if (!ext_file.is_open())
+    {
+      remove_file(cav3_ext_file.c_str(), false);
+      return true;
+    }
+    ext_file << m_certv3_ext_options.str();
+    ext_file.close();
+
+    return false;
+  }
+private:
+  stringstream m_cav3_ext_options;
+  stringstream m_certv3_ext_options;
+};
 
 class X509_cert
 {
@@ -328,15 +383,17 @@ class X509_cert
                           uint32_t serial,
                           bool self_signed,
                           const Sql_string_t &sign_key_file,
-                          const Sql_string_t &sign_cert_file)
+                          const Sql_string_t &sign_cert_file,
+                          const Sql_string_t &ext_file)
   {
     stringstream command;
     command << "openssl x509 -sha256 -days " << m_validity;
-    command << " -set_serial " << serial << " -req -in " << req_file << " ";
+    command << " -extfile " << ext_file;
+    command << " -set_serial " << serial << " -req -in " << req_file;
     if (self_signed)
-      command << "-signkey " << sign_key_file;
+      command << " -signkey " << sign_key_file;
     else
-      command << "-CA " << sign_cert_file << " -CAkey " << sign_key_file;
+      command << " -CA " << sign_cert_file << " -CAkey " << sign_key_file;
     command << " -out " << cert_file;
 
     return command.str();
@@ -551,6 +608,7 @@ int main(int argc, char *argv[])
       Sql_string_t empty_string("");
       X509_key x509_key(suffix_string);
       X509_cert x509_cert;
+      X509v3_ext_writer x509v3_ext_writer;
 
       /* Delete existing files if any */
       remove_file(cert_files[CA_REQ], false);
@@ -560,14 +618,23 @@ int main(int argc, char *argv[])
       remove_file(cert_files[CLIENT_KEY], false);
       remove_file(cert_files[OPENSSL_RND], false);
 
+      /* Remove existing v3 extension files */
+      remove_file(ext_files[CAV3_EXT], false);
+      remove_file(ext_files[CERTV3_EXT], false);
+
+      /* Create v3 extension files */
+      if (x509v3_ext_writer(ext_files[CAV3_EXT], ext_files[CERTV3_EXT]))
+        goto end;
+
       /* Generate CA Key and Certificate */
       if ((ret_val= execute_command(x509_key("_Auto_Generated_CA_Certificate",
                                              cert_files[CA_KEY], cert_files[CA_REQ]),
                                     "Error generating ca_key.pem and ca_req.pem")))
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[CA_REQ], cert_files[CA_CERT], 1,
-                                              true, cert_files[CA_KEY], empty_string),
+                                              true, cert_files[CA_KEY], empty_string,
+                                              ext_files[CAV3_EXT]),
                                     "Error generating ca_cert.pem")))
         goto end;
 
@@ -578,7 +645,8 @@ int main(int argc, char *argv[])
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[SERVER_REQ], cert_files[SERVER_CERT], 2,
-                                              false, cert_files[CA_KEY], cert_files[CA_CERT]),
+                                              false, cert_files[CA_KEY], cert_files[CA_CERT],
+                                              ext_files[CERTV3_EXT]),
                                     "Error generating server_cert.pem")))
         goto end;
 
@@ -589,7 +657,8 @@ int main(int argc, char *argv[])
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[CLIENT_REQ], cert_files[CLIENT_CERT], 3,
-                                              false, cert_files[CA_KEY], cert_files[CA_CERT]),
+                                              false, cert_files[CA_KEY], cert_files[CA_CERT],
+                                              ext_files[CERTV3_EXT]),
                                     "Error generating client_cert.pem")))
         goto end;
 
@@ -622,6 +691,11 @@ int main(int argc, char *argv[])
         goto end;
 
       remove_file(cert_files[OPENSSL_RND], false);
+
+      /* Remove existing v3 extension files */
+      remove_file(ext_files[CAV3_EXT], false);
+      remove_file(ext_files[CERTV3_EXT], false);
+
     }
 
     /*

sql/auth/sql_authentication.cc

@@ -40,6 +40,7 @@
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/x509v3.h>
 #endif /* HAVE OPENSSL && !HAVE_YASSL */
 
 #include "auth_internal.h"
@@ -3451,21 +3452,68 @@ class X509_gen
                     EVP_PKEY *ca_pkey= NULL)
   {
     X509 *x509= X509_new();
+    X509_EXTENSION *ext= 0;
+    X509V3_CTX v3ctx;
+    X509_NAME *name= 0;
+
     DBUG_ASSERT(cn.length() <= MAX_CN_NAME_LENGTH);
-    ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
-    X509_gmtime_adj(X509_get_notBefore(x509), notbefore);
-    X509_gmtime_adj(X509_get_notAfter(x509), notafter);
-    /* Set public key */
-    X509_set_pubkey(x509, pkey);
-    X509_NAME *name= X509_get_subject_name(x509);
-    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
-      (const unsigned char *)cn.c_str(), -1, -1, 0);
-
-    X509_set_issuer_name(x509,
-                         self_sign ? name : X509_get_subject_name(ca_x509));
-    X509_sign(x509, self_sign ? pkey : ca_pkey, EVP_sha256());
+    DBUG_ASSERT(serial != 0);
+    DBUG_ASSERT(self_sign || (ca_x509 != NULL && ca_pkey != NULL));
+    if (!x509)
+      goto err;
+
+    /** Set certificate version */
+    if (!X509_set_version(x509, 2))
+      goto err;
+
+    /** Set serial number */
+    if (!ASN1_INTEGER_set(X509_get_serialNumber(x509), serial))
+      goto err;
+
+    /** Set certificate validity */
+    if (!X509_gmtime_adj(X509_get_notBefore(x509), notbefore) ||
+        !X509_gmtime_adj(X509_get_notAfter(x509), notafter))
+      goto err;
+
+    /** Set public key */
+    if (!X509_set_pubkey(x509, pkey))
+      goto err;
+
+    /** Set CN value in subject */
+    name= X509_get_subject_name(x509);
+    if (!name)
+      goto err;
+
+    if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+                                    (const unsigned char *)cn.c_str(),
+                                    -1, -1, 0))
+      goto err;
+
+    /** Set Issuer */
+    if (!X509_set_issuer_name(x509, self_sign ? name :
+                                      X509_get_subject_name(ca_x509)))
+      goto err;
+
+    /** Add X509v3 extensions */
+    X509V3_set_ctx(&v3ctx, self_sign ? x509 : ca_x509, x509, NULL, NULL, 0);
+
+    /** Add CA:TRUE / CA:FALSE inforamation */
+    if (!(ext= X509V3_EXT_conf_nid(NULL, &v3ctx, NID_basic_constraints,
+                                   self_sign ?(char *)"critical,CA:TRUE" :
+                                              (char *)"critical,CA:FALSE")))
+      goto err;
+    X509_add_ext(x509, ext, -1);
+    X509_EXTENSION_free(ext);
+
+    /** Sign using SHA256 */
+    if (!X509_sign(x509, self_sign ? pkey : ca_pkey, EVP_sha256()))
+      goto err;
 
     return x509;
+err:
+    if (x509)
+      X509_free(x509);
+    return 0;
   }
 };