I came across the CRL signing and found myself facing the same issue as #1837. I applied the suggested Fix:
#
#-----[ FIND ]------------------------------------------
#
$CAIssuer->setPrivateKey(PublicKeyLoader::loadPrivateKey($CA_pkey));
#
#-----[ REPLACE WITH ]----------------------------------
#
$CAIssuer->setPrivateKey(PublicKeyLoader::loadPrivateKey($CA_pkey)->withPadding(RSA::SIGNATURE_PKCS1));
Originally posted by @terrafrost in #1837 (comment)
So I now have this code:
<?php
// Added so the script runs stand-alone: phpseclib 3.x installed via Composer,
// plus the classes the script below uses.
require 'vendor/autoload.php';

use phpseclib3\File\X509;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;
use phpseclib3\Math\BigInteger;

$CA_pkey = '-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmWDe2NQWo89ou
ueWDlkUh3S4w/4Cxb+smclz6CLMh5JWBoZ938KOC+R1rIMamHD4LWxTi8qWC+vZb
2D6e7e7HYfgH7Xd1up9JnV6gCqVYFbFn+xiOIIC56VBJG0GrA3NSoPe4+143adrx
KNaIyPT7HoCwX8havEzPQMqtnXtCtMbZLCVzanAm0nQ1M76TXBXBxO8a38JxDCfb
ljnMh42igMA1uEmXvMCPezM8vV9lZlio/NOmr8LQ7dBg1fSr0qb2w6t0w3HsGr6m
rnoQLqGxCKzgqcaTeRoTa5fVUUT1XztyI6srrAEqgauk9cmhNBY3lFUpRI+IkEtJ
ExM/a3ezAgMBAAECggEBAMKYqIhQBvYS/LIY7mLaYpEXUFyoncpJKLmUSCQbkWoC
uKOJLTWgoCKX3liQmgHfPjNNwTlxkI41AkfZSh3uGJlslKPt48wb21HPlw9RrxnZ
ScT0hmwb3WQyTVdVpYaaJaUaw+0Mvy3FSegOfh+U1hIIVOOsJ5EwHxvAOvmtX2Kb
yEvDyQyzbxmm1jLGaeQQOjxM/8+T5kzZCy3aAe/wtsACxDkLGNRm8E435QBoKx73
kzX1bgOReM1XpqaiLMysXU+arJ3GkIRemyksDxDoreG62GIc3Srjk0AGdOPVuIn7
GP2Qjp50UrWh45Q8i65JYtKnpg04WKFkTUELlYUsuoECgYEA8/IUw/gN/wMMghKk
CqlcdEOnhC8zWwvCLFKyC5xCc2vOn1tNUUIIOgHYudlgTd2PB+5cstN3aI5T9sOQ
CE6tSA8RlSQo40camX2+yWDXh6+Ys0gozn4otF/guKELrACPTJra/ItMwapRs99r
oI4eN1A85c5i89GlMHHwNghCdBMCgYEA8boVRx/FZxBrG5pS1RLVz+A8J/Aat/A6
Lalc/c47zi+pIR9L+QyV+kfxtferno9PVEqdvhM5jZSPWEk341yv/dol5woO1ab0
suhMrFflhP0Y0Pd/hUHuGFtNvcg9N6xldh7Oe++ZyfbsVbxF55a6iWjs4aQ4xsD8
EjTIQ2NfIeECgYAyPyvNzbs8Sql55VMKqyXTANhxXrOKTlq5fHMV9yKs2YjexBSh
5yMAp763UTIH99ntPUi0wN/4llBvJIr3WxVQIWJywNb3MX8mHIN+wUbDuQSP8Q4O
sme594G3JdzcmeTqV39Bw4OU5HsdvKhTktJgfFN+1ksFg6ot11ouFvdxJwKBgELi
sHyLp/2Kp3htzTm0CoGIlFygrWP0DsUPtfFsnVPCEFRf6o+xEda9DX7CVzR6hwLV
2qv7edNZJgjRyasZvIDLWe2B9PTdS5wtdvnBIHsZ5UH9GcXvpkgLC4nV3EqJY1G5
2HymobEmp+JZRCZ+qILZC6Kr5CHqyFTpUfiDiJFBAoGAO/fI/EDeavrvc6MU0DOQ
riQyMa/BZ4gJaoTmQfp48Givs2uPtNDcwi67X3Ydl++LPsJKzIw1ZQ9PuqbNRApD
pIuWYPJEBfgt5vLWSXLmFL6cwOEtuZ71zH8VEoihFw99PSpOqp0DtgSSXjSSUuwq
bEEYbLlNWgfXWw6sUhXZDSQ=
-----END PRIVATE KEY-----';
echo "private key for CA cert (can be discarded):\r\n\r\n";
echo $CA_pkey;
echo "\r\n";
// Flatten the PEM onto one line; phpseclib's loaders ignore the whitespace.
$CA_pkey = str_replace(["\r", "\n", "\r\n"], ' ', $CA_pkey);
$CA_cert = '-----BEGIN CERTIFICATE-----
MIID2DCCAsCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJBRDEL
MAkGA1UECAwCQUQxCzAJBgNVBAcMAkFEMQswCQYDVQQKDAJBRDERMA8GCSqGSIb3
DQEJARYCQUQxIDAeBgNVBAMMF3BocHNlY2xpYiBSU0EtU0hBMjU2IENBMB4XDTIy
MDkwNjA1NDc1MFoXDTI0MTIwOTA1NDc1MFowaTELMAkGA1UEBhMCQUQxCzAJBgNV
BAgMAkFEMQswCQYDVQQHDAJBRDELMAkGA1UECgwCQUQxETAPBgkqhkiG9w0BCQEW
AkFEMSAwHgYDVQQDDBdwaHBzZWNsaWIgUlNBLVNIQTI1NiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAOZYN7Y1Bajz2i655YOWRSHdLjD/gLFv6yZy
XPoIsyHklYGhn3fwo4L5HWsgxqYcPgtbFOLypYL69lvYPp7t7sdh+Aftd3W6n0md
XqAKpVgVsWf7GI4ggLnpUEkbQasDc1Kg97j7Xjdp2vEo1ojI9PsegLBfyFq8TM9A
yq2de0K0xtksJXNqcCbSdDUzvpNcFcHE7xrfwnEMJ9uWOcyHjaKAwDW4SZe8wI97
Mzy9X2VmWKj806avwtDt0GDV9KvSpvbDq3TDcewavqauehAuobEIrOCpxpN5GhNr
l9VRRPVfO3IjqyusASqBq6T1yaE0FjeUVSlEj4iQS0kTEz9rd7MCAwEAAaOBijCB
hzA3BglghkgBhvhCAQ0EKhYoT1BOc2Vuc2UgR2VuZXJhdGVkIENlcnRpZmljYXRl
IEF1dGhvcml0eTAdBgNVHQ4EFgQUzmMOHQ7P+vmuzj19O3eJLQv15dwwHwYDVR0j
BBgwFoAUzmMOHQ7P+vmuzj19O3eJLQv15dwwDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQsFAAOCAQEAoRak7lrS2ksj8vVLmpqmKTiCwCs2hyafPOR7rVdVoj7w3ZJ8
4XY8NG81mgHSf3k0jxTOKGAvvRlnW0gCgeANokypJpCtligGl7IrbdVHHUBrAAve
8obIKama26k+gX2DS03DrYBgFaHmI62VG72NOVP447E1ksDkXCAdPC2sfAXSMmKL
ZInEDF6O2op4dqwahkbQT8hmIfFXFf0G5FXGZl890DOFhbqHRvdox/Tj5VEN7UaM
YjMeVvOQXIiapgy1LoXgEi2PXZc61k44xrZLNNZIJ5lc+YgabnZHS7FpNE+YprSF
MHFMH8mv/8Stm3ceWdFN9vbO8quKiVf8SqfO9A==
-----END CERTIFICATE-----';
echo "\r\n\r\nCA cert to be imported into browser:\r\n\r\n";
echo $CA_cert;
echo "\r\n";
// Same flattening for the certificate.
$CA_cert = str_replace(["\r", "\n", "\r\n"], ' ', $CA_cert);
// create CRL
$CAIssuer = new X509;
$CAIssuer->loadX509($CA_cert);
// PKCS#1 v1.5 signature padding, as suggested in #1837 (the default is PSS).
$CAIssuer->setPrivateKey(PublicKeyLoader::loadPrivateKey($CA_pkey)->withPadding(RSA::SIGNATURE_PKCS1));
$x509 = new X509();
// Sign an empty CRL, serialize it and load it back so that $x509 holds a CRL
// that the revoke() call below can add an entry to.
$crl = $x509->loadCRL($x509->saveCRL($x509->signCRL($CAIssuer, new X509())));
// Serial number is the raw bytes 'zzz' in base 256, i.e. 0x7A7A7A.
$x509->revoke(new BigInteger('zzz', 256), '+1 year');
$crl = $x509->saveCRL($x509->signCRL($CAIssuer, $x509));
echo "\r\n\r\nNew CRL:\r\n\r\n$crl\r\n\r\n";
// validate newly created CRL
$x509 = new X509();
$x509->loadCA($CA_cert);
$x509->loadCRL($crl);
try {
echo $x509->validateSignature() ? "good\r\n" : "bad\r\n";
} catch (Exception $e) {
echo $e;
}
The validation passes, but openssl gives Version 1; instead I had assumed Version 2, because the CRL extensions are not empty:
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=AD/ST=AD/L=AD/O=AD/emailAddress=AD/CN=phpseclib RSA-SHA256 CA
Last Update: Sep 13 13:36:21 2024 GMT
Next Update: NONE
CRL extensions:
X509v3 Authority Key Identifier:
keyid:CE:63:0E:1D:0E:CF:FA:F9:AE:CE:3D:7D:3B:77:89:2D:0B:F5:E5:DC
Revoked Certificates:
Serial Number: 7A7A7A
Revocation Date: Sep 13 13:36:21 2025 GMT
Signature Algorithm: sha256WithRSAEncryption
04:92:41:1c:97:f4:ed:67:2b:88:08:17:a5:7c:61:ca:27:88:
f7:7b:4b:cc:76:ab:b6:c3:a8:60:2d:47:b2:b0:13:f7:da:b6:
e2:d8:f1:04:3f:55:0c:c2:59:8e:74:7c:cf:a5:d3:7b:57:67:
c0:17:f1:17:be:55:90:bb:96:9f:4b:54:e7:7b:4d:75:25:af:
e7:34:7b:19:ab:52:48:e0:4a:b7:45:ae:a8:0f:3f:c1:88:a7:
fa:12:e7:89:75:35:4a:47:ef:4c:0c:3b:10:64:ff:53:2b:6a:
dc:9d:ba:1e:c1:db:a2:b5:b3:5a:7e:66:98:87:63:eb:66:09:
ce:72:b2:68:a3:38:c3:21:7e:2b:99:e4:5f:c3:f8:1a:20:59:
fd:21:c2:de:e9:78:ad:04:00:61:22:89:17:95:bc:73:7f:76:
d1:4d:3c:91:be:f2:b3:9b:7f:a3:2a:02:1c:52:00:1e:e3:75:
a4:03:34:af:fc:0f:4d:74:98:67:52:2f:f9:e8:ba:0f:10:0c:
d7:7e:cb:40:b7:21:27:a0:54:47:f8:8f:44:ce:b7:a2:ca:59:
82:ba:42:a2:b8:2f:54:85:38:c8:f6:8d:c7:6c:12:0d:be:8e:
9d:61:6e:d0:68:f0:4c:c6:90:e7:ed:fc:e2:6e:2d:2e:4a:fd:
de:fc:22:9a
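The discrepancy above is a structural one that the signature check does not catch: RFC 5280 section 5.1.2.1 says the TBSCertList version field is optional, but when CRL extensions (or CRL entry extensions) are present it MUST be present and MUST be v2 (integer value 1). A CRL whose extensions are non-empty while the version field is absent therefore decodes as "Version 1 (0x0)" and is malformed, even though its signature verifies. The following is an added example, not code from the original issue or from phpseclib: a self-contained Python DER walker that reads a CertificateList, reports the version openssl would display, whether extensions are in use, and whether that combination is permitted. The two sample CRLs it builds are constructed inline with a dummy signature (only the structure is checked); `pem_to_der` can be applied to a real CRL such as the one the script above prints.

```python
"""Check that a DER-encoded X.509 CRL's version agrees with RFC 5280 5.1.2.1.

Added example (not phpseclib code). The sample CRLs are constructed here
with a dummy signature; only their ASN.1 structure is examined.
"""
import base64
import re


# --- minimal DER encoder, used only to build the sample CRLs ---------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):  # non-negative integers only (version, serial)
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def der_seq(*items):
    return tlv(0x30, b"".join(items))


# AlgorithmIdentifier sha256WithRSAEncryption, a CN=Example CA issuer (constructed),
# a UTCTime, one revoked entry (serial 0x7A7A7A) and an AuthorityKeyIdentifier.
SHA256_RSA = der_seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), b"\x05\x00")
ISSUER = der_seq(tlv(0x31, der_seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Example CA"))))
THIS_UPDATE = tlv(0x17, b"240913133621Z")
REVOKED = der_seq(der_seq(der_int(0x7A7A7A), tlv(0x17, b"250913133621Z")))
AKI_EXT = der_seq(tlv(0x06, bytes.fromhex("551d23")), tlv(0x04, der_seq(tlv(0x80, bytes(20)))))
EXTENSIONS = tlv(0xA0, der_seq(AKI_EXT))  # crlExtensions [0] EXPLICIT


def build_crl(version=None, extensions=True):
    """Sample CertificateList; version=None omits the field (decodes as v1)."""
    parts = [] if version is None else [der_int(version)]
    parts += [SHA256_RSA, ISSUER, THIS_UPDATE, REVOKED]
    if extensions:
        parts.append(EXTENSIONS)
    dummy_sig = tlv(0x03, b"\x00" + bytes(8))
    return der_seq(der_seq(*parts), SHA256_RSA, dummy_sig)


# --- minimal DER reader ---------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite lengths only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    """Strip PEM armour and any whitespace (newlines or the spaces phpseclib tolerates)."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def der_to_pem(der, label="X509 CRL"):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def inspect_crl(der):
    """Displayed version, whether extensions are used, and RFC 5280 5.1.2.1 compliance."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CertificateList must be one SEQUENCE")
    outer = children(body)
    if len(outer) != 3 or outer[0][0] != 0x30:
        raise ValueError("expected tbsCertList, signatureAlgorithm, signatureValue")
    fields = children(outer[0][1])
    version_field = None
    if fields and fields[0][0] == 0x02:          # optional Version INTEGER
        version_field = int.from_bytes(fields[0][1], "big")
        fields = fields[1:]
    # fields[0] signature, fields[1] issuer; after that come the update times,
    # revokedCertificates (SEQUENCE) and crlExtensions ([0] EXPLICIT).
    has_crl_ext = any(t == 0xA0 for t, _ in fields[2:])
    has_entry_ext = any(
        len(children(entry)) == 3                # serial, date, crlEntryExtensions
        for t, v in fields[2:] if t == 0x30
        for _, entry in children(v)
    )
    uses_ext = has_crl_ext or has_entry_ext
    ok = version_field == 1 if uses_ext else version_field in (None, 1)
    return {"version": (version_field or 0) + 1, "has_extensions": uses_ext, "rfc5280_ok": ok}


if __name__ == "__main__":
    for label, crl in (("no version, AKI ext", build_crl(None, True)),
                       ("v2, AKI ext", build_crl(1, True))):
        print(label, inspect_crl(crl))
```

The first sample reproduces the shape openssl complained about (extensions present, version field absent) and is flagged; the second, with the version INTEGER set to 1, passes. Running `inspect_crl(pem_to_der(crl))` on the PEM that the PHP script prints tells you directly whether the generated CRL is a conforming v2 CRL.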