chris2511 / xca Goto Github PK

I have a Yubikey 4, which among other things supports PIV with RSA and ECDSA keys. These can be used in xca via PKCS#11 through either OpenSC or YKCS11 libraries.

I'm often getting the following error when trying to create a certificate using the root key/cert pair stored on the token:

The following error occurred:
(8pki_x509[]:Test EC Sub-CA)
error:0D0DC006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib

(pki_x509.cpp:586)

I can't yet get a consistent reason as to why this happens. Once I somehow managed to make it all work with different key types, but now it's not working no matter what I do (you might've noticed multiple edits to this issue, that's the reason why).

UPD: I think I found it! It depends on the PIN policy for the given key. For all tests below I've set touch-policy (i.e. the requirement to press the token button after PIN entry) to always for all keys tested.

Cold token (just inserted)

Hot token (keys were already used)

Tested against version 2.0.1:

lib/db_base.cpp: In member function 'virtual QVariant db_base::data(const QModelIndex&, int) const':
lib/db_base.cpp:438:4: error: this statement may fall through [-Werror=implicit-fallthrough=]
    if (hd->id == HD_internal_name || item->isVisible() == 1)
    ^~
lib/db_base.cpp:440:3: note: here
   case Qt::DecorationRole:
   ^~~~
cc1plus: all warnings being treated as errors
make: *** [makefile:2394: db_base.o] Error 1

Everything works when compiled with -Wno-error=implicit-fallthrough.

I'm in a situation where I can't download and run the xca tool as my company's security policy only allows App Store and Identified apps to run on my MacBook.

Therefore, I've cloned the repo and I'm trying to build my own copy of XCA. First, there is not a 'configure' file that is executable in the clone, but there is a configure.w32 file that is executable so I'm trying to run that one.

Here is the output from my attempt at running ./configure.w32:

$ ./configure.w32
found /usr/local/Cellar/openssl/1.0.2o_1/lib/libcrypto.a
NOT found /usr/local/Cellar/openssl/1.0.2o_1/lib/libltdl.a
found /usr/local/Cellar/openssl/1.0.2o_1/include/openssl/opensslv.h
NOT found /usr/local/Cellar/openssl/1.0.2o_1/include/ltdl.h
QT: '/usr/local/Cellar/qt@4/4.8.7_3'

How can I resolve this issue?

Chuck

Currently, all stored or exported private keys are encrypted using 3DES. As 3DES is quite old and considered to be broken if used as a block cipher for long-lasting TLS sessions, its deprecation is underway. It would be better to switch to a more modern encryption algorithm, such as AES256, or - even better - allow the user to choose it when creating the database or exporting private keys.

Hi,

Because I could not convert a 1.4 .xdb with XCA 2.1.0, I just created a new database and started exporting/importing everything from the old to the new database (export to clipboard -> PEM private -> Paste PEM data).
I noticed that each Private Key is imported having the same name (don't recall what it was exactly, but it had "RSA" and "2048" in there). which seems logical: a key doesn't have name info by itself. Luckily we don't have that many keys and they're all imported in the same order as found in the original database, so I took the effort to manually rename the internal names.

Since a PEM key has a begin- and end-markings, would it be possible to enhance this and add additional info that XCA can use when importing private keys so that it can automatically set the correct internal name? The same goes for Templates.

Also, would it be hard to make it possible to export the whole root-intermediate-cert chain and import it? Now you need to export/import each level separately. I know you preferably don't want to do this too often, but it might help a lot of other people.

Trying to create a certificate using on-hand CA and CSR but it gave me this error:

The following error occurred:
(7pki_evp[1]:CA Key)
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

(pki_evp.cpp:515)

I have been using 2.0.0 and the database upgraded from version 1.4.0 (encrypted in 2.0.0), and I didn't know what went wrong.
Also when I am trying to change the password (leaving new passwords empty), this error also shows.

While trying to resolve XCA backwards compatibility issues already mentioned in another thread I had to realize that building the app from the source with the given instructions in INSTALL.mac won't work here.

My environment: macOS 10.13.6 & Xcode 9.4.1

1st issue: configure won't be created with line 54 in build-mac.sh: (cd $XCA_DIR && ./bootstrap).

I tried to resolve it by installing the probably missing automake and autoconf with brew.

2nd issue: after installing automake/autoconf configure will be created but its execution stops at line ~2695 trying to detect some OpenSSL parameters. This can be resolved by hacking the configure file. But moreover - some lines later (~2770) - configure stops at detecting the Qt version.

Any hints?

Netscape extension still available, and enabled by default

Currently, the AIA field in certificate extensions supports either OCSP or caIssuers parameter, it would be great if it was possible to specify both simultaneously.

I think that serial numbers were configurable before (next serial number vs random next serial number). Ain't they for version 2?

Hello!

Is it possible to add LibreSSL support to your program?

The documentation tab on the website doesn't lead anywhere.. Is there a reason for this?

When I export a certificate to p12 file The following error occurs.

(pki_x509:Rebus)
error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large
error:0D0E10DF:asn1 encoding routines:asn1_get_uint64:too large

(pki_x509.cpp:454)

The version field in xca always contains "Created by Qt/QMake" instead of a "valid" version number. That makes it difficult to deploy the software via common deployment mechanisms (e.g. Munki) as those use the version string to determine whether updates are available.

Filtering certificates does not recursively apply the filter through child items:

System: Arch Linux x64 using the xca from the AUR (which was recently promoted to the community repo, actually, which is where the package is right now). All of my packages are up-to-date as of today, 23 August 2018. Let me know if you need to know specific package versions of anything.

I am using Postgres 10 as the RDBMS.

I get the following error when trying to load my database.

Steps to reproduce:

0. A week or so ago, I made a single self-signed CA key + cert and signed 3-4 end-entity certificates with 10-year expiries. I saved and loaded the database a few times, if I recall correctly, and decrypting the db worked each time.
1. Fast forward to yesterday. I launched xca, typed in the password to log into the RDBMS, then typed in my password to decrypt the actual xca data.
2. Upon hitting enter, I get a pop-up that says:

The following error occurred:
(7pki_evp[]:)
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

(pki_evp.cpp:178)

After I dismiss this pop-up, I am left at the main xca window but with none of my certs or keys visible.

I can reproduce it each time I try to access my certs/keys.

When I run it from the command line, I see this on stdout/err.

STDOUT/ERR:

Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
DB driver: "QIBASE"
DB driver: "QSQLITE"
DB driver: "QMYSQL"
DB driver: "QMYSQL3"
DB driver: "QODBC"
DB driver: "QODBC3"
DB driver: "QPSQL"
DB driver: "QPSQL7"
DB driver: "QTDS"
DB driver: "QTDS7"
Available Remote DB Drivers:  2
"QMYSQL3"
"QPSQL7"
Creating OID: "/usr/share/xca/oids.txt" 8 1061 "1.3.6.1.4.1.311.20.2" "dom" "Domain Controller"
Creating OID: "/usr/share/xca/oids.txt" 9 1062 "1.3.6.1.4.1.311.21.1" "MsCaV" "Microsoft CA Version"
Creating OID: "/usr/share/xca/oids.txt" 11 1063 "1.3.6.1.4.1.311.10.3.4.1" "msEFSFR" "Microsoft EFS File Recovery"
Creating OID: "/usr/share/xca/oids.txt" 12 1064 "1.3.6.1.5.5.8.2.2" "iKEIntermediate" "IP security end entity"
Creating OID: "/usr/share/xca/oids.txt" 19 1065 "0.2.262.1.10.7.20" "nameDistinguisher" "Name distinguisher"
Creating OID: "/usr/share/xca/oids.txt" 21 1066 "1.3.6.1.5.5.7.3.13" "id-kp-eapOverPPP" "EAP over PPP"
Creating OID: "/usr/share/xca/oids.txt" 22 1067 "1.3.6.1.5.5.7.3.14" "id-kp-eapOverLAN" "EAP over Lan"
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
Opening database: xca@claudius/QPSQL7:xca
Available Remote DB Drivers:  2
"QMYSQL3"
"QPSQL7"
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))
Available Remote DB Drivers:  2
"QMYSQL3"
"QPSQL7"
OpenDb::getDbType:  "QPSQL7"
"MW_database.cpp(40) Transaction: Begin Level 1, E:0 "
table_prefix: ""
"MW_database.cpp(52) Transaction: Commit Level 0, E:0 "
"QUERY: sql.cpp:76 (SELECT MAX(stamp) +1 from items) - Rows selected: -1"
"QUERY: sql.cpp:81 (UPDATE items SET stamp=? WHERE stamp=0[9]) - Rows affected: 0"
OpenDb::getDbType:  "QPSQL7"
OpenDb::getDbType:  "QPSQL7"
DB-DESC: "xca@claudius/QPSQL7:xca" "xca@claudius/QPSQL7:xca" QSqlError("", "", "")
"QUERY: db_base.cpp:117 (SELECT * FROM view_public_keys) - Rows selected: -1"
OpenSSL error (pki_evp.cpp:178) : error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Closing database: 
"settings.cpp(110) Transaction: Begin Level 1, E:0 "
"QUERY: settings.cpp:114 (UPDATE settings SET value=? WHERE key_=?[702,511,2, mw_geometry]) - Rows affected: 1"
"settings.cpp(123) Transaction: Commit Level 0, E:0 "
"QUERY: sql.cpp:76 (SELECT MAX(stamp) +1 from items) - Rows selected: -1"
"QUERY: sql.cpp:81 (UPDATE items SET stamp=? WHERE stamp=0[9]) - Rows affected: 0"
Empty filename passed to function
SPLIT DB: QMap(("all", "xca@claudius/QPSQL7:xca")("dbname", "xca")("host", "claudius")("prefix", "")("type", "QPSQL7")("user", "xca"))

Please let me know if you need any additional data.

Considering this tool is for Certificates shouldn't the site always use SSL?

Handling of when a user can't load javascript would be useful on the site

In the Extensions tab.
Click Edit button for: "X509v3 Subject Alternative Name"
add an IP
and try to edit content.
Bug!

System: Windows 10 Pro x64 english.

Several modern browsers require that a X.509 certificate include an X.509 v3 Subject Alternative Name DNS entry with all hostnames the certificate is valid issues for. It would be great if the built-in HTTPS_server template added a placeholder entry like, "DNS:your.server.name.here'.

Please point me at the definition of these included templates and I'll file a pull request.

Relevant template:

X.509 v3 extension applied by this template:

Sample DNS Subject Alternative Name:

installing XCA is reporting that it requires latest OSX version.

is there any particular reason for that?

I have some macs with Yosemite, El Capitan, etc. are they not supported?

XCA reports not been able to open the shared library.

The path is correct, I did set it up browsing to it.

The library does work, as I can can use SSH using it with no problem.

Any idea what could be wrong?

First off, I'd like to thank you for making this fantastic piece of software.

Since https://tools.ietf.org/html/rfc6125#section-6.4.4, the SAN is checked, and if present, no CN check will be performed on a server cert.

To automate this, an option to include the CN as either a DNS or IP entry would be nice. That way, templating a certificate would become easier.

Please consider adding this feature

Thanks in advance

i have got a private and public key, also a certificate of the signing ca.

now i want o try to export as pkcs12 chain.
the chain is beeing exported, but it contains no private key.

ok, next try to export the files and use openssl to create the pkcs12 chain.
on exporting the private key to a file, all files i do export , i will never be asked for a password and all file length are 0.
ok, i said... let´s try to export via clipboard:
now the application crashes (not responding anymore)

going back to 1.x does not work, it seems that there is a database change.

exporting the complete certificate structure also does not create a valid file for the private key ( 0 bytes)

thanks

Markus from germany

I cannot put an ip address to the SAN-Field. It's cleared automatically and then the empty field is not allowed.

Can't export to p12 format. Ends everytime in error:

(7pki_evp[3]:certificate)
error:06065064:digital envelope rotines:EVP_DecryptFinal_ex:bad decrypt

(pki_evp.cpp:516)

Version 1.4.1 works well.

Most certificates out there don't include the issuer in the Authority Key Identifier, they only include the keyid. In fact Mozilla's CA guidelines explicitly forbid such a practice. See section 5.2.

Naturally I couldn't find any well-known public site (e.g. google.com, microsoft, letsencrypt.org), where any of the certificates in the chain included something other than the keyid in the AKI.

XCA however sets authorityKeyIdentifier=keyid:always,issuer:always, if one ticks Authority Key Identifier in the Extensions tab. A different behavior can only be accomplished using the Advanced tab.

What's even worse: If one uses the Transform → Similar Certificate feature on a certificate, that had only keyid as authorityKeyIdentifier, XCA drops this information and sets its AKI option in the Extensions tab. One has to manually go back to the Advanced tab and enter authorityKeyIdentifier=keyid again and unset the checkbox in the Extensions tab. This can be easily be forgotten.

Please change the default authorityKeyIdentifier setting to keyid, if the AKI is selected in the UI or at least make it configurable.

Tried to import a bunch of cert with the import from the top menu.
But the application will freeze.
At the import button on the side it will work.

Best Regards

Is there a way how to create intermediate certificate authority?

Hi Christian,
I have finished the final 2.0.0 translation, but I'm facing big problems to get it into xca:

1. Now that contexts are included for each string, msgmerge sets all "non-context"old strings to fuzzy :-( I had to review all translated strings for correctness. The good thing is that it allowed me to fix some of them. Since I did the job, this problem is resolved for me, but I hope this was a one-time work and will not occur at each release.
2. On Fedora, the lconvert probram is not found if you don't have qt4-devel installed (--with-qt-version=5). But there is a lconvert-qt5 program. I think lconvert should be treated by configure/makefiles as you already did for lrelease.
3. After having manually lconverted fr.po, running xca in french appears untranslated. I looked in the generated ts file and noticed the context information was only set as a string comment: all strings are still in an empty context and I suppose this is the reason why the translation is not effective. Perhaps lconvert does not know how to handle msgctxt ?

May be we should resolve these problems before I submit a PR for the translation.

Cheers,
Patrick

If no template (or the empty template) is applied when creating a self-signed certificate, it does not include CA:TRUE in extensions.
IMHO this extension should be preset automatically for self-signed certificates, as this is done by the openssl req -x509 command default configuration.

Hi,

after opening my V 1.3.1 DB with version 2.10 the DB was converted. When signing the first CSR there was an error mesage: "Failed to retrieve unique random serial". In the next try there was no error message and the certificate was generated. But with a serial already in the database.

Best regards,
Daniel

for example it becomes

OU=Default Users,OU=Users,OU=Sck,DC=sck,DC=be,CN=Name

instead of CN=Name,OU=Default Users,OU=Users,OU=Sck,DC=sck,DC=be

When exporting a private key to a file, the created file is created with permissions of 0644. I believe this is based on my umask. Ideally, private keys should always be exported with permissions similar to '0400'

Bug:
When ticking the box for "SKI" when creating a new CSR for an exisiting and known keypair no SKI extension is actually generated when looking at the ASN.1 output.

Steps to reproduce:

1. Create a private key
2. Open the CSR creation dialogue
3. Switch to the tab "extensions" and tick "Subject Key Identifier"
4. Enter all information neccessary for the CSR generation to work
5. Generate the CSR
6. Export it (eg to PEM)
7. Verify using an ASN.1 parser (eg this one) that the resulting file lacks an SKI extension.

Latest Tested Platform for this bug:
Windows 10, x64, XCA 1.3.2
(but there is no mention of a fix in the changelog since then)

For some tests I'd like to create a certificate (renew an existing certificate) which is only valid for 30 minutes.
When I manually edit a sub-item of the date and time in the calendarPopup it instantly gets changed back to the value it had before.
This only happens, when "Local Time" is enabled.

My locale is "Deutschland" on a Windows7 host, running xca 1.4.0

When trying to open a network database I cannot chose a type:

The dropdown simply does not open/is empty.

Windows: 1803 (Build 17133.73)
XCA: 2.0.0

First, I would like to thank you for this great project. We used it quite a few years and we love it. 👍

While trying to migrate to 2.x we discovered an issue with CSRs.

In 1.4.1 there was a clear relationship between a CSR and the issued Cert. After migrating to 2.x all currently signed CSRs are shown as unhandled despite the Certs are in place. So we are no longer able to identify, which CSRs have already been signed and which are pending. And this annoying if you have quite a bunch...

In 1.4.1 if I remove a Cert, the CSR shows "unhandled" as expected. If I reimport the Cert, the CSR shows "signed" again. This was a great feature, but no longer works in 2.x. Removing a signed Cert in 2.x does no longer reflect the state in the corresponding CSR, it stays "signed".

From Changelog for xca 2.0.0-pre01 Sun Mar 11 2018:

CSR signing is now statically stored in the database and the comment of the issued certificate.

So I guess this is the reason? Is there any chance to get this relationship restored?

Are there any plans on supporting MSSQL Server in a future release?

In version 1.x every CRL that was created received a unique name using an incremental number that was added behind the 'Internal Name'. Now, in version 2.0.1 (Win), they don't get an unique name anymore. This makes them more difficult to find back, especially when the list with CRLs is long.

Expired and expiring soon certificates are no longer coloured after upgrade to version 2.
This particular setting was enabled. Disabling, restarting, re-enabling, restarting again didn't help.

When there is an error in the certificate store detected upon start of xca there is no dedicated application icon in the taskbar yet, which is a little inconvenient.

An error message like this for example does not have a taskbar icon.

The application icon should be displayed before any checks for error are performed and if one is found should blink, at least under windows. I guess the OSX Icon would start bouncing(?)

If I try to open a remote connection to a MySQL database with xca 2.0.0-pre03 (Windows) this results in error "driver not loaded", perhaps of not loaded qsqlmysql.dll? No problem under linux (same version build from sources)

When opening a certificate for which I don't have a private key, the signature and key field are simply set as "Signer unknown" and "Not available" respectively, can you please add a way to see these fields? Would be very useful for reviewing other certificates

I was fighting for a while to include custom OIDs and EKUs into xca by following the documentation and comments in oids.txt, which suggested to put them into either:

• ~/.xca
• ~/Library/Preferences/xca

It turned out that on at least High Sierra, xca preferences are located in ~/Library/Application Support/data/xca:

forst@shark /Volumes/xca-2.1.0-dev % ./xca.app/Contents/MacOS/xca 
"/Users/forst/Library/Application Support/data//"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
DB driver: "QSQLITE"
Available Remote DB Drivers:  0
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
"/Users/forst/Library/Application Support/data//xca"
Opening database: /Users/forst/Test.xdb

I basically added a qDebug call in the getUserSettingsDir to view what it outputs:

diff --git a/lib/func.cpp b/lib/func.cpp
index 41ad737..f7c55b5 100644
--- a/lib/func.cpp
+++ b/lib/func.cpp
@@ -189,6 +189,7 @@ QString getUserSettingsDir()
        rv += QDir::separator();
        rv += ".xca";
 #endif
+       qDebug() << rv;
        return rv;
 }
 

It also revealed that in my case:

• QCoreApplication::organizationName() always returns an empty string
• QCoreApplication::applicationName() returns an empty string on the first call, apparently before the application name is set

macOS High Sierra 10.13.5, Qt 5.11.1 from Homebrew. Same directory is also used in the release version of xca with whichever Qt revision it is bundled with.

On a side note, here are the changes to build with Homebrew's Qt:

diff --git a/misc/build-mac.sh b/misc/build-mac.sh
index adae71c..d2951c7 100755
--- a/misc/build-mac.sh
+++ b/misc/build-mac.sh
@@ -47,11 +47,11 @@ rm -rf "$XCA_BUILD"
 mkdir -p "$XCA_BUILD"
 cd "$XCA_BUILD"
 
-export CPPFLAGS="$CFLAGS -I${INSTALL_DIR}/include -F$QTDIR"
-export CXXFLAGS="$CFLAGS -F$QTDIR"
-export LDFLAGS="-L${INSTALL_DIR}/lib"
+export CPPFLAGS="$CFLAGS -I${INSTALL_DIR}/include -I/usr/local/opt/qt/include"
+export CXXFLAGS="$CFLAGS -I/usr/local/opt/qt/include"
+export LDFLAGS="-L${INSTALL_DIR}/lib -L/usr/local/opt/qt/lib"
 
 (cd $XCA_DIR && ./bootstrap)
-$XCA_DIR/configure --with-openssl="$INSTALL_DIR" --with-qt=$QTDIR
+$XCA_DIR/configure --with-openssl="$INSTALL_DIR" --with-qt=/usr/local/opt/qt
 make -j5
 cp *.dmg ..

Hi,

I just updated from XCA 1.4.1 to 2.1.0 on Windows. When I open a XCA 1.4.1 database in XCA 2.1.0, it tells me that it's going to convert the database and make a backup. It's a small database but XCA never finishes and has "Not Responding" in the application title bar. Also, it keeps consuming anywhere between 15-20% CPU time. The resulting .xdb file can be opened but is incomplete. I've repeated this a couple of times but each time I have the same result.

The option 'Midnight' doesn't changes the timestamps for last and next update anymore when creating a new CRL.

I have this issue in version 2.0.1 (Win), in version 1.x this always was working without problems.

Crash always happens after xca main application has quit.

two crash reports appended

xca_crashes.zip

After closing certificate details window, certificate tree folding is toggled, i.e. the tree is folded if it was not and vice versa.

Right now certificates are coloured according to percentage of remaining time. This keeps 5 year certificates coloured for their entire last year. Wouldn't it be better to colour all certificates, say 5 or 10 days before expiry? Or a user configurable setting maybe?