Ubuntu
edk2 package

snakeoil certificates do not have a CN set

Bug #2019993 reported by Scott Moser
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
edk2 (Ubuntu)
Fix Released
Low
dann frazier

Bug Description

There is no CN on the snakeoil PkKek certificate shipped by OVMF package.
That is probably not technically a bug, but is uncommon.

$ openssl x509 -noout -subject -in /usr/share/ovmf/PkKek-1-snakeoil.pem
subject=C = US, ST = Colorado, L = Fort Collins, O = SnakeOil

It causes stacktrace of 'virt-fw-vars' from virt-firmware python package.

$ virt-fw-vars -i /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd --extract-certs
INFO: reading edk2 varstore from /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
INFO: var store range: 0x64 -> 0x40000
Traceback (most recent call last):
  File "/home/smoser/pub/venvs/virt-firmware/bin/virt-fw-vars", line 33, in <module>
    sys.exit(load_entry_point('virt-firmware==23.5', 'console_scripts', 'virt-fw-vars')())
  File "/home/smoser/pub/venvs/virt-firmware/lib/python3.10/site-packages/virt/firmware/vars.py", line 159, in main
    sigdb.extract_certs(key)
  File "/home/smoser/pub/venvs/virt-firmware/lib/python3.10/site-packages/virt/firmware/efi/siglist.py", line 164, in extract_certs
    siglist.extract_cert(prefix)
  File "/home/smoser/pub/venvs/virt-firmware/lib/python3.10/site-packages/virt/firmware/efi/siglist.py", line 78, in extract_cert
    cn = self.x509.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0]
IndexError: list index out of range

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ovmf 2022.02-3ubuntu0.22.04.1
ProcVersionSignature: Ubuntu 5.19.0-41.42~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-41-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.4
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Wed May 17 13:16:17 2023
Dependencies:

InstallationDate: Installed on 2020-01-15 (1217 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: edk2
UpgradeStatus: Upgraded to jammy on 2020-04-17 (1125 days ago)

Revision history for this message
Scott Moser (smoser) wrote :
Revision history for this message
Scott Moser (smoser) wrote :

PR to fix this in virt-firmware at https://gitlab.com/kraxel/virt-firmware/-/merge_requests/3

Revision history for this message
Paride Legovini (paride) wrote :

Hi Scott, all looks correct, thanks. AIUI this is a low priority bug (and I triaged it as such), so let's see if your upstream patch gets merged before (maybe) acting on the Ubuntu side.

Changed in edk2 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
dann frazier (dannf)
Changed in edk2 (Ubuntu):
assignee: nobody → dann frazier (dannf)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package edk2 - 2023.02-2

---------------
edk2 (2023.02-2) experimental; urgency=medium

  * Introduce efi-shell-* packages. Thanks to Heinrich Schuchardt of
    Canonical. Closes: #837093, LP: #2006980.
  * Add missing build dependency on lsb-release, thanks to José Martínez
    of Google.
  * Fix empty AAVMF_VARS.fd file, thanks to José Martínez of Google.
  * Generate a new snakeoil certificate with a CN set. LP: #2019993.

 -- dann frazier <email address hidden> Fri, 19 May 2023 17:21:36 -0600

Changed in edk2 (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.