[SRU] Strongswan pki creates CA certificates with invalid Key Usage flags

Thanks Alexander for this bug report and for finding the upstream bug report, I linked it to this report.

The bug is fixed upstream, but the required patches are spread across at least 5 commits:

https://git.strongswan.org/?p=strongswan.git&a=search&h=HEAD&st=commit&s=3249

It is not totally straightforward to understand the scope of those changes, but the bug is valid and actionable.

As @Paride mentioned this issue requires 5 upstream commits because it does not affect only the pki module. This issue is affecting some chunk_from_chars calls throughout the code base.

I am working to backport the 5 upstream commits to Focal.

The proposed package is available here:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-strongswan-bug-fixes

I performed the test above to check if the CA certificate is generated correctly:

[in the same container I was using to describe the Test Case section in the description]
$ add-apt-repository ppa:lucaskanashiro/focal-strongswan-bug-fixes -y
$ apt install strongswan strongswan-pki -y

# Generate key an certificate
$ pki --gen --type ecdsa --size 384 > strongCAkey2.der
$ pki --self --in strongCAkey2.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > strongCAcert2.der

# Check the certificate with openssl, note the the CertificateSign and CRLsign flags are set in the Key Usage extension
$ openssl x509 -inform DER -in strongCAcert2.der -noout -text | grep -A3 -B3 'Key Usage'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                AF:A0:08:A7:E1:C7:12:31:77:E1:01:24:23:00:5B:0A:1F:D1:2A:1A

Hello Alexander, or anyone else affected,

Accepted strongswan into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I just tested the package from focal-proposed and generated a new CA certificate with correct Key-Extension Flags.
This fixes the bug for me.

See https://paste.ubuntu.com/p/z5pPDSZHHH/

Another +1 for what it's worth, this fixes things nicely.

This bug was fixed in the package strongswan - 5.8.2-1ubuntu3.1

---------------
strongswan (5.8.2-1ubuntu3.1) focal; urgency=medium

  * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
    - d/control: update libcharon-extra-plugins description.
    - d/libcharon-extra-plugins.install: install .so and conf files.
    - d/rules: add plugins to the configuration arguments.
  * Remove conf files of plugins removed from libcharon-extra-plugins
    - The conf file of the following plugins were removed: eap-aka-3gpp2,
      eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
      eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
    - Created d/libcharon-extra-plugins.maintscript to handle the removals
      properly.
  * Add patches to fix the chunk_from_chars() macro compiled with GCC 9+
    (LP: #1879692)
    - Patches backported from upstream: lp-1879692-{1,2,3,4,5}.patch.
    - Fix the pki CA certificate creation issue.

 -- Lucas Kanashiro <email address hidden> Fri, 22 May 2020 10:53:07 -0300

The verification of the Stable Release Update for strongswan has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.