Bad value for crlDistributionPoints #205

Open
ahmet2mir opened this issue Jul 21, 2020 · 1 comment
Comments

@ahmet2mir

Hello,

When running this code, which creates a self-signed cert with crlDistributionPoints, I've got a strange value when running openssl (and browsers don't recognize the value either).

require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)

subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)

cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert

cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com")

cert.sign key, OpenSSL::Digest::SHA256.new

File.open("/tmp/cert.pem", "w"){ |f| f.write cert.to_pem }

puts cert.to_text

When running with jruby, I have this output:

...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
    X509v3 Authority Key Identifier: 
        keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        URI:http://example.com
...

But if I run openssl

$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
    X509v3 Authority Key Identifier: 
        keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01

    X509v3 CRL Distribution Points: 
        ..URI:http://example.com
...

Note the value ..URI:

I also tried the example from the unit tests https://github.com/ruby/openssl/blob/master/test/openssl/test_x509ext.rb#L40
But it doesn't understand how to use the config, because the value stays as is.

# replace cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com") with
ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
_end_of_cnf_
cert.add_extension ef.create_extension("crlDistributionPoints", "@crlDistPts")

Output

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
    X509v3 Authority Key Identifier: 
        keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        @crlDistPts

Note the value @crlDistPts

With openssl:

$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
    X509v3 Authority Key Identifier: 
        keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        @crlDistPts
...

Using jruby embedded in PuppetServer

$ /opt/puppetlabs/server/bin/puppetserver ruby --version
jruby 9.2.11.1 (2.5.7) 2020-03-25 b1f55b1a40 OpenJDK 64-Bit Server VM 25.252-b09 on 1.8.0_252-b09 +jit [linux-x86_64]

$ /opt/puppetlabs/server/bin/puppetserver gem list jruby-openssl
*** LOCAL GEMS ***
jruby-openssl (default: 0.10.4 java)

Similar to jruby/jruby#994
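Both openssl dumps above (the "..URI:http://example.com" text and the literal "@crlDistPts") suggest the extension value was stored as the literal text rather than parsed into the CRLDistributionPoints SEQUENCE defined in RFC 5280 section 4.2.1.13. A relying party that hits this silently loses the CRL URL, so it is worth checking generated certificates for it. The checker below is an added example, not code from this issue or from jruby-openssl: it uses CRuby's OpenSSL binding to produce a reference encoding, walks the DER to collect the fullName URIs, and returns nil for anything that is not the expected structure. The two bare IA5String values are constructed stand-ins for a wrong shape; they are an assumption for exercising the checker, not the bytes jruby-openssl actually produced.

```ruby
require 'openssl'

# Added example: verify that a crlDistributionPoints extension really is a
# CRLDistributionPoints SEQUENCE (RFC 5280 4.2.1.13) and not a bare string.

# Reference certificate produced by CRuby's OpenSSL binding, with one CRL URI.
def build_cert_with_cdp(uri)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('crlDistributionPoints', "URI:#{uri}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
# Returns the DER carried inside extnValue (avoids Extension#value_der, which
# older openssl gem versions lack).
def extension_value_der(ext)
  OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

def context_tag?(node, tag)
  node.tag_class == :CONTEXT_SPECIFIC && node.tag == tag
end

# Walks CRLDistributionPoints ::= SEQUENCE OF DistributionPoint and collects
# every fullName URI. Returns nil when the value is not that structure, which
# is the situation behind the '..URI:' and '@crlDistPts' dumps in the issue.
def cdp_uris(value_der)
  root = OpenSSL::ASN1.decode(value_der)
  return nil unless root.is_a?(OpenSSL::ASN1::Sequence)
  uris = []
  root.value.each do |dp|
    return nil unless dp.is_a?(OpenSSL::ASN1::Sequence)
    dp.value.each do |field|
      # distributionPoint [0] EXPLICIT DistributionPointName
      next unless context_tag?(field, 0) && field.value.is_a?(Array)
      dpn = field.value.first
      # fullName [0] IMPLICIT GeneralNames
      next unless dpn && context_tag?(dpn, 0) && dpn.value.is_a?(Array)
      dpn.value.each do |gn|
        # uniformResourceIdentifier [6] IMPLICIT IA5String
        uris << gn.value if context_tag?(gn, 6) && gn.value.is_a?(String)
      end
    end
  end
  uris
rescue OpenSSL::ASN1::ASN1Error
  nil
end

# Constructed stand-ins for the wrong shape: the literal text stored as a bare
# IA5String. Assumptions for the checker, not bytes taken from jruby-openssl.
BARE_URI_DER   = OpenSSL::ASN1::IA5String.new('URI:http://example.com').to_der
BARE_ALIAS_DER = OpenSSL::ASN1::IA5String.new('@crlDistPts').to_der

# Convenience wrapper: URIs from a certificate, or nil if the extension is
# missing or malformed.
def cert_cdp_uris(cert)
  ext = cert.extensions.find { |e| e.oid == 'crlDistributionPoints' }
  ext && cdp_uris(extension_value_der(ext))
end

if $PROGRAM_NAME == __FILE__
  p cert_cdp_uris(build_cert_with_cdp('http://example.com'))  # ["http://example.com"]
  p cdp_uris(BARE_URI_DER)                                     # nil
  p cdp_uris(BARE_ALIAS_DER)                                   # nil
end
```

Running this against a PEM produced by the jruby snippet above (load it with OpenSSL::X509::Certificate.new(File.read(path)) and pass it to cert_cdp_uris) gives a quick yes/no on whether the CRL pointer is actually reachable by consumers, independent of how to_text chooses to print the bytes.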

@ahmet2mir
Author

ahmet2mir commented Jul 21, 2020

My last Java project was in 2010, so I tried to read the code, and I see that some extensions have a dedicated parser


And also in extension

Maybe it needs a crlDistributionPoints parser too?
