Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom SAN is not trusted by Chrome #76

Closed
honzabfu opened this issue Apr 26, 2019 · 12 comments
Closed

Custom SAN is not trusted by Chrome #76

honzabfu opened this issue Apr 26, 2019 · 12 comments
Labels
bug Bug. An issue exist in our code. fixed-vNext The item is fixed in development code. Will be available in next release.

Comments

@honzabfu
Copy link

Certificate issued with SAN modified by "$Request | Set-CertificateExtension -Extension $SAN" is trusted by Edge and IE, but is not trusted by Chrome.
Error is "NET::ERR_CERT_COMMON_NAME_INVALID".
Same error for version 3.4.1.0 and 3.2.7.0
2019-04-26_13-23-44 (1)
@Crypt32
Copy link
Collaborator

Crypt32 commented Apr 26, 2019

There is a bug in ICertAdmin2 COM interface binary string marshalling when encoded input string contains odd number of characters and I can't fix this, because the issue is at Microsoft's end. I can suggest only workaround: add fake or non-usable alternative name at the end of SAN list. For example, you have two domains: abc.com and adc.cz. Add another alternative name (say abc.x) as last element in the SAN list. There are 50% chances that last name will work, so make last name fake to make all other names valid.

@Crypt32 Crypt32 added the wontfix The behavior is by design, or we don't have an ability to fix this due to API restrictions. label Apr 26, 2019
@honzabfu
Copy link
Author

honzabfu commented Apr 27, 2019
edited

Unfortunately it does not work. Neither with common domain nor with localhost.
2019-04-27_10-21-38

@Crypt32
Copy link
Collaborator

Crypt32 commented Apr 27, 2019
edited

Can you provide sample certificate that doesn’t work?

BTW, does first name in SAN list work?

@honzabfu
Copy link
Author

First SAN does not work in Chrome as well.

abc.fi.crt.txt

@Crypt32
Copy link
Collaborator

Crypt32 commented Apr 27, 2019

Ok, can you send me certificates from first example, where you had 1 and 2 names (as in initial screenshots)? Also, can you paste code you used to create $SAN variable?

@honzabfu
Copy link
Author

Files attached (there is single certificate with CN and two SANs on the 1st screensthot).
BTW thanks for your effort!

SanGen.ps1.txt
abc.com.crt.txt

@honzabfu
Copy link
Author

honzabfu commented May 6, 2019

So is there any other workaround we could use in short term? Or there is no chance to modify SANs for now at all? Thx. in advance.

@Crypt32
Copy link
Collaborator

Crypt32 commented May 6, 2019

Sorry, I was extremely busy last week. I will get back to you soon.

@Crypt32
Copy link
Collaborator

Crypt32 commented May 6, 2019

I made a quick check and my initial suspect was correct. The idea is that when $SAN.RawData.Length is even number and length is less than 128 bytes, extension is added correctly.

The extension is malformed when length of SAN extension is odd number. In this case, you need to add a fake name with odd length (considering that overal length won't exceed 127 bytes). This will fix the extension. The workaround you tried didn't work, because the name length is even number, thus total SAN extension value is still odd.

That is, if you create SAN extension (any extension is affected), check its length. Say,

if ($san.RawData.Length % 2) {"add odd-length name"} else {"leave it as is, it is ok"}

this will work. I tried to contact Microsoft on this long-time bug, but no progress and unlikely will be fixed.

@honzabfu
Copy link
Author

This workaround seems to work, thank you!

@Crypt32 Crypt32 added the bug Bug. An issue exist in our code. label Aug 26, 2019
@Crypt32 Crypt32 removed the wontfix The behavior is by design, or we don't have an ability to fix this due to API restrictions. label Jun 18, 2022
@Crypt32
Copy link
Collaborator

Crypt32 commented Jun 18, 2022

Although, this one is old, but I eventually found a way to work around ICertAdmin::SetCertificateProperty data marshalling issue. Thus, removing wontfix label and hoping to eventually fix this in native way.

Crypt32 added a commit to PKISolutions/pkix.net that referenced this issue Jun 18, 2022
@Crypt32
addressed PKISolutions/PSPKI#76 in backing library
f16b44d
Crypt32 added a commit to PKISolutions/pkix.net that referenced this issue Jul 6, 2022
@Crypt32
Net472 (#52)
894aef6 
* upgraded .NET version to 4.7.2

* added support for KeyBasedRenewal flag in CES URL

* added missing Convert.ToInt32 method on authentication conversion to string

* added missing KeyBasedRenewal bit encoding

* updated CES URL encode to be URI-compliant (spaces replaced with %20)

* ipmproved and updated CRL text dump

* version bump

* updated casing and xml-doc comments

* addressed #49

* added another missing enum value

* code style

* Added ToString() implementation which returns

* addressed #51

* implemented #50

* added basic support for new Microsoft extension 1.3.6.1.4.1.311.25.2 (from KB5014754).

* addressed PKISolutions/PSPKI#76 in backing library

* renamed class and made it static
Crypt32 added a commit that referenced this issue Jun 6, 2023
@Crypt32
addressed #76 in PSPKI
f3547ea
@Crypt32 Crypt32 added the fixed-vNext The item is fixed in development code. Will be available in next release. label Jun 6, 2023
@Crypt32
Copy link
Collaborator

Crypt32 commented Jun 15, 2023

Fixed in v4.0.0

@Crypt32 Crypt32 closed this as completed Jun 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Bug. An issue exist in our code. fixed-vNext The item is fixed in development code. Will be available in next release.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Crypt32 @honzabfu