OpenSSL::ASN1.decode results vary from MRI (and fail) #389

Closed
vbatts opened this Issue Nov 12, 2012 · 8 comments

vbatts commented Nov 12, 2012

The test case and results are stored in https://gist.github.com/4061036

Discovered while trying to decode a DER-encoded octet string, but it happens on more types than just OctetStrings.

BanzaiMan commented Nov 12, 2012

Can you test it on 1.7.0 and/or jruby-openssl 0.8.0.preN (N=3 is the latest as of this writing)? We are not maintaining 1.6.x at this time.

vbatts commented Nov 12, 2012

the gist comment includes the results from: jruby 1.7.1.dev (1.9.3p286) 2012-11-12 f0cdc2b on OpenJDK 64-Bit Server VM 1.7.0_07-b30 [linux-amd64]
which is using jruby-openssl "0.8.0.pre3"

BanzaiMan commented Nov 13, 2012

@vbatts Sorry about that. I must have overlooked it. Can you give an example PEM file? I'm on a Mac at the moment and I can't find an appropriate file to test against.

Thank you.

vbatts commented Nov 13, 2012

Ah, I did that /etc find hoping that it would find certs on a Mac as well. Here is just a standard CA cert.

Equifax_Secure_CA.pem

BanzaiMan commented Nov 14, 2012

Looks like OpenSSL::ASN1.decode is returning an extra object at index 1.

vbatts commented Feb 5, 2013

It's something to do with decoding DER extension sets, because plain decoding functions fine. Here is a decoded DER extension, in ruby-trunk (2.0.0 dev):

=> #<OpenSSL::ASN1::Sequence:0x84958b0
 @infinite_length=false,
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x84959a0
    @infinite_length=false,
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::OctetString:0x84958ec
    @infinite_length=false,
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

Here is the exact same decoded DER extension, in jruby-head (1.7.3 dev):

=> #<OpenSSL::ASN1::Sequence:0x0fde050
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x14bcae9
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::Boolean:0x0f690e4
    @tag=1,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value=false>,
   #<OpenSSL::ASN1::OctetString:0x1a29450
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

The objects in the Sequence in JRuby do not have the infinite_length attribute, but instead include an ASN1 boolean of false.

vbatts commented Feb 5, 2013

simplest recreation

require 'openssl'

# Build a non-critical extension, then decode its DER encoding.
ext = OpenSSL::X509::Extension.new('1.1.1.1.1.1','foo')
dec = OpenSSL::ASN1.decode(ext.to_der)
p dec

kares commented Apr 24, 2014

turns out in this case the issue is really with ext.to_der ... fix shall land on master once #1543 is there
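
Added example (not part of the thread and not jruby-openssl code): a Ruby check for the symptom shown above, an extension whose encoding carries an explicit BOOLEAN FALSE between the OID and the OCTET STRING. It assumes the RFC 5280 definition of Extension, where critical is BOOLEAN DEFAULT FALSE and DER omits a component equal to its default; the helper names and the hand-built sample are constructed for illustration.

```ruby
require 'openssl'

# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
#                          extnValue OCTET STRING }   (RFC 5280)
# An explicit BOOLEAN FALSE is valid BER but not DER, so it is reported
# separately from the two DER shapes.
def classify_extension_der(der)
  seq = OpenSSL::ASN1.decode(der)
  return :not_an_extension unless seq.is_a?(OpenSSL::ASN1::Sequence)
  items = seq.value
  return :not_an_extension unless items.first.is_a?(OpenSSL::ASN1::ObjectId) &&
                                  items.last.is_a?(OpenSSL::ASN1::OctetString)
  case items.size
  when 2 then :der_non_critical
  when 3
    flag = items[1]
    return :not_an_extension unless flag.is_a?(OpenSSL::ASN1::Boolean)
    flag.value ? :der_critical : :explicit_default_false
  else :not_an_extension
  end
rescue OpenSSL::ASN1::ASN1Error
  :undecodable
end

# Re-encode with the default-valued flag dropped; other input is returned as is.
def canonical_extension_der(der)
  return der unless classify_extension_der(der) == :explicit_default_false
  oid, _flag, value = OpenSSL::ASN1.decode(der).value
  OpenSSL::ASN1::Sequence.new([oid, value]).to_der
end

# Constructed sample: the three-element shape from the jruby-head output above.
def sample_with_explicit_false
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new('1.1.1.1.1.1'),
    OpenSSL::ASN1::Boolean.new(false),
    OpenSSL::ASN1::OctetString.new('foo')
  ]).to_der
end

# The thread's recreation, serialised by whichever interpreter runs this.
def sample_from_runtime(critical = false)
  OpenSSL::X509::Extension.new('1.1.1.1.1.1', 'foo', critical).to_der
end

if __FILE__ == $PROGRAM_NAME
  p classify_extension_der(sample_from_runtime)
  p classify_extension_der(sample_with_explicit_false)
end
```

Running `classify_extension_der(ext.to_der)` on both interpreters gives a one-symbol answer to compare instead of two inspect dumps.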
