OpenSSL::ASN1.decode results vary from MRI (and fail) #389

Closed
vbatts opened this Issue Nov 12, 2012 · 8 comments

@vbatts
vbatts commented Nov 12, 2012

The test case and results are stored in https://gist.github.com/4061036

Discovered while trying to decode a DER-encoded OctetString, but it happens on more types than just OctetStrings.

@BanzaiMan
Member

Can you test it on 1.7.0 and/or jruby-openssl 0.8.0.preN (N=3 is the latest as of this writing)? We are not maintaining 1.6.x at this time.

@vbatts
vbatts commented Nov 12, 2012

The gist comment includes the results from: jruby 1.7.1.dev (1.9.3p286) 2012-11-12 f0cdc2b on OpenJDK 64-Bit Server VM 1.7.0_07-b30 [linux-amd64],
which is using jruby-openssl "0.8.0.pre3".

@BanzaiMan
Member

@vbatts Sorry about that. I must have overlooked it. Can you give an example PEM file? I'm on a Mac at the moment and I can't find an appropriate file to test against.

Thank you.

@vbatts
vbatts commented Nov 13, 2012

Ah, I did that /etc find hoping that it would find certs on a Mac as well. Here is just a standard CA cert.

Equifax_Secure_CA.pem

@BanzaiMan
Member

Looks like OpenSSL::ASN1.decode is returning an extra object at index 1.

@vbatts
vbatts commented Feb 5, 2013

It's something to do with decoding DER extension sets, because plain decoding functions fine. Here is a decoded DER extension, in ruby-trunk (2.0.0 dev):

=> #<OpenSSL::ASN1::Sequence:0x84958b0
 @infinite_length=false,
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x84959a0
    @infinite_length=false,
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::OctetString:0x84958ec
    @infinite_length=false,
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

Here is the exact same decoded DER extension, in jruby-head (1.7.3 dev):

=> #<OpenSSL::ASN1::Sequence:0x0fde050
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x14bcae9
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::Boolean:0x0f690e4
    @tag=1,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value=false>,
   #<OpenSSL::ASN1::OctetString:0x1a29450
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

The objects in the Sequence in JRuby do not have the infinite_length attribute, but instead include an ASN1 Boolean of false.

@vbatts
vbatts commented Feb 5, 2013

Simplest recreation:

require 'openssl'

# Build a non-critical extension, then decode its DER encoding.
ext = OpenSSL::X509::Extension.new('1.1.1.1.1.1','foo')
dec = OpenSSL::ASN1.decode(ext.to_der)
p dec

@kares
Member
kares commented Apr 24, 2014

Turns out in this case the issue is really with ext.to_der ... fix shall land on master once #1543 is there.

@jrubyci jrubyci closed this in 7ae29c9 May 16, 2014
@enebo enebo added this to the JRuby 1.7.13 milestone Jun 24, 2014
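
Added example (not part of the thread and not JRuby's or MRI's code): a check for the difference shown in the two dumps above. RFC 5280 declares `critical BOOLEAN DEFAULT FALSE` in `Extension`, and DER omits a component equal to its default, so an explicit `FALSE` marks a non-canonical encoder. The helper names and the sample inputs are assumptions constructed for this illustration.

```ruby
require 'openssl'

# RFC 5280: Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
#   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
# DER omits a component equal to its DEFAULT, so a non-critical extension
# must decode to two elements (OID, OctetString), as in the MRI dump above.

# Hypothetical helper: lists deviations of `der` from a canonical Extension.
def extension_findings(der)
  seq = OpenSSL::ASN1.decode(der)
  return [:not_a_sequence] unless seq.is_a?(OpenSSL::ASN1::Sequence)
  oid, *rest = seq.value
  return [:bad_extn_id] unless oid.is_a?(OpenSSL::ASN1::ObjectId)
  findings = []
  if rest.first.is_a?(OpenSSL::ASN1::Boolean)
    critical = rest.shift
    findings << :explicit_default_critical if critical.value == false
  end
  ok = rest.size == 1 && rest[0].is_a?(OpenSSL::ASN1::OctetString)
  findings << :bad_extn_value unless ok
  findings
rescue OpenSSL::ASN1::ASN1Error
  [:undecodable]
end

# Hypothetical helper: re-encodes an Extension without an explicit FALSE.
def canonical_extension_der(der)
  parts = OpenSSL::ASN1.decode(der).value.reject do |e|
    e.is_a?(OpenSSL::ASN1::Boolean) && e.value == false
  end
  OpenSSL::ASN1::Sequence.new(parts).to_der
end

# Constructed sample input: builds the SEQUENCE by hand so both forms exist
# regardless of what the local Extension#to_der emits.
def build_extension(oid, value, critical = nil)
  parts = [OpenSSL::ASN1::ObjectId.new(oid)]
  parts << OpenSSL::ASN1::Boolean.new(critical) unless critical.nil?
  parts << OpenSSL::ASN1::OctetString.new(value)
  OpenSSL::ASN1::Sequence.new(parts).to_der
end

CANONICAL        = build_extension('1.1.1.1.1.1', 'foo')
EXPLICIT_DEFAULT = build_extension('1.1.1.1.1.1', 'foo', false)
CRITICAL         = build_extension('1.1.1.1.1.1', 'foo', true)

p extension_findings(CANONICAL), extension_findings(EXPLICIT_DEFAULT)
```

Calling `extension_findings(ext.to_der)` on the thread's recreation separates an encoder that writes the explicit `FALSE` from a decoder that invents one, which matters wherever extension bytes are compared or hashed.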