OpenSSL::ASN1.decode results vary from MRI (and fail) #389

Closed
vbatts opened this issue Nov 12, 2012 · 8 comments

@vbatts vbatts commented Nov 12, 2012

The test case and results are stored in https://gist.github.com/4061036

Discovered while trying to decode a DER-encoded OctetString, but it happens on more types than just OctetStrings.

Member

@BanzaiMan BanzaiMan commented Nov 12, 2012

Can you test it on 1.7.0 and/or jruby-openssl 0.8.0.preN (N=3 is the latest as of this writing)? We are not maintaining 1.6.x at this time.

Author

@vbatts vbatts commented Nov 12, 2012

The gist comment includes the results from: jruby 1.7.1.dev (1.9.3p286) 2012-11-12 f0cdc2b on OpenJDK 64-Bit Server VM 1.7.0_07-b30 [linux-amd64],
which is using jruby-openssl "0.8.0.pre3".

Member

@BanzaiMan BanzaiMan commented Nov 13, 2012

@vbatts Sorry about that. I must have overlooked it. Can you give an example PEM file? I'm on a Mac at the moment and I can't find an appropriate file to test against.

Thank you.

Author

@vbatts vbatts commented Nov 13, 2012

Ah, I did that /etc find hoping that it would find certs on a Mac as well. Here is just a standard CA cert.

Equifax_Secure_CA.pem

Member

@BanzaiMan BanzaiMan commented Nov 14, 2012

Looks like OpenSSL::ASN1.decode is returning an extra object at index 1.

Author

@vbatts vbatts commented Feb 5, 2013

It's something to do with decoding DER extension sets, because plain decoding functions fine. Here is a decoded DER extension, in ruby-trunk (2.0.0 dev):

=> #<OpenSSL::ASN1::Sequence:0x84958b0
 @infinite_length=false,
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x84959a0
    @infinite_length=false,
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::OctetString:0x84958ec
    @infinite_length=false,
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

Here is the exact same decoded DER extension, in jruby-head (1.7.3 dev):

=> #<OpenSSL::ASN1::Sequence:0x0fde050
 @tag=16,
 @tag_class=:UNIVERSAL,
 @tagging=nil,
 @value=
  [#<OpenSSL::ASN1::ObjectId:0x14bcae9
    @tag=6,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="1.2.840.113533.7.65.0">,
   #<OpenSSL::ASN1::Boolean:0x0f690e4
    @tag=1,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value=false>,
   #<OpenSSL::ASN1::OctetString:0x1a29450
    @tag=4,
    @tag_class=:UNIVERSAL,
    @tagging=nil,
    @value="0\n\e\x04V4.0\x03\x02\x04\x90">]>

The objects in the Sequence in JRuby do not have the infinite_length attribute, but instead include an ASN1 boolean of false.

Author

@vbatts vbatts commented Feb 5, 2013

Simplest recreation:

require 'openssl'

ext = OpenSSL::X509::Extension.new('1.1.1.1.1.1','foo')
dec = OpenSSL::ASN1.decode(ext.to_der)
# Compare the elements of the printed Sequence between MRI and JRuby
p dec

Member

@kares kares commented Apr 24, 2014

Turns out in this case the issue is really with ext.to_der ... fix shall land on master once #1543 is there.
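
The extra Boolean in the JRuby dump sits where the X.509 Extension's `critical BOOLEAN DEFAULT FALSE` field goes, and DER requires a component equal to its default to be omitted. The following is an added example, not code from this thread or from jruby-openssl, that classifies an encoded extension and re-encodes it without the explicit default; the helper names are hypothetical, and the OID and value bytes are constructed sample input copied from the dumps in the thread.

```ruby
require 'openssl'

# RFC 5280: Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
#   critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
# DER omits a component equal to its DEFAULT, so critical=FALSE must be absent.

# Constructed sample input: OID and value bytes copied from the dumps above.
EXT_OID   = '1.2.840.113533.7.65.0'
EXT_VALUE = "0\n\e\x04V4.0\x03\x02\x04\x90".b

# Hand-build an Extension; critical: nil omits the field, true/false encodes it.
def build_extension_der(oid, value, critical: nil)
  parts = [OpenSSL::ASN1::ObjectId.new(oid)]
  parts << OpenSSL::ASN1::Boolean.new(critical) unless critical.nil?
  parts << OpenSSL::ASN1::OctetString.new(value)
  OpenSSL::ASN1::Sequence.new(parts).to_der
end

# Returns :canonical, :critical, :explicit_default_critical or :malformed.
def classify_extension(der)
  seq = OpenSSL::ASN1.decode(der)
  return :malformed unless seq.is_a?(OpenSSL::ASN1::Sequence)

  case seq.value.map(&:class)
  when [OpenSSL::ASN1::ObjectId, OpenSSL::ASN1::OctetString]
    :canonical
  when [OpenSSL::ASN1::ObjectId, OpenSSL::ASN1::Boolean, OpenSSL::ASN1::OctetString]
    seq.value[1].value ? :critical : :explicit_default_critical
  else
    :malformed
  end
rescue OpenSSL::ASN1::ASN1Error
  :malformed
end

# Re-encode with an explicit FALSE dropped, giving the two-element form of the MRI dump.
def normalize_extension(der)
  seq = OpenSSL::ASN1.decode(der)
  kept = seq.value.reject { |e| e.is_a?(OpenSSL::ASN1::Boolean) && e.value == false }
  OpenSSL::ASN1::Sequence.new(kept).to_der
end

if __FILE__ == $PROGRAM_NAME
  loose = build_extension_der(EXT_OID, EXT_VALUE, critical: false)
  puts classify_extension(loose)
  puts classify_extension(normalize_extension(loose))
end
```

Passing `ext.to_der` from the recreation above to `classify_extension` shows which form a given runtime emits.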
