(PUP-3446) Sign certificates used in testing#3150
Closed
adrienthebo wants to merge 1 commit into puppetlabs:master from adrienthebo:maint/master/rack-spec-unsigned-cert
Conversation
CLA signed by all contributors.
Contributor
This diff is wonky due to whitespace.
Contributor (Author)
The original code had 4-space tabs; I changed that to the standard 2-space tabs.
Contributor
So aside from the whitespace shenanigans, on my Ruby 2.1.2 / OSX 10.9.5 / OpenSSL 0.9.8za 5 Jun 2014 the spec is fixed locally for me now with these changes. 👍
On versions of OpenSSL around version 0.9.8y, it was possible to decode certificates
that had not been signed. However, OpenSSL 1.0.1i cannot decode unsigned
certificates. Given the following PEM encoded cert:

```
-----BEGIN CERTIFICATE-----
MIGqMIGgoAMCAQICAQAwAgYAMAAwHhcNMTQxMDAxMTgzNTQ5WhcNMTQxMDAxMTkz
NTQ5WjASMRAwDgYDVQQDDAd0ZXN0aW5nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB
ALiOQvoQaSIRDogCJwLKmM11vObOnBm93AdGkezbpdHI/TFebvvZYT2J6ukPmyVD
bGa0ZEpg5gc2yJ+sgJTwbSsCAwEAATACBgADAQA=
-----END CERTIFICATE-----
```

When printed to text this results in the following:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: NULL
        Issuer:
        Validity
            Not Before: Oct  1 18:35:49 2014 GMT
            Not After : Oct  1 19:35:49 2014 GMT
        Subject: CN=testing
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:b8:8e:42:fa:10:69:22:11:0e:88:02:27:02:ca:
                    98:cd:75:bc:e6:ce:9c:19:bd:dc:07:46:91:ec:db:
                    a5:d1:c8:fd:31:5e:6e:fb:d9:61:3d:89:ea:e9:0f:
                    9b:25:43:6c:66:b4:64:4a:60:e6:07:36:c8:9f:ac:
                    80:94:f0:6d:2b
                Exponent: 65537 (0x10001)
    Signature Algorithm: NULL
```

OpenSSL 1.0.1i can convert the certificate to PEM and DER, but it cannot
decode it. Decoding the PEM encoded text directly as a cert results in
the following error:

```ruby
OpenSSL::X509::Certificate.new(minimal_certificate.to_pem)
# OpenSSL::X509::CertificateError: nested asn1 error
```

Decoding the DER encoded cert as raw ASN1 results in the following:

```ruby
OpenSSL::ASN1.decode(minimal_certificate.to_der)
# OpenSSL::ASN1::ASN1Error: invalid object encoding
```

So OpenSSL is convinced that we have a mangled certificate.

The solution to this is to self-sign the certificate, so that the
certificate can be properly encoded and decoded.
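A runnable illustration of the fix described in the commit message, added here as an example; it is not code from this PR or from Puppet. It builds a certificate shaped like the fixture (serial 0, CN=testing, self-issued, one-hour validity), signs it with a freshly generated key, and round-trips it through PEM, DER and raw ASN.1, which is exactly the path that breaks for an unsigned certificate. An unsigned variant is pushed through the same path so the failure can be observed on whatever OpenSSL the interpreter links against. The 2048-bit key (the fixture used 512 bits), the SHA-256 signature and all helper names are assumptions of this example.

```ruby
require 'openssl'

# Build a minimal X.509 certificate shaped like the fixture in the commit
# message: serial 0, CN=testing, self-issued, one hour of validity.
# Assumption: a 2048-bit key and SHA-256 are used here instead of the
# fixture's 512-bit key, so the example also runs on builds that reject
# small RSA keys.
def build_minimal_certificate(key, sign: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                         # X.509 v3
  cert.serial = 0
  cert.subject = OpenSSL::X509::Name.parse('/CN=testing')
  cert.issuer = cert.subject               # self-issued, like the fixture
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 3600
  # The fix from the PR: sign the TBSCertificate so the outer SEQUENCE
  # carries a real signatureAlgorithm and signatureValue instead of a
  # zero-length OID that the DER decoder rejects.
  cert.sign(key, OpenSSL::Digest.new('SHA256')) if sign
  cert
end

# Round-trip a certificate through PEM, DER and raw ASN.1. Returns a hash
# describing the outcome rather than raising, so the unsigned case can be
# inspected the same way as the signed one.
def roundtrip(cert)
  pem = cert.to_pem
  der = cert.to_der
  reparsed = OpenSSL::X509::Certificate.new(pem)
  asn1 = OpenSSL::ASN1.decode(der)
  {
    ok: true,
    pem_roundtrip: reparsed.to_der == der,
    signature_algorithm: reparsed.signature_algorithm,
    # tbsCertificate, signatureAlgorithm, signatureValue
    outer_elements: asn1.value.length
  }
rescue OpenSSL::X509::CertificateError, OpenSSL::ASN1::ASN1Error => e
  { ok: false, error: e.class.name, message: e.message }
end

# Signed path: encode, decode and verify the signature with the same key.
def signed_roundtrip
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_minimal_certificate(key, sign: true)
  result = roundtrip(cert)
  result[:verifies] = cert.verify(key) if result[:ok]
  result
end

# Unsigned path: the shape of the original broken fixture.
def unsigned_roundtrip
  key = OpenSSL::PKey::RSA.new(2048)
  roundtrip(build_minimal_certificate(key, sign: false))
end

if __FILE__ == $PROGRAM_NAME
  puts "OpenSSL: #{OpenSSL::OPENSSL_VERSION}"
  puts "signed:   #{signed_roundtrip.inspect}"
  puts "unsigned: #{unsigned_roundtrip.inspect}"
end
```

On any OpenSSL newer than the 0.9.8 series the unsigned run returns `ok: false` with the error class (either the DER encoder refuses the empty signature OID or the decoder rejects it, as the commit message shows for 1.0.1i), while the signed run round-trips cleanly, reports `sha256WithRSAEncryption`, and verifies against the key.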
Merged to stable in #3273