X509 cert with GEN_RID subject alt name causes SytemError

[tiran]

BPO	27691
Nosy	@pitrou, @vstinner, @giampaolo, @tiran, @alex, @dstufft, @Lukasa
Files	rid.pem 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2016-09-09.00:05:05.045>
created_at = <Date 2016-08-05.09:26:35.351>
labels = ['type-security', 'extension-modules']
title = 'X509 cert with GEN_RID subject alt name causes SytemError'
updated_at = <Date 2016-09-09.00:05:05.044>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2016-09-09.00:05:05.044>
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date = <Date 2016-09-09.00:05:05.045>
closer = 'christian.heimes'
components = ['Extension Modules']
creation = <Date 2016-08-05.09:26:35.351>
creator = 'christian.heimes'
dependencies = []
files = ['44014', '44018']
hgrepos = []
issue_num = 27691
keywords = ['patch']
message_count = 5.0
messages = ['272020', '273240', '274112', '274116', '274634']
nosy_count = 9.0
nosy_names = ['janssen', 'pitrou', 'vstinner', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'dstufft', 'Lukasa']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue27691'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6']

[tiran]

A X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

[tiran]

ping

[pitrou]

I can't comment on this, as I don't even know what a "registered id" is, sorry :-/

[tiran]

A GEN_RID is an OID plus some opaque data. It's up to an application to understand an OID and interpret its data. The value of a GEN_RID can be as simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for Kerberos principals.

I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS:

  otherName.1 = 1.2.3.4;UTF8:some other identifier
  otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:KERBEROS.REALM
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:username

1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. FAST pre-auth and SmartCard authentication.

[python-dev]

New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/9bbf0b31da48

New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/2b9af57af3e4

New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/74805fd9e734