
Certificates generated using jruby-openssl have a bad value for Authority Key Identifier, CRL Distribution Points and Authority Information Access #994

Closed
johnae opened this issue Sep 8, 2013 · 6 comments

Comments


johnae commented Sep 8, 2013

When using "openssl x509 -text -in /path/to/generated.crt" I get this value for the identifier:

X509v3 Authority Key Identifier: 
            0...PW.....z.`@..D^.(.D.

If I use MRI to generate the certificate this value looks like this:

X509v3 Authority Key Identifier: 
            keyid:F2:80:1A:04:C3:D7:43:79:DB:54:F5:98:7B:05:72:37:92:76:03:F1

I've looked through the code for this but I am unable to determine the reason, though I'm neither a Java expert nor an expert on JRuby internals.


johnae commented Sep 8, 2013

It also seems as if some other fields have strange-looking values in them:

X509v3 CRL Distribution Points: 
    .:URI:http://some.url/revoked.crl
Authority Information Access: 
    .8OCSP;URI:http://some.url/ocsp

Certificates generated by MRI look like this:

X509v3 CRL Distribution Points: 
    Full Name:
      URI:http://some.url/revoked.crl

Authority Information Access: 
    OCSP - URI:http://some.url/ocsp

This info was all output using "openssl x509 -text -in /path/to/generated.crt"


johnae commented Sep 8, 2013

I found these problems when moving my certificate authority from MRI to JRuby. OpenVPN, for example, started complaining about plaintext errors, and clients with certificates generated by JRuby could not connect. Removing all these fields from the generated certificates makes OpenVPN happy, but it's really JRuby that is in error somewhere.

The error OpenVPN gives is this (or similar ones anyway, depending on which of the fields above you leave in the certificates):

TLS_ERROR: BIO read tls_read_plaintext error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error


johnae commented Sep 9, 2013


kares commented Jan 19, 2017

This particular issue has been fixed along the way; let us know if it's still an issue.

@kares kares closed this as completed Jan 19, 2017
@kares kares added this to the Invalid or Duplicate milestone Jan 19, 2017
duritong added a commit to duritong/jruby-openssl that referenced this issue Feb 8, 2017

ahmet2mir commented Jan 29, 2020

@kares I still have the issue (v0.10.2).

When running this code (create a self-signed cert with a CRL distribution point):

require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)

subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)  # self-signed: subject == issuer

cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0   # accepted by the library, but RFC 5280 requires a positive serial number
cert.version = 2    # 2 == X.509v3, which is required for extensions

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert  # lets 'keyid'/'issuer' in the AKI resolve against this cert

cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')  # must follow the SKI above
cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com")

cert.sign key, OpenSSL::Digest::SHA256.new

File.open("/tmp/cert.pem", "w"){ |f| f.write cert.to_pem }

puts cert.to_text

cert.to_text returns

X509v3 CRL Distribution Points: 
    URI:http://example.com

where openssl x509 -noout -text -in /tmp/cert.pem returns

X509v3 CRL Distribution Points: 
    ..URI:http://example.com

So unit tests validate the cert.to_text output and pass; there is something (like an extra bit) added in to_pem, or to_text ignores this.
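The check below is an added example; it is not code from this thread or from jruby-openssl. It addresses both the original report (Authority Key Identifier, CRL Distribution Points and Authority Information Access printing as raw bytes) and the last comment (unit tests asserting on cert.to_text and passing): instead of trusting the library's text rendering, it re-decodes each extension's extnValue straight from the certificate DER and compares the outermost ASN.1 tag with the shape RFC 5280 defines for that extension. The double-wrapped CRL Distribution Points extension it builds is a constructed mis-encoding, used only to show the check firing; it is not a claim about what jruby-openssl actually emitted. The name asn1-check.example and the URLs are placeholders.

```ruby
require 'openssl'

# RFC 5280 shape of extnValue for the extensions named in the issue: the DER
# carried inside the extension's OCTET STRING must start with this universal tag.
EXPECTED_OUTER_TAG = {
  'subjectKeyIdentifier'   => OpenSSL::ASN1::OCTET_STRING, # KeyIdentifier ::= OCTET STRING
  'authorityKeyIdentifier' => OpenSSL::ASN1::SEQUENCE,     # AuthorityKeyIdentifier ::= SEQUENCE
  'crlDistributionPoints'  => OpenSSL::ASN1::SEQUENCE,     # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
  'authorityInfoAccess'    => OpenSSL::ASN1::SEQUENCE,     # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
}.freeze

# Constructed mis-encoding for the demo: wrap the extension's correct extnValue
# in a second OCTET STRING, so the value no longer starts with a SEQUENCE.
def double_wrap(ext)
  inner_der = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::X509::Extension.new(ext.oid, OpenSSL::ASN1::OctetString.new(inner_der).to_der, ext.critical?)
end

# Self-signed certificate carrying the three extensions from the issue title
# plus the SKI that the AKI 'keyid' refers to. Placeholder names and URLs.
def build_cert(key, double_wrap_crldp: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=asn1-check.example')
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.public_key = key.public_key
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
  cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
  cert.add_extension ef.create_extension('authorityInfoAccess', 'OCSP;URI:http://example.com/ocsp')
  crldp = ef.create_extension('crlDistributionPoints', 'URI:http://example.com/revoked.crl')
  crldp = double_wrap(crldp) if double_wrap_crldp
  cert.add_extension crldp
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Re-parse every known extension's extnValue from the DER and compare its
# outermost tag with EXPECTED_OUTER_TAG. Returns { oid => :ok | "<mismatch>" }.
# A parse of the whole certificate succeeding says nothing about the extension
# bodies: each is opaque OCTET STRING content to the outer parser.
def check_extension_encoding(cert)
  OpenSSL::ASN1.decode(cert.to_der) # outer structure must be strict DER
  results = {}
  cert.extensions.each do |ext|
    expected = EXPECTED_OUTER_TAG[ext.oid] or next
    ext_seq  = OpenSSL::ASN1.decode(ext.to_der) # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }
    octets   = ext_seq.value.last               # extnValue OCTET STRING holding the inner DER
    begin
      inner = OpenSSL::ASN1.decode(octets.value) # raises on trailing bytes or bad lengths
      results[ext.oid] =
        if inner.tag_class == :UNIVERSAL && inner.tag == expected
          :ok
        else
          "outer tag #{inner.tag_class} #{inner.tag}, expected UNIVERSAL #{expected}"
        end
    rescue OpenSSL::ASN1::ASN1Error => e
      results[ext.oid] = "extnValue is not valid DER: #{e.message}"
    end
  end
  results
end

# Run the check on a well-formed certificate and on the constructed bad one.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  {
    good: check_extension_encoding(build_cert(key)),
    bad:  check_extension_encoding(build_cert(key, double_wrap_crldp: true)),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, res| puts "#{label}: #{res.inspect}" }
end
```

A library decoding its own output shares its encoder's assumptions, so under JRuby this check is only as independent as jruby-openssl's OpenSSL::ASN1.decode. For a second opinion, write cert.to_der to a file and inspect it with the openssl CLI, for example openssl asn1parse -inform DER -in cert.der -i or openssl x509 -text, which is what surfaced the problem in this thread.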


kares commented Jan 29, 2020

@ahmet2mir to_text details might not be 100% accurate; are the other parts problematic for you?
In any case, please open a new issue with details instead of commenting on a closed one. Thanks.
