
Corrupt CSR generated #102

Closed
technion opened this issue Sep 2, 2016 · 5 comments

Comments


technion commented Sep 2, 2016

Environment

jruby 9.1.2.0 (2.3.0) 2016-05-26 7357c8f OpenJDK 64-Bit Server VM 25.102-b14 on 1.8.0_102-b14 +jit [linux-x86_64]
Arch Linux, jRuby installed from AUR.

Linux linodeplz 4.4.0-2-ec2 #1 SMP Thu Jan 21 09:52:26 PST 2016 x86_64 GNU/Linux

Other relevant info you may wish to add:
This issue showed up in part of a Sinatra application, but has been reduced to a minimal test case.

Expected Behavior

Generate a CSR using the script from this gist. Then use OpenSSL to view.

https://gist.github.com/technion/0e63d42299cc3d91f387d41e9e5c2c74

Under MRI 2.3.1, we can observe this behaviour:

$ ./ssltest.rb > mycsr.csr
$ openssl req -in mycsr.csr -noout -text | more
...
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:test2.example.com, DNS:example.com, DNS:www.example.com

It can be observed that the "Subject Alternative Name" field correctly matches those defined on line 13 of the gist.

Actual Behavior

When recreating the above test:

$ jruby ./ssltest.rb > mycsr.csr
$ openssl req -in mycsr.csr -noout -text | more
...
           X509v3 Subject Alternative Name:
                .N test.example.com,DNS: test2.example.com,DNS: example.com,DNS: www.example.com

You can observe that the first 'DNS' field is broken, and the data appears to have different spacing.

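As an added example (not the gist's code and not part of jruby-openssl), here is a constructed Ruby script that builds a CSR with a subjectAltName request extension the same way the report does, then decodes the DER of the parsed CSR to check that every dNSName entry came back intact. Run under MRI it passes; a runtime that writes a corrupt GeneralName tag, as in the output above, would fail the comparison rather than only looking odd in `openssl req -text`.

```ruby
require 'openssl'

# Constructed sample input: the four names the report expects in the SAN.
DOMAINS = %w[test.example.com test2.example.com example.com www.example.com]

# Build a CSR whose extReq attribute carries a subjectAltName with the given DNS names.
def build_csr(domains, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', domains.first]])
  csr.public_key = key.public_key

  ef = OpenSSL::X509::ExtensionFactory.new
  san = ef.create_extension('subjectAltName',
                            domains.map { |d| "DNS:#{d}" }.join(','), false)
  # PKCS#10 extension request: SET { SEQUENCE { Extension, ... } }
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Parse a PEM CSR and return the dNSName strings found in its subjectAltName.
# The extension value is decoded as raw DER (GeneralNames) instead of trusting
# the pretty-printed Extension#value, so a wrong context tag or mangled bytes
# show up as a missing or altered entry.
def san_dns_names(pem)
  csr = OpenSSL::X509::Request.new(pem)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  exts = attr.value.value.first.value.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  # Extension DER: SEQUENCE { OID, [BOOLEAN critical], OCTET STRING extnValue }
  extn_value = OpenSSL::ASN1.decode(san.to_der).value.last.value
  general_names = OpenSSL::ASN1.decode(extn_value).value
  # dNSName is GeneralName choice [2] IMPLICIT IA5String
  general_names.select { |gn| gn.tag == 2 && gn.tag_class == :CONTEXT_SPECIFIC }
               .map { |gn| gn.value.to_s }
end

# Round-trip check: true only when the SAN survived serialisation unchanged.
def san_intact?(domains = DOMAINS)
  pem = build_csr(domains).to_pem
  san_dns_names(pem) == domains
end

puts(san_intact? ? 'SAN intact' : 'SAN corrupt') if $PROGRAM_NAME == __FILE__
```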


technion commented Sep 6, 2016

Just an update: I've tested with jRuby 9.1.4.0 and the issue still occurs.

The specific corruption appears to vary depending on the exact domainlist value. I've seen numbers and all sorts of strange characters appear.

@jmcclell

We are seeing this same issue with generating certs.

We see the same issue with Subject Alternative Name and we also see that the Authority Key Identifier, which is generally a hash value, appears to be binary garbage in the output we are seeing from this library.

jruby 1.7.26 (1.9.3p551) 2016-08-26 69763b8 on OpenJDK 64-Bit Server VM 1.7.0_111-b01 +jit [linux-amd64]

(This is the JRuby bundled with PuppetServer)

@duritong

I can confirm this behavior together with multiple fields. As a reference you can see all the disabled tests for trocla and x509 for jruby.

This makes openssl support on jruby barely usable and as a CA completely unusable.


kares commented Oct 28, 2016

it should be fixable but it might need some hacking around x.509 support jossl uses from bouncy-castle.

kares added a commit that referenced this issue Nov 5, 2016

kares commented Nov 7, 2016

subjectAltName and authorityKeyIdentifier should work better since 0.9.18 but extensions such as nameConstraints are currently not supported (and will likely require a considerable amount of work thus help/support is welcome), please open separate issue(s) for these.

kares closed this as completed Nov 7, 2016