-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X509ExtensionFactory generates incorrect extension for subjectAltName #134
Comments
please give 0.9.21 a try a let us know if there's smt wrong. assuming its fixed here. |
Unfortunately, the problem with #123 still persists, right? So the representation of SubjectAltNames is still flawed, though this problem might be hidden now... |
@duritong its a different issue (and that is why its still open) that would take more time which I did not have. |
@kares Thanks for looking into this. While your change appears to fix one very special case, the parsing is still fairly broken if the string doesn't happen to list email first, or it contains just a URI, etc. E.g. all of these still fail:
IMO the code needs to look something like the following (untested and incomplete): private static GeneralNames parseSubjectAltNames(final String valuex) throws IOException {
final String[] vals = valuex.split("(?<!\\\\),"); // allow one level of escaping of ','
final GeneralName[] names = new GeneralName[vals.length];
for ( int i = 0; i < vals.length; i++ ) {
parseSubjectAltName(vals[i]);
}
return new GeneralNames(names);
}
private static GeneralName parseSubjectAltName(final String valuex) throws IOException {
if ( valuex.startsWith(DNS_) ) {
final String dns = valuex.substring(DNS_.length());
return new GeneralName(GeneralName.dNSName, dns);
}
if ( valuex.startsWith(DNS_Name_) ) {
final String dns = valuex.substring(DNS_Name_.length());
return new GeneralName(GeneralName.dNSName, dns);
}
if ( valuex.startsWith(URI_) ) {
final String uri = valuex.substring(URI_.length());
return new GeneralName(GeneralName.uniformResourceIdentifier, uri);
}
...
} |
OK, we need a piece of test with that code in a PR. thanks. |
It now handles arbitrary lists of names and always produces a GeneralNames as required by the definition. Additionally, leading and trailing whitespace around separators and labels is properly removed. This fixes jruby#134.
It now handles arbitrary lists of names and always produces a GeneralNames as required by the definition. Additionally, leading and trailing whitespace around separators and labels is properly removed. This fixes jruby#134.
\o/ thank you! |
@kares Thank you for merging. Regarding #123, I took a quick look at it, and the current failure boils down to the function X509Extension.newExtension(). Specifically the block spanning lines 144 through 158 looks completely bogus and should IMO just be removed - with that this test passes, but it breaks test In short the #123 failure is now due to a different issue than what this pull request fixed. But frankly, there are still a bunch of things in the |
@roadrunner2 thanks you so much for looking, sounds like a plan - please fire up a PR if you get a chance. |
The extension generated for
subjectAltName
byX509ExtensionFactory
is missing a sequence. Take this code snippet:The DER of this extension should look like (and does so under MRI)
But the actual DER of the created extension under JRuby is
Note the missing sequence, and the fact that both values are in one string.
The core issues are that
X509ExtensionFactory.parseSubjectAltName()
returns a GeneralName instead of a GeneralNames (sequence of GeneralName), and that it fails to parse multiple names properly.Due to the missing sequence, it's currently completely impossible to generate a (valid) certificate with a subject-alt-name extension.
Lastly, pull request #123 appears to be related to this.
The text was updated successfully, but these errors were encountered: