Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support more complex SANs in verify_certificate_identity #325

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Support more complex SANs in verify_certificate_identity #325

wants to merge 2 commits into from

Conversation

alexjfisher
Copy link

Not sure if this is the right approach, but I'll put it up for discussion anyway. :)

Fixes #324

@alexjfisher
Add failing test for verify_certificate_identity
665bf7e 
This certificate and key is loaded from a fixtures file as I couldn't work out
how to create an example programatically.

The certificate has a `subjectAltName` extension with an `otherName` entry.

`verify_certificate_identity` fails because it parses the string representation
of `subjectAltName` with a simple regex expecting entries in the sequence to be
comma separated only.
@alexjfisher
Replace verify_certificate_identity method with upstream version
036c5e9 
Instead of using the fragile regex, decode the `subjectAltName` sequence
with `OpenSSL::ASN1.decode`.

This is slightly different to the MRI ruby implementation as `san.value` didn't
contain the raw string in jruby, but a single element Array of `OctetString`
instead.
alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
lib/openssl/ssl.rb
# MRI 2.2.3 (JRuby parses ASN.1 differently)
#when 7 # iPAddress in GeneralName (RFC5280)
elsif /\AIP(?: Address)?:(.*)/ =~ general_name
return true if verify_hostname(hostname, san.value.last.value)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In ruby-openssl this was verify_hostname(hostname, san.value), but I've had to add .last.value to get this to work here, as I'm getting a single element Array returned instead of a plain string. Maybe this isn't the right solution though. Should san.value instead return the exact same thing across both implementations?? I've not worked out where this is done though, and maybe it'd break loads of other things...

alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
lib/openssl/ssl.rb
# rescue IPAddr::InvalidAddressError
# end
# end
if san.value.last.value.size == 4 || san.value.last.value.size == 16
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. san.value is changed to san.value.last.value

alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
src/test/ruby/ssl/fixtures/othername_cert/othername.cnf
@@ -0,0 +1,15 @@
[ req ]
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't work out how to generate a test certificate with the otherName extension programatically, so used openssl on the command line with this config file.

openssl req -newkey rsa:2048 -nodes -x509 -days 36500 -keyout othername.key -out othername.crt -config othername.cnf -extensions req_ext

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

verify_certificate_identity fails when subjectAltName includes otherName
1 participant
@alexjfisher