Bad value for crlDistributionPoints
Hello,
When running this code, which creates a self-signed cert with crlDistributionPoints, I get a strange value when running openssl (and browsers also don't recognize the value):
require 'openssl'
key = OpenSSL::PKey::RSA.new(4096)
subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"
cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert
cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com")
cert.sign key, OpenSSL::Digest::SHA256.new
File.open("/tmp/cert.pem", "w"){ |f| f.write cert.to_pem }
puts cert.to_text
When running with jruby
I have in output
...
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
X509v3 Authority Key Identifier:
keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
serial:01
X509v3 CRL Distribution Points:
URI:http://example.com
...
But if I run openssl
$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
X509v3 Authority Key Identifier:
keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
serial:01
X509v3 CRL Distribution Points:
..URI:http://example.com
...
Note the value ..URI:
I also tried with the example from the unit tests https://github.com/ruby/openssl/blob/master/test/openssl/test_x509ext.rb#L40 but it doesn't understand how to use the config, because the value stays as is.
# replace cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com") with
ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
_end_of_cnf_
cert.add_extension ef.create_extension("crlDistributionPoints", "@crlDistPts")
Output
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
X509v3 Authority Key Identifier:
keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
serial:01
X509v3 CRL Distribution Points:
@crlDistPts
Note the value @crlDistPts
With openssl:
$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
X509v3 Authority Key Identifier:
keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
serial:01
X509v3 CRL Distribution Points:
@crlDistPts
...
Using jruby embedded in PuppetServer
$ /opt/puppetlabs/server/bin/puppetserver ruby --version
jruby 9.2.11.1 (2.5.7) 2020-03-25 b1f55b1a40 OpenJDK 64-Bit Server VM 25.252-b09 on 1.8.0_252-b09 +jit [linux-x86_64]
$ /opt/puppetlabs/server/bin/puppetserver gem list jruby-openssl
*** LOCAL GEMS ***
jruby-openssl (default: 0.10.4 java)
Similar to https://github.com/jruby/jruby/issues/994
My last Java project was in 2010, so I tried to read the code, and I see that some extensions have a dedicated parser https://github.com/jruby/jruby-openssl/blob/c862febc6a77d6aae708bce1564fba21810cbb44/src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java#L183 and also in the extension https://github.com/jruby/jruby-openssl/blob/c862febc6a77d6aae708bce1564fba21810cbb44/src/main/java/org/jruby/ext/openssl/X509Extension.java#L330
Maybe it needs a crlDistributionPoints parser too?
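To make the malformed encoding visible without relying on openssl's raw-byte dump, here is an added example (not from this issue or from jruby-openssl) that builds the crlDistributionPoints extension as explicit ASN.1 per RFC 5280 and then checks, from the parsed certificate, that extnValue really decodes to a SEQUENCE of DistributionPoint carrying the URI. It assumes MRI's openssl gem; the certificate fields and URIs are constructed sample data.

```ruby
require 'openssl'

# RFC 5280 4.2.1.13:  CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
#   DistributionPoint ::= SEQUENCE { distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL, ... }
#   DistributionPointName ::= CHOICE { fullName [0] IMPLICIT GeneralNames, ... }
#   GeneralName ::= CHOICE { ..., uniformResourceIdentifier [6] IMPLICIT IA5String, ... }
CS = :CONTEXT_SPECIFIC

# Build the extension DER by hand with OpenSSL::ASN1, one DistributionPoint per URI,
# so no "URI:..." / "@section" string parser is involved at all.
def crl_dp_extension(uris, critical = false)
  points = uris.map do |uri|
    uri_name  = OpenSSL::ASN1::IA5String.new(uri, 6, :IMPLICIT, CS)       # [6] IA5String
    full_name = OpenSSL::ASN1::Sequence.new([uri_name], 0, :IMPLICIT, CS) # [0] GeneralNames
    dp_name   = OpenSSL::ASN1::ASN1Data.new([full_name], 0, CS)           # [0] EXPLICIT wrapper
    OpenSSL::ASN1::Sequence.new([dp_name])                                # DistributionPoint
  end
  OpenSSL::X509::Extension.new('crlDistributionPoints',
                               OpenSSL::ASN1::Sequence.new(points).to_der, critical)
end

# Return the URIs carried by a crlDistributionPoints extension, or nil when extnValue
# does not decode to the expected SEQUENCE (the shape openssl can only dump as raw bytes).
def crl_dp_uris(ext)
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value # OCTET STRING contents
  dps = OpenSSL::ASN1.decode(extn_value)
  return nil unless dps.is_a?(OpenSSL::ASN1::Sequence)
  dps.value.flat_map do |dp|
    dp.value.select { |f| f.tag == 0 && f.tag_class == CS }  # distributionPoint [0]
      .flat_map { |dpn| dpn.value }                           # DistributionPointName
      .select   { |n| n.tag == 0 && n.tag_class == CS }      # fullName [0]
      .flat_map { |gn| gn.value }                             # GeneralNames
      .select   { |g| g.tag == 6 && g.tag_class == CS }      # URI choice only
      .map(&:value)
  end
rescue OpenSSL::ASN1::ASN1Error
  nil
end

# Constructed sample: self-signed cert with the hand-built extension, re-parsed from PEM.
def sample_cert_with_crl_dp(uris)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2; cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=myhost.example')
  cert.not_before = Time.now; cert.not_after = Time.now + 3600
  cert.public_key = key.public_key
  cert.add_extension(crl_dp_extension(uris))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  OpenSSL::X509::Certificate.new(cert.to_pem)
end
```

`crl_dp_uris` returning nil for a certificate's crlDistributionPoints extension is the programmatic equivalent of the `..URI:` / `@crlDistPts` lines above: the extension is present but its value is not a CRLDistributionPoints structure.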