
Escaping of extensions in x509 -text

Open dgl opened this issue 7 months ago • 2 comments

OpenSSL has a longstanding bug where x509 -text does not escape characters in various extensions. (I think there may be multiple code paths for known vs unknown extensions.)

The same appears to affect LibreSSL. To reproduce, either use the cert from the OpenSSL bug (with S/MIME extensions) or make a cert with openssl like so (note you'll have to use OpenSSL itself; LibreSSL has stronger default validations on creation, it seems. It does output the escape character in the error, but I'm not too worried by that, as that's just a user hurting themselves, not usually untrusted input).

$ openssl req -x509 -newkey rsa -sha256 -days 1 -nodes -keyout example.key -subj "/CN=example.com" -addext "subjectAltName=DNS:$(printf "\e")[31m.example.com" -out example.crt

Then with openssl from LibreSSL:

$ openssl x509 -text -in example.crt

The rest of the cert and maybe your shell (depending on whether you have a color prompt) goes red. This bug was covered at Nullcon Goa 2025 in a talk by @wllm-rbnt; credit to them for looking into this. (Note OpenSSL had a temporary regression where the CN also wasn't escaped; I don't see any issues like that on LibreSSL.)

dgl, May 23 '25 01:05
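The report above shows the problem at the point of display: the dump is trusted by the terminal, so whatever bytes sit in the SAN are interpreted rather than shown. While the tool itself is unfixed, a practitioner can run any dump of an untrusted certificate through a filter that rewrites control characters as visible escapes. The script below is an added example written for this page; it is not code from the issue, from LibreSSL or from OpenSSL. The `\XX` escape form (borrowed from the look of OpenSSL's own escaped strings), the constructed sample dump and the exact set of characters treated as dangerous are this example's own assumptions.

```python
"""Filter for untrusted certificate dumps: make control characters visible.

Added example, not part of the LibreSSL issue or of OpenSSL/LibreSSL code.
Usage:  openssl x509 -text -in example.crt | python3 escape_dump.py
"""
import re
import sys

# Characters a terminal acts on: the C0 range (except LF, which keeps the dump
# readable), DEL, and the C1 range. ESC (0x1B) starts colour and cursor
# sequences; a bare CR (0x0D) lets later text overwrite earlier output.
# U+0080-U+009F are included because a decoded UTF-8 dump can carry
# U+009B (8-bit CSI), which some terminals honour just like "ESC [".
# This character set is an assumption of the example, not a standard list.
_CONTROL = re.compile(r"[\x00-\x09\x0b-\x1f\x7f\x80-\x9f]")


def escape_control_chars(text: str) -> str:
    """Rewrite every control character as a visible two-digit hex escape.

    The \\XX form mirrors how OpenSSL prints escaped strings; choosing it
    here is an assumption of this example.
    """
    return _CONTROL.sub(lambda m: "\\%02X" % ord(m.group(0)), text)


def find_control_chars(text: str) -> list:
    """Return (line_number, escaped_line) for each line that carried a control
    character, so a dump can be flagged before it ever reaches a terminal."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if _CONTROL.search(line):
            hits.append((lineno, escape_control_chars(line)))
    return hits


# Constructed sample of what `openssl x509 -text` prints for the certificate
# built in the issue; the SAN value carries a raw ESC [31m sequence.
SAMPLE_DUMP = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Subject: CN=example.com\n"
    "        X509v3 extensions:\n"
    "            X509v3 Subject Alternative Name: \n"
    "                DNS:\x1b[31m.example.com\n"
    "            X509v3 Basic Constraints: \n"
    "                CA:TRUE\n"
)


def main() -> int:
    """Read a dump on stdin, write the escaped version to stdout, warn on
    stderr for every rewritten line, and exit non-zero if anything was hit."""
    # Unknown extensions may be dumped as raw bytes; replace invalid UTF-8
    # rather than fail, since U+FFFD is harmless on a terminal.
    raw = sys.stdin.buffer.read().decode("utf-8", errors="replace")
    hits = find_control_chars(raw)
    sys.stdout.write(escape_control_chars(raw))
    for lineno, line in hits:
        sys.stderr.write("warning: control characters on line %d: %s\n"
                         % (lineno, line.strip()))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Piped after `openssl x509 -text`, the filter turns the red-terminal reproduction into the literal text `DNS:\1B[31m.example.com` and exits with status 1, so a script that dumps certificates from untrusted sources can refuse to display or log the raw output. A bare carriage return, the ingredient of the self-overwriting dump trick, is rewritten as `\0D` by the same rule.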

Thanks for the report. The openssl command line tool is complete garbage and unfit for any purpose. Unfortunately, people keep using it so we must keep it. I envy the BoringSSL people who managed to get rid of it from the start.

Several variations of this are known, like this one that made the rounds about a year ago https://infosec.exchange/@ryanc/112455283652607072, where you make the output overwrite itself. I think the real response is to stop using the openssl tool and resort to proper utilities written by experts, like der-ascii: https://github.com/google/der-ascii.

All that said, we should probably look into fixing this.

botovq, May 23 '25 01:05

I wrote a Perl tool that converts the output of asn1parse to configuration text format of ASN1_generate_nconf(3) https://github.com/wllm-rbnt/asn1template Apart from a few quirks, asn1parse is actually not that bad. The output of the various tools should definitely be better filtered.

Just my 2 cents ...

wllm-rbnt, Jun 09 '25 13:06