
x509: fix handling of multiple URIs in Certificate#crl_uris

Open rhenium opened this issue 1 year ago • 3 comments

The implementation of OpenSSL::X509::Certificate#crl_uris makes the assumption that each DistributionPoint in the CRL distribution points extension contains a single general name of type URI. This is not guaranteed by RFC 5280. A DistributionPoint may contain only something other than a URI, or more than one URI.

Let's include all URIs seen in the extension. If only non-URI pointers are found, return an empty array.

Fixes: https://github.com/ruby/openssl/issues/775

rhenium, Jul 09 '24 13:07

cc: @bdewater, #275

This PR currently returns an empty array when the certificate includes the extension, but no URIs in it. Should it be nil in that case too?

rhenium, Jul 09 '24 13:07

I think that'd be nice since an empty array is a bit useless otherwise.

bdewater, Aug 15 '24 02:08

Fair enough. I changed it to return nil if the extension contains only non-URIs.

rhenium, Aug 16 '24 06:08
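The behaviour agreed in this thread, as an added illustration that is not the project's own `crl_uris` implementation: walk every DistributionPoint in the extension, collect every `uniformResourceIdentifier` GeneralName from each `fullName`, and return nil both when the extension is absent and when it carries only non-URI names (here a `directoryName`). The helper names (`uri_gn`, `dir_gn`, `distribution_point`, `cert_with_cdp`, `all_crl_uris`), the constructed self-signed-looking certificates and the example URLs are assumptions made for the demonstration; the extension DER is built by hand with `OpenSSL::ASN1` so the test certificates contain exactly the multi-URI and URI-less DistributionPoints RFC 5280 permits.

```ruby
require "openssl"

CS = :CONTEXT_SPECIFIC

# GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String (RFC 5280 4.2.1.6)
def uri_gn(uri)
  OpenSSL::ASN1::IA5String.new(uri, 6, :IMPLICIT, CS)
end

# GeneralName directoryName: [4] EXPLICIT Name (explicit because Name is a CHOICE)
def dir_gn(dn_str)
  name = OpenSSL::ASN1.decode(OpenSSL::X509::Name.parse(dn_str).to_der)
  OpenSSL::ASN1::ASN1Data.new([name], 4, CS)
end

# DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName, ... }
# DistributionPointName ::= CHOICE { fullName [0] GeneralNames, ... }
# fullName is IMPLICIT (GeneralNames is a SEQUENCE), distributionPoint is EXPLICIT (CHOICE).
def distribution_point(*general_names)
  full_name = OpenSSL::ASN1::Sequence.new(general_names, 0, :IMPLICIT, CS)
  dpn = OpenSSL::ASN1::ASN1Data.new([full_name], 0, CS)
  OpenSSL::ASN1::Sequence.new([dpn])
end

# Constructed, unsigned test certificate carrying the given DistributionPoints
# (no extension at all when none are given). Subject/issuer are placeholders.
def cert_with_cdp(*dps)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example")
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  unless dps.empty?
    cdps_der = OpenSSL::ASN1::Sequence.new(dps).to_der # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    # Extension.new takes the extnValue octet string *content*, i.e. the raw CRLDistributionPoints DER.
    cert.add_extension(OpenSSL::X509::Extension.new("crlDistributionPoints", cdps_der))
  end
  cert
end

# All URIs from all DistributionPoints; nil if the extension is missing or holds no URI.
def all_crl_uris(cert)
  ext = cert.extensions.find { |e| e.oid == "crlDistributionPoints" }
  return nil unless ext

  # Extension DER is SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }; the last
  # element's content is the CRLDistributionPoints structure.
  cdps = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
  uris = cdps.value.flat_map do |dp|
    dpn = dp.value.find { |f| f.tag_class == CS && f.tag == 0 }              # distributionPoint [0]
    full_name = dpn&.value&.find { |f| f.tag_class == CS && f.tag == 0 }     # fullName [0]
    next [] unless full_name                                                  # nameRelativeToCRLIssuer: no URI
    full_name.value.select { |gn| gn.tag_class == CS && gn.tag == 6 }.map(&:value)
  end
  uris.empty? ? nil : uris
end

if __FILE__ == $0
  multi = cert_with_cdp(
    distribution_point(uri_gn("http://crl1.example.com/a.crl"), dir_gn("/CN=CRL Issuer"),
                       uri_gn("ldap://ldap.example.com/cn=a")),
    distribution_point(uri_gn("http://crl2.example.com/b.crl"))
  )
  p all_crl_uris(multi)                                                   # three URIs, in order
  p all_crl_uris(cert_with_cdp(distribution_point(dir_gn("/CN=CRL Issuer")))) # nil: only a directoryName
  p all_crl_uris(cert_with_cdp)                                           # nil: no extension
end
```

A single-URI-per-DistributionPoint assumption would have dropped the second URI in the first DistributionPoint above and, depending on how the first GeneralName is read, could have returned a directoryName as if it were a URL string; checking `tag_class` and `tag` on every GeneralName avoids both.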