
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer's Guide.

Created on 2016-08-05 09:26 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Files

| File name | Uploaded | Description | Edit |
|---|---|---|---|
| rid.pem | christian.heimes, 2016-08-05 09:26 | | |
| 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch | christian.heimes, 2016-08-05 10:48 | | review |
Messages (5)

msg272020 - Author: Christian Heimes (christian.heimes), Date: 2016-08-05 09:26

An X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

```
>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set
```

The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268
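The failure mode described in the report, as an added Python model that is not the CPython patch: it replays the split-at-':' logic of _get_peer_alt_names() on constructed strings that mimic what GENERAL_NAME_print() writes, and shows a splitter that recognises the colon-less "Registered ID" prefix instead of returning nothing. All sample strings and function names are constructed for this example.

```python
from typing import Callable, Optional, Tuple

# Constructed sample buffers mimicking GENERAL_NAME_print() output.
# "Registered ID" deliberately has no ':' after it, which is the OpenSSL
# behaviour the report points at; the other two follow the "Type:value" form.
PRINTED_NAMES = [
    "IP Address:127.0.0.1",
    "Registered ID1.2.3.4",
    "URI:https://example.org/",
]

Pair = Tuple[str, str]


def split_naive(buf: str) -> Optional[Pair]:
    """Mirror the original logic: split the printed buffer at the first ':'.

    Returns None where the C code returned NULL without setting an exception,
    which is what surfaced as 'SystemError: error return without exception set'.
    """
    if ":" not in buf:
        return None
    key, _, value = buf.partition(":")
    return key, value


def split_fixed(buf: str) -> Pair:
    """Handle the GEN_RID case by its fixed prefix before the ':' split.

    If a future OpenSSL does print "Registered ID:<oid>", the prefix check is
    skipped and the ordinary split still yields the same pair.
    """
    prefix = "Registered ID"
    if buf.startswith(prefix) and not buf[len(prefix):].startswith(":"):
        return prefix, buf[len(prefix):]
    if ":" not in buf:
        # Fail loudly with a real exception rather than returning nothing.
        raise ValueError(f"unrecognised general name output: {buf!r}")
    key, _, value = buf.partition(":")
    return key, value


def decode_alt_names(printed, splitter: Callable[[str], Optional[Pair]]):
    """Build a subjectAltName-style tuple of (type, value) pairs, raising the
    same SystemError the interpreter raised when a splitter yields None."""
    out = []
    for buf in printed:
        pair = splitter(buf)
        if pair is None:
            raise SystemError("error return without exception set")
        out.append(pair)
    return tuple(out)
```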
msg273240 - Author: Christian Heimes (christian.heimes), Date: 2016-08-20 19:00

ping

msg274112 - Author: Antoine Pitrou (pitrou), Date: 2016-09-01 09:31

I can't comment on this, as I don't even know what a "registered id" is, sorry :-/

msg274116 - Author: Christian Heimes (christian.heimes), Date: 2016-09-01 10:32

A GEN_RID is an OID plus some opaque data. It's up to an application to understand an OID and interpret its data. The value of a GEN_RID can be as simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for Kerberos principals.

I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS:

```
otherName.1 = 1.2.3.4;UTF8:some other identifier
otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:KERBEROS.REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:username
```

1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. FAST pre-auth and SmartCard authentication.

msg274634 - Author: Roundup Robot (python-dev), Date: 2016-09-06 21:28

New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/9bbf0b31da48

New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/2b9af57af3e4

New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/74805fd9e734
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:34 | admin | set | github: 71878 |
| 2016-09-15 15:54:28 | christian.heimes | link | issue28170 superseder |
| 2016-09-09 00:05:05 | christian.heimes | set | status: open -> closed resolution: fixed stage: commit review -> resolved |
| 2016-09-06 21:29:37 | christian.heimes | set | stage: test needed -> commit review |
| 2016-09-06 21:28:25 | python-dev | set | nosy: +python-dev messages: +msg274634 |
| 2016-09-01 10:32:13 | christian.heimes | set | messages: +msg274116 |
| 2016-09-01 09:31:56 | pitrou | set | messages: +msg274112 |
| 2016-08-20 19:00:59 | christian.heimes | set | nosy: +vstinner,Lukasa type: behavior -> security messages: +msg273240 |
| 2016-08-05 10:48:44 | christian.heimes | set | files: +0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch keywords: +patch |
| 2016-08-05 09:26:35 | christian.heimes | create | |