ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:60588] [ruby-trunk - Bug #9504] [Open] X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
From: ms @ 2014-02-08 20:43 UTC
  To: ruby-core

Issue #9504 has been reported by Mark Schloesser.

----------------------------------------
Bug #9504: X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
https://bugs.ruby-lang.org/issues/9504

* Author: Mark Schloesser
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: next minor
* ruby -v: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
Ruby's openssl extension tries to load certificates as PEM format first, and on failure will try to do DER / ASN1. The PEM format loading ignores junk in the beginning and end of the given buffer, which can lead to a DER certificate being incorrectly loaded. This occurs on 1.9.3 and 2.2.0.

More concretely, this occurs in the wild when a server certificate has an X509 extension comment that includes another certificate in PEM format. Example below.

To fix this, one could allow the user to optionally specify the format, and do DER directly if specified. That would keep things backwards compatible and allow these certificates to be correctly parsed.

Example certificate - http://pastebin.com/V90dDSez
Openssl output for this - http://pastebin.com/GSsLtP8J

Ruby script to show the bug/problem - http://pastebin.com/Q7ap7FjN

I currently patched my ruby version (1.9.3) like this: http://pastebin.com/HzyyAm0p

Thanks for feedback and incorporating the patch / a similar solution for this into Ruby.



-- 
http://bugs.ruby-lang.org/


* [ruby-core:60589] [ruby-trunk - Bug #9504] X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
From: ms @ 2014-02-08 20:46 UTC
  To: ruby-core

Issue #9504 has been updated by Mark Schloesser.


My patch means you can load the certificate like this:

    x509 = OpenSSL::X509::Certificate.new(cert, "DER")

I guess having some module level constants for this (`FILETYPE_PEM`, `FILETYPE_ASN1`) would be better. Sadly I'm not a ruby guy by day, and I'd appreciate it if someone cleaned this up to make it cleaner :)


----------------------------------------
Bug #9504: X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
https://bugs.ruby-lang.org/issues/9504#change-45032

* Author: Mark Schloesser
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: next minor
* ruby -v: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------



-- 
http://bugs.ruby-lang.org/


* [ruby-core:61259] [ruby-trunk - Bug #9504] [Assigned] X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
From: nagachika00 @ 2014-03-03 16:29 UTC
  To: ruby-core

Issue #9504 has been updated by Tomoyuki Chikanaga.

Status changed from Open to Assigned
Assignee set to Martin Bosslet

Hello, Mark.
Thank you for your report.

Martin, could you handle this?

----------------------------------------
Bug #9504: X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
https://bugs.ruby-lang.org/issues/9504#change-45599

* Author: Mark Schloesser
* Status: Assigned
* Priority: Normal
* Assignee: Martin Bosslet
* Category: ext/openssl
* Target version: next minor
* ruby -v: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------



-- 
http://bugs.ruby-lang.org/


* [ruby-core:70745] [Ruby trunk - Bug #9504] X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
From: zzak @ 2015-09-13 3:10 UTC
  To: ruby-core

Issue #9504 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Bug #9504: X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
https://bugs.ruby-lang.org/issues/9504#change-54124

* Author: Mark Schloesser
* Status: Assigned
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------



-- 
https://bugs.ruby-lang.org/


* [ruby-core:94278] [Ruby master Bug#9504] X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
From: merch-redmine @ 2019-08-11 17:41 UTC
  To: ruby-core

Issue #9504 has been updated by jeremyevans0 (Jeremy Evans).

Backport deleted (1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN)
Status changed from Assigned to Feedback
File nested-asn1-9504.patch added

I worked on implementing support for adding a :format keyword to `OpenSSL::X509::Certificate#initialize`, allowing you to specify `format: :der` if you didn't want to try loading it as a PEM.  A patch for that is attached (for the ruby-openssl repository).

For the certificate provided, using LibreSSL 3.0.0, both `PEM_read_bio_X509` and `d2i_X509_bio` with the certificate return NULL, with the OpenSSL error: "nested asn1 error".  Are you actually able to get the certificate to work with a modern version of OpenSSL or LibreSSL?

----------------------------------------
Bug #9504: X509 certificate incorrectly loaded (because of try-pem-first-else-asn1)
https://bugs.ruby-lang.org/issues/9504#change-80601

* Author: rep (Mark Schloesser)
* Status: Feedback
* Priority: Normal
* Assignee: openssl
* Target version: 
* ruby -v: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* Backport: 
----------------------------------------

---Files--------------------------------
nested-asn1-9504.patch (4.75 KB)


-- 
https://bugs.ruby-lang.org/
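An added example, not part of this thread, of the bug report's pastebin script, or of the ruby-openssl code base: a certificate loader that takes the format explicitly, checks the input's shape before handing it to `OpenSSL::X509::Certificate.new`, and then verifies the result by round-tripping the DER encoding, so a DER blob that merely contains a PEM certificate (the reporter's nsComment case) cannot be silently returned as that inner certificate. The `format:` keyword mirrors the shape of the API Jeremy Evans proposes above, but here it is a wrapper around the unchanged constructor, not a change to `Certificate#initialize`. `CertFormatError`, `detect_format`, `load_certificate`, `make_self_signed` and `build_nested_fixture` are this example's own names; the two self-signed certificates are constructed fixtures. Whether the plain constructor actually picks the embedded certificate depends on the OpenSSL or LibreSSL version (Jeremy's comment above notes that LibreSSL 3.0.0 rejects the original certificate outright), which is exactly why the loader checks the outcome instead of trusting the PEM-first/DER-second guess.

```ruby
require "openssl"

# Raised when the supplied bytes do not match the format the caller declared,
# or when the parser returned something other than what was supplied.
class CertFormatError < StandardError; end

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Shape check only, no parsing: a DER certificate starts with the SEQUENCE tag
# (0x30); a PEM certificate starts with the BEGIN marker (leading whitespace
# tolerated, leading junk not).
def detect_format(data)
  bytes = data.b
  return :der if bytes.getbyte(0) == 0x30
  return :pem if bytes.lstrip.start_with?(PEM_BEGIN)
  nil
end

# Load a certificate in an explicitly named format. Hypothetical helper; the
# real constructor still tries PEM first, so the :der branch verifies that the
# object it got back re-encodes to exactly the bytes that were handed in.
def load_certificate(data, format:)
  bytes = data.b
  case format
  when :der
    unless bytes.getbyte(0) == 0x30
      raise CertFormatError, "not DER: first byte is not a SEQUENCE tag"
    end
    cert = OpenSSL::X509::Certificate.new(bytes)
    # i2d of a parsed X509 reproduces the bytes that were parsed. If the
    # PEM-first path picked up a certificate embedded inside the DER (e.g. in
    # an nsComment extension), the re-encoding is that inner cert and differs.
    unless cert.to_der == bytes
      raise CertFormatError, "DER round-trip mismatch: parser did not consume the supplied encoding"
    end
    cert
  when :pem
    unless bytes.lstrip.start_with?(PEM_BEGIN)
      raise CertFormatError, "not PEM: BEGIN CERTIFICATE marker is not at the start"
    end
    if bytes.scan(PEM_BEGIN).size != 1
      raise CertFormatError, "PEM input carries more than one certificate"
    end
    OpenSSL::X509::Certificate.new(bytes)
  else
    raise ArgumentError, "format must be :der or :pem"
  end
end

# Constructed fixture: a throwaway self-signed certificate with optional
# extensions added before signing.
def make_self_signed(cn, extensions: [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  extensions.each { |ext| cert.add_extension(ext) }
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed fixture reproducing the shape of the reported certificate: an
# outer DER certificate whose nsComment (an IA5String) carries the inner
# certificate's PEM text, newline first so the BEGIN line sits on a line
# boundary as a PEM reader expects.
def build_nested_fixture
  inner = make_self_signed("inner.example")
  comment = OpenSSL::ASN1::IA5String.new("\n" + inner.to_pem).to_der
  ext = OpenSSL::X509::Extension.new("nsComment", comment, false)
  outer = make_self_signed("outer.example", extensions: [ext])
  [inner, outer]
end

if __FILE__ == $PROGRAM_NAME
  inner, outer = build_nested_fixture
  naive = OpenSSL::X509::Certificate.new(outer.to_der)
  puts "plain constructor on outer DER returned subject: #{naive.subject}"
  puts "  (inner is #{inner.subject}, outer is #{outer.subject})"
  begin
    load_certificate(outer.to_der, format: :der)
    puts "explicit DER load returned the outer certificate, as intended"
  rescue CertFormatError => e
    puts "explicit DER load rejected the result: #{e.message}"
  end
end
```

Run it as a script to see which certificate the plain constructor returns on this machine's OpenSSL; in either case `load_certificate` only ever returns a certificate whose DER equals the input, which is the property callers of a DER loader actually rely on.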

