#224 Don't encode critical=FALSE in X509v3 extensions
Merged 2 years ago by rcritten. Opened 2 years ago by cheimes.
cheimes/certmonger ext_critical  into  master

file modified
+6 -42
@@ -203,45 +203,6 @@ 

  	{0, 0, NULL, 0},

  };

  

- /* RFC 5280, 4.1 */

- const SEC_ASN1Template

- cm_certext_cert_extension_template[] = {

- 	{

- 	.kind = SEC_ASN1_SEQUENCE,

- 	.offset = 0,

- 	.sub = NULL,

- 	.size = sizeof(CERTCertExtension),

- 	},

- 	{

- 	.kind = SEC_ASN1_OBJECT_ID,

- 	.offset = offsetof(CERTCertExtension, id),

- 	.sub = NULL,

- 	.size = sizeof(SECItem),

- 	},

- 	{

- 	.kind = SEC_ASN1_BOOLEAN,

- 	.offset = offsetof(CERTCertExtension, critical),

- 	.sub = NULL,

- 	.size = sizeof(SECItem),

- 	},

- 	{

- 	.kind = SEC_ASN1_OCTET_STRING,

- 	.offset = offsetof(CERTCertExtension, value),

- 	.sub = NULL,

- 	.size = sizeof(SECItem),

- 	},

- 	{0, 0, NULL, 0},

- };

- const SEC_ASN1Template

- cm_certext_sequence_of_cert_extension_template[] = {

- 	{

- 	.kind = SEC_ASN1_SEQUENCE_OF,

- 	.offset = 0,

- 	.sub = cm_certext_cert_extension_template,

- 	.size = sizeof(CERTCertExtension **),

- 	},

- };

- 

  /* Windows 2000-style UPN */

  static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};

  static const SECOidData oid_ms_upn_name = {
@@ -1745,9 +1706,12 @@ 

  	CERTCertExtension ext[13], *exts[14], **exts_ptr;

  	SECOidData *oid;

  	SECItem *item, encoded;

+ 	/* X509v3 extension's critical element has an implicit default,

+ 	 * see https://pagure.io/certmonger/issue/223

+ 	 */

  	SECItem der_false = {

- 		.len = 1,

- 		.data = (unsigned char *) "\000",

+ 		.len = 0,

+ 		.data = NULL,

  	};

  	SECItem der_true = {

  		.len = 1,
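Review bot: The zero-length `der_false` only disappears from the output because the NSS extension template reached through the `CERT_SequenceOfCertExtensionTemplate` assignment in the next hunk declares `critical` as `SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN` (as far as I recall), and the NSS encoder omits an optional item whose length is zero; the comment added here explains the ASN.1 DEFAULT but not that dependency, and the local template deleted in the first hunk had no OPTIONAL flag, so the same `.len = 0` item fed through it would have produced an empty BOOLEAN rather than nothing. Suggest extending the comment to `/* X509v3 extension's critical element has an implicit default (RFC 5280 4.1); NSS's extension template marks it OPTIONAL, so a zero-length item is omitted instead of being encoded as an explicit FALSE, which is BER but not valid DER. See https://pagure.io/certmonger/issue/223 */`. The enclosing function starts and ends outside the hunk, so if `der_false` is also passed to any other template, that path needs the same check.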
@@ -1960,7 +1924,7 @@ 

  	/* Encode the sequence. */

  	memset(&encoded, 0, sizeof(encoded));

  	if (i > 1) {

- 		template = cm_certext_sequence_of_cert_extension_template;

+ 		template = CERT_SequenceOfCertExtensionTemplate;

  		if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,

  				       template) == &encoded) {

  			*extensions = talloc_memdup(entry, encoded.data,
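Review bot: The switch to `CERT_SequenceOfCertExtensionTemplate` sits under the `if (i > 1)` guard, and the branch taken when the guard is false is outside the hunk; if that branch encodes through a different template, please confirm it no longer emits `BOOLEAN :0` either, since the expected-output files updated in this PR only exercise the multi-extension CSR. A one-line comment at the assignment, `/* NSS template: critical is OPTIONAL, so a zero-length der_false is omitted */`, would record why the local template could be dropped. The enclosing function starts and ends outside the hunk.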

@@ -8,8 +8,8 @@ 

  4096 OK.

  Signature OK

  The last CSR (the one with everything) was:

-     0:d=0  hl=4 l=1413 cons: SEQUENCE          

-     4:d=1  hl=4 l=1133 cons: SEQUENCE          

+     0:d=0  hl=4 l=1389 cons: SEQUENCE          

+     4:d=1  hl=4 l=1109 cons: SEQUENCE          

      8:d=2  hl=2 l=   1 prim: INTEGER           :00

     11:d=2  hl=2 l=  22 cons: SEQUENCE          

     13:d=3  hl=2 l=  20 cons: SET               
@@ -21,7 +21,7 @@ 

     41:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption

     52:d=4  hl=2 l=   0 prim: NULL              

     54:d=3  hl=4 l= 271 prim: BIT STRING        

-   329:d=2  hl=4 l= 808 cons: cont [ 0 ]        

+   329:d=2  hl=4 l= 784 cons: cont [ 0 ]        

    333:d=3  hl=2 l=  52 cons: SEQUENCE          

    335:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword

    346:d=4  hl=2 l=  39 cons: SET               
@@ -30,48 +30,40 @@ 

    389:d=4  hl=2 l=   9 prim: OBJECT            :friendlyName

    400:d=4  hl=2 l=  48 cons: SET               

    402:d=5  hl=2 l=  46 prim: BMPSTRING         

-   450:d=3  hl=4 l= 687 cons: SEQUENCE          

+   450:d=3  hl=4 l= 663 cons: SEQUENCE          

    454:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request

-   465:d=4  hl=4 l= 672 cons: SET               

-   469:d=5  hl=4 l= 668 cons: SEQUENCE          

-   473:d=6  hl=2 l=  14 cons: SEQUENCE          

+   465:d=4  hl=4 l= 648 cons: SET               

+   469:d=5  hl=4 l= 644 cons: SEQUENCE          

+   473:d=6  hl=2 l=  11 cons: SEQUENCE          

    475:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage

-   480:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   483:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205E0

-   489:d=6  hl=4 l= 264 cons: SEQUENCE          

-   493:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name

-   498:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   501:d=7  hl=3 l= 253 prim: OCTET STRING      [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74

-   757:d=6  hl=2 l=  32 cons: SEQUENCE          

-   759:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage

-   764:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   767:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304

-   791:d=6  hl=2 l=  18 cons: SEQUENCE          

-   793:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints

-   798:d=7  hl=2 l=   1 prim: BOOLEAN           :255

-   801:d=7  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020103

-   811:d=6  hl=2 l=  34 cons: SEQUENCE          

-   813:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier

-   818:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   821:d=7  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D

-   847:d=6  hl=2 l=  32 cons: SEQUENCE          

-   849:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier

-   854:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   857:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D

-   881:d=6  hl=2 l= 107 cons: SEQUENCE          

-   883:d=7  hl=2 l=   8 prim: OBJECT            :Authority Information Access

-   893:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   896:d=7  hl=2 l=  92 prim: OCTET STRING      [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435

-   990:d=6  hl=2 l=  96 cons: SEQUENCE          

-   992:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points

-   997:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1000:d=7  hl=2 l=  86 prim: OCTET STRING      [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574

-  1088:d=6  hl=2 l=  51 cons: SEQUENCE          

-  1090:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Comment

-  1101:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1104:d=7  hl=2 l=  35 prim: OCTET STRING      [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374

-  1141:d=1  hl=2 l=  13 cons: SEQUENCE          

-  1143:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption

-  1154:d=2  hl=2 l=   0 prim: NULL              

-  1156:d=1  hl=4 l= 257 prim: BIT STRING        

+   480:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205E0

+   486:d=6  hl=4 l= 261 cons: SEQUENCE          

+   490:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name

+   495:d=7  hl=3 l= 253 prim: OCTET STRING      [HEX DUMP]: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

+   751:d=6  hl=2 l=  29 cons: SEQUENCE          

+   753:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage

+   758:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304

+   782:d=6  hl=2 l=  18 cons: SEQUENCE          

+   784:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints

+   789:d=7  hl=2 l=   1 prim: BOOLEAN           :255

+   792:d=7  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020103

+   802:d=6  hl=2 l=  31 cons: SEQUENCE          

+   804:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier

+   809:d=7  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D

+   835:d=6  hl=2 l=  29 cons: SEQUENCE          

+   837:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier

+   842:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D

+   866:d=6  hl=2 l= 104 cons: SEQUENCE          

+   868:d=7  hl=2 l=   8 prim: OBJECT            :Authority Information Access

+   878:d=7  hl=2 l=  92 prim: OCTET STRING      [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435

+   972:d=6  hl=2 l=  93 cons: SEQUENCE          

+   974:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points

+   979:d=7  hl=2 l=  86 prim: OCTET STRING      [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574

+  1067:d=6  hl=2 l=  48 cons: SEQUENCE          

+  1069:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Comment

+  1080:d=7  hl=2 l=  35 prim: OCTET STRING      [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374

+  1117:d=1  hl=2 l=  13 cons: SEQUENCE          

+  1119:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption

+  1130:d=2  hl=2 l=   0 prim: NULL              

+  1132:d=1  hl=4 l= 257 prim: BIT STRING        

  Test complete (32 combinations).

file modified
+49 -61
@@ -11,8 +11,8 @@ 

  minicert.openssl.4096.pem: OK

  4096 OK.

  The last CSR (the one with everything) was:

-     0:d=0  hl=4 l=1635 cons: SEQUENCE          

-     4:d=1  hl=4 l=1355 cons: SEQUENCE          

+     0:d=0  hl=4 l=1599 cons: SEQUENCE          

+     4:d=1  hl=4 l=1319 cons: SEQUENCE          

      8:d=2  hl=2 l=   1 prim: INTEGER           :00

     11:d=2  hl=2 l=  22 cons: SEQUENCE          

     13:d=3  hl=2 l=  20 cons: SET               
@@ -24,7 +24,7 @@ 

     41:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption

     52:d=4  hl=2 l=   0 prim: NULL              

     54:d=3  hl=4 l= 271 prim: BIT STRING        

-   329:d=2  hl=4 l=1030 cons: cont [ 0 ]        

+   329:d=2  hl=4 l= 994 cons: cont [ 0 ]        

    333:d=3  hl=2 l=  52 cons: SEQUENCE          

    335:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword

    346:d=4  hl=2 l=  39 cons: SET               
@@ -33,64 +33,52 @@ 

    389:d=4  hl=2 l=   9 prim: OBJECT            :friendlyName

    400:d=4  hl=2 l=  48 cons: SET               

    402:d=5  hl=2 l=  46 prim: BMPSTRING         

-   450:d=3  hl=4 l= 909 cons: SEQUENCE          

+   450:d=3  hl=4 l= 873 cons: SEQUENCE          

    454:d=4  hl=2 l=   9 prim: OBJECT            :Extension Request

-   465:d=4  hl=4 l= 894 cons: SET               

-   469:d=5  hl=4 l= 890 cons: SEQUENCE          

-   473:d=6  hl=2 l=  14 cons: SEQUENCE          

+   465:d=4  hl=4 l= 858 cons: SET               

+   469:d=5  hl=4 l= 854 cons: SEQUENCE          

+   473:d=6  hl=2 l=  11 cons: SEQUENCE          

    475:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage

-   480:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   483:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205E0

-   489:d=6  hl=4 l= 290 cons: SEQUENCE          

-   493:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name

-   498:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   501:d=7  hl=4 l= 278 prim: OCTET STRING      [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001

-   783:d=6  hl=2 l=  32 cons: SEQUENCE          

-   785:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage

-   790:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   793:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304

-   817:d=6  hl=2 l=  18 cons: SEQUENCE          

-   819:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints

-   824:d=7  hl=2 l=   1 prim: BOOLEAN           :255

-   827:d=7  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020103

-   837:d=6  hl=2 l=  34 cons: SEQUENCE          

-   839:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier

-   844:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   847:d=7  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D

-   873:d=6  hl=2 l=  32 cons: SEQUENCE          

-   875:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier

-   880:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   883:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D

-   907:d=6  hl=2 l= 107 cons: SEQUENCE          

-   909:d=7  hl=2 l=   8 prim: OBJECT            :Authority Information Access

-   919:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-   922:d=7  hl=2 l=  92 prim: OCTET STRING      [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435

-  1016:d=6  hl=2 l=  96 cons: SEQUENCE          

-  1018:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points

-  1023:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1026:d=7  hl=2 l=  86 prim: OCTET STRING      [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574

-  1114:d=6  hl=2 l= 106 cons: SEQUENCE          

-  1116:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Freshest CRL

-  1121:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1124:d=7  hl=2 l=  96 prim: OCTET STRING      [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461

-  1222:d=6  hl=2 l=  51 cons: SEQUENCE          

-  1224:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Comment

-  1235:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1238:d=7  hl=2 l=  35 prim: OCTET STRING      [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374

-  1275:d=6  hl=2 l=  18 cons: SEQUENCE          

-  1277:d=7  hl=2 l=   9 prim: OBJECT            :OCSP No Check

-  1288:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1291:d=7  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:0500

-  1295:d=6  hl=2 l=  44 cons: SEQUENCE          

-  1297:d=7  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.311.20.2

-  1308:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1311:d=7  hl=2 l=  28 prim: OCTET STRING      [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074

-  1341:d=6  hl=2 l=  20 cons: SEQUENCE          

-  1343:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Cert Type

-  1354:d=7  hl=2 l=   1 prim: BOOLEAN           :0

-  1357:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0

-  1363:d=1  hl=2 l=  13 cons: SEQUENCE          

-  1365:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption

-  1376:d=2  hl=2 l=   0 prim: NULL              

-  1378:d=1  hl=4 l= 257 prim: BIT STRING        

+   480:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205E0

+   486:d=6  hl=4 l= 287 cons: SEQUENCE          

+   490:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Alternative Name

+   495:d=7  hl=4 l= 278 prim: OCTET STRING      [HEX DUMP]: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

+   777:d=6  hl=2 l=  29 cons: SEQUENCE          

+   779:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage

+   784:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030206082B06010505070304

+   808:d=6  hl=2 l=  18 cons: SEQUENCE          

+   810:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints

+   815:d=7  hl=2 l=   1 prim: BOOLEAN           :255

+   818:d=7  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:30060101FF020103

+   828:d=6  hl=2 l=  31 cons: SEQUENCE          

+   830:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier

+   835:d=7  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D

+   861:d=6  hl=2 l=  29 cons: SEQUENCE          

+   863:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier

+   868:d=7  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D

+   892:d=6  hl=2 l= 104 cons: SEQUENCE          

+   894:d=7  hl=2 l=   8 prim: OBJECT            :Authority Information Access

+   904:d=7  hl=2 l=  92 prim: OCTET STRING      [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435

+   998:d=6  hl=2 l=  93 cons: SEQUENCE          

+  1000:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points

+  1005:d=7  hl=2 l=  86 prim: OCTET STRING      [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574

+  1093:d=6  hl=2 l= 103 cons: SEQUENCE          

+  1095:d=7  hl=2 l=   3 prim: OBJECT            :X509v3 Freshest CRL

+  1100:d=7  hl=2 l=  96 prim: OCTET STRING      [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461

+  1198:d=6  hl=2 l=  48 cons: SEQUENCE          

+  1200:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Comment

+  1211:d=7  hl=2 l=  35 prim: OCTET STRING      [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374

+  1248:d=6  hl=2 l=  15 cons: SEQUENCE          

+  1250:d=7  hl=2 l=   9 prim: OBJECT            :OCSP No Check

+  1261:d=7  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:0500

+  1265:d=6  hl=2 l=  41 cons: SEQUENCE          

+  1267:d=7  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.311.20.2

+  1278:d=7  hl=2 l=  28 prim: OCTET STRING      [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074

+  1308:d=6  hl=2 l=  17 cons: SEQUENCE          

+  1310:d=7  hl=2 l=   9 prim: OBJECT            :Netscape Cert Type

+  1321:d=7  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0

+  1327:d=1  hl=2 l=  13 cons: SEQUENCE          

+  1329:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption

+  1340:d=2  hl=2 l=   0 prim: NULL              

+  1342:d=1  hl=4 l= 257 prim: BIT STRING        

  Test complete (69 combinations).

The X509v3 extension is defined as

   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }

Since the critical element has a default value of FALSE, a DER
encoder must not encode that value; only a TRUE value must be encoded.

Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes cheimes@redhat.com

1 new commit added

  • Use extensions template from NSS
2 years ago

Change looks ok. Can the commits be squashed? The first one updates the existing template and the second eliminates it.

rebased onto 9312d18

2 years ago

I'm still seeing BOOLEAN: 0 in the generated CSR:

402:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
407:d=7 hl=2 l= 1 prim: BOOLEAN :0
410:d=7 hl=3 l= 161 prim: OCTET STRING [HEX DUMP]:....

1 new commit added

  • Use implicit, empty FALSE for extensions
2 years ago

OK, this drops the critical extension altogether as desired.

asn1crypto.csr still fails to parse the CSR with a very similar failure as reported in the ticket.

Can you update the commit message on the new commit to include the ticket #? I think the 1st comment from this PR would be good context to include as well.

I tested this on F35 with and without this patch applied. An IPA replica is installable with the patch.

2 new commits added

  • Use implicit, empty FALSE for extensions
  • Use extensions template from NSS
2 years ago

Metadata Update from @rcritten:
- Request assigned

2 years ago

Pull-Request has been merged by rcritten

2 years ago