This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: X509 cert with GEN_RID subject alt name causes SytemError
Type: security Stage: resolved
Components: Extension Modules Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Lukasa, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou, python-dev, vstinner
Priority: normal Keywords: patch

Created on 2016-08-05 09:26 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
rid.pem christian.heimes, 2016-08-05 09:26
0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch christian.heimes, 2016-08-05 10:48 review
Messages (5)
msg272020 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-08-05 09:26 
A X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268
msg273240 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-08-20 19:00 
ping
msg274112 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2016-09-01 09:31 
I can't comment on this, as I don't even know what a "registered id" is, sorry :-/
msg274116 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-01 10:32 
A GEN_RID is an OID plus some opaque data. It's up to an application to understand an OID and interpret its data. The value of a GEN_RID can be as simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for Kerberos principals.

I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS: 

  otherName.1 = 1.2.3.4;UTF8:some other identifier
  otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

  [princ_name]
  realm = EXP:0, GeneralString:KERBEROS.REALM
  principal_name = EXP:1, SEQUENCE:principal_seq
  [principal_seq]
  name_type = EXP:0, INTEGER:1
  name_string = EXP:1, SEQUENCE:principals
  [principals]
  princ1 = GeneralString:username

1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. FAST pre-auth and SmartCard authentication.
msg274634 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-09-06 21:28 
New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/9bbf0b31da48

New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/2b9af57af3e4

New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/74805fd9e734
History
Date User Action Args
2022-04-11 14:58:34adminsetgithub: 71878
2016-09-15 15:54:28christian.heimeslinkissue28170 superseder
2016-09-09 00:05:05christian.heimessetstatus: open -> closed
resolution: fixed
stage: commit review -> resolved
2016-09-06 21:29:37christian.heimessetstage: test needed -> commit review
2016-09-06 21:28:25python-devsetnosy: + python-dev
messages: + msg274634
2016-09-01 10:32:13christian.heimessetmessages: + msg274116
2016-09-01 09:31:56pitrousetmessages: + msg274112
2016-08-20 19:00:59christian.heimessetnosy: + vstinner, Lukasa
type: behavior -> security
messages: + msg273240
2016-08-05 10:48:44christian.heimessetfiles: + 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch
keywords: + patch
2016-08-05 09:26:35christian.heimescreate