
classification
Title: Client certificates with UniqueIdentifier in the subject break ssl.peer_certificate()
Type: behavior
Stage: patch review
Components: SSL
Versions: Python 3.11, Python 3.10, Python 3.9
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, kacper, miss-islington, xiaox55066
Priority: normal
Keywords: patch

Created on 2022-01-02 22:03 by kacper, last changed 2022-04-11 14:59 by admin.

Pull Requests
PR 30351: merged (linked by christian.heimes, 2022-01-03 08:50)
PR 31454: merged (linked by miss-islington, 2022-02-20 20:42)
Messages (3)
msg409532 - Author: Kacper (kacper) Date: 2022-01-02 22:03
Currently all subject sets of a client certificate are treated as UTF8 strings using the ASN1_STRING_to_UTF8 function (https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L912), however RFC 5280 states that the UniqueIdentifier is of type BIT STRING. Passing a BIT STRING into the ASN1_STRING_to_UTF8 function seems to return -1 and subsequently fail an SSL handshake.

Traceback (most recent call last):
  File "/usr/lib64/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib64/python3.6/site-packages/tornado/platform/asyncio.py", line 138, in _handle_events
    handler_func(fileobj, events)
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 702, in _handle_events
    self._handle_read()
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1471, in _handle_read
    self._do_ssl_handshake()
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1431, in _do_ssl_handshake
    if not self._verify_cert(self.socket.getpeercert()):
  File "/usr/lib64/python3.6/ssl.py", line 860, in getpeercert
    return self._sslobj.getpeercert(binary_form)
  File "/usr/lib64/python3.6/ssl.py", line 610, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
ssl.SSLError: unknown error (_ssl.c:959)

(line 959 of _ssl.c corresponds to https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L914)

https://github.com/pyca/cryptography/issues/3542 might be of interest for further discussion.
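To make the failure mode concrete, the following is an added example in pure Python, not code from CPython or OpenSSL: a minimal DER parser for an X.509 Name that dispatches on each attribute value's ASN.1 tag instead of forcing every value through a UTF-8 conversion, run over a constructed subject with a CN and an x500UniqueIdentifier (OID 2.5.4.45, whose syntax is BIT STRING). The sample values, the `bitstring:` rendering and the `tag_aware` switch are assumptions made for this example.

```python
BIT_STRING, OID, SEQUENCE, SET = 0x03, 0x06, 0x30, 0x31
TEXT_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5String

def _tlv(data: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(content: bytes):  # (tag, content) of each TLV in a constructed element
    pos = 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        yield tag, body

def _oid_str(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # remaining arcs are base-128; high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_attribute_value(tag: int, body: bytes) -> str:
    """Render one AttributeValue as text according to its ASN.1 tag."""
    if tag in TEXT_TAGS:
        return body.decode(TEXT_TAGS[tag])
    if tag == BIT_STRING:  # first content byte = number of unused trailing bits
        return f"bitstring:{body[1:].hex()}/{body[0]}"
    raise ValueError(f"unsupported attribute value tag 0x{tag:02x}")

def parse_name(der: bytes, tag_aware: bool = True) -> list:
    """[(dotted oid, text), ...] for a Name; tag_aware=False forces UTF-8 on every value."""
    out = []
    for _, rdn in _children(_tlv(der, 0)[1]):  # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in _children(rdn):
            (_, oid_body), (vtag, vbody) = _children(atv)
            text = decode_attribute_value(vtag, vbody) if tag_aware else vbody.decode("utf-8")
            out.append((_oid_str(oid_body), text))
    return out

def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form length is enough here

# Constructed subject: CN=client-1 (UTF8String) and x500UniqueIdentifier (2.5.4.45) = 0xA5C3
SUBJECT_DER = _der(SEQUENCE,
    _der(SET, _der(SEQUENCE, _der(OID, b"\x55\x04\x03") + _der(0x0C, b"client-1")))
    + _der(SET, _der(SEQUENCE, _der(OID, b"\x55\x04\x2d") + _der(BIT_STRING, b"\x00\xa5\xc3"))))
```

With `tag_aware=False` the same input raises a `UnicodeDecodeError` on the BIT STRING value, which is the text-only conversion path the report describes; the tag-aware path returns both attributes.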
msg413609 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2022-02-20 20:42
New changeset be095f6c32188bba02079d086ac8639ea37cec3c by Christian Heimes in branch 'main':
bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)
https://github.com/python/cpython/commit/be095f6c32188bba02079d086ac8639ea37cec3c
msg413641 - Author: miss-islington (miss-islington) Date: 2022-02-21 09:37
New changeset 633d0f90f933515a9fca21a38cf87a8baf8ddc7d by Miss Islington (bot) in branch '3.10':
bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)
https://github.com/python/cpython/commit/633d0f90f933515a9fca21a38cf87a8baf8ddc7d
History
Date User Action Args
2022-04-11 14:59:54 admin set github: 90390
2022-02-21 21:18:45 ned.deily set messages: - msg413642
2022-02-21 09:59:19 xiaox55066 set nosy: + xiaox55066; messages: + msg413642
2022-02-21 09:37:46 miss-islington set messages: + msg413641
2022-02-20 20:42:47 miss-islington set nosy: + miss-islington; pull_requests: + pull_request29582
2022-02-20 20:42:42 christian.heimes set messages: + msg413609
2022-01-03 08:50:14 christian.heimes set keywords: + patch; stage: patch review; pull_requests: + pull_request28564
2022-01-03 07:55:44 christian.heimes set assignee: christian.heimes ->; versions: - Python 3.6, Python 3.7, Python 3.8
2022-01-02 22:03:19 kacper create