X509 cert with GEN_RID subject alt name causes SystemError #71878

Closed
tiran opened this issue Aug 5, 2016 · 5 comments
Labels
extension-modules C modules in the Modules dir type-security A security issue

Comments

@tiran

tiran commented Aug 5, 2016

BPO 27691
Nosy @pitrou, @vstinner, @giampaolo, @tiran, @alex, @dstufft, @Lukasa
Files
  • rid.pem
  • 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2016-09-09.00:05:05.045>
    created_at = <Date 2016-08-05.09:26:35.351>
    labels = ['type-security', 'extension-modules']
    title = 'X509 cert with GEN_RID subject alt name causes SytemError'
    updated_at = <Date 2016-09-09.00:05:05.044>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2016-09-09.00:05:05.044>
    actor = 'christian.heimes'
    assignee = 'none'
    closed = True
    closed_date = <Date 2016-09-09.00:05:05.045>
    closer = 'christian.heimes'
    components = ['Extension Modules']
    creation = <Date 2016-08-05.09:26:35.351>
    creator = 'christian.heimes'
    dependencies = []
    files = ['44014', '44018']
    hgrepos = []
    issue_num = 27691
    keywords = ['patch']
    message_count = 5.0
    messages = ['272020', '273240', '274112', '274116', '274634']
    nosy_count = 9.0
    nosy_names = ['janssen', 'pitrou', 'vstinner', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'dstufft', 'Lukasa']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue27691'
    versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6']

    @tiran

    tiran commented Aug 5, 2016

    An X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

    >>> import _ssl
    >>> _ssl._test_decode_cert('rid.pem')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    SystemError: error return without exception set

    The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183. _get_peer_alt_names() fails and returns NULL without setting a proper exception.

    It looks like we haven't had tests for GEN_RID as well as some other field types.

    Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

    @tiran tiran added type-bug An unexpected behavior, bug, or error extension-modules C modules in the Modules dir labels Aug 5, 2016
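The failure mode described in the report, modelled in Python as an added example (this is not CPython's _ssl.c or OpenSSL code): a constructed list stands in for the text GENERAL_NAME_print() writes per SAN entry, with the GEN_RID entry lacking the ':' separator, and the naive split-at-':' parser is contrasted with one that handles "Registered ID" explicitly and raises instead of silently failing. The GEN_* labels and the OID value are constructed sample data.

```python
# Constructed sample of what GENERAL_NAME_print() emits for each SAN entry.
# Every type except GEN_RID is followed by ':' (see the v3_alt.c reference
# in the issue); "Registered ID" is written with no separator at all.
PRINTED_GENERAL_NAMES = [
    ("GEN_DNS", "DNS:www.example.org"),
    ("GEN_IPADD", "IP Address:192.0.2.10"),
    ("GEN_EMAIL", "email:admin@example.org"),
    ("GEN_RID", "Registered ID1.2.3.4"),   # no ':' -> naive split breaks
]

RID_PREFIX = "Registered ID"


def naive_split(gen_type, printed):
    """Mirror the buggy logic: split the printed buffer at the first ':'.

    Returning None here is the analogue of _get_peer_alt_names() returning
    NULL without setting an exception, which surfaces as SystemError.
    """
    sep = printed.find(":")
    if sep < 0:
        return None
    return printed[:sep], printed[sep + 1:]


def robust_split(gen_type, printed):
    """Handle GEN_RID explicitly and fail loudly on anything unexpected."""
    if gen_type == "GEN_RID":
        if not printed.startswith(RID_PREFIX):
            raise ValueError("unexpected GEN_RID text: %r" % printed)
        return RID_PREFIX, printed[len(RID_PREFIX):]
    sep = printed.find(":")
    if sep < 0:
        # Never swallow a parse failure: raising is the Python-level
        # equivalent of returning NULL *with* an exception set.
        raise ValueError("no ':' separator in %r" % printed)
    return printed[:sep], printed[sep + 1:]


def decode_alt_names(entries, splitter=robust_split):
    """Decode all entries; like the C code, give up on the first failure."""
    result = []
    for gen_type, printed in entries:
        pair = splitter(gen_type, printed)
        if pair is None:          # only naive_split can produce this
            return None
        result.append(pair)
    return tuple(result)
```

With the naive splitter the whole SAN list is lost as soon as a Registered ID entry is present, so hostname validation cannot proceed; the robust splitter yields ("Registered ID", "1.2.3.4") alongside the other entries.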
    @tiran

    tiran commented Aug 20, 2016

    ping

    @tiran tiran added type-security A security issue and removed type-bug An unexpected behavior, bug, or error labels Aug 20, 2016
    @pitrou

    pitrou commented Sep 1, 2016

    I can't comment on this, as I don't even know what a "registered id" is, sorry :-/

    @tiran

    tiran commented Sep 1, 2016

    A GEN_RID is an OID plus some opaque data. It's up to an application to understand an OID and interpret its data. The value of a GEN_RID can be as simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for Kerberos principals.

    I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS:

      otherName.1 = 1.2.3.4;UTF8:some other identifier
      otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

    [princ_name]
    realm = EXP:0, GeneralString:KERBEROS.REALM
    principal_name = EXP:1, SEQUENCE:principal_seq
    [principal_seq]
    name_type = EXP:0, INTEGER:1
    name_string = EXP:1, SEQUENCE:principals
    [principals]
    princ1 = GeneralString:username

    1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. FAST pre-auth and SmartCard authentication.

    @python-dev

    python-dev mannequin commented Sep 6, 2016

    New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
    Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
    https://hg.python.org/cpython/rev/9bbf0b31da48

    New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
    Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
    https://hg.python.org/cpython/rev/2b9af57af3e4

    New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
    Issue bpo-27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
    https://hg.python.org/cpython/rev/74805fd9e734

    @tiran tiran closed this as completed Sep 9, 2016
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022