Client certificates with UniqueIdentifier in the subject break ssl.peer_certificate() #90390

Closed
kacper mannequin opened this issue Jan 2, 2022 · 4 comments
Labels
3.9 only security fixes 3.10 only security fixes 3.11 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@kacper

kacper mannequin commented Jan 2, 2022

BPO 46232
Nosy @tiran, @miss-islington
PRs
  • bpo-46232: Fix parsing of certs with bit string in DN (GH-30351) #30351
  • [3.10] bpo-46232: Fix parsing of certs with bit string in DN (GH-30351) #31454

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2022-01-02.22:03:19.139>
    labels = ['expert-SSL', 'type-bug', '3.9', '3.10', '3.11']
    title = 'Client certificates with UniqueIdentifier in the subject break ssl.peer_certificate()'
    updated_at = <Date 2022-02-21.21:18:45.546>
    user = 'https://bugs.python.org/kacper'

    bugs.python.org fields:

    activity = <Date 2022-02-21.21:18:45.546>
    actor = 'ned.deily'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['SSL']
    creation = <Date 2022-01-02.22:03:19.139>
    creator = 'kacper'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 46232
    keywords = ['patch']
    message_count = 3.0
    messages = ['409532', '413609', '413641']
    nosy_count = 4.0
    nosy_names = ['christian.heimes', 'miss-islington', 'kacper', 'xiaox55066']
    pr_nums = ['30351', '31454']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue46232'
    versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']


    Currently all subject sets of a client certificate are treated as UTF8 strings using the ASN1_STRING_to_UTF8 function (`buflen = ASN1_STRING_to_UTF8(&valuebuf, value);`), however RFC 5280 states that the UniqueIdentifier is of type BIT STRING. Passing a BIT STRING into the ASN1_STRING_to_UTF8 function seems to return -1 and subsequently fail an SSL handshake.

    Traceback (most recent call last):
      File "/usr/lib64/python3.6/asyncio/events.py", line 145, in _run
        self._callback(*self._args)
      File "/usr/lib64/python3.6/site-packages/tornado/platform/asyncio.py", line 138, in _handle_events
        handler_func(fileobj, events)
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 702, in _handle_events
        self._handle_read()
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1471, in _handle_read
        self._do_ssl_handshake()
      File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1431, in _do_ssl_handshake
        if not self._verify_cert(self.socket.getpeercert()):
      File "/usr/lib64/python3.6/ssl.py", line 860, in getpeercert
        return self._sslobj.getpeercert(binary_form)
      File "/usr/lib64/python3.6/ssl.py", line 610, in getpeercert
        return self._sslobj.peer_certificate(binary_form)
    ssl.SSLError: unknown error (_ssl.c:959)

    (line 959 of _ssl.c corresponds to `_setSSLError(NULL, 0, __FILE__, __LINE__);`)

    pyca/cryptography#3542 might be of interest for further discussion.
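Added example (not CPython's _ssl.c and not the fix from GH-30351): a minimal DER walker over a constructed subject that shows why forcing every attribute value through a UTF-8 conversion fails on a BIT STRING UniqueIdentifier, and the tag check that avoids it. The tag constants, the OID_NAMES table, the sample bytes and the choice to return a BIT STRING as raw bytes are assumptions made for this example.

```python
"""Type-aware decoding of X.509 subject attribute values (added example, not CPython's code)."""
# DER universal tags used by Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
BIT_STRING, OID, UTF8_STRING, PRINTABLE_STRING, IA5_STRING = 0x03, 0x06, 0x0C, 0x13, 0x16
SEQUENCE, SET = 0x30, 0x31
# Hypothetical OID table: only the two attribute types the sample below needs.
OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.45": "x500UniqueIdentifier"}

def tlv(tag, body):
    """Encode a DER TLV with a short-form length (body shorter than 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the short-form TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths are not needed for this sample"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(body):
    # First byte packs arcs 1 and 2; the remaining arcs here are single bytes (< 128).
    return ".".join(str(a) for a in (body[0] // 40, body[0] % 40, *body[1:]))

def decode_value(tag, body, typed):
    """typed=False forces every value through UTF-8 (the bug); typed=True checks the tag first."""
    if typed and tag == BIT_STRING:
        return body[1:]  # body[0] is the number of unused trailing bits (0 here)
    if typed and tag not in (UTF8_STRING, PRINTABLE_STRING, IA5_STRING):
        raise ValueError("unsupported attribute value tag 0x%02x" % tag)
    return body.decode("utf-8")  # UnicodeDecodeError on the BIT STRING bytes

def parse_name(der, typed=True):
    """Walk the RDN sequence; each RDN in this sample carries one attribute."""
    tag, rdns, _ = read_tlv(der, 0)
    assert tag == SEQUENCE
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        assert tag == SET
        _, atv, _ = read_tlv(rdn, 0)
        tag, oid_body, p = read_tlv(atv, 0)
        assert tag == OID
        vtag, vbody, _ = read_tlv(atv, p)
        oid = decode_oid(oid_body)
        out.append((OID_NAMES.get(oid, oid), decode_value(vtag, vbody, typed)))
    return out

# Constructed sample subject: CN=client plus an x500UniqueIdentifier BIT STRING.
SAMPLE_SUBJECT = tlv(SEQUENCE,
    tlv(SET, tlv(SEQUENCE, tlv(OID, b"\x55\x04\x03") + tlv(UTF8_STRING, b"client")))
    + tlv(SET, tlv(SEQUENCE, tlv(OID, b"\x55\x04\x2d") + tlv(BIT_STRING, b"\x00\xde\xad\xbe\xef"))))
```

`parse_name(SAMPLE_SUBJECT)` returns both attributes, while `parse_name(SAMPLE_SUBJECT, typed=False)` raises on the second one, which is the analogue of the -1 return described above.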

    @kacper kacper mannequin assigned tiran Jan 2, 2022
    @kacper kacper mannequin added 3.7 (EOL) end of life 3.8 only security fixes 3.10 only security fixes 3.11 only security fixes 3.9 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error labels Jan 2, 2022
    @tiran tiran removed 3.7 (EOL) end of life 3.8 only security fixes labels Jan 3, 2022
    @tiran tiran removed their assignment Jan 3, 2022
    @tiran
    Member

    tiran commented Feb 20, 2022

    New changeset be095f6 by Christian Heimes in branch 'main':
    bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

    @miss-islington
    Contributor

    New changeset 633d0f9 by Miss Islington (bot) in branch '3.10':
    bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @hauntsaninja
    Contributor

    Thanks, looks to me like this has been completed
