[erlang-bugs] x509 certificate decoded string representation is wrong
PAILLEAU Eric
eric.pailleau@REDACTED
Wed Sep 3 23:32:32 CEST 2014
Hello,
I confirm it is not seen as PRINTABLESTRING but as default VALUE, using
swab.
Regards
1> {ok, Pem} = file:read_file("/tmp/certificate.pem").
{ok,<<"-----BEGIN
CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJALPOPyhAojyyMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV\nBAYTAkFVMRMwEQY"...>>}
2> swab:sync([{convert,der},{debug,asn1_pp}],Pem).
<0.32.0> : {debug,asn1_pp} =>
SEQUENCE
. SEQUENCE
. . CONSTRUCTOR
. . . INTEGER : 10#2 (16#2)
. . . END
. . INTEGER : 10#12956362620107111602 (16#B3CE3F2840A23CB2)
. . SEQUENCE
. . . OBJECT : {1,2,840,113549,1,1,11}
. . . NULL : <<>>
. . . END
. . SEQUENCE
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,6}
. . . . . PRINTABLESTRING : AU
. . . . . END
. . . . END
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,8}
. . . . . VALUE : Some-State
. . . . . END
. . . . END
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,10}
. . . . . VALUE : Internet Widgits Pty Ltd
. . . . . END
. . . . END
. . . END
. . SEQUENCE
. . . UTCTIME : 140604142612Z (2014-06-04 16:26:12 UTC+2)
. . . UTCTIME : 170603142612Z (2017-06-03 16:26:12 UTC+2)
. . . END
. . SEQUENCE
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,6}
. . . . . PRINTABLESTRING : AU
. . . . . END
. . . . END
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,8}
. . . . . VALUE : Some-State
. . . . . END
. . . . END
. . . SET
. . . . SEQUENCE
. . . . . OBJECT : {2,5,4,10}
. . . . . VALUE : Internet Widgits Pty Ltd
. . . . . END
. . . . END
. . . END
. . SEQUENCE
. . . SEQUENCE
. . . . OBJECT : {1,2,840,113549,1,1,1}
. . . . NULL : <<>>
. . . . END
. . . BIT STRING :
00000000 00 30 82 01 0a 02 82 01 01 00 e4 ce bc 7f 36 1a |.0...........^6.|
00000010 47 51 1f ec 34 f5 a2 80 f0 fd 08 70 2b 67 ae 79 |GQ..4......p+g.y|
00000020 d7 fb 2e 3d 41 ba 05 5a c2 e8 52 1a 91 e0 b2 b5 |...=A..Z..R.....|
00000030 54 a2 bc cf 50 de 06 5d 75 a8 6a f0 f4 23 d2 8c |T...P..]u.j..#..|
00000040 c8 88 58 f1 6c e1 e6 22 3d c7 08 d9 dd 1b 50 18 |..X.l.."=.....P.|
00000050 b7 12 75 60 22 40 c1 3f ed d3 df b3 de 0c cd c4 |..u`"@.?........|
00000060 8a 01 38 12 65 e3 ee 9e 53 96 14 ac 4f f6 27 b5 |..8.e...S...O.'.|
00000070 d8 62 8a ca fa 38 3e dc 11 45 9f e6 e7 4f 7a ec |.b...8>..E...Oz.|
00000080 36 d8 1f c7 7e 4e 0f 80 49 35 98 03 c1 07 ae 90 |6...~N..I5......|
00000090 6b 96 fa 31 74 0f 5e e7 19 22 2f 0b 75 e7 e4 a7 |k..1t.^.."/.u...|
000000a0 0e 18 91 d3 a7 33 cb b5 d0 ff ee 28 25 ea 08 c0 |.....3.....(%...|
000000b0 1e ba 89 a8 7f 2d 57 b7 3d 79 c9 53 ff aa 61 2a |....^-W.=y.S..a*|
000000c0 82 4a 06 2f ab 8d 4b fb 41 52 62 94 c1 a9 16 c9 |.J./..K.ARb.....|
000000d0 ef 65 b1 4f b9 76 96 3d 08 b0 a1 e4 4f ac b0 ba |.e.O.v.=....O...|
000000e0 fc 2d e8 c0 b0 e6 0f 7a 5a 0b ec ca 7e f5 6f d1 |.-.....zZ...~.o.|
000000f0 14 28 0e 8a 95 39 65 68 0f 7a 8a a5 47 56 8b af |.(...9eh.z..GV..|
00000100 5f 9f 2d e0 3e 19 b7 c2 1c f9 02 03 01 00 01 |_.-.>..........|
. . . END
. . CONSTRUCTOR
. . . SEQUENCE
. . . . SEQUENCE
. . . . . OBJECT : {2,5,29,14}
. . . . . OCTET STRING :
00000000 04 14 78 ee 57 90 22 fd a2 62 a8 33 ab 8a 59 ec |..x.W."..b.3..Y.|
00000010 d8 58 22 9c c2 82 |.X"...|
. . . . . END
. . . . SEQUENCE
. . . . . OBJECT : {2,5,29,35}
. . . . . OCTET STRING :
00000000 30 16 80 14 78 ee 57 90 22 fd a2 62 a8 33 ab 8a |0...x.W."..b.3..|
00000010 59 ec d8 58 22 9c c2 82 |Y..X"...|
. . . . . END
. . . . SEQUENCE
. . . . . OBJECT : {2,5,29,19}
. . . . . OCTET STRING :
00000000 30 03 01 01 ff |0....|
. . . . . END
. . . . END
. . . END
. . END
. SEQUENCE
. . OBJECT : {1,2,840,113549,1,1,11}
. . NULL : <<>>
. . END
. BIT STRING :
00000000 00 90 53 ee 1e 45 94 af 76 44 d2 0a 0d ce ce 91 |..S..E..vD......|
00000010 b9 19 cd 64 44 9f 7c 41 57 b6 4f 05 31 05 d4 57 |...dD.|AW.O.1..W|
00000020 ef 62 f1 d2 5b 13 41 25 2b b3 30 54 b6 dc e1 54 |.b..[.A%+.0T...T|
00000030 bf 9d 7a 01 55 06 e2 71 24 ce 3e ad 8b 65 ed 20 |..z.U..q$.>..e. |
00000040 6f bd 98 72 bb 50 94 ca 16 77 03 42 89 b8 e7 bb |o..r.P...w.B....|
00000050 17 48 d2 8e fa 9d f5 92 87 1b f2 e8 ad 6c 27 4a |.H...........l'J|
00000060 90 fd 3d df b1 fb c6 80 a9 fc a8 60 c2 00 69 98 |..=........`..i.|
00000070 d8 f2 5a 69 7b e9 a9 2c b7 c0 83 c8 17 19 e1 08 |..Zi{..,........|
00000080 68 ae 0a b7 15 b9 d6 64 27 05 56 9c 6d bb 8d 87 |h......d'.V.m...|
00000090 79 20 4e 22 f6 cb 79 a0 99 da b4 c4 b4 ac 27 86 |y N"..y.......'.|
000000a0 22 78 d6 5a 0e 9a 02 8e 61 b1 d7 e0 ba 0d 26 33 |"x.Z....a.....&3|
000000b0 25 fe f3 b1 22 c6 81 9f 50 d9 b9 f5 35 96 56 25 |%..."...P...5.V%|
000000c0 9c 16 e2 d4 92 c0 0a 10 29 b3 b1 e2 59 2c 19 d3 |........)...Y,..|
000000d0 d7 e6 c7 5c 81 b2 57 f3 71 65 6f 74 47 c3 42 e4 |...\..W.qeotG.B.|
000000e0 e6 c1 90 ff 76 e2 40 9d 00 62 8f 59 55 ba 5e bb |....v.@REDACTED^.|
000000f0 8c 08 59 6b 99 e5 3e 3f d4 4a 86 2c 1f fc 55 f8 |..Yk..>?.J.,..U.|
00000100 ce |.|
. END
END
{ok,<<48,130,3,93,48,130,2,69,160,3,2,1,2,2,9,0,179,206,
63,40,64,162,60,178,48,13,6,...>>}
Le 03/09/2014 23:00, Daniel Goertzen a écrit :
> Now its my turn to apologize for the late response. :)
>
> I ran the tests again on 17.0 and the same issues exist.
>
>
> Here is my cert generator crashing on a unicode string:
>
> 15> api_app:generate_cert_with_key(1024).
> ** exception error: no match of right hand side value {error,{asn1,badarg}}
> in function pubkey_cert_records:transform/2
> (pubkey_cert_records.erl, line 59)
> in call from lists:map/2 (lists.erl, line 1237)
> in call from pubkey_cert_records:transform/2
> (pubkey_cert_records.erl, line 91)
> in call from pubkey_cert_records:encode_tbs/1
> (pubkey_cert_records.erl, line 306)
> in call from public_key:pkix_encode/3 (public_key.erl, line 268)
> in call from public_key:pkix_sign/2 (public_key.erl, line 472)
> in call from api_app:generate_cert_with_key/1 (src/api_app.erl,
> line 128)
>
>
> The part of the cert with the unicode string was...
>
> Subject = {rdnSequence, [
> [#'AttributeTypeAndValue'{
> type = ?'id-at-commonName',
> value = {utf8String, [16#4e09|" string starting with a
> chinese symbol"]}
> %% value = {utf8String, "embedded self-signed cert"}
> }]
> ]},
>
> It works fine when I swap in the non-unicode string.
>
>
>
>
>
> Here is a certificate and it's decode showing how the text is presented
> as binaries instead of strings (lists).
>
>
>
> goertzen@REDACTED ~/test
> $ cat test.cert
> -----BEGIN CERTIFICATE-----
> MIIDXTCCAkWgAwIBAgIJALPOPyhAojyyMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
> BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
> aWRnaXRzIFB0eSBMdGQwHhcNMTQwNjA0MTQyNjEyWhcNMTcwNjAzMTQyNjEyWjBF
> MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
> ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> CgKCAQEA5M68fzYaR1Ef7DT1ooDw/QhwK2euedf7Lj1BugVawuhSGpHgsrVUorzP
> UN4GXXWoavD0I9KMyIhY8Wzh5iI9xwjZ3RtQGLcSdWAiQME/7dPfs94MzcSKATgS
> ZePunlOWFKxP9ie12GKKyvo4PtwRRZ/m50967DbYH8d+Tg+ASTWYA8EHrpBrlvox
> dA9e5xkiLwt15+SnDhiR06czy7XQ/+4oJeoIwB66iah/LVe3PXnJU/+qYSqCSgYv
> q41L+0FSYpTBqRbJ72WxT7l2lj0IsKHkT6ywuvwt6MCw5g96Wgvsyn71b9EUKA6K
> lTllaA96iqVHVouvX58t4D4Zt8Ic+QIDAQABo1AwTjAdBgNVHQ4EFgQUeO5XkCL9
> omKoM6uKWezYWCKcwoIwHwYDVR0jBBgwFoAUeO5XkCL9omKoM6uKWezYWCKcwoIw
> DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkFPuHkWUr3ZE0goNzs6R
> uRnNZESffEFXtk8FMQXUV+9i8dJbE0ElK7MwVLbc4VS/nXoBVQbicSTOPq2LZe0g
> b72YcrtQlMoWdwNCibjnuxdI0o76nfWShxvy6K1sJ0qQ/T3fsfvGgKn8qGDCAGmY
> 2PJaaXvpqSy3wIPIFxnhCGiuCrcVudZkJwVWnG27jYd5IE4i9st5oJnatMS0rCeG
> InjWWg6aAo5hsdfgug0mMyX+87EixoGfUNm59TWWViWcFuLUksAKECmzseJZLBnT
> 1+bHXIGyV/NxZW90R8NC5ObBkP924kCdAGKPWVW6XruMCFlrmeU+P9RKhiwf/FX4
> zg==
> -----END CERTIFICATE-----
> goertzen@REDACTED ~/test
> $ erl
> Erlang/OTP 17 [erts-6.0.1] [source-deacab9] [64-bit] [smp:3:3]
> [async-threads:10] [hipe] [kernel-poll:false]
>
> Eshell V6.0.1 (abort with ^G)
> 1> {ok, PemBin} = file:read_file("test.cert").
> {ok,<<"-----BEGIN
> CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJALPOPyhAojyyMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV\nBAYTAkFVMRMwEQY"...>>}
> 2> [{'Certificate',Cert,not_encrypted}] = public_key:pem_decode(PemBin).
> [{'Certificate',<<48,130,3,93,48,130,2,69,160,3,2,1,2,2,9,
> 0,179,206,63,40,64,162,60,178,48,13,...>>,
> not_encrypted}]
> 3> OTPCert = public_key:pkix_decode_cert(Cert, otp).
> {'OTPCertificate',{'OTPTBSCertificate',v3,
> 12956362620107111602,
>
> {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
>
> {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,6},"AU"}],
>
> [{'AttributeTypeAndValue',{2,5,4,8},
> *{utf8String,<<"Some-State">>*}}],
>
> [{'AttributeTypeAndValue',{2,5,4,10},
> *{utf8String,<<"Internet Widgits Pty Ltd">>}*}]]},
>
> {'Validity',{utcTime,"140604142612Z"},
>
> {utcTime,"170603142612Z"}},
>
> {rdnSequence,[[{'AttributeTypeAndValue',{2,5,4,6},"AU"}],
>
> [{'AttributeTypeAndValue',{2,5,4,8},
> {utf8String,<<"Some-State">>}}],
>
> [{'AttributeTypeAndValue',{2,5,4,10},
> {utf8String,<<"Internet Widgits Pty Ltd">>}}]]},
>
> {'OTPSubjectPublicKeyInfo',{'PublicKeyAlgorithm',{1,2,840,
> 113549,1,1,1},
> 'NULL'},
>
> {'RSAPublicKey',28884279009285790301669924467575946032489944489699263464818187209641451094053086029317223819905552232804663206681799701028265354352239301173419976030286993076554223850305834956052085323986279172838215343728630359816997644527827805951010425788227425209795979178217250409900809512057807966976585078052255837974497261381284713573904257439066194709912683930375930487604830660421775765930552658716300974673840116044766673767999239289293469792318108847067157652307614870531765029586512631237561271128048065184664689086457528061690000433623928374995254617336829376087731238998361247235770397685269871591203885794507056356601,
> 65537}},
> asn1_NOVALUE,asn1_NOVALUE,
> [{'Extension',{2,5,29,14},
> false,
>
> [120,238,87,144,34,253,162,98,168,51,171|...]},
> {'Extension',{2,5,29,35},
> false,
>
> {'AuthorityKeyIdentifier',[120,238,87,144,34,253,162,98|...],
> asn1_NOVALUE,asn1_NOVALUE}},
> {'Extension',{2,5,29,19},
> false,
>
> {'BasicConstraints',true,asn1_NOVALUE}}]},
> {'SignatureAlgorithm',{1,2,840,113549,1,1,11},'NULL'},
> {0,
> <<144,83,238,30,69,148,175,118,68,210,10,13,206,206,145,
> 185,25,205,100,68,159,124,65,...>>}}
> 4>
>
>
> Dan.
>
>
> On Thu, Jul 31, 2014 at 9:50 AM, Ingela Anderton Andin
> <Ingela.Anderton.Andin@REDACTED
> <mailto:Ingela.Anderton.Andin@REDACTED>> wrote:
>
> Hi!
>
> Sorry for the late answer. Was this pre 17.0 or 17.0 ? There was a
> unicode fix in 17.0 the accidentally seems to have been lost in the
> release notes. If you still have problems could you please send us a
> sample cert that fails to speed up the process.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>
>
> On 06/12/2014 10:57 PM, Daniel Goertzen wrote:
>
> In the public_key application, decoding of attributes in x509
> certificates does not always decode to a string as indicated in the
> documentation. The documentation says that the value of
> commonName (and
> several other attributes) should be:
>
> special_string() = {teletexString, string()} | {printableString,
> string()} | {universalString, string()} | {utf8String, string()} |
> {bmpString, string()}
>
> ... however when I decode a cert I see a utf8String coming out as a
> binary instead of a string()....
>
> [{'AttributeTypeAndValue',
> {2,5,4,3},
> {utf8String,<<"Daniel Goertzen">>}}],
>
> ... and typer shows several other non-string representations
> (unicode
> characters represented by 4-tuples):
>
> -spec dec_X520CommonName(_) ->
> {'bmpString',[byte() | {byte(),byte(),byte(),byte()}] |
> {byte(),binary()}} |
> {'printableString',[byte() | {byte(),byte(),byte(),byte()}] |
> {byte(),binary()}} |
> {'teletexString',[byte() | {byte(),byte(),byte(),byte()}] |
> {byte(),binary()}} |
> {'universalString',[byte() | {byte(),byte(),byte(),byte()}] |
> {byte(),binary()}} |
> {'utf8String',_}.
>
>
>
> Also, encoding does not accept unicode strings (list of chars). The
> example below crashes.
>
> Subject = {rdnSequence, [
> [#'AttributeTypeAndValue'{
> type = ?'id-at-commonName',
> value = {utf8String, [16#4e09|" string starting with a
> chinese symbol"]}
> }]
> ]},
>
>
>
> I assume that the documentation is right and the decoded
> representation
> should be "list of characters". Instead internal
> representations are
> coming through.
>
>
> _________________________________________________
> erlang-bugs mailing list
> erlang-bugs@REDACTED <mailto:erlang-bugs@REDACTED>
> http://erlang.org/mailman/__listinfo/erlang-bugs
> <http://erlang.org/mailman/listinfo/erlang-bugs>
>
>
> _________________________________________________
> erlang-bugs mailing list
> erlang-bugs@REDACTED <mailto:erlang-bugs@REDACTED>
> http://erlang.org/mailman/__listinfo/erlang-bugs
> <http://erlang.org/mailman/listinfo/erlang-bugs>
>
>
>
>
> _______________________________________________
> erlang-bugs mailing list
> erlang-bugs@REDACTED
> http://erlang.org/mailman/listinfo/erlang-bugs
>
More information about the erlang-bugs
mailing list