Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IP Address SANs are invalid #69

Closed
tsoutsman opened this issue Jan 3, 2022 · 3 comments
Closed

IP Address SANs are invalid #69

tsoutsman opened this issue Jan 3, 2022 · 3 comments

Comments

@tsoutsman
Copy link

Hi,
The IP Address SAN is being encoded as an octet string of length 8 when it should be of length 4. This first four bytes are [48, 6, 135, 4] (decimal), irrelevant of the actual IP address. The last four bytes are the actual IP address. This seems to be related to #25, but that was fixed more than two years ago.

I noticed that the CertificateParams::write_extension method seems to be adding the [135, 4] bytes to the octet string. I've done very little work with ASN.1, so I might be completely missing something, especially considering no one else has recently had this issue.
@est31
Copy link
Member

est31 commented Jan 3, 2022

@tsoutsman Thanks for the report! Do you have an example certificate you could share?

@tsoutsman
Copy link
Author

tsoutsman commented Jan 3, 2022
edited
Loading

Sure, the following code:

use std::net::{IpAddr, Ipv4Addr};

let mut cert_params = rcgen::CertificateParams::default();
cert_params.subject_alt_names = vec![rcgen::SanType::IpAddress(IpAddr::V4(Ipv4Addr::new(
    1, 2, 3, 4,
)))];
let cert = rcgen::Certificate::from_params(cert_params).unwrap();
let cert = cert.serialize_der().unwrap();
println!("{:02x?}", cert);
println!("{:#?}", simple_asn1::from_der(&cert).unwrap());

prints out the following:

// raw key
[30, 82, 01, 4c, 30, 81, f3, a0, 03, 02, 01, 02, 02, 08, 01, cc, d4, 
58, e0, 3d, 19, c9, 30, 0a, 06, 08, 2a, 86, 48, ce, 3d, 04, 03, 02,
 30, 21, 31, 1f, 30, 1d, 06, 03, 55, 04, 03, 0c, 16, 72, 63, 67, 65, 
6e, 20, 73, 65, 6c, 66, 20, 73, 69, 67, 6e, 65, 64, 20, 63, 65, 72,
 74, 30, 20, 17, 0d, 37, 35, 30, 31, 30, 31, 30, 30, 30, 30, 30, 30, 
5a, 18, 0f, 34, 30, 39, 36, 30, 31, 30, 31, 30, 30, 30, 30, 30, 
30, 5a, 30, 21, 31, 1f, 30, 1d, 06, 03, 55, 04, 03, 0c, 16, 72, 63, 
67, 65, 6e, 20, 73, 65, 6c, 66, 20, 73, 69, 67, 6e, 65, 64, 20, 63, 
65, 72, 74, 30, 59, 30, 13, 06, 07, 2a, 86, 48, ce, 3d, 02, 01, 06, 
08, 2a, 86, 48, ce, 3d, 03, 01, 07, 03, 42, 00, 04, 74, 82, 15, c8, 
70, 52, 2a, 96, 83, 46, 96, e5, a9, b2, 75, 77, 91, 89, 61, 38, ee, 
c7, 2b, 50, 28, 9d, dd, 9a, 6c, 66, a3, 17, 56, 9b, 2c, 0c, a4, f4, 
04, b4, 08, db, 6c, e4, 0a, 2a, 84, 29, 5e, 1e, 1b, da, 17, e2, 4f, 
4e, 53, aa, af, f8, a3, 33, 42, 52, a3, 13, 30, 11, 30, 0f, 06, 03, 
55, 1d, 11, 04, 08, 30, 06, 87, 04, 01, 02, 03, 04, 30, 0a, 06, 08, 
2a, 86, 48, ce, 3d, 04, 03, 02, 03, 48, 00, 30, 45, 02, 21, 00, bc, 
f7, a4, 01, b2, a1, 4b, 09, 09, c8, 6e, 5c, cf, 72, c7, d7, 50, ab, ba, 
93, 47, 75, 21, 65, cc, 6a, 7a, 08, df, f6, 60, 74, 02, 20, 63, 
36, e6, 35, b6, b6, 4b, c0, 27, b7, 05, 32, f5, 4b, a7, ae, 87, bb, aa, 
cb, f9, 99, 72, 14, b0, 30, 21, d1, 1d, e2, a3, 77]

// Decoded (The first integer in every item is the offset from the start)
[
    Sequence(
        0,
        [
            // TBSCertificate
            Sequence(
                4,
                [
                    Explicit(
                        ContextSpecific,
                        7,
                        0,
                        // version
                        Integer(
                            9,
                            2,
                        ),
                    ),
                    // serialNumber
                    Integer(
                        12,
                        129711967471213001,
                    ),
                    // signature
                    Sequence(
                        22,
                        [
                            ObjectIdentifier(
                                24,
                                OID(
                                    [
                                        1,
                                        2,
                                        840,
                                        10045,
                                        4,
                                        3,
                                        2,
                                    ],
                                ),
                            ),
                        ],
                    ),
                    // issuer
                    Sequence(
                        34,
                        [
                            Set(
                                36,
                                [
                                    Sequence(
                                        38,
                                        [
                                            ObjectIdentifier(
                                                40,
                                                OID(
                                                    [
                                                        2,
                                                        5,
                                                        4,
                                                        3,
                                                    ],
                                                ),
                                            ),
                                            UTF8String(
                                                45,
                                                "rcgen self signed cert",
                                            ),
                                        ],
                                    ),
                                ],
                            ),
                        ],
                    ),
                    // validity
                    Sequence(
                        69,
                        [
                            UTCTime(
                                71,
                                PrimitiveDateTime {
                                    date: Date {
                                        year: 1975,
                                        ordinal: 1,
                                    },
                                    time: Time {
                                        hour: 0,
                                        minute: 0,
                                        second: 0,
                                        nanosecond: 0,
                                    },
                                },
                            ),
                            GeneralizedTime(
                                86,
                                PrimitiveDateTime {
                                    date: Date {
                                        year: 4096,
                                        ordinal: 1,
                                    },
                                    time: Time {
                                        hour: 0,
                                        minute: 0,
                                        second: 0,
                                        nanosecond: 0,
                                    },
                                },
                            ),
                        ],
                    ),
                    // subject
                    Sequence(
                        103,
                        [
                            Set(
                                105,
                                [
                                    Sequence(
                                        107,
                                        [
                                            ObjectIdentifier(
                                                109,
                                                OID(
                                                    [
                                                        2,
                                                        5,
                                                        4,
                                                        3,
                                                    ],
                                                ),
                                            ),
                                            UTF8String(
                                                114,
                                                "rcgen self signed cert",
                                            ),
                                        ],
                                    ),
                                ],
                            ),
                        ],
                    ),
                    // subjectPublicKeyInfo
                    Sequence(
                        138,
                        [
                            Sequence(
                                140,
                                [
                                    ObjectIdentifier(
                                        142,
                                        OID(
                                            [
                                                1,
                                                2,
                                                840,
                                                10045,
                                                2,
                                                1,
                                            ],
                                        ),
                                    ),
                                    ObjectIdentifier(
                                        151,
                                        OID(
                                            [
                                                1,
                                                2,
                                                840,
                                                10045,
                                                3,
                                                1,
                                                7,
                                            ],
                                        ),
                                    ),
                                ],
                            ),
                            BitString(
                                161,
                                520,
                                [
                                    4,
                                    116,
                                    130,
                                    21,
                                    200,
                                    112,
                                    82,
                                    42,
                                    150,
                                    131,
                                    70,
                                    150,
                                    229,
                                    169,
                                    178,
                                    117,
                                    119,
                                    145,
                                    137,
                                    97,
                                    56,
                                    238,
                                    199,
                                    43,
                                    80,
                                    40,
                                    157,
                                    221,
                                    154,
                                    108,
                                    102,
                                    163,
                                    23,
                                    86,
                                    155,
                                    44,
                                    12,
                                    164,
                                    244,
                                    4,
                                    180,
                                    8,
                                    219,
                                    108,
                                    228,
                                    10,
                                    42,
                                    132,
                                    41,
                                    94,
                                    30,
                                    27,
                                    218,
                                    23,
                                    226,
                                    79,
                                    78,
                                    83,
                                    170,
                                    175,
                                    248,
                                    163,
                                    51,
                                    66,
                                    82,
                                ],
                            ),
                        ],
                    ),
                    // extensions
                    Explicit(
                        ContextSpecific,
                        229,
                        3,
                        Sequence(
                            231,
                            [
                                // subject alternative name
                                Sequence(
                                    233,
                                    [
                                        ObjectIdentifier(
                                            235,
                                            OID(
                                                [
                                                    2,
                                                    5,
                                                    29,
                                                    17,
                                                ],
                                            ),
                                        ),
                                        // Not sure what the first 4 bytes are
                                        OctetString(
                                            240,
                                            [
                                                48,
                                                6,
                                                135,
                                                4,
                                                1,
                                                2,
                                                3,
                                                4,
                                            ],
                                        ),
                                    ],
                                ),
                            ],
                        ),
                    ),
                ],
            ),
            Sequence(
                250,
                [
                    ObjectIdentifier(
                        252,
                        OID(
                            [
                                1,
                                2,
                                840,
                                10045,
                                4,
                                3,
                                2,
                            ],
                        ),
                    ),
                ],
            ),
            BitString(
                262,
                568,
                [
                    48,
                    69,
                    2,
                    33,
                    0,
                    188,
                    247,
                    164,
                    1,
                    178,
                    161,
                    75,
                    9,
                    9,
                    200,
                    110,
                    92,
                    207,
                    114,
                    199,
                    215,
                    80,
                    171,
                    186,
                    147,
                    71,
                    117,
                    33,
                    101,
                    204,
                    106,
                    122,
                    8,
                    223,
                    246,
                    96,
                    116,
                    2,
                    32,
                    99,
                    54,
                    230,
                    53,
                    182,
                    182,
                    75,
                    192,
                    39,
                    183,
                    5,
                    50,
                    245,
                    75,
                    167,
                    174,
                    135,
                    187,
                    170,
                    203,
                    249,
                    153,
                    114,
                    20,
                    176,
                    48,
                    33,
                    209,
                    29,
                    226,
                    163,
                    119,
                ],
            ),
        ],
    ),
]

I also checked with an online decoder so I don't think it's an issue in simple_asn1

@tsoutsman
Copy link
Author

tsoutsman commented Jan 4, 2022
edited
Loading

Upon further inspection, it seems to be an issue with a decoder. The octet string contains another sequence within it which the decoder does not realise. ASN.1 is quite the specification. Sorry for any trouble.

This Stack Overflow post explains it: https://stackoverflow.com/questions/15299201/asn-1-octet-strings

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@est31 @tsoutsman