Error_Packet_Parsing with Netscape Comment in Certificate #242

Closed
nikomi opened this issue Jun 29, 2017 · 13 comments

Comments

@nikomi

nikomi commented Jun 29, 2017

Hi,

while testing 1.3.11 we found the following issue when connecting to a server providing a certificate containing a Netscape Comment extension:

TlsExceptionHostPort (HandshakeFailed (Error_Packet_Parsing
  Failed reading: error certificate parsing 0:signed object error:
    "fromASN1: X509.ExtensionRaw: OID=[2,16,840,1,113730,1,13]: cannot decode data: ParsingPartial"
    From: handshake[HandshakeType_Certificate]

See http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html

This is what OpenSSL says the certificate contains:

        X509v3 extensions:
            Netscape Comment: 
                Puppet Ruby/OpenSSL Internal Certificate

Do you think the problem could be in TLS or rather in the ASN.1 libs?

@vincenthz
Collaborator

vincenthz commented Jun 29, 2017

It's definitely a low-level problem either in x509 or in asn.1 (not tls's fault I would assume). Any chance this certificate is public (or, worst case, can be sent to me semi-privately)?

@nikomi
Author

nikomi commented Jun 29, 2017

Sorry, it's a company cert :-(

@vincenthz
Collaborator

vincenthz commented Jun 29, 2017

x509 certs don't contain private information; there's no non-public cryptographic material (AFAIK). In any case, if I can't see the cert or something exhibiting the exact same problem, I won't be able to help/fix the issue. As a tip, you can use the x509-util haskell package to drive your debugging.

@nikomi
Author

nikomi commented Jun 29, 2017

Our admins created a certificate showing the same problem which I am allowed to give away.

How could I get this to you?

@vincenthz
Collaborator

Send it to my email (listed on github).

@nikomi
Author

nikomi commented Jun 30, 2017

You have mail :-)

Thanks for looking into this!

@ocheron
Contributor

ocheron commented Jul 12, 2017

What is the status on this issue?

I couldn't reproduce with a certificate I generated.
But I see that this kind of failure was already reported in haskell-tls/hs-certificate#66:
there we have 23 ParsingPartial exceptions for extension "Subject Alternative Name".

Looking at those 23 certificates, the OctetString containing the ASN.1 of the extension value is padded with an extra 0x00 byte. openssl x509 accepts the certificates but not gnutls-certtool -i.
So maybe it's the same for the Netscape Comment here.

@vincenthz
Collaborator

vincenthz commented Jul 22, 2017

@nikomi could you re-try using x509-1.7.1? It should be fixed now I think. The netscape comment extension violates the format of all the other extensions, which is a bytestring that contains ASN1; in the case of the netscape comment it just contains an ASCII string.

@vdukhovni
Collaborator

I also have run into an example certificate that exhibits the problem. The Netscape comment is encoded directly as the octet string of the extension, from openssl asn1parse I get:

  688:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
  699:d=5  hl=2 l=  40 prim: OCTET STRING      :Puppet Ruby/OpenSSL Internal Certificate

while when I ask OpenSSL to generate a "Netscape Comment" extension with payload "This is a comment", I get:

  509:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
  520:d=5  hl=2 l=  19 prim: OCTET STRING      [HEX DUMP]:161154686973206973206120636F6D6D656E74

which has tag (22) and length (17). So it seems that the standard encoding of Netscape Comments is as an IA5String, but openssl also accepts a variant form with no tag/length.

Attaching variant.pem (observed on live SMTP server) and normal.pem generated via OpenSSL conf file with nsComment = "This is a comment"

normal.pem.txt
variant.pem.txt

The parser reports the same value when asked for "text":

$ openssl x509 -text -in /tmp/normal.pem.txt | grep -A1 "Netscape Comment"
            Netscape Comment: 
                This is a comment
$ openssl x509 -text -in /tmp/variant.pem.txt | grep -A1 "Netscape Comment"
            Netscape Comment: 
                Puppet Ruby/OpenSSL Internal Certificate

This variant of an extension we can safely ignore should not, I think, prevent processing of the certificate as a whole.
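To make the two encodings concrete, here is an added example (written for this page, not code from the tls, x509 or hs-certificate projects, and in Python rather than the projects' Haskell) that parses an X.509 Extension with a small hand-rolled DER reader and accepts the Netscape Comment value in both forms discussed above: the standard OCTET STRING wrapping an IA5String, and the variant where the OCTET STRING holds the bare text. It also tolerates the trailing 0x00 padding ocheron observed in hs-certificate#66 as a third, labelled case. The sample extensions are constructed inline from the asn1parse output quoted in this comment (the OID bytes for 2.16.840.1.113730.1.13 and the hex dump of the normal value); the labels "ia5", "raw" and "ia5_padded" and all function names are my own.

```python
"""Decode a Netscape Comment extension in its standard and variant encodings.
Added example; not code from the tls/x509 Haskell projects."""

NS_COMMENT_OID = "2.16.840.1.113730.1.13"


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, content, end_pos).
    Rejects truncated data and indefinite or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:end], end


def oid_from_der(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("bad OID encoding")
    first = arcs[0]
    x = 2 if first >= 80 else first // 40  # first two arcs are packed as 40*X + Y
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs[1:])


def parse_extension(der: bytes):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. Returns (oid, critical, extnValue content)."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extension is not a single SEQUENCE")
    tag, oid_bytes, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("extnID is not an OBJECT IDENTIFIER")
    critical = False
    tag, content, nxt = read_tlv(seq, pos)
    if tag == 0x01:  # optional BOOLEAN
        critical = content != b"\x00"
        tag, content, nxt = read_tlv(seq, nxt)
    if tag != 0x04 or nxt != len(seq):
        raise ValueError("extnValue is not the final OCTET STRING")
    return oid_from_der(oid_bytes), critical, content


def decode_netscape_comment(ext_value: bytes):
    """Return (form, text). 'ia5': OCTET STRING wraps an IA5String (standard);
    'ia5_padded': same but followed only by 0x00 bytes; 'raw': the OCTET STRING
    holds bare text (the variant seen on the live server)."""
    try:
        tag, inner, end = read_tlv(ext_value)
        if tag == 0x16:  # IA5String
            trailing = ext_value[end:]
            if not trailing:
                return "ia5", inner.decode("ascii")
            if trailing == b"\x00" * len(trailing):
                return "ia5_padded", inner.decode("ascii")
    except ValueError:
        pass  # not a well-formed TLV at all: fall through to the bare-text form
    # Bare printable text cannot start with 0x16, so the fallback is unambiguous here.
    return "raw", ext_value.decode("ascii")


# Constructed samples reproducing the asn1parse output quoted in the issue.
OID_DER = bytes.fromhex("608648 01 86F842 01 0D".replace(" ", ""))  # 2.16.840.1.113730.1.13
NORMAL_VALUE = bytes.fromhex("161154686973206973206120636F6D6D656E74")  # l=19
VARIANT_VALUE = b"Puppet Ruby/OpenSSL Internal Certificate"  # l=40, no tag/length


def build_extension(ext_value: bytes) -> bytes:
    """Wrap an extnValue in a non-critical Netscape Comment Extension SEQUENCE."""
    return der_tlv(0x30, der_tlv(0x06, OID_DER) + der_tlv(0x04, ext_value))


NORMAL_EXT = build_extension(NORMAL_VALUE)
VARIANT_EXT = build_extension(VARIANT_VALUE)


def comment_from_extension(der: bytes):
    """Parse an Extension and, if it is a Netscape Comment, decode its text."""
    oid, _critical, value = parse_extension(der)
    if oid != NS_COMMENT_OID:
        raise ValueError(f"not a Netscape Comment extension: {oid}")
    return decode_netscape_comment(value)


if __name__ == "__main__":
    for ext in (NORMAL_EXT, VARIANT_EXT):
        print(comment_from_extension(ext))
```

Both constructed inputs decode to the same text OpenSSL prints, which is the point vdukhovni makes: a strict parser that only accepts the tagged IA5String rejects the whole certificate, while a lenient one can classify the value and carry on. Keep the leniency confined to this non-critical, informational extension; the same fallback would be a bad idea for an extension whose contents affect validation.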

@nikomi
Author

nikomi commented Jul 25, 2017

Sorry, I've been on holiday... I'll try to test the new lib as soon as I get hold of a colleague I need to do this.

Thanks for your support!

@vdukhovni
Collaborator

I can confirm that the site with the variant Netscape comment in its certificate works with x509-1.7.1. Will let you know if anything else breaks...

@vincenthz
Collaborator

Let's close for now, and if this is not sorted you're both welcome to create a new issue.

@nikomi
Author

nikomi commented Aug 1, 2017

Sorry, I have not managed to grab the colleague yet... holiday season takes its toll...

I whole-heartedly agree to close this for now, and thanks again for your support!
