crypto: use RFC2253 format in PrintGeneralName
For backward compatibility, node uses X509_NAME_oneline to format X509_NAME entries in PrintGeneralName. However, the format produced by this function is non-standard and its use is discouraged. It also does not handle Unicode names correctly.

This change switches to X509_NAME_print_ex with flags that produce an RFC2253-compatible format. Non-ASCII strings are converted to UTF-8 and preserved in the output. Control characters are not escaped by OpenSSL when producing the RFC2253 format because they will be escaped by node in a JSON-compatible manner afterwards.

PR-URL: #42002
Refs: #42001
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
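The second escaping stage the commit message describes, as an added JavaScript model (not Node.js's own C++ code): it takes the RFC2253 text OpenSSL emits with ASN1_STRFLGS_ESC_MSB and ASN1_STRFLGS_ESC_CTRL unset and applies the JSON-compatible escaping that turns the commas, backslashes and control characters into the `\u002c`, `\\` and `\u0000` forms the test expects. The rule set (which characters make a value "unsafe", and how each is written) is inferred from the expected strings in the test hunk, so treat it as an assumption about the real implementation.

```javascript
// Added example: model of Node.js's JSON-compatible GeneralName escaping.
// Rules are inferred from the test expectations on this page, not copied
// from the Node.js sources (assumption).
//
// Input `name` is what OpenSSL's X509_NAME_print_ex produces in RFC2253
// mode with ESC_MSB and ESC_CTRL unset: non-ASCII stays as raw UTF-8 and
// control characters (including NUL) are passed through unescaped.

function isControl(cp) {
  return cp < 0x20 || cp === 0x7f;
}

// A value is emitted verbatim only if it contains nothing that could break
// parsing of the comma-separated list: no '"', '\\', ',' or control
// character. Non-ASCII code points are considered safe (UTF-8 preserved).
function isSafeAltName(name) {
  for (const ch of name) {
    if (ch === '"' || ch === '\\' || ch === ',' || isControl(ch.codePointAt(0))) {
      return false;
    }
  }
  return true;
}

// JSON-compatible escaping: backslash and quote get a backslash prefix,
// commas and control characters become \uXXXX, everything else passes.
function escapeAltName(name) {
  let out = '';
  for (const ch of name) {
    const cp = ch.codePointAt(0);
    if (ch === '\\') out += '\\\\';
    else if (ch === '"') out += '\\"';
    else if (ch === ',' || isControl(cp)) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += ch;
  }
  return out;
}

// prefix is the GeneralName type label ('DirName', 'email', ...); unsafe
// values are wrapped in double quotes so a consumer can tell them apart.
function formatGeneralName(prefix, name) {
  if (isSafeAltName(name)) return `${prefix}:${name}`;
  return `${prefix}:"${escapeAltName(name)}"`;
}

// Constructed sample inputs mirroring the DirName cases in the test.
console.log(formatGeneralName('DirName', 'L=München,C=DE'));
console.log(formatGeneralName('DirName', 'L=Berlin\\, DNS:good.example.com\u0000evil.example.com,C=DE'));
console.log(formatGeneralName('Registered ID', '1.2.840.113549.1.1.11'));
```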
Showing 2 changed files with 42 additions and 26 deletions.
@@ -66,21 +66,21 @@ const { hasOpenSSL3 } = common; | |
'email:[email protected]', | ||
// ... but should be escaped if they contain commas. | ||
'email:"[email protected]\\u002c DNS:good.example.com"', | ||
'DirName:/C=DE/L=Hannover', | ||
// TODO(tniessen): support UTF8 in DirName | ||
'DirName:"/C=DE/L=M\\\\xC3\\\\xBCnchen"', | ||
'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com"', | ||
'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com\\\\x00' + | ||
'evil.example.com"', | ||
'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com\\\\\\\\x00' + | ||
'evil.example.com"', | ||
// These next two tests might be surprising. OpenSSL applies its own rules | ||
// first, which introduce backslashes, which activate node's escaping. | ||
// Unfortunately, there are also differences between OpenSSL 1.1.1 and 3.0. | ||
'DirName:"/C=DE/L=Berlin\\\\x0D\\\\x0A"', | ||
hasOpenSSL3 ? | ||
'DirName:"/C=DE/L=Berlin\\\\/CN=good.example.com"' : | ||
'DirName:/C=DE/L=Berlin/CN=good.example.com', | ||
// New versions of Node.js use RFC2253 to print DirName entries, which | ||
// almost always results in commas, which should be escaped properly. | ||
'DirName:"L=Hannover\\u002cC=DE"', | ||
// Node.js unsets ASN1_STRFLGS_ESC_MSB to prevent unnecessarily escaping | ||
// Unicode characters, so Unicode characters should be preserved. | ||
'DirName:"L=München\\u002cC=DE"', | ||
'DirName:"L=Berlin\\\\\\u002c DNS:good.example.com\\u002cC=DE"', | ||
// Node.js also unsets ASN1_STRFLGS_ESC_CTRL and relies on JSON-compatible | ||
// escaping rules to safely escape control characters. | ||
'DirName:"L=Berlin\\\\\\u002c DNS:good.example.com\\u0000' + | ||
'evil.example.com\\u002cC=DE"', | ||
'DirName:"L=Berlin\\\\\\u002c DNS:good.example.com\\\\\\\\\\u0000' + | ||
'evil.example.com\\u002cC=DE"', | ||
'DirName:"L=Berlin\\u000d\\u000a\\u002cC=DE"', | ||
'DirName:"L=Berlin/CN=good.example.com\\u002cC=DE"', | ||
// Even OIDs that are well-known (such as the following, which is | ||
// sha256WithRSAEncryption) should be represented numerically only. | ||
'Registered ID:1.2.840.113549.1.1.11', | ||
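Review bot: with the `hasOpenSSL3 ?` branch removed from this hunk, the `const { hasOpenSSL3 } = common;` visible in the hunk header may no longer be referenced; if this was its only use in the file, drop it from the destructuring so lint does not report an unused binding. The new expectations are otherwise consistent with each other: every value containing a comma, backslash or control character is quoted, commas become `\u002c`, and the `L=München` case pins down that ASN1_STRFLGS_ESC_MSB is unset. Consider extending the comment above the ASN1_STRFLGS_ESC_CTRL cases to say that an embedded NUL is now surfaced as `\u0000` instead of the old `\\x00`, since that is the observable change the two `evil.example.com` expectations capture.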