Ephenodrom / Dart-Basic-Utils

A dart package for many helper methods fitting common situations
MIT License

X509Utils crash when cert has no CN but a SAN #28

Closed cconstab closed 3 years ago

cconstab commented 4 years ago

I am checking certificates to see if the SAN/CN matches what I am expecting, and everything worked just fine until I started using certificates from BUYPASS.COM.

I use the same code with a LetsEncrypt and/or a ZeroSSL cert and everything works as expected, I guess because they both include a CN/Subject. Interestingly, everything also works fine with a cert with a CN/Subject and SAN. Example cert for that below, also from stackoverflow.

Being a European CA, they give out certificates without a CN but with a SAN, and that causes a failure:

```
Unhandled exception: type 'ASN1Boolean' is not a subtype of type 'ASN1OctetString' in type cast
#0 X509Utils._fetchSansFromExtension (package:basic_utils/src/X509Utils.dart:504:25)
#1 X509Utils.x509CertificateFromPem. (package:basic_utils/src/X509Utils.dart:368:18)
#2 List.forEach (dart:core-patch/growable_array.dart:282:8)
#3 X509Utils.x509CertificateFromPem (package:basic_utils/src/X509Utils.dart:364:28)
#4 main (file:///C:/Users/colin/Github/certcheck/bin/certcheck.dart:8:24)
#5 _startIsolate. (dart:isolate-patch/isolate_patch.dart:299:32)
#6 _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:168:12)

Process finished with exit code 255
```

Small bit of sample code:

```dart
import 'dart:io';

import 'package:basic_utils/basic_utils.dart';

void main(List<String> arguments) {
  // Read the PEM-encoded certificate and parse it.
  var x509Pem = new File('testlab.pem').readAsStringSync();
  var data = X509Utils.x509CertificateFromPem(x509Pem);

  // Subject Alternative Names from the SAN extension.
  var subjectAlternativeName = data.subjectAlternativNames;
  print("SAN: ${subjectAlternativeName}");

  // Common Name, looked up by its OID (2.5.4.3) in the subject.
  var commonName = data.subject["2.5.4.3"];
  print("CN: ${commonName}");
  print("---------------");
}
```

And a test.lab.shaduf.com cert to test with:


And the StackOverflow cert with CN and SAN


Ephenodrom commented 4 years ago

@cconstab

I checked the parsing method with a lot of different PEMs from different CAs like DigiCert, Sectigo and GlobalSign. But I never had a Certificate without a common name. I will update the method next week, so it will be able to parse X509 without subject data and will therefore take the common name out of the SAN list.

I will let you know when this is done.

Regards

Ephenodrom commented 4 years ago

@cconstab Busy week, will take a look at this next week.

Regards

cconstab commented 4 years ago

Busy here too! Thanks so much. Colin

Ephenodrom commented 4 years ago

@cconstab Release 2.7.0-rc.1 is out now. Please check if this works now.

cconstab commented 4 years ago

Thanks I will check and let you know!

cconstab commented 3 years ago

Works Perfectly THANK YOU from all of our dev team!

```
Server viewpoint Connected from:
SAN: [test.lab.shaduf.com]
CN: null
```

Ephenodrom commented 3 years ago

@cconstab Nice to hear. Feel free to create an issue for feature requests if you have some nice ideas on how to improve this package.
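
The `ASN1Boolean` to `ASN1OctetString` cast failure reported at the top of this thread is the shape of error a parser produces when it treats the second element of an X.509 Extension as the OCTET STRING unconditionally: RFC 5280 places an optional `critical BOOLEAN` in that position and requires subjectAltName to be marked critical when the subject is empty. The following is an added example, not code from basic_utils or from anyone in the thread, showing a dependency-free Dart parse that accepts both layouts; `Tlv`, `readTlv`, `sanDnsNames`, `sampleSan` and the host name are hypothetical, and the sample bytes are constructed.

```dart
import 'dart:convert';
import 'dart:typed_data';

class Tlv {
  final int tag, next; // next: offset just past this element
  final Uint8List value;
  Tlv(this.tag, this.value, this.next);
}

// Reads one definite-length DER element at [off], rejecting truncated input.
Tlv readTlv(Uint8List b, int off) {
  if (off + 2 > b.length) throw FormatException('truncated header');
  var len = b[off + 1], p = off + 2;
  if ((len & 0x80) != 0) {
    final n = len & 0x7f; // long form: n length bytes follow
    if (n == 0 || n > 4 || p + n > b.length) throw FormatException('bad length');
    for (len = 0; p < off + 2 + n; p++) len = (len << 8) | b[p];
  }
  if (p + len > b.length) throw FormatException('truncated value');
  return Tlv(b[off], Uint8List.sublistView(b, p, p + len), p + len);
}

// dNSName entries of one Extension, assuming it is subjectAltName (2.5.29.17).
List<String> sanDnsNames(Uint8List extensionDer) {
  final ext = readTlv(extensionDer, 0); // Extension ::= SEQUENCE
  final oid = readTlv(ext.value, 0); // extnID
  var field = readTlv(ext.value, oid.next);
  // critical BOOLEAN DEFAULT FALSE: present only when TRUE, so skip if seen.
  if (field.tag == 0x01) field = readTlv(ext.value, field.next);
  if (ext.tag != 0x30 || field.tag != 0x04) throw FormatException('not an Extension');
  final names = readTlv(field.value, 0); // GeneralNames ::= SEQUENCE
  final out = <String>[];
  for (var p = 0; p < names.value.length;) {
    final gn = readTlv(names.value, p);
    if (gn.tag == 0x82) out.add(ascii.decode(gn.value)); // [2] dNSName
    p = gn.next;
  }
  return out;
}
// Constructed sample extension (not taken from the certificates in the thread).
Uint8List sampleSan(String host, {required bool critical}) {
  final n = ascii.encode(host);
  final body = [0x06, 0x03, 0x55, 0x1d, 0x11, if (critical) ...[0x01, 0x01, 0xff],
    0x04, n.length + 4, 0x30, n.length + 2, 0x82, n.length, ...n];
  return Uint8List.fromList([0x30, body.length, ...body]);
}

void main() {
  for (final c in [false, true]) print(sanDnsNames(sampleSan('host.example.test', critical: c)));
}
```

A hostname check built on a parser like this should fail closed on `FormatException` rather than fall back to the CN, since a certificate with an empty subject has no CN to fall back to.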