Certificate SAN values with non-standard string input types throw errors on importing.

[IsaacCalligeros95]

Severity

Sev 2

Version

All, Latest

Latest Version

None

What happened?

Importing certificates with non-standard SAN values like 1.3.6.1.4.1.111.20.2.3;UTF8:0111111111@test.gov fail

Reproduction

• openssl genrsa -out ca.key 2048

  cat > csr.conf <<EOF
  [req]
  distinguished_name = req_distinguished_name
  req_extensions = v3_req
  prompt = no
  [req_distinguished_name]
  C = US
  ST = VA
  L = SomeCity
  O = MyCompany
  OU = MyDivision
  CN = www.company.com
  [v3_req]
  keyUsage = keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names
  [alt_names]
  DNS.1 = www.company.com
  DNS.2 = company.com
  DNS.3 = www.company.net
  DNS.4 = company.net
  otherName.1 = 1.3.6.1.4.1.111.20.2.3;UTF8:0111111111@test.gov
  EOF

• openssl req -new -sha256 -key ca.key -out ca.csr -config csr.conf

• openssl x509 -req -sha256 -days 730 -in ca.csr -signkey ca.key -out ca.crt

• openssl genrsa -out server.key 2048

• openssl req -new -sha256 -key server.key -out server.csr -config csr.conf

  cat > cert.conf <<EOF
  authorityKeyIdentifier=keyid,issuer
  basicConstraints=CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  subjectAltName = @alt_names
  [alt_names]
  DNS.1 = www.company.com
  DNS.2 = company.com
  DNS.3 = www.company.net
  DNS.4 = company.net
  otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:0111111111@test.gov
  EOF

• openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile cert.conf

• openssl x509 -inform pem -in server.crt -outform der -out san_certificate.der

• Import the certificate into Octopus.

Error and Stacktrace

Unable to cast object of type Byte[] to type string.

More Information

No response

Workaround

No response

[octoreleasebot]

Release Note: Fixed an issue where certificate metadata validation returns a byte array and throws an exception when using non string inputs like otherName.1 = 1.3.6.1.4.1.111.20.2.3;UTF8:<mailto:0111111111@test.gov|0111111111@test.gov>

[Octobob]

:tada: The fix for this issue has been released in:

Release stream	Release
2024.1	2024.1.12849
2024.2	2024.2.9206
2024.3	2024.3.3183
2024.4+	all releases