PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

Incorrect IPv6 address presentation double colon '::' instead of single colon ':' without replacing zero blocks #407

Closed mb closed 1 month ago

mb commented 1 month ago

Originally filed as Bug 1881524 - Incorrect IPv6 address presentation in certificate view

[...] Steps to reproduce:

  1. Open a new Firefox window and visit https://9.9.9.9/dns-query
  2. Click the lock pad and finally click the View Certificate

Actual results:

In the View Certificate page the IP Address listed for object "Subject Alt Names" has incorrect format, e.g. "IP Address 2620::fe:0000:0000:0000:0000:0000:0009" (See attachment picture)

Expected results: [...] There should be ONE colon between "2620" and "fe"

So likely either of those two are expected:

Moving the bug report from bugzilla to hopefully the correct issue tracker.

microshine commented 1 month ago

@mb The PKIjs module does not implement logic for converting IP address values from OCTET STRING to text representation. I reviewed the script at certDecoder.mjs:150 in Firefox and noticed that this script converts the hexadecimal representation of the address incorrectly.

Here is the current implementation in Firefox:

```javascript
address
  .toLowerCase()
  .match(/.{1,4}/g)
  .join(":")
  .replace(/\b:?(?:0+:?){2,}/, "::");
```

If the address is 262000FE000000000000000000000009, the result will be 2620::fe:0000:0000:0000:0000:0000:0009.

Here is a potential solution for this issue:

```javascript
address
  .toLowerCase()
  .match(/.{1,4}/g)
  .map(segment => parseInt(segment, 16).toString(16))
  .join(":")
  .replace(/(^|:)0(:0)+(:|$)/, '::')
  .replace(/(^|:)0+([1-9a-f])/, '$1$2');
```

With this solution, the result will be 2620:fe::9, but this implementation needs to be tested with other values to ensure it works correctly in all cases.
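An added example (not from this thread, Firefox, or PKI.js) covering the other values the comment above says still need testing: it formats the 32-hex-digit address per RFC 5952, compressing only the longest run of two or more zero groups. The function names `legacyFormat` and `formatIPv6Hex` are hypothetical; `legacyFormat` wraps the expression quoted above so both can be compared on the same input.

```javascript
// Added example, not PKI.js or Firefox code. Function names are hypothetical.

// The expression quoted in the thread, wrapped in a function for comparison.
function legacyFormat(address) {
  return address
    .toLowerCase()
    .match(/.{1,4}/g)
    .join(":")
    .replace(/\b:?(?:0+:?){2,}/, "::");
}

// RFC 5952 text form for the 16-byte iPAddress value given as 32 hex digits.
function formatIPv6Hex(hex) {
  if (!/^[0-9a-fA-F]{32}$/.test(hex)) {
    throw new TypeError("expected 32 hex digits (16-byte IPv6 address)");
  }
  // Parse each 16-bit group to a number so zero detection is numeric, not textual.
  const groups = hex.match(/.{4}/g).map((g) => parseInt(g, 16));

  // Find the longest run of zero groups; the strict '>' keeps the first on a tie.
  let bestStart = -1, bestLen = 0;
  for (let i = 0; i < groups.length; ) {
    if (groups[i] !== 0) { i++; continue; }
    let j = i;
    while (j < groups.length && groups[j] === 0) j++;
    if (j - i > bestLen) { bestStart = i; bestLen = j - i; }
    i = j;
  }

  const text = (part) => part.map((g) => g.toString(16)).join(":");
  // A single zero group is never shortened to "::".
  if (bestLen < 2) return text(groups);
  return text(groups.slice(0, bestStart)) + "::" + text(groups.slice(bestStart + bestLen));
}
```

Validating the input length first matters for a certificate viewer: a malformed SAN value is rejected instead of being rendered as a plausible-looking address.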

mb commented 1 month ago

Thanks a lot, that is really helpful! I'm sorry for the trouble :see_no_evil:. So it is a problem in Firefox after all. I tried to find the source of the value, but couldn't and was relying on comment 2 for the report. Let's close this bug here.

rmhrisk commented 1 month ago

@mb, the Firefox certificate viewer was implemented before we had the https://github.com/peculiarventures/PVCertViewer/ project, which encapsulates all the necessary display magic to do this well. For what it is worth I just checked and we do show the values correctly.