fidm / x509

Pure JavaScript X509 certificate tools for Node.js
https://fidm.github.io/x509/
MIT License

Parsing PEM certificate exchanges content of issuingCertificateURL and ocspServer #4

Open lemmingucwcz opened 5 years ago

lemmingucwcz commented 5 years ago

When I parse the certificate attached below like this:

    const parsed = Certificate.fromPEM(fs.readFileSync('cert.pem'));

the resulting object has properties as follows:

    issuingCertificateURL: "http://ocsp.ica.cz/pca15_rsa"
    ocspServer: "http://s.ica.cz/pca15_rsa.cer"

However, these values should be switched, which is clear from their contents; also, parsing the certificate with the openssl tool shows them OK:

        Authority Information Access:
            CA Issuers - URI:http://s.ica.cz/pca15_rsa.cer
            OCSP - URI:http://ocsp.ica.cz/pca15_rsa

Certificate in question:


If you need more info, feel free to contact me.

lemmingucwcz commented 5 years ago

I got another cert which has (according to openssl) three CA Issuers and no OCSP link. Yet in the parsed certificate one issuer is in issuingCertificateURL, the second in ocspServer, and the third is not shown. It seems you always take the first value as issuingCertificateURL and the second as ocspServer without checking OIDs...
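
The OID check the second comment asks for, as an added example that is not part of the original thread or the fidm/x509 code: it parses the DER value of an Authority Information Access extension and sorts each URI by its accessMethod OID (id-ad-caIssuers or id-ad-ocsp), keeping every entry instead of one per field. The helper names and the `ca.example` URLs are assumptions made for this example, and the sample inputs are constructed in the code.

```javascript
const OID_OCSP = Buffer.from('2b06010505073001', 'hex');       // 1.3.6.1.5.5.7.48.1
const OID_CA_ISSUERS = Buffer.from('2b06010505073002', 'hex'); // 1.3.6.1.5.5.7.48.2

// Read one DER TLV at `pos`; handles short and long-form lengths.
function readTLV(buf, pos) {
  if (pos + 2 > buf.length) throw new Error('truncated DER header');
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > buf.length) throw new Error('bad DER length');
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error('truncated DER value');
  return { tag: buf[pos], value: buf.subarray(start, start + len), end: start + len };
}

// AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription { accessMethod, accessLocation }
function parseAIA(der) {
  const out = { issuingCertificateURL: [], ocspServer: [] };
  const seq = readTLV(der, 0);
  if (seq.tag !== 0x30) throw new Error('AIA must be a SEQUENCE');
  for (let pos = 0; pos < seq.value.length;) {
    const desc = readTLV(seq.value, pos);
    pos = desc.end;
    if (desc.tag !== 0x30) throw new Error('AccessDescription must be a SEQUENCE');
    const method = readTLV(desc.value, 0);
    const location = readTLV(desc.value, method.end);
    if (method.tag !== 0x06 || location.tag !== 0x86) continue; // keep URI locations only
    const uri = location.value.toString('latin1');
    if (method.value.equals(OID_CA_ISSUERS)) out.issuingCertificateURL.push(uri);
    else if (method.value.equals(OID_OCSP)) out.ocspServer.push(uri);
  }
  return out;
}

// Constructed sample inputs: DER-encode (OID, URI) pairs; bodies must be under 256 bytes.
const tlv = (tag, body) => Buffer.concat([
  Buffer.from(body.length < 128 ? [tag, body.length] : [tag, 0x81, body.length]), body]);
const buildAIA = (pairs) => tlv(0x30, Buffer.concat(pairs.map(([oid, uri]) =>
  tlv(0x30, Buffer.concat([tlv(0x06, oid), tlv(0x86, Buffer.from(uri, 'latin1'))])))));
// Same entries and order as the openssl output in the first comment.
const FIRST_CERT_AIA = buildAIA([
  [OID_CA_ISSUERS, 'http://s.ica.cz/pca15_rsa.cer'], [OID_OCSP, 'http://ocsp.ica.cz/pca15_rsa']]);
// Three CA Issuers and no OCSP, as in the second comment (URLs are placeholders).
const THREE_ISSUERS_AIA = buildAIA(['a', 'b', 'c'].map(
  (h) => [OID_CA_ISSUERS, `http://${h}.ca.example/intermediate-ca.cer`]));
console.log(parseAIA(FIRST_CERT_AIA), parseAIA(THREE_ISSUERS_AIA));
```

Returning arrays keeps all three CA Issuers entries and leaves `ocspServer` empty when the certificate carries no OCSP responder, so a caller never mistakes an issuer URL for a revocation endpoint.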