jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org

Inconsistent #to_der implementation in OpenSSL #23

Open headius opened 9 years ago

headius commented 9 years ago

From http://jira.codehaus.org/browse/JRUBY-7092

The following script produces different results on JRuby versus MRI:

```ruby
require 'openssl'

puts "RUBY_ENGINE #{RUBY_ENGINE}"
puts "RUBY_VERSION #{RUBY_VERSION}"

cert_content = <<CERT_STRING
-----BEGIN CERTIFICATE-----
MIICUTCCAboCCQDUhZE3BTJJhjANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKU29tZS1TdGF0ZTENMAsGA1UEChMEdGVzdDENMAsGA1UECxME
dGVzdDENMAsGA1UEAxMEdGVzdDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNv
bTAeFw0xMzAyMDQyMzQwMjRaFw0xNDAyMDQyMzQwMjRaMG0xCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpTb21lLVN0YXRlMQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQLEwR0
ZXN0MQ0wCwYDVQQDEwR0ZXN0MRwwGgYJKoZIhvcNAQkBFg10ZXN0QHRlc3QuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+x90TmmitBsEgQYM2E06lvUm3
gdwVdpa0w0Lfykbz6jRS/o7IlpDVbedTpdDfQLl4f/XAEKaU9qg8nQH29BXhFh8y
cvV7Jp4t15a5w+bDqmbC6F21P6GFeDJjlTKN3UtJ6KvbMIp4AGsY5Tlc2q8KvjYQ
K2H21ufwLWQeIBbbFwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAHQAYl1N214nksSM
tp8OFTOtUexFNrfSV75s3+DTHOT3I61NDYxo7EqieJjsc4noHhEF4DRFVbe4+e51
IWNIpBw8O1+JKg2kWsg5qoVTYe5rtCqW5UH5zfni9OPr/McPz05bnauNltPzyGup
b+Wi3RJg/Iygc0bMNejB0FcPyDWh
-----END CERTIFICATE-----
CERT_STRING

certificate = OpenSSL::X509::Certificate.new cert_content
puts "Hex String representation of to_der:"
puts certificate.public_key.to_der.unpack('H*')
```

Here's what I get on JRuby master:

```
~/projects/jruby $ jruby blah.rb
RUBY_ENGINE jruby
RUBY_VERSION 2.2.0
Hex String representation of to_der:
30818902818100bec7dd139a68ad06c120418336134ea5bd49b781dc157696b4c342dfca46f3ea3452fe8ec89690d56de753a5d0df40b9787ff5c010a694f6a83c9d01f6f415e1161f3272f57b269e2dd796b9c3e6c3aa66c2e85db53fa18578326395328ddd4b49e8abdb308a78006b18e5395cdaaf0abe36102b61f6d6e7f02d641e2016db170203010001

~/projects/jruby $ rvm ruby-2.2 do ruby blah.rb
RUBY_ENGINE ruby
RUBY_VERSION 2.2.0
Hex String representation of to_der:
30819f300d06092a864886f70d010101050003818d0030818902818100bec7dd139a68ad06c120418336134ea5bd49b781dc157696b4c342dfca46f3ea3452fe8ec89690d56de753a5d0df40b9787ff5c010a694f6a83c9d01f6f415e1161f3272f57b269e2dd796b9c3e6c3aa66c2e85db53fa18578326395328ddd4b49e8abdb308a78006b18e5395cdaaf0abe36102b61f6d6e7f02d641e2016db170203010001
```
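
Added example, not part of the original issue or of jruby-openssl's code: a small pure-Ruby DER reader run over the two hex strings quoted in the issue. It shows that the MRI output is an X.509 SubjectPublicKeyInfo whose BIT STRING holds exactly the PKCS#1 RSAPublicKey bytes that JRuby printed; the function and constant names are illustrative.

```ruby
# Added example: DER reader (definite lengths only); hex copied from the two runs in the issue.
JRUBY_HEX = '30818902818100bec7dd139a68ad06c120418336134ea5bd49b781dc157696b4c342dfca46f3ea3452fe8ec89690d56de753a5d0df40b9787ff5c010a694f6a83c9d01f6f415e1161f3272f57b269e2dd796b9c3e6c3aa66c2e85db53fa18578326395328ddd4b49e8abdb308a78006b18e5395cdaaf0abe36102b61f6d6e7f02d641e2016db170203010001'
MRI_HEX = '30819f300d06092a864886f70d010101050003818d0030818902818100bec7dd139a68ad06c120418336134ea5bd49b781dc157696b4c342dfca46f3ea3452fe8ec89690d56de753a5d0df40b9787ff5c010a694f6a83c9d01f6f415e1161f3272f57b269e2dd796b9c3e6c3aa66c2e85db53fa18578326395328ddd4b49e8abdb308a78006b18e5395cdaaf0abe36102b61f6d6e7f02d641e2016db170203010001'
RSA_ENCRYPTION = ['2a864886f70d010101'].pack('H*') # DER body of OID 1.2.840.113549.1.1.1

# Read one TLV at pos; returns [tag, value_bytes, offset_after_value].
def read_tlv(der, pos = 0)
  raise ArgumentError, 'truncated DER' if pos + 2 > der.bytesize
  tag, len = der.getbyte(pos), der.getbyte(pos + 1)
  pos += 2
  if len >= 0x80 # long form: low 7 bits give the number of length bytes
    n = len & 0x7f
    len = der.byteslice(pos, n).unpack1('H*').to_i(16)
    pos += n
  end
  raise ArgumentError, 'truncated DER' if pos + len > der.bytesize
  [tag, der.byteslice(pos, len), pos + len]
end

# Split the body of a constructed value into [tag, value] pairs.
def children(body, pos = 0, out = [])
  while pos < body.bytesize
    tag, val, pos = read_tlv(body, pos)
    out << [tag, val]
  end
  out
end

# Returns [format, pkcs1_der] for a DER-encoded RSA public key.
def classify_rsa_public_key(der)
  tag, body, used = read_tlv(der)
  raise ArgumentError, 'expected one SEQUENCE' unless tag == 0x30 && used == der.bytesize
  kids = children(body)
  case kids.map(&:first)
  when [0x02, 0x02] # INTEGER modulus, INTEGER exponent: PKCS#1 RSAPublicKey
    [:pkcs1_rsa_public_key, der]
  when [0x30, 0x03] # AlgorithmIdentifier, BIT STRING: SubjectPublicKeyInfo
    raise ArgumentError, 'not rsaEncryption' unless children(kids[0][1])[0] == [0x06, RSA_ENCRYPTION]
    bits = kids[1][1]
    raise ArgumentError, 'unused bits set' unless bits.getbyte(0) == 0
    [:subject_public_key_info, bits.byteslice(1, bits.bytesize - 1)]
  else
    raise ArgumentError, 'unrecognised key structure'
  end
end

jruby = classify_rsa_public_key([JRUBY_HEX].pack('H*'))
mri = classify_rsa_public_key([MRI_HEX].pack('H*'))
puts "JRuby: #{jruby[0]}, MRI: #{mri[0]}, same RSA key: #{jruby[1] == mri[1]}"
```

Code that fingerprints or pins a public key by hashing `to_der` output would get different digests from the two encodings even though the key material is identical.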

kares commented 9 years ago

BC's DER conversion (for complex cases) might be different from OpenSSL's ... last I tracked this down for Certificate/CRL I recall it was fine (mostly the signature being different - which as I understood there is more than one "correct" case) - OpenSSL was able to read BC's and fields were the same.