search

kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0
1.7k stars 275 forks source link

Name Constraint for IP subnets is expecting a plain IP instead of subnet #298

Closed natan-abolafya closed 2 years ago

natan-abolafya commented 3 years ago

Describe the bug It's really cool to see that the Name Constraints is already supported. As I was creating new CA certificates to test some implementation around this extension, I couldn't create a proper IP one. As documented here, the expected value for IP constraint is supposed to represent a subnet:

IPAddress = 192.168.0.0, 255.255.255.0 ; format: {IP network address},{Subnet Mask}

But when I try to create one, KeyStore Explorer expects a plain IP. It also fails to parse it when it's created by openssl with that format. (Screenshots and examples below)

To Reproduce Steps to reproduce the behavior:

  1. Create a new KeyStore - PKCS#12
  2. Right-click and "Generate a new key pair". Click OK to generate RSA key.
  3. Enter details for your cert if you want and then click "Add Extensions".
  4. Click "+" and choose "Name Constraints"
  5. Click "+" on either Permitted or Excluded section.
  6. Click the icon for "General name" and choose "IP Address".
  7. Enter "192.168.0.0, 255.255.255.0" into "General Name Value" and press OK.
  8. It will show an error saying "Not a valid IPv4 or IPv6 address".

Expected behavior It accepts the value. And it shouldn't accept the expected input of plain IP. (Unless you want to automatically append , 255.255.255.255)

Screenshots image

Also, here is a CA file with a proper name constraints:

-----BEGIN CERTIFICATE-----
MIIGrzCCBJegAwIBAgIUAKMSybw/+ZvQKhn/S/zSWKW2l78wDQYJKoZIhvcNAQEN
BQAwgbUxCzAJBgNVBAYTAlNFMREwDwYDVQQIDAhHb3RlYm9yZzERMA8GA1UEBwwI
R290ZWJvcmcxCTAHBgNVBBEMADEQMA4GA1UECQwHTWFqb3JuYTEQMA4GA1UECgwH
YXBwZ2F0ZTEPMA0GA1UECwwGZGV2b3BzMRswGQYDVQQDDBJkZXZvcHMuYXBwZ2F0
ZS5jb20xIzAhBgkqhkiG9w0BCQEWFG5vLXJlcGx5QGFwcGdhdGUuY29tMB4XDTIx
MDkyMjE0MTQzN1oXDTIxMTAyMjE0MTQzN1owgbUxCzAJBgNVBAYTAlNFMREwDwYD
VQQIDAhHb3RlYm9yZzERMA8GA1UEBwwIR290ZWJvcmcxCTAHBgNVBBEMADEQMA4G
A1UECQwHTWFqb3JuYTEQMA4GA1UECgwHYXBwZ2F0ZTEPMA0GA1UECwwGZGV2b3Bz
MRswGQYDVQQDDBJkZXZvcHMuYXBwZ2F0ZS5jb20xIzAhBgkqhkiG9w0BCQEWFG5v
LXJlcGx5QGFwcGdhdGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEAttu0aUmfbfGb7wMCgN7CVS/T5I6HYpdfBQKiloDmasPxaTLbmcnTBFH3WAjS
XRVg+ox9/ZCT7OBLLV3a/53Xu1ndHczXf5amy8RhXZPRXYX+v6CanqqxejJ9G4Qz
be1wxvIfDteUOFoPjjG+F5nUrhcKraHYBYD4On0AjorxyhaUmAQHoWBHsl86PtKZ
Qydtrrr9H4c50dvWog5Un+WxE3LujO8n5sX+7Ow1T8wz6pnPzDzBmaDiO+hInGNO
2q5T/pggUWrJUSeWYAdVLprci+6EgEptvaC04wCqtW8mzcwx1AQFRD/SyL97SBfF
onNPGYxBcKbxSq8qJ+WcCLSlJda2UrII42DYHsd+1B4y1GAwG/ourN2Zz4qfdwhn
oGZ6cxfdQIfkJ8Vy3R92dT+5jXgaPHERdE6VdBDm5UN4SAZeItX8L7QBQxUULpLc
6BMzBkfvLPpw5oMaZs59FeZh+j+uWMXWev63uAzfR2EwzvUr0rJZOR51XPI8Jm+R
Lfabqjwr/o+Y79xferhX3GCtcbaMwdkPY2kEluGcCNiY28imxSxizTKuJtZAGkHq
b4jgZEj3B89MUO59wqgSjI/ZKYjXt6YjXACbDGlcWVHL6bpSdbz4VGRW5nCcpgTG
xJryfLeGj83iR13XupbDfD2fJInwBgmDZGWKP2fwEzR2+M0CAwEAAaOBtDCBsTAW
BgNVHREEDzANggthcHBnYXRlLmNvbTAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQE
AwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMJMCIG
A1UdHgQbMBmgFzAJggcuZGV2b3BzMAqHCAphgAD///8AMCwGA1UdHwQlMCMwIaAf
oB2GG2h0dHA6Ly90ZXN0eWQuZGV2b3BzL215LmNybDANBgkqhkiG9w0BAQ0FAAOC
AgEArZHW5ynzkKVGBgM+hpt0jzfqORmz+91WKZoWh7tUn/+L6p7d8likKCa1pCSo
yxWmiXc7NH3HKQ8EYlNslJuRtpmBqE3Qjf5SWFvnZwnMhaPbTGH6/JCB4833Oe5z
S/73ntwGmLQqMDhPzJy/KLC9cpBHGOEkdQRcTHsUyylHptjlD6M9+pAd47QGtE4d
Y82E23G0UZsgbptgRhIXDC1wzkBDWv4wH3rqLYKgtmtajTlPA9WIHHJ+YvcfIDjq
OCEjDzze35HijaLpcO9d3SoUfcM4q9t8zPhnbxN/13lSzO0O2fVTSEMFD3l8vW4F
0fFofmGeiFv8568z7umgz/qoBS0rrTWympUD1XDqKwyptRm+Cshw6Iub1YM0LQP3
EQ8mSaOpnUfWl0Kec5eB56LHZSd1rbxs6oF415oFUbaKv/t0m7BFwvtTv2nUZJWb
7xsZzyK9br+dOl2F1yIEQ4j1OaNm5ajTKOADoZSb5M3czRtD7Nrt7IDN5y94AoNC
kX4ZMJgyD1Ebt8/FscP227hiRjF6kK1S9/gcrg3F6YVqNPH6/Zo8nMXHJZhcra8Z
4dlow49hbYD0N3dzI8s7AHcGqGWkPHfQqUzKbIqM0xXsfIf844fnCQgz8EikynIB
TExgZsHOgOxEsI/jw/bhdPmlj3lJo0cHu2U90HAQe5EZL5I=
-----END CERTIFICATE-----

How KeyStore Explorer parses it: image

How Windows parses it: image

Environment

kaikramer commented 3 years ago

Thanks for reporting!

kaikramer commented 3 years ago

Some thoughts on the input format:

{IP network address}, {Subnet Mask} is how Microsoft's certreq.exe expects the input data, which is not necessarily the best or most common way to write an IP range.

Normally one would write it like this (see RFC 4632): 192.168.1.0/24 (which means a 24 bit or 255.255.255.0 mask)

On the other hand, 192.168.1.0, 255.255.255.0 might be easier to understand and that's how it is stored in the extension anyway...

natan-abolafya commented 3 years ago

yeah, while I'd prefer the 192.168.1.0/24 notation in general also, I'd go for sticking to what X509 uses.

kaikramer commented 2 years ago

Closing tickets in preparation for release of KSE 5.5.0