kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign

X509 getExtBasicConstraints() not outputting the CA JSON key and value #610

Closed robcordes closed 7 months ago

robcordes commented 7 months ago

The picture below is a screenshot of the object: the method result is the extension name and its critical flag value, instead of returning the data as per the API, which is: x.getExtBasicConstraints() → {cA:true,pathLen:3,critical:true}

[Screenshot (2024-02-07 22:19:56) of the returned object]

The openssl output for the certificate tested with is below (subject and SAN are removed from the output). One can see that openssl does output the CA flag.

openssl x509 -in ......pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            32:20:35:82:6c:29:5d:41:60:e4:ce:3e:00:bc:04:72:b3:56:29:bb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, O=KPN B.V., CN=KPN PKIoverheid Private Services CA - G1
        Validity
            Not Before: Nov 17 14:20:04 2023 GMT
            Not After : Nov 16 14:20:03 2026 GMT
        Subject: C=NL, L=Den Haag, O=....., serialNumber=0, CN=client.t05i0014ru075.idd.....
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:94:22:52:91:1a:55:3c:65:3f:77:d5:8a:ec:
                    8a:85:dd:16:db:54:ff:0d:10:75:5f:8c:f5:72:a1:
                    5c:1e:d0:21:6a:0c:a7:4b:6f:07:62:55:7c:05:3f:
                    33:97:3e:61:fc:91:6e:96:26:f2:98:40:b6:9c:12:
                    bf:4f:2e:cb:7f:c9:4c:63:65:64:4c:66:2a:66:18:
                    e0:8f:e7:4e:66:71:63:7b:fd:38:06:df:f0:f6:31:
                    bc:61:3e:06:08:fe:d0:98:61:06:a9:a0:2e:9e:9b:
                    72:a1:0f:d0:57:2c:28:55:86:0e:c4:37:eb:5b:b7:
                    3f:b9:aa:64:24:70:3f:22:b0:65:52:f7:53:42:2c:
                    2a:a4:77:8a:78:13:2d:08:53:a1:f4:24:80:3e:e0:
                    c4:0d:54:a7:b3:f5:fc:40:fc:5d:a4:a9:16:f4:c6:
                    ea:32:7f:4b:28:72:f8:31:dd:71:75:ab:8a:48:61:
                    fb:a5:56:8d:b0:b9:f3:87:ed:19:9f:d1:fd:e5:6c:
                    6d:3b:47:d6:3e:2e:35:ed:b8:cf:52:e9:c8:cb:06:
                    70:59:37:1d:31:f4:0b:ac:82:50:7f:0a:78:29:49:
                    85:6c:25:aa:90:b7:b0:d7:49:85:37:1e:6d:f7:ad:
                    06:6e:30:0c:9b:3c:e2:c4:15:66:7e:a3:6c:43:bb:
                    65:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                B8:D4:4C:9F:A8:5B:6E:DA:25:A7:68:8E:EF:8C:46:1A:FE:1F:53:65
            Authority Information Access:
                OCSP - URI:http://procsp.managedpki.com
            X509v3 Subject Alternative Name:
                DNS:.........
            X509v3 Certificate Policies:
                Policy: 2.16.528.1.1003.1.2.8.6
                  CPS: https://certificaat.kpn.com/elektronische-opslagplaats
                  User Notice:
                    Explicit Text: Op dit certificaat is het CPS PKIoverheid Private Services Server certificaten van KPN van toepassing.
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.managedpki.com/KPNBVPKIoverheidPrivateServicesCAG1/LatestCRL.crl
            X509v3 Subject Key Identifier:
                8B:5E:3C:84:9B:E3:DA:FF:C8:E0:CC:06:E2:8A:18:E4:D0:47:41:65
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ae:3f:39:62:13:a0:3d:96:75:25:05:c8:4d:0b:0e:18:27:2c:
        3c:47:dc:7b:c2:de:3b:c1:1d:0f:5e:8e:3c:69:f7:b9:d5:ab:
        f9:23:68:d2:5f:c7:ab:29:cf:c6:9c:f7:b1:a7:d6:44:9b:13:
        1f:7d:0d:bb:45:a7:8b:44:ec:c6:f3:5d:42:a2:c1:ca:fa:c8:
        4b:5d:38:f8:4a:9d:c4:ce:5f:7c:1f:3b:e9:6f:98:ea:2b:c7:
        60:f9:76:b9:28:c3:05:82:08:a9:b1:22:44:d4:94:5a:e8:6d:
        c6:8d:b7:ba:44:f8:bb:66:29:8a:48:61:ee:07:dd:2d:08:aa:
        30:c0:e2:67:15:93:4e:cd:15:c6:e8:1e:0a:76:14:cf:9c:ff:
        3d:ff:35:4e:3a:bb:18:a0:b9:77:f9:bb:77:7d:a1:5e:5a:f7:
        10:a2:f7:01:47:6d:10:a7:7c:fc:09:80:84:9b:16:19:bc:94:
        99:28:5f:76:f9:67:91:80:a5:43:0d:ab:c6:62:cb:1e:dc:e6:
        67:ad:8e:2c:aa:05:19:c5:0e:10:04:82:1e:f4:42:db:55:c9:
        d7:b6:38:2b:bc:f5:1a:e8:8a:d6:84:9b:c0:7d:4c:f7:3f:b1:
        b6:b5:bb:23:0c:93:18:44:02:04:4a:27:a5:af:4b:4d:34:cb:
        b7:1c:46:02:c7:8a:4b:9e:e8:0e:30:a1:35:7a:d6:70:5a:7e:
        59:d0:c8:cf:e5:63:fe:7b:31:8c:a5:65:3c:25:07:5a:e1:9d:
        3b:86:18:9c:7c:15:fb:2e:91:33:86:a3:af:0d:40:3f:6b:05:
        c6:a0:2b:c7:31:90:8b:63:2f:21:db:82:d1:d8:7d:2f:c3:81:
        a5:54:b5:f7:4d:c0:f2:10:9e:6e:2e:41:5f:37:d3:89:e9:3b:
        6a:f2:de:17:3d:d1:ab:92:27:84:d9:d7:1d:e9:c7:25:bf:e7:
        7d:c6:c7:e7:09:dc:29:e0:a6:9e:24:1d:cb:17:60:0b:74:12:
        1b:cd:29:ef:bc:51:0e:3e:19:db:6d:6e:41:6b:c8:62:6f:70:
        fb:22:61:e6:3c:0c:28:39:35:0f:29:13:0d:20:b1:89:a3:e8:
        75:5d:ba:35:d4:30:56:8c:13:59:a1:4c:79:69:55:2f:c6:7c:
        1c:07:0c:6e:48:cb:2a:ad:59:2a:75:71:7b:f7:4a:9e:67:79:
        d5:38:bc:8f:a4:36:fb:fb:44:c1:cb:ef:64:83:6e:b7:7f:77:
        e1:d7:1a:e5:40:45:f2:41:a4:3d:04:06:a2:f3:67:46:49:55:
        2d:4d:81:74:99:e4:1f:1f:64:09:a0:e2:c4:0b:81:14:a3:14:
        c6:76:b3:fc:41:0f:f1:05

kjur commented 7 months ago

Hi @robcordes , could you provide its certificate PEM? Then I'll investigate it.

robcordes commented 7 months ago

mailed the PEM file.

kjur commented 7 months ago

getExtBasicConstraints() returns a proper value for the certificate you sent me.

> x.getExtBasicConstraints()
{ extname: 'basicConstraints', critical: true }

robcordes commented 7 months ago

Hi,

It is the CA flag I’m after and which is not returned.

It should have returned x.getExtBasicConstraints() → {cA:true,pathLen:3,critical:true} as per the API description.

This is what the code returns however:

Best regards,

Rob Cordes


kjur commented 7 months ago

BTW, I didn't get your email with PEM file.

robcordes commented 7 months ago

Here it is again.

Best regards,

Rob Cordes


kjur commented 7 months ago

I believe you can't attach a file in that way.

robcordes commented 7 months ago

PKIO-issued-client.t05i0014ru075.idd.mindef.nl.txt

Here it is with .txt as the extension. Again, if the CA flag is false, would it not be present as an attribute at all? So like the criticality flag for any given extension?

kjur commented 7 months ago

Yes, when the cA flag is false, the "cA" attribute will not exist, like the critical flag.
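
As an added illustration of the two points made in this thread (the API description quoted above, x.getExtBasicConstraints() → {cA:true,pathLen:3,critical:true}, and the explanation that a false cA flag simply has no "cA" attribute), the following Node.js snippet parses the DER value of a BasicConstraints extension by hand. It is example code written for this page, not jsrsasign's own code and not taken from the issue. It shows why an end-entity certificate yields no cA key at all: the ASN.1 definition is cA BOOLEAN DEFAULT FALSE, and DER requires a component equal to its default to be omitted, so openssl's "CA:FALSE" corresponds to an empty SEQUENCE on the wire. The function names, the strictDER option and the hex inputs are constructed for this example; the returned object mirrors the {extname, cA, pathLen} shape from the API description, and the critical flag is not produced because it lives in the enclosing Extension structure rather than in this value.

```javascript
// Added example, not jsrsasign code: a hand-written DER parser for the
// value of the BasicConstraints extension (RFC 5280, section 4.2.1.9):
//
//   BasicConstraints ::= SEQUENCE {
//     cA                 BOOLEAN DEFAULT FALSE,
//     pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
//
// DER (X.690, 11.5) requires a component equal to its DEFAULT to be
// omitted, so "CA:FALSE" is encoded as an empty SEQUENCE (30 00): the
// parser sees no BOOLEAN and therefore emits no "cA" key.
// The "critical" flag is not part of this value; it sits in the outer
// Extension structure and is not handled here.

function hexToBytes(hex) {
  if (hex.length === 0 || hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("invalid hex");
  }
  return Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
}

// Read one tag-length-value at `off`. Short-form lengths (< 128 bytes)
// are all BasicConstraints ever needs, so long-form lengths are rejected.
function readTLV(bytes, off) {
  if (off + 2 > bytes.length) throw new Error("truncated TLV header");
  const tag = bytes[off];
  const len = bytes[off + 1];
  if (len & 0x80) throw new Error("long-form length not expected");
  const start = off + 2;
  if (start + len > bytes.length) throw new Error("truncated TLV value");
  return { tag, value: bytes.subarray(start, start + len), next: start + len };
}

// Parse a hex-encoded BasicConstraints value. With strictDER (default)
// an explicitly encoded FALSE is rejected as a DER violation; with
// strictDER: false it is tolerated, as BER allows, and still yields no
// cA key, so the result is the same as for the empty SEQUENCE.
function parseBasicConstraints(hex, { strictDER = true } = {}) {
  const bytes = hexToBytes(hex);
  const seq = readTLV(bytes, 0);
  if (seq.tag !== 0x30) throw new Error("BasicConstraints must be a SEQUENCE");
  if (seq.next !== bytes.length) throw new Error("trailing bytes after SEQUENCE");

  const out = { extname: "basicConstraints" };
  const v = seq.value;
  let off = 0;

  if (off < v.length && v[off] === 0x01) {          // BOOLEAN cA
    const b = readTLV(v, off);
    if (b.value.length !== 1) throw new Error("BOOLEAN must be one byte");
    if (b.value[0] === 0xff) {
      out.cA = true;
    } else if (b.value[0] === 0x00) {
      if (strictDER) throw new Error("cA FALSE must be omitted in DER");
    } else {
      throw new Error("DER BOOLEAN TRUE must be 0xFF");
    }
    off = b.next;
  }

  if (off < v.length && v[off] === 0x02) {          // INTEGER pathLenConstraint
    const i = readTLV(v, off);
    if (i.value.length === 0 || i.value.length > 4) throw new Error("bad INTEGER length");
    if (i.value[0] & 0x80) throw new Error("pathLenConstraint must be non-negative");
    let n = 0;
    for (const byte of i.value) n = (n << 8) | byte;
    out.pathLen = n;
    off = i.next;
  }

  if (off !== v.length) throw new Error("unexpected component in BasicConstraints");
  return out;
}

// The check a chain validator should run: only an explicit TRUE makes a
// CA. Absence means FALSE, so never test for ext.cA === false.
function isCA(ext) {
  return ext.cA === true;
}

// Constructed inputs for this example (not bytes from the certificate
// in the issue):
const samples = {
  endEntity: "3000",              // SEQUENCE {}                  -> openssl "CA:FALSE"
  ca: "30030101ff",               // SEQUENCE { TRUE }            -> "CA:TRUE"
  caPathLen3: "30060101ff020103", // SEQUENCE { TRUE, INTEGER 3 } -> "CA:TRUE, pathlen:3"
  berFalse: "3003010100",         // SEQUENCE { FALSE }, legal in BER, not in DER
};

for (const [name, hex] of Object.entries(samples)) {
  try {
    const ext = parseBasicConstraints(hex);
    console.log(name, JSON.stringify(ext), "isCA:", isCA(ext));
  } catch (e) {
    console.log(name, "rejected:", e.message);
  }
}
```

Two consequences for code that consumes such an object, whether from this parser or from a library that reports the extension the same way: an end-entity check written as ext.cA === false never matches, because the key is absent rather than false, so use !ext.cA or isCA(ext) as above; and a pathLen of 0 is a valid but falsy value (a CA that may only issue end-entity certificates), so test ext.pathLen !== undefined rather than if (ext.pathLen).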

robcordes commented 7 months ago

All right then, this issue can be closed as well. Thanks for the explanation.

Best regards,

Rob Cordes
