Closed cnadeau closed 7 years ago
hmm maybe a bug was introduced in a recent update of the openssl-cert-tools module. I'll poke around their repo and see what I see. :)
thanks for bringing this up!
@cnadeau I've looked at all commits for the latest openssl-cert-tools but I'm confident none of them are causing this error.
Having looked at the code a little, I'm thinking that the certificate being passed in isn't matching what is expected, and it's failing. can you possibly send me the certificate contents so I can try to debug this a bit further?
here's the line that actually fails in the module https://github.com/frdmn/openssl-cert-tools/blob/master/lib/information.js#L70
I've seen the failing line, but I was a bit surprised that an amazon cert wasn't valid
maybe this library is failing to pick up on a particular aspect of this specific certificate. :-/ That's just initial gut feeling. I'll try to plug this cert contents into the tool and see if I can reproduce.
Another possibility: are you sure that the certificate data is actually getting passed in correctly?
I'm actually using alexa-verifier-middleware which is using alexa-verifier to fetch and validate the cert if I'm following the flow correctly
yeah that's a good way to do it. I'm just wondering if something is falling down in between. There is a little bit of magic that happens with reading the request body out, and it has to be before any other body parsing-related middlewares. It might be good to shove a couple log statements in there to see if the cert body is actually getting passed to the module as expected.
You don't have to do this; I'll mess with the .pem contents and see if I can repro it tonight; just another potential avenue to explore if you're so inclined.
@cnadeau I've done testing. here's my setup code:
'use strict'

const fs = require('fs')
const tools = require('openssl-cert-tools')

const cert = fs.readFileSync(__dirname + '/echo-api-cert-4.pem')

tools.getCertificateInfo(cert, function(er, data) {
  console.log('result', er, data)
})
output (run with openssl-cert-tools@1.2.1 and node v7.4.0):
λ node index
result undefined { certificate: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 46 66 6a 43 43 42 47 61 67 41 77 49 42 41 67 49 51 50 79 ... >,
issuer:
{ C: 'US',
O: 'Symantec Corporation',
OU: 'Symantec Trust Network',
CN: 'Symantec Class 3 Secure Server CA - G4' },
subject:
{ C: 'US',
ST: 'Washington',
L: 'Seattle',
O: 'Amazon.com, Inc.',
CN: 'echo-api.amazon.com' },
validFrom: 2016-10-07T00:00:00.000Z,
validTo: 2017-10-30T23:59:59.000Z,
remainingDays: 276 }
which looks right. Certainly no crash. I'm led to believe this has something to do with not passing the cert string into this module correctly.
If you can do some logging before this line, to see what is in pem_cert, that might give us some more clues:
https://github.com/alexa-js/alexa-verifier/blob/master/index.js#L121
another thing to try: take my test code from above, and run it in the docker container that is failing. Maybe it will fail in that environment. I know openssl 1.0.2k came out very recently. Might have something to do with that.
@mreinstein I just did use your test case and got the exact same output from within the container
bash-4.3# node test.js
result undefined { certificate: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 46 66 6a 43 43 42 47 61 67 41 77 49 42 41 67 49 51 50 79 ... >,
issuer:
{ C: 'US',
O: 'Symantec Corporation',
OU: 'Symantec Trust Network',
CN: 'Symantec Class 3 Secure Server CA - G4' },
subject:
{ C: 'US',
ST: 'Washington',
L: 'Seattle',
O: 'Amazon.com, Inc.',
CN: 'echo-api.amazon.com' },
validFrom: 2016-10-07T00:00:00.000Z,
validTo: 2017-10-30T23:59:59.000Z,
remainingDays: 276 }
I will try to add some logs
Here are the logs within openssl-cert-tools/lib/informations
https://github.com/frdmn/openssl-cert-tools/blob/master/lib/information.js#L70
cell_1 | data ==> issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
cell_1 |
cell_1 | linearray length ==> 2
cell_1 | linearray ==> ["issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4",""]
this means there is a bug in openssl 1.0.2k as you mentioned, I'll try to revert to 1.0.2j and validate it
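A defensive way to read this kind of `key=value` openssl text output, added here as an illustration and not code from openssl-cert-tools or alexa-verifier: fields are looked up by name, and a missing one produces a descriptive error. The function names, the required-field list and the `COMPLETE` sample are assumptions constructed for the example.

```javascript
'use strict'

// Fields this sketch expects in the text output (assumed set, based on the
// issuer/subject/validity data shown in the thread).
const REQUIRED = ['issuer', 'subject', 'notBefore', 'notAfter']

// "/C=US/O=Example/CN=host" -> { C: 'US', O: 'Example', CN: 'host' }
// Limitation: a value that itself contains "/" is not handled.
function parseDn (dn) {
  const out = {}
  for (const part of dn.split('/').filter(Boolean)) {
    const eq = part.indexOf('=')
    if (eq < 1) throw new Error('malformed DN component: ' + part)
    out[part.slice(0, eq)] = part.slice(eq + 1)
  }
  return out
}

// Collect "key=value" lines by name, then fail loudly if any are absent
// rather than indexing into a line that was never printed.
function parseCertText (text) {
  const fields = {}
  for (const line of text.split(/\r?\n/)) {
    const eq = line.indexOf('=')
    if (eq > 0) fields[line.slice(0, eq).trim()] = line.slice(eq + 1).trim()
  }
  const missing = REQUIRED.filter(k => !(k in fields))
  if (missing.length) throw new Error('openssl output is missing: ' + missing.join(', '))
  const toDate = s => new Date(s.replace(/\s+/g, ' '))
  const validFrom = toDate(fields.notBefore)
  const validTo = toDate(fields.notAfter)
  if (isNaN(validFrom) || isNaN(validTo)) throw new Error('unparseable validity dates')
  return { issuer: parseDn(fields.issuer), subject: parseDn(fields.subject), validFrom, validTo }
}

// The single line logged in the thread (only the issuer was returned).
const TRUNCATED = 'issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4\n'

// Constructed sample: the same certificate's fields in OpenSSL 1.0.x text layout.
const COMPLETE = TRUNCATED +
  'subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=echo-api.amazon.com\n' +
  'notBefore=Oct  7 00:00:00 2016 GMT\n' +
  'notAfter=Oct 30 23:59:59 2017 GMT\n'

function summarize (text) {
  try { return parseCertText(text).subject.CN } catch (e) { return 'error: ' + e.message }
}

console.log(summarize(COMPLETE))
console.log(summarize(TRUNCATED))
```

For a certificate verifier, failing closed with a clear message when a field is missing is preferable to an exception deep inside a parsing helper.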
@cnadeau this problem (and its solution) might overlap with #1 nicely. openssl-cert-tools doesn't work on windows. Maybe we can find a replacement. I don't like relying on openssl.
You're right, maybe node-forge could be used to do the subject and issuer verification
var forge = require('node-forge');
var pki = forge.pki;
var fs = require('fs');
var pem = fs.readFileSync('./echo-api-cert-4.pem', 'utf-8');
var cert = pki.certificateFromPem(pem);
console.log(JSON.stringify(cert.subject.getField('CN').value));
console.log(JSON.stringify(cert.issuer.attributes, null, 2));
Using node 7.4 inside a docker container with openssl available (1.0.2k), I'm getting an error which seems related to openssl-cert-tools, but maybe someone already knows the answer
using alexa-verifier-middleware 0.1.5 which uses alexa-verifier 0.2.0, I'm getting an error within openssl-cert-tools. Here is a simple repro snippet: is leading to:
Any idea?