Closed acarlson0000 closed 2 years ago
Hi,
Thanks for the report and all the details. I was suspecting that the encoding of some extensions is wrong, but I cannot check without the file.
Would it be possible to either attach it to this issue (drag and drop in the text area), or send it to me using whatever method? It would help a lot.
Thanks!
Thanks for taking a look quickly @chifflier , much appreciated!
Sure thing - I'll attach them for you: rustica-x509-parser-crl-issue.zip
Thanks, that helps a lot.
A very quick check shows that the error happens here:
96:d=2 hl=2 l= 0 cons: SEQUENCE
98:d=2 hl=2 l= 47 cons: cont [ 0 ]
100:d=3 hl=2 l= 45 cons: SEQUENCE
102:d=4 hl=2 l= 31 cons: SEQUENCE
According to RFC 5280, the extensions should be an explicit tagged 0 sequence:
crlExtensions [0] EXPLICIT Extensions OPTIONAL
Instead of the tagged value, this seems to be a sequence containing the tagged value.
This is confirmed by comparing to other .crl files I have locally.
I only had a quick look, so at this point I am not sure why openssl accepts the CRL, and if I didn't miss anything in the specifications, but I'm not sure the encoding is entirely valid. I'll continue investigating.
Ok, got it. The encoding is not invalid, but weird. This is not a sequence of tagged, but in fact an empty sequence preceding the tag. Though unusual, it is valid. I can confirm this is indeed a bug and will work on a fix.
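The layout worked out in the two replies above (the `[0] EXPLICIT Extensions` tag from RFC 5280, and the empty SEQUENCE that precedes it in this CRL), as an added stand-alone example that is not part of this issue or of the x509-parser crate. The only TBSCertList field that can sit between nextUpdate and crlExtensions is revokedCertificates, so the zero-length SEQUENCE at offset 96 in the asn1parse output is an empty revoked-certificates list. The bytes below are constructed to reproduce that shape; the `strict` flag is this example's own assumption, applying RFC 5280 section 5.1.2.6 (when there are no revoked certificates the list MUST be absent) so that a lenient and a strict parser can be compared on the same input.

```rust
// Added example for this thread: a minimal DER TLV walker (no crates, not the
// x509-parser crate's own code) that parses the tail of a TBSCertList, i.e.
//   revokedCertificates  SEQUENCE OF ... OPTIONAL
//   crlExtensions        [0] EXPLICIT Extensions OPTIONAL
// and shows why "30 00" (an empty SEQUENCE) before "A0 ..." trips a parser that
// expects the [0] tag as soon as it has read thisUpdate/nextUpdate.

/// One DER element: its tag byte and its content bytes.
#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub value: &'a [u8],
}

/// Read one DER element with a single-byte tag and a definite length.
/// Returns the element and the bytes that follow it.
pub fn read_tlv(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), String> {
    let tag = *input.first().ok_or("unexpected end of input")?;
    if tag & 0x1f == 0x1f {
        return Err("multi-byte tags are not handled here".into());
    }
    let len_byte = *input.get(1).ok_or("missing length byte")?;
    let (len, header_len) = if len_byte < 0x80 {
        (len_byte as usize, 2)
    } else {
        let n = (len_byte & 0x7f) as usize;
        if n == 0 || n > 4 {
            return Err("indefinite or oversized length is not valid DER".into());
        }
        let len_bytes = input.get(2..2 + n).ok_or("truncated length")?;
        let len = len_bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
        (len, 2 + n)
    };
    let value = input
        .get(header_len..header_len + len)
        .ok_or("element length exceeds input")?;
    Ok((Tlv { tag, value }, &input[header_len + len..]))
}

/// What the tail of a TBSCertList contained.
#[derive(Debug, PartialEq)]
pub struct CrlTail<'a> {
    /// Entries in revokedCertificates (0 when the list is absent or empty).
    pub revoked_entries: usize,
    /// Content of the Extensions SEQUENCE when crlExtensions [0] is present.
    pub extensions: Option<&'a [u8]>,
}

/// Parse `revokedCertificates` (optional, possibly empty) followed by
/// `crlExtensions [0] EXPLICIT`. In strict mode an empty revokedCertificates
/// list is rejected, following RFC 5280 section 5.1.2.6 ("MUST be absent").
pub fn parse_crl_tail(mut input: &[u8], strict: bool) -> Result<CrlTail<'_>, String> {
    let mut tail = CrlTail { revoked_entries: 0, extensions: None };

    // A universal SEQUENCE (0x30) at this position can only be revokedCertificates.
    if input.first() == Some(&0x30) {
        let (list, rest) = read_tlv(input)?;
        let mut entries = list.value;
        while !entries.is_empty() {
            let (entry, next) = read_tlv(entries)?;
            if entry.tag != 0x30 {
                return Err(format!("revoked entry has tag {:#04x}, expected SEQUENCE", entry.tag));
            }
            tail.revoked_entries += 1;
            entries = next;
        }
        if strict && tail.revoked_entries == 0 {
            return Err("empty revokedCertificates MUST be absent (RFC 5280 5.1.2.6)".into());
        }
        input = rest;
    }

    // [0] EXPLICIT = context-specific, constructed, tag number 0 = 0xA0.
    if input.first() == Some(&0xa0) {
        let (wrapper, rest) = read_tlv(input)?;
        let (exts, after) = read_tlv(wrapper.value)?;
        if exts.tag != 0x30 || !after.is_empty() {
            return Err("InvalidExtensions: [0] must wrap exactly one Extensions SEQUENCE".into());
        }
        tail.extensions = Some(exts.value);
        input = rest;
    }

    if !input.is_empty() {
        return Err(format!("unexpected element {:#04x} at end of TBSCertList", input[0]));
    }
    Ok(tail)
}

/// Constructed bytes modelled on the asn1parse output in this issue: an empty
/// SEQUENCE (revokedCertificates with no entries) followed by [0] EXPLICIT
/// Extensions holding a single CRL Number (2.5.29.20) extension with value 1.
pub fn sample_tail_from_issue() -> Vec<u8> {
    vec![
        0x30, 0x00,                   // revokedCertificates: empty SEQUENCE
        0xa0, 0x0e,                   // [0] EXPLICIT, 14 bytes of content
        0x30, 0x0c,                   // Extensions SEQUENCE, 12 bytes
        0x30, 0x0a,                   // Extension SEQUENCE, 10 bytes
        0x06, 0x03, 0x55, 0x1d, 0x14, // extnID: OID 2.5.29.20 (cRLNumber)
        0x04, 0x03, 0x02, 0x01, 0x01, // extnValue: OCTET STRING { INTEGER 1 }
    ]
}

fn main() {
    let tail = sample_tail_from_issue();
    println!("lenient: {:?}", parse_crl_tail(&tail, false));
    println!("strict:  {:?}", parse_crl_tail(&tail, true));
    println!("without the empty list, strict: {:?}", parse_crl_tail(&tail[2..], true));
}
```

With `strict = false` the walker accepts the issue's byte layout and returns the CRL Number extension; with `strict = true` it rejects the same bytes with a message naming the offending field, which is a more useful failure than a bare `InvalidExtensions` when a CA emits this shape and a verifier has to decide whether to accept it.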
Thanks so much for investigating - it wouldn't surprise me if we were also doing something a little out of the ordinary, but great to know we've found a potential way forward here 😄
Hi,
We are looking to use this library as part of an Envoy WASM filter which does CA/CRL parsing. We're mostly there, however we are having some trouble parsing one of our Issuer's CRL files.
When attempting to parse the DER contents of the CRL, we receive the following (somewhat cryptic) error -
Error(InvalidExtensions)
Not exactly sure what it is failing on, as we are able to successfully parse this in openssl (see below) and don't appear to be adding any unusual Extensions onto the CRL itself (we're using some go code to generate the CA / CRL):
OpenSSL Output:
Let me know if anything else is helpful, and the best way to supply them to you. Thanks for your work, much appreciated!