cpu
commented
1 year ago @chifflier Gentle bump - would love to see this small fix land in-tree.
Closed cpu closed 8 months ago
cpu
commented
1 year ago @chifflier Gentle bump - would love to see this small fix land in-tree.
chifflier
commented
8 months ago Hi, Good catch, thanks! Indeed, these fields are IMPLICIT. Since they are only seldomly encountered, it's not really surprising the bug was not triggered before. Thank you for the detailed report and the fix.
Description
The
issuerUniqueIdandsubjectUniqueIdfields of a TBSCertificate are being parsed as an explicitly tagged bit string when RFC 5280 describes it as implicit:Because of this mismatch the real world examples I've found of certificates with these fields present fail to parse using
x509-parser, with the errorInvalidIssuerUID. I've included one that I found using Censys as a test asset.I suspect this bug hasn't bubbled up before because RFC5280 forbids CAs from issuing certs with these fields when adhering to the defined profile, making their use rare.
Fix
This commit fixes
parseto expect implicit tagging and adds a unit test parsing the exemplar certificate to ensure a certificate with subject/issuer UIDs can be parsed successfully.Testing
Running the unit test without the fix fails:
``` running 1 test test test_tbscert_unique_identifiers ... FAILED failures: ---- test_tbscert_unique_identifiers stdout ---- thread 'test_tbscert_unique_identifiers' panicked at 'parsing failed: Error(InvalidIssuerUID)', tests/readcert.rs:366:50 stack backtrace: 0: rust_begin_unwind 1: core::panicking::panic_fmt 2: core::result::unwrap_failed 3: core::result::ResultWith the fix, it passes:
``` test test_tbscert_unique_identifiers ... ok ``` ``` ❯ openssl x509 -inform der -in assets/unique_ids.der -noout -text | grep "Unique ID" -A1 Issuer Unique ID: 30:16:80:14:c5:78:84:b8:0c:6e:8c:4c:ce:b9:94:6f:98:fc: f3:8a:54:b1:80:e0 Subject Unique ID: 04:14:df:13:ac:69:14:90:62:db:3d:e9:b4:56:e6:a6:90:26: bf:2c:ef:81 ```