rustls / rcgen

Generate X.509 certificates, CSRs

InvalidNameType error when parsing IZENPE RootCA #294

Closed SecSamDev closed 3 weeks ago

SecSamDev commented 3 weeks ago

The following RootCA certificate cannot be processed with rcgen giving an error "InvalidNameType". The certificate can be found installed in /etc/ssl/certs/Izenpe.com.pem

$ cat /etc/ssl/certs/Izenpe.com.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Version:          3 (0x02)
Serial number:    917563065490389241595536686991402621 (0x00b0b75a16485fbfe1cbf58bd719e67d)
Algorithm ID:     SHA256withRSA
Validity
  Not Before:     13/12/2007 13:08:28 (dd-mm-yyyy hh:mm:ss) (071213130828Z)
  Not After:      13/12/2037 08:27:25 (dd-mm-yyyy hh:mm:ss) (371213082725Z)
Issuer
  C  = ES
  O  = IZENPE S.A.
  CN = Izenpe.com
Subject
  C  = ES
  O  = IZENPE S.A.
  CN = Izenpe.com
Public Key
  Algorithm:      RSA
  Length:         4096 bits
  Modulus:        c9:d3:7a:ca:0f:1e:ac:a7:86:e8:16:65:6a:b1:c2:1b:
                  45:32:71:95:d9:fe:10:5b:cc:af:e7:a5:79:01:8f:89:
                  c3:ca:f2:55:71:f7:77:be:77:94:f3:72:a4:2c:44:d8:
                  9e:92:9b:14:3a:a1:e7:24:90:0a:0a:56:8e:c5:d8:26:
                  94:e1:d9:48:e1:2d:3e:da:0a:72:dd:a3:99:15:da:81:
                  a2:87:f4:7b:6e:26:77:89:58:ad:d6:eb:0c:b2:41:7a:
                  73:6e:6d:db:7a:78:41:e9:08:88:12:7e:87:2e:66:11:
                  63:6c:54:fb:3c:9d:72:c0:bc:2e:ff:c2:b7:dd:0d:76:
                  e3:3a:d7:f7:b4:68:be:a2:f5:e3:81:6e:c1:46:6f:5d:
                  8d:e0:4d:c6:54:55:89:1a:33:31:0a:b1:57:b9:a3:8a:
                  98:c3:ec:3b:34:c5:95:41:69:7e:75:c2:3c:20:c5:61:
                  ba:51:47:a0:20:90:93:a1:90:4b:f3:4e:7c:85:45:54:
                  9a:d1:05:26:41:b0:b5:4d:1d:33:be:c4:03:c8:25:7c:
                  c1:70:db:3b:f4:09:2d:54:27:48:ac:2f:e1:c4:ac:3e:
                  c8:cb:92:4c:53:39:37:23:ec:d3:01:f9:e0:09:44:4d:
                  4d:64:c0:e1:0d:5a:87:22:bc:ad:1b:a3:fe:26:b5:15:
                  f3:a7:fc:84:19:e9:ec:a1:88:b4:44:69:84:83:f3:89:
                  d1:74:06:a9:cc:0b:d6:c2:de:27:85:50:26:ca:17:b8:
                  c9:7a:87:56:2c:1a:01:1e:6c:be:13:ad:10:ac:b5:24:
                  f5:38:91:a1:d6:4b:da:f1:bb:d2:de:47:b5:f1:bc:81:
                  f6:59:6b:cf:19:53:e9:8d:15:cb:4a:cb:a9:6f:44:e5:
                  1b:41:cf:e1:86:a7:ca:d0:6a:9f:bc:4c:8d:06:33:5a:
                  a2:85:e5:90:35:a0:62:5c:16:4e:f0:e3:a2:fa:03:1a:
                  b4:2c:71:b3:58:2c:de:7b:0b:db:1a:0f:eb:de:21:1f:
                  06:77:06:03:b0:c9:ef:99:fc:c0:b9:4f:0b:86:28:fe:
                  d2:b9:ea:e3:da:a5:c3:47:69:12:e0:db:f0:f6:19:8b:
                  ed:7b:70:d7:02:d6:ed:87:18:28:2c:04:24:4c:77:e4:
                  48:8a:1a:c6:3b:9a:d4:0f:ca:fa:75:d2:01:40:5a:8d:
                  79:bf:8b:cf:4b:cf:aa:16:c1:95:e4:ad:4c:8a:3e:17:
                  91:d4:b1:62:e5:82:e5:80:04:a4:03:7e:8d:bf:da:7f:
                  a2:0f:97:4f:0c:d3:0d:fb:d7:d1:e5:72:7e:1c:c8:77:
                  ff:5b:9a:0f:b7:ae:05:46:e5:f1:a8:16:ec:47:a4:17
  Exponent:       65537 (0x10001)
Certificate Signature
  Algorithm:      SHA256withRSA
  Signature:      78:a6:0c:16:4a:9f:4c:88:3a:c0:cb:0e:a5:16:7d:9f:
                  b9:48:5f:18:8f:0d:62:36:f6:cd:19:6b:ac:ab:d5:f6:
                  91:7d:ae:71:f3:3f:b3:0e:78:85:9b:95:a4:27:21:47:
                  42:4a:7c:48:3a:f5:45:7c:b3:0c:8e:51:78:ac:95:13:
                  de:c6:fd:7d:b8:1a:90:4c:ab:92:03:c7:ed:42:01:ce:
                  0f:d8:b1:fa:a2:92:e1:60:6d:ae:7a:6b:09:aa:c6:29:
                  ee:68:49:67:30:80:24:7a:31:16:39:5b:7e:f1:1c:2e:
                  dd:6c:09:ad:f2:31:c1:82:4e:b9:bb:f9:be:bf:2a:85:
                  3f:c0:40:a3:3a:59:fc:59:4b:3c:28:24:db:b4:15:75:
                  ae:0d:88:ba:2e:73:c0:bd:58:87:e5:42:f2:eb:5e:ee:
                  1e:30:22:99:cb:37:d1:c4:21:6c:81:ec:be:6d:26:e6:
                  1c:e4:42:20:9e:47:b0:ac:83:59:70:2c:35:d6:af:36:
                  34:b4:cd:3b:f8:32:a8:ef:e3:78:89:fb:8d:45:2c:da:
                  9c:b8:7e:40:1c:61:e7:3e:a2:92:2c:4b:f2:cd:fa:98:
                  b6:29:ff:f3:f2:7b:a9:1f:2e:a0:93:57:2b:de:85:03:
                  f9:69:37:cb:9e:78:6a:05:b4:c5:31:78:89:ec:7a:a7:
                  85:e1:b9:7b:3c:de:be:1e:79:84:ce:9f:70:0e:59:c2:
                  35:2e:90:2a:31:d9:e4:45:7a:41:a4:2e:13:9b:34:0e:
                  66:7b:49:ab:64:97:d0:46:c3:79:9d:72:50:63:a6:98:
                  5b:06:bd:48:6d:d8:39:83:70:e8:35:f0:05:d1:aa:bc:
                  e3:db:c8:02:ea:7c:fd:82:da:c2:5b:52:35:ae:98:3a:
                  ad:ba:35:93:23:a7:1f:48:dd:35:46:98:b2:10:68:e4:
                  a5:31:c2:0a:58:2e:19:81:10:c9:50:75:fc:ea:5a:16:
                  ce:11:d7:ee:ef:50:88:2d:61:ff:3f:42:73:05:94:43:
                  d5:8e:3c:4e:01:3a:19:a5:1f:46:4e:77:d0:5d:e5:81:
                  22:21:87:fe:94:7d:84:d8:93:ad:d6:68:43:48:b2:db:
                  eb:73:24:e7:91:7f:54:a4:b6:80:3e:9d:a3:3c:4c:72:
                  c2:57:c4:a0:d4:cc:38:27:ce:d5:06:9e:a2:48:d9:e9:
                  9f:ce:82:70:36:93:9a:3b:df:96:21:e3:59:b7:0c:da:
                  91:37:f0:fd:59:5a:b3:99:c8:69:6c:43:26:01:35:63:
                  60:55:89:03:3a:75:d8:ba:4a:d9:54:ff:ee:de:80:d8:
                  2d:d1:38:d5:5e:2d:0b:98:7d:3e:6c:db:fc:26:88:c7

Extensions
  subjectAltName :
    rfc822: info@izenpe.com
    dn: /O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/STREET=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz
  basicConstraints CRITICAL:
    cA=true
  keyUsage CRITICAL:
    keyCertSign,cRLSign
  subjectKeyIdentifier :
    1d1c650ea8f2257bb491cfe4b1b1e6bd55746c05

cpu commented 3 weeks ago

The following RootCA certificate cannot be processed with rcgen giving an error "InvalidNameType".

@SecSamDev Can you expand on what processing you're doing?

I believe the cause of the problem is the directoryName type SAN general name in this cert. Rcgen's support for converting general names from a pre-existing cert to its internal representation doesn't support that type.

SecSamDev commented 3 weeks ago

I was testing how rcgen worked by parsing the certificates in /etc/ssl/certs and discovered that IZENPE was failing to parse.

You're right, general names aren't being converted, but wouldn't it be better to just silently ignore the ones that can't be converted? Or maybe provide an alternative method for doing so?

cpu commented 3 weeks ago

wouldn't it be better to just silently ignore the ones that can't be converted?

I'm not sure. I'm personally fairly wary of the existing CertificateParams::from_ca_cert_pem|der() API since it's lossy - not all attributes of the certificate are translated into fields on CertificateParams. Could the general name parsing be relaxed to further increase that "lossiness"? Probably, but I'm not sure it's the right direction.

I was testing how rcgen worked by parsing the certificates in /etc/ssl/certs

Taking a step back here: if your goal is to accurately parse and represent the data from your system's CA certificates I would argue that using x509-parser is a better route. That's what CertificateParams::from_ca_cert_*() is using under the hood and it can already represent the SANs from your example certificate without error.

I think of rcgen's API surface here as primarily suited for cases where you control the private key associated with the pre-existing certificate and want to issue new certificates, signing requests, or associated signed objects. That's certainly not the case for the IZENPE root (I hope ;-)).
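The lossy-conversion point made in this comment and the directoryName cause identified in the earlier one, as an added example in std-only Rust (not rcgen's or x509-parser's code): a small DER walker for the SubjectAltName extension value that keeps every GeneralName, next to a strict converter that fails on the first kind it cannot represent and a lossy one that skips but counts them. The GeneralName tag numbers are from RFC 5280; `SimpleSan`, `to_simple`, `convert_strict`, `convert_lossy` and the sample SAN (an rfc822Name plus a directoryName carrying O=IZENPE S.A., built inline) are assumptions for this example, not rcgen types and not bytes taken from the issue's certificate.

```rust
// Added example, not rcgen's or x509-parser's code. Walks the DER value of a
// SubjectAltName extension (SEQUENCE OF GeneralName) with std only, then shows the
// two ways a limited target representation can handle kinds it does not support.
// GeneralName tags follow RFC 5280; everything named Simple*/to_simple is assumed.

#[derive(Debug, Clone, PartialEq)]
pub enum GeneralName {
    Rfc822Name(String),     // [1] IMPLICIT IA5String
    DnsName(String),        // [2] IMPLICIT IA5String
    DirectoryName(Vec<u8>), // [4] EXPLICIT Name, kept as raw DER here
    Uri(String),            // [6] IMPLICIT IA5String
    IpAddress(Vec<u8>),     // [7] IMPLICIT OCTET STRING
    Other(u8, Vec<u8>),     // otherName, x400Address, ediPartyName, registeredID: raw
}

#[derive(Debug, PartialEq)]
pub enum SanError {
    Truncated,
    BadLength,
    NotASequence,
    InvalidNameType(GeneralName), // conversion hit a kind the target cannot hold
}

/// Read one TLV at `pos`: (tag, contents, position after it). Short and long
/// definite lengths are accepted; indefinite length (0x80) is not valid DER.
fn read_tlv(buf: &[u8], pos: usize) -> Result<(u8, &[u8], usize), SanError> {
    let tag = *buf.get(pos).ok_or(SanError::Truncated)?;
    let first = *buf.get(pos + 1).ok_or(SanError::Truncated)?;
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize; // number of length bytes that follow
        if n == 0 || n > 4 { return Err(SanError::BadLength); }
        let bytes = buf.get(pos + 2..pos + 2 + n).ok_or(SanError::Truncated)?;
        (bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), 2 + n)
    };
    let end = (pos + hdr).checked_add(len).ok_or(SanError::BadLength)?;
    let contents = buf.get(pos + hdr..end).ok_or(SanError::Truncated)?;
    Ok((tag, contents, end))
}

fn ia5(c: &[u8]) -> String {
    String::from_utf8_lossy(c).into_owned()
}

/// Parse a SubjectAltName value into every GeneralName it carries, losing nothing.
pub fn parse_san(der: &[u8]) -> Result<Vec<GeneralName>, SanError> {
    let (tag, body, end) = read_tlv(der, 0)?;
    if tag != 0x30 || end != der.len() { return Err(SanError::NotASequence); }
    let (mut names, mut pos) = (Vec::new(), 0);
    while pos < body.len() {
        let (tag, c, next) = read_tlv(body, pos)?;
        names.push(match tag {
            0x81 => GeneralName::Rfc822Name(ia5(c)),
            0x82 => GeneralName::DnsName(ia5(c)),
            0xA4 => GeneralName::DirectoryName(c.to_vec()),
            0x86 => GeneralName::Uri(ia5(c)),
            0x87 => GeneralName::IpAddress(c.to_vec()),
            t => GeneralName::Other(t, c.to_vec()),
        });
        pos = next;
    }
    Ok(names)
}

/// Hypothetical limited target (assumption, not rcgen's CertificateParams).
#[derive(Debug, Clone, PartialEq)]
pub enum SimpleSan { Email(String), Dns(String), Uri(String), Ip(Vec<u8>) }

/// Map one GeneralName onto the target; None means "cannot be represented".
fn to_simple(n: &GeneralName) -> Option<SimpleSan> {
    match n {
        GeneralName::Rfc822Name(s) => Some(SimpleSan::Email(s.clone())),
        GeneralName::DnsName(s) => Some(SimpleSan::Dns(s.clone())),
        GeneralName::Uri(s) => Some(SimpleSan::Uri(s.clone())),
        GeneralName::IpAddress(b) => Some(SimpleSan::Ip(b.clone())),
        GeneralName::DirectoryName(_) | GeneralName::Other(..) => None,
    }
}

/// Strict: the first unsupported kind aborts, like the InvalidNameType in the issue.
pub fn convert_strict(names: &[GeneralName]) -> Result<Vec<SimpleSan>, SanError> {
    names.iter().map(|n| to_simple(n).ok_or_else(|| SanError::InvalidNameType(n.clone()))).collect()
}

/// Lossy: unsupported kinds are skipped but counted, so the caller can see how
/// much of the identity the certificate binds would not be carried forward.
pub fn convert_lossy(names: &[GeneralName]) -> (Vec<SimpleSan>, usize) {
    let kept: Vec<SimpleSan> = names.iter().filter_map(to_simple).collect();
    let dropped = names.len() - kept.len();
    (kept, dropped)
}

/// DER TLV encoder (short and long form), used only to build the sample input.
fn tlv(tag: u8, contents: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if contents.len() < 0x80 {
        out.push(contents.len() as u8);
    } else {
        let sig: Vec<u8> = contents.len().to_be_bytes().iter().copied().skip_while(|&b| b == 0).collect();
        out.push(0x80 | sig.len() as u8);
        out.extend(sig);
    }
    out.extend_from_slice(contents);
    out
}

/// Constructed sample with the shape of the issue's SAN: an rfc822Name plus a
/// directoryName (a one-attribute Name, O=IZENPE S.A.; OID 2.5.4.10 = 55 04 0a).
pub fn sample_san() -> Vec<u8> {
    let attr = tlv(0x30, &[tlv(0x06, &[0x55, 0x04, 0x0a]), tlv(0x13, b"IZENPE S.A.")].concat());
    let name = tlv(0x30, &tlv(0x31, &attr));
    tlv(0x30, &[tlv(0x81, b"info@izenpe.com"), tlv(0xA4, &name)].concat())
}

fn main() {
    let names = parse_san(&sample_san()).expect("valid DER");
    println!("parsed {} general names: {:?}", names.len(), names);
    println!("strict: {:?}", convert_strict(&names));
    println!("lossy (kept, dropped): {:?}", convert_lossy(&names));
}
```

Returning the dropped count rather than skipping silently is the difference that matters for a caller that re-issues from converted parameters: it can tell that a name the original certificate binds would be absent from what it signs next. The Name inside the directoryName is kept as raw DER here; decoding it is the part the x509-parser crate already does.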

SecSamDev commented 3 weeks ago

Thank you so much, I will try to use that library. Even so, for someone who has a CA certificate to sign with parameters not supported by rcgen, it would be interesting to have an alternative that does not involve having to translate parameters from one library to another.