
Ia5String support #180

Closed
darkseid-is opened this issue Oct 27, 2023 · 10 comments · Fixed by #182

Comments

@darkseid-is

Add support for Ia5String in Distinguished Name. Thank you.

@djc
Member

djc commented Oct 27, 2023

What's your use case? Why do you need this?

@darkseid-is
Author

darkseid-is commented Oct 27, 2023

Trying to create CertificateParams using from_ca_cert_der. The existing certificate contains a subject in Ia5String format. Thank you.

@djc
Member

djc commented Oct 27, 2023

Why is it important to you that the generated certificate has the same type as the existing certificate?

@darkseid-is
Author

The type doesn't matter, but https://docs.rs/rcgen/latest/rcgen/struct.CertificateParams.html#method.from_ca_cert_der fails to parse the certificate if the subject is of type Ia5String.

@cpu
Member

cpu commented Oct 27, 2023

Can you share the certificate? I would expect most certificate subjects to contain organization names, or common names, and those are defined in RFC 5280 as choices of string types that don't include Ia5String. Does the subject contain something unusual like a DomainComponent or is it misencoded?

@darkseid-is
Author

darkseid-is commented Oct 27, 2023

Here is the certificate:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@cpu
Member

cpu commented Oct 27, 2023

Thanks!

It's the emailAddress attribute in the subject causing trouble:

      SET {
        SEQUENCE {
          # emailAddress
          OBJECT_IDENTIFIER { 1.2.840.113549.1.9.1 }
          IA5String { "contact@www.webhosting.htb" }
        }
      }

5280 mentions:

Implementers should note that the at sign ('@') and underscore ('_')
characters are not supported by the ASN.1 type PrintableString.
These characters often appear in Internet addresses.  Such addresses
MUST be encoded using an ASN.1 type that supports them.  They are
usually encoded as IA5String in either the emailAddress attribute
within a distinguished name or the rfc822Name field of GeneralName.

I believe IA5String is equivalent to ASCII so I think it would be feasible to implement support without too much work.
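To make the point above concrete, here is an added, std-only Rust example (not rcgen's code, and not part of the comment above) that encodes and decodes the one-attribute RDN shown in the dump. It tags the value as IA5String (DER tag 0x16), checks that the text really is 7-bit ASCII before emitting it, and returns an error instead of panicking on text that does not fit the chosen string type. The sample value and the OID are the ones from the dump; the function names and the `DnValue` enum are this example's own.

```rust
// Added example (not rcgen's code): a std-only DER encoder/decoder for one
// RelativeDistinguishedName holding a single attribute, showing how an
// IA5String value such as emailAddress is tagged, validated and decoded.

/// emailAddress OID, as printed in the issue's dump (PKCS#9).
pub const OID_EMAIL_ADDRESS: &str = "1.2.840.113549.1.9.1";

#[derive(Debug, PartialEq)]
pub enum DnValue {
    PrintableString(String), // DER tag 0x13
    Ia5String(String),       // DER tag 0x16
}

/// IA5 (ITU-T T.50) is 7-bit ASCII: every byte must be below 0x80.
pub fn is_valid_ia5(s: &str) -> bool {
    s.bytes().all(|b| b < 0x80)
}

/// PrintableString is the smaller repertoire that cannot hold '@' or '_'.
pub fn is_valid_printable(s: &str) -> bool {
    s.bytes().all(|b| b.is_ascii_alphanumeric() || b" '()+,-./:=?".contains(&b))
}

/// Tag-Length-Value with short or long definite-form length.
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if content.len() < 128 {
        out.push(content.len() as u8);
    } else {
        let be = content.len().to_be_bytes();
        let first = be.iter().position(|&b| b != 0).unwrap();
        out.push(0x80 | (be.len() - first) as u8);
        out.extend_from_slice(&be[first..]);
    }
    out.extend_from_slice(content);
    out
}

/// Dotted OID -> base-128 arcs (first two arcs packed into one byte).
fn encode_oid(dotted: &str) -> Vec<u8> {
    let arcs: Vec<u32> = dotted.split('.').map(|a| a.parse().unwrap()).collect();
    let mut out = vec![(arcs[0] * 40 + arcs[1]) as u8];
    for &arc in &arcs[2..] {
        let mut grp = vec![(arc & 0x7F) as u8];
        let mut v = arc >> 7;
        while v > 0 { grp.push(0x80 | (v & 0x7F) as u8); v >>= 7; }
        grp.reverse();
        out.extend(grp);
    }
    out
}

/// Encode `SET { SEQUENCE { OID, value } }`. Returns Err (rather than the
/// panic that #181 describes) when the text does not fit the string type.
pub fn encode_rdn(oid: &str, value: &DnValue) -> Result<Vec<u8>, String> {
    let (tag, s) = match value {
        DnValue::PrintableString(s) if is_valid_printable(s) => (0x13, s),
        DnValue::Ia5String(s) if is_valid_ia5(s) => (0x16, s),
        other => return Err(format!("value not representable: {:?}", other)),
    };
    let attr = [tlv(0x06, &encode_oid(oid)), tlv(tag, s.as_bytes())].concat();
    Ok(tlv(0x31, &tlv(0x30, &attr)))
}

/// Split one TLV off the front of `input`: (tag, content, remainder).
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), String> {
    if input.len() < 2 { return Err("truncated header".into()); }
    let (len, hdr) = if input[1] < 0x80 {
        (input[1] as usize, 2)
    } else {
        let n = (input[1] & 0x7F) as usize;
        if n == 0 || n > 4 || input.len() < 2 + n { return Err("bad length".into()); }
        (input[2..2 + n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), 2 + n)
    };
    let end = hdr + len;
    if end > input.len() { return Err("truncated content".into()); }
    Ok((input[0], &input[hdr..end], &input[end..]))
}

fn decode_oid(bytes: &[u8]) -> Result<String, String> {
    if bytes.is_empty() || *bytes.last().unwrap() & 0x80 != 0 {
        return Err("malformed OID".into());
    }
    let mut arcs = vec![(bytes[0] / 40) as u32, (bytes[0] % 40) as u32];
    let mut acc: u32 = 0;
    for &b in &bytes[1..] {
        acc = acc.checked_mul(128).ok_or("arc overflow")? | (b & 0x7F) as u32;
        if b & 0x80 == 0 { arcs.push(acc); acc = 0; }
    }
    Ok(arcs.iter().map(u32::to_string).collect::<Vec<_>>().join("."))
}

/// Decode the RDN back into (dotted OID, typed value). A string tag the
/// decoder does not know is reported explicitly instead of a bare failure.
pub fn decode_rdn(der: &[u8]) -> Result<(String, DnValue), String> {
    let (t, set, rest) = read_tlv(der)?;
    if t != 0x31 || !rest.is_empty() { return Err("expected a lone SET".into()); }
    let (t, seq, rest) = read_tlv(set)?;
    if t != 0x30 || !rest.is_empty() { return Err("expected one SEQUENCE".into()); }
    let (t, oid, rest) = read_tlv(seq)?;
    if t != 0x06 { return Err("expected OBJECT IDENTIFIER".into()); }
    let (t, val, rest) = read_tlv(rest)?;
    if !rest.is_empty() { return Err("trailing bytes in attribute".into()); }
    let s = std::str::from_utf8(val).map_err(|e| e.to_string())?;
    let value = match t {
        0x13 if is_valid_printable(s) => DnValue::PrintableString(s.to_string()),
        0x16 if is_valid_ia5(s) => DnValue::Ia5String(s.to_string()),
        _ => return Err(format!("unsupported or malformed string, tag 0x{:02x}", t)),
    };
    Ok((decode_oid(oid)?, value))
}

fn main() {
    // Constructed sample: the emailAddress attribute from the issue's dump.
    let email = DnValue::Ia5String("contact@www.webhosting.htb".to_string());
    let der = encode_rdn(OID_EMAIL_ADDRESS, &email).expect("valid IA5");
    println!("{:02x?}", der);
    println!("{:?}", decode_rdn(&der));
    // Non-ASCII text is refused up front instead of producing bad DER.
    println!("{:?}", encode_rdn(OID_EMAIL_ADDRESS, &DnValue::Ia5String("cóntact@x".into())));
}
```

The encoded bytes for the sample start `31 29 30 27 06 09 2a 86 48 86 f7 0d 01 09 01 16 1a ...`: the `16` is the IA5String tag and `1a` the 26-byte length of the address. A parser that only matches tags 0x13 (PrintableString) and 0x0c (UTF8String) lands in the fall-through arm here, which is the shape of the failure the issue reports.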

@cpu
Member

cpu commented Oct 27, 2023

@darkseid-is with the code in #182 I'm able to use CertificateParams::from_ca_cert_der with your example certificate without error.

@cpu cpu closed this as completed in #182 Oct 30, 2023
github-merge-queue bot pushed a commit that referenced this issue Oct 30, 2023
This branch adds basic support for emitting and parsing distinguished name values that are Ia5Strings. For example, email address attributes in a certificate subject distinguished name.

Note that because of #181 this code will panic when emitting invalid Ia5String values. This problem is general to rcgen's handling of ASN.1 string types and so isn't addressed with additional care in this branch. A broader rework is required.

Along the way I also fixed a warning from #176 related to where we were defining the custom `profile.dev.package.num-bigint-dig` profile metadata.

Resolves #180
@cpu
Member

cpu commented Oct 30, 2023

This is fixed in the main branch.

@darkseid-is
Author

Thanks for the fix guys.
