Created on 2016-08-05 09:26 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | | | |
|---|---|---|---|
| File name | Uploaded | Description | Edit |
| rid.pem | christian.heimes, 2016-08-05 09:26 | | |
| 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch | christian.heimes, 2016-08-05 10:48 | review | |
| Messages (5) | | |
|---|---|---|
| msg272020 | Author: Christian Heimes (christian.heimes) * (Python committer) | Date: 2016-08-05 09:26 |
An X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.
```python
>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set
```
The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183. _get_peer_alt_names() fails and returns NULL without setting a proper exception.
It looks like we haven't had tests for GEN_RID as well as some other field types.
Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268
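The colon-split failure described in the report above, as an added example that is not part of the original issue and is not CPython's or OpenSSL's code: a pure-Python model of the step _get_peer_alt_names() performed on the text that GENERAL_NAME_print() writes. The sample strings are constructed to match the shapes the report describes ("label:value" for DNS and IP entries, "Registered ID" followed directly by the OID with no colon). The names `split_naive`, `split_robust` and `decode_alt_names` are assumptions for illustration, and the robust variant is one defensive approach, not the patch that closed this issue.

```python
"""Added example, not code from CPython or OpenSSL: a pure-Python model of the
text-splitting step that broke on GEN_RID, beside a splitter that handles the
edge case and raises a real exception instead of returning a bare sentinel."""

# Constructed sample strings in the shapes GENERAL_NAME_print() writes for a
# few SAN entry types: "<label>:<value>" for DNS and IP addresses, but
# "Registered ID" immediately followed by the OID, with no ':' (the bug).
PRINTED_SAN_ENTRIES = [
    "DNS:www.example.org",
    "IP Address:192.0.2.10",
    "IP Address:2001:DB8::1",       # IPv6: the value itself contains ':'
    "Registered ID1.3.6.1.5.2.2",   # GEN_RID: no ':' between label and OID
]

RID_LABEL = "Registered ID"


def split_naive(printed):
    """Model of the original approach: split the buffer at its first ':'.

    Returns None when no ':' exists, mirroring the C path that returned NULL
    without setting an exception, which Python surfaces as SystemError.
    """
    idx = printed.find(":")
    if idx < 0:
        return None
    return printed[:idx], printed[idx + 1:]


def split_robust(printed):
    """Hypothetical hardened splitter (not the actual CPython fix).

    Recognises the colon-less "Registered ID" prefix explicitly and raises a
    real exception for anything else it cannot parse, so a parse failure
    never propagates as a bare NULL/None with no error information.
    """
    if printed.startswith(RID_LABEL):
        return RID_LABEL, printed[len(RID_LABEL):]
    idx = printed.find(":")
    if idx < 0:
        raise ValueError("unrecognised general name text: %r" % (printed,))
    # Only the first ':' separates label from value; IPv6 literals keep theirs.
    return printed[:idx], printed[idx + 1:]


def decode_alt_names(entries, splitter=split_robust):
    """Produce (type, value) pairs in the shape ssl.getpeercert() uses for
    the 'subjectAltName' key."""
    return tuple(splitter(entry) for entry in entries)


if __name__ == "__main__":
    print(decode_alt_names(PRINTED_SAN_ENTRIES))
    # The naive splitter silently fails on the GEN_RID entry:
    print(split_naive("Registered ID1.3.6.1.5.2.2"))
```

Running the module shows the naive splitter returning None for the Registered ID entry, the model of the silent NULL return that the C code turned into a SystemError, while every other entry (including the IPv6 address whose value contains colons) splits correctly at the first ':'. The robust splitter turns the same input into a ('Registered ID', oid) pair and, for anything it cannot classify, fails loudly with a ValueError rather than a sentinel.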
| msg273240 | Author: Christian Heimes (christian.heimes) * (Python committer) | Date: 2016-08-20 19:00 |
ping

| msg274112 | Author: Antoine Pitrou (pitrou) * (Python committer) | Date: 2016-09-01 09:31 |
I can't comment on this, as I don't even know what a "registered id" is, sorry :-/

| msg274116 | Author: Christian Heimes (christian.heimes) * (Python committer) | Date: 2016-09-01 10:32 |
A GEN_RID is an OID plus some opaque data. It's up to an application to understand an OID and interpret its data. The value of a GEN_RID can be as simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for Kerberos principals. I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS:

```ini
otherName.1 = 1.2.3.4;UTF8:some other identifier
otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:KERBEROS.REALM
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:username
```

1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. FAST pre-auth and SmartCard authentication.
| msg274634 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2016-09-06 21:28 |

New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/9bbf0b31da48

New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/2b9af57af3e4

New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
https://hg.python.org/cpython/rev/74805fd9e734
| History | | | |
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:34 | admin | set | github: 71878 |
| 2016-09-15 15:54:28 | christian.heimes | link | issue28170 superseder |
| 2016-09-09 00:05:05 | christian.heimes | set | status: open -> closed; resolution: fixed; stage: commit review -> resolved |
| 2016-09-06 21:29:37 | christian.heimes | set | stage: test needed -> commit review |
| 2016-09-06 21:28:25 | python-dev | set | nosy: + python-dev; messages: + msg274634 |
| 2016-09-01 10:32:13 | christian.heimes | set | messages: + msg274116 |
| 2016-09-01 09:31:56 | pitrou | set | messages: + msg274112 |
| 2016-08-20 19:00:59 | christian.heimes | set | nosy: + vstinner, Lukasa; type: behavior -> security; messages: + msg273240 |
| 2016-08-05 10:48:44 | christian.heimes | set | files: + 0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch; keywords: + patch |
| 2016-08-05 09:26:35 | christian.heimes | create | |