Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IpAddress SANs are invalid #25

Closed
passcod opened this issue Sep 14, 2019 · 3 comments
Closed

IpAddress SANs are invalid #25

passcod opened this issue Sep 14, 2019 · 3 comments
Labels
bug Something isn't working

Comments

@passcod
Copy link

passcod commented Sep 14, 2019

Not super sure why this is writing CIDRs?

The OID description expects only an octet string under the tag IPAddress:

IPAddress	[7] OCTET STRING,

and OpenSSL marks rcgen-generated IP fields as invalid:

X509v3 Subject Alternative Name:
    IP Address:<invalid>

Generating IPAddress SANs with OpenSSL makes [u8; 4] and [u8; 16] for IP v4 and v6 respectively, and not CIDRs with the mask.

TaggedDerValue {
    tag: Tag {
        tag_class: ContextSpecific,
        tag_number: 7,
    },
    pcbit: Primitive,
    value: [
        1,
        2,
        3,
        4,
    ],
}
@passcod passcod mentioned this issue Sep 14, 2019
Closed
@est31
Copy link
Member

est31 commented Sep 14, 2019

Oh, I think I know the mistake. I was following this text from RFC 5280:

The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
the following additions specifically for name constraints. For IPv4
addresses, the iPAddress field of GeneralName MUST contain eight (8)
octets, encoded in the style of RFC 4632 (CIDR) to represent an
address range [RFC4632]. For IPv6 addresses, the iPAddress field
MUST contain 32 octets similarly encoded. For example, a name
constraint for "class C" subnet 192.0.2.0 is represented as the
octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
192.0.2.0/24 (mask 255.255.255.0).

I only realized now that it's from the name constraints section and not from the subject alternative name section. The spec has this text for the subject alternative name section:

When the subjectAltName extension contains an iPAddress, the address
MUST be stored in the octet string in "network byte order", as
specified in [RFC791]. The least significant bit (LSB) of each octet
is the LSB of the corresponding byte in the network address. For IP
version 4, as specified in [RFC791], the octet string MUST contain
exactly four octets. For IP version 6, as specified in
[RFC2460], the octet string MUST contain exactly sixteen octets.

It should be easy to change it though. Will do this later today.

@est31 est31 added the bug Something isn't working label Sep 14, 2019
@est31 est31 closed this as completed in b1e5abd Sep 14, 2019
@est31
Copy link
Member

est31 commented Sep 14, 2019

@passcod can you try whether current master fixes it for you? If so, I'll make a new bugfix release.

Also wondering how I can add tests for this stuff... webpki doesn't support ip addresses (see briansmith/webpki#54) and the openssl test infrastructure doesn't involve full validation. I guess we'll need some additional mock code for openssl.

@passcod
Copy link
Author

passcod commented Sep 14, 2019

That works perfectly now

@tsoutsman tsoutsman mentioned this issue Jan 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@passcod @est31