Here is the test certificate. I yanked over the exact openssl code in the
'case GEN_IPADD' (listed in the bug notes) into an application code to print
out the IP string but got "::21" as shown in the code snip below.
The code pasted was:
                for (i = 0; i < 8; i++)
                        {
                        snprintf(out, sizeof(out), ":%X", p[0] << 8 | p[1]);
                        p += 2;
                        }
                }
                printf("IP Address:%s\n", out);---> Printed "::21"

Pl. let me know if you need more info.


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f1:bd:41:c6:15:1c:22:a1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Tupac
        Validity
            Not Before: Sep  4 00:00:07 2009 GMT
            Not After : Sep  3 00:00:07 2012 GMT
        Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Tupac
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F9:82:F3:BC:D4:4C:79:00:35:79:86:A4:12:B6:1D:B6:DB:A5:0F:6D
            X509v3 Authority Key Identifier:
                keyid:F9:82:F3:BC:D4:4C:79:00:35:79:86:A4:12:B6:1D:B6:DB:A5:0F:6D
                DirName:/C=US/ST=CA/O=Internet Widgits Pty Ltd/CN=Tupac
                serial:F1:BD:41:C6:15:1C:22:A1

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Alternative Name:
                IP Address:2001:0:0:0:0:0:0:21
    Signature Algorithm: sha1WithRSAEncryption



On Wed, Sep 9, 2009 at 4:35 AM, Stephen Henson via RT <r...@openssl.org> wrote:

> > [vineet.ku...@gmail.com - Wed Sep 09 08:12:07 2009]:
> >
> > I noticed in GENERAL_NAME_print() code the following parsing code which has
> > a bug.
> >
> > When my test certificate's subjectAltName has "IP Address: 2001::21"
> > [expanded out v6 style of course], then the code below ends up printing
> > “::21” instead of “2001::21”.
> >
> > Note that when I use inet_ntop(AF_INET6, p, ....) it all works fine and I
> > get "2001::21".
> >
> >                case GEN_IPADD:
> >                p = gen->d.ip->data;
> >                if(gen->d.ip->length == 4)
> >                        BIO_snprintf(oline, sizeof oline,
> >                                     "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
> >                else if(gen->d.ip->length == 16) /* -------> IPv6 */
> >                        {
> >                        oline[0] = 0;
> >                        for (i = 0; i < 8; i++)
> >                                {
> >                                BIO_snprintf(htmp, sizeof htmp,
> >                                            "%X", p[0] << 8 | p[1]);
> >                                p += 2;
> >                                strcat(oline, htmp);
> >                                if (i != 7)
> >                                       strcat(oline, ":");
> >                                }
> >                        }
> >
>
> I've not managed to reproduce this. I created a certificate with an IP
> of 2001::21 and it was printed out fine (well in full with the
> additional zeroes). Can you attach or send me a certificate where the
> address is incorrectly printed out?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
>
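
Added example, not code from the thread or from OpenSSL: a bounds-checked formatter that appends each 16-bit group the way the quoted GEN_IPADD branch does, next to a variant that writes every group at the start of the buffer. `format_ipadd`, `format_overwrite` and `SAMPLE_IP` are hypothetical names; the sample bytes are constructed from the address shown in the certificate dump.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 16 iPAddress bytes behind the SAN shown in the
 * certificate dump (2001:0:0:0:0:0:0:21). */
static const unsigned char SAMPLE_IP[16] = {
    0x20, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x21
};

/* Appends each group at the current offset, with explicit bounds tracking.
 * Returns 0 on success, -1 on a bad length or a too-small buffer. */
int format_ipadd(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t off = 0;
    int n, i;
    if (len == 4) {
        n = snprintf(out, outlen, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    if (len != 16)
        return -1;                      /* not a 4- or 16-byte address */
    for (i = 0; i < 8; i++, p += 2) {
        n = snprintf(out + off, outlen - off, "%s%X",
                     i ? ":" : "", (unsigned)(p[0] << 8 | p[1]));
        if (n < 0 || (size_t)n >= outlen - off)
            return -1;                  /* output would be truncated */
        off += (size_t)n;
    }
    return 0;
}

/* Overwriting variant: every call writes at out[0], so only the last
 * group is left in the buffer after the loop. */
void format_overwrite(const unsigned char *p, char *out, size_t outlen)
{
    int i;
    for (i = 0; i < 8; i++, p += 2)
        snprintf(out, outlen, ":%X", (unsigned)(p[0] << 8 | p[1]));
}

int main(void)
{
    char a[64], b[64];
    if (format_ipadd(SAMPLE_IP, sizeof SAMPLE_IP, a, sizeof a) == 0)
        printf("appending:   %s\n", a);
    format_overwrite(SAMPLE_IP, b, sizeof b);
    printf("overwriting: %s\n", b);
    return 0;
}
```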
