Issue #23222 has been reported by Adrien Thebo.
----------------------------------------
Bug #23222: Structured CSR attributes cannot be displayed by OpenSSL
https://projects.puppetlabs.com/issues/23222
* Author: Adrien Thebo
* Status: Accepted
* Priority: Normal
* Assignee:
* Category: SSL
* Target version: 3.4.0
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
When using `openssl req` to inspect a CSR with custom attributes, the attribute
value cannot be displayed. Given the following `csr_attributes.yaml`:
<pre>
---
custom_attributes:
  1.3.6.1.4.1.34380.2.1: "string data"
  1.3.6.1.4.1.34380.2.2: ['structured', 'data']
extension_requests:
  pp_uuid: '6036aec5-b5a2-4919-9194-8bf8a81d92b9'
</pre>
Inspecting the CSR with `openssl req -in ~/.puppet/csr.pem -noout -text` yields
the following:
<pre>
[...]
        Attributes:
            1.3.6.1.4.1.34380.2.1 :unable to print attribute
            1.3.6.1.4.1.34380.2.2 :unable to print attribute
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.1:
                6036aec5-b5a2-4919-9194-8bf8a81d92b9
[...]
</pre>
This is because the OpenSSL code expects attributes to either be the extReq
attribute, or a custom attribute with a type of `T61String`, `IA5String`, or
`PrintableString`:
(openssl 1.0.1e crypto/asn1/t_req.c lines 206-216)
<pre>
if ( (type == V_ASN1_PRINTABLESTRING) ||
     (type == V_ASN1_T61STRING) ||
     (type == V_ASN1_IA5STRING))
    {
    if (BIO_write(bp,(char *)bs->data,bs->length) != bs->length)
        goto err;
    BIO_puts(bp,"\n");
    }
else
    {
    BIO_puts(bp,"unable to print attribute\n");
    }
</pre>
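To make the check concrete, here is an added example (not code from the bug report, Puppet or OpenSSL) that DER-encodes a PKCS#10 Attribute and applies the same first-value tag test as the quoted `t_req.c` block. It assumes Puppet emits the string value as a UTF8String and the list value as a SEQUENCE of strings, which is consistent with both attributes in the report being reported as unprintable.

```python
# Added example, not code from the bug report, Puppet or OpenSSL: a small DER
# encoder for a PKCS#10 Attribute plus a re-implementation of the type check
# quoted from openssl 1.0.1e t_req.c. Assumptions: Puppet emits the string
# value as UTF8String and the list value as a SEQUENCE of strings.
PRINTABLE, T61, IA5, UTF8, SEQUENCE, SET = 0x13, 0x14, 0x16, 0x0C, 0x30, 0x31

def tlv(tag, content):
    # short-form DER length only (content under 128 bytes), enough for this demo
    return bytes([tag, len(content)]) + content

def oid(dotted):
    # OBJECT IDENTIFIER: first two arcs merged, the rest base-128 encoded
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def attribute(dotted, value_der):
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
    return tlv(SEQUENCE, oid(dotted) + tlv(SET, value_der))

def _header(buf, i):
    # short-form TLV header at offset i -> (tag, content_start, content_end)
    return buf[i], i + 2, i + 2 + buf[i + 1]

def openssl_1_0_1e_prints(attr_der):
    # Same rule as the quoted t_req.c: only the first value's tag is examined,
    # and only PrintableString, T61String and IA5String are written out.
    _, seq_start, _ = _header(attr_der, 0)
    _, _, oid_end = _header(attr_der, seq_start)
    _, set_start, _ = _header(attr_der, oid_end)
    tag, vs, ve = _header(attr_der, set_start)
    if tag in (PRINTABLE, T61, IA5):
        return attr_der[vs:ve].decode("ascii")
    return "unable to print attribute"

# constructed sample attributes matching the csr_attributes.yaml in the report
STRING_ATTR = attribute("1.3.6.1.4.1.34380.2.1", tlv(UTF8, b"string data"))
LIST_ATTR = attribute("1.3.6.1.4.1.34380.2.2",
                      tlv(SEQUENCE, tlv(UTF8, b"structured") + tlv(UTF8, b"data")))
```

Only a value whose first tag is one of the three string types survives the check; a UTF8String or a SEQUENCE wrapper gets the "unable to print attribute" line from the report.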
The specification of CSRs indicates that attributes may be arbitrarily
structured, but the openssl command line is one of the main ways people will
interact with CSRs that carry custom attributes. Changing the CSR attribute
structure to only use string values simplifies the code and interacts better
with openssl; if structured data is needed, it can be serialized as
JSON/YAML/XML/JSONx and deserialized by the consumer of the CSR.