[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes :


--
resolution:  -> fixed
stage: commit review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-09-06 Thread Christian Heimes

Changes by Christian Heimes :


--
stage: test needed -> commit review




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-09-06 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 9bbf0b31da48 by Christian Heimes in branch '3.5':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name 
fields in X.509 certs.
https://hg.python.org/cpython/rev/9bbf0b31da48

New changeset 2b9af57af3e4 by Christian Heimes in branch 'default':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name 
fields in X.509 certs.
https://hg.python.org/cpython/rev/2b9af57af3e4

New changeset 74805fd9e734 by Christian Heimes in branch '2.7':
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name 
fields in X.509 certs.
https://hg.python.org/cpython/rev/74805fd9e734

--
nosy: +python-dev




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-09-01 Thread Christian Heimes

Christian Heimes added the comment:

A GEN_RID is an OID plus some opaque data. It's up to an application to 
understand an OID and interpret its data. The value of a GEN_RID can be as 
simple as an int or UTF-8 strings or as complex as a nested ASN.1 struct for 
Kerberos principals.

I have modified Lib/test/make_ssl_certs.py to include two GEN_RIDS: 

  otherName.1 = 1.2.3.4;UTF8:some other identifier
  otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:princ_name

  [princ_name]
  realm = EXP:0, GeneralString:KERBEROS.REALM
  principal_name = EXP:1, SEQUENCE:principal_seq
  [principal_seq]
  name_type = EXP:0, INTEGER:1
  name_string = EXP:1, SEQUENCE:principals
  [principals]
  princ1 = GeneralString:username

1.3.6.1.5.2.2 is the OID for Kerberos public key init (pkinit), used for e.g. 
FAST pre-auth and SmartCard authentication.

--




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-09-01 Thread Antoine Pitrou

Antoine Pitrou added the comment:

I can't comment on this, as I don't even know what a "registered id" is, sorry 
:-/

--




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-08-20 Thread Christian Heimes

Christian Heimes added the comment:

ping

--
nosy: +Lukasa, haypo
type: behavior -> security




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-08-05 Thread Christian Heimes

Changes by Christian Heimes :


--
keywords: +patch
Added file: 
http://bugs.python.org/file44018/0001-Fix-handling-of-GEN_RID-in-X.509-subjectAltName-fiel.patch




[issue27691] X509 cert with GEN_RID subject alt name causes SytemError

2016-08-05 Thread Christian Heimes

New submission from Christian Heimes:

An X509 cert with a registered id general name in subject alternative name 
causes a SystemError: error return without exception set. This prevents host 
name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "", line 1, in 
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. 
Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, 
GEN_RID and others into a buffer. The buffer is then split at ':' into two 
strings. This works for all fields except for GEN_RID because OpenSSL doesn't 
put a ':' after 'Registered ID', 
https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . 
_get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field 
types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

--
components: Extension Modules
files: rid.pem
messages: 272020
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
stage: test needed
status: open
title: X509 cert with GEN_RID subject alt name causes SytemError
type: behavior
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44014/rid.pem

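As an added example (not CPython's or OpenSSL's code), the following Python model reproduces the ':' splitting that the report above describes, shows why a GEN_RID entry made the old code fail, and pairs it with the kind of explicit handling the fix needed. The buffer strings are constructed to match the "label:value" shape GENERAL_NAME_print() produces, and the dotted OID after "Registered ID" is an assumed sample, not the contents of rid.pem.

```python
# Added example: model of how _get_peer_alt_names() split the text that
# OpenSSL's GENERAL_NAME_print() wrote into a buffer, before and after the
# GEN_RID fix. None of this is CPython's actual C code.
from typing import Optional, Tuple

# Constructed samples of GENERAL_NAME_print() output for three SAN types.
SAMPLE_BUFFERS = [
    "IP Address:127.0.0.1",       # GEN_IPADD
    "email:admin@example.test",   # GEN_EMAIL
    "Registered ID1.2.3.4",       # GEN_RID: OpenSSL writes no ':' here
]

RID_LABEL = "Registered ID"


def split_buggy(buf: str) -> Optional[Tuple[str, str]]:
    """Pre-fix behaviour: split at the first ':' and give up if absent.

    The None here stands for the C function returning NULL without
    setting an exception, which the interpreter reported as
    'SystemError: error return without exception set'.
    """
    if ":" not in buf:
        return None
    label, value = buf.split(":", 1)
    return label, value


def split_fixed(buf: str) -> Tuple[str, str]:
    """Post-fix behaviour: special-case the GEN_RID label, and raise a
    real exception for any other unexpected format instead of failing
    silently."""
    if buf.startswith(RID_LABEL):
        # The OID text follows the label directly, with no separator.
        return RID_LABEL, buf[len(RID_LABEL):]
    if ":" not in buf:
        raise ValueError(f"unexpected general name format: {buf!r}")
    label, value = buf.split(":", 1)
    return label, value


def decode_alt_names(buffers) -> Tuple[Tuple[str, str], ...]:
    """Decode all SAN buffers with the fixed splitter into (type, value)
    pairs, the shape ssl exposes under 'subjectAltName'."""
    return tuple(split_fixed(b) for b in buffers)


if __name__ == "__main__":
    for b in SAMPLE_BUFFERS:
        print(f"{b!r}: buggy={split_buggy(b)!r} fixed={split_fixed(b)!r}")
```

Hostname matching only ever consults the DNS and IP Address entries, so once the registered id decodes cleanly it is simply carried along as an opaque (type, value) pair rather than aborting validation of the whole certificate.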