Puppet / PUP-4467

Netscape comment extension uses wrong encoding

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: PUP 4.0.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      The value for a Netscape Comment certificate extension is supposed to be an ASN.1 OctetString which wraps an IA5String. Originally, I believe this was documented here, but this link no longer appears to be active:

      http://wp.netscape.com/eng/security/cert-exts.html

      References to this needing to be an IA5String, however, appear in some other places:

      Prior to Puppet 4, the Ruby Puppet CA would generate the Netscape Comment extension value as a raw OctetString, not wrapping a String of another type. This was incorrect. Per the work done in PUP-3560, however, the Ruby Puppet CA now generates the extension value as an OctetString wrapping a UTF8String. Different, but also incorrect. Note that the Puppet Server CA - both versions 1.x and 2.x - correctly generates the Netscape Comment extension value as an OctetString wrapping an IA5String.


      Steps to reproduce:

      1) Install puppet-agent 1.x.
      2) Run export RUBYLIB=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby.
      3) Run export PATH=/opt/puppetlabs/puppet/bin:$PATH.
      4) Run puppet master --no-daemonize --debug --trace --verbose --confdir=/etc/puppetlabs/puppet --vardir=/opt/puppetlabs/puppet/cache.
      5) After the WEBrick Puppet master has started, an /etc/puppetlabs/puppet/ssl/certs/[myhost].pem file should exist. On that file, run openssl asn1parse -in [myhost].pem.

      The output from the command could include:

      702:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
      713:d=5  hl=2 l=  42 prim: OCTET STRING      [HEX DUMP]:0C2850757070657420527562792F4F70656E53534C20496E7465726E616C204365727469666963617465
      

      Note that the "0C" at the beginning of the OCTET STRING in this case indicates that the value is encoded as a UTF8String, whereas the value should start with "16", the hex tag value for IA5String. See http://www.obj-sys.com/asn1tutorial/node124.html for a list of ASN.1 universal tag numbers.
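      The check described above can be done programmatically instead of by eye. The following is an added example, not Puppet's own code: it decodes the OCTET STRING body quoted in the asn1parse output, reports whether the inner string is an IA5String (tag 0x16) or a UTF8String (tag 0x0C), and builds the nsComment extension both ways with Ruby's OpenSSL::ASN1 so the two encodings can be compared. The helper names (netscape_comment_inner, classify_comment_octets, classify_extension_der) are hypothetical; REPORTED_HEX is the hex dump from this issue, and COMMENT_TEXT is its decoded content.

```ruby
require 'openssl'

# Added example, not Puppet's code. Constructed input: the OCTET STRING hex dump
# quoted in the issue's asn1parse output, and the comment text it carries.
REPORTED_HEX = '0C2850757070657420527562792F4F70656E53534C20496E7465726E616C204365727469666963617465'
COMMENT_TEXT = 'Puppet Ruby/OpenSSL Internal Certificate'
NS_COMMENT_OID = '2.16.840.1.113730.1.13' # dotted form of OpenSSL's nsComment short name

# Universal ASN.1 tag numbers for the two string types the issue contrasts.
TAG_UTF8STRING = 0x0C
TAG_IA5STRING  = 0x16

# DER for the extnValue, i.e. the bytes that sit inside the extension's OCTET STRING.
# The ASN.1 string class picks the leading tag byte: IA5String (0x16) is correct for
# nsComment; UTF8String (0x0C) reproduces what the Ruby Puppet CA emitted after PUP-3560.
def netscape_comment_inner(text, string_class)
  string_class.new(text).to_der
end

# A complete, non-critical Extension SEQUENCE { extnID, extnValue OCTET STRING }.
def netscape_comment_extension_der(text, string_class)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new('nsComment'),
    OpenSSL::ASN1::OctetString.new(netscape_comment_inner(text, string_class))
  ]).to_der
end

# Decode an OCTET STRING body and report which string type wraps the comment.
# This is the programmatic form of the issue's manual check ("0C" vs "16").
def classify_comment_octets(octets)
  inner = OpenSSL::ASN1.decode(octets)
  case inner.tag
  when TAG_IA5STRING  then { type: :ia5string,  correct: true,  text: inner.value }
  when TAG_UTF8STRING then { type: :utf8string, correct: false, text: inner.value }
  else                     { type: :unknown,    correct: false, tag: inner.tag }
  end
end

# Same check starting from a whole extension DER, as it appears in a certificate.
# extnID is always first and extnValue always last (a critical BOOLEAN may sit between).
def classify_extension_der(der)
  fields = OpenSSL::ASN1.decode(der).value
  extn_id = fields.first
  extn_value = fields.last
  raise ArgumentError, "not an nsComment extension: #{extn_id.oid}" unless extn_id.oid == NS_COMMENT_OID
  classify_comment_octets(extn_value.value)
end

# Convert the asn1parse HEX DUMP text back into raw bytes.
def hex_to_bin(hex)
  [hex].pack('H*')
end

if __FILE__ == $0
  puts "reported by issue: #{classify_comment_octets(hex_to_bin(REPORTED_HEX))}"
  puts "correct encoding:  #{classify_extension_der(netscape_comment_extension_der(COMMENT_TEXT, OpenSSL::ASN1::IA5String))}"
end
```

      Running this against the hex dump from the issue reports a UTF8String, while the IA5String-built extension reports the correct encoding; the UTF8String-built inner value reproduces the quoted hex dump byte for byte.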

      Since the Netscape Comment extension has been deprecated (https://www.openssl.org/docs/apps/x509v3_config.html#Netscape-String-extensions), this problem only affects the Ruby Puppet CA and not the Puppet Server CA, and the Ruby Puppet CA is itself intended to be deprecated in the not too distant future, resolving this problem is probably not critical.

              People

              • Assignee: Unassigned
              • Reporter: Jeremy Barlow
              • QA Contact: Erik Dasher