Puppet / PUP-4467

Netscape comment extension uses wrong encoding



    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: PUP 4.0.0
    • Fix Version/s: None
    • Component/s: None


      The value for a Netscape Comment certificate extension is supposed to be an ASN.1 OctetString which wraps an IA5String. Originally, I believe this was documented here, but this link no longer appears to be active:


      References to this needing to be an IA5String, however, appear in some other places:

      Prior to Puppet 4, the Ruby Puppet CA would generate the Netscape Comment extension value as a raw OctetString, not wrapping a String of another type. This was incorrect. Per the work done in PUP-3560, however, the Ruby Puppet CA would generate the extension value as an OctetString wrapping a UTF8String. Different, but also incorrect. Note that the Puppet Server CA - both versions 1.x and 2.x - correctly generate the Netscape Comment extension value as an OctetString wrapping an IA5String.


      Steps to reproduce:

      1) Install puppet-agent 1.x.
      2) Run export RUBYLIB=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby.
      3) Run export PATH=/opt/puppetlabs/puppet/bin:$PATH.
      4) Run puppet master --no-daemonize --debug --trace --verbose --confdir=/etc/puppetlabs/puppet --vardir=/opt/puppetlabs/puppet/cache.
      5) After the WEBrick Puppet master has started, an /etc/puppetlabs/puppet/ssl/certs/[myhost].pem file should exist. On that file, run openssl asn1parse -in [myhost].pem.

      The output from the command could include:

      702:d=5  hl=2 l=   9 prim: OBJECT            :Netscape Comment
      713:d=5  hl=2 l=  42 prim: OCTET STRING      [HEX DUMP]:0C2850757070657420527562792F4F70656E53534C20496E7465726E616C204365727469666963617465

      Note that the "0C" at the beginning of the OCTET STRING in this case indicates that the value is encoded as a UTF8String, whereas the value should start with "16", the hex value for an IA5String. See http://www.obj-sys.com/asn1tutorial/node124.html for a list of ASN.1 universal tag numbers.

      Since the Netscape Comment extension has been deprecated (https://www.openssl.org/docs/apps/x509v3_config.html#Netscape-String-extensions), this problem only affects the Ruby Puppet CA and not the Puppet Server CA, and the Ruby Puppet CA is itself intended to be deprecated in the not too distant future, resolution of this problem is probably not critical.
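      The following Ruby script is an added example (not Puppet's own code) that reproduces the three encodings described above with Ruby's OpenSSL bindings and checks which one a given nsComment extension carries, so the "0C" versus "16" inspection can be scripted instead of read off an asn1parse dump. The comment text is taken from the hex dump above; the function names are assumptions.

```ruby
require 'openssl'

# Sample comment text, reconstructed from the hex dump in the report.
NS_COMMENT = 'Puppet Ruby/OpenSSL Internal Certificate'.freeze

# The three ways the report says the extension value has been produced.
# Only the first is correct: OCTET STRING wrapping an IA5String (tag 0x16).
def ns_comment_ia5(text)   # Puppet Server CA 1.x/2.x (correct)
  OpenSSL::X509::Extension.new('nsComment', OpenSSL::ASN1::IA5String.new(text))
end

def ns_comment_utf8(text)  # Ruby Puppet CA after PUP-3560: UTF8String (tag 0x0C)
  OpenSSL::X509::Extension.new('nsComment', OpenSSL::ASN1::UTF8String.new(text))
end

def ns_comment_raw(text)   # Ruby Puppet CA before Puppet 4: bare OCTET STRING
  OpenSSL::X509::Extension.new('nsComment', text)
end

# Bytes stored inside the extension's OCTET STRING, i.e. what asn1parse hex-dumps.
def ns_comment_payload(ext)
  seq = OpenSSL::ASN1.decode(ext.to_der) # SEQUENCE { OID, [critical], OCTET STRING }
  seq.value.last.value
end

# Uppercase hex of the payload, in the same form as the asn1parse output above.
def payload_hex(ext)
  ns_comment_payload(ext).unpack1('H*').upcase
end

# Classify the payload: :ia5string (correct), :utf8string (PUP-3560 behaviour),
# :raw (not a DER string at all), or :other for any other DER type.
def ns_comment_encoding(ext)
  inner = OpenSSL::ASN1.decode(ns_comment_payload(ext))
  case inner
  when OpenSSL::ASN1::IA5String  then :ia5string   # universal tag 22 (0x16)
  when OpenSSL::ASN1::UTF8String then :utf8string  # universal tag 12 (0x0C)
  else :other
  end
rescue OpenSSL::ASN1::ASN1Error
  :raw
end

# Check a certificate PEM (e.g. /etc/puppetlabs/puppet/ssl/certs/<host>.pem);
# returns nil when the certificate carries no nsComment extension.
def cert_ns_comment_encoding(pem)
  ext = OpenSSL::X509::Certificate.new(pem).extensions.find { |e| e.oid == 'nsComment' }
  ext && ns_comment_encoding(ext)
end
```

Running cert_ns_comment_encoding on the master's own certificate reports :utf8string for a cert issued by the Ruby CA with the PUP-3560 change and :ia5string for one issued by Puppet Server.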


          jeremy.barlow Jeremy Barlow
          QA Contact: Erik Dasher