
Bad value for crlDistributionPoints #205

@ahmet2mir

Hello,

When running this code, which creates a self-signed cert with crlDistributionPoints, I get a strange value when running openssl (and browsers also don't recognize the value):

require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)

subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)

cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert

cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com")

cert.sign key, OpenSSL::Digest::SHA256.new

File.open("/tmp/cert.pem", "w"){ |f| f.write cert.to_pem }

puts cert.to_text

When running with jruby, I get this output:

...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
    X509v3 Authority Key Identifier: 
        keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        URI:http://example.com
...

But if I run openssl:

$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
    X509v3 Authority Key Identifier: 
        keyid:A4:C6:21:3A:A1:85:DA:E6:76:FA:90:80:75:6C:AD:70:A0:C3:D4:EB
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01

    X509v3 CRL Distribution Points: 
        ..URI:http://example.com
...

Note the value ..URI:

I also tried the example from the unit tests https://github.com/ruby/openssl/blob/master/test/openssl/test_x509ext.rb#L40
But it doesn't understand how to use the config, because the value stays as is.

# replace cert.add_extension ef.create_extension('crlDistributionPoints', "URI:http://example.com") with
ef.config = OpenSSL::Config.parse(<<-_end_of_cnf_)
[crlDistPts]
URI.1 = http://www.example.com/crl
_end_of_cnf_
cert.add_extension ef.create_extension("crlDistributionPoints", "@crlDistPts")

Output

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
    X509v3 Authority Key Identifier: 
        keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        @crlDistPts

Note the value @crlDistPts

With openssl:

$ openssl x509 -noout -text -in /tmp/cert.pem
...
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Subject Key Identifier: 
        42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
    X509v3 Authority Key Identifier: 
        keyid:42:70:31:95:ED:5D:A5:2E:31:E6:EC:CC:F4:B5:AB:3D:E5:16:58:6D
        DirName:/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example
        serial:01
    X509v3 CRL Distribution Points: 
        @crlDistPts
...

Using jruby embedded in PuppetServer

$ /opt/puppetlabs/server/bin/puppetserver ruby --version
jruby 9.2.11.1 (2.5.7) 2020-03-25 b1f55b1a40 OpenJDK 64-Bit Server VM 25.252-b09 on 1.8.0_252-b09 +jit [linux-x86_64]

$ /opt/puppetlabs/server/bin/puppetserver gem list jruby-openssl
*** LOCAL GEMS ***
jruby-openssl (default: 0.10.4 java)

Similar to jruby/jruby#994
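The report shows why "the extension prints fine in the library that wrote it" is not enough: the X509v3 extension value has to be a DER-encoded CRLDistributionPoints structure (RFC 5280 section 4.2.1.13), and a consumer that parses it strictly, like the openssl CLI or a browser, rejects anything else. The example below is added here and is not code from the reporter or from the jruby-openssl project. It encodes the extension value by hand with OpenSSL::ASN1, so the bytes do not depend on the library's string-to-DER conversion, and it adds a strict reader that decodes a crlDistributionPoints extension and returns its URIs or raises, which is the check a practitioner would run over certificates before deploying them. The function names, the sample URIs, the 2048-bit key and the constructed bad value are assumptions of this example; the report does not say how jruby-openssl encoded the value, so the bad value is merely one possible wrong encoding, constructed to show the check failing.

```ruby
require 'openssl'

# RFC 5280 section 4.2.1.13:
#   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
#   DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
#   DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] ... }
#   GeneralName           ::= CHOICE { ..., uniformResourceIdentifier [6] IA5String, ... }
# distributionPoint [0] is an EXPLICIT tag (a tag on a CHOICE is always explicit);
# fullName [0] and uniformResourceIdentifier [6] are IMPLICIT.
# One DistributionPoint is emitted per URI, matching what `URI:a,URI:b` produces in OpenSSL.
def crl_distribution_points_der(uris)
  dps = uris.map do |uri|
    general_name = OpenSSL::ASN1::IA5String.new(uri, 6, :IMPLICIT, :CONTEXT_SPECIFIC)          # [6] IA5String
    full_name    = OpenSSL::ASN1::Sequence.new([general_name], 0, :IMPLICIT, :CONTEXT_SPECIFIC) # [0] GeneralNames
    dp_name      = OpenSSL::ASN1::ASN1Data.new([full_name], 0, :CONTEXT_SPECIFIC)               # [0] EXPLICIT CHOICE
    OpenSSL::ASN1::Sequence.new([dp_name])                                                       # DistributionPoint
  end
  OpenSSL::ASN1::Sequence.new(dps).to_der
end

# Extension.new stores the given bytes as the content of extnValue's OCTET STRING,
# so we pass the DER of the CRLDistributionPoints SEQUENCE itself.
def crl_distribution_points_ext(uris, critical = false)
  OpenSSL::X509::Extension.new('crlDistributionPoints', crl_distribution_points_der(uris), critical)
end

# Strict reader: decode the extension and return its URIs, or raise ArgumentError
# when the value is not a CRLDistributionPoints structure.
def crl_dp_uris(ext)
  raise ArgumentError, "not a crlDistributionPoints extension: #{ext.oid}" unless ext.oid == 'crlDistributionPoints'
  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
  inner = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
  unless inner.is_a?(OpenSSL::ASN1::Sequence)
    raise ArgumentError, "extnValue holds #{inner.class}, expected SEQUENCE OF DistributionPoint"
  end
  uris = []
  inner.value.each do |dp|
    raise ArgumentError, 'DistributionPoint is not a SEQUENCE' unless dp.is_a?(OpenSSL::ASN1::Sequence)
    dp.value.each do |field|
      # distributionPoint [0]; reasons [1] and cRLIssuer [2] carry no URI and are skipped
      next unless field.tag_class == :CONTEXT_SPECIFIC && field.tag == 0 && field.value.is_a?(Array)
      field.value.each do |choice|
        next unless choice.tag == 0 && choice.value.is_a?(Array)            # fullName [0] GeneralNames
        choice.value.each do |gn|
          uris << gn.value if gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 6 # uniformResourceIdentifier [6]
        end
      end
    end
  end
  uris
end

def well_formed_crl_dp?(ext)
  crl_dp_uris(ext)
  true
rescue ArgumentError, OpenSSL::ASN1::ASN1Error
  false
end

# Self-signed certificate shaped like the one in the report, with the hand-encoded
# extension in place of ExtensionFactory#create_extension (2048-bit key to keep it quick).
def build_demo_cert(uris)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example')
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  cert.public_key = key.public_key
  cert.serial  = 1
  cert.version = 2
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
  cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash')
  cert.add_extension crl_distribution_points_ext(uris)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Re-parse the certificate from its DER, as `openssl x509 -text` would, and read the CDP back out.
def cert_crl_dp_uris(cert)
  reparsed = OpenSSL::X509::Certificate.new(cert.to_der)
  ext = reparsed.extensions.find { |e| e.oid == 'crlDistributionPoints' }
  raise ArgumentError, 'no crlDistributionPoints extension' unless ext
  crl_dp_uris(ext)
end

# Constructed bad value (not taken from the report): the literal text stored as an
# IA5String instead of the DistributionPoint SEQUENCE. The strict reader rejects it.
BAD_CDP_EXT = OpenSSL::X509::Extension.new('crlDistributionPoints',
                                           OpenSSL::ASN1::IA5String.new('URI:http://example.com').to_der)

if $PROGRAM_NAME == __FILE__
  puts cert_crl_dp_uris(build_demo_cert(['http://example.com/crl'])).inspect
  puts "bad value well-formed? #{well_formed_crl_dp?(BAD_CDP_EXT)}"
end
```

On CRuby's openssl gem the hand-encoded extension is byte-for-byte identical to what `ExtensionFactory#create_extension('crlDistributionPoints', 'URI:http://example.com')` produces, so `crl_dp_uris` doubles as a regression check for any Ruby implementation: run it over `OpenSSL::X509::Certificate.new(pem).extensions` and a value that the CLI would print as raw octets is caught before the certificate ships.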
