Regression in 0.10.48 SubjectAlternativeName #1923

Comments

k0nserv changed the title from "Regression in 0.10.48 with SubjectAlternativeName" to "Regression in 0.10.48 SubjectAlternativeName" on May 12, 2023
You're correct that there was a behavior change here; this was necessary to fix an injection vulnerability: https://rustsec.org/advisories/RUSTSEC-2023-0023.html. We did not realize anyone was intentionally "exploiting" this issue.

Cool, I figured that'd be it. Anyway the workaround works fine so no problems. Thanks for the response.
Sorry for the inconvenience. Glad to hear the resolution was simple.
On Fri, May 12, 2023 at 8:33 AM Hugo Tunius wrote: Closed #1923 as completed.
Hello,

I've discovered a regression in 0.10.48 where the SAN extension generated by rust-openssl doesn't seem to be correct when encoded as DER. In particular, the resulting SAN extension no longer parses correctly with Go's ParseCertificateRequest.

The code in question:
Under 0.10.47, creating a CSR with create_csr(pkey, &["*.example.com", "example.com"]) produces a CSR that, when parsed from Go, results in a CertificateRequest with len(req.DNSNames) == 2. With 0.10.48 it instead parses as a CertificateRequest with len(req.DNSNames) == 1, and the sole DNSName is *.example.com,DNS:example.com.

I've created two branches to showcase this:

Both include a new regression test that can be run as cargo test -- x509_extension_to_der_full. This test saves a DER to openssl/csr.der.

I've used the following Go program to parse the resulting DER:

main.go
On the 0.10.47 branch the output of this program is:

On the 0.10.48 branch the output of this program is:

See this screenshot:
Cause
It seems quite likely that this is a side-effect of #1854. I'm not sure if the syntax used in the example is supposed to work after #1854 or not.
Workaround
There's a trivial workaround:
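As an added example (not the author's create_csr, their Go program, or their workaround, none of which are reproduced on this page), the following Go program builds two CSRs with Go's own crypto/x509, one SAN with two separate DNS entries and one with the single comma-joined entry that 0.10.48 emits, parses each with x509.ParseCertificateRequest as the issue does, and flags any DNS name that is not a syntactically valid hostname. The hostname pattern and the function names are assumptions of this example, not part of rust-openssl or the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"regexp"
)

// Assumed policy: optional wildcard label, then dot-separated LDH labels.
var hostnameRE = regexp.MustCompile(`^(\*\.)?([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// buildCSR returns a DER CSR whose SAN carries dnsNames verbatim, one
// dNSName each; like rust-openssl 0.10.48, Go does not split on commas.
func buildCSR(dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: dnsNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkSAN parses the CSR as the issue's Go program does and returns req.DNSNames
// plus every entry that is not a valid hostname (e.g. the joined "*.example.com,DNS:example.com").
func checkSAN(der []byte) (names, bad []string, err error) {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, err
	}
	for _, n := range req.DNSNames {
		if !hostnameRE.MatchString(n) {
			bad = append(bad, n)
		}
	}
	return req.DNSNames, bad, nil
}

func main() {
	for _, sans := range [][]string{
		{"*.example.com", "example.com"},  // two entries: what 0.10.47 produced
		{"*.example.com,DNS:example.com"}, // one entry: what 0.10.48 produces
	} {
		der, _ := buildCSR(sans)
		names, bad, _ := checkSAN(der)
		fmt.Printf("len(req.DNSNames) = %d, names = %q, rejected = %q\n", len(names), names, bad)
	}
}
```

The second CSR is valid DER and parses without error; only the hostname check reveals that a caller joined two names into one SAN entry.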