Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Printable BMPString in subject DN fields marked as failing lint e_subject_dn_not_printable_characters #818

Open
cwjnkins opened this issue Mar 28, 2024 · 2 comments
Open

Printable BMPString in subject DN fields marked as failing lint e_subject_dn_not_printable_characters #818

cwjnkins opened this issue Mar 28, 2024 · 2 comments

Comments

@cwjnkins
Copy link

This concerns changes introduced by PR #249, specifically lint e_subject_dn_not_printable_characters. Some attribute values for subject DNs are declared as DirectoryString types, such as X520CommonName

-- Naming attributes of type X520CommonName:
--   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
--
-- Expanded to avoid parameterized type:
X520CommonName ::= CHOICE {
  teletexString     TeletexString   (SIZE (1..ub-common-name)),
  printableString   PrintableString (SIZE (1..ub-common-name)),
  universalString   UniversalString (SIZE (1..ub-common-name)),
  utf8String        UTF8String      (SIZE (1..ub-common-name)),
  bmpString         BMPString       (SIZE (1..ub-common-name)) }

which in particular includes the non-UTF8 encoded strings BMPString (a subset of UTF16) and UniversalString.

Here is an example of a certificate using BMPString, for which I have confirmed ZLint (v3.6.1) flags as failing this lint. The X520CommonName decodes to "SSL_Self_Signed_Fallback", with each codepoint consisting of two bytes where the leading byte is 0x00. I suspect that the culprit is that utf8.DecodeRune (used in the lint) treats the leading 0x00 byte as its own codepoint, and that the fix should be to decode with UTF16 when BMPString is encountered.

Alternatively, Section 7.1 of RFC5280 states that while support for PrintableString and UTF8String is required of conforming implementations, support for the other DirectoryString types is optional, so a new lint could be introduced that flags the optional string types.

I do not have an example on hand for UniversalString, but I suspect it could also cause an issue.
@cardonator cardonator mentioned this issue Mar 28, 2024
Closed
@cardonator
Copy link
Contributor

I believe at the time I last touched this lint, the focus of it was more targeted at specific problems seen in public PKI certs. Splitting into different buckets took place later. I agree with your argument that the RFC lint should be able to handle a wider range of data compliant with RFC 5280. Check the linked PR to see changes that will fix the problem for the cert in question but some other examples would be helpful. As usual, generating the test data to use as a basis for testing the changes is the hardest part 😄

@cwjnkins
Copy link
Author

but some other examples would be helpful.

I only have two others, this one with common name "172_19_32_13" and another with the same common name "SSL_Self_Signed_Fallback" (both are BMPString).

From the recent discussion on PR #819, I take it the plan will be to add a lint for prohibiting the optional string encoding types based on restrictions from the CA/B forum (seems sensible to me!), so hopefully these certs will be useful as test cases for that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cardonator @cwjnkins