Certificate#crl_uris throws exception "undefined method `value' for nil (NoMethodError)" #775

gettalong opened this issue Jul 9, 2024 · 4 comments · May be fixed by #776

@gettalong

I have a certificate that errors out when calling `cert.crl_uris` with a NoMethodError for a nil value.

Going through the code, the certificate has two values in `cdp_asn1`. The first one has the expected tag value of 6 for the URI. The second one, however, has a tag value of 4, leading to a nil value in `crl_uris`. Looking at the code, there might be other situations where a nil value might be included in `crl_uris`.

Having the nil value in `crl_uris` leads to an error when calling `crl_uris&.map(&:value)`. This can be avoided by using `#compact`, i.e. `crl_uris&.compact&.map(&:value)`.

@rhenium
Member

rhenium commented Jul 9, 2024

Could you provide a certificate that causes the exception?

@gettalong
Author

> Could you provide a certificate that causes the exception?

I will ask if I'm allowed to share the certificate.

@gettalong
Author

@rhenium Here you go: Certificate.zip

rhenium added a commit to rhenium/ruby-openssl that referenced this issue Jul 9, 2024
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may only contain something
other than a URI, or more than one URI.

Let's include all URIs seen in the extension. If only non-URI pointers
are found, return an empty array.

Fixes: ruby#775
@rhenium
Member

rhenium commented Jul 9, 2024

Thanks, it is helpful:

            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.netrust.net/netrustca2-1.crl
                Full Name:
                  DirName:C = SG, O = Netrust Pte Ltd, OU = Netrust Certificate Authority, CN = Netrust CA 2-1, CN = CRL421

The extension contains two DistributionPoints, and the second one contains no URI.

#776 should fix it.

rhenium added a commit to rhenium/ruby-openssl that referenced this issue Aug 16, 2024
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may contain zero or more
than one URIs.

Let's include all URIs found in the extension. If only non-URI pointers
are found, return nil.

Fixes: ruby#775
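
The parsing change described in the commit messages above, as an added Ruby example (not the code from #776 or from ruby/openssl). It builds a constructed cRLDistributionPoints value shaped like the one in this thread, then compares a one-URI-per-DistributionPoint walk with one that collects every URI and returns nil when none is found, as the Aug 16 commit message states. The helper names (`uri_name`, `dir_name`, `build_cdp`, `ctx?`, `children`, `first_uri_per_point`, `all_crl_uris`) and the `example.test` URL are assumptions.

```ruby
require "openssl"

# GeneralName builders: uniformResourceIdentifier is [6], directoryName is [4].
def uri_name(uri)
  OpenSSL::ASN1::IA5String.new(uri, 6, :IMPLICIT, :CONTEXT_SPECIFIC)
end
def dir_name(pairs)
  name = OpenSSL::X509::Name.new(pairs)
  OpenSSL::ASN1::ASN1Data.new([OpenSSL::ASN1.decode(name.to_der)], 4, :CONTEXT_SPECIFIC)
end

# Encode a cRLDistributionPoints value, one DistributionPoint per inner array.
def build_cdp(points)
  seqs = points.map do |general_names|
    full_name = OpenSSL::ASN1::ASN1Data.new(general_names, 0, :CONTEXT_SPECIFIC)
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ASN1Data.new([full_name], 0, :CONTEXT_SPECIFIC)])
  end
  OpenSSL::ASN1::Sequence.new(seqs).to_der
end

# Constructed sample with the shape seen in the thread: a URI, then a DirName only.
SAMPLE = build_cdp([[uri_name("http://crl.example.test/ca.crl")],
                    [dir_name([["C", "SG"], ["O", "Example CA"], ["CN", "CRL1"]])]])

def ctx?(node, tag)
  node.tag_class == :CONTEXT_SPECIFIC && node.tag == tag
end
def children(node)
  node && node.value.is_a?(Array) ? node.value : []
end

# Assumes one URI per DistributionPoint: the DirName point yields nil, so .value raises.
def first_uri_per_point(der)
  OpenSSL::ASN1.decode(der).value.map do |point|
    full_name = children(children(point).find { |v| ctx?(v, 0) }).find { |v| ctx?(v, 0) }
    children(full_name).find { |v| ctx?(v, 6) }
  end.map(&:value)
end

# Collects every URI under each fullName and skips other name types; nil if none.
def all_crl_uris(der)
  root = OpenSSL::ASN1.decode(der)
  raise OpenSSL::ASN1::ASN1Error, "invalid extension" unless root.is_a?(OpenSSL::ASN1::Sequence)
  uris = children(root).flat_map do |point|
    full_name = children(children(point).find { |v| ctx?(v, 0) }).find { |v| ctx?(v, 0) }
    children(full_name).select { |v| ctx?(v, 6) }.map(&:value)
  end
  uris.empty? ? nil : uris
end
```

For a real certificate, the DER to pass in is the `value_der` of its crlDistributionPoints extension. Code that fetches CRLs for revocation checking still has to decide what to do when the result is nil because the certificate only names a directory entry.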