
Loading CA cert and using for signing doesn't match original certificate #59

Closed
geeklint opened this issue Jun 14, 2021 · 2 comments · Fixed by #71
Labels
bug Something isn't working

@geeklint

I'm trying to develop a P2P application where clients can register with a server, which will sign their certificates, so that they can later talk to each other without the involvement of the server.

I've been trying to load the CA cert using CertificateParams::from_ca_cert_pem and sign the client certs with Certificate::serialize_der_with_signer. However, the "issuer" attached to the resulting signed cert doesn't match the original cert (specifically, the "subject" is 1 byte different).

I don't really know enough about TLS to figure out why this is happening, so let me know if I can provide any additional details.

My (testing) code looks like this:

    // Load the existing CA's private key (PKCS#8 DER) and its PEM certificate.
    let ca_key = rcgen::KeyPair::from_der(debug_certs::CA_KEY_PK8).unwrap();
    let params = rcgen::CertificateParams::from_ca_cert_pem(
        debug_certs::CA_CERT,
        ca_key,
    )
    .unwrap();
    // Rebuild an rcgen Certificate from the parsed parameters to use as the signer.
    let ca_cert = rcgen::Certificate::from_params(params).unwrap();
    // Generate the client's certificate and sign it with the loaded CA.
    let gen_cert = rcgen::generate_simple_self_signed(vec![hostname]).unwrap();
    gen_cert.serialize_der_with_signer(&ca_cert).unwrap();

The issuer "subject" lines I get during certificate verification look like this (as byte arrays, note byte index 9)

Certificate "Issuer":

[49, 11, 48, 9, 6, 3, 85, 4, 6, 12, 2, 85, 83, 49, 17, 48, 15, 6, 3, 85, 4, 8, 12, 8, 86, 105, 114, 103, 105, 110, 105, 97, 49, 33, 48, 31, 6, 3, 85, 4, 10, 12, 24, 73, 110, 116, 101, 114, 110, 101, 116, 32, 87, 105, 100, 103, 105, 116, 115, 32, 80, 116, 121, 32, 76, 116, 100]

Trust Anchor "Subject":

[49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 17, 48, 15, 6, 3, 85, 4, 8, 12, 8, 86, 105, 114, 103, 105, 110, 105, 97, 49, 33, 48, 31, 6, 3, 85, 4, 10, 12, 24, 73, 110, 116, 101, 114, 110, 101, 116, 32, 87, 105, 100, 103, 105, 116, 115, 32, 80, 116, 121, 32, 76, 116, 100]

debug-game-cert.pem.txt
example_signed_cert.pem.txt

@est31
Member

est31 commented Jun 14, 2021

Hmm, yeah, apparently the countryName is a PrintableString in the (presumably openssl generated) cert while it's a UTF8String in the rcgen generated cert. Ideally one would just extract the entire ASN.1 of the signer subject name as-is and then dump it out again.

In the meantime, I suggest trying to create a root certificate using rcgen. rcgen will then create a UTF8String in the first place and thus avoid this issue.

@est31 est31 added the bug Something isn't working label Jun 14, 2021
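As an added illustration of est31's explanation (this is not rcgen code and not from the thread), here is a minimal DER walk over the two byte arrays quoted in the issue: both decode to the same three attributes, and the only difference is the string tag of countryName at index 9. The `anchor()` helper is constructed here by flipping that one byte of the issuer bytes; the parser handles only short-form lengths and one attribute per RDN, which is all these names contain.

```rust
pub const TAG_UTF8STRING: u8 = 0x0C;      // string type rcgen writes for countryName
pub const TAG_PRINTABLESTRING: u8 = 0x13; // string type the (openssl-made) CA cert used
// The "Issuer" RDN bytes quoted in the issue (Name contents: SET { SEQUENCE { OID, string } } ...).
pub const ISSUER: &[u8] = &[
    49, 11, 48, 9, 6, 3, 85, 4, 6, 12, 2, 85, 83, 49, 17, 48, 15, 6, 3, 85, 4, 8, 12, 8, 86, 105, 114,
    103, 105, 110, 105, 97, 49, 33, 48, 31, 6, 3, 85, 4, 10, 12, 24, 73, 110, 116, 101, 114, 110, 101,
    116, 32, 87, 105, 100, 103, 105, 116, 115, 32, 80, 116, 121, 32, 76, 116, 100];

/// The trust anchor "Subject" from the issue: constructed here, identical except byte 9.
pub fn anchor() -> Vec<u8> {
    let mut v = ISSUER.to_vec();
    v[9] = TAG_PRINTABLESTRING;
    v
}

#[derive(Debug)]
pub struct Attr { pub oid: Vec<u8>, pub tag: u8, pub value: String }

/// Read one tag-length-value at `pos`; short-form lengths only, which is all these names use.
fn tlv(b: &[u8], pos: usize) -> Option<(u8, &[u8], usize)> {
    let (tag, len) = (*b.get(pos)?, *b.get(pos + 1)? as usize);
    if len >= 0x80 { return None; }
    let end = pos + 2 + len;
    Some((tag, b.get(pos + 2..end)?, end))
}

/// Walk the RDN list, one attribute per RDN, accepting UTF8String or PrintableString values.
pub fn parse_name(b: &[u8]) -> Option<Vec<Attr>> {
    let (mut out, mut pos) = (Vec::new(), 0);
    while pos < b.len() {
        let (t, set, next) = tlv(b, pos)?;          // SET (0x31)
        let (u, seq, _) = tlv(set, 0)?;             // SEQUENCE (0x30)
        let (v, oid, after_oid) = tlv(seq, 0)?;     // OBJECT IDENTIFIER (0x06)
        let (tag, val, _) = tlv(seq, after_oid)?;   // the attribute value
        if t != 0x31 || u != 0x30 || v != 0x06 { return None; }
        if tag != TAG_UTF8STRING && tag != TAG_PRINTABLESTRING { return None; }
        out.push(Attr { oid: oid.to_vec(), tag, value: String::from_utf8(val.to_vec()).ok()? });
        pos = next;
    }
    Some(out)
}

/// Attributes whose OID and text agree but whose string type differs: the one-byte
/// mismatch that makes the byte-exact issuer/subject comparison during verification fail.
pub fn type_mismatches(a: &[Attr], b: &[Attr]) -> Vec<(Vec<u8>, u8, u8)> {
    a.iter().zip(b)
        .filter(|(x, y)| x.oid == y.oid && x.value == y.value && x.tag != y.tag)
        .map(|(x, y)| (x.oid.clone(), x.tag, y.tag))
        .collect()
}
```

Running `type_mismatches` over the two parsed names reports exactly one entry, OID 2.5.4.6 (countryName, bytes `[85, 4, 6]`) with tags 0x0C versus 0x13.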
@geeklint
Author

> In the meantime, I suggest trying to create a root certificate using rcgen. rcgen will then create an UTF8String in the first place and thus avoid this issue.

This workaround is working for me for now, thanks!
