On Fri, Aug 23, 2024 at 12:48:22PM +0000, Viktor Dukhovni wrote: > On Fri, Aug 23, 2024 at 02:11:42PM +0200, 'Jacob Persson' via openssl-users wrote: > > > > that assigns any meaning to the username part of a URI in X.509 > > > certificates. Best I can tell, if present, it should ignored! > > > > > > https://datatracker.ietf.org/doc/html/rfc9525#section-7.2 > > > > The username identifies a wire user within a domain but the meaning > > and validation > > of that is happening inside our client application. > > A more appropriate application-specific SAN might have been an > "otherName" variant under some suitable OID arc, where you control > the semantics of the SAN (but would also then need (and be free) to > implement both the validation and any name constraint checks). Indeed, that would have been another option, but, as you point out, it would then require us to implement validation and name constraint checks, which we currently basically get for free. > > But if I understood correctly the fact that the userinfo component is > > not ignored could be considered a bug in openssl, should I open a > > Github Issue for that? > > By all means. This will not guarantee prompt remediation, the issue is > rather a corner case, but if you're also able to contribute a robust fix > (parse the URI authority to strip the username and port), then it might get > adopted. I've opened a small PR to skip to the 'userinfo' component of an authority, if there is any: https://github.com/openssl/openssl/pull/25861 This makes our certificates verify successfully. I've tried looking into making a test for this, but it wasn't quite obvious how to approach it. I started by adding two new certs to setup.sh: +# NC CA3 only permits URIs matching good.org. + +NC="permitted;URI:good.org" +NC=$NC ./mkcert.sh genca "Test NC CA 3" ncca3-key ncca3-cert root-key root-cert + +# A certificate with an URI SAN +./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \ + "CN=Joe Bloggs" | \ + ./mkcert.sh geneealt nc-uri-key nc-uri-cert ncca3-key ncca3-cert \ + "URI.1 = foo://%42something@xxxxxxxx" \ + "URI.2 = bar://other@xxxxxxxx/baz/quux" + Having these certs, it's trivial to test with the openssl binary, but I'm unsure of how to fit this with the rest of the test suite. Suggestions are very much welcome. -- Ivan Stanković, ivan.stankovic@xxxxxxxx "Protect your digital freedom and privacy, eliminate DRM, learn more at http://www.defectivebydesign.org"; -- You received this message because you are subscribed to the Google Groups "openssl-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx. To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/psovop6ek64l5vmschv5d4poksh675vecosvvvyvc7j6xzgnuk%40nk6suvi3krhg.
