
X509 parse error #471

Closed

Description

@augjoh
Contributor
> cat test/parser-2.js 
#!/usr/bin/env node

var jsrsasign = require('jsrsasign');

var pem = '-----BEGIN CERTIFICATE-----\n' +
          'MIIC2TCCAcGgAwIBAAIBADANBgkqhkiG9w0BAQQFADAsMQswCQYDVQQGEwJhdTEdMBsGA1UE\n' +
          'ChMUU2VjdXJlTmV0IENBIENsYXNzIEIwJhcROTkwNjMwMDAwMDAwKzEwMDAXETA5MTAxNTIz\n' +
          'NTkwMCsxMDAwMCwxCzAJBgNVBAYTAmF1MR0wGwYDVQQKExRTZWN1cmVOZXQgQ0EgQ2xhc3Mg\n' +
          'QjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZj2cYVWnbnRmXHNJH5e91Wu/iW\n' +
          'NS4pyqd9Ch73MVLoWsjTzzkBTlvwH7G4StKzR0NmPwFATjBJ4Q/96xJjeMz2FmIY9W9p/X5u\n' +
          'M3Yho8CID+rmJfypl8wYcscxtgubzcLFeGFjRaw0pid4aMS9UmjOhE3SJKUobIDmyubP5pqe\n' +
          'UHjO8zbSo0NaHAavyyDu0CzERBiQbLGRZGW5t4WDS6iRmcXgnPe4UNfTsE+a7WP7TfTUKCQ6\n' +
          'gFt7k4zFBYSvO4b+gTHHtp1fGuqQe7BGXrIIUgBXDVVSg3iVSv1oj57ZULZLU/ryhQKVTjj1\n' +
          'g6eW1DE/P6fKN1PcxS9tGnSmzL8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEAS0amIlrp0aXk\n' +
          'EI9MU2DjTVSG3rocqipaNggdSgtJoe+qvbwmMqT/c0AwJA/sqxHVy6/ES5vnHhzDUIW6Twgr\n' +
          'Lz8UI6r2g5mGvkZ4ERUrmuSjv33pjX75Z98+f+atRudgZWdf5YDzLLtTZ3Nv4K6XEm1JGBxo\n' +
          'TLMs81rBNTH27Ok+p8vNVFCHWEXAFNVItvMojjoYKeiamfHg9aPLCLR9eCUT4TTOaJvatyIh\n' +
          'GzRSy+9T4vPXDGLasUVBRbiXWCwIYkUjDlmVNRoORMdRcE4/BK0mwh3tD0gtVRMdcaKnDrMv\n' +
          'h2+w7uXHNosscVFAhxrOVhQ5Ke8lCoAKGZ31Vp/dig==\n' +
          '-----END CERTIFICATE-----\n';
console.log(pem);

var cert = new jsrsasign.X509();
cert.readCertPEM(pem);
console.log(cert.getIssuer());

console.log(`Signature Algorithm: ${cert.getSignatureAlgorithmName()}`);
var pubKey = cert.getPublicKey();
cert.verifySignature(pubKey);

The above script cannot parse the embedded certificate. The following error is thrown:

/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:4950
    var k = parseInt(a.substr(0, 2), 16);
                       ^

TypeError: Cannot read property 'substr' of null
    at Object.KJUR.asn1.ASN1Util.oidHexToInt (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:4950:24)
    at X509.getAttrTypeAndValue (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:15953:36)
    at X509.getRDN (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:15940:25)
    at X509.getX500NameArray (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:15932:25)
    at X509.getX500Name (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:15921:22)
    at X509.getIssuer (/usr/home/node/node_modules/jsrsasign/lib/jsrsasign.js:15178:21)
    at Object.<anonymous> (/usr/home/node/test/parser-2.js:25:18)
    at Module._compile (node:internal/modules/cjs/loader:1108:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1137:10)
    at Module.load (node:internal/modules/cjs/loader:973:32)

Activity

kjur (Owner) commented on Feb 17, 2021

Hi. I've investigated the certificate and found some issues:

  • This certificate is an X.509v1 certificate and the version number [0] { INTEGER 0 } is specified. However, this shall be omitted since it is the DEFAULT value.
  • Wrong notBefore and notAfter values, such as "990630000000+1000". These shall be Zulu values such as "990630000000Z".

So this certificate is malformed as an RFC 5280 X.509 certificate. The version number check may be relaxed in the future, but it can be handled in the current version. Thank you for understanding.

augjoh (Contributor, Author) commented on Feb 18, 2021

@kjur Thank you for looking into this issue. You're right, the certificate isn't X509v3. On the other hand, it is compliant with ITU-T X.509 (formerly CCITT X.509) or ISO/IEC 9594-8, which was first published in 1988 as part of the X.500 directory recommendations and defines a standard certificate format. ISO/IEC 9594-8 places no further restrictions on GeneralizedTime when it is used for notBefore or notAfter. The GeneralizedTime stamps in the certificate comply with https://tools.ietf.org/html/rfc4517#section-3.3.13.

Please reconsider relaxing parsing here, as RFC 5280 states: Implementations SHOULD be prepared to accept any version certificate.
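The two deviations kjur identified (an explicitly encoded version 0 and validity times without a trailing Z) can be spotted before a certificate is handed to a strict parser. The following is an added example written for this page; it is not code from jsrsasign or from either participant. It is a dependency-free DER walker that reads only the leading fields of TBSCertificate, reports how the version and the validity times are encoded, and lists the RFC 5280 / DER findings. The certificate it inspects is the one embedded in the issue report above; the helper names are the example's own.

```javascript
// Added example for this issue, not code from jsrsasign or from the issue author.
// A dependency-free DER walker that reads just enough of TBSCertificate to
// flag the two violations kjur identified: an explicitly encoded version 0
// (a DEFAULT value, which DER requires to be omitted) and validity times
// without the trailing 'Z' that RFC 5280 section 4.1.2.5 requires.

// The certificate from the issue report, copied verbatim.
const ISSUE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MIIC2TCCAcGgAwIBAAIBADANBgkqhkiG9w0BAQQFADAsMQswCQYDVQQGEwJhdTEdMBsGA1UE',
  'ChMUU2VjdXJlTmV0IENBIENsYXNzIEIwJhcROTkwNjMwMDAwMDAwKzEwMDAXETA5MTAxNTIz',
  'NTkwMCsxMDAwMCwxCzAJBgNVBAYTAmF1MR0wGwYDVQQKExRTZWN1cmVOZXQgQ0EgQ2xhc3Mg',
  'QjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKZj2cYVWnbnRmXHNJH5e91Wu/iW',
  'NS4pyqd9Ch73MVLoWsjTzzkBTlvwH7G4StKzR0NmPwFATjBJ4Q/96xJjeMz2FmIY9W9p/X5u',
  'M3Yho8CID+rmJfypl8wYcscxtgubzcLFeGFjRaw0pid4aMS9UmjOhE3SJKUobIDmyubP5pqe',
  'UHjO8zbSo0NaHAavyyDu0CzERBiQbLGRZGW5t4WDS6iRmcXgnPe4UNfTsE+a7WP7TfTUKCQ6',
  'gFt7k4zFBYSvO4b+gTHHtp1fGuqQe7BGXrIIUgBXDVVSg3iVSv1oj57ZULZLU/ryhQKVTjj1',
  'g6eW1DE/P6fKN1PcxS9tGnSmzL8CAwEAATANBgkqhkiG9w0BAQQFAAOCAQEAS0amIlrp0aXk',
  'EI9MU2DjTVSG3rocqipaNggdSgtJoe+qvbwmMqT/c0AwJA/sqxHVy6/ES5vnHhzDUIW6Twgr',
  'Lz8UI6r2g5mGvkZ4ERUrmuSjv33pjX75Z98+f+atRudgZWdf5YDzLLtTZ3Nv4K6XEm1JGBxo',
  'TLMs81rBNTH27Ok+p8vNVFCHWEXAFNVItvMojjoYKeiamfHg9aPLCLR9eCUT4TTOaJvatyIh',
  'GzRSy+9T4vPXDGLasUVBRbiXWCwIYkUjDlmVNRoORMdRcE4/BK0mwh3tD0gtVRMdcaKnDrMv',
  'h2+w7uXHNosscVFAhxrOVhQ5Ke8lCoAKGZ31Vp/dig==',
  '-----END CERTIFICATE-----',
].join('\n');

// Strip the PEM armour and decode the base64 body into a DER byte buffer.
function pemToDer(pem) {
  const body = pem.replace(/-----(BEGIN|END) CERTIFICATE-----/g, '').replace(/\s+/g, '');
  return Buffer.from(body, 'base64');
}

// Read one DER tag-length-value at `off`. Returns the tag, the offset of the
// first content byte, the content length and the offset just past the value.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error(`truncated DER at offset ${off}`);
  const tag = buf[off];
  if ((tag & 0x1f) === 0x1f) throw new Error('multi-byte tags are not used in X.509');
  let i = off + 1;
  let len = buf[i++];
  if (len & 0x80) {                       // long form: low bits give the byte count
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error(`unsupported length form at offset ${off}`);
    len = 0;
    for (let k = 0; k < n; k++) len = len * 256 + buf[i++];
  }
  if (i + len > buf.length) throw new Error(`element at offset ${off} overruns the buffer`);
  return { tag, start: i, len, end: i + len };
}

// Decode a small non-negative INTEGER (enough for the version field).
function decodeInteger(buf, tlv) {
  let v = 0;
  for (let i = tlv.start; i < tlv.end; i++) v = v * 256 + buf[i];
  return v;
}

// Describe a Time element: its ASN.1 type, its text, and whether it is in
// Zulu form (trailing 'Z') as RFC 5280 requires for both time types.
function describeTime(buf, tlv) {
  const typeNames = { 0x17: 'UTCTime', 0x18: 'GeneralizedTime' };
  const value = buf.toString('latin1', tlv.start, tlv.end);
  return { type: typeNames[tlv.tag] || `tag 0x${tlv.tag.toString(16)}`, value, zulu: value.endsWith('Z') };
}

// Walk Certificate -> TBSCertificate -> [version] serialNumber signature
// issuer validity, returning what was found plus a list of findings.
function checkCertificate(pem) {
  const der = pemToDer(pem);
  const cert = readTlv(der, 0);
  if (cert.tag !== 0x30) throw new Error('Certificate is not a SEQUENCE');
  const tbs = readTlv(der, cert.start);
  if (tbs.tag !== 0x30) throw new Error('TBSCertificate is not a SEQUENCE');

  const findings = [];
  let version = { explicit: false, value: 0 };   // absent => DEFAULT v1(0)
  let next = readTlv(der, tbs.start);
  if (next.tag === 0xa0) {                        // [0] EXPLICIT Version
    version = { explicit: true, value: decodeInteger(der, readTlv(der, next.start)) };
    if (version.value === 0) {
      findings.push('version [0] is encoded with value 0; DER requires the DEFAULT v1 to be omitted');
    }
    next = readTlv(der, next.end);                // now at serialNumber
  }
  let off = next.end;                             // past serialNumber
  off = readTlv(der, off).end;                    // skip signature AlgorithmIdentifier
  off = readTlv(der, off).end;                    // skip issuer Name
  const validity = readTlv(der, off);
  if (validity.tag !== 0x30) throw new Error('Validity is not a SEQUENCE');
  const notBeforeTlv = readTlv(der, validity.start);
  const notAfterTlv = readTlv(der, notBeforeTlv.end);
  const notBefore = describeTime(der, notBeforeTlv);
  const notAfter = describeTime(der, notAfterTlv);
  for (const [name, t] of [['notBefore', notBefore], ['notAfter', notAfter]]) {
    if (!t.zulu) findings.push(`${name} ${t.type} "${t.value}" lacks the trailing Z that RFC 5280 requires`);
  }
  return { version, notBefore, notAfter, findings };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkCertificate(ISSUE_PEM), null, 2));
}
```

Run with node and the output lists three findings for the certificate above: the explicit version 0, and the two validity times carrying a "+1000" offset instead of Z. The walker also reports which ASN.1 time type each validity field actually uses, which is worth checking whenever a certificate from a non-RFC 5280 source is being triaged. It deliberately stops at the validity field; it is a pre-parse triage check for attributing a parser failure to a known encoding deviation, not a replacement for a full X.509 parser.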

          X509 parse error · Issue #471 · kjur/jsrsasign